@bradford-tech/supabase-integrity-attest 0.3.2 → 0.5.0

package/esm/assertion.d.ts

@@ -3,7 +3,10 @@
  * `@noble/curves`, keeping the bundle minimal for assertion-only use cases.
  *
  * ```ts
- * import { verifyAssertion } from "@bradford-tech/supabase-integrity-attest/assertion";
+ * import {
+ *   verifyAssertion,
+ *   withAssertion,
+ * } from "@bradford-tech/supabase-integrity-attest/assertion";
  *
  * const { signCount } = await verifyAssertion(
  *   { appId: "TEAMID.com.example.app" },
@@ -21,5 +24,5 @@ export type { AppInfo, AssertionResult } from "./src/assertion.js";
 export { AssertionError, AssertionErrorCode } from "./src/errors.js";
 export { withAssertion } from "./src/with-assertion.js";
 export { DEFAULT_ASSERTION_HEADER, DEFAULT_DEVICE_ID_HEADER, } from "./src/with-assertion.js";
-export type { AssertionContext, DeviceKey, ExtractAssertionFn, WithAssertionOptions, } from "./src/with-assertion.js";
+export type { AssertionContext, AssertionTimings, DeviceKey, ExtractAssertionFn, WithAssertionOptions, } from "./src/with-assertion.js";
 //# sourceMappingURL=assertion.d.ts.map

package/esm/assertion.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"assertion.d.ts","sourceRoot":"","sources":["../src/assertion.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;GAiBG;AAEH,OAAO,EAAE,eAAe,EAAE,MAAM,oBAAoB,CAAC;AACrD,YAAY,EAAE,OAAO,EAAE,eAAe,EAAE,MAAM,oBAAoB,CAAC;AACnE,OAAO,EAAE,cAAc,EAAE,kBAAkB,EAAE,MAAM,iBAAiB,CAAC;AAGrE,OAAO,EAAE,aAAa,EAAE,MAAM,yBAAyB,CAAC;AACxD,OAAO,EACL,wBAAwB,EACxB,wBAAwB,GACzB,MAAM,yBAAyB,CAAC;AACjC,YAAY,EACV,gBAAgB,EAChB,SAAS,EACT,kBAAkB,EAClB,oBAAoB,GACrB,MAAM,yBAAyB,CAAC"}
+{"version":3,"file":"assertion.d.ts","sourceRoot":"","sources":["../src/assertion.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;GAoBG;AAEH,OAAO,EAAE,eAAe,EAAE,MAAM,oBAAoB,CAAC;AACrD,YAAY,EAAE,OAAO,EAAE,eAAe,EAAE,MAAM,oBAAoB,CAAC;AACnE,OAAO,EAAE,cAAc,EAAE,kBAAkB,EAAE,MAAM,iBAAiB,CAAC;AAGrE,OAAO,EAAE,aAAa,EAAE,MAAM,yBAAyB,CAAC;AACxD,OAAO,EACL,wBAAwB,EACxB,wBAAwB,GACzB,MAAM,yBAAyB,CAAC;AACjC,YAAY,EACV,gBAAgB,EAChB,gBAAgB,EAChB,SAAS,EACT,kBAAkB,EAClB,oBAAoB,GACrB,MAAM,yBAAyB,CAAC"}

package/esm/assertion.js

@@ -3,7 +3,10 @@
  * `@noble/curves`, keeping the bundle minimal for assertion-only use cases.
  *
  * ```ts
- * import { verifyAssertion } from "@bradford-tech/supabase-integrity-attest/assertion";
+ * import {
+ *   verifyAssertion,
+ *   withAssertion,
+ * } from "@bradford-tech/supabase-integrity-attest/assertion";
  *
  * const { signCount } = await verifyAssertion(
  *   { appId: "TEAMID.com.example.app" },
@@ -18,6 +21,6 @@
  */
 export { verifyAssertion } from "./src/assertion.js";
 export { AssertionError, AssertionErrorCode } from "./src/errors.js";
-// withAssertion wrapper
+// withAssertion middleware
 export { withAssertion } from "./src/with-assertion.js";
 export { DEFAULT_ASSERTION_HEADER, DEFAULT_DEVICE_ID_HEADER, } from "./src/with-assertion.js";

package/esm/attestation.d.ts

@@ -3,7 +3,10 @@
  * dependencies (`asn1js`, `@noble/curves`).
  *
  * ```ts
- * import { verifyAttestation } from "@bradford-tech/supabase-integrity-attest/attestation";
+ * import {
+ *   verifyAttestation,
+ *   withAttestation,
+ * } from "@bradford-tech/supabase-integrity-attest/attestation";
  *
  * const { publicKeyPem } = await verifyAttestation(
  *   { appId: "TEAMID.com.example.app" },
@@ -18,4 +21,6 @@
 export { verifyAttestation } from "./src/attestation.js";
 export type { AppInfo, AttestationResult, VerifyAttestationOptions, } from "./src/attestation.js";
 export { AttestationError, AttestationErrorCode } from "./src/errors.js";
+export { withAttestation } from "./src/with-attestation.js";
+export type { AttestationContext, AttestationTimings, ExtractAttestationFn, WithAttestationOptions, } from "./src/with-attestation.js";
 //# sourceMappingURL=attestation.d.ts.map

package/esm/attestation.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"attestation.d.ts","sourceRoot":"","sources":["../src/attestation.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;GAgBG;AAEH,OAAO,EAAE,iBAAiB,EAAE,MAAM,sBAAsB,CAAC;AACzD,YAAY,EACV,OAAO,EACP,iBAAiB,EACjB,wBAAwB,GACzB,MAAM,sBAAsB,CAAC;AAC9B,OAAO,EAAE,gBAAgB,EAAE,oBAAoB,EAAE,MAAM,iBAAiB,CAAC"}
+{"version":3,"file":"attestation.d.ts","sourceRoot":"","sources":["../src/attestation.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;GAmBG;AAEH,OAAO,EAAE,iBAAiB,EAAE,MAAM,sBAAsB,CAAC;AACzD,YAAY,EACV,OAAO,EACP,iBAAiB,EACjB,wBAAwB,GACzB,MAAM,sBAAsB,CAAC;AAC9B,OAAO,EAAE,gBAAgB,EAAE,oBAAoB,EAAE,MAAM,iBAAiB,CAAC;AAGzE,OAAO,EAAE,eAAe,EAAE,MAAM,2BAA2B,CAAC;AAC5D,YAAY,EACV,kBAAkB,EAClB,kBAAkB,EAClB,oBAAoB,EACpB,sBAAsB,GACvB,MAAM,2BAA2B,CAAC"}

package/esm/attestation.js

@@ -3,7 +3,10 @@
  * dependencies (`asn1js`, `@noble/curves`).
  *
  * ```ts
- * import { verifyAttestation } from "@bradford-tech/supabase-integrity-attest/attestation";
+ * import {
+ *   verifyAttestation,
+ *   withAttestation,
+ * } from "@bradford-tech/supabase-integrity-attest/attestation";
  *
  * const { publicKeyPem } = await verifyAttestation(
  *   { appId: "TEAMID.com.example.app" },
@@ -17,3 +20,5 @@
  */
 export { verifyAttestation } from "./src/attestation.js";
 export { AttestationError, AttestationErrorCode } from "./src/errors.js";
+// withAttestation middleware
+export { withAttestation } from "./src/with-attestation.js";

package/esm/mod.d.ts

@@ -1,17 +1,95 @@
 /**
  * Verify Apple App Attest attestations and assertions using WebCrypto.
  *
+ * This library implements Apple's full
+ * [App Attest](https://developer.apple.com/documentation/devicecheck/establishing-your-app-s-integrity)
+ * server-side verification — CBOR decoding, X.509 certificate chain
+ * validation, nonce verification, ECDSA signature checks — using only
+ * WebCrypto APIs so it runs in Supabase Edge Functions, Deno Deploy,
+ * and other edge runtimes with no native dependencies.
+ *
+ * ## Attestation
+ *
+ * Verify a new device and extract its public key:
+ *
  * ```ts
- * import { verifyAttestation, verifyAssertion } from "@bradford-tech/supabase-integrity-attest";
+ * import { verifyAttestation } from "@bradford-tech/supabase-integrity-attest";
  *
- * const { publicKeyPem } = await verifyAttestation(
+ * // clientDataHash = SHA-256(challenge) — most client SDKs hash internally
+ * const clientDataHash = new Uint8Array(
+ *   await crypto.subtle.digest("SHA-256", new TextEncoder().encode(challenge)),
+ * );
+ * const { publicKeyPem, receipt, signCount } = await verifyAttestation(
  *   { appId: "TEAMID.com.example.app" },
  *   keyId,
- *   challenge,
+ *   clientDataHash,
  *   attestation,
  * );
+ * // Store publicKeyPem and signCount for future assertion verification
  * ```
  *
+ * ## Assertion
+ *
+ * Verify ongoing requests from an already-attested device:
+ *
+ * ```ts
+ * import { verifyAssertion } from "@bradford-tech/supabase-integrity-attest";
+ *
+ * const { signCount } = await verifyAssertion(
+ *   { appId: "TEAMID.com.example.app" },
+ *   assertion,
+ *   clientData,
+ *   publicKeyPem,
+ *   previousSignCount,
+ * );
+ * // Persist the updated signCount
+ * ```
+ *
+ * ## Middleware
+ *
+ * Use the {@linkcode withAttestation} and {@linkcode withAssertion}
+ * wrappers for automatic verification, callback-driven storage, and
+ * typed error handling:
+ *
+ * ```ts
+ * import {
+ *   withAttestation,
+ *   withAssertion,
+ * } from "@bradford-tech/supabase-integrity-attest";
+ *
+ * const attestHandler = withAttestation(
+ *   {
+ *     appId: "TEAMID.com.example.app",
+ *     consumeChallenge,
+ *     storeDeviceKey,
+ *   },
+ *   (_req, ctx) =>
+ *     Response.json({ ok: true, deviceId: ctx.deviceId }),
+ * );
+ *
+ * const protectedHandler = withAssertion(
+ *   {
+ *     appId: "TEAMID.com.example.app",
+ *     getDeviceKey,
+ *     commitSignCount,
+ *   },
+ *   (_req, ctx) =>
+ *     Response.json({ hello: ctx.deviceId, counter: ctx.signCount }),
+ * );
+ * ```
+ *
+ * ## Subpath imports
+ *
+ * For smaller bundles, import only what you need:
+ *
+ * - `@bradford-tech/supabase-integrity-attest/attestation` — attestation
+ *   (`verifyAttestation`, `withAttestation`). Full crypto deps.
+ * - `@bradford-tech/supabase-integrity-attest/assertion` — assertion
+ *   (`verifyAssertion`, `withAssertion`). Excludes `asn1js` and
+ *   `@noble/curves` to keep the bundle minimal.
+ *
+ * Full documentation: {@link https://integrity-attest.bradford.tech}
+ *
  * @module
  */
 export type { AppInfo, AttestationResult, VerifyAttestationOptions, } from "./src/attestation.js";
@@ -21,5 +99,7 @@ export { verifyAssertion } from "./src/assertion.js";
 export { AssertionError, AssertionErrorCode, AttestationError, AttestationErrorCode, } from "./src/errors.js";
 export { withAssertion } from "./src/with-assertion.js";
 export { DEFAULT_ASSERTION_HEADER, DEFAULT_DEVICE_ID_HEADER, } from "./src/with-assertion.js";
-export type { AssertionContext, DeviceKey, ExtractAssertionFn, WithAssertionOptions, } from "./src/with-assertion.js";
+export type { AssertionContext, AssertionTimings, DeviceKey, ExtractAssertionFn, WithAssertionOptions, } from "./src/with-assertion.js";
+export { withAttestation } from "./src/with-attestation.js";
+export type { AttestationContext, AttestationTimings, ExtractAttestationFn, WithAttestationOptions, } from "./src/with-attestation.js";
 //# sourceMappingURL=mod.d.ts.map

package/esm/mod.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"mod.d.ts","sourceRoot":"","sources":["../src/mod.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;GAeG;AAEH,YAAY,EACV,OAAO,EACP,iBAAiB,EACjB,wBAAwB,GACzB,MAAM,sBAAsB,CAAC;AAC9B,YAAY,EAAE,eAAe,EAAE,MAAM,oBAAoB,CAAC;AAC1D,OAAO,EAAE,iBAAiB,EAAE,MAAM,sBAAsB,CAAC;AACzD,OAAO,EAAE,eAAe,EAAE,MAAM,oBAAoB,CAAC;AACrD,OAAO,EACL,cAAc,EACd,kBAAkB,EAClB,gBAAgB,EAChB,oBAAoB,GACrB,MAAM,iBAAiB,CAAC;AAGzB,OAAO,EAAE,aAAa,EAAE,MAAM,yBAAyB,CAAC;AACxD,OAAO,EACL,wBAAwB,EACxB,wBAAwB,GACzB,MAAM,yBAAyB,CAAC;AACjC,YAAY,EACV,gBAAgB,EAChB,SAAS,EACT,kBAAkB,EAClB,oBAAoB,GACrB,MAAM,yBAAyB,CAAC"}
+{"version":3,"file":"mod.d.ts","sourceRoot":"","sources":["../src/mod.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA6FG;AAEH,YAAY,EACV,OAAO,EACP,iBAAiB,EACjB,wBAAwB,GACzB,MAAM,sBAAsB,CAAC;AAC9B,YAAY,EAAE,eAAe,EAAE,MAAM,oBAAoB,CAAC;AAC1D,OAAO,EAAE,iBAAiB,EAAE,MAAM,sBAAsB,CAAC;AACzD,OAAO,EAAE,eAAe,EAAE,MAAM,oBAAoB,CAAC;AACrD,OAAO,EACL,cAAc,EACd,kBAAkB,EAClB,gBAAgB,EAChB,oBAAoB,GACrB,MAAM,iBAAiB,CAAC;AAGzB,OAAO,EAAE,aAAa,EAAE,MAAM,yBAAyB,CAAC;AACxD,OAAO,EACL,wBAAwB,EACxB,wBAAwB,GACzB,MAAM,yBAAyB,CAAC;AACjC,YAAY,EACV,gBAAgB,EAChB,gBAAgB,EAChB,SAAS,EACT,kBAAkB,EAClB,oBAAoB,GACrB,MAAM,yBAAyB,CAAC;AAGjC,OAAO,EAAE,eAAe,EAAE,MAAM,2BAA2B,CAAC;AAC5D,YAAY,EACV,kBAAkB,EAClB,kBAAkB,EAClB,oBAAoB,EACpB,sBAAsB,GACvB,MAAM,2BAA2B,CAAC"}

package/esm/mod.js

@@ -1,22 +1,102 @@
 /**
  * Verify Apple App Attest attestations and assertions using WebCrypto.
  *
+ * This library implements Apple's full
+ * [App Attest](https://developer.apple.com/documentation/devicecheck/establishing-your-app-s-integrity)
+ * server-side verification — CBOR decoding, X.509 certificate chain
+ * validation, nonce verification, ECDSA signature checks — using only
+ * WebCrypto APIs so it runs in Supabase Edge Functions, Deno Deploy,
+ * and other edge runtimes with no native dependencies.
+ *
+ * ## Attestation
+ *
+ * Verify a new device and extract its public key:
+ *
  * ```ts
- * import { verifyAttestation, verifyAssertion } from "@bradford-tech/supabase-integrity-attest";
+ * import { verifyAttestation } from "@bradford-tech/supabase-integrity-attest";
  *
- * const { publicKeyPem } = await verifyAttestation(
+ * // clientDataHash = SHA-256(challenge) — most client SDKs hash internally
+ * const clientDataHash = new Uint8Array(
+ *   await crypto.subtle.digest("SHA-256", new TextEncoder().encode(challenge)),
+ * );
+ * const { publicKeyPem, receipt, signCount } = await verifyAttestation(
  *   { appId: "TEAMID.com.example.app" },
  *   keyId,
- *   challenge,
+ *   clientDataHash,
  *   attestation,
  * );
+ * // Store publicKeyPem and signCount for future assertion verification
  * ```
  *
+ * ## Assertion
+ *
+ * Verify ongoing requests from an already-attested device:
+ *
+ * ```ts
+ * import { verifyAssertion } from "@bradford-tech/supabase-integrity-attest";
+ *
+ * const { signCount } = await verifyAssertion(
+ *   { appId: "TEAMID.com.example.app" },
+ *   assertion,
+ *   clientData,
+ *   publicKeyPem,
+ *   previousSignCount,
+ * );
+ * // Persist the updated signCount
+ * ```
+ *
+ * ## Middleware
+ *
+ * Use the {@linkcode withAttestation} and {@linkcode withAssertion}
+ * wrappers for automatic verification, callback-driven storage, and
+ * typed error handling:
+ *
+ * ```ts
+ * import {
+ *   withAttestation,
+ *   withAssertion,
+ * } from "@bradford-tech/supabase-integrity-attest";
+ *
+ * const attestHandler = withAttestation(
+ *   {
+ *     appId: "TEAMID.com.example.app",
+ *     consumeChallenge,
+ *     storeDeviceKey,
+ *   },
+ *   (_req, ctx) =>
+ *     Response.json({ ok: true, deviceId: ctx.deviceId }),
+ * );
+ *
+ * const protectedHandler = withAssertion(
+ *   {
+ *     appId: "TEAMID.com.example.app",
+ *     getDeviceKey,
+ *     commitSignCount,
+ *   },
+ *   (_req, ctx) =>
+ *     Response.json({ hello: ctx.deviceId, counter: ctx.signCount }),
+ * );
+ * ```
+ *
+ * ## Subpath imports
+ *
+ * For smaller bundles, import only what you need:
+ *
+ * - `@bradford-tech/supabase-integrity-attest/attestation` — attestation
+ *   (`verifyAttestation`, `withAttestation`). Full crypto deps.
+ * - `@bradford-tech/supabase-integrity-attest/assertion` — assertion
+ *   (`verifyAssertion`, `withAssertion`). Excludes `asn1js` and
+ *   `@noble/curves` to keep the bundle minimal.
+ *
+ * Full documentation: {@link https://integrity-attest.bradford.tech}
+ *
  * @module
  */
 export { verifyAttestation } from "./src/attestation.js";
 export { verifyAssertion } from "./src/assertion.js";
 export { AssertionError, AssertionErrorCode, AttestationError, AttestationErrorCode, } from "./src/errors.js";
-// withAssertion wrapper
+// withAssertion middleware
 export { withAssertion } from "./src/with-assertion.js";
 export { DEFAULT_ASSERTION_HEADER, DEFAULT_DEVICE_ID_HEADER, } from "./src/with-assertion.js";
+// withAttestation middleware
+export { withAttestation } from "./src/with-attestation.js";

package/esm/src/attestation.d.ts

@@ -50,7 +50,15 @@ export declare function decodeAttestationCbor(data: Uint8Array): AttestationCbor
  * CBOR decode, certificate chain validation, nonce check, key extraction,
  * AAGUID check, and credential ID verification.
  *
+ * **Important:** The `clientDataHash` parameter corresponds to Apple's
+ * `clientDataHash` argument on `DCAppAttestService.attestKey(_:clientDataHash:)`.
+ * Most client SDKs (Expo's `attestKeyAsync`, native wrappers) hash the
+ * caller's challenge with SHA-256 before passing to Apple. If you are using
+ * the {@linkcode withAttestation} middleware, this hashing is handled
+ * automatically. If calling `verifyAttestation` directly, you must pass
+ * `SHA-256(challenge)` — not the raw challenge — as `clientDataHash`.
+ *
  * @throws {AttestationError} If any verification step fails.
  */
-export declare function verifyAttestation(appInfo: AppInfo, keyId: string, challenge: Uint8Array | string, attestation: Uint8Array | string, options?: VerifyAttestationOptions): Promise<AttestationResult>;
+export declare function verifyAttestation(appInfo: AppInfo, keyId: string, clientDataHash: Uint8Array | string, attestation: Uint8Array | string, options?: VerifyAttestationOptions): Promise<AttestationResult>;
 //# sourceMappingURL=attestation.d.ts.map

package/esm/src/attestation.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"attestation.d.ts","sourceRoot":"","sources":["../../src/src/attestation.ts"],"names":[],"mappings":"AAaA,yCAAyC;AACzC,MAAM,WAAW,OAAO;IACtB,oDAAoD;IACpD,KAAK,EAAE,MAAM,CAAC;IACd,kFAAkF;IAClF,cAAc,CAAC,EAAE,OAAO,CAAC;CAC1B;AAED,kDAAkD;AAClD,MAAM,WAAW,iBAAiB;IAChC,yEAAyE;IACzE,YAAY,EAAE,MAAM,CAAC;IACrB,4DAA4D;IAC5D,OAAO,EAAE,UAAU,CAAC;IACpB,uDAAuD;IACvD,SAAS,EAAE,MAAM,CAAC;CACnB;AAED,iDAAiD;AACjD,MAAM,WAAW,wBAAwB;IACvC,uFAAuF;IACvF,SAAS,CAAC,EAAE,IAAI,CAAC;CAClB;AAED;;;;;;;;;;;;GAYG;AACH,MAAM,WAAW,eAAe;IAC9B,GAAG,EAAE,MAAM,CAAC;IACZ,OAAO,EAAE;QACP,GAAG,EAAE,UAAU,EAAE,CAAC;QAClB,OAAO,EAAE,UAAU,CAAC;KACrB,CAAC;IACF,QAAQ,EAAE,UAAU,CAAC;CACtB;AAsGD,yEAAyE;AACzE,wBAAgB,qBAAqB,CAAC,IAAI,EAAE,UAAU,GAAG,eAAe,CAyEvE;AAED;;;;;;;;;GASG;AACH,wBAAsB,iBAAiB,CACrC,OAAO,EAAE,OAAO,EAChB,KAAK,EAAE,MAAM,EACb,SAAS,EAAE,UAAU,GAAG,MAAM,EAC9B,WAAW,EAAE,UAAU,GAAG,MAAM,EAChC,OAAO,CAAC,EAAE,wBAAwB,GACjC,OAAO,CAAC,iBAAiB,CAAC,CAkJ5B"}
+{"version":3,"file":"attestation.d.ts","sourceRoot":"","sources":["../../src/src/attestation.ts"],"names":[],"mappings":"AAaA,yCAAyC;AACzC,MAAM,WAAW,OAAO;IACtB,oDAAoD;IACpD,KAAK,EAAE,MAAM,CAAC;IACd,kFAAkF;IAClF,cAAc,CAAC,EAAE,OAAO,CAAC;CAC1B;AAED,kDAAkD;AAClD,MAAM,WAAW,iBAAiB;IAChC,yEAAyE;IACzE,YAAY,EAAE,MAAM,CAAC;IACrB,4DAA4D;IAC5D,OAAO,EAAE,UAAU,CAAC;IACpB,uDAAuD;IACvD,SAAS,EAAE,MAAM,CAAC;CACnB;AAED,iDAAiD;AACjD,MAAM,WAAW,wBAAwB;IACvC,uFAAuF;IACvF,SAAS,CAAC,EAAE,IAAI,CAAC;CAClB;AAED;;;;;;;;;;;;GAYG;AACH,MAAM,WAAW,eAAe;IAC9B,GAAG,EAAE,MAAM,CAAC;IACZ,OAAO,EAAE;QACP,GAAG,EAAE,UAAU,EAAE,CAAC;QAClB,OAAO,EAAE,UAAU,CAAC;KACrB,CAAC;IACF,QAAQ,EAAE,UAAU,CAAC;CACtB;AAsGD,yEAAyE;AACzE,wBAAgB,qBAAqB,CAAC,IAAI,EAAE,UAAU,GAAG,eAAe,CAyEvE;AAED;;;;;;;;;;;;;;;;;GAiBG;AACH,wBAAsB,iBAAiB,CACrC,OAAO,EAAE,OAAO,EAChB,KAAK,EAAE,MAAM,EACb,cAAc,EAAE,UAAU,GAAG,MAAM,EACnC,WAAW,EAAE,UAAU,GAAG,MAAM,EAChC,OAAO,CAAC,EAAE,wBAAwB,GACjC,OAAO,CAAC,iBAAiB,CAAC,CAkJ5B"}

package/esm/src/attestation.js

@@ -163,9 +163,17 @@ export function decodeAttestationCbor(data) {
  * CBOR decode, certificate chain validation, nonce check, key extraction,
  * AAGUID check, and credential ID verification.
  *
+ * **Important:** The `clientDataHash` parameter corresponds to Apple's
+ * `clientDataHash` argument on `DCAppAttestService.attestKey(_:clientDataHash:)`.
+ * Most client SDKs (Expo's `attestKeyAsync`, native wrappers) hash the
+ * caller's challenge with SHA-256 before passing to Apple. If you are using
+ * the {@linkcode withAttestation} middleware, this hashing is handled
+ * automatically. If calling `verifyAttestation` directly, you must pass
+ * `SHA-256(challenge)` — not the raw challenge — as `clientDataHash`.
+ *
  * @throws {AttestationError} If any verification step fails.
  */
-export async function verifyAttestation(appInfo, keyId, challenge, attestation, options) {
+export async function verifyAttestation(appInfo, keyId, clientDataHash, attestation, options) {
     // Decode attestation bytes from base64 if string
     let attestationBytes;
     if (typeof attestation === "string") {
@@ -199,11 +207,11 @@ export async function verifyAttestation(appInfo, keyId, challenge, attestation,
     }
     // Step 4: Verify certificate chain
     await verifyCertificateChain(x5c, options?.checkDate);
-    // Step 5-6: Compute nonce = SHA-256(authData || challenge)
-    // Apple's nonce verification uses the raw challenge bytes concatenated with authData,
-    // NOT a hash of the challenge.
-    const challengeBytes = toBytes(challenge);
-    const nonceInput = concat(authData, challengeBytes);
+    // Step 5-6: Compute nonce = SHA-256(authData || clientDataHash)
+    // The clientDataHash is typically SHA-256(challenge) — see the JSDoc above.
+    // The withAttestation middleware handles this hashing automatically.
+    const clientDataHashBytes = toBytes(clientDataHash);
+    const nonceInput = concat(authData, clientDataHashBytes);
     const computedNonce = new Uint8Array(await crypto.subtle.digest("SHA-256", nonceInput));
     // Step 7: Extract nonce from leaf cert
     const certNonce = extractNonceFromCert(x5c[0]);

package/esm/src/errors.d.ts

@@ -13,16 +13,32 @@ export declare enum AttestationErrorCode {
     /** Sign count is not zero (required for attestation). */
     INVALID_COUNTER = "INVALID_COUNTER",
     /** AAGUID does not match the expected environment (production/development). */
-    INVALID_AAGUID = "INVALID_AAGUID"
+    INVALID_AAGUID = "INVALID_AAGUID",
+    /**
+     * The `consumeChallenge` callback returned `false`, meaning the challenge
+     * was missing, expired, or already consumed. Used by {@linkcode withAttestation}.
+     */
+    CHALLENGE_INVALID = "CHALLENGE_INVALID",
+    /**
+     * An internal or storage callback error occurred (used by
+     * {@linkcode withAttestation}). The original error is attached via
+     * `Error.cause` and is deliberately NOT reflected in the HTTP response
+     * body to avoid leaking database schema or driver diagnostics.
+     */
+    INTERNAL_ERROR = "INTERNAL_ERROR"
 }
 /** Thrown when attestation verification fails. */
 export declare class AttestationError extends Error {
     /** Machine-readable error code. */
     readonly code: AttestationErrorCode;
+    /** Discriminant for `instanceof` checks in catch blocks. Always `"AttestationError"`. */
     readonly name = "AttestationError";
+    /** Create an AttestationError with a machine-readable code and human-readable message. */
     constructor(
     /** Machine-readable error code. */
-    code: AttestationErrorCode, message: string);
+    code: AttestationErrorCode, message: string, options?: {
+        cause?: unknown;
+    });
 }
 /** Error codes returned by {@linkcode AssertionError}. */
 export declare enum AssertionErrorCode {
@@ -37,13 +53,22 @@ export declare enum AssertionErrorCode {
     /** No device key found for the given device ID (used by {@linkcode withAssertion}). */
     DEVICE_NOT_FOUND = "DEVICE_NOT_FOUND",
     /** An internal or storage callback error occurred (used by {@linkcode withAssertion}). */
-    INTERNAL_ERROR = "INTERNAL_ERROR"
+    INTERNAL_ERROR = "INTERNAL_ERROR",
+    /**
+     * The `commitSignCount` callback returned `false`, meaning another
+     * concurrent request already advanced the stored counter past this value.
+     * Indicates an expected race under concurrent load, not a client bug.
+     * Used by {@linkcode withAssertion}.
+     */
+    SIGN_COUNT_STALE = "SIGN_COUNT_STALE"
 }
 /** Thrown when assertion verification fails. */
 export declare class AssertionError extends Error {
     /** Machine-readable error code. */
     readonly code: AssertionErrorCode;
+    /** Discriminant for `instanceof` checks in catch blocks. Always `"AssertionError"`. */
     readonly name = "AssertionError";
+    /** Create an AssertionError with a machine-readable code and human-readable message. */
     constructor(
     /** Machine-readable error code. */
     code: AssertionErrorCode, message: string, options?: {

package/esm/src/errors.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"errors.d.ts","sourceRoot":"","sources":["../../src/src/errors.ts"],"names":[],"mappings":"AAEA,4DAA4D;AAC5D,oBAAY,oBAAoB;IAC9B,qDAAqD;IACrD,cAAc,mBAAmB;IACjC,mDAAmD;IACnD,yBAAyB,8BAA8B;IACvD,uEAAuE;IACvE,cAAc,mBAAmB;IACjC,uDAAuD;IACvD,cAAc,mBAAmB;IACjC,0DAA0D;IAC1D,eAAe,oBAAoB;IACnC,yDAAyD;IACzD,eAAe,oBAAoB;IACnC,+EAA+E;IAC/E,cAAc,mBAAmB;CAClC;AAED,kDAAkD;AAClD,qBAAa,gBAAiB,SAAQ,KAAK;IAGvC,mCAAmC;aACnB,IAAI,EAAE,oBAAoB;IAH5C,SAAkB,IAAI,sBAAsB;;IAE1C,mCAAmC;IACnB,IAAI,EAAE,oBAAoB,EAC1C,OAAO,EAAE,MAAM;CAIlB;AAED,0DAA0D;AAC1D,oBAAY,kBAAkB;IAC5B,qDAAqD;IACrD,cAAc,mBAAmB;IACjC,uDAAuD;IACvD,cAAc,mBAAmB;IACjC,mEAAmE;IACnE,uBAAuB,4BAA4B;IACnD,2CAA2C;IAC3C,iBAAiB,sBAAsB;IACvC,uFAAuF;IACvF,gBAAgB,qBAAqB;IACrC,0FAA0F;IAC1F,cAAc,mBAAmB;CAClC;AAED,gDAAgD;AAChD,qBAAa,cAAe,SAAQ,KAAK;IAGrC,mCAAmC;aACnB,IAAI,EAAE,kBAAkB;IAH1C,SAAkB,IAAI,oBAAoB;;IAExC,mCAAmC;IACnB,IAAI,EAAE,kBAAkB,EACxC,OAAO,EAAE,MAAM,EACf,OAAO,CAAC,EAAE;QAAE,KAAK,CAAC,EAAE,OAAO,CAAA;KAAE;CAIhC"}
+{"version":3,"file":"errors.d.ts","sourceRoot":"","sources":["../../src/src/errors.ts"],"names":[],"mappings":"AAEA,4DAA4D;AAC5D,oBAAY,oBAAoB;IAC9B,qDAAqD;IACrD,cAAc,mBAAmB;IACjC,mDAAmD;IACnD,yBAAyB,8BAA8B;IACvD,uEAAuE;IACvE,cAAc,mBAAmB;IACjC,uDAAuD;IACvD,cAAc,mBAAmB;IACjC,0DAA0D;IAC1D,eAAe,oBAAoB;IACnC,yDAAyD;IACzD,eAAe,oBAAoB;IACnC,+EAA+E;IAC/E,cAAc,mBAAmB;IACjC;;;OAGG;IACH,iBAAiB,sBAAsB;IACvC;;;;;OAKG;IACH,cAAc,mBAAmB;CAClC;AAED,kDAAkD;AAClD,qBAAa,gBAAiB,SAAQ,KAAK;IAKvC,mCAAmC;aACnB,IAAI,EAAE,oBAAoB;IAL5C,yFAAyF;IACzF,SAAkB,IAAI,sBAAsB;IAC5C,0FAA0F;;IAExF,mCAAmC;IACnB,IAAI,EAAE,oBAAoB,EAC1C,OAAO,EAAE,MAAM,EACf,OAAO,CAAC,EAAE;QAAE,KAAK,CAAC,EAAE,OAAO,CAAA;KAAE;CAIhC;AAED,0DAA0D;AAC1D,oBAAY,kBAAkB;IAC5B,qDAAqD;IACrD,cAAc,mBAAmB;IACjC,uDAAuD;IACvD,cAAc,mBAAmB;IACjC,mEAAmE;IACnE,uBAAuB,4BAA4B;IACnD,2CAA2C;IAC3C,iBAAiB,sBAAsB;IACvC,uFAAuF;IACvF,gBAAgB,qBAAqB;IACrC,0FAA0F;IAC1F,cAAc,mBAAmB;IACjC;;;;;OAKG;IACH,gBAAgB,qBAAqB;CACtC;AAED,gDAAgD;AAChD,qBAAa,cAAe,SAAQ,KAAK;IAKrC,mCAAmC;aACnB,IAAI,EAAE,kBAAkB;IAL1C,uFAAuF;IACvF,SAAkB,IAAI,oBAAoB;IAC1C,wFAAwF;;IAEtF,mCAAmC;IACnB,IAAI,EAAE,kBAAkB,EACxC,OAAO,EAAE,MAAM,EACf,OAAO,CAAC,EAAE;QAAE,KAAK,CAAC,EAAE,OAAO,CAAA;KAAE;CAIhC"}

package/esm/src/errors.js

@@ -16,19 +16,33 @@ export var AttestationErrorCode;
     AttestationErrorCode["INVALID_COUNTER"] = "INVALID_COUNTER";
     /** AAGUID does not match the expected environment (production/development). */
     AttestationErrorCode["INVALID_AAGUID"] = "INVALID_AAGUID";
+    /**
+     * The `consumeChallenge` callback returned `false`, meaning the challenge
+     * was missing, expired, or already consumed. Used by {@linkcode withAttestation}.
+     */
+    AttestationErrorCode["CHALLENGE_INVALID"] = "CHALLENGE_INVALID";
+    /**
+     * An internal or storage callback error occurred (used by
+     * {@linkcode withAttestation}). The original error is attached via
+     * `Error.cause` and is deliberately NOT reflected in the HTTP response
+     * body to avoid leaking database schema or driver diagnostics.
+     */
+    AttestationErrorCode["INTERNAL_ERROR"] = "INTERNAL_ERROR";
 })(AttestationErrorCode || (AttestationErrorCode = {}));
 /** Thrown when attestation verification fails. */
 export class AttestationError extends Error {
+    /** Create an AttestationError with a machine-readable code and human-readable message. */
     constructor(
     /** Machine-readable error code. */
-    code, message) {
-        super(message);
+    code, message, options) {
+        super(message, options);
         Object.defineProperty(this, "code", {
             enumerable: true,
             configurable: true,
             writable: true,
             value: code
         });
+        /** Discriminant for `instanceof` checks in catch blocks. Always `"AttestationError"`. */
         Object.defineProperty(this, "name", {
             enumerable: true,
             configurable: true,
@@ -52,9 +66,17 @@ export var AssertionErrorCode;
     AssertionErrorCode["DEVICE_NOT_FOUND"] = "DEVICE_NOT_FOUND";
     /** An internal or storage callback error occurred (used by {@linkcode withAssertion}). */
     AssertionErrorCode["INTERNAL_ERROR"] = "INTERNAL_ERROR";
+    /**
+     * The `commitSignCount` callback returned `false`, meaning another
+     * concurrent request already advanced the stored counter past this value.
+     * Indicates an expected race under concurrent load, not a client bug.
+     * Used by {@linkcode withAssertion}.
+     */
+    AssertionErrorCode["SIGN_COUNT_STALE"] = "SIGN_COUNT_STALE";
 })(AssertionErrorCode || (AssertionErrorCode = {}));
 /** Thrown when assertion verification fails. */
 export class AssertionError extends Error {
+    /** Create an AssertionError with a machine-readable code and human-readable message. */
     constructor(
     /** Machine-readable error code. */
     code, message, options) {
@@ -65,6 +87,7 @@ export class AssertionError extends Error {
             writable: true,
             value: code
         });
+        /** Discriminant for `instanceof` checks in catch blocks. Always `"AssertionError"`. */
         Object.defineProperty(this, "name", {
             enumerable: true,
             configurable: true,

package/esm/src/utils.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"utils.d.ts","sourceRoot":"","sources":["../../src/src/utils.ts"],"names":[],"mappings":"AAGA,iDAAiD;AACjD,wBAAgB,MAAM,CAAC,GAAG,MAAM,EAAE,UAAU,EAAE,GAAG,UAAU,CAU1D;AAED,mDAAmD;AACnD,wBAAgB,iBAAiB,CAAC,CAAC,EAAE,UAAU,EAAE,CAAC,EAAE,UAAU,GAAG,OAAO,CAOvE;AAED,2EAA2E;AAC3E,wBAAgB,iBAAiB,CAAC,KAAK,EAAE,UAAU,GAAG,MAAM,GAAG,UAAU,CAGxE;AAED,6EAA6E;AAC7E,wBAAgB,OAAO,CAAC,KAAK,EAAE,UAAU,GAAG,MAAM,GAAG,UAAU,CAG9D;AAED,wFAAwF;AACxF,wBAAsB,kBAAkB,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,SAAS,CAAC,CAaxE;AAED,qDAAqD;AACrD,wBAAsB,cAAc,CAAC,GAAG,EAAE,SAAS,GAAG,OAAO,CAAC,MAAM,CAAC,CAIpE"}
+{"version":3,"file":"utils.d.ts","sourceRoot":"","sources":["../../src/src/utils.ts"],"names":[],"mappings":"AAGA,iDAAiD;AACjD,wBAAgB,MAAM,CAAC,GAAG,MAAM,EAAE,UAAU,EAAE,GAAG,UAAU,CAU1D;AAED,mDAAmD;AACnD,wBAAgB,iBAAiB,CAAC,CAAC,EAAE,UAAU,EAAE,CAAC,EAAE,UAAU,GAAG,OAAO,CAMvE;AAED,2EAA2E;AAC3E,wBAAgB,iBAAiB,CAAC,KAAK,EAAE,UAAU,GAAG,MAAM,GAAG,UAAU,CAGxE;AAED,6EAA6E;AAC7E,wBAAgB,OAAO,CAAC,KAAK,EAAE,UAAU,GAAG,MAAM,GAAG,UAAU,CAG9D;AAED,wFAAwF;AACxF,wBAAsB,kBAAkB,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,SAAS,CAAC,CAaxE;AAED,qDAAqD;AACrD,wBAAsB,cAAc,CAAC,GAAG,EAAE,SAAS,GAAG,OAAO,CAAC,MAAM,CAAC,CAIpE"}

package/esm/src/utils.js

@@ -15,10 +15,8 @@ export function concat(...arrays) {
 }
 /** Constant-time comparison of two byte arrays. */
 export function constantTimeEqual(a, b) {
-    if (a.length !== b.length)
-        return false;
-    let diff = 0;
-    for (let i = 0; i < a.length; i++) {
+    let diff = a.length ^ b.length;
+    for (let i = 0; i < a.length && i < b.length; i++) {
         diff |= a[i] ^ b[i];
     }
     return diff === 0;
@@ -47,6 +45,6 @@ export async function importPemPublicKey(pem) {
 /** Export a CryptoKey to PEM-encoded SPKI format. */
 export async function exportKeyToPem(key) {
     const spki = await crypto.subtle.exportKey("spki", key);
-    const base64 = encodeBase64(spki);
+    const base64 = encodeBase64(spki).match(/.{1,64}/g).join("\n");
     return `-----BEGIN PUBLIC KEY-----\n${base64}\n-----END PUBLIC KEY-----`;
 }

package/esm/src/with-assertion.d.ts

@@ -10,6 +10,21 @@ export type DeviceKey = {
     /** Last verified sign count for this device. */
     signCount: number;
 };
+/**
+ * Library-internal timing spans for an assertion verification, in
+ * milliseconds. Exposed on {@linkcode AssertionContext.timings} so the
+ * wrapped handler can emit them as part of its own Server-Timing response.
+ */
+export type AssertionTimings = {
+    /** Parse request headers and read raw body bytes. */
+    extractMs: number;
+    /** `getDeviceKey` callback wall-clock duration. */
+    getDeviceKeyMs: number;
+    /** Cryptographic verification (CBOR decode, ECDSA verify, counter check). */
+    verifyMs: number;
+    /** `commitSignCount` callback wall-clock duration. */
+    commitMs: number;
+};
 /** Context passed to the inner handler after successful assertion verification. */
 export type AssertionContext = {
     /** Device identifier from the request. */
@@ -18,6 +33,8 @@ export type AssertionContext = {
     signCount: number;
     /** Raw request body bytes (the client data that was signed). */
     rawBody: Uint8Array;
+    /** Library-internal timings, ready to merge into Server-Timing. */
+    timings: AssertionTimings;
 };
 /** Custom function to extract assertion data from an incoming request. */
 export type ExtractAssertionFn = (req: Request) => Promise<{
@@ -33,8 +50,24 @@ export type WithAssertionOptions = {
     developmentEnv?: boolean;
     /** Retrieve the stored device key for a given device ID. Return `null` if not found. */
     getDeviceKey: (deviceId: string) => Promise<DeviceKey | null>;
-    /** Persist the new sign count after successful verification. */
-    updateSignCount: (deviceId: string, newSignCount: number) => Promise<void>;
+    /**
+     * Atomically advance the stored sign count. MUST be implemented as a
+     * compare-and-swap: only update if the currently stored value is strictly
+     * less than `newSignCount`. Returns `true` if the row was advanced,
+     * `false` if another concurrent request already advanced past this value.
+     *
+     * Recommended SQL pattern against Postgres:
+     *
+     * ```sql
+     * UPDATE app_attest_devices
+     *    SET sign_count = $1, last_seen_at = now()
+     *  WHERE device_id = $2 AND sign_count < $1
+     * ```
+     *
+     * Return `rowCount > 0`. The library converts `false` into
+     * `AssertionError(SIGN_COUNT_STALE)`.
+     */
+    commitSignCount: (deviceId: string, newSignCount: number) => Promise<boolean>;
     /** Override the default header-based assertion extraction. */
     extractAssertion?: ExtractAssertionFn;
     /** Custom error response handler. Defaults to JSON error responses. */
@@ -44,8 +77,13 @@ export type WithAssertionOptions = {
  * Request handler middleware that verifies App Attest assertions.
  *
  * Wraps a handler function with automatic assertion verification,
- * device key lookup, and sign count management. Returns a new handler
+ * device key lookup, and atomic sign-count commit. Returns a new handler
  * that rejects unauthenticated requests with appropriate HTTP error responses.
+ *
+ * The `commitSignCount` callback MUST implement compare-and-swap semantics
+ * (see {@linkcode WithAssertionOptions.commitSignCount}) — a non-atomic
+ * unconditional write will silently corrupt replay protection under
+ * concurrent load.
  */
 export declare function withAssertion(options: WithAssertionOptions, handler: (req: Request, context: AssertionContext) => Response | Promise<Response>): (req: Request) => Promise<Response>;
 //# sourceMappingURL=with-assertion.d.ts.map

package/esm/src/with-assertion.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"with-assertion.d.ts","sourceRoot":"","sources":["../../src/src/with-assertion.ts"],"names":[],"mappings":"AAGA,OAAO,EAAE,cAAc,EAAsB,MAAM,aAAa,CAAC;AAEjE,iEAAiE;AACjE,eAAO,MAAM,wBAAwB,2BAA2B,CAAC;AACjE,0DAA0D;AAC1D,eAAO,MAAM,wBAAwB,2BAA2B,CAAC;AAEjE,0EAA0E;AAC1E,MAAM,MAAM,SAAS,GAAG;IACtB,2DAA2D;IAC3D,YAAY,EAAE,MAAM,CAAC;IACrB,gDAAgD;IAChD,SAAS,EAAE,MAAM,CAAC;CACnB,CAAC;AAEF,mFAAmF;AACnF,MAAM,MAAM,gBAAgB,GAAG;IAC7B,0CAA0C;IAC1C,QAAQ,EAAE,MAAM,CAAC;IACjB,6CAA6C;IAC7C,SAAS,EAAE,MAAM,CAAC;IAClB,gEAAgE;IAChE,OAAO,EAAE,UAAU,CAAC;CACrB,CAAC;AAEF,0EAA0E;AAC1E,MAAM,MAAM,kBAAkB,GAAG,CAAC,GAAG,EAAE,OAAO,KAAK,OAAO,CAAC;IACzD,SAAS,EAAE,MAAM,CAAC;IAClB,QAAQ,EAAE,MAAM,CAAC;IACjB,UAAU,EAAE,UAAU,CAAC;CACxB,CAAC,CAAC;AAEH,kEAAkE;AAClE,MAAM,MAAM,oBAAoB,GAAG;IACjC,oDAAoD;IACpD,KAAK,EAAE,MAAM,CAAC;IACd,8DAA8D;IAC9D,cAAc,CAAC,EAAE,OAAO,CAAC;IACzB,wFAAwF;IACxF,YAAY,EAAE,CAAC,QAAQ,EAAE,MAAM,KAAK,OAAO,CAAC,SAAS,GAAG,IAAI,CAAC,CAAC;IAC9D,gEAAgE;IAChE,eAAe,EAAE,CAAC,QAAQ,EAAE,MAAM,EAAE,YAAY,EAAE,MAAM,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;IAC3E,8DAA8D;IAC9D,gBAAgB,CAAC,EAAE,kBAAkB,CAAC;IACtC,uEAAuE;IACvE,OAAO,CAAC,EAAE,CACR,KAAK,EAAE,cAAc,EACrB,GAAG,EAAE,OAAO,KACT,QAAQ,GAAG,OAAO,CAAC,QAAQ,CAAC,CAAC;CACnC,CAAC;AAmCF;;;;;;GAMG;AACH,wBAAgB,aAAa,CAC3B,OAAO,EAAE,oBAAoB,EAC7B,OAAO,EAAE,CACP,GAAG,EAAE,OAAO,EACZ,OAAO,EAAE,gBAAgB,KACtB,QAAQ,GAAG,OAAO,CAAC,QAAQ,CAAC,GAChC,CAAC,GAAG,EAAE,OAAO,KAAK,OAAO,CAAC,QAAQ,CAAC,CAuErC"}
+{"version":3,"file":"with-assertion.d.ts","sourceRoot":"","sources":["../../src/src/with-assertion.ts"],"names":[],"mappings":"AAGA,OAAO,EAAE,cAAc,EAAsB,MAAM,aAAa,CAAC;AAEjE,iEAAiE;AACjE,eAAO,MAAM,wBAAwB,2BAA2B,CAAC;AACjE,0DAA0D;AAC1D,eAAO,MAAM,wBAAwB,2BAA2B,CAAC;AAEjE,0EAA0E;AAC1E,MAAM,MAAM,SAAS,GAAG;IACtB,2DAA2D;IAC3D,YAAY,EAAE,MAAM,CAAC;IACrB,gDAAgD;IAChD,SAAS,EAAE,MAAM,CAAC;CACnB,CAAC;AAEF;;;;GAIG;AACH,MAAM,MAAM,gBAAgB,GAAG;IAC7B,qDAAqD;IACrD,SAAS,EAAE,MAAM,CAAC;IAClB,mDAAmD;IACnD,cAAc,EAAE,MAAM,CAAC;IACvB,6EAA6E;IAC7E,QAAQ,EAAE,MAAM,CAAC;IACjB,sDAAsD;IACtD,QAAQ,EAAE,MAAM,CAAC;CAClB,CAAC;AAEF,mFAAmF;AACnF,MAAM,MAAM,gBAAgB,GAAG;IAC7B,0CAA0C;IAC1C,QAAQ,EAAE,MAAM,CAAC;IACjB,6CAA6C;IAC7C,SAAS,EAAE,MAAM,CAAC;IAClB,gEAAgE;IAChE,OAAO,EAAE,UAAU,CAAC;IACpB,mEAAmE;IACnE,OAAO,EAAE,gBAAgB,CAAC;CAC3B,CAAC;AAEF,0EAA0E;AAC1E,MAAM,MAAM,kBAAkB,GAAG,CAAC,GAAG,EAAE,OAAO,KAAK,OAAO,CAAC;IACzD,SAAS,EAAE,MAAM,CAAC;IAClB,QAAQ,EAAE,MAAM,CAAC;IACjB,UAAU,EAAE,UAAU,CAAC;CACxB,CAAC,CAAC;AAEH,kEAAkE;AAClE,MAAM,MAAM,oBAAoB,GAAG;IACjC,oDAAoD;IACpD,KAAK,EAAE,MAAM,CAAC;IACd,8DAA8D;IAC9D,cAAc,CAAC,EAAE,OAAO,CAAC;IACzB,wFAAwF;IACxF,YAAY,EAAE,CAAC,QAAQ,EAAE,MAAM,KAAK,OAAO,CAAC,SAAS,GAAG,IAAI,CAAC,CAAC;IAC9D;;;;;;;;;;;;;;;;OAgBG;IACH,eAAe,EAAE,CAAC,QAAQ,EAAE,MAAM,EAAE,YAAY,EAAE,MAAM,KAAK,OAAO,CAAC,OAAO,CAAC,CAAC;IAC9E,8DAA8D;IAC9D,gBAAgB,CAAC,EAAE,kBAAkB,CAAC;IACtC,uEAAuE;IACvE,OAAO,CAAC,EAAE,CACR,KAAK,EAAE,cAAc,EACrB,GAAG,EAAE,OAAO,KACT,QAAQ,GAAG,OAAO,CAAC,QAAQ,CAAC,CAAC;CACnC,CAAC;AAmCF;;;;;;;;;;;GAWG;AACH,wBAAgB,aAAa,CAC3B,OAAO,EAAE,oBAAoB,EAC7B,OAAO,EAAE,CACP,GAAG,EAAE,OAAO,EACZ,OAAO,EAAE,gBAAgB,KACtB,QAAQ,GAAG,OAAO,CAAC,QAAQ,CAAC,GAChC,CAAC,GAAG,EAAE,OAAO,KAAK,OAAO,CAAC,QAAQ,CAAC,CAiGrC"}