@cello-protocol/daemon 0.0.8 → 0.0.9

package/dist/identity-migration.js

@@ -0,0 +1,455 @@
+/**
+ * CELLO-M7-PERSIST-002 — Unit 4/6: one-time migration of pre-story flat-file state and a plaintext
+ * node:sqlite DB into the single SQLCipher-encrypted daemon DB (AC-006, DB-002).
+ *
+ * Before this story the daemon kept:
+ *   - identity as plaintext flat files: `agents/<name>/key` (37-byte CELLO seed), `frost-share.json`,
+ *     `ml-dsa-keypair.json`, `registration-state.json`, `agent-user-link.json`, and the legacy
+ *     single-file `~/.cello/key` (loaded as agent "default");
+ *   - sessions/transcript/etc. in a PLAINTEXT `sessions.db` (node:sqlite), with two columns
+ *     (transcript.blob, retry_queue.content_blob) envelope-encrypted by a sibling
+ *     `sessions.db.transcript-key`.
+ *
+ * This migration runs at daemon startup BEFORE the encrypted DB is opened. If it detects either a
+ * plaintext DB or any flat-file identity, it builds a fresh SQLCipher DB (at `<dbPath>.migrating`),
+ * imports every row of the old DB (decrypting the two column-ciphered blobs to plaintext) AND every
+ * flat-file identity item into `agents` rows, verifies, then atomically swaps it into place — backing
+ * up the old plaintext DB to `<dbPath>.pre-sqlcipher.bak` and deleting the flat files. It is
+ * idempotent: once the DB is encrypted and the flat files are gone, it is a no-op.
+ *
+ * Fail-closed (SI-002/DB-002): on ANY error it aborts cleanly — the original flat files / plaintext
+ * DB are left in place, the partial `.migrating` DB is discarded, and the caller surfaces
+ * `identity_migration_failed`. No identity is lost and no plaintext is left half-migrated.
+ */
+import { existsSync, readFileSync, readdirSync, statSync, renameSync, unlinkSync, } from "node:fs";
+import { join, dirname } from "node:path";
+import { createDecipheriv } from "node:crypto";
+import { DatabaseSync } from "node:sqlite";
+import { InMemoryKeyProvider, decodeKeyFileSeed } from "@cello-protocol/crypto";
+import { openEncryptedDatabase, isPlaintextSqliteFile, resolveDbKey, dbKeyPathFor, } from "./sqlcipher-db.js";
+import { ensureIdentitySchema } from "./db-identity-store.js";
+import { ensureManifestSchema } from "./manifest-version-store-db.js";
+export class IdentityMigrationError extends Error {
+    code = "identity_migration_failed";
+    guidance;
+    constructor(message, guidance) {
+        super(message);
+        this.name = "IdentityMigrationError";
+        this.guidance = guidance;
+    }
+}
+const REG_FILES = {
+    frost: "frost-share.json",
+    mlDsa: "ml-dsa-keypair.json",
+    reg: "registration-state.json",
+    link: "agent-user-link.json",
+};
+const hexToBytes = (s) => new Uint8Array(Buffer.from(s, "hex"));
+/** Decrypt a legacy column blob (iv(12)||ct||tag(16)) with the old transcript key; null on failure. */
+function decryptColumnBlob(blob, key) {
+    if (blob.length < 12 + 16)
+        return null;
+    const buf = Buffer.from(blob);
+    const iv = buf.subarray(0, 12);
+    const tag = buf.subarray(buf.length - 16);
+    const ct = buf.subarray(12, buf.length - 16);
+    try {
+        const d = createDecipheriv("aes-256-gcm", key, iv);
+        d.setAuthTag(tag);
+        return Uint8Array.from(Buffer.concat([d.update(ct), d.final()]));
+    }
+    catch {
+        return null;
+    }
+}
+/** Read + parse a flat JSON identity file, or null if absent. */
+function readJson(path) {
+    if (!existsSync(path))
+        return null;
+    return JSON.parse(readFileSync(path, "utf8"));
+}
+/** Enumerate pre-story agent directories that hold a `key` file. */
+function discoverFlatAgents(celloDir) {
+    const out = [];
+    const agentsDir = join(celloDir, "agents");
+    if (existsSync(agentsDir) && statSync(agentsDir).isDirectory()) {
+        for (const entry of readdirSync(agentsDir, { withFileTypes: true })) {
+            if (!entry.isDirectory())
+                continue;
+            const dir = join(agentsDir, entry.name);
+            const keyPath = join(dir, "key");
+            if (existsSync(keyPath))
+                out.push({ name: entry.name, dir, keyPath });
+        }
+    }
+    // Legacy single-file ~/.cello/key → agent "default" (only when there's no agents/default already).
+    const legacyKey = join(celloDir, "key");
+    if (existsSync(legacyKey) && !out.some((a) => a.name === "default")) {
+        out.push({ name: "default", dir: celloDir, keyPath: legacyKey });
+    }
+    return out;
+}
+/** True if there is any pre-story flat-file identity to migrate. */
+function hasFlatIdentity(celloDir) {
+    return discoverFlatAgents(celloDir).length > 0;
+}
+const MANIFEST_FILE = "manifest-version.json";
+/**
+ * Carry the legacy anti-rollback floor (`manifest-version.json`) into the encrypted `manifest_state`
+ * table. CRITICAL (fallback-finder HIGH): without this, an upgraded operator's last-seen manifest
+ * version resets to null on first start, re-opening a manifest-DOWNGRADE window for one cycle. The
+ * upsert keeps the MAX of any existing floor, so it can never LOWER the floor. Returns true if a
+ * value was imported.
+ */
+function importManifestVersion(celloDir, db, logger) {
+    const obj = readJson(join(celloDir, MANIFEST_FILE));
+    if (!obj || typeof obj["lastSeenVersion"] !== "number")
+        return false;
+    ensureManifestSchema(db);
+    db.prepare(`INSERT INTO manifest_state (id, last_seen_version, updated_at) VALUES (1, ?, ?)
+     ON CONFLICT(id) DO UPDATE SET last_seen_version = MAX(last_seen_version, excluded.last_seen_version), updated_at = excluded.updated_at`).run(obj["lastSeenVersion"], Date.now());
+    logger.info("persist.manifest.version.migrated", { version: obj["lastSeenVersion"] });
+    return true;
+}
+/**
+ * Run the one-time migration if needed. Returns { migrated:false } when there is nothing to do
+ * (fresh install or an already-encrypted DB with no flat files).
+ */
+export function migrateToEncryptedIfNeeded(dbPath, logger) {
+    const celloDir = dirname(dbPath);
+    const keyPath = dbKeyPathFor(dbPath);
+    const migratingPath = `${dbPath}.migrating`;
+    // Resume a crash in the tiny window between the backup-rename and the swap-rename: a COMPLETED
+    // `.migrating` exists but `dbPath` is gone. Promote it (instead of the in-place branch rebuilding a
+    // fresh EMPTY DB and orphaning the migrated session/transcript history — code-review M1). Only if it
+    // decrypts with the key; otherwise discard the partial and let the originals drive a fresh attempt.
+    if (!existsSync(dbPath) && existsSync(migratingPath) && existsSync(keyPath)) {
+        try {
+            const k = new Uint8Array(readFileSync(keyPath));
+            openEncryptedDatabase(migratingPath, k, logger).close(); // probe: decrypts?
+            renameSync(migratingPath, dbPath);
+            for (const ext of ["-wal", "-shm"]) {
+                if (existsSync(`${migratingPath}${ext}`))
+                    renameSync(`${migratingPath}${ext}`, `${dbPath}${ext}`);
+            }
+            logger.warn("persist.identity.migrate.resumed", {});
+        }
+        catch {
+            for (const p of [migratingPath, `${migratingPath}-wal`, `${migratingPath}-shm`]) {
+                if (existsSync(p)) {
+                    try {
+                        unlinkSync(p);
+                    }
+                    catch { /* ignore */ }
+                }
+            }
+        }
+    }
+    const plaintextDb = isPlaintextSqliteFile(dbPath);
+    const flatIdentity = hasFlatIdentity(celloDir);
+    // The legacy anti-rollback floor file ALSO requires a migration pass even when there is no flat
+    // identity / plaintext DB (an already-encrypted DB whose manifest floor still sits in a file).
+    const manifestFile = existsSync(join(celloDir, MANIFEST_FILE));
+    if (!plaintextDb && !flatIdentity && !manifestFile) {
+        return { migrated: false, agentsMigrated: 0, rowsMigrated: 0 };
+    }
+    // ── In-place flat-identity import: the DB is ALREADY encrypted (or absent) and only flat-file
+    // identity remains to be imported. There is NO plaintext DB to re-encrypt, so we must NOT build a
+    // fresh DB and swap it over the existing one (that would destroy the existing encrypted data —
+    // sessions, transcript, hash chain). Open the existing/created encrypted DB and import in place. ──
+    if (!plaintextDb) {
+        let key;
+        try {
+            key = resolveDbKey(dbPath, keyPath); // loads the existing key, or generates one if the DB is absent
+        }
+        catch (err) {
+            throw new IdentityMigrationError(`could not open the encrypted DB for in-place identity import: ${err instanceof Error ? err.message : String(err)}`, "Restore the SQLCipher key file, then restart.");
+        }
+        let db = null;
+        let agentsMigrated = 0;
+        try {
+            db = openEncryptedDatabase(dbPath, key, logger);
+            ensureIdentitySchema(db);
+            agentsMigrated = importFlatIdentity(celloDir, db, logger);
+            importManifestVersion(celloDir, db, logger); // carry the anti-rollback floor (HIGH)
+            db.close();
+            db = null;
+        }
+        catch (err) {
+            if (db) {
+                try {
+                    db.close();
+                }
+                catch { /* ignore */ }
+            }
+            if (err instanceof IdentityMigrationError)
+                throw err;
+            throw new IdentityMigrationError(`in-place identity import failed: ${err instanceof Error ? err.message : String(err)}`, "The original flat files are untouched. Resolve the error and restart to retry.");
+        }
+        deleteFlatIdentity(celloDir, logger);
+        logger.info("persist.identity.migrated", { agentsMigrated, rowsMigrated: 0 });
+        return { migrated: true, agentsMigrated, rowsMigrated: 0 };
+    }
+    // ── Re-encrypt path: a PLAINTEXT DB exists. Build a fresh encrypted DB at `<dbPath>.migrating`
+    // (copying every row + importing flat identity), verify, then atomically swap it into place with a
+    // backup of the plaintext original. ──
+    // Clean any stale partial from a previously-interrupted attempt.
+    for (const p of [migratingPath, `${migratingPath}-wal`, `${migratingPath}-shm`]) {
+        if (existsSync(p))
+            unlinkSync(p);
+    }
+    // The SQLCipher key for the NEW encrypted DB. Reuse the key file if a prior attempt already wrote
+    // one; otherwise generate it via resolveDbKey on the migrating path (which has no DB yet → fresh).
+    let dbKey;
+    try {
+        dbKey = existsSync(keyPath)
+            ? new Uint8Array(readFileSync(keyPath))
+            : resolveDbKey(migratingPath, keyPath); // generates + writes keyPath (migrating DB absent → fresh)
+    }
+    catch (err) {
+        throw new IdentityMigrationError(`could not establish a SQLCipher key for migration: ${err instanceof Error ? err.message : String(err)}`, "Ensure the CELLO directory is writable, then restart.");
+    }
+    let encDb = null;
+    let agentsMigrated = 0;
+    let rowsMigrated = 0;
+    try {
+        encDb = openEncryptedDatabase(migratingPath, dbKey, logger);
+        ensureIdentitySchema(encDb);
+        // (1) Copy the old plaintext DB's schema + rows, decrypting the two column-ciphered blobs.
+        if (plaintextDb) {
+            rowsMigrated = copyPlaintextDb(dbPath, encDb, celloDir, logger);
+        }
+        // (2) Import flat-file identity into `agents` rows + the anti-rollback floor into manifest_state.
+        agentsMigrated = importFlatIdentity(celloDir, encDb, logger);
+        importManifestVersion(celloDir, encDb, logger);
+        encDb.close();
+        encDb = null;
+    }
+    catch (err) {
+        if (encDb) {
+            try {
+                encDb.close();
+            }
+            catch { /* ignore */ }
+        }
+        for (const p of [migratingPath, `${migratingPath}-wal`, `${migratingPath}-shm`]) {
+            if (existsSync(p)) {
+                try {
+                    unlinkSync(p);
+                }
+                catch { /* ignore */ }
+            }
+        }
+        if (err instanceof IdentityMigrationError)
+            throw err;
+        throw new IdentityMigrationError(`migration failed before commit: ${err instanceof Error ? err.message : String(err)}`, "The original data is untouched. Resolve the error (e.g. disk space) and restart to retry.");
+    }
+    // ── Commit: back up + swap the DB, then delete the flat files. Past this point identity is in the
+    // encrypted DB; deleting the now-redundant plaintext originals completes the move. ──
+    try {
+        if (plaintextDb) {
+            renameSync(dbPath, `${dbPath}.pre-sqlcipher.bak`);
+            // The old WAL/SHM + the column-cipher key are superseded — remove them.
+            for (const p of [`${dbPath}-wal`, `${dbPath}-shm`, `${dbPath}.transcript-key`]) {
+                if (existsSync(p)) {
+                    try {
+                        unlinkSync(p);
+                    }
+                    catch { /* ignore */ }
+                }
+            }
+        }
+        renameSync(migratingPath, dbPath);
+        for (const p of [`${migratingPath}-wal`, `${migratingPath}-shm`]) {
+            if (existsSync(p))
+                renameSync(p, p.replace(`${dbPath}.migrating`, dbPath));
+        }
+        deleteFlatIdentity(celloDir, logger);
+    }
+    catch (err) {
+        throw new IdentityMigrationError(`migration failed during commit/cleanup: ${err instanceof Error ? err.message : String(err)}`, "Inspect the CELLO directory: a .pre-sqlcipher.bak backup of the original DB is retained.");
+    }
+    logger.info("persist.identity.migrated", { agentsMigrated, rowsMigrated });
+    return { migrated: true, agentsMigrated, rowsMigrated };
+}
+/**
+ * Copy every table + row from the old plaintext DB into the encrypted DB, decrypting the two
+ * column-ciphered blobs to plaintext. A row whose transcript/retry blob CANNOT be decrypted (the old
+ * transcript-key is missing or the blob fails GCM) is SKIPPED with a loud error — it is NEVER stored
+ * as ciphertext-masquerading-as-plaintext (which the rest of the daemon would TextDecode into garbage;
+ * fallback-finder HIGH). After each table, the copied count is VERIFIED against (old count − skipped);
+ * a mismatch means INSERT OR IGNORE silently dropped a row → abort (the docstring's "verify" is real).
+ */
+function copyPlaintextDb(dbPath, encDb, _celloDir, logger) {
+    const old = new DatabaseSync(dbPath);
+    try {
+        const transcriptKeyPath = `${dbPath}.transcript-key`;
+        const transcriptKey = existsSync(transcriptKeyPath) ? readFileSync(transcriptKeyPath) : null;
+        const tables = old
+            .prepare("SELECT name, sql FROM sqlite_master WHERE type='table' AND name NOT LIKE 'sqlite_%'")
+            .all().filter((t) => t.sql);
+        let totalCopied = 0;
+        for (const t of tables) {
+            // Recreate the table in the encrypted DB (the old CREATE statement, made idempotent).
+            encDb.exec(t.sql.replace(/^CREATE TABLE/i, "CREATE TABLE IF NOT EXISTS"));
+            const cols = old.prepare(`PRAGMA table_info(${t.name})`).all().map((c) => c.name);
+            if (cols.length === 0)
+                continue;
+            const allRows = old.prepare(`SELECT * FROM ${t.name}`).all();
+            if (allRows.length === 0)
+                continue;
+            const placeholders = cols.map(() => "?").join(", ");
+            const insert = encDb.prepare(`INSERT OR IGNORE INTO ${t.name} (${cols.join(", ")}) VALUES (${placeholders})`);
+            let copied = 0;
+            let skipped = 0;
+            for (const r of allRows) {
+                let undecryptable = false;
+                const values = cols.map((c) => {
+                    let v = r[c];
+                    if (v instanceof Uint8Array && ((t.name === "transcript" && c === "blob") || (t.name === "retry_queue" && c === "content_blob"))) {
+                        const pt = transcriptKey ? decryptColumnBlob(v, transcriptKey) : null;
+                        if (pt !== null)
+                            v = Buffer.from(pt);
+                        else
+                            undecryptable = true;
+                    }
+                    return v;
+                });
+                if (undecryptable) {
+                    // Drop the row rather than store ciphertext-as-plaintext (silent corruption). The session's
+                    // authoritative hash chain (session_tree_leaves) is unaffected; only this readable copy is lost.
+                    logger.error("persist.identity.migrate.blob.undecryptable", { table: t.name });
+                    skipped++;
+                    continue;
+                }
+                insert.run(...values);
+                copied++;
+            }
+            // Verify: every old row was either copied or deliberately skipped — none silently dropped by IGNORE.
+            const newCount = Number(encDb.prepare(`SELECT COUNT(*) AS c FROM ${t.name}`).get().c);
+            if (newCount !== copied) {
+                throw new IdentityMigrationError(`row-count mismatch migrating table '${t.name}': expected ${copied}, found ${newCount}`, "A row was unexpectedly dropped during migration. The original DB is untouched; restart to retry.");
+            }
+            if (skipped > 0)
+                logger.warn("persist.identity.migrate.table.partial", { table: t.name, copied, skipped });
+            totalCopied += copied;
+        }
+        return totalCopied;
+    }
+    finally {
+        old.close();
+    }
+}
+/** Quarantine an agent's flat files (key + sibling secrets) to `*.corrupt`. */
+function quarantineFlatAgent(a, logger) {
+    for (const f of [a.keyPath, ...Object.values(REG_FILES).map((n) => join(a.dir, n))]) {
+        if (existsSync(f)) {
+            try {
+                renameSync(f, `${f}.corrupt`);
+            }
+            catch { /* ignore */ }
+        }
+    }
+    logger.warn("persist.identity.migrate.agent.quarantined", { agentName: a.name });
+}
+/** Import each pre-story agent's flat files into one `agents` row. Returns the count imported. */
+function importFlatIdentity(celloDir, encDb, logger) {
+    const agents = discoverFlatAgents(celloDir);
+    let count = 0;
+    for (const a of agents) {
+        // Skip an agent that already exists in the encrypted DB (e.g. a prior in-place run imported it but
+        // a cleanup unlink failed) — never overwrite live DB identity with stale flat-file values
+        // (fallback-finder / code-review LOW). deleteFlatIdentity will remove the redundant files.
+        const exists = encDb.prepare("SELECT 1 AS one FROM agents WHERE agent_name = ?").get(a.name);
+        if (exists)
+            continue;
+        // K_local seed from the 37-byte CELLO key file. A corrupt key SKIPS the WHOLE agent — its key AND
+        // its sibling plaintext secrets (frost-share/ml-dsa/link) are quarantined to `*.corrupt` so no
+        // plaintext secret is left on disk (code-review HIGH). One unreadable agent must not down the
+        // daemon (availability); its identity is unrecoverable anyway, so the daemon starts without it.
+        let seed;
+        try {
+            seed = decodeKeyFileSeed(new Uint8Array(readFileSync(a.keyPath)));
+        }
+        catch (err) {
+            logger.error("persist.identity.migrate.key.corrupt", {
+                agentName: a.name,
+                error: err?.message ?? String(err),
+            });
+            quarantineFlatAgent(a, logger);
+            continue;
+        }
+        const pubkeyHex = Buffer.from(deriverPubkey(seed)).toString("hex");
+        const reg = readJson(join(a.dir, REG_FILES.reg));
+        const mlDsa = readJson(join(a.dir, REG_FILES.mlDsa));
+        const frost = readJson(join(a.dir, REG_FILES.frost));
+        const link = readJson(join(a.dir, REG_FILES.link));
+        const state = reg ? "registered" : "created";
+        const now = Date.now();
+        encDb
+            .prepare(`INSERT OR IGNORE INTO agents (agent_name, k_local_seed, k_local_pubkey, state, created_at, updated_at)
+         VALUES (?, ?, ?, ?, ?, ?)`)
+            .run(a.name, Buffer.from(seed), pubkeyHex, state, now, now);
+        if (mlDsa) {
+            encDb
+                .prepare("UPDATE agents SET ml_dsa_pubkey = ?, ml_dsa_secret = ?, ml_dsa_algorithm = ? WHERE agent_name = ?")
+                .run(String(mlDsa["mlDsaPubkey"]), Buffer.from(hexToBytes(String(mlDsa["secretKeyBlob"]))), String(mlDsa["algorithm"] ?? "ML-DSA-44"), a.name);
+        }
+        if (frost) {
+            encDb
+                .prepare(`UPDATE agents SET frost_epoch_id=?, frost_primary_pubkey=?, frost_identifier=?, frost_signing_share=?,
+             frost_threshold=?, frost_participants=?, frost_commitments=?, frost_verifying_shares=?, frost_dkg_method=?
+           WHERE agent_name=?`)
+                .run(String(frost["epochId"]), String(frost["primaryPubkey"]), String(frost["identifier"]), Buffer.from(hexToBytes(String(frost["signingShare"]))), Number(frost["threshold"]), Number(frost["participants"]), Buffer.from(hexToBytes(String(frost["commitmentsCbor"]))), Buffer.from(hexToBytes(String(frost["verifyingSharesCbor"]))), String(frost["dkgMethod"]), a.name);
+        }
+        if (reg) {
+            encDb
+                .prepare("UPDATE agents SET reg_agent_id=?, reg_primary_pubkey=?, reg_ml_dsa_pubkey=?, reg_registered_at=?, reg_status=? WHERE agent_name=?")
+                .run(String(reg["agentId"]), String(reg["primaryPubkey"]), String(reg["mlDsaPubkey"]), Number(reg["registeredAt"]), String(reg["status"] ?? "active"), a.name);
+        }
+        if (link) {
+            encDb
+                .prepare("UPDATE agents SET link_agent_id=?, link_pre_auth_token=?, link_linked_at=? WHERE agent_name=?")
+                .run(String(link["agentId"]), String(link["preAuthToken"]), Number(link["linkedAt"]), a.name);
+        }
+        // SI-001: never log the seed/share/secret — only the agent name + count.
+        logger.info("persist.identity.migrated.agent", { agentName: a.name, registered: reg != null });
+        count++;
+    }
+    return count;
+}
+/** Delete every flat-file identity artifact after a successful import. */
+function deleteFlatIdentity(celloDir, logger) {
+    for (const a of discoverFlatAgents(celloDir)) {
+        for (const f of [a.keyPath, ...Object.values(REG_FILES).map((n) => join(a.dir, n))]) {
+            if (existsSync(f)) {
+                try {
+                    unlinkSync(f);
+                }
+                catch (err) {
+                    logger.warn("persist.identity.migrate.cleanup.failed", { file: f, error: String(err) });
+                }
+            }
+        }
+    }
+    // The legacy anti-rollback floor file — its value now lives in manifest_state (importManifestVersion).
+    const manifestPath = join(celloDir, MANIFEST_FILE);
+    if (existsSync(manifestPath)) {
+        try {
+            unlinkSync(manifestPath);
+        }
+        catch (err) {
+            logger.warn("persist.identity.migrate.cleanup.failed", { file: manifestPath, error: String(err) });
+        }
+    }
+}
+/** Derive the Ed25519 public key for a seed (migration helper). */
+function deriverPubkey(seed) {
+    // InMemoryKeyProvider computes the pubkey in its constructor; getPublicKey is async, but the value
+    // is synchronous. We re-derive via a throwaway provider's toJSON (which exposes the hex) to avoid
+    // an async hop in this sync migration.
+    const provider = new InMemoryKeyProvider(seed);
+    const hex = provider.toJSON().publicKey;
+    return new Uint8Array(Buffer.from(hex, "hex"));
+}
+//# sourceMappingURL=identity-migration.js.map

package/dist/identity-migration.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"identity-migration.js","sourceRoot":"","sources":["../src/identity-migration.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;GAsBG;AAEH,OAAO,EACL,UAAU,EACV,YAAY,EACZ,WAAW,EACX,QAAQ,EACR,UAAU,EACV,UAAU,GACX,MAAM,SAAS,CAAC;AACjB,OAAO,EAAE,IAAI,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AAC1C,OAAO,EAAE,gBAAgB,EAAE,MAAM,aAAa,CAAC;AAC/C,OAAO,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAC3C,OAAO,EAAE,mBAAmB,EAAE,iBAAiB,EAAE,MAAM,wBAAwB,CAAC;AAChF,OAAO,EACL,qBAAqB,EACrB,qBAAqB,EACrB,YAAY,EACZ,YAAY,GAEb,MAAM,mBAAmB,CAAC;AAC3B,OAAO,EAAE,oBAAoB,EAAE,MAAM,wBAAwB,CAAC;AAC9D,OAAO,EAAE,oBAAoB,EAAE,MAAM,gCAAgC,CAAC;AAStE,MAAM,OAAO,sBAAuB,SAAQ,KAAK;IACtC,IAAI,GAAG,2BAAoC,CAAC;IAC5C,QAAQ,CAAS;IAC1B,YAAY,OAAe,EAAE,QAAgB;QAC3C,KAAK,CAAC,OAAO,CAAC,CAAC;QACf,IAAI,CAAC,IAAI,GAAG,wBAAwB,CAAC;QACrC,IAAI,CAAC,QAAQ,GAAG,QAAQ,CAAC;IAC3B,CAAC;CACF;AAED,MAAM,SAAS,GAAG;IAChB,KAAK,EAAE,kBAAkB;IACzB,KAAK,EAAE,qBAAqB;IAC5B,GAAG,EAAE,yBAAyB;IAC9B,IAAI,EAAE,sBAAsB;CACpB,CAAC;AAEX,MAAM,UAAU,GAAG,CAAC,CAAS,EAAc,EAAE,CAAC,IAAI,UAAU,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,EAAE,KAAK,CAAC,CAAC,CAAC;AAEpF,uGAAuG;AACvG,SAAS,iBAAiB,CAAC,IAAgB,EAAE,GAAW;IACtD,IAAI,IAAI,CAAC,MAAM,GAAG,EAAE,GAAG,EAAE;QAAE,OAAO,IAAI,CAAC;IACvC,MAAM,GAAG,GAAG,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAC9B,MAAM,EAAE,GAAG,GAAG,CAAC,QAAQ,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;IAC/B,MAAM,GAAG,GAAG,GAAG,CAAC,QAAQ,CAAC,GAAG,CAAC,MAAM,GAAG,EAAE,CAAC,CAAC;IAC1C,MAAM,EAAE,GAAG,GAAG,CAAC,QAAQ,CAAC,EAAE,EAAE,GAAG,CAAC,MAAM,GAAG,EAAE,CAAC,CAAC;IAC7C,IAAI,CAAC;QACH,MAAM,CAAC,GAAG,gBAAgB,CAAC,aAAa,EAAE,GAAG,EAAE,EAAE,CAAC,CAAC;QACnD,CAAC,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC;QAClB,OAAO,UAAU,CAAC,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,EAAE,CAAC,EAAE,CAAC,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC,CAAC;IACnE,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED,iEAAiE;AACjE,SAAS,QAAQ,CAAC,IAAY;IAC5B,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC;QAAE,OAAO,IAAI,CAAC;IACnC,OAAO,IAAI,CAAC,KAAK,CAAC,YAAY,CAAC,IAAI,EAAE,MAAM,CAAC,CAA4B,CAAC;AAC3E,CAAC;AAED,oEAAoE;AACpE,SAAS,kBAAkB,CAAC,QAAgB;IAC1C,MAAM,GAAG,GAA0D,EAAE,CAAC;IACtE,MAAM,SAAS,GAAG,IAAI,CAAC,QAAQ,EAAE,QAAQ,CAAC,CAAC;IAC3C,IAAI,UAAU,CAAC,SAAS,CAAC,IAAI,QAAQ,CAAC,SAAS,CAAC,CAAC,WAAW,EAAE,EAAE,CAAC;QAC/D,KAAK,MAAM,KAAK,IAAI,WAAW,CAAC,SAAS,EAAE,EAAE,aAAa,EAAE,IAAI,EAAE,CAAC,EAAE,CAAC;YACpE,IAAI,CAAC,KAAK,CAAC,WAAW,EAAE;gBAAE,SAAS;YACnC,MAAM,GAAG,GAAG,IAAI,CAAC,SAAS,EAAE,KAAK,CAAC,IAAI,CAAC,CAAC;YACxC,MAAM,OAAO,GAAG,IAAI,CAAC,GAAG,EAAE,KAAK,CAAC,CAAC;YACjC,IAAI,UAAU,CAAC,OAAO,CAAC;gBAAE,GAAG,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,KAAK,CAAC,IAAI,EAAE,GAAG,EAAE,OAAO,EAAE,CAAC,CAAC;QACxE,CAAC;IACH,CAAC;IACD,mGAAmG;IACnG,MAAM,SAAS,GAAG,IAAI,CAAC,QAAQ,EAAE,KAAK,CAAC,CAAC;IACxC,IAAI,UAAU,CAAC,SAAS,CAAC,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,SAAS,CAAC,EAAE,CAAC;QACpE,GAAG,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,SAAS,EAAE,GAAG,EAAE,QAAQ,EAAE,OAAO,EAAE,SAAS,EAAE,CAAC,CAAC;IACnE,CAAC;IACD,OAAO,GAAG,CAAC;AACb,CAAC;AAED,oEAAoE;AACpE,SAAS,eAAe,CAAC,QAAgB;IACvC,OAAO,kBAAkB,CAAC,QAAQ,CAAC,CAAC,MAAM,GAAG,CAAC,CAAC;AACjD,CAAC;AAED,MAAM,aAAa,GAAG,uBAAuB,CAAC;AAE9C;;;;;;GAMG;AACH,SAAS,qBAAqB,CAAC,QAAgB,EAAE,EAAkB,EAAE,MAAc;IACjF,MAAM,GAAG,GAAG,QAAQ,CAAC,IAAI,CAAC,QAAQ,EAAE,aAAa,CAAC,CAAC,CAAC;IACpD,IAAI,CAAC,GAAG,IAAI,OAAO,GAAG,CAAC,iBAAiB,CAAC,KAAK,QAAQ;QAAE,OAAO,KAAK,CAAC;IACrE,oBAAoB,CAAC,EAAE,CAAC,CAAC;IACzB,EAAE,CAAC,OAAO,CACR;4IACwI,CACzI,CAAC,GAAG,CAAC,GAAG,CAAC,iBAAiB,CAAC,EAAE,IAAI,CAAC,GAAG,EAAE,CAAC,CAAC;IAC1C,MAAM,CAAC,IAAI,CAAC,mCAAmC,EAAE,EAAE,OAAO,EAAE,GAAG,CAAC,iBAAiB,CAAC,EAAE,CAAC,CAAC;IACtF,OAAO,IAAI,CAAC;AACd,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,0BAA0B,CAAC,MAAc,EAAE,MAAc;IACvE,MAAM,QAAQ,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC;IACjC,MAAM,OAAO,GAAG,YAAY,CAAC,MAAM,CAAC,CAAC;IACrC,MAAM,aAAa,GAAG,GAAG,MAAM,YAAY,CAAC;IAE5C,+FAA+F;IAC/F,oGAAoG;IACpG,qGAAqG;IACrG,oGAAoG;IACpG,IAAI,CAAC,UAAU,CAAC,MAAM,CAAC,IAAI,UAAU,CAAC,aAAa,CAAC,IAAI,UAAU,CAAC,OAAO,CAAC,EAAE,CAAC;QAC5E,IAAI,CAAC;YACH,MAAM,CAAC,GAAG,IAAI,UAAU,CAAC,YAAY,CAAC,OAAO,CAAC,CAAC,CAAC;YAChD,qBAAqB,CAAC,aAAa,EAAE,CAAC,EAAE,MAAM,CAAC,CAAC,KAAK,EAAE,CAAC,CAAC,mBAAmB;YAC5E,UAAU,CAAC,aAAa,EAAE,MAAM,CAAC,CAAC;YAClC,KAAK,MAAM,GAAG,IAAI,CAAC,MAAM,EAAE,MAAM,CAAC,EAAE,CAAC;gBACnC,IAAI,UAAU,CAAC,GAAG,aAAa,GAAG,GAAG,EAAE,CAAC;oBAAE,UAAU,CAAC,GAAG,aAAa,GAAG,GAAG,EAAE,EAAE,GAAG,MAAM,GAAG,GAAG,EAAE,CAAC,CAAC;YACpG,CAAC;YACD,MAAM,CAAC,IAAI,CAAC,kCAAkC,EAAE,EAAE,CAAC,CAAC;QACtD,CAAC;QAAC,MAAM,CAAC;YACP,KAAK,MAAM,CAAC,IAAI,CAAC,aAAa,EAAE,GAAG,aAAa,MAAM,EAAE,GAAG,aAAa,MAAM,CAAC,EAAE,CAAC;gBAChF,IAAI,UAAU,CAAC,CAAC,CAAC,EAAE,CAAC;oBAAC,IAAI,CAAC;wBAAC,UAAU,CAAC,CAAC,CAAC,CAAC;oBAAC,CAAC;oBAAC,MAAM,CAAC,CAAC,YAAY,CAAC,CAAC;gBAAC,CAAC;YACtE,CAAC;QACH,CAAC;IACH,CAAC;IAED,MAAM,WAAW,GAAG,qBAAqB,CAAC,MAAM,CAAC,CAAC;IAClD,MAAM,YAAY,GAAG,eAAe,CAAC,QAAQ,CAAC,CAAC;IAC/C,gGAAgG;IAChG,+FAA+F;IAC/F,MAAM,YAAY,GAAG,UAAU,CAAC,IAAI,CAAC,QAAQ,EAAE,aAAa,CAAC,CAAC,CAAC;IAE/D,IAAI,CAAC,WAAW,IAAI,CAAC,YAAY,IAAI,CAAC,YAAY,EAAE,CAAC;QACnD,OAAO,EAAE,QAAQ,EAAE,KAAK,EAAE,cAAc,EAAE,CAAC,EAAE,YAAY,EAAE,CAAC,EAAE,CAAC;IACjE,CAAC;IAED,+FAA+F;IAC/F,kGAAkG;IAClG,+FAA+F;IAC/F,oGAAoG;IACpG,IAAI,CAAC,WAAW,EAAE,CAAC;QACjB,IAAI,GAAe,CAAC;QACpB,IAAI,CAAC;YACH,GAAG,GAAG,YAAY,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC,CAAC,+DAA+D;QACtG,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,MAAM,IAAI,sBAAsB,CAC9B,iEAAiE,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,EACnH,+CAA+C,CAChD,CAAC;QACJ,CAAC;QACD,IAAI,EAAE,GAA0B,IAAI,CAAC;QACrC,IAAI,cAAc,GAAG,CAAC,CAAC;QACvB,IAAI,CAAC;YACH,EAAE,GAAG,qBAAqB,CAAC,MAAM,EAAE,GAAG,EAAE,MAAM,CAAC,CAAC;YAChD,oBAAoB,CAAC,EAAE,CAAC,CAAC;YACzB,cAAc,GAAG,kBAAkB,CAAC,QAAQ,EAAE,EAAE,EAAE,MAAM,CAAC,CAAC;YAC1D,qBAAqB,CAAC,QAAQ,EAAE,EAAE,EAAE,MAAM,CAAC,CAAC,CAAC,uCAAuC;YACpF,EAAE,CAAC,KAAK,EAAE,CAAC;YACX,EAAE,GAAG,IAAI,CAAC;QACZ,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,IAAI,EAAE,EAAE,CAAC;gBAAC,IAAI,CAAC;oBAAC,EAAE,CAAC,KAAK,EAAE,CAAC;gBAAC,CAAC;gBAAC,MAAM,CAAC,CAAC,YAAY,CAAC,CAAC;YAAC,CAAC;YACtD,IAAI,GAAG,YAAY,sBAAsB;gBAAE,MAAM,GAAG,CAAC;YACrD,MAAM,IAAI,sBAAsB,CAC9B,oCAAoC,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,EACtF,gFAAgF,CACjF,CAAC;QACJ,CAAC;QACD,kBAAkB,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC;QACrC,MAAM,CAAC,IAAI,CAAC,2BAA2B,EAAE,EAAE,cAAc,EAAE,YAAY,EAAE,CAAC,EAAE,CAAC,CAAC;QAC9E,OAAO,EAAE,QAAQ,EAAE,IAAI,EAAE,cAAc,EAAE,YAAY,EAAE,CAAC,EAAE,CAAC;IAC7D,CAAC;IAED,gGAAgG;IAChG,mGAAmG;IACnG,uCAAuC;IACvC,iEAAiE;IACjE,KAAK,MAAM,CAAC,IAAI,CAAC,aAAa,EAAE,GAAG,aAAa,MAAM,EAAE,GAAG,aAAa,MAAM,CAAC,EAAE,CAAC;QAChF,IAAI,UAAU,CAAC,CAAC,CAAC;YAAE,UAAU,CAAC,CAAC,CAAC,CAAC;IACnC,CAAC;IAED,kGAAkG;IAClG,mGAAmG;IACnG,IAAI,KAAiB,CAAC;IACtB,IAAI,CAAC;QACH,KAAK,GAAG,UAAU,CAAC,OAAO,CAAC;YACzB,CAAC,CAAC,IAAI,UAAU,CAAC,YAAY,CAAC,OAAO,CAAC,CAAC;YACvC,CAAC,CAAC,YAAY,CAAC,aAAa,EAAE,OAAO,CAAC,CAAC,CAAC,2DAA2D;IACvG,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,IAAI,sBAAsB,CAC9B,sDAAsD,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,EACxG,uDAAuD,CACxD,CAAC;IACJ,CAAC;IAED,IAAI,KAAK,GAA0B,IAAI,CAAC;IACxC,IAAI,cAAc,GAAG,CAAC,CAAC;IACvB,IAAI,YAAY,GAAG,CAAC,CAAC;IACrB,IAAI,CAAC;QACH,KAAK,GAAG,qBAAqB,CAAC,aAAa,EAAE,KAAK,EAAE,MAAM,CAAC,CAAC;QAC5D,oBAAoB,CAAC,KAAK,CAAC,CAAC;QAE5B,2FAA2F;QAC3F,IAAI,WAAW,EAAE,CAAC;YAChB,YAAY,GAAG,eAAe,CAAC,MAAM,EAAE,KAAK,EAAE,QAAQ,EAAE,MAAM,CAAC,CAAC;QAClE,CAAC;QAED,kGAAkG;QAClG,cAAc,GAAG,kBAAkB,CAAC,QAAQ,EAAE,KAAK,EAAE,MAAM,CAAC,CAAC;QAC7D,qBAAqB,CAAC,QAAQ,EAAE,KAAK,EAAE,MAAM,CAAC,CAAC;QAE/C,KAAK,CAAC,KAAK,EAAE,CAAC;QACd,KAAK,GAAG,IAAI,CAAC;IACf,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,IAAI,KAAK,EAAE,CAAC;YACV,IAAI,CAAC;gBAAC,KAAK,CAAC,KAAK,EAAE,CAAC;YAAC,CAAC;YAAC,MAAM,CAAC,CAAC,YAAY,CAAC,CAAC;QAC/C,CAAC;QACD,KAAK,MAAM,CAAC,IAAI,CAAC,aAAa,EAAE,GAAG,aAAa,MAAM,EAAE,GAAG,aAAa,MAAM,CAAC,EAAE,CAAC;YAChF,IAAI,UAAU,CAAC,CAAC,CAAC,EAAE,CAAC;gBAAC,IAAI,CAAC;oBAAC,UAAU,CAAC,CAAC,CAAC,CAAC;gBAAC,CAAC;gBAAC,MAAM,CAAC,CAAC,YAAY,CAAC,CAAC;YAAC,CAAC;QACtE,CAAC;QACD,IAAI,GAAG,YAAY,sBAAsB;YAAE,MAAM,GAAG,CAAC;QACrD,MAAM,IAAI,sBAAsB,CAC9B,mCAAmC,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,EACrF,2FAA2F,CAC5F,CAAC;IACJ,CAAC;IAED,mGAAmG;IACnG,sFAAsF;IACtF,IAAI,CAAC;QACH,IAAI,WAAW,EAAE,CAAC;YAChB,UAAU,CAAC,MAAM,EAAE,GAAG,MAAM,oBAAoB,CAAC,CAAC;YAClD,wEAAwE;YACxE,KAAK,MAAM,CAAC,IAAI,CAAC,GAAG,MAAM,MAAM,EAAE,GAAG,MAAM,MAAM,EAAE,GAAG,MAAM,iBAAiB,CAAC,EAAE,CAAC;gBAC/E,IAAI,UAAU,CAAC,CAAC,CAAC,EAAE,CAAC;oBAAC,IAAI,CAAC;wBAAC,UAAU,CAAC,CAAC,CAAC,CAAC;oBAAC,CAAC;oBAAC,MAAM,CAAC,CAAC,YAAY,CAAC,CAAC;gBAAC,CAAC;YACtE,CAAC;QACH,CAAC;QACD,UAAU,CAAC,aAAa,EAAE,MAAM,CAAC,CAAC;QAClC,KAAK,MAAM,CAAC,IAAI,CAAC,GAAG,aAAa,MAAM,EAAE,GAAG,aAAa,MAAM,CAAC,EAAE,CAAC;YACjE,IAAI,UAAU,CAAC,CAAC,CAAC;gBAAE,UAAU,CAAC,CAAC,EAAE,CAAC,CAAC,OAAO,CAAC,GAAG,MAAM,YAAY,EAAE,MAAM,CAAC,CAAC,CAAC;QAC7E,CAAC;QACD,kBAAkB,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC;IACvC,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,IAAI,sBAAsB,CAC9B,2CAA2C,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,EAC7F,0FAA0F,CAC3F,CAAC;IACJ,CAAC;IAED,MAAM,CAAC,IAAI,CAAC,2BAA2B,EAAE,EAAE,cAAc,EAAE,YAAY,EAAE,CAAC,CAAC;IAC3E,OAAO,EAAE,QAAQ,EAAE,IAAI,EAAE,cAAc,EAAE,YAAY,EAAE,CAAC;AAC1D,CAAC;AAED;;;;;;;GAOG;AACH,SAAS,eAAe,CAAC,MAAc,EAAE,KAAqB,EAAE,SAAiB,EAAE,MAAc;IAC/F,MAAM,GAAG,GAAG,IAAI,YAAY,CAAC,MAAM,CAAC,CAAC;IACrC,IAAI,CAAC;QACH,MAAM,iBAAiB,GAAG,GAAG,MAAM,iBAAiB,CAAC;QACrD,MAAM,aAAa,GAAG,UAAU,CAAC,iBAAiB,CAAC,CAAC,CAAC,CAAC,YAAY,CAAC,iBAAiB,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;QAE7F,MAAM,MAAM,GACV,GAAG;aACA,OAAO,CAAC,qFAAqF,CAAC;aAC9F,GAAG,EACP,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC;QAEvB,IAAI,WAAW,GAAG,CAAC,CAAC;QACpB,KAAK,MAAM,CAAC,IAAI,MAAM,EAAE,CAAC;YACvB,sFAAsF;YACtF,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,gBAAgB,EAAE,4BAA4B,CAAC,CAAC,CAAC;YAC1E,MAAM,IAAI,GAAI,GAAG,CAAC,OAAO,CAAC,qBAAqB,CAAC,CAAC,IAAI,GAAG,CAAC,CAAC,GAAG,EAA8B,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC;YAC/G,IAAI,IAAI,CAAC,MAAM,KAAK,CAAC;gBAAE,SAAS;YAChC,MAAM,OAAO,GAAG,GAAG,CAAC,OAAO,CAAC,iBAAiB,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC,GAAG,EAAoC,CAAC;YAC/F,IAAI,OAAO,CAAC,MAAM,KAAK,CAAC;gBAAE,SAAS;YACnC,MAAM,YAAY,GAAG,IAAI,CAAC,GAAG,CAAC,GAAG,EAAE,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YACpD,MAAM,MAAM,GAAG,KAAK,CAAC,OAAO,CAAC,yBAAyB,CAAC,CAAC,IAAI,KAAK,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,aAAa,YAAY,GAAG,CAAC,CAAC;YAC9G,IAAI,MAAM,GAAG,CAAC,CAAC;YACf,IAAI,OAAO,GAAG,CAAC,CAAC;YAChB,KAAK,MAAM,CAAC,IAAI,OAAO,EAAE,CAAC;gBACxB,IAAI,aAAa,GAAG,KAAK,CAAC;gBAC1B,MAAM,MAAM,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE;oBAC5B,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;oBACb,IAAI,CAAC,YAAY,UAAU,IAAI,CAAC,CAAC,CAAC,CAAC,IAAI,KAAK,YAAY,IAAI,CAAC,KAAK,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,KAAK,aAAa,IAAI,CAAC,KAAK,cAAc,CAAC,CAAC,EAAE,CAAC;wBACjI,MAAM,EAAE,GAAG,aAAa,CAAC,CAAC,CAAC,iBAAiB,CAAC,CAAC,EAAE,aAAa,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;wBACtE,IAAI,EAAE,KAAK,IAAI;4BAAE,CAAC,GAAG,MAAM,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;;4BAChC,aAAa,GAAG,IAAI,CAAC;oBAC5B,CAAC;oBACD,OAAO,CAAY,CAAC;gBACtB,CAAC,CAAC,CAAC;gBACH,IAAI,aAAa,EAAE,CAAC;oBAClB,4FAA4F;oBAC5F,iGAAiG;oBACjG,MAAM,CAAC,KAAK,CAAC,6CAA6C,EAAE,EAAE,KAAK,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC;oBAC/E,OAAO,EAAE,CAAC;oBACV,SAAS;gBACX,CAAC;gBACD,MAAM,CAAC,GAAG,CAAC,GAAG,MAAM,CAAC,CAAC;gBACtB,MAAM,EAAE,CAAC;YACX,CAAC;YACD,qGAAqG;YACrG,MAAM,QAAQ,GAAG,MAAM,CAAE,KAAK,CAAC,OAAO,CAAC,6BAA6B,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC,GAAG,EAAoB,CAAC,CAAC,CAAC,CAAC;YACzG,IAAI,QAAQ,KAAK,MAAM,EAAE,CAAC;gBACxB,MAAM,IAAI,sBAAsB,CAC9B,uCAAuC,CAAC,CAAC,IAAI,eAAe,MAAM,WAAW,QAAQ,EAAE,EACvF,kGAAkG,CACnG,CAAC;YACJ,CAAC;YACD,IAAI,OAAO,GAAG,CAAC;gBAAE,MAAM,CAAC,IAAI,CAAC,wCAAwC,EAAE,EAAE,KAAK,EAAE,CAAC,CAAC,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,CAAC,CAAC;YAC3G,WAAW,IAAI,MAAM,CAAC;QACxB,CAAC;QACD,OAAO,WAAW,CAAC;IACrB,CAAC;YAAS,CAAC;QACT,GAAG,CAAC,KAAK,EAAE,CAAC;IACd,CAAC;AACH,CAAC;AAED,+EAA+E;AAC/E,SAAS,mBAAmB,CAAC,CAAiD,EAAE,MAAc;IAC5F,KAAK,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,OAAO,EAAE,GAAG,MAAM,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,IAAI,CAAC,CAAC,CAAC,GAAG,EAAE,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;QACpF,IAAI,UAAU,CAAC,CAAC,CAAC,EAAE,CAAC;YAClB,IAAI,CAAC;gBAAC,UAAU,CAAC,CAAC,EAAE,GAAG,CAAC,UAAU,CAAC,CAAC;YAAC,CAAC;YAAC,MAAM,CAAC,CAAC,YAAY,CAAC,CAAC;QAC/D,CAAC;IACH,CAAC;IACD,MAAM,CAAC,IAAI,CAAC,4CAA4C,EAAE,EAAE,SAAS,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC;AACnF,CAAC;AAED,kGAAkG;AAClG,SAAS,kBAAkB,CAAC,QAAgB,EAAE,KAAqB,EAAE,MAAc;IACjF,MAAM,MAAM,GAAG,kBAAkB,CAAC,QAAQ,CAAC,CAAC;IAC5C,IAAI,KAAK,GAAG,CAAC,CAAC;IACd,KAAK,MAAM,CAAC,IAAI,MAAM,EAAE,CAAC;QACvB,mGAAmG;QACnG,0FAA0F;QAC1F,2FAA2F;QAC3F,MAAM,MAAM,GAAG,KAAK,CAAC,OAAO,CAAC,kDAAkD,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,CAAgC,CAAC;QAC5H,IAAI,MAAM;YAAE,SAAS;QAErB,kGAAkG;QAClG,+FAA+F;QAC/F,8FAA8F;QAC9F,gGAAgG;QAChG,IAAI,IAAgB,CAAC;QACrB,IAAI,CAAC;YACH,IAAI,GAAG,iBAAiB,CAAC,IAAI,UAAU,CAAC,YAAY,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC;QACpE,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,MAAM,CAAC,KAAK,CAAC,sCAAsC,EAAE;gBACnD,SAAS,EAAE,CAAC,CAAC,IAAI;gBACjB,KAAK,EAAG,GAA4B,EAAE,OAAO,IAAI,MAAM,CAAC,GAAG,CAAC;aAC7D,CAAC,CAAC;YACH,mBAAmB,CAAC,CAAC,EAAE,MAAM,CAAC,CAAC;YAC/B,SAAS;QACX,CAAC;QACD,MAAM,SAAS,GAAG,MAAM,CAAC,IAAI,CAAC,aAAa,CAAC,IAAI,CAAC,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;QAEnE,MAAM,GAAG,GAAG,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,GAAG,EAAE,SAAS,CAAC,GAAG,CAAC,CAAC,CAAC;QACjD,MAAM,KAAK,GAAG,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,GAAG,EAAE,SAAS,CAAC,KAAK,CAAC,CAAC,CAAC;QACrD,MAAM,KAAK,GAAG,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,GAAG,EAAE,SAAS,CAAC,KAAK,CAAC,CAAC,CAAC;QACrD,MAAM,IAAI,GAAG,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,GAAG,EAAE,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC;QACnD,MAAM,KAAK,GAAG,GAAG,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,SAAS,CAAC;QAC7C,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QAEvB,KAAK;aACF,OAAO,CACN;mCAC2B,CAC5B;aACA,GAAG,CAAC,CAAC,CAAC,IAAI,EAAE,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,SAAS,EAAE,KAAK,EAAE,GAAG,EAAE,GAAG,CAAC,CAAC;QAE9D,IAAI,KAAK,EAAE,CAAC;YACV,KAAK;iBACF,OAAO,CAAC,mGAAmG,CAAC;iBAC5G,GAAG,CAAC,MAAM,CAAC,KAAK,CAAC,aAAa,CAAC,CAAC,EAAE,MAAM,CAAC,IAAI,CAAC,UAAU,CAAC,MAAM,CAAC,KAAK,CAAC,eAAe,CAAC,CAAC,CAAC,CAAC,EAAE,MAAM,CAAC,KAAK,CAAC,WAAW,CAAC,IAAI,WAAW,CAAC,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC;QACnJ,CAAC;QACD,IAAI,KAAK,EAAE,CAAC;YACV,KAAK;iBACF,OAAO,CACN;;8BAEoB,CACrB;iBACA,GAAG,CACF,MAAM,CAAC,KAAK,CAAC,SAAS,CAAC,CAAC,EACxB,MAAM,CAAC,KAAK,CAAC,eAAe,CAAC,CAAC,EAC9B,MAAM,CAAC,KAAK,CAAC,YAAY,CAAC,CAAC,EAC3B,MAAM,CAAC,IAAI,CAAC,UAAU,CAAC,MAAM,CAAC,KAAK,CAAC,cAAc,CAAC,CAAC,CAAC,CAAC,EACtD,MAAM,CAAC,KAAK,CAAC,WAAW,CAAC,CAAC,EAC1B,MAAM,CAAC,KAAK,CAAC,cAAc,CAAC,CAAC,EAC7B,MAAM,CAAC,IAAI,CAAC,UAAU,CAAC,MAAM,CAAC,KAAK,CAAC,iBAAiB,CAAC,CAAC,CAAC,CAAC,EACzD,MAAM,CAAC,IAAI,CAAC,UAAU,CAAC,MAAM,CAAC,KAAK,CAAC,qBAAqB,CAAC,CAAC,CAAC,CAAC,EAC7D,MAAM,CAAC,KAAK,CAAC,WAAW,CAAC,CAAC,EAC1B,CAAC,CAAC,IAAI,CACP,CAAC;QACN,CAAC;QACD,IAAI,GAAG,EAAE,CAAC;YACR,KAAK;iBACF,OAAO,CAAC,mIAAmI,CAAC;iBAC5I,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC,EAAE,MAAM,CAAC,GAAG,CAAC,eAAe,CAAC,CAAC,EAAE,MAAM,CAAC,GAAG,CAAC,aAAa,CAAC,CAAC,EAAE,MAAM,CAAC,GAAG,CAAC,cAAc,CAAC,CAAC,EAAE,MAAM,CAAC,GAAG,CAAC,QAAQ,CAAC,IAAI,QAAQ,CAAC,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC;QACnK,CAAC;QACD,IAAI,IAAI,EAAE,CAAC;YACT,KAAK;iBACF,OAAO,CAAC,+FAA+F,CAAC;iBACxG,GAAG,CAAC,MAAM,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC,EAAE,MAAM,CAAC,IAAI,CAAC,cAAc,CAAC,CAAC,EAAE,MAAM,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC;QAClG,CAAC;QACD,yEAAyE;QACzE,MAAM,CAAC,IAAI,CAAC,iCAAiC,EAAE,EAAE,SAAS,EAAE,CAAC,CAAC,IAAI,EAAE,UAAU,EAAE,GAAG,IAAI,IAAI,EAAE,CAAC,CAAC;QAC/F,KAAK,EAAE,CAAC;IACV,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC;AAED,0EAA0E;AAC1E,SAAS,kBAAkB,CAAC,QAAgB,EAAE,MAAc;IAC1D,KAAK,MAAM,CAAC,IAAI,kBAAkB,CAAC,QAAQ,CAAC,EAAE,CAAC;QAC7C,KAAK,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,OAAO,EAAE,GAAG,MAAM,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,IAAI,CAAC,CAAC,CAAC,GAAG,EAAE,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;YACpF,IAAI,UAAU,CAAC,CAAC,CAAC,EAAE,CAAC;gBAAC,IAAI,CAAC;oBAAC,UAAU,CAAC,CAAC,CAAC,CAAC;gBAAC,CAAC;gBAAC,OAAO,GAAG,EAAE,CAAC;oBAAC,MAAM,CAAC,IAAI,CAAC,yCAAyC,EAAE,EAAE,IAAI,EAAE,CAAC,EAAE,KAAK,EAAE,MAAM,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;gBAAC,CAAC;YAAC,CAAC;QACxJ,CAAC;IACH,CAAC;IACD,uGAAuG;IACvG,MAAM,YAAY,GAAG,IAAI,CAAC,QAAQ,EAAE,aAAa,CAAC,CAAC;IACnD,IAAI,UAAU,CAAC,YAAY,CAAC,EAAE,CAAC;QAC7B,IAAI,CAAC;YAAC,UAAU,CAAC,YAAY,CAAC,CAAC;QAAC,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YAAC,MAAM,CAAC,IAAI,CAAC,yCAAyC,EAAE,EAAE,IAAI,EAAE,YAAY,EAAE,KAAK,EAAE,MAAM,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;QAAC,CAAC;IACvJ,CAAC;AACH,CAAC;AAED,mEAAmE;AACnE,SAAS,aAAa,CAAC,IAAgB;IACrC,mGAAmG;IACnG,kGAAkG;IAClG,uCAAuC;IACvC,MAAM,QAAQ,GAAG,IAAI,mBAAmB,CAAC,IAAI,CAAC,CAAC;IAC/C,MAAM,GAAG,GAAI,QAAQ,CAAC,MAAM,EAA4B,CAAC,SAAS,CAAC;IACnE,OAAO,IAAI,UAAU,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,EAAE,KAAK,CAAC,CAAC,CAAC;AACjD,CAAC"}

package/dist/index.d.ts

@@ -13,6 +13,6 @@ export type { ITransportSelector, TransportResult, TransportDialer, TransportDia
 export { FileManifestProvider } from "./manifest-loader.js";
 export { RandomizedPollScheduler, ImmediatePollScheduler } from "./manifest-poll-scheduler.js";
 export { InMemoryManifestVersionStore } from "./manifest-version-store.js";
-export { FileManifestVersionStore } from "./manifest-version-store-file.js";
+export { DbManifestVersionStore } from "./manifest-version-store-db.js";
 export { ManifestDirectoryChallengeVerifier, TestDirectoryChallengeVerifier } from "./challenge-verifier.js";
 //# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,YAAY,EACV,MAAM,EACN,eAAe,EACf,UAAU,EACV,WAAW,EACX,aAAa,EACb,gBAAgB,EAChB,eAAe,EACf,QAAQ,EACR,UAAU,EACV,SAAS,EACT,gBAAgB,EAChB,cAAc,EACd,uBAAuB,EACvB,oBAAoB,EACpB,YAAY,EACZ,iBAAiB,EACjB,qBAAqB,EACrB,sBAAsB,EACtB,2BAA2B,GAC5B,MAAM,YAAY,CAAC;AACpB,OAAO,EAAE,UAAU,EAAE,MAAM,YAAY,CAAC;AAExC,OAAO,EAAE,WAAW,EAAE,KAAK,YAAY,EAAE,MAAM,aAAa,CAAC;AAC7D,OAAO,EAAE,QAAQ,EAAE,WAAW,EAAE,UAAU,EAAE,cAAc,EAAE,MAAM,gBAAgB,CAAC;AACnF,OAAO,EAAE,UAAU,EAAE,KAAK,WAAW,EAAE,KAAK,WAAW,EAAE,KAAK,eAAe,EAAE,MAAM,mBAAmB,CAAC;AACzG,OAAO,EAAE,eAAe,EAAE,KAAK,SAAS,EAAE,KAAK,UAAU,EAAE,KAAK,eAAe,EAAE,KAAK,oBAAoB,EAAE,MAAM,iBAAiB,CAAC;AACpI,OAAO,EAAE,eAAe,EAAE,KAAK,SAAS,EAAE,QAAQ,EAAE,MAAM,iBAAiB,CAAC;AAC5E,OAAO,EAAE,cAAc,EAAE,KAAK,aAAa,EAAE,MAAM,uBAAuB,CAAC;AAC3E,OAAO,EAAE,UAAU,EAAE,KAAK,eAAe,EAAE,KAAK,QAAQ,EAAE,KAAK,YAAY,EAAE,eAAe,EAAE,MAAM,kBAAkB,CAAC;AACvH,OAAO,EAAE,eAAe,EAAE,eAAe,EAAE,MAAM,kBAAkB,CAAC;AAGpE,OAAO,EACL,iBAAiB,EACjB,0BAA0B,EAC1B,eAAe,EACf,8BAA8B,EAC9B,uBAAuB,GACxB,MAAM,yBAAyB,CAAC;AACjC,YAAY,EACV,kBAAkB,EAClB,eAAe,EACf,eAAe,EACf,oBAAoB,EACpB,iBAAiB,GAClB,MAAM,yBAAyB,CAAC;AAGjC,OAAO,EAAE,oBAAoB,EAAE,MAAM,sBAAsB,CAAC;AAC5D,OAAO,EAAE,uBAAuB,EAAE,sBAAsB,EAAE,MAAM,8BAA8B,CAAC;AAC/F,OAAO,EAAE,4BAA4B,EAAE,MAAM,6BAA6B,CAAC;AAC3E,OAAO,EAAE,wBAAwB,EAAE,MAAM,kCAAkC,CAAC;AAC5E,OAAO,EAAE,kCAAkC,EAAE,8BAA8B,EAAE,MAAM,yBAAyB,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,YAAY,EACV,MAAM,EACN,eAAe,EACf,UAAU,EACV,WAAW,EACX,aAAa,EACb,gBAAgB,EAChB,eAAe,EACf,QAAQ,EACR,UAAU,EACV,SAAS,EACT,gBAAgB,EAChB,cAAc,EACd,uBAAuB,EACvB,oBAAoB,EACpB,YAAY,EACZ,iBAAiB,EACjB,qBAAqB,EACrB,sBAAsB,EACtB,2BAA2B,GAC5B,MAAM,YAAY,CAAC;AACpB,OAAO,EAAE,UAAU,EAAE,MAAM,YAAY,CAAC;AAExC,OAAO,EAAE,WAAW,EAAE,KAAK,YAAY,EAAE,MAAM,aAAa,CAAC;AAC7D,OAAO,EAAE,QAAQ,EAAE,WAAW,EAAE,UAAU,EAAE,cAAc,EAAE,MAAM,gBAAgB,CAAC;AACnF,OAAO,EAAE,UAAU,EAAE,KAAK,WAAW,EAAE,KAAK,WAAW,EAAE,KAAK,eAAe,EAAE,MAAM,mBAAmB,CAAC;AACzG,OAAO,EAAE,eAAe,EAAE,KAAK,SAAS,EAAE,KAAK,UAAU,EAAE,KAAK,eAAe,EAAE,KAAK,oBAAoB,EAAE,MAAM,iBAAiB,CAAC;AACpI,OAAO,EAAE,eAAe,EAAE,KAAK,SAAS,EAAE,QAAQ,EAAE,MAAM,iBAAiB,CAAC;AAC5E,OAAO,EAAE,cAAc,EAAE,KAAK,aAAa,EAAE,MAAM,uBAAuB,CAAC;AAC3E,OAAO,EAAE,UAAU,EAAE,KAAK,eAAe,EAAE,KAAK,QAAQ,EAAE,KAAK,YAAY,EAAE,eAAe,EAAE,MAAM,kBAAkB,CAAC;AACvH,OAAO,EAAE,eAAe,EAAE,eAAe,EAAE,MAAM,kBAAkB,CAAC;AAGpE,OAAO,EACL,iBAAiB,EACjB,0BAA0B,EAC1B,eAAe,EACf,8BAA8B,EAC9B,uBAAuB,GACxB,MAAM,yBAAyB,CAAC;AACjC,YAAY,EACV,kBAAkB,EAClB,eAAe,EACf,eAAe,EACf,oBAAoB,EACpB,iBAAiB,GAClB,MAAM,yBAAyB,CAAC;AAGjC,OAAO,EAAE,oBAAoB,EAAE,MAAM,sBAAsB,CAAC;AAC5D,OAAO,EAAE,uBAAuB,EAAE,sBAAsB,EAAE,MAAM,8BAA8B,CAAC;AAC/F,OAAO,EAAE,4BAA4B,EAAE,MAAM,6BAA6B,CAAC;AAC3E,OAAO,EAAE,sBAAsB,EAAE,MAAM,gCAAgC,CAAC;AACxE,OAAO,EAAE,kCAAkC,EAAE,8BAA8B,EAAE,MAAM,yBAAyB,CAAC"}

package/dist/index.js

@@ -13,6 +13,6 @@ export { TransportSelector, LocalTransportSelectorStub, TRANSPORT_ERROR, DEFAULT
 export { FileManifestProvider } from "./manifest-loader.js";
 export { RandomizedPollScheduler, ImmediatePollScheduler } from "./manifest-poll-scheduler.js";
 export { InMemoryManifestVersionStore } from "./manifest-version-store.js";
-export { FileManifestVersionStore } from "./manifest-version-store-file.js";
+export { DbManifestVersionStore } from "./manifest-version-store-db.js";
 export { ManifestDirectoryChallengeVerifier, TestDirectoryChallengeVerifier } from "./challenge-verifier.js";
 //# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAqBA,OAAO,EAAE,UAAU,EAAE,MAAM,YAAY,CAAC;AAExC,OAAO,EAAE,WAAW,EAAqB,MAAM,aAAa,CAAC;AAC7D,OAAO,EAAE,QAAQ,EAAE,WAAW,EAAE,UAAU,EAAE,cAAc,EAAE,MAAM,gBAAgB,CAAC;AACnF,OAAO,EAAE,UAAU,EAA4D,MAAM,mBAAmB,CAAC;AACzG,OAAO,EAAE,eAAe,EAAoF,MAAM,iBAAiB,CAAC;AACpI,OAAO,EAAE,eAAe,EAAkB,QAAQ,EAAE,MAAM,iBAAiB,CAAC;AAC5E,OAAO,EAAE,cAAc,EAAsB,MAAM,uBAAuB,CAAC;AAC3E,OAAO,EAAE,UAAU,EAA0D,eAAe,EAAE,MAAM,kBAAkB,CAAC;AACvH,OAAO,EAAE,eAAe,EAAE,eAAe,EAAE,MAAM,kBAAkB,CAAC;AAEpE,qFAAqF;AACrF,OAAO,EACL,iBAAiB,EACjB,0BAA0B,EAC1B,eAAe,EACf,8BAA8B,EAC9B,uBAAuB,GACxB,MAAM,yBAAyB,CAAC;AASjC,+DAA+D;AAC/D,OAAO,EAAE,oBAAoB,EAAE,MAAM,sBAAsB,CAAC;AAC5D,OAAO,EAAE,uBAAuB,EAAE,sBAAsB,EAAE,MAAM,8BAA8B,CAAC;AAC/F,OAAO,EAAE,4BAA4B,EAAE,MAAM,6BAA6B,CAAC;AAC3E,OAAO,EAAE,wBAAwB,EAAE,MAAM,kCAAkC,CAAC;AAC5E,OAAO,EAAE,kCAAkC,EAAE,8BAA8B,EAAE,MAAM,yBAAyB,CAAC"}
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAqBA,OAAO,EAAE,UAAU,EAAE,MAAM,YAAY,CAAC;AAExC,OAAO,EAAE,WAAW,EAAqB,MAAM,aAAa,CAAC;AAC7D,OAAO,EAAE,QAAQ,EAAE,WAAW,EAAE,UAAU,EAAE,cAAc,EAAE,MAAM,gBAAgB,CAAC;AACnF,OAAO,EAAE,UAAU,EAA4D,MAAM,mBAAmB,CAAC;AACzG,OAAO,EAAE,eAAe,EAAoF,MAAM,iBAAiB,CAAC;AACpI,OAAO,EAAE,eAAe,EAAkB,QAAQ,EAAE,MAAM,iBAAiB,CAAC;AAC5E,OAAO,EAAE,cAAc,EAAsB,MAAM,uBAAuB,CAAC;AAC3E,OAAO,EAAE,UAAU,EAA0D,eAAe,EAAE,MAAM,kBAAkB,CAAC;AACvH,OAAO,EAAE,eAAe,EAAE,eAAe,EAAE,MAAM,kBAAkB,CAAC;AAEpE,qFAAqF;AACrF,OAAO,EACL,iBAAiB,EACjB,0BAA0B,EAC1B,eAAe,EACf,8BAA8B,EAC9B,uBAAuB,GACxB,MAAM,yBAAyB,CAAC;AASjC,+DAA+D;AAC/D,OAAO,EAAE,oBAAoB,EAAE,MAAM,sBAAsB,CAAC;AAC5D,OAAO,EAAE,uBAAuB,EAAE,sBAAsB,EAAE,MAAM,8BAA8B,CAAC;AAC/F,OAAO,EAAE,4BAA4B,EAAE,MAAM,6BAA6B,CAAC;AAC3E,OAAO,EAAE,sBAAsB,EAAE,MAAM,gCAAgC,CAAC;AACxE,OAAO,EAAE,kCAAkC,EAAE,8BAA8B,EAAE,MAAM,yBAAyB,CAAC"}

package/dist/manifest-version-store-db.d.ts

@@ -0,0 +1,24 @@
+/**
+ * CELLO-M7-PERSIST-002 (AC-008): DB-backed IManifestVersionStore.
+ *
+ * The last-seen manifest version (which backs the anti-rollback monotonicity invariant across daemon
+ * restarts) lives in the `manifest_state` singleton row of the SQLCipher-encrypted daemon DB — not a
+ * plaintext `manifest-version.json` file. Same interface as the old FileManifestVersionStore, so the
+ * SignalingManager that consumes it is unchanged.
+ *
+ * Crypto reference: RFC 8032 context — the version number is not itself cryptographic, but its
+ * correct, durable persistence is load-bearing for anti-rollback security (a reset enables a manifest
+ * downgrade attack). Whole-DB SQLCipher now protects it at rest along with all other client state.
+ */
+import type { IManifestVersionStore } from "@cello-protocol/transport";
+import type { DaemonDatabase } from "./sqlcipher-db.js";
+import type { Logger } from "./types.js";
+/** Idempotent schema for the singleton manifest-version row. */
+export declare function ensureManifestSchema(db: DaemonDatabase): void;
+export declare class DbManifestVersionStore implements IManifestVersionStore {
+    #private;
+    constructor(db: DaemonDatabase, logger: Logger);
+    getLastSeenVersion(): Promise<number | null>;
+    persistVersion(version: number): Promise<void>;
+}
+//# sourceMappingURL=manifest-version-store-db.d.ts.map

package/dist/manifest-version-store-db.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"manifest-version-store-db.d.ts","sourceRoot":"","sources":["../src/manifest-version-store-db.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAEH,OAAO,KAAK,EAAE,qBAAqB,EAAE,MAAM,2BAA2B,CAAC;AACvE,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,mBAAmB,CAAC;AACxD,OAAO,KAAK,EAAE,MAAM,EAAE,MAAM,YAAY,CAAC;AAEzC,gEAAgE;AAChE,wBAAgB,oBAAoB,CAAC,EAAE,EAAE,cAAc,GAAG,IAAI,CAQ7D;AAED,qBAAa,sBAAuB,YAAW,qBAAqB;;gBAItD,EAAE,EAAE,cAAc,EAAE,MAAM,EAAE,MAAM;IAMxC,kBAAkB,IAAI,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC;IAO5C,cAAc,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;CAoBrD"}

package/dist/manifest-version-store-db.js

@@ -0,0 +1,57 @@
+/**
+ * CELLO-M7-PERSIST-002 (AC-008): DB-backed IManifestVersionStore.
+ *
+ * The last-seen manifest version (which backs the anti-rollback monotonicity invariant across daemon
+ * restarts) lives in the `manifest_state` singleton row of the SQLCipher-encrypted daemon DB — not a
+ * plaintext `manifest-version.json` file. Same interface as the old FileManifestVersionStore, so the
+ * SignalingManager that consumes it is unchanged.
+ *
+ * Crypto reference: RFC 8032 context — the version number is not itself cryptographic, but its
+ * correct, durable persistence is load-bearing for anti-rollback security (a reset enables a manifest
+ * downgrade attack). Whole-DB SQLCipher now protects it at rest along with all other client state.
+ */
+/** Idempotent schema for the singleton manifest-version row. */
+export function ensureManifestSchema(db) {
+    db.exec(`
+    CREATE TABLE IF NOT EXISTS manifest_state (
+      id                INTEGER PRIMARY KEY CHECK (id = 1),
+      last_seen_version INTEGER,
+      updated_at        INTEGER NOT NULL
+    )
+  `);
+}
+export class DbManifestVersionStore {
+    #db;
+    #logger;
+    constructor(db, logger) {
+        this.#db = db;
+        this.#logger = logger;
+        ensureManifestSchema(db);
+    }
+    async getLastSeenVersion() {
+        const row = this.#db
+            .prepare("SELECT last_seen_version FROM manifest_state WHERE id = 1")
+            .get();
+        return row && row.last_seen_version != null ? Number(row.last_seen_version) : null;
+    }
+    async persistVersion(version) {
+        // Upsert the singleton row. Atomic within the encrypted DB — no temp-file rename dance.
+        try {
+            this.#db
+                .prepare(`INSERT INTO manifest_state (id, last_seen_version, updated_at)
+           VALUES (1, ?, ?)
+           ON CONFLICT(id) DO UPDATE SET last_seen_version = excluded.last_seen_version, updated_at = excluded.updated_at`)
+                .run(version, Date.now());
+        }
+        catch (err) {
+            // AC-012: a distinct, actionable failure — never a silent no-op (a lost anti-rollback version
+            // would re-open a manifest-downgrade window).
+            this.#logger.error("persist.manifest.persist.failed", { version, error: err instanceof Error ? err.message : String(err) });
+            const e = new Error(`manifest_persist_failed: ${err instanceof Error ? err.message : String(err)}`);
+            e.code = "manifest_persist_failed";
+            throw e;
+        }
+        this.#logger.info("persist.manifest.version.persisted", { version });
+    }
+}
+//# sourceMappingURL=manifest-version-store-db.js.map

package/dist/manifest-version-store-db.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"manifest-version-store-db.js","sourceRoot":"","sources":["../src/manifest-version-store-db.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAMH,gEAAgE;AAChE,MAAM,UAAU,oBAAoB,CAAC,EAAkB;IACrD,EAAE,CAAC,IAAI,CAAC;;;;;;GAMP,CAAC,CAAC;AACL,CAAC;AAED,MAAM,OAAO,sBAAsB;IACxB,GAAG,CAAiB;IACpB,OAAO,CAAS;IAEzB,YAAY,EAAkB,EAAE,MAAc;QAC5C,IAAI,CAAC,GAAG,GAAG,EAAE,CAAC;QACd,IAAI,CAAC,OAAO,GAAG,MAAM,CAAC;QACtB,oBAAoB,CAAC,EAAE,CAAC,CAAC;IAC3B,CAAC;IAED,KAAK,CAAC,kBAAkB;QACtB,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG;aACjB,OAAO,CAAC,2DAA2D,CAAC;aACpE,GAAG,EAAsD,CAAC;QAC7D,OAAO,GAAG,IAAI,GAAG,CAAC,iBAAiB,IAAI,IAAI,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,iBAAiB,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;IACrF,CAAC;IAED,KAAK,CAAC,cAAc,CAAC,OAAe;QAClC,wFAAwF;QACxF,IAAI,CAAC;YACH,IAAI,CAAC,GAAG;iBACL,OAAO,CACN;;0HAEgH,CACjH;iBACA,GAAG,CAAC,OAAO,EAAE,IAAI,CAAC,GAAG,EAAE,CAAC,CAAC;QAC9B,CAAC;QAAC,OAAO,GAAY,EAAE,CAAC;YACtB,8FAA8F;YAC9F,8CAA8C;YAC9C,IAAI,CAAC,OAAO,CAAC,KAAK,CAAC,iCAAiC,EAAE,EAAE,OAAO,EAAE,KAAK,EAAE,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;YAC5H,MAAM,CAAC,GAAG,IAAI,KAAK,CAAC,4BAA4B,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;YACnG,CAA+B,CAAC,IAAI,GAAG,yBAAyB,CAAC;YAClE,MAAM,CAAC,CAAC;QACV,CAAC;QACD,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,oCAAoC,EAAE,EAAE,OAAO,EAAE,CAAC,CAAC;IACvE,CAAC;CACF"}

package/dist/manifest-version-store.d.ts

@@ -6,7 +6,9 @@
  * number than the last-seen version is rejected as a potential rollback attack.
  *
  * InMemoryManifestVersionStore: stub for tests and initial deployments.
- * FileManifestVersionStore: file-backed bridge for cross-process persistence (AC-005).
+ * DbManifestVersionStore (manifest-version-store-db.ts): the production store — the version lives in
+ * the SQLCipher-encrypted manifest_state table (PERSIST-002 AC-008). The old file-backed store was
+ * removed.
  */
 import type { IManifestVersionStore } from "@cello-protocol/transport";
 export { InMemoryManifestVersionStore } from "@cello-protocol/transport";

package/dist/manifest-version-store.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"manifest-version-store.d.ts","sourceRoot":"","sources":["../src/manifest-version-store.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAEH,OAAO,KAAK,EAAE,qBAAqB,EAAE,MAAM,2BAA2B,CAAC;AAGvE,OAAO,EAAE,4BAA4B,EAAE,MAAM,2BAA2B,CAAC;AAEzE,YAAY,EAAE,qBAAqB,EAAE,CAAC"}
+{"version":3,"file":"manifest-version-store.d.ts","sourceRoot":"","sources":["../src/manifest-version-store.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAEH,OAAO,KAAK,EAAE,qBAAqB,EAAE,MAAM,2BAA2B,CAAC;AAGvE,OAAO,EAAE,4BAA4B,EAAE,MAAM,2BAA2B,CAAC;AAEzE,YAAY,EAAE,qBAAqB,EAAE,CAAC"}