@clawbureau/clawverify-core 0.1.0

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 Clawbureau
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -0,0 +1,40 @@
+# @clawbureau/clawverify-core
+
+Pure, offline-capable verification primitives for the **Clawsig Protocol**. Zero network dependencies — just cryptographic verification.
+
+## Install
+
+```bash
+npm install @clawbureau/clawverify-core
+```
+
+## Usage
+
+```ts
+import { verifyProofBundle } from '@clawbureau/clawverify-core';
+
+const bundle = JSON.parse(fs.readFileSync('run_xxx-bundle.json', 'utf-8'));
+const result = verifyProofBundle(bundle);
+
+console.log(result.status);      // 'PASS' or 'FAIL'
+console.log(result.reason_code); // 'OK', 'SIGNATURE_INVALID', etc.
+```
+
+## What it verifies
+
+- JSON schema validation (fail-closed on unknown versions)
+- Ed25519 signature verification (did:key extraction)
+- Event chain hash integrity (SHA-256)
+- Tool receipt validation (version, algorithm, agent DID, required fields)
+- Side-effect receipt validation (effect class, version, required fields)
+- Human approval receipt validation (approval type, agent DID, required fields)
+- Signer DID allowlist enforcement (optional, via config)
+- Export bundle and log inclusion proof verification
+
+## Fail-closed by design
+
+Unknown schema versions, hash algorithms, or envelope formats produce `FAIL` — never silently pass.
+
+## License
+
+MIT

package/dist/crypto.d.ts

@@ -0,0 +1,27 @@
+/**
+ * Cryptographic utilities for signature verification
+ */
+import type { HashAlgorithm, Algorithm } from './types.js';
+/**
+ * Decode base64url to Uint8Array
+ */
+export declare function base64UrlDecode(str: string): Uint8Array;
+/**
+ * Encode Uint8Array to base64url
+ */
+export declare function base64UrlEncode(bytes: Uint8Array): string;
+/**
+ * Compute hash of payload using specified algorithm
+ */
+export declare function computeHash(payload: unknown, algorithm: HashAlgorithm): Promise<string>;
+/**
+ * Extract public key bytes from did:key
+ * Format: did:key:z<multibase-encoded-public-key>
+ */
+export declare function extractPublicKeyFromDidKey(did: string): Uint8Array | null;
+export declare function base58Decode(str: string): Uint8Array;
+/**
+ * Verify Ed25519 signature using Web Crypto API
+ */
+export declare function verifySignature(algorithm: Algorithm, publicKeyBytes: Uint8Array, signature: Uint8Array, message: Uint8Array): Promise<boolean>;
+//# sourceMappingURL=crypto.d.ts.map

package/dist/crypto.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"crypto.d.ts","sourceRoot":"","sources":["../src/crypto.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,KAAK,EAAE,aAAa,EAAE,SAAS,EAAE,MAAM,YAAY,CAAC;AAE3D;;GAEG;AACH,wBAAgB,eAAe,CAAC,GAAG,EAAE,MAAM,GAAG,UAAU,CAWvD;AAED;;GAEG;AACH,wBAAgB,eAAe,CAAC,KAAK,EAAE,UAAU,GAAG,MAAM,CAIzD;AAED;;GAEG;AACH,wBAAsB,WAAW,CAC/B,OAAO,EAAE,OAAO,EAChB,SAAS,EAAE,aAAa,GACvB,OAAO,CAAC,MAAM,CAAC,CAWjB;AAED;;;GAGG;AACH,wBAAgB,0BAA0B,CAAC,GAAG,EAAE,MAAM,GAAG,UAAU,GAAG,IAAI,CAmBzE;AAQD,wBAAgB,YAAY,CAAC,GAAG,EAAE,MAAM,GAAG,UAAU,CAkCpD;AAeD;;GAEG;AACH,wBAAsB,eAAe,CACnC,SAAS,EAAE,SAAS,EACpB,cAAc,EAAE,UAAU,EAC1B,SAAS,EAAE,UAAU,EACrB,OAAO,EAAE,UAAU,GAClB,OAAO,CAAC,OAAO,CAAC,CAyBlB"}

package/dist/crypto.js

@@ -0,0 +1,124 @@
+/**
+ * Cryptographic utilities for signature verification
+ */
+/**
+ * Decode base64url to Uint8Array
+ */
+export function base64UrlDecode(str) {
+    // Replace base64url chars with base64
+    const base64 = str.replace(/-/g, '+').replace(/_/g, '/');
+    // Pad with = if needed
+    const padded = base64 + '='.repeat((4 - (base64.length % 4)) % 4);
+    const binary = atob(padded);
+    const bytes = new Uint8Array(binary.length);
+    for (let i = 0; i < binary.length; i++) {
+        bytes[i] = binary.charCodeAt(i);
+    }
+    return bytes;
+}
+/**
+ * Encode Uint8Array to base64url
+ */
+export function base64UrlEncode(bytes) {
+    const binary = String.fromCharCode(...bytes);
+    const base64 = btoa(binary);
+    return base64.replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
+}
+/**
+ * Compute hash of payload using specified algorithm
+ */
+export async function computeHash(payload, algorithm) {
+    const encoder = new TextEncoder();
+    const data = encoder.encode(JSON.stringify(payload));
+    if (algorithm === 'SHA-256') {
+        const hashBuffer = await crypto.subtle.digest('SHA-256', data);
+        return base64UrlEncode(new Uint8Array(hashBuffer));
+    }
+    // BLAKE3 would require a library - for now SHA-256 is primary
+    throw new Error(`Hash algorithm not implemented: ${algorithm}`);
+}
+/**
+ * Extract public key bytes from did:key
+ * Format: did:key:z<multibase-encoded-public-key>
+ */
+export function extractPublicKeyFromDidKey(did) {
+    if (!did.startsWith('did:key:z')) {
+        return null;
+    }
+    try {
+        // Remove did:key:z prefix and decode multibase (z = base58btc)
+        const multibase = did.slice(9);
+        const decoded = base58Decode(multibase);
+        // Ed25519 multicodec prefix is 0xed01
+        if (decoded[0] === 0xed && decoded[1] === 0x01) {
+            return decoded.slice(2);
+        }
+        return null;
+    }
+    catch {
+        return null;
+    }
+}
+/**
+ * Base58 Bitcoin alphabet decoder
+ */
+const BASE58_ALPHABET = '123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz';
+export function base58Decode(str) {
+    const bytes = [0];
+    for (const char of str) {
+        const value = BASE58_ALPHABET.indexOf(char);
+        if (value === -1) {
+            throw new Error(`Invalid base58 character: ${char}`);
+        }
+        for (let i = 0; i < bytes.length; i++) {
+            bytes[i] *= 58;
+        }
+        bytes[0] += value;
+        let carry = 0;
+        for (let i = 0; i < bytes.length; i++) {
+            bytes[i] += carry;
+            carry = bytes[i] >> 8;
+            bytes[i] &= 0xff;
+        }
+        while (carry) {
+            bytes.push(carry & 0xff);
+            carry >>= 8;
+        }
+    }
+    // Handle leading zeros
+    for (const char of str) {
+        if (char !== '1')
+            break;
+        bytes.push(0);
+    }
+    return new Uint8Array(bytes.reverse());
+}
+function toArrayBuffer(bytes) {
+    // DOM SubtleCrypto typings reject SharedArrayBuffer-backed views.
+    // Our inputs are expected to be regular ArrayBuffers, but we normalize anyway.
+    const buf = bytes.buffer;
+    if (buf instanceof ArrayBuffer) {
+        return buf.slice(bytes.byteOffset, bytes.byteOffset + bytes.byteLength);
+    }
+    const copy = new Uint8Array(bytes.byteLength);
+    copy.set(bytes);
+    return copy.buffer;
+}
+/**
+ * Verify Ed25519 signature using Web Crypto API
+ */
+export async function verifySignature(algorithm, publicKeyBytes, signature, message) {
+    if (algorithm !== 'Ed25519') {
+        throw new Error(`Algorithm not supported: ${algorithm}`);
+    }
+    try {
+        // Import the public key
+        const publicKey = await crypto.subtle.importKey('raw', toArrayBuffer(publicKeyBytes), { name: 'Ed25519' }, false, ['verify']);
+        // Verify the signature
+        return await crypto.subtle.verify('Ed25519', publicKey, toArrayBuffer(signature), toArrayBuffer(message));
+    }
+    catch {
+        return false;
+    }
+}
+//# sourceMappingURL=crypto.js.map

package/dist/crypto.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"crypto.js","sourceRoot":"","sources":["../src/crypto.ts"],"names":[],"mappings":"AAAA;;GAEG;AAIH;;GAEG;AACH,MAAM,UAAU,eAAe,CAAC,GAAW;IACzC,sCAAsC;IACtC,MAAM,MAAM,GAAG,GAAG,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC;IACzD,uBAAuB;IACvB,MAAM,MAAM,GAAG,MAAM,GAAG,GAAG,CAAC,MAAM,CAAC,CAAC,CAAC,GAAG,CAAC,MAAM,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;IAClE,MAAM,MAAM,GAAG,IAAI,CAAC,MAAM,CAAC,CAAC;IAC5B,MAAM,KAAK,GAAG,IAAI,UAAU,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;IAC5C,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,MAAM,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QACvC,KAAK,CAAC,CAAC,CAAC,GAAG,MAAM,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC;IAClC,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,eAAe,CAAC,KAAiB;IAC/C,MAAM,MAAM,GAAG,MAAM,CAAC,YAAY,CAAC,GAAG,KAAK,CAAC,CAAC;IAC7C,MAAM,MAAM,GAAG,IAAI,CAAC,MAAM,CAAC,CAAC;IAC5B,OAAO,MAAM,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;AAC3E,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,WAAW,CAC/B,OAAgB,EAChB,SAAwB;IAExB,MAAM,OAAO,GAAG,IAAI,WAAW,EAAE,CAAC;IAClC,MAAM,IAAI,GAAG,OAAO,CAAC,MAAM,CAAC,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,CAAC,CAAC;IAErD,IAAI,SAAS,KAAK,SAAS,EAAE,CAAC;QAC5B,MAAM,UAAU,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,SAAS,EAAE,IAAI,CAAC,CAAC;QAC/D,OAAO,eAAe,CAAC,IAAI,UAAU,CAAC,UAAU,CAAC,CAAC,CAAC;IACrD,CAAC;IAED,8DAA8D;IAC9D,MAAM,IAAI,KAAK,CAAC,mCAAmC,SAAS,EAAE,CAAC,CAAC;AAClE,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,0BAA0B,CAAC,GAAW;IACpD,IAAI,CAAC,GAAG,CAAC,UAAU,CAAC,WAAW,CAAC,EAAE,CAAC;QACjC,OAAO,IAAI,CAAC;IACd,CAAC;IAED,IAAI,CAAC;QACH,+DAA+D;QAC/D,MAAM,SAAS,GAAG,GAAG,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;QAC/B,MAAM,OAAO,GAAG,YAAY,CAAC,SAAS,CAAC,CAAC;QAExC,sCAAsC;QACtC,IAAI,OAAO,CAAC,CAAC,CAAC,KAAK,IAAI,IAAI,OAAO,CAAC,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;YAC/C,OAAO,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;QAC1B,CAAC;QAED,OAAO,IAAI,CAAC;IACd,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED;;GAEG;AACH,MAAM,eAAe,GACnB,4DAA4D,CAAC;AAE/D,MAAM,UAAU,YAAY,CAAC,GAAW;IACtC,MAAM,KAAK,GAAa,CAAC,CAAC,CAAC,CAAC;IAE5B,KAAK,MAAM,IAAI,IAAI,GAAG,EAAE,CAAC;QACvB,MAAM,KAAK,GAAG,eAAe,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;QAC5C,IAAI,KAAK,KAAK,CAAC,CAAC,EAAE,CAAC;YACjB,MAAM,IAAI,KAAK,CAAC,6BAA6B,IAAI,EAAE,CAAC,CAAC;QACvD,CAAC;QAED,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;YACtC,KAAK,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;QACjB,CAAC;QACD,KAAK,CAAC,CAAC,CAAC,IAAI,KAAK,CAAC;QAElB,IAAI,KAAK,GAAG,CAAC,CAAC;QACd,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;YACtC,KAAK,CAAC,CAAC,CAAC,IAAI,KAAK,CAAC;YAClB,KAAK,GAAG,KAAK,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC;YACtB,KAAK,CAAC,CAAC,CAAC,IAAI,IAAI,CAAC;QACnB,CAAC;QAED,OAAO,KAAK,EAAE,CAAC;YACb,KAAK,CAAC,IAAI,CAAC,KAAK,GAAG,IAAI,CAAC,CAAC;YACzB,KAAK,KAAK,CAAC,CAAC;QACd,CAAC;IACH,CAAC;IAED,uBAAuB;IACvB,KAAK,MAAM,IAAI,IAAI,GAAG,EAAE,CAAC;QACvB,IAAI,IAAI,KAAK,GAAG;YAAE,MAAM;QACxB,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAChB,CAAC;IAED,OAAO,IAAI,UAAU,CAAC,KAAK,CAAC,OAAO,EAAE,CAAC,CAAC;AACzC,CAAC;AAED,SAAS,aAAa,CAAC,KAAiB;IACtC,kEAAkE;IAClE,+EAA+E;IAC/E,MAAM,GAAG,GAAG,KAAK,CAAC,MAAM,CAAC;IACzB,IAAI,GAAG,YAAY,WAAW,EAAE,CAAC;QAC/B,OAAO,GAAG,CAAC,KAAK,CAAC,KAAK,CAAC,UAAU,EAAE,KAAK,CAAC,UAAU,GAAG,KAAK,CAAC,UAAU,CAAC,CAAC;IAC1E,CAAC;IAED,MAAM,IAAI,GAAG,IAAI,UAAU,CAAC,KAAK,CAAC,UAAU,CAAC,CAAC;IAC9C,IAAI,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;IAChB,OAAO,IAAI,CAAC,MAAM,CAAC;AACrB,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,eAAe,CACnC,SAAoB,EACpB,cAA0B,EAC1B,SAAqB,EACrB,OAAmB;IAEnB,IAAI,SAAS,KAAK,SAAS,EAAE,CAAC;QAC5B,MAAM,IAAI,KAAK,CAAC,4BAA4B,SAAS,EAAE,CAAC,CAAC;IAC3D,CAAC;IAED,IAAI,CAAC;QACH,wBAAwB;QACxB,MAAM,SAAS,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,SAAS,CAC7C,KAAK,EACL,aAAa,CAAC,cAAc,CAAC,EAC7B,EAAE,IAAI,EAAE,SAAS,EAAE,EACnB,KAAK,EACL,CAAC,QAAQ,CAAC,CACX,CAAC;QAEF,uBAAuB;QACvB,OAAO,MAAM,MAAM,CAAC,MAAM,CAAC,MAAM,CAC/B,SAAS,EACT,SAAS,EACT,aAAa,CAAC,SAAS,CAAC,EACxB,aAAa,CAAC,OAAO,CAAC,CACvB,CAAC;IACJ,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAC;IACf,CAAC;AACH,CAAC"}

package/dist/index.d.ts

@@ -0,0 +1,27 @@
+/**
+ * @clawbureau/clawverify-core
+ *
+ * Pure, offline-capable verification primitives shared by:
+ * - packages/clawverify-cli (offline verifier)
+ * - (optional) hosted verifiers / services
+ *
+ * Hard constraints:
+ * - fail-closed for unknown schema/version/algorithm
+ * - deterministic error codes
+ * - no network fetches
+ */
+export * from './types.js';
+export { verifyProofBundle } from './verify-proof-bundle.js';
+export type { ProofBundleVerifierOptions } from './verify-proof-bundle.js';
+export { verifyExportBundle } from './verify-export-bundle.js';
+export type { VerifyExportBundleOptions } from './verify-export-bundle.js';
+export { verifyReceipt } from './verify-receipt.js';
+export type { ReceiptVerifierOptions } from './verify-receipt.js';
+export { verifyWebReceipt } from './verify-web-receipt.js';
+export { verifyExecutionAttestation } from './verify-execution-attestation.js';
+export { verifyDerivationAttestation } from './verify-derivation-attestation.js';
+export { verifyAuditResultAttestation } from './verify-audit-result-attestation.js';
+export { verifyLogInclusionProof } from './verify-log-inclusion-proof.js';
+export { base64UrlDecode, base64UrlEncode, computeHash, extractPublicKeyFromDidKey, verifySignature, } from './crypto.js';
+export { jcsCanonicalize } from './jcs.js';
+//# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAEH,cAAc,YAAY,CAAC;AAE3B,OAAO,EAAE,iBAAiB,EAAE,MAAM,0BAA0B,CAAC;AAC7D,YAAY,EAAE,0BAA0B,EAAE,MAAM,0BAA0B,CAAC;AAE3E,OAAO,EAAE,kBAAkB,EAAE,MAAM,2BAA2B,CAAC;AAC/D,YAAY,EAAE,yBAAyB,EAAE,MAAM,2BAA2B,CAAC;AAE3E,OAAO,EAAE,aAAa,EAAE,MAAM,qBAAqB,CAAC;AACpD,YAAY,EAAE,sBAAsB,EAAE,MAAM,qBAAqB,CAAC;AAElE,OAAO,EAAE,gBAAgB,EAAE,MAAM,yBAAyB,CAAC;AAE3D,OAAO,EAAE,0BAA0B,EAAE,MAAM,mCAAmC,CAAC;AAC/E,OAAO,EAAE,2BAA2B,EAAE,MAAM,oCAAoC,CAAC;AACjF,OAAO,EAAE,4BAA4B,EAAE,MAAM,sCAAsC,CAAC;AACpF,OAAO,EAAE,uBAAuB,EAAE,MAAM,iCAAiC,CAAC;AAE1E,OAAO,EACL,eAAe,EACf,eAAe,EACf,WAAW,EACX,0BAA0B,EAC1B,eAAe,GAChB,MAAM,aAAa,CAAC;AAErB,OAAO,EAAE,eAAe,EAAE,MAAM,UAAU,CAAC"}

package/dist/index.js

@@ -0,0 +1,24 @@
+/**
+ * @clawbureau/clawverify-core
+ *
+ * Pure, offline-capable verification primitives shared by:
+ * - packages/clawverify-cli (offline verifier)
+ * - (optional) hosted verifiers / services
+ *
+ * Hard constraints:
+ * - fail-closed for unknown schema/version/algorithm
+ * - deterministic error codes
+ * - no network fetches
+ */
+export * from './types.js';
+export { verifyProofBundle } from './verify-proof-bundle.js';
+export { verifyExportBundle } from './verify-export-bundle.js';
+export { verifyReceipt } from './verify-receipt.js';
+export { verifyWebReceipt } from './verify-web-receipt.js';
+export { verifyExecutionAttestation } from './verify-execution-attestation.js';
+export { verifyDerivationAttestation } from './verify-derivation-attestation.js';
+export { verifyAuditResultAttestation } from './verify-audit-result-attestation.js';
+export { verifyLogInclusionProof } from './verify-log-inclusion-proof.js';
+export { base64UrlDecode, base64UrlEncode, computeHash, extractPublicKeyFromDidKey, verifySignature, } from './crypto.js';
+export { jcsCanonicalize } from './jcs.js';
+//# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAEH,cAAc,YAAY,CAAC;AAE3B,OAAO,EAAE,iBAAiB,EAAE,MAAM,0BAA0B,CAAC;AAG7D,OAAO,EAAE,kBAAkB,EAAE,MAAM,2BAA2B,CAAC;AAG/D,OAAO,EAAE,aAAa,EAAE,MAAM,qBAAqB,CAAC;AAGpD,OAAO,EAAE,gBAAgB,EAAE,MAAM,yBAAyB,CAAC;AAE3D,OAAO,EAAE,0BAA0B,EAAE,MAAM,mCAAmC,CAAC;AAC/E,OAAO,EAAE,2BAA2B,EAAE,MAAM,oCAAoC,CAAC;AACjF,OAAO,EAAE,4BAA4B,EAAE,MAAM,sCAAsC,CAAC;AACpF,OAAO,EAAE,uBAAuB,EAAE,MAAM,iCAAiC,CAAC;AAE1E,OAAO,EACL,eAAe,EACf,eAAe,EACf,WAAW,EACX,0BAA0B,EAC1B,eAAe,GAChB,MAAM,aAAa,CAAC;AAErB,OAAO,EAAE,eAAe,EAAE,MAAM,UAAU,CAAC"}

package/dist/jcs.d.ts

@@ -0,0 +1,13 @@
+/**
+ * RFC 8785 — JSON Canonicalization Scheme (JCS)
+ *
+ * Produces a deterministic JSON string suitable for signing/verifying.
+ *
+ * Notes:
+ * - Only valid JSON data is supported (no undefined/functions/symbols).
+ * - Object keys are sorted lexicographically.
+ * - Numbers must be finite.
+ * - Output contains no whitespace.
+ */
+export declare function jcsCanonicalize(value: unknown): string;
+//# sourceMappingURL=jcs.d.ts.map

package/dist/jcs.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"jcs.d.ts","sourceRoot":"","sources":["../src/jcs.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AACH,wBAAgB,eAAe,CAAC,KAAK,EAAE,OAAO,GAAG,MAAM,CAqCtD"}

package/dist/jcs.js

@@ -0,0 +1,43 @@
+/**
+ * RFC 8785 — JSON Canonicalization Scheme (JCS)
+ *
+ * Produces a deterministic JSON string suitable for signing/verifying.
+ *
+ * Notes:
+ * - Only valid JSON data is supported (no undefined/functions/symbols).
+ * - Object keys are sorted lexicographically.
+ * - Numbers must be finite.
+ * - Output contains no whitespace.
+ */
+export function jcsCanonicalize(value) {
+    if (value === null)
+        return 'null';
+    switch (typeof value) {
+        case 'boolean':
+            return value ? 'true' : 'false';
+        case 'number':
+            if (!Number.isFinite(value)) {
+                throw new Error('Non-finite number not allowed in JCS');
+            }
+            // JSON.stringify() uses the ECMAScript number to string algorithm.
+            return JSON.stringify(value);
+        case 'string':
+            return JSON.stringify(value);
+        case 'object': {
+            if (Array.isArray(value)) {
+                return `[${value.map(jcsCanonicalize).join(',')}]`;
+            }
+            const obj = value;
+            const keys = Object.keys(obj).sort();
+            const parts = [];
+            for (const k of keys) {
+                parts.push(`${JSON.stringify(k)}:${jcsCanonicalize(obj[k])}`);
+            }
+            return `{${parts.join(',')}}`;
+        }
+        default:
+            // undefined | function | symbol | bigint
+            throw new Error(`Unsupported value type for JCS: ${typeof value}`);
+    }
+}
+//# sourceMappingURL=jcs.js.map

package/dist/jcs.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"jcs.js","sourceRoot":"","sources":["../src/jcs.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AACH,MAAM,UAAU,eAAe,CAAC,KAAc;IAC5C,IAAI,KAAK,KAAK,IAAI;QAAE,OAAO,MAAM,CAAC;IAElC,QAAQ,OAAO,KAAK,EAAE,CAAC;QACrB,KAAK,SAAS;YACZ,OAAO,KAAK,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,OAAO,CAAC;QAElC,KAAK,QAAQ;YACX,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,KAAK,CAAC,EAAE,CAAC;gBAC5B,MAAM,IAAI,KAAK,CAAC,sCAAsC,CAAC,CAAC;YAC1D,CAAC;YACD,mEAAmE;YACnE,OAAO,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC;QAE/B,KAAK,QAAQ;YACX,OAAO,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC;QAE/B,KAAK,QAAQ,CAAC,CAAC,CAAC;YACd,IAAI,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC;gBACzB,OAAO,IAAI,KAAK,CAAC,GAAG,CAAC,eAAe,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC;YACrD,CAAC;YAED,MAAM,GAAG,GAAG,KAAgC,CAAC;YAC7C,MAAM,IAAI,GAAG,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,IAAI,EAAE,CAAC;YACrC,MAAM,KAAK,GAAa,EAAE,CAAC;YAE3B,KAAK,MAAM,CAAC,IAAI,IAAI,EAAE,CAAC;gBACrB,KAAK,CAAC,IAAI,CAAC,GAAG,IAAI,CAAC,SAAS,CAAC,CAAC,CAAC,IAAI,eAAe,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC;YAChE,CAAC;YAED,OAAO,IAAI,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC;QAChC,CAAC;QAED;YACE,yCAAyC;YACzC,MAAM,IAAI,KAAK,CAAC,mCAAmC,OAAO,KAAK,EAAE,CAAC,CAAC;IACvE,CAAC;AACH,CAAC"}

package/dist/model-identity.d.ts

@@ -0,0 +1,46 @@
+/**
+ * CVF-US-016 — Model identity extraction + verification.
+ *
+ * Model identity is an orthogonal axis to PoH tiers:
+ * - PoH (`proof_tier` / `poh_tier`) describes execution provenance.
+ * - `model_identity_tier` describes what we can honestly claim about the model identity.
+ *
+ * This module intentionally fail-closes *only* the model identity axis.
+ * Receipt signature/binding validity is handled elsewhere.
+ */
+import type { GatewayReceiptPayload, ModelIdentityTier, SignedEnvelope } from './types.js';
+export declare function computeModelIdentityHashB64u(identity: unknown): Promise<string>;
+export interface ModelIdentityVerificationResult {
+    /** Whether the model identity claim itself verified (schema + hash + consistency). */
+    valid: boolean;
+    tier: ModelIdentityTier;
+    /** Deterministic risk flags (non-normative). */
+    risk_flags: string[];
+    computed_hash_b64u?: string;
+}
+/**
+ * Verify model identity for a single receipt payload.
+ *
+ * Returns:
+ * - `valid=false` only means model identity cannot be trusted. Receipt may still be cryptographically valid.
+ */
+export declare function verifyModelIdentityFromReceiptPayload(payload: GatewayReceiptPayload): Promise<ModelIdentityVerificationResult>;
+export interface ReceiptVerificationForModelIdentity {
+    signature_valid?: boolean;
+    binding_valid?: boolean;
+    valid?: boolean;
+}
+/**
+ * Compute a single model_identity_tier for a set of receipts.
+ *
+ * Policy/gating-friendly semantics: the overall tier is the *minimum* tier
+ * across all receipts that have signature-valid envelopes.
+ */
+export declare function computeModelIdentityTierFromReceipts(input: {
+    receipts: SignedEnvelope<GatewayReceiptPayload>[];
+    receiptResults?: ReceiptVerificationForModelIdentity[] | null;
+}): Promise<{
+    model_identity_tier: ModelIdentityTier;
+    risk_flags: string[];
+}>;
+//# sourceMappingURL=model-identity.d.ts.map

package/dist/model-identity.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"model-identity.d.ts","sourceRoot":"","sources":["../src/model-identity.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAEH,OAAO,KAAK,EAAE,qBAAqB,EAAE,iBAAiB,EAAE,cAAc,EAAE,MAAM,YAAY,CAAC;AAgB3F,wBAAsB,4BAA4B,CAAC,QAAQ,EAAE,OAAO,GAAG,OAAO,CAAC,MAAM,CAAC,CAErF;AA0DD,MAAM,WAAW,+BAA+B;IAC9C,sFAAsF;IACtF,KAAK,EAAE,OAAO,CAAC;IACf,IAAI,EAAE,iBAAiB,CAAC;IACxB,gDAAgD;IAChD,UAAU,EAAE,MAAM,EAAE,CAAC;IACrB,kBAAkB,CAAC,EAAE,MAAM,CAAC;CAC7B;AAED;;;;;GAKG;AACH,wBAAsB,qCAAqC,CACzD,OAAO,EAAE,qBAAqB,GAC7B,OAAO,CAAC,+BAA+B,CAAC,CAkH1C;AAED,MAAM,WAAW,mCAAmC;IAClD,eAAe,CAAC,EAAE,OAAO,CAAC;IAC1B,aAAa,CAAC,EAAE,OAAO,CAAC;IACxB,KAAK,CAAC,EAAE,OAAO,CAAC;CACjB;AAED;;;;;GAKG;AACH,wBAAsB,oCAAoC,CAAC,KAAK,EAAE;IAChE,QAAQ,EAAE,cAAc,CAAC,qBAAqB,CAAC,EAAE,CAAC;IAClD,cAAc,CAAC,EAAE,mCAAmC,EAAE,GAAG,IAAI,CAAC;CAC/D,GAAG,OAAO,CAAC;IAAE,mBAAmB,EAAE,iBAAiB,CAAC;IAAC,UAAU,EAAE,MAAM,EAAE,CAAA;CAAE,CAAC,CAoC5E"}

package/dist/model-identity.js

@@ -0,0 +1,233 @@
+/**
+ * CVF-US-016 — Model identity extraction + verification.
+ *
+ * Model identity is an orthogonal axis to PoH tiers:
+ * - PoH (`proof_tier` / `poh_tier`) describes execution provenance.
+ * - `model_identity_tier` describes what we can honestly claim about the model identity.
+ *
+ * This module intentionally fail-closes *only* the model identity axis.
+ * Receipt signature/binding validity is handled elsewhere.
+ */
+import { base64UrlEncode } from './crypto.js';
+import { jcsCanonicalize } from './jcs.js';
+import { isValidBase64Url } from './schema-registry.js';
+import { validateModelIdentityV1 } from './schema-validation.js';
+function isRecord(x) {
+    return typeof x === 'object' && x !== null && !Array.isArray(x);
+}
+async function sha256B64uUtf8(s) {
+    const bytes = new TextEncoder().encode(s);
+    const digest = await crypto.subtle.digest('SHA-256', bytes);
+    return base64UrlEncode(new Uint8Array(digest));
+}
+export async function computeModelIdentityHashB64u(identity) {
+    return sha256B64uUtf8(jcsCanonicalize(identity));
+}
+const TIER_STRENGTH = {
+    unknown: 0,
+    closed_opaque: 1,
+    closed_provider_manifest: 2,
+    openweights_hashable: 3,
+    tee_measured: 4,
+};
+function normalizeTier(tier) {
+    if (tier === 'closed_opaque')
+        return 'closed_opaque';
+    if (tier === 'closed_provider_manifest')
+        return 'closed_provider_manifest';
+    if (tier === 'openweights_hashable')
+        return 'openweights_hashable';
+    if (tier === 'tee_measured')
+        return 'tee_measured';
+    return 'unknown';
+}
+function requireString(obj, key) {
+    const v = obj[key];
+    return typeof v === 'string' && v.trim().length > 0 ? v : null;
+}
+function hasProviderManifestEvidence(identity) {
+    const artifacts = identity.artifacts;
+    if (!isRecord(artifacts))
+        return false;
+    const pm = artifacts.provider_manifest;
+    if (!isRecord(pm))
+        return false;
+    const h = pm.hash_b64u;
+    return typeof h === 'string' && isValidBase64Url(h) && h.length >= 8;
+}
+function hasOpenweightsEvidence(identity) {
+    const artifacts = identity.artifacts;
+    if (!isRecord(artifacts))
+        return false;
+    const ow = artifacts.openweights;
+    if (!isRecord(ow))
+        return false;
+    const weights = ow.weights;
+    if (!Array.isArray(weights) || weights.length === 0)
+        return false;
+    for (const w of weights) {
+        if (!isRecord(w))
+            return false;
+        const h = w.hash_b64u;
+        if (typeof h !== 'string' || !isValidBase64Url(h) || h.length < 8)
+            return false;
+    }
+    return true;
+}
+function hasTeeEvidence(identity) {
+    const artifacts = identity.artifacts;
+    if (!isRecord(artifacts))
+        return false;
+    const tm = artifacts.tee_measurement;
+    if (!isRecord(tm))
+        return false;
+    const ref = tm.attestation_report_ref;
+    if (!isRecord(ref))
+        return false;
+    const h = ref.resource_hash_b64u;
+    return typeof h === 'string' && isValidBase64Url(h) && h.length >= 8;
+}
+/**
+ * Verify model identity for a single receipt payload.
+ *
+ * Returns:
+ * - `valid=false` only means model identity cannot be trusted. Receipt may still be cryptographically valid.
+ */
+export async function verifyModelIdentityFromReceiptPayload(payload) {
+    const risk = new Set();
+    const metadata = isRecord(payload.metadata) ? payload.metadata : null;
+    const providedIdentity = metadata?.model_identity;
+    const providedHash = typeof metadata?.model_identity_hash_b64u === 'string' ? metadata.model_identity_hash_b64u : null;
+    let identity;
+    if (providedIdentity === undefined) {
+        // Back-compat: older receipts may not include model identity metadata.
+        // Default is still "closed_opaque" for closed providers.
+        risk.add('MODEL_IDENTITY_MISSING_DEFAULTED');
+        identity = {
+            model_identity_version: '1',
+            tier: 'closed_opaque',
+            model: {
+                provider: payload.provider,
+                name: payload.model,
+            },
+        };
+    }
+    else {
+        // Strict schema validate when present.
+        const v = validateModelIdentityV1(providedIdentity);
+        if (!v.valid) {
+            risk.add('MODEL_IDENTITY_SCHEMA_INVALID');
+            return { valid: false, tier: 'unknown', risk_flags: [...risk].sort() };
+        }
+        identity = providedIdentity;
+    }
+    // Ensure the identity model label matches the receipt payload model label.
+    if (!isRecord(identity)) {
+        risk.add('MODEL_IDENTITY_SCHEMA_INVALID');
+        return { valid: false, tier: 'unknown', risk_flags: [...risk].sort() };
+    }
+    const model = identity.model;
+    if (!isRecord(model)) {
+        risk.add('MODEL_IDENTITY_SCHEMA_INVALID');
+        return { valid: false, tier: 'unknown', risk_flags: [...risk].sort() };
+    }
+    const identityProvider = requireString(model, 'provider');
+    const identityName = requireString(model, 'name');
+    if (!identityProvider || !identityName) {
+        risk.add('MODEL_IDENTITY_SCHEMA_INVALID');
+        return { valid: false, tier: 'unknown', risk_flags: [...risk].sort() };
+    }
+    if (identityProvider !== payload.provider || identityName !== payload.model) {
+        risk.add('MODEL_IDENTITY_MODEL_MISMATCH');
+        return { valid: false, tier: 'unknown', risk_flags: [...risk].sort() };
+    }
+    // Validate hash (if present) against sha256_b64u(JCS(model_identity)).
+    let computedHash;
+    try {
+        computedHash = await computeModelIdentityHashB64u(identity);
+    }
+    catch {
+        risk.add('MODEL_IDENTITY_HASH_COMPUTE_FAILED');
+        return { valid: false, tier: 'unknown', risk_flags: [...risk].sort() };
+    }
+    if (providedHash) {
+        if (!isValidBase64Url(providedHash)) {
+            risk.add('MODEL_IDENTITY_HASH_INVALID');
+            return { valid: false, tier: 'unknown', risk_flags: [...risk].sort(), computed_hash_b64u: computedHash };
+        }
+        if (providedHash !== computedHash) {
+            risk.add('MODEL_IDENTITY_HASH_MISMATCH');
+            return { valid: false, tier: 'unknown', risk_flags: [...risk].sort(), computed_hash_b64u: computedHash };
+        }
+    }
+    else {
+        risk.add('MODEL_IDENTITY_HASH_MISSING');
+    }
+    // Validate tier semantics (fail-closed on stronger tiers without evidence).
+    const tier = normalizeTier(identity.tier);
+    if (tier === 'unknown') {
+        risk.add('MODEL_IDENTITY_TIER_INVALID');
+        return { valid: false, tier: 'unknown', risk_flags: [...risk].sort(), computed_hash_b64u: computedHash };
+    }
+    if (tier === 'closed_provider_manifest' && !hasProviderManifestEvidence(identity)) {
+        risk.add('MODEL_IDENTITY_EVIDENCE_MISSING');
+        return { valid: false, tier: 'unknown', risk_flags: [...risk].sort(), computed_hash_b64u: computedHash };
+    }
+    if (tier === 'openweights_hashable' && !hasOpenweightsEvidence(identity)) {
+        risk.add('MODEL_IDENTITY_EVIDENCE_MISSING');
+        return { valid: false, tier: 'unknown', risk_flags: [...risk].sort(), computed_hash_b64u: computedHash };
+    }
+    if (tier === 'tee_measured' && !hasTeeEvidence(identity)) {
+        risk.add('MODEL_IDENTITY_EVIDENCE_MISSING');
+        return { valid: false, tier: 'unknown', risk_flags: [...risk].sort(), computed_hash_b64u: computedHash };
+    }
+    if (tier === 'closed_opaque') {
+        // Not an error: this is the expected posture for closed providers.
+        risk.add('MODEL_IDENTITY_OPAQUE');
+    }
+    return {
+        valid: true,
+        tier,
+        risk_flags: [...risk].sort(),
+        computed_hash_b64u: computedHash,
+    };
+}
+/**
+ * Compute a single model_identity_tier for a set of receipts.
+ *
+ * Policy/gating-friendly semantics: the overall tier is the *minimum* tier
+ * across all receipts that have signature-valid envelopes.
+ */
+export async function computeModelIdentityTierFromReceipts(input) {
+    const risk = new Set();
+    const tiers = [];
+    for (let i = 0; i < input.receipts.length; i++) {
+        const r = input.receipts[i];
+        const vr = input.receiptResults?.[i];
+        // Only consider receipts whose envelope signature+payload hash were verified.
+        // If we have no per-receipt verification results, assume caller already filtered.
+        if (vr && vr.signature_valid === false)
+            continue;
+        const out = await verifyModelIdentityFromReceiptPayload(r.payload);
+        for (const f of out.risk_flags)
+            risk.add(f);
+        tiers.push(out.tier);
+    }
+    if (tiers.length === 0) {
+        risk.add('MODEL_IDENTITY_NO_SIGNATURE_VERIFIED_RECEIPTS');
+        return { model_identity_tier: 'unknown', risk_flags: [...risk].sort() };
+    }
+    let minTier = tiers[0];
+    for (const t of tiers) {
+        if (TIER_STRENGTH[t] < TIER_STRENGTH[minTier])
+            minTier = t;
+    }
+    const distinct = new Set(tiers);
+    if (distinct.size > 1)
+        risk.add('MODEL_IDENTITY_HETEROGENEOUS');
+    return {
+        model_identity_tier: minTier,
+        risk_flags: [...risk].sort(),
+    };
+}
+//# sourceMappingURL=model-identity.js.map

package/dist/model-identity.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"model-identity.js","sourceRoot":"","sources":["../src/model-identity.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAGH,OAAO,EAAE,eAAe,EAAE,MAAM,aAAa,CAAC;AAC9C,OAAO,EAAE,eAAe,EAAE,MAAM,UAAU,CAAC;AAC3C,OAAO,EAAE,gBAAgB,EAAE,MAAM,sBAAsB,CAAC;AACxD,OAAO,EAAE,uBAAuB,EAAE,MAAM,wBAAwB,CAAC;AAEjE,SAAS,QAAQ,CAAC,CAAU;IAC1B,OAAO,OAAO,CAAC,KAAK,QAAQ,IAAI,CAAC,KAAK,IAAI,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC;AAClE,CAAC;AAED,KAAK,UAAU,cAAc,CAAC,CAAS;IACrC,MAAM,KAAK,GAAG,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC;IAC1C,MAAM,MAAM,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,SAAS,EAAE,KAAK,CAAC,CAAC;IAC5D,OAAO,eAAe,CAAC,IAAI,UAAU,CAAC,MAAM,CAAC,CAAC,CAAC;AACjD,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,4BAA4B,CAAC,QAAiB;IAClE,OAAO,cAAc,CAAC,eAAe,CAAC,QAAQ,CAAC,CAAC,CAAC;AACnD,CAAC;AAED,MAAM,aAAa,GAAsC;IACvD,OAAO,EAAE,CAAC;IACV,aAAa,EAAE,CAAC;IAChB,wBAAwB,EAAE,CAAC;IAC3B,oBAAoB,EAAE,CAAC;IACvB,YAAY,EAAE,CAAC;CAChB,CAAC;AAEF,SAAS,aAAa,CAAC,IAAa;IAClC,IAAI,IAAI,KAAK,eAAe;QAAE,OAAO,eAAe,CAAC;IACrD,IAAI,IAAI,KAAK,0BAA0B;QAAE,OAAO,0BAA0B,CAAC;IAC3E,IAAI,IAAI,KAAK,sBAAsB;QAAE,OAAO,sBAAsB,CAAC;IACnE,IAAI,IAAI,KAAK,cAAc;QAAE,OAAO,cAAc,CAAC;IACnD,OAAO,SAAS,CAAC;AACnB,CAAC;AAED,SAAS,aAAa,CAAC,GAA4B,EAAE,GAAW;IAC9D,MAAM,CAAC,GAAG,GAAG,CAAC,GAAG,CAAC,CAAC;IACnB,OAAO,OAAO,CAAC,KAAK,QAAQ,IAAI,CAAC,CAAC,IAAI,EAAE,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;AACjE,CAAC;AAED,SAAS,2BAA2B,CAAC,QAAiC;IACpE,MAAM,SAAS,GAAG,QAAQ,CAAC,SAAS,CAAC;IACrC,IAAI,CAAC,QAAQ,CAAC,SAAS,CAAC;QAAE,OAAO,KAAK,CAAC;IACvC,MAAM,EAAE,GAAG,SAAS,CAAC,iBAAiB,CAAC;IACvC,IAAI,CAAC,QAAQ,CAAC,EAAE,CAAC;QAAE,OAAO,KAAK,CAAC;IAChC,MAAM,CAAC,GAAG,EAAE,CAAC,SAAS,CAAC;IACvB,OAAO,OAAO,CAAC,KAAK,QAAQ,IAAI,gBAAgB,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,MAAM,IAAI,CAAC,CAAC;AACvE,CAAC;AAED,SAAS,sBAAsB,CAAC,QAAiC;IAC/D,MAAM,SAAS,GAAG,QAAQ,CAAC,SAAS,CAAC;IACrC,IAAI,CAAC,QAAQ,CAAC,SAAS,CAAC;QAAE,OAAO,KAAK,CAAC;IACvC,MAAM,EAAE,GAAG,SAAS,CAAC,WAAW,CAAC;IACjC,IAAI,CAAC,QAAQ,CAAC,EAAE,CAAC;QAAE,OAAO,KAAK,CAAC;IAChC,MAAM,OAAO,GAAG,EAAE,CAAC,OAAO,CAAC;IAC3B,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,OAAO,CAAC,IAAI,OAAO,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,KAAK,CAAC;IAClE,KAAK,MAAM,CAAC,IAAI,OAAO,EAAE,CAAC;QACxB,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAC;YAAE,OAAO,KAAK,CAAC;QAC/B,MAAM,CAAC,GAAG,CAAC,CAAC,SAAS,CAAC;QACtB,IAAI,OAAO,CAAC,KAAK,QAAQ,IAAI,CAAC,gBAAgB,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,MAAM,GAAG,CAAC;YAAE,OAAO,KAAK,CAAC;IAClF,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED,SAAS,cAAc,CAAC,QAAiC;IACvD,MAAM,SAAS,GAAG,QAAQ,CAAC,SAAS,CAAC;IACrC,IAAI,CAAC,QAAQ,CAAC,SAAS,CAAC;QAAE,OAAO,KAAK,CAAC;IACvC,MAAM,EAAE,GAAG,SAAS,CAAC,eAAe,CAAC;IACrC,IAAI,CAAC,QAAQ,CAAC,EAAE,CAAC;QAAE,OAAO,KAAK,CAAC;IAChC,MAAM,GAAG,GAAG,EAAE,CAAC,sBAAsB,CAAC;IACtC,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC;QAAE,OAAO,KAAK,CAAC;IACjC,MAAM,CAAC,GAAG,GAAG,CAAC,kBAAkB,CAAC;IACjC,OAAO,OAAO,CAAC,KAAK,QAAQ,IAAI,gBAAgB,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,MAAM,IAAI,CAAC,CAAC;AACvE,CAAC;AAWD;;;;;GAKG;AACH,MAAM,CAAC,KAAK,UAAU,qCAAqC,CACzD,OAA8B;IAE9B,MAAM,IAAI,GAAG,IAAI,GAAG,EAAU,CAAC;IAE/B,MAAM,QAAQ,GAAG,QAAQ,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC;IAEtE,MAAM,gBAAgB,GAAG,QAAQ,EAAE,cAAc,CAAC;IAClD,MAAM,YAAY,GAAG,OAAO,QAAQ,EAAE,wBAAwB,KAAK,QAAQ,CAAC,CAAC,CAAC,QAAQ,CAAC,wBAAwB,CAAC,CAAC,CAAC,IAAI,CAAC;IAEvH,IAAI,QAAiB,CAAC;IAEtB,IAAI,gBAAgB,KAAK,SAAS,EAAE,CAAC;QACnC,uEAAuE;QACvE,yDAAyD;QACzD,IAAI,CAAC,GAAG,CAAC,kCAAkC,CAAC,CAAC;QAC7C,QAAQ,GAAG;YACT,sBAAsB,EAAE,GAAG;YAC3B,IAAI,EAAE,eAAe;YACrB,KAAK,EAAE;gBACL,QAAQ,EAAE,OAAO,CAAC,QAAQ;gBAC1B,IAAI,EAAE,OAAO,CAAC,KAAK;aACpB;SACF,CAAC;IACJ,CAAC;SAAM,CAAC;QACN,uCAAuC;QACvC,MAAM,CAAC,GAAG,uBAAuB,CAAC,gBAAgB,CAAC,CAAC;QACpD,IAAI,CAAC,CAAC,CAAC,KAAK,EAAE,CAAC;YACb,IAAI,CAAC,GAAG,CAAC,+BAA+B,CAAC,CAAC;YAC1C,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,IAAI,EAAE,SAAS,EAAE,UAAU,EAAE,CAAC,GAAG,IAAI,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC;QACzE,CAAC;QACD,QAAQ,GAAG,gBAAgB,CAAC;IAC9B,CAAC;IAED,2EAA2E;IAC3E,IAAI,CAAC,QAAQ,CAAC,QAAQ,CAAC,EAAE,CAAC;QACxB,IAAI,CAAC,GAAG,CAAC,+BAA+B,CAAC,CAAC;QAC1C,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,IAAI,EAAE,SAAS,EAAE,UAAU,EAAE,CAAC,GAAG,IAAI,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC;IACzE,CAAC;IAED,MAAM,KAAK,GAAG,QAAQ,CAAC,KAAK,CAAC;IAC7B,IAAI,CAAC,QAAQ,CAAC,KAAK,CAAC,EAAE,CAAC;QACrB,IAAI,CAAC,GAAG,CAAC,+BAA+B,CAAC,CAAC;QAC1C,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,IAAI,EAAE,SAAS,EAAE,UAAU,EAAE,CAAC,GAAG,IAAI,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC;IACzE,CAAC;IAED,MAAM,gBAAgB,GAAG,aAAa,CAAC,KAAK,EAAE,UAAU,CAAC,CAAC;IAC1D,MAAM,YAAY,GAAG,aAAa,CAAC,KAAK,EAAE,MAAM,CAAC,CAAC;IAElD,IAAI,CAAC,gBAAgB,IAAI,CAAC,YAAY,EAAE,CAAC;QACvC,IAAI,CAAC,GAAG,CAAC,+BAA+B,CAAC,CAAC;QAC1C,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,IAAI,EAAE,SAAS,EAAE,UAAU,EAAE,CAAC,GAAG,IAAI,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC;IACzE,CAAC;IAED,IAAI,gBAAgB,KAAK,OAAO,CAAC,QAAQ,IAAI,YAAY,KAAK,OAAO,CAAC,KAAK,EAAE,CAAC;QAC5E,IAAI,CAAC,GAAG,CAAC,+BAA+B,CAAC,CAAC;QAC1C,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,IAAI,EAAE,SAAS,EAAE,UAAU,EAAE,CAAC,GAAG,IAAI,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC;IACzE,CAAC;IAED,uEAAuE;IACvE,IAAI,YAAoB,CAAC;IACzB,IAAI,CAAC;QACH,YAAY,GAAG,MAAM,4BAA4B,CAAC,QAAQ,CAAC,CAAC;IAC9D,CAAC;IAAC,MAAM,CAAC;QACP,IAAI,CAAC,GAAG,CAAC,oCAAoC,CAAC,CAAC;QAC/C,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,IAAI,EAAE,SAAS,EAAE,UAAU,EAAE,CAAC,GAAG,IAAI,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC;IACzE,CAAC;IAED,IAAI,YAAY,EAAE,CAAC;QACjB,IAAI,CAAC,gBAAgB,CAAC,YAAY,CAAC,EAAE,CAAC;YACpC,IAAI,CAAC,GAAG,CAAC,6BAA6B,CAAC,CAAC;YACxC,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,IAAI,EAAE,SAAS,EAAE,UAAU,EAAE,CAAC,GAAG,IAAI,CAAC,CAAC,IAAI,EAAE,EAAE,kBAAkB,EAAE,YAAY,EAAE,CAAC;QAC3G,CAAC;QAED,IAAI,YAAY,KAAK,YAAY,EAAE,CAAC;YAClC,IAAI,CAAC,GAAG,CAAC,8BAA8B,CAAC,CAAC;YACzC,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,IAAI,EAAE,SAAS,EAAE,UAAU,EAAE,CAAC,GAAG,IAAI,CAAC,CAAC,IAAI,EAAE,EAAE,kBAAkB,EAAE,YAAY,EAAE,CAAC;QAC3G,CAAC;IACH,CAAC;SAAM,CAAC;QACN,IAAI,CAAC,GAAG,CAAC,6BAA6B,CAAC,CAAC;IAC1C,CAAC;IAED,4EAA4E;IAC5E,MAAM,IAAI,GAAG,aAAa,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC;IAE1C,IAAI,IAAI,KAAK,SAAS,EAAE,CAAC;QACvB,IAAI,CAAC,GAAG,CAAC,6BAA6B,CAAC,CAAC;QACxC,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,IAAI,EAAE,SAAS,EAAE,UAAU,EAAE,CAAC,GAAG,IAAI,CAAC,CAAC,IAAI,EAAE,EAAE,kBAAkB,EAAE,YAAY,EAAE,CAAC;IAC3G,CAAC;IAED,IAAI,IAAI,KAAK,0BAA0B,IAAI,CAAC,2BAA2B,CAAC,QAAQ,CAAC,EAAE,CAAC;QAClF,IAAI,CAAC,GAAG,CAAC,iCAAiC,CAAC,CAAC;QAC5C,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,IAAI,EAAE,SAAS,EAAE,UAAU,EAAE,CAAC,GAAG,IAAI,CAAC,CAAC,IAAI,EAAE,EAAE,kBAAkB,EAAE,YAAY,EAAE,CAAC;IAC3G,CAAC;IAED,IAAI,IAAI,KAAK,sBAAsB,IAAI,CAAC,sBAAsB,CAAC,QAAQ,CAAC,EAAE,CAAC;QACzE,IAAI,CAAC,GAAG,CAAC,iCAAiC,CAAC,CAAC;QAC5C,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,IAAI,EAAE,SAAS,EAAE,UAAU,EAAE,CAAC,GAAG,IAAI,CAAC,CAAC,IAAI,EAAE,EAAE,kBAAkB,EAAE,YAAY,EAAE,CAAC;IAC3G,CAAC;IAED,IAAI,IAAI,KAAK,cAAc,IAAI,CAAC,cAAc,CAAC,QAAQ,CAAC,EAAE,CAAC;QACzD,IAAI,CAAC,GAAG,CAAC,iCAAiC,CAAC,CAAC;QAC5C,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,IAAI,EAAE,SAAS,EAAE,UAAU,EAAE,CAAC,GAAG,IAAI,CAAC,CAAC,IAAI,EAAE,EAAE,kBAAkB,EAAE,YAAY,EAAE,CAAC;IAC3G,CAAC;IAED,IAAI,IAAI,KAAK,eAAe,EAAE,CAAC;QAC7B,mEAAmE;QACnE,IAAI,CAAC,GAAG,CAAC,uBAAuB,CAAC,CAAC;IACpC,CAAC;IAED,OAAO;QACL,KAAK,EAAE,IAAI;QACX,IAAI;QACJ,UAAU,EAAE,CAAC,GAAG,IAAI,CAAC,CAAC,IAAI,EAAE;QAC5B,kBAAkB,EAAE,YAAY;KACjC,CAAC;AACJ,CAAC;AAQD;;;;;GAKG;AACH,MAAM,CAAC,KAAK,UAAU,oCAAoC,CAAC,KAG1D;IACC,MAAM,IAAI,GAAG,IAAI,GAAG,EAAU,CAAC;IAE/B,MAAM,KAAK,GAAwB,EAAE,CAAC;IAEtC,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,QAAQ,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QAC/C,MAAM,CAAC,GAAG,KAAK,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC;QAC5B,MAAM,EAAE,GAAG,KAAK,CAAC,cAAc,EAAE,CAAC,CAAC,CAAC,CAAC;QAErC,8EAA8E;QAC9E,kFAAkF;QAClF,IAAI,EAAE,IAAI,EAAE,CAAC,eAAe,KAAK,KAAK;YAAE,SAAS;QAEjD,MAAM,GAAG,GAAG,MAAM,qCAAqC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC;QACnE,KAAK,MAAM,CAAC,IAAI,GAAG,CAAC,UAAU;YAAE,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;QAE5C,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;IACvB,CAAC;IAED,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACvB,IAAI,CAAC,GAAG,CAAC,+CAA+C,CAAC,CAAC;QAC1D,OAAO,EAAE,mBAAmB,EAAE,SAAS,EAAE,UAAU,EAAE,CAAC,GAAG,IAAI,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC;IAC1E,CAAC;IAED,IAAI,OAAO,GAAsB,KAAK,CAAC,CAAC,CAAC,CAAC;IAC1C,KAAK,MAAM,CAAC,IAAI,KAAK,EAAE,CAAC;QACtB,IAAI,aAAa,CAAC,CAAC,CAAC,GAAG,aAAa,CAAC,OAAO,CAAC;YAAE,OAAO,GAAG,CAAC,CAAC;IAC7D,CAAC;IAED,MAAM,QAAQ,GAAG,IAAI,GAAG,CAAC,KAAK,CAAC,CAAC;IAChC,IAAI,QAAQ,CAAC,IAAI,GAAG,CAAC;QAAE,IAAI,CAAC,GAAG,CAAC,8BAA8B,CAAC,CAAC;IAEhE,OAAO;QACL,mBAAmB,EAAE,OAAO;QAC5B,UAAU,EAAE,CAAC,GAAG,IAAI,CAAC,CAAC,IAAI,EAAE;KAC7B,CAAC;AACJ,CAAC"}