@credo-ts/openid4vc 0.6.1-pr-2091-20241119140918 → 0.6.1

package/build/openid4vc-issuer/OpenId4VcIssuerModuleConfig.d.mts

@@ -0,0 +1,279 @@
+import { OpenId4VciCredentialRequestToCredentialMapper, OpenId4VciDeferredCredentialRequestToCredentialMapper, OpenId4VciGetVerificationSessionForIssuanceSessionAuthorization } from "./OpenId4VcIssuerServiceOptions.mjs";
+import { Express } from "express";
+
+//#region src/openid4vc-issuer/OpenId4VcIssuerModuleConfig.d.ts
+interface InternalOpenId4VcIssuerModuleConfigOptions {
+  /**
+   * Base url at which the issuer endpoints will be hosted. All endpoints will be exposed with
+   * this path as prefix.
+   */
+  baseUrl: string;
+  /**
+   * Express app on which the openid4vci endpoints will be registered.
+   */
+  app: Express;
+  /**
+   * The time after which a cNonce will expire.
+   *
+   * @default 60 (1 minute)
+   */
+  cNonceExpiresInSeconds?: number;
+  /**
+   * The time after which a stateful credential offer not bound to a subject expires. Once the offer has been bound
+   * to a subject the access token expiration takes effect. This is to prevent long-lived `pre-authorized_code` and
+   * `issuer_state` values.
+   *
+   * @default 180 (3 minutes)
+   */
+  statefulCredentialOfferExpirationInSeconds?: number;
+  /**
+   * The time after which an authorization code will expire.
+   *
+   * @default 60 (1 minute)
+   */
+  authorizationCodeExpiresInSeconds?: number;
+  /**
+   * The time after which an access token will expire.
+   *
+   * @default 180 (3 minutes)
+   */
+  accessTokenExpiresInSeconds?: number;
+  /**
+   * The time after which a refresh token will expire.
+   *
+   * @default 7776000 (90 days)
+   */
+  refreshTokenExpiresInSeconds?: number;
+  /**
+   * The time after which a pushed authorization request URI will expire.
+   *
+   * @default 60 (1 minute)
+   */
+  requestUriExpiresInSeconds?: number;
+  /**
+   * Whether DPoP is required for all issuance sessions. This value can be overridden when creating
+   * a credential offer. If dpop is not required, but used by a client in the first request to credo,
+   * DPoP will be required going forward.
+   *
+   * @default false
+   */
+  dpopRequired?: boolean;
+  /**
+   * Whether wallet attestations are required for all issuance sessions. This value can be overridden when creating
+   * a credential offer, but will have effect for dynamic issuance sessions. If wallet attestations are not required
+   * but used by a client in the first request to credo,
+   * wallet attestations will be required going forward.
+   *
+   * @default false
+   */
+  walletAttestationsRequired?: boolean;
+  /**
+   * Whether to allow dynamic issuance sessions based on a credential request.
+   *
+   * This requires an external authorization server which issues access tokens without
+   * a `pre-authorized_code` or `issuer_state` parameter.
+   *
+   * Credo only support stateful credential offer sessions (pre-auth or presentation during issuance)
+   *
+   * @default false
+   */
+  allowDynamicIssuanceSessions?: boolean;
+  /**
+   * A function mapping a credential request to the credential to be issued.
+   *
+   * When multiple credentials are returned it is recommended to use different or approximate issuance and expiration
+   * times to prevent correlation based on the specific time
+   */
+  credentialRequestToCredentialMapper: OpenId4VciCredentialRequestToCredentialMapper;
+  /**
+   * A function mapping a deferred credential request to the credential to be issued.
+   *
+   * When multiple credentials are returned it is recommended to use different or approximate issuance and expiration
+   * times to prevent correlation based on the specific time
+   */
+  deferredCredentialRequestToCredentialMapper?: OpenId4VciDeferredCredentialRequestToCredentialMapper;
+  /**
+   * Callback to get a verification session that needs to be fulfilled for the authorization of
+   * of a credential issuance session. Once the verification session has been completed the user can
+   * retrieve an authorization code and access token and retrieve the credential(s).
+   *
+   * Required if presentation during issuance flow is used
+   */
+  getVerificationSessionForIssuanceSessionAuthorization?: OpenId4VciGetVerificationSessionForIssuanceSessionAuthorization;
+  /**
+   * Custom the paths used for endpoints
+   */
+  endpoints?: {
+    /**
+     * @default /nonce
+     */
+    nonce?: string;
+    /**
+     * @default /challenge
+     */
+    authorizationChallenge?: string;
+    /**
+     * @default /offers
+     */
+    credentialOffer?: string;
+    /**
+     * @default /credential
+     */
+    credential?: string;
+    /**
+     * @default /deferred-credential
+     */
+    deferredCredential?: string;
+    /**
+     * @default /token
+     */
+    accessToken?: string;
+    /**
+     * @default /par
+     */
+    pushedAuthorizationRequest?: string;
+    /**
+     * @default /authorize
+     */
+    authorization?: string;
+    /**
+     * @default /redirect
+     */
+    redirect?: string;
+    /**
+     * @default /jwks
+     */
+    jwks: string;
+  };
+}
+declare class OpenId4VcIssuerModuleConfig {
+  private options;
+  /**
+   * Callback to get a verification session that needs to be fulfilled for the authorization of
+   * of a credential issuance session. Once the verification session has been completed the user can
+   * retrieve an authorization code and access token and retrieve the credential(s).
+   *
+   * Required if presentation during issuance flow is used
+   */
+  getVerificationSessionForIssuanceSessionAuthorization?: OpenId4VciGetVerificationSessionForIssuanceSessionAuthorization;
+  constructor(options: InternalOpenId4VcIssuerModuleConfigOptions);
+  get app(): Express;
+  get baseUrl(): string;
+  /**
+   * A function mapping a credential request to the credential to be issued.
+   */
+  get credentialRequestToCredentialMapper(): OpenId4VciCredentialRequestToCredentialMapper;
+  /**
+   * A function mapping a credential request to the credential to be issued.
+   */
+  get deferredCredentialRequestToCredentialMapper(): OpenId4VciDeferredCredentialRequestToCredentialMapper | undefined;
+  /**
+   * The time after which a cNone will expire.
+   *
+   * @default 60 (1 minute)
+   */
+  get cNonceExpiresInSeconds(): number;
+  /**
+   * The time after which a stateful credential offer not bound to a subject expires. Once the offer has been bound
+   * to a subject the access token expiration takes effect. This is to prevent long-lived `pre-authorized_code` and
+   * `issuer_state` values.
+   *
+   * @default 360 (5 minutes)
+   */
+  get statefulCredentialOfferExpirationInSeconds(): number;
+  /**
+   * The time after which a cNonce will expire.
+   *
+   * @default 60 (1 minute)
+   */
+  get authorizationCodeExpiresInSeconds(): number;
+  /**
+   * The time after which an access token will expire.
+   *
+   * @default 180 (3 minutes)
+   */
+  get accessTokenExpiresInSeconds(): number;
+  /**
+   * The time after which a refresh token will expire.
+   *
+   * @default 7776000 (90 days)
+   */
+  get refreshTokenExpiresInSeconds(): number;
+  /**
+   * The time after which a pushed authorization request URI will expire.
+   *
+   * @default 60 (1 minute)
+   */
+  get requestUriExpiresInSeconds(): number;
+  /**
+   * Whether DPoP is required for all issuance sessions. This value can be overridden when creating
+   * a credential offer. If dpop is not required, but used by a client in the first request to credo,
+   * DPoP will be required going forward.
+   *
+   * @default false
+   */
+  get dpopRequired(): boolean;
+  /**
+   * Whether wallet attestations are required for all issuance sessions. This value can be overridden when creating
+   * a credential offer, but will have effect for dynamic issuance sessions. If wallet attestations are not required
+   * but used by a client in the first request to credo,
+   * wallet attestations will be required going forward.
+   *
+   * @default false
+   */
+  get walletAttestationsRequired(): boolean;
+  /**
+   * Whether to allow dynamic issuance sessions based on a credential request.
+   *
+   * This requires an external authorization server which issues access tokens without
+   * a `pre-authorized_code` or `issuer_state` parameter.
+   *
+   * Credo only supports stateful credential offer sessions (pre-auth or presentation during issuance)
+   *
+   * @default false
+   */
+  get allowDynamicIssuanceSessions(): boolean;
+  /**
+   * @default /nonce
+   */
+  get nonceEndpointPath(): string;
+  /**
+   * @default /par
+   */
+  get pushedAuthorizationRequestEndpoint(): string;
+  /**
+   * @default /authorize
+   */
+  get authorizationEndpoint(): string;
+  /**
+   * @default /redirect
+   */
+  get redirectEndpoint(): string;
+  /**
+   * @default /challenge
+   */
+  get authorizationChallengeEndpointPath(): string;
+  /**
+   * @default /offers
+   */
+  get credentialOfferEndpointPath(): string;
+  /**
+   * @default /credential
+   */
+  get credentialEndpointPath(): string;
+  /**
+   * @default /deferred-credential
+   */
+  get deferredCredentialEndpointPath(): string;
+  /**
+   * @default /token
+   */
+  get accessTokenEndpointPath(): string;
+  /**
+   * @default /jwks
+   */
+  get jwksEndpointPath(): string;
+}
+//#endregion
+export { InternalOpenId4VcIssuerModuleConfigOptions, OpenId4VcIssuerModuleConfig };
+//# sourceMappingURL=OpenId4VcIssuerModuleConfig.d.mts.map

package/build/openid4vc-issuer/OpenId4VcIssuerModuleConfig.d.mts.map

@@ -0,0 +1 @@
+{"version":3,"file":"OpenId4VcIssuerModuleConfig.d.mts","names":[],"sources":["../../src/openid4vc-issuer/OpenId4VcIssuerModuleConfig.ts"],"sourcesContent":[],"mappings":";;;;UAciB,0CAAA;;AAAjB;;;EAqGgD,OAAA,EAAA,MAAA;EASU;;AA0D1D;EAUiE,GAAA,EAxK1D,OAwK0D;EAEnC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;uCAvFS;;;;;;;gDAQS;;;;;;;;0DASU;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;cA0D7C,2BAAA;;;;;;;;;0DAUoD;uBAEnC;aAMd;;;;;6CAWgC;;;;qDAOQ"}

package/build/openid4vc-issuer/OpenId4VcIssuerModuleConfig.mjs

@@ -0,0 +1,179 @@
+//#region src/openid4vc-issuer/OpenId4VcIssuerModuleConfig.ts
+const DEFAULT_C_NONCE_EXPIRES_IN = 60;
+const DEFAULT_AUTHORIZATION_CODE_EXPIRES_IN = 60;
+const DEFAULT_TOKEN_EXPIRES_IN = 180;
+const DEFAULT_REFRESH_TOKEN_EXPIRES_IN = 2160 * 60 * 60;
+const DEFAULT_STATEFUL_CREDENTIAL_OFFER_EXPIRES_IN = 180;
+const DEFAULT_REQUEST_URI_EXPIRES_IN = 60;
+var OpenId4VcIssuerModuleConfig = class {
+	constructor(options) {
+		this.options = options;
+		this.getVerificationSessionForIssuanceSessionAuthorization = options.getVerificationSessionForIssuanceSessionAuthorization;
+	}
+	get app() {
+		return this.options.app;
+	}
+	get baseUrl() {
+		return this.options.baseUrl;
+	}
+	/**
+	* A function mapping a credential request to the credential to be issued.
+	*/
+	get credentialRequestToCredentialMapper() {
+		return this.options.credentialRequestToCredentialMapper;
+	}
+	/**
+	* A function mapping a credential request to the credential to be issued.
+	*/
+	get deferredCredentialRequestToCredentialMapper() {
+		return this.options.deferredCredentialRequestToCredentialMapper;
+	}
+	/**
+	* The time after which a cNone will expire.
+	*
+	* @default 60 (1 minute)
+	*/
+	get cNonceExpiresInSeconds() {
+		return this.options.cNonceExpiresInSeconds ?? DEFAULT_C_NONCE_EXPIRES_IN;
+	}
+	/**
+	* The time after which a stateful credential offer not bound to a subject expires. Once the offer has been bound
+	* to a subject the access token expiration takes effect. This is to prevent long-lived `pre-authorized_code` and
+	* `issuer_state` values.
+	*
+	* @default 360 (5 minutes)
+	*/
+	get statefulCredentialOfferExpirationInSeconds() {
+		return this.options.statefulCredentialOfferExpirationInSeconds ?? DEFAULT_STATEFUL_CREDENTIAL_OFFER_EXPIRES_IN;
+	}
+	/**
+	* The time after which a cNonce will expire.
+	*
+	* @default 60 (1 minute)
+	*/
+	get authorizationCodeExpiresInSeconds() {
+		return this.options.authorizationCodeExpiresInSeconds ?? DEFAULT_AUTHORIZATION_CODE_EXPIRES_IN;
+	}
+	/**
+	* The time after which an access token will expire.
+	*
+	* @default 180 (3 minutes)
+	*/
+	get accessTokenExpiresInSeconds() {
+		return this.options.accessTokenExpiresInSeconds ?? DEFAULT_TOKEN_EXPIRES_IN;
+	}
+	/**
+	* The time after which a refresh token will expire.
+	*
+	* @default 7776000 (90 days)
+	*/
+	get refreshTokenExpiresInSeconds() {
+		return this.options.refreshTokenExpiresInSeconds ?? DEFAULT_REFRESH_TOKEN_EXPIRES_IN;
+	}
+	/**
+	* The time after which a pushed authorization request URI will expire.
+	*
+	* @default 60 (1 minute)
+	*/
+	get requestUriExpiresInSeconds() {
+		return this.options.requestUriExpiresInSeconds ?? DEFAULT_REQUEST_URI_EXPIRES_IN;
+	}
+	/**
+	* Whether DPoP is required for all issuance sessions. This value can be overridden when creating
+	* a credential offer. If dpop is not required, but used by a client in the first request to credo,
+	* DPoP will be required going forward.
+	*
+	* @default false
+	*/
+	get dpopRequired() {
+		return this.options.dpopRequired ?? false;
+	}
+	/**
+	* Whether wallet attestations are required for all issuance sessions. This value can be overridden when creating
+	* a credential offer, but will have effect for dynamic issuance sessions. If wallet attestations are not required
+	* but used by a client in the first request to credo,
+	* wallet attestations will be required going forward.
+	*
+	* @default false
+	*/
+	get walletAttestationsRequired() {
+		return this.options.walletAttestationsRequired ?? false;
+	}
+	/**
+	* Whether to allow dynamic issuance sessions based on a credential request.
+	*
+	* This requires an external authorization server which issues access tokens without
+	* a `pre-authorized_code` or `issuer_state` parameter.
+	*
+	* Credo only supports stateful credential offer sessions (pre-auth or presentation during issuance)
+	*
+	* @default false
+	*/
+	get allowDynamicIssuanceSessions() {
+		return this.options.allowDynamicIssuanceSessions ?? false;
+	}
+	/**
+	* @default /nonce
+	*/
+	get nonceEndpointPath() {
+		return this.options.endpoints?.nonce ?? "/nonce";
+	}
+	/**
+	* @default /par
+	*/
+	get pushedAuthorizationRequestEndpoint() {
+		return this.options.endpoints?.pushedAuthorizationRequest ?? "/par";
+	}
+	/**
+	* @default /authorize
+	*/
+	get authorizationEndpoint() {
+		return this.options.endpoints?.authorization ?? "/authorize";
+	}
+	/**
+	* @default /redirect
+	*/
+	get redirectEndpoint() {
+		return this.options.endpoints?.redirect ?? "/redirect";
+	}
+	/**
+	* @default /challenge
+	*/
+	get authorizationChallengeEndpointPath() {
+		return this.options.endpoints?.authorizationChallenge ?? "/challenge";
+	}
+	/**
+	* @default /offers
+	*/
+	get credentialOfferEndpointPath() {
+		return this.options.endpoints?.credentialOffer ?? "/offers";
+	}
+	/**
+	* @default /credential
+	*/
+	get credentialEndpointPath() {
+		return this.options.endpoints?.credential ?? "/credential";
+	}
+	/**
+	* @default /deferred-credential
+	*/
+	get deferredCredentialEndpointPath() {
+		return this.options.endpoints?.deferredCredential ?? "/deferred-credential";
+	}
+	/**
+	* @default /token
+	*/
+	get accessTokenEndpointPath() {
+		return this.options.endpoints?.accessToken ?? "/token";
+	}
+	/**
+	* @default /jwks
+	*/
+	get jwksEndpointPath() {
+		return this.options.endpoints?.jwks ?? "/jwks";
+	}
+};
+
+//#endregion
+export { OpenId4VcIssuerModuleConfig };
+//# sourceMappingURL=OpenId4VcIssuerModuleConfig.mjs.map

package/build/openid4vc-issuer/OpenId4VcIssuerModuleConfig.mjs.map

@@ -0,0 +1 @@
+{"version":3,"file":"OpenId4VcIssuerModuleConfig.mjs","names":[],"sources":["../../src/openid4vc-issuer/OpenId4VcIssuerModuleConfig.ts"],"sourcesContent":["import type { Express } from 'express'\nimport type {\n  OpenId4VciCredentialRequestToCredentialMapper,\n  OpenId4VciDeferredCredentialRequestToCredentialMapper,\n  OpenId4VciGetVerificationSessionForIssuanceSessionAuthorization,\n} from './OpenId4VcIssuerServiceOptions'\n\nconst DEFAULT_C_NONCE_EXPIRES_IN = 1 * 60 // 1 minute\nconst DEFAULT_AUTHORIZATION_CODE_EXPIRES_IN = 1 * 60 // 1 minute\nconst DEFAULT_TOKEN_EXPIRES_IN = 3 * 60 // 3 minutes\nconst DEFAULT_REFRESH_TOKEN_EXPIRES_IN = 90 * 24 * 60 * 60 // 90 days\nconst DEFAULT_STATEFUL_CREDENTIAL_OFFER_EXPIRES_IN = 3 * 60 // 3 minutes\nconst DEFAULT_REQUEST_URI_EXPIRES_IN = 1 * 60 // 1 minute\n\nexport interface InternalOpenId4VcIssuerModuleConfigOptions {\n  /**\n   * Base url at which the issuer endpoints will be hosted. All endpoints will be exposed with\n   * this path as prefix.\n   */\n  baseUrl: string\n\n  /**\n   * Express app on which the openid4vci endpoints will be registered.\n   */\n  app: Express\n\n  /**\n   * The time after which a cNonce will expire.\n   *\n   * @default 60 (1 minute)\n   */\n  cNonceExpiresInSeconds?: number\n\n  /**\n   * The time after which a stateful credential offer not bound to a subject expires. Once the offer has been bound\n   * to a subject the access token expiration takes effect. This is to prevent long-lived `pre-authorized_code` and\n   * `issuer_state` values.\n   *\n   * @default 180 (3 minutes)\n   */\n  statefulCredentialOfferExpirationInSeconds?: number\n\n  /**\n   * The time after which an authorization code will expire.\n   *\n   * @default 60 (1 minute)\n   */\n  authorizationCodeExpiresInSeconds?: number\n\n  /**\n   * The time after which an access token will expire.\n   *\n   * @default 180 (3 minutes)\n   */\n  accessTokenExpiresInSeconds?: number\n\n  /**\n   * The time after which a refresh token will expire.\n   *\n   * @default 7776000 (90 days)\n   */\n  refreshTokenExpiresInSeconds?: number\n\n  /**\n   * The time after which a pushed authorization request URI will expire.\n   *\n   * @default 60 (1 minute)\n   */\n  requestUriExpiresInSeconds?: number\n\n  /**\n   * Whether DPoP is required for all issuance sessions. This value can be overridden when creating\n   * a credential offer. If dpop is not required, but used by a client in the first request to credo,\n   * DPoP will be required going forward.\n   *\n   * @default false\n   */\n  dpopRequired?: boolean\n\n  /**\n   * Whether wallet attestations are required for all issuance sessions. This value can be overridden when creating\n   * a credential offer, but will have effect for dynamic issuance sessions. If wallet attestations are not required\n   * but used by a client in the first request to credo,\n   * wallet attestations will be required going forward.\n   *\n   * @default false\n   */\n  walletAttestationsRequired?: boolean\n\n  /**\n   * Whether to allow dynamic issuance sessions based on a credential request.\n   *\n   * This requires an external authorization server which issues access tokens without\n   * a `pre-authorized_code` or `issuer_state` parameter.\n   *\n   * Credo only support stateful credential offer sessions (pre-auth or presentation during issuance)\n   *\n   * @default false\n   */\n  allowDynamicIssuanceSessions?: boolean\n\n  /**\n   * A function mapping a credential request to the credential to be issued.\n   *\n   * When multiple credentials are returned it is recommended to use different or approximate issuance and expiration\n   * times to prevent correlation based on the specific time\n   */\n  credentialRequestToCredentialMapper: OpenId4VciCredentialRequestToCredentialMapper\n\n  /**\n   * A function mapping a deferred credential request to the credential to be issued.\n   *\n   * When multiple credentials are returned it is recommended to use different or approximate issuance and expiration\n   * times to prevent correlation based on the specific time\n   */\n  deferredCredentialRequestToCredentialMapper?: OpenId4VciDeferredCredentialRequestToCredentialMapper\n\n  /**\n   * Callback to get a verification session that needs to be fulfilled for the authorization of\n   * of a credential issuance session. Once the verification session has been completed the user can\n   * retrieve an authorization code and access token and retrieve the credential(s).\n   *\n   * Required if presentation during issuance flow is used\n   */\n  getVerificationSessionForIssuanceSessionAuthorization?: OpenId4VciGetVerificationSessionForIssuanceSessionAuthorization\n\n  /**\n   * Custom the paths used for endpoints\n   */\n  endpoints?: {\n    /**\n     * @default /nonce\n     */\n    nonce?: string\n\n    /**\n     * @default /challenge\n     */\n    authorizationChallenge?: string\n\n    /**\n     * @default /offers\n     */\n    credentialOffer?: string\n\n    /**\n     * @default /credential\n     */\n    credential?: string\n\n    /**\n     * @default /deferred-credential\n     */\n    deferredCredential?: string\n\n    /**\n     * @default /token\n     */\n    accessToken?: string\n\n    /**\n     * @default /par\n     */\n    pushedAuthorizationRequest?: string\n\n    /**\n     * @default /authorize\n     */\n    authorization?: string\n\n    /**\n     * @default /redirect\n     */\n    redirect?: string\n\n    /**\n     * @default /jwks\n     */\n    jwks: string\n  }\n}\n\nexport class OpenId4VcIssuerModuleConfig {\n  private options: InternalOpenId4VcIssuerModuleConfigOptions\n\n  /**\n   * Callback to get a verification session that needs to be fulfilled for the authorization of\n   * of a credential issuance session. Once the verification session has been completed the user can\n   * retrieve an authorization code and access token and retrieve the credential(s).\n   *\n   * Required if presentation during issuance flow is used\n   */\n  public getVerificationSessionForIssuanceSessionAuthorization?: OpenId4VciGetVerificationSessionForIssuanceSessionAuthorization\n\n  public constructor(options: InternalOpenId4VcIssuerModuleConfigOptions) {\n    this.options = options\n    this.getVerificationSessionForIssuanceSessionAuthorization =\n      options.getVerificationSessionForIssuanceSessionAuthorization\n  }\n\n  public get app() {\n    return this.options.app\n  }\n\n  public get baseUrl() {\n    return this.options.baseUrl\n  }\n\n  /**\n   * A function mapping a credential request to the credential to be issued.\n   */\n  public get credentialRequestToCredentialMapper() {\n    return this.options.credentialRequestToCredentialMapper\n  }\n\n  /**\n   * A function mapping a credential request to the credential to be issued.\n   */\n  public get deferredCredentialRequestToCredentialMapper() {\n    return this.options.deferredCredentialRequestToCredentialMapper\n  }\n\n  /**\n   * The time after which a cNone will expire.\n   *\n   * @default 60 (1 minute)\n   */\n  public get cNonceExpiresInSeconds(): number {\n    return this.options.cNonceExpiresInSeconds ?? DEFAULT_C_NONCE_EXPIRES_IN\n  }\n\n  /**\n   * The time after which a stateful credential offer not bound to a subject expires. Once the offer has been bound\n   * to a subject the access token expiration takes effect. This is to prevent long-lived `pre-authorized_code` and\n   * `issuer_state` values.\n   *\n   * @default 360 (5 minutes)\n   */\n  public get statefulCredentialOfferExpirationInSeconds(): number {\n    return this.options.statefulCredentialOfferExpirationInSeconds ?? DEFAULT_STATEFUL_CREDENTIAL_OFFER_EXPIRES_IN\n  }\n\n  /**\n   * The time after which a cNonce will expire.\n   *\n   * @default 60 (1 minute)\n   */\n  public get authorizationCodeExpiresInSeconds(): number {\n    return this.options.authorizationCodeExpiresInSeconds ?? DEFAULT_AUTHORIZATION_CODE_EXPIRES_IN\n  }\n\n  /**\n   * The time after which an access token will expire.\n   *\n   * @default 180 (3 minutes)\n   */\n  public get accessTokenExpiresInSeconds(): number {\n    return this.options.accessTokenExpiresInSeconds ?? DEFAULT_TOKEN_EXPIRES_IN\n  }\n\n  /**\n   * The time after which a refresh token will expire.\n   *\n   * @default 7776000 (90 days)\n   */\n  public get refreshTokenExpiresInSeconds(): number {\n    return this.options.refreshTokenExpiresInSeconds ?? DEFAULT_REFRESH_TOKEN_EXPIRES_IN\n  }\n\n  /**\n   * The time after which a pushed authorization request URI will expire.\n   *\n   * @default 60 (1 minute)\n   */\n  public get requestUriExpiresInSeconds(): number {\n    return this.options.requestUriExpiresInSeconds ?? DEFAULT_REQUEST_URI_EXPIRES_IN\n  }\n\n  /**\n   * Whether DPoP is required for all issuance sessions. This value can be overridden when creating\n   * a credential offer. If dpop is not required, but used by a client in the first request to credo,\n   * DPoP will be required going forward.\n   *\n   * @default false\n   */\n  public get dpopRequired(): boolean {\n    return this.options.dpopRequired ?? false\n  }\n\n  /**\n   * Whether wallet attestations are required for all issuance sessions. This value can be overridden when creating\n   * a credential offer, but will have effect for dynamic issuance sessions. If wallet attestations are not required\n   * but used by a client in the first request to credo,\n   * wallet attestations will be required going forward.\n   *\n   * @default false\n   */\n  public get walletAttestationsRequired(): boolean {\n    return this.options.walletAttestationsRequired ?? false\n  }\n\n  /**\n   * Whether to allow dynamic issuance sessions based on a credential request.\n   *\n   * This requires an external authorization server which issues access tokens without\n   * a `pre-authorized_code` or `issuer_state` parameter.\n   *\n   * Credo only supports stateful credential offer sessions (pre-auth or presentation during issuance)\n   *\n   * @default false\n   */\n  public get allowDynamicIssuanceSessions(): boolean {\n    return this.options.allowDynamicIssuanceSessions ?? false\n  }\n\n  /**\n   * @default /nonce\n   */\n  public get nonceEndpointPath(): string {\n    return this.options.endpoints?.nonce ?? '/nonce'\n  }\n\n  /**\n   * @default /par\n   */\n  public get pushedAuthorizationRequestEndpoint(): string {\n    return this.options.endpoints?.pushedAuthorizationRequest ?? '/par'\n  }\n\n  /**\n   * @default /authorize\n   */\n  public get authorizationEndpoint(): string {\n    return this.options.endpoints?.authorization ?? '/authorize'\n  }\n\n  /**\n   * @default /redirect\n   */\n  public get redirectEndpoint(): string {\n    return this.options.endpoints?.redirect ?? '/redirect'\n  }\n\n  /**\n   * @default /challenge\n   */\n  public get authorizationChallengeEndpointPath(): string {\n    return this.options.endpoints?.authorizationChallenge ?? '/challenge'\n  }\n\n  /**\n   * @default /offers\n   */\n  public get credentialOfferEndpointPath(): string {\n    return this.options.endpoints?.credentialOffer ?? '/offers'\n  }\n\n  /**\n   * @default /credential\n   */\n  public get credentialEndpointPath(): string {\n    return this.options.endpoints?.credential ?? '/credential'\n  }\n\n  /**\n   * @default /deferred-credential\n   */\n  public get deferredCredentialEndpointPath(): string {\n    return this.options.endpoints?.deferredCredential ?? '/deferred-credential'\n  }\n\n  /**\n   * @default /token\n   */\n  public get accessTokenEndpointPath(): string {\n    return this.options.endpoints?.accessToken ?? '/token'\n  }\n\n  /**\n   * @default /jwks\n   */\n  public get jwksEndpointPath(): string {\n    return this.options.endpoints?.jwks ?? '/jwks'\n  }\n}\n"],"mappings":";AAOA,MAAM,6BAA6B;AACnC,MAAM,wCAAwC;AAC9C,MAAM,2BAA2B;AACjC,MAAM,mCAAmC,OAAU,KAAK;AACxD,MAAM,+CAA+C;AACrD,MAAM,iCAAiC;AA0KvC,IAAa,8BAAb,MAAyC;CAYvC,AAAO,YAAY,SAAqD;AACtE,OAAK,UAAU;AACf,OAAK,wDACH,QAAQ;;CAGZ,IAAW,MAAM;AACf,SAAO,KAAK,QAAQ;;CAGtB,IAAW,UAAU;AACnB,SAAO,KAAK,QAAQ;;;;;CAMtB,IAAW,sCAAsC;AAC/C,SAAO,KAAK,QAAQ;;;;;CAMtB,IAAW,8CAA8C;AACvD,SAAO,KAAK,QAAQ;;;;;;;CAQtB,IAAW,yBAAiC;AAC1C,SAAO,KAAK,QAAQ,0BAA0B;;;;;;;;;CAUhD,IAAW,6CAAqD;AAC9D,SAAO,KAAK,QAAQ,8CAA8C;;;;;;;CAQpE,IAAW,oCAA4C;AACrD,SAAO,KAAK,QAAQ,qCAAqC;;;;;;;CAQ3D,IAAW,8BAAsC;AAC/C,SAAO,KAAK,QAAQ,+BAA+B;;;;;;;CAQrD,IAAW,+BAAuC;AAChD,SAAO,KAAK,QAAQ,gCAAgC;;;;;;;CAQtD,IAAW,6BAAqC;AAC9C,SAAO,KAAK,QAAQ,8BAA8B;;;;;;;;;CAUpD,IAAW,eAAwB;AACjC,SAAO,KAAK,QAAQ,gBAAgB;;;;;;;;;;CAWtC,IAAW,6BAAsC;AAC/C,SAAO,KAAK,QAAQ,8BAA8B;;;;;;;;;;;;CAapD,IAAW,+BAAwC;AACjD,SAAO,KAAK,QAAQ,gCAAgC;;;;;CAMtD,IAAW,oBAA4B;AACrC,SAAO,KAAK,QAAQ,WAAW,SAAS;;;;;CAM1C,IAAW,qCAA6C;AACtD,SAAO,KAAK,QAAQ,WAAW,8BAA8B;;;;;CAM/D,IAAW,wBAAgC;AACzC,SAAO,KAAK,QAAQ,WAAW,iBAAiB;;;;;CAMlD,IAAW,mBAA2B;AACpC,SAAO,KAAK,QAAQ,WAAW,YAAY;;;;;CAM7C,IAAW,qCAA6C;AACtD,SAAO,KAAK,QAAQ,WAAW,0BAA0B;;;;;CAM3D,IAAW,8BAAsC;AAC/C,SAAO,KAAK,QAAQ,WAAW,mBAAmB;;;;;CAMpD,IAAW,yBAAiC;AAC1C,SAAO,KAAK,QAAQ,WAAW,cAAc;;;;;CAM/C,IAAW,iCAAyC;AAClD,SAAO,KAAK,QAAQ,WAAW,sBAAsB;;;;;CAMvD,IAAW,0BAAkC;AAC3C,SAAO,KAAK,QAAQ,WAAW,eAAe;;;;;CAMhD,IAAW,mBAA2B;AACpC,SAAO,KAAK,QAAQ,WAAW,QAAQ"}

package/build/openid4vc-issuer/OpenId4VcIssuerService.d.mts

@@ -0,0 +1,182 @@
+import { OpenId4VciCredentialConfigurationsSupportedWithFormats, OpenId4VciCredentialOfferPayload } from "../shared/models/index.mjs";
+import { OpenId4VcIssuanceSessionState } from "./OpenId4VcIssuanceSessionState.mjs";
+import { OpenId4VcIssuanceSessionRecord } from "./repository/OpenId4VcIssuanceSessionRecord.mjs";
+import { OpenId4VcIssuanceSessionRepository } from "./repository/OpenId4VcIssuanceSessionRepository.mjs";
+import { OpenId4VcIssuerRecord } from "./repository/OpenId4VcIssuerRecord.mjs";
+import { OpenId4VcIssuerRepository } from "./repository/OpenId4VcIssuerRepository.mjs";
+import "./repository/index.mjs";
+import "../shared/index.mjs";
+import { OpenId4VciCreateCredentialOfferOptions, OpenId4VciCreateCredentialResponseOptions, OpenId4VciCreateDeferredCredentialResponseOptions, OpenId4VciCreateIssuerOptions, OpenId4VciCreateStatelessCredentialOfferOptions } from "./OpenId4VcIssuerServiceOptions.mjs";
+import { OpenId4VcIssuerModuleConfig } from "./OpenId4VcIssuerModuleConfig.mjs";
+import "../index.mjs";
+import { AgentContext, Jwt, Query, QueryOptions, W3cCredentialService, W3cV2CredentialService } from "@credo-ts/core";
+import { Jwk, Oauth2AuthorizationServer, Oauth2Client, Oauth2ResourceServer, PkceCodeChallengeMethod } from "@openid4vc/oauth2";
+import { CredentialResponse, DeferredCredentialResponse, Openid4vciDraftVersion, Openid4vciIssuer } from "@openid4vc/openid4vci";
+
+//#region src/openid4vc-issuer/OpenId4VcIssuerService.d.ts
+/**
+ * @internal
+ */
+declare class OpenId4VcIssuerService {
+  private w3cCredentialService;
+  private w3cV2CredentialService;
+  private openId4VcIssuerConfig;
+  private openId4VcIssuerRepository;
+  private openId4VcIssuanceSessionRepository;
+  constructor(w3cCredentialService: W3cCredentialService, w3cV2CredentialService: W3cV2CredentialService, openId4VcIssuerConfig: OpenId4VcIssuerModuleConfig, openId4VcIssuerRepository: OpenId4VcIssuerRepository, openId4VcIssuanceSessionRepository: OpenId4VcIssuanceSessionRepository);
+  createStatelessCredentialOffer(agentContext: AgentContext, options: OpenId4VciCreateStatelessCredentialOfferOptions & {
+    issuer: OpenId4VcIssuerRecord;
+  }): Promise<{
+    credentialOffer: string;
+    credentialOfferObject: OpenId4VciCredentialOfferPayload;
+  }>;
+  createCredentialOffer(agentContext: AgentContext, options: OpenId4VciCreateCredentialOfferOptions & {
+    issuer: OpenId4VcIssuerRecord;
+  }): Promise<{
+    issuanceSession: OpenId4VcIssuanceSessionRecord;
+    credentialOffer: string;
+  }>;
+  createCredentialResponse(agentContext: AgentContext, options: OpenId4VciCreateCredentialResponseOptions & {
+    issuanceSession: OpenId4VcIssuanceSessionRecord;
+  }): Promise<{
+    issuanceSession: OpenId4VcIssuanceSessionRecord;
+    credentialResponse: CredentialResponse;
+  }>;
+  createDeferredCredentialResponse(agentContext: AgentContext, options: OpenId4VciCreateDeferredCredentialResponseOptions & {
+    issuanceSession: OpenId4VcIssuanceSessionRecord;
+  }): Promise<{
+    issuanceSession: OpenId4VcIssuanceSessionRecord;
+    deferredCredentialResponse: DeferredCredentialResponse;
+  }>;
+  private verifyCredentialRequestProofs;
+  findIssuanceSessionsByQuery(agentContext: AgentContext, query: Query<OpenId4VcIssuanceSessionRecord>, queryOptions?: QueryOptions): Promise<OpenId4VcIssuanceSessionRecord[]>;
+  findSingleIssuanceSessionByQuery(agentContext: AgentContext, query: Query<OpenId4VcIssuanceSessionRecord>): Promise<OpenId4VcIssuanceSessionRecord | null>;
+  getIssuanceSessionById(agentContext: AgentContext, issuanceSessionId: string): Promise<OpenId4VcIssuanceSessionRecord>;
+  getAllIssuers(agentContext: AgentContext): Promise<OpenId4VcIssuerRecord[]>;
+  getIssuerByIssuerId(agentContext: AgentContext, issuerId: string): Promise<OpenId4VcIssuerRecord>;
+  updateIssuer(agentContext: AgentContext, issuer: OpenId4VcIssuerRecord): Promise<void>;
+  createIssuer(agentContext: AgentContext, options: OpenId4VciCreateIssuerOptions): Promise<OpenId4VcIssuerRecord>;
+  private createSignedMetadata;
+  rotateAccessTokenSigningKey(agentContext: AgentContext, issuer: OpenId4VcIssuerRecord, options?: Pick<OpenId4VciCreateIssuerOptions, 'accessTokenSignerKeyType'>): Promise<void>;
+  /**
+   * @param fetchExternalAuthorizationServerMetadata defaults to false
+   */
+  getIssuerMetadata(agentContext: AgentContext, issuerRecord: OpenId4VcIssuerRecord, fetchExternalAuthorizationServerMetadata?: boolean): Promise<{
+    originalDraftVersion: Openid4vciDraftVersion;
+    credentialIssuer: {
+      credential_issuer: string;
+      credential_endpoint: string;
+      deferred_credential_endpoint: string;
+      credential_configurations_supported: OpenId4VciCredentialConfigurationsSupportedWithFormats;
+      authorization_servers: string[] | undefined;
+      display: {
+        [x: string]: unknown;
+        name?: string | undefined;
+        locale?: string | undefined;
+        logo?: {
+          [x: string]: unknown;
+          uri?: string | undefined;
+          alt_text?: string | undefined;
+        } | undefined;
+      }[] | undefined;
+      nonce_endpoint: string;
+      batch_credential_issuance: {
+        batch_size: number;
+      } | undefined;
+    };
+    authorizationServers: ({
+      [x: string]: unknown;
+      issuer: string;
+      token_endpoint: string;
+      token_endpoint_auth_methods_supported?: string[] | undefined;
+      authorization_endpoint?: string | undefined;
+      jwks_uri?: string | undefined;
+      grant_types_supported?: string[] | undefined;
+      code_challenge_methods_supported?: string[] | undefined;
+      dpop_signing_alg_values_supported?: string[] | undefined;
+      require_pushed_authorization_requests?: boolean | undefined;
+      pushed_authorization_request_endpoint?: string | undefined;
+      introspection_endpoint?: string | undefined;
+      introspection_endpoint_auth_methods_supported?: string[] | undefined;
+      introspection_endpoint_auth_signing_alg_values_supported?: string[] | undefined;
+      authorization_challenge_endpoint?: string | undefined;
+      'pre-authorized_grant_anonymous_access_supported'?: boolean | undefined;
+      client_attestation_pop_nonce_required?: boolean | undefined;
+    } | {
+      issuer: string;
+      token_endpoint: string;
+      'pre-authorized_grant_anonymous_access_supported': true;
+      jwks_uri: string;
+      grant_types_supported: ("authorization_code" | "urn:ietf:params:oauth:grant-type:pre-authorized_code")[];
+      authorization_challenge_endpoint: string;
+      authorization_endpoint: string;
+      pushed_authorization_request_endpoint: string;
+      require_pushed_authorization_requests: true;
+      code_challenge_methods_supported: PkceCodeChallengeMethod[];
+      dpop_signing_alg_values_supported: ["HS256" | "HS384" | "HS512" | "RS256" | "RS384" | "RS512" | "ES256" | "ES384" | "ES512" | "PS256" | "PS384" | "PS512" | "EdDSA" | "Ed25519" | "ES256K", ...("HS256" | "HS384" | "HS512" | "RS256" | "RS384" | "RS512" | "ES256" | "ES384" | "ES512" | "PS256" | "PS384" | "PS512" | "EdDSA" | "Ed25519" | "ES256K")[]] | undefined;
+    })[];
+    knownCredentialConfigurations: OpenId4VciCredentialConfigurationsSupportedWithFormats;
+    signedMetadataJwt: string | undefined;
+  }>;
+  createNonce(agentContext: AgentContext, issuer: OpenId4VcIssuerRecord): Promise<{
+    cNonce: string;
+    cNonceExpiresAt: Date;
+    cNonceExpiresInSeconds: number;
+  }>;
+  /**
+   * @todo nonces are very short lived (1 min), but it might be nice to also cache the nonces
+   * in the cache if we have 'seen' them. They will only be in the cache for a short time
+   * and it will prevent replay
+   */
+  private verifyNonce;
+  createRefreshToken(agentContext: AgentContext, issuer: OpenId4VcIssuerRecord, options: {
+    issuerState?: string;
+    preAuthorizedCode?: string;
+    dpop?: {
+      jwk: Jwk;
+    };
+  }): Promise<string>;
+  parseRefreshToken(token: string): {
+    jwt: Jwt;
+    expiresAt: Date;
+    issuerState: string | undefined;
+    preAuthorizedCode: string | undefined;
+    dpop: {
+      jwkThumbprint: string;
+    } | undefined;
+  };
+  verifyRefreshToken(agentContext: AgentContext, issuer: OpenId4VcIssuerRecord, parsedRefreshToken: ReturnType<OpenId4VcIssuerService['parseRefreshToken']>, options?: {
+    dpop?: {
+      jwkThumbprint?: string;
+    };
+  }): Promise<void>;
+  getIssuer(agentContext: AgentContext, options?: {
+    issuanceSessionId?: string;
+  }): Openid4vciIssuer;
+  getOauth2Client(agentContext: AgentContext, issuerRecord?: OpenId4VcIssuerRecord): Oauth2Client;
+  getOauth2AuthorizationServer(agentContext: AgentContext, options?: {
+    issuanceSessionId?: string;
+  }): Oauth2AuthorizationServer;
+  getResourceServer(agentContext: AgentContext, issuerRecord: OpenId4VcIssuerRecord): Oauth2ResourceServer;
+  /**
+   * Update the expiresAt field of the issuance session to ensure it remains
+   * valid during the deferral process. We set it to the maximum between the
+   * current expiresAt and the current time plus the configured expiration
+   * time or the interval multiplied by 2. This accounts for the chance of multiple
+   * deferrals happening, with longer intervals.
+   */
+  private updateExpiresAt;
+  /**
+   * Update the record to a new state and emit an state changed event. Also updates the record
+   * in storage.
+   */
+  updateState(agentContext: AgentContext, issuanceSession: OpenId4VcIssuanceSessionRecord, newState: OpenId4VcIssuanceSessionState): Promise<void>;
+  emitStateChangedEvent(agentContext: AgentContext, issuanceSession: OpenId4VcIssuanceSessionRecord, previousState: OpenId4VcIssuanceSessionState | null): void;
+  private getGrantsFromConfig;
+  private getCredentialConfigurationsForRequest;
+  private getSignedCredentials;
+  private signW3cCredential;
+}
+//#endregion
+export { OpenId4VcIssuerService };
+//# sourceMappingURL=OpenId4VcIssuerService.d.mts.map

package/build/openid4vc-issuer/OpenId4VcIssuerService.d.mts.map

@@ -0,0 +1 @@
+{"version":3,"file":"OpenId4VcIssuerService.d.mts","names":[],"sources":["../../src/openid4vc-issuer/OpenId4VcIssuerService.ts"],"sourcesContent":[],"mappings":";;;;;;;;;;;;;;;;;;;cAkGa,sBAAA;;;;;EAAA,QAAA,kCAAsB;EAQT,WAAA,CAAA,oBAAA,EAAA,oBAAA,EAAA,sBAAA,EACE,sBADF,EAAA,qBAAA,EAEC,2BAFD,EAAA,yBAAA,EAGK,yBAHL,EAAA,kCAAA,EAIc,kCAJd;EACE,8BAAA,CAAA,YAAA,EAaV,YAbU,EAAA,OAAA,EAcf,+CAde,GAAA;IACD,MAAA,EAa8C,qBAb9C;EACI,CAAA,CAAA,EAa1B,OAb0B,CAAA;IACS,eAAA,EAAA,MAAA;IAUtB,qBAAA,EAE6C,gCAF7C;EACL,CAAA,CAAA;EAA4D,qBAAA,CAAA,YAAA,EA2CvD,YA3CuD,EAAA,OAAA,EA4C5D,sCA5C4D,GAAA;IACV,MAAA,EA2CC,qBA3CD;EAA1D,CAAA,CAAA,EA2CkF,OA3ClF,CAAA;IA0Ca,eAAA,gCAAA;IACL,eAAA,EAAA,MAAA;EAAmD,CAAA,CAAA;yCA6H9C,uBACL;IA9H0E,eAAA,EA8HX,8BA9HW;EA6HrE,CAAA,CAAA,EAEb,OAFa,CAAA;IACL,eAAA,EACmB,8BADnB;IAA+D,kBAAA,EACQ,kBADR;EAC5C,CAAA,CAAA;EAAoD,gCAAA,CAAA,YAAA,EA2LlE,YA3LkE,EAAA,OAAA,EA4LvE,iDA5LuE,GAAA;IAA/E,eAAA,EA4L+E,8BA5L/E;EA2La,CAAA,CAAA,EAEb,OAFa,CAAA;IACL,eAAA,EAEQ,8BAFR;IAAuE,0BAAA,EAGpD,0BAHoD;EAE/D,CAAA,CAAA;EACW,QAAA,6BAAA;EAF3B,2BAAA,CAAA,YAAA,EA8Za,YA9Zb,EAAA,KAAA,EA+ZM,KA/ZN,CA+ZY,8BA/ZZ,CAAA,EAAA,YAAA,CAAA,EAgac,YAhad,CAAA,EAga0B,OAha1B,CAga0B,8BAha1B,EAAA,CAAA;EA8Za,gCAAA,CAAA,YAAA,EAQA,YARA,EAAA,KAAA,EASP,KATO,CASD,8BATC,CAAA,CAAA,EAS8B,OAT9B,CAS8B,8BAT9B,GAAA,IAAA,CAAA;EACD,sBAAA,CAAA,YAAA,EAamC,YAbnC,EAAA,iBAAA,EAAA,MAAA,CAAA,EAa0E,OAb1E,CAa0E,8BAb1E,CAAA;EAAN,aAAA,CAAA,YAAA,EAiBgC,YAjBhC,CAAA,EAiB4C,OAjB5C,CAiB4C,qBAjB5C,EAAA,CAAA;EACQ,mBAAA,CAAA,YAAA,EAoB8B,YApB9B,EAAA,QAAA,EAAA,MAAA,CAAA,EAoB4D,OApB5D,CAoB4D,qBApB5D,CAAA;EAAY,YAAA,CAAA,YAAA,EAwBW,YAxBX,EAAA,MAAA,EAwBiC,qBAxBjC,CAAA,EAwBsD,OAxBtD,CAAA,IAAA,CAAA;EAAA,YAAA,CAAA,YAAA,EAqCW,YArCX,EAAA,OAAA,EAqCkC,6BArClC,CAAA,EAqC+D,OArC/D,CAqC+D,qBArC/D,CAAA;EAMb,QAAA,oBAAA;EACD,2BAAA,CAAA,YAAA,EAkFC,YAlFD,EAAA,MAAA,EAmFL,qBAnFK,EAAA,OAAA,CAAA,EAoFH,IApFG,CAoFE,6BApFF,EAAA,0BAAA,CAAA,CAAA,EAoF4D,OApF5D,CAAA,IAAA,CAAA;EAAN;;;EAKyC,iBAAA,CAAA,YAAA,EAqGlC,YArGkC,EAAA,YAAA,EAsGlC,qBAtGkC,EAAA,wCAAA,CAAA,EAAA,OAAA,CAAA,EAuGA,OAvGA,CAAA;IAAuC,oBAAA,wBAAA;IAAA,gBAAA,EAAA;MAIhD,iBAAA,EAAA,MAAA;MAAY,mBAAA,EAAA,MAAA;MAAA,4BAAA,EAAA,MAAA;MAIN,mCAAA,wDAAA;MAA8B,qBAAA,EAAA,MAAA,EAAA,GAAA,SAAA;MAAA,OAAA,EAAA;QAIrC,CAAA,CAAA,EAAA,MAAA,CAAA,EAAA,OAAA;QAAsB,IAAA,CAAA,EAAA,MAAA,GAAA,SAAA;QAAqB,MAAA,CAAA,EAAA,MAAA,GAAA,SAAA;QAa3C,IAAA,CAAA,EAAA;UAAuB,CAAA,CAAA,EAAA,MAAA,CAAA,EAAA,OAAA;UAA6B,GAAA,CAAA,EAAA,MAAA,GAAA,SAAA;UAAA,QAAA,CAAA,EAAA,MAAA,GAAA,SAAA;QAoD5E,CAAA,GAAA,SAAA;MACN,CAAA,EAAA,GAAA,SAAA;MACO,cAAA,EAAA,MAAA;MAAL,yBAAA,EAAA;QAA+D,UAAA,EAAA,MAAA;MAsB3D,CAAA,GAAA,SAAA;IACA,CAAA;;;;;MACkC,qCAAA,CAAA,EAAA,MAAA,EAAA,GAAA,SAAA;MAwEX,sBAAA,CAAA,EAAA,MAAA,GAAA,SAAA;MAAsB,QAAA,CAAA,EAAA,MAAA,GAAA,SAAA;;MAAqB,gCAAA,CAAA,EAAA,MAAA,EAAA,GAAA,SAAA;MA8DlE,iCAAA,CAAA,EAAA,MAAA,EAAA,GAAA,SAAA;MACN,qCAAA,CAAA,EAAA,OAAA,GAAA,SAAA;MAKC,qCAAA,CAAA,EAAA,MAAA,GAAA,SAAA;MAER,sBAAA,CAAA,EAAA,MAAA,GAAA,SAAA;;;MAqFa,gCAAA,CAAA,EAAA,MAAA,GAAA,SAAA;MACN,iDAAA,CAAA,EAAA,OAAA,GAAA,SAAA;MACuB,qCAAA,CAAA,EAAA,OAAA,GAAA,SAAA;IAAX,CAAA,GAAA;MAKd,MAAA,EAAA,MAAA;MAiCuB,cAAA,EAAA,MAAA;MAA0D,iDAAA,EAAA,IAAA;MAMpD,QAAA,EAAA,MAAA;MAA6B,qBAAA,EAAA,CAAA,oBAAA,GAAA,sDAAA,CAAA,EAAA;MAAqB,gCAAA,EAAA,MAAA;MAWrC,sBAAA,EAAA,MAAA;MAA0D,qCAAA,EAAA,MAAA;MAMrE,qCAAA,EAAA,IAAA;MAA4B,gCAAA,yBAAA,EAAA;MAAqB,iCAAA,EAAA,CAAA,OAAA,GAAA,OAAA,GAAA,OAAA,GAAA,OAAA,GAAA,OAAA,GAAA,OAAA,GAAA,OAAA,GAAA,OAAA,GAAA,OAAA,GAAA,OAAA,GAAA,OAAA,GAAA,OAAA,GAAA,OAAA,GAAA,SAAA,GAAA,QAAA,EAAA,GAAA,CAAA,OAAA,GAAA,OAAA,GAAA,OAAA,GAAA,OAAA,GAAA,OAAA,GAAA,OAAA,GAAA,OAAA,GAAA,OAAA,GAAA,OAAA,GAAA,OAAA,GAAA,OAAA,GAAA,OAAA,GAAA,OAAA,GAAA,SAAA,GAAA,QAAA,CAAA,EAAA,CAAA,GAAA,SAAA;IAgDxE,CAAA,CAAA,EAAA;IACG,6BAAA,wDAAA;IACP,iBAAA,EAAA,MAAA,GAAA,SAAA;EAA6B,CAAA,CAAA;EAczB,WAAA,CAAA,YAAA,EA1RuB,YA0RvB,EAAA,MAAA,EA1R6C,qBA0R7C,CAAA,EA1RkE,OA0RlE,CAAA;IACG,MAAA,EAAA,MAAA;IACF,eAAA,MAAA;IAA6B,sBAAA,EAAA,MAAA;;;;;;;;mCA9N9B,sBACN;;;;WAKC;;MAER;;;;;;;;;;mCAqFa,sBACN,2CACY,WAAW;;;;MAKzB;0BAiCuB;;MAA0D;gCAMpD,6BAA6B,wBAAqB;6CAWrC;;MAA0D;kCAMrE,4BAA4B,wBAAqB;;;;;;;;;;;;;4BAgDxE,+BACG,0CACP,gCAA6B;sCAczB,+BACG,+CACF"}