@datacules/agent-identity 0.9.0 → 0.10.0
- package/README.md +128 -0
- package/dist/cjs/attestation.js +131 -29
- package/dist/cjs/attestation.js.map +1 -1
- package/dist/cjs/identity-providers.js +100 -0
- package/dist/cjs/identity-providers.js.map +1 -0
- package/dist/cjs/index.js +5 -0
- package/dist/cjs/index.js.map +1 -1
- package/dist/cjs/revocation-listener.js +78 -0
- package/dist/cjs/revocation-listener.js.map +1 -0
- package/dist/cjs/revocation.js +59 -0
- package/dist/cjs/revocation.js.map +1 -0
- package/dist/cjs/rotation.js +6 -1
- package/dist/cjs/rotation.js.map +1 -1
- package/dist/cjs/router.js +27 -5
- package/dist/cjs/router.js.map +1 -1
- package/dist/cjs/schemas.js +26 -2
- package/dist/cjs/schemas.js.map +1 -1
- package/dist/esm/attestation.js +129 -28
- package/dist/esm/attestation.js.map +1 -1
- package/dist/esm/identity-providers.js +97 -0
- package/dist/esm/identity-providers.js.map +1 -0
- package/dist/esm/index.js +5 -0
- package/dist/esm/index.js.map +1 -1
- package/dist/esm/revocation-listener.js +74 -0
- package/dist/esm/revocation-listener.js.map +1 -0
- package/dist/esm/revocation.js +55 -0
- package/dist/esm/revocation.js.map +1 -0
- package/dist/esm/rotation.js +6 -1
- package/dist/esm/rotation.js.map +1 -1
- package/dist/esm/router.js +27 -5
- package/dist/esm/router.js.map +1 -1
- package/dist/esm/schemas.js +25 -1
- package/dist/esm/schemas.js.map +1 -1
- package/dist/types/attestation.d.ts +34 -6
- package/dist/types/attestation.d.ts.map +1 -1
- package/dist/types/identity-providers.d.ts +53 -0
- package/dist/types/identity-providers.d.ts.map +1 -0
- package/dist/types/index.d.ts +3 -0
- package/dist/types/index.d.ts.map +1 -1
- package/dist/types/revocation-listener.d.ts +63 -0
- package/dist/types/revocation-listener.d.ts.map +1 -0
- package/dist/types/revocation.d.ts +52 -0
- package/dist/types/revocation.d.ts.map +1 -0
- package/dist/types/rotation.d.ts.map +1 -1
- package/dist/types/router.d.ts +14 -0
- package/dist/types/router.d.ts.map +1 -1
- package/dist/types/schemas.d.ts +89 -4
- package/dist/types/schemas.d.ts.map +1 -1
- package/dist/types/types.d.ts +82 -1
- package/dist/types/types.d.ts.map +1 -1
- package/package.json +1 -1
|
@@ -0,0 +1,52 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* Inbound revocation handler — receives logout+jwt tokens from identity
|
|
3
|
+
* providers and propagates revocation to the CredentialStore.
|
|
4
|
+
*
|
|
5
|
+
* This module validates the logout+jwt STRUCTURE (does NOT verify the
|
|
6
|
+
* signature). The caller (e.g. an Express/Fastify route handler) is
|
|
7
|
+
* responsible for JWKS-based signature verification before passing the
|
|
8
|
+
* decoded payload here.
|
|
9
|
+
*
|
|
10
|
+
* @module revocation
|
|
11
|
+
*/
|
|
12
|
+
import type { CredentialStore } from './types';
|
|
13
|
+
export interface LogoutTokenPayload {
|
|
14
|
+
iss: string;
|
|
15
|
+
sub: string;
|
|
16
|
+
aud: string;
|
|
17
|
+
jti: string;
|
|
18
|
+
iat: number;
|
|
19
|
+
events: Record<string, unknown>;
|
|
20
|
+
}
|
|
21
|
+
export interface RevocationResult {
|
|
22
|
+
jti: string;
|
|
23
|
+
credentialsRevoked: number;
|
|
24
|
+
/** True if jti was already seen (replay attack) */
|
|
25
|
+
replay: boolean;
|
|
26
|
+
}
|
|
27
|
+
/**
|
|
28
|
+
* RevocationHandler validates and processes inbound logout tokens.
|
|
29
|
+
*
|
|
30
|
+
* Usage:
|
|
31
|
+
* const handler = new RevocationHandler(store);
|
|
32
|
+
* // In your route: const payload = await verifyLogoutJwt(token, jwks); // caller's job
|
|
33
|
+
* const result = await handler.process(payload);
|
|
34
|
+
*
|
|
35
|
+
* The handler keeps an in-memory jti replay cache with configurable TTL.
|
|
36
|
+
* Stale entries are evicted lazily on each process() call.
|
|
37
|
+
*/
|
|
38
|
+
export declare class RevocationHandler {
|
|
39
|
+
private readonly store;
|
|
40
|
+
/**
|
|
41
|
+
* jti → processed-at timestamp (ms).
|
|
42
|
+
* Evict entries older than maxAgeMs.
|
|
43
|
+
*/
|
|
44
|
+
private readonly seen;
|
|
45
|
+
private readonly maxAgeMs;
|
|
46
|
+
constructor(store: CredentialStore, options?: {
|
|
47
|
+
maxAgeMs?: number;
|
|
48
|
+
});
|
|
49
|
+
process(payload: LogoutTokenPayload): Promise<RevocationResult>;
|
|
50
|
+
private evictStale;
|
|
51
|
+
}
|
|
52
|
+
//# sourceMappingURL=revocation.d.ts.map
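Review bot: `process()` is declared with no TSDoc and takes a plain `LogoutTokenPayload`, so the precondition from the module header (the caller has already verified the signature) is neither visible at the call site nor enforced by the type. I would put it on the method itself, e.g. `/** @param payload Claims of a logout+jwt whose signature the caller has ALREADY verified against the issuer's JWKS; only structure and jti replay are checked here. */`. The comment on `seen` describes an in-memory cache evicted after `maxAgeMs`, so replay detection presumably does not survive a restart or span several processes. Whether `process()` also rejects a payload whose `iat` is older than `maxAgeMs` cannot be told from these declarations, and the class comment should state which it is. `aud` is typed `string` only, while a JWT `aud` claim may be an array, so the doc should say which form the caller must pass after verification.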
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"revocation.d.ts","sourceRoot":"","sources":["../../src/revocation.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAEH,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,SAAS,CAAC;AAI/C,MAAM,WAAW,kBAAkB;IACjC,GAAG,EAAE,MAAM,CAAC;IACZ,GAAG,EAAE,MAAM,CAAC;IACZ,GAAG,EAAE,MAAM,CAAC;IACZ,GAAG,EAAE,MAAM,CAAC;IACZ,GAAG,EAAE,MAAM,CAAC;IACZ,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CACjC;AAED,MAAM,WAAW,gBAAgB;IAC/B,GAAG,EAAE,MAAM,CAAC;IACZ,kBAAkB,EAAE,MAAM,CAAC;IAC3B,mDAAmD;IACnD,MAAM,EAAE,OAAO,CAAC;CACjB;AAID;;;;;;;;;;GAUG;AACH,qBAAa,iBAAiB;IAS1B,OAAO,CAAC,QAAQ,CAAC,KAAK;IARxB;;;OAGG;IACH,OAAO,CAAC,QAAQ,CAAC,IAAI,CAA6B;IAClD,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAS;gBAGf,KAAK,EAAE,eAAe,EACvC,OAAO,CAAC,EAAE;QAAE,QAAQ,CAAC,EAAE,MAAM,CAAA;KAAE;IAK3B,OAAO,CAAC,OAAO,EAAE,kBAAkB,GAAG,OAAO,CAAC,gBAAgB,CAAC;IAiBrE,OAAO,CAAC,UAAU;CAMnB"}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"rotation.d.ts","sourceRoot":"","sources":["../../src/rotation.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AACH,OAAO,KAAK,EAAE,UAAU,EAAE,WAAW,EAAkB,MAAM,SAAS,CAAC;AAIvE;;;;GAIG;AACH,MAAM,WAAW,gBAAgB;IAC/B,EAAE,EAAE,MAAM,CAAC;IACX,MAAM,CAAC,UAAU,EAAE,UAAU,GAAG,OAAO,CAAC;QAAE,MAAM,EAAE,MAAM,CAAC;QAAC,SAAS,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;CAChF;AAED;;;;GAIG;AACH,MAAM,WAAW,kBAAkB;IACjC,UAAU,IAAI,OAAO,CAAC,UAAU,EAAE,CAAC,CAAC;IACpC,MAAM,CAAC,EAAE,EAAE,MAAM,EAAE,KAAK,EAAE,OAAO,CAAC,UAAU,CAAC,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;CAC/D;AAID,qBAAa,2BAA2B;IAKpC,OAAO,CAAC,QAAQ,CAAC,UAAU;IAC3B,OAAO,CAAC,QAAQ,CAAC,WAAW,CAAC;IAL/B,OAAO,CAAC,QAAQ,CAAC,SAAS,CAAuC;IACjE,OAAO,CAAC,cAAc,CAA+C;gBAGlD,UAAU,EAAE,kBAAkB,EAC9B,WAAW,CAAC,EAAE,WAAW,YAAA;IAG5C,gBAAgB,CAAC,QAAQ,EAAE,gBAAgB,GAAG,IAAI;IAIlD;;;OAGG;IACG,OAAO,IAAI,OAAO,CAAC,IAAI,CAAC;
|
|
1
|
+
{"version":3,"file":"rotation.d.ts","sourceRoot":"","sources":["../../src/rotation.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AACH,OAAO,KAAK,EAAE,UAAU,EAAE,WAAW,EAAkB,MAAM,SAAS,CAAC;AAIvE;;;;GAIG;AACH,MAAM,WAAW,gBAAgB;IAC/B,EAAE,EAAE,MAAM,CAAC;IACX,MAAM,CAAC,UAAU,EAAE,UAAU,GAAG,OAAO,CAAC;QAAE,MAAM,EAAE,MAAM,CAAC;QAAC,SAAS,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;CAChF;AAED;;;;GAIG;AACH,MAAM,WAAW,kBAAkB;IACjC,UAAU,IAAI,OAAO,CAAC,UAAU,EAAE,CAAC,CAAC;IACpC,MAAM,CAAC,EAAE,EAAE,MAAM,EAAE,KAAK,EAAE,OAAO,CAAC,UAAU,CAAC,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;CAC/D;AAID,qBAAa,2BAA2B;IAKpC,OAAO,CAAC,QAAQ,CAAC,UAAU;IAC3B,OAAO,CAAC,QAAQ,CAAC,WAAW,CAAC;IAL/B,OAAO,CAAC,QAAQ,CAAC,SAAS,CAAuC;IACjE,OAAO,CAAC,cAAc,CAA+C;gBAGlD,UAAU,EAAE,kBAAkB,EAC9B,WAAW,CAAC,EAAE,WAAW,YAAA;IAG5C,gBAAgB,CAAC,QAAQ,EAAE,gBAAgB,GAAG,IAAI;IAIlD;;;OAGG;IACG,OAAO,IAAI,OAAO,CAAC,IAAI,CAAC;IAmE9B;;;OAGG;IACH,KAAK,CAAC,UAAU,SAAY,GAAG,IAAI;IAOnC,IAAI,IAAI,IAAI;IAOZ,OAAO,CAAC,aAAa;YASP,gBAAgB;CAsB/B"}
|
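--- a/package/dist/types/router.d.ts
+++ b/package/dist/types/router.d.ts
@@ -9,6 +9,8 @@
 * - resolveAsync(): full async resolution path for cloud stores
 * - resolvePairAsync(): async migration pair resolution (async counterpart
 * of resolvePair(), enabling budget + attestation on migration workflows)
+* - Unclaimed guard: credentials with status='unclaimed' are never routed
+* until the auth.md claim ceremony completes and status flips to 'active'
 */
 import type { AgentRequestContext, AuditLogger, Credential, CredentialStore, MigrationContext, ResolvedCredential, ResolvedCredentialPair, RoutingRule, AttestationSigner } from './types';
 import type { BudgetEnforcer } from './budget';
@@ -34,6 +36,18 @@ export declare class MemoryCredentialStore implements CredentialStore {
 listByKind(kind: Credential['kind']): Promise<Credential[]>;
 reserve(ref: string, migrationId: string, ttlSeconds: number): Promise<boolean>;
 release(ref: string, migrationId: string): Promise<void>;
+/**
+* revokeByIdentity — MemoryCredentialStore no-op implementation.
+*
+* MemoryCredentialStore does not track the issuer/subject triple that
+* corresponds to each credential (it only stores the credential object
+* itself). It therefore cannot determine which credentials belong to
+* a given identity triple and always returns 0.
+*
+* Implementers of custom stores should override this to mark matching
+* credentials as status='revoked' based on their own metadata schema.
+*/
+revokeByIdentity(_issuer: string, _subject: string, _audience: string): Promise<number>;
 }
 export declare class CredentialRouter {
 private readonly config;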
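Review bot: The `revokeByIdentity` added to `MemoryCredentialStore` in the second hunk is documented as always returning 0, so a service running on this store can accept a logout token and report an ordinary result while every credential for that identity stays 'active'. The doc comment should say so in security terms and tell the caller how to read the value, for example `* SECURITY: revocation by identity is NOT supported by this store; a return of 0 means "not attempted", not "nothing to revoke".` A stricter option is to have the method reject instead of resolving to 0, but that changes behaviour for existing callers, and how `RevocationHandler` treats a zero count is not visible on this page. The class declaration begins before the hunk.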
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"router.d.ts","sourceRoot":"","sources":["../../src/router.ts"],"names":[],"mappings":"AAAA
|
|
1
|
+
{"version":3,"file":"router.d.ts","sourceRoot":"","sources":["../../src/router.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AAEH,OAAO,KAAK,EACV,mBAAmB,EAEnB,WAAW,EACX,UAAU,EACV,eAAe,EACf,gBAAgB,EAChB,kBAAkB,EAClB,sBAAsB,EACtB,WAAW,EACX,iBAAiB,EAClB,MAAM,SAAS,CAAC;AAEjB,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,UAAU,CAAC;AAC/C,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,YAAY,CAAC;AAUlD,MAAM,WAAW,YAAY;IAC3B,KAAK,EAAE,eAAe,CAAC;IACvB,KAAK,EAAE,WAAW,EAAE,CAAC;IACrB,MAAM,CAAC,EAAE,WAAW,CAAC;IACrB,uEAAuE;IACvE,iBAAiB,CAAC,EAAE,iBAAiB,CAAC;IACtC,2CAA2C;IAC3C,cAAc,CAAC,EAAE,cAAc,CAAC;IAChC,uDAAuD;IACvD,eAAe,CAAC,EAAE,eAAe,CAAC;CACnC;AAED,qBAAa,qBAAsB,YAAW,eAAe;IAC3D,OAAO,CAAC,QAAQ,CAAC,KAAK,CAAe;IACrC,OAAO,CAAC,QAAQ,CAAC,YAAY,CAAiE;gBAElF,WAAW,EAAE,UAAU,EAAE;IAIrC,aAAa,CAAC,GAAG,EAAE,MAAM,GAAG,UAAU,GAAG,IAAI;IAIvC,SAAS,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,UAAU,GAAG,IAAI,CAAC;IAIlD,UAAU,IAAI,OAAO,CAAC,UAAU,EAAE,CAAC;IAInC,UAAU,CAAC,IAAI,EAAE,UAAU,CAAC,MAAM,CAAC,GAAG,OAAO,CAAC,UAAU,EAAE,CAAC;IAI3D,OAAO,CAAC,GAAG,EAAE,MAAM,EAAE,WAAW,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;IAQ/E,OAAO,CAAC,GAAG,EAAE,MAAM,EAAE,WAAW,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAK9D;;;;;;;;;;OAUG;IACG,gBAAgB,CACpB,OAAO,EAAE,MAAM,EACf,QAAQ,EAAE,MAAM,EAChB,SAAS,EAAE,MAAM,GAChB,OAAO,CAAC,MAAM,CAAC;CAGnB;AAED,qBAAa,gBAAgB;IACf,OAAO,CAAC,QAAQ,CAAC,MAAM;gBAAN,MAAM,EAAE,YAAY;IAIjD,OAAO,CAAC,GAAG,EAAE,mBAAmB,GAAG,kBAAkB,GAAG,IAAI;IA4CtD,YAAY,CAAC,GAAG,EAAE,mBAAmB,GAAG,OAAO,CAAC,kBAAkB,GAAG,IAAI,CAAC;IA0DhF,WAAW,CAAC,GAAG,EAAE,gBAAgB,GAAG,sBAAsB,GAAG,IAAI;IAajE;;;;;;;;;;;;;;;;OAgBG;IACG,gBAAgB,CAAC,GAAG,EAAE,gBAAgB,GAAG,OAAO,CAAC,sBAAsB,GAAG,IAAI,CAAC;IAiCrF,OAAO,CAAC,SAAS;IAUjB,OAAO,CAAC,WAAW;IAoBnB,OAAO,CAAC,eAAe;CAsBxB;AAID,wBAAgB,YAAY,CAC1B,WAAW,EAAE,UAAU,EAAE,EACzB,KAAK,EAAE,WAAW,EAAE,EACpB,MAAM,CAAC,EAAE,WAAW,GACnB,gBAAgB,CAElB;AAED,wBAAgB,qBAAqB,CACnC,KAAK,EAAE,eAAe,EACtB,KAAK,EAAE,WAAW,EAAE,EACpB,MAAM,CAAC,EAAE,WAAW,GACnB,gBAAgB,CAElB;AAED,wBAAgB,sBAAsB,CAAC,MAAM,EAAE,YAAY,GAAG,gBAAgB,CAE7E"}
|
package/dist/types/schemas.d.ts
CHANGED
|
@@ -12,7 +12,11 @@ import { z } from 'zod';
|
|
|
12
12
|
export declare const SupportedProviderSchema: z.ZodEnum<["openai", "anthropic", "gemini", "mistral", "local"]>;
|
|
13
13
|
export declare const ResourceKindSchema: z.ZodEnum<["shared", "personal"]>;
|
|
14
14
|
export declare const CredentialKindSchema: z.ZodEnum<["fixed", "user-delegated"]>;
|
|
15
|
-
|
|
15
|
+
/**
|
|
16
|
+
* 'unclaimed' added for auth.md anonymous-flow credentials that are
|
|
17
|
+
* awaiting claim ceremony completion before becoming fully active.
|
|
18
|
+
*/
|
|
19
|
+
export declare const CredentialStatusSchema: z.ZodEnum<["active", "pending", "unclaimed", "revoked"]>;
|
|
16
20
|
export declare const MigrationPhaseSchema: z.ZodEnum<["dry-run", "extract", "transform", "load", "verify", "rollback"]>;
|
|
17
21
|
export declare const ApproverKindSchema: z.ZodEnum<["webhook", "email", "slack"]>;
|
|
18
22
|
export declare const RotationPolicySchema: z.ZodObject<{
|
|
@@ -114,7 +118,7 @@ export declare const CredentialSchema: z.ZodObject<{
|
|
|
114
118
|
kind: z.ZodEnum<["fixed", "user-delegated"]>;
|
|
115
119
|
name: z.ZodString;
|
|
116
120
|
scope: z.ZodString;
|
|
117
|
-
status: z.ZodEnum<["active", "pending", "revoked"]>;
|
|
121
|
+
status: z.ZodEnum<["active", "pending", "unclaimed", "revoked"]>;
|
|
118
122
|
provider: z.ZodOptional<z.ZodString>;
|
|
119
123
|
ref: z.ZodString;
|
|
120
124
|
expiresAt: z.ZodOptional<z.ZodString>;
|
|
@@ -160,8 +164,11 @@ export declare const CredentialSchema: z.ZodObject<{
|
|
|
160
164
|
resetSchedule?: string | undefined;
|
|
161
165
|
}>>;
|
|
162
166
|
tags: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
|
|
167
|
+
preClaimScopes: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
|
|
168
|
+
postClaimScopes: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
|
|
169
|
+
claimedAt: z.ZodOptional<z.ZodString>;
|
|
163
170
|
}, "strip", z.ZodTypeAny, {
|
|
164
|
-
status: "active" | "pending" | "revoked";
|
|
171
|
+
status: "active" | "pending" | "unclaimed" | "revoked";
|
|
165
172
|
name: string;
|
|
166
173
|
kind: "user-delegated" | "fixed";
|
|
167
174
|
id: string;
|
|
@@ -187,8 +194,11 @@ export declare const CredentialSchema: z.ZodObject<{
|
|
|
187
194
|
resetSchedule?: string | undefined;
|
|
188
195
|
} | undefined;
|
|
189
196
|
tags?: string[] | undefined;
|
|
197
|
+
preClaimScopes?: string[] | undefined;
|
|
198
|
+
postClaimScopes?: string[] | undefined;
|
|
199
|
+
claimedAt?: string | undefined;
|
|
190
200
|
}, {
|
|
191
|
-
status: "active" | "pending" | "revoked";
|
|
201
|
+
status: "active" | "pending" | "unclaimed" | "revoked";
|
|
192
202
|
name: string;
|
|
193
203
|
kind: "user-delegated" | "fixed";
|
|
194
204
|
id: string;
|
|
@@ -214,6 +224,9 @@ export declare const CredentialSchema: z.ZodObject<{
|
|
|
214
224
|
resetSchedule?: string | undefined;
|
|
215
225
|
} | undefined;
|
|
216
226
|
tags?: string[] | undefined;
|
|
227
|
+
preClaimScopes?: string[] | undefined;
|
|
228
|
+
postClaimScopes?: string[] | undefined;
|
|
229
|
+
claimedAt?: string | undefined;
|
|
217
230
|
}>;
|
|
218
231
|
export declare const RoutingRuleSchema: z.ZodObject<{
|
|
219
232
|
id: z.ZodString;
|
|
@@ -427,8 +440,80 @@ export declare const MigrationContextSchema: z.ZodObject<{
|
|
|
427
440
|
batchIndex?: number | undefined;
|
|
428
441
|
totalBatches?: number | undefined;
|
|
429
442
|
}>;
|
|
443
|
+
export declare const TrustedIdentityProviderSchema: z.ZodObject<{
|
|
444
|
+
issuerUrl: z.ZodString;
|
|
445
|
+
label: z.ZodString;
|
|
446
|
+
jwksUri: z.ZodOptional<z.ZodString>;
|
|
447
|
+
cimdUri: z.ZodOptional<z.ZodString>;
|
|
448
|
+
requiredAmr: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
|
|
449
|
+
enabled: z.ZodOptional<z.ZodBoolean>;
|
|
450
|
+
}, "strip", z.ZodTypeAny, {
|
|
451
|
+
label: string;
|
|
452
|
+
issuerUrl: string;
|
|
453
|
+
enabled?: boolean | undefined;
|
|
454
|
+
requiredAmr?: string[] | undefined;
|
|
455
|
+
jwksUri?: string | undefined;
|
|
456
|
+
cimdUri?: string | undefined;
|
|
457
|
+
}, {
|
|
458
|
+
label: string;
|
|
459
|
+
issuerUrl: string;
|
|
460
|
+
enabled?: boolean | undefined;
|
|
461
|
+
requiredAmr?: string[] | undefined;
|
|
462
|
+
jwksUri?: string | undefined;
|
|
463
|
+
cimdUri?: string | undefined;
|
|
464
|
+
}>;
|
|
465
|
+
export declare const TrustedProviderRegistrySchema: z.ZodObject<{
|
|
466
|
+
providers: z.ZodArray<z.ZodObject<{
|
|
467
|
+
issuerUrl: z.ZodString;
|
|
468
|
+
label: z.ZodString;
|
|
469
|
+
jwksUri: z.ZodOptional<z.ZodString>;
|
|
470
|
+
cimdUri: z.ZodOptional<z.ZodString>;
|
|
471
|
+
requiredAmr: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
|
|
472
|
+
enabled: z.ZodOptional<z.ZodBoolean>;
|
|
473
|
+
}, "strip", z.ZodTypeAny, {
|
|
474
|
+
label: string;
|
|
475
|
+
issuerUrl: string;
|
|
476
|
+
enabled?: boolean | undefined;
|
|
477
|
+
requiredAmr?: string[] | undefined;
|
|
478
|
+
jwksUri?: string | undefined;
|
|
479
|
+
cimdUri?: string | undefined;
|
|
480
|
+
}, {
|
|
481
|
+
label: string;
|
|
482
|
+
issuerUrl: string;
|
|
483
|
+
enabled?: boolean | undefined;
|
|
484
|
+
requiredAmr?: string[] | undefined;
|
|
485
|
+
jwksUri?: string | undefined;
|
|
486
|
+
cimdUri?: string | undefined;
|
|
487
|
+
}>, "many">;
|
|
488
|
+
jwksCacheTtlMs: z.ZodOptional<z.ZodNumber>;
|
|
489
|
+
jwksCacheFloorMs: z.ZodOptional<z.ZodNumber>;
|
|
490
|
+
}, "strip", z.ZodTypeAny, {
|
|
491
|
+
providers: {
|
|
492
|
+
label: string;
|
|
493
|
+
issuerUrl: string;
|
|
494
|
+
enabled?: boolean | undefined;
|
|
495
|
+
requiredAmr?: string[] | undefined;
|
|
496
|
+
jwksUri?: string | undefined;
|
|
497
|
+
cimdUri?: string | undefined;
|
|
498
|
+
}[];
|
|
499
|
+
jwksCacheTtlMs?: number | undefined;
|
|
500
|
+
jwksCacheFloorMs?: number | undefined;
|
|
501
|
+
}, {
|
|
502
|
+
providers: {
|
|
503
|
+
label: string;
|
|
504
|
+
issuerUrl: string;
|
|
505
|
+
enabled?: boolean | undefined;
|
|
506
|
+
requiredAmr?: string[] | undefined;
|
|
507
|
+
jwksUri?: string | undefined;
|
|
508
|
+
cimdUri?: string | undefined;
|
|
509
|
+
}[];
|
|
510
|
+
jwksCacheTtlMs?: number | undefined;
|
|
511
|
+
jwksCacheFloorMs?: number | undefined;
|
|
512
|
+
}>;
|
|
430
513
|
export type AgentRequestContextInput = z.infer<typeof AgentRequestContextSchema>;
|
|
431
514
|
export type MigrationContextInput = z.infer<typeof MigrationContextSchema>;
|
|
432
515
|
export type RoutingRuleInput = z.infer<typeof RoutingRuleSchema>;
|
|
433
516
|
export type CredentialInput = z.infer<typeof CredentialSchema>;
|
|
517
|
+
export type TrustedIdentityProviderInput = z.infer<typeof TrustedIdentityProviderSchema>;
|
|
518
|
+
export type TrustedProviderRegistryInput = z.infer<typeof TrustedProviderRegistrySchema>;
|
|
434
519
|
//# sourceMappingURL=schemas.d.ts.map
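Review bot: In the last hunk, `issuerUrl`, `jwksUri` and `cimdUri` of `TrustedIdentityProviderSchema` are declared as bare `z.ZodString`, and a declaration file cannot show whether the source schema restricts them to absolute `https:` URLs. These values decide which issuer is trusted and where key material is fetched from, so the source should reject other schemes and say so in a comment, e.g. `issuerUrl: z.string().url().startsWith('https://')`, with the same for the two optional URIs. `jwksCacheTtlMs` and `jwksCacheFloorMs` are likewise plain `z.ZodNumber` as declared; it is worth confirming that zero, negative and non-finite values are refused, and documenting what happens when the TTL is set below the floor.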
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"schemas.d.ts","sourceRoot":"","sources":["../../src/schemas.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AACH,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAIxB,eAAO,MAAM,uBAAuB,kEAMlC,CAAC;AAEH,eAAO,MAAM,kBAAkB,mCAAiC,CAAC;AAEjE,eAAO,MAAM,oBAAoB,wCAAsC,CAAC;AAExE,eAAO,MAAM,sBAAsB,
|
|
1
|
+
{"version":3,"file":"schemas.d.ts","sourceRoot":"","sources":["../../src/schemas.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AACH,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAIxB,eAAO,MAAM,uBAAuB,kEAMlC,CAAC;AAEH,eAAO,MAAM,kBAAkB,mCAAiC,CAAC;AAEjE,eAAO,MAAM,oBAAoB,wCAAsC,CAAC;AAExE;;;GAGG;AACH,eAAO,MAAM,sBAAsB,0DAAwD,CAAC;AAE5F,eAAO,MAAM,oBAAoB,8EAO/B,CAAC;AAEH,eAAO,MAAM,kBAAkB,0CAAwC,CAAC;AAIxE,eAAO,MAAM,oBAAoB;;;;;;;;;;;;;;;;;;EAM/B,CAAC;AAIH,eAAO,MAAM,kBAAkB;;;;;;;;;;;;;;;;;;EAM7B,CAAC;AAIH,eAAO,MAAM,cAAc;;;;;;;;;EAGzB,CAAC;AAEH,eAAO,MAAM,oBAAoB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EAU/B,CAAC;AAIH,eAAO,MAAM,gBAAgB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EAqB3B,CAAC;AAIH,eAAO,MAAM,iBAAiB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EAkB5B,CAAC;AAIH,eAAO,MAAM,yBAAyB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EAYpC,CAAC;AAEH,eAAO,MAAM,sBAAsB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EAQjC,CAAC;AAIH,eAAO,MAAM,6BAA6B;;;;;;;;;;;;;;;;;;;;;EAOxC,CAAC;AAEH,eAAO,MAAM,6BAA6B;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EAIxC,CAAC;AAKH,MAAM,MAAM,wBAAwB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,yBAAyB,CAAC,CAAC;AACjF,MAAM,MAAM,qBAAqB,GAAM,CAAC,CAAC,KAAK,CAAC,OAAO,sBAAsB,CAAC,CAAC;AAC9E,MAAM,MAAM,gBAAgB,GAAW,CAAC,CAAC,KAAK,CAAC,OAAO,iBAAiB,CAAC,CAAC;AACzE,MAAM,MAAM,eAAe,GAAY,CAAC,CAAC,KAAK,CAAC,OAAO,gBAAgB,CAAC,CAAC;AACxE,MAAM,MAAM,4BAA4B,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,6BAA6B,CAAC,CAAC;AACzF,MAAM,MAAM,4BAA4B,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,6BAA6B,CAAC,CAAC"}
|
package/dist/types/types.d.ts
CHANGED
|
@@ -38,7 +38,16 @@ export interface BudgetPolicy {
|
|
|
38
38
|
resetSchedule?: string;
|
|
39
39
|
}
|
|
40
40
|
export type CredentialKind = 'fixed' | 'user-delegated';
|
|
41
|
-
|
|
41
|
+
/**
|
|
42
|
+
* Lifecycle status for a Credential:
|
|
43
|
+
* active — fully trusted; scope is as declared
|
|
44
|
+
* pending — being provisioned; not yet usable
|
|
45
|
+
* unclaimed — anonymous auth.md registration; holds pre-claim scopes only;
|
|
46
|
+
* not routable until the claim ceremony completes and status
|
|
47
|
+
* is flipped to 'active'
|
|
48
|
+
* revoked — invalid; must not be resolved
|
|
49
|
+
*/
|
|
50
|
+
export type CredentialStatus = 'active' | 'pending' | 'unclaimed' | 'revoked';
|
|
42
51
|
export interface Credential {
|
|
43
52
|
id: string;
|
|
44
53
|
kind: CredentialKind;
|
|
@@ -59,6 +68,28 @@ export interface Credential {
|
|
|
59
68
|
budget?: BudgetPolicy;
|
|
60
69
|
/** Arbitrary tags e.g. ['pii', 'financial', 'prod'] — used by compliance reports */
|
|
61
70
|
tags?: string[];
|
|
71
|
+
/**
|
|
72
|
+
* For status='unclaimed': the scopes the credential currently carries
|
|
73
|
+
* (pre-claim). Once the claim ceremony completes, replaced with
|
|
74
|
+
* postClaimScopes and status flipped to 'active'.
|
|
75
|
+
*/
|
|
76
|
+
preClaimScopes?: string[];
|
|
77
|
+
/**
|
|
78
|
+
* For status='unclaimed': the scopes this credential will carry once
|
|
79
|
+
* the claim ceremony is completed. Informational until claim completes.
|
|
80
|
+
*/
|
|
81
|
+
postClaimScopes?: string[];
|
|
82
|
+
/**
|
|
83
|
+
* ISO 8601 timestamp when the auth.md claim ceremony was completed.
|
|
84
|
+
* Set by AgentAuthMdStore.completeClaimCeremony().
|
|
85
|
+
*/
|
|
86
|
+
claimedAt?: string;
|
|
87
|
+
/**
|
|
88
|
+
* Token required to complete an ongoing claim ceremony.
|
|
89
|
+
* NEVER persisted to any external store — held in memory only.
|
|
90
|
+
* Present only on the in-memory Credential inside AgentAuthMdStore's cache.
|
|
91
|
+
*/
|
|
92
|
+
claimToken?: string;
|
|
62
93
|
}
|
|
63
94
|
export type ApproverKind = 'webhook' | 'email' | 'slack';
|
|
64
95
|
export interface Approver {
|
|
@@ -170,6 +201,19 @@ export interface CredentialStore {
|
|
|
170
201
|
listByKind(kind: CredentialKind): Promise<Credential[]>;
|
|
171
202
|
reserve?(ref: string, migrationId: string, ttlSeconds: number): Promise<boolean>;
|
|
172
203
|
release?(ref: string, migrationId: string): Promise<void>;
|
|
204
|
+
/**
|
|
205
|
+
* Revoke all credentials that match the given identity triple.
|
|
206
|
+
*
|
|
207
|
+
* Called when a logout+jwt is received at revocation_uri from a trusted
|
|
208
|
+
* identity provider. Implementations should mark all matching credentials as
|
|
209
|
+
* status='revoked' and clear any cached resolved values.
|
|
210
|
+
*
|
|
211
|
+
* @param issuer - iss claim from the logout+jwt (provider base URL)
|
|
212
|
+
* @param subject - sub claim (user identifier at the provider)
|
|
213
|
+
* @param audience - aud claim (this service's auth server URL)
|
|
214
|
+
* @returns number of credentials revoked
|
|
215
|
+
*/
|
|
216
|
+
revokeByIdentity?(issuer: string, subject: string, audience: string): Promise<number>;
|
|
173
217
|
}
|
|
174
218
|
export interface AuditLogEntry {
|
|
175
219
|
timestamp: string;
|
|
@@ -289,4 +333,41 @@ export interface FederationConfig {
|
|
|
289
333
|
/** Map of trustDomain → base64 public key for verification */
|
|
290
334
|
trustedDomains: Record<string, string>;
|
|
291
335
|
}
|
|
336
|
+
/**
|
|
337
|
+
* A trusted identity provider whose ID-JAG assertions this service accepts.
|
|
338
|
+
* Add entries to a TrustedProviderRegistry to gate which assertion issuers
|
|
339
|
+
* are allowed during auth.md registration.
|
|
340
|
+
*/
|
|
341
|
+
export interface TrustedIdentityProvider {
|
|
342
|
+
/** Issuer URL — must match the iss claim in ID-JAGs from this provider. */
|
|
343
|
+
issuerUrl: string;
|
|
344
|
+
/** Human-readable label e.g. 'OpenAI', 'Anthropic', 'Cursor'. */
|
|
345
|
+
label: string;
|
|
346
|
+
/**
|
|
347
|
+
* JWKS endpoint. If omitted, derived as {issuerUrl}/.well-known/jwks.json
|
|
348
|
+
* per the ID-JAG draft spec.
|
|
349
|
+
*/
|
|
350
|
+
jwksUri?: string;
|
|
351
|
+
/**
|
|
352
|
+
* Optional CIMD URL. If the ID-JAG's client_id is a URL (not opaque),
|
|
353
|
+
* fetch it as an OAuth Client ID Metadata Document and verify its jwks_uri
|
|
354
|
+
* matches the one used for signature verification.
|
|
355
|
+
*/
|
|
356
|
+
cimdUri?: string;
|
|
357
|
+
/**
|
|
358
|
+
* Policy: require at least one of these AMR values in the ID-JAG.
|
|
359
|
+
* e.g. ['mfa'] enforces MFA at the provider.
|
|
360
|
+
*/
|
|
361
|
+
requiredAmr?: string[];
|
|
362
|
+
/** Whether this provider entry is currently active (default: true). */
|
|
363
|
+
enabled?: boolean;
|
|
364
|
+
}
|
|
365
|
+
/** Registry of identity providers whose ID-JAG assertions are accepted. */
|
|
366
|
+
export interface TrustedProviderRegistry {
|
|
367
|
+
providers: TrustedIdentityProvider[];
|
|
368
|
+
/** JWKS cache TTL in ms. Default: 3_600_000 (1 hour). */
|
|
369
|
+
jwksCacheTtlMs?: number;
|
|
370
|
+
/** Minimum JWKS cache floor in ms. Default: 600_000 (10 minutes). */
|
|
371
|
+
jwksCacheFloorMs?: number;
|
|
372
|
+
}
|
|
292
373
|
//# sourceMappingURL=types.d.ts.map
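Review bot: `claimToken` is added in the second hunk to the exported `Credential` interface, so the secret rides on the same object that `CredentialStore` methods return and that callers may serialise, cache or log. The "NEVER persisted" rule lives only in the comment. `CredentialSchema` on this page does not list the field and uses strip mode, so a parsed credential drops it, but an object that never passes through the schema keeps it. I would keep the token off the shared type, for instance on a store-private type that extends `Credential` inside `AgentAuthMdStore`. If it has to stay, extend the comment with `* Must be removed before a Credential is returned from a CredentialStore method, written to an audit log, or serialised.` The `Credential` interface starts and ends outside this hunk.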
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../src/types.ts"],"names":[],"mappings":"AAEA,MAAM,MAAM,YAAY,GACpB,gBAAgB,GAChB,eAAe,GACf,QAAQ,GACR,kBAAkB,CAAC;AAEvB,MAAM,WAAW,QAAQ;IACvB,EAAE,EAAE,MAAM,CAAC;IACX,IAAI,EAAE,YAAY,CAAC;IACnB,IAAI,EAAE,MAAM,CAAC;IACb,WAAW,EAAE,MAAM,CAAC;IACpB,IAAI,EAAE,MAAM,EAAE,CAAC;CAChB;AAID,MAAM,MAAM,eAAe,GACvB,sBAAsB,GACtB,kBAAkB,GAClB,kBAAkB,GAClB,gBAAgB,CAAC;AAErB,MAAM,WAAW,WAAW;IAC1B,EAAE,EAAE,eAAe,CAAC;IACpB,IAAI,EAAE,MAAM,CAAC;IACb,WAAW,EAAE,MAAM,CAAC;IACpB,UAAU,EAAE,MAAM,CAAC;IACnB,WAAW,CAAC,EAAE,OAAO,CAAC;IACtB,SAAS,EAAE,QAAQ,EAAE,CAAC;CACvB;AAED,MAAM,WAAW,QAAQ;IACvB,KAAK,EAAE,MAAM,CAAC;IACd,QAAQ,EAAE,MAAM,CAAC;IACjB,OAAO,EAAE,SAAS,GAAG,MAAM,GAAG,KAAK,GAAG,OAAO,GAAG,OAAO,CAAC;CACzD;AAID,MAAM,WAAW,cAAc;IAC7B,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,kBAAkB,CAAC,EAAE,MAAM,CAAC;IAC5B,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B,+CAA+C;IAC/C,WAAW,CAAC,EAAE,MAAM,CAAC;CACtB;AAID,MAAM,WAAW,YAAY;IAC3B,qBAAqB,CAAC,EAAE,MAAM,CAAC;IAC/B,qBAAqB,CAAC,EAAE,MAAM,CAAC;IAC/B,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B,oFAAoF;IACpF,oBAAoB,CAAC,EAAE,MAAM,CAAC;IAC9B,uEAAuE;IACvE,aAAa,CAAC,EAAE,MAAM,CAAC;CACxB;AAID,MAAM,MAAM,cAAc,GAAG,OAAO,GAAG,gBAAgB,CAAC;
|
|
1
|
+
{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../src/types.ts"],"names":[],"mappings":"AAEA,MAAM,MAAM,YAAY,GACpB,gBAAgB,GAChB,eAAe,GACf,QAAQ,GACR,kBAAkB,CAAC;AAEvB,MAAM,WAAW,QAAQ;IACvB,EAAE,EAAE,MAAM,CAAC;IACX,IAAI,EAAE,YAAY,CAAC;IACnB,IAAI,EAAE,MAAM,CAAC;IACb,WAAW,EAAE,MAAM,CAAC;IACpB,IAAI,EAAE,MAAM,EAAE,CAAC;CAChB;AAID,MAAM,MAAM,eAAe,GACvB,sBAAsB,GACtB,kBAAkB,GAClB,kBAAkB,GAClB,gBAAgB,CAAC;AAErB,MAAM,WAAW,WAAW;IAC1B,EAAE,EAAE,eAAe,CAAC;IACpB,IAAI,EAAE,MAAM,CAAC;IACb,WAAW,EAAE,MAAM,CAAC;IACpB,UAAU,EAAE,MAAM,CAAC;IACnB,WAAW,CAAC,EAAE,OAAO,CAAC;IACtB,SAAS,EAAE,QAAQ,EAAE,CAAC;CACvB;AAED,MAAM,WAAW,QAAQ;IACvB,KAAK,EAAE,MAAM,CAAC;IACd,QAAQ,EAAE,MAAM,CAAC;IACjB,OAAO,EAAE,SAAS,GAAG,MAAM,GAAG,KAAK,GAAG,OAAO,GAAG,OAAO,CAAC;CACzD;AAID,MAAM,WAAW,cAAc;IAC7B,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,kBAAkB,CAAC,EAAE,MAAM,CAAC;IAC5B,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B,+CAA+C;IAC/C,WAAW,CAAC,EAAE,MAAM,CAAC;CACtB;AAID,MAAM,WAAW,YAAY;IAC3B,qBAAqB,CAAC,EAAE,MAAM,CAAC;IAC/B,qBAAqB,CAAC,EAAE,MAAM,CAAC;IAC/B,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B,oFAAoF;IACpF,oBAAoB,CAAC,EAAE,MAAM,CAAC;IAC9B,uEAAuE;IACvE,aAAa,CAAC,EAAE,MAAM,CAAC;CACxB;AAID,MAAM,MAAM,cAAc,GAAG,OAAO,GAAG,gBAAgB,CAAC;AAExD;;;;;;;;GAQG;AACH,MAAM,MAAM,gBAAgB,GAAG,QAAQ,GAAG,SAAS,GAAG,WAAW,GAAG,SAAS,CAAC;AAE9E,MAAM,WAAW,UAAU;IACzB,EAAE,EAAE,MAAM,CAAC;IACX,IAAI,EAAE,cAAc,CAAC;IACrB,IAAI,EAAE,MAAM,CAAC;IACb,KAAK,EAAE,MAAM,CAAC;IACd,MAAM,EAAE,gBAAgB,CAAC;IACzB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,yDAAyD;IACzD,GAAG,EAAE,MAAM,CAAC;IACZ,iDAAiD;IACjD,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,oBAAoB,CAAC,EAAE,MAAM,CAAC;IAC9B,uEAAuE;IACvE,QAAQ,CAAC,EAAE,cAAc,CAAC;IAC1B,sCAAsC;IACtC,MAAM,CAAC,EAAE,YAAY,CAAC;IACtB,oFAAoF;IACpF,IAAI,CAAC,EAAE,MAAM,EAAE,CAAC;IAEhB;;;;OAIG;IACH,cAAc,CAAC,EAAE,MAAM,EAAE,CAAC;IAE1B;;;OAGG;IACH,eAAe,CAAC,EAAE,MAAM,EAAE,CAAC;IAE3B;;;OAGG;IACH,SAAS,CAAC,EAAE,MAAM,CAAC;IAEnB;;;;OAIG;IACH,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB;AAID,MAAM,MAAM,YAAY,GA
AG,SAAS,GAAG,OAAO,GAAG,OAAO,CAAC;AAEzD,MAAM,WAAW,QAAQ;IACvB,IAAI,EAAE,YAAY,CAAC;IACnB,sDAAsD;IACtD,MAAM,EAAE,MAAM,CAAC;CAChB;AAED,MAAM,WAAW,cAAc;IAC7B;;;OAGG;IACH,iBAAiB,EAAE,MAAM,CAAC;IAC1B;;;OAGG;IACH,SAAS,EAAE,QAAQ,EAAE,CAAC;IACtB,+DAA+D;IAC/D,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,UAAU,CAAC,EAAE;QACX,gDAAgD;QAChD,QAAQ,EAAE,MAAM,CAAC;QACjB,oBAAoB,CAAC,EAAE,OAAO,CAAC;KAChC,CAAC;CACH;AAID,MAAM,MAAM,YAAY,GAAG,QAAQ,GAAG,UAAU,CAAC;AAEjD,MAAM,WAAW,WAAW;IAC1B,EAAE,EAAE,MAAM,CAAC;IACX,WAAW,EAAE,MAAM,CAAC;IACpB,aAAa,EAAE,MAAM,CAAC;IACtB,cAAc,EAAE,cAAc,CAAC;IAC/B,QAAQ,EAAE,MAAM,CAAC;IACjB,iBAAiB,CAAC,EAAE,YAAY,CAAC;IACjC,WAAW,CAAC,EAAE,MAAM,GAAG,MAAM,EAAE,CAAC;IAChC,aAAa,CAAC,EAAE,iBAAiB,CAAC;IAClC,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,UAAU,CAAC,EAAE,cAAc,GAAG,cAAc,EAAE,CAAC;IAC/C,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,QAAQ,CAAC,EAAE,OAAO,CAAC;IACnB,mEAAmE;IACnE,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,qEAAqE;IACrE,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,mDAAmD;IACnD,QAAQ,CAAC,EAAE,cAAc,CAAC;CAC3B;AAID,MAAM,WAAW,mBAAmB;IAClC,MAAM,EAAE,MAAM,CAAC;IACf,UAAU,EAAE,MAAM,CAAC;IACnB,YAAY,EAAE,YAAY,CAAC;IAC3B,QAAQ,EAAE,iBAAiB,CAAC;IAC5B,KAAK,EAAE,MAAM,CAAC;IACd,MAAM,EAAE,MAAM,CAAC;IACf,OAAO,EAAE,MAAM,CAAC;IAChB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,WAAW,EAAE,MAAM,CAAC;IACpB,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,yEAAyE;IACzE,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB;AAED,MAAM,WAAW,kBAAkB;IACjC,YAAY,EAAE,MAAM,CAAC;IACrB,IAAI,EAAE,cAAc,CAAC;IACrB,GAAG,EAAE,MAAM,CAAC;IACZ,WAAW,EAAE,MAAM,CAAC;IACpB,kDAAkD;IAClD,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,4EAA4E;IAC5E,qBAAqB,CAAC,EAAE,MAAM,CAAC;IAC/B,6DAA6D;IAC7D,QAAQ,CAAC,EAAE,OAAO,CAAC;IACnB;;;;;;OAMG;IACH,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB;AAID,MAAM,MAAM,cAAc,GACtB,SAAS,GACT,SAAS,GACT,WAAW,GACX,MAAM,GACN,QAAQ,GACR,UAAU,CAAC;AAEf,MAAM,WAAW,gBAAiB,SAAQ,mBAAmB;IAC3D,WAAW,EAAE,MAAM,CAAC;IACpB,KAAK,EAAE,cAAc,CAAC;IACtB,gBAAgB,EAAE,MAAM,CAAC;IACzB,gBAAgB,EAAE,MAAM,CAAC;IACzB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,MAAM,EAAE,OAAO,CAAC;CACjB;AAED,MAAM,WAAW,sBAAsB;IACrC,MAAM,EAAE,kBAAkB,CAAC;IAC3B,MAAM,E
AAE,kBAAkB,CAAC;IAC3B,WAAW,EAAE,MAAM,CAAC;IACpB,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB;AAID,MAAM,MAAM,iBAAiB,GACzB,QAAQ,GACR,WAAW,GACX,QAAQ,GACR,SAAS,GACT,OAAO,CAAC;AAEZ,MAAM,WAAW,eAAe;IAC9B,EAAE,EAAE,iBAAiB,CAAC;IACtB,KAAK,EAAE,MAAM,CAAC;IACd,gBAAgB,CACd,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAChC,UAAU,EAAE,kBAAkB,GAC7B,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAC3B,QAAQ,CAAC,CAAC,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,IAAI,CAAC;IAClD,oBAAoB,CAAC,CACnB,UAAU,EAAE,kBAAkB,EAC9B,KAAK,EAAE,cAAc,GACpB,IAAI,CAAC;CACT;AAID,MAAM,WAAW,eAAe;IAC9B,SAAS,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,UAAU,GAAG,IAAI,CAAC,CAAC;IACnD,UAAU,IAAI,OAAO,CAAC,UAAU,EAAE,CAAC,CAAC;IACpC,UAAU,CAAC,IAAI,EAAE,cAAc,GAAG,OAAO,CAAC,UAAU,EAAE,CAAC,CAAC;IACxD,OAAO,CAAC,CAAC,GAAG,EAAE,MAAM,EAAE,WAAW,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,CAAC;IACjF,OAAO,CAAC,CAAC,GAAG,EAAE,MAAM,EAAE,WAAW,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAE1D;;;;;;;;;;;OAWG;IACH,gBAAgB,CAAC,CACf,MAAM,EAAE,MAAM,EACd,OAAO,EAAE,MAAM,EACf,QAAQ,EAAE,MAAM,GACf,OAAO,CAAC,MAAM,CAAC,CAAC;CACpB;AAED,MAAM,WAAW,aAAa;IAC5B,SAAS,EAAE,MAAM,CAAC;IAClB,OAAO,EAAE,MAAM,CAAC;IAChB,MAAM,EAAE,MAAM,CAAC;IACf,MAAM,EAAE,MAAM,CAAC;IACf,UAAU,EAAE,MAAM,CAAC;IACnB,YAAY,EAAE,YAAY,CAAC;IAC3B,QAAQ,EAAE,iBAAiB,CAAC;IAC5B,KAAK,EAAE,MAAM,CAAC;IACd,YAAY,EAAE,MAAM,CAAC;IACrB,cAAc,EAAE,cAAc,CAAC;IAC/B,WAAW,EAAE,MAAM,CAAC;IACpB,iDAAiD;IACjD,QAAQ,CAAC,EAAE,OAAO,CAAC;IACnB,+CAA+C;IAC/C,aAAa,CAAC,EAAE,kBAAkB,EAAE,CAAC;IACrC,wCAAwC;IACxC,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB;AAED,MAAM,WAAW,sBAAuB,SAAQ,aAAa;IAC3D,WAAW,EAAE,MAAM,CAAC;IACpB,KAAK,EAAE,cAAc,CAAC;IACtB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,MAAM,EAAE,OAAO,CAAC;IAChB,kBAAkB,EAAE,MAAM,CAAC;IAC3B,kBAAkB,EAAE,MAAM,CAAC;IAC3B,YAAY,CAAC,EAAE,MAAM,CAAC;CACvB;AAED;;;;;;;;;;;;;GAaG;AACH,MAAM,WAAW,WAAW;IAC1B,GAAG,CAAC,KAAK,EAAE,aAAa,GAAG,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;CACjD;AAED,MAAM,WAAW,oBAAqB,SAAQ,WAAW;IACvD,SAAS,CAAC,WAAW,EAAE,MAAM,GAAG,OAAO,CAAC,gBAAgB,CAAC,CAAC;
CAC3D;AAED,MAAM,WAAW,gBAAgB;IAC/B,WAAW,EAAE,MAAM,CAAC;IACpB,MAAM,EAAE,cAAc,EAAE,CAAC;IACzB,aAAa,EAAE,MAAM,CAAC;IACtB,gBAAgB,EAAE,MAAM,CAAC;IACzB,eAAe,EAAE,MAAM,CAAC;IACxB,SAAS,EAAE,MAAM,CAAC;IAClB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,MAAM,EAAE,MAAM,EAAE,CAAC;CAClB;AAID,MAAM,WAAW,eAAe;IAC9B,cAAc,EAAE,OAAO,GAAG,IAAI,CAAC;IAC/B,cAAc,EAAE,OAAO,GAAG,IAAI,CAAC;IAC/B,aAAa,EAAE,OAAO,GAAG,IAAI,CAAC;IAC9B,oBAAoB,EAAE,OAAO,GAAG,IAAI,CAAC;CACtC;AAED,MAAM,WAAW,cAAc;IAC7B,OAAO,EAAE,eAAe,CAAC;IACzB,KAAK,EAAE,MAAM,CAAC;IACd,WAAW,EAAE,MAAM,CAAC;CACrB;AAID,MAAM,WAAW,iBAAiB;IAChC,qDAAqD;IACrD,IAAI,CAAC,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC;IACxD,0EAA0E;IAC1E,MAAM,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,IAAI,CAAC,CAAC;CAChE;AAED,MAAM,WAAW,kBAAkB;IACjC,GAAG,EAAE,MAAM,CAAC;IACZ,GAAG,EAAE,MAAM,CAAC;IACZ,YAAY,EAAE,MAAM,CAAC;IACrB,WAAW,EAAE,MAAM,CAAC;IACpB,MAAM,EAAE,MAAM,CAAC;IACf,UAAU,EAAE,MAAM,CAAC;IACnB,OAAO,EAAE,MAAM,CAAC;IAChB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,GAAG,EAAE,MAAM,CAAC;IACZ,GAAG,EAAE,MAAM,CAAC;CACb;AAID,MAAM,MAAM,cAAc,GAAG,SAAS,GAAG,UAAU,GAAG,UAAU,GAAG,SAAS,GAAG,aAAa,CAAC;AAE7F,MAAM,WAAW,eAAe;IAC9B,SAAS,EAAE,MAAM,CAAC;IAClB,YAAY,EAAE,MAAM,CAAC;IACrB,MAAM,EAAE,MAAM,CAAC;IACf,OAAO,EAAE,mBAAmB,CAAC;IAC7B,MAAM,EAAE,cAAc,CAAC;IACvB,WAAW,EAAE,MAAM,CAAC;IACpB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,SAAS,EAAE,MAAM,CAAC;CACnB;AAID,MAAM,WAAW,kBAAkB;IACjC,mCAAmC;IACnC,GAAG,EAAE,MAAM,CAAC;IACZ,MAAM,EAAE,MAAM,CAAC;IACf,OAAO,EAAE,MAAM,CAAC;IAChB,oDAAoD;IACpD,QAAQ,EAAE,MAAM,CAAC;IACjB,sDAAsD;IACtD,SAAS,EAAE,MAAM,CAAC;CACnB;AAED,MAAM,WAAW,gBAAgB;IAC/B,mCAAmC;IACnC,WAAW,EAAE,MAAM,CAAC;IACpB,8DAA8D;IAC9D,cAAc,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;CACxC;AAID;;;;GAIG;AACH,MAAM,WAAW,uBAAuB;IACtC,2EAA2E;IAC3E,SAAS,EAAE,MAAM,CAAC;IAClB,iEAAiE;IACjE,KAAK,EAAE,MAAM,CAAC;IACd;;;OAGG;IACH,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB;;;;OAIG;IACH,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB;;;OAGG;IACH,WAAW,CAAC,EAAE,MAAM,E
AAE,CAAC;IACvB,uEAAuE;IACvE,OAAO,CAAC,EAAE,OAAO,CAAC;CACnB;AAED,2EAA2E;AAC3E,MAAM,WAAW,uBAAuB;IACtC,SAAS,EAAE,uBAAuB,EAAE,CAAC;IACrC,yDAAyD;IACzD,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,qEAAqE;IACrE,gBAAgB,CAAC,EAAE,MAAM,CAAC;CAC3B"}
|