@de-otio/chaoskb-client 0.3.6 → 0.3.7

package/dist/crypto/known-keys.d.ts

@@ -1,34 +0,0 @@
-interface PinnedKey {
-    fingerprint: string;
-    publicKey: string;
-    source: string;
-    firstSeen: string;
-    verifiedAt: string;
-}
-/**
- * Pin a key for an identifier (e.g., "github:alice").
- * Throws if the identifier is already pinned with a different fingerprint.
- */
-export declare function pinKey(identifier: string, fingerprint: string, publicKey: string, source: string): void;
-/**
- * Get a pinned key by identifier.
- */
-export declare function getPinnedKey(identifier: string): PinnedKey | null;
-/**
- * Check a key against the pin store.
- */
-export declare function checkKeyPin(identifier: string, fingerprint: string): 'match' | 'mismatch' | 'new';
-/**
- * Update a pinned key after verified rotation (e.g., new key confirmed on GitHub).
- */
-export declare function updatePinnedKey(identifier: string, fingerprint: string, publicKey: string, source: string): void;
-export declare class KeyMismatchError extends Error {
-    readonly identifier: string;
-    readonly pinnedFingerprint: string;
-    readonly newFingerprint: string;
-    readonly pinnedSource: string;
-    readonly newSource: string;
-    constructor(identifier: string, pinnedFingerprint: string, newFingerprint: string, pinnedSource: string, newSource: string);
-}
-export {};
-//# sourceMappingURL=known-keys.d.ts.map

package/dist/crypto/known-keys.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"known-keys.d.ts","sourceRoot":"","sources":["../../crypto/known-keys.ts"],"names":[],"mappings":"AASA,UAAU,SAAS;IACjB,WAAW,EAAE,MAAM,CAAC;IACpB,SAAS,EAAE,MAAM,CAAC;IAClB,MAAM,EAAE,MAAM,CAAC;IACf,SAAS,EAAE,MAAM,CAAC;IAClB,UAAU,EAAE,MAAM,CAAC;CACpB;AAkCD;;;GAGG;AACH,wBAAgB,MAAM,CACpB,UAAU,EAAE,MAAM,EAClB,WAAW,EAAE,MAAM,EACnB,SAAS,EAAE,MAAM,EACjB,MAAM,EAAE,MAAM,GACb,IAAI,CA8BN;AAED;;GAEG;AACH,wBAAgB,YAAY,CAAC,UAAU,EAAE,MAAM,GAAG,SAAS,GAAG,IAAI,CAGjE;AAED;;GAEG;AACH,wBAAgB,WAAW,CACzB,UAAU,EAAE,MAAM,EAClB,WAAW,EAAE,MAAM,GAClB,OAAO,GAAG,UAAU,GAAG,KAAK,CAO9B;AAED;;GAEG;AACH,wBAAgB,eAAe,CAC7B,UAAU,EAAE,MAAM,EAClB,WAAW,EAAE,MAAM,EACnB,SAAS,EAAE,MAAM,EACjB,MAAM,EAAE,MAAM,GACb,IAAI,CAUN;AAED,qBAAa,gBAAiB,SAAQ,KAAK;aAEvB,UAAU,EAAE,MAAM;aAClB,iBAAiB,EAAE,MAAM;aACzB,cAAc,EAAE,MAAM;aACtB,YAAY,EAAE,MAAM;aACpB,SAAS,EAAE,MAAM;gBAJjB,UAAU,EAAE,MAAM,EAClB,iBAAiB,EAAE,MAAM,EACzB,cAAc,EAAE,MAAM,EACtB,YAAY,EAAE,MAAM,EACpB,SAAS,EAAE,MAAM;CAUpC"}

package/dist/crypto/known-keys.js

@@ -1,114 +0,0 @@
-import * as crypto from 'node:crypto';
-import * as fs from 'node:fs';
-import * as path from 'node:path';
-import * as os from 'node:os';
-function getKnownKeysPath() {
-    return path.join(os.homedir(), '.chaoskb', 'known_keys.json');
-}
-function fingerprintsEqual(a, b) {
-    const aBuf = Buffer.from(a);
-    const bBuf = Buffer.from(b);
-    if (aBuf.length !== bBuf.length)
-        return false;
-    return crypto.timingSafeEqual(aBuf, bBuf);
-}
-/**
- * Trust on First Use (TOFU) key pinning for invite recipients.
- *
- * When we first see a recipient's public key (from GitHub, GitLab, or direct),
- * we pin it. On subsequent invites, we check if the key has changed.
- * A key mismatch triggers a warning; a conflict with an independent source
- * is a hard block.
- */
-function loadStore() {
-    try {
-        return JSON.parse(fs.readFileSync(getKnownKeysPath(), 'utf-8'));
-    }
-    catch {
-        return {};
-    }
-}
-function saveStore(store) {
-    const dir = path.dirname(getKnownKeysPath());
-    fs.mkdirSync(dir, { recursive: true, mode: 0o700 });
-    fs.writeFileSync(getKnownKeysPath(), JSON.stringify(store, null, 2), { mode: 0o600 });
-}
-/**
- * Pin a key for an identifier (e.g., "github:alice").
- * Throws if the identifier is already pinned with a different fingerprint.
- */
-export function pinKey(identifier, fingerprint, publicKey, source) {
-    const store = loadStore();
-    const existing = store[identifier];
-    if (existing && !fingerprintsEqual(existing.fingerprint, fingerprint)) {
-        throw new KeyMismatchError(identifier, existing.fingerprint, fingerprint, existing.source, source);
-    }
-    if (existing && fingerprintsEqual(existing.fingerprint, fingerprint)) {
-        // Same key — update verifiedAt
-        existing.verifiedAt = new Date().toISOString();
-        saveStore(store);
-        return;
-    }
-    // New key — pin it
-    store[identifier] = {
-        fingerprint,
-        publicKey,
-        source,
-        firstSeen: new Date().toISOString(),
-        verifiedAt: new Date().toISOString(),
-    };
-    saveStore(store);
-}
-/**
- * Get a pinned key by identifier.
- */
-export function getPinnedKey(identifier) {
-    const store = loadStore();
-    return store[identifier] ?? null;
-}
-/**
- * Check a key against the pin store.
- */
-export function checkKeyPin(identifier, fingerprint) {
-    const store = loadStore();
-    const existing = store[identifier];
-    if (!existing)
-        return 'new';
-    if (fingerprintsEqual(existing.fingerprint, fingerprint))
-        return 'match';
-    return 'mismatch';
-}
-/**
- * Update a pinned key after verified rotation (e.g., new key confirmed on GitHub).
- */
-export function updatePinnedKey(identifier, fingerprint, publicKey, source) {
-    const store = loadStore();
-    store[identifier] = {
-        fingerprint,
-        publicKey,
-        source,
-        firstSeen: store[identifier]?.firstSeen ?? new Date().toISOString(),
-        verifiedAt: new Date().toISOString(),
-    };
-    saveStore(store);
-}
-export class KeyMismatchError extends Error {
-    identifier;
-    pinnedFingerprint;
-    newFingerprint;
-    pinnedSource;
-    newSource;
-    constructor(identifier, pinnedFingerprint, newFingerprint, pinnedSource, newSource) {
-        super(`Key mismatch for ${identifier}:\n` +
-            `  Pinned:   ${pinnedFingerprint} (source: ${pinnedSource})\n` +
-            `  Received: ${newFingerprint} (source: ${newSource})\n` +
-            `This may indicate a compromised key source. The operation was blocked.`);
-        this.identifier = identifier;
-        this.pinnedFingerprint = pinnedFingerprint;
-        this.newFingerprint = newFingerprint;
-        this.pinnedSource = pinnedSource;
-        this.newSource = newSource;
-        this.name = 'KeyMismatchError';
-    }
-}
-//# sourceMappingURL=known-keys.js.map

package/dist/crypto/known-keys.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"known-keys.js","sourceRoot":"","sources":["../../crypto/known-keys.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,MAAM,MAAM,aAAa,CAAC;AACtC,OAAO,KAAK,EAAE,MAAM,SAAS,CAAC;AAC9B,OAAO,KAAK,IAAI,MAAM,WAAW,CAAC;AAClC,OAAO,KAAK,EAAE,MAAM,SAAS,CAAC;AAE9B,SAAS,gBAAgB;IACvB,OAAO,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,OAAO,EAAE,EAAE,UAAU,EAAE,iBAAiB,CAAC,CAAC;AAChE,CAAC;AAYD,SAAS,iBAAiB,CAAC,CAAS,EAAE,CAAS;IAC7C,MAAM,IAAI,GAAG,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAC5B,MAAM,IAAI,GAAG,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAC5B,IAAI,IAAI,CAAC,MAAM,KAAK,IAAI,CAAC,MAAM;QAAE,OAAO,KAAK,CAAC;IAC9C,OAAO,MAAM,CAAC,eAAe,CAAC,IAAI,EAAE,IAAI,CAAC,CAAC;AAC5C,CAAC;AAED;;;;;;;GAOG;AAEH,SAAS,SAAS;IAChB,IAAI,CAAC;QACH,OAAO,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC,YAAY,CAAC,gBAAgB,EAAE,EAAE,OAAO,CAAC,CAAC,CAAC;IAClE,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,EAAE,CAAC;IACZ,CAAC;AACH,CAAC;AAED,SAAS,SAAS,CAAC,KAAqB;IACtC,MAAM,GAAG,GAAG,IAAI,CAAC,OAAO,CAAC,gBAAgB,EAAE,CAAC,CAAC;IAC7C,EAAE,CAAC,SAAS,CAAC,GAAG,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;IACpD,EAAE,CAAC,aAAa,CAAC,gBAAgB,EAAE,EAAE,IAAI,CAAC,SAAS,CAAC,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;AACxF,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,MAAM,CACpB,UAAkB,EAClB,WAAmB,EACnB,SAAiB,EACjB,MAAc;IAEd,MAAM,KAAK,GAAG,SAAS,EAAE,CAAC;IAC1B,MAAM,QAAQ,GAAG,KAAK,CAAC,UAAU,CAAC,CAAC;IAEnC,IAAI,QAAQ,IAAI,CAAC,iBAAiB,CAAC,QAAQ,CAAC,WAAW,EAAE,WAAW,CAAC,EAAE,CAAC;QACtE,MAAM,IAAI,gBAAgB,CACxB,UAAU,EACV,QAAQ,CAAC,WAAW,EACpB,WAAW,EACX,QAAQ,CAAC,MAAM,EACf,MAAM,CACP,CAAC;IACJ,CAAC;IAED,IAAI,QAAQ,IAAI,iBAAiB,CAAC,QAAQ,CAAC,WAAW,EAAE,WAAW,CAAC,EAAE,CAAC;QACrE,+BAA+B;QAC/B,QAAQ,CAAC,UAAU,GAAG,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC;QAC/C,SAAS,CAAC,KAAK,CAAC,CAAC;QACjB,OAAO;IACT,CAAC;IAED,mBAAmB;IACnB,KAAK,CAAC,UAAU,CAAC,GAAG;QAClB,WAAW;QACX,SAAS;QACT,MAAM;QACN,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;QACnC,UAAU,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;KACrC,CAAC;IACF,SAAS,CAAC,KAAK,CAAC,CAAC;AACnB,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,YAAY,CAAC,UAAkB;IAC7C,MAAM,KAAK,GAAG,SAAS,EAAE,CAAC;IAC1B,OAAO,KAAK,CAAC,UAAU,CAAC,IAAI,IAAI,CAAC;AACnC,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,WAAW,CACzB,UAAkB,EAClB,WAAmB;IAEnB,MAAM,KAAK,GAAG,SAAS,EAAE,CAAC;IAC1B,MAAM,QAAQ,GAAG,KAAK,CAAC,UAAU,CAAC,CAAC;IAEnC,IAAI,CAAC,QAAQ;QAAE,OAAO,KAAK,CAAC;IAC5B,IAAI,iBAAiB,CAAC,QAAQ,CAAC,WAAW,EAAE,WAAW,CAAC;QAAE,OAAO,OAAO,CAAC;IACzE,OAAO,UAAU,CAAC;AACpB,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,eAAe,CAC7B,UAAkB,EAClB,WAAmB,EACnB,SAAiB,EACjB,MAAc;IAEd,MAAM,KAAK,GAAG,SAAS,EAAE,CAAC;IAC1B,KAAK,CAAC,UAAU,CAAC,GAAG;QAClB,WAAW;QACX,SAAS;QACT,MAAM;QACN,SAAS,EAAE,KAAK,CAAC,UAAU,CAAC,EAAE,SAAS,IAAI,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;QACnE,UAAU,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;KACrC,CAAC;IACF,SAAS,CAAC,KAAK,CAAC,CAAC;AACnB,CAAC;AAED,MAAM,OAAO,gBAAiB,SAAQ,KAAK;IAEvB;IACA;IACA;IACA;IACA;IALlB,YACkB,UAAkB,EAClB,iBAAyB,EACzB,cAAsB,EACtB,YAAoB,EACpB,SAAiB;QAEjC,KAAK,CACH,oBAAoB,UAAU,KAAK;YACnC,eAAe,iBAAiB,aAAa,YAAY,KAAK;YAC9D,eAAe,cAAc,aAAa,SAAS,KAAK;YACxD,wEAAwE,CACzE,CAAC;QAXc,eAAU,GAAV,UAAU,CAAQ;QAClB,sBAAiB,GAAjB,iBAAiB,CAAQ;QACzB,mBAAc,GAAd,cAAc,CAAQ;QACtB,iBAAY,GAAZ,YAAY,CAAQ;QACpB,cAAS,GAAT,SAAS,CAAQ;QAQjC,IAAI,CAAC,IAAI,GAAG,kBAAkB,CAAC;IACjC,CAAC;CACF"}

package/dist/crypto/project-keys.d.ts

@@ -1,26 +0,0 @@
-import type { ISecureBuffer } from './types.js';
-/**
- * Create a new random project key and wrap it with the personal master key.
- *
- * Uses HKDF to derive a wrapping key from the master key, then encrypts
- * the project key with XChaCha20-Poly1305. AAD can include a project name
- * for binding.
- *
- * @param personalMasterKey - The user's personal master key
- * @param projectName - Optional project name for AAD binding
- * @returns The project key (SecureBuffer) and the wrapped (encrypted) form
- */
-export declare function createProjectKey(personalMasterKey: ISecureBuffer, projectName?: string): {
-    projectKey: ISecureBuffer;
-    wrappedKey: Uint8Array;
-};
-/**
- * Unwrap a project key using the personal master key.
- *
- * @param wrappedKey - The wrapped project key (nonce || ciphertext || tag)
- * @param personalMasterKey - The user's personal master key
- * @param projectName - Optional project name for AAD binding (must match what was used during wrapping)
- * @returns The unwrapped project key as a SecureBuffer
- */
-export declare function unwrapProjectKey(wrappedKey: Uint8Array, personalMasterKey: ISecureBuffer, projectName?: string): ISecureBuffer;
-//# sourceMappingURL=project-keys.d.ts.map

package/dist/crypto/project-keys.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"project-keys.d.ts","sourceRoot":"","sources":["../../crypto/project-keys.ts"],"names":[],"mappings":"AAKA,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,YAAY,CAAC;AAKhD;;;;;;;;;;GAUG;AACH,wBAAgB,gBAAgB,CAC9B,iBAAiB,EAAE,aAAa,EAChC,WAAW,CAAC,EAAE,MAAM,GACnB;IAAE,UAAU,EAAE,aAAa,CAAC;IAAC,UAAU,EAAE,UAAU,CAAA;CAAE,CA8BvD;AAED;;;;;;;GAOG;AACH,wBAAgB,gBAAgB,CAC9B,UAAU,EAAE,UAAU,EACtB,iBAAiB,EAAE,aAAa,EAChC,WAAW,CAAC,EAAE,MAAM,GACnB,aAAa,CA+Bf"}

package/dist/crypto/project-keys.js

@@ -1,69 +0,0 @@
-import { randomBytes } from 'node:crypto';
-import { aeadEncrypt, aeadDecrypt } from './aead.js';
-import { deriveKey } from './hkdf.js';
-import { SecureBuffer } from './secure-buffer.js';
-const PROJECT_KEY_LENGTH = 32;
-const WRAP_INFO = 'chaoskb-project-wrap';
-/**
- * Create a new random project key and wrap it with the personal master key.
- *
- * Uses HKDF to derive a wrapping key from the master key, then encrypts
- * the project key with XChaCha20-Poly1305. AAD can include a project name
- * for binding.
- *
- * @param personalMasterKey - The user's personal master key
- * @param projectName - Optional project name for AAD binding
- * @returns The project key (SecureBuffer) and the wrapped (encrypted) form
- */
-export function createProjectKey(personalMasterKey, projectName) {
-    // Generate random 32-byte project key
-    const projectKeyBytes = randomBytes(PROJECT_KEY_LENGTH);
-    // Derive a wrapping key via HKDF
-    const wrappingKey = deriveKey(new Uint8Array(personalMasterKey.buffer), WRAP_INFO);
-    // AAD: project name if available, otherwise empty
-    const aad = projectName
-        ? new TextEncoder().encode(projectName)
-        : new Uint8Array(0);
-    // Encrypt project key with XChaCha20-Poly1305
-    const { nonce, ciphertext, tag } = aeadEncrypt(wrappingKey, projectKeyBytes, aad);
-    // Zero wrapping key and plaintext project key bytes
-    wrappingKey.fill(0);
-    // Serialize: nonce(24) || ciphertext || tag(16)
-    const wrappedKey = new Uint8Array(nonce.length + ciphertext.length + tag.length);
-    wrappedKey.set(nonce, 0);
-    wrappedKey.set(ciphertext, nonce.length);
-    wrappedKey.set(tag, nonce.length + ciphertext.length);
-    const projectKey = SecureBuffer.from(projectKeyBytes);
-    return { projectKey, wrappedKey };
-}
-/**
- * Unwrap a project key using the personal master key.
- *
- * @param wrappedKey - The wrapped project key (nonce || ciphertext || tag)
- * @param personalMasterKey - The user's personal master key
- * @param projectName - Optional project name for AAD binding (must match what was used during wrapping)
- * @returns The unwrapped project key as a SecureBuffer
- */
-export function unwrapProjectKey(wrappedKey, personalMasterKey, projectName) {
-    const NONCE_SIZE = 24;
-    const TAG_SIZE = 16;
-    if (wrappedKey.length < NONCE_SIZE + TAG_SIZE + 1) {
-        throw new Error('Wrapped key is too short');
-    }
-    // Derive the same wrapping key
-    const wrappingKey = deriveKey(new Uint8Array(personalMasterKey.buffer), WRAP_INFO);
-    // Split wrapped key into nonce, ciphertext, tag
-    const nonce = wrappedKey.slice(0, NONCE_SIZE);
-    const ciphertext = wrappedKey.slice(NONCE_SIZE, wrappedKey.length - TAG_SIZE);
-    const tag = wrappedKey.slice(wrappedKey.length - TAG_SIZE);
-    // AAD: project name if available, otherwise empty
-    const aad = projectName
-        ? new TextEncoder().encode(projectName)
-        : new Uint8Array(0);
-    // Decrypt
-    const projectKeyBytes = aeadDecrypt(wrappingKey, nonce, ciphertext, tag, aad);
-    // Zero wrapping key
-    wrappingKey.fill(0);
-    return SecureBuffer.from(Buffer.from(projectKeyBytes));
-}
-//# sourceMappingURL=project-keys.js.map

package/dist/crypto/project-keys.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"project-keys.js","sourceRoot":"","sources":["../../crypto/project-keys.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AAE1C,OAAO,EAAE,WAAW,EAAE,WAAW,EAAE,MAAM,WAAW,CAAC;AACrD,OAAO,EAAE,SAAS,EAAE,MAAM,WAAW,CAAC;AACtC,OAAO,EAAE,YAAY,EAAE,MAAM,oBAAoB,CAAC;AAGlD,MAAM,kBAAkB,GAAG,EAAE,CAAC;AAC9B,MAAM,SAAS,GAAG,sBAAsB,CAAC;AAEzC;;;;;;;;;;GAUG;AACH,MAAM,UAAU,gBAAgB,CAC9B,iBAAgC,EAChC,WAAoB;IAEpB,sCAAsC;IACtC,MAAM,eAAe,GAAG,WAAW,CAAC,kBAAkB,CAAC,CAAC;IAExD,iCAAiC;IACjC,MAAM,WAAW,GAAG,SAAS,CAC3B,IAAI,UAAU,CAAC,iBAAiB,CAAC,MAAM,CAAC,EACxC,SAAS,CACV,CAAC;IAEF,kDAAkD;IAClD,MAAM,GAAG,GAAG,WAAW;QACrB,CAAC,CAAC,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,WAAW,CAAC;QACvC,CAAC,CAAC,IAAI,UAAU,CAAC,CAAC,CAAC,CAAC;IAEtB,8CAA8C;IAC9C,MAAM,EAAE,KAAK,EAAE,UAAU,EAAE,GAAG,EAAE,GAAG,WAAW,CAAC,WAAW,EAAE,eAAe,EAAE,GAAG,CAAC,CAAC;IAElF,oDAAoD;IACpD,WAAW,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAEpB,gDAAgD;IAChD,MAAM,UAAU,GAAG,IAAI,UAAU,CAAC,KAAK,CAAC,MAAM,GAAG,UAAU,CAAC,MAAM,GAAG,GAAG,CAAC,MAAM,CAAC,CAAC;IACjF,UAAU,CAAC,GAAG,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC;IACzB,UAAU,CAAC,GAAG,CAAC,UAAU,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;IACzC,UAAU,CAAC,GAAG,CAAC,GAAG,EAAE,KAAK,CAAC,MAAM,GAAG,UAAU,CAAC,MAAM,CAAC,CAAC;IAEtD,MAAM,UAAU,GAAG,YAAY,CAAC,IAAI,CAAC,eAAe,CAAC,CAAC;IAEtD,OAAO,EAAE,UAAU,EAAE,UAAU,EAAE,CAAC;AACpC,CAAC;AAED;;;;;;;GAOG;AACH,MAAM,UAAU,gBAAgB,CAC9B,UAAsB,EACtB,iBAAgC,EAChC,WAAoB;IAEpB,MAAM,UAAU,GAAG,EAAE,CAAC;IACtB,MAAM,QAAQ,GAAG,EAAE,CAAC;IAEpB,IAAI,UAAU,CAAC,MAAM,GAAG,UAAU,GAAG,QAAQ,GAAG,CAAC,EAAE,CAAC;QAClD,MAAM,IAAI,KAAK,CAAC,0BAA0B,CAAC,CAAC;IAC9C,CAAC;IAED,+BAA+B;IAC/B,MAAM,WAAW,GAAG,SAAS,CAC3B,IAAI,UAAU,CAAC,iBAAiB,CAAC,MAAM,CAAC,EACxC,SAAS,CACV,CAAC;IAEF,gDAAgD;IAChD,MAAM,KAAK,GAAG,UAAU,CAAC,KAAK,CAAC,CAAC,EAAE,UAAU,CAAC,CAAC;IAC9C,MAAM,UAAU,GAAG,UAAU,CAAC,KAAK,CAAC,UAAU,EAAE,UAAU,CAAC,MAAM,GAAG,QAAQ,CAAC,CAAC;IAC9E,MAAM,GAAG,GAAG,UAAU,CAAC,KAAK,CAAC,UAAU,CAAC,MAAM,GAAG,QAAQ,CAAC,CAAC;IAE3D,kDAAkD;IAClD,MAAM,GAAG,GAAG,WAAW;QACrB,CAAC,CAAC,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,WAAW,CAAC;QACvC,CAAC,CAAC,IAAI,UAAU,CAAC,CAAC,CAAC,CAAC;IAEtB,UAAU;IACV,MAAM,eAAe,GAAG,WAAW,CAAC,WAAW,EAAE,KAAK,EAAE,UAAU,EAAE,GAAG,EAAE,GAAG,CAAC,CAAC;IAE9E,oBAAoB;IACpB,WAAW,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAEpB,OAAO,YAAY,CAAC,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,eAAe,CAAC,CAAC,CAAC;AACzD,CAAC"}

package/dist/crypto/secure-buffer.d.ts

@@ -1,31 +0,0 @@
-import type { ISecureBuffer } from './types.js';
-/**
- * Memory-locked buffer for sensitive key material.
- * Uses sodium_malloc (mlock'd pages) and sodium_memzero on dispose.
- */
-export declare class SecureBuffer implements ISecureBuffer {
-    private _buffer;
-    private _disposed;
-    private constructor();
-    /** Read the buffer contents. Throws if disposed. */
-    get buffer(): Buffer;
-    /** Byte length of the buffer. */
-    get length(): number;
-    /** Whether the buffer has been zeroed and disposed. */
-    get isDisposed(): boolean;
-    /**
-     * Zero the buffer contents and mark as disposed.
-     * Safe to call multiple times (idempotent).
-     */
-    dispose(): void;
-    /** Support `using` keyword (TC39 Explicit Resource Management). */
-    [Symbol.dispose](): void;
-    /**
-     * Copy data into a new SecureBuffer and zero the source.
-     * The source buffer is zeroed after copying regardless of type.
-     */
-    static from(data: Buffer | Uint8Array): SecureBuffer;
-    /** Allocate a new zeroed SecureBuffer of the given length. */
-    static alloc(length: number): SecureBuffer;
-}
-//# sourceMappingURL=secure-buffer.d.ts.map

package/dist/crypto/secure-buffer.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"secure-buffer.d.ts","sourceRoot":"","sources":["../../crypto/secure-buffer.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,YAAY,CAAC;AAEhD;;;GAGG;AACH,qBAAa,YAAa,YAAW,aAAa;IAChD,OAAO,CAAC,OAAO,CAAS;IACxB,OAAO,CAAC,SAAS,CAAS;IAE1B,OAAO;IAIP,oDAAoD;IACpD,IAAI,MAAM,IAAI,MAAM,CAKnB;IAED,iCAAiC;IACjC,IAAI,MAAM,IAAI,MAAM,CAEnB;IAED,uDAAuD;IACvD,IAAI,UAAU,IAAI,OAAO,CAExB;IAED;;;OAGG;IACH,OAAO,IAAI,IAAI;IAQf,mEAAmE;IACnE,CAAC,MAAM,CAAC,OAAO,CAAC,IAAI,IAAI;IAIxB;;;OAGG;IACH,MAAM,CAAC,IAAI,CAAC,IAAI,EAAE,MAAM,GAAG,UAAU,GAAG,YAAY;IASpD,8DAA8D;IAC9D,MAAM,CAAC,KAAK,CAAC,MAAM,EAAE,MAAM,GAAG,YAAY;CAK3C"}

package/dist/crypto/secure-buffer.js

@@ -1,61 +0,0 @@
-import sodium from 'sodium-native';
-/**
- * Memory-locked buffer for sensitive key material.
- * Uses sodium_malloc (mlock'd pages) and sodium_memzero on dispose.
- */
-export class SecureBuffer {
-    _buffer;
-    _disposed = false;
-    constructor(length) {
-        this._buffer = sodium.sodium_malloc(length);
-    }
-    /** Read the buffer contents. Throws if disposed. */
-    get buffer() {
-        if (this._disposed) {
-            throw new Error('SecureBuffer has been disposed');
-        }
-        return this._buffer;
-    }
-    /** Byte length of the buffer. */
-    get length() {
-        return this._buffer.byteLength;
-    }
-    /** Whether the buffer has been zeroed and disposed. */
-    get isDisposed() {
-        return this._disposed;
-    }
-    /**
-     * Zero the buffer contents and mark as disposed.
-     * Safe to call multiple times (idempotent).
-     */
-    dispose() {
-        if (this._disposed) {
-            return;
-        }
-        sodium.sodium_memzero(this._buffer);
-        this._disposed = true;
-    }
-    /** Support `using` keyword (TC39 Explicit Resource Management). */
-    [Symbol.dispose]() {
-        this.dispose();
-    }
-    /**
-     * Copy data into a new SecureBuffer and zero the source.
-     * The source buffer is zeroed after copying regardless of type.
-     */
-    static from(data) {
-        const sb = new SecureBuffer(data.byteLength);
-        const buf = Buffer.isBuffer(data) ? data : Buffer.from(data.buffer, data.byteOffset, data.byteLength);
-        buf.copy(sb._buffer);
-        // Zero the source
-        sodium.sodium_memzero(buf);
-        return sb;
-    }
-    /** Allocate a new zeroed SecureBuffer of the given length. */
-    static alloc(length) {
-        const sb = new SecureBuffer(length);
-        sodium.sodium_memzero(sb._buffer);
-        return sb;
-    }
-}
-//# sourceMappingURL=secure-buffer.js.map

package/dist/crypto/secure-buffer.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"secure-buffer.js","sourceRoot":"","sources":["../../crypto/secure-buffer.ts"],"names":[],"mappings":"AAAA,OAAO,MAAM,MAAM,eAAe,CAAC;AAInC;;;GAGG;AACH,MAAM,OAAO,YAAY;IACf,OAAO,CAAS;IAChB,SAAS,GAAG,KAAK,CAAC;IAE1B,YAAoB,MAAc;QAChC,IAAI,CAAC,OAAO,GAAG,MAAM,CAAC,aAAa,CAAC,MAAM,CAAC,CAAC;IAC9C,CAAC;IAED,oDAAoD;IACpD,IAAI,MAAM;QACR,IAAI,IAAI,CAAC,SAAS,EAAE,CAAC;YACnB,MAAM,IAAI,KAAK,CAAC,gCAAgC,CAAC,CAAC;QACpD,CAAC;QACD,OAAO,IAAI,CAAC,OAAO,CAAC;IACtB,CAAC;IAED,iCAAiC;IACjC,IAAI,MAAM;QACR,OAAO,IAAI,CAAC,OAAO,CAAC,UAAU,CAAC;IACjC,CAAC;IAED,uDAAuD;IACvD,IAAI,UAAU;QACZ,OAAO,IAAI,CAAC,SAAS,CAAC;IACxB,CAAC;IAED;;;OAGG;IACH,OAAO;QACL,IAAI,IAAI,CAAC,SAAS,EAAE,CAAC;YACnB,OAAO;QACT,CAAC;QACD,MAAM,CAAC,cAAc,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QACpC,IAAI,CAAC,SAAS,GAAG,IAAI,CAAC;IACxB,CAAC;IAED,mEAAmE;IACnE,CAAC,MAAM,CAAC,OAAO,CAAC;QACd,IAAI,CAAC,OAAO,EAAE,CAAC;IACjB,CAAC;IAED;;;OAGG;IACH,MAAM,CAAC,IAAI,CAAC,IAAyB;QACnC,MAAM,EAAE,GAAG,IAAI,YAAY,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;QAC7C,MAAM,GAAG,GAAG,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,IAAI,CAAC,UAAU,EAAE,IAAI,CAAC,UAAU,CAAC,CAAC;QACtG,GAAG,CAAC,IAAI,CAAC,EAAE,CAAC,OAAO,CAAC,CAAC;QACrB,kBAAkB;QAClB,MAAM,CAAC,cAAc,CAAC,GAAG,CAAC,CAAC;QAC3B,OAAO,EAAE,CAAC;IACZ,CAAC;IAED,8DAA8D;IAC9D,MAAM,CAAC,KAAK,CAAC,MAAc;QACzB,MAAM,EAAE,GAAG,IAAI,YAAY,CAAC,MAAM,CAAC,CAAC;QACpC,MAAM,CAAC,cAAc,CAAC,EAAE,CAAC,OAAO,CAAC,CAAC;QAClC,OAAO,EAAE,CAAC;IACZ,CAAC;CACF"}

package/dist/crypto/tiers/enhanced.d.ts

@@ -1,25 +0,0 @@
-import type { ISecureBuffer } from '../types.js';
-export { wrapMasterKey, unwrapMasterKeyEd25519, unwrapMasterKeyRSA } from './standard.js';
-/**
- * @deprecated Enhanced tier is deprecated. New installations use Standard or Maximum only.
- *
- * Enhanced tier: BIP39 24-word recovery key.
- *
- * The master key is a 256-bit random value which maps directly to a 24-word
- * BIP39 mnemonic. Either the mnemonic or the SSH-wrapped key can recover.
- */
-/**
- * @deprecated Use Standard tier (SSH key wrapping) instead.
- *
- * Encode a 256-bit master key as a 24-word BIP39 mnemonic.
- * The master key bytes are used directly as the entropy.
- */
-export declare function generateRecoveryKey(masterKey: ISecureBuffer): string;
-/**
- * @deprecated Use Standard tier (SSH key wrapping) instead.
- *
- * Decode a 24-word BIP39 mnemonic back to the 256-bit master key.
- * Returns a SecureBuffer containing the recovered key.
- */
-export declare function recoverFromMnemonic(mnemonic: string): ISecureBuffer;
-//# sourceMappingURL=enhanced.d.ts.map

package/dist/crypto/tiers/enhanced.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"enhanced.d.ts","sourceRoot":"","sources":["../../../crypto/tiers/enhanced.ts"],"names":[],"mappings":"AAWA,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,aAAa,CAAC;AAGjD,OAAO,EAAE,aAAa,EAAE,sBAAsB,EAAE,kBAAkB,EAAE,MAAM,eAAe,CAAC;AAE1F;;;;;;;GAOG;AAEH;;;;;GAKG;AACH,wBAAgB,mBAAmB,CAAC,SAAS,EAAE,aAAa,GAAG,MAAM,CAQpE;AAED;;;;;GAKG;AACH,wBAAgB,mBAAmB,CAAC,QAAQ,EAAE,MAAM,GAAG,aAAa,CAoBnE"}

package/dist/crypto/tiers/enhanced.js

@@ -1,56 +0,0 @@
-// Enhanced tier removed — see doc/analysis/zero-config-sync/security-tiers.md
-// This file is deprecated. The zero-config sync implementation uses only two tiers:
-//   - Standard: SSH key wrapping (automatic, zero-config)
-//   - Maximum: Argon2id passphrase derivation
-// The Enhanced (BIP39 mnemonic) tier added complexity without meaningful security
-// benefit over the Standard tier's SSH-based recovery. Retained for backward
-// compatibility with existing Enhanced-tier users.
-import * as bip39 from 'bip39';
-import { SecureBuffer } from '../secure-buffer.js';
-// Re-export standard tier wrapping for dual-path recovery
-export { wrapMasterKey, unwrapMasterKeyEd25519, unwrapMasterKeyRSA } from './standard.js';
-/**
- * @deprecated Enhanced tier is deprecated. New installations use Standard or Maximum only.
- *
- * Enhanced tier: BIP39 24-word recovery key.
- *
- * The master key is a 256-bit random value which maps directly to a 24-word
- * BIP39 mnemonic. Either the mnemonic or the SSH-wrapped key can recover.
- */
-/**
- * @deprecated Use Standard tier (SSH key wrapping) instead.
- *
- * Encode a 256-bit master key as a 24-word BIP39 mnemonic.
- * The master key bytes are used directly as the entropy.
- */
-export function generateRecoveryKey(masterKey) {
-    if (masterKey.length !== 32) {
-        throw new Error(`Master key must be 32 bytes (256 bits), got ${masterKey.length}`);
-    }
-    const entropy = Buffer.from(masterKey.buffer).toString('hex');
-    const mnemonic = bip39.entropyToMnemonic(entropy);
-    return mnemonic;
-}
-/**
- * @deprecated Use Standard tier (SSH key wrapping) instead.
- *
- * Decode a 24-word BIP39 mnemonic back to the 256-bit master key.
- * Returns a SecureBuffer containing the recovered key.
- */
-export function recoverFromMnemonic(mnemonic) {
-    const trimmed = mnemonic.trim().toLowerCase();
-    if (!bip39.validateMnemonic(trimmed)) {
-        throw new Error('Invalid BIP39 mnemonic');
-    }
-    const words = trimmed.split(/\s+/);
-    if (words.length !== 24) {
-        throw new Error(`Expected 24-word mnemonic, got ${words.length} words`);
-    }
-    const entropyHex = bip39.mnemonicToEntropy(trimmed);
-    const entropyBytes = Buffer.from(entropyHex, 'hex');
-    if (entropyBytes.length !== 32) {
-        throw new Error(`Recovered entropy must be 32 bytes, got ${entropyBytes.length}`);
-    }
-    return SecureBuffer.from(entropyBytes);
-}
-//# sourceMappingURL=enhanced.js.map

package/dist/crypto/tiers/enhanced.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"enhanced.js","sourceRoot":"","sources":["../../../crypto/tiers/enhanced.ts"],"names":[],"mappings":"AAAA,8EAA8E;AAC9E,oFAAoF;AACpF,0DAA0D;AAC1D,8CAA8C;AAC9C,kFAAkF;AAClF,6EAA6E;AAC7E,mDAAmD;AAEnD,OAAO,KAAK,KAAK,MAAM,OAAO,CAAC;AAE/B,OAAO,EAAE,YAAY,EAAE,MAAM,qBAAqB,CAAC;AAGnD,0DAA0D;AAC1D,OAAO,EAAE,aAAa,EAAE,sBAAsB,EAAE,kBAAkB,EAAE,MAAM,eAAe,CAAC;AAE1F;;;;;;;GAOG;AAEH;;;;;GAKG;AACH,MAAM,UAAU,mBAAmB,CAAC,SAAwB;IAC1D,IAAI,SAAS,CAAC,MAAM,KAAK,EAAE,EAAE,CAAC;QAC5B,MAAM,IAAI,KAAK,CAAC,+CAA+C,SAAS,CAAC,MAAM,EAAE,CAAC,CAAC;IACrF,CAAC;IAED,MAAM,OAAO,GAAG,MAAM,CAAC,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;IAC9D,MAAM,QAAQ,GAAG,KAAK,CAAC,iBAAiB,CAAC,OAAO,CAAC,CAAC;IAClD,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,mBAAmB,CAAC,QAAgB;IAClD,MAAM,OAAO,GAAG,QAAQ,CAAC,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC;IAE9C,IAAI,CAAC,KAAK,CAAC,gBAAgB,CAAC,OAAO,CAAC,EAAE,CAAC;QACrC,MAAM,IAAI,KAAK,CAAC,wBAAwB,CAAC,CAAC;IAC5C,CAAC;IAED,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC;IACnC,IAAI,KAAK,CAAC,MAAM,KAAK,EAAE,EAAE,CAAC;QACxB,MAAM,IAAI,KAAK,CAAC,kCAAkC,KAAK,CAAC,MAAM,QAAQ,CAAC,CAAC;IAC1E,CAAC;IAED,MAAM,UAAU,GAAG,KAAK,CAAC,iBAAiB,CAAC,OAAO,CAAC,CAAC;IACpD,MAAM,YAAY,GAAG,MAAM,CAAC,IAAI,CAAC,UAAU,EAAE,KAAK,CAAC,CAAC;IAEpD,IAAI,YAAY,CAAC,MAAM,KAAK,EAAE,EAAE,CAAC;QAC/B,MAAM,IAAI,KAAK,CAAC,2CAA2C,YAAY,CAAC,MAAM,EAAE,CAAC,CAAC;IACpF,CAAC;IAED,OAAO,YAAY,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;AACzC,CAAC"}

package/dist/crypto/tiers/maximum.d.ts

@@ -1,19 +0,0 @@
-import type { ISecureBuffer } from '../types.js';
-/**
- * Maximum tier: Argon2id passphrase derivation.
- *
- * The master key is derived from a user-chosen passphrase.
- * No recovery path — if the passphrase is lost, data is lost.
- */
-/**
- * Derive a master key from a passphrase using Argon2id.
- *
- * @param passphrase - User passphrase
- * @param salt - Optional 16-byte salt. If not provided, a random one is generated.
- * @returns Object with the derived master key and the salt (for server storage)
- */
-export declare function deriveFromPassphrase(passphrase: string, salt?: Uint8Array): {
-    masterKey: ISecureBuffer;
-    salt: Uint8Array;
-};
-//# sourceMappingURL=maximum.d.ts.map

package/dist/crypto/tiers/maximum.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"maximum.d.ts","sourceRoot":"","sources":["../../../crypto/tiers/maximum.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,aAAa,CAAC;AAIjD;;;;;GAKG;AAEH;;;;;;GAMG;AACH,wBAAgB,oBAAoB,CAClC,UAAU,EAAE,MAAM,EAClB,IAAI,CAAC,EAAE,UAAU,GAChB;IAAE,SAAS,EAAE,aAAa,CAAC;IAAC,IAAI,EAAE,UAAU,CAAA;CAAE,CAUhD"}

package/dist/crypto/tiers/maximum.js

@@ -1,25 +0,0 @@
-import { randomBytes } from 'node:crypto';
-import { deriveFromPassphrase as argon2Derive } from '../argon2.js';
-const SALT_LENGTH = 16;
-/**
- * Maximum tier: Argon2id passphrase derivation.
- *
- * The master key is derived from a user-chosen passphrase.
- * No recovery path — if the passphrase is lost, data is lost.
- */
-/**
- * Derive a master key from a passphrase using Argon2id.
- *
- * @param passphrase - User passphrase
- * @param salt - Optional 16-byte salt. If not provided, a random one is generated.
- * @returns Object with the derived master key and the salt (for server storage)
- */
-export function deriveFromPassphrase(passphrase, salt) {
-    const actualSalt = salt ?? new Uint8Array(randomBytes(SALT_LENGTH));
-    if (actualSalt.length !== SALT_LENGTH) {
-        throw new Error(`Salt must be ${SALT_LENGTH} bytes, got ${actualSalt.length}`);
-    }
-    const masterKey = argon2Derive(passphrase, actualSalt);
-    return { masterKey, salt: actualSalt };
-}
-//# sourceMappingURL=maximum.js.map

package/dist/crypto/tiers/maximum.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"maximum.js","sourceRoot":"","sources":["../../../crypto/tiers/maximum.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AAE1C,OAAO,EAAE,oBAAoB,IAAI,YAAY,EAAE,MAAM,cAAc,CAAC;AAGpE,MAAM,WAAW,GAAG,EAAE,CAAC;AAEvB;;;;;GAKG;AAEH;;;;;;GAMG;AACH,MAAM,UAAU,oBAAoB,CAClC,UAAkB,EAClB,IAAiB;IAEjB,MAAM,UAAU,GAAG,IAAI,IAAI,IAAI,UAAU,CAAC,WAAW,CAAC,WAAW,CAAC,CAAC,CAAC;IAEpE,IAAI,UAAU,CAAC,MAAM,KAAK,WAAW,EAAE,CAAC;QACtC,MAAM,IAAI,KAAK,CAAC,gBAAgB,WAAW,eAAe,UAAU,CAAC,MAAM,EAAE,CAAC,CAAC;IACjF,CAAC;IAED,MAAM,SAAS,GAAG,YAAY,CAAC,UAAU,EAAE,UAAU,CAAC,CAAC;IAEvD,OAAO,EAAE,SAAS,EAAE,IAAI,EAAE,UAAU,EAAE,CAAC;AACzC,CAAC"}

package/dist/crypto/tiers/standard.d.ts

@@ -1,27 +0,0 @@
-import * as crypto from 'node:crypto';
-import type { ISecureBuffer, SSHKeyInfo } from '../types.js';
-/**
- * Standard tier: SSH key wrapping.
- *
- * For Ed25519 keys: crypto_box_seal (ephemeral X25519 ECDH + XSalsa20-Poly1305)
- * For RSA keys: RSA-OAEP-SHA256 KEM + XChaCha20-Poly1305 DEM
- */
-/**
- * Wrap a master key with an SSH public key.
- * Ed25519: uses crypto_box_seal after converting to X25519.
- * RSA: uses RSA-OAEP KEM + XChaCha20-Poly1305 DEM.
- */
-export declare function wrapMasterKey(masterKey: ISecureBuffer, sshPublicKey: SSHKeyInfo): Uint8Array;
-/**
- * Unwrap a master key with an SSH private key (Ed25519).
- * @param wrappedKey - The sealed box
- * @param ed25519SecretKey - The 64-byte Ed25519 secret key
- */
-export declare function unwrapMasterKeyEd25519(wrappedKey: Uint8Array, ed25519SecretKey: Uint8Array, ed25519PublicKey: Uint8Array): ISecureBuffer;
-/**
- * Unwrap a master key wrapped with RSA-OAEP KEM + DEM.
- * @param wrappedKey - Serialized [4-byte wrappedWKLen][wrappedWK][nonce][ct][tag]
- * @param rsaPrivateKey - RSA private key in PEM or DER format
- */
-export declare function unwrapMasterKeyRSA(wrappedKey: Uint8Array, rsaPrivateKey: crypto.KeyObject): ISecureBuffer;
-//# sourceMappingURL=standard.d.ts.map

package/dist/crypto/tiers/standard.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"standard.d.ts","sourceRoot":"","sources":["../../../crypto/tiers/standard.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,MAAM,MAAM,aAAa,CAAC;AAMtC,OAAO,KAAK,EAAE,aAAa,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AAI7D;;;;;GAKG;AAEH;;;;GAIG;AACH,wBAAgB,aAAa,CAAC,SAAS,EAAE,aAAa,EAAE,YAAY,EAAE,UAAU,GAAG,UAAU,CAO5F;AAED;;;;GAIG;AACH,wBAAgB,sBAAsB,CACpC,UAAU,EAAE,UAAU,EACtB,gBAAgB,EAAE,UAAU,EAC5B,gBAAgB,EAAE,UAAU,GAC3B,aAAa,CAmBf;AAED;;;;GAIG;AACH,wBAAgB,kBAAkB,CAChC,UAAU,EAAE,UAAU,EACtB,aAAa,EAAE,MAAM,CAAC,SAAS,GAC9B,aAAa,CA0Cf"}