@dupecom/botcha-cloudflare 0.20.2 → 0.23.0

package/dist/tap-did.js

@@ -0,0 +1,262 @@
+/**
+ * BOTCHA DID — W3C DID Core 1.0 + did:web Method
+ *
+ * Implements:
+ *   - BOTCHA DID Document generation (did:web:botcha.ai)
+ *   - Basic did:web resolver (fetch DID Documents from remote hosts)
+ *   - DID parsing and validation utilities
+ *   - Agent DID helpers (did:web:botcha.ai:agents:<agent_id>)
+ *
+ * Standards:
+ *   - W3C DID Core 1.0: https://www.w3.org/TR/did-core/
+ *   - did:web method: https://w3c-ccg.github.io/did-web/
+ */
+// ============ CONSTANTS ============
+const BOTCHA_DID = 'did:web:botcha.ai';
+const DID_CORE_CONTEXT = 'https://www.w3.org/ns/did/v1';
+const JWS_2020_CONTEXT = 'https://w3id.org/security/suites/jws-2020/v1';
+const DID_RESOLUTION_CONTEXT = 'https://w3id.org/did-resolution/v1';
+// ============ DID DOCUMENT GENERATION ============
+/**
+ * Generate the canonical BOTCHA DID Document for did:web:botcha.ai.
+ *
+ * The ES256 signing key from BOTCHA's JWKS is registered as the
+ * assertionMethod — meaning VCs signed by this key are cryptographically
+ * tied to the botcha.ai DID Document.
+ *
+ * If no signing key is available (e.g. HS256-only deployment), the
+ * verificationMethod array is empty and VCs cannot be verified offline.
+ */
+export function generateBotchaDIDDocument(baseUrl, signingPublicKeyJwk) {
+    const keyId = `${BOTCHA_DID}#key-1`;
+    const verificationMethods = [];
+    if (signingPublicKeyJwk) {
+        verificationMethods.push({
+            id: keyId,
+            type: 'JsonWebKey2020',
+            controller: BOTCHA_DID,
+            publicKeyJwk: {
+                kty: signingPublicKeyJwk.kty || 'EC',
+                crv: signingPublicKeyJwk.crv || 'P-256',
+                x: signingPublicKeyJwk.x || '',
+                y: signingPublicKeyJwk.y || '',
+                kid: signingPublicKeyJwk.kid || 'botcha-signing-1',
+                use: 'sig',
+                alg: 'ES256',
+            },
+        });
+    }
+    const authAndAssert = verificationMethods.length > 0 ? [keyId] : [];
+    return {
+        '@context': [DID_CORE_CONTEXT, JWS_2020_CONTEXT],
+        id: BOTCHA_DID,
+        controller: BOTCHA_DID,
+        verificationMethod: verificationMethods,
+        authentication: authAndAssert,
+        assertionMethod: authAndAssert,
+        service: [
+            {
+                id: `${BOTCHA_DID}#botcha-api`,
+                type: 'LinkedDomains',
+                serviceEndpoint: baseUrl,
+                description: 'BOTCHA Verification API',
+            },
+            {
+                id: `${BOTCHA_DID}#jwks`,
+                type: 'JwkSet',
+                serviceEndpoint: `${baseUrl}/.well-known/jwks`,
+                description: 'BOTCHA JSON Web Key Set',
+            },
+            {
+                id: `${BOTCHA_DID}#vc-issuer`,
+                type: 'CredentialIssuanceService',
+                serviceEndpoint: `${baseUrl}/v1/credentials/issue`,
+                description: 'BOTCHA Verifiable Credential Issuance',
+            },
+        ],
+    };
+}
+// ============ DID PARSING ============
+/**
+ * Parse and validate a DID string.
+ *
+ * Valid DID format: did:method:method-specific-id
+ *   - must start with "did:"
+ *   - method: lowercase alphanumeric
+ *   - method-specific-id: non-empty
+ */
+export function parseDID(did) {
+    if (!did || typeof did !== 'string') {
+        return { valid: false, error: 'DID must be a non-empty string' };
+    }
+    if (!did.startsWith('did:')) {
+        return { valid: false, error: 'DID must start with "did:"' };
+    }
+    // Split into parts: ["did", "method", "method-specific-id", ...]
+    const parts = did.split(':');
+    if (parts.length < 3) {
+        return {
+            valid: false,
+            error: 'DID must have at least 3 colon-separated parts: did:method:id',
+        };
+    }
+    const method = parts[1];
+    const methodSpecificId = parts.slice(2).join(':');
+    if (!method || !/^[a-z0-9]+$/.test(method)) {
+        return { valid: false, error: 'DID method must be lowercase alphanumeric' };
+    }
+    if (!methodSpecificId) {
+        return { valid: false, error: 'DID method-specific ID is empty' };
+    }
+    return { valid: true, method, methodSpecificId };
+}
+// ============ DID:WEB URL RESOLUTION ============
+/**
+ * Convert a did:web DID to an HTTPS URL for DID Document fetching.
+ *
+ * Spec rules (https://w3c-ccg.github.io/did-web/):
+ *   did:web:example.com             → https://example.com/.well-known/did.json
+ *   did:web:example.com:user:alice  → https://example.com/user/alice/did.json
+ *   did:web:example.com%3A8080      → https://example.com:8080/.well-known/did.json
+ *
+ * Algorithm:
+ *   1. Split the method-specific-id on unencoded ':' characters.
+ *   2. The first segment is the host — percent-decode it (e.g. %3A → ':' for port).
+ *   3. Remaining segments are path components — join with '/'.
+ *
+ * Returns null if the DID cannot be converted to a valid URL.
+ */
+export function didWebToUrl(did) {
+    if (!did.startsWith('did:web:'))
+        return null;
+    const suffix = did.slice('did:web:'.length);
+    if (!suffix)
+        return null;
+    // Split on literal ':' FIRST (before any percent-decoding)
+    // This correctly separates path components from the host.
+    const parts = suffix.split(':');
+    // Decode only the first segment (the host/domain — may have %3A for port)
+    const host = decodeURIComponent(parts[0]);
+    if (!host)
+        return null;
+    if (parts.length === 1) {
+        // Simple domain (possibly with decoded port): did:web:example.com or did:web:example.com%3A8080
+        return `https://${host}/.well-known/did.json`;
+    }
+    else {
+        // Path-based: did:web:example.com:path:to:resource
+        // → https://example.com/path/to/resource/did.json
+        const pathSegments = parts.slice(1).map(decodeURIComponent);
+        const path = pathSegments.join('/');
+        return `https://${host}/${path}/did.json`;
+    }
+}
+// ============ DID:WEB RESOLUTION ============
+/**
+ * Resolve a did:web DID by fetching its DID Document from the network.
+ *
+ * Supports:
+ *   - did:web:example.com (fetches /.well-known/did.json)
+ *   - did:web:example.com:path:resource (fetches /path/resource/did.json)
+ *
+ * Note: Only did:web is supported. Other methods return methodNotSupported.
+ * Cloudflare Workers support outbound fetch, so this works in production.
+ */
+export async function resolveDIDWeb(did) {
+    const startTime = Date.now();
+    // Parse and validate
+    const parsed = parseDID(did);
+    if (!parsed.valid) {
+        return buildError('invalidDid', parsed.error || 'Invalid DID', startTime);
+    }
+    if (parsed.method !== 'web') {
+        return buildError('methodNotSupported', `Method "${parsed.method}" is not supported. Only did:web is implemented.`, startTime);
+    }
+    const url = didWebToUrl(did);
+    if (!url) {
+        return buildError('invalidDid', 'Cannot construct resolution URL from DID', startTime);
+    }
+    // Special case: self-resolution for did:web:botcha.ai
+    // The caller should handle this by providing the local DID document instead.
+    // We still attempt the fetch to allow staging/dev environments to work.
+    try {
+        const response = await fetch(url, {
+            headers: {
+                Accept: 'application/did+ld+json, application/json',
+                'User-Agent': 'BOTCHA-DID-Resolver/1.0 (+https://botcha.ai)',
+            },
+        });
+        if (!response.ok) {
+            return buildError('notFound', `HTTP ${response.status} fetching ${url}`, startTime);
+        }
+        const contentType = response.headers.get('content-type') || 'application/json';
+        const doc = (await response.json());
+        // Validate that the resolved document's `id` matches the requested DID
+        if (doc.id && doc.id !== did) {
+            return buildError('invalidDid', `DID Document id mismatch: expected "${did}", got "${doc.id}"`, startTime);
+        }
+        return {
+            '@context': DID_RESOLUTION_CONTEXT,
+            didDocument: doc,
+            didResolutionMetadata: {
+                contentType: 'application/did+ld+json',
+                retrieved: new Date().toISOString(),
+                duration: Date.now() - startTime,
+            },
+            didDocumentMetadata: {},
+        };
+    }
+    catch (error) {
+        return buildError('internalError', error instanceof Error ? error.message : 'Fetch failed', startTime);
+    }
+}
+// ============ AGENT DID HELPERS ============
+/**
+ * Build a did:web DID for a BOTCHA-registered agent.
+ *   agent_abc123 → did:web:botcha.ai:agents:agent_abc123
+ */
+export function buildAgentDID(agentId) {
+    return `did:web:botcha.ai:agents:${agentId}`;
+}
+/**
+ * Extract agent_id from a BOTCHA agent DID, if applicable.
+ * Returns null if the DID is not a BOTCHA agent DID.
+ */
+export function parseAgentDID(did) {
+    const prefix = 'did:web:botcha.ai:agents:';
+    if (!did.startsWith(prefix))
+        return null;
+    const agentId = did.slice(prefix.length);
+    return agentId || null;
+}
+/**
+ * Check if a DID is a valid did:web DID (basic format validation).
+ */
+export function isValidDIDWeb(did) {
+    const parsed = parseDID(did);
+    if (!parsed.valid || parsed.method !== 'web')
+        return false;
+    const url = didWebToUrl(did);
+    return url !== null;
+}
+// ============ UTILITIES ============
+function buildError(errorCode, message, startTime) {
+    return {
+        '@context': DID_RESOLUTION_CONTEXT,
+        didDocument: null,
+        didResolutionMetadata: {
+            error: `${errorCode}: ${message}`,
+            duration: Date.now() - startTime,
+        },
+        didDocumentMetadata: {},
+    };
+}
+export default {
+    generateBotchaDIDDocument,
+    parseDID,
+    didWebToUrl,
+    resolveDIDWeb,
+    buildAgentDID,
+    parseAgentDID,
+    isValidDIDWeb,
+};

package/dist/tap-oidca-routes.d.ts

@@ -0,0 +1,383 @@
+/**
+ * OIDC-A Attestation API Routes
+ *
+ * Routes:
+ *   POST /v1/attestation/eat                   — Issue EAT token (RFC 9334)
+ *   POST /v1/attestation/oidc-agent-claims     — Issue OIDC-A claims block
+ *   GET  /.well-known/oauth-authorization-server — OAuth AS metadata (RFC 8414)
+ *   POST /v1/auth/agent-grant                  — Agent Authorization Grant
+ *   GET  /v1/auth/agent-grant/:id/status       — Poll HITL grant status
+ *   POST /v1/auth/agent-grant/:id/resolve      — Approve/deny HITL grant (admin)
+ *   GET  /v1/oidc/userinfo                     — OIDC-A UserInfo endpoint
+ */
+import type { Context } from 'hono';
+/**
+ * POST /v1/attestation/eat
+ *
+ * Issue an RFC 9334 / draft-ietf-rats-eat-25 Entity Attestation Token.
+ *
+ * Input:
+ *   Authorization: Bearer <botcha_access_token>
+ *   Body (optional): {
+ *     nonce?: string              // Client nonce for freshness binding
+ *     agent_model?: string        // AI model name
+ *     ttl_seconds?: number        // Token TTL (max 3600)
+ *     verification_method?: string
+ *   }
+ *
+ * Output: {
+ *   eat_token: string             // Signed EAT JWT
+ *   eat_profile: string           // Profile URI
+ *   expires_in: number
+ *   claims: { ... }               // Decoded claims (for inspection)
+ * }
+ */
+export declare function issueEATRoute(c: Context): Promise<(Response & import("hono").TypedResponse<{
+    success: false;
+    error: string | undefined;
+    message: string;
+}, 401, "json">) | (Response & import("hono").TypedResponse<{
+    success: false;
+    error: string;
+    message: string;
+}, 503, "json">) | (Response & import("hono").TypedResponse<{
+    success: false;
+    error: string;
+    message: string;
+}, 400, "json">) | (Response & import("hono").TypedResponse<{
+    success: true;
+    eat_token: string;
+    token_type: string;
+    eat_profile: string;
+    algorithm: string;
+    expires_in: number;
+    claims: {
+        iss: string;
+        sub: string;
+        iat: number;
+        exp: number;
+        eat_profile: string;
+        oemid: string;
+        swname: string;
+        dbgstat: string;
+        intuse: string;
+        botcha_verified: true;
+        botcha_solve_time_ms: number;
+        botcha_app_id: string | undefined;
+    };
+    usage: {
+        description: string;
+        embed_as: string;
+        verify_with: string;
+        oidca_claims: string;
+    };
+}, import("hono/utils/http-status").ContentfulStatusCode, "json">) | (Response & import("hono").TypedResponse<{
+    success: false;
+    error: string;
+    message: string;
+}, 500, "json">)>;
+/**
+ * POST /v1/attestation/oidc-agent-claims
+ *
+ * Issue OIDC-A compatible agent claims block.
+ * Enterprise auth servers call this to enrich agent ID tokens.
+ *
+ * Input:
+ *   Authorization: Bearer <botcha_access_token>
+ *   Body (optional): {
+ *     agent_model?: string
+ *     agent_version?: string
+ *     agent_capabilities?: string[]
+ *     agent_operator?: string
+ *     delegation_chain?: string[]
+ *     human_oversight_required?: boolean
+ *     oversight_contact?: string
+ *     task_id?: string
+ *     task_purpose?: string
+ *     scope?: string
+ *     nonce?: string
+ *   }
+ *
+ * Output: {
+ *   claims_jwt: string            // Signed OIDC-A claims JWT (embed in ID token)
+ *   claims: OIDCAgentClaims       // Decoded claims object (for direct embedding)
+ *   eat_token: string             // The EAT token embedded within
+ *   expires_in: number
+ * }
+ */
+export declare function issueOIDCAgentClaimsRoute(c: Context): Promise<(Response & import("hono").TypedResponse<{
+    success: false;
+    error: string | undefined;
+    message: string;
+}, 401, "json">) | (Response & import("hono").TypedResponse<{
+    success: false;
+    error: string;
+    message: string;
+}, 503, "json">) | (Response & import("hono").TypedResponse<{
+    success: true;
+    claims_jwt: string;
+    token_type: string;
+    algorithm: string;
+    expires_in: number;
+    claims: {
+        agent_model: string;
+        agent_version?: string | undefined;
+        agent_capabilities: string[];
+        agent_attestation: string;
+        delegation_chain: string[];
+        agent_id: string;
+        agent_operator?: string | undefined;
+        agent_verification: {
+            method: string;
+            solve_time_ms: number;
+            verified_at: string;
+            issuer: string;
+            challenge_id: string;
+        };
+        human_oversight_required: boolean;
+        oversight_contact?: string | undefined;
+        task_id?: string | undefined;
+        task_purpose?: string | undefined;
+        iat: number;
+        exp: number;
+        iss: string;
+    };
+    eat_token: string;
+    usage: {
+        description: string;
+        embed_method_1: string;
+        embed_method_2: string;
+        embed_method_3: string;
+        verify_with: string;
+        standard: string;
+    };
+    available_capabilities: string[];
+}, import("hono/utils/http-status").ContentfulStatusCode, "json">) | (Response & import("hono").TypedResponse<{
+    success: false;
+    error: string;
+    message: string;
+}, 500, "json">)>;
+/**
+ * GET /.well-known/oauth-authorization-server
+ *
+ * OAuth 2.0 Authorization Server Metadata (RFC 8414).
+ * Extended with OIDC-A / agent-specific metadata.
+ *
+ * No authentication required — public discovery endpoint.
+ */
+export declare function oauthASMetadataRoute(c: Context): Promise<Response & import("hono").TypedResponse<never, 200, "json">>;
+/**
+ * POST /v1/auth/agent-grant
+ *
+ * Agent Authorization Grant per draft-rosenberg-oauth-aauth.
+ *
+ * An agent presents its BOTCHA token and receives a scoped OAuth grant
+ * with embedded OIDC-A claims and an EAT attestation.
+ *
+ * Input:
+ *   Authorization: Bearer <botcha_access_token>
+ *   Body (optional): {
+ *     scope?: string                    // Requested scopes (space-separated)
+ *     human_oversight_required?: bool   // Request HITL approval flow
+ *     agent_model?: string
+ *     agent_version?: string
+ *     agent_capabilities?: string[]
+ *     agent_operator?: string
+ *     task_id?: string
+ *     task_purpose?: string
+ *     delegation_chain?: string[]
+ *     constraints?: object
+ *   }
+ *
+ * Output: AgentGrantResult
+ */
+export declare function agentGrantRoute(c: Context): Promise<(Response & import("hono").TypedResponse<{
+    success: false;
+    error: string | undefined;
+    message: string;
+    how_to_get_token: string;
+}, 401, "json">) | (Response & import("hono").TypedResponse<{
+    success: false;
+    error: string;
+    message: string;
+}, 503, "json">) | (Response & import("hono").TypedResponse<{
+    success: false;
+    error: string;
+    message: string;
+}, 400, "json">) | (Response & import("hono").TypedResponse<{
+    standard: string;
+    issued_at: string;
+    grant_type: "urn:ietf:params:oauth:grant-type:agent_authorization";
+    access_token: string;
+    token_type: "Bearer";
+    expires_in: number;
+    scope: string;
+    agent_id: string;
+    app_id?: string | undefined;
+    human_oversight_required: boolean;
+    oversight_status: "none" | "pending" | "approved" | "denied";
+    oversight_polling_url?: string | undefined;
+    agent_claims: {
+        agent_model: string;
+        agent_version?: string | undefined;
+        agent_capabilities: string[];
+        agent_attestation: string;
+        delegation_chain: string[];
+        agent_id: string;
+        agent_operator?: string | undefined;
+        agent_verification: {
+            method: string;
+            solve_time_ms: number;
+            verified_at: string;
+            issuer: string;
+            challenge_id: string;
+        };
+        human_oversight_required: boolean;
+        oversight_contact?: string | undefined;
+        task_id?: string | undefined;
+        task_purpose?: string | undefined;
+        iat: number;
+        exp: number;
+        iss: string;
+    };
+    eat_token: string;
+    success: true;
+}, 200, "json">) | (Response & import("hono").TypedResponse<{
+    success: false;
+    error: string;
+    message: string;
+}, 500, "json">)>;
+/**
+ * GET /v1/auth/agent-grant/:id/status
+ *
+ * Poll the status of a human-in-the-loop pending grant.
+ * Returns current status: pending | approved | denied
+ */
+export declare function agentGrantStatusRoute(c: Context): Promise<(Response & import("hono").TypedResponse<{
+    success: false;
+    error: string | undefined;
+    message: string;
+}, 401 | 403, "json">) | (Response & import("hono").TypedResponse<{
+    success: false;
+    error: string;
+}, 400, "json">) | (Response & import("hono").TypedResponse<{
+    success: false;
+    error: string;
+    message: string;
+}, 404, "json">) | (Response & import("hono").TypedResponse<{
+    success: true;
+    grant_id: string;
+    agent_id: string;
+    scope: string;
+    status: "approved" | "denied" | "pending";
+    requested_at: string;
+    approved_at: string | null;
+    denied_at: string | null;
+    denial_reason: string | null;
+}, import("hono/utils/http-status").ContentfulStatusCode, "json">) | (Response & import("hono").TypedResponse<{
+    success: false;
+    error: string;
+}, 500, "json">)>;
+/**
+ * POST /v1/auth/agent-grant/:id/resolve
+ *
+ * Approve or deny a pending HITL grant.
+ * Requires app_id authentication (the grant owner must resolve it).
+ *
+ * Body: {
+ *   decision: 'approved' | 'denied'
+ *   reason?: string    // Required if denied
+ * }
+ */
+export declare function agentGrantResolveRoute(c: Context): Promise<(Response & import("hono").TypedResponse<{
+    success: false;
+    error: string | undefined;
+    message: string;
+}, 401 | 403, "json">) | (Response & import("hono").TypedResponse<{
+    success: false;
+    error: string;
+}, 400, "json">) | (Response & import("hono").TypedResponse<{
+    success: false;
+    error: string;
+    message: string;
+}, 404, "json">) | (Response & import("hono").TypedResponse<{
+    success: true;
+    grant_id: string;
+    decision: "approved" | "denied";
+    grant: {
+        status: "approved" | "denied" | "pending";
+        approved_at: string | null;
+        denied_at: string | null;
+        denial_reason: string | null;
+    };
+}, import("hono/utils/http-status").ContentfulStatusCode, "json">) | (Response & import("hono").TypedResponse<{
+    success: false;
+    error: string;
+}, 500, "json">)>;
+/**
+ * GET /v1/oidc/userinfo
+ *
+ * OIDC-A compliant UserInfo endpoint for verified agents.
+ *
+ * Returns agent identity claims + BOTCHA verification status.
+ * Accepts either a BOTCHA access_token or an EAT token as Bearer.
+ *
+ * Standard OIDC UserInfo response extended with agent claims.
+ */
+export declare function oidcUserInfoRoute(c: Context): Promise<(Response & import("hono").TypedResponse<{
+    error: string;
+    error_description: string;
+}, 401, "json">) | (Response & import("hono").TypedResponse<{
+    sub: string;
+    iss: string;
+    iat: number;
+    exp: number;
+    agent_id: string;
+    agent_model: string;
+    agent_capabilities: string[];
+    botcha_verified: true;
+    botcha_app_id: string | null;
+    botcha_solve_time_ms: number;
+    botcha_challenge_id: string;
+    verification: {
+        method: string;
+        verified_at: string;
+        issuer: string;
+        solve_time_ms: number;
+    };
+    attestation_endpoints: {
+        eat: string;
+        oidc_agent_claims: string;
+        agent_grant: string;
+    };
+}, import("hono/utils/http-status").ContentfulStatusCode, "json">) | (Response & import("hono").TypedResponse<{
+    sub: string;
+    iss: string;
+    iat: number;
+    exp: number;
+    agent_id: string;
+    agent_model: string;
+    agent_capabilities: string[];
+    eat_profile: string;
+    ueid: string;
+    oemid: string;
+    swname: string;
+    swversion: string;
+    dbgstat: import("./tap-oidca.js").EATDebugStatus;
+    botcha_verified: true;
+    botcha_app_id: string | null;
+    botcha_solve_time_ms: number;
+}, import("hono/utils/http-status").ContentfulStatusCode, "json">) | (Response & import("hono").TypedResponse<{
+    error: string;
+}, 500, "json">)>;
+declare const _default: {
+    issueEATRoute: typeof issueEATRoute;
+    issueOIDCAgentClaimsRoute: typeof issueOIDCAgentClaimsRoute;
+    oauthASMetadataRoute: typeof oauthASMetadataRoute;
+    agentGrantRoute: typeof agentGrantRoute;
+    agentGrantStatusRoute: typeof agentGrantStatusRoute;
+    agentGrantResolveRoute: typeof agentGrantResolveRoute;
+    oidcUserInfoRoute: typeof oidcUserInfoRoute;
+};
+export default _default;
+//# sourceMappingURL=tap-oidca-routes.d.ts.map

package/dist/tap-oidca-routes.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"tap-oidca-routes.d.ts","sourceRoot":"","sources":["../src/tap-oidca-routes.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAEH,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,MAAM,CAAA;AAuFnC;;;;;;;;;;;;;;;;;;;;GAoBG;AACH,wBAAsB,aAAa,CAAC,CAAC,EAAE,OAAO;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;kBA0F7C;AAED;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA4BG;AACH,wBAAsB,yBAAyB,CAAC,CAAC,EAAE,OAAO;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;kBAqFzD;AAED;;;;;;;GAOG;AACH,wBAAsB,oBAAoB,CAAC,CAAC,EAAE,OAAO,wEASpD;AAED;;;;;;;;;;;;;;;;;;;;;;;;GAwBG;AACH,wBAAsB,eAAe,CAAC,CAAC,EAAE,OAAO;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;kBAuG/C;AAED;;;;;GAKG;AACH,wBAAsB,qBAAqB,CAAC,CAAC,EAAE,OAAO;;;;;;;;;;;;;;;;;;;;;;;;kBAuDrD;AAED;;;;;;;;;;GAUG;AACH,wBAAsB,sBAAsB,CAAC,CAAC,EAAE,OAAO;;;;;;;;;;;;;;;;;;;;;;;;kBAoFtD;AAED;;;;;;;;;GASG;AACH,wBAAsB,iBAAiB,CAAC,CAAC,EAAE,OAAO;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;kBAgHjD;;;;;;;;;;AAED,wBAQC"}