@dupecom/botcha-cloudflare 0.20.2 → 0.23.0

package/dist/tap-oidca.js

@@ -0,0 +1,461 @@
+/**
+ * BOTCHA OIDC-A Attestation Module
+ *
+ * Implements OIDC-A (OpenID Connect for Agents) attestation:
+ *   - EAT (Entity Attestation Token) issuance per draft-ietf-rats-eat-25
+ *   - OIDC-A compatible claims per draft-aap-oauth-profile (Feb 2026)
+ *   - OAuth 2.0 AS metadata discovery per RFC 8414
+ *   - Agent Authorization Grant per draft-rosenberg-oauth-aauth
+ *   - OIDC-A UserInfo endpoint
+ *
+ * EAT tokens make BOTCHA an `agent_attestation` endpoint that enterprise
+ * auth servers embed in OpenID Connect for Agents token chains.
+ */
+import { SignJWT, jwtVerify, importJWK } from 'jose';
+// ============ CONSTANTS ============
+export const BOTCHA_EAT_PROFILE = 'https://botcha.ai/eat-profile/v1';
+export const BOTCHA_ISSUER = 'botcha.ai';
+export const EAT_TOKEN_TTL_SECONDS = 3600; // 1 hour
+export const OIDC_CLAIMS_TTL_SECONDS = 3600; // 1 hour
+export const AGENT_GRANT_TTL_SECONDS = 3600; // 1 hour
+/**
+ * Well-known BOTCHA agent capabilities
+ * Enterprise auth servers can use these to filter agents by capability.
+ */
+export const BOTCHA_AGENT_CAPABILITIES = [
+    'botcha:verified', // Core — agent passed BOTCHA challenge
+    'botcha:speed-challenge', // Can solve SHA256 speed challenges
+    'botcha:hybrid-challenge', // Can solve hybrid (speed + reasoning) challenges
+    'botcha:reasoning-challenge', // Can solve LLM-level reasoning challenges
+    'agent:autonomous', // Can operate autonomously
+    'agent:tool-use', // Can invoke external tools/APIs
+    'agent:multi-step', // Can execute multi-step workflows
+];
+// ============ CORE FUNCTIONS ============
+/**
+ * Derive a Universal Entity ID (UEID) from an agent identifier.
+ *
+ * Per draft-ietf-rats-eat-25 §4.2.1: UEID is a binary identifier
+ * unique to the entity. For software agents, we use SHA-256(agent_id)
+ * truncated to 33 bytes, base64url-encoded.
+ */
+async function deriveUEID(agentId) {
+    const encoder = new TextEncoder();
+    const data = encoder.encode(agentId);
+    const hashBuffer = await crypto.subtle.digest('SHA-256', data);
+    const hashArray = new Uint8Array(hashBuffer).slice(0, 33); // 33 bytes per spec
+    return btoa(String.fromCharCode(...hashArray))
+        .replace(/\+/g, '-')
+        .replace(/\//g, '_')
+        .replace(/=/g, '');
+}
+/**
+ * Generate a cryptographically random nonce for eat_nonce.
+ * Returns base64url-encoded 32 bytes.
+ */
+function generateEATNonce() {
+    const bytes = crypto.getRandomValues(new Uint8Array(32));
+    return btoa(String.fromCharCode(...bytes))
+        .replace(/\+/g, '-')
+        .replace(/\//g, '_')
+        .replace(/=/g, '');
+}
+/**
+ * Issue an EAT (Entity Attestation Token) from a valid BOTCHA access token.
+ *
+ * The EAT proves:
+ * 1. The agent solved a computational challenge (proving it is a bot)
+ * 2. The challenge was issued by botcha.ai
+ * 3. The solution time demonstrates AI-speed computation
+ * 4. The agent is registered with a specific app
+ *
+ * This token can be embedded as `agent_attestation` in OIDC-A tokens.
+ *
+ * @param botchaPayload - Verified BOTCHA access token payload
+ * @param signingKey - ES256 private key for signing (required for EAT)
+ * @param options - Optional parameters
+ * @returns Signed EAT JWT
+ */
+export async function issueEAT(botchaPayload, signingKey, options) {
+    const now = Math.floor(Date.now() / 1000);
+    const ttl = options?.ttlSeconds ?? EAT_TOKEN_TTL_SECONDS;
+    const agentId = botchaPayload.app_id
+        ? `${botchaPayload.app_id}:${botchaPayload.sub}`
+        : botchaPayload.sub;
+    const ueid = await deriveUEID(agentId);
+    const eatNonce = options?.nonce ?? generateEATNonce();
+    const eatPayload = {
+        iss: BOTCHA_ISSUER,
+        sub: agentId,
+        iat: now,
+        exp: now + ttl,
+        // EAT standard claims
+        eat_profile: BOTCHA_EAT_PROFILE,
+        eat_nonce: eatNonce,
+        ueid,
+        oemid: BOTCHA_ISSUER,
+        swname: 'BOTCHA',
+        swversion: '0.21.0',
+        dbgstat: 'Disabled',
+        intuse: 'generic',
+        // BOTCHA private claims
+        botcha_verified: true,
+        botcha_challenge_id: botchaPayload.sub,
+        botcha_solve_time_ms: botchaPayload.solveTime,
+        botcha_app_id: botchaPayload.app_id,
+        botcha_verification_method: options?.verificationMethod ?? 'speed-challenge',
+    };
+    const cryptoKey = (await importJWK(signingKey, 'ES256'));
+    const kid = signingKey.kid || 'botcha-signing-1';
+    const token = await new SignJWT(eatPayload)
+        .setProtectedHeader({
+        alg: 'ES256',
+        kid,
+        typ: 'JWT+EAT', // RFC 9334 recommends typ claim for EAT
+    })
+        .sign(cryptoKey);
+    return token;
+}
+/**
+ * Build OIDC-A compatible agent claims block.
+ *
+ * This is the full claims object that enterprise auth servers embed in their
+ * ID tokens for agent grants. It includes the EAT token as `agent_attestation`.
+ *
+ * @param botchaPayload - Verified BOTCHA access token payload
+ * @param eatToken - Signed EAT JWT (from issueEAT)
+ * @param signingKey - ES256 signing key
+ * @param options - Agent metadata and OIDC-A options
+ * @returns Signed OIDC-A claims JWT + plain claims object
+ */
+export async function buildOIDCAgentClaims(botchaPayload, eatToken, signingKey, options) {
+    const now = Math.floor(Date.now() / 1000);
+    const ttl = options?.ttlSeconds ?? OIDC_CLAIMS_TTL_SECONDS;
+    const agentId = botchaPayload.app_id
+        ? `${botchaPayload.app_id}:${botchaPayload.sub}`
+        : botchaPayload.sub;
+    // Derive the BOTCHA verification method capability from the actual method used
+    const verificationMethod = options?.verificationMethod ?? 'speed-challenge';
+    const methodCapability = `botcha:${verificationMethod}`;
+    // Build the capability set: always include BOTCHA core + the actual method used
+    const capabilities = [
+        'botcha:verified',
+        methodCapability,
+        ...(options?.agentCapabilities ?? []).filter(c => c !== methodCapability),
+    ];
+    const claims = {
+        // OIDC-A core
+        agent_model: options?.agentModel ?? 'botcha-verified-agent',
+        agent_version: options?.agentVersion,
+        agent_capabilities: capabilities,
+        agent_attestation: eatToken,
+        delegation_chain: options?.delegationChain ?? [],
+        // Identity
+        agent_id: agentId,
+        agent_operator: options?.agentOperator,
+        // Verification metadata — reflect the actual challenge type used
+        agent_verification: {
+            method: `botcha-${verificationMethod}`,
+            solve_time_ms: botchaPayload.solveTime,
+            verified_at: new Date(botchaPayload.iat * 1000).toISOString(),
+            issuer: BOTCHA_ISSUER,
+            challenge_id: botchaPayload.sub,
+        },
+        // Oversight
+        human_oversight_required: options?.humanOversightRequired ?? false,
+        oversight_contact: options?.oversightContact,
+        // Task binding
+        task_id: options?.taskId,
+        task_purpose: options?.taskPurpose,
+        // Token metadata
+        iat: now,
+        exp: now + ttl,
+        iss: BOTCHA_ISSUER,
+    };
+    // Remove undefined fields for a clean JWT
+    const cleanClaims = JSON.parse(JSON.stringify(claims));
+    const cryptoKey = (await importJWK(signingKey, 'ES256'));
+    const kid = signingKey.kid || 'botcha-signing-1';
+    const claimsJwt = await new SignJWT(cleanClaims)
+        .setProtectedHeader({
+        alg: 'ES256',
+        kid,
+        typ: 'JWT+OIDCA', // OIDC-A claims token type
+    })
+        .sign(cryptoKey);
+    return { claims: cleanClaims, claimsJwt };
+}
+/**
+ * Issue an Agent Authorization Grant.
+ *
+ * Implements draft-rosenberg-oauth-aauth "Agent Authorization Grant":
+ * - Agent presents BOTCHA access token as credential
+ * - Server issues a scoped grant JWT bound to the agent's identity
+ * - Optionally queued for human-in-the-loop approval
+ *
+ * Grant token is a signed JWT with AAP claims (draft-aap-oauth-profile §5).
+ *
+ * @param botchaPayload - Verified BOTCHA access token payload
+ * @param eatToken - EAT JWT from issueEAT
+ * @param oidcClaims - OIDC-A claims object from buildOIDCAgentClaims
+ * @param signingKey - ES256 signing key
+ * @param kv - KV namespace for storing pending grants (for HITL polling)
+ * @param options - Grant options
+ * @returns AgentGrantResult
+ */
+export async function issueAgentGrant(botchaPayload, eatToken, oidcClaims, signingKey, kv, baseUrl, options) {
+    const now = Math.floor(Date.now() / 1000);
+    const ttl = options?.ttlSeconds ?? AGENT_GRANT_TTL_SECONDS;
+    const scope = options?.scope ?? 'agent:read agent:attest openid';
+    const humanOversight = options?.humanOversightRequired ?? false;
+    const agentId = botchaPayload.app_id
+        ? `${botchaPayload.app_id}:${botchaPayload.sub}`
+        : botchaPayload.sub;
+    // Generate grant ID for tracking
+    const grantId = crypto.randomUUID();
+    // AAP JWT payload (draft-aap-oauth-profile §5)
+    const grantPayload = {
+        // Standard JWT
+        iss: BOTCHA_ISSUER,
+        sub: agentId,
+        iat: now,
+        exp: now + ttl,
+        jti: grantId,
+        // OAuth grant type indicator
+        grant_type: 'urn:ietf:params:oauth:grant-type:agent_authorization',
+        // AAP §5.2 — Agent Identity Section
+        agent: {
+            id: agentId,
+            model: oidcClaims.agent_model,
+            version: oidcClaims.agent_version,
+            operator: oidcClaims.agent_operator,
+        },
+        // AAP §5.2 — Capabilities Section
+        capabilities: oidcClaims.agent_capabilities,
+        scope,
+        // AAP §5.2 — Attestation
+        attestation: {
+            eat_token: eatToken,
+            issuer: BOTCHA_ISSUER,
+            verified_at: oidcClaims.agent_verification.verified_at,
+            method: oidcClaims.agent_verification.method,
+        },
+        // AAP §5.2 — Oversight
+        oversight: {
+            human_in_the_loop: humanOversight,
+            status: humanOversight ? 'pending' : 'none',
+            grant_id: grantId,
+        },
+        // AAP §5.2 — Task binding (if provided)
+        ...(options?.taskId && {
+            task: {
+                id: options.taskId,
+                purpose: options.taskPurpose,
+            },
+        }),
+        // AAP §5.2 — Delegation chain
+        delegation_chain: oidcClaims.delegation_chain,
+        // AAP §5.2 — Contextual constraints
+        ...(options?.constraints && { constraints: options.constraints }),
+        // BOTCHA-specific: embed the full OIDC-A claims
+        agent_claims_ref: agentId,
+    };
+    const cryptoKey = (await importJWK(signingKey, 'ES256'));
+    const kid = signingKey.kid || 'botcha-signing-1';
+    const grantToken = await new SignJWT(grantPayload)
+        .setProtectedHeader({ alg: 'ES256', kid, typ: 'JWT+AGENT-GRANT' })
+        .sign(cryptoKey);
+    // If HITL required, store the pending grant in KV for polling
+    let oversightPollingUrl;
+    if (humanOversight) {
+        const pendingGrant = {
+            grant_id: grantId,
+            agent_id: agentId,
+            app_id: botchaPayload.app_id,
+            scope,
+            requested_at: Date.now(),
+            status: 'pending',
+        };
+        await kv.put(`agent_grant:${grantId}`, JSON.stringify(pendingGrant), { expirationTtl: ttl });
+        oversightPollingUrl = `${baseUrl}/v1/auth/agent-grant/${grantId}/status`;
+    }
+    return {
+        grant_type: 'urn:ietf:params:oauth:grant-type:agent_authorization',
+        access_token: grantToken,
+        token_type: 'Bearer',
+        expires_in: ttl,
+        scope,
+        agent_id: agentId,
+        app_id: botchaPayload.app_id,
+        human_oversight_required: humanOversight,
+        oversight_status: humanOversight ? 'pending' : 'none',
+        oversight_polling_url: oversightPollingUrl,
+        agent_claims: oidcClaims,
+        eat_token: eatToken,
+    };
+}
+/**
+ * Build OAuth 2.0 Authorization Server metadata (RFC 8414).
+ *
+ * This makes BOTCHA discoverable as an OAuth AS by enterprise auth servers
+ * that implement RFC 8414 auto-configuration.
+ *
+ * Extended with OIDC-A specific metadata for agent auth servers.
+ */
+export function buildOAuthASMetadata(baseUrl) {
+    return {
+        // RFC 8414 §2 — Required
+        issuer: baseUrl,
+        // Token endpoint (agent grant flow)
+        token_endpoint: `${baseUrl}/v1/auth/agent-grant`,
+        // JWKS for signature verification
+        jwks_uri: `${baseUrl}/.well-known/jwks`,
+        // RFC 8414 §2 — Optional but widely expected
+        scopes_supported: [
+            'openid',
+            'profile',
+            'agent:read',
+            'agent:write',
+            'agent:attest',
+            'agent:delegate',
+            'agent:oversight',
+        ],
+        // Grant types — includes the AAP agent authorization grant
+        grant_types_supported: [
+            'urn:ietf:params:oauth:grant-type:agent_authorization',
+            'urn:ietf:params:oauth:grant-type:token-exchange',
+            'client_credentials',
+        ],
+        // Token endpoint auth methods
+        token_endpoint_auth_methods_supported: [
+            'botcha_token', // BOTCHA-specific: Bearer token from challenge
+            'private_key_jwt', // RFC 7523 — for clients with registered keys
+        ],
+        // Response types (if acting as OIDC provider)
+        response_types_supported: ['token', 'id_token', 'token id_token'],
+        // Subject types
+        subject_types_supported: ['public'],
+        // ID token signing algorithms
+        id_token_signing_alg_values_supported: ['ES256'],
+        // Token lifetime
+        access_token_lifetime: AGENT_GRANT_TTL_SECONDS,
+        // ====== OIDC-A / BOTCHA Extensions ======
+        // BOTCHA-specific agent attestation endpoint
+        agent_attestation_endpoint: `${baseUrl}/v1/attestation/eat`,
+        // OIDC-A enrichment endpoint for auth servers
+        oidc_agent_claims_endpoint: `${baseUrl}/v1/attestation/oidc-agent-claims`,
+        // UserInfo endpoint (OIDC-A compliant)
+        userinfo_endpoint: `${baseUrl}/v1/oidc/userinfo`,
+        // EAT profile URI
+        eat_profile: BOTCHA_EAT_PROFILE,
+        // Well-known agent capabilities this AS can attest
+        agent_capabilities_supported: BOTCHA_AGENT_CAPABILITIES,
+        // Verification methods BOTCHA uses
+        agent_verification_methods_supported: [
+            'botcha:speed-challenge',
+            'botcha:hybrid-challenge',
+            'botcha:reasoning-challenge',
+        ],
+        // Human oversight support
+        human_oversight_supported: true,
+        oversight_polling_endpoint: `${baseUrl}/v1/auth/agent-grant/{id}/status`,
+        // draft-aap-oauth-profile compliance
+        aap_version: 'draft-aap-oauth-profile-00',
+        // OIDC-A compliance indicator
+        oidca_supported: true,
+        // Delegation chain support
+        delegation_supported: true,
+        max_delegation_depth: 5,
+        // Integration metadata
+        integration: {
+            documentation: `${baseUrl}/docs`,
+            openapi: `${baseUrl}/openapi.json`,
+            ai_txt: `${baseUrl}/ai.txt`,
+            whitepaper: `${baseUrl}/whitepaper`,
+        },
+    };
+}
+/**
+ * Verify and decode a BOTCHA EAT token.
+ * Used by the UserInfo endpoint to extract agent identity.
+ *
+ * @param eatJwt - The EAT JWT to verify
+ * @param publicKey - ES256 public key JWK
+ * @returns Verified EAT payload or null
+ */
+export async function verifyEAT(eatJwt, publicKey) {
+    try {
+        const cryptoKey = (await importJWK(publicKey, 'ES256'));
+        const { payload } = await jwtVerify(eatJwt, cryptoKey, {
+            algorithms: ['ES256'],
+            issuer: BOTCHA_ISSUER,
+        });
+        // Validate required EAT claims
+        if (!payload.eat_profile || !payload.eat_nonce || !payload.ueid) {
+            return null;
+        }
+        return payload;
+    }
+    catch {
+        return null;
+    }
+}
+/**
+ * Poll the status of a pending human-in-the-loop grant.
+ *
+ * @param grantId - The grant ID to poll
+ * @param kv - KV namespace
+ * @returns Current grant status or null if not found
+ */
+export async function getGrantStatus(grantId, kv) {
+    try {
+        const data = await kv.get(`agent_grant:${grantId}`);
+        if (!data)
+            return null;
+        return JSON.parse(data);
+    }
+    catch {
+        return null;
+    }
+}
+/**
+ * Approve or deny a pending agent grant (admin action).
+ *
+ * @param grantId - The grant ID
+ * @param decision - 'approved' or 'denied'
+ * @param reason - Optional denial reason
+ * @param kv - KV namespace
+ */
+export async function resolveGrant(grantId, decision, reason, kv) {
+    const grant = await getGrantStatus(grantId, kv);
+    if (!grant) {
+        return { success: false, error: 'Grant not found or expired' };
+    }
+    if (grant.status !== 'pending') {
+        return { success: false, error: `Grant is already ${grant.status}` };
+    }
+    const updated = {
+        ...grant,
+        status: decision,
+        approved_at: decision === 'approved' ? Date.now() : undefined,
+        denied_at: decision === 'denied' ? Date.now() : undefined,
+        denial_reason: decision === 'denied' ? reason : undefined,
+    };
+    // Preserve the original grant expiry rather than resetting to the full TTL.
+    // requested_at is stored in ms; KV expirationTtl is in seconds.
+    const elapsedSeconds = Math.floor((Date.now() - grant.requested_at) / 1000);
+    const remainingTtl = Math.max(1, AGENT_GRANT_TTL_SECONDS - elapsedSeconds);
+    await kv.put(`agent_grant:${grantId}`, JSON.stringify(updated), {
+        expirationTtl: remainingTtl,
+    });
+    return { success: true, grant: updated };
+}
+export default {
+    issueEAT,
+    buildOIDCAgentClaims,
+    issueAgentGrant,
+    buildOAuthASMetadata,
+    verifyEAT,
+    getGrantStatus,
+    resolveGrant,
+};

package/dist/tap-routes.d.ts

@@ -21,6 +21,14 @@ export declare function registerTAPAgentRoute(c: Context): Promise<(Response & i
     success: false;
     error: string;
     message: string;
+}, 404, "json">) | (Response & import("hono").TypedResponse<{
+    success: false;
+    error: string;
+    message: string;
+}, 403, "json">) | (Response & import("hono").TypedResponse<{
+    success: false;
+    error: string;
+    message: string;
 }, 500, "json">) | (Response & import("hono").TypedResponse<{
     success: true;
     agent_id: string;
@@ -30,7 +38,7 @@ export declare function registerTAPAgentRoute(c: Context): Promise<(Response & i
     version: string | undefined;
     created_at: string;
     tap_enabled: boolean | undefined;
-    trust_level: "verified" | "basic" | "enterprise" | undefined;
+    trust_level: "basic" | "verified" | "enterprise" | undefined;
     capabilities: {
         action: import("./tap-agents.js").TAPAction;
         scope?: string[] | undefined;
@@ -40,8 +48,12 @@ export declare function registerTAPAgentRoute(c: Context): Promise<(Response & i
             rate_limit?: number | undefined;
         } | undefined;
     }[] | undefined;
-    signature_algorithm: "ed25519" | "ecdsa-p256-sha256" | "rsa-pss-sha256" | undefined;
+    signature_algorithm: "ecdsa-p256-sha256" | "rsa-pss-sha256" | "ed25519" | undefined;
     issuer: string | undefined;
+    did: string | null;
+    ans_name: string | null;
+    ans_badge_id: string | null;
+    ans_trust_level: "domain-validated" | "key-validated" | "behavior-validated" | null;
     has_public_key: boolean;
     key_fingerprint: string | undefined;
 }, 201, "json">)>;
@@ -66,7 +78,7 @@ export declare function getTAPAgentRoute(c: Context): Promise<(Response & import
     version: string | undefined;
     created_at: string;
     tap_enabled: boolean | undefined;
-    trust_level: "verified" | "basic" | "enterprise" | undefined;
+    trust_level: "basic" | "verified" | "enterprise" | undefined;
     capabilities: {
         action: import("./tap-agents.js").TAPAction;
         scope?: string[] | undefined;
@@ -76,9 +88,13 @@ export declare function getTAPAgentRoute(c: Context): Promise<(Response & import
             rate_limit?: number | undefined;
         } | undefined;
     }[] | undefined;
-    signature_algorithm: "ed25519" | "ecdsa-p256-sha256" | "rsa-pss-sha256" | undefined;
+    signature_algorithm: "ecdsa-p256-sha256" | "rsa-pss-sha256" | "ed25519" | undefined;
     issuer: string | undefined;
     last_verified_at: string | null;
+    ans_name: string | null;
+    ans_badge_id: string | null;
+    ans_trust_level: "domain-validated" | "key-validated" | "behavior-validated" | null;
+    ans_verified_at: string | null;
     has_public_key: boolean;
     key_fingerprint: string | undefined;
     public_key: string | undefined;
@@ -108,7 +124,7 @@ export declare function listTAPAgentsRoute(c: Context): Promise<(Response & impo
         version: string | undefined;
         created_at: string;
         tap_enabled: boolean | undefined;
-        trust_level: "verified" | "basic" | "enterprise" | undefined;
+        trust_level: "basic" | "verified" | "enterprise" | undefined;
         capabilities: {
             action: import("./tap-agents.js").TAPAction;
             scope?: string[] | undefined;
@@ -229,7 +245,7 @@ export declare function rotateKeyRoute(c: Context): Promise<(Response & import("
     agent_id: string;
     message: string;
     has_public_key: true;
-    signature_algorithm: "ed25519" | "ecdsa-p256-sha256" | "rsa-pss-sha256" | undefined;
+    signature_algorithm: "ecdsa-p256-sha256" | "rsa-pss-sha256" | "ed25519" | undefined;
     key_created_at: string;
     key_expires_at: string | null;
     key_fingerprint: string | undefined;
@@ -264,7 +280,7 @@ export declare function createInvoiceRoute(c: Context): Promise<(Response & impo
     currency?: string | undefined;
     card_acceptor_id?: string | undefined;
     description?: string | undefined;
-    status?: "pending" | "fulfilled" | "expired" | undefined;
+    status?: "fulfilled" | "pending" | "expired" | undefined;
     success: true;
 }, 201, "json">)>;
 /**
@@ -289,7 +305,7 @@ export declare function getInvoiceRoute(c: Context): Promise<(Response & import(
     currency?: string | undefined;
     card_acceptor_id?: string | undefined;
     description?: string | undefined;
-    status?: "pending" | "fulfilled" | "expired" | undefined;
+    status?: "fulfilled" | "pending" | "expired" | undefined;
     success: true;
 }, import("hono/utils/http-status").ContentfulStatusCode, "json">) | (Response & import("hono").TypedResponse<{
     success: false;

package/dist/tap-routes.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"tap-routes.d.ts","sourceRoot":"","sources":["../src/tap-routes.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,MAAM,CAAC;AAmKpC;;;GAGG;AACH,wBAAsB,qBAAqB,CAAC,CAAC,EAAE,OAAO;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;kBAwErD;AAED;;;GAGG;AACH,wBAAsB,gBAAgB,CAAC,CAAC,EAAE,OAAO;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;kBAwDhD;AAED;;;GAGG;AACH,wBAAsB,kBAAkB,CAAC,CAAC,EAAE,OAAO;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;oEAmDlD;AAID;;;GAGG;AACH,wBAAsB,qBAAqB,CAAC,CAAC,EAAE,OAAO;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;kBAsFrD;AAED;;;GAGG;AACH,wBAAsB,kBAAkB,CAAC,CAAC,EAAE,OAAO;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;kBA2ClD;AAID;;;GAGG;AACH,wBAAsB,cAAc,CAAC,CAAC,EAAE,OAAO;;;;;;;;;;;;;;;;;;;;;;;;;;;;;kBA4D9C;AAID;;;GAGG;AACH,wBAAsB,kBAAkB,CAAC,CAAC,EAAE,OAAO;;;;;;;;;;;;;;;;;;;;;;;;kBAwClD;AAED;;;GAGG;AACH,wBAAsB,eAAe,CAAC,CAAC,EAAE,OAAO;;;;;;;;;;;;;;;;;;;;;;;;kBAuB/C;AAED;;;GAGG;AACH,wBAAsB,cAAc,CAAC,CAAC,EAAE,OAAO;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;kBA6E9C;AAID;;;GAGG;AACH,wBAAsB,mBAAmB,CAAC,CAAC,EAAE,OAAO;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;kBAqCnD;AAED;;;GAGG;AACH,wBAAsB,kBAAkB,CAAC,CAAC,EAAE,OAAO;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;kBAsClD;;;;;;;;;;;;;;AAaD,wBAYE"}
+{"version":3,"file":"tap-routes.d.ts","sourceRoot":"","sources":["../src/tap-routes.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,MAAM,CAAC;AAoNpC;;;GAGG;AACH,wBAAsB,qBAAqB,CAAC,CAAC,EAAE,OAAO;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;kBAkIrD;AAED;;;GAGG;AACH,wBAAsB,gBAAgB,CAAC,CAAC,EAAE,OAAO;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;kBA+DhD;AAED;;;GAGG;AACH,wBAAsB,kBAAkB,CAAC,CAAC,EAAE,OAAO;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;oEAmDlD;AAID;;;GAGG;AACH,wBAAsB,qBAAqB,CAAC,CAAC,EAAE,OAAO;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;kBAoHrD;AAED;;;GAGG;AACH,wBAAsB,kBAAkB,CAAC,CAAC,EAAE,OAAO;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;kBA2ClD;AAID;;;GAGG;AACH,wBAAsB,cAAc,CAAC,CAAC,EAAE,OAAO;;;;;;;;;;;;;;;;;;;;;;;;;;;;;kBAuF9C;AAID;;;GAGG;AACH,wBAAsB,kBAAkB,CAAC,CAAC,EAAE,OAAO;;;;;;;;;;;;;;;;;;;;;;;;kBAwClD;AAED;;;GAGG;AACH,wBAAsB,eAAe,CAAC,CAAC,EAAE,OAAO;;;;;;;;;;;;;;;;;;;;;;;;kBAuB/C;AAED;;;GAGG;AACH,wBAAsB,cAAc,CAAC,CAAC,EAAE,OAAO;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;kBA6E9C;AAID;;;GAGG;AACH,wBAAsB,mBAAmB,CAAC,CAAC,EAAE,OAAO;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;kBAqCnD;AAED;;;GAGG;AACH,wBAAsB,kBAAkB,CAAC,CAAC,EAAE,OAAO;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;kBAsClD;;;;;;;;;;;;;;AAaD,wBAYE"}