@dwk/vc 0.1.0-beta.0

package/dist/did-web.js

@@ -0,0 +1,206 @@
+/**
+ * `did:web` ↔ URL mapping, DID-document construction, and verification-method
+ * resolution.
+ *
+ * The DID document itself (`/.well-known/did.json`) is a static artifact a static
+ * host can serve — {@link buildDidDocument} produces it — so this package does
+ * not need a Worker to *resolve* a DID. The Worker side uses
+ * {@link createDidWebResolver} during VC verification to fetch a credential
+ * issuer's DID document and locate the verification key referenced by a proof.
+ *
+ * Method/URL mapping follows the did:web rules: the first colon-separated
+ * component is the host (with a `%3A`-encoded port), remaining components are
+ * path segments, and a bare host resolves under `/.well-known/`.
+ *
+ * @see https://w3c-ccg.github.io/did-method-web/
+ */
+const DID_WEB_PREFIX = "did:web:";
+/** The default did:web context documents emitted by {@link buildDidDocument}. */
+export const DID_CONTEXT_V1 = "https://www.w3.org/ns/did/v1";
+export const MULTIKEY_CONTEXT_V1 = "https://w3id.org/security/multikey/v1";
+export const JWK_CONTEXT_V1 = "https://w3id.org/security/jwk/v1";
+/**
+ * Convert a `did:web` identifier to the URL of its DID document. Throws if the
+ * input is not a `did:web` identifier.
+ */
+export function didWebToUrl(did) {
+    if (!did.startsWith(DID_WEB_PREFIX)) {
+        throw new Error(`@dwk/vc: "${did}" is not a did:web identifier`);
+    }
+    const components = did.slice(DID_WEB_PREFIX.length).split(":");
+    const host = components[0];
+    if (host === undefined || host.length === 0) {
+        throw new Error(`@dwk/vc: did:web identifier "${did}" has no host`);
+    }
+    const authority = decodeURIComponent(host);
+    const segments = components.slice(1).map((segment) => {
+        if (segment.length === 0) {
+            throw new Error(`@dwk/vc: did:web identifier "${did}" has an empty path segment`);
+        }
+        const decoded = decodeURIComponent(segment);
+        // Reject `.`/`..` so a crafted identifier cannot traverse out of its path
+        // when the URL is built and fetched.
+        if (decoded === "." || decoded === "..") {
+            throw new Error(`@dwk/vc: did:web identifier "${did}" has an invalid path segment "${decoded}"`);
+        }
+        return decoded;
+    });
+    const path = segments.length === 0
+        ? "/.well-known/did.json"
+        : `/${segments.join("/")}/did.json`;
+    return `https://${authority}${path}`;
+}
+/**
+ * Derive the `did:web` identifier a URL (or host) would publish. A bare origin
+ * (or one whose path is `/.well-known/did.json`) maps to `did:web:<host>`; a
+ * deeper path maps its segments to colon-separated components.
+ */
+export function urlToDidWeb(input) {
+    const url = new URL(input.includes("://") ? input : `https://${input}`);
+    const host = url.host; // includes a non-default port
+    const encodedHost = host.replace(/:/g, "%3A");
+    let pathname = url.pathname;
+    if (pathname.endsWith("/did.json")) {
+        pathname = pathname.slice(0, -"/did.json".length);
+    }
+    const segments = pathname.split("/").filter((segment) => segment.length > 0);
+    if (segments.length === 0 ||
+        (segments.length === 1 && segments[0] === ".well-known")) {
+        return `${DID_WEB_PREFIX}${encodedHost}`;
+    }
+    const encoded = segments.map((segment) => encodeURIComponent(segment));
+    return `${DID_WEB_PREFIX}${encodedHost}:${encoded.join(":")}`;
+}
+function absoluteId(did, id) {
+    return id.startsWith("#") ? `${did}${id}` : id;
+}
+/**
+ * Build a `did:web` DID document from public verification methods. Emits the
+ * DID, Multikey, and (when a JWK method is present) JWK context documents, the
+ * `verificationMethod` array, and the requested verification relationships
+ * (defaulting to `assertionMethod`). Suitable for serialization to
+ * `/.well-known/did.json`.
+ */
+export function buildDidDocument(options) {
+    const { did } = options;
+    if (!did.startsWith(DID_WEB_PREFIX)) {
+        throw new Error(`@dwk/vc: "${did}" is not a did:web identifier`);
+    }
+    if (options.verificationMethods.length === 0) {
+        throw new Error("@dwk/vc: a DID document needs at least one verification method");
+    }
+    let hasJwk = false;
+    const methods = options.verificationMethods.map((input) => {
+        const id = absoluteId(did, input.id);
+        const method = {
+            id,
+            controller: did,
+        };
+        if (input.publicKeyMultibase !== undefined) {
+            method.type = input.type ?? "Multikey";
+            method.publicKeyMultibase = input.publicKeyMultibase;
+        }
+        else if (input.publicKeyJwk !== undefined) {
+            hasJwk = true;
+            method.type = input.type ?? "JsonWebKey";
+            method.publicKeyJwk = input.publicKeyJwk;
+        }
+        else {
+            throw new Error(`@dwk/vc: verification method "${id}" needs publicKeyMultibase or publicKeyJwk`);
+        }
+        return { id, method };
+    });
+    const context = [DID_CONTEXT_V1, MULTIKEY_CONTEXT_V1];
+    if (hasJwk)
+        context.push(JWK_CONTEXT_V1);
+    const relationships = options.relationships ?? {};
+    const ids = methods.map((m) => m.id);
+    const document = {
+        "@context": context,
+        id: did,
+        verificationMethod: methods.map((m) => m.method),
+    };
+    if (relationships.assertionMethod ?? true)
+        document.assertionMethod = ids;
+    if (relationships.authentication ?? false)
+        document.authentication = ids;
+    if (options.alsoKnownAs !== undefined && options.alsoKnownAs.length > 0) {
+        document.alsoKnownAs = [...options.alsoKnownAs];
+    }
+    return document;
+}
+/**
+ * Locate a verification method in a DID document by its id. A method `id` that
+ * is a relative reference (`#key-0`) is resolved against the document's `id`
+ * before comparison, per DID Core — foreign documents commonly use relative ids.
+ */
+export function findVerificationMethod(didDocument, id) {
+    const docId = typeof didDocument.id === "string" ? didDocument.id : "";
+    const methods = didDocument.verificationMethod;
+    if (!Array.isArray(methods))
+        return undefined;
+    for (const entry of methods) {
+        if (entry === null || typeof entry !== "object" || Array.isArray(entry)) {
+            continue;
+        }
+        const entryId = entry.id;
+        if (typeof entryId !== "string")
+            continue;
+        const resolved = entryId.startsWith("#") ? `${docId}${entryId}` : entryId;
+        if (resolved === id) {
+            return entry;
+        }
+    }
+    return undefined;
+}
+/**
+ * Build a {@link VerificationMethodResolver} that resolves a `did:web`
+ * verification-method id by fetching the controller's DID document over HTTPS
+ * and locating the referenced method. Returns `undefined` for non-`did:web`
+ * ids, fetch failures, and unknown methods — verification treats that as an
+ * unresolvable key rather than throwing.
+ */
+export function createDidWebResolver(options = {}) {
+    const fetchImpl = options.fetch ?? globalThis.fetch;
+    if (fetchImpl === undefined) {
+        throw new Error("@dwk/vc: no fetch implementation available for did:web resolution");
+    }
+    return async (id) => {
+        const hashIndex = id.indexOf("#");
+        const did = hashIndex === -1 ? id : id.slice(0, hashIndex);
+        if (!did.startsWith(DID_WEB_PREFIX))
+            return undefined;
+        let url;
+        try {
+            url = didWebToUrl(did);
+        }
+        catch {
+            return undefined;
+        }
+        let response;
+        try {
+            response = await fetchImpl(url, {
+                headers: { accept: "application/did+json, application/json" },
+            });
+        }
+        catch {
+            return undefined;
+        }
+        if (!response.ok)
+            return undefined;
+        let document;
+        try {
+            document = await response.json();
+        }
+        catch {
+            return undefined;
+        }
+        if (document === null ||
+            typeof document !== "object" ||
+            Array.isArray(document)) {
+            return undefined;
+        }
+        return findVerificationMethod(document, id);
+    };
+}
+//# sourceMappingURL=did-web.js.map

package/dist/did-web.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"did-web.js","sourceRoot":"","sources":["../src/did-web.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;GAeG;AAIH,MAAM,cAAc,GAAG,UAAU,CAAC;AAElC,iFAAiF;AACjF,MAAM,CAAC,MAAM,cAAc,GAAG,8BAA8B,CAAC;AAC7D,MAAM,CAAC,MAAM,mBAAmB,GAAG,uCAAuC,CAAC;AAC3E,MAAM,CAAC,MAAM,cAAc,GAAG,kCAAkC,CAAC;AAEjE;;;GAGG;AACH,MAAM,UAAU,WAAW,CAAC,GAAW;IACrC,IAAI,CAAC,GAAG,CAAC,UAAU,CAAC,cAAc,CAAC,EAAE,CAAC;QACpC,MAAM,IAAI,KAAK,CAAC,aAAa,GAAG,+BAA+B,CAAC,CAAC;IACnE,CAAC;IACD,MAAM,UAAU,GAAG,GAAG,CAAC,KAAK,CAAC,cAAc,CAAC,MAAM,CAAC,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IAC/D,MAAM,IAAI,GAAG,UAAU,CAAC,CAAC,CAAC,CAAC;IAC3B,IAAI,IAAI,KAAK,SAAS,IAAI,IAAI,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC5C,MAAM,IAAI,KAAK,CAAC,gCAAgC,GAAG,eAAe,CAAC,CAAC;IACtE,CAAC;IACD,MAAM,SAAS,GAAG,kBAAkB,CAAC,IAAI,CAAC,CAAC;IAC3C,MAAM,QAAQ,GAAG,UAAU,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,OAAO,EAAE,EAAE;QACnD,IAAI,OAAO,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACzB,MAAM,IAAI,KAAK,CACb,gCAAgC,GAAG,6BAA6B,CACjE,CAAC;QACJ,CAAC;QACD,MAAM,OAAO,GAAG,kBAAkB,CAAC,OAAO,CAAC,CAAC;QAC5C,0EAA0E;QAC1E,qCAAqC;QACrC,IAAI,OAAO,KAAK,GAAG,IAAI,OAAO,KAAK,IAAI,EAAE,CAAC;YACxC,MAAM,IAAI,KAAK,CACb,gCAAgC,GAAG,kCAAkC,OAAO,GAAG,CAChF,CAAC;QACJ,CAAC;QACD,OAAO,OAAO,CAAC;IACjB,CAAC,CAAC,CAAC;IACH,MAAM,IAAI,GACR,QAAQ,CAAC,MAAM,KAAK,CAAC;QACnB,CAAC,CAAC,uBAAuB;QACzB,CAAC,CAAC,IAAI,QAAQ,CAAC,IAAI,CAAC,GAAG,CAAC,WAAW,CAAC;IACxC,OAAO,WAAW,SAAS,GAAG,IAAI,EAAE,CAAC;AACvC,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,WAAW,CAAC,KAAa;IACvC,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,KAAK,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,WAAW,KAAK,EAAE,CAAC,CAAC;IACxE,MAAM,IAAI,GAAG,GAAG,CAAC,IAAI,CAAC,CAAC,8BAA8B;IACrD,MAAM,WAAW,GAAG,IAAI,CAAC,OAAO,CAAC,IAAI,EAAE,KAAK,CAAC,CAAC;IAE9C,IAAI,QAAQ,GAAG,GAAG,CAAC,QAAQ,CAAC;IAC5B,IAAI,QAAQ,CAAC,QAAQ,CAAC,WAAW,CAAC,EAAE,CAAC;QACnC,QAAQ,GAAG,QAAQ,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,WAAW,CAAC,MAAM,CAAC,CAAC;IACpD,CAAC;IACD,MAAM,QAAQ,GAAG,QAAQ,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,MAAM,CAAC,CAAC,OAAO,EAAE,EAAE,CAAC,OAAO,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC;IAC7E,IACE,QAAQ,CAAC,MAAM,KAAK,CAAC;QACrB,CAAC,QAAQ,CAAC,MAAM,KAAK,CAAC,IAAI,QAAQ,CAAC,CAAC,CAAC,KAAK,aAAa,CAAC,EACxD,CAAC;QACD,OAAO,GAAG,cAAc,GAAG,WAAW,EAAE,CAAC;IAC3C,CAAC;IACD,MAAM,OAAO,GAAG,QAAQ,CAAC,GAAG,CAAC,CAAC,OAAO,EAAE,EAAE,CAAC,kBAAkB,CAAC,OAAO,CAAC,CAAC,CAAC;IACvE,OAAO,GAAG,cAAc,GAAG,WAAW,IAAI,OAAO,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC;AAChE,CAAC;AA8BD,SAAS,UAAU,CAAC,GAAW,EAAE,EAAU;IACzC,OAAO,EAAE,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,GAAG,GAAG,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;AACjD,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,gBAAgB,CAAC,OAAgC;IAC/D,MAAM,EAAE,GAAG,EAAE,GAAG,OAAO,CAAC;IACxB,IAAI,CAAC,GAAG,CAAC,UAAU,CAAC,cAAc,CAAC,EAAE,CAAC;QACpC,MAAM,IAAI,KAAK,CAAC,aAAa,GAAG,+BAA+B,CAAC,CAAC;IACnE,CAAC;IACD,IAAI,OAAO,CAAC,mBAAmB,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC7C,MAAM,IAAI,KAAK,CACb,gEAAgE,CACjE,CAAC;IACJ,CAAC;IAED,IAAI,MAAM,GAAG,KAAK,CAAC;IACnB,MAAM,OAAO,GAAG,OAAO,CAAC,mBAAmB,CAAC,GAAG,CAAC,CAAC,KAAK,EAAE,EAAE;QACxD,MAAM,EAAE,GAAG,UAAU,CAAC,GAAG,EAAE,KAAK,CAAC,EAAE,CAAC,CAAC;QACrC,MAAM,MAAM,GAAe;YACzB,EAAE;YACF,UAAU,EAAE,GAAG;SAChB,CAAC;QACF,IAAI,KAAK,CAAC,kBAAkB,KAAK,SAAS,EAAE,CAAC;YAC3C,MAAM,CAAC,IAAI,GAAG,KAAK,CAAC,IAAI,IAAI,UAAU,CAAC;YACvC,MAAM,CAAC,kBAAkB,GAAG,KAAK,CAAC,kBAAkB,CAAC;QACvD,CAAC;aAAM,IAAI,KAAK,CAAC,YAAY,KAAK,SAAS,EAAE,CAAC;YAC5C,MAAM,GAAG,IAAI,CAAC;YACd,MAAM,CAAC,IAAI,GAAG,KAAK,CAAC,IAAI,IAAI,YAAY,CAAC;YACzC,MAAM,CAAC,YAAY,GAAG,KAAK,CAAC,YAAqC,CAAC;QACpE,CAAC;aAAM,CAAC;YACN,MAAM,IAAI,KAAK,CACb,iCAAiC,EAAE,4CAA4C,CAChF,CAAC;QACJ,CAAC;QACD,OAAO,EAAE,EAAE,EAAE,MAAM,EAAE,CAAC;IACxB,CAAC,CAAC,CAAC;IAEH,MAAM,OAAO,GAAa,CAAC,cAAc,EAAE,mBAAmB,CAAC,CAAC;IAChE,IAAI,MAAM;QAAE,OAAO,CAAC,IAAI,CAAC,cAAc,CAAC,CAAC;IAEzC,MAAM,aAAa,GAAG,OAAO,CAAC,aAAa,IAAI,EAAE,CAAC;IAClD,MAAM,GAAG,GAAG,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC;IAErC,MAAM,QAAQ,GAAe;QAC3B,UAAU,EAAE,OAAO;QACnB,EAAE,EAAE,GAAG;QACP,kBAAkB,EAAE,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,MAAM,CAAC;KACjD,CAAC;IACF,IAAI,aAAa,CAAC,eAAe,IAAI,IAAI;QAAE,QAAQ,CAAC,eAAe,GAAG,GAAG,CAAC;IAC1E,IAAI,aAAa,CAAC,cAAc,IAAI,KAAK;QAAE,QAAQ,CAAC,cAAc,GAAG,GAAG,CAAC;IACzE,IAAI,OAAO,CAAC,WAAW,KAAK,SAAS,IAAI,OAAO,CAAC,WAAW,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACxE,QAAQ,CAAC,WAAW,GAAG,CAAC,GAAG,OAAO,CAAC,WAAW,CAAC,CAAC;IAClD,CAAC;IACD,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,sBAAsB,CACpC,WAAuB,EACvB,EAAU;IAEV,MAAM,KAAK,GAAG,OAAO,WAAW,CAAC,EAAE,KAAK,QAAQ,CAAC,CAAC,CAAC,WAAW,CAAC,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;IACvE,MAAM,OAAO,GAAG,WAAW,CAAC,kBAAkB,CAAC;IAC/C,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,OAAO,CAAC;QAAE,OAAO,SAAS,CAAC;IAC9C,KAAK,MAAM,KAAK,IAAI,OAAO,EAAE,CAAC;QAC5B,IAAI,KAAK,KAAK,IAAI,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC;YACxE,SAAS;QACX,CAAC;QACD,MAAM,OAAO,GAAI,KAAoB,CAAC,EAAE,CAAC;QACzC,IAAI,OAAO,OAAO,KAAK,QAAQ;YAAE,SAAS;QAC1C,MAAM,QAAQ,GAAG,OAAO,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,KAAK,GAAG,OAAO,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC;QAC1E,IAAI,QAAQ,KAAK,EAAE,EAAE,CAAC;YACpB,OAAO,KAAsC,CAAC;QAChD,CAAC;IACH,CAAC;IACD,OAAO,SAAS,CAAC;AACnB,CAAC;AAcD;;;;;;GAMG;AACH,MAAM,UAAU,oBAAoB,CAClC,UAAiC,EAAE;IAEnC,MAAM,SAAS,GACb,OAAO,CAAC,KAAK,IAAK,UAAU,CAAC,KAA0C,CAAC;IAC1E,IAAI,SAAS,KAAK,SAAS,EAAE,CAAC;QAC5B,MAAM,IAAI,KAAK,CACb,mEAAmE,CACpE,CAAC;IACJ,CAAC;IAED,OAAO,KAAK,EAAE,EAAU,EAAE,EAAE;QAC1B,MAAM,SAAS,GAAG,EAAE,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;QAClC,MAAM,GAAG,GAAG,SAAS,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC,KAAK,CAAC,CAAC,EAAE,SAAS,CAAC,CAAC;QAC3D,IAAI,CAAC,GAAG,CAAC,UAAU,CAAC,cAAc,CAAC;YAAE,OAAO,SAAS,CAAC;QAEtD,IAAI,GAAW,CAAC;QAChB,IAAI,CAAC;YACH,GAAG,GAAG,WAAW,CAAC,GAAG,CAAC,CAAC;QACzB,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,SAAS,CAAC;QACnB,CAAC;QAED,IAAI,QAAwC,CAAC;QAC7C,IAAI,CAAC;YACH,QAAQ,GAAG,MAAM,SAAS,CAAC,GAAG,EAAE;gBAC9B,OAAO,EAAE,EAAE,MAAM,EAAE,wCAAwC,EAAE;aAC9D,CAAC,CAAC;QACL,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,SAAS,CAAC;QACnB,CAAC;QACD,IAAI,CAAC,QAAQ,CAAC,EAAE;YAAE,OAAO,SAAS,CAAC;QAEnC,IAAI,QAAiB,CAAC;QACtB,IAAI,CAAC;YACH,QAAQ,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC;QACnC,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,SAAS,CAAC;QACnB,CAAC;QACD,IACE,QAAQ,KAAK,IAAI;YACjB,OAAO,QAAQ,KAAK,QAAQ;YAC5B,KAAK,CAAC,OAAO,CAAC,QAAQ,CAAC,EACvB,CAAC;YACD,OAAO,SAAS,CAAC;QACnB,CAAC;QACD,OAAO,sBAAsB,CAAC,QAAsB,EAAE,EAAE,CAAC,CAAC;IAC5D,CAAC,CAAC;AACJ,CAAC"}

package/dist/handler.d.ts

@@ -0,0 +1,37 @@
+/**
+ * The `@dwk/vc` fetch handler: VC-API-style issuance and verification endpoints,
+ * a status-update endpoint, and the served (signed) Bitstring Status List
+ * credentials. Routing matches the request pathname against each configured
+ * endpoint's path, so the handler is mountable under any prefix simply by
+ * configuring absolute endpoint URLs.
+ *
+ * The DID document itself is a static artifact ({@link ./did-web.buildDidDocument});
+ * this handler covers only the dynamic parts: signing credentials with the
+ * domain's key (a secret binding), verifying them, and flipping status bits in a
+ * strongly-consistent D1 store.
+ */
+import { type VcConfig } from "./config";
+import { type VcStatusStoreEnv } from "./status-list";
+/** Cloudflare bindings required by the `@dwk/vc` handler. */
+export interface VcEnv extends Partial<VcStatusStoreEnv> {
+    /**
+     * The issuer's **private** signing key as a JWK JSON string (secret binding).
+     * Its public half is published in the DID document's verification method.
+     */
+    readonly VC_SIGNING_KEY: string;
+}
+/** A `fetch`-compatible Worker handler. */
+export type VcHandler = (request: Request, env: VcEnv, ctx: ExecutionContext) => Promise<Response>;
+/**
+ * Build the `@dwk/vc` handler from configuration.
+ *
+ * The returned handler routes `POST {issueEndpoint}`, `POST {verifyEndpoint}`,
+ * `POST {statusEndpoint}`, and `GET {statusListEndpoint}/<purpose>`. Issuance and
+ * status changes are gated by the configured {@link AuthorizeOperation} hook (or
+ * the composing Worker's front door) and require the `VC_SIGNING_KEY` secret;
+ * status requires the `VC_STATUS_DB` D1 binding. Unmatched routes get `404`;
+ * wrong methods get `405`. The issuer credential / `issuerId` is recorded by host
+ * only; subjects, claims, keys, and proof values are never logged.
+ */
+export declare function createVc(config: VcConfig): VcHandler;
+//# sourceMappingURL=handler.d.ts.map

package/dist/handler.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"handler.d.ts","sourceRoot":"","sources":["../src/handler.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAIH,OAAO,EAAwC,KAAK,QAAQ,EAAE,MAAM,UAAU,CAAC;AAY/E,OAAO,EAWL,KAAK,gBAAgB,EACtB,MAAM,eAAe,CAAC;AAEvB,6DAA6D;AAC7D,MAAM,WAAW,KAAM,SAAQ,OAAO,CAAC,gBAAgB,CAAC;IACtD;;;OAGG;IACH,QAAQ,CAAC,cAAc,EAAE,MAAM,CAAC;CACjC;AAED,2CAA2C;AAC3C,MAAM,MAAM,SAAS,GAAG,CACtB,OAAO,EAAE,OAAO,EAChB,GAAG,EAAE,KAAK,EACV,GAAG,EAAE,gBAAgB,KAClB,OAAO,CAAC,QAAQ,CAAC,CAAC;AAoWvB;;;;;;;;;;GAUG;AACH,wBAAgB,QAAQ,CAAC,MAAM,EAAE,QAAQ,GAAG,SAAS,CA8CpD"}

package/dist/handler.js

@@ -0,0 +1,362 @@
+/**
+ * The `@dwk/vc` fetch handler: VC-API-style issuance and verification endpoints,
+ * a status-update endpoint, and the served (signed) Bitstring Status List
+ * credentials. Routing matches the request pathname against each configured
+ * endpoint's path, so the handler is mountable under any prefix simply by
+ * configuring absolute endpoint URLs.
+ *
+ * The DID document itself is a static artifact ({@link ./did-web.buildDidDocument});
+ * this handler covers only the dynamic parts: signing credentials with the
+ * domain's key (a secret binding), verifying them, and flipping status bits in a
+ * strongly-consistent D1 store.
+ */
+import { hostFromUrl } from "@dwk/log";
+import { resolveConfig } from "./config";
+import { addProof, importSigner, verifyProof, } from "./data-integrity";
+import { createDidWebResolver } from "./did-web";
+import { checkValidityPeriod, validateCredential } from "./credential";
+import { VcLogEvent } from "./log";
+import { buildEncodedList, buildStatusEntry, buildStatusListCredential, createVcStatusStore, decodeBitstring, findStatusEntry, getBit, statusEntryIndex, } from "./status-list";
+const JSON_HEADERS = { "content-type": "application/json" };
+function json(body, status = 200) {
+    return new Response(JSON.stringify(body), { status, headers: JSON_HEADERS });
+}
+function problem(reason, description, status) {
+    return json({ error: reason, error_description: description }, status);
+}
+function emit(config, level, event, fields) {
+    config.logger[level](event, fields);
+    config.metrics.count(event, fields);
+}
+// Importing a key with crypto.subtle is comparatively expensive, and the secret
+// binding is stable for the life of the isolate. Cache the resolved Signer by the
+// raw JWK string so a hot issuance path imports the key once, not per request.
+const signerCache = new Map();
+/** Parse and validate the signing-key secret binding (fail loudly). */
+async function loadSigner(env) {
+    if (!env.VC_SIGNING_KEY || typeof env.VC_SIGNING_KEY !== "string") {
+        throw new Error("@dwk/vc: missing required secret binding `VC_SIGNING_KEY`");
+    }
+    const cached = signerCache.get(env.VC_SIGNING_KEY);
+    if (cached !== undefined)
+        return cached;
+    let jwk;
+    try {
+        jwk = JSON.parse(env.VC_SIGNING_KEY);
+    }
+    catch {
+        throw new Error("@dwk/vc: `VC_SIGNING_KEY` is not valid JWK JSON");
+    }
+    const signer = await importSigner(jwk);
+    signerCache.set(env.VC_SIGNING_KEY, signer);
+    return signer;
+}
+function getStore(env) {
+    return env.VC_STATUS_DB
+        ? createVcStatusStore({ VC_STATUS_DB: env.VC_STATUS_DB })
+        : undefined;
+}
+/** The status list credential URL for a purpose, under this issuer. */
+function statusListUrl(config, purpose) {
+    return `${config.statusListEndpoint}/${purpose}`;
+}
+async function isObjectBody(request) {
+    try {
+        const body = (await request.json());
+        if (body !== null && typeof body === "object" && !Array.isArray(body)) {
+            return body;
+        }
+    }
+    catch {
+        /* fall through */
+    }
+    return null;
+}
+/** POST issue: sign a credential, optionally attaching a status entry. */
+async function handleIssue(request, env, config) {
+    if (!(await config.authorize("issue", request))) {
+        emit(config, "warn", VcLogEvent.Rejected, { reason: "unauthorized" });
+        return problem("unauthorized", "not authorized to issue credentials", 401);
+    }
+    const body = await isObjectBody(request);
+    const credential = body?.credential;
+    if (credential === null ||
+        typeof credential !== "object" ||
+        Array.isArray(credential)) {
+        emit(config, "warn", VcLogEvent.Rejected, { reason: "malformed_request" });
+        return problem("malformed_request", "body must be { credential }", 400);
+    }
+    const doc = credential;
+    const errors = validateCredential(doc);
+    if (errors.length > 0) {
+        emit(config, "warn", VcLogEvent.Rejected, { reason: "malformed_request" });
+        return problem("malformed_request", errors.join("; "), 400);
+    }
+    // Attach a status entry when status is enabled, the request does not opt out,
+    // and the credential does not already carry one.
+    if (config.statusEnabled &&
+        body?.credentialStatus !== false &&
+        doc.credentialStatus === undefined) {
+        const store = getStore(env);
+        if (store !== undefined) {
+            await store.init();
+            const listUrl = statusListUrl(config, config.statusPurpose);
+            const index = await store.allocateIndex(listUrl, config.statusPurpose);
+            doc.credentialStatus = buildStatusEntry({
+                statusListCredential: listUrl,
+                statusListIndex: index,
+                statusPurpose: config.statusPurpose,
+            });
+        }
+    }
+    let signer;
+    try {
+        signer = await loadSigner(env);
+    }
+    catch (error) {
+        return problem("server_error", error.message, 500);
+    }
+    const verifiableCredential = await addProof(doc, signer, {
+        verificationMethod: config.verificationMethod,
+    });
+    emit(config, "info", VcLogEvent.Issued, { cryptosuite: signer.cryptosuite });
+    return json({ verifiableCredential });
+}
+/** Resolve a credential's status bit, best-effort. */
+async function checkStatus(credential, env, config) {
+    const entry = findStatusEntry(credential, config.statusPurpose);
+    if (entry === undefined)
+        return { checked: false, revoked: false };
+    const index = statusEntryIndex(entry);
+    const listCredential = entry.statusListCredential;
+    if (index === undefined || typeof listCredential !== "string") {
+        return {
+            checked: false,
+            revoked: false,
+            error: "malformed credentialStatus",
+        };
+    }
+    // Our own list: read the authoritative D1 store directly.
+    const store = getStore(env);
+    if (store !== undefined &&
+        listCredential.startsWith(config.statusListEndpoint)) {
+        const revoked = await store.getStatus(listCredential, config.statusPurpose, index);
+        return { checked: true, revoked };
+    }
+    // Foreign list: fetch the published status list credential and decode it.
+    // Only https: is fetched — a foreign `statusListCredential` is attacker-
+    // controlled, so refusing other schemes blunts SSRF into internal services.
+    let listUrl;
+    try {
+        listUrl = new URL(listCredential);
+    }
+    catch {
+        return { checked: false, revoked: false, error: "status list malformed" };
+    }
+    if (listUrl.protocol !== "https:") {
+        return {
+            checked: false,
+            revoked: false,
+            error: "status list URL must use https",
+        };
+    }
+    try {
+        const response = await fetch(listUrl.toString(), {
+            headers: { accept: "application/json" },
+        });
+        if (!response.ok) {
+            return {
+                checked: false,
+                revoked: false,
+                error: "status list unreachable",
+            };
+        }
+        const listCred = (await response.json());
+        const subject = listCred.credentialSubject;
+        const encodedList = subject?.encodedList;
+        if (typeof encodedList !== "string") {
+            return { checked: false, revoked: false, error: "status list malformed" };
+        }
+        const bits = await decodeBitstring(encodedList);
+        return { checked: true, revoked: getBit(bits, index) };
+    }
+    catch {
+        return { checked: false, revoked: false, error: "status list unreachable" };
+    }
+}
+/** POST verify: structural + validity + proof + status checks. */
+async function handleVerify(request, env, config, resolver) {
+    const body = await isObjectBody(request);
+    const vc = body?.verifiableCredential ?? body?.credential;
+    if (vc === null || typeof vc !== "object" || Array.isArray(vc)) {
+        emit(config, "warn", VcLogEvent.Rejected, { reason: "malformed_request" });
+        return problem("malformed_request", "body must be { verifiableCredential }", 400);
+    }
+    const doc = vc;
+    const errors = [...validateCredential(doc)];
+    const warnings = [];
+    const proofResult = await verifyProof(doc, {
+        resolveVerificationMethod: resolver,
+    });
+    errors.push(...proofResult.errors);
+    const validity = checkValidityPeriod(doc);
+    if (validity !== null)
+        errors.push(`credential is ${validity}`);
+    const status = await checkStatus(doc, env, config);
+    if (status.error !== undefined)
+        warnings.push(status.error);
+    if (status.checked && status.revoked) {
+        errors.push(config.statusPurpose === "revocation"
+            ? "credential is revoked"
+            : `credential status "${config.statusPurpose}" is set`);
+    }
+    const verified = errors.length === 0;
+    emit(config, verified ? "info" : "warn", VcLogEvent.Verified, { verified });
+    return json({ verified, errors, warnings });
+}
+/** POST status: flip a credential's status bit (e.g. revoke). */
+async function handleStatusUpdate(request, env, config) {
+    if (!config.statusEnabled) {
+        emit(config, "warn", VcLogEvent.Rejected, { reason: "status_disabled" });
+        return problem("status_disabled", "status lists are not enabled", 404);
+    }
+    if (!(await config.authorize("status", request))) {
+        emit(config, "warn", VcLogEvent.Rejected, { reason: "unauthorized" });
+        return problem("unauthorized", "not authorized to change status", 401);
+    }
+    const store = getStore(env);
+    if (store === undefined) {
+        return problem("server_error", "missing D1 binding `VC_STATUS_DB`", 500);
+    }
+    const body = await isObjectBody(request);
+    if (body === null) {
+        emit(config, "warn", VcLogEvent.Rejected, { reason: "malformed_request" });
+        return problem("malformed_request", "body must be a JSON object", 400);
+    }
+    // Accept either a full credential (read its status entry) or an explicit index.
+    let index;
+    const purpose = (typeof body.statusPurpose === "string"
+        ? body.statusPurpose
+        : config.statusPurpose);
+    const cred = body.credential;
+    if (cred !== undefined && typeof cred === "object" && !Array.isArray(cred)) {
+        const entry = findStatusEntry(cred, purpose);
+        if (entry !== undefined)
+            index = statusEntryIndex(entry);
+    }
+    if (index === undefined) {
+        const raw = body.statusListIndex ?? body.index;
+        const n = typeof raw === "string" ? Number(raw) : raw;
+        if (typeof n === "number" && Number.isInteger(n) && n >= 0)
+            index = n;
+    }
+    if (index === undefined) {
+        emit(config, "warn", VcLogEvent.Rejected, { reason: "malformed_request" });
+        return problem("malformed_request", "provide a credential with a status entry or a statusListIndex", 400);
+    }
+    const value = body.status === undefined ? true : body.status === true;
+    await store.init();
+    await store.setStatus(statusListUrl(config, purpose), purpose, index, value);
+    emit(config, "info", VcLogEvent.StatusChanged, {
+        statusPurpose: purpose,
+        value,
+    });
+    return json({ status: "ok", statusListIndex: index, value });
+}
+/** GET a signed status list credential for a purpose. */
+async function handleStatusList(env, config, purposeSegment) {
+    if (!config.statusEnabled) {
+        return problem("status_disabled", "status lists are not enabled", 404);
+    }
+    const store = getStore(env);
+    if (store === undefined) {
+        return problem("server_error", "missing D1 binding `VC_STATUS_DB`", 500);
+    }
+    const purpose = purposeSegment;
+    const listUrl = statusListUrl(config, purpose);
+    await store.init();
+    const indices = await store.setIndices(listUrl, purpose);
+    const encodedList = await buildEncodedList(indices, config.statusListLength);
+    const unsigned = buildStatusListCredential({
+        id: listUrl,
+        statusPurpose: purpose,
+        encodedList,
+        issuer: config.did,
+    });
+    let signer;
+    try {
+        signer = await loadSigner(env);
+    }
+    catch (error) {
+        return problem("server_error", error.message, 500);
+    }
+    const signed = await addProof(unsigned, signer, {
+        verificationMethod: config.verificationMethod,
+    });
+    return json(signed);
+}
+/**
+ * Build the `@dwk/vc` handler from configuration.
+ *
+ * The returned handler routes `POST {issueEndpoint}`, `POST {verifyEndpoint}`,
+ * `POST {statusEndpoint}`, and `GET {statusListEndpoint}/<purpose>`. Issuance and
+ * status changes are gated by the configured {@link AuthorizeOperation} hook (or
+ * the composing Worker's front door) and require the `VC_SIGNING_KEY` secret;
+ * status requires the `VC_STATUS_DB` D1 binding. Unmatched routes get `404`;
+ * wrong methods get `405`. The issuer credential / `issuerId` is recorded by host
+ * only; subjects, claims, keys, and proof values are never logged.
+ */
+export function createVc(config) {
+    const resolved = resolveConfig(config);
+    // Default verification resolver: did:web over the global fetch.
+    const resolver = resolved.resolveDid ?? createDidWebResolver();
+    return async (request, env, _ctx) => {
+        const url = new URL(request.url);
+        const path = url.pathname;
+        const method = request.method;
+        if (path === resolved.issuePath) {
+            if (method !== "POST")
+                return methodNotAllowed(resolved, "POST");
+            return handleIssue(request, env, resolved);
+        }
+        if (path === resolved.verifyPath) {
+            if (method !== "POST")
+                return methodNotAllowed(resolved, "POST");
+            return handleVerify(request, env, resolved, resolver);
+        }
+        if (path === resolved.statusPath) {
+            if (method !== "POST")
+                return methodNotAllowed(resolved, "POST");
+            return handleStatusUpdate(request, env, resolved);
+        }
+        if (path.startsWith(`${resolved.statusListPath}/`)) {
+            if (method !== "GET" && method !== "HEAD") {
+                return methodNotAllowed(resolved, "GET");
+            }
+            const segment = path.slice(resolved.statusListPath.length + 1);
+            if (segment.length === 0 || segment.includes("/")) {
+                return problem("not_found", "no such status list", 404);
+            }
+            const response = await handleStatusList(env, resolved, segment);
+            return method === "HEAD"
+                ? new Response(null, {
+                    status: response.status,
+                    headers: response.headers,
+                })
+                : response;
+        }
+        emit(resolved, "warn", VcLogEvent.Rejected, {
+            reason: "not_found",
+            host: hostFromUrl(request.url),
+        });
+        return problem("not_found", "no such endpoint", 404);
+    };
+}
+function methodNotAllowed(config, allow) {
+    emit(config, "warn", VcLogEvent.Rejected, { reason: "method_not_allowed" });
+    return new Response(JSON.stringify({ error: "method_not_allowed" }), {
+        status: 405,
+        headers: { ...JSON_HEADERS, allow },
+    });
+}
+//# sourceMappingURL=handler.js.map

package/dist/handler.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"handler.js","sourceRoot":"","sources":["../src/handler.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAEH,OAAO,EAAE,WAAW,EAAkB,MAAM,UAAU,CAAC;AAEvD,OAAO,EAAE,aAAa,EAAwC,MAAM,UAAU,CAAC;AAC/E,OAAO,EACL,QAAQ,EACR,YAAY,EACZ,WAAW,GAIZ,MAAM,kBAAkB,CAAC;AAC1B,OAAO,EAAE,oBAAoB,EAAE,MAAM,WAAW,CAAC;AACjD,OAAO,EAAE,mBAAmB,EAAE,kBAAkB,EAAE,MAAM,cAAc,CAAC;AACvE,OAAO,EAAE,UAAU,EAAE,MAAM,OAAO,CAAC;AACnC,OAAO,EACL,gBAAgB,EAChB,gBAAgB,EAChB,yBAAyB,EACzB,mBAAmB,EACnB,eAAe,EACf,eAAe,EACf,MAAM,EACN,gBAAgB,GAIjB,MAAM,eAAe,CAAC;AAkBvB,MAAM,YAAY,GAAG,EAAE,cAAc,EAAE,kBAAkB,EAAW,CAAC;AAErE,SAAS,IAAI,CAAC,IAAa,EAAE,MAAM,GAAG,GAAG;IACvC,OAAO,IAAI,QAAQ,CAAC,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,EAAE,EAAE,MAAM,EAAE,OAAO,EAAE,YAAY,EAAE,CAAC,CAAC;AAC/E,CAAC;AAED,SAAS,OAAO,CACd,MAAc,EACd,WAAmB,EACnB,MAAc;IAEd,OAAO,IAAI,CAAC,EAAE,KAAK,EAAE,MAAM,EAAE,iBAAiB,EAAE,WAAW,EAAE,EAAE,MAAM,CAAC,CAAC;AACzE,CAAC;AAED,SAAS,IAAI,CACX,MAAwB,EACxB,KAAsB,EACtB,KAAa,EACb,MAAkB;IAElB,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,KAAK,EAAE,MAAM,CAAC,CAAC;IACpC,MAAM,CAAC,OAAO,CAAC,KAAK,CAAC,KAAK,EAAE,MAAM,CAAC,CAAC;AACtC,CAAC;AAED,gFAAgF;AAChF,kFAAkF;AAClF,+EAA+E;AAC/E,MAAM,WAAW,GAAG,IAAI,GAAG,EAAkB,CAAC;AAE9C,uEAAuE;AACvE,KAAK,UAAU,UAAU,CAAC,GAAU;IAClC,IAAI,CAAC,GAAG,CAAC,cAAc,IAAI,OAAO,GAAG,CAAC,cAAc,KAAK,QAAQ,EAAE,CAAC;QAClE,MAAM,IAAI,KAAK,CACb,2DAA2D,CAC5D,CAAC;IACJ,CAAC;IACD,MAAM,MAAM,GAAG,WAAW,CAAC,GAAG,CAAC,GAAG,CAAC,cAAc,CAAC,CAAC;IACnD,IAAI,MAAM,KAAK,SAAS;QAAE,OAAO,MAAM,CAAC;IAExC,IAAI,GAAe,CAAC;IACpB,IAAI,CAAC;QACH,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,cAAc,CAAe,CAAC;IACrD,CAAC;IAAC,MAAM,CAAC;QACP,MAAM,IAAI,KAAK,CAAC,iDAAiD,CAAC,CAAC;IACrE,CAAC;IACD,MAAM,MAAM,GAAG,MAAM,YAAY,CAAC,GAAG,CAAC,CAAC;IACvC,WAAW,CAAC,GAAG,CAAC,GAAG,CAAC,cAAc,EAAE,MAAM,CAAC,CAAC;IAC5C,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,SAAS,QAAQ,CAAC,GAAU;IAC1B,OAAO,GAAG,CAAC,YAAY;QACrB,CAAC,CAAC,mBAAmB,CAAC,EAAE,YAAY,EAAE,GAAG,CAAC,YAAY,EAAE,CAAC;QACzD,CAAC,CAAC,SAAS,CAAC;AAChB,CAAC;AAED,uEAAuE;AACvE,SAAS,aAAa,CACpB,MAAwB,EACxB,OAAsB;IAEtB,OAAO,GAAG,MAAM,CAAC,kBAAkB,IAAI,OAAO,EAAE,CAAC;AACnD,CAAC;AAED,KAAK,UAAU,YAAY,CAAC,OAAgB;IAC1C,IAAI,CAAC;QACH,MAAM,IAAI,GAAG,CAAC,MAAM,OAAO,CAAC,IAAI,EAAE,CAAY,CAAC;QAC/C,IAAI,IAAI,KAAK,IAAI,IAAI,OAAO,IAAI,KAAK,QAAQ,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,CAAC;YACtE,OAAO,IAAkB,CAAC;QAC5B,CAAC;IACH,CAAC;IAAC,MAAM,CAAC;QACP,kBAAkB;IACpB,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED,0EAA0E;AAC1E,KAAK,UAAU,WAAW,CACxB,OAAgB,EAChB,GAAU,EACV,MAAwB;IAExB,IAAI,CAAC,CAAC,MAAM,MAAM,CAAC,SAAS,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC,EAAE,CAAC;QAChD,IAAI,CAAC,MAAM,EAAE,MAAM,EAAE,UAAU,CAAC,QAAQ,EAAE,EAAE,MAAM,EAAE,cAAc,EAAE,CAAC,CAAC;QACtE,OAAO,OAAO,CAAC,cAAc,EAAE,qCAAqC,EAAE,GAAG,CAAC,CAAC;IAC7E,CAAC;IACD,MAAM,IAAI,GAAG,MAAM,YAAY,CAAC,OAAO,CAAC,CAAC;IACzC,MAAM,UAAU,GAAG,IAAI,EAAE,UAAU,CAAC;IACpC,IACE,UAAU,KAAK,IAAI;QACnB,OAAO,UAAU,KAAK,QAAQ;QAC9B,KAAK,CAAC,OAAO,CAAC,UAAU,CAAC,EACzB,CAAC;QACD,IAAI,CAAC,MAAM,EAAE,MAAM,EAAE,UAAU,CAAC,QAAQ,EAAE,EAAE,MAAM,EAAE,mBAAmB,EAAE,CAAC,CAAC;QAC3E,OAAO,OAAO,CAAC,mBAAmB,EAAE,6BAA6B,EAAE,GAAG,CAAC,CAAC;IAC1E,CAAC;IACD,MAAM,GAAG,GAAG,UAAwB,CAAC;IAErC,MAAM,MAAM,GAAG,kBAAkB,CAAC,GAAG,CAAC,CAAC;IACvC,IAAI,MAAM,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACtB,IAAI,CAAC,MAAM,EAAE,MAAM,EAAE,UAAU,CAAC,QAAQ,EAAE,EAAE,MAAM,EAAE,mBAAmB,EAAE,CAAC,CAAC;QAC3E,OAAO,OAAO,CAAC,mBAAmB,EAAE,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,GAAG,CAAC,CAAC;IAC9D,CAAC;IAED,8EAA8E;IAC9E,iDAAiD;IACjD,IACE,MAAM,CAAC,aAAa;QACpB,IAAI,EAAE,gBAAgB,KAAK,KAAK;QAChC,GAAG,CAAC,gBAAgB,KAAK,SAAS,EAClC,CAAC;QACD,MAAM,KAAK,GAAG,QAAQ,CAAC,GAAG,CAAC,CAAC;QAC5B,IAAI,KAAK,KAAK,SAAS,EAAE,CAAC;YACxB,MAAM,KAAK,CAAC,IAAI,EAAE,CAAC;YACnB,MAAM,OAAO,GAAG,aAAa,CAAC,MAAM,EAAE,MAAM,CAAC,aAAa,CAAC,CAAC;YAC5D,MAAM,KAAK,GAAG,MAAM,KAAK,CAAC,aAAa,CAAC,OAAO,EAAE,MAAM,CAAC,aAAa,CAAC,CAAC;YACvE,GAAG,CAAC,gBAAgB,GAAG,gBAAgB,CAAC;gBACtC,oBAAoB,EAAE,OAAO;gBAC7B,eAAe,EAAE,KAAK;gBACtB,aAAa,EAAE,MAAM,CAAC,aAAa;aACpC,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,IAAI,MAAc,CAAC;IACnB,IAAI,CAAC;QACH,MAAM,GAAG,MAAM,UAAU,CAAC,GAAG,CAAC,CAAC;IACjC,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,OAAO,OAAO,CAAC,cAAc,EAAG,KAAe,CAAC,OAAO,EAAE,GAAG,CAAC,CAAC;IAChE,CAAC;IAED,MAAM,oBAAoB,GAAG,MAAM,QAAQ,CAAC,GAAG,EAAE,MAAM,EAAE;QACvD,kBAAkB,EAAE,MAAM,CAAC,kBAAkB;KAC9C,CAAC,CAAC;IACH,IAAI,CAAC,MAAM,EAAE,MAAM,EAAE,UAAU,CAAC,MAAM,EAAE,EAAE,WAAW,EAAE,MAAM,CAAC,WAAW,EAAE,CAAC,CAAC;IAC7E,OAAO,IAAI,CAAC,EAAE,oBAAoB,EAAE,CAAC,CAAC;AACxC,CAAC;AAED,sDAAsD;AACtD,KAAK,UAAU,WAAW,CACxB,UAAsB,EACtB,GAAU,EACV,MAAwB;IAExB,MAAM,KAAK,GAAG,eAAe,CAAC,UAAU,EAAE,MAAM,CAAC,aAAa,CAAC,CAAC;IAChE,IAAI,KAAK,KAAK,SAAS;QAAE,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,OAAO,EAAE,KAAK,EAAE,CAAC;IACnE,MAAM,KAAK,GAAG,gBAAgB,CAAC,KAAK,CAAC,CAAC;IACtC,MAAM,cAAc,GAAG,KAAK,CAAC,oBAAoB,CAAC;IAClD,IAAI,KAAK,KAAK,SAAS,IAAI,OAAO,cAAc,KAAK,QAAQ,EAAE,CAAC;QAC9D,OAAO;YACL,OAAO,EAAE,KAAK;YACd,OAAO,EAAE,KAAK;YACd,KAAK,EAAE,4BAA4B;SACpC,CAAC;IACJ,CAAC;IAED,0DAA0D;IAC1D,MAAM,KAAK,GAAG,QAAQ,CAAC,GAAG,CAAC,CAAC;IAC5B,IACE,KAAK,KAAK,SAAS;QACnB,cAAc,CAAC,UAAU,CAAC,MAAM,CAAC,kBAAkB,CAAC,EACpD,CAAC;QACD,MAAM,OAAO,GAAG,MAAM,KAAK,CAAC,SAAS,CACnC,cAAc,EACd,MAAM,CAAC,aAAa,EACpB,KAAK,CACN,CAAC;QACF,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,OAAO,EAAE,CAAC;IACpC,CAAC;IAED,0EAA0E;IAC1E,yEAAyE;IACzE,4EAA4E;IAC5E,IAAI,OAAY,CAAC;IACjB,IAAI,CAAC;QACH,OAAO,GAAG,IAAI,GAAG,CAAC,cAAc,CAAC,CAAC;IACpC,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,uBAAuB,EAAE,CAAC;IAC5E,CAAC;IACD,IAAI,OAAO,CAAC,QAAQ,KAAK,QAAQ,EAAE,CAAC;QAClC,OAAO;YACL,OAAO,EAAE,KAAK;YACd,OAAO,EAAE,KAAK;YACd,KAAK,EAAE,gCAAgC;SACxC,CAAC;IACJ,CAAC;IACD,IAAI,CAAC;QACH,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,OAAO,CAAC,QAAQ,EAAE,EAAE;YAC/C,OAAO,EAAE,EAAE,MAAM,EAAE,kBAAkB,EAAE;SACxC,CAAC,CAAC;QACH,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;YACjB,OAAO;gBACL,OAAO,EAAE,KAAK;gBACd,OAAO,EAAE,KAAK;gBACd,KAAK,EAAE,yBAAyB;aACjC,CAAC;QACJ,CAAC;QACD,MAAM,QAAQ,GAAG,CAAC,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAe,CAAC;QACvD,MAAM,OAAO,GAAG,QAAQ,CAAC,iBAA2C,CAAC;QACrE,MAAM,WAAW,GAAG,OAAO,EAAE,WAAW,CAAC;QACzC,IAAI,OAAO,WAAW,KAAK,QAAQ,EAAE,CAAC;YACpC,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,uBAAuB,EAAE,CAAC;QAC5E,CAAC;QACD,MAAM,IAAI,GAAG,MAAM,eAAe,CAAC,WAAW,CAAC,CAAC;QAChD,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,OAAO,EAAE,MAAM,CAAC,IAAI,EAAE,KAAK,CAAC,EAAE,CAAC;IACzD,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,yBAAyB,EAAE,CAAC;IAC9E,CAAC;AACH,CAAC;AAED,kEAAkE;AAClE,KAAK,UAAU,YAAY,CACzB,OAAgB,EAChB,GAAU,EACV,MAAwB,EACxB,QAAoC;IAEpC,MAAM,IAAI,GAAG,MAAM,YAAY,CAAC,OAAO,CAAC,CAAC;IACzC,MAAM,EAAE,GAAG,IAAI,EAAE,oBAAoB,IAAI,IAAI,EAAE,UAAU,CAAC;IAC1D,IAAI,EAAE,KAAK,IAAI,IAAI,OAAO,EAAE,KAAK,QAAQ,IAAI,KAAK,CAAC,OAAO,CAAC,EAAE,CAAC,EAAE,CAAC;QAC/D,IAAI,CAAC,MAAM,EAAE,MAAM,EAAE,UAAU,CAAC,QAAQ,EAAE,EAAE,MAAM,EAAE,mBAAmB,EAAE,CAAC,CAAC;QAC3E,OAAO,OAAO,CACZ,mBAAmB,EACnB,uCAAuC,EACvC,GAAG,CACJ,CAAC;IACJ,CAAC;IACD,MAAM,GAAG,GAAG,EAAgB,CAAC;IAE7B,MAAM,MAAM,GAAa,CAAC,GAAG,kBAAkB,CAAC,GAAG,CAAC,CAAC,CAAC;IACtD,MAAM,QAAQ,GAAa,EAAE,CAAC;IAE9B,MAAM,WAAW,GAAG,MAAM,WAAW,CAAC,GAAG,EAAE;QACzC,yBAAyB,EAAE,QAAQ;KACpC,CAAC,CAAC;IACH,MAAM,CAAC,IAAI,CAAC,GAAG,WAAW,CAAC,MAAM,CAAC,CAAC;IAEnC,MAAM,QAAQ,GAAG,mBAAmB,CAAC,GAAG,CAAC,CAAC;IAC1C,IAAI,QAAQ,KAAK,IAAI;QAAE,MAAM,CAAC,IAAI,CAAC,iBAAiB,QAAQ,EAAE,CAAC,CAAC;IAEhE,MAAM,MAAM,GAAG,MAAM,WAAW,CAAC,GAAG,EAAE,GAAG,EAAE,MAAM,CAAC,CAAC;IACnD,IAAI,MAAM,CAAC,KAAK,KAAK,SAAS;QAAE,QAAQ,CAAC,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;IAC5D,IAAI,MAAM,CAAC,OAAO,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC;QACrC,MAAM,CAAC,IAAI,CACT,MAAM,CAAC,aAAa,KAAK,YAAY;YACnC,CAAC,CAAC,uBAAuB;YACzB,CAAC,CAAC,sBAAsB,MAAM,CAAC,aAAa,UAAU,CACzD,CAAC;IACJ,CAAC;IAED,MAAM,QAAQ,GAAG,MAAM,CAAC,MAAM,KAAK,CAAC,CAAC;IACrC,IAAI,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,MAAM,EAAE,UAAU,CAAC,QAAQ,EAAE,EAAE,QAAQ,EAAE,CAAC,CAAC;IAC5E,OAAO,IAAI,CAAC,EAAE,QAAQ,EAAE,MAAM,EAAE,QAAQ,EAAE,CAAC,CAAC;AAC9C,CAAC;AAED,iEAAiE;AACjE,KAAK,UAAU,kBAAkB,CAC/B,OAAgB,EAChB,GAAU,EACV,MAAwB;IAExB,IAAI,CAAC,MAAM,CAAC,aAAa,EAAE,CAAC;QAC1B,IAAI,CAAC,MAAM,EAAE,MAAM,EAAE,UAAU,CAAC,QAAQ,EAAE,EAAE,MAAM,EAAE,iBAAiB,EAAE,CAAC,CAAC;QACzE,OAAO,OAAO,CAAC,iBAAiB,EAAE,8BAA8B,EAAE,GAAG,CAAC,CAAC;IACzE,CAAC;IACD,IAAI,CAAC,CAAC,MAAM,MAAM,CAAC,SAAS,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC,EAAE,CAAC;QACjD,IAAI,CAAC,MAAM,EAAE,MAAM,EAAE,UAAU,CAAC,QAAQ,EAAE,EAAE,MAAM,EAAE,cAAc,EAAE,CAAC,CAAC;QACtE,OAAO,OAAO,CAAC,cAAc,EAAE,iCAAiC,EAAE,GAAG,CAAC,CAAC;IACzE,CAAC;IACD,MAAM,KAAK,GAAG,QAAQ,CAAC,GAAG,CAAC,CAAC;IAC5B,IAAI,KAAK,KAAK,SAAS,EAAE,CAAC;QACxB,OAAO,OAAO,CAAC,cAAc,EAAE,mCAAmC,EAAE,GAAG,CAAC,CAAC;IAC3E,CAAC;IAED,MAAM,IAAI,GAAG,MAAM,YAAY,CAAC,OAAO,CAAC,CAAC;IACzC,IAAI,IAAI,KAAK,IAAI,EAAE,CAAC;QAClB,IAAI,CAAC,MAAM,EAAE,MAAM,EAAE,UAAU,CAAC,QAAQ,EAAE,EAAE,MAAM,EAAE,mBAAmB,EAAE,CAAC,CAAC;QAC3E,OAAO,OAAO,CAAC,mBAAmB,EAAE,4BAA4B,EAAE,GAAG,CAAC,CAAC;IACzE,CAAC;IAED,gFAAgF;IAChF,IAAI,KAAyB,CAAC;IAC9B,MAAM,OAAO,GAAG,CACd,OAAO,IAAI,CAAC,aAAa,KAAK,QAAQ;QACpC,CAAC,CAAC,IAAI,CAAC,aAAa;QACpB,CAAC,CAAC,MAAM,CAAC,aAAa,CACR,CAAC;IACnB,MAAM,IAAI,GAAG,IAAI,CAAC,UAAU,CAAC;IAC7B,IAAI,IAAI,KAAK,SAAS,IAAI,OAAO,IAAI,KAAK,QAAQ,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,CAAC;QAC3E,MAAM,KAAK,GAAG,eAAe,CAAC,IAAkB,EAAE,OAAO,CAAC,CAAC;QAC3D,IAAI,KAAK,KAAK,SAAS;YAAE,KAAK,GAAG,gBAAgB,CAAC,KAAK,CAAC,CAAC;IAC3D,CAAC;IACD,IAAI,KAAK,KAAK,SAAS,EAAE,CAAC;QACxB,MAAM,GAAG,GAAG,IAAI,CAAC,eAAe,IAAI,IAAI,CAAC,KAAK,CAAC;QAC/C,MAAM,CAAC,GAAG,OAAO,GAAG,KAAK,QAAQ,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC;QACtD,IAAI,OAAO,CAAC,KAAK,QAAQ,IAAI,MAAM,CAAC,SAAS,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC;YAAE,KAAK,GAAG,CAAC,CAAC;IACxE,CAAC;IACD,IAAI,KAAK,KAAK,SAAS,EAAE,CAAC;QACxB,IAAI,CAAC,MAAM,EAAE,MAAM,EAAE,UAAU,CAAC,QAAQ,EAAE,EAAE,MAAM,EAAE,mBAAmB,EAAE,CAAC,CAAC;QAC3E,OAAO,OAAO,CACZ,mBAAmB,EACnB,+DAA+D,EAC/D,GAAG,CACJ,CAAC;IACJ,CAAC;IAED,MAAM,KAAK,GAAG,IAAI,CAAC,MAAM,KAAK,SAAS,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,MAAM,KAAK,IAAI,CAAC;IACtE,MAAM,KAAK,CAAC,IAAI,EAAE,CAAC;IACnB,MAAM,KAAK,CAAC,SAAS,CAAC,aAAa,CAAC,MAAM,EAAE,OAAO,CAAC,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,CAAC,CAAC;IAC7E,IAAI,CAAC,MAAM,EAAE,MAAM,EAAE,UAAU,CAAC,aAAa,EAAE;QAC7C,aAAa,EAAE,OAAO;QACtB,KAAK;KACN,CAAC,CAAC;IACH,OAAO,IAAI,CAAC,EAAE,MAAM,EAAE,IAAI,EAAE,eAAe,EAAE,KAAK,EAAE,KAAK,EAAE,CAAC,CAAC;AAC/D,CAAC;AAED,yDAAyD;AACzD,KAAK,UAAU,gBAAgB,CAC7B,GAAU,EACV,MAAwB,EACxB,cAAsB;IAEtB,IAAI,CAAC,MAAM,CAAC,aAAa,EAAE,CAAC;QAC1B,OAAO,OAAO,CAAC,iBAAiB,EAAE,8BAA8B,EAAE,GAAG,CAAC,CAAC;IACzE,CAAC;IACD,MAAM,KAAK,GAAG,QAAQ,CAAC,GAAG,CAAC,CAAC;IAC5B,IAAI,KAAK,KAAK,SAAS,EAAE,CAAC;QACxB,OAAO,OAAO,CAAC,cAAc,EAAE,mCAAmC,EAAE,GAAG,CAAC,CAAC;IAC3E,CAAC;IACD,MAAM,OAAO,GAAG,cAA+B,CAAC;IAChD,MAAM,OAAO,GAAG,aAAa,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAC/C,MAAM,KAAK,CAAC,IAAI,EAAE,CAAC;IACnB,MAAM,OAAO,GAAG,MAAM,KAAK,CAAC,UAAU,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC;IAEzD,MAAM,WAAW,GAAG,MAAM,gBAAgB,CAAC,OAAO,EAAE,MAAM,CAAC,gBAAgB,CAAC,CAAC;IAC7E,MAAM,QAAQ,GAAG,yBAAyB,CAAC;QACzC,EAAE,EAAE,OAAO;QACX,aAAa,EAAE,OAAO;QACtB,WAAW;QACX,MAAM,EAAE,MAAM,CAAC,GAAG;KACnB,CAAC,CAAC;IAEH,IAAI,MAAc,CAAC;IACnB,IAAI,CAAC;QACH,MAAM,GAAG,MAAM,UAAU,CAAC,GAAG,CAAC,CAAC;IACjC,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,OAAO,OAAO,CAAC,cAAc,EAAG,KAAe,CAAC,OAAO,EAAE,GAAG,CAAC,CAAC;IAChE,CAAC;IACD,MAAM,MAAM,GAAG,MAAM,QAAQ,CAAC,QAAQ,EAAE,MAAM,EAAE;QAC9C,kBAAkB,EAAE,MAAM,CAAC,kBAAkB;KAC9C,CAAC,CAAC;IACH,OAAO,IAAI,CAAC,MAAM,CAAC,CAAC;AACtB,CAAC;AAED;;;;;;;;;;GAUG;AACH,MAAM,UAAU,QAAQ,CAAC,MAAgB;IACvC,MAAM,QAAQ,GAAG,aAAa,CAAC,MAAM,CAAC,CAAC;IACvC,gEAAgE;IAChE,MAAM,QAAQ,GACZ,QAAQ,CAAC,UAAU,IAAI,oBAAoB,EAAE,CAAC;IAEhD,OAAO,KAAK,EAAE,OAAO,EAAE,GAAG,EAAE,IAAI,EAAE,EAAE;QAClC,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;QACjC,MAAM,IAAI,GAAG,GAAG,CAAC,QAAQ,CAAC;QAC1B,MAAM,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;QAE9B,IAAI,IAAI,KAAK,QAAQ,CAAC,SAAS,EAAE,CAAC;YAChC,IAAI,MAAM,KAAK,MAAM;gBAAE,OAAO,gBAAgB,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC;YACjE,OAAO,WAAW,CAAC,OAAO,EAAE,GAAG,EAAE,QAAQ,CAAC,CAAC;QAC7C,CAAC;QACD,IAAI,IAAI,KAAK,QAAQ,CAAC,UAAU,EAAE,CAAC;YACjC,IAAI,MAAM,KAAK,MAAM;gBAAE,OAAO,gBAAgB,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC;YACjE,OAAO,YAAY,CAAC,OAAO,EAAE,GAAG,EAAE,QAAQ,EAAE,QAAQ,CAAC,CAAC;QACxD,CAAC;QACD,IAAI,IAAI,KAAK,QAAQ,CAAC,UAAU,EAAE,CAAC;YACjC,IAAI,MAAM,KAAK,MAAM;gBAAE,OAAO,gBAAgB,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC;YACjE,OAAO,kBAAkB,CAAC,OAAO,EAAE,GAAG,EAAE,QAAQ,CAAC,CAAC;QACpD,CAAC;QACD,IAAI,IAAI,CAAC,UAAU,CAAC,GAAG,QAAQ,CAAC,cAAc,GAAG,CAAC,EAAE,CAAC;YACnD,IAAI,MAAM,KAAK,KAAK,IAAI,MAAM,KAAK,MAAM,EAAE,CAAC;gBAC1C,OAAO,gBAAgB,CAAC,QAAQ,EAAE,KAAK,CAAC,CAAC;YAC3C,CAAC;YACD,MAAM,OAAO,GAAG,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC,cAAc,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC;YAC/D,IAAI,OAAO,CAAC,MAAM,KAAK,CAAC,IAAI,OAAO,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;gBAClD,OAAO,OAAO,CAAC,WAAW,EAAE,qBAAqB,EAAE,GAAG,CAAC,CAAC;YAC1D,CAAC;YACD,MAAM,QAAQ,GAAG,MAAM,gBAAgB,CAAC,GAAG,EAAE,QAAQ,EAAE,OAAO,CAAC,CAAC;YAChE,OAAO,MAAM,KAAK,MAAM;gBACtB,CAAC,CAAC,IAAI,QAAQ,CAAC,IAAI,EAAE;oBACjB,MAAM,EAAE,QAAQ,CAAC,MAAM;oBACvB,OAAO,EAAE,QAAQ,CAAC,OAAO;iBAC1B,CAAC;gBACJ,CAAC,CAAC,QAAQ,CAAC;QACf,CAAC;QAED,IAAI,CAAC,QAAQ,EAAE,MAAM,EAAE,UAAU,CAAC,QAAQ,EAAE;YAC1C,MAAM,EAAE,WAAW;YACnB,IAAI,EAAE,WAAW,CAAC,OAAO,CAAC,GAAG,CAAC;SAC/B,CAAC,CAAC;QACH,OAAO,OAAO,CAAC,WAAW,EAAE,kBAAkB,EAAE,GAAG,CAAC,CAAC;IACvD,CAAC,CAAC;AACJ,CAAC;AAED,SAAS,gBAAgB,CAAC,MAAwB,EAAE,KAAa;IAC/D,IAAI,CAAC,MAAM,EAAE,MAAM,EAAE,UAAU,CAAC,QAAQ,EAAE,EAAE,MAAM,EAAE,oBAAoB,EAAE,CAAC,CAAC;IAC5E,OAAO,IAAI,QAAQ,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,oBAAoB,EAAE,CAAC,EAAE;QACnE,MAAM,EAAE,GAAG;QACX,OAAO,EAAE,EAAE,GAAG,YAAY,EAAE,KAAK,EAAE;KACpC,CAAC,CAAC;AACL,CAAC"}