@enbox/dwn-sdk-js 0.0.5 → 0.0.7

package/dist/esm/src/core/messages-grant-authorization.js

@@ -1,12 +1,3 @@
-var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
-    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
-    return new (P || (P = Promise))(function (resolve, reject) {
-        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
-        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
-        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
-        step((generator = generator.apply(thisArg, _arguments || [])).next());
-    });
-};
 import { DwnInterfaceName } from '../enums/dwn-interface-method.js';
 import { GrantAuthorization } from './grant-authorization.js';
 import { PermissionsProtocol } from '../protocols/permissions.js';
@@ -18,95 +9,89 @@ export class MessagesGrantAuthorization {
      * Authorizes a MessagesReadMessage using the given permission grant.
      * @param messageStore Used to check if the given grant has been revoked; and to fetch related RecordsWrites if needed.
      */
-    static authorizeMessagesRead(input) {
-        return __awaiter(this, void 0, void 0, function* () {
-            const { messagesReadMessage, messageToRead, expectedGrantor, expectedGrantee, permissionGrant, messageStore } = input;
-            yield GrantAuthorization.performBaseValidation({
-                incomingMessage: messagesReadMessage,
-                expectedGrantor,
-                expectedGrantee,
-                permissionGrant,
-                messageStore
-            });
-            const scope = permissionGrant.scope;
-            yield MessagesGrantAuthorization.verifyScope(expectedGrantor, messageToRead, scope, messageStore);
+    static async authorizeMessagesRead(input) {
+        const { messagesReadMessage, messageToRead, expectedGrantor, expectedGrantee, permissionGrant, messageStore } = input;
+        await GrantAuthorization.performBaseValidation({
+            incomingMessage: messagesReadMessage,
+            expectedGrantor,
+            expectedGrantee,
+            permissionGrant,
+            messageStore
         });
+        const scope = permissionGrant.scope;
+        await MessagesGrantAuthorization.verifyScope(expectedGrantor, messageToRead, scope, messageStore);
     }
     /**
      * Authorizes the scope of a permission grant for MessagesSubscribe or MessagesSync.
      * @param messageStore Used to check if the grant has been revoked.
      */
-    static authorizeSubscribeOrSync(input) {
-        return __awaiter(this, void 0, void 0, function* () {
-            const { incomingMessage, expectedGrantor, expectedGrantee, permissionGrant, messageStore } = input;
-            yield GrantAuthorization.performBaseValidation({
-                incomingMessage,
-                expectedGrantor,
-                expectedGrantee,
-                permissionGrant,
-                messageStore
-            });
-            // if the grant is scoped to a specific protocol, ensure that the message targets that protocol
-            if (PermissionsProtocol.hasProtocolScope(permissionGrant.scope)) {
-                const scopedProtocol = permissionGrant.scope.protocol;
-                // MessagesSync uses a direct `protocol` field on the descriptor
-                if ('action' in incomingMessage.descriptor) {
-                    const syncMessage = incomingMessage;
-                    if (syncMessage.descriptor.protocol !== scopedProtocol) {
-                        throw new DwnError(DwnErrorCode.MessagesGrantAuthorizationMismatchedProtocol, `The protocol ${syncMessage.descriptor.protocol} does not match the scoped protocol ${scopedProtocol}`);
-                    }
+    static async authorizeSubscribeOrSync(input) {
+        const { incomingMessage, expectedGrantor, expectedGrantee, permissionGrant, messageStore } = input;
+        await GrantAuthorization.performBaseValidation({
+            incomingMessage,
+            expectedGrantor,
+            expectedGrantee,
+            permissionGrant,
+            messageStore
+        });
+        // if the grant is scoped to a specific protocol, ensure that the message targets that protocol
+        if (PermissionsProtocol.hasProtocolScope(permissionGrant.scope)) {
+            const scopedProtocol = permissionGrant.scope.protocol;
+            // MessagesSync uses a direct `protocol` field on the descriptor
+            if ('action' in incomingMessage.descriptor) {
+                const syncMessage = incomingMessage;
+                if (syncMessage.descriptor.protocol !== scopedProtocol) {
+                    throw new DwnError(DwnErrorCode.MessagesGrantAuthorizationMismatchedProtocol, `The protocol ${syncMessage.descriptor.protocol} does not match the scoped protocol ${scopedProtocol}`);
                 }
-                else {
-                    // MessagesSubscribe uses filters
-                    const filteredMessage = incomingMessage;
-                    for (const filter of filteredMessage.descriptor.filters) {
-                        if (filter.protocol !== scopedProtocol) {
-                            throw new DwnError(DwnErrorCode.MessagesGrantAuthorizationMismatchedProtocol, `The protocol ${filter.protocol} does not match the scoped protocol ${scopedProtocol}`);
-                        }
+            }
+            else {
+                // MessagesSubscribe uses filters
+                const filteredMessage = incomingMessage;
+                for (const filter of filteredMessage.descriptor.filters) {
+                    if (filter.protocol !== scopedProtocol) {
+                        throw new DwnError(DwnErrorCode.MessagesGrantAuthorizationMismatchedProtocol, `The protocol ${filter.protocol} does not match the scoped protocol ${scopedProtocol}`);
                     }
                 }
             }
-        });
+        }
     }
     /**
      * Verifies the given record against the scope of the given grant.
      */
-    static verifyScope(tenant, messageToGet, incomingScope, messageStore) {
-        return __awaiter(this, void 0, void 0, function* () {
-            if (incomingScope.protocol === undefined) {
-                // if no protocol is specified in the scope, then the grant is for all records
+    static async verifyScope(tenant, messageToGet, incomingScope, messageStore) {
+        if (incomingScope.protocol === undefined) {
+            // if no protocol is specified in the scope, then the grant is for all records
+            return;
+        }
+        if (messageToGet.descriptor.interface === DwnInterfaceName.Records) {
+            // if the message is a Records interface message, get the RecordsWrite message associated with the record
+            const recordsMessage = messageToGet;
+            const recordsWriteMessage = Records.isRecordsWrite(recordsMessage) ? recordsMessage :
+                await RecordsWrite.fetchNewestRecordsWrite(messageStore, tenant, recordsMessage.descriptor.recordId);
+            if (recordsWriteMessage.descriptor.protocol === incomingScope.protocol) {
+                // the record protocol matches the incoming scope protocol
                 return;
             }
-            if (messageToGet.descriptor.interface === DwnInterfaceName.Records) {
-                // if the message is a Records interface message, get the RecordsWrite message associated with the record
-                const recordsMessage = messageToGet;
-                const recordsWriteMessage = Records.isRecordsWrite(recordsMessage) ? recordsMessage :
-                    yield RecordsWrite.fetchNewestRecordsWrite(messageStore, tenant, recordsMessage.descriptor.recordId);
-                if (recordsWriteMessage.descriptor.protocol === incomingScope.protocol) {
-                    // the record protocol matches the incoming scope protocol
+            // we check if the protocol is the internal PermissionsProtocol for further validation
+            if (recordsWriteMessage.descriptor.protocol === PermissionsProtocol.uri) {
+                // get the permission scope from the permission message
+                const permissionScope = await PermissionsProtocol.getScopeFromPermissionRecord(tenant, messageStore, recordsWriteMessage);
+                if (PermissionsProtocol.hasProtocolScope(permissionScope) && permissionScope.protocol === incomingScope.protocol) {
+                    // the permissions record scoped protocol matches the incoming scope protocol
                     return;
                 }
-                // we check if the protocol is the internal PermissionsProtocol for further validation
-                if (recordsWriteMessage.descriptor.protocol === PermissionsProtocol.uri) {
-                    // get the permission scope from the permission message
-                    const permissionScope = yield PermissionsProtocol.getScopeFromPermissionRecord(tenant, messageStore, recordsWriteMessage);
-                    if (PermissionsProtocol.hasProtocolScope(permissionScope) && permissionScope.protocol === incomingScope.protocol) {
-                        // the permissions record scoped protocol matches the incoming scope protocol
-                        return;
-                    }
-                }
             }
-            else if (messageToGet.descriptor.interface === DwnInterfaceName.Protocols) {
-                // if the message is a protocol message, it must be a `ProtocolConfigure` message
-                const protocolsConfigureMessage = messageToGet;
-                const configureProtocol = protocolsConfigureMessage.descriptor.definition.protocol;
-                if (configureProtocol === incomingScope.protocol) {
-                    // the configured protocol matches the incoming scope protocol
-                    return;
-                }
+        }
+        else if (messageToGet.descriptor.interface === DwnInterfaceName.Protocols) {
+            // if the message is a protocol message, it must be a `ProtocolConfigure` message
+            const protocolsConfigureMessage = messageToGet;
+            const configureProtocol = protocolsConfigureMessage.descriptor.definition.protocol;
+            if (configureProtocol === incomingScope.protocol) {
+                // the configured protocol matches the incoming scope protocol
+                return;
             }
-            throw new DwnError(DwnErrorCode.MessagesReadVerifyScopeFailed, 'record message failed scope authorization');
-        });
+        }
+        throw new DwnError(DwnErrorCode.MessagesReadVerifyScopeFailed, 'record message failed scope authorization');
     }
 }
 //# sourceMappingURL=messages-grant-authorization.js.map

package/dist/esm/src/core/messages-grant-authorization.js.map

@@ -1 +1 @@
-{"version":3,"file":"messages-grant-authorization.js","sourceRoot":"","sources":["../../../../src/core/messages-grant-authorization.ts"],"names":[],"mappings":";;;;;;;;;AAQA,OAAO,EAAE,gBAAgB,EAAE,MAAM,kCAAkC,CAAC;AACpE,OAAO,EAAE,kBAAkB,EAAE,MAAM,0BAA0B,CAAC;AAC9D,OAAO,EAAE,mBAAmB,EAAE,MAAM,6BAA6B,CAAC;AAClE,OAAO,EAAE,OAAO,EAAE,MAAM,qBAAqB,CAAC;AAC9C,OAAO,EAAE,YAAY,EAAE,MAAM,gCAAgC,CAAC;AAC9D,OAAO,EAAE,QAAQ,EAAE,YAAY,EAAE,MAAM,gBAAgB,CAAC;AAExD,MAAM,OAAO,0BAA0B;IAErC;;;OAGG;IACI,MAAM,CAAO,qBAAqB,CAAC,KAOzC;;YACC,MAAM,EACJ,mBAAmB,EAAE,aAAa,EAAE,eAAe,EAAE,eAAe,EAAE,eAAe,EAAE,YAAY,EACpG,GAAG,KAAK,CAAC;YAEV,MAAM,kBAAkB,CAAC,qBAAqB,CAAC;gBAC7C,eAAe,EAAE,mBAAmB;gBACpC,eAAe;gBACf,eAAe;gBACf,eAAe;gBACf,YAAY;aACb,CAAC,CAAC;YAEH,MAAM,KAAK,GAAG,eAAe,CAAC,KAAgC,CAAC;YAC/D,MAAM,0BAA0B,CAAC,WAAW,CAAC,eAAe,EAAE,aAAa,EAAE,KAAK,EAAE,YAAY,CAAC,CAAC;QACpG,CAAC;KAAA;IAED;;;OAGG;IACI,MAAM,CAAO,wBAAwB,CAAC,KAM5C;;YACC,MAAM,EACJ,eAAe,EAAE,eAAe,EAAE,eAAe,EAAE,eAAe,EAAE,YAAY,EACjF,GAAG,KAAK,CAAC;YAEV,MAAM,kBAAkB,CAAC,qBAAqB,CAAC;gBAC7C,eAAe;gBACf,eAAe;gBACf,eAAe;gBACf,eAAe;gBACf,YAAY;aACb,CAAC,CAAC;YAEH,+FAA+F;YAC/F,IAAI,mBAAmB,CAAC,gBAAgB,CAAC,eAAe,CAAC,KAAK,CAAC,EAAE,CAAC;gBAChE,MAAM,cAAc,GAAG,eAAe,CAAC,KAAK,CAAC,QAAQ,CAAC;gBAEtD,gEAAgE;gBAChE,IAAI,QAAQ,IAAI,eAAe,CAAC,UAAU,EAAE,CAAC;oBAC3C,MAAM,WAAW,GAAG,eAAsC,CAAC;oBAC3D,IAAI,WAAW,CAAC,UAAU,CAAC,QAAQ,KAAK,cAAc,EAAE,CAAC;wBACvD,MAAM,IAAI,QAAQ,CAChB,YAAY,CAAC,4CAA4C,EACzD,gBAAgB,WAAW,CAAC,UAAU,CAAC,QAAQ,uCAAuC,cAAc,EAAE,CACvG,CAAC;oBACJ,CAAC;gBACH,CAAC;qBAAM,CAAC;oBACN,iCAAiC;oBACjC,MAAM,eAAe,GAAG,eAA2C,CAAC;oBACpE,KAAK,MAAM,MAAM,IAAI,eAAe,CAAC,UAAU,CAAC,OAAO,EAAE,CAAC;wBACxD,IAAI,MAAM,CAAC,QAAQ,KAAK,cAAc,EAAE,CAAC;4BACvC,MAAM,IAAI,QAAQ,CAChB,YAAY,CAAC,4CAA4C,EACzD,gBAAgB,MAAM,CAAC,QAAQ,uCAAuC,cAAc,EAAE,CACvF,CAAC;wBACJ,CAAC;oBACH,CAAC;gBACH,CAAC;YACH,CAAC;QACH,CAAC;KAAA;IAED;;OAEG;IACK,MAAM,CAAO,WAAW,CAC9B,MAAc,EACd,YAA4B,EAC5B,aAAsC,EACtC,YAA0B;;YAE1B,IAAI,aAAa,CAAC,QAAQ,KAAK,SAAS,EAAE,CAAC;gBACzC,8EAA8E;gBAC9E,OAAO;YACT,CAAC;YAED,IAAI,YAAY,CAAC,UAAU,CAAC,SAAS,KAAK,gBAAgB,CAAC,OAAO,EAAE,CAAC;gBACnE,yGAAyG;gBACzG,MAAM,cAAc,GAAG,YAA0D,CAAC;gBAClF,MAAM,mBAAmB,GAAG,OAAO,CAAC,cAAc,CAAC,cAAc,CAAC,CAAC,CAAC,CAAC,cAAc,CAAC,CAAC;oBACnF,MAAM,YAAY,CAAC,uBAAuB,CAAC,YAAY,EAAE,MAAM,EAAE,cAAc,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC;gBAEvG,IAAI,mBAAmB,CAAC,UAAU,CAAC,QAAQ,KAAK,aAAa,CAAC,QAAQ,EAAE,CAAC;oBACvE,0DAA0D;oBAC1D,OAAO;gBACT,CAAC;gBAED,sFAAsF;gBACtF,IAAI,mBAAmB,CAAC,UAAU,CAAC,QAAQ,KAAK,mBAAmB,CAAC,GAAG,EAAE,CAAC;oBACxE,uDAAuD;oBACvD,MAAM,eAAe,GAAG,MAAM,mBAAmB,CAAC,4BAA4B,CAC5E,MAAM,EACN,YAAY,EACZ,mBAAqD,CACtD,CAAC;oBAEF,IAAI,mBAAmB,CAAC,gBAAgB,CAAC,eAAe,CAAC,IAAI,eAAe,CAAC,QAAQ,KAAK,aAAa,CAAC,QAAQ,EAAE,CAAC;wBACjH,6EAA6E;wBAC7E,OAAO;oBACT,CAAC;gBACH,CAAC;YACH,CAAC;iBAAM,IAAI,YAAY,CAAC,UAAU,CAAC,SAAS,KAAK,gBAAgB,CAAC,SAAS,EAAE,CAAC;gBAC5E,iFAAiF;gBACjF,MAAM,yBAAyB,GAAG,YAAyC,CAAC;gBAC5E,MAAM,iBAAiB,GAAG,yBAAyB,CAAC,UAAU,CAAC,UAAU,CAAC,QAAQ,CAAC;gBACnF,IAAI,iBAAiB,KAAK,aAAa,CAAC,QAAQ,EAAE,CAAC;oBACjD,8DAA8D;oBAC9D,OAAO;gBACT,CAAC;YACH,CAAC;YAED,MAAM,IAAI,QAAQ,CAAC,YAAY,CAAC,6BAA6B,EAAE,2CAA2C,CAAC,CAAC;QAC9G,CAAC;KAAA;CACF"}
+{"version":3,"file":"messages-grant-authorization.js","sourceRoot":"","sources":["../../../../src/core/messages-grant-authorization.ts"],"names":[],"mappings":"AAQA,OAAO,EAAE,gBAAgB,EAAE,MAAM,kCAAkC,CAAC;AACpE,OAAO,EAAE,kBAAkB,EAAE,MAAM,0BAA0B,CAAC;AAC9D,OAAO,EAAE,mBAAmB,EAAE,MAAM,6BAA6B,CAAC;AAClE,OAAO,EAAE,OAAO,EAAE,MAAM,qBAAqB,CAAC;AAC9C,OAAO,EAAE,YAAY,EAAE,MAAM,gCAAgC,CAAC;AAC9D,OAAO,EAAE,QAAQ,EAAE,YAAY,EAAE,MAAM,gBAAgB,CAAC;AAExD,MAAM,OAAO,0BAA0B;IAErC;;;OAGG;IACI,MAAM,CAAC,KAAK,CAAC,qBAAqB,CAAC,KAOzC;QACC,MAAM,EACJ,mBAAmB,EAAE,aAAa,EAAE,eAAe,EAAE,eAAe,EAAE,eAAe,EAAE,YAAY,EACpG,GAAG,KAAK,CAAC;QAEV,MAAM,kBAAkB,CAAC,qBAAqB,CAAC;YAC7C,eAAe,EAAE,mBAAmB;YACpC,eAAe;YACf,eAAe;YACf,eAAe;YACf,YAAY;SACb,CAAC,CAAC;QAEH,MAAM,KAAK,GAAG,eAAe,CAAC,KAAgC,CAAC;QAC/D,MAAM,0BAA0B,CAAC,WAAW,CAAC,eAAe,EAAE,aAAa,EAAE,KAAK,EAAE,YAAY,CAAC,CAAC;IACpG,CAAC;IAED;;;OAGG;IACI,MAAM,CAAC,KAAK,CAAC,wBAAwB,CAAC,KAM5C;QACC,MAAM,EACJ,eAAe,EAAE,eAAe,EAAE,eAAe,EAAE,eAAe,EAAE,YAAY,EACjF,GAAG,KAAK,CAAC;QAEV,MAAM,kBAAkB,CAAC,qBAAqB,CAAC;YAC7C,eAAe;YACf,eAAe;YACf,eAAe;YACf,eAAe;YACf,YAAY;SACb,CAAC,CAAC;QAEH,+FAA+F;QAC/F,IAAI,mBAAmB,CAAC,gBAAgB,CAAC,eAAe,CAAC,KAAK,CAAC,EAAE,CAAC;YAChE,MAAM,cAAc,GAAG,eAAe,CAAC,KAAK,CAAC,QAAQ,CAAC;YAEtD,gEAAgE;YAChE,IAAI,QAAQ,IAAI,eAAe,CAAC,UAAU,EAAE,CAAC;gBAC3C,MAAM,WAAW,GAAG,eAAsC,CAAC;gBAC3D,IAAI,WAAW,CAAC,UAAU,CAAC,QAAQ,KAAK,cAAc,EAAE,CAAC;oBACvD,MAAM,IAAI,QAAQ,CAChB,YAAY,CAAC,4CAA4C,EACzD,gBAAgB,WAAW,CAAC,UAAU,CAAC,QAAQ,uCAAuC,cAAc,EAAE,CACvG,CAAC;gBACJ,CAAC;YACH,CAAC;iBAAM,CAAC;gBACN,iCAAiC;gBACjC,MAAM,eAAe,GAAG,eAA2C,CAAC;gBACpE,KAAK,MAAM,MAAM,IAAI,eAAe,CAAC,UAAU,CAAC,OAAO,EAAE,CAAC;oBACxD,IAAI,MAAM,CAAC,QAAQ,KAAK,cAAc,EAAE,CAAC;wBACvC,MAAM,IAAI,QAAQ,CAChB,YAAY,CAAC,4CAA4C,EACzD,gBAAgB,MAAM,CAAC,QAAQ,uCAAuC,cAAc,EAAE,CACvF,CAAC;oBACJ,CAAC;gBACH,CAAC;YACH,CAAC;QACH,CAAC;IACH,CAAC;IAED;;OAEG;IACK,MAAM,CAAC,KAAK,CAAC,WAAW,CAC9B,MAAc,EACd,YAA4B,EAC5B,aAAsC,EACtC,YAA0B;QAE1B,IAAI,aAAa,CAAC,QAAQ,KAAK,SAAS,EAAE,CAAC;YACzC,8EAA8E;YAC9E,OAAO;QACT,CAAC;QAED,IAAI,YAAY,CAAC,UAAU,CAAC,SAAS,KAAK,gBAAgB,CAAC,OAAO,EAAE,CAAC;YACnE,yGAAyG;YACzG,MAAM,cAAc,GAAG,YAA0D,CAAC;YAClF,MAAM,mBAAmB,GAAG,OAAO,CAAC,cAAc,CAAC,cAAc,CAAC,CAAC,CAAC,CAAC,cAAc,CAAC,CAAC;gBACnF,MAAM,YAAY,CAAC,uBAAuB,CAAC,YAAY,EAAE,MAAM,EAAE,cAAc,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC;YAEvG,IAAI,mBAAmB,CAAC,UAAU,CAAC,QAAQ,KAAK,aAAa,CAAC,QAAQ,EAAE,CAAC;gBACvE,0DAA0D;gBAC1D,OAAO;YACT,CAAC;YAED,sFAAsF;YACtF,IAAI,mBAAmB,CAAC,UAAU,CAAC,QAAQ,KAAK,mBAAmB,CAAC,GAAG,EAAE,CAAC;gBACxE,uDAAuD;gBACvD,MAAM,eAAe,GAAG,MAAM,mBAAmB,CAAC,4BAA4B,CAC5E,MAAM,EACN,YAAY,EACZ,mBAAqD,CACtD,CAAC;gBAEF,IAAI,mBAAmB,CAAC,gBAAgB,CAAC,eAAe,CAAC,IAAI,eAAe,CAAC,QAAQ,KAAK,aAAa,CAAC,QAAQ,EAAE,CAAC;oBACjH,6EAA6E;oBAC7E,OAAO;gBACT,CAAC;YACH,CAAC;QACH,CAAC;aAAM,IAAI,YAAY,CAAC,UAAU,CAAC,SAAS,KAAK,gBAAgB,CAAC,SAAS,EAAE,CAAC;YAC5E,iFAAiF;YACjF,MAAM,yBAAyB,GAAG,YAAyC,CAAC;YAC5E,MAAM,iBAAiB,GAAG,yBAAyB,CAAC,UAAU,CAAC,UAAU,CAAC,QAAQ,CAAC;YACnF,IAAI,iBAAiB,KAAK,aAAa,CAAC,QAAQ,EAAE,CAAC;gBACjD,8DAA8D;gBAC9D,OAAO;YACT,CAAC;QACH,CAAC;QAED,MAAM,IAAI,QAAQ,CAAC,YAAY,CAAC,6BAA6B,EAAE,2CAA2C,CAAC,CAAC;IAC9G,CAAC;CACF"}

package/dist/esm/src/core/protocol-authorization-action.js

@@ -0,0 +1,266 @@
+import { FilterUtility } from '../utils/filter.js';
+import { RecordsWrite } from '../interfaces/records-write.js';
+import { DwnError, DwnErrorCode } from './dwn-error.js';
+import { DwnInterfaceName, DwnMethodName } from '../enums/dwn-interface-method.js';
+import { getRuleSetAtPath, isCrossProtocolRef, parseCrossProtocolRef } from '../utils/protocols.js';
+import { ProtocolAction, ProtocolActor } from '../types/protocols-types.js';
+/**
+ * Check if the incoming message is invoking a role. If so, validate the invoked role.
+ * For cross-protocol role invocation, the role record may live in a different protocol
+ * (resolved via the composing protocol's `uses` map).
+ */
+export async function verifyInvokedRole(tenant, incomingMessage, protocolUri, contextId, protocolDefinition, messageStore, fetchProtocolDefinition, governingTimestamp) {
+    const protocolRole = incomingMessage.signaturePayload?.protocolRole;
+    // Only verify role if there is a role being invoked
+    if (protocolRole === undefined) {
+        return;
+    }
+    // Determine the protocol URI and protocol path for the role record.
+    // For cross-protocol roles (e.g., "threads:thread/participant"), resolve the alias.
+    let roleProtocolUri = protocolUri;
+    let roleProtocolPath = protocolRole;
+    if (isCrossProtocolRef(protocolRole)) {
+        const parsed = parseCrossProtocolRef(protocolRole);
+        if (parsed === undefined) {
+            throw new DwnError(DwnErrorCode.ProtocolAuthorizationNotARole, `Cross-protocol role '${protocolRole}' could not be parsed as a valid 'alias:path' format.`);
+        }
+        if (protocolDefinition.uses === undefined || protocolDefinition.uses[parsed.alias] === undefined) {
+            throw new DwnError(DwnErrorCode.ProtocolAuthorizationNotARole, `Cross-protocol role alias '${parsed.alias}' in '${protocolRole}' does not exist in the protocol's 'uses' map.`);
+        }
+        roleProtocolUri = protocolDefinition.uses[parsed.alias];
+        roleProtocolPath = parsed.protocolPath;
+        // Fetch the referenced protocol's definition to validate the role exists
+        const refDefinition = await fetchProtocolDefinition(tenant, roleProtocolUri, messageStore, governingTimestamp);
+        const roleRuleSet = getRuleSetAtPath(roleProtocolPath, refDefinition.structure);
+        if (roleRuleSet === undefined || !roleRuleSet.$role) {
+            throw new DwnError(DwnErrorCode.ProtocolAuthorizationNotARole, `Cross-protocol role path ${protocolRole} does not match role record type.`);
+        }
+    }
+    else {
+        // Local role: validate in the composing protocol's definition
+        const roleRuleSet = getRuleSetAtPath(protocolRole, protocolDefinition.structure);
+        if (roleRuleSet === undefined || !roleRuleSet.$role) {
+            throw new DwnError(DwnErrorCode.ProtocolAuthorizationNotARole, `Protocol path ${protocolRole} does not match role record type.`);
+        }
+    }
+    // Construct a filter to fetch the invoked role record
+    const roleRecordFilter = {
+        interface: DwnInterfaceName.Records,
+        method: DwnMethodName.Write,
+        protocol: roleProtocolUri,
+        protocolPath: roleProtocolPath,
+        recipient: incomingMessage.author,
+        isLatestBaseState: true,
+    };
+    const ancestorSegmentCountOfRolePath = roleProtocolPath.split('/').length - 1;
+    if (contextId === undefined && ancestorSegmentCountOfRolePath > 0) {
+        throw new DwnError(DwnErrorCode.ProtocolAuthorizationMissingContextId, 'Could not verify role because contextId is missing.');
+    }
+    // Compute `contextId` prefix filter for fetching the invoked role record if the role path is not at the root level.
+    // e.g. if invoked role path is `Thread/Participant`, and the `contextId` of the message is `threadX/messageY/attachmentZ`,
+    // then we need to add a prefix filter as `threadX` for the `contextId`
+    // because the `contextId` of the Participant record would be in the form of be `threadX/participantA`
+    if (ancestorSegmentCountOfRolePath > 0) {
+        const contextIdSegments = contextId.split('/'); // NOTE: currently contextId segment count is never shorter than the role path count.
+        const contextIdPrefix = contextIdSegments.slice(0, ancestorSegmentCountOfRolePath).join('/');
+        const contextIdPrefixFilter = FilterUtility.constructPrefixFilterAsRangeFilter(contextIdPrefix);
+        roleRecordFilter.contextId = contextIdPrefixFilter;
+    }
+    const { messages: matchingMessages } = await messageStore.query(tenant, [roleRecordFilter]);
+    if (matchingMessages.length === 0) {
+        throw new DwnError(DwnErrorCode.ProtocolAuthorizationMatchingRoleRecordNotFound, `No matching role record found for protocol path ${roleProtocolPath}`);
+    }
+}
+/**
+ * Returns all the ProtocolActions that would authorized the incoming message
+ * (but we still need to later verify if there is a rule defined that matches one of the actions).
+ * NOTE: the reason why there could be multiple actions is because:
+ * - In case of an initial RecordsWrite, the RecordsWrite can be authorized by an allow `create` or `write` rule.
+ * - In case of a non-initial RecordsWrite by the original record author, the RecordsWrite can be authorized by a `write` or `co-update` rule.
+ *
+ * It is important to recognize that the `write` access that allowed the original record author to create the record maybe revoked
+ * (e.g. by role revocation) by the time a "non-initial" write by the same author is attempted.
+ */
+export async function getActionsSeekingARuleMatch(tenant, incomingMessage, messageStore) {
+    switch (incomingMessage.message.descriptor.method) {
+        case DwnMethodName.Delete:
+            const recordsDelete = incomingMessage;
+            const recordId = recordsDelete.message.descriptor.recordId;
+            const initialWrite = await RecordsWrite.fetchInitialRecordsWrite(messageStore, tenant, recordId);
+            // if there is no initial write, then no action rule can authorize the incoming message, because we won't know who the original author is
+            // NOTE: purely defensive programming: currently not reachable
+            // because RecordsDelete handler already have an existence check prior to this method being called.
+            if (initialWrite === undefined) {
+                return [];
+            }
+            const actionsThatWouldAuthorizeDelete = [];
+            const prune = recordsDelete.message.descriptor.prune;
+            if (prune) {
+                actionsThatWouldAuthorizeDelete.push(ProtocolAction.CoPrune);
+                // A prune by the original record author can also be authorized by a 'prune' rule.
+                if (incomingMessage.author === initialWrite.author) {
+                    actionsThatWouldAuthorizeDelete.push(ProtocolAction.Prune);
+                }
+            }
+            else {
+                actionsThatWouldAuthorizeDelete.push(ProtocolAction.CoDelete);
+                // A delete by the original record author can also be authorized by a 'delete' rule.
+                if (incomingMessage.author === initialWrite.author) {
+                    actionsThatWouldAuthorizeDelete.push(ProtocolAction.Delete);
+                }
+            }
+            return actionsThatWouldAuthorizeDelete;
+        case DwnMethodName.Count:
+            return [ProtocolAction.Read];
+        case DwnMethodName.Query:
+            return [ProtocolAction.Read];
+        case DwnMethodName.Read:
+            return [ProtocolAction.Read];
+        case DwnMethodName.Subscribe:
+            return [ProtocolAction.Read];
+        case DwnMethodName.Write:
+            const incomingRecordsWrite = incomingMessage;
+            if (await incomingRecordsWrite.isInitialWrite()) {
+                return [ProtocolAction.Create];
+            }
+            else {
+                // else incoming RecordsWrite not an initial write
+                const recordId = incomingMessage.message.recordId;
+                const initialWrite = await RecordsWrite.fetchInitialRecordsWrite(messageStore, tenant, recordId);
+                // if there is no initial write to update from, then no action rule can authorize the incoming message
+                if (initialWrite === undefined) {
+                    return [];
+                }
+                if (incomingMessage.author === initialWrite.author) {
+                    // 'update' or 'co-update' action authorizes the incoming message
+                    return [ProtocolAction.CoUpdate, ProtocolAction.Update];
+                }
+                else {
+                    // An update by someone who is not the record author can only be authorized by a 'co-update' rule.
+                    return [ProtocolAction.CoUpdate];
+                }
+            }
+    }
+    // purely defensive programming: should not be reachable
+    // setting to empty array will prevent any message from being authorized
+    return [];
+}
+/**
+ * Verifies the given message is authorized by one of the action rules in the given protocol rule set.
+ * @param protocolDefinition Optional protocol definition for resolving cross-protocol `of` and `role` references.
+ * @throws {Error} if action not allowed.
+ */
+export async function authorizeAgainstAllowedActions(tenant, incomingMessage, ruleSet, recordChain, messageStore, protocolDefinition) {
+    const incomingMessageMethod = incomingMessage.message.descriptor.method;
+    const actionsSeekingARuleMatch = await getActionsSeekingARuleMatch(tenant, incomingMessage, messageStore);
+    const author = incomingMessage.author;
+    const actionRules = ruleSet.$actions;
+    // NOTE: We have already checked that the message is not from tenant, owner, or permission grant authorized prior to this method being called.
+    if (actionRules === undefined) {
+        throw new DwnError(DwnErrorCode.ProtocolAuthorizationActionRulesNotFound, `no action rule defined for Records${incomingMessageMethod}, ${author} is unauthorized`);
+    }
+    const invokedRole = incomingMessage.signaturePayload?.protocolRole;
+    // Iterate through the action rules to find a rule that authorizes the incoming message.
+    for (const actionRule of actionRules) {
+        // If the action rule does not have an allowed action that matches an action that can authorize the message, skip to evaluate next action rule.
+        const ruleHasAMatchingAllowedAction = actionRule.can.some((allowedAction) => actionsSeekingARuleMatch.includes(allowedAction));
+        if (!ruleHasAMatchingAllowedAction) {
+            continue;
+        }
+        // Code reaches here means this action rule has an allowed action that matches the action of the message.
+        // The remaining code checks the actor/author of the incoming message.
+        // If the action rule allows `anyone`, then no further checks are needed.
+        if (actionRule.who === ProtocolActor.Anyone) {
+            return;
+        }
+        // Since not `anyone` is allowed in this action rule, we will need to check the author of the incoming message,
+        // if the author of incoming message is not defined, this action rule cannot authorize the incoming message.
+        if (author === undefined) {
+            continue;
+        }
+        // go through role validation path if a role is invoked by the incoming message
+        if (invokedRole !== undefined) {
+            // When a protocol role is being invoked, we require that there is a matching `role` rule.
+            if (actionRule.role === invokedRole) {
+                // role is successfully invoked
+                return;
+            }
+            else {
+                continue;
+            }
+        }
+        // else we go through the actor (`who`) validation
+        // If `of` is not set, handle it as a special case
+        // NOTE: `of` is always set if `who` is set to `author` (we do this check in `validateRuleSetRecursively()`)
+        if (actionRule.who === ProtocolActor.Recipient && actionRule.of === undefined) {
+            // If the action rule specifies a recipient without `of` and the incoming message is authenticated:
+            // Author must be recipient of the record being accessed
+            let recordsWriteMessage;
+            if (incomingMessage.message.descriptor.method === DwnMethodName.Write) {
+                recordsWriteMessage = incomingMessage.message;
+            }
+            else {
+                // else the incoming message must be a `RecordsDelete` because only `co-update`, `co-delete`, `co-prune` are allowed recipient actions,
+                // (we do this check in `validateRuleSetRecursively()`)
+                // and we have already checked that the incoming message is not a `RecordsWrite` above which covers `co-update` path.
+                recordsWriteMessage = recordChain[recordChain.length - 1];
+            }
+            if (recordsWriteMessage.descriptor.recipient === author) {
+                return;
+            }
+            else {
+                continue;
+            }
+        }
+        // validate the actor is allowed by the current action rule
+        const ancestorRuleSuccess = await checkActor(author, actionRule, recordChain, protocolDefinition);
+        if (ancestorRuleSuccess) {
+            return;
+        }
+    }
+    // No action rules were satisfied, message is not authorized
+    throw new DwnError(DwnErrorCode.ProtocolAuthorizationActionNotAllowed, `Inbound message action Records${incomingMessageMethod} by author ${incomingMessage.author} not allowed.`);
+}
+/**
+ * Checks if the `who: 'author' | 'recipient'` action rule has a matching record in the record chain.
+ * For cross-protocol `of` references (e.g., `"threads:thread"`), matches against both the protocol URI
+ * and the protocol path of the ancestor record.
+ * @returns `true` if the action rule is satisfied; `false` otherwise.
+ */
+export async function checkActor(author, actionRule, recordChain, composingDefinition) {
+    const ofValue = actionRule.of;
+    // `of` should always be defined when `checkActor` is called, but guard defensively
+    if (ofValue === undefined) {
+        return false;
+    }
+    let ancestorRecordsWrite;
+    if (isCrossProtocolRef(ofValue) && composingDefinition?.uses !== undefined) {
+        // Cross-protocol `of`: resolve alias to protocol URI and match by both protocol + protocolPath
+        const parsed = parseCrossProtocolRef(ofValue);
+        if (parsed !== undefined) {
+            const refProtocolUri = composingDefinition.uses[parsed.alias];
+            if (refProtocolUri !== undefined) {
+                ancestorRecordsWrite = recordChain.find((msg) => msg.descriptor.protocol === refProtocolUri && msg.descriptor.protocolPath === parsed.protocolPath);
+            }
+        }
+    }
+    else {
+        // Local `of`: match by protocolPath only (same protocol assumed)
+        ancestorRecordsWrite = recordChain.find((msg) => msg.descriptor.protocolPath === ofValue);
+    }
+    if (ancestorRecordsWrite === undefined) {
+        // No matching ancestor found in the record chain. Return false to allow the caller
+        // to continue evaluating other action rules that might authorize the request.
+        return false;
+    }
+    if (actionRule.who === ProtocolActor.Recipient) {
+        // author of the incoming message must be the recipient of the ancestor message
+        return author === ancestorRecordsWrite.descriptor.recipient;
+    }
+    else { // actionRule.who === ProtocolActor.Author
+        // author of the incoming message must be the author of the ancestor message
+        const ancestorAuthor = (await RecordsWrite.parse(ancestorRecordsWrite)).author;
+        return author === ancestorAuthor;
+    }
+}
+//# sourceMappingURL=protocol-authorization-action.js.map

package/dist/esm/src/core/protocol-authorization-action.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"protocol-authorization-action.js","sourceRoot":"","sources":["../../../../src/core/protocol-authorization-action.ts"],"names":[],"mappings":"AAUA,OAAO,EAAE,aAAa,EAAE,MAAM,oBAAoB,CAAC;AACnD,OAAO,EAAE,YAAY,EAAE,MAAM,gCAAgC,CAAC;AAC9D,OAAO,EAAE,QAAQ,EAAE,YAAY,EAAE,MAAM,gBAAgB,CAAC;AACxD,OAAO,EAAE,gBAAgB,EAAE,aAAa,EAAE,MAAM,kCAAkC,CAAC;AACnF,OAAO,EAAE,gBAAgB,EAAE,kBAAkB,EAAE,qBAAqB,EAAE,MAAM,uBAAuB,CAAC;AACpG,OAAO,EAAE,cAAc,EAAE,aAAa,EAAE,MAAM,6BAA6B,CAAC;AAI5E;;;;GAIG;AACH,MAAM,CAAC,KAAK,UAAU,iBAAiB,CACrC,MAAc,EACd,eAA4G,EAC5G,WAAmB,EACnB,SAA6B,EAC7B,kBAAsC,EACtC,YAA0B,EAC1B,uBAAkD,EAClD,kBAA2B;IAE3B,MAAM,YAAY,GAAG,eAAe,CAAC,gBAAgB,EAAE,YAAY,CAAC;IAEpE,oDAAoD;IACpD,IAAI,YAAY,KAAK,SAAS,EAAE,CAAC;QAC/B,OAAO;IACT,CAAC;IAED,oEAAoE;IACpE,oFAAoF;IACpF,IAAI,eAAe,GAAG,WAAW,CAAC;IAClC,IAAI,gBAAgB,GAAG,YAAY,CAAC;IAEpC,IAAI,kBAAkB,CAAC,YAAY,CAAC,EAAE,CAAC;QACrC,MAAM,MAAM,GAAG,qBAAqB,CAAC,YAAY,CAAC,CAAC;QACnD,IAAI,MAAM,KAAK,SAAS,EAAE,CAAC;YACzB,MAAM,IAAI,QAAQ,CAChB,YAAY,CAAC,6BAA6B,EAC1C,wBAAwB,YAAY,uDAAuD,CAC5F,CAAC;QACJ,CAAC;QAED,IAAI,kBAAkB,CAAC,IAAI,KAAK,SAAS,IAAI,kBAAkB,CAAC,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,KAAK,SAAS,EAAE,CAAC;YACjG,MAAM,IAAI,QAAQ,CAChB,YAAY,CAAC,6BAA6B,EAC1C,8BAA8B,MAAM,CAAC,KAAK,SAAS,YAAY,gDAAgD,CAChH,CAAC;QACJ,CAAC;QAED,eAAe,GAAG,kBAAkB,CAAC,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;QACxD,gBAAgB,GAAG,MAAM,CAAC,YAAY,CAAC;QAEvC,yEAAyE;QACzE,MAAM,aAAa,GAAG,MAAM,uBAAuB,CACjD,MAAM,EAAE,eAAe,EAAE,YAAY,EAAE,kBAAkB,CAC1D,CAAC;QACF,MAAM,WAAW,GAAG,gBAAgB,CAAC,gBAAgB,EAAE,aAAa,CAAC,SAAS,CAAC,CAAC;QAChF,IAAI,WAAW,KAAK,SAAS,IAAI,CAAC,WAAW,CAAC,KAAK,EAAE,CAAC;YACpD,MAAM,IAAI,QAAQ,CAChB,YAAY,CAAC,6BAA6B,EAC1C,4BAA4B,YAAY,mCAAmC,CAC5E,CAAC;QACJ,CAAC;IACH,CAAC;SAAM,CAAC;QACN,8DAA8D;QAC9D,MAAM,WAAW,GAAG,gBAAgB,CAAC,YAAY,EAAE,kBAAkB,CAAC,SAAS,CAAC,CAAC;QACjF,IAAI,WAAW,KAAK,SAAS,IAAI,CAAC,WAAW,CAAC,KAAK,EAAE,CAAC;YACpD,MAAM,IAAI,QAAQ,CAChB,YAAY,CAAC,6BAA6B,EAC1C,iBAAiB,YAAY,mCAAmC,CACjE,CAAC;QACJ,CAAC;IACH,CAAC;IAED,sDAAsD;IACtD,MAAM,gBAAgB,GAAW;QAC/B,SAAS,EAAW,gBAAgB,CAAC,OAAO;QAC5C,MAAM,EAAc,aAAa,CAAC,KAAK;QACvC,QAAQ,EAAY,eAAe;QACnC,YAAY,EAAQ,gBAAgB;QACpC,SAAS,EAAW,eAAe,CAAC,MAAO;QAC3C,iBAAiB,EAAG,IAAI;KACzB,CAAC;IAEF,MAAM,8BAA8B,GAAG,gBAAgB,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,MAAM,GAAG,CAAC,CAAC;IAC9E,IAAI,SAAS,KAAK,SAAS,IAAI,8BAA8B,GAAG,CAAC,EAAE,CAAC;QAClE,MAAM,IAAI,QAAQ,CAChB,YAAY,CAAC,qCAAqC,EAClD,qDAAqD,CACtD,CAAC;IACJ,CAAC;IAED,oHAAoH;IACpH,2HAA2H;IAC3H,uEAAuE;IACvE,sGAAsG;IACtG,IAAI,8BAA8B,GAAG,CAAC,EAAE,CAAC;QACvC,MAAM,iBAAiB,GAAG,SAAU,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,qFAAqF;QACtI,MAAM,eAAe,GAAG,iBAAiB,CAAC,KAAK,CAAC,CAAC,EAAE,8BAA8B,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QAC7F,MAAM,qBAAqB,GAAG,aAAa,CAAC,kCAAkC,CAAC,eAAe,CAAC,CAAC;QAEhG,gBAAgB,CAAC,SAAS,GAAG,qBAAqB,CAAC;IACrD,CAAC;IAGD,MAAM,EAAE,QAAQ,EAAE,gBAAgB,EAAE,GAAG,MAAM,YAAY,CAAC,KAAK,CAAC,MAAM,EAAE,CAAC,gBAAgB,CAAC,CAAC,CAAC;IAE5F,IAAI,gBAAgB,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAClC,MAAM,IAAI,QAAQ,CAChB,YAAY,CAAC,+CAA+C,EAC5D,mDAAmD,gBAAgB,EAAE,CACtE,CAAC;IACJ,CAAC;AACH,CAAC;AAED;;;;;;;;;GASG;AACH,MAAM,CAAC,KAAK,UAAU,2BAA2B,CAC/C,MAAc,EACd,eAA4G,EAC5G,YAA0B;IAG1B,QAAQ,eAAe,CAAC,OAAO,CAAC,UAAU,CAAC,MAAM,EAAE,CAAC;QACpD,KAAK,aAAa,CAAC,MAAM;YACvB,MAAM,aAAa,GAAG,eAAgC,CAAC;YACvD,MAAM,QAAQ,GAAG,aAAa,CAAC,OAAO,CAAC,UAAU,CAAC,QAAQ,CAAC;YAC3D,MAAM,YAAY,GAAG,MAAM,YAAY,CAAC,wBAAwB,CAAC,YAAY,EAAE,MAAM,EAAE,QAAQ,CAAC,CAAC;YAEjG,yIAAyI;YACzI,8DAA8D;YAC9D,mGAAmG;YACnG,IAAI,YAAY,KAAK,SAAS,EAAE,CAAC;gBAC/B,OAAO,EAAE,CAAC;YACZ,CAAC;YAED,MAAM,+BAA+B,GAAG,EAAE,CAAC;YAC3C,MAAM,KAAK,GAAG,aAAa,CAAC,OAAO,CAAC,UAAU,CAAC,KAAK,CAAC;YACrD,IAAI,KAAK,EAAE,CAAC;gBACV,+BAA+B,CAAC,IAAI,CAAC,cAAc,CAAC,OAAO,CAAC,CAAC;gBAE7D,kFAAkF;gBAClF,IAAI,eAAe,CAAC,MAAM,KAAK,YAAY,CAAC,MAAM,EAAE,CAAC;oBACnD,+BAA+B,CAAC,IAAI,CAAC,cAAc,CAAC,KAAK,CAAC,CAAC;gBAC7D,CAAC;YACH,CAAC;iBAAM,CAAC;gBACN,+BAA+B,CAAC,IAAI,CAAC,cAAc,CAAC,QAAQ,CAAC,CAAC;gBAE9D,oFAAoF;gBACpF,IAAI,eAAe,CAAC,MAAM,KAAK,YAAY,CAAC,MAAM,EAAE,CAAC;oBACnD,+BAA+B,CAAC,IAAI,CAAC,cAAc,CAAC,MAAM,CAAC,CAAC;gBAC9D,CAAC;YACH,CAAC;YAED,OAAO,+BAA+B,CAAC;QAEzC,KAAK,aAAa,CAAC,KAAK;YACtB,OAAO,CAAC,cAAc,CAAC,IAAI,CAAC,CAAC;QAE/B,KAAK,aAAa,CAAC,KAAK;YACtB,OAAO,CAAC,cAAc,CAAC,IAAI,CAAC,CAAC;QAE/B,KAAK,aAAa,CAAC,IAAI;YACrB,OAAO,CAAC,cAAc,CAAC,IAAI,CAAC,CAAC;QAE/B,KAAK,aAAa,CAAC,SAAS;YAC1B,OAAO,CAAC,cAAc,CAAC,IAAI,CAAC,CAAC;QAE/B,KAAK,aAAa,CAAC,KAAK;YACtB,MAAM,oBAAoB,GAAG,eAA+B,CAAC;YAE7D,IAAI,MAAM,oBAAoB,CAAC,cAAc,EAAE,EAAE,CAAC;gBAChD,OAAO,CAAC,cAAc,CAAC,MAAM,CAAC,CAAC;YACjC,CAAC;iBAAM,CAAC;gBACN,kDAAkD;gBAElD,MAAM,QAAQ,GAAI,eAAgC,CAAC,OAAO,CAAC,QAAQ,CAAC;gBACpE,MAAM,YAAY,GAAG,MAAM,YAAY,CAAC,wBAAwB,CAAC,YAAY,EAAE,MAAM,EAAE,QAAQ,CAAC,CAAC;gBAEjG,sGAAsG;gBACtG,IAAI,YAAY,KAAK,SAAS,EAAE,CAAC;oBAC/B,OAAO,EAAE,CAAC;gBACZ,CAAC;gBAED,IAAI,eAAe,CAAC,MAAM,KAAK,YAAY,CAAC,MAAM,EAAE,CAAC;oBACrD,iEAAiE;oBAC/D,OAAO,CAAC,cAAc,CAAC,QAAQ,EAAE,cAAc,CAAC,MAAM,CAAC,CAAC;gBAC1D,CAAC;qBAAM,CAAC;oBACN,kGAAkG;oBAClG,OAAO,CAAC,cAAc,CAAC,QAAQ,CAAC,CAAC;gBACnC,CAAC;YACH,CAAC;IACH,CAAC;IAED,wDAAwD;IACxD,wEAAwE;IACxE,OAAO,EAAE,CAAC;AACZ,CAAC;AAED;;;;GAIG;AACH,MAAM,CAAC,KAAK,UAAU,8BAA8B,CAClD,MAAc,EACd,eAA4G,EAC5G,OAAwB,EACxB,WAAkC,EAClC,YAA0B,EAC1B,kBAAuC;IAEvC,MAAM,qBAAqB,GAAG,eAAe,CAAC,OAAO,CAAC,UAAU,CAAC,MAAM,CAAC;IACxE,MAAM,wBAAwB,GAAG,MAAM,2BAA2B,CAAC,MAAM,EAAE,eAAe,EAAE,YAAY,CAAC,CAAC;IAC1G,MAAM,MAAM,GAAG,eAAe,CAAC,MAAM,CAAC;IACtC,MAAM,WAAW,GAAG,OAAO,CAAC,QAAQ,CAAC;IAErC,8IAA8I;IAE9I,IAAI,WAAW,KAAK,SAAS,EAAE,CAAC;QAC9B,MAAM,IAAI,QAAQ,CAChB,YAAY,CAAC,wCAAwC,EACrD,qCAAqC,qBAAqB,KAAK,MAAM,kBAAkB,CACxF,CAAC;IACJ,CAAC;IAED,MAAM,WAAW,GAAG,eAAe,CAAC,gBAAgB,EAAE,YAAY,CAAC;IAEnE,wFAAwF;IACxF,KAAK,MAAM,UAAU,IAAI,WAAW,EAAE,CAAC;QACrC,+IAA+I;QAC/I,MAAM,6BAA6B,GAAG,UAAU,CAAC,GAAG,CAAC,IAAI,CACvD,CAAC,aAAqB,EAAW,EAAE,CAAC,wBAAwB,CAAC,QAAQ,CAAC,aAA+B,CAAC,CACvG,CAAC;QACF,IAAI,CAAC,6BAA6B,EAAE,CAAC;YACnC,SAAS;QACX,CAAC;QAED,yGAAyG;QACzG,sEAAsE;QAEtE,yEAAyE;QACzE,IAAI,UAAU,CAAC,GAAG,KAAK,aAAa,CAAC,MAAM,EAAE,CAAC;YAC5C,OAAO;QACT,CAAC;QAED,+GAA+G;QAC/G,4GAA4G;QAC5G,IAAI,MAAM,KAAK,SAAS,EAAE,CAAC;YACzB,SAAS;QACX,CAAC;QAED,+EAA+E;QAC/E,IAAI,WAAW,KAAK,SAAS,EAAE,CAAC;YAC9B,0FAA0F;YAC1F,IAAI,UAAU,CAAC,IAAI,KAAK,WAAW,EAAE,CAAC;gBACpC,+BAA+B;gBAC/B,OAAO;YACT,CAAC;iBAAM,CAAC;gBACN,SAAS;YACX,CAAC;QACH,CAAC;QAED,kDAAkD;QAElD,kDAAkD;QAClD,4GAA4G;QAC5G,IAAI,UAAU,CAAC,GAAG,KAAK,aAAa,CAAC,SAAS,IAAI,UAAU,CAAC,EAAE,KAAK,SAAS,EAAE,CAAC;YAC9E,mGAAmG;YAEnG,wDAAwD;YACxD,IAAI,mBAAwC,CAAC;YAC7C,IAAI,eAAe,CAAC,OAAO,CAAC,UAAU,CAAC,MAAM,KAAK,aAAa,CAAC,KAAK,EAAE,CAAC;gBACtE,mBAAmB,GAAG,eAAe,CAAC,OAA8B,CAAC;YACvE,CAAC;iBAAM,CAAC;gBACN,uIAAuI;gBACvI,uDAAuD;gBACvD,qHAAqH;gBACrH,mBAAmB,GAAG,WAAW,CAAC,WAAW,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC;YAC5D,CAAC;YAED,IAAI,mBAAmB,CAAC,UAAU,CAAC,SAAS,KAAK,MAAM,EAAE,CAAC;gBACxD,OAAO;YACT,CAAC;iBAAM,CAAC;gBACN,SAAS;YACX,CAAC;QACH,CAAC;QAED,2DAA2D;QAC3D,MAAM,mBAAmB,GAAY,MAAM,UAAU,CAAC,MAAM,EAAE,UAAU,EAAE,WAAW,EAAE,kBAAkB,CAAC,CAAC;QAC3G,IAAI,mBAAmB,EAAE,CAAC;YACxB,OAAO;QACT,CAAC;IACH,CAAC;IAED,4DAA4D;IAC5D,MAAM,IAAI,QAAQ,CAChB,YAAY,CAAC,qCAAqC,EAClD,iCAAiC,qBAAqB,cAAc,eAAe,CAAC,MAAM,eAAe,CAC1G,CAAC;AACJ,CAAC;AAED;;;;;GAKG;AACH,MAAM,CAAC,KAAK,UAAU,UAAU,CAC9B,MAAc,EACd,UAA8B,EAC9B,WAAkC,EAClC,mBAAwC;IAExC,MAAM,OAAO,GAAG,UAAU,CAAC,EAAE,CAAC;IAE9B,mFAAmF;IACnF,IAAI,OAAO,KAAK,SAAS,EAAE,CAAC;QAC1B,OAAO,KAAK,CAAC;IACf,CAAC;IAED,IAAI,oBAAqD,CAAC;IAE1D,IAAI,kBAAkB,CAAC,OAAO,CAAC,IAAI,mBAAmB,EAAE,IAAI,KAAK,SAAS,EAAE,CAAC;QAC3E,+FAA+F;QAC/F,MAAM,MAAM,GAAG,qBAAqB,CAAC,OAAO,CAAC,CAAC;QAC9C,IAAI,MAAM,KAAK,SAAS,EAAE,CAAC;YACzB,MAAM,cAAc,GAAG,mBAAmB,CAAC,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;YAC9D,IAAI,cAAc,KAAK,SAAS,EAAE,CAAC;gBACjC,oBAAoB,GAAG,WAAW,CAAC,IAAI,CAAC,CAAC,GAAwB,EAAW,EAAE,CAC5E,GAAG,CAAC,UAAU,CAAC,QAAQ,KAAK,cAAc,IAAI,GAAG,CAAC,UAAU,CAAC,YAAY,KAAK,MAAM,CAAC,YAAY,CAClG,CAAC;YACJ,CAAC;QACH,CAAC;IACH,CAAC;SAAM,CAAC;QACN,iEAAiE;QACjE,oBAAoB,GAAG,WAAW,CAAC,IAAI,CAAC,CAAC,GAAwB,EAAW,EAAE,CAC5E,GAAG,CAAC,UAAU,CAAC,YAAY,KAAK,OAAO,CACxC,CAAC;IACJ,CAAC;IAED,IAAI,oBAAoB,KAAK,SAAS,EAAE,CAAC;QACvC,mFAAmF;QACnF,8EAA8E;QAC9E,OAAO,KAAK,CAAC;IACf,CAAC;IAED,IAAI,UAAU,CAAC,GAAG,KAAK,aAAa,CAAC,SAAS,EAAE,CAAC;QAC/C,+EAA+E;QAC/E,OAAO,MAAM,KAAK,oBAAoB,CAAC,UAAU,CAAC,SAAS,CAAC;IAC9D,CAAC;SAAM,CAAC,CAAC,0CAA0C;QACjD,4EAA4E;QAC5E,MAAM,cAAc,GAAG,CAAC,MAAM,YAAY,CAAC,KAAK,CAAC,oBAAoB,CAAC,CAAC,CAAC,MAAM,CAAC;QAC/E,OAAO,MAAM,KAAK,cAAc,CAAC;IACnC,CAAC;AACH,CAAC"}