@fgv/ts-extras 5.1.0-21 → 5.1.0-22

package/dist/packlets/crypto-utils/nodeCryptoProvider.js.map

@@ -1 +1 @@
-{"version":3,"file":"nodeCryptoProvider.js","sourceRoot":"","sources":["../../../src/packlets/crypto-utils/nodeCryptoProvider.ts"],"names":[],"mappings":"AAAA,kCAAkC;AAClC,EAAE;AACF,+EAA+E;AAC/E,gFAAgF;AAChF,+EAA+E;AAC/E,4EAA4E;AAC5E,wEAAwE;AACxE,2DAA2D;AAC3D,EAAE;AACF,iFAAiF;AACjF,kDAAkD;AAClD,EAAE;AACF,6EAA6E;AAC7E,2EAA2E;AAC3E,8EAA8E;AAC9E,yEAAyE;AACzE,gFAAgF;AAChF,gFAAgF;AAChF,YAAY;AAEZ,OAAO,KAAK,MAAM,MAAM,QAAQ,CAAC;AACjC,OAAO,EAAE,kBAAkB,EAAE,aAAa,EAAE,IAAI,EAAE,OAAO,EAAU,OAAO,EAAE,OAAO,EAAE,MAAM,eAAe,CAAC;AAC3G,OAAO,KAAK,SAAS,MAAM,aAAa,CAAC;AACzC,OAAO,EAAE,sBAAsB,EAAE,MAAM,0BAA0B,CAAC;AASlE;;;;GAIG;AACH,MAAM,OAAO,kBAAkB;IAC7B;;;;;OAKG;IACI,KAAK,CAAC,OAAO,CAAC,SAAiB,EAAE,GAAe;QACrD,OAAO,aAAa,CAAC,GAAG,EAAE;YACxB,IAAI,GAAG,CAAC,MAAM,KAAK,SAAS,CAAC,gBAAgB,EAAE,CAAC;gBAC9C,MAAM,IAAI,KAAK,CAAC,eAAe,SAAS,CAAC,gBAAgB,eAAe,GAAG,CAAC,MAAM,EAAE,CAAC,CAAC;YACxF,CAAC;YAED,qBAAqB;YACrB,MAAM,EAAE,GAAG,MAAM,CAAC,WAAW,CAAC,SAAS,CAAC,WAAW,CAAC,CAAC;YAErD,gBAAgB;YAChB,MAAM,MAAM,GAAG,MAAM,CAAC,cAAc,CAAC,aAAa,EAAE,GAAG,EAAE,EAAE,CAAC,CAAC;YAE7D,UAAU;YACV,MAAM,SAAS,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,MAAM,CAAC,MAAM,CAAC,SAAS,EAAE,MAAM,CAAC,EAAE,MAAM,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC;YAEpF,eAAe;YACf,MAAM,OAAO,GAAG,MAAM,CAAC,UAAU,EAAE,CAAC;YAEpC,OAAO;gBACL,EAAE,EAAE,IAAI,UAAU,CAAC,EAAE,CAAC;gBACtB,OAAO,EAAE,IAAI,UAAU,CAAC,OAAO,CAAC;gBAChC,aAAa,EAAE,IAAI,UAAU,CAAC,SAAS,CAAC;aACzC,CAAC;QACJ,CAAC,CAAC,CAAC;IACL,CAAC;IAED;;;;;;;OAOG;IACI,KAAK,CAAC,OAAO,CAClB,aAAyB,EACzB,GAAe,EACf,EAAc,EACd,OAAmB;QAEnB,IAAI,GAAG,CAAC,MAAM,KAAK,SAAS,CAAC,gBAAgB,EAAE,CAAC;YAC9C,OAAO,IAAI,CAAC,eAAe,SAAS,CAAC,gBAAgB,eAAe,GAAG,CAAC,MAAM,EAAE,CAAC,CAAC;QACpF,CAAC;QACD,IAAI,EAAE,CAAC,MAAM,KAAK,SAAS,CAAC,WAAW,EAAE,CAAC;YACxC,OAAO,IAAI,CAAC,cAAc,SAAS,CAAC,WAAW,eAAe,EAAE,CAAC,MAAM,EAAE,CAAC,CAAC;QAC7E,CAAC;QACD,IAAI,OAAO,CAAC,MAAM,KAAK,SAAS,CAAC,iBAAiB,EAAE,CAAC;YACnD,OAAO,IAAI,CAAC,oBAAoB,SAAS,CAAC,iBAAiB,eAAe,OAAO,CAAC,MAAM,EAAE,CAAC,CAAC;QAC9F,CAAC;QAED,OAAO,aAAa,CAAC,GAAG,EAAE;YACxB,kBAAkB;YAClB,MAAM,QAAQ,GAAG,MAAM,CAAC,gBAAgB,CAAC,aAAa,EAAE,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,MAAM,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC,CAAC;YAE3F,eAAe;YACf,QAAQ,CAAC,UAAU,CAAC,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,CAAC;YAE1C,UAAU;YACV,MAAM,SAAS,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC,EAAE,QAAQ,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC;YAEjG,OAAO,SAAS,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;QACpC,CAAC,CAAC,CAAC,eAAe,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,sBAAsB,CAAC,EAAE,CAAC,CAAC;IACvD,CAAC;IAED;;;OAGG;IACI,KAAK,CAAC,WAAW;QACtB,OAAO,aAAa,CAAC,GAAG,EAAE;YACxB,MAAM,GAAG,GAAG,MAAM,CAAC,WAAW,CAAC,SAAS,CAAC,gBAAgB,CAAC,CAAC;YAC3D,OAAO,IAAI,UAAU,CAAC,GAAG,CAAC,CAAC;QAC7B,CAAC,CAAC,CAAC;IACL,CAAC;IAED;;;;;;OAMG;IACI,KAAK,CAAC,SAAS,CACpB,QAAgB,EAChB,IAAgB,EAChB,UAAkB;QAElB,IAAI,UAAU,GAAG,CAAC,EAAE,CAAC;YACnB,OAAO,IAAI,CAAC,+BAA+B,CAAC,CAAC;QAC/C,CAAC;QACD,IAAI,IAAI,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACpB,OAAO,IAAI,CAAC,iCAAiC,CAAC,CAAC;QACjD,CAAC;QAED,OAAO,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,EAAE;YAC7B,MAAM,CAAC,MAAM,CACX,QAAQ,EACR,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,EACjB,UAAU,EACV,SAAS,CAAC,gBAAgB,EAC1B,QAAQ,EACR,CAAC,GAAG,EAAE,UAAU,EAAE,EAAE;gBAClB,yFAAyF;gBACzF,IAAI,GAAG,EAAE,CAAC;oBACR,OAAO,CAAC,IAAI,CAAC,0BAA0B,GAAG,CAAC,OAAO,EAAE,CAAC,CAAC,CAAC;gBACzD,CAAC;qBAAM,CAAC;oBACN,OAAO,CAAC,OAAO,CAAC,IAAI,UAAU,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC;gBAC/C,CAAC;YACH,CAAC,CACF,CAAC;QACJ,CAAC,CAAC,CAAC;IACL,CAAC;IAED;;;;OAIG;IACI,KAAK,CAAC,MAAM,CAAC,IAAY;QAC9B,OAAO,aAAa,CAAC,GAAG,EAAE;YACxB,MAAM,IAAI,GAAG,MAAM,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC;YACzC,IAAI,CAAC,MAAM,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC;YAC1B,OAAO,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;QAC5B,CAAC,CAAC,CAAC;IACL,CAAC;IAED,+EAA+E;IAC/E,2BAA2B;IAC3B,+EAA+E;IAE/E;;;;OAIG;IACI,mBAAmB,CAAC,MAAc;QACvC,IAAI,MAAM,GAAG,CAAC,EAAE,CAAC;YACf,OAAO,OAAO,CAAC,IAAI,CAAC,2BAA2B,CAAC,CAAC;QACnD,CAAC;QACD,OAAO,aAAa,CAAC,GAAG,EAAE,CAAC,IAAI,UAAU,CAAC,MAAM,CAAC,WAAW,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC;IACzE,CAAC;IAED;;;;OAIG;IACI,QAAQ,CAAC,IAAgB;QAC9B,OAAO,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;IAC9C,CAAC;IAED;;;;OAIG;IACI,UAAU,CAAC,MAAc;QAC9B,yCAAyC;QACzC,IAAI,CAAC,wBAAwB,CAAC,IAAI,CAAC,MAAM,CAAC,EAAE,CAAC;YAC3C,OAAO,OAAO,CAAC,IAAI,CAAC,uBAAuB,CAAC,CAAC;QAC/C,CAAC;QACD,OAAO,OAAO,CAAC,IAAI,CAAC,IAAI,UAAU,CAAC,MAAM,CAAC,IAAI,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC,CAAC,CAAC;IACrE,CAAC;IAED,+EAA+E;IAC/E,4BAA4B;IAC5B,+EAA+E;IAE/E;;;;;OAKG;IACI,KAAK,CAAC,eAAe,CAC1B,SAA2B,EAC3B,WAAoB;QAEpB,MAAM,MAAM,GAAG,sBAAsB,CAAC,SAAS,CAAC,CAAC;QACjD,6EAA6E;QAC7E,4EAA4E;QAC5E,6EAA6E;QAC7E,kEAAkE;QAClE,MAAM,MAAM,GAAG,MAAM,kBAAkB,CAAC,KAAK,IAAI,EAAE;YACjD,MAAM,SAAS,GAAG,MAAM,MAAM,CAAC,SAAS,CAAC,MAAM,CAAC,WAAW,CACzD,MAAM,CAAC,WAAkC,EACzC,WAAW,EACX,CAAC,GAAG,MAAM,CAAC,aAAa,CAAC,CAC1B,CAAC;YACF,IAAI,YAAY,IAAI,SAAS,IAAI,WAAW,IAAI,SAAS,EAAE,CAAC;gBAC1D,OAAO,SAAS,CAAC;YACnB,CAAC;YACD,4FAA4F;YAC5F,MAAM,IAAI,KAAK,CAAC,GAAG,SAAS,2CAA2C,CAAC,CAAC;QAC3E,CAAC,CAAC,CAAC;QACH,OAAO,MAAM,CAAC,eAAe,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,sBAAsB,SAAS,aAAa,CAAC,EAAE,CAAC,CAAC;IACxF,CAAC;IAED;;;;;;;;;OASG;IACI,KAAK,CAAC,kBAAkB,CAAC,SAAoB;QAClD,IAAI,SAAS,CAAC,IAAI,KAAK,QAAQ,EAAE,CAAC;YAChC,OAAO,IAAI,CAAC,wDAAwD,SAAS,CAAC,IAAI,GAAG,CAAC,CAAC;QACzF,CAAC;QACD,MAAM,MAAM,GAAG,MAAM,kBAAkB,CAAC,GAAG,EAAE,CAAC,MAAM,CAAC,SAAS,CAAC,MAAM,CAAC,SAAS,CAAC,KAAK,EAAE,SAAS,CAAC,CAAC,CAAC;QACnG,OAAO,MAAM,CAAC,eAAe,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,uCAAuC,CAAC,EAAE,CAAC,CAAC;IACnF,CAAC;IAED;;;;;OAKG;IACI,KAAK,CAAC,kBAAkB,CAAC,GAAe,EAAE,SAA2B;QAC1E,MAAM,MAAM,GAAG,sBAAsB,CAAC,SAAS,CAAC,CAAC;QACjD,MAAM,MAAM,GAAG,MAAM,kBAAkB,CAAC,GAAG,EAAE,CAC3C,MAAM,CAAC,SAAS,CAAC,MAAM,CAAC,SAAS,CAAC,KAAK,EAAE,GAAG,EAAE,MAAM,CAAC,eAAe,EAAE,IAAI,EAAE,MAAM,CAAC,eAAe,CAAC,CACpG,CAAC;QACF,OAAO,MAAM,CAAC,eAAe,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,oBAAoB,SAAS,yBAAyB,CAAC,EAAE,CAAC,CAAC;IAClG,CAAC;IAED;;;;;;;;OAQG;IACI,KAAK,CAAC,SAAS,CACpB,SAAqB,EACrB,kBAA6B,EAC7B,OAA0B;QAE1B,MAAM,cAAc,GAAG,aAAa,CAAC,kBAAkB,EAAE,QAAQ,EAAE,sBAAsB,CAAC,CAAC;QAC3F,IAAI,cAAc,CAAC,SAAS,EAAE,EAAE,CAAC;YAC/B,OAAO,IAAI,CAAC,qBAAqB,cAAc,CAAC,OAAO,EAAE,CAAC,CAAC;QAC7D,CAAC;QACD,MAAM,MAAM,GAAG,MAAM,CAAC,SAAS,CAAC,MAAM,CAAC;QACvC,MAAM,MAAM,GAAG,MAAM,kBAAkB,CAAC,KAAK,IAAI,EAAE;YACjD,MAAM,SAAS,GAAG,CAAC,MAAM,MAAM,CAAC,WAAW,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,UAAU,EAAE,OAAO,EAAE,EAAE,IAAI,EAAE;gBACvF,WAAW;aACZ,CAAC,CAAkB,CAAC;YACrB,MAAM,QAAQ,GAAG,MAAM,MAAM,CAAC,SAAS,CACrC,EAAE,IAAI,EAAE,MAAM,EAAE,MAAM,EAAE,kBAAkB,EAAE,EAC5C,SAAS,CAAC,UAAU,EACpB,EAAE,IAAI,EAAE,MAAM,EAAE,EAChB,KAAK,EACL,CAAC,WAAW,CAAC,CACd,CAAC;YACF,MAAM,OAAO,GAAG,MAAM,MAAM,CAAC,SAAS,CACpC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,OAAO,CAAC,IAAI,EAAE,IAAI,EAAE,OAAO,CAAC,IAAI,EAAE,IAAI,EAAE,SAAS,EAAE,EACzE,QAAQ,EACR,EAAE,IAAI,EAAE,SAAS,EAAE,MAAM,EAAE,GAAG,EAAE,EAChC,KAAK,EACL,CAAC,SAAS,CAAC,CACZ,CAAC;YACF,MAAM,KAAK,GAAG,MAAM,CAAC,WAAW,CAAC,SAAS,CAAC,WAAW,CAAC,CAAC;YACxD,MAAM,KAAK,GAAG,MAAM,MAAM,CAAC,OAAO,CAAC,EAAE,IAAI,EAAE,SAAS,EAAE,EAAE,EAAE,KAAK,EAAE,EAAE,OAAO,EAAE,SAAS,CAAC,CAAC;YACvF,MAAM,kBAAkB,GAAG,MAAM,MAAM,CAAC,SAAS,CAAC,KAAK,EAAE,SAAS,CAAC,SAAS,CAAC,CAAC;YAC9E,OAAO;gBACL,kBAAkB;gBAClB,KAAK,EAAE,IAAI,CAAC,QAAQ,CAAC,KAAK,CAAC;gBAC3B,UAAU,EAAE,IAAI,CAAC,QAAQ,CAAC,IAAI,UAAU,CAAC,KAAK,CAAC,CAAC;aACjD,CAAC;QACJ,CAAC,CAAC,CAAC;QACH,OAAO,MAAM,CAAC,eAAe,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,qBAAqB,CAAC,EAAE,CAAC,CAAC;IACjE,CAAC;IAED;;;;;;;OAOG;IACI,KAAK,CAAC,WAAW,CACtB,OAAsB,EACtB,mBAA8B,EAC9B,OAA0B;QAE1B,MAAM,cAAc,GAAG,aAAa,CAAC,mBAAmB,EAAE,SAAS,EAAE,uBAAuB,CAAC,CAAC;QAC9F,IAAI,cAAc,CAAC,SAAS,EAAE,EAAE,CAAC;YAC/B,OAAO,IAAI,CAAC,uBAAuB,cAAc,CAAC,OAAO,EAAE,CAAC,CAAC;QAC/D,CAAC;QACD,MAAM,WAAW,GAAG,IAAI,CAAC,UAAU,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC;QACnD,IAAI,WAAW,CAAC,SAAS,EAAE,EAAE,CAAC;YAC5B,OAAO,IAAI,CAAC,8BAA8B,WAAW,CAAC,OAAO,EAAE,CAAC,CAAC;QACnE,CAAC;QACD,IAAI,WAAW,CAAC,KAAK,CAAC,MAAM,KAAK,SAAS,CAAC,WAAW,EAAE,CAAC;YACvD,OAAO,IAAI,CACT,qCAAqC,SAAS,CAAC,WAAW,eAAe,WAAW,CAAC,KAAK,CAAC,MAAM,GAAG,CACrG,CAAC;QACJ,CAAC;QACD,MAAM,gBAAgB,GAAG,IAAI,CAAC,UAAU,CAAC,OAAO,CAAC,UAAU,CAAC,CAAC;QAC7D,IAAI,gBAAgB,CAAC,SAAS,EAAE,EAAE,CAAC;YACjC,OAAO,IAAI,CAAC,mCAAmC,gBAAgB,CAAC,OAAO,EAAE,CAAC,CAAC;QAC7E,CAAC;QACD,IAAI,gBAAgB,CAAC,KAAK,CAAC,MAAM,GAAG,SAAS,CAAC,iBAAiB,EAAE,CAAC;YAChE,OAAO,IAAI,CACT,mDAAmD,SAAS,CAAC,iBAAiB,eAAe,gBAAgB,CAAC,KAAK,CAAC,MAAM,GAAG,CAC9H,CAAC;QACJ,CAAC;QACD,MAAM,MAAM,GAAG,MAAM,CAAC,SAAS,CAAC,MAAM,CAAC;QACvC,MAAM,MAAM,GAAG,MAAM,kBAAkB,CAAC,KAAK,IAAI,EAAE;YACjD,MAAM,YAAY,GAAG,MAAM,MAAM,CAAC,SAAS,CACzC,KAAK,EACL,OAAO,CAAC,kBAAkB,EAC1B,EAAE,IAAI,EAAE,MAAM,EAAE,UAAU,EAAE,OAAO,EAAE,EACrC,KAAK,EACL,EAAE,CACH,CAAC;YACF,MAAM,QAAQ,GAAG,MAAM,MAAM,CAAC,SAAS,CACrC,EAAE,IAAI,EAAE,MAAM,EAAE,MAAM,EAAE,YAAY,EAAE,EACtC,mBAAmB,EACnB,EAAE,IAAI,EAAE,MAAM,EAAE,EAChB,KAAK,EACL,CAAC,WAAW,CAAC,CACd,CAAC;YACF,MAAM,OAAO,GAAG,MAAM,MAAM,CAAC,SAAS,CACpC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,OAAO,CAAC,IAAI,EAAE,IAAI,EAAE,OAAO,CAAC,IAAI,EAAE,IAAI,EAAE,SAAS,EAAE,EACzE,QAAQ,EACR,EAAE,IAAI,EAAE,SAAS,EAAE,MAAM,EAAE,GAAG,EAAE,EAChC,KAAK,EACL,CAAC,SAAS,CAAC,CACZ,CAAC;YACF,MAAM,KAAK,GAAG,MAAM,MAAM,CAAC,OAAO,CAChC,EAAE,IAAI,EAAE,SAAS,EAAE,EAAE,EAAE,WAAW,CAAC,KAAK,EAAE,EAC1C,OAAO,EACP,gBAAgB,CAAC,KAAK,CACvB,CAAC;YACF,OAAO,IAAI,UAAU,CAAC,KAAK,CAAC,CAAC;QAC/B,CAAC,CAAC,CAAC;QACH,OAAO,MAAM,CAAC,eAAe,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,uBAAuB,CAAC,EAAE,CAAC,CAAC;IACnE,CAAC;CACF;AAED;;;;;;;;;;;;;GAaG;AACH,SAAS,aAAa,CAAC,GAAc,EAAE,OAA6B,EAAE,KAAa;IACjF,IAAI,GAAG,CAAC,SAAS,CAAC,IAAI,KAAK,MAAM,EAAE,CAAC;QAClC,OAAO,IAAI,CAAC,GAAG,KAAK,uCAAuC,GAAG,CAAC,SAAS,CAAC,IAAI,IAAI,CAAC,CAAC;IACrF,CAAC;IACD,MAAM,UAAU,GAAI,GAAG,CAAC,SAA4B,CAAC,UAAU,CAAC;IAChE,IAAI,UAAU,KAAK,OAAO,EAAE,CAAC;QAC3B,OAAO,IAAI,CAAC,GAAG,KAAK,mCAAmC,UAAU,IAAI,CAAC,CAAC;IACzE,CAAC;IACD,IAAI,GAAG,CAAC,IAAI,KAAK,OAAO,EAAE,CAAC;QACzB,OAAO,IAAI,CAAC,GAAG,KAAK,cAAc,OAAO,oBAAoB,GAAG,CAAC,IAAI,IAAI,CAAC,CAAC;IAC7E,CAAC;IACD,OAAO,OAAO,CAAC,GAAG,CAAC,CAAC;AACtB,CAAC;AAED;;;GAGG;AACH,MAAM,CAAC,MAAM,kBAAkB,GAAuB,IAAI,kBAAkB,EAAE,CAAC","sourcesContent":["// Copyright (c) 2024 Erik Fortune\n//\n// Permission is hereby granted, free of charge, to any person obtaining a copy\n// of this software and associated documentation files (the \"Software\"), to deal\n// in the Software without restriction, including without limitation the rights\n// to use, copy, modify, merge, publish, distribute, sublicense, and/or sell\n// copies of the Software, and to permit persons to whom the Software is\n// furnished to do so, subject to the following conditions:\n//\n// The above copyright notice and this permission notice shall be included in all\n// copies or substantial portions of the Software.\n//\n// THE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR\n// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,\n// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE\n// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER\n// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,\n// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE\n// SOFTWARE.\n\nimport * as crypto from 'crypto';\nimport { captureAsyncResult, captureResult, fail, Failure, Result, succeed, Success } from '@fgv/ts-utils';\nimport * as Constants from './constants';\nimport { keyPairAlgorithmParams } from './keyPairAlgorithmParams';\nimport {\n  ICryptoProvider,\n  IEncryptionResult,\n  IWrapBytesOptions,\n  IWrappedBytes,\n  KeyPairAlgorithm\n} from './model';\n\n/**\n * Node.js implementation of {@link CryptoUtils.ICryptoProvider} using the built-in crypto module.\n * Uses AES-256-GCM for authenticated encryption.\n * @public\n */\nexport class NodeCryptoProvider implements ICryptoProvider {\n  /**\n   * Encrypts plaintext using AES-256-GCM.\n   * @param plaintext - UTF-8 string to encrypt\n   * @param key - 32-byte encryption key\n   * @returns `Success` with encryption result, or `Failure` with an error.\n   */\n  public async encrypt(plaintext: string, key: Uint8Array): Promise<Result<IEncryptionResult>> {\n    return captureResult(() => {\n      if (key.length !== Constants.AES_256_KEY_SIZE) {\n        throw new Error(`Key must be ${Constants.AES_256_KEY_SIZE} bytes, got ${key.length}`);\n      }\n\n      // Generate random IV\n      const iv = crypto.randomBytes(Constants.GCM_IV_SIZE);\n\n      // Create cipher\n      const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);\n\n      // Encrypt\n      const encrypted = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);\n\n      // Get auth tag\n      const authTag = cipher.getAuthTag();\n\n      return {\n        iv: new Uint8Array(iv),\n        authTag: new Uint8Array(authTag),\n        encryptedData: new Uint8Array(encrypted)\n      };\n    });\n  }\n\n  /**\n   * Decrypts ciphertext using AES-256-GCM.\n   * @param encryptedData - Encrypted bytes\n   * @param key - 32-byte decryption key\n   * @param iv - Initialization vector (12 bytes)\n   * @param authTag - GCM authentication tag (16 bytes)\n   * @returns `Success` with decrypted UTF-8 string, or `Failure` with an error.\n   */\n  public async decrypt(\n    encryptedData: Uint8Array,\n    key: Uint8Array,\n    iv: Uint8Array,\n    authTag: Uint8Array\n  ): Promise<Result<string>> {\n    if (key.length !== Constants.AES_256_KEY_SIZE) {\n      return fail(`Key must be ${Constants.AES_256_KEY_SIZE} bytes, got ${key.length}`);\n    }\n    if (iv.length !== Constants.GCM_IV_SIZE) {\n      return fail(`IV must be ${Constants.GCM_IV_SIZE} bytes, got ${iv.length}`);\n    }\n    if (authTag.length !== Constants.GCM_AUTH_TAG_SIZE) {\n      return fail(`Auth tag must be ${Constants.GCM_AUTH_TAG_SIZE} bytes, got ${authTag.length}`);\n    }\n\n    return captureResult(() => {\n      // Create decipher\n      const decipher = crypto.createDecipheriv('aes-256-gcm', Buffer.from(key), Buffer.from(iv));\n\n      // Set auth tag\n      decipher.setAuthTag(Buffer.from(authTag));\n\n      // Decrypt\n      const decrypted = Buffer.concat([decipher.update(Buffer.from(encryptedData)), decipher.final()]);\n\n      return decrypted.toString('utf8');\n    }).withErrorFormat((e) => `Decryption failed: ${e}`);\n  }\n\n  /**\n   * Generates a random 32-byte key suitable for AES-256.\n   * @returns `Success` with generated key, or `Failure` with an error.\n   */\n  public async generateKey(): Promise<Result<Uint8Array>> {\n    return captureResult(() => {\n      const key = crypto.randomBytes(Constants.AES_256_KEY_SIZE);\n      return new Uint8Array(key);\n    });\n  }\n\n  /**\n   * Derives a key from a password using PBKDF2.\n   * @param password - Password string\n   * @param salt - Salt bytes (should be at least 16 bytes)\n   * @param iterations - Number of iterations (recommend 100000+)\n   * @returns `Success` with derived 32-byte key, or `Failure` with an error.\n   */\n  public async deriveKey(\n    password: string,\n    salt: Uint8Array,\n    iterations: number\n  ): Promise<Result<Uint8Array>> {\n    if (iterations < 1) {\n      return fail('Iterations must be at least 1');\n    }\n    if (salt.length < 8) {\n      return fail('Salt should be at least 8 bytes');\n    }\n\n    return new Promise((resolve) => {\n      crypto.pbkdf2(\n        password,\n        Buffer.from(salt),\n        iterations,\n        Constants.AES_256_KEY_SIZE,\n        'sha256',\n        (err, derivedKey) => {\n          /* c8 ignore next 3 - PBKDF2 internal errors are hard to trigger with valid parameters */\n          if (err) {\n            resolve(fail(`Key derivation failed: ${err.message}`));\n          } else {\n            resolve(succeed(new Uint8Array(derivedKey)));\n          }\n        }\n      );\n    });\n  }\n\n  /**\n   * Computes a SHA-256 hash of the given data.\n   * @param data - UTF-8 string to hash\n   * @returns `Success` with hex-encoded hash string, or `Failure` with an error.\n   */\n  public async sha256(data: string): Promise<Result<string>> {\n    return captureResult(() => {\n      const hash = crypto.createHash('sha256');\n      hash.update(data, 'utf8');\n      return hash.digest('hex');\n    });\n  }\n\n  // ============================================================================\n  // Platform Utility Methods\n  // ============================================================================\n\n  /**\n   * Generates cryptographically secure random bytes.\n   * @param length - Number of bytes to generate\n   * @returns Success with random bytes, or Failure with error\n   */\n  public generateRandomBytes(length: number): Result<Uint8Array> {\n    if (length < 1) {\n      return Failure.with('Length must be at least 1');\n    }\n    return captureResult(() => new Uint8Array(crypto.randomBytes(length)));\n  }\n\n  /**\n   * Encodes binary data to base64 string.\n   * @param data - Binary data to encode\n   * @returns Base64-encoded string\n   */\n  public toBase64(data: Uint8Array): string {\n    return Buffer.from(data).toString('base64');\n  }\n\n  /**\n   * Decodes base64 string to binary data.\n   * @param base64 - Base64-encoded string\n   * @returns Success with decoded bytes, or Failure if invalid base64\n   */\n  public fromBase64(base64: string): Result<Uint8Array> {\n    // Check for obviously invalid characters\n    if (!/^[A-Za-z0-9+/]*={0,2}$/.test(base64)) {\n      return Failure.with('Invalid base64 string');\n    }\n    return Success.with(new Uint8Array(Buffer.from(base64, 'base64')));\n  }\n\n  // ============================================================================\n  // Asymmetric Key Operations\n  // ============================================================================\n\n  /**\n   * Generates a new asymmetric keypair using Node's WebCrypto.\n   * @param algorithm - The {@link CryptoUtils.KeyPairAlgorithm | algorithm} to use.\n   * @param extractable - Whether the resulting keys may be exported.\n   * @returns `Success` with the generated `CryptoKeyPair`, or `Failure` with an error.\n   */\n  public async generateKeyPair(\n    algorithm: KeyPairAlgorithm,\n    extractable: boolean\n  ): Promise<Result<CryptoKeyPair>> {\n    const params = keyPairAlgorithmParams[algorithm];\n    // Widening upcast to `AlgorithmIdentifier` steers TS to subtle.generateKey's\n    // broad overload, which accepts the Ed25519 `{ name: 'Ed25519' }` shape and\n    // returns `CryptoKey | CryptoKeyPair`. The narrowing back to `CryptoKeyPair`\n    // is a runtime check via the `in` operator, not a type assertion.\n    const result = await captureAsyncResult(async () => {\n      const generated = await crypto.webcrypto.subtle.generateKey(\n        params.generateKey as AlgorithmIdentifier,\n        extractable,\n        [...params.keyPairUsages]\n      );\n      if ('privateKey' in generated && 'publicKey' in generated) {\n        return generated;\n      }\n      /* c8 ignore next - unreachable: every entry in keyPairAlgorithmParams produces a keypair */\n      throw new Error(`${algorithm} unexpectedly produced a single CryptoKey`);\n    });\n    return result.withErrorFormat((e) => `Failed to generate ${algorithm} keypair: ${e}`);\n  }\n\n  /**\n   * Exports a public `CryptoKey` as a JSON Web Key.\n   * @remarks\n   * Rejects non-public keys at runtime. WebCrypto's `exportKey('jwk', ...)`\n   * does not enforce public-vs-private; without this guard a caller that\n   * passed an extractable private key would receive its private fields\n   * (`d`, `p`, `q`, ...) as JWK, defeating the method's name.\n   * @param publicKey - Extractable public key to export.\n   * @returns `Success` with the JWK, or `Failure` if not a public key or if export fails.\n   */\n  public async exportPublicKeyJwk(publicKey: CryptoKey): Promise<Result<JsonWebKey>> {\n    if (publicKey.type !== 'public') {\n      return fail(`exportPublicKeyJwk requires a public CryptoKey, got '${publicKey.type}'`);\n    }\n    const result = await captureAsyncResult(() => crypto.webcrypto.subtle.exportKey('jwk', publicKey));\n    return result.withErrorFormat((e) => `Failed to export public key as JWK: ${e}`);\n  }\n\n  /**\n   * Imports a public-key JWK as a `CryptoKey` for the requested algorithm.\n   * @param jwk - The JSON Web Key produced by a prior export.\n   * @param algorithm - The algorithm the key was generated for.\n   * @returns `Success` with the imported public `CryptoKey`, or `Failure` with an error.\n   */\n  public async importPublicKeyJwk(jwk: JsonWebKey, algorithm: KeyPairAlgorithm): Promise<Result<CryptoKey>> {\n    const params = keyPairAlgorithmParams[algorithm];\n    const result = await captureAsyncResult(() =>\n      crypto.webcrypto.subtle.importKey('jwk', jwk, params.importPublicKey, true, params.publicKeyUsages)\n    );\n    return result.withErrorFormat((e) => `Failed to import ${algorithm} public key from JWK: ${e}`);\n  }\n\n  /**\n   * Wraps `plaintext` for the holder of `recipientPublicKey` using\n   * ECIES (ECDH P-256 + HKDF-SHA256 + AES-GCM-256). See\n   * {@link CryptoUtils.ICryptoProvider.wrapBytes | ICryptoProvider.wrapBytes}.\n   * @param plaintext - The bytes to wrap.\n   * @param recipientPublicKey - The recipient's ECDH P-256 public `CryptoKey`.\n   * @param options - HKDF salt and info; see {@link CryptoUtils.IWrapBytesOptions | IWrapBytesOptions}.\n   * @returns `Success` with the wrapped payload, or `Failure` with an error.\n   */\n  public async wrapBytes(\n    plaintext: Uint8Array,\n    recipientPublicKey: CryptoKey,\n    options: IWrapBytesOptions\n  ): Promise<Result<IWrappedBytes>> {\n    const recipientCheck = checkEcdhP256(recipientPublicKey, 'public', 'recipient public key');\n    if (recipientCheck.isFailure()) {\n      return fail(`wrapBytes failed: ${recipientCheck.message}`);\n    }\n    const subtle = crypto.webcrypto.subtle;\n    const result = await captureAsyncResult(async () => {\n      const ephemeral = (await subtle.generateKey({ name: 'ECDH', namedCurve: 'P-256' }, true, [\n        'deriveKey'\n      ])) as CryptoKeyPair;\n      const hkdfBase = await subtle.deriveKey(\n        { name: 'ECDH', public: recipientPublicKey },\n        ephemeral.privateKey,\n        { name: 'HKDF' },\n        false,\n        ['deriveKey']\n      );\n      const wrapKey = await subtle.deriveKey(\n        { name: 'HKDF', salt: options.salt, info: options.info, hash: 'SHA-256' },\n        hkdfBase,\n        { name: 'AES-GCM', length: 256 },\n        false,\n        ['encrypt']\n      );\n      const nonce = crypto.randomBytes(Constants.GCM_IV_SIZE);\n      const ctBuf = await subtle.encrypt({ name: 'AES-GCM', iv: nonce }, wrapKey, plaintext);\n      const ephemeralPublicKey = await subtle.exportKey('jwk', ephemeral.publicKey);\n      return {\n        ephemeralPublicKey,\n        nonce: this.toBase64(nonce),\n        ciphertext: this.toBase64(new Uint8Array(ctBuf))\n      };\n    });\n    return result.withErrorFormat((e) => `wrapBytes failed: ${e}`);\n  }\n\n  /**\n   * Unwraps a payload produced by `wrapBytes` using the recipient's private\n   * key. See {@link CryptoUtils.ICryptoProvider.unwrapBytes | ICryptoProvider.unwrapBytes}.\n   * @param wrapped - The wrapped payload.\n   * @param recipientPrivateKey - The recipient's ECDH P-256 private `CryptoKey`.\n   * @param options - HKDF salt and info matching the wrap call.\n   * @returns `Success` with the original `plaintext`, or `Failure` with an error.\n   */\n  public async unwrapBytes(\n    wrapped: IWrappedBytes,\n    recipientPrivateKey: CryptoKey,\n    options: IWrapBytesOptions\n  ): Promise<Result<Uint8Array>> {\n    const recipientCheck = checkEcdhP256(recipientPrivateKey, 'private', 'recipient private key');\n    if (recipientCheck.isFailure()) {\n      return fail(`unwrapBytes failed: ${recipientCheck.message}`);\n    }\n    const nonceResult = this.fromBase64(wrapped.nonce);\n    if (nonceResult.isFailure()) {\n      return fail(`unwrapBytes failed: nonce: ${nonceResult.message}`);\n    }\n    if (nonceResult.value.length !== Constants.GCM_IV_SIZE) {\n      return fail(\n        `unwrapBytes failed: nonce must be ${Constants.GCM_IV_SIZE} bytes (got ${nonceResult.value.length})`\n      );\n    }\n    const ciphertextResult = this.fromBase64(wrapped.ciphertext);\n    if (ciphertextResult.isFailure()) {\n      return fail(`unwrapBytes failed: ciphertext: ${ciphertextResult.message}`);\n    }\n    if (ciphertextResult.value.length < Constants.GCM_AUTH_TAG_SIZE) {\n      return fail(\n        `unwrapBytes failed: ciphertext must be at least ${Constants.GCM_AUTH_TAG_SIZE} bytes (got ${ciphertextResult.value.length})`\n      );\n    }\n    const subtle = crypto.webcrypto.subtle;\n    const result = await captureAsyncResult(async () => {\n      const ephemeralPub = await subtle.importKey(\n        'jwk',\n        wrapped.ephemeralPublicKey,\n        { name: 'ECDH', namedCurve: 'P-256' },\n        false,\n        []\n      );\n      const hkdfBase = await subtle.deriveKey(\n        { name: 'ECDH', public: ephemeralPub },\n        recipientPrivateKey,\n        { name: 'HKDF' },\n        false,\n        ['deriveKey']\n      );\n      const wrapKey = await subtle.deriveKey(\n        { name: 'HKDF', salt: options.salt, info: options.info, hash: 'SHA-256' },\n        hkdfBase,\n        { name: 'AES-GCM', length: 256 },\n        false,\n        ['decrypt']\n      );\n      const ptBuf = await subtle.decrypt(\n        { name: 'AES-GCM', iv: nonceResult.value },\n        wrapKey,\n        ciphertextResult.value\n      );\n      return new Uint8Array(ptBuf);\n    });\n    return result.withErrorFormat((e) => `unwrapBytes failed: ${e}`);\n  }\n}\n\n/**\n * Verifies that `key` is an ECDH P-256 `CryptoKey` of the expected `keyType`\n * (public or private). Used by the wrap/unwrap methods to surface a clean\n * `Failure` instead of letting the WebCrypto deriveKey call throw a less\n * informative error later in the pipeline. Key usages are intentionally not\n * checked here: WebCrypto already produces a specific error if `deriveKey` is\n * not in `usages`, and `deriveBits` is an equally valid alternative usage that\n * an explicit check would have to track.\n * @param key - The CryptoKey to validate.\n * @param keyType - The required `key.type` ('public' for wrap, 'private' for unwrap).\n * @param label - Human-readable role label included in the failure message.\n * @returns `Success` with the key (unchanged) when the algorithm, curve, and\n * type all match; otherwise `Failure` with `<label> must be ECDH P-256 (...)`.\n */\nfunction checkEcdhP256(key: CryptoKey, keyType: 'public' | 'private', label: string): Result<CryptoKey> {\n  if (key.algorithm.name !== 'ECDH') {\n    return fail(`${label} must be ECDH P-256 (got algorithm '${key.algorithm.name}')`);\n  }\n  const namedCurve = (key.algorithm as EcKeyAlgorithm).namedCurve;\n  if (namedCurve !== 'P-256') {\n    return fail(`${label} must be ECDH P-256 (got curve '${namedCurve}')`);\n  }\n  if (key.type !== keyType) {\n    return fail(`${label} must be a ${keyType} CryptoKey (got '${key.type}')`);\n  }\n  return succeed(key);\n}\n\n/**\n * Singleton instance of {@link CryptoUtils.NodeCryptoProvider}.\n * @public\n */\nexport const nodeCryptoProvider: NodeCryptoProvider = new NodeCryptoProvider();\n"]}
+{"version":3,"file":"nodeCryptoProvider.js","sourceRoot":"","sources":["../../../src/packlets/crypto-utils/nodeCryptoProvider.ts"],"names":[],"mappings":"AAAA,kCAAkC;AAClC,EAAE;AACF,+EAA+E;AAC/E,gFAAgF;AAChF,+EAA+E;AAC/E,4EAA4E;AAC5E,wEAAwE;AACxE,2DAA2D;AAC3D,EAAE;AACF,iFAAiF;AACjF,kDAAkD;AAClD,EAAE;AACF,6EAA6E;AAC7E,2EAA2E;AAC3E,8EAA8E;AAC9E,yEAAyE;AACzE,gFAAgF;AAChF,gFAAgF;AAChF,YAAY;AAEZ,OAAO,KAAK,MAAM,MAAM,QAAQ,CAAC;AACjC,OAAO,EACL,kBAAkB,EAClB,aAAa,EACb,IAAI,EACJ,OAAO,EACP,YAAY,EAEZ,OAAO,EACP,OAAO,EAER,MAAM,eAAe,CAAC;AACvB,OAAO,KAAK,SAAS,MAAM,aAAa,CAAC;AACzC,OAAO,EAAE,sBAAsB,EAAE,MAAM,0BAA0B,CAAC;AASlE;;;;GAIG;AACH,MAAM,OAAO,kBAAkB;IAC7B;;;;;OAKG;IACI,KAAK,CAAC,OAAO,CAAC,SAAiB,EAAE,GAAe;QACrD,OAAO,aAAa,CAAC,GAAG,EAAE;YACxB,IAAI,GAAG,CAAC,MAAM,KAAK,SAAS,CAAC,gBAAgB,EAAE,CAAC;gBAC9C,MAAM,IAAI,KAAK,CAAC,eAAe,SAAS,CAAC,gBAAgB,eAAe,GAAG,CAAC,MAAM,EAAE,CAAC,CAAC;YACxF,CAAC;YAED,qBAAqB;YACrB,MAAM,EAAE,GAAG,MAAM,CAAC,WAAW,CAAC,SAAS,CAAC,WAAW,CAAC,CAAC;YAErD,gBAAgB;YAChB,MAAM,MAAM,GAAG,MAAM,CAAC,cAAc,CAAC,aAAa,EAAE,GAAG,EAAE,EAAE,CAAC,CAAC;YAE7D,UAAU;YACV,MAAM,SAAS,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,MAAM,CAAC,MAAM,CAAC,SAAS,EAAE,MAAM,CAAC,EAAE,MAAM,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC;YAEpF,eAAe;YACf,MAAM,OAAO,GAAG,MAAM,CAAC,UAAU,EAAE,CAAC;YAEpC,OAAO;gBACL,EAAE,EAAE,IAAI,UAAU,CAAC,EAAE,CAAC;gBACtB,OAAO,EAAE,IAAI,UAAU,CAAC,OAAO,CAAC;gBAChC,aAAa,EAAE,IAAI,UAAU,CAAC,SAAS,CAAC;aACzC,CAAC;QACJ,CAAC,CAAC,CAAC;IACL,CAAC;IAED;;;;;;;OAOG;IACI,KAAK,CAAC,OAAO,CAClB,aAAyB,EACzB,GAAe,EACf,EAAc,EACd,OAAmB;QAEnB,IAAI,GAAG,CAAC,MAAM,KAAK,SAAS,CAAC,gBAAgB,EAAE,CAAC;YAC9C,OAAO,IAAI,CAAC,eAAe,SAAS,CAAC,gBAAgB,eAAe,GAAG,CAAC,MAAM,EAAE,CAAC,CAAC;QACpF,CAAC;QACD,IAAI,EAAE,CAAC,MAAM,KAAK,SAAS,CAAC,WAAW,EAAE,CAAC;YACxC,OAAO,IAAI,CAAC,cAAc,SAAS,CAAC,WAAW,eAAe,EAAE,CAAC,MAAM,EAAE,CAAC,CAAC;QAC7E,CAAC;QACD,IAAI,OAAO,CAAC,MAAM,KAAK,SAAS,CAAC,iBAAiB,EAAE,CAAC;YACnD,OAAO,IAAI,CAAC,oBAAoB,SAAS,CAAC,iBAAiB,eAAe,OAAO,CAAC,MAAM,EAAE,CAAC,CAAC;QAC9F,CAAC;QAED,OAAO,aAAa,CAAC,GAAG,EAAE;YACxB,kBAAkB;YAClB,MAAM,QAAQ,GAAG,MAAM,CAAC,gBAAgB,CAAC,aAAa,EAAE,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,MAAM,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC,CAAC;YAE3F,eAAe;YACf,QAAQ,CAAC,UAAU,CAAC,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,CAAC;YAE1C,UAAU;YACV,MAAM,SAAS,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC,EAAE,QAAQ,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC;YAEjG,OAAO,SAAS,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;QACpC,CAAC,CAAC,CAAC,eAAe,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,sBAAsB,CAAC,EAAE,CAAC,CAAC;IACvD,CAAC;IAED;;;OAGG;IACI,KAAK,CAAC,WAAW;QACtB,OAAO,aAAa,CAAC,GAAG,EAAE;YACxB,MAAM,GAAG,GAAG,MAAM,CAAC,WAAW,CAAC,SAAS,CAAC,gBAAgB,CAAC,CAAC;YAC3D,OAAO,IAAI,UAAU,CAAC,GAAG,CAAC,CAAC;QAC7B,CAAC,CAAC,CAAC;IACL,CAAC;IAED;;;;;;OAMG;IACI,KAAK,CAAC,SAAS,CACpB,QAAgB,EAChB,IAAgB,EAChB,UAAkB;QAElB,IAAI,UAAU,GAAG,CAAC,EAAE,CAAC;YACnB,OAAO,IAAI,CAAC,+BAA+B,CAAC,CAAC;QAC/C,CAAC;QACD,IAAI,IAAI,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACpB,OAAO,IAAI,CAAC,iCAAiC,CAAC,CAAC;QACjD,CAAC;QAED,OAAO,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,EAAE;YAC7B,MAAM,CAAC,MAAM,CACX,QAAQ,EACR,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,EACjB,UAAU,EACV,SAAS,CAAC,gBAAgB,EAC1B,QAAQ,EACR,CAAC,GAAG,EAAE,UAAU,EAAE,EAAE;gBAClB,yFAAyF;gBACzF,IAAI,GAAG,EAAE,CAAC;oBACR,OAAO,CAAC,IAAI,CAAC,0BAA0B,GAAG,CAAC,OAAO,EAAE,CAAC,CAAC,CAAC;gBACzD,CAAC;qBAAM,CAAC;oBACN,OAAO,CAAC,OAAO,CAAC,IAAI,UAAU,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC;gBAC/C,CAAC;YACH,CAAC,CACF,CAAC;QACJ,CAAC,CAAC,CAAC;IACL,CAAC;IAED;;;;OAIG;IACI,KAAK,CAAC,MAAM,CAAC,IAAY;QAC9B,OAAO,aAAa,CAAC,GAAG,EAAE;YACxB,MAAM,IAAI,GAAG,MAAM,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC;YACzC,IAAI,CAAC,MAAM,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC;YAC1B,OAAO,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;QAC5B,CAAC,CAAC,CAAC;IACL,CAAC;IAED,+EAA+E;IAC/E,2BAA2B;IAC3B,+EAA+E;IAE/E;;;;OAIG;IACI,mBAAmB,CAAC,MAAc;QACvC,IAAI,MAAM,GAAG,CAAC,EAAE,CAAC;YACf,OAAO,OAAO,CAAC,IAAI,CAAC,2BAA2B,CAAC,CAAC;QACnD,CAAC;QACD,OAAO,aAAa,CAAC,GAAG,EAAE,CAAC,IAAI,UAAU,CAAC,MAAM,CAAC,WAAW,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC;IACzE,CAAC;IAED;;;;OAIG;IACI,YAAY;QACjB,OAAO,aAAa,CAAC,GAAG,EAAE,CAAC,YAAY,EAAE,CAAC,CAAC;IAC7C,CAAC;IAED;;;;OAIG;IACI,QAAQ,CAAC,IAAgB;QAC9B,OAAO,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;IAC9C,CAAC;IAED;;;;OAIG;IACI,UAAU,CAAC,MAAc;QAC9B,yCAAyC;QACzC,IAAI,CAAC,wBAAwB,CAAC,IAAI,CAAC,MAAM,CAAC,EAAE,CAAC;YAC3C,OAAO,OAAO,CAAC,IAAI,CAAC,uBAAuB,CAAC,CAAC;QAC/C,CAAC;QACD,OAAO,OAAO,CAAC,IAAI,CAAC,IAAI,UAAU,CAAC,MAAM,CAAC,IAAI,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC,CAAC,CAAC;IACrE,CAAC;IAED,+EAA+E;IAC/E,4BAA4B;IAC5B,+EAA+E;IAE/E;;;;;OAKG;IACI,KAAK,CAAC,eAAe,CAC1B,SAA2B,EAC3B,WAAoB;QAEpB,MAAM,MAAM,GAAG,sBAAsB,CAAC,SAAS,CAAC,CAAC;QACjD,6EAA6E;QAC7E,4EAA4E;QAC5E,6EAA6E;QAC7E,kEAAkE;QAClE,MAAM,MAAM,GAAG,MAAM,kBAAkB,CAAC,KAAK,IAAI,EAAE;YACjD,MAAM,SAAS,GAAG,MAAM,MAAM,CAAC,SAAS,CAAC,MAAM,CAAC,WAAW,CACzD,MAAM,CAAC,WAAkC,EACzC,WAAW,EACX,CAAC,GAAG,MAAM,CAAC,aAAa,CAAC,CAC1B,CAAC;YACF,IAAI,YAAY,IAAI,SAAS,IAAI,WAAW,IAAI,SAAS,EAAE,CAAC;gBAC1D,OAAO,SAAS,CAAC;YACnB,CAAC;YACD,4FAA4F;YAC5F,MAAM,IAAI,KAAK,CAAC,GAAG,SAAS,2CAA2C,CAAC,CAAC;QAC3E,CAAC,CAAC,CAAC;QACH,OAAO,MAAM,CAAC,eAAe,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,sBAAsB,SAAS,aAAa,CAAC,EAAE,CAAC,CAAC;IACxF,CAAC;IAED;;;;;;;;;OASG;IACI,KAAK,CAAC,kBAAkB,CAAC,SAAoB;QAClD,IAAI,SAAS,CAAC,IAAI,KAAK,QAAQ,EAAE,CAAC;YAChC,OAAO,IAAI,CAAC,wDAAwD,SAAS,CAAC,IAAI,GAAG,CAAC,CAAC;QACzF,CAAC;QACD,MAAM,MAAM,GAAG,MAAM,kBAAkB,CAAC,GAAG,EAAE,CAAC,MAAM,CAAC,SAAS,CAAC,MAAM,CAAC,SAAS,CAAC,KAAK,EAAE,SAAS,CAAC,CAAC,CAAC;QACnG,OAAO,MAAM,CAAC,eAAe,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,uCAAuC,CAAC,EAAE,CAAC,CAAC;IACnF,CAAC;IAED;;;;;OAKG;IACI,KAAK,CAAC,kBAAkB,CAAC,GAAe,EAAE,SAA2B;QAC1E,MAAM,MAAM,GAAG,sBAAsB,CAAC,SAAS,CAAC,CAAC;QACjD,MAAM,MAAM,GAAG,MAAM,kBAAkB,CAAC,GAAG,EAAE,CAC3C,MAAM,CAAC,SAAS,CAAC,MAAM,CAAC,SAAS,CAAC,KAAK,EAAE,GAAG,EAAE,MAAM,CAAC,eAAe,EAAE,IAAI,EAAE,MAAM,CAAC,eAAe,CAAC,CACpG,CAAC;QACF,OAAO,MAAM,CAAC,eAAe,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,oBAAoB,SAAS,yBAAyB,CAAC,EAAE,CAAC,CAAC;IAClG,CAAC;IAED;;;;;;;;OAQG;IACI,KAAK,CAAC,SAAS,CACpB,SAAqB,EACrB,kBAA6B,EAC7B,OAA0B;QAE1B,MAAM,cAAc,GAAG,aAAa,CAAC,kBAAkB,EAAE,QAAQ,EAAE,sBAAsB,CAAC,CAAC;QAC3F,IAAI,cAAc,CAAC,SAAS,EAAE,EAAE,CAAC;YAC/B,OAAO,IAAI,CAAC,qBAAqB,cAAc,CAAC,OAAO,EAAE,CAAC,CAAC;QAC7D,CAAC;QACD,MAAM,MAAM,GAAG,MAAM,CAAC,SAAS,CAAC,MAAM,CAAC;QACvC,MAAM,MAAM,GAAG,MAAM,kBAAkB,CAAC,KAAK,IAAI,EAAE;YACjD,MAAM,SAAS,GAAG,CAAC,MAAM,MAAM,CAAC,WAAW,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,UAAU,EAAE,OAAO,EAAE,EAAE,IAAI,EAAE;gBACvF,WAAW;aACZ,CAAC,CAAkB,CAAC;YACrB,MAAM,QAAQ,GAAG,MAAM,MAAM,CAAC,SAAS,CACrC,EAAE,IAAI,EAAE,MAAM,EAAE,MAAM,EAAE,kBAAkB,EAAE,EAC5C,SAAS,CAAC,UAAU,EACpB,EAAE,IAAI,EAAE,MAAM,EAAE,EAChB,KAAK,EACL,CAAC,WAAW,CAAC,CACd,CAAC;YACF,MAAM,OAAO,GAAG,MAAM,MAAM,CAAC,SAAS,CACpC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,OAAO,CAAC,IAAI,EAAE,IAAI,EAAE,OAAO,CAAC,IAAI,EAAE,IAAI,EAAE,SAAS,EAAE,EACzE,QAAQ,EACR,EAAE,IAAI,EAAE,SAAS,EAAE,MAAM,EAAE,GAAG,EAAE,EAChC,KAAK,EACL,CAAC,SAAS,CAAC,CACZ,CAAC;YACF,MAAM,KAAK,GAAG,MAAM,CAAC,WAAW,CAAC,SAAS,CAAC,WAAW,CAAC,CAAC;YACxD,MAAM,KAAK,GAAG,MAAM,MAAM,CAAC,OAAO,CAAC,EAAE,IAAI,EAAE,SAAS,EAAE,EAAE,EAAE,KAAK,EAAE,EAAE,OAAO,EAAE,SAAS,CAAC,CAAC;YACvF,MAAM,kBAAkB,GAAG,MAAM,MAAM,CAAC,SAAS,CAAC,KAAK,EAAE,SAAS,CAAC,SAAS,CAAC,CAAC;YAC9E,OAAO;gBACL,kBAAkB;gBAClB,KAAK,EAAE,IAAI,CAAC,QAAQ,CAAC,KAAK,CAAC;gBAC3B,UAAU,EAAE,IAAI,CAAC,QAAQ,CAAC,IAAI,UAAU,CAAC,KAAK,CAAC,CAAC;aACjD,CAAC;QACJ,CAAC,CAAC,CAAC;QACH,OAAO,MAAM,CAAC,eAAe,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,qBAAqB,CAAC,EAAE,CAAC,CAAC;IACjE,CAAC;IAED;;;;;;;OAOG;IACI,KAAK,CAAC,WAAW,CACtB,OAAsB,EACtB,mBAA8B,EAC9B,OAA0B;QAE1B,MAAM,cAAc,GAAG,aAAa,CAAC,mBAAmB,EAAE,SAAS,EAAE,uBAAuB,CAAC,CAAC;QAC9F,IAAI,cAAc,CAAC,SAAS,EAAE,EAAE,CAAC;YAC/B,OAAO,IAAI,CAAC,uBAAuB,cAAc,CAAC,OAAO,EAAE,CAAC,CAAC;QAC/D,CAAC;QACD,MAAM,WAAW,GAAG,IAAI,CAAC,UAAU,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC;QACnD,IAAI,WAAW,CAAC,SAAS,EAAE,EAAE,CAAC;YAC5B,OAAO,IAAI,CAAC,8BAA8B,WAAW,CAAC,OAAO,EAAE,CAAC,CAAC;QACnE,CAAC;QACD,IAAI,WAAW,CAAC,KAAK,CAAC,MAAM,KAAK,SAAS,CAAC,WAAW,EAAE,CAAC;YACvD,OAAO,IAAI,CACT,qCAAqC,SAAS,CAAC,WAAW,eAAe,WAAW,CAAC,KAAK,CAAC,MAAM,GAAG,CACrG,CAAC;QACJ,CAAC;QACD,MAAM,gBAAgB,GAAG,IAAI,CAAC,UAAU,CAAC,OAAO,CAAC,UAAU,CAAC,CAAC;QAC7D,IAAI,gBAAgB,CAAC,SAAS,EAAE,EAAE,CAAC;YACjC,OAAO,IAAI,CAAC,mCAAmC,gBAAgB,CAAC,OAAO,EAAE,CAAC,CAAC;QAC7E,CAAC;QACD,IAAI,gBAAgB,CAAC,KAAK,CAAC,MAAM,GAAG,SAAS,CAAC,iBAAiB,EAAE,CAAC;YAChE,OAAO,IAAI,CACT,mDAAmD,SAAS,CAAC,iBAAiB,eAAe,gBAAgB,CAAC,KAAK,CAAC,MAAM,GAAG,CAC9H,CAAC;QACJ,CAAC;QACD,MAAM,MAAM,GAAG,MAAM,CAAC,SAAS,CAAC,MAAM,CAAC;QACvC,MAAM,MAAM,GAAG,MAAM,kBAAkB,CAAC,KAAK,IAAI,EAAE;YACjD,MAAM,YAAY,GAAG,MAAM,MAAM,CAAC,SAAS,CACzC,KAAK,EACL,OAAO,CAAC,kBAAkB,EAC1B,EAAE,IAAI,EAAE,MAAM,EAAE,UAAU,EAAE,OAAO,EAAE,EACrC,KAAK,EACL,EAAE,CACH,CAAC;YACF,MAAM,QAAQ,GAAG,MAAM,MAAM,CAAC,SAAS,CACrC,EAAE,IAAI,EAAE,MAAM,EAAE,MAAM,EAAE,YAAY,EAAE,EACtC,mBAAmB,EACnB,EAAE,IAAI,EAAE,MAAM,EAAE,EAChB,KAAK,EACL,CAAC,WAAW,CAAC,CACd,CAAC;YACF,MAAM,OAAO,GAAG,MAAM,MAAM,CAAC,SAAS,CACpC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,OAAO,CAAC,IAAI,EAAE,IAAI,EAAE,OAAO,CAAC,IAAI,EAAE,IAAI,EAAE,SAAS,EAAE,EACzE,QAAQ,EACR,EAAE,IAAI,EAAE,SAAS,EAAE,MAAM,EAAE,GAAG,EAAE,EAChC,KAAK,EACL,CAAC,SAAS,CAAC,CACZ,CAAC;YACF,MAAM,KAAK,GAAG,MAAM,MAAM,CAAC,OAAO,CAChC,EAAE,IAAI,EAAE,SAAS,EAAE,EAAE,EAAE,WAAW,CAAC,KAAK,EAAE,EAC1C,OAAO,EACP,gBAAgB,CAAC,KAAK,CACvB,CAAC;YACF,OAAO,IAAI,UAAU,CAAC,KAAK,CAAC,CAAC;QAC/B,CAAC,CAAC,CAAC;QACH,OAAO,MAAM,CAAC,eAAe,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,uBAAuB,CAAC,EAAE,CAAC,CAAC;IACnE,CAAC;CACF;AAED;;;;;;;;;;;;;GAaG;AACH,SAAS,aAAa,CAAC,GAAc,EAAE,OAA6B,EAAE,KAAa;IACjF,IAAI,GAAG,CAAC,SAAS,CAAC,IAAI,KAAK,MAAM,EAAE,CAAC;QAClC,OAAO,IAAI,CAAC,GAAG,KAAK,uCAAuC,GAAG,CAAC,SAAS,CAAC,IAAI,IAAI,CAAC,CAAC;IACrF,CAAC;IACD,MAAM,UAAU,GAAI,GAAG,CAAC,SAA4B,CAAC,UAAU,CAAC;IAChE,IAAI,UAAU,KAAK,OAAO,EAAE,CAAC;QAC3B,OAAO,IAAI,CAAC,GAAG,KAAK,mCAAmC,UAAU,IAAI,CAAC,CAAC;IACzE,CAAC;IACD,IAAI,GAAG,CAAC,IAAI,KAAK,OAAO,EAAE,CAAC;QACzB,OAAO,IAAI,CAAC,GAAG,KAAK,cAAc,OAAO,oBAAoB,GAAG,CAAC,IAAI,IAAI,CAAC,CAAC;IAC7E,CAAC;IACD,OAAO,OAAO,CAAC,GAAG,CAAC,CAAC;AACtB,CAAC;AAED;;;GAGG;AACH,MAAM,CAAC,MAAM,kBAAkB,GAAuB,IAAI,kBAAkB,EAAE,CAAC","sourcesContent":["// Copyright (c) 2024 Erik Fortune\n//\n// Permission is hereby granted, free of charge, to any person obtaining a copy\n// of this software and associated documentation files (the \"Software\"), to deal\n// in the Software without restriction, including without limitation the rights\n// to use, copy, modify, merge, publish, distribute, sublicense, and/or sell\n// copies of the Software, and to permit persons to whom the Software is\n// furnished to do so, subject to the following conditions:\n//\n// The above copyright notice and this permission notice shall be included in all\n// copies or substantial portions of the Software.\n//\n// THE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR\n// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,\n// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE\n// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER\n// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,\n// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE\n// SOFTWARE.\n\nimport * as crypto from 'crypto';\nimport {\n  captureAsyncResult,\n  captureResult,\n  fail,\n  Failure,\n  generateUuid,\n  Result,\n  succeed,\n  Success,\n  Uuid\n} from '@fgv/ts-utils';\nimport * as Constants from './constants';\nimport { keyPairAlgorithmParams } from './keyPairAlgorithmParams';\nimport {\n  ICryptoProvider,\n  IEncryptionResult,\n  IWrapBytesOptions,\n  IWrappedBytes,\n  KeyPairAlgorithm\n} from './model';\n\n/**\n * Node.js implementation of {@link CryptoUtils.ICryptoProvider} using the built-in crypto module.\n * Uses AES-256-GCM for authenticated encryption.\n * @public\n */\nexport class NodeCryptoProvider implements ICryptoProvider {\n  /**\n   * Encrypts plaintext using AES-256-GCM.\n   * @param plaintext - UTF-8 string to encrypt\n   * @param key - 32-byte encryption key\n   * @returns `Success` with encryption result, or `Failure` with an error.\n   */\n  public async encrypt(plaintext: string, key: Uint8Array): Promise<Result<IEncryptionResult>> {\n    return captureResult(() => {\n      if (key.length !== Constants.AES_256_KEY_SIZE) {\n        throw new Error(`Key must be ${Constants.AES_256_KEY_SIZE} bytes, got ${key.length}`);\n      }\n\n      // Generate random IV\n      const iv = crypto.randomBytes(Constants.GCM_IV_SIZE);\n\n      // Create cipher\n      const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);\n\n      // Encrypt\n      const encrypted = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);\n\n      // Get auth tag\n      const authTag = cipher.getAuthTag();\n\n      return {\n        iv: new Uint8Array(iv),\n        authTag: new Uint8Array(authTag),\n        encryptedData: new Uint8Array(encrypted)\n      };\n    });\n  }\n\n  /**\n   * Decrypts ciphertext using AES-256-GCM.\n   * @param encryptedData - Encrypted bytes\n   * @param key - 32-byte decryption key\n   * @param iv - Initialization vector (12 bytes)\n   * @param authTag - GCM authentication tag (16 bytes)\n   * @returns `Success` with decrypted UTF-8 string, or `Failure` with an error.\n   */\n  public async decrypt(\n    encryptedData: Uint8Array,\n    key: Uint8Array,\n    iv: Uint8Array,\n    authTag: Uint8Array\n  ): Promise<Result<string>> {\n    if (key.length !== Constants.AES_256_KEY_SIZE) {\n      return fail(`Key must be ${Constants.AES_256_KEY_SIZE} bytes, got ${key.length}`);\n    }\n    if (iv.length !== Constants.GCM_IV_SIZE) {\n      return fail(`IV must be ${Constants.GCM_IV_SIZE} bytes, got ${iv.length}`);\n    }\n    if (authTag.length !== Constants.GCM_AUTH_TAG_SIZE) {\n      return fail(`Auth tag must be ${Constants.GCM_AUTH_TAG_SIZE} bytes, got ${authTag.length}`);\n    }\n\n    return captureResult(() => {\n      // Create decipher\n      const decipher = crypto.createDecipheriv('aes-256-gcm', Buffer.from(key), Buffer.from(iv));\n\n      // Set auth tag\n      decipher.setAuthTag(Buffer.from(authTag));\n\n      // Decrypt\n      const decrypted = Buffer.concat([decipher.update(Buffer.from(encryptedData)), decipher.final()]);\n\n      return decrypted.toString('utf8');\n    }).withErrorFormat((e) => `Decryption failed: ${e}`);\n  }\n\n  /**\n   * Generates a random 32-byte key suitable for AES-256.\n   * @returns `Success` with generated key, or `Failure` with an error.\n   */\n  public async generateKey(): Promise<Result<Uint8Array>> {\n    return captureResult(() => {\n      const key = crypto.randomBytes(Constants.AES_256_KEY_SIZE);\n      return new Uint8Array(key);\n    });\n  }\n\n  /**\n   * Derives a key from a password using PBKDF2.\n   * @param password - Password string\n   * @param salt - Salt bytes (should be at least 16 bytes)\n   * @param iterations - Number of iterations (recommend 100000+)\n   * @returns `Success` with derived 32-byte key, or `Failure` with an error.\n   */\n  public async deriveKey(\n    password: string,\n    salt: Uint8Array,\n    iterations: number\n  ): Promise<Result<Uint8Array>> {\n    if (iterations < 1) {\n      return fail('Iterations must be at least 1');\n    }\n    if (salt.length < 8) {\n      return fail('Salt should be at least 8 bytes');\n    }\n\n    return new Promise((resolve) => {\n      crypto.pbkdf2(\n        password,\n        Buffer.from(salt),\n        iterations,\n        Constants.AES_256_KEY_SIZE,\n        'sha256',\n        (err, derivedKey) => {\n          /* c8 ignore next 3 - PBKDF2 internal errors are hard to trigger with valid parameters */\n          if (err) {\n            resolve(fail(`Key derivation failed: ${err.message}`));\n          } else {\n            resolve(succeed(new Uint8Array(derivedKey)));\n          }\n        }\n      );\n    });\n  }\n\n  /**\n   * Computes a SHA-256 hash of the given data.\n   * @param data - UTF-8 string to hash\n   * @returns `Success` with hex-encoded hash string, or `Failure` with an error.\n   */\n  public async sha256(data: string): Promise<Result<string>> {\n    return captureResult(() => {\n      const hash = crypto.createHash('sha256');\n      hash.update(data, 'utf8');\n      return hash.digest('hex');\n    });\n  }\n\n  // ============================================================================\n  // Platform Utility Methods\n  // ============================================================================\n\n  /**\n   * Generates cryptographically secure random bytes.\n   * @param length - Number of bytes to generate\n   * @returns Success with random bytes, or Failure with error\n   */\n  public generateRandomBytes(length: number): Result<Uint8Array> {\n    if (length < 1) {\n      return Failure.with('Length must be at least 1');\n    }\n    return captureResult(() => new Uint8Array(crypto.randomBytes(length)));\n  }\n\n  /**\n   * Generates a cryptographically random UUIDv4 via the platform Web Crypto API.\n   * @returns `Success` with the generated UUID, or `Failure` if the runtime\n   * does not expose `globalThis.crypto.randomUUID`.\n   */\n  public generateUuid(): Result<Uuid> {\n    return captureResult(() => generateUuid());\n  }\n\n  /**\n   * Encodes binary data to base64 string.\n   * @param data - Binary data to encode\n   * @returns Base64-encoded string\n   */\n  public toBase64(data: Uint8Array): string {\n    return Buffer.from(data).toString('base64');\n  }\n\n  /**\n   * Decodes base64 string to binary data.\n   * @param base64 - Base64-encoded string\n   * @returns Success with decoded bytes, or Failure if invalid base64\n   */\n  public fromBase64(base64: string): Result<Uint8Array> {\n    // Check for obviously invalid characters\n    if (!/^[A-Za-z0-9+/]*={0,2}$/.test(base64)) {\n      return Failure.with('Invalid base64 string');\n    }\n    return Success.with(new Uint8Array(Buffer.from(base64, 'base64')));\n  }\n\n  // ============================================================================\n  // Asymmetric Key Operations\n  // ============================================================================\n\n  /**\n   * Generates a new asymmetric keypair using Node's WebCrypto.\n   * @param algorithm - The {@link CryptoUtils.KeyPairAlgorithm | algorithm} to use.\n   * @param extractable - Whether the resulting keys may be exported.\n   * @returns `Success` with the generated `CryptoKeyPair`, or `Failure` with an error.\n   */\n  public async generateKeyPair(\n    algorithm: KeyPairAlgorithm,\n    extractable: boolean\n  ): Promise<Result<CryptoKeyPair>> {\n    const params = keyPairAlgorithmParams[algorithm];\n    // Widening upcast to `AlgorithmIdentifier` steers TS to subtle.generateKey's\n    // broad overload, which accepts the Ed25519 `{ name: 'Ed25519' }` shape and\n    // returns `CryptoKey | CryptoKeyPair`. The narrowing back to `CryptoKeyPair`\n    // is a runtime check via the `in` operator, not a type assertion.\n    const result = await captureAsyncResult(async () => {\n      const generated = await crypto.webcrypto.subtle.generateKey(\n        params.generateKey as AlgorithmIdentifier,\n        extractable,\n        [...params.keyPairUsages]\n      );\n      if ('privateKey' in generated && 'publicKey' in generated) {\n        return generated;\n      }\n      /* c8 ignore next - unreachable: every entry in keyPairAlgorithmParams produces a keypair */\n      throw new Error(`${algorithm} unexpectedly produced a single CryptoKey`);\n    });\n    return result.withErrorFormat((e) => `Failed to generate ${algorithm} keypair: ${e}`);\n  }\n\n  /**\n   * Exports a public `CryptoKey` as a JSON Web Key.\n   * @remarks\n   * Rejects non-public keys at runtime. WebCrypto's `exportKey('jwk', ...)`\n   * does not enforce public-vs-private; without this guard a caller that\n   * passed an extractable private key would receive its private fields\n   * (`d`, `p`, `q`, ...) as JWK, defeating the method's name.\n   * @param publicKey - Extractable public key to export.\n   * @returns `Success` with the JWK, or `Failure` if not a public key or if export fails.\n   */\n  public async exportPublicKeyJwk(publicKey: CryptoKey): Promise<Result<JsonWebKey>> {\n    if (publicKey.type !== 'public') {\n      return fail(`exportPublicKeyJwk requires a public CryptoKey, got '${publicKey.type}'`);\n    }\n    const result = await captureAsyncResult(() => crypto.webcrypto.subtle.exportKey('jwk', publicKey));\n    return result.withErrorFormat((e) => `Failed to export public key as JWK: ${e}`);\n  }\n\n  /**\n   * Imports a public-key JWK as a `CryptoKey` for the requested algorithm.\n   * @param jwk - The JSON Web Key produced by a prior export.\n   * @param algorithm - The algorithm the key was generated for.\n   * @returns `Success` with the imported public `CryptoKey`, or `Failure` with an error.\n   */\n  public async importPublicKeyJwk(jwk: JsonWebKey, algorithm: KeyPairAlgorithm): Promise<Result<CryptoKey>> {\n    const params = keyPairAlgorithmParams[algorithm];\n    const result = await captureAsyncResult(() =>\n      crypto.webcrypto.subtle.importKey('jwk', jwk, params.importPublicKey, true, params.publicKeyUsages)\n    );\n    return result.withErrorFormat((e) => `Failed to import ${algorithm} public key from JWK: ${e}`);\n  }\n\n  /**\n   * Wraps `plaintext` for the holder of `recipientPublicKey` using\n   * ECIES (ECDH P-256 + HKDF-SHA256 + AES-GCM-256). See\n   * {@link CryptoUtils.ICryptoProvider.wrapBytes | ICryptoProvider.wrapBytes}.\n   * @param plaintext - The bytes to wrap.\n   * @param recipientPublicKey - The recipient's ECDH P-256 public `CryptoKey`.\n   * @param options - HKDF salt and info; see {@link CryptoUtils.IWrapBytesOptions | IWrapBytesOptions}.\n   * @returns `Success` with the wrapped payload, or `Failure` with an error.\n   */\n  public async wrapBytes(\n    plaintext: Uint8Array,\n    recipientPublicKey: CryptoKey,\n    options: IWrapBytesOptions\n  ): Promise<Result<IWrappedBytes>> {\n    const recipientCheck = checkEcdhP256(recipientPublicKey, 'public', 'recipient public key');\n    if (recipientCheck.isFailure()) {\n      return fail(`wrapBytes failed: ${recipientCheck.message}`);\n    }\n    const subtle = crypto.webcrypto.subtle;\n    const result = await captureAsyncResult(async () => {\n      const ephemeral = (await subtle.generateKey({ name: 'ECDH', namedCurve: 'P-256' }, true, [\n        'deriveKey'\n      ])) as CryptoKeyPair;\n      const hkdfBase = await subtle.deriveKey(\n        { name: 'ECDH', public: recipientPublicKey },\n        ephemeral.privateKey,\n        { name: 'HKDF' },\n        false,\n        ['deriveKey']\n      );\n      const wrapKey = await subtle.deriveKey(\n        { name: 'HKDF', salt: options.salt, info: options.info, hash: 'SHA-256' },\n        hkdfBase,\n        { name: 'AES-GCM', length: 256 },\n        false,\n        ['encrypt']\n      );\n      const nonce = crypto.randomBytes(Constants.GCM_IV_SIZE);\n      const ctBuf = await subtle.encrypt({ name: 'AES-GCM', iv: nonce }, wrapKey, plaintext);\n      const ephemeralPublicKey = await subtle.exportKey('jwk', ephemeral.publicKey);\n      return {\n        ephemeralPublicKey,\n        nonce: this.toBase64(nonce),\n        ciphertext: this.toBase64(new Uint8Array(ctBuf))\n      };\n    });\n    return result.withErrorFormat((e) => `wrapBytes failed: ${e}`);\n  }\n\n  /**\n   * Unwraps a payload produced by `wrapBytes` using the recipient's private\n   * key. See {@link CryptoUtils.ICryptoProvider.unwrapBytes | ICryptoProvider.unwrapBytes}.\n   * @param wrapped - The wrapped payload.\n   * @param recipientPrivateKey - The recipient's ECDH P-256 private `CryptoKey`.\n   * @param options - HKDF salt and info matching the wrap call.\n   * @returns `Success` with the original `plaintext`, or `Failure` with an error.\n   */\n  public async unwrapBytes(\n    wrapped: IWrappedBytes,\n    recipientPrivateKey: CryptoKey,\n    options: IWrapBytesOptions\n  ): Promise<Result<Uint8Array>> {\n    const recipientCheck = checkEcdhP256(recipientPrivateKey, 'private', 'recipient private key');\n    if (recipientCheck.isFailure()) {\n      return fail(`unwrapBytes failed: ${recipientCheck.message}`);\n    }\n    const nonceResult = this.fromBase64(wrapped.nonce);\n    if (nonceResult.isFailure()) {\n      return fail(`unwrapBytes failed: nonce: ${nonceResult.message}`);\n    }\n    if (nonceResult.value.length !== Constants.GCM_IV_SIZE) {\n      return fail(\n        `unwrapBytes failed: nonce must be ${Constants.GCM_IV_SIZE} bytes (got ${nonceResult.value.length})`\n      );\n    }\n    const ciphertextResult = this.fromBase64(wrapped.ciphertext);\n    if (ciphertextResult.isFailure()) {\n      return fail(`unwrapBytes failed: ciphertext: ${ciphertextResult.message}`);\n    }\n    if (ciphertextResult.value.length < Constants.GCM_AUTH_TAG_SIZE) {\n      return fail(\n        `unwrapBytes failed: ciphertext must be at least ${Constants.GCM_AUTH_TAG_SIZE} bytes (got ${ciphertextResult.value.length})`\n      );\n    }\n    const subtle = crypto.webcrypto.subtle;\n    const result = await captureAsyncResult(async () => {\n      const ephemeralPub = await subtle.importKey(\n        'jwk',\n        wrapped.ephemeralPublicKey,\n        { name: 'ECDH', namedCurve: 'P-256' },\n        false,\n        []\n      );\n      const hkdfBase = await subtle.deriveKey(\n        { name: 'ECDH', public: ephemeralPub },\n        recipientPrivateKey,\n        { name: 'HKDF' },\n        false,\n        ['deriveKey']\n      );\n      const wrapKey = await subtle.deriveKey(\n        { name: 'HKDF', salt: options.salt, info: options.info, hash: 'SHA-256' },\n        hkdfBase,\n        { name: 'AES-GCM', length: 256 },\n        false,\n        ['decrypt']\n      );\n      const ptBuf = await subtle.decrypt(\n        { name: 'AES-GCM', iv: nonceResult.value },\n        wrapKey,\n        ciphertextResult.value\n      );\n      return new Uint8Array(ptBuf);\n    });\n    return result.withErrorFormat((e) => `unwrapBytes failed: ${e}`);\n  }\n}\n\n/**\n * Verifies that `key` is an ECDH P-256 `CryptoKey` of the expected `keyType`\n * (public or private). Used by the wrap/unwrap methods to surface a clean\n * `Failure` instead of letting the WebCrypto deriveKey call throw a less\n * informative error later in the pipeline. Key usages are intentionally not\n * checked here: WebCrypto already produces a specific error if `deriveKey` is\n * not in `usages`, and `deriveBits` is an equally valid alternative usage that\n * an explicit check would have to track.\n * @param key - The CryptoKey to validate.\n * @param keyType - The required `key.type` ('public' for wrap, 'private' for unwrap).\n * @param label - Human-readable role label included in the failure message.\n * @returns `Success` with the key (unchanged) when the algorithm, curve, and\n * type all match; otherwise `Failure` with `<label> must be ECDH P-256 (...)`.\n */\nfunction checkEcdhP256(key: CryptoKey, keyType: 'public' | 'private', label: string): Result<CryptoKey> {\n  if (key.algorithm.name !== 'ECDH') {\n    return fail(`${label} must be ECDH P-256 (got algorithm '${key.algorithm.name}')`);\n  }\n  const namedCurve = (key.algorithm as EcKeyAlgorithm).namedCurve;\n  if (namedCurve !== 'P-256') {\n    return fail(`${label} must be ECDH P-256 (got curve '${namedCurve}')`);\n  }\n  if (key.type !== keyType) {\n    return fail(`${label} must be a ${keyType} CryptoKey (got '${key.type}')`);\n  }\n  return succeed(key);\n}\n\n/**\n * Singleton instance of {@link CryptoUtils.NodeCryptoProvider}.\n * @public\n */\nexport const nodeCryptoProvider: NodeCryptoProvider = new NodeCryptoProvider();\n"]}

package/dist/ts-extras.d.ts

@@ -6,6 +6,7 @@ import { Hash as Hash_2 } from '@fgv/ts-utils';
 import { JsonValue } from '@fgv/ts-json-base';
 import { Logging } from '@fgv/ts-utils';
 import { Result } from '@fgv/ts-utils';
+import { Uuid } from '@fgv/ts-utils';
 import { Validator } from '@fgv/ts-utils';
 
 /**
@@ -87,7 +88,17 @@ declare namespace AiAssist {
         aiAssistSettings,
         modelSpecKey,
         modelSpec,
-        resolveEffectiveTools
+        resolveEffectiveTools,
+        extractJsonText,
+        fencedStringifiedJson,
+        IFencedStringifiedJsonExtractorOptions,
+        IFencedStringifiedJsonOptions,
+        JsonTextExtractor,
+        generateJsonCompletion,
+        SMART_JSON_PROMPT_HINT,
+        IGenerateJsonCompletionParams,
+        IGenerateJsonCompletionResult,
+        JsonPromptHint
     }
 }
 export { AiAssist }
@@ -768,6 +779,54 @@ declare class ExtendedArray<T> extends Array<T> {
  */
 declare function extendedArrayOf<T, TC = undefined>(label: string, converter: Converter<T, TC>, onError?: Conversion.OnError): Converter<ExtendedArray<T>, TC>;
 
+/**
+ * Default {@link AiAssist.JsonTextExtractor | extractor} for LLM responses. Tolerates:
+ *
+ * - Leading/trailing whitespace and a leading byte-order mark.
+ * - Markdown code fences (with or without a language tag).
+ * - Conversational preamble before the first `{` or `[`.
+ * - Trailing prose after the matched closing `}` or `]`.
+ *
+ * Out of scope: repairing malformed JSON, handling smart quotes, etc.
+ *
+ * @param text - Raw model output.
+ * @returns A `Result<string>` containing the JSON-shaped substring, or a
+ * `Failure` if no JSON-shaped substring was found.
+ * @public
+ */
+declare const extractJsonText: JsonTextExtractor;
+
+/**
+ * Creates a `Converter` that accepts raw LLM response text, runs it through a
+ * tolerant extractor (default: {@link AiAssist.extractJsonText}), parses the
+ * extracted substring as JSON, and applies an optional inner converter or
+ * validator.
+ *
+ * @example
+ * ```ts
+ * const converter = fencedStringifiedJson({ inner: myShapeConverter });
+ * const result = converter.convert(llmText); // Result<MyShape>
+ * ```
+ *
+ * @param options - Optional extractor; omit to keep the default. Without an
+ * `inner` step, the converter resolves to the parsed `JsonValue`.
+ * @returns A `Converter<JsonValue>`.
+ * @public
+ */
+declare function fencedStringifiedJson(options?: IFencedStringifiedJsonExtractorOptions): Converter<JsonValue>;
+
+/**
+ * Creates a `Converter` that accepts raw LLM response text, runs it through a
+ * tolerant extractor (default: {@link AiAssist.extractJsonText}), parses the
+ * extracted substring as JSON, and applies the supplied inner converter or
+ * validator.
+ *
+ * @param options - Required `inner` converter/validator and optional extractor.
+ * @returns A `Converter<T>`.
+ * @public
+ */
+declare function fencedStringifiedJson<T>(options: IFencedStringifiedJsonOptions<T>): Converter<T>;
+
 /**
  * Formats a list of items using the supplied template and formatter, one result
  * per output line.
@@ -859,6 +918,27 @@ declare const GCM_AUTH_TAG_SIZE: number;
  */
 declare const GCM_IV_SIZE: number;
 
+/**
+ * Calls {@link AiAssist.callProviderCompletion}, then runs the response text
+ * through a tolerant JSON converter (default:
+ * {@link AiAssist.fencedStringifiedJson}) and the caller's
+ * `converter`/`validator`. Returns the validated value plus the raw text and
+ * underlying completion response for diagnostics.
+ *
+ * @remarks
+ * The default smart prompt hint asks the model to emit raw JSON. The read-side
+ * extractor still tolerates fences and prose, so models that ignore the hint
+ * are still handled.
+ *
+ * Either `converter` or `jsonConverter` must be provided; passing both lets
+ * `jsonConverter` win.
+ *
+ * @param params - Provider parameters plus JSON validation options.
+ * @returns The validated value, the raw text, and the underlying response.
+ * @public
+ */
+declare function generateJsonCompletion<T>(params: IGenerateJsonCompletionParams<T>): Promise<Result<IGenerateJsonCompletionResult<T>>>;
+
 /**
  * Get a provider descriptor by id.
  * @param id - The provider identifier
@@ -1540,6 +1620,15 @@ declare interface ICryptoProvider {
      * @returns Success with random bytes, or Failure with error
      */
     generateRandomBytes(length: number): Result<Uint8Array>;
+    /**
+     * Generates a cryptographically random UUIDv4 using the provider's
+     * underlying source of randomness. The default Node and browser
+     * implementations delegate to `globalThis.crypto.randomUUID`;
+     * deterministic providers (e.g. test stubs) may override to produce
+     * reproducible values.
+     * @returns Success with a canonical UUID, or Failure with error.
+     */
+    generateUuid(): Result<Uuid>;
     /**
      * Encodes binary data to base64 string.
      * @param data - Binary data to encode
@@ -1757,6 +1846,70 @@ declare interface IEncryptionResult {
     readonly encryptedData: Uint8Array;
 }
 
+/**
+ * Options shared by every {@link AiAssist.fencedStringifiedJson} call.
+ * @public
+ */
+declare interface IFencedStringifiedJsonExtractorOptions {
+    /**
+     * Optional pre-parse extractor. Defaults to {@link AiAssist.extractJsonText}.
+     * Provide a custom extractor to handle response shapes the default does not
+     * understand.
+     */
+    readonly extractor?: JsonTextExtractor;
+}
+
+/**
+ * Options for the validating overload of {@link AiAssist.fencedStringifiedJson}.
+ * `inner` is required so the typed `Converter<T>` return value can never lie
+ * about the runtime shape.
+ * @public
+ */
+declare interface IFencedStringifiedJsonOptions<T> extends IFencedStringifiedJsonExtractorOptions {
+    /** Inner converter or validator applied to the parsed JSON value. */
+    readonly inner: Converter<T> | Validator<T>;
+}
+
+/**
+ * Parameters for {@link AiAssist.generateJsonCompletion}. Extends
+ * {@link AiAssist.IProviderCompletionParams} with JSON-validation knobs.
+ * @public
+ */
+declare interface IGenerateJsonCompletionParams<T> extends IProviderCompletionParams {
+    /**
+     * Caller-supplied `Converter<T>` or `Validator<T>` applied to the parsed
+     * JSON value. Wrapped internally in {@link AiAssist.fencedStringifiedJson}
+     * unless {@link AiAssist.IGenerateJsonCompletionParams.jsonConverter} is
+     * provided.
+     */
+    readonly converter?: Converter<T> | Validator<T>;
+    /**
+     * Full string-to-`T` pipeline override. When supplied, takes precedence over
+     * {@link AiAssist.IGenerateJsonCompletionParams.converter} and lets the
+     * caller plug in a custom extractor or skip the default fence tolerance
+     * entirely.
+     */
+    readonly jsonConverter?: Converter<T>;
+    /**
+     * Controls the optional system-prompt augmentation. Defaults to `'smart'`.
+     * Pass `'none'` to disable, or a string to append custom guidance.
+     */
+    readonly promptHint?: JsonPromptHint;
+}
+
+/**
+ * Successful result of {@link AiAssist.generateJsonCompletion}.
+ * @public
+ */
+declare interface IGenerateJsonCompletionResult<T> {
+    /** The validated JSON value. */
+    readonly value: T;
+    /** The raw response text returned by the provider. */
+    readonly raw: string;
+    /** The full underlying completion response. */
+    readonly response: IAiCompletionResponse;
+}
+
 /**
  * Options for importing raw key material via {@link KeyStore.importSecret}.
  * Extends {@link IImportSecretOptions} with a type classification.
@@ -2575,6 +2728,31 @@ declare interface JarRecordParserOptions {
     readonly fixedContinuationSize?: number;
 }
 
+/**
+ * Controls the optional system-prompt augmentation applied by
+ * {@link AiAssist.generateJsonCompletion}.
+ *
+ * - `'smart'` (default): append {@link AiAssist.SMART_JSON_PROMPT_HINT}.
+ * - `'none'`: do not modify the prompt.
+ * - A string: append the supplied text verbatim.
+ *
+ * @remarks
+ * The `string & {}` branch is the standard TypeScript trick that prevents
+ * the literal members from being widened away — callers still get
+ * autocomplete for `'smart'` and `'none'` while accepting any string.
+ *
+ * @public
+ */
+declare type JsonPromptHint = 'smart' | 'none' | (string & {});
+
+/**
+ * A function that pulls a JSON-shaped substring out of arbitrary model text.
+ * Implementations strip whatever wrappers the model added (fences, preamble,
+ * trailing prose) and return the JSON-shaped substring ready for `JSON.parse`.
+ * @public
+ */
+declare type JsonTextExtractor = (text: string) => Result<string>;
+
 /**
  * In-place shape check for a JSON Web Key. Asserts only that the input is a
  * non-array object whose `kty` discriminator is a string; every other JWK
@@ -2882,6 +3060,41 @@ declare class KeyStore_2 implements IEncryptionProvider {
      * @public
      */
     addSecretFromPassword(name: string, password: string, options?: IAddSecretFromPasswordOptions): Promise<Result<IAddSecretFromPasswordResult>>;
+    /**
+     * Verifies that a candidate password derives the same key material currently
+     * stored under `name`, using the supplied
+     * {@link CryptoUtils.IKeyDerivationParams | key derivation parameters}.
+     *
+     * The keystore does not persist per-slot key derivation parameters with the
+     * entry — callers receive them from `addSecretFromPassword` and store them
+     * alongside the encrypted artifact (or wherever else makes sense). Pass
+     * those same parameters here for verification.
+     *
+     * Re-derives a key from `password` + `keyDerivation`, then compares it to
+     * the stored key material in constant time. Restricted to entries of type
+     * `'encryption-key'` — the type produced by `addSecretFromPassword`. Other
+     * symmetric types (`'api-key'`) and asymmetric entries are rejected so
+     * the boolean result reflects "this slot accepts this password" rather
+     * than an incidental byte-equality match against unrelated material.
+     *
+     * Note: the keystore does not currently flag whether an `'encryption-key'`
+     * entry was actually password-derived (vs. random via `addSecret` or raw
+     * via `importSecret`). A `true` result therefore means "the candidate
+     * password produces the same 32 bytes currently stored", which is what
+     * the equivalent consumer-side helper (`verifyGatePassword`) already
+     * implies for entries it manages.
+     *
+     * @param name - Name of the secret to verify against
+     * @param password - Candidate password to test
+     * @param keyDerivation - The key derivation parameters returned by
+     * `addSecretFromPassword` when the secret was created. Only
+     * `kdf: 'pbkdf2'` is supported.
+     * @returns Success(true) when the candidate matches the stored key,
+     * Success(false) when it does not, Failure if locked, secret missing,
+     * wrong type, unsupported `kdf`, or key derivation fails
+     * @public
+     */
+    verifySecretFromPassword(name: string, password: string, keyDerivation: IKeyDerivationParams): Promise<Result<boolean>>;
     /**
      * Removes a secret by name. Vault-first: the in-memory vault entry is dropped
      * before any storage cleanup runs. For asymmetric-keypair entries, best-effort
@@ -3028,6 +3241,13 @@ declare class KeyStore_2 implements IEncryptionProvider {
      * @returns A warning string if storage cleanup failed, otherwise undefined.
      */
     private _releaseEntryResources;
+    /**
+     * Constant-time byte comparison. Returns false immediately for length
+     * mismatch (length is not secret); for equal-length inputs, walks the full
+     * buffer accumulating differences via XOR so the running time does not leak
+     * the position of the first differing byte.
+     */
+    private static _timingSafeEqual;
     /**
      * Mints a fresh UUID v4 storage handle using the crypto provider's
      * {@link CryptoUtils.ICryptoProvider.generateRandomBytes | generateRandomBytes}.
@@ -3346,6 +3566,12 @@ declare class NodeCryptoProvider implements ICryptoProvider {
      * @returns Success with random bytes, or Failure with error
      */
     generateRandomBytes(length: number): Result<Uint8Array>;
+    /**
+     * Generates a cryptographically random UUIDv4 via the platform Web Crypto API.
+     * @returns `Success` with the generated UUID, or `Failure` if the runtime
+     * does not expose `globalThis.crypto.randomUUID`.
+     */
+    generateUuid(): Result<Uuid>;
     /**
      * Encodes binary data to base64 string.
      * @param data - Binary data to encode
@@ -3670,6 +3896,14 @@ declare function resolveModel(spec: ModelSpec, context?: string): string;
  */
 declare type SecretProvider = (secretName: string) => Promise<Result<Uint8Array>>;
 
+/**
+ * Default system-prompt suffix appended when {@link AiAssist.IGenerateJsonCompletionParams.promptHint}
+ * is `'smart'` (the default). Designed to discourage code fences and prose in
+ * the model's response while still tolerating them via the read-side extractor.
+ * @public
+ */
+declare const SMART_JSON_PROMPT_HINT: string;
+
 /**
  * Whether a provider declares any image-generation capability at all.
  *

package/lib/packlets/ai-assist/index.d.ts

@@ -8,4 +8,6 @@ export { callProviderCompletion, callProxiedCompletion, callProviderImageGenerat
 export { callProviderCompletionStream, callProxiedCompletionStream, type IProviderCompletionStreamParams } from './streamingClient';
 export { aiProviderId, aiServerToolType, aiWebSearchToolConfig, aiServerToolConfig, aiToolEnablement, aiAssistProviderConfig, aiAssistSettings, modelSpecKey, modelSpec } from './converters';
 export { resolveEffectiveTools } from './toolFormats';
+export { extractJsonText, fencedStringifiedJson, type IFencedStringifiedJsonExtractorOptions, type IFencedStringifiedJsonOptions, type JsonTextExtractor } from './jsonResponse';
+export { generateJsonCompletion, SMART_JSON_PROMPT_HINT, type IGenerateJsonCompletionParams, type IGenerateJsonCompletionResult, type JsonPromptHint } from './jsonCompletion';
 //# sourceMappingURL=index.d.ts.map

package/lib/packlets/ai-assist/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/packlets/ai-assist/index.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,EACL,QAAQ,EACR,KAAK,iBAAiB,EACtB,KAAK,YAAY,EACjB,KAAK,gBAAgB,EACrB,KAAK,kBAAkB,EACvB,KAAK,sBAAsB,EAC3B,KAAK,iBAAiB,EACtB,KAAK,qBAAqB,EAC1B,KAAK,YAAY,EACjB,KAAK,WAAW,EAChB,KAAK,gBAAgB,EACrB,KAAK,uBAAuB,EAC5B,KAAK,qBAAqB,EAC1B,KAAK,uBAAuB,EAC5B,KAAK,iBAAiB,EACtB,iBAAiB,EACjB,KAAK,iBAAiB,EACtB,KAAK,kBAAkB,EACvB,KAAK,YAAY,EACjB,KAAK,yBAAyB,EAC9B,KAAK,wBAAwB,EAC7B,KAAK,iBAAiB,EACtB,KAAK,0BAA0B,EAC/B,KAAK,sBAAsB,EAC3B,KAAK,wBAAwB,EAC7B,KAAK,YAAY,EACjB,KAAK,cAAc,EACnB,KAAK,kBAAkB,EACvB,KAAK,kBAAkB,EACvB,KAAK,aAAa,EAClB,KAAK,cAAc,EACnB,KAAK,SAAS,EACd,KAAK,YAAY,EACjB,KAAK,aAAa,EAClB,gBAAgB,EAChB,mBAAmB,EACnB,YAAY,EACZ,SAAS,EACV,MAAM,SAAS,CAAC;AAEjB,OAAO,EACL,cAAc,EACd,sBAAsB,EACtB,qBAAqB,EACrB,sBAAsB,EACtB,uBAAuB,EACvB,+BAA+B,EAChC,MAAM,YAAY,CAAC;AAEpB,OAAO,EACL,sBAAsB,EACtB,qBAAqB,EACrB,2BAA2B,EAC3B,0BAA0B,EAC1B,sBAAsB,EACtB,qBAAqB,EACrB,KAAK,yBAAyB,EAC9B,KAAK,8BAA8B,EACnC,KAAK,yBAAyB,EAC/B,MAAM,aAAa,CAAC;AAErB,OAAO,EACL,4BAA4B,EAC5B,2BAA2B,EAC3B,KAAK,+BAA+B,EACrC,MAAM,mBAAmB,CAAC;AAE3B,OAAO,EACL,YAAY,EACZ,gBAAgB,EAChB,qBAAqB,EACrB,kBAAkB,EAClB,gBAAgB,EAChB,sBAAsB,EACtB,gBAAgB,EAChB,YAAY,EACZ,SAAS,EACV,MAAM,cAAc,CAAC;AAEtB,OAAO,EAAE,qBAAqB,EAAE,MAAM,eAAe,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/packlets/ai-assist/index.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,EACL,QAAQ,EACR,KAAK,iBAAiB,EACtB,KAAK,YAAY,EACjB,KAAK,gBAAgB,EACrB,KAAK,kBAAkB,EACvB,KAAK,sBAAsB,EAC3B,KAAK,iBAAiB,EACtB,KAAK,qBAAqB,EAC1B,KAAK,YAAY,EACjB,KAAK,WAAW,EAChB,KAAK,gBAAgB,EACrB,KAAK,uBAAuB,EAC5B,KAAK,qBAAqB,EAC1B,KAAK,uBAAuB,EAC5B,KAAK,iBAAiB,EACtB,iBAAiB,EACjB,KAAK,iBAAiB,EACtB,KAAK,kBAAkB,EACvB,KAAK,YAAY,EACjB,KAAK,yBAAyB,EAC9B,KAAK,wBAAwB,EAC7B,KAAK,iBAAiB,EACtB,KAAK,0BAA0B,EAC/B,KAAK,sBAAsB,EAC3B,KAAK,wBAAwB,EAC7B,KAAK,YAAY,EACjB,KAAK,cAAc,EACnB,KAAK,kBAAkB,EACvB,KAAK,kBAAkB,EACvB,KAAK,aAAa,EAClB,KAAK,cAAc,EACnB,KAAK,SAAS,EACd,KAAK,YAAY,EACjB,KAAK,aAAa,EAClB,gBAAgB,EAChB,mBAAmB,EACnB,YAAY,EACZ,SAAS,EACV,MAAM,SAAS,CAAC;AAEjB,OAAO,EACL,cAAc,EACd,sBAAsB,EACtB,qBAAqB,EACrB,sBAAsB,EACtB,uBAAuB,EACvB,+BAA+B,EAChC,MAAM,YAAY,CAAC;AAEpB,OAAO,EACL,sBAAsB,EACtB,qBAAqB,EACrB,2BAA2B,EAC3B,0BAA0B,EAC1B,sBAAsB,EACtB,qBAAqB,EACrB,KAAK,yBAAyB,EAC9B,KAAK,8BAA8B,EACnC,KAAK,yBAAyB,EAC/B,MAAM,aAAa,CAAC;AAErB,OAAO,EACL,4BAA4B,EAC5B,2BAA2B,EAC3B,KAAK,+BAA+B,EACrC,MAAM,mBAAmB,CAAC;AAE3B,OAAO,EACL,YAAY,EACZ,gBAAgB,EAChB,qBAAqB,EACrB,kBAAkB,EAClB,gBAAgB,EAChB,sBAAsB,EACtB,gBAAgB,EAChB,YAAY,EACZ,SAAS,EACV,MAAM,cAAc,CAAC;AAEtB,OAAO,EAAE,qBAAqB,EAAE,MAAM,eAAe,CAAC;AAEtD,OAAO,EACL,eAAe,EACf,qBAAqB,EACrB,KAAK,sCAAsC,EAC3C,KAAK,6BAA6B,EAClC,KAAK,iBAAiB,EACvB,MAAM,gBAAgB,CAAC;AAExB,OAAO,EACL,sBAAsB,EACtB,sBAAsB,EACtB,KAAK,6BAA6B,EAClC,KAAK,6BAA6B,EAClC,KAAK,cAAc,EACpB,MAAM,kBAAkB,CAAC"}

package/lib/packlets/ai-assist/index.js

@@ -4,7 +4,7 @@
  * @packageDocumentation
  */
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.resolveEffectiveTools = exports.modelSpec = exports.modelSpecKey = exports.aiAssistSettings = exports.aiAssistProviderConfig = exports.aiToolEnablement = exports.aiServerToolConfig = exports.aiWebSearchToolConfig = exports.aiServerToolType = exports.aiProviderId = exports.callProxiedCompletionStream = exports.callProviderCompletionStream = exports.callProxiedListModels = exports.callProviderListModels = exports.callProxiedImageGeneration = exports.callProviderImageGeneration = exports.callProxiedCompletion = exports.callProviderCompletion = exports.DEFAULT_MODEL_CAPABILITY_CONFIG = exports.supportsImageGeneration = exports.resolveImageCapability = exports.getProviderDescriptor = exports.getProviderDescriptors = exports.allProviderIds = exports.toDataUrl = exports.resolveModel = exports.MODEL_SPEC_BASE_KEY = exports.allModelSpecKeys = exports.DEFAULT_AI_ASSIST = exports.AiPrompt = void 0;
+exports.SMART_JSON_PROMPT_HINT = exports.generateJsonCompletion = exports.fencedStringifiedJson = exports.extractJsonText = exports.resolveEffectiveTools = exports.modelSpec = exports.modelSpecKey = exports.aiAssistSettings = exports.aiAssistProviderConfig = exports.aiToolEnablement = exports.aiServerToolConfig = exports.aiWebSearchToolConfig = exports.aiServerToolType = exports.aiProviderId = exports.callProxiedCompletionStream = exports.callProviderCompletionStream = exports.callProxiedListModels = exports.callProviderListModels = exports.callProxiedImageGeneration = exports.callProviderImageGeneration = exports.callProxiedCompletion = exports.callProviderCompletion = exports.DEFAULT_MODEL_CAPABILITY_CONFIG = exports.supportsImageGeneration = exports.resolveImageCapability = exports.getProviderDescriptor = exports.getProviderDescriptors = exports.allProviderIds = exports.toDataUrl = exports.resolveModel = exports.MODEL_SPEC_BASE_KEY = exports.allModelSpecKeys = exports.DEFAULT_AI_ASSIST = exports.AiPrompt = void 0;
 var model_1 = require("./model");
 Object.defineProperty(exports, "AiPrompt", { enumerable: true, get: function () { return model_1.AiPrompt; } });
 Object.defineProperty(exports, "DEFAULT_AI_ASSIST", { enumerable: true, get: function () { return model_1.DEFAULT_AI_ASSIST; } });
@@ -41,4 +41,10 @@ Object.defineProperty(exports, "modelSpecKey", { enumerable: true, get: function
 Object.defineProperty(exports, "modelSpec", { enumerable: true, get: function () { return converters_1.modelSpec; } });
 var toolFormats_1 = require("./toolFormats");
 Object.defineProperty(exports, "resolveEffectiveTools", { enumerable: true, get: function () { return toolFormats_1.resolveEffectiveTools; } });
+var jsonResponse_1 = require("./jsonResponse");
+Object.defineProperty(exports, "extractJsonText", { enumerable: true, get: function () { return jsonResponse_1.extractJsonText; } });
+Object.defineProperty(exports, "fencedStringifiedJson", { enumerable: true, get: function () { return jsonResponse_1.fencedStringifiedJson; } });
+var jsonCompletion_1 = require("./jsonCompletion");
+Object.defineProperty(exports, "generateJsonCompletion", { enumerable: true, get: function () { return jsonCompletion_1.generateJsonCompletion; } });
+Object.defineProperty(exports, "SMART_JSON_PROMPT_HINT", { enumerable: true, get: function () { return jsonCompletion_1.SMART_JSON_PROMPT_HINT; } });
 //# sourceMappingURL=index.js.map

package/lib/packlets/ai-assist/index.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../src/packlets/ai-assist/index.ts"],"names":[],"mappings":";AAAA;;;GAGG;;;AAEH,iCAuCiB;AAtCf,iGAAA,QAAQ,OAAA;AAeR,0GAAA,iBAAiB,OAAA;AAmBjB,yGAAA,gBAAgB,OAAA;AAChB,4GAAA,mBAAmB,OAAA;AACnB,qGAAA,YAAY,OAAA;AACZ,kGAAA,SAAS,OAAA;AAGX,uCAOoB;AANlB,0GAAA,cAAc,OAAA;AACd,kHAAA,sBAAsB,OAAA;AACtB,iHAAA,qBAAqB,OAAA;AACrB,kHAAA,sBAAsB,OAAA;AACtB,mHAAA,uBAAuB,OAAA;AACvB,2HAAA,+BAA+B,OAAA;AAGjC,yCAUqB;AATnB,mHAAA,sBAAsB,OAAA;AACtB,kHAAA,qBAAqB,OAAA;AACrB,wHAAA,2BAA2B,OAAA;AAC3B,uHAAA,0BAA0B,OAAA;AAC1B,mHAAA,sBAAsB,OAAA;AACtB,kHAAA,qBAAqB,OAAA;AAMvB,qDAI2B;AAHzB,+HAAA,4BAA4B,OAAA;AAC5B,8HAAA,2BAA2B,OAAA;AAI7B,2CAUsB;AATpB,0GAAA,YAAY,OAAA;AACZ,8GAAA,gBAAgB,OAAA;AAChB,mHAAA,qBAAqB,OAAA;AACrB,gHAAA,kBAAkB,OAAA;AAClB,8GAAA,gBAAgB,OAAA;AAChB,oHAAA,sBAAsB,OAAA;AACtB,8GAAA,gBAAgB,OAAA;AAChB,0GAAA,YAAY,OAAA;AACZ,uGAAA,SAAS,OAAA;AAGX,6CAAsD;AAA7C,oHAAA,qBAAqB,OAAA","sourcesContent":["/**\n * AI assist packlet - provider registry, prompt class, settings, and API client.\n * @packageDocumentation\n */\n\nexport {\n  AiPrompt,\n  type AiModelCapability,\n  type AiProviderId,\n  type AiServerToolType,\n  type AiServerToolConfig,\n  type IAiWebSearchToolConfig,\n  type IAiToolEnablement,\n  type IAiCompletionResponse,\n  type IChatMessage,\n  type AiApiFormat,\n  type AiImageApiFormat,\n  type IAiImageModelCapability,\n  type IAiProviderDescriptor,\n  type IAiAssistProviderConfig,\n  type IAiAssistSettings,\n  DEFAULT_AI_ASSIST,\n  type IAiAssistKeyStore,\n  type IAiImageAttachment,\n  type IAiImageData,\n  type IAiImageGenerationOptions,\n  type IAiImageGenerationParams,\n  type IAiGeneratedImage,\n  type IAiImageGenerationResponse,\n  type IAiModelCapabilityRule,\n  type IAiModelCapabilityConfig,\n  type IAiModelInfo,\n  type IAiStreamEvent,\n  type IAiStreamTextDelta,\n  type IAiStreamToolEvent,\n  type IAiStreamDone,\n  type IAiStreamError,\n  type ModelSpec,\n  type ModelSpecKey,\n  type IModelSpecMap,\n  allModelSpecKeys,\n  MODEL_SPEC_BASE_KEY,\n  resolveModel,\n  toDataUrl\n} from './model';\n\nexport {\n  allProviderIds,\n  getProviderDescriptors,\n  getProviderDescriptor,\n  resolveImageCapability,\n  supportsImageGeneration,\n  DEFAULT_MODEL_CAPABILITY_CONFIG\n} from './registry';\n\nexport {\n  callProviderCompletion,\n  callProxiedCompletion,\n  callProviderImageGeneration,\n  callProxiedImageGeneration,\n  callProviderListModels,\n  callProxiedListModels,\n  type IProviderCompletionParams,\n  type IProviderImageGenerationParams,\n  type IProviderListModelsParams\n} from './apiClient';\n\nexport {\n  callProviderCompletionStream,\n  callProxiedCompletionStream,\n  type IProviderCompletionStreamParams\n} from './streamingClient';\n\nexport {\n  aiProviderId,\n  aiServerToolType,\n  aiWebSearchToolConfig,\n  aiServerToolConfig,\n  aiToolEnablement,\n  aiAssistProviderConfig,\n  aiAssistSettings,\n  modelSpecKey,\n  modelSpec\n} from './converters';\n\nexport { resolveEffectiveTools } from './toolFormats';\n"]}
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../src/packlets/ai-assist/index.ts"],"names":[],"mappings":";AAAA;;;GAGG;;;AAEH,iCAuCiB;AAtCf,iGAAA,QAAQ,OAAA;AAeR,0GAAA,iBAAiB,OAAA;AAmBjB,yGAAA,gBAAgB,OAAA;AAChB,4GAAA,mBAAmB,OAAA;AACnB,qGAAA,YAAY,OAAA;AACZ,kGAAA,SAAS,OAAA;AAGX,uCAOoB;AANlB,0GAAA,cAAc,OAAA;AACd,kHAAA,sBAAsB,OAAA;AACtB,iHAAA,qBAAqB,OAAA;AACrB,kHAAA,sBAAsB,OAAA;AACtB,mHAAA,uBAAuB,OAAA;AACvB,2HAAA,+BAA+B,OAAA;AAGjC,yCAUqB;AATnB,mHAAA,sBAAsB,OAAA;AACtB,kHAAA,qBAAqB,OAAA;AACrB,wHAAA,2BAA2B,OAAA;AAC3B,uHAAA,0BAA0B,OAAA;AAC1B,mHAAA,sBAAsB,OAAA;AACtB,kHAAA,qBAAqB,OAAA;AAMvB,qDAI2B;AAHzB,+HAAA,4BAA4B,OAAA;AAC5B,8HAAA,2BAA2B,OAAA;AAI7B,2CAUsB;AATpB,0GAAA,YAAY,OAAA;AACZ,8GAAA,gBAAgB,OAAA;AAChB,mHAAA,qBAAqB,OAAA;AACrB,gHAAA,kBAAkB,OAAA;AAClB,8GAAA,gBAAgB,OAAA;AAChB,oHAAA,sBAAsB,OAAA;AACtB,8GAAA,gBAAgB,OAAA;AAChB,0GAAA,YAAY,OAAA;AACZ,uGAAA,SAAS,OAAA;AAGX,6CAAsD;AAA7C,oHAAA,qBAAqB,OAAA;AAE9B,+CAMwB;AALtB,+GAAA,eAAe,OAAA;AACf,qHAAA,qBAAqB,OAAA;AAMvB,mDAM0B;AALxB,wHAAA,sBAAsB,OAAA;AACtB,wHAAA,sBAAsB,OAAA","sourcesContent":["/**\n * AI assist packlet - provider registry, prompt class, settings, and API client.\n * @packageDocumentation\n */\n\nexport {\n  AiPrompt,\n  type AiModelCapability,\n  type AiProviderId,\n  type AiServerToolType,\n  type AiServerToolConfig,\n  type IAiWebSearchToolConfig,\n  type IAiToolEnablement,\n  type IAiCompletionResponse,\n  type IChatMessage,\n  type AiApiFormat,\n  type AiImageApiFormat,\n  type IAiImageModelCapability,\n  type IAiProviderDescriptor,\n  type IAiAssistProviderConfig,\n  type IAiAssistSettings,\n  DEFAULT_AI_ASSIST,\n  type IAiAssistKeyStore,\n  type IAiImageAttachment,\n  type IAiImageData,\n  type IAiImageGenerationOptions,\n  type IAiImageGenerationParams,\n  type IAiGeneratedImage,\n  type IAiImageGenerationResponse,\n  type IAiModelCapabilityRule,\n  type IAiModelCapabilityConfig,\n  type IAiModelInfo,\n  type IAiStreamEvent,\n  type IAiStreamTextDelta,\n  type IAiStreamToolEvent,\n  type IAiStreamDone,\n  type IAiStreamError,\n  type ModelSpec,\n  type ModelSpecKey,\n  type IModelSpecMap,\n  allModelSpecKeys,\n  MODEL_SPEC_BASE_KEY,\n  resolveModel,\n  toDataUrl\n} from './model';\n\nexport {\n  allProviderIds,\n  getProviderDescriptors,\n  getProviderDescriptor,\n  resolveImageCapability,\n  supportsImageGeneration,\n  DEFAULT_MODEL_CAPABILITY_CONFIG\n} from './registry';\n\nexport {\n  callProviderCompletion,\n  callProxiedCompletion,\n  callProviderImageGeneration,\n  callProxiedImageGeneration,\n  callProviderListModels,\n  callProxiedListModels,\n  type IProviderCompletionParams,\n  type IProviderImageGenerationParams,\n  type IProviderListModelsParams\n} from './apiClient';\n\nexport {\n  callProviderCompletionStream,\n  callProxiedCompletionStream,\n  type IProviderCompletionStreamParams\n} from './streamingClient';\n\nexport {\n  aiProviderId,\n  aiServerToolType,\n  aiWebSearchToolConfig,\n  aiServerToolConfig,\n  aiToolEnablement,\n  aiAssistProviderConfig,\n  aiAssistSettings,\n  modelSpecKey,\n  modelSpec\n} from './converters';\n\nexport { resolveEffectiveTools } from './toolFormats';\n\nexport {\n  extractJsonText,\n  fencedStringifiedJson,\n  type IFencedStringifiedJsonExtractorOptions,\n  type IFencedStringifiedJsonOptions,\n  type JsonTextExtractor\n} from './jsonResponse';\n\nexport {\n  generateJsonCompletion,\n  SMART_JSON_PROMPT_HINT,\n  type IGenerateJsonCompletionParams,\n  type IGenerateJsonCompletionResult,\n  type JsonPromptHint\n} from './jsonCompletion';\n"]}

package/lib/packlets/ai-assist/jsonCompletion.d.ts

@@ -0,0 +1,93 @@
+/**
+ * `generateJsonCompletion<T>` — request a JSON-shaped completion from any
+ * provider supported by AiAssist and validate it against a caller-supplied
+ * `Converter<T>` or `Validator<T>`. Wraps fence/preamble tolerance + parsing +
+ * validation into a single call so consumers don't reinvent the pipeline.
+ *
+ * @packageDocumentation
+ */
+import { type Converter, Result, type Validator } from '@fgv/ts-utils';
+import { type IProviderCompletionParams } from './apiClient';
+import { type IAiCompletionResponse } from './model';
+/**
+ * Default system-prompt suffix appended when {@link AiAssist.IGenerateJsonCompletionParams.promptHint}
+ * is `'smart'` (the default). Designed to discourage code fences and prose in
+ * the model's response while still tolerating them via the read-side extractor.
+ * @public
+ */
+export declare const SMART_JSON_PROMPT_HINT: string;
+/**
+ * Controls the optional system-prompt augmentation applied by
+ * {@link AiAssist.generateJsonCompletion}.
+ *
+ * - `'smart'` (default): append {@link AiAssist.SMART_JSON_PROMPT_HINT}.
+ * - `'none'`: do not modify the prompt.
+ * - A string: append the supplied text verbatim.
+ *
+ * @remarks
+ * The `string & {}` branch is the standard TypeScript trick that prevents
+ * the literal members from being widened away — callers still get
+ * autocomplete for `'smart'` and `'none'` while accepting any string.
+ *
+ * @public
+ */
+export type JsonPromptHint = 'smart' | 'none' | (string & {});
+/**
+ * Parameters for {@link AiAssist.generateJsonCompletion}. Extends
+ * {@link AiAssist.IProviderCompletionParams} with JSON-validation knobs.
+ * @public
+ */
+export interface IGenerateJsonCompletionParams<T> extends IProviderCompletionParams {
+    /**
+     * Caller-supplied `Converter<T>` or `Validator<T>` applied to the parsed
+     * JSON value. Wrapped internally in {@link AiAssist.fencedStringifiedJson}
+     * unless {@link AiAssist.IGenerateJsonCompletionParams.jsonConverter} is
+     * provided.
+     */
+    readonly converter?: Converter<T> | Validator<T>;
+    /**
+     * Full string-to-`T` pipeline override. When supplied, takes precedence over
+     * {@link AiAssist.IGenerateJsonCompletionParams.converter} and lets the
+     * caller plug in a custom extractor or skip the default fence tolerance
+     * entirely.
+     */
+    readonly jsonConverter?: Converter<T>;
+    /**
+     * Controls the optional system-prompt augmentation. Defaults to `'smart'`.
+     * Pass `'none'` to disable, or a string to append custom guidance.
+     */
+    readonly promptHint?: JsonPromptHint;
+}
+/**
+ * Successful result of {@link AiAssist.generateJsonCompletion}.
+ * @public
+ */
+export interface IGenerateJsonCompletionResult<T> {
+    /** The validated JSON value. */
+    readonly value: T;
+    /** The raw response text returned by the provider. */
+    readonly raw: string;
+    /** The full underlying completion response. */
+    readonly response: IAiCompletionResponse;
+}
+/**
+ * Calls {@link AiAssist.callProviderCompletion}, then runs the response text
+ * through a tolerant JSON converter (default:
+ * {@link AiAssist.fencedStringifiedJson}) and the caller's
+ * `converter`/`validator`. Returns the validated value plus the raw text and
+ * underlying completion response for diagnostics.
+ *
+ * @remarks
+ * The default smart prompt hint asks the model to emit raw JSON. The read-side
+ * extractor still tolerates fences and prose, so models that ignore the hint
+ * are still handled.
+ *
+ * Either `converter` or `jsonConverter` must be provided; passing both lets
+ * `jsonConverter` win.
+ *
+ * @param params - Provider parameters plus JSON validation options.
+ * @returns The validated value, the raw text, and the underlying response.
+ * @public
+ */
+export declare function generateJsonCompletion<T>(params: IGenerateJsonCompletionParams<T>): Promise<Result<IGenerateJsonCompletionResult<T>>>;
+//# sourceMappingURL=jsonCompletion.d.ts.map

package/lib/packlets/ai-assist/jsonCompletion.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"jsonCompletion.d.ts","sourceRoot":"","sources":["../../../src/packlets/ai-assist/jsonCompletion.ts"],"names":[],"mappings":"AAoBA;;;;;;;GAOG;AAEH,OAAO,EAAE,KAAK,SAAS,EAAQ,MAAM,EAAW,KAAK,SAAS,EAAE,MAAM,eAAe,CAAC;AAEtF,OAAO,EAA0B,KAAK,yBAAyB,EAAE,MAAM,aAAa,CAAC;AAErF,OAAO,EAAY,KAAK,qBAAqB,EAAE,MAAM,SAAS,CAAC;AAE/D;;;;;GAKG;AACH,eAAO,MAAM,sBAAsB,EAAE,MAE2C,CAAC;AAEjF;;;;;;;;;;;;;;GAcG;AACH,MAAM,MAAM,cAAc,GAAG,OAAO,GAAG,MAAM,GAAG,CAAC,MAAM,GAAG,EAAE,CAAC,CAAC;AAE9D;;;;GAIG;AACH,MAAM,WAAW,6BAA6B,CAAC,CAAC,CAAE,SAAQ,yBAAyB;IACjF;;;;;OAKG;IACH,QAAQ,CAAC,SAAS,CAAC,EAAE,SAAS,CAAC,CAAC,CAAC,GAAG,SAAS,CAAC,CAAC,CAAC,CAAC;IAEjD;;;;;OAKG;IACH,QAAQ,CAAC,aAAa,CAAC,EAAE,SAAS,CAAC,CAAC,CAAC,CAAC;IAEtC;;;OAGG;IACH,QAAQ,CAAC,UAAU,CAAC,EAAE,cAAc,CAAC;CACtC;AAED;;;GAGG;AACH,MAAM,WAAW,6BAA6B,CAAC,CAAC;IAC9C,gCAAgC;IAChC,QAAQ,CAAC,KAAK,EAAE,CAAC,CAAC;IAClB,sDAAsD;IACtD,QAAQ,CAAC,GAAG,EAAE,MAAM,CAAC;IACrB,+CAA+C;IAC/C,QAAQ,CAAC,QAAQ,EAAE,qBAAqB,CAAC;CAC1C;AAWD;;;;;;;;;;;;;;;;;;GAkBG;AACH,wBAAsB,sBAAsB,CAAC,CAAC,EAC5C,MAAM,EAAE,6BAA6B,CAAC,CAAC,CAAC,GACvC,OAAO,CAAC,MAAM,CAAC,6BAA6B,CAAC,CAAC,CAAC,CAAC,CAAC,CAoBnD"}