@flarcos/kiota-authentication-gnap 0.1.0

package/dist/gnapAuthenticationProvider.js

@@ -0,0 +1,216 @@
+/**
+ * GNAP Authentication Provider for Kiota.
+ *
+ * Implements the Kiota AuthenticationProvider interface to authenticate
+ * requests using the GNAP protocol (RFC 9635) with HTTP Message Signatures
+ * (RFC 9421).
+ *
+ * This is the main entry point for the package. Usage:
+ *
+ * ```typescript
+ * import { GnapAuthenticationProvider } from "@flarcos/kiota-authentication-gnap";
+ *
+ * const authProvider = new GnapAuthenticationProvider({
+ *   authServerUrl: "https://auth.wallet.example/.well-known/...",
+ *   privateKey: fs.readFileSync("private-key.pem", "utf-8"),
+ *   clientIdentifier: "https://wallet.example/alice",
+ *   accessRights: [{ type: "outgoing-payment", actions: ["create", "read"] }],
+ * });
+ *
+ * const adapter = new FetchRequestAdapter(authProvider);
+ * const client = new OpenPaymentsClient(adapter);
+ * ```
+ */
+import { GnapAccessTokenProvider, } from "./gnapAccessTokenProvider.js";
+import { InMemoryGnapTokenStore } from "./gnapTokenStore.js";
+import { createHttpSignature } from "./httpMessageSigner.js";
+import { computeContentDigest } from "./contentDigest.js";
+import { loadPrivateKey, createGnapClientKey } from "./keyManagement.js";
+import { GnapInteractionRequiredError, GnapError, } from "./errors.js";
+export class GnapAuthenticationProvider {
+    authServerUrl;
+    clientIdentifier;
+    accessRights;
+    interact;
+    interactionHandler;
+    tokenStore;
+    allowedHosts;
+    tokenProvider;
+    // Initialized lazily on first use
+    keyPromise = null;
+    rawKey;
+    constructor(options) {
+        this.authServerUrl = options.authServerUrl;
+        this.clientIdentifier = options.clientIdentifier;
+        this.accessRights = options.accessRights;
+        this.interact = options.interact;
+        this.interactionHandler = options.interactionHandler;
+        this.tokenStore = options.tokenStore ?? new InMemoryGnapTokenStore();
+        this.allowedHosts = new Set(options.allowedHosts ?? []);
+        this.tokenProvider = new GnapAccessTokenProvider();
+        this.rawKey = options.privateKey;
+    }
+    /**
+     * Lazily initialize the key material.
+     */
+    async getKeyMaterial() {
+        if (!this.keyPromise) {
+            this.keyPromise = (async () => {
+                const privateKey = await loadPrivateKey(this.rawKey);
+                const { jwk, keyId } = await createGnapClientKey(privateKey);
+                return { privateKey, jwk, keyId };
+            })();
+        }
+        return this.keyPromise;
+    }
+    /**
+     * Authenticate a Kiota request by:
+     * 1. Obtaining/caching a GNAP access token
+     * 2. Setting the Authorization: GNAP header
+     * 3. Computing Content-Digest for request bodies
+     * 4. Signing the request with HTTP Message Signatures
+     */
+    authenticateRequest = async (request, additionalAuthenticationContext) => {
+        if (!request) {
+            throw new GnapError("Request information cannot be null");
+        }
+        // Check allowed hosts
+        if (this.allowedHosts.size > 0) {
+            const url = new URL(request.URL);
+            if (!this.allowedHosts.has(url.host)) {
+                return; // Skip auth for non-allowed hosts
+            }
+        }
+        const { privateKey, jwk, keyId } = await this.getKeyMaterial();
+        // Step 1: Get or obtain an access token
+        const token = await this.getAccessToken(privateKey, jwk, keyId);
+        // Step 2: Set Authorization header
+        request.headers.add("Authorization", `GNAP ${token.value}`);
+        // Step 3: Compute Content-Digest if body is present
+        const method = request.httpMethod?.toString() ?? "GET";
+        const bodyContent = request.content;
+        let hasBody = false;
+        if (bodyContent && bodyContent.byteLength > 0) {
+            hasBody = true;
+            const digest = computeContentDigest(new Uint8Array(bodyContent));
+            request.headers.add("Content-Digest", digest);
+        }
+        // Step 4: Sign the request
+        const headersMap = new Map();
+        // Extract existing headers from RequestInformation
+        const headersIterator = request.headers.entries();
+        let headerEntry = headersIterator.next();
+        while (!headerEntry.done) {
+            const [key, values] = headerEntry.value;
+            if (values.size > 0) {
+                // Use the first value
+                headersMap.set(key.toLowerCase(), values.values().next().value);
+            }
+            headerEntry = headersIterator.next();
+        }
+        const { signature, signatureInput } = await createHttpSignature({
+            privateKey,
+            keyId,
+            method,
+            targetUri: request.URL,
+            headers: headersMap,
+            hasBody,
+        });
+        request.headers.add("Signature", signature);
+        request.headers.add("Signature-Input", signatureInput);
+    };
+    /**
+     * Get an access token — either from cache or by negotiating a new grant.
+     */
+    async getAccessToken(privateKey, jwk, keyId) {
+        // Try cache first
+        const cached = await this.tokenStore.get(this.authServerUrl);
+        if (cached) {
+            return cached.token;
+        }
+        // Request new grant
+        try {
+            const token = await this.tokenProvider.requestGrant({
+                authServerUrl: this.authServerUrl,
+                clientIdentifier: this.clientIdentifier,
+                clientKeyJwk: jwk,
+                privateKey,
+                keyId,
+                accessRights: this.accessRights,
+                interact: this.interact,
+            });
+            // Cache the token
+            await this.tokenStore.set(this.authServerUrl, {
+                token,
+                acquiredAt: Date.now(),
+                authServerUrl: this.authServerUrl,
+            });
+            return token;
+        }
+        catch (error) {
+            if (error instanceof GnapInteractionRequiredError) {
+                return this.handleInteraction(error, privateKey, keyId);
+            }
+            throw error;
+        }
+    }
+    /**
+     * Handle interactive grants (redirect-based user consent).
+     */
+    async handleInteraction(error, privateKey, keyId) {
+        if (!this.interactionHandler) {
+            throw new GnapError("Grant requires user interaction but no InteractionHandler is configured. " +
+                `Redirect URL: ${error.redirectUrl}`);
+        }
+        // Delegate to the interaction handler
+        const result = await this.interactionHandler.handleRedirect(error.redirectUrl, error.finishNonce ?? "");
+        // Continue the grant with the interact_ref
+        const token = await this.tokenProvider.continueGrant(error.continueUri, error.continueAccessToken, result.interactRef, privateKey, keyId);
+        // Cache the token
+        await this.tokenStore.set(this.authServerUrl, {
+            token,
+            acquiredAt: Date.now(),
+            authServerUrl: this.authServerUrl,
+            continueUri: error.continueUri,
+            continueAccessToken: error.continueAccessToken,
+        });
+        return token;
+    }
+    /**
+     * Rotate the current access token.
+     */
+    async rotateToken() {
+        const { privateKey, keyId } = await this.getKeyMaterial();
+        const cached = await this.tokenStore.get(this.authServerUrl);
+        if (!cached) {
+            throw new GnapError("No cached token to rotate");
+        }
+        if (!cached.token.manage) {
+            throw new GnapError("Token does not have a management URL");
+        }
+        const newToken = await this.tokenProvider.rotateToken(cached.token.manage, cached.token.value, privateKey, keyId);
+        await this.tokenStore.set(this.authServerUrl, {
+            token: newToken,
+            acquiredAt: Date.now(),
+            authServerUrl: this.authServerUrl,
+            continueUri: cached.continueUri,
+            continueAccessToken: cached.continueAccessToken,
+        });
+        return newToken;
+    }
+    /**
+     * Revoke the current access token.
+     */
+    async revokeToken() {
+        const { privateKey, keyId } = await this.getKeyMaterial();
+        const cached = await this.tokenStore.get(this.authServerUrl);
+        if (!cached) {
+            return; // Nothing to revoke
+        }
+        if (cached.token.manage) {
+            await this.tokenProvider.revokeToken(cached.token.manage, cached.token.value, privateKey, keyId);
+        }
+        await this.tokenStore.delete(this.authServerUrl);
+    }
+}
+//# sourceMappingURL=gnapAuthenticationProvider.js.map

package/dist/gnapAuthenticationProvider.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"gnapAuthenticationProvider.js","sourceRoot":"","sources":["../src/gnapAuthenticationProvider.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;GAsBG;AAMH,OAAO,EACL,uBAAuB,GAExB,MAAM,8BAA8B,CAAC;AACtC,OAAO,EAAE,sBAAsB,EAAE,MAAM,qBAAqB,CAAC;AAC7D,OAAO,EAAE,mBAAmB,EAAE,MAAM,wBAAwB,CAAC;AAC7D,OAAO,EAAE,oBAAoB,EAAE,MAAM,oBAAoB,CAAC;AAC1D,OAAO,EAAE,cAAc,EAAE,mBAAmB,EAAE,MAAM,oBAAoB,CAAC;AACzE,OAAO,EACL,4BAA4B,EAC5B,SAAS,GACV,MAAM,aAAa,CAAC;AASrB,MAAM,OAAO,0BAA0B;IACpB,aAAa,CAAS;IACtB,gBAAgB,CAAS;IACzB,YAAY,CAAoD;IAChE,QAAQ,CAAgD;IACxD,kBAAkB,CAAsB;IACxC,UAAU,CAAiB;IAC3B,YAAY,CAAc;IAC1B,aAAa,CAA0B;IAExD,kCAAkC;IAC1B,UAAU,GAIN,IAAI,CAAC;IACA,MAAM,CAAqB;IAE5C,YAAY,OAA0C;QACpD,IAAI,CAAC,aAAa,GAAG,OAAO,CAAC,aAAa,CAAC;QAC3C,IAAI,CAAC,gBAAgB,GAAG,OAAO,CAAC,gBAAgB,CAAC;QACjD,IAAI,CAAC,YAAY,GAAG,OAAO,CAAC,YAAY,CAAC;QACzC,IAAI,CAAC,QAAQ,GAAG,OAAO,CAAC,QAAQ,CAAC;QACjC,IAAI,CAAC,kBAAkB,GAAG,OAAO,CAAC,kBAAkB,CAAC;QACrD,IAAI,CAAC,UAAU,GAAG,OAAO,CAAC,UAAU,IAAI,IAAI,sBAAsB,EAAE,CAAC;QACrE,IAAI,CAAC,YAAY,GAAG,IAAI,GAAG,CAAC,OAAO,CAAC,YAAY,IAAI,EAAE,CAAC,CAAC;QACxD,IAAI,CAAC,aAAa,GAAG,IAAI,uBAAuB,EAAE,CAAC;QACnD,IAAI,CAAC,MAAM,GAAG,OAAO,CAAC,UAAU,CAAC;IACnC,CAAC;IAED;;OAEG;IACK,KAAK,CAAC,cAAc;QAC1B,IAAI,CAAC,IAAI,CAAC,UAAU,EAAE,CAAC;YACrB,IAAI,CAAC,UAAU,GAAG,CAAC,KAAK,IAAI,EAAE;gBAC5B,MAAM,UAAU,GAAG,MAAM,cAAc,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;gBACrD,MAAM,EAAE,GAAG,EAAE,KAAK,EAAE,GAAG,MAAM,mBAAmB,CAAC,UAAU,CAAC,CAAC;gBAC7D,OAAO,EAAE,UAAU,EAAE,GAAG,EAAE,KAAK,EAAE,CAAC;YACpC,CAAC,CAAC,EAAE,CAAC;QACP,CAAC;QACD,OAAO,IAAI,CAAC,UAAU,CAAC;IACzB,CAAC;IAED;;;;;;OAMG;IACH,mBAAmB,GAAG,KAAK,EACzB,OAA2B,EAC3B,+BAAyD,EAC1C,EAAE;QACjB,IAAI,CAAC,OAAO,EAAE,CAAC;YACb,MAAM,IAAI,SAAS,CAAC,oCAAoC,CAAC,CAAC;QAC5D,CAAC;QAED,sBAAsB;QACtB,IAAI,IAAI,CAAC,YAAY,CAAC,IAAI,GAAG,CAAC,EAAE,CAAC;YAC/B,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;YACjC,IAAI,CAAC,IAAI,CAAC,YAAY,CAAC,GAAG,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE,CAAC;gBACrC,OAAO,CAAC,kCAAkC;YAC5C,CAAC;QACH,CAAC;QAED,MAAM,EAAE,UAAU,EAAE,GAAG,EAAE,KAAK,EAAE,GAAG,MAAM,IAAI,CAAC,cAAc,EAAE,CAAC;QAE/D,wCAAwC;QACxC,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,cAAc,CAAC,UAAU,EAAE,GAAG,EAAE,KAAK,CAAC,CAAC;QAEhE,mCAAmC;QACnC,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,eAAe,EAAE,QAAQ,KAAK,CAAC,KAAK,EAAE,CAAC,CAAC;QAE5D,oDAAoD;QACpD,MAAM,MAAM,GAAG,OAAO,CAAC,UAAU,EAAE,QAAQ,EAAE,IAAI,KAAK,CAAC;QACvD,MAAM,WAAW,GAAG,OAAO,CAAC,OAAO,CAAC;QACpC,IAAI,OAAO,GAAG,KAAK,CAAC;QAEpB,IAAI,WAAW,IAAI,WAAW,CAAC,UAAU,GAAG,CAAC,EAAE,CAAC;YAC9C,OAAO,GAAG,IAAI,CAAC;YACf,MAAM,MAAM,GAAG,oBAAoB,CAAC,IAAI,UAAU,CAAC,WAAW,CAAC,CAAC,CAAC;YACjE,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,gBAAgB,EAAE,MAAM,CAAC,CAAC;QAChD,CAAC;QAED,2BAA2B;QAC3B,MAAM,UAAU,GAAG,IAAI,GAAG,EAAkB,CAAC;QAE7C,mDAAmD;QACnD,MAAM,eAAe,GAAG,OAAO,CAAC,OAAO,CAAC,OAAO,EAAE,CAAC;QAClD,IAAI,WAAW,GAAG,eAAe,CAAC,IAAI,EAAE,CAAC;QACzC,OAAO,CAAC,WAAW,CAAC,IAAI,EAAE,CAAC;YACzB,MAAM,CAAC,GAAG,EAAE,MAAM,CAAC,GAAG,WAAW,CAAC,KAAK,CAAC;YACxC,IAAI,MAAM,CAAC,IAAI,GAAG,CAAC,EAAE,CAAC;gBACpB,sBAAsB;gBACtB,UAAU,CAAC,GAAG,CAAC,GAAG,CAAC,WAAW,EAAE,EAAE,MAAM,CAAC,MAAM,EAAE,CAAC,IAAI,EAAE,CAAC,KAAe,CAAC,CAAC;YAC5E,CAAC;YACD,WAAW,GAAG,eAAe,CAAC,IAAI,EAAE,CAAC;QACvC,CAAC;QAED,MAAM,EAAE,SAAS,EAAE,cAAc,EAAE,GAAG,MAAM,mBAAmB,CAAC;YAC9D,UAAU;YACV,KAAK;YACL,MAAM;YACN,SAAS,EAAE,OAAO,CAAC,GAAG;YACtB,OAAO,EAAE,UAAU;YACnB,OAAO;SACR,CAAC,CAAC;QAEH,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,WAAW,EAAE,SAAS,CAAC,CAAC;QAC5C,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,iBAAiB,EAAE,cAAc,CAAC,CAAC;IACzD,CAAC,CAAC;IAEF;;OAEG;IACK,KAAK,CAAC,cAAc,CAC1B,UAAqB,EACrB,GAAe,EACf,KAAa;QAEb,kBAAkB;QAClB,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC;QAC7D,IAAI,MAAM,EAAE,CAAC;YACX,OAAO,MAAM,CAAC,KAAK,CAAC;QACtB,CAAC;QAED,oBAAoB;QACpB,IAAI,CAAC;YACH,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,aAAa,CAAC,YAAY,CAAC;gBAClD,aAAa,EAAE,IAAI,CAAC,aAAa;gBACjC,gBAAgB,EAAE,IAAI,CAAC,gBAAgB;gBACvC,YAAY,EAAE,GAAG;gBACjB,UAAU;gBACV,KAAK;gBACL,YAAY,EAAE,IAAI,CAAC,YAAY;gBAC/B,QAAQ,EAAE,IAAI,CAAC,QAAQ;aACxB,CAAC,CAAC;YAEH,kBAAkB;YAClB,MAAM,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,IAAI,CAAC,aAAa,EAAE;gBAC5C,KAAK;gBACL,UAAU,EAAE,IAAI,CAAC,GAAG,EAAE;gBACtB,aAAa,EAAE,IAAI,CAAC,aAAa;aAClC,CAAC,CAAC;YAEH,OAAO,KAAK,CAAC;QACf,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,IAAI,KAAK,YAAY,4BAA4B,EAAE,CAAC;gBAClD,OAAO,IAAI,CAAC,iBAAiB,CAAC,KAAK,EAAE,UAAU,EAAE,KAAK,CAAC,CAAC;YAC1D,CAAC;YACD,MAAM,KAAK,CAAC;QACd,CAAC;IACH,CAAC;IAED;;OAEG;IACK,KAAK,CAAC,iBAAiB,CAC7B,KAAmC,EACnC,UAAqB,EACrB,KAAa;QAEb,IAAI,CAAC,IAAI,CAAC,kBAAkB,EAAE,CAAC;YAC7B,MAAM,IAAI,SAAS,CACjB,2EAA2E;gBACzE,iBAAiB,KAAK,CAAC,WAAW,EAAE,CACvC,CAAC;QACJ,CAAC;QAED,sCAAsC;QACtC,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,kBAAkB,CAAC,cAAc,CACzD,KAAK,CAAC,WAAW,EACjB,KAAK,CAAC,WAAW,IAAI,EAAE,CACxB,CAAC;QAEF,2CAA2C;QAC3C,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,aAAa,CAAC,aAAa,CAClD,KAAK,CAAC,WAAW,EACjB,KAAK,CAAC,mBAAmB,EACzB,MAAM,CAAC,WAAW,EAClB,UAAU,EACV,KAAK,CACN,CAAC;QAEF,kBAAkB;QAClB,MAAM,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,IAAI,CAAC,aAAa,EAAE;YAC5C,KAAK;YACL,UAAU,EAAE,IAAI,CAAC,GAAG,EAAE;YACtB,aAAa,EAAE,IAAI,CAAC,aAAa;YACjC,WAAW,EAAE,KAAK,CAAC,WAAW;YAC9B,mBAAmB,EAAE,KAAK,CAAC,mBAAmB;SAC/C,CAAC,CAAC;QAEH,OAAO,KAAK,CAAC;IACf,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,WAAW;QACf,MAAM,EAAE,UAAU,EAAE,KAAK,EAAE,GAAG,MAAM,IAAI,CAAC,cAAc,EAAE,CAAC;QAC1D,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC;QAE7D,IAAI,CAAC,MAAM,EAAE,CAAC;YACZ,MAAM,IAAI,SAAS,CAAC,2BAA2B,CAAC,CAAC;QACnD,CAAC;QAED,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,MAAM,EAAE,CAAC;YACzB,MAAM,IAAI,SAAS,CAAC,sCAAsC,CAAC,CAAC;QAC9D,CAAC;QAED,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,aAAa,CAAC,WAAW,CACnD,MAAM,CAAC,KAAK,CAAC,MAAM,EACnB,MAAM,CAAC,KAAK,CAAC,KAAK,EAClB,UAAU,EACV,KAAK,CACN,CAAC;QAEF,MAAM,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,IAAI,CAAC,aAAa,EAAE;YAC5C,KAAK,EAAE,QAAQ;YACf,UAAU,EAAE,IAAI,CAAC,GAAG,EAAE;YACtB,aAAa,EAAE,IAAI,CAAC,aAAa;YACjC,WAAW,EAAE,MAAM,CAAC,WAAW;YAC/B,mBAAmB,EAAE,MAAM,CAAC,mBAAmB;SAChD,CAAC,CAAC;QAEH,OAAO,QAAQ,CAAC;IAClB,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,WAAW;QACf,MAAM,EAAE,UAAU,EAAE,KAAK,EAAE,GAAG,MAAM,IAAI,CAAC,cAAc,EAAE,CAAC;QAC1D,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC;QAE7D,IAAI,CAAC,MAAM,EAAE,CAAC;YACZ,OAAO,CAAC,oBAAoB;QAC9B,CAAC;QAED,IAAI,MAAM,CAAC,KAAK,CAAC,MAAM,EAAE,CAAC;YACxB,MAAM,IAAI,CAAC,aAAa,CAAC,WAAW,CAClC,MAAM,CAAC,KAAK,CAAC,MAAM,EACnB,MAAM,CAAC,KAAK,CAAC,KAAK,EAClB,UAAU,EACV,KAAK,CACN,CAAC;QACJ,CAAC;QAED,MAAM,IAAI,CAAC,UAAU,CAAC,MAAM,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC;IACnD,CAAC;CACF"}

package/dist/gnapTokenStore.d.ts

@@ -0,0 +1,11 @@
+/**
+ * In-memory GNAP token store.
+ */
+import type { GnapTokenStore, StoredGnapToken } from "./types.js";
+export declare class InMemoryGnapTokenStore implements GnapTokenStore {
+    private store;
+    get(key: string): Promise<StoredGnapToken | undefined>;
+    set(key: string, token: StoredGnapToken): Promise<void>;
+    delete(key: string): Promise<void>;
+}
+//# sourceMappingURL=gnapTokenStore.d.ts.map

package/dist/gnapTokenStore.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"gnapTokenStore.d.ts","sourceRoot":"","sources":["../src/gnapTokenStore.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,KAAK,EAAE,cAAc,EAAE,eAAe,EAAE,MAAM,YAAY,CAAC;AAElE,qBAAa,sBAAuB,YAAW,cAAc;IAC3D,OAAO,CAAC,KAAK,CAAsC;IAE7C,GAAG,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,eAAe,GAAG,SAAS,CAAC;IAgBtD,GAAG,CAAC,GAAG,EAAE,MAAM,EAAE,KAAK,EAAE,eAAe,GAAG,OAAO,CAAC,IAAI,CAAC;IAIvD,MAAM,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;CAGzC"}

package/dist/gnapTokenStore.js

@@ -0,0 +1,27 @@
+/**
+ * In-memory GNAP token store.
+ */
+export class InMemoryGnapTokenStore {
+    store = new Map();
+    async get(key) {
+        const stored = this.store.get(key);
+        if (!stored)
+            return undefined;
+        // Check if token has expired
+        if (stored.token.expires_in) {
+            const elapsed = (Date.now() - stored.acquiredAt) / 1000;
+            if (elapsed >= stored.token.expires_in) {
+                this.store.delete(key);
+                return undefined;
+            }
+        }
+        return stored;
+    }
+    async set(key, token) {
+        this.store.set(key, token);
+    }
+    async delete(key) {
+        this.store.delete(key);
+    }
+}
+//# sourceMappingURL=gnapTokenStore.js.map

package/dist/gnapTokenStore.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"gnapTokenStore.js","sourceRoot":"","sources":["../src/gnapTokenStore.ts"],"names":[],"mappings":"AAAA;;GAEG;AAIH,MAAM,OAAO,sBAAsB;IACzB,KAAK,GAAG,IAAI,GAAG,EAA2B,CAAC;IAEnD,KAAK,CAAC,GAAG,CAAC,GAAW;QACnB,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;QACnC,IAAI,CAAC,MAAM;YAAE,OAAO,SAAS,CAAC;QAE9B,6BAA6B;QAC7B,IAAI,MAAM,CAAC,KAAK,CAAC,UAAU,EAAE,CAAC;YAC5B,MAAM,OAAO,GAAG,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,MAAM,CAAC,UAAU,CAAC,GAAG,IAAI,CAAC;YACxD,IAAI,OAAO,IAAI,MAAM,CAAC,KAAK,CAAC,UAAU,EAAE,CAAC;gBACvC,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;gBACvB,OAAO,SAAS,CAAC;YACnB,CAAC;QACH,CAAC;QAED,OAAO,MAAM,CAAC;IAChB,CAAC;IAED,KAAK,CAAC,GAAG,CAAC,GAAW,EAAE,KAAsB;QAC3C,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,GAAG,EAAE,KAAK,CAAC,CAAC;IAC7B,CAAC;IAED,KAAK,CAAC,MAAM,CAAC,GAAW;QACtB,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;IACzB,CAAC;CACF"}

package/dist/httpMessageSigner.d.ts

@@ -0,0 +1,41 @@
+/**
+ * RFC 9421 HTTP Message Signatures for GNAP.
+ * @see https://www.rfc-editor.org/rfc/rfc9421.html
+ * @see https://www.rfc-editor.org/rfc/rfc9635.html#section-7.3.1
+ *
+ * Uses the `http-message-signatures` package (same as the official
+ * @interledger/http-signature-utils) for signature base construction
+ * and Ed25519 signing.
+ *
+ * Open Payments requires Ed25519-based signatures covering:
+ * - @method, @target-uri (always)
+ * - authorization (when token attached)
+ * - content-digest, content-length, content-type (when body present)
+ */
+import { type KeyObject } from "node:crypto";
+export interface SignatureParams {
+    /** The signing key */
+    privateKey: KeyObject;
+    /** The key ID (from wallet JWKS) */
+    keyId: string;
+    /** HTTP method (GET, POST, etc.) */
+    method: string;
+    /** Full target URI */
+    targetUri: string;
+    /** Request headers (key-value pairs) */
+    headers: Map<string, string>;
+    /** Whether the request has a body */
+    hasBody: boolean;
+}
+/**
+ * Signs an HTTP request per RFC 9421 and returns the Signature and
+ * Signature-Input header values.
+ *
+ * Uses the same signing library as the official @interledger/http-signature-utils
+ * to ensure full compatibility with the Open Payments authorization server.
+ */
+export declare function createHttpSignature(params: SignatureParams): Promise<{
+    signature: string;
+    signatureInput: string;
+}>;
+//# sourceMappingURL=httpMessageSigner.d.ts.map

package/dist/httpMessageSigner.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"httpMessageSigner.d.ts","sourceRoot":"","sources":["../src/httpMessageSigner.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AAEH,OAAO,EAAE,KAAK,SAAS,EAAE,MAAM,aAAa,CAAC;AAI7C,MAAM,WAAW,eAAe;IAC9B,sBAAsB;IACtB,UAAU,EAAE,SAAS,CAAC;IACtB,oCAAoC;IACpC,KAAK,EAAE,MAAM,CAAC;IACd,oCAAoC;IACpC,MAAM,EAAE,MAAM,CAAC;IACf,sBAAsB;IACtB,SAAS,EAAE,MAAM,CAAC;IAClB,wCAAwC;IACxC,OAAO,EAAE,GAAG,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAC7B,qCAAqC;IACrC,OAAO,EAAE,OAAO,CAAC;CAClB;AAED;;;;;;GAMG;AACH,wBAAsB,mBAAmB,CAAC,MAAM,EAAE,eAAe,GAAG,OAAO,CAAC;IAC1E,SAAS,EAAE,MAAM,CAAC;IAClB,cAAc,EAAE,MAAM,CAAC;CACxB,CAAC,CA4DD"}

package/dist/httpMessageSigner.js

@@ -0,0 +1,74 @@
+/**
+ * RFC 9421 HTTP Message Signatures for GNAP.
+ * @see https://www.rfc-editor.org/rfc/rfc9421.html
+ * @see https://www.rfc-editor.org/rfc/rfc9635.html#section-7.3.1
+ *
+ * Uses the `http-message-signatures` package (same as the official
+ * @interledger/http-signature-utils) for signature base construction
+ * and Ed25519 signing.
+ *
+ * Open Payments requires Ed25519-based signatures covering:
+ * - @method, @target-uri (always)
+ * - authorization (when token attached)
+ * - content-digest, content-length, content-type (when body present)
+ */
+import { createSigner, httpbis } from "http-message-signatures";
+import { GnapSignatureError } from "./errors.js";
+/**
+ * Signs an HTTP request per RFC 9421 and returns the Signature and
+ * Signature-Input header values.
+ *
+ * Uses the same signing library as the official @interledger/http-signature-utils
+ * to ensure full compatibility with the Open Payments authorization server.
+ */
+export async function createHttpSignature(params) {
+    const { privateKey, keyId, method, targetUri, headers, hasBody } = params;
+    // Build the list of covered components — order matters
+    // Matches @interledger/http-signature-utils exactly
+    const components = ["@method", "@target-uri"];
+    // Always include authorization if present
+    if (headers.has("authorization")) {
+        components.push("authorization");
+    }
+    // Include body-related components when a body is present
+    // Order: content-digest, content-length, content-type
+    if (hasBody) {
+        if (headers.has("content-digest")) {
+            components.push("content-digest");
+        }
+        if (headers.has("content-length")) {
+            components.push("content-length");
+        }
+        if (headers.has("content-type")) {
+            components.push("content-type");
+        }
+    }
+    try {
+        // Create the signer using the same API as the official OP implementation
+        const signingKey = createSigner(privateKey, "ed25519", keyId);
+        // Convert our Map to a plain object for the http-message-signatures lib
+        const headersObj = {};
+        for (const [key, value] of headers) {
+            headersObj[key] = value;
+        }
+        // Sign using httpbis (RFC 9421) mode
+        const { headers: signedHeaders } = await httpbis.signMessage({
+            key: signingKey,
+            name: "sig1",
+            params: ["keyid", "created"],
+            fields: components,
+        }, {
+            method,
+            url: targetUri,
+            headers: headersObj,
+        });
+        return {
+            signature: signedHeaders["Signature"],
+            signatureInput: signedHeaders["Signature-Input"],
+        };
+    }
+    catch (error) {
+        throw new GnapSignatureError(`Failed to sign request: ${error instanceof Error ? error.message : String(error)}`);
+    }
+}
+//# sourceMappingURL=httpMessageSigner.js.map

package/dist/httpMessageSigner.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"httpMessageSigner.js","sourceRoot":"","sources":["../src/httpMessageSigner.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AAGH,OAAO,EAAE,YAAY,EAAE,OAAO,EAAE,MAAM,yBAAyB,CAAC;AAChE,OAAO,EAAE,kBAAkB,EAAE,MAAM,aAAa,CAAC;AAiBjD;;;;;;GAMG;AACH,MAAM,CAAC,KAAK,UAAU,mBAAmB,CAAC,MAAuB;IAI/D,MAAM,EAAE,UAAU,EAAE,KAAK,EAAE,MAAM,EAAE,SAAS,EAAE,OAAO,EAAE,OAAO,EAAE,GAAG,MAAM,CAAC;IAE1E,uDAAuD;IACvD,oDAAoD;IACpD,MAAM,UAAU,GAAa,CAAC,SAAS,EAAE,aAAa,CAAC,CAAC;IAExD,0CAA0C;IAC1C,IAAI,OAAO,CAAC,GAAG,CAAC,eAAe,CAAC,EAAE,CAAC;QACjC,UAAU,CAAC,IAAI,CAAC,eAAe,CAAC,CAAC;IACnC,CAAC;IAED,yDAAyD;IACzD,sDAAsD;IACtD,IAAI,OAAO,EAAE,CAAC;QACZ,IAAI,OAAO,CAAC,GAAG,CAAC,gBAAgB,CAAC,EAAE,CAAC;YAClC,UAAU,CAAC,IAAI,CAAC,gBAAgB,CAAC,CAAC;QACpC,CAAC;QACD,IAAI,OAAO,CAAC,GAAG,CAAC,gBAAgB,CAAC,EAAE,CAAC;YAClC,UAAU,CAAC,IAAI,CAAC,gBAAgB,CAAC,CAAC;QACpC,CAAC;QACD,IAAI,OAAO,CAAC,GAAG,CAAC,cAAc,CAAC,EAAE,CAAC;YAChC,UAAU,CAAC,IAAI,CAAC,cAAc,CAAC,CAAC;QAClC,CAAC;IACH,CAAC;IAED,IAAI,CAAC;QACH,yEAAyE;QACzE,MAAM,UAAU,GAAG,YAAY,CAAC,UAAU,EAAE,SAAS,EAAE,KAAK,CAAC,CAAC;QAE9D,wEAAwE;QACxE,MAAM,UAAU,GAA2B,EAAE,CAAC;QAC9C,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,OAAO,EAAE,CAAC;YACnC,UAAU,CAAC,GAAG,CAAC,GAAG,KAAK,CAAC;QAC1B,CAAC;QAED,qCAAqC;QACrC,MAAM,EAAE,OAAO,EAAE,aAAa,EAAE,GAAG,MAAM,OAAO,CAAC,WAAW,CAC1D;YACE,GAAG,EAAE,UAAU;YACf,IAAI,EAAE,MAAM;YACZ,MAAM,EAAE,CAAC,OAAO,EAAE,SAAS,CAAC;YAC5B,MAAM,EAAE,UAAU;SACnB,EACD;YACE,MAAM;YACN,GAAG,EAAE,SAAS;YACd,OAAO,EAAE,UAAU;SACpB,CACF,CAAC;QAEF,OAAO;YACL,SAAS,EAAE,aAAa,CAAC,WAAW,CAAW;YAC/C,cAAc,EAAE,aAAa,CAAC,iBAAiB,CAAW;SAC3D,CAAC;IACJ,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,MAAM,IAAI,kBAAkB,CAC1B,2BAA2B,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,EAAE,CACpF,CAAC;IACJ,CAAC;AACH,CAAC"}

package/dist/index.d.ts

@@ -0,0 +1,20 @@
+/**
+ * @flarcos/kiota-authentication-gnap
+ *
+ * GNAP (RFC 9635) Authentication Provider for Microsoft Kiota.
+ * Enables Kiota-generated API clients to authenticate using the
+ * Grant Negotiation and Authorization Protocol with HTTP Message
+ * Signatures (RFC 9421).
+ *
+ * @packageDocumentation
+ */
+export { GnapAuthenticationProvider } from "./gnapAuthenticationProvider.js";
+export { GnapAccessTokenProvider } from "./gnapAccessTokenProvider.js";
+export { InMemoryGnapTokenStore } from "./gnapTokenStore.js";
+export { createHttpSignature } from "./httpMessageSigner.js";
+export type { SignatureParams } from "./httpMessageSigner.js";
+export { computeContentDigest, computeContentDigestFromString, } from "./contentDigest.js";
+export { loadPrivateKey, derivePublicKey, exportPublicKeyJwk, computeJwkThumbprint, createGnapClientKey, } from "./keyManagement.js";
+export { GnapError, GnapGrantError, GnapInteractionRequiredError, GnapTokenExpiredError, GnapSignatureError, } from "./errors.js";
+export type { GnapClientKey, GnapClientInstance, GnapAccessRight, GnapGrantRequest, GnapAccessToken, GnapGrantResponse, StoredGnapToken, InteractionResult, GnapAuthenticationProviderOptions, InteractionHandler, GnapTokenStore, } from "./types.js";
+//# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAGH,OAAO,EAAE,0BAA0B,EAAE,MAAM,iCAAiC,CAAC;AAG7E,OAAO,EAAE,uBAAuB,EAAE,MAAM,8BAA8B,CAAC;AAGvE,OAAO,EAAE,sBAAsB,EAAE,MAAM,qBAAqB,CAAC;AAG7D,OAAO,EAAE,mBAAmB,EAAE,MAAM,wBAAwB,CAAC;AAC7D,YAAY,EAAE,eAAe,EAAE,MAAM,wBAAwB,CAAC;AAG9D,OAAO,EACL,oBAAoB,EACpB,8BAA8B,GAC/B,MAAM,oBAAoB,CAAC;AAG5B,OAAO,EACL,cAAc,EACd,eAAe,EACf,kBAAkB,EAClB,oBAAoB,EACpB,mBAAmB,GACpB,MAAM,oBAAoB,CAAC;AAG5B,OAAO,EACL,SAAS,EACT,cAAc,EACd,4BAA4B,EAC5B,qBAAqB,EACrB,kBAAkB,GACnB,MAAM,aAAa,CAAC;AAGrB,YAAY,EACV,aAAa,EACb,kBAAkB,EAClB,eAAe,EACf,gBAAgB,EAChB,eAAe,EACf,iBAAiB,EACjB,eAAe,EACf,iBAAiB,EACjB,iCAAiC,EACjC,kBAAkB,EAClB,cAAc,GACf,MAAM,YAAY,CAAC"}

package/dist/index.js

@@ -0,0 +1,25 @@
+/**
+ * @flarcos/kiota-authentication-gnap
+ *
+ * GNAP (RFC 9635) Authentication Provider for Microsoft Kiota.
+ * Enables Kiota-generated API clients to authenticate using the
+ * Grant Negotiation and Authorization Protocol with HTTP Message
+ * Signatures (RFC 9421).
+ *
+ * @packageDocumentation
+ */
+// Main provider
+export { GnapAuthenticationProvider } from "./gnapAuthenticationProvider.js";
+// Access token lifecycle
+export { GnapAccessTokenProvider } from "./gnapAccessTokenProvider.js";
+// Token storage
+export { InMemoryGnapTokenStore } from "./gnapTokenStore.js";
+// HTTP Message Signatures (RFC 9421)
+export { createHttpSignature } from "./httpMessageSigner.js";
+// Content-Digest (RFC 9530)
+export { computeContentDigest, computeContentDigestFromString, } from "./contentDigest.js";
+// Key management
+export { loadPrivateKey, derivePublicKey, exportPublicKeyJwk, computeJwkThumbprint, createGnapClientKey, } from "./keyManagement.js";
+// Errors
+export { GnapError, GnapGrantError, GnapInteractionRequiredError, GnapTokenExpiredError, GnapSignatureError, } from "./errors.js";
+//# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAEH,gBAAgB;AAChB,OAAO,EAAE,0BAA0B,EAAE,MAAM,iCAAiC,CAAC;AAE7E,yBAAyB;AACzB,OAAO,EAAE,uBAAuB,EAAE,MAAM,8BAA8B,CAAC;AAEvE,gBAAgB;AAChB,OAAO,EAAE,sBAAsB,EAAE,MAAM,qBAAqB,CAAC;AAE7D,qCAAqC;AACrC,OAAO,EAAE,mBAAmB,EAAE,MAAM,wBAAwB,CAAC;AAG7D,4BAA4B;AAC5B,OAAO,EACL,oBAAoB,EACpB,8BAA8B,GAC/B,MAAM,oBAAoB,CAAC;AAE5B,iBAAiB;AACjB,OAAO,EACL,cAAc,EACd,eAAe,EACf,kBAAkB,EAClB,oBAAoB,EACpB,mBAAmB,GACpB,MAAM,oBAAoB,CAAC;AAE5B,SAAS;AACT,OAAO,EACL,SAAS,EACT,cAAc,EACd,4BAA4B,EAC5B,qBAAqB,EACrB,kBAAkB,GACnB,MAAM,aAAa,CAAC"}

package/dist/keyManagement.d.ts

@@ -0,0 +1,36 @@
+/**
+ * Ed25519 key management utilities.
+ * Handles key loading, JWK conversion, and JWK thumbprint computation.
+ */
+import { type KeyObject } from "node:crypto";
+/**
+ * Load an Ed25519 private key from PEM string or CryptoKey.
+ */
+export declare function loadPrivateKey(key: CryptoKey | string): Promise<KeyObject>;
+/**
+ * Derive the public key from a private key.
+ */
+export declare function derivePublicKey(privateKey: KeyObject): KeyObject;
+/**
+ * Export a KeyObject to JWK format.
+ */
+export declare function exportPublicKeyJwk(privateKey: KeyObject): Promise<JsonWebKey>;
+/**
+ * Compute the JWK Thumbprint (RFC 7638) for an Ed25519 public key.
+ * Used as the `keyid` in HTTP Message Signatures.
+ *
+ * For OKP (Ed25519) keys, the thumbprint input is:
+ *   {"crv":"Ed25519","kty":"OKP","x":"<base64url>"}
+ *
+ * @see https://www.rfc-editor.org/rfc/rfc7638.html
+ */
+export declare function computeJwkThumbprint(jwk: JsonWebKey): string;
+/**
+ * Create a complete GnapClientKey from a KeyObject.
+ */
+export declare function createGnapClientKey(privateKey: KeyObject): Promise<{
+    jwk: JsonWebKey;
+    keyId: string;
+    privateKey: KeyObject;
+}>;
+//# sourceMappingURL=keyManagement.d.ts.map

package/dist/keyManagement.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"keyManagement.d.ts","sourceRoot":"","sources":["../src/keyManagement.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,EAAqC,KAAK,SAAS,EAAE,MAAM,aAAa,CAAC;AAIhF;;GAEG;AACH,wBAAsB,cAAc,CAClC,GAAG,EAAE,SAAS,GAAG,MAAM,GACtB,OAAO,CAAC,SAAS,CAAC,CAapB;AAED;;GAEG;AACH,wBAAgB,eAAe,CAAC,UAAU,EAAE,SAAS,GAAG,SAAS,CAEhE;AAED;;GAEG;AACH,wBAAsB,kBAAkB,CACtC,UAAU,EAAE,SAAS,GACpB,OAAO,CAAC,UAAU,CAAC,CAIrB;AAED;;;;;;;;GAQG;AACH,wBAAgB,oBAAoB,CAAC,GAAG,EAAE,UAAU,GAAG,MAAM,CAmB5D;AAED;;GAEG;AACH,wBAAsB,mBAAmB,CAAC,UAAU,EAAE,SAAS;;;;GAS9D"}

package/dist/keyManagement.js

@@ -0,0 +1,75 @@
+/**
+ * Ed25519 key management utilities.
+ * Handles key loading, JWK conversion, and JWK thumbprint computation.
+ */
+import { createPrivateKey, createPublicKey } from "node:crypto";
+import { createHash } from "node:crypto";
+/**
+ * Load an Ed25519 private key from PEM string or CryptoKey.
+ */
+export async function loadPrivateKey(key) {
+    if (typeof key === "string") {
+        // PEM format
+        return createPrivateKey({
+            key,
+            format: "pem",
+            type: "pkcs8",
+        });
+    }
+    // Already a CryptoKey — this shouldn't happen in Node, but handle gracefully
+    throw new Error("CryptoKey is not supported in Node.js. Please provide a PEM string.");
+}
+/**
+ * Derive the public key from a private key.
+ */
+export function derivePublicKey(privateKey) {
+    return createPublicKey(privateKey);
+}
+/**
+ * Export a KeyObject to JWK format.
+ */
+export async function exportPublicKeyJwk(privateKey) {
+    const publicKey = derivePublicKey(privateKey);
+    const jwk = publicKey.export({ format: "jwk" });
+    return jwk;
+}
+/**
+ * Compute the JWK Thumbprint (RFC 7638) for an Ed25519 public key.
+ * Used as the `keyid` in HTTP Message Signatures.
+ *
+ * For OKP (Ed25519) keys, the thumbprint input is:
+ *   {"crv":"Ed25519","kty":"OKP","x":"<base64url>"}
+ *
+ * @see https://www.rfc-editor.org/rfc/rfc7638.html
+ */
+export function computeJwkThumbprint(jwk) {
+    // Per RFC 7638 §3.2: lexicographic ordering of required members
+    // For OKP: crv, kty, x
+    const thumbprintInput = JSON.stringify({
+        crv: jwk.crv,
+        kty: jwk.kty,
+        x: jwk.x,
+    });
+    const hash = createHash("sha-256")
+        .update(thumbprintInput, "utf-8")
+        .digest();
+    // Base64url encode
+    return hash
+        .toString("base64")
+        .replace(/\+/g, "-")
+        .replace(/\//g, "_")
+        .replace(/=+$/, "");
+}
+/**
+ * Create a complete GnapClientKey from a KeyObject.
+ */
+export async function createGnapClientKey(privateKey) {
+    const jwk = await exportPublicKeyJwk(privateKey);
+    const keyId = computeJwkThumbprint(jwk);
+    return {
+        jwk,
+        keyId,
+        privateKey,
+    };
+}
+//# sourceMappingURL=keyManagement.js.map

package/dist/keyManagement.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"keyManagement.js","sourceRoot":"","sources":["../src/keyManagement.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,EAAE,gBAAgB,EAAE,eAAe,EAAkB,MAAM,aAAa,CAAC;AAChF,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AAGzC;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,cAAc,CAClC,GAAuB;IAEvB,IAAI,OAAO,GAAG,KAAK,QAAQ,EAAE,CAAC;QAC5B,aAAa;QACb,OAAO,gBAAgB,CAAC;YACtB,GAAG;YACH,MAAM,EAAE,KAAK;YACb,IAAI,EAAE,OAAO;SACd,CAAC,CAAC;IACL,CAAC;IACD,6EAA6E;IAC7E,MAAM,IAAI,KAAK,CACb,qEAAqE,CACtE,CAAC;AACJ,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,eAAe,CAAC,UAAqB;IACnD,OAAO,eAAe,CAAC,UAAU,CAAC,CAAC;AACrC,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,kBAAkB,CACtC,UAAqB;IAErB,MAAM,SAAS,GAAG,eAAe,CAAC,UAAU,CAAC,CAAC;IAC9C,MAAM,GAAG,GAAG,SAAS,CAAC,MAAM,CAAC,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC,CAAC;IAChD,OAAO,GAAiB,CAAC;AAC3B,CAAC;AAED;;;;;;;;GAQG;AACH,MAAM,UAAU,oBAAoB,CAAC,GAAe;IAClD,gEAAgE;IAChE,uBAAuB;IACvB,MAAM,eAAe,GAAG,IAAI,CAAC,SAAS,CAAC;QACrC,GAAG,EAAE,GAAG,CAAC,GAAG;QACZ,GAAG,EAAE,GAAG,CAAC,GAAG;QACZ,CAAC,EAAG,GAA+B,CAAC,CAAC;KACtC,CAAC,CAAC;IAEH,MAAM,IAAI,GAAG,UAAU,CAAC,SAAS,CAAC;SAC/B,MAAM,CAAC,eAAe,EAAE,OAAO,CAAC;SAChC,MAAM,EAAE,CAAC;IAEZ,mBAAmB;IACnB,OAAO,IAAI;SACR,QAAQ,CAAC,QAAQ,CAAC;SAClB,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC;SACnB,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC;SACnB,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;AACxB,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,mBAAmB,CAAC,UAAqB;IAC7D,MAAM,GAAG,GAAG,MAAM,kBAAkB,CAAC,UAAU,CAAC,CAAC;IACjD,MAAM,KAAK,GAAG,oBAAoB,CAAC,GAAG,CAAC,CAAC;IAExC,OAAO;QACL,GAAG;QACH,KAAK;QACL,UAAU;KACX,CAAC;AACJ,CAAC"}