@framers/agentos 0.1.6 → 0.1.8

package/dist/core/provenance/config/PolicyProfiles.js

@@ -0,0 +1,144 @@
+/**
+ * @file PolicyProfiles.ts
+ * @description Preset policy profiles for common provenance configurations.
+ * Provides mutableDev(), revisionedVerified(), and sealedAutonomous() presets.
+ *
+ * @module AgentOS/Provenance/Config
+ */
+/**
+ * Policy profiles for quick configuration.
+ *
+ * @example
+ * ```typescript
+ * import { profiles } from '@framers/agentos/provenance';
+ *
+ * // For development:
+ * const config = profiles.mutableDev();
+ *
+ * // For production with audit trail:
+ * const config = profiles.revisionedVerified();
+ *
+ * // For autonomous agents:
+ * const config = profiles.sealedAutonomous();
+ * ```
+ */
+export const profiles = {
+    /**
+     * Mutable (development) mode.
+     * No enforcement, no signing, no restrictions.
+     * Standard app semantics with optional ledger.
+     */
+    mutableDev() {
+        return {
+            storagePolicy: {
+                mode: 'mutable',
+            },
+            provenance: {
+                enabled: false,
+                signatureMode: 'anchor-only',
+                hashAlgorithm: 'sha256',
+                keySource: { type: 'generate' },
+            },
+            autonomy: {
+                allowHumanPrompting: true,
+                allowConfigEdits: true,
+                allowToolChanges: true,
+            },
+            anchorIntervalMs: 0,
+            anchorBatchSize: 0,
+        };
+    },
+    /**
+     * Revisioned (verifiable) mode.
+     * Edits become revisions. Deletes become tombstones.
+     * Full signed event ledger with periodic anchoring.
+     * Humans can still interact, but all changes are tracked.
+     */
+    revisionedVerified() {
+        return {
+            storagePolicy: {
+                mode: 'revisioned',
+            },
+            provenance: {
+                enabled: true,
+                signatureMode: 'every-event',
+                hashAlgorithm: 'sha256',
+                keySource: { type: 'generate' },
+            },
+            autonomy: {
+                allowHumanPrompting: true,
+                allowConfigEdits: true,
+                allowToolChanges: true,
+            },
+            anchorIntervalMs: 300000, // 5 minutes
+            anchorBatchSize: 100,
+        };
+    },
+    /**
+     * Sealed (autonomous) mode.
+     * Append-only storage. No human prompting after genesis.
+     * Signed event ledger with frequent anchoring.
+     * Required for "Verified Autonomous" badge.
+     */
+    sealedAutonomous() {
+        return {
+            storagePolicy: {
+                mode: 'sealed',
+                protectedTables: [
+                    'conversations',
+                    'conversation_messages',
+                    'messages',
+                ],
+            },
+            provenance: {
+                enabled: true,
+                signatureMode: 'every-event',
+                hashAlgorithm: 'sha256',
+                keySource: { type: 'generate' },
+            },
+            autonomy: {
+                allowHumanPrompting: false,
+                allowConfigEdits: false,
+                allowToolChanges: false,
+                allowedHumanActions: ['pause', 'stop', 'approve_gated_action'],
+            },
+            anchorIntervalMs: 60000, // 1 minute
+            anchorBatchSize: 50,
+        };
+    },
+    /**
+     * Sealed mode with Rekor transparency log anchoring.
+     * Suitable for publicly auditable autonomous agents.
+     *
+     * Requires `@framers/agentos-ext-anchor-providers` extension
+     * with `registerExtensionProviders()` called at startup.
+     */
+    sealedAuditable(rekorEndpoint) {
+        return profiles.custom(profiles.sealedAutonomous(), {
+            provenance: {
+                enabled: true,
+                signatureMode: 'every-event',
+                hashAlgorithm: 'sha256',
+                keySource: { type: 'generate' },
+                anchorTarget: {
+                    type: 'rekor',
+                    endpoint: rekorEndpoint ?? 'https://rekor.sigstore.dev',
+                    options: { serverUrl: rekorEndpoint ?? 'https://rekor.sigstore.dev' },
+                },
+            },
+        });
+    },
+    /**
+     * Create a custom profile by merging overrides onto a base.
+     */
+    custom(base, overrides) {
+        return {
+            ...base,
+            ...overrides,
+            storagePolicy: { ...base.storagePolicy, ...overrides.storagePolicy },
+            provenance: { ...base.provenance, ...overrides.provenance },
+            autonomy: { ...base.autonomy, ...overrides.autonomy },
+        };
+    },
+};
+//# sourceMappingURL=PolicyProfiles.js.map

package/dist/core/provenance/config/PolicyProfiles.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"PolicyProfiles.js","sourceRoot":"","sources":["../../../../src/core/provenance/config/PolicyProfiles.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAIH;;;;;;;;;;;;;;;;GAgBG;AACH,MAAM,CAAC,MAAM,QAAQ,GAAG;IACtB;;;;OAIG;IACH,UAAU;QACR,OAAO;YACL,aAAa,EAAE;gBACb,IAAI,EAAE,SAAS;aAChB;YACD,UAAU,EAAE;gBACV,OAAO,EAAE,KAAK;gBACd,aAAa,EAAE,aAAa;gBAC5B,aAAa,EAAE,QAAQ;gBACvB,SAAS,EAAE,EAAE,IAAI,EAAE,UAAU,EAAE;aAChC;YACD,QAAQ,EAAE;gBACR,mBAAmB,EAAE,IAAI;gBACzB,gBAAgB,EAAE,IAAI;gBACtB,gBAAgB,EAAE,IAAI;aACvB;YACD,gBAAgB,EAAE,CAAC;YACnB,eAAe,EAAE,CAAC;SACnB,CAAC;IACJ,CAAC;IAED;;;;;OAKG;IACH,kBAAkB;QAChB,OAAO;YACL,aAAa,EAAE;gBACb,IAAI,EAAE,YAAY;aACnB;YACD,UAAU,EAAE;gBACV,OAAO,EAAE,IAAI;gBACb,aAAa,EAAE,aAAa;gBAC5B,aAAa,EAAE,QAAQ;gBACvB,SAAS,EAAE,EAAE,IAAI,EAAE,UAAU,EAAE;aAChC;YACD,QAAQ,EAAE;gBACR,mBAAmB,EAAE,IAAI;gBACzB,gBAAgB,EAAE,IAAI;gBACtB,gBAAgB,EAAE,IAAI;aACvB;YACD,gBAAgB,EAAE,MAAO,EAAE,YAAY;YACvC,eAAe,EAAE,GAAG;SACrB,CAAC;IACJ,CAAC;IAED;;;;;OAKG;IACH,gBAAgB;QACd,OAAO;YACL,aAAa,EAAE;gBACb,IAAI,EAAE,QAAQ;gBACd,eAAe,EAAE;oBACf,eAAe;oBACf,uBAAuB;oBACvB,UAAU;iBACX;aACF;YACD,UAAU,EAAE;gBACV,OAAO,EAAE,IAAI;gBACb,aAAa,EAAE,aAAa;gBAC5B,aAAa,EAAE,QAAQ;gBACvB,SAAS,EAAE,EAAE,IAAI,EAAE,UAAU,EAAE;aAChC;YACD,QAAQ,EAAE;gBACR,mBAAmB,EAAE,KAAK;gBAC1B,gBAAgB,EAAE,KAAK;gBACvB,gBAAgB,EAAE,KAAK;gBACvB,mBAAmB,EAAE,CAAC,OAAO,EAAE,MAAM,EAAE,sBAAsB,CAAC;aAC/D;YACD,gBAAgB,EAAE,KAAM,EAAE,WAAW;YACrC,eAAe,EAAE,EAAE;SACpB,CAAC;IACJ,CAAC;IAED;;;;;;OAMG;IACH,eAAe,CAAC,aAAsB;QACpC,OAAO,QAAQ,CAAC,MAAM,CAAC,QAAQ,CAAC,gBAAgB,EAAE,EAAE;YAClD,UAAU,EAAE;gBACV,OAAO,EAAE,IAAI;gBACb,aAAa,EAAE,aAAa;gBAC5B,aAAa,EAAE,QAAQ;gBACvB,SAAS,EAAE,EAAE,IAAI,EAAE,UAAU,EAAE;gBAC/B,YAAY,EAAE;oBACZ,IAAI,EAAE,OAAO;oBACb,QAAQ,EAAE,aAAa,IAAI,4BAA4B;oBACvD,OAAO,EAAE,EAAE,SAAS,EAAE,aAAa,IAAI,4BAA4B,EAAE;iBACtE;aACF;SACF,CAAC,CAAC;IACL,CAAC;IAED;;OAEG;IACH,MAAM,CACJ,IAA4B,EAC5B,SAA0C;QAE1C,OAAO;YACL,GAAG,IAAI;YACP,GAAG,SAAS;YACZ,aAAa,EAAE,EAAE,GAAG,IAAI,CAAC,aAAa,EAAE,GAAG,SAAS,CAAC,aAAa,EAAE;YACpE,UAAU,EAAE,EAAE,GAAG,IAAI,CAAC,UAAU,EAAE,GAAG,SAAS,CAAC,UAAU,EAAE;YAC3D,QAAQ,EAAE,EAAE,GAAG,IAAI,CAAC,QAAQ,EAAE,GAAG,SAAS,CAAC,QAAQ,EAAE;SACtD,CAAC;IACJ,CAAC;CACF,CAAC"}

package/dist/core/provenance/crypto/AgentKeyManager.d.ts

@@ -0,0 +1,48 @@
+/**
+ * @file AgentKeyManager.ts
+ * @description Ed25519 keypair generation, signing, and verification.
+ * Uses Node.js `crypto` module on server; falls back to `@noble/ed25519` in browser.
+ *
+ * @module AgentOS/Provenance/Crypto
+ */
+import type { AgentKeySource } from '../types.js';
+export declare class AgentKeyManager {
+    private privateKey;
+    private publicKey;
+    readonly agentId: string;
+    private constructor();
+    /**
+     * Generate a new Ed25519 keypair.
+     */
+    static generate(agentId: string): Promise<AgentKeyManager>;
+    /**
+     * Create from an imported key source configuration.
+     */
+    static fromKeySource(agentId: string, source: AgentKeySource): Promise<AgentKeyManager>;
+    /**
+     * Sign data and return a base64-encoded signature.
+     */
+    sign(data: string): Promise<string>;
+    /**
+     * Verify a signature against data using a public key.
+     * Can verify using this instance's key or a provided external key.
+     */
+    verify(data: string, signatureBase64: string, publicKeyBase64?: string): Promise<boolean>;
+    /**
+     * Static verification using only a public key (no instance needed).
+     */
+    static verifySignature(data: string, signatureBase64: string, publicKeyBase64: string): Promise<boolean>;
+    /**
+     * Get the base64-encoded public key.
+     */
+    getPublicKeyBase64(): string;
+    /**
+     * Get the base64-encoded private key (for persistence).
+     */
+    getPrivateKeyBase64(): string;
+    /**
+     * Export as an AgentKeySource for serialization.
+     */
+    toKeySource(): AgentKeySource;
+}
+//# sourceMappingURL=AgentKeyManager.d.ts.map

package/dist/core/provenance/crypto/AgentKeyManager.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"AgentKeyManager.d.ts","sourceRoot":"","sources":["../../../../src/core/provenance/crypto/AgentKeyManager.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,aAAa,CAAC;AAkBlD,qBAAa,eAAe;IAC1B,OAAO,CAAC,UAAU,CAAsB;IACxC,OAAO,CAAC,SAAS,CAAsB;IACvC,QAAQ,CAAC,OAAO,EAAE,MAAM,CAAC;IAEzB,OAAO;IAUP;;OAEG;WACU,QAAQ,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CAAC,eAAe,CAAC;IAkBhE;;OAEG;WACU,aAAa,CAAC,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,cAAc,GAAG,OAAO,CAAC,eAAe,CAAC;IAc7F;;OAEG;IACG,IAAI,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;IAoBzC;;;OAGG;IACG,MAAM,CAAC,IAAI,EAAE,MAAM,EAAE,eAAe,EAAE,MAAM,EAAE,eAAe,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;IA8B/F;;OAEG;WACU,eAAe,CAC1B,IAAI,EAAE,MAAM,EACZ,eAAe,EAAE,MAAM,EACvB,eAAe,EAAE,MAAM,GACtB,OAAO,CAAC,OAAO,CAAC;IA2BnB;;OAEG;IACH,kBAAkB,IAAI,MAAM;IAI5B;;OAEG;IACH,mBAAmB,IAAI,MAAM;IAI7B;;OAEG;IACH,WAAW,IAAI,cAAc;CAO9B"}

package/dist/core/provenance/crypto/AgentKeyManager.js

@@ -0,0 +1,162 @@
+/**
+ * @file AgentKeyManager.ts
+ * @description Ed25519 keypair generation, signing, and verification.
+ * Uses Node.js `crypto` module on server; falls back to `@noble/ed25519` in browser.
+ *
+ * @module AgentOS/Provenance/Crypto
+ */
+// =============================================================================
+// Runtime Detection
+// =============================================================================
+let nodeCrypto;
+try {
+    // Dynamic import for Node.js runtime
+    nodeCrypto = await import('node:crypto');
+}
+catch {
+    // Not in Node.js environment
+}
+// =============================================================================
+// AgentKeyManager
+// =============================================================================
+export class AgentKeyManager {
+    constructor(agentId, privateKey, publicKey) {
+        this.agentId = agentId;
+        this.privateKey = privateKey;
+        this.publicKey = publicKey;
+    }
+    /**
+     * Generate a new Ed25519 keypair.
+     */
+    static async generate(agentId) {
+        if (nodeCrypto) {
+            const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('ed25519');
+            return new AgentKeyManager(agentId, privateKey.export({ type: 'pkcs8', format: 'der' }), publicKey.export({ type: 'spki', format: 'der' }));
+        }
+        // Browser fallback via @noble/ed25519
+        // @ts-ignore -- optional peer dependency, only used in browser environments
+        const noble = await import('@noble/ed25519');
+        const privKey = noble.utils.randomPrivateKey();
+        const pubKey = await noble.getPublicKeyAsync(privKey);
+        return new AgentKeyManager(agentId, privKey, pubKey);
+    }
+    /**
+     * Create from an imported key source configuration.
+     */
+    static async fromKeySource(agentId, source) {
+        if (source.type === 'generate') {
+            return AgentKeyManager.generate(agentId);
+        }
+        if (!source.privateKeyBase64 || !source.publicKeyBase64) {
+            throw new Error('AgentKeyManager: import requires both privateKeyBase64 and publicKeyBase64');
+        }
+        const privateKey = Buffer.from(source.privateKeyBase64, 'base64');
+        const publicKey = Buffer.from(source.publicKeyBase64, 'base64');
+        return new AgentKeyManager(agentId, privateKey, publicKey);
+    }
+    /**
+     * Sign data and return a base64-encoded signature.
+     */
+    async sign(data) {
+        const dataBuffer = Buffer.from(data, 'utf-8');
+        if (nodeCrypto) {
+            const keyObject = nodeCrypto.createPrivateKey({
+                key: this.privateKey,
+                format: 'der',
+                type: 'pkcs8',
+            });
+            const signature = nodeCrypto.sign(null, dataBuffer, keyObject);
+            return signature.toString('base64');
+        }
+        // Browser fallback
+        // @ts-ignore -- optional peer dependency, only used in browser environments
+        const noble = await import('@noble/ed25519');
+        const sig = await noble.signAsync(dataBuffer, this.privateKey);
+        return Buffer.from(sig).toString('base64');
+    }
+    /**
+     * Verify a signature against data using a public key.
+     * Can verify using this instance's key or a provided external key.
+     */
+    async verify(data, signatureBase64, publicKeyBase64) {
+        const dataBuffer = Buffer.from(data, 'utf-8');
+        const sigBuffer = Buffer.from(signatureBase64, 'base64');
+        const pubKeyBytes = publicKeyBase64
+            ? Buffer.from(publicKeyBase64, 'base64')
+            : this.publicKey;
+        if (nodeCrypto) {
+            try {
+                const keyObject = nodeCrypto.createPublicKey({
+                    key: pubKeyBytes,
+                    format: 'der',
+                    type: 'spki',
+                });
+                return nodeCrypto.verify(null, dataBuffer, keyObject, sigBuffer);
+            }
+            catch {
+                return false;
+            }
+        }
+        // Browser fallback
+        try {
+            // @ts-ignore -- optional peer dependency, only used in browser environments
+            const noble = await import('@noble/ed25519');
+            return await noble.verifyAsync(sigBuffer, dataBuffer, pubKeyBytes);
+        }
+        catch {
+            return false;
+        }
+    }
+    /**
+     * Static verification using only a public key (no instance needed).
+     */
+    static async verifySignature(data, signatureBase64, publicKeyBase64) {
+        const dataBuffer = Buffer.from(data, 'utf-8');
+        const sigBuffer = Buffer.from(signatureBase64, 'base64');
+        const pubKeyBytes = Buffer.from(publicKeyBase64, 'base64');
+        if (nodeCrypto) {
+            try {
+                const keyObject = nodeCrypto.createPublicKey({
+                    key: pubKeyBytes,
+                    format: 'der',
+                    type: 'spki',
+                });
+                return nodeCrypto.verify(null, dataBuffer, keyObject, sigBuffer);
+            }
+            catch {
+                return false;
+            }
+        }
+        try {
+            // @ts-ignore -- optional peer dependency, only used in browser environments
+            const noble = await import('@noble/ed25519');
+            return await noble.verifyAsync(sigBuffer, dataBuffer, pubKeyBytes);
+        }
+        catch {
+            return false;
+        }
+    }
+    /**
+     * Get the base64-encoded public key.
+     */
+    getPublicKeyBase64() {
+        return Buffer.from(this.publicKey).toString('base64');
+    }
+    /**
+     * Get the base64-encoded private key (for persistence).
+     */
+    getPrivateKeyBase64() {
+        return Buffer.from(this.privateKey).toString('base64');
+    }
+    /**
+     * Export as an AgentKeySource for serialization.
+     */
+    toKeySource() {
+        return {
+            type: 'import',
+            privateKeyBase64: this.getPrivateKeyBase64(),
+            publicKeyBase64: this.getPublicKeyBase64(),
+        };
+    }
+}
+//# sourceMappingURL=AgentKeyManager.js.map

package/dist/core/provenance/crypto/AgentKeyManager.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"AgentKeyManager.js","sourceRoot":"","sources":["../../../../src/core/provenance/crypto/AgentKeyManager.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAIH,gFAAgF;AAChF,oBAAoB;AACpB,gFAAgF;AAEhF,IAAI,UAAoD,CAAC;AACzD,IAAI,CAAC;IACH,qCAAqC;IACrC,UAAU,GAAG,MAAM,MAAM,CAAC,aAAa,CAAC,CAAC;AAC3C,CAAC;AAAC,MAAM,CAAC;IACP,6BAA6B;AAC/B,CAAC;AAED,gFAAgF;AAChF,kBAAkB;AAClB,gFAAgF;AAEhF,MAAM,OAAO,eAAe;IAK1B,YACE,OAAe,EACf,UAA+B,EAC/B,SAA8B;QAE9B,IAAI,CAAC,OAAO,GAAG,OAAO,CAAC;QACvB,IAAI,CAAC,UAAU,GAAG,UAAU,CAAC;QAC7B,IAAI,CAAC,SAAS,GAAG,SAAS,CAAC;IAC7B,CAAC;IAED;;OAEG;IACH,MAAM,CAAC,KAAK,CAAC,QAAQ,CAAC,OAAe;QACnC,IAAI,UAAU,EAAE,CAAC;YACf,MAAM,EAAE,SAAS,EAAE,UAAU,EAAE,GAAG,UAAU,CAAC,mBAAmB,CAAC,SAAS,CAAC,CAAC;YAC5E,OAAO,IAAI,eAAe,CACxB,OAAO,EACP,UAAU,CAAC,MAAM,CAAC,EAAE,IAAI,EAAE,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC,EACnD,SAAS,CAAC,MAAM,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC,CAClD,CAAC;QACJ,CAAC;QAED,sCAAsC;QACtC,4EAA4E;QAC5E,MAAM,KAAK,GAAG,MAAM,MAAM,CAAC,gBAAgB,CAAC,CAAC;QAC7C,MAAM,OAAO,GAAG,KAAK,CAAC,KAAK,CAAC,gBAAgB,EAAE,CAAC;QAC/C,MAAM,MAAM,GAAG,MAAM,KAAK,CAAC,iBAAiB,CAAC,OAAO,CAAC,CAAC;QACtD,OAAO,IAAI,eAAe,CAAC,OAAO,EAAE,OAAO,EAAE,MAAM,CAAC,CAAC;IACvD,CAAC;IAED;;OAEG;IACH,MAAM,CAAC,KAAK,CAAC,aAAa,CAAC,OAAe,EAAE,MAAsB;QAChE,IAAI,MAAM,CAAC,IAAI,KAAK,UAAU,EAAE,CAAC;YAC/B,OAAO,eAAe,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC;QAC3C,CAAC;QAED,IAAI,CAAC,MAAM,CAAC,gBAAgB,IAAI,CAAC,MAAM,CAAC,eAAe,EAAE,CAAC;YACxD,MAAM,IAAI,KAAK,CAAC,4EAA4E,CAAC,CAAC;QAChG,CAAC;QAED,MAAM,UAAU,GAAG,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,gBAAgB,EAAE,QAAQ,CAAC,CAAC;QAClE,MAAM,SAAS,GAAG,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,eAAe,EAAE,QAAQ,CAAC,CAAC;QAChE,OAAO,IAAI,eAAe,CAAC,OAAO,EAAE,UAAU,EAAE,SAAS,CAAC,CAAC;IAC7D,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,IAAI,CAAC,IAAY;QACrB,MAAM,UAAU,GAAG,MAAM,CAAC,IAAI,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC;QAE9C,IAAI,UAAU,EAAE,CAAC;YACf,MAAM,SAAS,GAAG,UAAU,CAAC,gBAAgB,CAAC;gBAC5C,GAAG,EAAE,IAAI,CAAC,UAAoB;gBAC9B,MAAM,EAAE,KAAK;gBACb,IAAI,EAAE,OAAO;aACd,CAAC,CAAC;YACH,MAAM,SAAS,GAAG,UAAU,CAAC,IAAI,CAAC,IAAI,EAAE,UAAU,EAAE,SAAS,CAAC,CAAC;YAC/D,OAAO,SAAS,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;QACtC,CAAC;QAED,mBAAmB;QACnB,4EAA4E;QAC5E,MAAM,KAAK,GAAG,MAAM,MAAM,CAAC,gBAAgB,CAAC,CAAC;QAC7C,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,SAAS,CAAC,UAAU,EAAE,IAAI,CAAC,UAAU,CAAC,CAAC;QAC/D,OAAO,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;IAC7C,CAAC;IAED;;;OAGG;IACH,KAAK,CAAC,MAAM,CAAC,IAAY,EAAE,eAAuB,EAAE,eAAwB;QAC1E,MAAM,UAAU,GAAG,MAAM,CAAC,IAAI,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC;QAC9C,MAAM,SAAS,GAAG,MAAM,CAAC,IAAI,CAAC,eAAe,EAAE,QAAQ,CAAC,CAAC;QACzD,MAAM,WAAW,GAAG,eAAe;YACjC,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,eAAe,EAAE,QAAQ,CAAC;YACxC,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC;QAEnB,IAAI,UAAU,EAAE,CAAC;YACf,IAAI,CAAC;gBACH,MAAM,SAAS,GAAG,UAAU,CAAC,eAAe,CAAC;oBAC3C,GAAG,EAAE,WAAqB;oBAC1B,MAAM,EAAE,KAAK;oBACb,IAAI,EAAE,MAAM;iBACb,CAAC,CAAC;gBACH,OAAO,UAAU,CAAC,MAAM,CAAC,IAAI,EAAE,UAAU,EAAE,SAAS,EAAE,SAAS,CAAC,CAAC;YACnE,CAAC;YAAC,MAAM,CAAC;gBACP,OAAO,KAAK,CAAC;YACf,CAAC;QACH,CAAC;QAED,mBAAmB;QACnB,IAAI,CAAC;YACH,4EAA4E;YAC9E,MAAM,KAAK,GAAG,MAAM,MAAM,CAAC,gBAAgB,CAAC,CAAC;YAC3C,OAAO,MAAM,KAAK,CAAC,WAAW,CAAC,SAAS,EAAE,UAAU,EAAE,WAAW,CAAC,CAAC;QACrE,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,KAAK,CAAC;QACf,CAAC;IACH,CAAC;IAED;;OAEG;IACH,MAAM,CAAC,KAAK,CAAC,eAAe,CAC1B,IAAY,EACZ,eAAuB,EACvB,eAAuB;QAEvB,MAAM,UAAU,GAAG,MAAM,CAAC,IAAI,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC;QAC9C,MAAM,SAAS,GAAG,MAAM,CAAC,IAAI,CAAC,eAAe,EAAE,QAAQ,CAAC,CAAC;QACzD,MAAM,WAAW,GAAG,MAAM,CAAC,IAAI,CAAC,eAAe,EAAE,QAAQ,CAAC,CAAC;QAE3D,IAAI,UAAU,EAAE,CAAC;YACf,IAAI,CAAC;gBACH,MAAM,SAAS,GAAG,UAAU,CAAC,eAAe,CAAC;oBAC3C,GAAG,EAAE,WAAW;oBAChB,MAAM,EAAE,KAAK;oBACb,IAAI,EAAE,MAAM;iBACb,CAAC,CAAC;gBACH,OAAO,UAAU,CAAC,MAAM,CAAC,IAAI,EAAE,UAAU,EAAE,SAAS,EAAE,SAAS,CAAC,CAAC;YACnE,CAAC;YAAC,MAAM,CAAC;gBACP,OAAO,KAAK,CAAC;YACf,CAAC;QACH,CAAC;QAED,IAAI,CAAC;YACH,4EAA4E;YAC9E,MAAM,KAAK,GAAG,MAAM,MAAM,CAAC,gBAAgB,CAAC,CAAC;YAC3C,OAAO,MAAM,KAAK,CAAC,WAAW,CAAC,SAAS,EAAE,UAAU,EAAE,WAAW,CAAC,CAAC;QACrE,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,KAAK,CAAC;QACf,CAAC;IACH,CAAC;IAED;;OAEG;IACH,kBAAkB;QAChB,OAAO,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;IACxD,CAAC;IAED;;OAEG;IACH,mBAAmB;QACjB,OAAO,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;IACzD,CAAC;IAED;;OAEG;IACH,WAAW;QACT,OAAO;YACL,IAAI,EAAE,QAAQ;YACd,gBAAgB,EAAE,IAAI,CAAC,mBAAmB,EAAE;YAC5C,eAAe,EAAE,IAAI,CAAC,kBAAkB,EAAE;SAC3C,CAAC;IACJ,CAAC;CACF"}

package/dist/core/provenance/crypto/HashChain.d.ts

@@ -0,0 +1,58 @@
+/**
+ * @file HashChain.ts
+ * @description SHA-256 hash chain for provenance events.
+ * Computes deterministic hashes using a canonical preimage format.
+ *
+ * @module AgentOS/Provenance/Crypto
+ */
+import type { ProvenanceEventType } from '../types.js';
+export declare class HashChain {
+    private lastHash;
+    private sequence;
+    constructor(initialHash?: string, initialSequence?: number);
+    /**
+     * Get the current sequence number.
+     */
+    getSequence(): number;
+    /**
+     * Get the hash of the last event in the chain.
+     */
+    getLastHash(): string;
+    /**
+     * Advance the chain: increment sequence, return the new sequence and prevHash.
+     */
+    advance(): {
+        sequence: number;
+        prevHash: string;
+    };
+    /**
+     * Record a hash as the new chain head (call after event is persisted).
+     */
+    recordHash(hash: string): void;
+    /**
+     * Compute the SHA-256 hash of an event's preimage.
+     * Preimage format: `${sequence}|${type}|${timestamp}|${agentId}|${prevHash}|${payloadHash}`
+     */
+    static computeEventHash(event: {
+        sequence: number;
+        type: ProvenanceEventType;
+        timestamp: string;
+        agentId: string;
+        prevHash: string;
+        payloadHash: string;
+    }, algorithm?: string): string;
+    /**
+     * Compute the SHA-256 hash of a payload object using canonical JSON.
+     * Canonical = sorted keys recursively for deterministic output.
+     */
+    static computePayloadHash(payload: Record<string, unknown>, algorithm?: string): string;
+    /**
+     * Produce canonical JSON: keys sorted lexicographically at every level.
+     */
+    static canonicalJSON(obj: unknown): string;
+    /**
+     * Compute a generic SHA-256 hash of a string.
+     */
+    static hash(data: string, algorithm?: string): string;
+}
+//# sourceMappingURL=HashChain.d.ts.map

package/dist/core/provenance/crypto/HashChain.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"HashChain.d.ts","sourceRoot":"","sources":["../../../../src/core/provenance/crypto/HashChain.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAGH,OAAO,KAAK,EAAe,mBAAmB,EAAE,MAAM,aAAa,CAAC;AAMpE,qBAAa,SAAS;IACpB,OAAO,CAAC,QAAQ,CAAc;IAC9B,OAAO,CAAC,QAAQ,CAAa;gBAEjB,WAAW,GAAE,MAAW,EAAE,eAAe,GAAE,MAAU;IAKjE;;OAEG;IACH,WAAW,IAAI,MAAM;IAIrB;;OAEG;IACH,WAAW,IAAI,MAAM;IAIrB;;OAEG;IACH,OAAO,IAAI;QAAE,QAAQ,EAAE,MAAM,CAAC;QAAC,QAAQ,EAAE,MAAM,CAAA;KAAE;IAQjD;;OAEG;IACH,UAAU,CAAC,IAAI,EAAE,MAAM,GAAG,IAAI;IAI9B;;;OAGG;IACH,MAAM,CAAC,gBAAgB,CAAC,KAAK,EAAE;QAC7B,QAAQ,EAAE,MAAM,CAAC;QACjB,IAAI,EAAE,mBAAmB,CAAC;QAC1B,SAAS,EAAE,MAAM,CAAC;QAClB,OAAO,EAAE,MAAM,CAAC;QAChB,QAAQ,EAAE,MAAM,CAAC;QACjB,WAAW,EAAE,MAAM,CAAC;KACrB,EAAE,SAAS,GAAE,MAAiB,GAAG,MAAM;IAKxC;;;OAGG;IACH,MAAM,CAAC,kBAAkB,CAAC,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAAE,SAAS,GAAE,MAAiB,GAAG,MAAM;IAKjG;;OAEG;IACH,MAAM,CAAC,aAAa,CAAC,GAAG,EAAE,OAAO,GAAG,MAAM;IAe1C;;OAEG;IACH,MAAM,CAAC,IAAI,CAAC,IAAI,EAAE,MAAM,EAAE,SAAS,GAAE,MAAiB,GAAG,MAAM;CAGhE"}

package/dist/core/provenance/crypto/HashChain.js

@@ -0,0 +1,86 @@
+/**
+ * @file HashChain.ts
+ * @description SHA-256 hash chain for provenance events.
+ * Computes deterministic hashes using a canonical preimage format.
+ *
+ * @module AgentOS/Provenance/Crypto
+ */
+import { createHash } from 'node:crypto';
+// =============================================================================
+// HashChain
+// =============================================================================
+export class HashChain {
+    constructor(initialHash = '', initialSequence = 0) {
+        this.lastHash = '';
+        this.sequence = 0;
+        this.lastHash = initialHash;
+        this.sequence = initialSequence;
+    }
+    /**
+     * Get the current sequence number.
+     */
+    getSequence() {
+        return this.sequence;
+    }
+    /**
+     * Get the hash of the last event in the chain.
+     */
+    getLastHash() {
+        return this.lastHash;
+    }
+    /**
+     * Advance the chain: increment sequence, return the new sequence and prevHash.
+     */
+    advance() {
+        this.sequence += 1;
+        return {
+            sequence: this.sequence,
+            prevHash: this.lastHash,
+        };
+    }
+    /**
+     * Record a hash as the new chain head (call after event is persisted).
+     */
+    recordHash(hash) {
+        this.lastHash = hash;
+    }
+    /**
+     * Compute the SHA-256 hash of an event's preimage.
+     * Preimage format: `${sequence}|${type}|${timestamp}|${agentId}|${prevHash}|${payloadHash}`
+     */
+    static computeEventHash(event, algorithm = 'sha256') {
+        const preimage = `${event.sequence}|${event.type}|${event.timestamp}|${event.agentId}|${event.prevHash}|${event.payloadHash}`;
+        return createHash(algorithm).update(preimage, 'utf-8').digest('hex');
+    }
+    /**
+     * Compute the SHA-256 hash of a payload object using canonical JSON.
+     * Canonical = sorted keys recursively for deterministic output.
+     */
+    static computePayloadHash(payload, algorithm = 'sha256') {
+        const canonical = HashChain.canonicalJSON(payload);
+        return createHash(algorithm).update(canonical, 'utf-8').digest('hex');
+    }
+    /**
+     * Produce canonical JSON: keys sorted lexicographically at every level.
+     */
+    static canonicalJSON(obj) {
+        if (obj === null || obj === undefined)
+            return JSON.stringify(obj);
+        if (typeof obj !== 'object')
+            return JSON.stringify(obj);
+        if (Array.isArray(obj)) {
+            return '[' + obj.map(item => HashChain.canonicalJSON(item)).join(',') + ']';
+        }
+        const record = obj;
+        const sortedKeys = Object.keys(record).sort();
+        const entries = sortedKeys.map(key => `${JSON.stringify(key)}:${HashChain.canonicalJSON(record[key])}`);
+        return '{' + entries.join(',') + '}';
+    }
+    /**
+     * Compute a generic SHA-256 hash of a string.
+     */
+    static hash(data, algorithm = 'sha256') {
+        return createHash(algorithm).update(data, 'utf-8').digest('hex');
+    }
+}
+//# sourceMappingURL=HashChain.js.map

package/dist/core/provenance/crypto/HashChain.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"HashChain.js","sourceRoot":"","sources":["../../../../src/core/provenance/crypto/HashChain.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AAGzC,gFAAgF;AAChF,YAAY;AACZ,gFAAgF;AAEhF,MAAM,OAAO,SAAS;IAIpB,YAAY,cAAsB,EAAE,EAAE,kBAA0B,CAAC;QAHzD,aAAQ,GAAW,EAAE,CAAC;QACtB,aAAQ,GAAW,CAAC,CAAC;QAG3B,IAAI,CAAC,QAAQ,GAAG,WAAW,CAAC;QAC5B,IAAI,CAAC,QAAQ,GAAG,eAAe,CAAC;IAClC,CAAC;IAED;;OAEG;IACH,WAAW;QACT,OAAO,IAAI,CAAC,QAAQ,CAAC;IACvB,CAAC;IAED;;OAEG;IACH,WAAW;QACT,OAAO,IAAI,CAAC,QAAQ,CAAC;IACvB,CAAC;IAED;;OAEG;IACH,OAAO;QACL,IAAI,CAAC,QAAQ,IAAI,CAAC,CAAC;QACnB,OAAO;YACL,QAAQ,EAAE,IAAI,CAAC,QAAQ;YACvB,QAAQ,EAAE,IAAI,CAAC,QAAQ;SACxB,CAAC;IACJ,CAAC;IAED;;OAEG;IACH,UAAU,CAAC,IAAY;QACrB,IAAI,CAAC,QAAQ,GAAG,IAAI,CAAC;IACvB,CAAC;IAED;;;OAGG;IACH,MAAM,CAAC,gBAAgB,CAAC,KAOvB,EAAE,YAAoB,QAAQ;QAC7B,MAAM,QAAQ,GAAG,GAAG,KAAK,CAAC,QAAQ,IAAI,KAAK,CAAC,IAAI,IAAI,KAAK,CAAC,SAAS,IAAI,KAAK,CAAC,OAAO,IAAI,KAAK,CAAC,QAAQ,IAAI,KAAK,CAAC,WAAW,EAAE,CAAC;QAC9H,OAAO,UAAU,CAAC,SAAS,CAAC,CAAC,MAAM,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;IACvE,CAAC;IAED;;;OAGG;IACH,MAAM,CAAC,kBAAkB,CAAC,OAAgC,EAAE,YAAoB,QAAQ;QACtF,MAAM,SAAS,GAAG,SAAS,CAAC,aAAa,CAAC,OAAO,CAAC,CAAC;QACnD,OAAO,UAAU,CAAC,SAAS,CAAC,CAAC,MAAM,CAAC,SAAS,EAAE,OAAO,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;IACxE,CAAC;IAED;;OAEG;IACH,MAAM,CAAC,aAAa,CAAC,GAAY;QAC/B,IAAI,GAAG,KAAK,IAAI,IAAI,GAAG,KAAK,SAAS;YAAE,OAAO,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC;QAClE,IAAI,OAAO,GAAG,KAAK,QAAQ;YAAE,OAAO,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC;QACxD,IAAI,KAAK,CAAC,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC;YACvB,OAAO,GAAG,GAAG,GAAG,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE,CAAC,SAAS,CAAC,aAAa,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,GAAG,GAAG,CAAC;QAC9E,CAAC;QAED,MAAM,MAAM,GAAG,GAA8B,CAAC;QAC9C,MAAM,UAAU,GAAG,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,IAAI,EAAE,CAAC;QAC9C,MAAM,OAAO,GAAG,UAAU,CAAC,GAAG,CAC5B,GAAG,CAAC,EAAE,CAAC,GAAG,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,IAAI,SAAS,CAAC,aAAa,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,EAAE,CACxE,CAAC;QACF,OAAO,GAAG,GAAG,OAAO,CAAC,IAAI,CAAC,GAAG,CAAC,GAAG,GAAG,CAAC;IACvC,CAAC;IAED;;OAEG;IACH,MAAM,CAAC,IAAI,CAAC,IAAY,EAAE,YAAoB,QAAQ;QACpD,OAAO,UAAU,CAAC,SAAS,CAAC,CAAC,MAAM,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;IACnE,CAAC;CACF"}

package/dist/core/provenance/crypto/MerkleTree.d.ts

@@ -0,0 +1,41 @@
+/**
+ * @file MerkleTree.ts
+ * @description Merkle tree computation for anchoring provenance events.
+ * Computes a root hash from a list of leaf hashes.
+ *
+ * @module AgentOS/Provenance/Crypto
+ */
+export declare class MerkleTree {
+    /**
+     * Compute the Merkle root of a list of leaf hashes.
+     * If the number of leaves is odd, the last leaf is duplicated.
+     * Returns empty string for empty input.
+     */
+    static computeRoot(leaves: string[], algorithm?: string): string;
+    /**
+     * Compute a Merkle inclusion proof for a leaf at a given index.
+     * Returns the sibling hashes needed to reconstruct the root.
+     */
+    static computeProof(leaves: string[], leafIndex: number, algorithm?: string): MerkleProof;
+    /**
+     * Verify a Merkle inclusion proof.
+     */
+    static verifyProof(proof: MerkleProof, algorithm?: string): boolean;
+}
+export interface MerkleProofStep {
+    /** Sibling hash at this level. */
+    hash: string;
+    /** Position of the sibling relative to the current node. */
+    position: 'left' | 'right';
+}
+export interface MerkleProof {
+    /** Hash of the leaf being proved. */
+    leafHash: string;
+    /** Index of the leaf in the original list. */
+    leafIndex: number;
+    /** Ordered sibling hashes for reconstruction. */
+    proof: MerkleProofStep[];
+    /** Expected Merkle root. */
+    root: string;
+}
+//# sourceMappingURL=MerkleTree.d.ts.map

package/dist/core/provenance/crypto/MerkleTree.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"MerkleTree.d.ts","sourceRoot":"","sources":["../../../../src/core/provenance/crypto/MerkleTree.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAQH,qBAAa,UAAU;IACrB;;;;OAIG;IACH,MAAM,CAAC,WAAW,CAAC,MAAM,EAAE,MAAM,EAAE,EAAE,SAAS,GAAE,MAAiB,GAAG,MAAM;IAwB1E;;;OAGG;IACH,MAAM,CAAC,YAAY,CACjB,MAAM,EAAE,MAAM,EAAE,EAChB,SAAS,EAAE,MAAM,EACjB,SAAS,GAAE,MAAiB,GAC3B,WAAW;IAsCd;;OAEG;IACH,MAAM,CAAC,WAAW,CAAC,KAAK,EAAE,WAAW,EAAE,SAAS,GAAE,MAAiB,GAAG,OAAO;CAY9E;AAMD,MAAM,WAAW,eAAe;IAC9B,kCAAkC;IAClC,IAAI,EAAE,MAAM,CAAC;IACb,4DAA4D;IAC5D,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC;CAC5B;AAED,MAAM,WAAW,WAAW;IAC1B,qCAAqC;IACrC,QAAQ,EAAE,MAAM,CAAC;IACjB,8CAA8C;IAC9C,SAAS,EAAE,MAAM,CAAC;IAClB,iDAAiD;IACjD,KAAK,EAAE,eAAe,EAAE,CAAC;IACzB,4BAA4B;IAC5B,IAAI,EAAE,MAAM,CAAC;CACd"}

package/dist/core/provenance/crypto/MerkleTree.js

@@ -0,0 +1,86 @@
+/**
+ * @file MerkleTree.ts
+ * @description Merkle tree computation for anchoring provenance events.
+ * Computes a root hash from a list of leaf hashes.
+ *
+ * @module AgentOS/Provenance/Crypto
+ */
+import { createHash } from 'node:crypto';
+// =============================================================================
+// MerkleTree
+// =============================================================================
+export class MerkleTree {
+    /**
+     * Compute the Merkle root of a list of leaf hashes.
+     * If the number of leaves is odd, the last leaf is duplicated.
+     * Returns empty string for empty input.
+     */
+    static computeRoot(leaves, algorithm = 'sha256') {
+        if (leaves.length === 0)
+            return '';
+        if (leaves.length === 1)
+            return leaves[0];
+        let currentLevel = [...leaves];
+        while (currentLevel.length > 1) {
+            const nextLevel = [];
+            for (let i = 0; i < currentLevel.length; i += 2) {
+                const left = currentLevel[i];
+                // If odd number of nodes, duplicate the last one
+                const right = i + 1 < currentLevel.length ? currentLevel[i + 1] : currentLevel[i];
+                const combined = left + right;
+                const parentHash = createHash(algorithm).update(combined, 'utf-8').digest('hex');
+                nextLevel.push(parentHash);
+            }
+            currentLevel = nextLevel;
+        }
+        return currentLevel[0];
+    }
+    /**
+     * Compute a Merkle inclusion proof for a leaf at a given index.
+     * Returns the sibling hashes needed to reconstruct the root.
+     */
+    static computeProof(leaves, leafIndex, algorithm = 'sha256') {
+        if (leafIndex < 0 || leafIndex >= leaves.length) {
+            throw new Error(`MerkleTree: leafIndex ${leafIndex} out of range [0, ${leaves.length})`);
+        }
+        const proof = [];
+        let currentLevel = [...leaves];
+        let currentIndex = leafIndex;
+        while (currentLevel.length > 1) {
+            const nextLevel = [];
+            for (let i = 0; i < currentLevel.length; i += 2) {
+                const left = currentLevel[i];
+                const right = i + 1 < currentLevel.length ? currentLevel[i + 1] : currentLevel[i];
+                if (i === currentIndex || i + 1 === currentIndex) {
+                    const siblingHash = i === currentIndex ? right : left;
+                    const position = i === currentIndex ? 'right' : 'left';
+                    proof.push({ hash: siblingHash, position });
+                }
+                const combined = left + right;
+                nextLevel.push(createHash(algorithm).update(combined, 'utf-8').digest('hex'));
+            }
+            currentIndex = Math.floor(currentIndex / 2);
+            currentLevel = nextLevel;
+        }
+        return {
+            leafHash: leaves[leafIndex],
+            leafIndex,
+            proof,
+            root: currentLevel[0],
+        };
+    }
+    /**
+     * Verify a Merkle inclusion proof.
+     */
+    static verifyProof(proof, algorithm = 'sha256') {
+        let currentHash = proof.leafHash;
+        for (const step of proof.proof) {
+            const combined = step.position === 'right'
+                ? currentHash + step.hash
+                : step.hash + currentHash;
+            currentHash = createHash(algorithm).update(combined, 'utf-8').digest('hex');
+        }
+        return currentHash === proof.root;
+    }
+}
+//# sourceMappingURL=MerkleTree.js.map

package/dist/core/provenance/crypto/MerkleTree.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"MerkleTree.js","sourceRoot":"","sources":["../../../../src/core/provenance/crypto/MerkleTree.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AAEzC,gFAAgF;AAChF,aAAa;AACb,gFAAgF;AAEhF,MAAM,OAAO,UAAU;IACrB;;;;OAIG;IACH,MAAM,CAAC,WAAW,CAAC,MAAgB,EAAE,YAAoB,QAAQ;QAC/D,IAAI,MAAM,CAAC,MAAM,KAAK,CAAC;YAAE,OAAO,EAAE,CAAC;QACnC,IAAI,MAAM,CAAC,MAAM,KAAK,CAAC;YAAE,OAAO,MAAM,CAAC,CAAC,CAAC,CAAC;QAE1C,IAAI,YAAY,GAAG,CAAC,GAAG,MAAM,CAAC,CAAC;QAE/B,OAAO,YAAY,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YAC/B,MAAM,SAAS,GAAa,EAAE,CAAC;YAE/B,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,YAAY,CAAC,MAAM,EAAE,CAAC,IAAI,CAAC,EAAE,CAAC;gBAChD,MAAM,IAAI,GAAG,YAAY,CAAC,CAAC,CAAC,CAAC;gBAC7B,iDAAiD;gBACjD,MAAM,KAAK,GAAG,CAAC,GAAG,CAAC,GAAG,YAAY,CAAC,MAAM,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;gBAClF,MAAM,QAAQ,GAAG,IAAI,GAAG,KAAK,CAAC;gBAC9B,MAAM,UAAU,GAAG,UAAU,CAAC,SAAS,CAAC,CAAC,MAAM,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;gBACjF,SAAS,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;YAC7B,CAAC;YAED,YAAY,GAAG,SAAS,CAAC;QAC3B,CAAC;QAED,OAAO,YAAY,CAAC,CAAC,CAAC,CAAC;IACzB,CAAC;IAED;;;OAGG;IACH,MAAM,CAAC,YAAY,CACjB,MAAgB,EAChB,SAAiB,EACjB,YAAoB,QAAQ;QAE5B,IAAI,SAAS,GAAG,CAAC,IAAI,SAAS,IAAI,MAAM,CAAC,MAAM,EAAE,CAAC;YAChD,MAAM,IAAI,KAAK,CAAC,yBAAyB,SAAS,qBAAqB,MAAM,CAAC,MAAM,GAAG,CAAC,CAAC;QAC3F,CAAC;QAED,MAAM,KAAK,GAAsB,EAAE,CAAC;QACpC,IAAI,YAAY,GAAG,CAAC,GAAG,MAAM,CAAC,CAAC;QAC/B,IAAI,YAAY,GAAG,SAAS,CAAC;QAE7B,OAAO,YAAY,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YAC/B,MAAM,SAAS,GAAa,EAAE,CAAC;YAE/B,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,YAAY,CAAC,MAAM,EAAE,CAAC,IAAI,CAAC,EAAE,CAAC;gBAChD,MAAM,IAAI,GAAG,YAAY,CAAC,CAAC,CAAC,CAAC;gBAC7B,MAAM,KAAK,GAAG,CAAC,GAAG,CAAC,GAAG,YAAY,CAAC,MAAM,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;gBAElF,IAAI,CAAC,KAAK,YAAY,IAAI,CAAC,GAAG,CAAC,KAAK,YAAY,EAAE,CAAC;oBACjD,MAAM,WAAW,GAAG,CAAC,KAAK,YAAY,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,IAAI,CAAC;oBACtD,MAAM,QAAQ,GAAqB,CAAC,KAAK,YAAY,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC;oBACzE,KAAK,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,WAAW,EAAE,QAAQ,EAAE,CAAC,CAAC;gBAC9C,CAAC;gBAED,MAAM,QAAQ,GAAG,IAAI,GAAG,KAAK,CAAC;gBAC9B,SAAS,CAAC,IAAI,CAAC,UAAU,CAAC,SAAS,CAAC,CAAC,MAAM,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC;YAChF,CAAC;YAED,YAAY,GAAG,IAAI,CAAC,KAAK,CAAC,YAAY,GAAG,CAAC,CAAC,CAAC;YAC5C,YAAY,GAAG,SAAS,CAAC;QAC3B,CAAC;QAED,OAAO;YACL,QAAQ,EAAE,MAAM,CAAC,SAAS,CAAC;YAC3B,SAAS;YACT,KAAK;YACL,IAAI,EAAE,YAAY,CAAC,CAAC,CAAC;SACtB,CAAC;IACJ,CAAC;IAED;;OAEG;IACH,MAAM,CAAC,WAAW,CAAC,KAAkB,EAAE,YAAoB,QAAQ;QACjE,IAAI,WAAW,GAAG,KAAK,CAAC,QAAQ,CAAC;QAEjC,KAAK,MAAM,IAAI,IAAI,KAAK,CAAC,KAAK,EAAE,CAAC;YAC/B,MAAM,QAAQ,GAAG,IAAI,CAAC,QAAQ,KAAK,OAAO;gBACxC,CAAC,CAAC,WAAW,GAAG,IAAI,CAAC,IAAI;gBACzB,CAAC,CAAC,IAAI,CAAC,IAAI,GAAG,WAAW,CAAC;YAC5B,WAAW,GAAG,UAAU,CAAC,SAAS,CAAC,CAAC,MAAM,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;QAC9E,CAAC;QAED,OAAO,WAAW,KAAK,KAAK,CAAC,IAAI,CAAC;IACpC,CAAC;CACF"}