@haneullabs/seal 0.1.0 → 1.1.1

package/dist/session-key.mjs

@@ -0,0 +1,171 @@
+import { ExpiredSessionKeyError, InvalidPackageError, InvalidPersonalMessageSignatureError, UserError } from "./error.mjs";
+import { generateSecretKey, toPublicKey, toVerificationKey } from "./elgamal.mjs";
+import { toBase64 } from "@haneullabs/bcs";
+import { bcs as bcs$1 } from "@haneullabs/haneul/bcs";
+import { isValidHaneulAddress, isValidHaneulObjectId, isValidNamedPackage } from "@haneullabs/haneul/utils";
+import { Ed25519Keypair } from "@haneullabs/haneul/keypairs/ed25519";
+import { verifyPersonalMessageSignature } from "@haneullabs/haneul/verify";
+
+//#region src/session-key.ts
+const RequestFormat = bcs$1.struct("RequestFormat", {
+	ptb: bcs$1.byteVector(),
+	encKey: bcs$1.byteVector(),
+	encVerificationKey: bcs$1.byteVector()
+});
+var SessionKey = class SessionKey {
+	#address;
+	#packageId;
+	#mvrName;
+	#creationTimeMs;
+	#ttlMin;
+	#sessionKey;
+	#personalMessageSignature;
+	#signer;
+	#haneulClient;
+	constructor({ address, packageId, mvrName, ttlMin, signer, haneulClient }) {
+		if (mvrName && !isValidNamedPackage(mvrName)) throw new UserError(`Invalid package name ${mvrName}`);
+		if (!isValidHaneulObjectId(packageId) || !isValidHaneulAddress(address)) throw new UserError(`Invalid package ID ${packageId} or address ${address}`);
+		if (ttlMin > 30 || ttlMin < 1) throw new UserError(`Invalid TTL ${ttlMin}, must be between 1 and 30`);
+		if (signer && signer.getPublicKey().toHaneulAddress() !== address) throw new UserError("Signer address does not match session key address");
+		this.#address = address;
+		this.#packageId = packageId;
+		this.#mvrName = mvrName;
+		this.#creationTimeMs = Date.now();
+		this.#ttlMin = ttlMin;
+		this.#sessionKey = Ed25519Keypair.generate();
+		this.#signer = signer;
+		this.#haneulClient = haneulClient;
+	}
+	/**
+	* Create a new SessionKey instance.
+	* @param address - The address of the user.
+	* @param packageId - The ID of the package.
+	* @param mvrName - Optional. The name of the MVR, if there is one.
+	* @param ttlMin - The TTL in minutes.
+	* @param signer - Optional. The signer instance, e.g. EnokiSigner.
+	* @param haneulClient - The Haneul client.
+	* @returns A new SessionKey instance.
+	*/
+	static async create({ address, packageId, mvrName, ttlMin, signer, haneulClient }) {
+		const packageObj = await haneulClient.core.getObject({ objectId: packageId });
+		if (String(packageObj.object.version) !== "1") throw new InvalidPackageError(`Package ${packageId} is not the first version`);
+		return new SessionKey({
+			address,
+			packageId,
+			mvrName,
+			ttlMin,
+			signer,
+			haneulClient
+		});
+	}
+	isExpired() {
+		return this.#creationTimeMs + this.#ttlMin * 60 * 1e3 - 1e4 < Date.now();
+	}
+	getAddress() {
+		return this.#address;
+	}
+	getPackageName() {
+		if (this.#mvrName) return this.#mvrName;
+		return this.#packageId;
+	}
+	getPackageId() {
+		return this.#packageId;
+	}
+	getPersonalMessage() {
+		const creationTimeUtc = new Date(this.#creationTimeMs).toISOString().slice(0, 19).replace("T", " ") + " UTC";
+		const message = `Accessing keys of package ${this.getPackageName()} for ${this.#ttlMin} mins from ${creationTimeUtc}, session key ${toBase64(this.#sessionKey.getPublicKey().toRawBytes())}`;
+		return new TextEncoder().encode(message);
+	}
+	async setPersonalMessageSignature(personalMessageSignature) {
+		if (!this.#personalMessageSignature) try {
+			await verifyPersonalMessageSignature(this.getPersonalMessage(), personalMessageSignature, {
+				address: this.#address,
+				client: this.#haneulClient
+			});
+			this.#personalMessageSignature = personalMessageSignature;
+		} catch {
+			throw new InvalidPersonalMessageSignatureError("Not valid");
+		}
+	}
+	async getCertificate() {
+		if (!this.#personalMessageSignature) if (this.#signer) {
+			const { signature } = await this.#signer.signPersonalMessage(this.getPersonalMessage());
+			this.#personalMessageSignature = signature;
+		} else throw new InvalidPersonalMessageSignatureError("Personal message signature is not set");
+		return {
+			user: this.#address,
+			session_vk: toBase64(this.#sessionKey.getPublicKey().toRawBytes()),
+			creation_time: this.#creationTimeMs,
+			ttl_min: this.#ttlMin,
+			signature: this.#personalMessageSignature,
+			mvr_name: this.#mvrName
+		};
+	}
+	/**
+	* Create request params for the given transaction bytes.
+	* @param txBytes - The transaction bytes.
+	* @returns The request params containing the ephemeral secret key,
+	* its public key and its verification key.
+	*/
+	async createRequestParams(txBytes) {
+		if (this.isExpired()) throw new ExpiredSessionKeyError();
+		const encKey = generateSecretKey();
+		const encKeyPk = toPublicKey(encKey);
+		const encVerificationKey = toVerificationKey(encKey);
+		const msgToSign = RequestFormat.serialize({
+			ptb: txBytes.slice(1),
+			encKey: encKeyPk,
+			encVerificationKey
+		}).toBytes();
+		return {
+			encKey,
+			encKeyPk,
+			encVerificationKey,
+			requestSignature: toBase64(await this.#sessionKey.sign(msgToSign))
+		};
+	}
+	/**
+	* Export the Session Key object from the instance. Store the object in IndexedDB to persist.
+	*/
+	export() {
+		const obj = {
+			address: this.#address,
+			packageId: this.#packageId,
+			mvrName: this.#mvrName,
+			creationTimeMs: this.#creationTimeMs,
+			ttlMin: this.#ttlMin,
+			personalMessageSignature: this.#personalMessageSignature,
+			sessionKey: this.#sessionKey.getSecretKey()
+		};
+		Object.defineProperty(obj, "toJSON", {
+			enumerable: false,
+			value: () => {
+				throw new Error("This object is not serializable");
+			}
+		});
+		return obj;
+	}
+	/**
+	* Restore a SessionKey instance for the given object.
+	* @returns A new SessionKey instance with restored state
+	*/
+	static import(data, haneulClient, signer) {
+		const instance = new SessionKey({
+			address: data.address,
+			packageId: data.packageId,
+			mvrName: data.mvrName,
+			ttlMin: data.ttlMin,
+			signer,
+			haneulClient
+		});
+		instance.#creationTimeMs = data.creationTimeMs;
+		instance.#sessionKey = Ed25519Keypair.fromSecretKey(data.sessionKey);
+		instance.#personalMessageSignature = data.personalMessageSignature;
+		if (instance.isExpired()) throw new ExpiredSessionKeyError();
+		return instance;
+	}
+};
+
+//#endregion
+export { SessionKey };
+//# sourceMappingURL=session-key.mjs.map

package/dist/session-key.mjs.map

@@ -0,0 +1 @@
+{"version":3,"file":"session-key.mjs","names":["bcs","#address","#packageId","#mvrName","#creationTimeMs","#ttlMin","#sessionKey","#signer","#haneulClient","#personalMessageSignature"],"sources":["../src/session-key.ts"],"sourcesContent":["// Copyright (c) Mysten Labs, Inc.\n// SPDX-License-Identifier: Apache-2.0\n\nimport { toBase64 } from '@haneullabs/bcs';\nimport { bcs } from '@haneullabs/haneul/bcs';\nimport type { Signer } from '@haneullabs/haneul/cryptography';\nimport { Ed25519Keypair } from '@haneullabs/haneul/keypairs/ed25519';\nimport { isValidNamedPackage, isValidHaneulAddress, isValidHaneulObjectId } from '@haneullabs/haneul/utils';\nimport { verifyPersonalMessageSignature } from '@haneullabs/haneul/verify';\nimport { generateSecretKey, toPublicKey, toVerificationKey } from './elgamal.js';\nimport {\n\tExpiredSessionKeyError,\n\tInvalidPackageError,\n\tInvalidPersonalMessageSignatureError,\n\tUserError,\n} from './error.js';\nimport type { SealCompatibleClient } from './types.js';\n\nexport const RequestFormat = bcs.struct('RequestFormat', {\n\tptb: bcs.byteVector(),\n\tencKey: bcs.byteVector(),\n\tencVerificationKey: bcs.byteVector(),\n});\n\nexport type Certificate = {\n\tuser: string;\n\tsession_vk: string;\n\tcreation_time: number;\n\tttl_min: number;\n\tsignature: string;\n\tmvr_name?: string;\n};\n\nexport type ExportedSessionKey = {\n\taddress: string;\n\tpackageId: string;\n\tmvrName?: string;\n\tcreationTimeMs: number;\n\tttlMin: number;\n\tpersonalMessageSignature?: string;\n\tsessionKey: string;\n};\n\nexport class SessionKey {\n\t#address: string;\n\t#packageId: string;\n\t#mvrName?: string;\n\t#creationTimeMs: number;\n\t#ttlMin: number;\n\t#sessionKey: Ed25519Keypair;\n\t#personalMessageSignature?: string;\n\t#signer?: Signer;\n\t#haneulClient: SealCompatibleClient;\n\n\tprivate constructor({\n\t\taddress,\n\t\tpackageId,\n\t\tmvrName,\n\t\tttlMin,\n\t\tsigner,\n\t\thaneulClient,\n\t}: {\n\t\taddress: string;\n\t\tpackageId: string;\n\t\tmvrName?: string;\n\t\tttlMin: number;\n\t\tsigner?: Signer;\n\t\thaneulClient: SealCompatibleClient;\n\t}) {\n\t\tif (mvrName && !isValidNamedPackage(mvrName)) {\n\t\t\tthrow new UserError(`Invalid package name ${mvrName}`);\n\t\t}\n\t\tif (!isValidHaneulObjectId(packageId) || !isValidHaneulAddress(address)) {\n\t\t\tthrow new UserError(`Invalid package ID ${packageId} or address ${address}`);\n\t\t}\n\t\tif (ttlMin > 30 || ttlMin < 1) {\n\t\t\tthrow new UserError(`Invalid TTL ${ttlMin}, must be between 1 and 30`);\n\t\t}\n\t\tif (signer && signer.getPublicKey().toHaneulAddress() !== address) {\n\t\t\tthrow new UserError('Signer address does not match session key address');\n\t\t}\n\n\t\tthis.#address = address;\n\t\tthis.#packageId = packageId;\n\t\tthis.#mvrName = mvrName;\n\t\tthis.#creationTimeMs = Date.now();\n\t\tthis.#ttlMin = ttlMin;\n\t\tthis.#sessionKey = Ed25519Keypair.generate();\n\t\tthis.#signer = signer;\n\t\tthis.#haneulClient = haneulClient;\n\t}\n\n\t/**\n\t * Create a new SessionKey instance.\n\t * @param address - The address of the user.\n\t * @param packageId - The ID of the package.\n\t * @param mvrName - Optional. The name of the MVR, if there is one.\n\t * @param ttlMin - The TTL in minutes.\n\t * @param signer - Optional. The signer instance, e.g. EnokiSigner.\n\t * @param haneulClient - The Haneul client.\n\t * @returns A new SessionKey instance.\n\t */\n\tstatic async create({\n\t\taddress,\n\t\tpackageId,\n\t\tmvrName,\n\t\tttlMin,\n\t\tsigner,\n\t\thaneulClient,\n\t}: {\n\t\taddress: string;\n\t\tpackageId: string;\n\t\tmvrName?: string;\n\t\tttlMin: number;\n\t\tsigner?: Signer;\n\t\thaneulClient: SealCompatibleClient;\n\t}): Promise<SessionKey> {\n\t\tconst packageObj = await haneulClient.core.getObject({ objectId: packageId });\n\t\tif (String(packageObj.object.version) !== '1') {\n\t\t\tthrow new InvalidPackageError(`Package ${packageId} is not the first version`);\n\t\t}\n\n\t\treturn new SessionKey({\n\t\t\taddress,\n\t\t\tpackageId,\n\t\t\tmvrName,\n\t\t\tttlMin,\n\t\t\tsigner,\n\t\t\thaneulClient,\n\t\t});\n\t}\n\tisExpired(): boolean {\n\t\t// Allow 10 seconds for clock skew\n\t\treturn this.#creationTimeMs + this.#ttlMin * 60 * 1000 - 10_000 < Date.now();\n\t}\n\n\tgetAddress(): string {\n\t\treturn this.#address;\n\t}\n\n\tgetPackageName(): string {\n\t\tif (this.#mvrName) {\n\t\t\treturn this.#mvrName;\n\t\t}\n\t\treturn this.#packageId;\n\t}\n\n\tgetPackageId(): string {\n\t\treturn this.#packageId;\n\t}\n\n\tgetPersonalMessage(): Uint8Array {\n\t\tconst creationTimeUtc =\n\t\t\tnew Date(this.#creationTimeMs).toISOString().slice(0, 19).replace('T', ' ') + ' UTC';\n\t\tconst message = `Accessing keys of package ${this.getPackageName()} for ${this.#ttlMin} mins from ${creationTimeUtc}, session key ${toBase64(this.#sessionKey.getPublicKey().toRawBytes())}`;\n\t\treturn new TextEncoder().encode(message);\n\t}\n\n\tasync setPersonalMessageSignature(personalMessageSignature: string) {\n\t\tif (!this.#personalMessageSignature) {\n\t\t\ttry {\n\t\t\t\tawait verifyPersonalMessageSignature(this.getPersonalMessage(), personalMessageSignature, {\n\t\t\t\t\taddress: this.#address,\n\t\t\t\t\tclient: this.#haneulClient,\n\t\t\t\t});\n\t\t\t\tthis.#personalMessageSignature = personalMessageSignature;\n\t\t\t} catch {\n\t\t\t\tthrow new InvalidPersonalMessageSignatureError('Not valid');\n\t\t\t}\n\t\t}\n\t}\n\n\tasync getCertificate(): Promise<Certificate> {\n\t\tif (!this.#personalMessageSignature) {\n\t\t\tif (this.#signer) {\n\t\t\t\tconst { signature } = await this.#signer.signPersonalMessage(this.getPersonalMessage());\n\t\t\t\tthis.#personalMessageSignature = signature;\n\t\t\t} else {\n\t\t\t\tthrow new InvalidPersonalMessageSignatureError('Personal message signature is not set');\n\t\t\t}\n\t\t}\n\t\treturn {\n\t\t\tuser: this.#address,\n\t\t\tsession_vk: toBase64(this.#sessionKey.getPublicKey().toRawBytes()),\n\t\t\tcreation_time: this.#creationTimeMs,\n\t\t\tttl_min: this.#ttlMin,\n\t\t\tsignature: this.#personalMessageSignature,\n\t\t\tmvr_name: this.#mvrName,\n\t\t};\n\t}\n\n\t/**\n\t * Create request params for the given transaction bytes.\n\t * @param txBytes - The transaction bytes.\n\t * @returns The request params containing the ephemeral secret key,\n\t * its public key and its verification key.\n\t */\n\tasync createRequestParams(txBytes: Uint8Array): Promise<{\n\t\tencKey: Uint8Array<ArrayBuffer>;\n\t\tencKeyPk: Uint8Array<ArrayBuffer>;\n\t\tencVerificationKey: Uint8Array<ArrayBuffer>;\n\t\trequestSignature: string;\n\t}> {\n\t\tif (this.isExpired()) {\n\t\t\tthrow new ExpiredSessionKeyError();\n\t\t}\n\t\tconst encKey = generateSecretKey();\n\t\tconst encKeyPk = toPublicKey(encKey);\n\t\tconst encVerificationKey = toVerificationKey(encKey);\n\n\t\tconst msgToSign = RequestFormat.serialize({\n\t\t\tptb: txBytes.slice(1),\n\t\t\tencKey: encKeyPk,\n\t\t\tencVerificationKey,\n\t\t}).toBytes();\n\t\treturn {\n\t\t\tencKey,\n\t\t\tencKeyPk,\n\t\t\tencVerificationKey,\n\t\t\trequestSignature: toBase64(await this.#sessionKey.sign(msgToSign)),\n\t\t};\n\t}\n\n\t/**\n\t * Export the Session Key object from the instance. Store the object in IndexedDB to persist.\n\t */\n\texport(): ExportedSessionKey {\n\t\tconst obj = {\n\t\t\taddress: this.#address,\n\t\t\tpackageId: this.#packageId,\n\t\t\tmvrName: this.#mvrName,\n\t\t\tcreationTimeMs: this.#creationTimeMs,\n\t\t\tttlMin: this.#ttlMin,\n\t\t\tpersonalMessageSignature: this.#personalMessageSignature,\n\t\t\tsessionKey: this.#sessionKey.getSecretKey(), // bech32 encoded string\n\t\t};\n\n\t\tObject.defineProperty(obj, 'toJSON', {\n\t\t\tenumerable: false,\n\t\t\tvalue: () => {\n\t\t\t\tthrow new Error('This object is not serializable');\n\t\t\t},\n\t\t});\n\t\treturn obj;\n\t}\n\n\t/**\n\t * Restore a SessionKey instance for the given object.\n\t * @returns A new SessionKey instance with restored state\n\t */\n\tstatic import(\n\t\tdata: ExportedSessionKey,\n\t\thaneulClient: SealCompatibleClient,\n\t\tsigner?: Signer,\n\t): SessionKey {\n\t\tconst instance = new SessionKey({\n\t\t\taddress: data.address,\n\t\t\tpackageId: data.packageId,\n\t\t\tmvrName: data.mvrName,\n\t\t\tttlMin: data.ttlMin,\n\t\t\tsigner,\n\t\t\thaneulClient,\n\t\t});\n\n\t\tinstance.#creationTimeMs = data.creationTimeMs;\n\t\tinstance.#sessionKey = Ed25519Keypair.fromSecretKey(data.sessionKey);\n\t\tinstance.#personalMessageSignature = data.personalMessageSignature;\n\n\t\tif (instance.isExpired()) {\n\t\t\tthrow new ExpiredSessionKeyError();\n\t\t}\n\t\treturn instance;\n\t}\n}\n"],"mappings":";;;;;;;;;AAkBA,MAAa,gBAAgBA,MAAI,OAAO,iBAAiB;CACxD,KAAKA,MAAI,YAAY;CACrB,QAAQA,MAAI,YAAY;CACxB,oBAAoBA,MAAI,YAAY;CACpC,CAAC;AAqBF,IAAa,aAAb,MAAa,WAAW;CACvB;CACA;CACA;CACA;CACA;CACA;CACA;CACA;CACA;CAEA,AAAQ,YAAY,EACnB,SACA,WACA,SACA,QACA,QACA,gBAQE;AACF,MAAI,WAAW,CAAC,oBAAoB,QAAQ,CAC3C,OAAM,IAAI,UAAU,wBAAwB,UAAU;AAEvD,MAAI,CAAC,sBAAsB,UAAU,IAAI,CAAC,qBAAqB,QAAQ,CACtE,OAAM,IAAI,UAAU,sBAAsB,UAAU,cAAc,UAAU;AAE7E,MAAI,SAAS,MAAM,SAAS,EAC3B,OAAM,IAAI,UAAU,eAAe,OAAO,4BAA4B;AAEvE,MAAI,UAAU,OAAO,cAAc,CAAC,iBAAiB,KAAK,QACzD,OAAM,IAAI,UAAU,oDAAoD;AAGzE,QAAKC,UAAW;AAChB,QAAKC,YAAa;AAClB,QAAKC,UAAW;AAChB,QAAKC,iBAAkB,KAAK,KAAK;AACjC,QAAKC,SAAU;AACf,QAAKC,aAAc,eAAe,UAAU;AAC5C,QAAKC,SAAU;AACf,QAAKC,eAAgB;;;;;;;;;;;;CAatB,aAAa,OAAO,EACnB,SACA,WACA,SACA,QACA,QACA,gBAQuB;EACvB,MAAM,aAAa,MAAM,aAAa,KAAK,UAAU,EAAE,UAAU,WAAW,CAAC;AAC7E,MAAI,OAAO,WAAW,OAAO,QAAQ,KAAK,IACzC,OAAM,IAAI,oBAAoB,WAAW,UAAU,2BAA2B;AAG/E,SAAO,IAAI,WAAW;GACrB;GACA;GACA;GACA;GACA;GACA;GACA,CAAC;;CAEH,YAAqB;AAEpB,SAAO,MAAKJ,iBAAkB,MAAKC,SAAU,KAAK,MAAO,MAAS,KAAK,KAAK;;CAG7E,aAAqB;AACpB,SAAO,MAAKJ;;CAGb,iBAAyB;AACxB,MAAI,MAAKE,QACR,QAAO,MAAKA;AAEb,SAAO,MAAKD;;CAGb,eAAuB;AACtB,SAAO,MAAKA;;CAGb,qBAAiC;EAChC,MAAM,kBACL,IAAI,KAAK,MAAKE,eAAgB,CAAC,aAAa,CAAC,MAAM,GAAG,GAAG,CAAC,QAAQ,KAAK,IAAI,GAAG;EAC/E,MAAM,UAAU,6BAA6B,KAAK,gBAAgB,CAAC,OAAO,MAAKC,OAAQ,aAAa,gBAAgB,gBAAgB,SAAS,MAAKC,WAAY,cAAc,CAAC,YAAY,CAAC;AAC1L,SAAO,IAAI,aAAa,CAAC,OAAO,QAAQ;;CAGzC,MAAM,4BAA4B,0BAAkC;AACnE,MAAI,CAAC,MAAKG,yBACT,KAAI;AACH,SAAM,+BAA+B,KAAK,oBAAoB,EAAE,0BAA0B;IACzF,SAAS,MAAKR;IACd,QAAQ,MAAKO;IACb,CAAC;AACF,SAAKC,2BAA4B;UAC1B;AACP,SAAM,IAAI,qCAAqC,YAAY;;;CAK9D,MAAM,iBAAuC;AAC5C,MAAI,CAAC,MAAKA,yBACT,KAAI,MAAKF,QAAS;GACjB,MAAM,EAAE,cAAc,MAAM,MAAKA,OAAQ,oBAAoB,KAAK,oBAAoB,CAAC;AACvF,SAAKE,2BAA4B;QAEjC,OAAM,IAAI,qCAAqC,wCAAwC;AAGzF,SAAO;GACN,MAAM,MAAKR;GACX,YAAY,SAAS,MAAKK,WAAY,cAAc,CAAC,YAAY,CAAC;GAClE,eAAe,MAAKF;GACpB,SAAS,MAAKC;GACd,WAAW,MAAKI;GAChB,UAAU,MAAKN;GACf;;;;;;;;CASF,MAAM,oBAAoB,SAKvB;AACF,MAAI,KAAK,WAAW,CACnB,OAAM,IAAI,wBAAwB;EAEnC,MAAM,SAAS,mBAAmB;EAClC,MAAM,WAAW,YAAY,OAAO;EACpC,MAAM,qBAAqB,kBAAkB,OAAO;EAEpD,MAAM,YAAY,cAAc,UAAU;GACzC,KAAK,QAAQ,MAAM,EAAE;GACrB,QAAQ;GACR;GACA,CAAC,CAAC,SAAS;AACZ,SAAO;GACN;GACA;GACA;GACA,kBAAkB,SAAS,MAAM,MAAKG,WAAY,KAAK,UAAU,CAAC;GAClE;;;;;CAMF,SAA6B;EAC5B,MAAM,MAAM;GACX,SAAS,MAAKL;GACd,WAAW,MAAKC;GAChB,SAAS,MAAKC;GACd,gBAAgB,MAAKC;GACrB,QAAQ,MAAKC;GACb,0BAA0B,MAAKI;GAC/B,YAAY,MAAKH,WAAY,cAAc;GAC3C;AAED,SAAO,eAAe,KAAK,UAAU;GACpC,YAAY;GACZ,aAAa;AACZ,UAAM,IAAI,MAAM,kCAAkC;;GAEnD,CAAC;AACF,SAAO;;;;;;CAOR,OAAO,OACN,MACA,cACA,QACa;EACb,MAAM,WAAW,IAAI,WAAW;GAC/B,SAAS,KAAK;GACd,WAAW,KAAK;GAChB,SAAS,KAAK;GACd,QAAQ,KAAK;GACb;GACA;GACA,CAAC;AAEF,YAASF,iBAAkB,KAAK;AAChC,YAASE,aAAc,eAAe,cAAc,KAAK,WAAW;AACpE,YAASG,2BAA4B,KAAK;AAE1C,MAAI,SAAS,WAAW,CACvB,OAAM,IAAI,wBAAwB;AAEnC,SAAO"}