@id-wispera/core 0.1.0

package/dist/provisioning/providers/twilio.js

@@ -0,0 +1,194 @@
+/**
+ * Twilio Provisioning Provider
+ * Creates API keys via the Twilio REST API
+ */
+import { BaseProvisioningProvider } from '../provider.js';
+const TWILIO_BASE_URL = 'https://api.twilio.com/2010-04-01';
+export class TwilioProvider extends BaseProvisioningProvider {
+    provider = 'twilio';
+    capabilities = {
+        canCreate: true,
+        canConfigurePermissions: true,
+        canRotate: true,
+        canRevoke: true,
+        canList: true,
+        supportsExpiry: false,
+        supportsScopedKeys: true,
+    };
+    async provision(request) {
+        this.ensureInitialized();
+        const config = request.config;
+        if (config.provider !== 'twilio') {
+            return {
+                success: false,
+                error: {
+                    code: 'INVALID_CONFIG',
+                    message: `Expected twilio config, got ${config.provider}`,
+                },
+            };
+        }
+        if (this.auth?.type !== 'basic') {
+            return {
+                success: false,
+                error: {
+                    code: 'INVALID_AUTH',
+                    message: 'Twilio provider requires basic authentication (Account SID + Auth Token)',
+                },
+            };
+        }
+        try {
+            const url = `${TWILIO_BASE_URL}/Accounts/${config.accountSid}/Keys.json`;
+            const credentials = btoa(`${this.auth.username}:${this.auth.password}`);
+            const bodyParams = new URLSearchParams();
+            bodyParams.set('FriendlyName', config.friendlyName ?? request.name);
+            const response = await fetch(url, {
+                method: 'POST',
+                headers: {
+                    'Authorization': `Basic ${credentials}`,
+                    'Content-Type': 'application/x-www-form-urlencoded',
+                },
+                body: bodyParams.toString(),
+            });
+            if (!response.ok) {
+                const errorBody = await response.json().catch(() => ({}));
+                return {
+                    success: false,
+                    error: {
+                        code: `TWILIO_${errorBody.code ?? response.status}`,
+                        message: errorBody.message ?? `HTTP ${response.status}`,
+                        details: errorBody,
+                    },
+                };
+            }
+            const data = await response.json();
+            const now = new Date().toISOString();
+            return {
+                success: true,
+                credentialValue: data.sid,
+                secondaryValue: data.secret,
+                providerKeyId: data.sid,
+                metadata: {
+                    friendlyName: data.friendly_name,
+                    accountSid: config.accountSid,
+                    keyType: config.keyType,
+                    dateCreated: data.date_created,
+                },
+                passportInput: {
+                    name: request.name,
+                    credentialType: 'api-key',
+                    credentialValue: `${data.sid}:${data.secret}`,
+                    visaType: this.mapToVisaType('twilio', false),
+                    issuingAuthority: 'Twilio',
+                    platforms: [this.mapToPlatform('twilio')],
+                    scope: config.keyType === 'restricted' ? ['restricted'] : ['standard'],
+                    validFrom: now,
+                    humanOwner: request.humanOwner,
+                    agentId: request.agentId,
+                    delegationChain: request.delegationChain ?? [
+                        {
+                            from: request.humanOwner,
+                            to: request.agentId ?? request.name,
+                            grantedAt: now,
+                            scope: config.keyType === 'restricted' ? ['restricted'] : ['standard'],
+                            notes: `Provisioned via Twilio API (account: ${config.accountSid})`,
+                        },
+                    ],
+                    tags: [...(request.tags ?? []), 'provisioned', 'twilio', config.keyType],
+                    notes: request.notes ?? `Twilio ${config.keyType} API key for account ${config.accountSid}`,
+                },
+            };
+        }
+        catch (err) {
+            const message = err instanceof Error ? err.message : String(err);
+            return {
+                success: false,
+                error: {
+                    code: 'PROVISIONING_FAILED',
+                    message: `Twilio provisioning failed: ${message}`,
+                },
+            };
+        }
+    }
+    async list() {
+        this.ensureInitialized();
+        if (this.auth?.type !== 'basic') {
+            throw new Error('Twilio provider requires basic authentication');
+        }
+        // Use the username (Account SID) from auth for listing
+        const credentials = btoa(`${this.auth.username}:${this.auth.password}`);
+        const url = `${TWILIO_BASE_URL}/Accounts/${this.auth.username}/Keys.json`;
+        const response = await fetch(url, {
+            headers: {
+                'Authorization': `Basic ${credentials}`,
+            },
+        });
+        if (!response.ok) {
+            const errorBody = await response.text();
+            throw new Error(`Failed to list Twilio keys: ${response.status} ${errorBody}`);
+        }
+        const data = await response.json();
+        return (data.keys ?? []).map((key) => ({
+            id: key.sid,
+            name: key.friendly_name,
+            createdAt: new Date(key.date_created),
+            status: 'active',
+        }));
+    }
+    async rotate(existingKeyId, request) {
+        const newCredential = await this.provision(request);
+        return {
+            newCredential,
+            oldKeyId: existingKeyId,
+            recommendedRevocationDelay: 60, // 1 minute for propagation
+        };
+    }
+    async revoke(keyId) {
+        this.ensureInitialized();
+        if (this.auth?.type !== 'basic') {
+            return { success: false, error: 'Twilio provider requires basic authentication' };
+        }
+        try {
+            const credentials = btoa(`${this.auth.username}:${this.auth.password}`);
+            const url = `${TWILIO_BASE_URL}/Accounts/${this.auth.username}/Keys/${keyId}.json`;
+            const response = await fetch(url, {
+                method: 'DELETE',
+                headers: {
+                    'Authorization': `Basic ${credentials}`,
+                },
+            });
+            if (!response.ok) {
+                const errorBody = await response.text();
+                return { success: false, error: `Failed to revoke: ${response.status} ${errorBody}` };
+            }
+            return { success: true };
+        }
+        catch (err) {
+            const message = err instanceof Error ? err.message : String(err);
+            return { success: false, error: message };
+        }
+    }
+    async validateAuth() {
+        this.ensureInitialized();
+        if (this.auth?.type !== 'basic') {
+            return { valid: false, error: 'Twilio provider requires basic authentication' };
+        }
+        try {
+            const credentials = btoa(`${this.auth.username}:${this.auth.password}`);
+            const url = `${TWILIO_BASE_URL}/Accounts/${this.auth.username}.json`;
+            const response = await fetch(url, {
+                headers: {
+                    'Authorization': `Basic ${credentials}`,
+                },
+            });
+            if (response.ok) {
+                return { valid: true };
+            }
+            return { valid: false, error: `Auth validation failed: ${response.status}` };
+        }
+        catch (err) {
+            const message = err instanceof Error ? err.message : String(err);
+            return { valid: false, error: message };
+        }
+    }
+}
+//# sourceMappingURL=twilio.js.map

package/dist/provisioning/providers/twilio.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"twilio.js","sourceRoot":"","sources":["../../../src/provisioning/providers/twilio.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,EAAE,wBAAwB,EAAE,MAAM,gBAAgB,CAAC;AA+B1D,MAAM,eAAe,GAAG,mCAAmC,CAAC;AAE5D,MAAM,OAAO,cAAe,SAAQ,wBAAwB;IACjD,QAAQ,GAAyB,QAAQ,CAAC;IAE1C,YAAY,GAAyB;QAC5C,SAAS,EAAE,IAAI;QACf,uBAAuB,EAAE,IAAI;QAC7B,SAAS,EAAE,IAAI;QACf,SAAS,EAAE,IAAI;QACf,OAAO,EAAE,IAAI;QACb,cAAc,EAAE,KAAK;QACrB,kBAAkB,EAAE,IAAI;KACzB,CAAC;IAEF,KAAK,CAAC,SAAS,CAAC,OAA4B;QAC1C,IAAI,CAAC,iBAAiB,EAAE,CAAC;QAEzB,MAAM,MAAM,GAAG,OAAO,CAAC,MAAsB,CAAC;QAC9C,IAAI,MAAM,CAAC,QAAQ,KAAK,QAAQ,EAAE,CAAC;YACjC,OAAO;gBACL,OAAO,EAAE,KAAK;gBACd,KAAK,EAAE;oBACL,IAAI,EAAE,gBAAgB;oBACtB,OAAO,EAAE,+BAA+B,MAAM,CAAC,QAAQ,EAAE;iBAC1D;aACF,CAAC;QACJ,CAAC;QAED,IAAI,IAAI,CAAC,IAAI,EAAE,IAAI,KAAK,OAAO,EAAE,CAAC;YAChC,OAAO;gBACL,OAAO,EAAE,KAAK;gBACd,KAAK,EAAE;oBACL,IAAI,EAAE,cAAc;oBACpB,OAAO,EAAE,0EAA0E;iBACpF;aACF,CAAC;QACJ,CAAC;QAED,IAAI,CAAC;YACH,MAAM,GAAG,GAAG,GAAG,eAAe,aAAa,MAAM,CAAC,UAAU,YAAY,CAAC;YACzE,MAAM,WAAW,GAAG,IAAI,CAAC,GAAG,IAAI,CAAC,IAAI,CAAC,QAAQ,IAAI,IAAI,CAAC,IAAI,CAAC,QAAQ,EAAE,CAAC,CAAC;YAExE,MAAM,UAAU,GAAG,IAAI,eAAe,EAAE,CAAC;YACzC,UAAU,CAAC,GAAG,CAAC,cAAc,EAAE,MAAM,CAAC,YAAY,IAAI,OAAO,CAAC,IAAI,CAAC,CAAC;YAEpE,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,GAAG,EAAE;gBAChC,MAAM,EAAE,MAAM;gBACd,OAAO,EAAE;oBACP,eAAe,EAAE,SAAS,WAAW,EAAE;oBACvC,cAAc,EAAE,mCAAmC;iBACpD;gBACD,IAAI,EAAE,UAAU,CAAC,QAAQ,EAAE;aAC5B,CAAC,CAAC;YAEH,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;gBACjB,MAAM,SAAS,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,CAAC,EAAE,CAAC,CAAwC,CAAC;gBACjG,OAAO;oBACL,OAAO,EAAE,KAAK;oBACd,KAAK,EAAE;wBACL,IAAI,EAAE,UAAU,SAAS,CAAC,IAAI,IAAI,QAAQ,CAAC,MAAM,EAAE;wBACnD,OAAO,EAAE,SAAS,CAAC,OAAO,IAAI,QAAQ,QAAQ,CAAC,MAAM,EAAE;wBACvD,OAAO,EAAE,SAAS;qBACnB;iBACF,CAAC;YACJ,CAAC;YAED,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAuB,CAAC;YACxD,MAAM,GAAG,GAAG,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC;YAErC,OAAO;gBACL,OAAO,EAAE,IAAI;gBACb,eAAe,EAAE,IAAI,CAAC,GAAG;gBACzB,cAAc,EAAE,IAAI,CAAC,MAAM;gBAC3B,aAAa,EAAE,IAAI,CAAC,GAAG;gBACvB,QAAQ,EAAE;oBACR,YAAY,EAAE,IAAI,CAAC,aAAa;oBAChC,UAAU,EAAE,MAAM,CAAC,UAAU;oBAC7B,OAAO,EAAE,MAAM,CAAC,OAAO;oBACvB,WAAW,EAAE,IAAI,CAAC,YAAY;iBAC/B;gBACD,aAAa,EAAE;oBACb,IAAI,EAAE,OAAO,CAAC,IAAI;oBAClB,cAAc,EAAE,SAAS;oBACzB,eAAe,EAAE,GAAG,IAAI,CAAC,GAAG,IAAI,IAAI,CAAC,MAAM,EAAE;oBAC7C,QAAQ,EAAE,IAAI,CAAC,aAAa,CAAC,QAAQ,EAAE,KAAK,CAAC;oBAC7C,gBAAgB,EAAE,QAAQ;oBAC1B,SAAS,EAAE,CAAC,IAAI,CAAC,aAAa,CAAC,QAAQ,CAAC,CAAC;oBACzC,KAAK,EAAE,MAAM,CAAC,OAAO,KAAK,YAAY,CAAC,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC,CAAC,UAAU,CAAC;oBACtE,SAAS,EAAE,GAAG;oBACd,UAAU,EAAE,OAAO,CAAC,UAAU;oBAC9B,OAAO,EAAE,OAAO,CAAC,OAAO;oBACxB,eAAe,EAAE,OAAO,CAAC,eAAe,IAAI;wBAC1C;4BACE,IAAI,EAAE,OAAO,CAAC,UAAU;4BACxB,EAAE,EAAE,OAAO,CAAC,OAAO,IAAI,OAAO,CAAC,IAAI;4BACnC,SAAS,EAAE,GAAG;4BACd,KAAK,EAAE,MAAM,CAAC,OAAO,KAAK,YAAY,CAAC,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC,CAAC,UAAU,CAAC;4BACtE,KAAK,EAAE,wCAAwC,MAAM,CAAC,UAAU,GAAG;yBACpE;qBACF;oBACD,IAAI,EAAE,CAAC,GAAG,CAAC,OAAO,CAAC,IAAI,IAAI,EAAE,CAAC,EAAE,aAAa,EAAE,QAAQ,EAAE,MAAM,CAAC,OAAO,CAAC;oBACxE,KAAK,EAAE,OAAO,CAAC,KAAK,IAAI,UAAU,MAAM,CAAC,OAAO,wBAAwB,MAAM,CAAC,UAAU,EAAE;iBAC5F;aACF,CAAC;QACJ,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,MAAM,OAAO,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;YACjE,OAAO;gBACL,OAAO,EAAE,KAAK;gBACd,KAAK,EAAE;oBACL,IAAI,EAAE,qBAAqB;oBAC3B,OAAO,EAAE,+BAA+B,OAAO,EAAE;iBAClD;aACF,CAAC;QACJ,CAAC;IACH,CAAC;IAED,KAAK,CAAC,IAAI;QACR,IAAI,CAAC,iBAAiB,EAAE,CAAC;QAEzB,IAAI,IAAI,CAAC,IAAI,EAAE,IAAI,KAAK,OAAO,EAAE,CAAC;YAChC,MAAM,IAAI,KAAK,CAAC,+CAA+C,CAAC,CAAC;QACnE,CAAC;QAED,uDAAuD;QACvD,MAAM,WAAW,GAAG,IAAI,CAAC,GAAG,IAAI,CAAC,IAAI,CAAC,QAAQ,IAAI,IAAI,CAAC,IAAI,CAAC,QAAQ,EAAE,CAAC,CAAC;QACxE,MAAM,GAAG,GAAG,GAAG,eAAe,aAAa,IAAI,CAAC,IAAI,CAAC,QAAQ,YAAY,CAAC;QAE1E,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,GAAG,EAAE;YAChC,OAAO,EAAE;gBACP,eAAe,EAAE,SAAS,WAAW,EAAE;aACxC;SACF,CAAC,CAAC;QAEH,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;YACjB,MAAM,SAAS,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC;YACxC,MAAM,IAAI,KAAK,CAAC,+BAA+B,QAAQ,CAAC,MAAM,IAAI,SAAS,EAAE,CAAC,CAAC;QACjF,CAAC;QAED,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAgC,CAAC;QACjE,OAAO,CAAC,IAAI,CAAC,IAAI,IAAI,EAAE,CAAC,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,CAAC;YACrC,EAAE,EAAE,GAAG,CAAC,GAAG;YACX,IAAI,EAAE,GAAG,CAAC,aAAa;YACvB,SAAS,EAAE,IAAI,IAAI,CAAC,GAAG,CAAC,YAAY,CAAC;YACrC,MAAM,EAAE,QAAQ;SACjB,CAAC,CAAC,CAAC;IACN,CAAC;IAED,KAAK,CAAC,MAAM,CAAC,aAAqB,EAAE,OAA4B;QAC9D,MAAM,aAAa,GAAG,MAAM,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,CAAC;QAEpD,OAAO;YACL,aAAa;YACb,QAAQ,EAAE,aAAa;YACvB,0BAA0B,EAAE,EAAE,EAAE,2BAA2B;SAC5D,CAAC;IACJ,CAAC;IAED,KAAK,CAAC,MAAM,CAAC,KAAa;QACxB,IAAI,CAAC,iBAAiB,EAAE,CAAC;QAEzB,IAAI,IAAI,CAAC,IAAI,EAAE,IAAI,KAAK,OAAO,EAAE,CAAC;YAChC,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,+CAA+C,EAAE,CAAC;QACpF,CAAC;QAED,IAAI,CAAC;YACH,MAAM,WAAW,GAAG,IAAI,CAAC,GAAG,IAAI,CAAC,IAAI,CAAC,QAAQ,IAAI,IAAI,CAAC,IAAI,CAAC,QAAQ,EAAE,CAAC,CAAC;YACxE,MAAM,GAAG,GAAG,GAAG,eAAe,aAAa,IAAI,CAAC,IAAI,CAAC,QAAQ,SAAS,KAAK,OAAO,CAAC;YAEnF,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,GAAG,EAAE;gBAChC,MAAM,EAAE,QAAQ;gBAChB,OAAO,EAAE;oBACP,eAAe,EAAE,SAAS,WAAW,EAAE;iBACxC;aACF,CAAC,CAAC;YAEH,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;gBACjB,MAAM,SAAS,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC;gBACxC,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,qBAAqB,QAAQ,CAAC,MAAM,IAAI,SAAS,EAAE,EAAE,CAAC;YACxF,CAAC;YAED,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC;QAC3B,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,MAAM,OAAO,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;YACjE,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,OAAO,EAAE,CAAC;QAC5C,CAAC;IACH,CAAC;IAED,KAAK,CAAC,YAAY;QAChB,IAAI,CAAC,iBAAiB,EAAE,CAAC;QAEzB,IAAI,IAAI,CAAC,IAAI,EAAE,IAAI,KAAK,OAAO,EAAE,CAAC;YAChC,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,+CAA+C,EAAE,CAAC;QAClF,CAAC;QAED,IAAI,CAAC;YACH,MAAM,WAAW,GAAG,IAAI,CAAC,GAAG,IAAI,CAAC,IAAI,CAAC,QAAQ,IAAI,IAAI,CAAC,IAAI,CAAC,QAAQ,EAAE,CAAC,CAAC;YACxE,MAAM,GAAG,GAAG,GAAG,eAAe,aAAa,IAAI,CAAC,IAAI,CAAC,QAAQ,OAAO,CAAC;YAErE,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,GAAG,EAAE;gBAChC,OAAO,EAAE;oBACP,eAAe,EAAE,SAAS,WAAW,EAAE;iBACxC;aACF,CAAC,CAAC;YAEH,IAAI,QAAQ,CAAC,EAAE,EAAE,CAAC;gBAChB,OAAO,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC;YACzB,CAAC;YAED,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,2BAA2B,QAAQ,CAAC,MAAM,EAAE,EAAE,CAAC;QAC/E,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,MAAM,OAAO,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;YACjE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,OAAO,EAAE,CAAC;QAC1C,CAAC;IACH,CAAC;CACF"}

package/dist/provisioning/types.d.ts

@@ -0,0 +1,274 @@
+/**
+ * ID Wispera Provisioning Module Types
+ * Types for programmatic credential creation through vendor APIs
+ */
+import { VisaType, CredentialType, Platform, DelegationHop } from '../types.js';
+/**
+ * Supported provisioning providers
+ */
+export type ProvisioningProvider = 'openai' | 'aws' | 'google-cloud' | 'azure-entra' | 'github' | 'twilio' | 'sendgrid' | 'anthropic';
+/**
+ * Provider capability flags
+ */
+export interface ProviderCapabilities {
+    canCreate: boolean;
+    canConfigurePermissions: boolean;
+    canRotate: boolean;
+    canRevoke: boolean;
+    canList: boolean;
+    supportsExpiry: boolean;
+    supportsScopedKeys: boolean;
+}
+/**
+ * Authentication configuration per provider
+ */
+export type ProviderAuth = {
+    type: 'api-key';
+    key: string;
+} | {
+    type: 'basic';
+    username: string;
+    password: string;
+} | {
+    type: 'aws-sigv4';
+    accessKeyId: string;
+    secretAccessKey: string;
+    region?: string;
+} | {
+    type: 'oauth2';
+    clientId: string;
+    clientSecret: string;
+    tenantId?: string;
+} | {
+    type: 'jwt';
+    privateKey: string;
+    appId: string;
+} | {
+    type: 'service-account';
+    keyFile: string | object;
+};
+/**
+ * Request to provision a new credential
+ */
+export interface ProvisioningRequest {
+    provider: ProvisioningProvider;
+    /** Human-readable name for the key (used in both vendor system and passport) */
+    name: string;
+    /** Who owns this credential (required for passport) */
+    humanOwner: string;
+    /** Optional: which agent this credential is for */
+    agentId?: string;
+    /** Provider-specific configuration */
+    config: ProviderSpecificConfig;
+    /** Permissions/scopes to configure (provider-specific) */
+    permissions?: ProviderPermissions;
+    /** Optional expiry (if provider supports it) */
+    expiresIn?: number;
+    /** Tags to apply to the resulting passport */
+    tags?: string[];
+    /** Notes for the passport */
+    notes?: string;
+    /** Initial delegation chain (optional - defaults to humanOwner as root) */
+    delegationChain?: DelegationHop[];
+}
+/**
+ * Provider-specific configuration union
+ */
+export type ProviderSpecificConfig = OpenAIConfig | AWSConfig | GoogleCloudConfig | AzureEntraConfig | GitHubConfig | TwilioConfig | SendGridConfig | AnthropicConfig;
+export interface OpenAIConfig {
+    provider: 'openai';
+    /** Organization ID (required) */
+    organizationId: string;
+    /** Project ID - if provided, creates project-scoped service account key */
+    projectId?: string;
+    /** Key type: 'admin' (org-level) or 'service-account' (project-scoped, recommended) */
+    keyType: 'admin' | 'service-account';
+}
+export interface AWSConfig {
+    provider: 'aws';
+    /** IAM username to create key for (for long-lived keys) */
+    userName?: string;
+    /** Role ARN to assume (for temporary credentials via STS) */
+    roleArn?: string;
+    /** Session name (required if using roleArn) */
+    sessionName?: string;
+    /** Duration in seconds for STS credentials (900-43200, default 3600) */
+    durationSeconds?: number;
+    /** External ID for cross-account role assumption */
+    externalId?: string;
+}
+export interface GoogleCloudConfig {
+    provider: 'google-cloud';
+    /** Project ID */
+    projectId: string;
+    /** Key type: 'api-key' or 'service-account-key' */
+    keyType: 'api-key' | 'service-account-key';
+    /** Service account email (required for service-account-key) */
+    serviceAccountEmail?: string;
+    /** API restrictions for API keys (list of API target service names) */
+    apiTargets?: string[];
+    /** IP allowlist for API keys */
+    allowedIps?: string[];
+}
+export interface AzureEntraConfig {
+    provider: 'azure-entra';
+    /** Tenant ID */
+    tenantId: string;
+    /** Create new app registration, or add secret to existing app */
+    mode: 'create-app' | 'add-secret';
+    /** Existing application object ID (required for 'add-secret' mode) */
+    applicationId?: string;
+    /** Display name for new application (required for 'create-app' mode) */
+    displayName?: string;
+    /** Secret expiry in days (default 365, max 730) */
+    secretExpiryDays?: number;
+}
+export interface GitHubConfig {
+    provider: 'github';
+    /** Installation ID for the GitHub App */
+    installationId: number;
+    /** Repository IDs to scope the token to (optional - defaults to all installation repos) */
+    repositoryIds?: number[];
+    /** Repository names to scope the token to (alternative to IDs) */
+    repositories?: string[];
+}
+export interface TwilioConfig {
+    provider: 'twilio';
+    /** Account SID */
+    accountSid: string;
+    /** Key type: 'standard' or 'restricted' */
+    keyType: 'standard' | 'restricted';
+    /** Friendly name */
+    friendlyName?: string;
+}
+export interface SendGridConfig {
+    provider: 'sendgrid';
+}
+export interface AnthropicConfig {
+    provider: 'anthropic';
+    /** Workspace ID (optional - for workspace-scoped operations) */
+    workspaceId?: string;
+}
+/**
+ * Provider-specific permissions union
+ */
+export type ProviderPermissions = OpenAIPermissions | AWSPermissions | GoogleCloudPermissions | AzureEntraPermissions | GitHubPermissions | TwilioPermissions | SendGridPermissions;
+export interface OpenAIPermissions {
+    provider: 'openai';
+    /** 'all', 'read-only', or 'restricted' */
+    level: 'all' | 'read-only' | 'restricted';
+    /** Per-endpoint permissions (only for 'restricted' level) */
+    endpoints?: Record<string, 'read' | 'write' | 'none'>;
+}
+export interface AWSPermissions {
+    provider: 'aws';
+    /** Inline session policy JSON (for STS) */
+    sessionPolicy?: string;
+    /** Policy ARNs to attach (for STS) */
+    policyArns?: string[];
+    /** Session tags for ABAC */
+    tags?: Record<string, string>;
+}
+export interface GoogleCloudPermissions {
+    provider: 'google-cloud';
+    /** IAM roles to grant to service account */
+    roles?: string[];
+    /** IAM conditions */
+    conditions?: Array<{
+        title: string;
+        expression: string;
+    }>;
+}
+export interface AzureEntraPermissions {
+    provider: 'azure-entra';
+    /** Microsoft Graph API permissions to request */
+    graphPermissions?: string[];
+    /** Azure RBAC role assignments */
+    rbacRoles?: Array<{
+        roleDefinitionId: string;
+        scope: string;
+    }>;
+}
+export interface GitHubPermissions {
+    provider: 'github';
+    /** Fine-grained permissions */
+    permissions?: Partial<{
+        actions: 'read' | 'write';
+        contents: 'read' | 'write';
+        issues: 'read' | 'write';
+        pull_requests: 'read' | 'write';
+        metadata: 'read';
+    }>;
+}
+export interface TwilioPermissions {
+    provider: 'twilio';
+    /** Policy document for restricted keys */
+    policy?: {
+        allow: Array<{
+            url: string;
+            methods: string[];
+            query_params?: Record<string, {
+                required: boolean;
+            }>;
+            post_params?: Record<string, {
+                required: boolean;
+            }>;
+        }>;
+    };
+}
+export interface SendGridPermissions {
+    provider: 'sendgrid';
+    /** Scopes to grant (100+ available) */
+    scopes: string[];
+}
+/**
+ * Result of a provisioning operation
+ */
+export interface ProvisioningResult {
+    success: boolean;
+    /** The provisioned credential value (SENSITIVE - shown only once by most providers) */
+    credentialValue?: string;
+    /** Secondary credential if applicable (e.g., AWS secret access key) */
+    secondaryValue?: string;
+    /** Provider's ID for this key (for future management operations) */
+    providerKeyId?: string;
+    /** Additional provider-specific metadata */
+    metadata?: Record<string, unknown>;
+    /** When the credential expires (if applicable) */
+    expiresAt?: Date;
+    /** Pre-populated passport fields ready for createPassport() */
+    passportInput?: {
+        name: string;
+        credentialType: CredentialType;
+        credentialValue: string;
+        visaType: VisaType;
+        issuingAuthority: string;
+        platforms: Platform[];
+        scope: string[];
+        validFrom: string;
+        validUntil?: string;
+        humanOwner: string;
+        agentId?: string;
+        delegationChain?: DelegationHop[];
+        tags: string[];
+        notes?: string;
+    };
+    /** Error details if success is false */
+    error?: {
+        code: string;
+        message: string;
+        details?: unknown;
+    };
+}
+/**
+ * Credential rotation result
+ */
+export interface RotationResult {
+    /** New credential info */
+    newCredential: ProvisioningResult;
+    /** Old key ID to revoke after transition */
+    oldKeyId: string;
+    /** Recommended: revoke old key after this delay to allow propagation */
+    recommendedRevocationDelay: number;
+}
+//# sourceMappingURL=types.d.ts.map

package/dist/provisioning/types.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../src/provisioning/types.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,EAAE,QAAQ,EAAE,cAAc,EAAE,QAAQ,EAAE,aAAa,EAAE,MAAM,aAAa,CAAC;AAMhF;;GAEG;AACH,MAAM,MAAM,oBAAoB,GAC5B,QAAQ,GACR,KAAK,GACL,cAAc,GACd,aAAa,GACb,QAAQ,GACR,QAAQ,GACR,UAAU,GACV,WAAW,CAAC;AAEhB;;GAEG;AACH,MAAM,WAAW,oBAAoB;IACnC,SAAS,EAAE,OAAO,CAAC;IACnB,uBAAuB,EAAE,OAAO,CAAC;IACjC,SAAS,EAAE,OAAO,CAAC;IACnB,SAAS,EAAE,OAAO,CAAC;IACnB,OAAO,EAAE,OAAO,CAAC;IACjB,cAAc,EAAE,OAAO,CAAC;IACxB,kBAAkB,EAAE,OAAO,CAAC;CAC7B;AAMD;;GAEG;AACH,MAAM,MAAM,YAAY,GACpB;IAAE,IAAI,EAAE,SAAS,CAAC;IAAC,GAAG,EAAE,MAAM,CAAA;CAAE,GAChC;IAAE,IAAI,EAAE,OAAO,CAAC;IAAC,QAAQ,EAAE,MAAM,CAAC;IAAC,QAAQ,EAAE,MAAM,CAAA;CAAE,GACrD;IAAE,IAAI,EAAE,WAAW,CAAC;IAAC,WAAW,EAAE,MAAM,CAAC;IAAC,eAAe,EAAE,MAAM,CAAC;IAAC,MAAM,CAAC,EAAE,MAAM,CAAA;CAAE,GACpF;IAAE,IAAI,EAAE,QAAQ,CAAC;IAAC,QAAQ,EAAE,MAAM,CAAC;IAAC,YAAY,EAAE,MAAM,CAAC;IAAC,QAAQ,CAAC,EAAE,MAAM,CAAA;CAAE,GAC7E;IAAE,IAAI,EAAE,KAAK,CAAC;IAAC,UAAU,EAAE,MAAM,CAAC;IAAC,KAAK,EAAE,MAAM,CAAA;CAAE,GAClD;IAAE,IAAI,EAAE,iBAAiB,CAAC;IAAC,OAAO,EAAE,MAAM,GAAG,MAAM,CAAA;CAAE,CAAC;AAM1D;;GAEG;AACH,MAAM,WAAW,mBAAmB;IAClC,QAAQ,EAAE,oBAAoB,CAAC;IAE/B,gFAAgF;IAChF,IAAI,EAAE,MAAM,CAAC;IAEb,uDAAuD;IACvD,UAAU,EAAE,MAAM,CAAC;IAEnB,mDAAmD;IACnD,OAAO,CAAC,EAAE,MAAM,CAAC;IAEjB,sCAAsC;IACtC,MAAM,EAAE,sBAAsB,CAAC;IAE/B,0DAA0D;IAC1D,WAAW,CAAC,EAAE,mBAAmB,CAAC;IAElC,gDAAgD;IAChD,SAAS,CAAC,EAAE,MAAM,CAAC;IAEnB,8CAA8C;IAC9C,IAAI,CAAC,EAAE,MAAM,EAAE,CAAC;IAEhB,6BAA6B;IAC7B,KAAK,CAAC,EAAE,MAAM,CAAC;IAEf,2EAA2E;IAC3E,eAAe,CAAC,EAAE,aAAa,EAAE,CAAC;CACnC;AAMD;;GAEG;AACH,MAAM,MAAM,sBAAsB,GAC9B,YAAY,GACZ,SAAS,GACT,iBAAiB,GACjB,gBAAgB,GAChB,YAAY,GACZ,YAAY,GACZ,cAAc,GACd,eAAe,CAAC;AAEpB,MAAM,WAAW,YAAY;IAC3B,QAAQ,EAAE,QAAQ,CAAC;IACnB,iCAAiC;IACjC,cAAc,EAAE,MAAM,CAAC;IACvB,2EAA2E;IAC3E,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,uFAAuF;IACvF,OAAO,EAAE,OAAO,GAAG,iBAAiB,CAAC;CACtC;AAED,MAAM,WAAW,SAAS;IACxB,QAAQ,EAAE,KAAK,CAAC;IAChB,2DAA2D;IAC3D,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,6DAA6D;IAC7D,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,+CAA+C;IAC/C,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,wEAAwE;IACxE,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,oDAAoD;IACpD,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB;AAED,MAAM,WAAW,iBAAiB;IAChC,QAAQ,EAAE,cAAc,CAAC;IACzB,iBAAiB;IACjB,SAAS,EAAE,MAAM,CAAC;IAClB,mDAAmD;IACnD,OAAO,EAAE,SAAS,GAAG,qBAAqB,CAAC;IAC3C,+DAA+D;IAC/D,mBAAmB,CAAC,EAAE,MAAM,CAAC;IAC7B,uEAAuE;IACvE,UAAU,CAAC,EAAE,MAAM,EAAE,CAAC;IACtB,gCAAgC;IAChC,UAAU,CAAC,EAAE,MAAM,EAAE,CAAC;CACvB;AAED,MAAM,WAAW,gBAAgB;IAC/B,QAAQ,EAAE,aAAa,CAAC;IACxB,gBAAgB;IAChB,QAAQ,EAAE,MAAM,CAAC;IACjB,iEAAiE;IACjE,IAAI,EAAE,YAAY,GAAG,YAAY,CAAC;IAClC,sEAAsE;IACtE,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,wEAAwE;IACxE,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,mDAAmD;IACnD,gBAAgB,CAAC,EAAE,MAAM,CAAC;CAC3B;AAED,MAAM,WAAW,YAAY;IAC3B,QAAQ,EAAE,QAAQ,CAAC;IACnB,yCAAyC;IACzC,cAAc,EAAE,MAAM,CAAC;IACvB,2FAA2F;IAC3F,aAAa,CAAC,EAAE,MAAM,EAAE,CAAC;IACzB,kEAAkE;IAClE,YAAY,CAAC,EAAE,MAAM,EAAE,CAAC;CACzB;AAED,MAAM,WAAW,YAAY;IAC3B,QAAQ,EAAE,QAAQ,CAAC;IACnB,kBAAkB;IAClB,UAAU,EAAE,MAAM,CAAC;IACnB,2CAA2C;IAC3C,OAAO,EAAE,UAAU,GAAG,YAAY,CAAC;IACnC,oBAAoB;IACpB,YAAY,CAAC,EAAE,MAAM,CAAC;CACvB;AAED,MAAM,WAAW,cAAc;IAC7B,QAAQ,EAAE,UAAU,CAAC;CAEtB;AAED,MAAM,WAAW,eAAe;IAC9B,QAAQ,EAAE,WAAW,CAAC;IACtB,gEAAgE;IAChE,WAAW,CAAC,EAAE,MAAM,CAAC;CAEtB;AAMD;;GAEG;AACH,MAAM,MAAM,mBAAmB,GAC3B,iBAAiB,GACjB,cAAc,GACd,sBAAsB,GACtB,qBAAqB,GACrB,iBAAiB,GACjB,iBAAiB,GACjB,mBAAmB,CAAC;AAExB,MAAM,WAAW,iBAAiB;IAChC,QAAQ,EAAE,QAAQ,CAAC;IACnB,0CAA0C;IAC1C,KAAK,EAAE,KAAK,GAAG,WAAW,GAAG,YAAY,CAAC;IAC1C,6DAA6D;IAC7D,SAAS,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,GAAG,MAAM,CAAC,CAAC;CACvD;AAED,MAAM,WAAW,cAAc;IAC7B,QAAQ,EAAE,KAAK,CAAC;IAChB,2CAA2C;IAC3C,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,sCAAsC;IACtC,UAAU,CAAC,EAAE,MAAM,EAAE,CAAC;IACtB,4BAA4B;IAC5B,IAAI,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;CAC/B;AAED,MAAM,WAAW,sBAAsB;IACrC,QAAQ,EAAE,cAAc,CAAC;IACzB,4CAA4C;IAC5C,KAAK,CAAC,EAAE,MAAM,EAAE,CAAC;IACjB,qBAAqB;IACrB,UAAU,CAAC,EAAE,KAAK,CAAC;QACjB,KAAK,EAAE,MAAM,CAAC;QACd,UAAU,EAAE,MAAM,CAAC;KACpB,CAAC,CAAC;CACJ;AAED,MAAM,WAAW,qBAAqB;IACpC,QAAQ,EAAE,aAAa,CAAC;IACxB,iDAAiD;IACjD,gBAAgB,CAAC,EAAE,MAAM,EAAE,CAAC;IAC5B,kCAAkC;IAClC,SAAS,CAAC,EAAE,KAAK,CAAC;QAChB,gBAAgB,EAAE,MAAM,CAAC;QACzB,KAAK,EAAE,MAAM,CAAC;KACf,CAAC,CAAC;CACJ;AAED,MAAM,WAAW,iBAAiB;IAChC,QAAQ,EAAE,QAAQ,CAAC;IACnB,+BAA+B;IAC/B,WAAW,CAAC,EAAE,OAAO,CAAC;QACpB,OAAO,EAAE,MAAM,GAAG,OAAO,CAAC;QAC1B,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC;QAC3B,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC;QACzB,aAAa,EAAE,MAAM,GAAG,OAAO,CAAC;QAChC,QAAQ,EAAE,MAAM,CAAC;KAClB,CAAC,CAAC;CACJ;AAED,MAAM,WAAW,iBAAiB;IAChC,QAAQ,EAAE,QAAQ,CAAC;IACnB,0CAA0C;IAC1C,MAAM,CAAC,EAAE;QACP,KAAK,EAAE,KAAK,CAAC;YACX,GAAG,EAAE,MAAM,CAAC;YACZ,OAAO,EAAE,MAAM,EAAE,CAAC;YAClB,YAAY,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE;gBAAE,QAAQ,EAAE,OAAO,CAAA;aAAE,CAAC,CAAC;YACrD,WAAW,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE;gBAAE,QAAQ,EAAE,OAAO,CAAA;aAAE,CAAC,CAAC;SACrD,CAAC,CAAC;KACJ,CAAC;CACH;AAED,MAAM,WAAW,mBAAmB;IAClC,QAAQ,EAAE,UAAU,CAAC;IACrB,uCAAuC;IACvC,MAAM,EAAE,MAAM,EAAE,CAAC;CAClB;AAMD;;GAEG;AACH,MAAM,WAAW,kBAAkB;IACjC,OAAO,EAAE,OAAO,CAAC;IAEjB,uFAAuF;IACvF,eAAe,CAAC,EAAE,MAAM,CAAC;IAEzB,uEAAuE;IACvE,cAAc,CAAC,EAAE,MAAM,CAAC;IAExB,oEAAoE;IACpE,aAAa,CAAC,EAAE,MAAM,CAAC;IAEvB,4CAA4C;IAC5C,QAAQ,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAEnC,kDAAkD;IAClD,SAAS,CAAC,EAAE,IAAI,CAAC;IAEjB,+DAA+D;IAC/D,aAAa,CAAC,EAAE;QACd,IAAI,EAAE,MAAM,CAAC;QACb,cAAc,EAAE,cAAc,CAAC;QAC/B,eAAe,EAAE,MAAM,CAAC;QACxB,QAAQ,EAAE,QAAQ,CAAC;QACnB,gBAAgB,EAAE,MAAM,CAAC;QACzB,SAAS,EAAE,QAAQ,EAAE,CAAC;QACtB,KAAK,EAAE,MAAM,EAAE,CAAC;QAChB,SAAS,EAAE,MAAM,CAAC;QAClB,UAAU,CAAC,EAAE,MAAM,CAAC;QACpB,UAAU,EAAE,MAAM,CAAC;QACnB,OAAO,CAAC,EAAE,MAAM,CAAC;QACjB,eAAe,CAAC,EAAE,aAAa,EAAE,CAAC;QAClC,IAAI,EAAE,MAAM,EAAE,CAAC;QACf,KAAK,CAAC,EAAE,MAAM,CAAC;KAChB,CAAC;IAEF,wCAAwC;IACxC,KAAK,CAAC,EAAE;QACN,IAAI,EAAE,MAAM,CAAC;QACb,OAAO,EAAE,MAAM,CAAC;QAChB,OAAO,CAAC,EAAE,OAAO,CAAC;KACnB,CAAC;CACH;AAED;;GAEG;AACH,MAAM,WAAW,cAAc;IAC7B,0BAA0B;IAC1B,aAAa,EAAE,kBAAkB,CAAC;IAClC,4CAA4C;IAC5C,QAAQ,EAAE,MAAM,CAAC;IACjB,wEAAwE;IACxE,0BAA0B,EAAE,MAAM,CAAC;CACpC"}

package/dist/provisioning/types.js

@@ -0,0 +1,6 @@
+/**
+ * ID Wispera Provisioning Module Types
+ * Types for programmatic credential creation through vendor APIs
+ */
+export {};
+//# sourceMappingURL=types.js.map

package/dist/provisioning/types.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.js","sourceRoot":"","sources":["../../src/provisioning/types.ts"],"names":[],"mappings":"AAAA;;;GAGG"}

package/dist/sharing.d.ts

@@ -0,0 +1,60 @@
+/**
+ * ID Wispera Secure Sharing
+ * Zero-knowledge credential sharing primitives
+ */
+import { Passport, SharePayload, ShareOptions } from './types.js';
+/**
+ * Create a share link for a passport
+ * Returns the encrypted payload and the decryption key separately
+ */
+export declare function createShareLink(passport: Passport, options: ShareOptions): Promise<{
+    payload: string;
+    key: string;
+}>;
+/**
+ * Resolve (decrypt) a shared passport
+ */
+export declare function resolveShareLink(payload: string, key: string): Promise<Passport>;
+/**
+ * Get share payload info without decrypting
+ */
+export declare function getShareInfo(payload: string): Omit<SharePayload, 'encrypted'> & {
+    hasCredential: boolean;
+};
+/**
+ * Check if a share link is still valid (not expired, not maxed out)
+ */
+export declare function isShareValid(payload: string): {
+    valid: boolean;
+    reason?: string;
+};
+/**
+ * Create a full share URL (for web-based sharing)
+ * The key is passed as a URL fragment (not sent to server)
+ */
+export declare function createShareUrl(baseUrl: string, payload: string, key: string): string;
+/**
+ * Parse a share URL back into payload and key
+ */
+export declare function parseShareUrl(url: string): {
+    payload: string;
+    key: string;
+} | null;
+/**
+ * Create a one-time share (single use, auto-expires)
+ */
+export declare function createOneTimeShare(passport: Passport, expiresInMinutes?: number): Promise<{
+    payload: string;
+    key: string;
+}>;
+/**
+ * Create a metadata-only share (no credential exposed)
+ */
+export declare function createMetadataShare(passport: Passport, options?: {
+    expiresAt?: string;
+    maxViews?: number;
+}): Promise<{
+    payload: string;
+    key: string;
+}>;
+//# sourceMappingURL=sharing.d.ts.map

package/dist/sharing.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"sharing.d.ts","sourceRoot":"","sources":["../src/sharing.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAIH,OAAO,EACL,QAAQ,EACR,YAAY,EACZ,YAAY,EAGb,MAAM,YAAY,CAAC;AAmJpB;;;GAGG;AACH,wBAAsB,eAAe,CACnC,QAAQ,EAAE,QAAQ,EAClB,OAAO,EAAE,YAAY,GACpB,OAAO,CAAC;IAAE,OAAO,EAAE,MAAM,CAAC;IAAC,GAAG,EAAE,MAAM,CAAA;CAAE,CAAC,CAuC3C;AAED;;GAEG;AACH,wBAAsB,gBAAgB,CACpC,OAAO,EAAE,MAAM,EACf,GAAG,EAAE,MAAM,GACV,OAAO,CAAC,QAAQ,CAAC,CAgDnB;AAED;;GAEG;AACH,wBAAgB,YAAY,CAAC,OAAO,EAAE,MAAM,GAAG,IAAI,CAAC,YAAY,EAAE,WAAW,CAAC,GAAG;IAAE,aAAa,EAAE,OAAO,CAAA;CAAE,CAc1G;AAED;;GAEG;AACH,wBAAgB,YAAY,CAAC,OAAO,EAAE,MAAM,GAAG;IAAE,KAAK,EAAE,OAAO,CAAC;IAAC,MAAM,CAAC,EAAE,MAAM,CAAA;CAAE,CAyBjF;AAMD;;;GAGG;AACH,wBAAgB,cAAc,CAC5B,OAAO,EAAE,MAAM,EACf,OAAO,EAAE,MAAM,EACf,GAAG,EAAE,MAAM,GACV,MAAM,CAER;AAED;;GAEG;AACH,wBAAgB,aAAa,CAAC,GAAG,EAAE,MAAM,GAAG;IAAE,OAAO,EAAE,MAAM,CAAC;IAAC,GAAG,EAAE,MAAM,CAAA;CAAE,GAAG,IAAI,CAqBlF;AAMD;;GAEG;AACH,wBAAsB,kBAAkB,CACtC,QAAQ,EAAE,QAAQ,EAClB,gBAAgB,GAAE,MAAW,GAC5B,OAAO,CAAC;IAAE,OAAO,EAAE,MAAM,CAAC;IAAC,GAAG,EAAE,MAAM,CAAA;CAAE,CAAC,CAQ3C;AAED;;GAEG;AACH,wBAAsB,mBAAmB,CACvC,QAAQ,EAAE,QAAQ,EAClB,OAAO,CAAC,EAAE;IAAE,SAAS,CAAC,EAAE,MAAM,CAAC;IAAC,QAAQ,CAAC,EAAE,MAAM,CAAA;CAAE,GAClD,OAAO,CAAC;IAAE,OAAO,EAAE,MAAM,CAAC;IAAC,GAAG,EAAE,MAAM,CAAA;CAAE,CAAC,CAK3C"}