@interop/did-web-resolver 4.0.0 → 6.0.0

package/dist/DidWebResolver.js

@@ -0,0 +1,557 @@
+/**
+ * A `did:web` method resolver and document generator for the `@interop/did-io`
+ * library. Builds `did:web` DID documents directly from registered key-suite
+ * instances (no `crypto-ld` dependency) and resolves them over HTTPS with
+ * SSRF, response-size, and document-`id` safety checks.
+ */
+import { httpClient } from '@interop/http-client';
+import * as didIo from '@interop/did-io';
+import { decodeSecretKeySeed } from '@digitalcredentials/bnid';
+import { DID_CONTEXT_URL, DEFAULT_PURPOSES, contextsBySuite, defaultFetchOptions } from './constants.js';
+import { assertDomain } from './assertions.js';
+const { VERIFICATION_RELATIONSHIPS } = didIo;
+export function didFromUrl({ url } = {}) {
+    if (!url) {
+        throw new TypeError('Cannot convert url to did, missing url.');
+    }
+    if (url.startsWith('http:')) {
+        throw new TypeError('did:web does not support non-HTTPS URLs.');
+    }
+    let parsedUrl;
+    try {
+        parsedUrl = new URL(url);
+    }
+    catch (cause) {
+        throw new TypeError(`Invalid url: "${url}".`, { cause });
+    }
+    const { host } = parsedUrl;
+    let { pathname } = parsedUrl;
+    let pathComponent = '';
+    const didJsonSuffix = '/did.json';
+    const wellKnownSuffix = '/.well-known';
+    if (pathname?.endsWith(didJsonSuffix)) {
+        pathname = pathname.substring(0, pathname.length - didJsonSuffix.length);
+    }
+    if (pathname?.endsWith(wellKnownSuffix)) {
+        pathname = pathname.substring(0, pathname.length - wellKnownSuffix.length);
+    }
+    if (pathname && pathname !== '/') {
+        pathComponent = pathname.split('/').map(encodeURIComponent).join(':');
+    }
+    return 'did:web:' + encodeURIComponent(host) + pathComponent;
+}
+export function urlFromDid({ did }) {
+    if (!did?.startsWith('did:web:')) {
+        throw new TypeError(`DID Method not supported: "${did ?? ''}".`);
+    }
+    const [didUrl = '', hashFragment] = did.split('#');
+    const [_did, _web, urlNoProtocol = '', ...pathFragments] = didUrl.split(':');
+    if (urlNoProtocol.includes('/')) {
+        throw new TypeError(`Cannot construct url from did: "${did}". domain-name cannot contain a path.`);
+    }
+    let parsedUrl;
+    try {
+        // URI-decode the url (in case it contained a port number,
+        // for example, `did:web:localhost%3A8080`
+        parsedUrl = new URL('https://' + decodeURIComponent(urlNoProtocol));
+    }
+    catch (cause) {
+        throw new TypeError(`Cannot construct url from did: "${did}".`, { cause });
+    }
+    if (pathFragments.length === 0) {
+        parsedUrl.pathname = '/.well-known/did.json';
+    }
+    else {
+        parsedUrl.pathname = pathFragments.map(decodeURIComponent).join('/') + '/did.json';
+    }
+    if (hashFragment) {
+        parsedUrl.hash = hashFragment;
+    }
+    return parsedUrl.toString();
+}
+/**
+ * Returns the subnode of a DID document identified by `id`, with the
+ * appropriate `@context` attached. Searches `verificationMethod` first, then
+ * any other top-level node (e.g. `service`), so it can dereference keys *and*
+ * non-key subnodes.
+ *
+ * @param options {object} - Options hashmap.
+ * @param options.didDocument {object} - The DID Document to search.
+ * @param options.id {string} - The full id of the subnode to return.
+ *
+ * @returns {object} The matched subnode, cloned, with `@context`.
+ */
+export function getNode({ didDocument, id }) {
+    let match = (didDocument.verificationMethod ?? [])
+        .find((vm) => vm?.id === id);
+    if (!match) {
+        for (const [key, value] of Object.entries(didDocument)) {
+            if (key === '@context' || key === 'verificationMethod') {
+                continue;
+            }
+            if (Array.isArray(value)) {
+                match = value.find((entry) => entry?.id === id);
+            }
+            else if (value?.id === id) {
+                match = value;
+            }
+            if (match) {
+                break;
+            }
+        }
+    }
+    if (!match) {
+        throw new Error(`DID document entity with id "${id}" not found.`);
+    }
+    return {
+        '@context': contextsBySuite.get(match.type) ?? didDocument['@context'],
+        ...structuredClone(match)
+    };
+}
+export class DidWebResolver {
+    method;
+    allowList;
+    fetchOptions;
+    logger;
+    _allowedKeyTypes;
+    /**
+     * @param options {object} - Options hashmap.
+     * @param [options.allowList] {string[]} - Hosts permitted as fetch targets
+     *   (SSRF gate). Empty/absent means no restriction.
+     * @param [options.fetchOptions] {object} - Network limits passed to the http
+     *   client (`size` in bytes, `timeout` in ms).
+     * @param [options.logger] {object} - Logger object (with .info, .error, etc).
+     */
+    constructor({ allowList = [], fetchOptions = defaultFetchOptions, logger = console } = {}) {
+        this.method = 'web'; // did:web:... (used for didIo resolver harness)
+        this.allowList = allowList;
+        this.fetchOptions = fetchOptions;
+        this.logger = logger;
+        this._allowedKeyTypes = new Map();
+    }
+    /**
+     * Registers a key suite this driver may handle when generating documents and
+     * rebuilding key pairs from plain descriptions.
+     *
+     * Preferred form: pass a `keyPairClass` exposing static `multibaseHeader`,
+     * `from`, and (optionally) `generate`. The driver reads the header off the
+     * class, so callers need not know the literal value.
+     *
+     * Lower-level form: pass `multibaseMultikeyHeader` plus a `fromMultibase`
+     * deserializer. Suites registered this way support resolution/rebuilding but
+     * not `generate()`.
+     *
+     * @param options {object} - Options hashmap.
+     * @param [options.keyPairClass] {Function} - A KeyPair suite class.
+     * @param [options.multibaseMultikeyHeader] {string} - Multibase header.
+     * @param [options.fromMultibase] {Function} - `{publicKeyMultibase}` to key.
+     */
+    use({ keyPairClass, multibaseMultikeyHeader, fromMultibase } = {}) {
+        if (keyPairClass) {
+            const header = keyPairClass.multibaseHeader;
+            if (!(header && typeof header === 'string')) {
+                throw new TypeError('"keyPairClass.multibaseHeader" must be a string.');
+            }
+            if (typeof keyPairClass.from !== 'function') {
+                throw new TypeError('"keyPairClass.from" must be a function.');
+            }
+            this._allowedKeyTypes.set(header, {
+                fromMultibase: keyPairClass.from.bind(keyPairClass),
+                generate: typeof keyPairClass.generate === 'function'
+                    ? keyPairClass.generate.bind(keyPairClass)
+                    : undefined
+            });
+            return;
+        }
+        if (!(multibaseMultikeyHeader && typeof multibaseMultikeyHeader === 'string')) {
+            throw new TypeError('"multibaseMultikeyHeader" must be a string.');
+        }
+        if (typeof fromMultibase !== 'function') {
+            throw new TypeError('"fromMultibase" must be a function.');
+        }
+        this._allowedKeyTypes.set(multibaseMultikeyHeader, { fromMultibase });
+    }
+    /**
+     * Adds a single verification method to a DID document: exports the key's
+     * public node, assigns it the id `${did}#${fragment}`, pushes it into
+     * `verificationMethod`, references it under each requested purpose, and
+     * accumulates the key's `@context`.
+     *
+     * This is the foundational document-building primitive; it works on a freshly
+     * created document or on one fetched and republished with rotated keys.
+     *
+     * @param options {object} - Options hashmap.
+     * @param options.didDocument {object} - Document to mutate (must have `id`).
+     * @param options.keyPair {object} - A registered key suite instance.
+     * @param [options.keyPairs] {Map} - Optional key-id to key-pair map to update.
+     * @param [options.fragment] {string} - Author-chosen fragment (defaults to
+     *   the key fingerprint).
+     * @param [options.purposes] {string[]} - Verification relationships to wire.
+     * @param [options.serialization] {string} - `'multibase'` (default); `'jwk'`
+     *   is reserved for when key suites expose JWK export.
+     *
+     * @returns {object} The mutated DID document.
+     */
+    addVerificationMethod({ didDocument, keyPairs, keyPair, fragment, purposes = DEFAULT_PURPOSES, serialization = 'multibase' }) {
+        if (!didDocument?.id) {
+            throw new TypeError('"didDocument.id" is required to add a verification method.');
+        }
+        if (!keyPair) {
+            throw new TypeError('A "keyPair" is required.');
+        }
+        if (serialization !== 'multibase') {
+            throw new Error(`Serialization "${serialization}" is not yet supported.`);
+        }
+        const did = didDocument.id;
+        fragment = fragment ?? _defaultFragment(keyPair);
+        keyPair.controller = did;
+        keyPair.id = `${did}#${fragment}`;
+        const publicNode = keyPair.export({ publicKey: true, includeContext: true });
+        const context = publicNode['@context'];
+        delete publicNode['@context'];
+        if (context) {
+            _addContext({ didDocument, context });
+        }
+        didDocument.verificationMethod = didDocument.verificationMethod ?? [];
+        didDocument.verificationMethod.push(publicNode);
+        for (const purpose of purposes) {
+            if (!VERIFICATION_RELATIONSHIPS.has(purpose)) {
+                throw new Error(`Unsupported key purpose: "${purpose}".`);
+            }
+            didDocument[purpose] = didDocument[purpose] ?? [];
+            didDocument[purpose].push(publicNode.id);
+        }
+        keyPairs?.set(keyPair.id, keyPair);
+        return didDocument;
+    }
+    /**
+     * Generates a new `did:web` DID Document.
+     *
+     * @example
+     *   const { didDocument, keyPairs } = await didWeb.generate({
+     *     url: 'https://example.com', verificationKeyPair
+     *   })
+     *   didDocument.id // -> 'did:web:example.com'
+     *
+     * Either an `id` or a `url` is required. For the single-key common case, pass
+     * a `verificationKeyPair` (or `seed`/`keyType` to generate one from a
+     * registered suite) and optionally a `keyAgreementKeyPair`. For multi-key
+     * documents, pass `verificationMethods`.
+     *
+     * @param options {object} - Options hashmap.
+     * @param [options.id] {string} - A did:web DID (else derived from `url`).
+     * @param [options.url] {string} - HTTPS url of the DID document.
+     * @param [options.seed] {string|Uint8Array} - Secret seed to derive a key.
+     * @param [options.keyType] {Function|string} - Which registered suite to
+     *   generate with (a key class or its multibase header).
+     * @param [options.verificationKeyPair] {object} - A pre-made verification key.
+     * @param [options.keyAgreementKeyPair] {object} - A pre-made keyAgreement key.
+     * @param [options.verificationMethods] {Array} - Multi-key entries, each
+     *   `{ keyPair, fragment?, purposes?, serialization? }`.
+     *
+     * @returns {Promise<{didDocument: object, keyPairs: Map, methodFor: Function}>}
+     */
+    async generate({ id, url, seed, keyType, verificationKeyPair, keyAgreementKeyPair, verificationMethods } = {}) {
+        if (!id && !url) {
+            throw new TypeError('A "url" or an "id" parameter is required.');
+        }
+        const did = id ?? didFromUrl({ url });
+        assertDomain({ allowList: this.allowList, url: url ?? urlFromDid({ did }) });
+        const didDocument = { '@context': [DID_CONTEXT_URL], id: did };
+        const keyPairs = new Map();
+        if (verificationMethods && verificationMethods.length > 0) {
+            for (const entry of verificationMethods) {
+                this.addVerificationMethod({
+                    didDocument,
+                    keyPairs,
+                    keyPair: entry.keyPair,
+                    fragment: entry.fragment,
+                    purposes: entry.purposes,
+                    serialization: entry.serialization
+                });
+            }
+        }
+        else {
+            let keyPair = verificationKeyPair;
+            if (!keyPair && !keyAgreementKeyPair) {
+                keyPair = await this._generateKeyPair({ seed, keyType });
+            }
+            if (keyPair) {
+                this.addVerificationMethod({
+                    didDocument, keyPairs, keyPair, purposes: DEFAULT_PURPOSES
+                });
+            }
+            if (keyAgreementKeyPair) {
+                this.addVerificationMethod({
+                    didDocument, keyPairs, keyPair: keyAgreementKeyPair,
+                    purposes: ['keyAgreement']
+                });
+            }
+        }
+        // Convenience function that returns the public/private key pair instance
+        // for a given purpose (authentication, assertionMethod, keyAgreement, etc).
+        const methodFor = ({ purpose }) => {
+            const method = didIo.findVerificationMethod({
+                doc: didDocument, purpose
+            });
+            return keyPairs.get(method?.id);
+        };
+        return { didDocument, keyPairs, methodFor };
+    }
+    /**
+     * Generates a `did:web` DID Document from existing key pairs. A `url` or `id`
+     * is required (unlike `did:key`, a `did:web` identifier is not derivable from
+     * key material alone).
+     *
+     * @param options {object} - Options hashmap.
+     * @param [options.url] {string} - HTTPS url of the DID document.
+     * @param [options.id] {string} - A did:web DID.
+     * @param [options.verificationKeyPair] {object} - A verification KeyPair.
+     * @param [options.keyAgreementKeyPair] {object} - A keyAgreement KeyPair.
+     *
+     * @returns {Promise<{didDocument: object, keyPairs: Map, methodFor: Function}>}
+     */
+    async fromKeyPair({ url, id, verificationKeyPair, keyAgreementKeyPair } = {}) {
+        if (!(verificationKeyPair || keyAgreementKeyPair)) {
+            throw new TypeError('"verificationKeyPair" or "keyAgreementKeyPair" must be provided.');
+        }
+        if (!url && !id) {
+            throw new TypeError('A "url" or "id" is required to build a did:web document.');
+        }
+        return this.generate({ url, id, verificationKeyPair, keyAgreementKeyPair });
+    }
+    /**
+     * Converts a public key description to a `did:web` DID Document. A `url` or
+     * `id` is required. Unlike `generate()`, no `keyPairs` map is returned.
+     *
+     * @param options {object} - Options hashmap.
+     * @param [options.url] {string} - HTTPS url of the DID document.
+     * @param [options.id] {string} - A did:web DID.
+     * @param options.publicKeyDescription {object} - A key pair instance or a
+     *   plain public key description (e.g. from a KMS).
+     *
+     * @returns {Promise<{didDocument: object}>}
+     */
+    async publicKeyToDidDoc({ url, id, publicKeyDescription } = {}) {
+        if (!publicKeyDescription) {
+            throw new TypeError('"publicKeyDescription" is required.');
+        }
+        if (!url && !id) {
+            throw new TypeError('A "url" or "id" is required to build a did:web document.');
+        }
+        const did = id ?? didFromUrl({ url });
+        const didDocument = { '@context': [DID_CONTEXT_URL], id: did };
+        const keyPair = await this._toKeyPair(publicKeyDescription);
+        this.addVerificationMethod({ didDocument, keyPair, purposes: DEFAULT_PURPOSES });
+        return { didDocument };
+    }
+    /**
+     * Computes the id of a given key pair (used by `did-io` drivers). For
+     * `did:web` the id depends on the document's DID, so the key pair must
+     * already carry an `id` or a `controller`.
+     *
+     * @param options {object} - Options hashmap.
+     * @param options.keyPair {object} - The key pair.
+     *
+     * @returns {Promise<string>} The key's id.
+     */
+    async computeId({ keyPair }) {
+        if (keyPair?.id) {
+            return keyPair.id;
+        }
+        if (keyPair?.controller) {
+            return `${keyPair.controller}#${_defaultFragment(keyPair)}`;
+        }
+        throw new TypeError('Cannot compute id: key pair has no "id" or "controller".');
+    }
+    /**
+     * Fetches a `did:web` DID Document for a given DID, or dereferences a subnode
+     * when the DID carries a `#fragment`. Applies the SSRF allow list, network
+     * limits, and verifies that the fetched document's `id` matches the DID.
+     *
+     * @param options {object} - Options hashmap.
+     * @param [options.did] {string} - For example, 'did:web:example.com'.
+     * @param [options.url] {string} - Alias for `did`, for readability.
+     * @param [options.agent] {object} - Optional agent to customize network
+     *   behavior in Node.js (such as `rejectUnauthorized: false`).
+     * @param [options.fetchOptions] {object} - Per-request network limits,
+     *   merged over the driver's defaults.
+     * @param [options.logger] {object} - Logger object.
+     *
+     * @throws {Error}
+     *
+     * @returns {Promise<object>} The DID Document, or a public key / subnode.
+     */
+    async get({ did, url, agent, fetchOptions = {}, logger = this.logger } = {}) {
+        did = did ?? url;
+        if (!did) {
+            throw new TypeError('A DID or a URL is required to fetch.');
+        }
+        // Separate the bare DID authority from any `?query` or `#fragment`.
+        const [didAuthority = ''] = did.split(/[#?]/);
+        const fragment = did.includes('#')
+            ? did.slice(did.indexOf('#') + 1)
+            : undefined;
+        const fetchUrl = urlFromDid({ did: didAuthority });
+        // SSRF gate: reject disallowed hosts before making any network request.
+        assertDomain({ allowList: this.allowList, url: fetchUrl });
+        let didDocument;
+        try {
+            logger.info(`Fetching "${fetchUrl}" via http client.`);
+            const result = await httpClient.get(fetchUrl, { ...this.fetchOptions, ...fetchOptions, agent });
+            didDocument = result.data;
+        }
+        catch (err) {
+            // status is HTTP status code; data is the server's JSON error if any.
+            const { data, status } = err ?? {};
+            logger.error(`Http ${status ?? ''} error:`, data);
+            throw err;
+        }
+        if (didDocument?.id !== didAuthority) {
+            throw new Error(`DID document for DID "${didAuthority}" not found.`);
+        }
+        if (fragment) {
+            // Dereference an individual subnode (key or service) by id.
+            return getNode({ didDocument, id: `${didDocument.id}#${fragment}` });
+        }
+        return didDocument;
+    }
+    /**
+     * Returns the public key (verification method) object for a given DID
+     * Document and purpose. Useful in conjunction with a `.get()` call.
+     *
+     * @param options {object} - Options hashmap.
+     * @param options.didDocument {object} - DID Document (retrieved via a
+     *   `.get()` or from some other source).
+     * @param options.purpose {string} - Verification method purpose, such as
+     *   'authentication', 'assertionMethod', 'keyAgreement' and so on.
+     *
+     * @returns {object} The public key object (without a `@context`).
+     */
+    publicMethodFor({ didDocument, purpose }) {
+        if (!didDocument) {
+            throw new TypeError('The "didDocument" parameter is required.');
+        }
+        if (!purpose) {
+            throw new TypeError('The "purpose" parameter is required.');
+        }
+        const method = didIo.findVerificationMethod({ doc: didDocument, purpose });
+        if (!method) {
+            throw new Error(`No verification method found for purpose "${purpose}"`);
+        }
+        return method;
+    }
+    /**
+     * Generates a verification key pair from a registered suite.
+     *
+     * @param options {object} - Options hashmap.
+     * @param [options.seed] {string|Uint8Array} - Secret seed.
+     * @param [options.keyType] {Function|string} - Which registered suite to use.
+     *
+     * @returns {Promise<object>} The generated key pair.
+     */
+    async _generateKeyPair({ seed, keyType } = {}) {
+        let header;
+        if (keyType) {
+            header = typeof keyType === 'string' ? keyType : keyType.multibaseHeader;
+        }
+        else if (this._allowedKeyTypes.size === 1) {
+            ;
+            [header] = this._allowedKeyTypes.keys();
+        }
+        else if (this._allowedKeyTypes.size === 0) {
+            throw new Error('No key suite registered; call "use({keyPairClass})" or pass a ' +
+                '"verificationKeyPair".');
+        }
+        else {
+            throw new Error('Multiple key suites registered; specify which via "keyType" or pass ' +
+                'a "verificationKeyPair".');
+        }
+        const registered = this._allowedKeyTypes.get(header);
+        if (!registered?.generate) {
+            throw new Error(`Registered suite "${header}" cannot generate keys; register it via ` +
+                '"use({keyPairClass})".');
+        }
+        const seedBytes = seed === undefined ? undefined : _decodeSeed(seed);
+        return registered.generate({ seed: seedBytes });
+    }
+    /**
+     * Resolves a key pair instance from either a live key pair (with `.export`)
+     * or a plain public key description (rebuilt via the registry).
+     *
+     * @param description {object} - A key pair instance or key description.
+     *
+     * @returns {Promise<object>} A live key pair instance.
+     */
+    async _toKeyPair(description) {
+        if (typeof description?.export === 'function') {
+            return description;
+        }
+        const publicKeyMultibase = description?.publicKeyMultibase;
+        if (!publicKeyMultibase) {
+            throw new TypeError('"publicKeyMultibase" is required to rebuild a key pair.');
+        }
+        const header = publicKeyMultibase.slice(0, 4);
+        const registered = this._allowedKeyTypes.get(header);
+        if (!registered) {
+            throw new Error(`Unsupported multibase header "${header}". Register the suite via ` +
+                '"use()".');
+        }
+        return registered.fromMultibase({ publicKeyMultibase });
+    }
+}
+/**
+ * Adds one or more contexts to a DID document's `@context`, de-duplicating.
+ *
+ * @param options {object} - Options hashmap.
+ * @param options.didDocument {object} - The document to mutate.
+ * @param options.context {string|string[]} - Context(s) to add.
+ */
+function _addContext({ didDocument, context }) {
+    const contexts = Array.isArray(didDocument['@context'])
+        ? didDocument['@context']
+        : [didDocument['@context']];
+    const toAdd = Array.isArray(context) ? context : [context];
+    for (const ctx of toAdd) {
+        if (!contexts.includes(ctx)) {
+            contexts.push(ctx);
+        }
+    }
+    didDocument['@context'] = contexts;
+}
+/**
+ * Returns a default fragment for a key pair: its fingerprint when available,
+ * otherwise its `publicKeyMultibase`.
+ *
+ * @param keyPair {object} - The key pair.
+ *
+ * @returns {string} The fragment (without a leading `#`).
+ */
+function _defaultFragment(keyPair) {
+    if (typeof keyPair?.fingerprint === 'function') {
+        return keyPair.fingerprint();
+    }
+    if (keyPair?.publicKeyMultibase) {
+        return keyPair.publicKeyMultibase;
+    }
+    throw new TypeError('Cannot determine a default fragment; provide a "fragment".');
+}
+/**
+ * Decodes a secret key seed to bytes. Accepts a multibase/multihash-encoded
+ * string (must start with `z1A`) or a `Uint8Array`.
+ *
+ * @param seed {string|Uint8Array} - The seed.
+ *
+ * @returns {Uint8Array} The decoded seed bytes.
+ */
+function _decodeSeed(seed) {
+    if (typeof seed === 'string') {
+        if (!seed.startsWith('z1A')) {
+            throw new TypeError('"seed" parameter must be a multibase/multihash encoded string, or a ' +
+                'Uint8Array.');
+        }
+        return decodeSecretKeySeed({ secretKeySeed: seed });
+    }
+    return new Uint8Array(seed);
+}
+//# sourceMappingURL=DidWebResolver.js.map

package/dist/DidWebResolver.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"DidWebResolver.js","sourceRoot":"","sources":["../src/DidWebResolver.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AACH,OAAO,EAAE,UAAU,EAAE,MAAM,sBAAsB,CAAA;AACjD,OAAO,KAAK,KAAK,MAAM,iBAAiB,CAAA;AACxC,OAAO,EAAE,mBAAmB,EAAE,MAAM,0BAA0B,CAAA;AAC9D,OAAO,EACL,eAAe,EACf,gBAAgB,EAChB,eAAe,EACf,mBAAmB,EACpB,MAAM,gBAAgB,CAAA;AACvB,OAAO,EAAE,YAAY,EAAE,MAAM,iBAAiB,CAAA;AAE9C,MAAM,EAAE,0BAA0B,EAAE,GAAG,KAAK,CAAA;AAE5C,MAAM,UAAU,UAAU,CAAE,EAAE,GAAG,KAAuB,EAAE;IACxD,IAAI,CAAC,GAAG,EAAE,CAAC;QACT,MAAM,IAAI,SAAS,CAAC,yCAAyC,CAAC,CAAA;IAChE,CAAC;IACD,IAAI,GAAG,CAAC,UAAU,CAAC,OAAO,CAAC,EAAE,CAAC;QAC5B,MAAM,IAAI,SAAS,CAAC,0CAA0C,CAAC,CAAA;IACjE,CAAC;IAED,IAAI,SAAS,CAAA;IACb,IAAI,CAAC;QACH,SAAS,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,CAAA;IAC1B,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,MAAM,IAAI,SAAS,CAAC,iBAAiB,GAAG,IAAI,EAAE,EAAE,KAAK,EAAE,CAAC,CAAA;IAC1D,CAAC;IAED,MAAM,EAAE,IAAI,EAAE,GAAG,SAAS,CAAA;IAC1B,IAAI,EAAE,QAAQ,EAAE,GAAG,SAAS,CAAA;IAC5B,IAAI,aAAa,GAAG,EAAE,CAAA;IAEtB,MAAM,aAAa,GAAG,WAAW,CAAA;IACjC,MAAM,eAAe,GAAG,cAAc,CAAA;IAEtC,IAAI,QAAQ,EAAE,QAAQ,CAAC,aAAa,CAAC,EAAE,CAAC;QACtC,QAAQ,GAAG,QAAQ,CAAC,SAAS,CAAC,CAAC,EAAE,QAAQ,CAAC,MAAM,GAAG,aAAa,CAAC,MAAM,CAAC,CAAA;IAC1E,CAAC;IAED,IAAI,QAAQ,EAAE,QAAQ,CAAC,eAAe,CAAC,EAAE,CAAC;QACxC,QAAQ,GAAG,QAAQ,CAAC,SAAS,CAAC,CAAC,EAAE,QAAQ,CAAC,MAAM,GAAG,eAAe,CAAC,MAAM,CAAC,CAAA;IAC5E,CAAC;IAED,IAAI,QAAQ,IAAI,QAAQ,KAAK,GAAG,EAAE,CAAC;QACjC,aAAa,GAAG,QAAQ,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,GAAG,CAAC,kBAAkB,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAA;IACvE,CAAC;IAED,OAAO,UAAU,GAAG,kBAAkB,CAAC,IAAI,CAAC,GAAG,aAAa,CAAA;AAC9D,CAAC;AAED,MAAM,UAAU,UAAU,CAAE,EAAE,GAAG,EAA+B;IAC9D,IAAI,CAAC,GAAG,EAAE,UAAU,CAAC,UAAU,CAAC,EAAE,CAAC;QACjC,MAAM,IAAI,SAAS,CAAC,8BAA8B,GAAG,IAAI,EAAE,IAAI,CAAC,CAAA;IAClE,CAAC;IAED,MAAM,CAAC,MAAM,GAAG,EAAE,EAAE,YAAY,CAAC,GAAG,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,CAAA;IAElD,MAAM,CAAC,IAAI,EAAE,IAAI,EAAE,aAAa,GAAG,EAAE,EAAE,GAAG,aAAa,CAAC,GAAG,MAAM,CAAC,KAAK,CAAC,GAAG,CAAC,CAAA;IAE5E,IAAI,aAAa,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;QAChC,MAAM,IAAI,SAAS,CAAC,mCAAmC,GAAG,uCAAuC,CAAC,CAAA;IACpG,CAAC;IAED,IAAI,SAAS,CAAA;IACb,IAAI,CAAC;QACH,0DAA0D;QAC1D,0CAA0C;QAC1C,SAAS,GAAG,IAAI,GAAG,CAAC,UAAU,GAAG,kBAAkB,CAAC,aAAa,CAAC,CAAC,CAAA;IACrE,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,MAAM,IAAI,SAAS,CAAC,mCAAmC,GAAG,IAAI,EAAE,EAAE,KAAK,EAAE,CAAC,CAAA;IAC5E,CAAC;IAED,IAAI,aAAa,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC/B,SAAS,CAAC,QAAQ,GAAG,uBAAuB,CAAA;IAC9C,CAAC;SAAM,CAAC;QACN,SAAS,CAAC,QAAQ,GAAG,aAAa,CAAC,GAAG,CAAC,kBAAkB,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,GAAG,WAAW,CAAA;IACpF,CAAC;IAED,IAAI,YAAY,EAAE,CAAC;QACjB,SAAS,CAAC,IAAI,GAAG,YAAY,CAAA;IAC/B,CAAC;IACD,OAAO,SAAS,CAAC,QAAQ,EAAE,CAAA;AAC7B,CAAC;AAED;;;;;;;;;;;GAWG;AACH,MAAM,UAAU,OAAO,CACrB,EAAE,WAAW,EAAE,EAAE,EAAoC;IAErD,IAAI,KAAK,GAAG,CAAC,WAAW,CAAC,kBAAkB,IAAI,EAAE,CAAC;SAC/C,IAAI,CAAC,CAAC,EAAO,EAAE,EAAE,CAAC,EAAE,EAAE,EAAE,KAAK,EAAE,CAAC,CAAA;IACnC,IAAI,CAAC,KAAK,EAAE,CAAC;QACX,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,WAAW,CAAC,EAAE,CAAC;YACvD,IAAI,GAAG,KAAK,UAAU,IAAI,GAAG,KAAK,oBAAoB,EAAE,CAAC;gBACvD,SAAQ;YACV,CAAC;YACD,IAAI,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC;gBACzB,KAAK,GAAG,KAAK,CAAC,IAAI,CAAC,CAAC,KAAU,EAAE,EAAE,CAAC,KAAK,EAAE,EAAE,KAAK,EAAE,CAAC,CAAA;YACtD,CAAC;iBAAM,IAAK,KAAa,EAAE,EAAE,KAAK,EAAE,EAAE,CAAC;gBACrC,KAAK,GAAG,KAAK,CAAA;YACf,CAAC;YACD,IAAI,KAAK,EAAE,CAAC;gBACV,MAAK;YACP,CAAC;QACH,CAAC;IACH,CAAC;IAED,IAAI,CAAC,KAAK,EAAE,CAAC;QACX,MAAM,IAAI,KAAK,CAAC,gCAAgC,EAAE,cAAc,CAAC,CAAA;IACnE,CAAC;IAED,OAAO;QACL,UAAU,EAAE,eAAe,CAAC,GAAG,CAAC,KAAK,CAAC,IAAI,CAAC,IAAI,WAAW,CAAC,UAAU,CAAC;QACtE,GAAG,eAAe,CAAC,KAAK,CAAC;KAC1B,CAAA;AACH,CAAC;AASD,MAAM,OAAO,cAAc;IAClB,MAAM,CAAQ;IACd,SAAS,CAAU;IACnB,YAAY,CAAK;IACjB,MAAM,CAAK;IACX,gBAAgB,CAAqD;IAE5E;;;;;;;OAOG;IACH,YAAa,EACX,SAAS,GAAG,EAAE,EACd,YAAY,GAAG,mBAAmB,EAClC,MAAM,GAAG,OAAO,KAC8C,EAAE;QAChE,IAAI,CAAC,MAAM,GAAG,KAAK,CAAA,CAAC,gDAAgD;QACpE,IAAI,CAAC,SAAS,GAAG,SAAS,CAAA;QAC1B,IAAI,CAAC,YAAY,GAAG,YAAY,CAAA;QAChC,IAAI,CAAC,MAAM,GAAG,MAAM,CAAA;QACpB,IAAI,CAAC,gBAAgB,GAAG,IAAI,GAAG,EAAE,CAAA;IACnC,CAAC;IAED;;;;;;;;;;;;;;;;OAgBG;IACH,GAAG,CAAE,EAAE,YAAY,EAAE,uBAAuB,EAAE,aAAa,KACqB,EAAE;QAEhF,IAAI,YAAY,EAAE,CAAC;YACjB,MAAM,MAAM,GAAG,YAAY,CAAC,eAAe,CAAA;YAC3C,IAAI,CAAC,CAAC,MAAM,IAAI,OAAO,MAAM,KAAK,QAAQ,CAAC,EAAE,CAAC;gBAC5C,MAAM,IAAI,SAAS,CAAC,kDAAkD,CAAC,CAAA;YACzE,CAAC;YACD,IAAI,OAAO,YAAY,CAAC,IAAI,KAAK,UAAU,EAAE,CAAC;gBAC5C,MAAM,IAAI,SAAS,CAAC,yCAAyC,CAAC,CAAA;YAChE,CAAC;YACD,IAAI,CAAC,gBAAgB,CAAC,GAAG,CAAC,MAAM,EAAE;gBAChC,aAAa,EAAE,YAAY,CAAC,IAAI,CAAC,IAAI,CAAC,YAAY,CAAC;gBACnD,QAAQ,EAAE,OAAO,YAAY,CAAC,QAAQ,KAAK,UAAU;oBACnD,CAAC,CAAC,YAAY,CAAC,QAAQ,CAAC,IAAI,CAAC,YAAY,CAAC;oBAC1C,CAAC,CAAC,SAAS;aACd,CAAC,CAAA;YACF,OAAM;QACR,CAAC;QACD,IAAI,CAAC,CAAC,uBAAuB,IAAI,OAAO,uBAAuB,KAAK,QAAQ,CAAC,EAAE,CAAC;YAC9E,MAAM,IAAI,SAAS,CAAC,6CAA6C,CAAC,CAAA;QACpE,CAAC;QACD,IAAI,OAAO,aAAa,KAAK,UAAU,EAAE,CAAC;YACxC,MAAM,IAAI,SAAS,CAAC,qCAAqC,CAAC,CAAA;QAC5D,CAAC;QACD,IAAI,CAAC,gBAAgB,CAAC,GAAG,CAAC,uBAAuB,EAAE,EAAE,aAAa,EAAE,CAAC,CAAA;IACvE,CAAC;IAED;;;;;;;;;;;;;;;;;;;;OAoBG;IACH,qBAAqB,CAAE,EACrB,WAAW,EAAE,QAAQ,EAAE,OAAO,EAAE,QAAQ,EAAE,QAAQ,GAAG,gBAAgB,EACrE,aAAa,GAAG,WAAW,EAI5B;QACC,IAAI,CAAC,WAAW,EAAE,EAAE,EAAE,CAAC;YACrB,MAAM,IAAI,SAAS,CACjB,4DAA4D,CAAC,CAAA;QACjE,CAAC;QACD,IAAI,CAAC,OAAO,EAAE,CAAC;YACb,MAAM,IAAI,SAAS,CAAC,0BAA0B,CAAC,CAAA;QACjD,CAAC;QACD,IAAI,aAAa,KAAK,WAAW,EAAE,CAAC;YAClC,MAAM,IAAI,KAAK,CAAC,kBAAkB,aAAa,yBAAyB,CAAC,CAAA;QAC3E,CAAC;QACD,MAAM,GAAG,GAAG,WAAW,CAAC,EAAE,CAAA;QAC1B,QAAQ,GAAG,QAAQ,IAAI,gBAAgB,CAAC,OAAO,CAAC,CAAA;QAChD,OAAO,CAAC,UAAU,GAAG,GAAG,CAAA;QACxB,OAAO,CAAC,EAAE,GAAG,GAAG,GAAG,IAAI,QAAQ,EAAE,CAAA;QAEjC,MAAM,UAAU,GAAG,OAAO,CAAC,MAAM,CAAC,EAAE,SAAS,EAAE,IAAI,EAAE,cAAc,EAAE,IAAI,EAAE,CAAC,CAAA;QAC5E,MAAM,OAAO,GAAG,UAAU,CAAC,UAAU,CAAC,CAAA;QACtC,OAAO,UAAU,CAAC,UAAU,CAAC,CAAA;QAC7B,IAAI,OAAO,EAAE,CAAC;YACZ,WAAW,CAAC,EAAE,WAAW,EAAE,OAAO,EAAE,CAAC,CAAA;QACvC,CAAC;QAED,WAAW,CAAC,kBAAkB,GAAG,WAAW,CAAC,kBAAkB,IAAI,EAAE,CAAA;QACrE,WAAW,CAAC,kBAAkB,CAAC,IAAI,CAAC,UAAU,CAAC,CAAA;QAE/C,KAAK,MAAM,OAAO,IAAI,QAAQ,EAAE,CAAC;YAC/B,IAAI,CAAC,0BAA0B,CAAC,GAAG,CAAC,OAAO,CAAC,EAAE,CAAC;gBAC7C,MAAM,IAAI,KAAK,CAAC,6BAA6B,OAAO,IAAI,CAAC,CAAA;YAC3D,CAAC;YACD,WAAW,CAAC,OAAO,CAAC,GAAG,WAAW,CAAC,OAAO,CAAC,IAAI,EAAE,CAAA;YACjD,WAAW,CAAC,OAAO,CAAC,CAAC,IAAI,CAAC,UAAU,CAAC,EAAE,CAAC,CAAA;QAC1C,CAAC;QAED,QAAQ,EAAE,GAAG,CAAC,OAAO,CAAC,EAAE,EAAE,OAAO,CAAC,CAAA;QAClC,OAAO,WAAW,CAAA;IACpB,CAAC;IAED;;;;;;;;;;;;;;;;;;;;;;;;;;OA0BG;IACH,KAAK,CAAC,QAAQ,CAAE,EACd,EAAE,EAAE,GAAG,EAAE,IAAI,EAAE,OAAO,EAAE,mBAAmB,EAAE,mBAAmB,EAChE,mBAAmB,KAKjB,EAAE;QAIJ,IAAI,CAAC,EAAE,IAAI,CAAC,GAAG,EAAE,CAAC;YAChB,MAAM,IAAI,SAAS,CAAC,2CAA2C,CAAC,CAAA;QAClE,CAAC;QAED,MAAM,GAAG,GAAG,EAAE,IAAI,UAAU,CAAC,EAAE,GAAG,EAAE,CAAC,CAAA;QACrC,YAAY,CAAC,EAAE,SAAS,EAAE,IAAI,CAAC,SAAS,EAAE,GAAG,EAAE,GAAG,IAAI,UAAU,CAAC,EAAE,GAAG,EAAE,CAAC,EAAE,CAAC,CAAA;QAE5E,MAAM,WAAW,GAAQ,EAAE,UAAU,EAAE,CAAC,eAAe,CAAC,EAAE,EAAE,EAAE,GAAG,EAAE,CAAA;QACnE,MAAM,QAAQ,GAAG,IAAI,GAAG,EAAe,CAAA;QAEvC,IAAI,mBAAmB,IAAI,mBAAmB,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YAC1D,KAAK,MAAM,KAAK,IAAI,mBAAmB,EAAE,CAAC;gBACxC,IAAI,CAAC,qBAAqB,CAAC;oBACzB,WAAW;oBACX,QAAQ;oBACR,OAAO,EAAE,KAAK,CAAC,OAAO;oBACtB,QAAQ,EAAE,KAAK,CAAC,QAAQ;oBACxB,QAAQ,EAAE,KAAK,CAAC,QAAQ;oBACxB,aAAa,EAAE,KAAK,CAAC,aAAa;iBACnC,CAAC,CAAA;YACJ,CAAC;QACH,CAAC;aAAM,CAAC;YACN,IAAI,OAAO,GAAG,mBAAmB,CAAA;YACjC,IAAI,CAAC,OAAO,IAAI,CAAC,mBAAmB,EAAE,CAAC;gBACrC,OAAO,GAAG,MAAM,IAAI,CAAC,gBAAgB,CAAC,EAAE,IAAI,EAAE,OAAO,EAAE,CAAC,CAAA;YAC1D,CAAC;YACD,IAAI,OAAO,EAAE,CAAC;gBACZ,IAAI,CAAC,qBAAqB,CAAC;oBACzB,WAAW,EAAE,QAAQ,EAAE,OAAO,EAAE,QAAQ,EAAE,gBAAgB;iBAC3D,CAAC,CAAA;YACJ,CAAC;YACD,IAAI,mBAAmB,EAAE,CAAC;gBACxB,IAAI,CAAC,qBAAqB,CAAC;oBACzB,WAAW,EAAE,QAAQ,EAAE,OAAO,EAAE,mBAAmB;oBACnD,QAAQ,EAAE,CAAC,cAAc,CAAC;iBAC3B,CAAC,CAAA;YACJ,CAAC;QACH,CAAC;QAED,yEAAyE;QACzE,4EAA4E;QAC5E,MAAM,SAAS,GAAG,CAAC,EAAE,OAAO,EAAuB,EAAO,EAAE;YAC1D,MAAM,MAAM,GAAQ,KAAK,CAAC,sBAAsB,CAAC;gBAC/C,GAAG,EAAE,WAAW,EAAE,OAAO;aAC1B,CAAC,CAAA;YACF,OAAO,QAAQ,CAAC,GAAG,CAAC,MAAM,EAAE,EAAE,CAAC,CAAA;QACjC,CAAC,CAAA;QAED,OAAO,EAAE,WAAW,EAAE,QAAQ,EAAE,SAAS,EAAE,CAAA;IAC7C,CAAC;IAED;;;;;;;;;;;;OAYG;IACH,KAAK,CAAC,WAAW,CAAE,EACjB,GAAG,EAAE,EAAE,EAAE,mBAAmB,EAAE,mBAAmB,KAI/C,EAAE;QAIJ,IAAI,CAAC,CAAC,mBAAmB,IAAI,mBAAmB,CAAC,EAAE,CAAC;YAClD,MAAM,IAAI,SAAS,CACjB,kEAAkE,CAAC,CAAA;QACvE,CAAC;QACD,IAAI,CAAC,GAAG,IAAI,CAAC,EAAE,EAAE,CAAC;YAChB,MAAM,IAAI,SAAS,CACjB,0DAA0D,CAAC,CAAA;QAC/D,CAAC;QACD,OAAO,IAAI,CAAC,QAAQ,CAAC,EAAE,GAAG,EAAE,EAAE,EAAE,mBAAmB,EAAE,mBAAmB,EAAE,CAAC,CAAA;IAC7E,CAAC;IAED;;;;;;;;;;;OAWG;IACH,KAAK,CAAC,iBAAiB,CAAE,EACvB,GAAG,EAAE,EAAE,EAAE,oBAAoB,KAG3B,EAAE;QACJ,IAAI,CAAC,oBAAoB,EAAE,CAAC;YAC1B,MAAM,IAAI,SAAS,CAAC,qCAAqC,CAAC,CAAA;QAC5D,CAAC;QACD,IAAI,CAAC,GAAG,IAAI,CAAC,EAAE,EAAE,CAAC;YAChB,MAAM,IAAI,SAAS,CACjB,0DAA0D,CAAC,CAAA;QAC/D,CAAC;QACD,MAAM,GAAG,GAAG,EAAE,IAAI,UAAU,CAAC,EAAE,GAAG,EAAE,CAAC,CAAA;QACrC,MAAM,WAAW,GAAQ,EAAE,UAAU,EAAE,CAAC,eAAe,CAAC,EAAE,EAAE,EAAE,GAAG,EAAE,CAAA;QACnE,MAAM,OAAO,GAAG,MAAM,IAAI,CAAC,UAAU,CAAC,oBAAoB,CAAC,CAAA;QAC3D,IAAI,CAAC,qBAAqB,CAAC,EAAE,WAAW,EAAE,OAAO,EAAE,QAAQ,EAAE,gBAAgB,EAAE,CAAC,CAAA;QAChF,OAAO,EAAE,WAAW,EAAE,CAAA;IACxB,CAAC;IAED;;;;;;;;;OASG;IACH,KAAK,CAAC,SAAS,CAAE,EAAE,OAAO,EAAoB;QAC5C,IAAI,OAAO,EAAE,EAAE,EAAE,CAAC;YAChB,OAAO,OAAO,CAAC,EAAE,CAAA;QACnB,CAAC;QACD,IAAI,OAAO,EAAE,UAAU,EAAE,CAAC;YACxB,OAAO,GAAG,OAAO,CAAC,UAAU,IAAI,gBAAgB,CAAC,OAAO,CAAC,EAAE,CAAA;QAC7D,CAAC;QACD,MAAM,IAAI,SAAS,CACjB,0DAA0D,CAAC,CAAA;IAC/D,CAAC;IAED;;;;;;;;;;;;;;;;;OAiBG;IACH,KAAK,CAAC,GAAG,CAAE,EACT,GAAG,EAAE,GAAG,EAAE,KAAK,EAAE,YAAY,GAAG,EAAE,EAAE,MAAM,GAAG,IAAI,CAAC,MAAM,KAItD,EAAE;QACJ,GAAG,GAAG,GAAG,IAAI,GAAG,CAAA;QAChB,IAAI,CAAC,GAAG,EAAE,CAAC;YACT,MAAM,IAAI,SAAS,CAAC,sCAAsC,CAAC,CAAA;QAC7D,CAAC;QAED,oEAAoE;QACpE,MAAM,CAAC,YAAY,GAAG,EAAE,CAAC,GAAG,GAAG,CAAC,KAAK,CAAC,MAAM,CAAC,CAAA;QAC7C,MAAM,QAAQ,GAAG,GAAG,CAAC,QAAQ,CAAC,GAAG,CAAC;YAChC,CAAC,CAAC,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;YACjC,CAAC,CAAC,SAAS,CAAA;QAEb,MAAM,QAAQ,GAAG,UAAU,CAAC,EAAE,GAAG,EAAE,YAAY,EAAE,CAAC,CAAA;QAClD,wEAAwE;QACxE,YAAY,CAAC,EAAE,SAAS,EAAE,IAAI,CAAC,SAAS,EAAE,GAAG,EAAE,QAAQ,EAAE,CAAC,CAAA;QAE1D,IAAI,WAAgB,CAAA;QACpB,IAAI,CAAC;YACH,MAAM,CAAC,IAAI,CAAC,aAAa,QAAQ,oBAAoB,CAAC,CAAA;YACtD,MAAM,MAAM,GAAG,MAAM,UAAU,CAAC,GAAG,CACjC,QAAQ,EAAE,EAAE,GAAG,IAAI,CAAC,YAAY,EAAE,GAAG,YAAY,EAAE,KAAK,EAAE,CAAC,CAAA;YAC7D,WAAW,GAAG,MAAM,CAAC,IAAI,CAAA;QAC3B,CAAC;QAAC,OAAO,GAAQ,EAAE,CAAC;YAClB,sEAAsE;YACtE,MAAM,EAAE,IAAI,EAAE,MAAM,EAAE,GAAG,GAAG,IAAI,EAAE,CAAA;YAClC,MAAM,CAAC,KAAK,CAAC,QAAQ,MAAM,IAAI,EAAE,SAAS,EAAE,IAAI,CAAC,CAAA;YACjD,MAAM,GAAG,CAAA;QACX,CAAC;QAED,IAAI,WAAW,EAAE,EAAE,KAAK,YAAY,EAAE,CAAC;YACrC,MAAM,IAAI,KAAK,CAAC,yBAAyB,YAAY,cAAc,CAAC,CAAA;QACtE,CAAC;QAED,IAAI,QAAQ,EAAE,CAAC;YACb,4DAA4D;YAC5D,OAAO,OAAO,CAAC,EAAE,WAAW,EAAE,EAAE,EAAE,GAAG,WAAW,CAAC,EAAE,IAAI,QAAQ,EAAE,EAAE,CAAC,CAAA;QACtE,CAAC;QAED,OAAO,WAAW,CAAA;IACpB,CAAC;IAED;;;;;;;;;;;OAWG;IACH,eAAe,CAAE,EAAE,WAAW,EAAE,OAAO,EAAyC;QAC9E,IAAI,CAAC,WAAW,EAAE,CAAC;YACjB,MAAM,IAAI,SAAS,CAAC,0CAA0C,CAAC,CAAA;QACjE,CAAC;QACD,IAAI,CAAC,OAAO,EAAE,CAAC;YACb,MAAM,IAAI,SAAS,CAAC,sCAAsC,CAAC,CAAA;QAC7D,CAAC;QACD,MAAM,MAAM,GAAG,KAAK,CAAC,sBAAsB,CAAC,EAAE,GAAG,EAAE,WAAW,EAAE,OAAO,EAAE,CAAC,CAAA;QAC1E,IAAI,CAAC,MAAM,EAAE,CAAC;YACZ,MAAM,IAAI,KAAK,CAAC,6CAA6C,OAAO,GAAG,CAAC,CAAA;QAC1E,CAAC;QACD,OAAO,MAAM,CAAA;IACf,CAAC;IAED;;;;;;;;OAQG;IACH,KAAK,CAAC,gBAAgB,CACpB,EAAE,IAAI,EAAE,OAAO,KAAoD,EAAE;QAErE,IAAI,MAA0B,CAAA;QAC9B,IAAI,OAAO,EAAE,CAAC;YACZ,MAAM,GAAG,OAAO,OAAO,KAAK,QAAQ,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,OAAO,CAAC,eAAe,CAAA;QAC1E,CAAC;aAAM,IAAI,IAAI,CAAC,gBAAgB,CAAC,IAAI,KAAK,CAAC,EAAE,CAAC;YAC5C,CAAC;YAAA,CAAC,MAAM,CAAC,GAAG,IAAI,CAAC,gBAAgB,CAAC,IAAI,EAAE,CAAA;QAC1C,CAAC;aAAM,IAAI,IAAI,CAAC,gBAAgB,CAAC,IAAI,KAAK,CAAC,EAAE,CAAC;YAC5C,MAAM,IAAI,KAAK,CACb,gEAAgE;gBAC9D,wBAAwB,CAAC,CAAA;QAC/B,CAAC;aAAM,CAAC;YACN,MAAM,IAAI,KAAK,CACb,sEAAsE;gBACpE,0BAA0B,CAAC,CAAA;QACjC,CAAC;QAED,MAAM,UAAU,GAAG,IAAI,CAAC,gBAAgB,CAAC,GAAG,CAAC,MAAO,CAAC,CAAA;QACrD,IAAI,CAAC,UAAU,EAAE,QAAQ,EAAE,CAAC;YAC1B,MAAM,IAAI,KAAK,CACb,qBAAqB,MAAM,0CAA0C;gBACnE,wBAAwB,CAAC,CAAA;QAC/B,CAAC;QACD,MAAM,SAAS,GAAG,IAAI,KAAK,SAAS,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,WAAW,CAAC,IAAI,CAAC,CAAA;QACpE,OAAO,UAAU,CAAC,QAAQ,CAAC,EAAE,IAAI,EAAE,SAAS,EAAE,CAAC,CAAA;IACjD,CAAC;IAED;;;;;;;OAOG;IACH,KAAK,CAAC,UAAU,CAAE,WAAgB;QAChC,IAAI,OAAO,WAAW,EAAE,MAAM,KAAK,UAAU,EAAE,CAAC;YAC9C,OAAO,WAAW,CAAA;QACpB,CAAC;QACD,MAAM,kBAAkB,GAAG,WAAW,EAAE,kBAAkB,CAAA;QAC1D,IAAI,CAAC,kBAAkB,EAAE,CAAC;YACxB,MAAM,IAAI,SAAS,CACjB,yDAAyD,CAAC,CAAA;QAC9D,CAAC;QACD,MAAM,MAAM,GAAG,kBAAkB,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAA;QAC7C,MAAM,UAAU,GAAG,IAAI,CAAC,gBAAgB,CAAC,GAAG,CAAC,MAAM,CAAC,CAAA;QACpD,IAAI,CAAC,UAAU,EAAE,CAAC;YAChB,MAAM,IAAI,KAAK,CACb,iCAAiC,MAAM,4BAA4B;gBACjE,UAAU,CAAC,CAAA;QACjB,CAAC;QACD,OAAO,UAAU,CAAC,aAAa,CAAC,EAAE,kBAAkB,EAAE,CAAC,CAAA;IACzD,CAAC;CACF;AAED;;;;;;GAMG;AACH,SAAS,WAAW,CAClB,EAAE,WAAW,EAAE,OAAO,EAAoD;IAE1E,MAAM,QAAQ,GAAG,KAAK,CAAC,OAAO,CAAC,WAAW,CAAC,UAAU,CAAC,CAAC;QACrD,CAAC,CAAC,WAAW,CAAC,UAAU,CAAC;QACzB,CAAC,CAAC,CAAC,WAAW,CAAC,UAAU,CAAC,CAAC,CAAA;IAC7B,MAAM,KAAK,GAAG,KAAK,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAA;IAC1D,KAAK,MAAM,GAAG,IAAI,KAAK,EAAE,CAAC;QACxB,IAAI,CAAC,QAAQ,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;YAC5B,QAAQ,CAAC,IAAI,CAAC,GAAG,CAAC,CAAA;QACpB,CAAC;IACH,CAAC;IACD,WAAW,CAAC,UAAU,CAAC,GAAG,QAAQ,CAAA;AACpC,CAAC;AAED;;;;;;;GAOG;AACH,SAAS,gBAAgB,CAAE,OAAY;IACrC,IAAI,OAAO,OAAO,EAAE,WAAW,KAAK,UAAU,EAAE,CAAC;QAC/C,OAAO,OAAO,CAAC,WAAW,EAAE,CAAA;IAC9B,CAAC;IACD,IAAI,OAAO,EAAE,kBAAkB,EAAE,CAAC;QAChC,OAAO,OAAO,CAAC,kBAAkB,CAAA;IACnC,CAAC;IACD,MAAM,IAAI,SAAS,CACjB,4DAA4D,CAAC,CAAA;AACjE,CAAC;AAED;;;;;;;GAOG;AACH,SAAS,WAAW,CAAE,IAAyB;IAC7C,IAAI,OAAO,IAAI,KAAK,QAAQ,EAAE,CAAC;QAC7B,IAAI,CAAC,IAAI,CAAC,UAAU,CAAC,KAAK,CAAC,EAAE,CAAC;YAC5B,MAAM,IAAI,SAAS,CACjB,sEAAsE;gBACpE,aAAa,CAAC,CAAA;QACpB,CAAC;QACD,OAAO,mBAAmB,CAAC,EAAE,aAAa,EAAE,IAAI,EAAE,CAAC,CAAA;IACrD,CAAC;IACD,OAAO,IAAI,UAAU,CAAC,IAAI,CAAC,CAAA;AAC7B,CAAC"}

package/dist/assertions.d.ts

@@ -0,0 +1,47 @@
+/**
+ * Assertions guarding the resolver's network path: that a fetch target is an
+ * HTTPS URL, that an identifier is a well-formed `did:web` DID, and that a
+ * target host is permitted by an optional allow list (SSRF gate).
+ */
+/**
+ * Asserts that the given value is an HTTPS URL.
+ *
+ * @param url {URL|string} - The URL to check.
+ *
+ * @throws {TypeError} If the value is not a URL or its protocol is not https.
+ */
+export declare function assertHttpsUrl(url: URL | string): void;
+/**
+ * Coerces a string to a `URL`, or returns an existing `URL` instance.
+ *
+ * @param url {URL|string} - The value to coerce.
+ *
+ * @returns {URL} The parsed URL.
+ */
+export declare function assertUrl(url: URL | string): URL;
+/**
+ * Asserts that a DID is a well-formed `did:web` identifier whose
+ * method-specific id (the domain component) does not itself contain a path.
+ * Sets `err.code` to `'invalidDid'` or `'methodNotSupported'` where relevant.
+ *
+ * @param did {string} - The DID to check.
+ *
+ * @throws {Error} If the DID is missing, malformed, or not a did:web DID.
+ */
+export declare function assertDidWebUrl(did: string): void;
+/**
+ * SSRF gate: asserts that the host of `url` is present in `allowList`. An empty
+ * or absent allow list disables the check (all hosts permitted).
+ *
+ * @param options {object} - Options hashmap.
+ * @param [options.allowList] {string[]} - Permitted hosts (e.g. 'example.com'
+ *   or 'example.com:3000'). When empty/absent, no restriction is applied.
+ * @param options.url {URL|string} - The fetch target URL.
+ *
+ * @throws {Error} If the host is not in a non-empty allow list.
+ */
+export declare function assertDomain({ allowList, url }: {
+    allowList?: string[];
+    url: URL | string;
+}): void;
+//# sourceMappingURL=assertions.d.ts.map

package/dist/assertions.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"assertions.d.ts","sourceRoot":"","sources":["../src/assertions.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH;;;;;;GAMG;AACH,wBAAgB,cAAc,CAAE,GAAG,EAAE,GAAG,GAAG,MAAM,GAAG,IAAI,CAMvD;AAED;;;;;;GAMG;AACH,wBAAgB,SAAS,CAAE,GAAG,EAAE,GAAG,GAAG,MAAM,GAAG,GAAG,CAQjD;AAED;;;;;;;;GAQG;AACH,wBAAgB,eAAe,CAAE,GAAG,EAAE,MAAM,GAAG,IAAI,CA0BlD;AAED;;;;;;;;;;GAUG;AACH,wBAAgB,YAAY,CAC1B,EAAE,SAAS,EAAE,GAAG,EAAE,EAAE;IAAE,SAAS,CAAC,EAAE,MAAM,EAAE,CAAC;IAAC,GAAG,EAAE,GAAG,GAAG,MAAM,CAAA;CAAE,GAC9D,IAAI,CASN"}