@keetanetwork/anchor 0.0.52 → 0.0.58

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (70) hide show
  1. package/lib/asset.d.ts +18 -4
  2. package/lib/asset.d.ts.map +1 -1
  3. package/lib/asset.js +18 -0
  4. package/lib/asset.js.map +1 -1
  5. package/lib/chaining-graph.cli.d.ts +2 -0
  6. package/lib/chaining-graph.cli.d.ts.map +1 -0
  7. package/lib/chaining-graph.cli.js +257 -0
  8. package/lib/chaining-graph.cli.js.map +1 -0
  9. package/lib/chaining.d.ts +247 -0
  10. package/lib/chaining.d.ts.map +1 -0
  11. package/lib/chaining.js +1187 -0
  12. package/lib/chaining.js.map +1 -0
  13. package/lib/metadata.types.d.ts +28 -0
  14. package/lib/metadata.types.d.ts.map +1 -0
  15. package/lib/metadata.types.generated.d.ts +3 -0
  16. package/lib/metadata.types.generated.d.ts.map +1 -0
  17. package/lib/metadata.types.generated.js +15 -0
  18. package/lib/metadata.types.generated.js.map +1 -0
  19. package/lib/metadata.types.js +50 -0
  20. package/lib/metadata.types.js.map +1 -0
  21. package/lib/resolver.d.ts +15 -19
  22. package/lib/resolver.d.ts.map +1 -1
  23. package/lib/resolver.js +1101 -469
  24. package/lib/resolver.js.map +1 -1
  25. package/npm-shrinkwrap.json +2 -2
  26. package/package.json +1 -1
  27. package/services/asset-movement/client.d.ts +12 -5
  28. package/services/asset-movement/client.d.ts.map +1 -1
  29. package/services/asset-movement/client.js +190 -9
  30. package/services/asset-movement/client.js.map +1 -1
  31. package/services/asset-movement/common.d.ts +119 -60
  32. package/services/asset-movement/common.d.ts.map +1 -1
  33. package/services/asset-movement/common.generated.d.ts +48 -0
  34. package/services/asset-movement/common.generated.d.ts.map +1 -0
  35. package/services/asset-movement/common.generated.js +37425 -0
  36. package/services/asset-movement/common.generated.js.map +1 -0
  37. package/services/asset-movement/common.js +22 -35368
  38. package/services/asset-movement/common.js.map +1 -1
  39. package/services/asset-movement/lib/location.d.ts +10 -1
  40. package/services/asset-movement/lib/location.d.ts.map +1 -1
  41. package/services/asset-movement/lib/location.generated.d.ts +2 -1
  42. package/services/asset-movement/lib/location.generated.d.ts.map +1 -1
  43. package/services/asset-movement/lib/location.generated.js +23 -0
  44. package/services/asset-movement/lib/location.generated.js.map +1 -1
  45. package/services/asset-movement/lib/location.js +3 -0
  46. package/services/asset-movement/lib/location.js.map +1 -1
  47. package/services/asset-movement/server.d.ts +17 -6
  48. package/services/asset-movement/server.d.ts.map +1 -1
  49. package/services/asset-movement/server.js +47 -2
  50. package/services/asset-movement/server.js.map +1 -1
  51. package/services/fx/client.d.ts +3 -2
  52. package/services/fx/client.d.ts.map +1 -1
  53. package/services/fx/client.js +8 -3
  54. package/services/fx/client.js.map +1 -1
  55. package/services/fx/server.d.ts +2 -1
  56. package/services/fx/server.d.ts.map +1 -1
  57. package/services/fx/server.js +3 -0
  58. package/services/fx/server.js.map +1 -1
  59. package/services/storage/clients/contacts.generated.js +142 -90
  60. package/services/storage/clients/contacts.generated.js.map +1 -1
  61. package/services/storage/common.d.ts +61 -16
  62. package/services/storage/common.d.ts.map +1 -1
  63. package/services/storage/common.js.map +1 -1
  64. package/services/storage/server.d.ts.map +1 -1
  65. package/services/storage/server.js +35 -22
  66. package/services/storage/server.js.map +1 -1
  67. package/services/storage/test-utils.d.ts +7 -2
  68. package/services/storage/test-utils.d.ts.map +1 -1
  69. package/services/storage/test-utils.js +22 -4
  70. package/services/storage/test-utils.js.map +1 -1
package/services/storage/server.js CHANGED
@@ -161,12 +161,14 @@ function extractObjectPath(params) {
161
161
  */
162
162
  async function authorizeURLAccess(pathPolicies, params, url, operation, getSigningData, buildRequest) {
163
163
  const objectPath = extractObjectPath(params);
164
- parsePath(pathPolicies, objectPath);
164
+ const { policy, parsed } = parsePath(pathPolicies, objectPath);
165
165
  const account = await verifyURLAuth(url, getSigningData, function (pubKey) {
166
166
  return (buildRequest(objectPath, pubKey));
167
167
  });
168
- assertPathAccess(pathPolicies, account, objectPath, operation);
169
- return ({ account, objectPath });
168
+ if (!policy.checkAccess(account, parsed, operation)) {
169
+ throw (new Errors.AccessDenied('Can only access your own namespace'));
170
+ }
171
+ return ({ account, objectPath, policy, parsed });
170
172
  }
171
173
  // Default quota configuration
172
174
  const DEFAULT_QUOTAS = {
@@ -360,14 +362,12 @@ export class KeetaNetStorageAnchorHTTPServer extends KeetaAnchorHTTPServer.Keeta
360
362
  const tags = rawTags;
361
363
  // Validate path format, metadata, and ownership
362
364
  const { policy, parsed } = assertPathAccess(pathPolicies, account, objectPath, 'put');
363
- const owner = account.publicKeyString.get();
364
- if (policy.validateMetadata) {
365
- policy.validateMetadata(parsed, { owner, tags, visibility });
366
- }
365
+ const owner = policy.getOwner(objectPath);
367
366
  // Resolve per-user quota limits, falling back to global config
368
- const userLimits = backend.getQuotaLimits
369
- ? await backend.getQuotaLimits(owner)
370
- : null;
367
+ let userLimits = null;
368
+ if (backend.getQuotaLimits) {
369
+ userLimits = await backend.getQuotaLimits(owner);
370
+ }
371
371
  const effectiveLimits = userLimits ?? quotas;
372
372
  // Body is raw binary (EncryptedContainer)
373
373
  const data = arrayBufferLikeToBuffer(postData);
@@ -380,13 +380,13 @@ export class KeetaNetStorageAnchorHTTPServer extends KeetaAnchorHTTPServer.Keeta
380
380
  }));
381
381
  }
382
382
  const needsValidation = requiresValidation(objectPath, validators);
383
- const needsContainerValidation = !!policy.validateContainer;
383
+ const needsContextValidation = !!policy.validateContext;
384
384
  const needsAnchorDecryption = needsValidation || visibility === 'public';
385
- if (needsContainerValidation || needsAnchorDecryption) {
385
+ if (needsContextValidation || needsAnchorDecryption) {
386
386
  try {
387
387
  const container = EncryptedContainer.fromEncryptedBuffer(data, [anchorAccount]);
388
- if (policy.validateContainer) {
389
- policy.validateContainer(parsed, container, { owner, tags, visibility });
388
+ if (policy.validateContext) {
389
+ policy.validateContext(parsed, { operation: 'put', account, metadata: { owner, tags, visibility }, container });
390
390
  }
391
391
  if (needsAnchorDecryption) {
392
392
  const plaintext = await container.getPlaintext();
@@ -458,9 +458,12 @@ export class KeetaNetStorageAnchorHTTPServer extends KeetaAnchorHTTPServer.Keeta
458
458
  };
459
459
  // GET /api/object/* - Retrieve an object
460
460
  routes['GET /api/object/**'] = async function (params, _postData, _headers, url) {
461
- const { objectPath } = await authorizeURLAccess(pathPolicies, params, url, 'get', getKeetaStorageAnchorGetRequestSigningData, function (path, pubKey) {
461
+ const { objectPath, policy, parsed, account } = await authorizeURLAccess(pathPolicies, params, url, 'get', getKeetaStorageAnchorGetRequestSigningData, function (path, pubKey) {
462
462
  return (assertKeetaStorageAnchorGetRequest({ path, account: pubKey }));
463
463
  });
464
+ if (policy.validateContext) {
465
+ policy.validateContext(parsed, { operation: 'get', account });
466
+ }
464
467
  const headers = {};
465
468
  if (authenticatedCorsOrigin) {
466
469
  headers['Access-Control-Allow-Origin'] = authenticatedCorsOrigin;
@@ -474,9 +477,12 @@ export class KeetaNetStorageAnchorHTTPServer extends KeetaAnchorHTTPServer.Keeta
474
477
  };
475
478
  // DELETE /api/object/* - Delete an object
476
479
  routes['DELETE /api/object/**'] = async function (params, _postData, _headers, url) {
477
- const { objectPath } = await authorizeURLAccess(pathPolicies, params, url, 'delete', getKeetaStorageAnchorDeleteRequestSigningData, function (path, pubKey) {
480
+ const { objectPath, policy, parsed, account } = await authorizeURLAccess(pathPolicies, params, url, 'delete', getKeetaStorageAnchorDeleteRequestSigningData, function (path, pubKey) {
478
481
  return ({ path, account: pubKey });
479
482
  });
483
+ if (policy.validateContext) {
484
+ policy.validateContext(parsed, { operation: 'delete', account });
485
+ }
480
486
  const deleted = await backend.delete(objectPath);
481
487
  const response = {
482
488
  ok: true,
@@ -486,9 +492,12 @@ export class KeetaNetStorageAnchorHTTPServer extends KeetaAnchorHTTPServer.Keeta
486
492
  };
487
493
  // GET /api/metadata/* - Get object metadata
488
494
  routes['GET /api/metadata/**'] = async function (params, _postData, _headers, url) {
489
- const { objectPath } = await authorizeURLAccess(pathPolicies, params, url, 'metadata', getKeetaStorageAnchorGetRequestSigningData, function (path, pubKey) {
495
+ const { objectPath, policy, parsed, account } = await authorizeURLAccess(pathPolicies, params, url, 'metadata', getKeetaStorageAnchorGetRequestSigningData, function (path, pubKey) {
490
496
  return (assertKeetaStorageAnchorGetRequest({ path, account: pubKey }));
491
497
  });
498
+ if (policy.validateContext) {
499
+ policy.validateContext(parsed, { operation: 'metadata', account });
500
+ }
492
501
  const result = await requireObject(objectPath);
493
502
  return (jsonResponse({ ok: true, object: result.metadata }, assertKeetaStorageAnchorPutResponse));
494
503
  };
@@ -508,8 +517,8 @@ export class KeetaNetStorageAnchorHTTPServer extends KeetaAnchorHTTPServer.Keeta
508
517
  const tags = request.tags;
509
518
  // Confirm object exists and preserve existing owner
510
519
  const existing = await requireObject(objectPath);
511
- if (policy.validateMetadata) {
512
- policy.validateMetadata(parsed, { owner: existing.metadata.owner, tags, visibility });
520
+ if (policy.validateContext) {
521
+ policy.validateContext(parsed, { operation: 'updateMetadata', account, metadata: { owner: existing.metadata.owner, tags, visibility }, current: existing.metadata });
513
522
  }
514
523
  if (!backend.updateMetadata) {
515
524
  throw (new Errors.OperationNotSupported('updateMetadata'));
@@ -552,9 +561,10 @@ export class KeetaNetStorageAnchorHTTPServer extends KeetaAnchorHTTPServer.Keeta
552
561
  const account = await verifyURLAuth(url, getKeetaStorageAnchorQuotaRequestSigningData, function () { return ({}); });
553
562
  // Get current usage from backend and compute remaining using per-user or global limits
554
563
  const owner = account.publicKeyString.get();
555
- const userLimits = backend.getQuotaLimits
556
- ? await backend.getQuotaLimits(owner)
557
- : null;
564
+ let userLimits = null;
565
+ if (backend.getQuotaLimits) {
566
+ userLimits = await backend.getQuotaLimits(owner);
567
+ }
558
568
  const effectiveLimits = userLimits ?? quotas;
559
569
  const backendStatus = await backend.getQuotaStatus(owner);
560
570
  // Compute remaining from config limits
@@ -631,6 +641,9 @@ export class KeetaNetStorageAnchorHTTPServer extends KeetaAnchorHTTPServer.Keeta
631
641
  }
632
642
  throw (new Errors.SignatureInvalid('Signature verification failed'));
633
643
  }
644
+ if (policy.validateContext) {
645
+ policy.validateContext(parsed, { operation: 'get', account: signerAccount });
646
+ }
634
647
  const result = await requireObject(objectPath);
635
648
  if (result.metadata.visibility !== 'public') {
636
649
  throw (new Errors.AccessDenied('Object is not public'));
package/services/storage/server.js.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"server.js","sourceRoot":"","sources":["../../../src/services/storage/server.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,qBAAqB,MAAM,gCAAgC,CAAC;AACxE,OAAO,EAAE,QAAQ,EAAE,MAAM,uBAAuB,CAAC;AACjD,OAAO,EACN,oBAAoB,EACpB,MAAM,oBAAoB,CAAC;AAe5B,OAAO,EACN,sCAAsC,EACtC,mCAAmC,EACnC,kCAAkC,EAClC,qCAAqC,EACrC,sCAAsC,EACtC,qCAAqC,EACrC,6CAA6C,EAC7C,MAAM,uBAAuB,CAAC;AAC/B,OAAO,EACN,6CAA6C,EAC7C,0CAA0C,EAC1C,0CAA0C,EAC1C,6CAA6C,EAC7C,4CAA4C,EAC5C,qDAAqD,EACrD,qBAAqB,EACrB,MAAM,EACN,yBAAyB,EACzB,8BAA8B,EAC9B,MAAM,aAAa,CAAC;AACrB,OAAO,EAAE,gBAAgB,EAAE,MAAM,4BAA4B,CAAC;AAC9D,OAAO,EAAE,qBAAqB,EAAE,qBAAqB,EAAE,MAAM,iCAAiC,CAAC;AAC/F,OAAO,EAAE,uBAAuB,EAAE,MAAM,EAAE,MAAM,2BAA2B,CAAC;AAC5E,OAAO,EAAE,kBAAkB,EAAE,sBAAsB,EAAE,MAAM,qBAAqB,CAAC;AACjF,OAAO,EAAE,kBAAkB,EAAE,uBAAuB,EAAE,MAAM,kCAAkC,CAAC;AAC/F,OAAO,EAAE,gBAAgB,EAAE,MAAM,YAAY,CAAC;AAI9C;;GAEG;AACH,SAAS,mBAAmB,CAAC,OAAsB;IAClD,MAAM,QAAQ,GAAqC;QAClD,EAAE,EAAE,IAAI;QACR,OAAO,EAAE,OAAO,CAAC,OAAO;KACxB,CAAC;IACF,IAAI,OAAO,CAAC,UAAU,KAAK,SAAS,EAAE,CAAC;QACtC,QAAQ,CAAC,UAAU,GAAG,OAAO,CAAC,UAAU,CAAC;IAC1C,CAAC;IACD,OAAM,CAAC,QAAQ,CAAC,CAAC;AAClB,CAAC;AAED,+BAA+B;AAE/B;;;;;;;GAOG;AACH,SAAS,gBAAgB,CACxB,YAAmC,EACnC,OAAgB,EAChB,IAAY,EACZ,SAA8E;IAE9E,KAAK,MAAM,MAAM,IAAI,YAAY,EAAE,CAAC;QACnC,MAAM,MAAM,GAAG,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;QAClC,IAAI,MAAM,KAAK,IAAI,EAAE,CAAC;YACrB,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC;YAEtB,IAAI,CAAC,MAAM,CAAC,WAAW,CAAC,OAAO,EAAE,MAAM,EAAE,SAAS,CAAC,EAAE,CAAC;gBACrD,MAAK,CAAC,IAAI,MAAM,CAAC,YAAY,CAAC,oCAAoC,CAAC,CAAC,CAAC;YACtE,CAAC;YAED,OAAM,CAAC,EAAE,MAAM,EAAE,MAAM,EAAE,CAAC,CAAC;QAC5B,CAAC;IACF,CAAC;IAED,MAAK,CAAC,IAAI,MAAM,CAAC,WAAW,CAAC,gCAAgC,CAAC,CAAC,CAAC;AACjE,CAAC;AAED;;;;;;GAMG;AACH,SAAS,SAAS,CACjB,YAAmC,EACnC,IAAY;IAEZ,KAAK,MAAM,MAAM,IAAI,YAAY,EAAE,CAAC;QACnC,MAAM,MAAM,GAAG,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;QAClC,IAAI,MAAM,KAAK,IAAI,EAAE,CAAC;YACrB,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC;YACtB,OAAM,CAAC,EAAE,MAAM,EAAE,MAAM,EAAE,CAAC,CAAC;QAC5B,CAAC;IACF,CAAC;IAED,MAAK,CAAC,IAAI,MAAM,CAAC,WAAW,CAAC,gCAAgC,CAAC,CAAC,CAAC;AACjE,CAAC;AAED;;;;;;;;;;;;;GAaG;AACH,KAAK,UAAU,cAAc,CAC5B,OAAU,EACV,cAAoC;IAEpC,IAAI,CAAC,OAAO,CAAC,OAAO,IAAI,CAAC,OAAO,CAAC,MAAM,EAAE,CAAC;QACzC,MAAK,CAAC,IAAI,oBAAoB,CAAC,yBAAyB,CAAC,CAAC,CAAC;IAC5D,CAAC;IAED,MAAM,OAAO,GAAG,QAAQ,CAAC,GAAG,CAAC,OAAO,CAAC,mBAAmB,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC,aAAa,EAAE,CAAC;IAC1F,MAAM,QAAQ,GAAG,cAAc,CAAC,OAAO,CAAC,CAAC;IACzC,MAAM,MAAM,GAAG,qBAAqB,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;IAErD,MAAM,KAAK,GAAG,MAAM,gBAAgB,CAAC,OAAO,EAAE,QAAQ,EAAE,MAAM,CAAC,CAAC;IAChE,IAAI,CAAC,KAAK,EAAE,CAAC;QACZ,MAAK,CAAC,IAAI,oBAAoB,CAAC,mBAAmB,CAAC,CAAC,CAAC;IACtD,CAAC;IAED,OAAM,CAAC,OAAO,CAAC,CAAC;AACjB,CAAC;AAED;;;;;;;;;;;;;;GAcG;AACH,KAAK,UAAU,aAAa,CAC3B,GAAiB,EACjB,cAAoC,EACpC,YAA0C;IAE1C,IAAI,SAAiB,CAAC;IACtB,IAAI,OAAO,GAAG,KAAK,QAAQ,EAAE,CAAC;QAC7B,SAAS,GAAG,GAAG,CAAC;IACjB,CAAC;SAAM,CAAC;QACP,SAAS,GAAG,GAAG,CAAC,IAAI,CAAC;IACtB,CAAC;IAED,MAAM,MAAM,GAAG,qBAAqB,CAAC,SAAS,CAAC,CAAC;IAChD,IAAI,CAAC,MAAM,CAAC,OAAO,IAAI,CAAC,MAAM,CAAC,WAAW,EAAE,CAAC;QAC5C,MAAK,CAAC,IAAI,oBAAoB,CAAC,yBAAyB,CAAC,CAAC,CAAC;IAC5D,CAAC;IAED,MAAM,OAAO,GAAG,YAAY,CAAC,MAAM,CAAC,OAAO,CAAC,eAAe,CAAC,GAAG,EAAE,CAAC,CAAC;IACnE,MAAM,QAAQ,GAAG,cAAc,CAAC,OAAO,CAAC,CAAC;IAEzC,MAAM,KAAK,GAAG,MAAM,gBAAgB,CAAC,MAAM,CAAC,OAAO,EAAE,QAAQ,EAAE,MAAM,CAAC,WAAW,CAAC,CAAC;IACnF,IAAI,CAAC,KAAK,EAAE,CAAC;QACZ,MAAK,CAAC,IAAI,oBAAoB,CAAC,mBAAmB,CAAC,CAAC,CAAC;IACtD,CAAC;IAED,OAAM,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;AACxB,CAAC;AAED;;;;;;;;;GASG;AACH,SAAS,iBAAiB,CAAC,MAA2B;IACrD,MAAM,YAAY,GAAG,MAAM,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;IACtC,IAAI,CAAC,YAAY,EAAE,CAAC;QACnB,MAAK,CAAC,IAAI,MAAM,CAAC,WAAW,EAAE,CAAC,CAAC;IACjC,CAAC;IAED,OAAM,CAAC,GAAG,GAAG,YAAY,CAAC,CAAC;AAC5B,CAAC;AAED;;;;;;;;;;;;;;;;;;GAkBG;AACH,KAAK,UAAU,kBAAkB,CAChC,YAAmC,EACnC,MAA2B,EAC3B,GAAiB,EACjB,SAAgD,EAChD,cAAoC,EACpC,YAAwD;IAExD,MAAM,UAAU,GAAG,iBAAiB,CAAC,MAAM,CAAC,CAAC;IAC7C,SAAS,CAAC,YAAY,EAAE,UAAU,CAAC,CAAC;IAEpC,MAAM,OAAO,GAAG,MAAM,aAAa,CAAC,GAAG,EAAE,cAAc,EAAE,UAAS,MAAM;QACvE,OAAM,CAAC,YAAY,CAAC,UAAU,EAAE,MAAM,CAAC,CAAC,CAAC;IAC1C,CAAC,CAAC,CAAC;IAEH,gBAAgB,CAAC,YAAY,EAAE,OAAO,EAAE,UAAU,EAAE,SAAS,CAAC,CAAC;IAE/D,OAAM,CAAC,EAAE,OAAO,EAAE,UAAU,EAAE,CAAC,CAAC;AACjC,CAAC;AA6HD,8BAA8B;AAC9B,MAAM,cAAc,GAAgB;IACnC,aAAa,EAAE,EAAE,GAAG,IAAI,GAAG,IAAI,EAAE,OAAO;IACxC,iBAAiB,EAAE,IAAI;IACvB,iBAAiB,EAAE,GAAG,GAAG,IAAI,GAAG,IAAI,EAAE,QAAQ;IAC9C,cAAc,EAAE,GAAG;IACnB,eAAe,EAAE,KAAK,CAAC,WAAW;CAClC,CAAC;AAEF,uCAAuC;AACvC,MAAM,sBAAsB,GAAG;IAC9B,OAAO,EAAE,EAAE;IACX,YAAY,EAAE,EAAE;IAChB,OAAO,EAAE,kBAAkB;CAC3B,CAAC;AAEF,MAAM,OAAO,+BAAgC,SAAQ,qBAAqB,CAAC,wBAAwD;IACzH,QAAQ,CAA0D;IAClE,OAAO,CAAqB;IAC5B,aAAa,CAAU;IACvB,MAAM,CAAc;IACpB,UAAU,CAAuB;IACjC,mBAAmB,CAAS;IAC5B,gBAAgB,CAAiB;IACjC,uBAAuB,CAAS;IAChC,YAAY,CAAwB;IACpC,aAAa,CAAyE;IAE/F,YAAY,MAAsC;QACjD,KAAK,CAAC,MAAM,CAAC,CAAC;QAEd,IAAI,CAAC,QAAQ,GAAG,MAAM,CAAC,QAAQ,IAAI,EAAE,CAAC;QACtC,IAAI,CAAC,OAAO,GAAG,MAAM,CAAC,OAAO,CAAC;QAC9B,IAAI,CAAC,aAAa,GAAG,MAAM,CAAC,aAAa,CAAC;QAC1C,IAAI,CAAC,MAAM,GAAG,EAAE,GAAG,cAAc,EAAE,GAAG,MAAM,CAAC,MAAM,EAAE,CAAC;QACtD,IAAI,CAAC,UAAU,GAAG,MAAM,CAAC,UAAU,IAAI,EAAE,CAAC;QAC1C,IAAI,CAAC,mBAAmB,GAAG,MAAM,CAAC,mBAAmB,IAAI,8BAA8B,CAAC;QACxF,IAAI,CAAC,gBAAgB,GAAG,MAAM,CAAC,gBAAgB,IAAI,KAAK,CAAC;QACzD,IAAI,CAAC,uBAAuB,GAAG,MAAM,CAAC,uBAAuB,IAAI,GAAG,CAAC;QACrE,IAAI,CAAC,YAAY,GAAG,MAAM,CAAC,YAAY,CAAC;QACxC,IAAI,CAAC,aAAa,GAAG;YACpB,OAAO,EAAE,MAAM,CAAC,aAAa,EAAE,OAAO,IAAI,sBAAsB,CAAC,OAAO;YACxE,YAAY,EAAE,MAAM,CAAC,aAAa,EAAE,YAAY,IAAI,sBAAsB,CAAC,YAAY;YACvF,OAAO,EAAE,MAAM,CAAC,aAAa,EAAE,OAAO,IAAI,sBAAsB,CAAC,OAAO;SACxE,CAAC;QAEF,yCAAyC;QACzC,IAAI,CAAC,IAAI,CAAC,aAAa,CAAC,aAAa,EAAE,CAAC;YACvC,MAAK,CAAC,IAAI,KAAK,CAAC,uCAAuC,CAAC,CAAC,CAAC;QAC3D,CAAC;QAED,gDAAgD;QAChD,IAAI,IAAI,CAAC,YAAY,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACpC,MAAK,CAAC,IAAI,KAAK,CAAC,2CAA2C,CAAC,CAAC,CAAC;QAC/D,CAAC;QAED,mDAAmD;QACnD,IAAI,IAAI,CAAC,MAAM,CAAC,aAAa,IAAI,CAAC,EAAE,CAAC;YACpC,MAAK,CAAC,IAAI,KAAK,CAAC,uCAAuC,CAAC,CAAC,CAAC;QAC3D,CAAC;QACD,IAAI,IAAI,CAAC,MAAM,CAAC,iBAAiB,IAAI,CAAC,EAAE,CAAC;YACxC,MAAK,CAAC,IAAI,KAAK,CAAC,2CAA2C,CAAC,CAAC,CAAC;QAC/D,CAAC;QACD,IAAI,IAAI,CAAC,MAAM,CAAC,iBAAiB,IAAI,CAAC,EAAE,CAAC;YACxC,MAAK,CAAC,IAAI,KAAK,CAAC,2CAA2C,CAAC,CAAC,CAAC;QAC/D,CAAC;QACD,IAAI,IAAI,CAAC,MAAM,CAAC,cAAc,IAAI,CAAC,EAAE,CAAC;YACrC,MAAK,CAAC,IAAI,KAAK,CAAC,wCAAwC,CAAC,CAAC,CAAC;QAC5D,CAAC;QACD,IAAI,IAAI,CAAC,MAAM,CAAC,eAAe,IAAI,CAAC,EAAE,CAAC;YACtC,MAAK,CAAC,IAAI,KAAK,CAAC,yCAAyC,CAAC,CAAC,CAAC;QAC7D,CAAC;QAED,wCAAwC;QACxC,IAAI,IAAI,CAAC,aAAa,CAAC,OAAO,IAAI,CAAC,EAAE,CAAC;YACrC,MAAK,CAAC,IAAI,KAAK,CAAC,wCAAwC,CAAC,CAAC,CAAC;QAC5D,CAAC;QACD,IAAI,IAAI,CAAC,aAAa,CAAC,YAAY,IAAI,CAAC,EAAE,CAAC;YAC1C,MAAK,CAAC,IAAI,KAAK,CAAC,6CAA6C,CAAC,CAAC,CAAC;QACjE,CAAC;IACF,CAAC;IAED,sDAAsD;IACtD,qFAAqF;IAC3E,KAAK,CAAC,UAAU,CAAC,aAA6C;QACvE,MAAM,MAAM,GAAiC,EAAE,CAAC;QAChD,MAAM,OAAO,GAAG,IAAI,CAAC,OAAO,CAAC;QAC7B,MAAM,aAAa,GAAG,IAAI,CAAC,aAAa,CAAC;QACzC,MAAM,MAAM,GAAG,IAAI,CAAC,MAAM,CAAC;QAC3B,MAAM,UAAU,GAAG,IAAI,CAAC,UAAU,CAAC;QACnC,MAAM,gBAAgB,GAAG,IAAI,CAAC,gBAAgB,CAAC;QAC/C,MAAM,uBAAuB,GAAG,IAAI,CAAC,uBAAuB,CAAC;QAC7D,MAAM,YAAY,GAAG,IAAI,CAAC,YAAY,CAAC;QACvC,MAAM,aAAa,GAAG,IAAI,CAAC,aAAa,CAAC;QACzC,MAAM,MAAM,GAAG,IAAI,CAAC,MAAM,CAAC;QAE3B;;;WAGG;QACH,SAAS,YAAY,CAAC,IAAc;YACnC,MAAM,EAAE,OAAO,EAAE,YAAY,EAAE,OAAO,EAAE,UAAU,EAAE,GAAG,aAAa,CAAC;YACrE,KAAK,MAAM,GAAG,IAAI,IAAI,EAAE,CAAC;gBACxB,IAAI,GAAG,CAAC,MAAM,GAAG,YAAY,EAAE,CAAC;oBAC/B,MAAK,CAAC,IAAI,MAAM,CAAC,UAAU,CAAC,iCAAiC,YAAY,MAAM,GAAG,GAAG,CAAC,CAAC,CAAC;gBACzF,CAAC;gBACD,UAAU,CAAC,SAAS,GAAG,CAAC,CAAC;gBACzB,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC;oBAC3B,MAAK,CAAC,IAAI,MAAM,CAAC,UAAU,CAAC,qCAAqC,GAAG,GAAG,CAAC,CAAC,CAAC;gBAC3E,CAAC;YACF,CAAC;YACD,IAAI,IAAI,CAAC,MAAM,GAAG,OAAO,EAAE,CAAC;gBAC3B,MAAK,CAAC,IAAI,MAAM,CAAC,UAAU,CAAC,kBAAkB,IAAI,CAAC,MAAM,uBAAuB,OAAO,EAAE,CAAC,CAAC,CAAC;YAC7F,CAAC;QACF,CAAC;QAED;;WAEG;QACH,SAAS,YAAY,CAAI,QAAW,EAAE,gBAAuC;YAC5E,OAAM,CAAC,EAAE,MAAM,EAAE,IAAI,CAAC,SAAS,CAAC,gBAAgB,CAAC,QAAQ,CAAC,CAAC,EAAE,CAAC,CAAC;QAChE,CAAC;QAED;;WAEG;QACH,KAAK,UAAU,aAAa,CAAC,IAAY;YACxC,MAAM,MAAM,GAAG,MAAM,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;YACvC,IAAI,CAAC,MAAM,EAAE,CAAC;gBACb,MAAK,CAAC,IAAI,MAAM,CAAC,gBAAgB,EAAE,CAAC,CAAC;YACtC,CAAC;YAED,OAAM,CAAC,MAAM,CAAC,CAAC;QAChB,CAAC;QAED;;WAEG;QACH,SAAS,kBAAkB,CAAC,UAAwC;YACnE,MAAM,cAAc,GAAG,UAAU,EAAE,KAAK,IAAI,MAAM,CAAC,cAAc,CAAC;YAClE,OAAM,CAAC,EAAE,GAAG,UAAU,EAAE,KAAK,EAAE,IAAI,CAAC,GAAG,CAAC,cAAc,EAAE,MAAM,CAAC,cAAc,CAAC,EAAE,CAAC,CAAC;QACnF,CAAC;QAED;;WAEG;QACH,SAAS,mBAAmB,CAC3B,OAAsB,EACtB,UAAqD;YAErD,KAAK,MAAM,GAAG,IAAI,OAAO,CAAC,OAAO,EAAE,CAAC;gBACnC,IAAI,UAAU,CAAC,UAAU,IAAI,GAAG,CAAC,UAAU,KAAK,UAAU,CAAC,UAAU,EAAE,CAAC;oBACvE,MAAK,CAAC,IAAI,MAAM,CAAC,kBAAkB,CAClC,oBAAoB,GAAG,CAAC,UAAU,cAAc,UAAU,CAAC,UAAU,SAAS,CAC9E,CAAC,CAAC;gBACJ,CAAC;gBACD,IAAI,UAAU,CAAC,KAAK,IAAI,GAAG,CAAC,KAAK,KAAK,UAAU,CAAC,KAAK,EAAE,CAAC;oBACxD,MAAK,CAAC,IAAI,MAAM,CAAC,kBAAkB,CAClC,oCAAoC,GAAG,CAAC,KAAK,kBAAkB,UAAU,CAAC,KAAK,EAAE,CACjF,CAAC,CAAC;gBACJ,CAAC;YACF,CAAC;QACF,CAAC;QAED;;WAEG;QACH,MAAM,QAAQ,GAAG,IAAI,CAAC,QAAQ,CAAC;QAC/B,IAAI,QAAQ,EAAE,CAAC;YACd,MAAM,CAAC,OAAO,CAAC,GAAG,KAAK;gBACtB,IAAI,YAAoB,CAAC;gBACzB,IAAI,OAAO,QAAQ,KAAK,QAAQ,EAAE,CAAC;oBAClC,YAAY,GAAG,QAAQ,CAAC;gBACzB,CAAC;qBAAM,CAAC;oBACP,YAAY,GAAG,MAAM,QAAQ,EAAE,CAAC;gBACjC,CAAC;gBAED,OAAM,CAAC;oBACN,MAAM,EAAE,YAAY;oBACpB,WAAW,EAAE,WAAW;iBACxB,CAAC,CAAC;YACJ,CAAC,CAAC;QACH,CAAC;QAED,qBAAqB;QAErB,iDAAiD;QACjD,MAAM,CAAC,oBAAoB,CAAC,GAAG;YAC9B,QAAQ,EAAE,KAAK;YACf,WAAW,EAAE,MAAM,CAAC,aAAa;YACjC,OAAO,EAAE,KAAK,WAAU,MAAM,EAAE,QAAQ,EAAE,QAAQ,EAAE,GAAG;gBACtD,MAAM,UAAU,GAAG,iBAAiB,CAAC,MAAM,CAAC,CAAC;gBAE7C,iCAAiC;gBACjC,MAAM,SAAS,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,CAAC;gBAC/B,MAAM,eAAe,GAAG,SAAS,CAAC,YAAY,CAAC,GAAG,CAAC,YAAY,CAAC,CAAC;gBACjE,MAAM,SAAS,GAAG,SAAS,CAAC,YAAY,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;gBAErD,+DAA+D;gBAC/D,IAAI,UAAU,GAA4B,SAAS,CAAC;gBACpD,IAAI,eAAe,KAAK,IAAI,EAAE,CAAC;oBAC9B,UAAU,GAAG,gBAAgB,CAAC,eAAe,CAAC,CAAC;gBAChD,CAAC;gBAED,MAAM,OAAO,GAAa,CAAC,SAAS,IAAI,EAAE,CAAC;qBACzC,KAAK,CAAC,GAAG,CAAC;qBACV,GAAG,CAAC,UAAS,CAAC;oBACd,OAAM,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC;gBAClB,CAAC,CAAC;qBACD,MAAM,CAAC,UAAS,CAAC;oBACjB,OAAM,CAAC,CAAC,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC;gBACtB,CAAC,CAAC,CAAC;gBAEJ,mBAAmB;gBACnB,MAAM,OAAO,GAAG,MAAM,aAAa,CAAC,GAAG,EAAE,0CAA0C,EAAE;oBACpF,OAAM,CAAC,EAAE,IAAI,EAAE,UAAU,EAAE,UAAU,EAAE,IAAI,EAAE,OAAO,EAAE,CAAC,CAAC;gBACzD,CAAC,CAAC,CAAC;gBAEH,YAAY,CAAC,OAAO,CAAC,CAAC;gBACtB,MAAM,IAAI,GAAG,OAAO,CAAC;gBAErB,gDAAgD;gBAChD,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,GAAG,gBAAgB,CAAC,YAAY,EAAE,OAAO,EAAE,UAAU,EAAE,KAAK,CAAC,CAAC;gBACtF,MAAM,KAAK,GAAG,OAAO,CAAC,eAAe,CAAC,GAAG,EAAE,CAAC;gBAC5C,IAAI,MAAM,CAAC,gBAAgB,EAAE,CAAC;oBAC7B,MAAM,CAAC,gBAAgB,CAAC,MAAM,EAAE,EAAE,KAAK,EAAE,IAAI,EAAE,UAAU,EAAE,CAAC,CAAC;gBAC9D,CAAC;gBAED,+DAA+D;gBAC/D,MAAM,UAAU,GAAG,OAAO,CAAC,cAAc;oBACxC,CAAC,CAAC,MAAM,OAAO,CAAC,cAAc,CAAC,KAAK,CAAC;oBACrC,CAAC,CAAC,IAAI,CAAC;gBACR,MAAM,eAAe,GAAG,UAAU,IAAI,MAAM,CAAC;gBAE7C,0CAA0C;gBAC1C,MAAM,IAAI,GAAG,uBAAuB,CAAC,QAAQ,CAAC,CAAC;gBAC/C,MAAM,UAAU,GAAG,IAAI,CAAC,UAAU,CAAC;gBACnC,IAAI,UAAU,GAAG,eAAe,CAAC,aAAa,EAAE,CAAC;oBAChD,MAAK,CAAC,IAAI,MAAM,CAAC,aAAa,CAAC;wBAC9B,SAAS,EAAE,eAAe;wBAC1B,KAAK,EAAE,eAAe,CAAC,aAAa;wBACpC,OAAO,EAAE,UAAU;qBACnB,CAAC,CAAC,CAAC;gBACL,CAAC;gBAED,MAAM,eAAe,GAAG,kBAAkB,CAAC,UAAU,EAAE,UAAU,CAAC,CAAC;gBACnE,MAAM,wBAAwB,GAAG,CAAC,CAAC,MAAM,CAAC,iBAAiB,CAAC;gBAC5D,MAAM,qBAAqB,GAAG,eAAe,IAAI,UAAU,KAAK,QAAQ,CAAC;gBACzE,IAAI,wBAAwB,IAAI,qBAAqB,EAAE,CAAC;oBACvD,IAAI,CAAC;wBACJ,MAAM,SAAS,GAAG,kBAAkB,CAAC,mBAAmB,CAAC,IAAI,EAAE,CAAC,aAAa,CAAC,CAAC,CAAC;wBAEhF,IAAI,MAAM,CAAC,iBAAiB,EAAE,CAAC;4BAC9B,MAAM,CAAC,iBAAiB,CAAC,MAAM,EAAE,SAAS,EAAE,EAAE,KAAK,EAAE,IAAI,EAAE,UAAU,EAAE,CAAC,CAAC;wBAC1E,CAAC;wBAED,IAAI,qBAAqB,EAAE,CAAC;4BAC3B,MAAM,SAAS,GAAG,MAAM,SAAS,CAAC,YAAY,EAAE,CAAC;4BACjD,IAAI,eAAe,EAAE,CAAC;gCACrB,sDAAsD;gCACtD,MAAM,EAAE,OAAO,EAAE,QAAQ,EAAE,GAAG,qBAAqB,CAAC,SAAS,CAAC,CAAC;gCAC/D,MAAM,kBAAkB,GAAG,sBAAsB,CAAC,UAAU,EAAE,UAAU,CAAC,CAAC;gCAC1E,KAAK,MAAM,SAAS,IAAI,kBAAkB,EAAE,CAAC;oCAC5C,MAAM,MAAM,GAAG,MAAM,SAAS,CAAC,QAAQ,CAAC,UAAU,EAAE,OAAO,EAAE,QAAQ,CAAC,CAAC;oCACvE,IAAI,CAAC,MAAM,CAAC,KAAK,EAAE,CAAC;wCACnB,MAAK,CAAC,IAAI,MAAM,CAAC,gBAAgB,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC;oCAClD,CAAC;gCACF,CAAC;4BACF,CAAC;wBACF,CAAC;oBACF,CAAC;oBAAC,OAAO,CAAC,EAAE,CAAC;wBACZ,IAAI,MAAM,CAAC,eAAe,CAAC,UAAU,CAAC,CAAC,CAAC,EAAE,CAAC;4BAC1C,MAAK,CAAC,CAAC,CAAC,CAAC;wBACV,CAAC;wBACD,IAAI,MAAM,CAAC,gBAAgB,CAAC,UAAU,CAAC,CAAC,CAAC,EAAE,CAAC;4BAC3C,MAAK,CAAC,CAAC,CAAC,CAAC;wBACV,CAAC;wBACD,IAAI,uBAAuB,CAAC,UAAU,CAAC,CAAC,CAAC,EAAE,CAAC;4BAC3C,IAAI,CAAC,CAAC,IAAI,CAAC,UAAU,CAAC,YAAY,CAAC,EAAE,CAAC;gCACrC,MAAK,CAAC,IAAI,MAAM,CAAC,gBAAgB,CAAC,gCAAgC,CAAC,CAAC,OAAO,EAAE,CAAC,CAAC,CAAC;4BACjF,CAAC;4BACD,IAAI,CAAC,CAAC,IAAI,KAAK,iBAAiB,IAAI,CAAC,CAAC,IAAI,KAAK,mBAAmB,EAAE,CAAC;gCACpE,MAAK,CAAC,IAAI,MAAM,CAAC,uBAAuB,EAAE,CAAC,CAAC;4BAC7C,CAAC;wBACF,CAAC;wBACD,MAAK,CAAC,CAAC,CAAC,CAAC;oBACV,CAAC;gBACF,CAAC;gBAED,8BAA8B;gBAC9B,MAAM,WAAW,GAAG,MAAM,OAAO,CAAC,aAAa,CAAC,KAAK,EAAE,UAAU,EAAE,UAAU,EAAE;oBAC9E,WAAW,EAAE;wBACZ,iBAAiB,EAAE,eAAe,CAAC,iBAAiB;wBACpD,iBAAiB,EAAE,eAAe,CAAC,iBAAiB;qBACpD;iBACD,CAAC,CAAC;gBAEH,IAAI,cAAqC,CAAC;gBAC1C,IAAI,CAAC;oBACJ,cAAc,GAAG,MAAM,OAAO,CAAC,GAAG,CAAC,UAAU,EAAE,IAAI,EAAE;wBACpD,KAAK;wBACL,IAAI;wBACJ,UAAU;qBACV,CAAC,CAAC;oBAEH,MAAM,OAAO,CAAC,YAAY,CAAC,WAAW,CAAC,EAAE,CAAC,CAAC;gBAC5C,CAAC;gBAAC,OAAO,CAAC,EAAE,CAAC;oBACZ,IAAI,CAAC;wBACJ,MAAM,OAAO,CAAC,aAAa,CAAC,WAAW,CAAC,EAAE,CAAC,CAAC;oBAC7C,CAAC;oBAAC,OAAO,YAAY,EAAE,CAAC;wBACvB;;2BAEG;wBACH,MAAM,EAAE,IAAI,CAAC,sCAAsC,EAAE,EAAE,aAAa,EAAE,WAAW,CAAC,EAAE,EAAE,KAAK,EAAE,YAAY,EAAE,CAAC,CAAC;oBAC9G,CAAC;oBACD,MAAK,CAAC,CAAC,CAAC,CAAC;gBACV,CAAC;gBAED,MAAM,QAAQ,GAAkC;oBAC/C,EAAE,EAAE,IAAI;oBACR,MAAM,EAAE,cAAc;iBACtB,CAAC;gBAEF,OAAM,CAAC,YAAY,CAAC,QAAQ,EAAE,mCAAmC,CAAC,CAAC,CAAC;YACrE,CAAC;SACD,CAAC;QAEF,yCAAyC;QACzC,MAAM,CAAC,oBAAoB,CAAC,GAAG,KAAK,WAAU,MAAM,EAAE,SAAS,EAAE,QAAQ,EAAE,GAAG;YAC7E,MAAM,EAAE,UAAU,EAAE,GAAG,MAAM,kBAAkB,CAC9C,YAAY,EACZ,MAAM,EACN,GAAG,EACH,KAAK,EACL,0CAA0C,EAC1C,UAAS,IAAI,EAAE,MAAM;gBACpB,OAAM,CAAC,kCAAkC,CAAC,EAAE,IAAI,EAAE,OAAO,EAAE,MAAM,EAAE,CAAC,CAAC,CAAC;YACvE,CAAC,CACD,CAAC;YAEF,MAAM,OAAO,GAA8B,EAAE,CAAC;YAC9C,IAAI,uBAAuB,EAAE,CAAC;gBAC7B,OAAO,CAAC,6BAA6B,CAAC,GAAG,uBAAuB,CAAC;YAClE,CAAC;YAED,MAAM,MAAM,GAAG,MAAM,aAAa,CAAC,UAAU,CAAC,CAAC;YAC/C,OAAM,CAAC;gBACN,OAAO;gBACP,MAAM,EAAE,MAAM,CAAC,IAAI;gBACnB,WAAW,EAAE,yBAAyB;aACtC,CAAC,CAAC;QACJ,CAAC,CAAC;QAEF,0CAA0C;QAC1C,MAAM,CAAC,uBAAuB,CAAC,GAAG,KAAK,WAAU,MAAM,EAAE,SAAS,EAAE,QAAQ,EAAE,GAAG;YAChF,MAAM,EAAE,UAAU,EAAE,GAAG,MAAM,kBAAkB,CAC9C,YAAY,EACZ,MAAM,EACN,GAAG,EACH,QAAQ,EACR,6CAA6C,EAC7C,UAAS,IAAI,EAAE,MAAM;gBACpB,OAAM,CAAC,EAAE,IAAI,EAAE,OAAO,EAAE,MAAM,EAAE,CAAC,CAAC;YACnC,CAAC,CACD,CAAC;YAEF,MAAM,OAAO,GAAG,MAAM,OAAO,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC;YACjD,MAAM,QAAQ,GAAqC;gBAClD,EAAE,EAAE,IAAI;gBACR,OAAO;aACP,CAAC;YAEF,OAAM,CAAC,YAAY,CAAC,QAAQ,EAAE,sCAAsC,CAAC,CAAC,CAAC;QACxE,CAAC,CAAC;QAEF,4CAA4C;QAC5C,MAAM,CAAC,sBAAsB,CAAC,GAAG,KAAK,WAAU,MAAM,EAAE,SAAS,EAAE,QAAQ,EAAE,GAAG;YAC/E,MAAM,EAAE,UAAU,EAAE,GAAG,MAAM,kBAAkB,CAC9C,YAAY,EACZ,MAAM,EACN,GAAG,EACH,UAAU,EACV,0CAA0C,EAC1C,UAAS,IAAI,EAAE,MAAM;gBACpB,OAAM,CAAC,kCAAkC,CAAC,EAAE,IAAI,EAAE,OAAO,EAAE,MAAM,EAAE,CAAC,CAAC,CAAC;YACvE,CAAC,CACD,CAAC;YAEF,MAAM,MAAM,GAAG,MAAM,aAAa,CAAC,UAAU,CAAC,CAAC;YAC/C,OAAM,CAAC,YAAY,CAAC,EAAE,EAAE,EAAE,IAAI,EAAE,MAAM,EAAE,MAAM,CAAC,QAAQ,EAAE,EAAE,mCAAmC,CAAC,CAAC,CAAC;QAClG,CAAC,CAAC;QAEF,yEAAyE;QACzE,MAAM,CAAC,sBAAsB,CAAC,GAAG,KAAK,WAAU,MAAM,EAAE,QAAQ;YAC/D,MAAM,UAAU,GAAG,iBAAiB,CAAC,MAAM,CAAC,CAAC;YAC7C,MAAM,OAAO,GAAG,6CAA6C,CAAC,QAAQ,CAAC,CAAC;YAExE,MAAM,QAAQ,GAAG,qDAAqD,CAAC;gBACtE,IAAI,EAAE,UAAU;gBAChB,UAAU,EAAE,OAAO,CAAC,UAAU;gBAC9B,IAAI,EAAE,OAAO,CAAC,IAAI;aAClB,CAAC,CAAC;YACH,MAAM,OAAO,GAAG,MAAM,cAAc,CAAC,OAAO,EAAE,cAAa,OAAM,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;YAEhF,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,GAAG,gBAAgB,CAAC,YAAY,EAAE,OAAO,EAAE,UAAU,EAAE,gBAAgB,CAAC,CAAC;YAEjG,YAAY,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;YAE3B,MAAM,UAAU,GAAG,gBAAgB,CAAC,OAAO,CAAC,UAAU,CAAC,CAAC;YACxD,MAAM,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC;YAE1B,oDAAoD;YACpD,MAAM,QAAQ,GAAG,MAAM,aAAa,CAAC,UAAU,CAAC,CAAC;YACjD,IAAI,MAAM,CAAC,gBAAgB,EAAE,CAAC;gBAC7B,MAAM,CAAC,gBAAgB,CAAC,MAAM,EAAE,EAAE,KAAK,EAAE,QAAQ,CAAC,QAAQ,CAAC,KAAK,EAAE,IAAI,EAAE,UAAU,EAAE,CAAC,CAAC;YACvF,CAAC;YAED,IAAI,CAAC,OAAO,CAAC,cAAc,EAAE,CAAC;gBAC7B,MAAK,CAAC,IAAI,MAAM,CAAC,qBAAqB,CAAC,gBAAgB,CAAC,CAAC,CAAC;YAC3D,CAAC;YAED,MAAM,OAAO,GAAG,MAAM,OAAO,CAAC,cAAc,CAAC,UAAU,EAAE,EAAE,IAAI,EAAE,UAAU,EAAE,CAAC,CAAC;YAC/E,IAAI,CAAC,OAAO,EAAE,CAAC;gBACd,MAAK,CAAC,IAAI,MAAM,CAAC,gBAAgB,EAAE,CAAC,CAAC;YACtC,CAAC;YAED,OAAM,CAAC,YAAY,CAAC,EAAE,EAAE,EAAE,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,EAAE,mCAAmC,CAAC,CAAC,CAAC;QAC1F,CAAC,CAAC;QAEF,wCAAwC;QACxC,MAAM,CAAC,kBAAkB,CAAC,GAAG,KAAK,WAAU,OAAO,EAAE,QAAQ;YAC5D,MAAM,OAAO,GAAG,qCAAqC,CAAC,QAAQ,CAAC,CAAC;YAChE,MAAM,OAAO,GAAG,MAAM,cAAc,CAAC,OAAO,EAAE,6CAA6C,CAAC,CAAC;YAC7F,MAAM,aAAa,GAAG,OAAO,CAAC,eAAe,CAAC,GAAG,EAAE,CAAC;YAEpD,0DAA0D;YAC1D,MAAM,eAAe,GAAG,OAAO,CAAC,QAAQ,CAAC,UAAU,KAAK,QAAQ,CAAC;YACjE,IAAI,eAAe,EAAE,CAAC;gBACrB,uFAAuF;gBACvF,iDAAiD;gBACjD,MAAM,cAAc,GAAG;oBACtB,GAAG,OAAO,CAAC,QAAQ;oBACnB,UAAU,EAAE,QAAiB;iBAC7B,CAAC;gBAEF,MAAM,OAAO,GAAG,MAAM,OAAO,CAAC,MAAM,CACnC,cAAc,EACd,kBAAkB,CAAC,OAAO,CAAC,UAAU,CAAC,CACtC,CAAC;gBAEF,mBAAmB,CAAC,OAAO,EAAE,EAAE,UAAU,EAAE,QAAQ,EAAE,CAAC,CAAC;gBAEvD,OAAM,CAAC,YAAY,CAAC,mBAAmB,CAAC,OAAO,CAAC,EAAE,sCAAsC,CAAC,CAAC,CAAC;YAC5F,CAAC;YAED,oDAAoD;YACpD,MAAM,cAAc,GAAG;gBACtB,GAAG,OAAO,CAAC,QAAQ;gBACnB,KAAK,EAAE,aAAa;aACpB,CAAC;YAEF,MAAM,OAAO,GAAG,MAAM,OAAO,CAAC,MAAM,CACnC,cAAc,EACd,kBAAkB,CAAC,OAAO,CAAC,UAAU,CAAC,CACtC,CAAC;YAEF,mBAAmB,CAAC,OAAO,EAAE,EAAE,KAAK,EAAE,aAAa,EAAE,CAAC,CAAC;YAEvD,OAAM,CAAC,YAAY,CAAC,mBAAmB,CAAC,OAAO,CAAC,EAAE,sCAAsC,CAAC,CAAC,CAAC;QAC5F,CAAC,CAAC;QAEF,oCAAoC;QACpC,MAAM,CAAC,gBAAgB,CAAC,GAAG,KAAK,WAAU,OAAO,EAAE,SAAS,EAAE,QAAQ,EAAE,GAAG;YAC1E,MAAM,OAAO,GAAG,MAAM,aAAa,CAClC,GAAG,EACH,4CAA4C,EAC5C,cAAa,OAAM,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,CAC1B,CAAC;YAEF,uFAAuF;YACvF,MAAM,KAAK,GAAG,OAAO,CAAC,eAAe,CAAC,GAAG,EAAE,CAAC;YAC5C,MAAM,UAAU,GAAG,OAAO,CAAC,cAAc;gBACxC,CAAC,CAAC,MAAM,OAAO,CAAC,cAAc,CAAC,KAAK,CAAC;gBACrC,CAAC,CAAC,IAAI,CAAC;YACR,MAAM,eAAe,GAAG,UAAU,IAAI,MAAM,CAAC;YAE7C,MAAM,aAAa,GAAG,MAAM,OAAO,CAAC,cAAc,CAAC,KAAK,CAAC,CAAC;YAE1D,uCAAuC;YACvC,IAAI,gBAAgB,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,eAAe,CAAC,iBAAiB,GAAG,aAAa,CAAC,WAAW,CAAC,CAAC;YAClG,IAAI,aAAa,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,eAAe,CAAC,iBAAiB,GAAG,aAAa,CAAC,SAAS,CAAC,CAAC;YAE7F,0EAA0E;YAC1E,IAAI,aAAa,CAAC,gBAAgB,KAAK,SAAS,IAAI,aAAa,CAAC,gBAAgB,GAAG,CAAC,EAAE,CAAC;gBACxF,gBAAgB,GAAG,IAAI,CAAC,GAAG,CAAC,aAAa,CAAC,gBAAgB,EAAE,gBAAgB,CAAC,CAAC;YAC/E,CAAC;YACD,IAAI,aAAa,CAAC,aAAa,KAAK,SAAS,IAAI,aAAa,CAAC,aAAa,GAAG,CAAC,EAAE,CAAC;gBAClF,aAAa,GAAG,IAAI,CAAC,GAAG,CAAC,aAAa,CAAC,aAAa,EAAE,aAAa,CAAC,CAAC;YACtE,CAAC;YAED,MAAM,QAAQ,GAAoC;gBACjD,EAAE,EAAE,IAAI;gBACR,KAAK,EAAE;oBACN,WAAW,EAAE,aAAa,CAAC,WAAW;oBACtC,SAAS,EAAE,aAAa,CAAC,SAAS;oBAClC,gBAAgB;oBAChB,aAAa;iBACb;aACD,CAAC;YAEF,OAAM,CAAC,YAAY,CAAC,QAAQ,EAAE,qCAAqC,CAAC,CAAC,CAAC;QACvE,CAAC,CAAC;QAEF,+DAA+D;QAC/D,MAAM,CAAC,oBAAoB,CAAC,GAAG,KAAK,WAAU,MAAM,EAAE,SAAS,EAAE,QAAQ,EAAE,GAAG;YAC7E,MAAM,UAAU,GAAG,iBAAiB,CAAC,MAAM,CAAC,CAAC;YAC7C,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,GAAG,SAAS,CAAC,YAAY,EAAE,UAAU,CAAC,CAAC;YAE/D,yDAAyD;YACzD,MAAM,SAAS,GAAG,qBAAqB,CAAC,GAAG,CAAC,CAAC;YAC7C,IAAI,CAAC,SAAS,CAAC,WAAW,EAAE,CAAC;gBAC5B,MAAK,CAAC,IAAI,MAAM,CAAC,gBAAgB,CAAC,uCAAuC,CAAC,CAAC,CAAC;YAC7E,CAAC;YAED,6FAA6F;YAC7F,MAAM,aAAa,GAAG,MAAM,CAAC,mBAAmB,CAAC,MAAM,CAAC,IAAI,SAAS,CAAC,OAAO,IAAI,IAAI,CAAC;YACtF,IAAI,CAAC,aAAa,EAAE,CAAC;gBACpB,MAAK,CAAC,IAAI,MAAM,CAAC,gBAAgB,CAAC,gBAAgB,CAAC,CAAC,CAAC;YACtD,CAAC;YACD,MAAM,YAAY,GAAG,aAAa,CAAC,eAAe,CAAC,GAAG,EAAE,CAAC;YAEzD,mCAAmC;YACnC,MAAM,SAAS,GAAG,OAAO,GAAG,KAAK,QAAQ,CAAC,CAAC,CAAC,IAAI,GAAG,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC;YAC/D,MAAM,YAAY,GAAG,SAAS,CAAC,YAAY,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;YAC3D,IAAI,CAAC,YAAY,EAAE,CAAC;gBACnB,MAAK,CAAC,IAAI,MAAM,CAAC,gBAAgB,CAAC,2BAA2B,CAAC,CAAC,CAAC;YACjE,CAAC;YACD,MAAM,SAAS,GAAG,QAAQ,CAAC,YAAY,EAAE,EAAE,CAAC,CAAC;YAC7C,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,SAAS,CAAC,EAAE,CAAC;gBACjC,MAAK,CAAC,IAAI,MAAM,CAAC,gBAAgB,CAAC,2BAA2B,CAAC,CAAC,CAAC;YACjE,CAAC;YACD,IAAI,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS,GAAG,IAAI,EAAE,CAAC;gBACnC,MAAK,CAAC,IAAI,MAAM,CAAC,gBAAgB,EAAE,CAAC,CAAC;YACtC,CAAC;YAED,sBAAsB;YACtB,MAAM,YAAY,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,GAAG,MAAM,CAAC,eAAe,CAAC;YAC5E,IAAI,SAAS,GAAG,YAAY,EAAE,CAAC;gBAC9B,MAAK,CAAC,IAAI,MAAM,CAAC,gBAAgB,CAAC,wCAAwC,CAAC,CAAC,CAAC;YAC9E,CAAC;YAED,gEAAgE;YAChE,MAAM,eAAe,GAAG,MAAM,CAAC,IAAI,CAAC,SAAS,CAAC,WAAW,CAAC,SAAS,EAAE,QAAQ,CAAC,CAAC;YAC/E,IAAI,eAAe,CAAC,MAAM,GAAG,EAAE,IAAI,eAAe,CAAC,MAAM,GAAG,GAAG,EAAE,CAAC;gBACjE,MAAK,CAAC,IAAI,MAAM,CAAC,gBAAgB,CAAC,0BAA0B,CAAC,CAAC,CAAC;YAChE,CAAC;YAED,IAAI,CAAC;gBACJ,2DAA2D;gBAC3D,MAAM,KAAK,GAAG,MAAM,gBAAgB,CAAC,aAAa,EAAE,CAAC,UAAU,EAAE,SAAS,EAAE,YAAY,CAAC,EAAE,SAAS,CAAC,WAAW,EAAE;oBACjH,SAAS,EAAE,CAAC,GAAG,EAAE,GAAG,IAAI;iBACxB,CAAC,CAAC;gBACH,IAAI,CAAC,KAAK,EAAE,CAAC;oBACZ,MAAK,CAAC,IAAI,MAAM,CAAC,gBAAgB,EAAE,CAAC,CAAC;gBACtC,CAAC;YACF,CAAC;YAAC,OAAO,CAAC,EAAE,CAAC;gBACZ,IAAI,MAAM,CAAC,gBAAgB,CAAC,UAAU,CAAC,CAAC,CAAC,EAAE,CAAC;oBAC3C,MAAK,CAAC,CAAC,CAAC,CAAC;gBACV,CAAC;gBAED,MAAK,CAAC,IAAI,MAAM,CAAC,gBAAgB,CAAC,+BAA+B,CAAC,CAAC,CAAC;YACrE,CAAC;YAED,MAAM,MAAM,GAAG,MAAM,aAAa,CAAC,UAAU,CAAC,CAAC;YAC/C,IAAI,MAAM,CAAC,QAAQ,CAAC,UAAU,KAAK,QAAQ,EAAE,CAAC;gBAC7C,MAAK,CAAC,IAAI,MAAM,CAAC,YAAY,CAAC,sBAAsB,CAAC,CAAC,CAAC;YACxD,CAAC;YAED,2EAA2E;YAC3E,MAAM,IAAI,GAAG,uBAAuB,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;YAClD,MAAM,SAAS,GAAG,kBAAkB,CAAC,mBAAmB,CAAC,IAAI,EAAE,CAAC,aAAa,CAAC,CAAC,CAAC;YAChF,MAAM,SAAS,GAAG,MAAM,SAAS,CAAC,YAAY,EAAE,CAAC;YACjD,MAAM,EAAE,OAAO,EAAE,QAAQ,EAAE,GAAG,qBAAqB,CAAC,SAAS,CAAC,CAAC;YAE/D,MAAM,OAAO,GAA8B,EAAE,CAAC;YAC9C,IAAI,gBAAgB,EAAE,CAAC;gBACtB,OAAO,CAAC,6BAA6B,CAAC,GAAG,gBAAgB,CAAC;YAC3D,CAAC;YAED,OAAM,CAAC;gBACN,MAAM,EAAE,OAAO;gBACf,WAAW,EAAE,QAAQ;gBACrB,OAAO;aACP,CAAC,CAAC;QACJ,CAAC,CAAC;QAEF,aAAa;QAEb,OAAM,CAAC,MAAM,CAAC,CAAC;IAChB,CAAC;IAED,KAAK,CAAC,eAAe;QACpB,MAAM,YAAY,GAAG,EAAE,OAAO,EAAE,EAAE,cAAc,EAAE,EAAE,IAAI,EAAE,UAAmB,EAAE,MAAM,EAAE,eAAwB,EAAE,EAAC,EAAC,CAAC;QACpH,MAAM,UAAU,GAA8E;YAC7F,GAAG,EAAE,EAAE,GAAG,EAAE,CAAC,IAAI,GAAG,CAAC,aAAa,EAAE,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,QAAQ,EAAE,EAAE,GAAG,YAAY,EAAE;YAC5E,GAAG,EAAE,EAAE,GAAG,EAAE,CAAC,IAAI,GAAG,CAAC,aAAa,EAAE,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,QAAQ,EAAE,EAAE,GAAG,YAAY,EAAE;YAC5E,MAAM,EAAE,EAAE,GAAG,EAAE,CAAC,IAAI,GAAG,CAAC,aAAa,EAAE,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,QAAQ,EAAE,EAAE,GAAG,YAAY,EAAE;YAC/E,QAAQ,EAAE,EAAE,GAAG,EAAE,CAAC,IAAI,GAAG,CAAC,eAAe,EAAE,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,QAAQ,EAAE,EAAE,GAAG,YAAY,EAAE;YACnF,cAAc,EAAE,EAAE,GAAG,EAAE,CAAC,IAAI,GAAG,CAAC,eAAe,EAAE,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,QAAQ,EAAE,EAAE,GAAG,YAAY,EAAE;YACzF,MAAM,EAAE,EAAE,GAAG,EAAE,CAAC,IAAI,GAAG,CAAC,aAAa,EAAE,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,QAAQ,EAAE,EAAE,GAAG,YAAY,EAAE;YAC/E,MAAM,EAAE,CAAC,IAAI,GAAG,CAAC,aAAa,EAAE,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,QAAQ,EAAE;YACrD,KAAK,EAAE,EAAE,GAAG,EAAE,CAAC,IAAI,GAAG,CAAC,YAAY,EAAE,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,QAAQ,EAAE,EAAE,GAAG,YAAY,EAAE;SAC7E,CAAC;QAEF,OAAM,CAAC;YACN,UAAU;YACV,aAAa,EAAE,IAAI,CAAC,aAAa,CAAC,eAAe,CAAC,GAAG,EAAE;YACvD,MAAM,EAAE,IAAI,CAAC,MAAM;YACnB,mBAAmB,EAAE,IAAI,CAAC,mBAAmB;YAC7C,gBAAgB,EAAE,CAAC,OAAO,EAAE,MAAM,EAAE,YAAY,EAAE,YAAY,CAAC;SAC/D,CAAC,CAAC;IACJ,CAAC;CACD","sourcesContent":["import type { ServiceMetadata } from '../../lib/resolver.ts';\nimport type { Signable } from '../../lib/utils/signing.js';\nimport type { NamespaceValidator } from './lib/validators.js';\nimport * as KeetaAnchorHTTPServer from '../../lib/http-server/index.js';\nimport { KeetaNet } from '../../client/index.js';\nimport {\n\tKeetaAnchorUserError\n} from '../../lib/error.js';\nimport type {\n\tKeetaStorageAnchorDeleteResponse,\n\tKeetaStorageAnchorPutResponse,\n\tKeetaStorageAnchorSearchResponse,\n\tKeetaStorageAnchorQuotaResponse,\n\tFullStorageBackend,\n\tQuotaConfig,\n\tStorageObjectVisibility,\n\tStorageObjectMetadata,\n\tPathPolicy,\n\tSearchResults,\n\tStorageGetResult,\n\tSearchPagination\n} from './common.ts';\nimport {\n\tassertKeetaStorageAnchorDeleteResponse,\n\tassertKeetaStorageAnchorPutResponse,\n\tassertKeetaStorageAnchorGetRequest,\n\tassertKeetaStorageAnchorSearchRequest,\n\tassertKeetaStorageAnchorSearchResponse,\n\tassertKeetaStorageAnchorQuotaResponse,\n\tassertKeetaStorageAnchorUpdateMetadataRequest\n} from './common.generated.js';\nimport {\n\tgetKeetaStorageAnchorDeleteRequestSigningData,\n\tgetKeetaStorageAnchorPutRequestSigningData,\n\tgetKeetaStorageAnchorGetRequestSigningData,\n\tgetKeetaStorageAnchorSearchRequestSigningData,\n\tgetKeetaStorageAnchorQuotaRequestSigningData,\n\tgetKeetaStorageAnchorUpdateMetadataRequestSigningData,\n\tparseContainerPayload,\n\tErrors,\n\tCONTENT_TYPE_OCTET_STREAM,\n\tDEFAULT_SIGNED_URL_TTL_SECONDS\n} from './common.js';\nimport { VerifySignedData } from '../../lib/utils/signing.js';\nimport { assertHTTPSignedField, parseSignatureFromURL } from '../../lib/http-server/common.js';\nimport { arrayBufferLikeToBuffer, Buffer } from '../../lib/utils/buffer.js';\nimport { requiresValidation, findMatchingValidators } from './lib/validators.js';\nimport { EncryptedContainer, EncryptedContainerError } from '../../lib/encrypted-container.js';\nimport { assertVisibility } from './utils.js';\n\ntype Account = InstanceType<typeof KeetaNet.lib.Account>;\n\n/**\n * Build a standardized search response from search results.\n */\nfunction buildSearchResponse(results: SearchResults): KeetaStorageAnchorSearchResponse {\n\tconst response: KeetaStorageAnchorSearchResponse = {\n\t\tok: true,\n\t\tresults: results.results\n\t};\n\tif (results.nextCursor !== undefined) {\n\t\tresponse.nextCursor = results.nextCursor;\n\t}\n\treturn(response);\n}\n\n// #region Module-Level Helpers\n\n/**\n * Find a matching policy for a path, validate it, and check access.\n *\n * @param pathPolicies - Array of path policies to check against\n * @param account - The account to check access for\n * @param path - The path to check\n * @param operation - The operation being performed\n */\nfunction assertPathAccess(\n\tpathPolicies: PathPolicy<unknown>[],\n\taccount: Account,\n\tpath: string,\n\toperation: 'get' | 'put' | 'delete' | 'search' | 'metadata' | 'updateMetadata'\n): { policy: PathPolicy<unknown>; parsed: unknown } {\n\tfor (const policy of pathPolicies) {\n\t\tconst parsed = policy.parse(path);\n\t\tif (parsed !== null) {\n\t\t\tpolicy.validate(path);\n\n\t\t\tif (!policy.checkAccess(account, parsed, operation)) {\n\t\t\t\tthrow(new Errors.AccessDenied('Can only access your own namespace'));\n\t\t\t}\n\n\t\t\treturn({ policy, parsed });\n\t\t}\n\t}\n\n\tthrow(new Errors.InvalidPath('Path does not match any policy'));\n}\n\n/**\n * Find a matching policy and parse a path.\n * Used for public endpoints where auth is optional.\n *\n * @param pathPolicies - Array of path policies to check against\n * @param path - The path to parse\n */\nfunction parsePath(\n\tpathPolicies: PathPolicy<unknown>[],\n\tpath: string\n): { policy: PathPolicy<unknown>; parsed: unknown } {\n\tfor (const policy of pathPolicies) {\n\t\tconst parsed = policy.parse(path);\n\t\tif (parsed !== null) {\n\t\t\tpolicy.validate(path);\n\t\t\treturn({ policy, parsed });\n\t\t}\n\t}\n\n\tthrow(new Errors.InvalidPath('Path does not match any policy'));\n}\n\n/**\n * Verify a signed request from POST body.\n * Extracts account and signature from the request, verifies the signature,\n * and returns the authenticated account.\n *\n * @typeParam T - Request type containing optional account and signed fields\n *\n * @param request - The request object containing account and signed fields\n * @param getSigningData - Function to extract signable data from the request\n *\n * @returns The authenticated account\n *\n * @throws KeetaAnchorUserError if authentication is missing or invalid\n */\nasync function verifyBodyAuth<T extends { account?: string; signed?: unknown }>(\n\trequest: T,\n\tgetSigningData: (req: T) => Signable\n): Promise<Account> {\n\tif (!request.account || !request.signed) {\n\t\tthrow(new KeetaAnchorUserError('Authentication required'));\n\t}\n\n\tconst account = KeetaNet.lib.Account.fromPublicKeyString(request.account).assertAccount();\n\tconst signable = getSigningData(request);\n\tconst signed = assertHTTPSignedField(request.signed);\n\n\tconst valid = await VerifySignedData(account, signable, signed);\n\tif (!valid) {\n\t\tthrow(new KeetaAnchorUserError('Invalid signature'));\n\t}\n\n\treturn(account);\n}\n\n/**\n * Verify a signed request from URL query parameters.\n * Parses signature from URL, builds a request object, verifies the signature,\n * and returns the authenticated account.\n *\n * @typeParam T - Request type to build from the account public key\n *\n * @param url - The URL containing signature query parameters\n * @param getSigningData - Function to extract signable data from the request\n * @param buildRequest - Function to build a request object from the account public key\n *\n * @returns The authenticated account\n *\n * @throws KeetaAnchorUserError if authentication is missing or invalid\n */\nasync function verifyURLAuth<T>(\n\turl: URL | string,\n\tgetSigningData: (req: T) => Signable,\n\tbuildRequest: (accountPubKey: string) => T\n): Promise<Account> {\n\tlet urlString: string;\n\tif (typeof url === 'string') {\n\t\turlString = url;\n\t} else {\n\t\turlString = url.href;\n\t}\n\n\tconst parsed = parseSignatureFromURL(urlString);\n\tif (!parsed.account || !parsed.signedField) {\n\t\tthrow(new KeetaAnchorUserError('Authentication required'));\n\t}\n\n\tconst request = buildRequest(parsed.account.publicKeyString.get());\n\tconst signable = getSigningData(request);\n\n\tconst valid = await VerifySignedData(parsed.account, signable, parsed.signedField);\n\tif (!valid) {\n\t\tthrow(new KeetaAnchorUserError('Invalid signature'));\n\t}\n\n\treturn(parsed.account);\n}\n\n/**\n * Extract object path from wildcard route parameter.\n * Prepends a leading slash to create a valid storage path.\n *\n * @param params - Route parameters containing the wildcard match\n *\n * @returns The object path with leading slash\n *\n * @throws InvalidPath if wildcard parameter is missing\n */\nfunction extractObjectPath(params: Map<string, string>): string {\n\tconst wildcardPath = params.get('**');\n\tif (!wildcardPath) {\n\t\tthrow(new Errors.InvalidPath());\n\t}\n\n\treturn('/' + wildcardPath);\n}\n\n/**\n * Authorize access to an object path via URL-signed request.\n * Combines path validation, signature verification, and access control.\n *\n * @typeParam T - Request type to build from path and account\n *\n * @param pathPolicies - Array of path policies to check against\n * @param params - Route parameters containing the wildcard path\n * @param url - The URL containing signature query parameters\n * @param operation - The operation being authorized\n * @param getSigningData - Function to extract signable data from the request\n * @param buildRequest - Function to build a request object from path and account\n *\n * @returns The authenticated account and validated object path\n *\n * @throws InvalidPath if path is invalid or doesn't match any policy\n * @throws AccessDenied if user doesn't have access to the path\n * @throws KeetaAnchorUserError if signature is invalid\n */\nasync function authorizeURLAccess<T>(\n\tpathPolicies: PathPolicy<unknown>[],\n\tparams: Map<string, string>,\n\turl: URL | string,\n\toperation: 'get' | 'put' | 'delete' | 'metadata',\n\tgetSigningData: (req: T) => Signable,\n\tbuildRequest: (path: string, accountPubKey: string) => T\n): Promise<{ account: Account; objectPath: string }> {\n\tconst objectPath = extractObjectPath(params);\n\tparsePath(pathPolicies, objectPath);\n\n\tconst account = await verifyURLAuth(url, getSigningData, function(pubKey) {\n\t\treturn(buildRequest(objectPath, pubKey));\n\t});\n\n\tassertPathAccess(pathPolicies, account, objectPath, operation);\n\n\treturn({ account, objectPath });\n}\n\n// #endregion\n\n/**\n * Configuration for the Storage Anchor\n *\n * The Storage Anchor provides encrypted object storage with the following operations:\n *\n * PUT (Create/Update):\n * 1. Client creates EncryptedContainer with data, shares with anchor for public objects\n * 2. Client signs request (path, visibility, tags) and sends to server\n * 3. Server reserves quota, validates, stores object, commits reservation\n *\n * GET (Retrieve):\n * 1. Client signs request (path) and sends to server\n * 2. Server verifies access, returns EncryptedContainer\n * 3. Client decrypts with their private key\n *\n * DELETE:\n * 1. Client signs request (path) and sends to server\n * 2. Server verifies ownership, removes object\n *\n * SEARCH:\n * 1. Client signs request with criteria (tags, prefix, etc.)\n * 2. Server returns matching metadata (scoped to user's namespace)\n *\n * PUBLIC ACCESS (Pre-signed URLs):\n * 1. Client generates pre-signed URL with expiry, signed by owner\n * 2. Anyone can fetch via URL (no auth headers)\n * 3. Server verifies signature, expiry, and visibility\n * 4. Server decrypts and returns plaintext content\n *\n *\n * +-------------------+ +---------------------+ +------------------+\n * | Client | | Storage Anchor | | Storage Backend |\n * +-------------------+ +---------------------+ +------------------+\n * | | |\n * (PUT) Create EncryptedContainer | |\n * | Sign(path, visibility, tags) | |\n * |---------------------------------->| |\n * | | reserveUpload() ---------------->|\n * | | validate, put() ---------------->|\n * | | commitUpload() ----------------->|\n * |<--------------------------------- | { ok: true, object: metadata } |\n * | | |\n * (GET) Sign(path) ------------------------>| |\n * | | get() -------------------------->|\n * |<--------------------------------- | EncryptedContainer (binary) |\n * | Decrypt with private key | |\n * | | |\n * (PUBLIC) Generate pre-signed URL | |\n * | URL with expires, signature | |\n * (Anyone) Fetch URL ---------------------->| |\n * | | verify signature, expiry |\n * | | get(), decrypt ----------------->|\n * |<--------------------------------- | Plaintext content |\n */\nexport interface KeetaAnchorStorageServerConfig extends KeetaAnchorHTTPServer.KeetaAnchorHTTPServerConfig {\n\t/**\n\t * The data to use for the index page (optional)\n\t */\n\thomepage?: string | (() => Promise<string> | string);\n\n\t/**\n\t * The storage backend to use for storing documents.\n\t * Must implement full capabilities: CRUD, search, and quota management.\n\t */\n\tbackend: FullStorageBackend;\n\n\t/**\n\t * The anchor's account for decrypting objects.\n\t */\n\tanchorAccount: Account;\n\n\t/**\n\t * Quota configuration for storage limits.\n\t * Partial values are merged with defaults.\n\t */\n\tquotas?: Partial<QuotaConfig>;\n\n\t/**\n\t * Namespace validators for special paths\n\t */\n\tvalidators?: NamespaceValidator[];\n\n\t/**\n\t * Default TTL in seconds for pre-signed URLs (default: 3600)\n\t */\n\tsignedUrlDefaultTTL?: number;\n\n\t/**\n\t * CORS origin for public endpoints (default: false).\n\t * - '*' allows all origins\n\t * - specific origin string restricts to that origin\n\t * - false (default) disables CORS headers on public responses\n\t */\n\tpublicCORSOrigin?: string | false;\n\n\t/**\n\t * CORS origin for authenticated object endpoints (default: '*').\n\t * - '*' allows all origins\n\t * - specific origin string restricts to that origin\n\t */\n\tauthenticatedCORSOrigin?: string;\n\n\t/**\n\t * Path policies for parsing, validating, and access control of storage paths.\n\t * Each policy handles a specific path pattern. First matching policy wins.\n\t */\n\tpathPolicies: PathPolicy<unknown>[];\n\n\t/**\n\t * Tag validation configuration.\n\t */\n\ttagValidation?: {\n\t\t/** Maximum number of tags per object (default: 10) */\n\t\tmaxTags?: number;\n\t\t/** Maximum length of each tag (default: 50) */\n\t\tmaxTagLength?: number;\n\t\t/** Pattern for valid tag characters (default: /^[a-zA-Z0-9_-]+$/) */\n\t\tpattern?: RegExp;\n\t};\n}\n\n// Default quota configuration\nconst DEFAULT_QUOTAS: QuotaConfig = {\n\tmaxObjectSize: 10 * 1024 * 1024, // 10MB\n\tmaxObjectsPerUser: 1000,\n\tmaxStoragePerUser: 100 * 1024 * 1024, // 100MB\n\tmaxSearchLimit: 100,\n\tmaxSignedUrlTTL: 86400 // 24 hours\n};\n\n// Default tag validation configuration\nconst DEFAULT_TAG_VALIDATION = {\n\tmaxTags: 10,\n\tmaxTagLength: 50,\n\tpattern: /^[a-zA-Z0-9_-]+$/\n};\n\nexport class KeetaNetStorageAnchorHTTPServer extends KeetaAnchorHTTPServer.KeetaNetAnchorHTTPServer<KeetaAnchorStorageServerConfig> {\n\treadonly homepage: NonNullable<KeetaAnchorStorageServerConfig['homepage']>;\n\treadonly backend: FullStorageBackend;\n\treadonly anchorAccount: Account;\n\treadonly quotas: QuotaConfig;\n\treadonly validators: NamespaceValidator[];\n\treadonly signedUrlDefaultTTL: number;\n\treadonly publicCorsOrigin: string | false;\n\treadonly authenticatedCorsOrigin: string;\n\treadonly pathPolicies: PathPolicy<unknown>[];\n\treadonly tagValidation: Required<NonNullable<KeetaAnchorStorageServerConfig['tagValidation']>>;\n\n\tconstructor(config: KeetaAnchorStorageServerConfig) {\n\t\tsuper(config);\n\n\t\tthis.homepage = config.homepage ?? '';\n\t\tthis.backend = config.backend;\n\t\tthis.anchorAccount = config.anchorAccount;\n\t\tthis.quotas = { ...DEFAULT_QUOTAS, ...config.quotas };\n\t\tthis.validators = config.validators ?? [];\n\t\tthis.signedUrlDefaultTTL = config.signedUrlDefaultTTL ?? DEFAULT_SIGNED_URL_TTL_SECONDS;\n\t\tthis.publicCorsOrigin = config.publicCORSOrigin ?? false;\n\t\tthis.authenticatedCorsOrigin = config.authenticatedCORSOrigin ?? '*';\n\t\tthis.pathPolicies = config.pathPolicies;\n\t\tthis.tagValidation = {\n\t\t\tmaxTags: config.tagValidation?.maxTags ?? DEFAULT_TAG_VALIDATION.maxTags,\n\t\t\tmaxTagLength: config.tagValidation?.maxTagLength ?? DEFAULT_TAG_VALIDATION.maxTagLength,\n\t\t\tpattern: config.tagValidation?.pattern ?? DEFAULT_TAG_VALIDATION.pattern\n\t\t};\n\n\t\t// Validate anchorAccount has private key\n\t\tif (!this.anchorAccount.hasPrivateKey) {\n\t\t\tthrow(new Error('anchorAccount must have a private key'));\n\t\t}\n\n\t\t// Validate at least one path policy is provided\n\t\tif (this.pathPolicies.length === 0) {\n\t\t\tthrow(new Error('At least one path policy must be provided'));\n\t\t}\n\n\t\t// Validate quota configuration values are positive\n\t\tif (this.quotas.maxObjectSize <= 0) {\n\t\t\tthrow(new Error('quotas.maxObjectSize must be positive'));\n\t\t}\n\t\tif (this.quotas.maxObjectsPerUser <= 0) {\n\t\t\tthrow(new Error('quotas.maxObjectsPerUser must be positive'));\n\t\t}\n\t\tif (this.quotas.maxStoragePerUser <= 0) {\n\t\t\tthrow(new Error('quotas.maxStoragePerUser must be positive'));\n\t\t}\n\t\tif (this.quotas.maxSearchLimit <= 0) {\n\t\t\tthrow(new Error('quotas.maxSearchLimit must be positive'));\n\t\t}\n\t\tif (this.quotas.maxSignedUrlTTL <= 0) {\n\t\t\tthrow(new Error('quotas.maxSignedUrlTTL must be positive'));\n\t\t}\n\n\t\t// Validate tag validation configuration\n\t\tif (this.tagValidation.maxTags <= 0) {\n\t\t\tthrow(new Error('tagValidation.maxTags must be positive'));\n\t\t}\n\t\tif (this.tagValidation.maxTagLength <= 0) {\n\t\t\tthrow(new Error('tagValidation.maxTagLength must be positive'));\n\t\t}\n\t}\n\n\t// Note: We use this.* properties instead of config.*.\n\t// The config parameter is required by the abstract method signature but unused here.\n\tprotected async initRoutes(_ignoreConfig: KeetaAnchorStorageServerConfig): Promise<KeetaAnchorHTTPServer.Routes> {\n\t\tconst routes: KeetaAnchorHTTPServer.Routes = {};\n\t\tconst backend = this.backend;\n\t\tconst anchorAccount = this.anchorAccount;\n\t\tconst quotas = this.quotas;\n\t\tconst validators = this.validators;\n\t\tconst publicCorsOrigin = this.publicCorsOrigin;\n\t\tconst authenticatedCorsOrigin = this.authenticatedCorsOrigin;\n\t\tconst pathPolicies = this.pathPolicies;\n\t\tconst tagValidation = this.tagValidation;\n\t\tconst logger = this.logger;\n\n\t\t/**\n\t\t * Validate tags against configured limits.\n\t\t * @throws Errors.InvalidTag if any tag violates constraints\n\t\t */\n\t\tfunction validateTags(tags: string[]): void {\n\t\t\tconst { maxTags, maxTagLength, pattern: tagPattern } = tagValidation;\n\t\t\tfor (const tag of tags) {\n\t\t\t\tif (tag.length > maxTagLength) {\n\t\t\t\t\tthrow(new Errors.InvalidTag(`Tag exceeds maximum length of ${maxTagLength}: \"${tag}\"`));\n\t\t\t\t}\n\t\t\t\ttagPattern.lastIndex = 0;\n\t\t\t\tif (!tagPattern.test(tag)) {\n\t\t\t\t\tthrow(new Errors.InvalidTag(`Tag contains invalid characters: \"${tag}\"`));\n\t\t\t\t}\n\t\t\t}\n\t\t\tif (tags.length > maxTags) {\n\t\t\t\tthrow(new Errors.InvalidTag(`Too many tags: ${tags.length} exceeds maximum of ${maxTags}`));\n\t\t\t}\n\t\t}\n\n\t\t/**\n\t\t * Build a JSON response with assertion.\n\t\t */\n\t\tfunction jsonResponse<T>(response: T, assertionHandler: (input: unknown) => T): { output: string } {\n\t\t\treturn({ output: JSON.stringify(assertionHandler(response)) });\n\t\t}\n\n\t\t/**\n\t\t * Get an object or throw DocumentNotFound.\n\t\t */\n\t\tasync function requireObject(path: string): Promise<StorageGetResult> {\n\t\t\tconst result = await backend.get(path);\n\t\t\tif (!result) {\n\t\t\t\tthrow(new Errors.DocumentNotFound());\n\t\t\t}\n\n\t\t\treturn(result);\n\t\t}\n\n\t\t/**\n\t\t * Enforce server-side search limit cap.\n\t\t */\n\t\tfunction enforceSearchLimit(pagination: SearchPagination | undefined): SearchPagination {\n\t\t\tconst requestedLimit = pagination?.limit ?? quotas.maxSearchLimit;\n\t\t\treturn({ ...pagination, limit: Math.min(requestedLimit, quotas.maxSearchLimit) });\n\t\t}\n\n\t\t/**\n\t\t * Validate search results match expected constraints.\n\t\t */\n\t\tfunction assertSearchResults(\n\t\t\tresults: SearchResults,\n\t\t\tconstraint: { visibility?: 'public'; owner?: string }\n\t\t): void {\n\t\t\tfor (const obj of results.results) {\n\t\t\t\tif (constraint.visibility && obj.visibility !== constraint.visibility) {\n\t\t\t\t\tthrow(new Errors.InvariantViolation(\n\t\t\t\t\t\t`Backend returned ${obj.visibility} object in ${constraint.visibility} search`\n\t\t\t\t\t));\n\t\t\t\t}\n\t\t\t\tif (constraint.owner && obj.owner !== constraint.owner) {\n\t\t\t\t\tthrow(new Errors.InvariantViolation(\n\t\t\t\t\t\t`Backend returned object owned by ${obj.owner} in search for ${constraint.owner}`\n\t\t\t\t\t));\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\n\t\t/**\n\t\t * If a homepage is provided, setup the route for it\n\t\t */\n\t\tconst homepage = this.homepage;\n\t\tif (homepage) {\n\t\t\troutes['GET /'] = async function() {\n\t\t\t\tlet homepageData: string;\n\t\t\t\tif (typeof homepage === 'string') {\n\t\t\t\t\thomepageData = homepage;\n\t\t\t\t} else {\n\t\t\t\t\thomepageData = await homepage();\n\t\t\t\t}\n\n\t\t\t\treturn({\n\t\t\t\t\toutput: homepageData,\n\t\t\t\t\tcontentType: 'text/html'\n\t\t\t\t});\n\t\t\t};\n\t\t}\n\n\t\t// #region API Routes\n\n\t\t// PUT /api/object/* - Create or update an object\n\t\troutes['PUT /api/object/**'] = {\n\t\t\tbodyType: 'raw',\n\t\t\tmaxBodySize: quotas.maxObjectSize,\n\t\t\thandler: async function(params, postData, _headers, url) {\n\t\t\t\tconst objectPath = extractObjectPath(params);\n\n\t\t\t\t// Get metadata from query params\n\t\t\t\tconst parsedUrl = new URL(url);\n\t\t\t\tconst visibilityParam = parsedUrl.searchParams.get('visibility');\n\t\t\t\tconst tagsParam = parsedUrl.searchParams.get('tags');\n\n\t\t\t\t// Default to private when absent, assert valid value otherwise\n\t\t\t\tlet visibility: StorageObjectVisibility = 'private';\n\t\t\t\tif (visibilityParam !== null) {\n\t\t\t\t\tvisibility = assertVisibility(visibilityParam);\n\t\t\t\t}\n\n\t\t\t\tconst rawTags: string[] = (tagsParam ?? '')\n\t\t\t\t\t.split(',')\n\t\t\t\t\t.map(function(t) {\n\t\t\t\t\t\treturn(t.trim());\n\t\t\t\t\t})\n\t\t\t\t\t.filter(function(t) {\n\t\t\t\t\t\treturn(t.length > 0);\n\t\t\t\t\t});\n\n\t\t\t\t// Verify signature\n\t\t\t\tconst account = await verifyURLAuth(url, getKeetaStorageAnchorPutRequestSigningData, function() {\n\t\t\t\t\treturn({ path: objectPath, visibility, tags: rawTags });\n\t\t\t\t});\n\n\t\t\t\tvalidateTags(rawTags);\n\t\t\t\tconst tags = rawTags;\n\n\t\t\t\t// Validate path format, metadata, and ownership\n\t\t\t\tconst { policy, parsed } = assertPathAccess(pathPolicies, account, objectPath, 'put');\n\t\t\t\tconst owner = account.publicKeyString.get();\n\t\t\t\tif (policy.validateMetadata) {\n\t\t\t\t\tpolicy.validateMetadata(parsed, { owner, tags, visibility });\n\t\t\t\t}\n\n\t\t\t\t// Resolve per-user quota limits, falling back to global config\n\t\t\t\tconst userLimits = backend.getQuotaLimits\n\t\t\t\t\t? await backend.getQuotaLimits(owner)\n\t\t\t\t\t: null;\n\t\t\t\tconst effectiveLimits = userLimits ?? quotas;\n\n\t\t\t\t// Body is raw binary (EncryptedContainer)\n\t\t\t\tconst data = arrayBufferLikeToBuffer(postData);\n\t\t\t\tconst objectSize = data.byteLength;\n\t\t\t\tif (objectSize > effectiveLimits.maxObjectSize) {\n\t\t\t\t\tthrow(new Errors.QuotaExceeded({\n\t\t\t\t\t\tquotaType: 'maxObjectSize',\n\t\t\t\t\t\tlimit: effectiveLimits.maxObjectSize,\n\t\t\t\t\t\tcurrent: objectSize\n\t\t\t\t\t}));\n\t\t\t\t}\n\n\t\t\t\tconst needsValidation = requiresValidation(objectPath, validators);\n\t\t\t\tconst needsContainerValidation = !!policy.validateContainer;\n\t\t\t\tconst needsAnchorDecryption = needsValidation || visibility === 'public';\n\t\t\t\tif (needsContainerValidation || needsAnchorDecryption) {\n\t\t\t\t\ttry {\n\t\t\t\t\t\tconst container = EncryptedContainer.fromEncryptedBuffer(data, [anchorAccount]);\n\n\t\t\t\t\t\tif (policy.validateContainer) {\n\t\t\t\t\t\t\tpolicy.validateContainer(parsed, container, { owner, tags, visibility });\n\t\t\t\t\t\t}\n\n\t\t\t\t\t\tif (needsAnchorDecryption) {\n\t\t\t\t\t\t\tconst plaintext = await container.getPlaintext();\n\t\t\t\t\t\t\tif (needsValidation) {\n\t\t\t\t\t\t\t\t// Extract content and mimeType from encrypted payload\n\t\t\t\t\t\t\t\tconst { content, mimeType } = parseContainerPayload(plaintext);\n\t\t\t\t\t\t\t\tconst matchingValidators = findMatchingValidators(objectPath, validators);\n\t\t\t\t\t\t\t\tfor (const validator of matchingValidators) {\n\t\t\t\t\t\t\t\t\tconst result = await validator.validate(objectPath, content, mimeType);\n\t\t\t\t\t\t\t\t\tif (!result.valid) {\n\t\t\t\t\t\t\t\t\t\tthrow(new Errors.ValidationFailed(result.error));\n\t\t\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\t}\n\t\t\t\t\t\t}\n\t\t\t\t\t} catch (e) {\n\t\t\t\t\t\tif (Errors.InvalidMetadata.isInstance(e)) {\n\t\t\t\t\t\t\tthrow(e);\n\t\t\t\t\t\t}\n\t\t\t\t\t\tif (Errors.ValidationFailed.isInstance(e)) {\n\t\t\t\t\t\t\tthrow(e);\n\t\t\t\t\t\t}\n\t\t\t\t\t\tif (EncryptedContainerError.isInstance(e)) {\n\t\t\t\t\t\t\tif (e.code.startsWith('MALFORMED_')) {\n\t\t\t\t\t\t\t\tthrow(new Errors.ValidationFailed(`Invalid encrypted container: ${e.message}`));\n\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\tif (e.code === 'NO_MATCHING_KEY' || e.code === 'DECRYPTION_FAILED') {\n\t\t\t\t\t\t\t\tthrow(new Errors.AnchorPrincipalRequired());\n\t\t\t\t\t\t\t}\n\t\t\t\t\t\t}\n\t\t\t\t\t\tthrow(e);\n\t\t\t\t\t}\n\t\t\t\t}\n\n\t\t\t\t// Reserve quota before upload\n\t\t\t\tconst reservation = await backend.reserveUpload(owner, objectPath, objectSize, {\n\t\t\t\t\tquotaLimits: {\n\t\t\t\t\t\tmaxObjectsPerUser: effectiveLimits.maxObjectsPerUser,\n\t\t\t\t\t\tmaxStoragePerUser: effectiveLimits.maxStoragePerUser\n\t\t\t\t\t}\n\t\t\t\t});\n\n\t\t\t\tlet objectMetadata: StorageObjectMetadata;\n\t\t\t\ttry {\n\t\t\t\t\tobjectMetadata = await backend.put(objectPath, data, {\n\t\t\t\t\t\towner,\n\t\t\t\t\t\ttags,\n\t\t\t\t\t\tvisibility\n\t\t\t\t\t});\n\n\t\t\t\t\tawait backend.commitUpload(reservation.id);\n\t\t\t\t} catch (e) {\n\t\t\t\t\ttry {\n\t\t\t\t\t\tawait backend.releaseUpload(reservation.id);\n\t\t\t\t\t} catch (releaseError) {\n\t\t\t\t\t\t/**\n\t\t\t\t\t\t * This provides a hint for cleanup\n\t\t\t\t\t\t */\n\t\t\t\t\t\tlogger?.warn('Failed to release upload reservation', { reservationId: reservation.id, error: releaseError });\n\t\t\t\t\t}\n\t\t\t\t\tthrow(e);\n\t\t\t\t}\n\n\t\t\t\tconst response: KeetaStorageAnchorPutResponse = {\n\t\t\t\t\tok: true,\n\t\t\t\t\tobject: objectMetadata\n\t\t\t\t};\n\n\t\t\t\treturn(jsonResponse(response, assertKeetaStorageAnchorPutResponse));\n\t\t\t}\n\t\t};\n\n\t\t// GET /api/object/* - Retrieve an object\n\t\troutes['GET /api/object/**'] = async function(params, _postData, _headers, url) {\n\t\t\tconst { objectPath } = await authorizeURLAccess(\n\t\t\t\tpathPolicies,\n\t\t\t\tparams,\n\t\t\t\turl,\n\t\t\t\t'get',\n\t\t\t\tgetKeetaStorageAnchorGetRequestSigningData,\n\t\t\t\tfunction(path, pubKey) {\n\t\t\t\t\treturn(assertKeetaStorageAnchorGetRequest({ path, account: pubKey }));\n\t\t\t\t}\n\t\t\t);\n\n\t\t\tconst headers: { [key: string]: string } = {};\n\t\t\tif (authenticatedCorsOrigin) {\n\t\t\t\theaders['Access-Control-Allow-Origin'] = authenticatedCorsOrigin;\n\t\t\t}\n\n\t\t\tconst result = await requireObject(objectPath);\n\t\t\treturn({\n\t\t\t\theaders,\n\t\t\t\toutput: result.data,\n\t\t\t\tcontentType: CONTENT_TYPE_OCTET_STREAM\n\t\t\t});\n\t\t};\n\n\t\t// DELETE /api/object/* - Delete an object\n\t\troutes['DELETE /api/object/**'] = async function(params, _postData, _headers, url) {\n\t\t\tconst { objectPath } = await authorizeURLAccess(\n\t\t\t\tpathPolicies,\n\t\t\t\tparams,\n\t\t\t\turl,\n\t\t\t\t'delete',\n\t\t\t\tgetKeetaStorageAnchorDeleteRequestSigningData,\n\t\t\t\tfunction(path, pubKey) {\n\t\t\t\t\treturn({ path, account: pubKey });\n\t\t\t\t}\n\t\t\t);\n\n\t\t\tconst deleted = await backend.delete(objectPath);\n\t\t\tconst response: KeetaStorageAnchorDeleteResponse = {\n\t\t\t\tok: true,\n\t\t\t\tdeleted\n\t\t\t};\n\n\t\t\treturn(jsonResponse(response, assertKeetaStorageAnchorDeleteResponse));\n\t\t};\n\n\t\t// GET /api/metadata/* - Get object metadata\n\t\troutes['GET /api/metadata/**'] = async function(params, _postData, _headers, url) {\n\t\t\tconst { objectPath } = await authorizeURLAccess(\n\t\t\t\tpathPolicies,\n\t\t\t\tparams,\n\t\t\t\turl,\n\t\t\t\t'metadata',\n\t\t\t\tgetKeetaStorageAnchorGetRequestSigningData,\n\t\t\t\tfunction(path, pubKey) {\n\t\t\t\t\treturn(assertKeetaStorageAnchorGetRequest({ path, account: pubKey }));\n\t\t\t\t}\n\t\t\t);\n\n\t\t\tconst result = await requireObject(objectPath);\n\t\t\treturn(jsonResponse({ ok: true, object: result.metadata }, assertKeetaStorageAnchorPutResponse));\n\t\t};\n\n\t\t// PUT /api/metadata/* - Update object metadata without re-uploading data\n\t\troutes['PUT /api/metadata/**'] = async function(params, postData) {\n\t\t\tconst objectPath = extractObjectPath(params);\n\t\t\tconst request = assertKeetaStorageAnchorUpdateMetadataRequest(postData);\n\n\t\t\tconst signable = getKeetaStorageAnchorUpdateMetadataRequestSigningData({\n\t\t\t\tpath: objectPath,\n\t\t\t\tvisibility: request.visibility,\n\t\t\t\ttags: request.tags\n\t\t\t});\n\t\t\tconst account = await verifyBodyAuth(request, function() { return(signable); });\n\n\t\t\tconst { policy, parsed } = assertPathAccess(pathPolicies, account, objectPath, 'updateMetadata');\n\n\t\t\tvalidateTags(request.tags);\n\n\t\t\tconst visibility = assertVisibility(request.visibility);\n\t\t\tconst tags = request.tags;\n\n\t\t\t// Confirm object exists and preserve existing owner\n\t\t\tconst existing = await requireObject(objectPath);\n\t\t\tif (policy.validateMetadata) {\n\t\t\t\tpolicy.validateMetadata(parsed, { owner: existing.metadata.owner, tags, visibility });\n\t\t\t}\n\n\t\t\tif (!backend.updateMetadata) {\n\t\t\t\tthrow(new Errors.OperationNotSupported('updateMetadata'));\n\t\t\t}\n\n\t\t\tconst updated = await backend.updateMetadata(objectPath, { tags, visibility });\n\t\t\tif (!updated) {\n\t\t\t\tthrow(new Errors.DocumentNotFound());\n\t\t\t}\n\n\t\t\treturn(jsonResponse({ ok: true, object: updated }, assertKeetaStorageAnchorPutResponse));\n\t\t};\n\n\t\t// POST /api/search - Search for objects\n\t\troutes['POST /api/search'] = async function(_params, postData) {\n\t\t\tconst request = assertKeetaStorageAnchorSearchRequest(postData);\n\t\t\tconst account = await verifyBodyAuth(request, getKeetaStorageAnchorSearchRequestSigningData);\n\t\t\tconst accountPubKey = account.publicKeyString.get();\n\n\t\t\t// Check if searching for public objects outside namespace\n\t\t\tconst searchingPublic = request.criteria.visibility === 'public';\n\t\t\tif (searchingPublic) {\n\t\t\t\t// When searching for public objects, we allow searching outside the caller's namespace\n\t\t\t\t// but only for objects with visibility: 'public'\n\t\t\t\tconst scopedCriteria = {\n\t\t\t\t\t...request.criteria,\n\t\t\t\t\tvisibility: 'public' as const\n\t\t\t\t};\n\n\t\t\t\tconst results = await backend.search(\n\t\t\t\t\tscopedCriteria,\n\t\t\t\t\tenforceSearchLimit(request.pagination)\n\t\t\t\t);\n\n\t\t\t\tassertSearchResults(results, { visibility: 'public' });\n\n\t\t\t\treturn(jsonResponse(buildSearchResponse(results), assertKeetaStorageAnchorSearchResponse));\n\t\t\t}\n\n\t\t\t// Scope search to authenticated account's namespace\n\t\t\tconst scopedCriteria = {\n\t\t\t\t...request.criteria,\n\t\t\t\towner: accountPubKey\n\t\t\t};\n\n\t\t\tconst results = await backend.search(\n\t\t\t\tscopedCriteria,\n\t\t\t\tenforceSearchLimit(request.pagination)\n\t\t\t);\n\n\t\t\tassertSearchResults(results, { owner: accountPubKey });\n\n\t\t\treturn(jsonResponse(buildSearchResponse(results), assertKeetaStorageAnchorSearchResponse));\n\t\t};\n\n\t\t// GET /api/quota - Get quota status\n\t\troutes['GET /api/quota'] = async function(_params, _postData, _headers, url) {\n\t\t\tconst account = await verifyURLAuth(\n\t\t\t\turl,\n\t\t\t\tgetKeetaStorageAnchorQuotaRequestSigningData,\n\t\t\t\tfunction() { return({}); }\n\t\t\t);\n\n\t\t\t// Get current usage from backend and compute remaining using per-user or global limits\n\t\t\tconst owner = account.publicKeyString.get();\n\t\t\tconst userLimits = backend.getQuotaLimits\n\t\t\t\t? await backend.getQuotaLimits(owner)\n\t\t\t\t: null;\n\t\t\tconst effectiveLimits = userLimits ?? quotas;\n\n\t\t\tconst backendStatus = await backend.getQuotaStatus(owner);\n\n\t\t\t// Compute remaining from config limits\n\t\t\tlet remainingObjects = Math.max(0, effectiveLimits.maxObjectsPerUser - backendStatus.objectCount);\n\t\t\tlet remainingSize = Math.max(0, effectiveLimits.maxStoragePerUser - backendStatus.totalSize);\n\n\t\t\t// If backend reports its own remaining values, use the tighter constraint\n\t\t\tif (backendStatus.remainingObjects !== undefined && backendStatus.remainingObjects > 0) {\n\t\t\t\tremainingObjects = Math.min(backendStatus.remainingObjects, remainingObjects);\n\t\t\t}\n\t\t\tif (backendStatus.remainingSize !== undefined && backendStatus.remainingSize > 0) {\n\t\t\t\tremainingSize = Math.min(backendStatus.remainingSize, remainingSize);\n\t\t\t}\n\n\t\t\tconst response: KeetaStorageAnchorQuotaResponse = {\n\t\t\t\tok: true,\n\t\t\t\tquota: {\n\t\t\t\t\tobjectCount: backendStatus.objectCount,\n\t\t\t\t\ttotalSize: backendStatus.totalSize,\n\t\t\t\t\tremainingObjects,\n\t\t\t\t\tremainingSize\n\t\t\t\t}\n\t\t\t};\n\n\t\t\treturn(jsonResponse(response, assertKeetaStorageAnchorQuotaResponse));\n\t\t};\n\n\t\t// GET /api/public/** - Public object access via pre-signed URL\n\t\troutes['GET /api/public/**'] = async function(params, _postData, _headers, url) {\n\t\t\tconst objectPath = extractObjectPath(params);\n\t\t\tconst { policy, parsed } = parsePath(pathPolicies, objectPath);\n\n\t\t\t// Parse signature using standard signed field convention\n\t\t\tconst urlParsed = parseSignatureFromURL(url);\n\t\t\tif (!urlParsed.signedField) {\n\t\t\t\tthrow(new Errors.SignatureInvalid('Missing required signature parameters'));\n\t\t\t}\n\n\t\t\t// Resolve signer: policy-specified or from URL account param (any-signer for public objects)\n\t\t\tconst signerAccount = policy.getAuthorizedSigner(parsed) ?? urlParsed.account ?? null;\n\t\t\tif (!signerAccount) {\n\t\t\t\tthrow(new Errors.SignatureInvalid('Missing signer'));\n\t\t\t}\n\t\t\tconst signerPubKey = signerAccount.publicKeyString.get();\n\n\t\t\t// Parse and validate expires param\n\t\t\tconst parsedUrl = typeof url === 'string' ? new URL(url) : url;\n\t\t\tconst expiresParam = parsedUrl.searchParams.get('expires');\n\t\t\tif (!expiresParam) {\n\t\t\t\tthrow(new Errors.SignatureInvalid('Missing expires parameter'));\n\t\t\t}\n\t\t\tconst expiresAt = parseInt(expiresParam, 10);\n\t\t\tif (!Number.isFinite(expiresAt)) {\n\t\t\t\tthrow(new Errors.SignatureInvalid('Invalid expires parameter'));\n\t\t\t}\n\t\t\tif (Date.now() > expiresAt * 1000) {\n\t\t\t\tthrow(new Errors.SignatureExpired());\n\t\t\t}\n\n\t\t\t// Enforce maximum TTL\n\t\t\tconst maxExpiresAt = Math.floor(Date.now() / 1000) + quotas.maxSignedUrlTTL;\n\t\t\tif (expiresAt > maxExpiresAt) {\n\t\t\t\tthrow(new Errors.SignatureExpired('Signed URL TTL exceeds maximum allowed'));\n\t\t\t}\n\n\t\t\t// Pre-validate signature is valid base64 with reasonable length\n\t\t\tconst signatureBuffer = Buffer.from(urlParsed.signedField.signature, 'base64');\n\t\t\tif (signatureBuffer.length < 64 || signatureBuffer.length > 256) {\n\t\t\t\tthrow(new Errors.SignatureInvalid('Invalid signature format'));\n\t\t\t}\n\n\t\t\ttry {\n\t\t\t\t// Allow 5 minutes of clock skew for signature verification\n\t\t\t\tconst valid = await VerifySignedData(signerAccount, [objectPath, expiresAt, signerPubKey], urlParsed.signedField, {\n\t\t\t\t\tmaxSkewMs: 5 * 60 * 1000\n\t\t\t\t});\n\t\t\t\tif (!valid) {\n\t\t\t\t\tthrow(new Errors.SignatureInvalid());\n\t\t\t\t}\n\t\t\t} catch (e) {\n\t\t\t\tif (Errors.SignatureInvalid.isInstance(e)) {\n\t\t\t\t\tthrow(e);\n\t\t\t\t}\n\n\t\t\t\tthrow(new Errors.SignatureInvalid('Signature verification failed'));\n\t\t\t}\n\n\t\t\tconst result = await requireObject(objectPath);\n\t\t\tif (result.metadata.visibility !== 'public') {\n\t\t\t\tthrow(new Errors.AccessDenied('Object is not public'));\n\t\t\t}\n\n\t\t\t// Decrypt using anchor account and extract mimeType from encrypted payload\n\t\t\tconst data = arrayBufferLikeToBuffer(result.data);\n\t\t\tconst container = EncryptedContainer.fromEncryptedBuffer(data, [anchorAccount]);\n\t\t\tconst plaintext = await container.getPlaintext();\n\t\t\tconst { content, mimeType } = parseContainerPayload(plaintext);\n\n\t\t\tconst headers: { [key: string]: string } = {};\n\t\t\tif (publicCorsOrigin) {\n\t\t\t\theaders['Access-Control-Allow-Origin'] = publicCorsOrigin;\n\t\t\t}\n\n\t\t\treturn({\n\t\t\t\toutput: content,\n\t\t\t\tcontentType: mimeType,\n\t\t\t\theaders\n\t\t\t});\n\t\t};\n\n\t\t// #endregion\n\n\t\treturn(routes);\n\t}\n\n\tasync serviceMetadata(): Promise<NonNullable<ServiceMetadata['services']['storage']>[string]> {\n\t\tconst authRequired = { options: { authentication: { type: 'required' as const, method: 'keeta-account' as const }}};\n\t\tconst operations: NonNullable<ServiceMetadata['services']['storage']>[string]['operations'] = {\n\t\t\tput: { url: (new URL('/api/object', this.url)).toString(), ...authRequired },\n\t\t\tget: { url: (new URL('/api/object', this.url)).toString(), ...authRequired },\n\t\t\tdelete: { url: (new URL('/api/object', this.url)).toString(), ...authRequired },\n\t\t\tmetadata: { url: (new URL('/api/metadata', this.url)).toString(), ...authRequired },\n\t\t\tupdateMetadata: { url: (new URL('/api/metadata', this.url)).toString(), ...authRequired },\n\t\t\tsearch: { url: (new URL('/api/search', this.url)).toString(), ...authRequired },\n\t\t\tpublic: (new URL('/api/public', this.url)).toString(),\n\t\t\tquota: { url: (new URL('/api/quota', this.url)).toString(), ...authRequired }\n\t\t};\n\n\t\treturn({\n\t\t\toperations,\n\t\t\tanchorAccount: this.anchorAccount.publicKeyString.get(),\n\t\t\tquotas: this.quotas,\n\t\t\tsignedUrlDefaultTTL: this.signedUrlDefaultTTL,\n\t\t\tsearchableFields: ['owner', 'tags', 'visibility', 'pathPrefix']\n\t\t});\n\t}\n}\n"]}
1
+ {"version":3,"file":"server.js","sourceRoot":"","sources":["../../../src/services/storage/server.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,qBAAqB,MAAM,gCAAgC,CAAC;AACxE,OAAO,EAAE,QAAQ,EAAE,MAAM,uBAAuB,CAAC;AACjD,OAAO,EACN,oBAAoB,EACpB,MAAM,oBAAoB,CAAC;AAiB5B,OAAO,EACN,sCAAsC,EACtC,mCAAmC,EACnC,kCAAkC,EAClC,qCAAqC,EACrC,sCAAsC,EACtC,qCAAqC,EACrC,6CAA6C,EAC7C,MAAM,uBAAuB,CAAC;AAC/B,OAAO,EACN,6CAA6C,EAC7C,0CAA0C,EAC1C,0CAA0C,EAC1C,6CAA6C,EAC7C,4CAA4C,EAC5C,qDAAqD,EACrD,qBAAqB,EACrB,MAAM,EACN,yBAAyB,EACzB,8BAA8B,EAC9B,MAAM,aAAa,CAAC;AACrB,OAAO,EAAE,gBAAgB,EAAE,MAAM,4BAA4B,CAAC;AAC9D,OAAO,EAAE,qBAAqB,EAAE,qBAAqB,EAAE,MAAM,iCAAiC,CAAC;AAC/F,OAAO,EAAE,uBAAuB,EAAE,MAAM,EAAE,MAAM,2BAA2B,CAAC;AAC5E,OAAO,EAAE,kBAAkB,EAAE,sBAAsB,EAAE,MAAM,qBAAqB,CAAC;AACjF,OAAO,EAAE,kBAAkB,EAAE,uBAAuB,EAAE,MAAM,kCAAkC,CAAC;AAC/F,OAAO,EAAE,gBAAgB,EAAE,MAAM,YAAY,CAAC;AAI9C;;GAEG;AACH,SAAS,mBAAmB,CAAC,OAAsB;IAClD,MAAM,QAAQ,GAAqC;QAClD,EAAE,EAAE,IAAI;QACR,OAAO,EAAE,OAAO,CAAC,OAAO;KACxB,CAAC;IACF,IAAI,OAAO,CAAC,UAAU,KAAK,SAAS,EAAE,CAAC;QACtC,QAAQ,CAAC,UAAU,GAAG,OAAO,CAAC,UAAU,CAAC;IAC1C,CAAC;IACD,OAAM,CAAC,QAAQ,CAAC,CAAC;AAClB,CAAC;AAED,+BAA+B;AAE/B;;;;;;;GAOG;AACH,SAAS,gBAAgB,CACxB,YAAmC,EACnC,OAAgB,EAChB,IAAY,EACZ,SAA2B;IAE3B,KAAK,MAAM,MAAM,IAAI,YAAY,EAAE,CAAC;QACnC,MAAM,MAAM,GAAG,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;QAClC,IAAI,MAAM,KAAK,IAAI,EAAE,CAAC;YACrB,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC;YAEtB,IAAI,CAAC,MAAM,CAAC,WAAW,CAAC,OAAO,EAAE,MAAM,EAAE,SAAS,CAAC,EAAE,CAAC;gBACrD,MAAK,CAAC,IAAI,MAAM,CAAC,YAAY,CAAC,oCAAoC,CAAC,CAAC,CAAC;YACtE,CAAC;YAED,OAAM,CAAC,EAAE,MAAM,EAAE,MAAM,EAAE,CAAC,CAAC;QAC5B,CAAC;IACF,CAAC;IAED,MAAK,CAAC,IAAI,MAAM,CAAC,WAAW,CAAC,gCAAgC,CAAC,CAAC,CAAC;AACjE,CAAC;AAED;;;;;;GAMG;AACH,SAAS,SAAS,CACjB,YAAmC,EACnC,IAAY;IAEZ,KAAK,MAAM,MAAM,IAAI,YAAY,EAAE,CAAC;QACnC,MAAM,MAAM,GAAG,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;QAClC,IAAI,MAAM,KAAK,IAAI,EAAE,CAAC;YACrB,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC;YACtB,OAAM,CAAC,EAAE,MAAM,EAAE,MAAM,EAAE,CAAC,CAAC;QAC5B,CAAC;IACF,CAAC;IAED,MAAK,CAAC,IAAI,MAAM,CAAC,WAAW,CAAC,gCAAgC,CAAC,CAAC,CAAC;AACjE,CAAC;AAED;;;;;;;;;;;;;GAaG;AACH,KAAK,UAAU,cAAc,CAC5B,OAAU,EACV,cAAoC;IAEpC,IAAI,CAAC,OAAO,CAAC,OAAO,IAAI,CAAC,OAAO,CAAC,MAAM,EAAE,CAAC;QACzC,MAAK,CAAC,IAAI,oBAAoB,CAAC,yBAAyB,CAAC,CAAC,CAAC;IAC5D,CAAC;IAED,MAAM,OAAO,GAAG,QAAQ,CAAC,GAAG,CAAC,OAAO,CAAC,mBAAmB,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC,aAAa,EAAE,CAAC;IAC1F,MAAM,QAAQ,GAAG,cAAc,CAAC,OAAO,CAAC,CAAC;IACzC,MAAM,MAAM,GAAG,qBAAqB,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;IAErD,MAAM,KAAK,GAAG,MAAM,gBAAgB,CAAC,OAAO,EAAE,QAAQ,EAAE,MAAM,CAAC,CAAC;IAChE,IAAI,CAAC,KAAK,EAAE,CAAC;QACZ,MAAK,CAAC,IAAI,oBAAoB,CAAC,mBAAmB,CAAC,CAAC,CAAC;IACtD,CAAC;IAED,OAAM,CAAC,OAAO,CAAC,CAAC;AACjB,CAAC;AAED;;;;;;;;;;;;;;GAcG;AACH,KAAK,UAAU,aAAa,CAC3B,GAAiB,EACjB,cAAoC,EACpC,YAA0C;IAE1C,IAAI,SAAiB,CAAC;IACtB,IAAI,OAAO,GAAG,KAAK,QAAQ,EAAE,CAAC;QAC7B,SAAS,GAAG,GAAG,CAAC;IACjB,CAAC;SAAM,CAAC;QACP,SAAS,GAAG,GAAG,CAAC,IAAI,CAAC;IACtB,CAAC;IAED,MAAM,MAAM,GAAG,qBAAqB,CAAC,SAAS,CAAC,CAAC;IAChD,IAAI,CAAC,MAAM,CAAC,OAAO,IAAI,CAAC,MAAM,CAAC,WAAW,EAAE,CAAC;QAC5C,MAAK,CAAC,IAAI,oBAAoB,CAAC,yBAAyB,CAAC,CAAC,CAAC;IAC5D,CAAC;IAED,MAAM,OAAO,GAAG,YAAY,CAAC,MAAM,CAAC,OAAO,CAAC,eAAe,CAAC,GAAG,EAAE,CAAC,CAAC;IACnE,MAAM,QAAQ,GAAG,cAAc,CAAC,OAAO,CAAC,CAAC;IAEzC,MAAM,KAAK,GAAG,MAAM,gBAAgB,CAAC,MAAM,CAAC,OAAO,EAAE,QAAQ,EAAE,MAAM,CAAC,WAAW,CAAC,CAAC;IACnF,IAAI,CAAC,KAAK,EAAE,CAAC;QACZ,MAAK,CAAC,IAAI,oBAAoB,CAAC,mBAAmB,CAAC,CAAC,CAAC;IACtD,CAAC;IAED,OAAM,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;AACxB,CAAC;AAED;;;;;;;;;GASG;AACH,SAAS,iBAAiB,CAAC,MAA2B;IACrD,MAAM,YAAY,GAAG,MAAM,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;IACtC,IAAI,CAAC,YAAY,EAAE,CAAC;QACnB,MAAK,CAAC,IAAI,MAAM,CAAC,WAAW,EAAE,CAAC,CAAC;IACjC,CAAC;IAED,OAAM,CAAC,GAAG,GAAG,YAAY,CAAC,CAAC;AAC5B,CAAC;AAED;;;;;;;;;;;;;;;;;;GAkBG;AACH,KAAK,UAAU,kBAAkB,CAChC,YAAmC,EACnC,MAA2B,EAC3B,GAAiB,EACjB,SAA2B,EAC3B,cAAoC,EACpC,YAAwD;IAExD,MAAM,UAAU,GAAG,iBAAiB,CAAC,MAAM,CAAC,CAAC;IAC7C,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,GAAG,SAAS,CAAC,YAAY,EAAE,UAAU,CAAC,CAAC;IAE/D,MAAM,OAAO,GAAG,MAAM,aAAa,CAAC,GAAG,EAAE,cAAc,EAAE,UAAS,MAAM;QACvE,OAAM,CAAC,YAAY,CAAC,UAAU,EAAE,MAAM,CAAC,CAAC,CAAC;IAC1C,CAAC,CAAC,CAAC;IAEH,IAAI,CAAC,MAAM,CAAC,WAAW,CAAC,OAAO,EAAE,MAAM,EAAE,SAAS,CAAC,EAAE,CAAC;QACrD,MAAK,CAAC,IAAI,MAAM,CAAC,YAAY,CAAC,oCAAoC,CAAC,CAAC,CAAC;IACtE,CAAC;IAED,OAAM,CAAC,EAAE,OAAO,EAAE,UAAU,EAAE,MAAM,EAAE,MAAM,EAAE,CAAC,CAAC;AACjD,CAAC;AA6HD,8BAA8B;AAC9B,MAAM,cAAc,GAAgB;IACnC,aAAa,EAAE,EAAE,GAAG,IAAI,GAAG,IAAI,EAAE,OAAO;IACxC,iBAAiB,EAAE,IAAI;IACvB,iBAAiB,EAAE,GAAG,GAAG,IAAI,GAAG,IAAI,EAAE,QAAQ;IAC9C,cAAc,EAAE,GAAG;IACnB,eAAe,EAAE,KAAK,CAAC,WAAW;CAClC,CAAC;AAEF,uCAAuC;AACvC,MAAM,sBAAsB,GAAG;IAC9B,OAAO,EAAE,EAAE;IACX,YAAY,EAAE,EAAE;IAChB,OAAO,EAAE,kBAAkB;CAC3B,CAAC;AAEF,MAAM,OAAO,+BAAgC,SAAQ,qBAAqB,CAAC,wBAAwD;IACzH,QAAQ,CAA0D;IAClE,OAAO,CAAqB;IAC5B,aAAa,CAAU;IACvB,MAAM,CAAc;IACpB,UAAU,CAAuB;IACjC,mBAAmB,CAAS;IAC5B,gBAAgB,CAAiB;IACjC,uBAAuB,CAAS;IAChC,YAAY,CAAwB;IACpC,aAAa,CAAyE;IAE/F,YAAY,MAAsC;QACjD,KAAK,CAAC,MAAM,CAAC,CAAC;QAEd,IAAI,CAAC,QAAQ,GAAG,MAAM,CAAC,QAAQ,IAAI,EAAE,CAAC;QACtC,IAAI,CAAC,OAAO,GAAG,MAAM,CAAC,OAAO,CAAC;QAC9B,IAAI,CAAC,aAAa,GAAG,MAAM,CAAC,aAAa,CAAC;QAC1C,IAAI,CAAC,MAAM,GAAG,EAAE,GAAG,cAAc,EAAE,GAAG,MAAM,CAAC,MAAM,EAAE,CAAC;QACtD,IAAI,CAAC,UAAU,GAAG,MAAM,CAAC,UAAU,IAAI,EAAE,CAAC;QAC1C,IAAI,CAAC,mBAAmB,GAAG,MAAM,CAAC,mBAAmB,IAAI,8BAA8B,CAAC;QACxF,IAAI,CAAC,gBAAgB,GAAG,MAAM,CAAC,gBAAgB,IAAI,KAAK,CAAC;QACzD,IAAI,CAAC,uBAAuB,GAAG,MAAM,CAAC,uBAAuB,IAAI,GAAG,CAAC;QACrE,IAAI,CAAC,YAAY,GAAG,MAAM,CAAC,YAAY,CAAC;QACxC,IAAI,CAAC,aAAa,GAAG;YACpB,OAAO,EAAE,MAAM,CAAC,aAAa,EAAE,OAAO,IAAI,sBAAsB,CAAC,OAAO;YACxE,YAAY,EAAE,MAAM,CAAC,aAAa,EAAE,YAAY,IAAI,sBAAsB,CAAC,YAAY;YACvF,OAAO,EAAE,MAAM,CAAC,aAAa,EAAE,OAAO,IAAI,sBAAsB,CAAC,OAAO;SACxE,CAAC;QAEF,yCAAyC;QACzC,IAAI,CAAC,IAAI,CAAC,aAAa,CAAC,aAAa,EAAE,CAAC;YACvC,MAAK,CAAC,IAAI,KAAK,CAAC,uCAAuC,CAAC,CAAC,CAAC;QAC3D,CAAC;QAED,gDAAgD;QAChD,IAAI,IAAI,CAAC,YAAY,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACpC,MAAK,CAAC,IAAI,KAAK,CAAC,2CAA2C,CAAC,CAAC,CAAC;QAC/D,CAAC;QAED,mDAAmD;QACnD,IAAI,IAAI,CAAC,MAAM,CAAC,aAAa,IAAI,CAAC,EAAE,CAAC;YACpC,MAAK,CAAC,IAAI,KAAK,CAAC,uCAAuC,CAAC,CAAC,CAAC;QAC3D,CAAC;QACD,IAAI,IAAI,CAAC,MAAM,CAAC,iBAAiB,IAAI,CAAC,EAAE,CAAC;YACxC,MAAK,CAAC,IAAI,KAAK,CAAC,2CAA2C,CAAC,CAAC,CAAC;QAC/D,CAAC;QACD,IAAI,IAAI,CAAC,MAAM,CAAC,iBAAiB,IAAI,CAAC,EAAE,CAAC;YACxC,MAAK,CAAC,IAAI,KAAK,CAAC,2CAA2C,CAAC,CAAC,CAAC;QAC/D,CAAC;QACD,IAAI,IAAI,CAAC,MAAM,CAAC,cAAc,IAAI,CAAC,EAAE,CAAC;YACrC,MAAK,CAAC,IAAI,KAAK,CAAC,wCAAwC,CAAC,CAAC,CAAC;QAC5D,CAAC;QACD,IAAI,IAAI,CAAC,MAAM,CAAC,eAAe,IAAI,CAAC,EAAE,CAAC;YACtC,MAAK,CAAC,IAAI,KAAK,CAAC,yCAAyC,CAAC,CAAC,CAAC;QAC7D,CAAC;QAED,wCAAwC;QACxC,IAAI,IAAI,CAAC,aAAa,CAAC,OAAO,IAAI,CAAC,EAAE,CAAC;YACrC,MAAK,CAAC,IAAI,KAAK,CAAC,wCAAwC,CAAC,CAAC,CAAC;QAC5D,CAAC;QACD,IAAI,IAAI,CAAC,aAAa,CAAC,YAAY,IAAI,CAAC,EAAE,CAAC;YAC1C,MAAK,CAAC,IAAI,KAAK,CAAC,6CAA6C,CAAC,CAAC,CAAC;QACjE,CAAC;IACF,CAAC;IAED,sDAAsD;IACtD,qFAAqF;IAC3E,KAAK,CAAC,UAAU,CAAC,aAA6C;QACvE,MAAM,MAAM,GAAiC,EAAE,CAAC;QAChD,MAAM,OAAO,GAAG,IAAI,CAAC,OAAO,CAAC;QAC7B,MAAM,aAAa,GAAG,IAAI,CAAC,aAAa,CAAC;QACzC,MAAM,MAAM,GAAG,IAAI,CAAC,MAAM,CAAC;QAC3B,MAAM,UAAU,GAAG,IAAI,CAAC,UAAU,CAAC;QACnC,MAAM,gBAAgB,GAAG,IAAI,CAAC,gBAAgB,CAAC;QAC/C,MAAM,uBAAuB,GAAG,IAAI,CAAC,uBAAuB,CAAC;QAC7D,MAAM,YAAY,GAAG,IAAI,CAAC,YAAY,CAAC;QACvC,MAAM,aAAa,GAAG,IAAI,CAAC,aAAa,CAAC;QACzC,MAAM,MAAM,GAAG,IAAI,CAAC,MAAM,CAAC;QAE3B;;;WAGG;QACH,SAAS,YAAY,CAAC,IAAc;YACnC,MAAM,EAAE,OAAO,EAAE,YAAY,EAAE,OAAO,EAAE,UAAU,EAAE,GAAG,aAAa,CAAC;YACrE,KAAK,MAAM,GAAG,IAAI,IAAI,EAAE,CAAC;gBACxB,IAAI,GAAG,CAAC,MAAM,GAAG,YAAY,EAAE,CAAC;oBAC/B,MAAK,CAAC,IAAI,MAAM,CAAC,UAAU,CAAC,iCAAiC,YAAY,MAAM,GAAG,GAAG,CAAC,CAAC,CAAC;gBACzF,CAAC;gBACD,UAAU,CAAC,SAAS,GAAG,CAAC,CAAC;gBACzB,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC;oBAC3B,MAAK,CAAC,IAAI,MAAM,CAAC,UAAU,CAAC,qCAAqC,GAAG,GAAG,CAAC,CAAC,CAAC;gBAC3E,CAAC;YACF,CAAC;YACD,IAAI,IAAI,CAAC,MAAM,GAAG,OAAO,EAAE,CAAC;gBAC3B,MAAK,CAAC,IAAI,MAAM,CAAC,UAAU,CAAC,kBAAkB,IAAI,CAAC,MAAM,uBAAuB,OAAO,EAAE,CAAC,CAAC,CAAC;YAC7F,CAAC;QACF,CAAC;QAED;;WAEG;QACH,SAAS,YAAY,CAAI,QAAW,EAAE,gBAAuC;YAC5E,OAAM,CAAC,EAAE,MAAM,EAAE,IAAI,CAAC,SAAS,CAAC,gBAAgB,CAAC,QAAQ,CAAC,CAAC,EAAE,CAAC,CAAC;QAChE,CAAC;QAED;;WAEG;QACH,KAAK,UAAU,aAAa,CAAC,IAAY;YACxC,MAAM,MAAM,GAAG,MAAM,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;YACvC,IAAI,CAAC,MAAM,EAAE,CAAC;gBACb,MAAK,CAAC,IAAI,MAAM,CAAC,gBAAgB,EAAE,CAAC,CAAC;YACtC,CAAC;YAED,OAAM,CAAC,MAAM,CAAC,CAAC;QAChB,CAAC;QAED;;WAEG;QACH,SAAS,kBAAkB,CAAC,UAAwC;YACnE,MAAM,cAAc,GAAG,UAAU,EAAE,KAAK,IAAI,MAAM,CAAC,cAAc,CAAC;YAClE,OAAM,CAAC,EAAE,GAAG,UAAU,EAAE,KAAK,EAAE,IAAI,CAAC,GAAG,CAAC,cAAc,EAAE,MAAM,CAAC,cAAc,CAAC,EAAE,CAAC,CAAC;QACnF,CAAC;QAED;;WAEG;QACH,SAAS,mBAAmB,CAC3B,OAAsB,EACtB,UAAqD;YAErD,KAAK,MAAM,GAAG,IAAI,OAAO,CAAC,OAAO,EAAE,CAAC;gBACnC,IAAI,UAAU,CAAC,UAAU,IAAI,GAAG,CAAC,UAAU,KAAK,UAAU,CAAC,UAAU,EAAE,CAAC;oBACvE,MAAK,CAAC,IAAI,MAAM,CAAC,kBAAkB,CAClC,oBAAoB,GAAG,CAAC,UAAU,cAAc,UAAU,CAAC,UAAU,SAAS,CAC9E,CAAC,CAAC;gBACJ,CAAC;gBACD,IAAI,UAAU,CAAC,KAAK,IAAI,GAAG,CAAC,KAAK,KAAK,UAAU,CAAC,KAAK,EAAE,CAAC;oBACxD,MAAK,CAAC,IAAI,MAAM,CAAC,kBAAkB,CAClC,oCAAoC,GAAG,CAAC,KAAK,kBAAkB,UAAU,CAAC,KAAK,EAAE,CACjF,CAAC,CAAC;gBACJ,CAAC;YACF,CAAC;QACF,CAAC;QAED;;WAEG;QACH,MAAM,QAAQ,GAAG,IAAI,CAAC,QAAQ,CAAC;QAC/B,IAAI,QAAQ,EAAE,CAAC;YACd,MAAM,CAAC,OAAO,CAAC,GAAG,KAAK;gBACtB,IAAI,YAAoB,CAAC;gBACzB,IAAI,OAAO,QAAQ,KAAK,QAAQ,EAAE,CAAC;oBAClC,YAAY,GAAG,QAAQ,CAAC;gBACzB,CAAC;qBAAM,CAAC;oBACP,YAAY,GAAG,MAAM,QAAQ,EAAE,CAAC;gBACjC,CAAC;gBAED,OAAM,CAAC;oBACN,MAAM,EAAE,YAAY;oBACpB,WAAW,EAAE,WAAW;iBACxB,CAAC,CAAC;YACJ,CAAC,CAAC;QACH,CAAC;QAED,qBAAqB;QAErB,iDAAiD;QACjD,MAAM,CAAC,oBAAoB,CAAC,GAAG;YAC9B,QAAQ,EAAE,KAAK;YACf,WAAW,EAAE,MAAM,CAAC,aAAa;YACjC,OAAO,EAAE,KAAK,WAAU,MAAM,EAAE,QAAQ,EAAE,QAAQ,EAAE,GAAG;gBACtD,MAAM,UAAU,GAAG,iBAAiB,CAAC,MAAM,CAAC,CAAC;gBAE7C,iCAAiC;gBACjC,MAAM,SAAS,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,CAAC;gBAC/B,MAAM,eAAe,GAAG,SAAS,CAAC,YAAY,CAAC,GAAG,CAAC,YAAY,CAAC,CAAC;gBACjE,MAAM,SAAS,GAAG,SAAS,CAAC,YAAY,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;gBAErD,+DAA+D;gBAC/D,IAAI,UAAU,GAA4B,SAAS,CAAC;gBACpD,IAAI,eAAe,KAAK,IAAI,EAAE,CAAC;oBAC9B,UAAU,GAAG,gBAAgB,CAAC,eAAe,CAAC,CAAC;gBAChD,CAAC;gBAED,MAAM,OAAO,GAAa,CAAC,SAAS,IAAI,EAAE,CAAC;qBACzC,KAAK,CAAC,GAAG,CAAC;qBACV,GAAG,CAAC,UAAS,CAAC;oBACd,OAAM,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC;gBAClB,CAAC,CAAC;qBACD,MAAM,CAAC,UAAS,CAAC;oBACjB,OAAM,CAAC,CAAC,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC;gBACtB,CAAC,CAAC,CAAC;gBAEJ,mBAAmB;gBACnB,MAAM,OAAO,GAAG,MAAM,aAAa,CAAC,GAAG,EAAE,0CAA0C,EAAE;oBACpF,OAAM,CAAC,EAAE,IAAI,EAAE,UAAU,EAAE,UAAU,EAAE,IAAI,EAAE,OAAO,EAAE,CAAC,CAAC;gBACzD,CAAC,CAAC,CAAC;gBAEH,YAAY,CAAC,OAAO,CAAC,CAAC;gBACtB,MAAM,IAAI,GAAG,OAAO,CAAC;gBAErB,gDAAgD;gBAChD,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,GAAG,gBAAgB,CAAC,YAAY,EAAE,OAAO,EAAE,UAAU,EAAE,KAAK,CAAC,CAAC;gBACtF,MAAM,KAAK,GAAG,MAAM,CAAC,QAAQ,CAAC,UAAU,CAAC,CAAC;gBAE1C,+DAA+D;gBAC/D,IAAI,UAAU,GAAuB,IAAI,CAAC;gBAC1C,IAAI,OAAO,CAAC,cAAc,EAAE,CAAC;oBAC5B,UAAU,GAAG,MAAM,OAAO,CAAC,cAAc,CAAC,KAAK,CAAC,CAAC;gBAClD,CAAC;gBAED,MAAM,eAAe,GAAG,UAAU,IAAI,MAAM,CAAC;gBAC7C,0CAA0C;gBAC1C,MAAM,IAAI,GAAG,uBAAuB,CAAC,QAAQ,CAAC,CAAC;gBAC/C,MAAM,UAAU,GAAG,IAAI,CAAC,UAAU,CAAC;gBACnC,IAAI,UAAU,GAAG,eAAe,CAAC,aAAa,EAAE,CAAC;oBAChD,MAAK,CAAC,IAAI,MAAM,CAAC,aAAa,CAAC;wBAC9B,SAAS,EAAE,eAAe;wBAC1B,KAAK,EAAE,eAAe,CAAC,aAAa;wBACpC,OAAO,EAAE,UAAU;qBACnB,CAAC,CAAC,CAAC;gBACL,CAAC;gBAED,MAAM,eAAe,GAAG,kBAAkB,CAAC,UAAU,EAAE,UAAU,CAAC,CAAC;gBACnE,MAAM,sBAAsB,GAAG,CAAC,CAAC,MAAM,CAAC,eAAe,CAAC;gBACxD,MAAM,qBAAqB,GAAG,eAAe,IAAI,UAAU,KAAK,QAAQ,CAAC;gBACzE,IAAI,sBAAsB,IAAI,qBAAqB,EAAE,CAAC;oBACrD,IAAI,CAAC;wBACJ,MAAM,SAAS,GAAG,kBAAkB,CAAC,mBAAmB,CAAC,IAAI,EAAE,CAAC,aAAa,CAAC,CAAC,CAAC;wBAEhF,IAAI,MAAM,CAAC,eAAe,EAAE,CAAC;4BAC5B,MAAM,CAAC,eAAe,CAAC,MAAM,EAAE,EAAE,SAAS,EAAE,KAAK,EAAE,OAAO,EAAE,QAAQ,EAAE,EAAE,KAAK,EAAE,IAAI,EAAE,UAAU,EAAE,EAAE,SAAS,EAAE,CAAC,CAAC;wBACjH,CAAC;wBAED,IAAI,qBAAqB,EAAE,CAAC;4BAC3B,MAAM,SAAS,GAAG,MAAM,SAAS,CAAC,YAAY,EAAE,CAAC;4BACjD,IAAI,eAAe,EAAE,CAAC;gCACrB,sDAAsD;gCACtD,MAAM,EAAE,OAAO,EAAE,QAAQ,EAAE,GAAG,qBAAqB,CAAC,SAAS,CAAC,CAAC;gCAC/D,MAAM,kBAAkB,GAAG,sBAAsB,CAAC,UAAU,EAAE,UAAU,CAAC,CAAC;gCAC1E,KAAK,MAAM,SAAS,IAAI,kBAAkB,EAAE,CAAC;oCAC5C,MAAM,MAAM,GAAG,MAAM,SAAS,CAAC,QAAQ,CAAC,UAAU,EAAE,OAAO,EAAE,QAAQ,CAAC,CAAC;oCACvE,IAAI,CAAC,MAAM,CAAC,KAAK,EAAE,CAAC;wCACnB,MAAK,CAAC,IAAI,MAAM,CAAC,gBAAgB,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC;oCAClD,CAAC;gCACF,CAAC;4BACF,CAAC;wBACF,CAAC;oBACF,CAAC;oBAAC,OAAO,CAAC,EAAE,CAAC;wBACZ,IAAI,MAAM,CAAC,eAAe,CAAC,UAAU,CAAC,CAAC,CAAC,EAAE,CAAC;4BAC1C,MAAK,CAAC,CAAC,CAAC,CAAC;wBACV,CAAC;wBACD,IAAI,MAAM,CAAC,gBAAgB,CAAC,UAAU,CAAC,CAAC,CAAC,EAAE,CAAC;4BAC3C,MAAK,CAAC,CAAC,CAAC,CAAC;wBACV,CAAC;wBACD,IAAI,uBAAuB,CAAC,UAAU,CAAC,CAAC,CAAC,EAAE,CAAC;4BAC3C,IAAI,CAAC,CAAC,IAAI,CAAC,UAAU,CAAC,YAAY,CAAC,EAAE,CAAC;gCACrC,MAAK,CAAC,IAAI,MAAM,CAAC,gBAAgB,CAAC,gCAAgC,CAAC,CAAC,OAAO,EAAE,CAAC,CAAC,CAAC;4BACjF,CAAC;4BACD,IAAI,CAAC,CAAC,IAAI,KAAK,iBAAiB,IAAI,CAAC,CAAC,IAAI,KAAK,mBAAmB,EAAE,CAAC;gCACpE,MAAK,CAAC,IAAI,MAAM,CAAC,uBAAuB,EAAE,CAAC,CAAC;4BAC7C,CAAC;wBACF,CAAC;wBACD,MAAK,CAAC,CAAC,CAAC,CAAC;oBACV,CAAC;gBACF,CAAC;gBAED,8BAA8B;gBAC9B,MAAM,WAAW,GAAG,MAAM,OAAO,CAAC,aAAa,CAAC,KAAK,EAAE,UAAU,EAAE,UAAU,EAAE;oBAC9E,WAAW,EAAE;wBACZ,iBAAiB,EAAE,eAAe,CAAC,iBAAiB;wBACpD,iBAAiB,EAAE,eAAe,CAAC,iBAAiB;qBACpD;iBACD,CAAC,CAAC;gBAEH,IAAI,cAAqC,CAAC;gBAC1C,IAAI,CAAC;oBACJ,cAAc,GAAG,MAAM,OAAO,CAAC,GAAG,CAAC,UAAU,EAAE,IAAI,EAAE;wBACpD,KAAK;wBACL,IAAI;wBACJ,UAAU;qBACV,CAAC,CAAC;oBAEH,MAAM,OAAO,CAAC,YAAY,CAAC,WAAW,CAAC,EAAE,CAAC,CAAC;gBAC5C,CAAC;gBAAC,OAAO,CAAC,EAAE,CAAC;oBACZ,IAAI,CAAC;wBACJ,MAAM,OAAO,CAAC,aAAa,CAAC,WAAW,CAAC,EAAE,CAAC,CAAC;oBAC7C,CAAC;oBAAC,OAAO,YAAY,EAAE,CAAC;wBACvB;;2BAEG;wBACH,MAAM,EAAE,IAAI,CAAC,sCAAsC,EAAE,EAAE,aAAa,EAAE,WAAW,CAAC,EAAE,EAAE,KAAK,EAAE,YAAY,EAAE,CAAC,CAAC;oBAC9G,CAAC;oBACD,MAAK,CAAC,CAAC,CAAC,CAAC;gBACV,CAAC;gBAED,MAAM,QAAQ,GAAkC;oBAC/C,EAAE,EAAE,IAAI;oBACR,MAAM,EAAE,cAAc;iBACtB,CAAC;gBAEF,OAAM,CAAC,YAAY,CAAC,QAAQ,EAAE,mCAAmC,CAAC,CAAC,CAAC;YACrE,CAAC;SACD,CAAC;QAEF,yCAAyC;QACzC,MAAM,CAAC,oBAAoB,CAAC,GAAG,KAAK,WAAU,MAAM,EAAE,SAAS,EAAE,QAAQ,EAAE,GAAG;YAC7E,MAAM,EAAE,UAAU,EAAE,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,GAAG,MAAM,kBAAkB,CACvE,YAAY,EACZ,MAAM,EACN,GAAG,EACH,KAAK,EACL,0CAA0C,EAC1C,UAAS,IAAI,EAAE,MAAM;gBACpB,OAAM,CAAC,kCAAkC,CAAC,EAAE,IAAI,EAAE,OAAO,EAAE,MAAM,EAAE,CAAC,CAAC,CAAC;YACvE,CAAC,CACD,CAAC;YAEF,IAAI,MAAM,CAAC,eAAe,EAAE,CAAC;gBAC5B,MAAM,CAAC,eAAe,CAAC,MAAM,EAAE,EAAE,SAAS,EAAE,KAAK,EAAE,OAAO,EAAE,CAAC,CAAC;YAC/D,CAAC;YAED,MAAM,OAAO,GAA8B,EAAE,CAAC;YAC9C,IAAI,uBAAuB,EAAE,CAAC;gBAC7B,OAAO,CAAC,6BAA6B,CAAC,GAAG,uBAAuB,CAAC;YAClE,CAAC;YAED,MAAM,MAAM,GAAG,MAAM,aAAa,CAAC,UAAU,CAAC,CAAC;YAC/C,OAAM,CAAC;gBACN,OAAO;gBACP,MAAM,EAAE,MAAM,CAAC,IAAI;gBACnB,WAAW,EAAE,yBAAyB;aACtC,CAAC,CAAC;QACJ,CAAC,CAAC;QAEF,0CAA0C;QAC1C,MAAM,CAAC,uBAAuB,CAAC,GAAG,KAAK,WAAU,MAAM,EAAE,SAAS,EAAE,QAAQ,EAAE,GAAG;YAChF,MAAM,EAAE,UAAU,EAAE,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,GAAG,MAAM,kBAAkB,CACvE,YAAY,EACZ,MAAM,EACN,GAAG,EACH,QAAQ,EACR,6CAA6C,EAC7C,UAAS,IAAI,EAAE,MAAM;gBACpB,OAAM,CAAC,EAAE,IAAI,EAAE,OAAO,EAAE,MAAM,EAAE,CAAC,CAAC;YACnC,CAAC,CACD,CAAC;YAEF,IAAI,MAAM,CAAC,eAAe,EAAE,CAAC;gBAC5B,MAAM,CAAC,eAAe,CAAC,MAAM,EAAE,EAAE,SAAS,EAAE,QAAQ,EAAE,OAAO,EAAE,CAAC,CAAC;YAClE,CAAC;YAED,MAAM,OAAO,GAAG,MAAM,OAAO,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC;YACjD,MAAM,QAAQ,GAAqC;gBAClD,EAAE,EAAE,IAAI;gBACR,OAAO;aACP,CAAC;YAEF,OAAM,CAAC,YAAY,CAAC,QAAQ,EAAE,sCAAsC,CAAC,CAAC,CAAC;QACxE,CAAC,CAAC;QAEF,4CAA4C;QAC5C,MAAM,CAAC,sBAAsB,CAAC,GAAG,KAAK,WAAU,MAAM,EAAE,SAAS,EAAE,QAAQ,EAAE,GAAG;YAC/E,MAAM,EAAE,UAAU,EAAE,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,GAAG,MAAM,kBAAkB,CACvE,YAAY,EACZ,MAAM,EACN,GAAG,EACH,UAAU,EACV,0CAA0C,EAC1C,UAAS,IAAI,EAAE,MAAM;gBACpB,OAAM,CAAC,kCAAkC,CAAC,EAAE,IAAI,EAAE,OAAO,EAAE,MAAM,EAAE,CAAC,CAAC,CAAC;YACvE,CAAC,CACD,CAAC;YAEF,IAAI,MAAM,CAAC,eAAe,EAAE,CAAC;gBAC5B,MAAM,CAAC,eAAe,CAAC,MAAM,EAAE,EAAE,SAAS,EAAE,UAAU,EAAE,OAAO,EAAE,CAAC,CAAC;YACpE,CAAC;YAED,MAAM,MAAM,GAAG,MAAM,aAAa,CAAC,UAAU,CAAC,CAAC;YAC/C,OAAM,CAAC,YAAY,CAAC,EAAE,EAAE,EAAE,IAAI,EAAE,MAAM,EAAE,MAAM,CAAC,QAAQ,EAAE,EAAE,mCAAmC,CAAC,CAAC,CAAC;QAClG,CAAC,CAAC;QAEF,yEAAyE;QACzE,MAAM,CAAC,sBAAsB,CAAC,GAAG,KAAK,WAAU,MAAM,EAAE,QAAQ;YAC/D,MAAM,UAAU,GAAG,iBAAiB,CAAC,MAAM,CAAC,CAAC;YAC7C,MAAM,OAAO,GAAG,6CAA6C,CAAC,QAAQ,CAAC,CAAC;YAExE,MAAM,QAAQ,GAAG,qDAAqD,CAAC;gBACtE,IAAI,EAAE,UAAU;gBAChB,UAAU,EAAE,OAAO,CAAC,UAAU;gBAC9B,IAAI,EAAE,OAAO,CAAC,IAAI;aAClB,CAAC,CAAC;YACH,MAAM,OAAO,GAAG,MAAM,cAAc,CAAC,OAAO,EAAE,cAAa,OAAM,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;YAEhF,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,GAAG,gBAAgB,CAAC,YAAY,EAAE,OAAO,EAAE,UAAU,EAAE,gBAAgB,CAAC,CAAC;YAEjG,YAAY,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;YAE3B,MAAM,UAAU,GAAG,gBAAgB,CAAC,OAAO,CAAC,UAAU,CAAC,CAAC;YACxD,MAAM,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC;YAE1B,oDAAoD;YACpD,MAAM,QAAQ,GAAG,MAAM,aAAa,CAAC,UAAU,CAAC,CAAC;YACjD,IAAI,MAAM,CAAC,eAAe,EAAE,CAAC;gBAC5B,MAAM,CAAC,eAAe,CAAC,MAAM,EAAE,EAAE,SAAS,EAAE,gBAAgB,EAAE,OAAO,EAAE,QAAQ,EAAE,EAAE,KAAK,EAAE,QAAQ,CAAC,QAAQ,CAAC,KAAK,EAAE,IAAI,EAAE,UAAU,EAAE,EAAE,OAAO,EAAE,QAAQ,CAAC,QAAQ,EAAE,CAAC,CAAC;YACtK,CAAC;YAED,IAAI,CAAC,OAAO,CAAC,cAAc,EAAE,CAAC;gBAC7B,MAAK,CAAC,IAAI,MAAM,CAAC,qBAAqB,CAAC,gBAAgB,CAAC,CAAC,CAAC;YAC3D,CAAC;YAED,MAAM,OAAO,GAAG,MAAM,OAAO,CAAC,cAAc,CAAC,UAAU,EAAE,EAAE,IAAI,EAAE,UAAU,EAAE,CAAC,CAAC;YAC/E,IAAI,CAAC,OAAO,EAAE,CAAC;gBACd,MAAK,CAAC,IAAI,MAAM,CAAC,gBAAgB,EAAE,CAAC,CAAC;YACtC,CAAC;YAED,OAAM,CAAC,YAAY,CAAC,EAAE,EAAE,EAAE,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,EAAE,mCAAmC,CAAC,CAAC,CAAC;QAC1F,CAAC,CAAC;QAEF,wCAAwC;QACxC,MAAM,CAAC,kBAAkB,CAAC,GAAG,KAAK,WAAU,OAAO,EAAE,QAAQ;YAC5D,MAAM,OAAO,GAAG,qCAAqC,CAAC,QAAQ,CAAC,CAAC;YAChE,MAAM,OAAO,GAAG,MAAM,cAAc,CAAC,OAAO,EAAE,6CAA6C,CAAC,CAAC;YAC7F,MAAM,aAAa,GAAG,OAAO,CAAC,eAAe,CAAC,GAAG,EAAE,CAAC;YAEpD,0DAA0D;YAC1D,MAAM,eAAe,GAAG,OAAO,CAAC,QAAQ,CAAC,UAAU,KAAK,QAAQ,CAAC;YACjE,IAAI,eAAe,EAAE,CAAC;gBACrB,uFAAuF;gBACvF,iDAAiD;gBACjD,MAAM,cAAc,GAAG;oBACtB,GAAG,OAAO,CAAC,QAAQ;oBACnB,UAAU,EAAE,QAAiB;iBAC7B,CAAC;gBAEF,MAAM,OAAO,GAAG,MAAM,OAAO,CAAC,MAAM,CACnC,cAAc,EACd,kBAAkB,CAAC,OAAO,CAAC,UAAU,CAAC,CACtC,CAAC;gBAEF,mBAAmB,CAAC,OAAO,EAAE,EAAE,UAAU,EAAE,QAAQ,EAAE,CAAC,CAAC;gBAEvD,OAAM,CAAC,YAAY,CAAC,mBAAmB,CAAC,OAAO,CAAC,EAAE,sCAAsC,CAAC,CAAC,CAAC;YAC5F,CAAC;YAED,oDAAoD;YACpD,MAAM,cAAc,GAAG;gBACtB,GAAG,OAAO,CAAC,QAAQ;gBACnB,KAAK,EAAE,aAAa;aACpB,CAAC;YAEF,MAAM,OAAO,GAAG,MAAM,OAAO,CAAC,MAAM,CACnC,cAAc,EACd,kBAAkB,CAAC,OAAO,CAAC,UAAU,CAAC,CACtC,CAAC;YAEF,mBAAmB,CAAC,OAAO,EAAE,EAAE,KAAK,EAAE,aAAa,EAAE,CAAC,CAAC;YAEvD,OAAM,CAAC,YAAY,CAAC,mBAAmB,CAAC,OAAO,CAAC,EAAE,sCAAsC,CAAC,CAAC,CAAC;QAC5F,CAAC,CAAC;QAEF,oCAAoC;QACpC,MAAM,CAAC,gBAAgB,CAAC,GAAG,KAAK,WAAU,OAAO,EAAE,SAAS,EAAE,QAAQ,EAAE,GAAG;YAC1E,MAAM,OAAO,GAAG,MAAM,aAAa,CAClC,GAAG,EACH,4CAA4C,EAC5C,cAAa,OAAM,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,CAC1B,CAAC;YAEF,uFAAuF;YACvF,MAAM,KAAK,GAAG,OAAO,CAAC,eAAe,CAAC,GAAG,EAAE,CAAC;YAC5C,IAAI,UAAU,GAAuB,IAAI,CAAC;YAC1C,IAAI,OAAO,CAAC,cAAc,EAAE,CAAC;gBAC5B,UAAU,GAAG,MAAM,OAAO,CAAC,cAAc,CAAC,KAAK,CAAC,CAAC;YAClD,CAAC;YAED,MAAM,eAAe,GAAG,UAAU,IAAI,MAAM,CAAC;YAC7C,MAAM,aAAa,GAAG,MAAM,OAAO,CAAC,cAAc,CAAC,KAAK,CAAC,CAAC;YAE1D,uCAAuC;YACvC,IAAI,gBAAgB,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,eAAe,CAAC,iBAAiB,GAAG,aAAa,CAAC,WAAW,CAAC,CAAC;YAClG,IAAI,aAAa,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,eAAe,CAAC,iBAAiB,GAAG,aAAa,CAAC,SAAS,CAAC,CAAC;YAE7F,0EAA0E;YAC1E,IAAI,aAAa,CAAC,gBAAgB,KAAK,SAAS,IAAI,aAAa,CAAC,gBAAgB,GAAG,CAAC,EAAE,CAAC;gBACxF,gBAAgB,GAAG,IAAI,CAAC,GAAG,CAAC,aAAa,CAAC,gBAAgB,EAAE,gBAAgB,CAAC,CAAC;YAC/E,CAAC;YACD,IAAI,aAAa,CAAC,aAAa,KAAK,SAAS,IAAI,aAAa,CAAC,aAAa,GAAG,CAAC,EAAE,CAAC;gBAClF,aAAa,GAAG,IAAI,CAAC,GAAG,CAAC,aAAa,CAAC,aAAa,EAAE,aAAa,CAAC,CAAC;YACtE,CAAC;YAED,MAAM,QAAQ,GAAoC;gBACjD,EAAE,EAAE,IAAI;gBACR,KAAK,EAAE;oBACN,WAAW,EAAE,aAAa,CAAC,WAAW;oBACtC,SAAS,EAAE,aAAa,CAAC,SAAS;oBAClC,gBAAgB;oBAChB,aAAa;iBACb;aACD,CAAC;YAEF,OAAM,CAAC,YAAY,CAAC,QAAQ,EAAE,qCAAqC,CAAC,CAAC,CAAC;QACvE,CAAC,CAAC;QAEF,+DAA+D;QAC/D,MAAM,CAAC,oBAAoB,CAAC,GAAG,KAAK,WAAU,MAAM,EAAE,SAAS,EAAE,QAAQ,EAAE,GAAG;YAC7E,MAAM,UAAU,GAAG,iBAAiB,CAAC,MAAM,CAAC,CAAC;YAC7C,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,GAAG,SAAS,CAAC,YAAY,EAAE,UAAU,CAAC,CAAC;YAE/D,yDAAyD;YACzD,MAAM,SAAS,GAAG,qBAAqB,CAAC,GAAG,CAAC,CAAC;YAC7C,IAAI,CAAC,SAAS,CAAC,WAAW,EAAE,CAAC;gBAC5B,MAAK,CAAC,IAAI,MAAM,CAAC,gBAAgB,CAAC,uCAAuC,CAAC,CAAC,CAAC;YAC7E,CAAC;YAED,6FAA6F;YAC7F,MAAM,aAAa,GAAG,MAAM,CAAC,mBAAmB,CAAC,MAAM,CAAC,IAAI,SAAS,CAAC,OAAO,IAAI,IAAI,CAAC;YACtF,IAAI,CAAC,aAAa,EAAE,CAAC;gBACpB,MAAK,CAAC,IAAI,MAAM,CAAC,gBAAgB,CAAC,gBAAgB,CAAC,CAAC,CAAC;YACtD,CAAC;YACD,MAAM,YAAY,GAAG,aAAa,CAAC,eAAe,CAAC,GAAG,EAAE,CAAC;YAEzD,mCAAmC;YACnC,MAAM,SAAS,GAAG,OAAO,GAAG,KAAK,QAAQ,CAAC,CAAC,CAAC,IAAI,GAAG,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC;YAC/D,MAAM,YAAY,GAAG,SAAS,CAAC,YAAY,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;YAC3D,IAAI,CAAC,YAAY,EAAE,CAAC;gBACnB,MAAK,CAAC,IAAI,MAAM,CAAC,gBAAgB,CAAC,2BAA2B,CAAC,CAAC,CAAC;YACjE,CAAC;YACD,MAAM,SAAS,GAAG,QAAQ,CAAC,YAAY,EAAE,EAAE,CAAC,CAAC;YAC7C,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,SAAS,CAAC,EAAE,CAAC;gBACjC,MAAK,CAAC,IAAI,MAAM,CAAC,gBAAgB,CAAC,2BAA2B,CAAC,CAAC,CAAC;YACjE,CAAC;YACD,IAAI,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS,GAAG,IAAI,EAAE,CAAC;gBACnC,MAAK,CAAC,IAAI,MAAM,CAAC,gBAAgB,EAAE,CAAC,CAAC;YACtC,CAAC;YAED,sBAAsB;YACtB,MAAM,YAAY,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,GAAG,MAAM,CAAC,eAAe,CAAC;YAC5E,IAAI,SAAS,GAAG,YAAY,EAAE,CAAC;gBAC9B,MAAK,CAAC,IAAI,MAAM,CAAC,gBAAgB,CAAC,wCAAwC,CAAC,CAAC,CAAC;YAC9E,CAAC;YAED,gEAAgE;YAChE,MAAM,eAAe,GAAG,MAAM,CAAC,IAAI,CAAC,SAAS,CAAC,WAAW,CAAC,SAAS,EAAE,QAAQ,CAAC,CAAC;YAC/E,IAAI,eAAe,CAAC,MAAM,GAAG,EAAE,IAAI,eAAe,CAAC,MAAM,GAAG,GAAG,EAAE,CAAC;gBACjE,MAAK,CAAC,IAAI,MAAM,CAAC,gBAAgB,CAAC,0BAA0B,CAAC,CAAC,CAAC;YAChE,CAAC;YAED,IAAI,CAAC;gBACJ,2DAA2D;gBAC3D,MAAM,KAAK,GAAG,MAAM,gBAAgB,CAAC,aAAa,EAAE,CAAC,UAAU,EAAE,SAAS,EAAE,YAAY,CAAC,EAAE,SAAS,CAAC,WAAW,EAAE;oBACjH,SAAS,EAAE,CAAC,GAAG,EAAE,GAAG,IAAI;iBACxB,CAAC,CAAC;gBACH,IAAI,CAAC,KAAK,EAAE,CAAC;oBACZ,MAAK,CAAC,IAAI,MAAM,CAAC,gBAAgB,EAAE,CAAC,CAAC;gBACtC,CAAC;YACF,CAAC;YAAC,OAAO,CAAC,EAAE,CAAC;gBACZ,IAAI,MAAM,CAAC,gBAAgB,CAAC,UAAU,CAAC,CAAC,CAAC,EAAE,CAAC;oBAC3C,MAAK,CAAC,CAAC,CAAC,CAAC;gBACV,CAAC;gBAED,MAAK,CAAC,IAAI,MAAM,CAAC,gBAAgB,CAAC,+BAA+B,CAAC,CAAC,CAAC;YACrE,CAAC;YAED,IAAI,MAAM,CAAC,eAAe,EAAE,CAAC;gBAC5B,MAAM,CAAC,eAAe,CAAC,MAAM,EAAE,EAAE,SAAS,EAAE,KAAK,EAAE,OAAO,EAAE,aAAa,EAAE,CAAC,CAAC;YAC9E,CAAC;YAED,MAAM,MAAM,GAAG,MAAM,aAAa,CAAC,UAAU,CAAC,CAAC;YAC/C,IAAI,MAAM,CAAC,QAAQ,CAAC,UAAU,KAAK,QAAQ,EAAE,CAAC;gBAC7C,MAAK,CAAC,IAAI,MAAM,CAAC,YAAY,CAAC,sBAAsB,CAAC,CAAC,CAAC;YACxD,CAAC;YAED,2EAA2E;YAC3E,MAAM,IAAI,GAAG,uBAAuB,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;YAClD,MAAM,SAAS,GAAG,kBAAkB,CAAC,mBAAmB,CAAC,IAAI,EAAE,CAAC,aAAa,CAAC,CAAC,CAAC;YAChF,MAAM,SAAS,GAAG,MAAM,SAAS,CAAC,YAAY,EAAE,CAAC;YACjD,MAAM,EAAE,OAAO,EAAE,QAAQ,EAAE,GAAG,qBAAqB,CAAC,SAAS,CAAC,CAAC;YAE/D,MAAM,OAAO,GAA8B,EAAE,CAAC;YAC9C,IAAI,gBAAgB,EAAE,CAAC;gBACtB,OAAO,CAAC,6BAA6B,CAAC,GAAG,gBAAgB,CAAC;YAC3D,CAAC;YAED,OAAM,CAAC;gBACN,MAAM,EAAE,OAAO;gBACf,WAAW,EAAE,QAAQ;gBACrB,OAAO;aACP,CAAC,CAAC;QACJ,CAAC,CAAC;QAEF,aAAa;QAEb,OAAM,CAAC,MAAM,CAAC,CAAC;IAChB,CAAC;IAED,KAAK,CAAC,eAAe;QACpB,MAAM,YAAY,GAAG,EAAE,OAAO,EAAE,EAAE,cAAc,EAAE,EAAE,IAAI,EAAE,UAAmB,EAAE,MAAM,EAAE,eAAwB,EAAE,EAAC,EAAC,CAAC;QACpH,MAAM,UAAU,GAA8E;YAC7F,GAAG,EAAE,EAAE,GAAG,EAAE,CAAC,IAAI,GAAG,CAAC,aAAa,EAAE,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,QAAQ,EAAE,EAAE,GAAG,YAAY,EAAE;YAC5E,GAAG,EAAE,EAAE,GAAG,EAAE,CAAC,IAAI,GAAG,CAAC,aAAa,EAAE,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,QAAQ,EAAE,EAAE,GAAG,YAAY,EAAE;YAC5E,MAAM,EAAE,EAAE,GAAG,EAAE,CAAC,IAAI,GAAG,CAAC,aAAa,EAAE,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,QAAQ,EAAE,EAAE,GAAG,YAAY,EAAE;YAC/E,QAAQ,EAAE,EAAE,GAAG,EAAE,CAAC,IAAI,GAAG,CAAC,eAAe,EAAE,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,QAAQ,EAAE,EAAE,GAAG,YAAY,EAAE;YACnF,cAAc,EAAE,EAAE,GAAG,EAAE,CAAC,IAAI,GAAG,CAAC,eAAe,EAAE,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,QAAQ,EAAE,EAAE,GAAG,YAAY,EAAE;YACzF,MAAM,EAAE,EAAE,GAAG,EAAE,CAAC,IAAI,GAAG,CAAC,aAAa,EAAE,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,QAAQ,EAAE,EAAE,GAAG,YAAY,EAAE;YAC/E,MAAM,EAAE,CAAC,IAAI,GAAG,CAAC,aAAa,EAAE,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,QAAQ,EAAE;YACrD,KAAK,EAAE,EAAE,GAAG,EAAE,CAAC,IAAI,GAAG,CAAC,YAAY,EAAE,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,QAAQ,EAAE,EAAE,GAAG,YAAY,EAAE;SAC7E,CAAC;QAEF,OAAM,CAAC;YACN,UAAU;YACV,aAAa,EAAE,IAAI,CAAC,aAAa,CAAC,eAAe,CAAC,GAAG,EAAE;YACvD,MAAM,EAAE,IAAI,CAAC,MAAM;YACnB,mBAAmB,EAAE,IAAI,CAAC,mBAAmB;YAC7C,gBAAgB,EAAE,CAAC,OAAO,EAAE,MAAM,EAAE,YAAY,EAAE,YAAY,CAAC;SAC/D,CAAC,CAAC;IACJ,CAAC;CACD","sourcesContent":["import type { ServiceMetadata } from '../../lib/resolver.ts';\nimport type { Signable } from '../../lib/utils/signing.js';\nimport type { NamespaceValidator } from './lib/validators.js';\nimport * as KeetaAnchorHTTPServer from '../../lib/http-server/index.js';\nimport { KeetaNet } from '../../client/index.js';\nimport {\n\tKeetaAnchorUserError\n} from '../../lib/error.js';\nimport type {\n\tKeetaStorageAnchorDeleteResponse,\n\tKeetaStorageAnchorPutResponse,\n\tKeetaStorageAnchorSearchResponse,\n\tKeetaStorageAnchorQuotaResponse,\n\tFullStorageBackend,\n\tQuotaConfig,\n\tQuotaLimits,\n\tStorageOperation,\n\tStorageObjectVisibility,\n\tStorageObjectMetadata,\n\tPathPolicy,\n\tSearchResults,\n\tStorageGetResult,\n\tSearchPagination\n} from './common.ts';\nimport {\n\tassertKeetaStorageAnchorDeleteResponse,\n\tassertKeetaStorageAnchorPutResponse,\n\tassertKeetaStorageAnchorGetRequest,\n\tassertKeetaStorageAnchorSearchRequest,\n\tassertKeetaStorageAnchorSearchResponse,\n\tassertKeetaStorageAnchorQuotaResponse,\n\tassertKeetaStorageAnchorUpdateMetadataRequest\n} from './common.generated.js';\nimport {\n\tgetKeetaStorageAnchorDeleteRequestSigningData,\n\tgetKeetaStorageAnchorPutRequestSigningData,\n\tgetKeetaStorageAnchorGetRequestSigningData,\n\tgetKeetaStorageAnchorSearchRequestSigningData,\n\tgetKeetaStorageAnchorQuotaRequestSigningData,\n\tgetKeetaStorageAnchorUpdateMetadataRequestSigningData,\n\tparseContainerPayload,\n\tErrors,\n\tCONTENT_TYPE_OCTET_STREAM,\n\tDEFAULT_SIGNED_URL_TTL_SECONDS\n} from './common.js';\nimport { VerifySignedData } from '../../lib/utils/signing.js';\nimport { assertHTTPSignedField, parseSignatureFromURL } from '../../lib/http-server/common.js';\nimport { arrayBufferLikeToBuffer, Buffer } from '../../lib/utils/buffer.js';\nimport { requiresValidation, findMatchingValidators } from './lib/validators.js';\nimport { EncryptedContainer, EncryptedContainerError } from '../../lib/encrypted-container.js';\nimport { assertVisibility } from './utils.js';\n\ntype Account = InstanceType<typeof KeetaNet.lib.Account>;\n\n/**\n * Build a standardized search response from search results.\n */\nfunction buildSearchResponse(results: SearchResults): KeetaStorageAnchorSearchResponse {\n\tconst response: KeetaStorageAnchorSearchResponse = {\n\t\tok: true,\n\t\tresults: results.results\n\t};\n\tif (results.nextCursor !== undefined) {\n\t\tresponse.nextCursor = results.nextCursor;\n\t}\n\treturn(response);\n}\n\n// #region Module-Level Helpers\n\n/**\n * Find a matching policy for a path, validate it, and check access.\n *\n * @param pathPolicies - Array of path policies to check against\n * @param account - The account to check access for\n * @param path - The path to check\n * @param operation - The operation being performed\n */\nfunction assertPathAccess(\n\tpathPolicies: PathPolicy<unknown>[],\n\taccount: Account,\n\tpath: string,\n\toperation: StorageOperation\n): { policy: PathPolicy<unknown>; parsed: unknown } {\n\tfor (const policy of pathPolicies) {\n\t\tconst parsed = policy.parse(path);\n\t\tif (parsed !== null) {\n\t\t\tpolicy.validate(path);\n\n\t\t\tif (!policy.checkAccess(account, parsed, operation)) {\n\t\t\t\tthrow(new Errors.AccessDenied('Can only access your own namespace'));\n\t\t\t}\n\n\t\t\treturn({ policy, parsed });\n\t\t}\n\t}\n\n\tthrow(new Errors.InvalidPath('Path does not match any policy'));\n}\n\n/**\n * Find a matching policy and parse a path.\n * Used for public endpoints where auth is optional.\n *\n * @param pathPolicies - Array of path policies to check against\n * @param path - The path to parse\n */\nfunction parsePath(\n\tpathPolicies: PathPolicy<unknown>[],\n\tpath: string\n): { policy: PathPolicy<unknown>; parsed: unknown } {\n\tfor (const policy of pathPolicies) {\n\t\tconst parsed = policy.parse(path);\n\t\tif (parsed !== null) {\n\t\t\tpolicy.validate(path);\n\t\t\treturn({ policy, parsed });\n\t\t}\n\t}\n\n\tthrow(new Errors.InvalidPath('Path does not match any policy'));\n}\n\n/**\n * Verify a signed request from POST body.\n * Extracts account and signature from the request, verifies the signature,\n * and returns the authenticated account.\n *\n * @typeParam T - Request type containing optional account and signed fields\n *\n * @param request - The request object containing account and signed fields\n * @param getSigningData - Function to extract signable data from the request\n *\n * @returns The authenticated account\n *\n * @throws KeetaAnchorUserError if authentication is missing or invalid\n */\nasync function verifyBodyAuth<T extends { account?: string; signed?: unknown }>(\n\trequest: T,\n\tgetSigningData: (req: T) => Signable\n): Promise<Account> {\n\tif (!request.account || !request.signed) {\n\t\tthrow(new KeetaAnchorUserError('Authentication required'));\n\t}\n\n\tconst account = KeetaNet.lib.Account.fromPublicKeyString(request.account).assertAccount();\n\tconst signable = getSigningData(request);\n\tconst signed = assertHTTPSignedField(request.signed);\n\n\tconst valid = await VerifySignedData(account, signable, signed);\n\tif (!valid) {\n\t\tthrow(new KeetaAnchorUserError('Invalid signature'));\n\t}\n\n\treturn(account);\n}\n\n/**\n * Verify a signed request from URL query parameters.\n * Parses signature from URL, builds a request object, verifies the signature,\n * and returns the authenticated account.\n *\n * @typeParam T - Request type to build from the account public key\n *\n * @param url - The URL containing signature query parameters\n * @param getSigningData - Function to extract signable data from the request\n * @param buildRequest - Function to build a request object from the account public key\n *\n * @returns The authenticated account\n *\n * @throws KeetaAnchorUserError if authentication is missing or invalid\n */\nasync function verifyURLAuth<T>(\n\turl: URL | string,\n\tgetSigningData: (req: T) => Signable,\n\tbuildRequest: (accountPubKey: string) => T\n): Promise<Account> {\n\tlet urlString: string;\n\tif (typeof url === 'string') {\n\t\turlString = url;\n\t} else {\n\t\turlString = url.href;\n\t}\n\n\tconst parsed = parseSignatureFromURL(urlString);\n\tif (!parsed.account || !parsed.signedField) {\n\t\tthrow(new KeetaAnchorUserError('Authentication required'));\n\t}\n\n\tconst request = buildRequest(parsed.account.publicKeyString.get());\n\tconst signable = getSigningData(request);\n\n\tconst valid = await VerifySignedData(parsed.account, signable, parsed.signedField);\n\tif (!valid) {\n\t\tthrow(new KeetaAnchorUserError('Invalid signature'));\n\t}\n\n\treturn(parsed.account);\n}\n\n/**\n * Extract object path from wildcard route parameter.\n * Prepends a leading slash to create a valid storage path.\n *\n * @param params - Route parameters containing the wildcard match\n *\n * @returns The object path with leading slash\n *\n * @throws InvalidPath if wildcard parameter is missing\n */\nfunction extractObjectPath(params: Map<string, string>): string {\n\tconst wildcardPath = params.get('**');\n\tif (!wildcardPath) {\n\t\tthrow(new Errors.InvalidPath());\n\t}\n\n\treturn('/' + wildcardPath);\n}\n\n/**\n * Authorize access to an object path via URL-signed request.\n * Combines path validation, signature verification, and access control.\n *\n * @typeParam T - Request type to build from path and account\n *\n * @param pathPolicies - Array of path policies to check against\n * @param params - Route parameters containing the wildcard path\n * @param url - The URL containing signature query parameters\n * @param operation - The operation being authorized\n * @param getSigningData - Function to extract signable data from the request\n * @param buildRequest - Function to build a request object from path and account\n *\n * @returns The authenticated account and validated object path\n *\n * @throws InvalidPath if path is invalid or doesn't match any policy\n * @throws AccessDenied if user doesn't have access to the path\n * @throws KeetaAnchorUserError if signature is invalid\n */\nasync function authorizeURLAccess<T>(\n\tpathPolicies: PathPolicy<unknown>[],\n\tparams: Map<string, string>,\n\turl: URL | string,\n\toperation: StorageOperation,\n\tgetSigningData: (req: T) => Signable,\n\tbuildRequest: (path: string, accountPubKey: string) => T\n): Promise<{ account: Account; objectPath: string; policy: PathPolicy<unknown>; parsed: unknown }> {\n\tconst objectPath = extractObjectPath(params);\n\tconst { policy, parsed } = parsePath(pathPolicies, objectPath);\n\n\tconst account = await verifyURLAuth(url, getSigningData, function(pubKey) {\n\t\treturn(buildRequest(objectPath, pubKey));\n\t});\n\n\tif (!policy.checkAccess(account, parsed, operation)) {\n\t\tthrow(new Errors.AccessDenied('Can only access your own namespace'));\n\t}\n\n\treturn({ account, objectPath, policy, parsed });\n}\n\n// #endregion\n\n/**\n * Configuration for the Storage Anchor\n *\n * The Storage Anchor provides encrypted object storage with the following operations:\n *\n * PUT (Create/Update):\n * 1. Client creates EncryptedContainer with data, shares with anchor for public objects\n * 2. Client signs request (path, visibility, tags) and sends to server\n * 3. Server reserves quota, validates, stores object, commits reservation\n *\n * GET (Retrieve):\n * 1. Client signs request (path) and sends to server\n * 2. Server verifies access, returns EncryptedContainer\n * 3. Client decrypts with their private key\n *\n * DELETE:\n * 1. Client signs request (path) and sends to server\n * 2. Server verifies ownership, removes object\n *\n * SEARCH:\n * 1. Client signs request with criteria (tags, prefix, etc.)\n * 2. Server returns matching metadata (scoped to user's namespace)\n *\n * PUBLIC ACCESS (Pre-signed URLs):\n * 1. Client generates pre-signed URL with expiry, signed by owner\n * 2. Anyone can fetch via URL (no auth headers)\n * 3. Server verifies signature, expiry, and visibility\n * 4. Server decrypts and returns plaintext content\n *\n *\n * +-------------------+ +---------------------+ +------------------+\n * | Client | | Storage Anchor | | Storage Backend |\n * +-------------------+ +---------------------+ +------------------+\n * | | |\n * (PUT) Create EncryptedContainer | |\n * | Sign(path, visibility, tags) | |\n * |---------------------------------->| |\n * | | reserveUpload() ---------------->|\n * | | validate, put() ---------------->|\n * | | commitUpload() ----------------->|\n * |<--------------------------------- | { ok: true, object: metadata } |\n * | | |\n * (GET) Sign(path) ------------------------>| |\n * | | get() -------------------------->|\n * |<--------------------------------- | EncryptedContainer (binary) |\n * | Decrypt with private key | |\n * | | |\n * (PUBLIC) Generate pre-signed URL | |\n * | URL with expires, signature | |\n * (Anyone) Fetch URL ---------------------->| |\n * | | verify signature, expiry |\n * | | get(), decrypt ----------------->|\n * |<--------------------------------- | Plaintext content |\n */\nexport interface KeetaAnchorStorageServerConfig extends KeetaAnchorHTTPServer.KeetaAnchorHTTPServerConfig {\n\t/**\n\t * The data to use for the index page (optional)\n\t */\n\thomepage?: string | (() => Promise<string> | string);\n\n\t/**\n\t * The storage backend to use for storing documents.\n\t * Must implement full capabilities: CRUD, search, and quota management.\n\t */\n\tbackend: FullStorageBackend;\n\n\t/**\n\t * The anchor's account for decrypting objects.\n\t */\n\tanchorAccount: Account;\n\n\t/**\n\t * Quota configuration for storage limits.\n\t * Partial values are merged with defaults.\n\t */\n\tquotas?: Partial<QuotaConfig>;\n\n\t/**\n\t * Namespace validators for special paths\n\t */\n\tvalidators?: NamespaceValidator[];\n\n\t/**\n\t * Default TTL in seconds for pre-signed URLs (default: 3600)\n\t */\n\tsignedUrlDefaultTTL?: number;\n\n\t/**\n\t * CORS origin for public endpoints (default: false).\n\t * - '*' allows all origins\n\t * - specific origin string restricts to that origin\n\t * - false (default) disables CORS headers on public responses\n\t */\n\tpublicCORSOrigin?: string | false;\n\n\t/**\n\t * CORS origin for authenticated object endpoints (default: '*').\n\t * - '*' allows all origins\n\t * - specific origin string restricts to that origin\n\t */\n\tauthenticatedCORSOrigin?: string;\n\n\t/**\n\t * Path policies for parsing, validating, and access control of storage paths.\n\t * Each policy handles a specific path pattern. First matching policy wins.\n\t */\n\tpathPolicies: PathPolicy<unknown>[];\n\n\t/**\n\t * Tag validation configuration.\n\t */\n\ttagValidation?: {\n\t\t/** Maximum number of tags per object (default: 10) */\n\t\tmaxTags?: number;\n\t\t/** Maximum length of each tag (default: 50) */\n\t\tmaxTagLength?: number;\n\t\t/** Pattern for valid tag characters (default: /^[a-zA-Z0-9_-]+$/) */\n\t\tpattern?: RegExp;\n\t};\n}\n\n// Default quota configuration\nconst DEFAULT_QUOTAS: QuotaConfig = {\n\tmaxObjectSize: 10 * 1024 * 1024, // 10MB\n\tmaxObjectsPerUser: 1000,\n\tmaxStoragePerUser: 100 * 1024 * 1024, // 100MB\n\tmaxSearchLimit: 100,\n\tmaxSignedUrlTTL: 86400 // 24 hours\n};\n\n// Default tag validation configuration\nconst DEFAULT_TAG_VALIDATION = {\n\tmaxTags: 10,\n\tmaxTagLength: 50,\n\tpattern: /^[a-zA-Z0-9_-]+$/\n};\n\nexport class KeetaNetStorageAnchorHTTPServer extends KeetaAnchorHTTPServer.KeetaNetAnchorHTTPServer<KeetaAnchorStorageServerConfig> {\n\treadonly homepage: NonNullable<KeetaAnchorStorageServerConfig['homepage']>;\n\treadonly backend: FullStorageBackend;\n\treadonly anchorAccount: Account;\n\treadonly quotas: QuotaConfig;\n\treadonly validators: NamespaceValidator[];\n\treadonly signedUrlDefaultTTL: number;\n\treadonly publicCorsOrigin: string | false;\n\treadonly authenticatedCorsOrigin: string;\n\treadonly pathPolicies: PathPolicy<unknown>[];\n\treadonly tagValidation: Required<NonNullable<KeetaAnchorStorageServerConfig['tagValidation']>>;\n\n\tconstructor(config: KeetaAnchorStorageServerConfig) {\n\t\tsuper(config);\n\n\t\tthis.homepage = config.homepage ?? '';\n\t\tthis.backend = config.backend;\n\t\tthis.anchorAccount = config.anchorAccount;\n\t\tthis.quotas = { ...DEFAULT_QUOTAS, ...config.quotas };\n\t\tthis.validators = config.validators ?? [];\n\t\tthis.signedUrlDefaultTTL = config.signedUrlDefaultTTL ?? DEFAULT_SIGNED_URL_TTL_SECONDS;\n\t\tthis.publicCorsOrigin = config.publicCORSOrigin ?? false;\n\t\tthis.authenticatedCorsOrigin = config.authenticatedCORSOrigin ?? '*';\n\t\tthis.pathPolicies = config.pathPolicies;\n\t\tthis.tagValidation = {\n\t\t\tmaxTags: config.tagValidation?.maxTags ?? DEFAULT_TAG_VALIDATION.maxTags,\n\t\t\tmaxTagLength: config.tagValidation?.maxTagLength ?? DEFAULT_TAG_VALIDATION.maxTagLength,\n\t\t\tpattern: config.tagValidation?.pattern ?? DEFAULT_TAG_VALIDATION.pattern\n\t\t};\n\n\t\t// Validate anchorAccount has private key\n\t\tif (!this.anchorAccount.hasPrivateKey) {\n\t\t\tthrow(new Error('anchorAccount must have a private key'));\n\t\t}\n\n\t\t// Validate at least one path policy is provided\n\t\tif (this.pathPolicies.length === 0) {\n\t\t\tthrow(new Error('At least one path policy must be provided'));\n\t\t}\n\n\t\t// Validate quota configuration values are positive\n\t\tif (this.quotas.maxObjectSize <= 0) {\n\t\t\tthrow(new Error('quotas.maxObjectSize must be positive'));\n\t\t}\n\t\tif (this.quotas.maxObjectsPerUser <= 0) {\n\t\t\tthrow(new Error('quotas.maxObjectsPerUser must be positive'));\n\t\t}\n\t\tif (this.quotas.maxStoragePerUser <= 0) {\n\t\t\tthrow(new Error('quotas.maxStoragePerUser must be positive'));\n\t\t}\n\t\tif (this.quotas.maxSearchLimit <= 0) {\n\t\t\tthrow(new Error('quotas.maxSearchLimit must be positive'));\n\t\t}\n\t\tif (this.quotas.maxSignedUrlTTL <= 0) {\n\t\t\tthrow(new Error('quotas.maxSignedUrlTTL must be positive'));\n\t\t}\n\n\t\t// Validate tag validation configuration\n\t\tif (this.tagValidation.maxTags <= 0) {\n\t\t\tthrow(new Error('tagValidation.maxTags must be positive'));\n\t\t}\n\t\tif (this.tagValidation.maxTagLength <= 0) {\n\t\t\tthrow(new Error('tagValidation.maxTagLength must be positive'));\n\t\t}\n\t}\n\n\t// Note: We use this.* properties instead of config.*.\n\t// The config parameter is required by the abstract method signature but unused here.\n\tprotected async initRoutes(_ignoreConfig: KeetaAnchorStorageServerConfig): Promise<KeetaAnchorHTTPServer.Routes> {\n\t\tconst routes: KeetaAnchorHTTPServer.Routes = {};\n\t\tconst backend = this.backend;\n\t\tconst anchorAccount = this.anchorAccount;\n\t\tconst quotas = this.quotas;\n\t\tconst validators = this.validators;\n\t\tconst publicCorsOrigin = this.publicCorsOrigin;\n\t\tconst authenticatedCorsOrigin = this.authenticatedCorsOrigin;\n\t\tconst pathPolicies = this.pathPolicies;\n\t\tconst tagValidation = this.tagValidation;\n\t\tconst logger = this.logger;\n\n\t\t/**\n\t\t * Validate tags against configured limits.\n\t\t * @throws Errors.InvalidTag if any tag violates constraints\n\t\t */\n\t\tfunction validateTags(tags: string[]): void {\n\t\t\tconst { maxTags, maxTagLength, pattern: tagPattern } = tagValidation;\n\t\t\tfor (const tag of tags) {\n\t\t\t\tif (tag.length > maxTagLength) {\n\t\t\t\t\tthrow(new Errors.InvalidTag(`Tag exceeds maximum length of ${maxTagLength}: \"${tag}\"`));\n\t\t\t\t}\n\t\t\t\ttagPattern.lastIndex = 0;\n\t\t\t\tif (!tagPattern.test(tag)) {\n\t\t\t\t\tthrow(new Errors.InvalidTag(`Tag contains invalid characters: \"${tag}\"`));\n\t\t\t\t}\n\t\t\t}\n\t\t\tif (tags.length > maxTags) {\n\t\t\t\tthrow(new Errors.InvalidTag(`Too many tags: ${tags.length} exceeds maximum of ${maxTags}`));\n\t\t\t}\n\t\t}\n\n\t\t/**\n\t\t * Build a JSON response with assertion.\n\t\t */\n\t\tfunction jsonResponse<T>(response: T, assertionHandler: (input: unknown) => T): { output: string } {\n\t\t\treturn({ output: JSON.stringify(assertionHandler(response)) });\n\t\t}\n\n\t\t/**\n\t\t * Get an object or throw DocumentNotFound.\n\t\t */\n\t\tasync function requireObject(path: string): Promise<StorageGetResult> {\n\t\t\tconst result = await backend.get(path);\n\t\t\tif (!result) {\n\t\t\t\tthrow(new Errors.DocumentNotFound());\n\t\t\t}\n\n\t\t\treturn(result);\n\t\t}\n\n\t\t/**\n\t\t * Enforce server-side search limit cap.\n\t\t */\n\t\tfunction enforceSearchLimit(pagination: SearchPagination | undefined): SearchPagination {\n\t\t\tconst requestedLimit = pagination?.limit ?? quotas.maxSearchLimit;\n\t\t\treturn({ ...pagination, limit: Math.min(requestedLimit, quotas.maxSearchLimit) });\n\t\t}\n\n\t\t/**\n\t\t * Validate search results match expected constraints.\n\t\t */\n\t\tfunction assertSearchResults(\n\t\t\tresults: SearchResults,\n\t\t\tconstraint: { visibility?: 'public'; owner?: string }\n\t\t): void {\n\t\t\tfor (const obj of results.results) {\n\t\t\t\tif (constraint.visibility && obj.visibility !== constraint.visibility) {\n\t\t\t\t\tthrow(new Errors.InvariantViolation(\n\t\t\t\t\t\t`Backend returned ${obj.visibility} object in ${constraint.visibility} search`\n\t\t\t\t\t));\n\t\t\t\t}\n\t\t\t\tif (constraint.owner && obj.owner !== constraint.owner) {\n\t\t\t\t\tthrow(new Errors.InvariantViolation(\n\t\t\t\t\t\t`Backend returned object owned by ${obj.owner} in search for ${constraint.owner}`\n\t\t\t\t\t));\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\n\t\t/**\n\t\t * If a homepage is provided, setup the route for it\n\t\t */\n\t\tconst homepage = this.homepage;\n\t\tif (homepage) {\n\t\t\troutes['GET /'] = async function() {\n\t\t\t\tlet homepageData: string;\n\t\t\t\tif (typeof homepage === 'string') {\n\t\t\t\t\thomepageData = homepage;\n\t\t\t\t} else {\n\t\t\t\t\thomepageData = await homepage();\n\t\t\t\t}\n\n\t\t\t\treturn({\n\t\t\t\t\toutput: homepageData,\n\t\t\t\t\tcontentType: 'text/html'\n\t\t\t\t});\n\t\t\t};\n\t\t}\n\n\t\t// #region API Routes\n\n\t\t// PUT /api/object/* - Create or update an object\n\t\troutes['PUT /api/object/**'] = {\n\t\t\tbodyType: 'raw',\n\t\t\tmaxBodySize: quotas.maxObjectSize,\n\t\t\thandler: async function(params, postData, _headers, url) {\n\t\t\t\tconst objectPath = extractObjectPath(params);\n\n\t\t\t\t// Get metadata from query params\n\t\t\t\tconst parsedUrl = new URL(url);\n\t\t\t\tconst visibilityParam = parsedUrl.searchParams.get('visibility');\n\t\t\t\tconst tagsParam = parsedUrl.searchParams.get('tags');\n\n\t\t\t\t// Default to private when absent, assert valid value otherwise\n\t\t\t\tlet visibility: StorageObjectVisibility = 'private';\n\t\t\t\tif (visibilityParam !== null) {\n\t\t\t\t\tvisibility = assertVisibility(visibilityParam);\n\t\t\t\t}\n\n\t\t\t\tconst rawTags: string[] = (tagsParam ?? '')\n\t\t\t\t\t.split(',')\n\t\t\t\t\t.map(function(t) {\n\t\t\t\t\t\treturn(t.trim());\n\t\t\t\t\t})\n\t\t\t\t\t.filter(function(t) {\n\t\t\t\t\t\treturn(t.length > 0);\n\t\t\t\t\t});\n\n\t\t\t\t// Verify signature\n\t\t\t\tconst account = await verifyURLAuth(url, getKeetaStorageAnchorPutRequestSigningData, function() {\n\t\t\t\t\treturn({ path: objectPath, visibility, tags: rawTags });\n\t\t\t\t});\n\n\t\t\t\tvalidateTags(rawTags);\n\t\t\t\tconst tags = rawTags;\n\n\t\t\t\t// Validate path format, metadata, and ownership\n\t\t\t\tconst { policy, parsed } = assertPathAccess(pathPolicies, account, objectPath, 'put');\n\t\t\t\tconst owner = policy.getOwner(objectPath);\n\n\t\t\t\t// Resolve per-user quota limits, falling back to global config\n\t\t\t\tlet userLimits: QuotaLimits | null = null;\n\t\t\t\tif (backend.getQuotaLimits) {\n\t\t\t\t\tuserLimits = await backend.getQuotaLimits(owner);\n\t\t\t\t}\n\n\t\t\t\tconst effectiveLimits = userLimits ?? quotas;\n\t\t\t\t// Body is raw binary (EncryptedContainer)\n\t\t\t\tconst data = arrayBufferLikeToBuffer(postData);\n\t\t\t\tconst objectSize = data.byteLength;\n\t\t\t\tif (objectSize > effectiveLimits.maxObjectSize) {\n\t\t\t\t\tthrow(new Errors.QuotaExceeded({\n\t\t\t\t\t\tquotaType: 'maxObjectSize',\n\t\t\t\t\t\tlimit: effectiveLimits.maxObjectSize,\n\t\t\t\t\t\tcurrent: objectSize\n\t\t\t\t\t}));\n\t\t\t\t}\n\n\t\t\t\tconst needsValidation = requiresValidation(objectPath, validators);\n\t\t\t\tconst needsContextValidation = !!policy.validateContext;\n\t\t\t\tconst needsAnchorDecryption = needsValidation || visibility === 'public';\n\t\t\t\tif (needsContextValidation || needsAnchorDecryption) {\n\t\t\t\t\ttry {\n\t\t\t\t\t\tconst container = EncryptedContainer.fromEncryptedBuffer(data, [anchorAccount]);\n\n\t\t\t\t\t\tif (policy.validateContext) {\n\t\t\t\t\t\t\tpolicy.validateContext(parsed, { operation: 'put', account, metadata: { owner, tags, visibility }, container });\n\t\t\t\t\t\t}\n\n\t\t\t\t\t\tif (needsAnchorDecryption) {\n\t\t\t\t\t\t\tconst plaintext = await container.getPlaintext();\n\t\t\t\t\t\t\tif (needsValidation) {\n\t\t\t\t\t\t\t\t// Extract content and mimeType from encrypted payload\n\t\t\t\t\t\t\t\tconst { content, mimeType } = parseContainerPayload(plaintext);\n\t\t\t\t\t\t\t\tconst matchingValidators = findMatchingValidators(objectPath, validators);\n\t\t\t\t\t\t\t\tfor (const validator of matchingValidators) {\n\t\t\t\t\t\t\t\t\tconst result = await validator.validate(objectPath, content, mimeType);\n\t\t\t\t\t\t\t\t\tif (!result.valid) {\n\t\t\t\t\t\t\t\t\t\tthrow(new Errors.ValidationFailed(result.error));\n\t\t\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\t}\n\t\t\t\t\t\t}\n\t\t\t\t\t} catch (e) {\n\t\t\t\t\t\tif (Errors.InvalidMetadata.isInstance(e)) {\n\t\t\t\t\t\t\tthrow(e);\n\t\t\t\t\t\t}\n\t\t\t\t\t\tif (Errors.ValidationFailed.isInstance(e)) {\n\t\t\t\t\t\t\tthrow(e);\n\t\t\t\t\t\t}\n\t\t\t\t\t\tif (EncryptedContainerError.isInstance(e)) {\n\t\t\t\t\t\t\tif (e.code.startsWith('MALFORMED_')) {\n\t\t\t\t\t\t\t\tthrow(new Errors.ValidationFailed(`Invalid encrypted container: ${e.message}`));\n\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\tif (e.code === 'NO_MATCHING_KEY' || e.code === 'DECRYPTION_FAILED') {\n\t\t\t\t\t\t\t\tthrow(new Errors.AnchorPrincipalRequired());\n\t\t\t\t\t\t\t}\n\t\t\t\t\t\t}\n\t\t\t\t\t\tthrow(e);\n\t\t\t\t\t}\n\t\t\t\t}\n\n\t\t\t\t// Reserve quota before upload\n\t\t\t\tconst reservation = await backend.reserveUpload(owner, objectPath, objectSize, {\n\t\t\t\t\tquotaLimits: {\n\t\t\t\t\t\tmaxObjectsPerUser: effectiveLimits.maxObjectsPerUser,\n\t\t\t\t\t\tmaxStoragePerUser: effectiveLimits.maxStoragePerUser\n\t\t\t\t\t}\n\t\t\t\t});\n\n\t\t\t\tlet objectMetadata: StorageObjectMetadata;\n\t\t\t\ttry {\n\t\t\t\t\tobjectMetadata = await backend.put(objectPath, data, {\n\t\t\t\t\t\towner,\n\t\t\t\t\t\ttags,\n\t\t\t\t\t\tvisibility\n\t\t\t\t\t});\n\n\t\t\t\t\tawait backend.commitUpload(reservation.id);\n\t\t\t\t} catch (e) {\n\t\t\t\t\ttry {\n\t\t\t\t\t\tawait backend.releaseUpload(reservation.id);\n\t\t\t\t\t} catch (releaseError) {\n\t\t\t\t\t\t/**\n\t\t\t\t\t\t * This provides a hint for cleanup\n\t\t\t\t\t\t */\n\t\t\t\t\t\tlogger?.warn('Failed to release upload reservation', { reservationId: reservation.id, error: releaseError });\n\t\t\t\t\t}\n\t\t\t\t\tthrow(e);\n\t\t\t\t}\n\n\t\t\t\tconst response: KeetaStorageAnchorPutResponse = {\n\t\t\t\t\tok: true,\n\t\t\t\t\tobject: objectMetadata\n\t\t\t\t};\n\n\t\t\t\treturn(jsonResponse(response, assertKeetaStorageAnchorPutResponse));\n\t\t\t}\n\t\t};\n\n\t\t// GET /api/object/* - Retrieve an object\n\t\troutes['GET /api/object/**'] = async function(params, _postData, _headers, url) {\n\t\t\tconst { objectPath, policy, parsed, account } = await authorizeURLAccess(\n\t\t\t\tpathPolicies,\n\t\t\t\tparams,\n\t\t\t\turl,\n\t\t\t\t'get',\n\t\t\t\tgetKeetaStorageAnchorGetRequestSigningData,\n\t\t\t\tfunction(path, pubKey) {\n\t\t\t\t\treturn(assertKeetaStorageAnchorGetRequest({ path, account: pubKey }));\n\t\t\t\t}\n\t\t\t);\n\n\t\t\tif (policy.validateContext) {\n\t\t\t\tpolicy.validateContext(parsed, { operation: 'get', account });\n\t\t\t}\n\n\t\t\tconst headers: { [key: string]: string } = {};\n\t\t\tif (authenticatedCorsOrigin) {\n\t\t\t\theaders['Access-Control-Allow-Origin'] = authenticatedCorsOrigin;\n\t\t\t}\n\n\t\t\tconst result = await requireObject(objectPath);\n\t\t\treturn({\n\t\t\t\theaders,\n\t\t\t\toutput: result.data,\n\t\t\t\tcontentType: CONTENT_TYPE_OCTET_STREAM\n\t\t\t});\n\t\t};\n\n\t\t// DELETE /api/object/* - Delete an object\n\t\troutes['DELETE /api/object/**'] = async function(params, _postData, _headers, url) {\n\t\t\tconst { objectPath, policy, parsed, account } = await authorizeURLAccess(\n\t\t\t\tpathPolicies,\n\t\t\t\tparams,\n\t\t\t\turl,\n\t\t\t\t'delete',\n\t\t\t\tgetKeetaStorageAnchorDeleteRequestSigningData,\n\t\t\t\tfunction(path, pubKey) {\n\t\t\t\t\treturn({ path, account: pubKey });\n\t\t\t\t}\n\t\t\t);\n\n\t\t\tif (policy.validateContext) {\n\t\t\t\tpolicy.validateContext(parsed, { operation: 'delete', account });\n\t\t\t}\n\n\t\t\tconst deleted = await backend.delete(objectPath);\n\t\t\tconst response: KeetaStorageAnchorDeleteResponse = {\n\t\t\t\tok: true,\n\t\t\t\tdeleted\n\t\t\t};\n\n\t\t\treturn(jsonResponse(response, assertKeetaStorageAnchorDeleteResponse));\n\t\t};\n\n\t\t// GET /api/metadata/* - Get object metadata\n\t\troutes['GET /api/metadata/**'] = async function(params, _postData, _headers, url) {\n\t\t\tconst { objectPath, policy, parsed, account } = await authorizeURLAccess(\n\t\t\t\tpathPolicies,\n\t\t\t\tparams,\n\t\t\t\turl,\n\t\t\t\t'metadata',\n\t\t\t\tgetKeetaStorageAnchorGetRequestSigningData,\n\t\t\t\tfunction(path, pubKey) {\n\t\t\t\t\treturn(assertKeetaStorageAnchorGetRequest({ path, account: pubKey }));\n\t\t\t\t}\n\t\t\t);\n\n\t\t\tif (policy.validateContext) {\n\t\t\t\tpolicy.validateContext(parsed, { operation: 'metadata', account });\n\t\t\t}\n\n\t\t\tconst result = await requireObject(objectPath);\n\t\t\treturn(jsonResponse({ ok: true, object: result.metadata }, assertKeetaStorageAnchorPutResponse));\n\t\t};\n\n\t\t// PUT /api/metadata/* - Update object metadata without re-uploading data\n\t\troutes['PUT /api/metadata/**'] = async function(params, postData) {\n\t\t\tconst objectPath = extractObjectPath(params);\n\t\t\tconst request = assertKeetaStorageAnchorUpdateMetadataRequest(postData);\n\n\t\t\tconst signable = getKeetaStorageAnchorUpdateMetadataRequestSigningData({\n\t\t\t\tpath: objectPath,\n\t\t\t\tvisibility: request.visibility,\n\t\t\t\ttags: request.tags\n\t\t\t});\n\t\t\tconst account = await verifyBodyAuth(request, function() { return(signable); });\n\n\t\t\tconst { policy, parsed } = assertPathAccess(pathPolicies, account, objectPath, 'updateMetadata');\n\n\t\t\tvalidateTags(request.tags);\n\n\t\t\tconst visibility = assertVisibility(request.visibility);\n\t\t\tconst tags = request.tags;\n\n\t\t\t// Confirm object exists and preserve existing owner\n\t\t\tconst existing = await requireObject(objectPath);\n\t\t\tif (policy.validateContext) {\n\t\t\t\tpolicy.validateContext(parsed, { operation: 'updateMetadata', account, metadata: { owner: existing.metadata.owner, tags, visibility }, current: existing.metadata });\n\t\t\t}\n\n\t\t\tif (!backend.updateMetadata) {\n\t\t\t\tthrow(new Errors.OperationNotSupported('updateMetadata'));\n\t\t\t}\n\n\t\t\tconst updated = await backend.updateMetadata(objectPath, { tags, visibility });\n\t\t\tif (!updated) {\n\t\t\t\tthrow(new Errors.DocumentNotFound());\n\t\t\t}\n\n\t\t\treturn(jsonResponse({ ok: true, object: updated }, assertKeetaStorageAnchorPutResponse));\n\t\t};\n\n\t\t// POST /api/search - Search for objects\n\t\troutes['POST /api/search'] = async function(_params, postData) {\n\t\t\tconst request = assertKeetaStorageAnchorSearchRequest(postData);\n\t\t\tconst account = await verifyBodyAuth(request, getKeetaStorageAnchorSearchRequestSigningData);\n\t\t\tconst accountPubKey = account.publicKeyString.get();\n\n\t\t\t// Check if searching for public objects outside namespace\n\t\t\tconst searchingPublic = request.criteria.visibility === 'public';\n\t\t\tif (searchingPublic) {\n\t\t\t\t// When searching for public objects, we allow searching outside the caller's namespace\n\t\t\t\t// but only for objects with visibility: 'public'\n\t\t\t\tconst scopedCriteria = {\n\t\t\t\t\t...request.criteria,\n\t\t\t\t\tvisibility: 'public' as const\n\t\t\t\t};\n\n\t\t\t\tconst results = await backend.search(\n\t\t\t\t\tscopedCriteria,\n\t\t\t\t\tenforceSearchLimit(request.pagination)\n\t\t\t\t);\n\n\t\t\t\tassertSearchResults(results, { visibility: 'public' });\n\n\t\t\t\treturn(jsonResponse(buildSearchResponse(results), assertKeetaStorageAnchorSearchResponse));\n\t\t\t}\n\n\t\t\t// Scope search to authenticated account's namespace\n\t\t\tconst scopedCriteria = {\n\t\t\t\t...request.criteria,\n\t\t\t\towner: accountPubKey\n\t\t\t};\n\n\t\t\tconst results = await backend.search(\n\t\t\t\tscopedCriteria,\n\t\t\t\tenforceSearchLimit(request.pagination)\n\t\t\t);\n\n\t\t\tassertSearchResults(results, { owner: accountPubKey });\n\n\t\t\treturn(jsonResponse(buildSearchResponse(results), assertKeetaStorageAnchorSearchResponse));\n\t\t};\n\n\t\t// GET /api/quota - Get quota status\n\t\troutes['GET /api/quota'] = async function(_params, _postData, _headers, url) {\n\t\t\tconst account = await verifyURLAuth(\n\t\t\t\turl,\n\t\t\t\tgetKeetaStorageAnchorQuotaRequestSigningData,\n\t\t\t\tfunction() { return({}); }\n\t\t\t);\n\n\t\t\t// Get current usage from backend and compute remaining using per-user or global limits\n\t\t\tconst owner = account.publicKeyString.get();\n\t\t\tlet userLimits: QuotaLimits | null = null;\n\t\t\tif (backend.getQuotaLimits) {\n\t\t\t\tuserLimits = await backend.getQuotaLimits(owner);\n\t\t\t}\n\n\t\t\tconst effectiveLimits = userLimits ?? quotas;\n\t\t\tconst backendStatus = await backend.getQuotaStatus(owner);\n\n\t\t\t// Compute remaining from config limits\n\t\t\tlet remainingObjects = Math.max(0, effectiveLimits.maxObjectsPerUser - backendStatus.objectCount);\n\t\t\tlet remainingSize = Math.max(0, effectiveLimits.maxStoragePerUser - backendStatus.totalSize);\n\n\t\t\t// If backend reports its own remaining values, use the tighter constraint\n\t\t\tif (backendStatus.remainingObjects !== undefined && backendStatus.remainingObjects > 0) {\n\t\t\t\tremainingObjects = Math.min(backendStatus.remainingObjects, remainingObjects);\n\t\t\t}\n\t\t\tif (backendStatus.remainingSize !== undefined && backendStatus.remainingSize > 0) {\n\t\t\t\tremainingSize = Math.min(backendStatus.remainingSize, remainingSize);\n\t\t\t}\n\n\t\t\tconst response: KeetaStorageAnchorQuotaResponse = {\n\t\t\t\tok: true,\n\t\t\t\tquota: {\n\t\t\t\t\tobjectCount: backendStatus.objectCount,\n\t\t\t\t\ttotalSize: backendStatus.totalSize,\n\t\t\t\t\tremainingObjects,\n\t\t\t\t\tremainingSize\n\t\t\t\t}\n\t\t\t};\n\n\t\t\treturn(jsonResponse(response, assertKeetaStorageAnchorQuotaResponse));\n\t\t};\n\n\t\t// GET /api/public/** - Public object access via pre-signed URL\n\t\troutes['GET /api/public/**'] = async function(params, _postData, _headers, url) {\n\t\t\tconst objectPath = extractObjectPath(params);\n\t\t\tconst { policy, parsed } = parsePath(pathPolicies, objectPath);\n\n\t\t\t// Parse signature using standard signed field convention\n\t\t\tconst urlParsed = parseSignatureFromURL(url);\n\t\t\tif (!urlParsed.signedField) {\n\t\t\t\tthrow(new Errors.SignatureInvalid('Missing required signature parameters'));\n\t\t\t}\n\n\t\t\t// Resolve signer: policy-specified or from URL account param (any-signer for public objects)\n\t\t\tconst signerAccount = policy.getAuthorizedSigner(parsed) ?? urlParsed.account ?? null;\n\t\t\tif (!signerAccount) {\n\t\t\t\tthrow(new Errors.SignatureInvalid('Missing signer'));\n\t\t\t}\n\t\t\tconst signerPubKey = signerAccount.publicKeyString.get();\n\n\t\t\t// Parse and validate expires param\n\t\t\tconst parsedUrl = typeof url === 'string' ? new URL(url) : url;\n\t\t\tconst expiresParam = parsedUrl.searchParams.get('expires');\n\t\t\tif (!expiresParam) {\n\t\t\t\tthrow(new Errors.SignatureInvalid('Missing expires parameter'));\n\t\t\t}\n\t\t\tconst expiresAt = parseInt(expiresParam, 10);\n\t\t\tif (!Number.isFinite(expiresAt)) {\n\t\t\t\tthrow(new Errors.SignatureInvalid('Invalid expires parameter'));\n\t\t\t}\n\t\t\tif (Date.now() > expiresAt * 1000) {\n\t\t\t\tthrow(new Errors.SignatureExpired());\n\t\t\t}\n\n\t\t\t// Enforce maximum TTL\n\t\t\tconst maxExpiresAt = Math.floor(Date.now() / 1000) + quotas.maxSignedUrlTTL;\n\t\t\tif (expiresAt > maxExpiresAt) {\n\t\t\t\tthrow(new Errors.SignatureExpired('Signed URL TTL exceeds maximum allowed'));\n\t\t\t}\n\n\t\t\t// Pre-validate signature is valid base64 with reasonable length\n\t\t\tconst signatureBuffer = Buffer.from(urlParsed.signedField.signature, 'base64');\n\t\t\tif (signatureBuffer.length < 64 || signatureBuffer.length > 256) {\n\t\t\t\tthrow(new Errors.SignatureInvalid('Invalid signature format'));\n\t\t\t}\n\n\t\t\ttry {\n\t\t\t\t// Allow 5 minutes of clock skew for signature verification\n\t\t\t\tconst valid = await VerifySignedData(signerAccount, [objectPath, expiresAt, signerPubKey], urlParsed.signedField, {\n\t\t\t\t\tmaxSkewMs: 5 * 60 * 1000\n\t\t\t\t});\n\t\t\t\tif (!valid) {\n\t\t\t\t\tthrow(new Errors.SignatureInvalid());\n\t\t\t\t}\n\t\t\t} catch (e) {\n\t\t\t\tif (Errors.SignatureInvalid.isInstance(e)) {\n\t\t\t\t\tthrow(e);\n\t\t\t\t}\n\n\t\t\t\tthrow(new Errors.SignatureInvalid('Signature verification failed'));\n\t\t\t}\n\n\t\t\tif (policy.validateContext) {\n\t\t\t\tpolicy.validateContext(parsed, { operation: 'get', account: signerAccount });\n\t\t\t}\n\n\t\t\tconst result = await requireObject(objectPath);\n\t\t\tif (result.metadata.visibility !== 'public') {\n\t\t\t\tthrow(new Errors.AccessDenied('Object is not public'));\n\t\t\t}\n\n\t\t\t// Decrypt using anchor account and extract mimeType from encrypted payload\n\t\t\tconst data = arrayBufferLikeToBuffer(result.data);\n\t\t\tconst container = EncryptedContainer.fromEncryptedBuffer(data, [anchorAccount]);\n\t\t\tconst plaintext = await container.getPlaintext();\n\t\t\tconst { content, mimeType } = parseContainerPayload(plaintext);\n\n\t\t\tconst headers: { [key: string]: string } = {};\n\t\t\tif (publicCorsOrigin) {\n\t\t\t\theaders['Access-Control-Allow-Origin'] = publicCorsOrigin;\n\t\t\t}\n\n\t\t\treturn({\n\t\t\t\toutput: content,\n\t\t\t\tcontentType: mimeType,\n\t\t\t\theaders\n\t\t\t});\n\t\t};\n\n\t\t// #endregion\n\n\t\treturn(routes);\n\t}\n\n\tasync serviceMetadata(): Promise<NonNullable<ServiceMetadata['services']['storage']>[string]> {\n\t\tconst authRequired = { options: { authentication: { type: 'required' as const, method: 'keeta-account' as const }}};\n\t\tconst operations: NonNullable<ServiceMetadata['services']['storage']>[string]['operations'] = {\n\t\t\tput: { url: (new URL('/api/object', this.url)).toString(), ...authRequired },\n\t\t\tget: { url: (new URL('/api/object', this.url)).toString(), ...authRequired },\n\t\t\tdelete: { url: (new URL('/api/object', this.url)).toString(), ...authRequired },\n\t\t\tmetadata: { url: (new URL('/api/metadata', this.url)).toString(), ...authRequired },\n\t\t\tupdateMetadata: { url: (new URL('/api/metadata', this.url)).toString(), ...authRequired },\n\t\t\tsearch: { url: (new URL('/api/search', this.url)).toString(), ...authRequired },\n\t\t\tpublic: (new URL('/api/public', this.url)).toString(),\n\t\t\tquota: { url: (new URL('/api/quota', this.url)).toString(), ...authRequired }\n\t\t};\n\n\t\treturn({\n\t\t\toperations,\n\t\t\tanchorAccount: this.anchorAccount.publicKeyString.get(),\n\t\t\tquotas: this.quotas,\n\t\t\tsignedUrlDefaultTTL: this.signedUrlDefaultTTL,\n\t\t\tsearchableFields: ['owner', 'tags', 'visibility', 'pathPrefix']\n\t\t});\n\t}\n}\n"]}
package/services/storage/test-utils.d.ts CHANGED
@@ -1,4 +1,4 @@
1
- import type { PathPolicy, FullStorageBackend, StorageObjectMetadata, StoragePutMetadata, StorageGetResult, SearchCriteria, SearchPagination, SearchResults, QuotaStatus, QuotaLimits, UploadReservation } from './common.js';
1
+ import type { PathPolicy, PathPolicyContext, FullStorageBackend, StorageObjectMetadata, StoragePutMetadata, StorageGetResult, SearchCriteria, SearchPagination, SearchResults, QuotaStatus, QuotaLimits, UploadReservation } from './common.js';
2
2
  import type { KeetaStorageAnchorProvider } from './client.js';
3
3
  import { KeetaNet } from '../../client/index.js';
4
4
  import { Buffer } from '../../lib/utils/buffer.js';
@@ -22,7 +22,8 @@ export declare class TestPathPolicy implements PathPolicy<TestParsedPath> {
22
22
  isValid(path: string): boolean;
23
23
  checkAccess(account: InstanceType<typeof KeetaNet.lib.Account>, parsed: TestParsedPath, _ignoreOperation: 'get' | 'put' | 'delete' | 'search' | 'metadata'): boolean;
24
24
  getAuthorizedSigner(parsed: TestParsedPath): InstanceType<typeof KeetaNet.lib.Account> | null;
25
- validateMetadata(parsed: TestParsedPath, metadata: StoragePutMetadata): void;
25
+ getOwner(path: string): string;
26
+ validateContext(parsed: TestParsedPath, context: PathPolicyContext): void;
26
27
  /**
27
28
  * Helper to construct a path for a given owner and relative path.
28
29
  */
@@ -40,6 +41,10 @@ export declare const testPathPolicy: TestPathPolicy;
40
41
  * Create test metadata with sensible defaults.
41
42
  */
42
43
  export declare function testMetadata(owner: string, overrides?: Partial<StoragePutMetadata>): StoragePutMetadata;
44
+ /**
45
+ * Create test object metadata with sensible defaults.
46
+ */
47
+ export declare function testObjectMetadata(path: string, owner: string, overrides?: Partial<StorageObjectMetadata>): StorageObjectMetadata;
43
48
  /**
44
49
  * In-memory storage backend with full capabilities: CRUD, search, and quota management.
45
50
  * Intended for testing and development purposes.
package/services/storage/test-utils.d.ts.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"test-utils.d.ts","sourceRoot":"","sources":["../../../src/services/storage/test-utils.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EACX,UAAU,EACV,kBAAkB,EAClB,qBAAqB,EACrB,kBAAkB,EAClB,gBAAgB,EAChB,cAAc,EACd,gBAAgB,EAChB,aAAa,EACb,WAAW,EACX,WAAW,EACX,iBAAiB,EACjB,MAAM,aAAa,CAAC;AACrB,OAAO,KAAK,EAAE,0BAA0B,EAAE,MAAM,aAAa,CAAC;AAC9D,OAAO,EAAE,QAAQ,EAAE,MAAM,uBAAuB,CAAC;AAIjD,OAAO,EAAE,MAAM,EAAE,MAAM,2BAA2B,CAAC;AAEnD,OAAO,wBAAwB,MAAM,aAAa,CAAC;AAInD;;GAEG;AACH,MAAM,MAAM,cAAc,GAAG;IAC5B,IAAI,EAAE,MAAM,CAAC;IACb,KAAK,EAAE,MAAM,CAAC;IACd,YAAY,EAAE,MAAM,CAAC;CACrB,CAAC;AAEF;;;GAGG;AACH,qBAAa,cAAe,YAAW,UAAU,CAAC,cAAc,CAAC;;IAIhE,KAAK,CAAC,IAAI,EAAE,MAAM,GAAG,cAAc,GAAG,IAAI;IAS1C,QAAQ,CAAC,IAAI,EAAE,MAAM,GAAG,cAAc;IAsBtC,OAAO,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO;IAI9B,WAAW,CACV,OAAO,EAAE,YAAY,CAAC,OAAO,QAAQ,CAAC,GAAG,CAAC,OAAO,CAAC,EAClD,MAAM,EAAE,cAAc,EACtB,gBAAgB,EAAE,KAAK,GAAG,KAAK,GAAG,QAAQ,GAAG,QAAQ,GAAG,UAAU,GAChE,OAAO;IAKV,mBAAmB,CAAC,MAAM,EAAE,cAAc,GAAG,YAAY,CAAC,OAAO,QAAQ,CAAC,GAAG,CAAC,OAAO,CAAC,GAAG,IAAI;IAI7F,gBAAgB,CAAC,MAAM,EAAE,cAAc,EAAE,QAAQ,EAAE,kBAAkB,GAAG,IAAI;IAO5E;;OAEG;IACH,QAAQ,CAAC,KAAK,EAAE,MAAM,EAAE,YAAY,EAAE,MAAM,GAAG,MAAM;IAIrD;;OAEG;IACH,kBAAkB,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM;CAGzC;AAED;;GAEG;AACH,eAAO,MAAM,cAAc,EAAE,cAAqC,CAAC;AAEnE;;GAEG;AACH,wBAAgB,YAAY,CAC3B,KAAK,EAAE,MAAM,EACb,SAAS,CAAC,EAAE,OAAO,CAAC,kBAAkB,CAAC,GACrC,kBAAkB,CAOpB;AAyJD;;;GAGG;AACH,qBAAa,oBAAqB,YAAW,kBAAkB;;IAC9D,OAAO,CAAC,OAAO,CAAmC;IAClD,OAAO,CAAC,YAAY,CAAwC;IAE5D,OAAO,CAAC,kBAAkB,CAAK;IAG/B,OAAO,CAAC,QAAQ,CAAC,WAAW,CAG1B;IAeI,GAAG,CAAC,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,EAAE,QAAQ,EAAE,kBAAkB,GAAG,OAAO,CAAC,qBAAqB,CAAC;IAI7F,GAAG,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,gBAAgB,GAAG,IAAI,CAAC;IAInD,MAAM,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;IAItC,cAAc,CAAC,IAAI,EAAE,MAAM,EAAE,QAAQ,EAAE,IAAI,CAAC,kBAAkB,EAAE,OAAO,CAAC,GAAG,OAAO,CAAC,qBAAqB,GAAG,IAAI,CAAC;IAkBhH,MAAM,CAAC,QAAQ,EAAE,cAAc,EAAE,UAAU,EAAE,gBAAgB,GAAG,OAAO,CAAC,aAAa,CAAC;IAItF,cAAc,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,WAAW,CAAC;IAiCnD,cAAc,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,WAAW,GAAG,IAAI,CAAC;IAIhE,cAAc,CAAC,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,WAAW,GAAG,IAAI;IAIlD,aAAa,CAAC,KAAK,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE;QACxE,KAAK,CAAC,EAAE,MAAM,CAAC;QACf,WAAW,CAAC,EAAE;YAAE,iBAAiB,EAAE,MAAM,CAAC;YAAC,iBAAiB,EAAE,MAAM,CAAA;SAAE,CAAC;KACvE,GAAG,OAAO,CAAC,iBAAiB,CAAC;IAoFxB,YAAY,CAAC,aAAa,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAUlD,aAAa,CAAC,aAAa,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAUzD,KAAK,IAAI,IAAI;IAMb,IAAI,IAAI,IAAI,MAAM,CAEjB;CACD;AAMD,MAAM,MAAM,OAAO,GAAG,YAAY,CAAC,OAAO,QAAQ,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;AAEhE,wBAAgB,UAAU,IAAI,MAAM,GAAG,WAAW,CAEjD;AAED,MAAM,WAAW,0BAA0B;IAC1C,QAAQ,EAAE,0BAA0B,CAAC;IACrC,OAAO,EAAE,OAAO,CAAC;IACjB,aAAa,EAAE,wBAAwB,CAAC;CACxC;AAED;;;GAGG;AACH,wBAAsB,mBAAmB,CACxC,IAAI,EAAE,MAAM,GAAG,WAAW,EAC1B,YAAY,EAAE,CAAC,GAAG,EAAE,0BAA0B,KAAK,OAAO,CAAC,IAAI,CAAC,GAC9D,OAAO,CAAC,IAAI,CAAC,CA6Cf"}
1
+ {"version":3,"file":"test-utils.d.ts","sourceRoot":"","sources":["../../../src/services/storage/test-utils.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EACX,UAAU,EACV,iBAAiB,EACjB,kBAAkB,EAClB,qBAAqB,EACrB,kBAAkB,EAClB,gBAAgB,EAChB,cAAc,EACd,gBAAgB,EAChB,aAAa,EACb,WAAW,EACX,WAAW,EACX,iBAAiB,EACjB,MAAM,aAAa,CAAC;AACrB,OAAO,KAAK,EAAE,0BAA0B,EAAE,MAAM,aAAa,CAAC;AAC9D,OAAO,EAAE,QAAQ,EAAE,MAAM,uBAAuB,CAAC;AAIjD,OAAO,EAAE,MAAM,EAAE,MAAM,2BAA2B,CAAC;AAEnD,OAAO,wBAAwB,MAAM,aAAa,CAAC;AAInD;;GAEG;AACH,MAAM,MAAM,cAAc,GAAG;IAC5B,IAAI,EAAE,MAAM,CAAC;IACb,KAAK,EAAE,MAAM,CAAC;IACd,YAAY,EAAE,MAAM,CAAC;CACrB,CAAC;AAEF;;;GAGG;AACH,qBAAa,cAAe,YAAW,UAAU,CAAC,cAAc,CAAC;;IAIhE,KAAK,CAAC,IAAI,EAAE,MAAM,GAAG,cAAc,GAAG,IAAI;IAS1C,QAAQ,CAAC,IAAI,EAAE,MAAM,GAAG,cAAc;IAsBtC,OAAO,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO;IAI9B,WAAW,CACV,OAAO,EAAE,YAAY,CAAC,OAAO,QAAQ,CAAC,GAAG,CAAC,OAAO,CAAC,EAClD,MAAM,EAAE,cAAc,EACtB,gBAAgB,EAAE,KAAK,GAAG,KAAK,GAAG,QAAQ,GAAG,QAAQ,GAAG,UAAU,GAChE,OAAO;IAKV,mBAAmB,CAAC,MAAM,EAAE,cAAc,GAAG,YAAY,CAAC,OAAO,QAAQ,CAAC,GAAG,CAAC,OAAO,CAAC,GAAG,IAAI;IAI7F,QAAQ,CAAC,IAAI,EAAE,MAAM,GAAG,MAAM;IAI9B,eAAe,CAAC,MAAM,EAAE,cAAc,EAAE,OAAO,EAAE,iBAAiB,GAAG,IAAI;IAQzE;;OAEG;IACH,QAAQ,CAAC,KAAK,EAAE,MAAM,EAAE,YAAY,EAAE,MAAM,GAAG,MAAM;IAIrD;;OAEG;IACH,kBAAkB,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM;CAGzC;AAED;;GAEG;AACH,eAAO,MAAM,cAAc,EAAE,cAAqC,CAAC;AAEnE;;GAEG;AACH,wBAAgB,YAAY,CAC3B,KAAK,EAAE,MAAM,EACb,SAAS,CAAC,EAAE,OAAO,CAAC,kBAAkB,CAAC,GACrC,kBAAkB,CAOpB;AAED;;GAEG;AACH,wBAAgB,kBAAkB,CACjC,IAAI,EAAE,MAAM,EACZ,KAAK,EAAE,MAAM,EACb,SAAS,CAAC,EAAE,OAAO,CAAC,qBAAqB,CAAC,GACxC,qBAAqB,CAUvB;AAyJD;;;GAGG;AACH,qBAAa,oBAAqB,YAAW,kBAAkB;;IAC9D,OAAO,CAAC,OAAO,CAAmC;IAClD,OAAO,CAAC,YAAY,CAAwC;IAE5D,OAAO,CAAC,kBAAkB,CAAK;IAG/B,OAAO,CAAC,QAAQ,CAAC,WAAW,CAG1B;IAeI,GAAG,CAAC,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,EAAE,QAAQ,EAAE,kBAAkB,GAAG,OAAO,CAAC,qBAAqB,CAAC;IAI7F,GAAG,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,gBAAgB,GAAG,IAAI,CAAC;IAInD,MAAM,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;IAItC,cAAc,CAAC,IAAI,EAAE,MAAM,EAAE,QAAQ,EAAE,IAAI,CAAC,kBAAkB,EAAE,OAAO,CAAC,GAAG,OAAO,CAAC,qBAAqB,GAAG,IAAI,CAAC;IAkBhH,MAAM,CAAC,QAAQ,EAAE,cAAc,EAAE,UAAU,EAAE,gBAAgB,GAAG,OAAO,CAAC,aAAa,CAAC;IAItF,cAAc,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,WAAW,CAAC;IAiCnD,cAAc,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,WAAW,GAAG,IAAI,CAAC;IAIhE,cAAc,CAAC,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,WAAW,GAAG,IAAI;IAIlD,aAAa,CAAC,KAAK,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE;QACxE,KAAK,CAAC,EAAE,MAAM,CAAC;QACf,WAAW,CAAC,EAAE;YAAE,iBAAiB,EAAE,MAAM,CAAC;YAAC,iBAAiB,EAAE,MAAM,CAAA;SAAE,CAAC;KACvE,GAAG,OAAO,CAAC,iBAAiB,CAAC;IAoFxB,YAAY,CAAC,aAAa,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAUlD,aAAa,CAAC,aAAa,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAUzD,KAAK,IAAI,IAAI;IAMb,IAAI,IAAI,IAAI,MAAM,CAEjB;CACD;AAMD,MAAM,MAAM,OAAO,GAAG,YAAY,CAAC,OAAO,QAAQ,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;AAEhE,wBAAgB,UAAU,IAAI,MAAM,GAAG,WAAW,CAEjD;AAED,MAAM,WAAW,0BAA0B;IAC1C,QAAQ,EAAE,0BAA0B,CAAC;IACrC,OAAO,EAAE,OAAO,CAAC;IACjB,aAAa,EAAE,wBAAwB,CAAC;CACxC;AAED;;;GAGG;AACH,wBAAsB,mBAAmB,CACxC,IAAI,EAAE,MAAM,GAAG,WAAW,EAC1B,YAAY,EAAE,CAAC,GAAG,EAAE,0BAA0B,KAAK,OAAO,CAAC,IAAI,CAAC,GAC9D,OAAO,CAAC,IAAI,CAAC,CA6Cf"}
package/services/storage/test-utils.js CHANGED
@@ -48,10 +48,14 @@ export class TestPathPolicy {
48
48
  getAuthorizedSigner(parsed) {
49
49
  return (KeetaNet.lib.Account.fromPublicKeyString(parsed.owner).assertAccount());
50
50
  }
51
- validateMetadata(parsed, metadata) {
52
- // Require public visibility for paths under public/
53
- if (parsed.relativePath.startsWith('public/') && metadata.visibility !== 'public') {
54
- throw (new Errors.InvalidMetadata('Objects under /public/ must have public visibility'));
51
+ getOwner(path) {
52
+ return (this.validate(path).owner);
53
+ }
54
+ validateContext(parsed, context) {
55
+ if (context.operation === 'put' || context.operation === 'updateMetadata') {
56
+ if (parsed.relativePath.startsWith('public/') && context.metadata.visibility !== 'public') {
57
+ throw (new Errors.InvalidMetadata('Objects under /public/ must have public visibility'));
58
+ }
55
59
  }
56
60
  }
57
61
  /**
@@ -82,6 +86,20 @@ export function testMetadata(owner, overrides) {
82
86
  ...overrides
83
87
  });
84
88
  }
89
+ /**
90
+ * Create test object metadata with sensible defaults.
91
+ */
92
+ export function testObjectMetadata(path, owner, overrides) {
93
+ return ({
94
+ path,
95
+ owner,
96
+ tags: [],
97
+ visibility: 'private',
98
+ size: 0,
99
+ createdAt: new Date().toISOString(),
100
+ ...overrides
101
+ });
102
+ }
85
103
  // #endregion
86
104
  // #region Shared Storage Operations
87
105
  function putToStorage(storage, path, data, metadata) {