@kya-os/mcp-i-cloudflare 1.9.6 → 1.10.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (122) hide show
  1. package/dist/adapter.d.ts.map +1 -1
  2. package/dist/adapter.js +47 -16
  3. package/dist/adapter.js.map +1 -1
  4. package/dist/agent.d.ts +9 -0
  5. package/dist/agent.d.ts.map +1 -1
  6. package/dist/agent.js +203 -53
  7. package/dist/agent.js.map +1 -1
  8. package/dist/app.d.ts.map +1 -1
  9. package/dist/app.js +86 -3
  10. package/dist/app.js.map +1 -1
  11. package/dist/config.d.ts +54 -0
  12. package/dist/config.d.ts.map +1 -1
  13. package/dist/config.js +58 -0
  14. package/dist/config.js.map +1 -1
  15. package/dist/constants/storage-keys.d.ts +6 -0
  16. package/dist/constants/storage-keys.d.ts.map +1 -1
  17. package/dist/constants/storage-keys.js +6 -0
  18. package/dist/constants/storage-keys.js.map +1 -1
  19. package/dist/delegation-http/anchor-do.d.ts +84 -0
  20. package/dist/delegation-http/anchor-do.d.ts.map +1 -0
  21. package/dist/delegation-http/anchor-do.js +253 -0
  22. package/dist/delegation-http/anchor-do.js.map +1 -0
  23. package/dist/delegation-http/anchor-routing.d.ts +20 -0
  24. package/dist/delegation-http/anchor-routing.d.ts.map +1 -0
  25. package/dist/delegation-http/anchor-routing.js +27 -0
  26. package/dist/delegation-http/anchor-routing.js.map +1 -0
  27. package/dist/delegation-http/bearer-retry.d.ts +54 -0
  28. package/dist/delegation-http/bearer-retry.d.ts.map +1 -0
  29. package/dist/delegation-http/bearer-retry.js +195 -0
  30. package/dist/delegation-http/bearer-retry.js.map +1 -0
  31. package/dist/delegation-http/challenge-middleware.d.ts +28 -0
  32. package/dist/delegation-http/challenge-middleware.d.ts.map +1 -0
  33. package/dist/delegation-http/challenge-middleware.js +190 -0
  34. package/dist/delegation-http/challenge-middleware.js.map +1 -0
  35. package/dist/delegation-http/challenge.d.ts +86 -0
  36. package/dist/delegation-http/challenge.d.ts.map +1 -0
  37. package/dist/delegation-http/challenge.js +173 -0
  38. package/dist/delegation-http/challenge.js.map +1 -0
  39. package/dist/delegation-http/consent-anchor-bridge.d.ts +35 -0
  40. package/dist/delegation-http/consent-anchor-bridge.d.ts.map +1 -0
  41. package/dist/delegation-http/consent-anchor-bridge.js +355 -0
  42. package/dist/delegation-http/consent-anchor-bridge.js.map +1 -0
  43. package/dist/delegation-http/constants.d.ts +51 -0
  44. package/dist/delegation-http/constants.d.ts.map +1 -0
  45. package/dist/delegation-http/constants.js +60 -0
  46. package/dist/delegation-http/constants.js.map +1 -0
  47. package/dist/delegation-http/hash.d.ts +21 -0
  48. package/dist/delegation-http/hash.d.ts.map +1 -0
  49. package/dist/delegation-http/hash.js +92 -0
  50. package/dist/delegation-http/hash.js.map +1 -0
  51. package/dist/delegation-http/pickup-routes.d.ts +42 -0
  52. package/dist/delegation-http/pickup-routes.d.ts.map +1 -0
  53. package/dist/delegation-http/pickup-routes.js +79 -0
  54. package/dist/delegation-http/pickup-routes.js.map +1 -0
  55. package/dist/delegation-http/register.d.ts +19 -0
  56. package/dist/delegation-http/register.d.ts.map +1 -0
  57. package/dist/delegation-http/register.js +72 -0
  58. package/dist/delegation-http/register.js.map +1 -0
  59. package/dist/delegation-http/sid.d.ts +20 -0
  60. package/dist/delegation-http/sid.d.ts.map +1 -0
  61. package/dist/delegation-http/sid.js +32 -0
  62. package/dist/delegation-http/sid.js.map +1 -0
  63. package/dist/delegation-http/types.d.ts +64 -0
  64. package/dist/delegation-http/types.d.ts.map +1 -0
  65. package/dist/delegation-http/types.js +11 -0
  66. package/dist/delegation-http/types.js.map +1 -0
  67. package/dist/helpers/env-mapper.d.ts.map +1 -1
  68. package/dist/helpers/env-mapper.js +24 -0
  69. package/dist/helpers/env-mapper.js.map +1 -1
  70. package/dist/index.d.ts +5 -2
  71. package/dist/index.d.ts.map +1 -1
  72. package/dist/index.js +10 -2
  73. package/dist/index.js.map +1 -1
  74. package/dist/providers/crypto.d.ts +1 -1
  75. package/dist/providers/crypto.d.ts.map +1 -1
  76. package/dist/providers/crypto.js +1 -1
  77. package/dist/providers/crypto.js.map +1 -1
  78. package/dist/providers/kv-identity.d.ts +2 -2
  79. package/dist/providers/kv-identity.d.ts.map +1 -1
  80. package/dist/providers/kv-identity.js +1 -1
  81. package/dist/providers/kv-identity.js.map +1 -1
  82. package/dist/providers/storage.d.ts +1 -1
  83. package/dist/providers/storage.d.ts.map +1 -1
  84. package/dist/providers/storage.js +1 -1
  85. package/dist/providers/storage.js.map +1 -1
  86. package/dist/runtime/audit-logger.d.ts +1 -1
  87. package/dist/runtime/audit-logger.d.ts.map +1 -1
  88. package/dist/runtime/oauth-handler.d.ts.map +1 -1
  89. package/dist/runtime/oauth-handler.js +31 -3
  90. package/dist/runtime/oauth-handler.js.map +1 -1
  91. package/dist/runtime/oidc/authorize-url.d.ts +19 -0
  92. package/dist/runtime/oidc/authorize-url.d.ts.map +1 -0
  93. package/dist/runtime/oidc/authorize-url.js +94 -0
  94. package/dist/runtime/oidc/authorize-url.js.map +1 -0
  95. package/dist/runtime/oidc/token-exchange.d.ts +62 -0
  96. package/dist/runtime/oidc/token-exchange.d.ts.map +1 -0
  97. package/dist/runtime/oidc/token-exchange.js +75 -0
  98. package/dist/runtime/oidc/token-exchange.js.map +1 -0
  99. package/dist/runtime.d.ts +1 -1
  100. package/dist/runtime.d.ts.map +1 -1
  101. package/dist/services/consent-audit.service.d.ts +1 -1
  102. package/dist/services/consent-audit.service.d.ts.map +1 -1
  103. package/dist/services/consent-audit.service.js.map +1 -1
  104. package/dist/services/consent.service.d.ts +2 -2
  105. package/dist/services/consent.service.d.ts.map +1 -1
  106. package/dist/services/consent.service.js +48 -59
  107. package/dist/services/consent.service.js.map +1 -1
  108. package/dist/services/delegation.service.d.ts +9 -0
  109. package/dist/services/delegation.service.d.ts.map +1 -1
  110. package/dist/services/delegation.service.js +21 -7
  111. package/dist/services/delegation.service.js.map +1 -1
  112. package/dist/services/oauth-security.service.d.ts.map +1 -1
  113. package/dist/services/oauth-security.service.js +6 -10
  114. package/dist/services/oauth-security.service.js.map +1 -1
  115. package/dist/services/provider-loader.service.js +1 -1
  116. package/dist/services/provider-loader.service.js.map +1 -1
  117. package/dist/types.d.ts +5 -1
  118. package/dist/types.d.ts.map +1 -1
  119. package/dist/utils/known-clients.d.ts.map +1 -1
  120. package/dist/utils/known-clients.js +19 -10
  121. package/dist/utils/known-clients.js.map +1 -1
  122. package/package.json +3 -1
@@ -0,0 +1,355 @@
1
+ /**
2
+ * draft-kya-http-02 delegation layer — consent → pickup bridge.
3
+ *
4
+ * The worker is its own Tier-2 authorization host: the §8.1 challenge points the
5
+ * caller's user at `consent_uri = /consent?sid=kya-…`, served here. This module is
6
+ * the route-order interception that `register.ts` wires BEFORE the legacy `/consent`
7
+ * routes; it only ever handles requests whose query carries an anchor sid (the
8
+ * `next()` fall-through for everything else lives in `register.ts`), so the legacy
9
+ * consent service is untouched.
10
+ *
11
+ * - `GET /consent?sid=kya-…` reads the anchor via `INTERNAL_PICKUP_INFO`. An unknown
12
+ * sid → 404 page; an expired sid → a "link expired" page; otherwise a minimal
13
+ * approve form (the consent-only scope list + a CSRF-protected POST).
14
+ * - `POST /consent/approve?sid=kya-…` mints a delegation VC-JWT using the SAME
15
+ * `@kya-os/mcp` primitives `consent.service.ts` uses (`wrapDelegationAsVC` →
16
+ * `createUnsignedVCJWT` → sign → `completeVCJWT`) — calling them directly here, NOT
17
+ * editing the service — then parks it on the anchor via `INTERNAL_PICKUP_APPROVE`.
18
+ * If the anchor is gone (DO 410/404) the approval FAILS with an error page and
19
+ * mints nothing reachable: consent on an EXPIRED anchor MUST fail.
20
+ *
21
+ * @module @kya-os/mcp-i-cloudflare/delegation-http/consent-anchor-bridge
22
+ */
23
+ import { wrapDelegationAsVC, createUnsignedVCJWT, completeVCJWT, base64urlEncodeFromBytes, generateDidKeyFromBase64, didKeyFragment, } from "@kya-os/mcp";
24
+ import { WebCryptoProvider } from "../providers/crypto";
25
+ import { escapeHtml } from "../services/consent-templates/base/escape";
26
+ import { getAnchorStub } from "./anchor-routing";
27
+ import { INTERNAL_PICKUP_INFO, INTERNAL_PICKUP_APPROVE } from "./constants";
28
+ /** Internal origin for durable-object stub fetches — the DO routes by pathname only. */
29
+ const DO_INTERNAL_ORIGIN = "https://do.internal";
30
+ /**
31
+ * POST a JSON body to one of the anchor's `/_internal/pickup/*` routes. Returns the
32
+ * durable-object response so callers can branch on its status.
33
+ */
34
+ async function callAnchor(env, sid, internalPath, body) {
35
+ const stub = getAnchorStub(env, sid);
36
+ const response = await stub.fetch(new URL(internalPath, DO_INTERNAL_ORIGIN).toString(), {
37
+ method: "POST",
38
+ headers: { "Content-Type": "application/json" },
39
+ body: JSON.stringify(body),
40
+ });
41
+ return response;
42
+ }
43
+ /** An HTML response with the mandated `Cache-Control: no-store`. */
44
+ function htmlResponse(html, status) {
45
+ return new Response(html, {
46
+ status,
47
+ headers: {
48
+ "Content-Type": "text/html; charset=utf-8",
49
+ "Cache-Control": "no-store",
50
+ },
51
+ });
52
+ }
53
+ /** Minimal self-contained HTML page shell (no external bundle dependency). */
54
+ function page(title, bodyInner) {
55
+ return `<!DOCTYPE html>
56
+ <html lang="en">
57
+ <head>
58
+ <meta charset="UTF-8">
59
+ <meta name="viewport" content="width=device-width, initial-scale=1.0">
60
+ <title>${escapeHtml(title)}</title>
61
+ </head>
62
+ <body>
63
+ ${bodyInner}
64
+ </body>
65
+ </html>`;
66
+ }
67
+ /** "Link expired" page for an anchor past its TTL. */
68
+ function expiredPage() {
69
+ return htmlResponse(page("Authorization link expired", `<main class="kya-consent-expired">
70
+ <h1>Authorization link expired</h1>
71
+ <p>This authorization request is no longer valid. Please start over to request a new one.</p>
72
+ </main>`), 410);
73
+ }
74
+ /** 404 page for an unknown anchor sid. */
75
+ function notFoundPage() {
76
+ return htmlResponse(page("Authorization request not found", `<main class="kya-consent-notfound">
77
+ <h1>Authorization request not found</h1>
78
+ <p>We could not find this authorization request. It may have already completed or been cancelled.</p>
79
+ </main>`), 404);
80
+ }
81
+ /** Generic approval-failed page (e.g. the anchor expired between GET and POST). */
82
+ function approvalFailedPage(message, status = 410) {
83
+ return htmlResponse(page("Authorization failed", `<main class="kya-consent-failed">
84
+ <h1>Authorization failed</h1>
85
+ <p>${escapeHtml(message)}</p>
86
+ </main>`), status);
87
+ }
88
+ /** Success page after a delegation is parked on the anchor. */
89
+ function successPage() {
90
+ return htmlResponse(page("Authorization complete", `<main class="kya-consent-success">
91
+ <h1>Authorization complete</h1>
92
+ <p>You have authorized the request. You can close this window and return to the application.</p>
93
+ </main>`), 200);
94
+ }
95
+ /**
96
+ * Render the minimal anchor approve form. Reuses the consent-only scope-list shape
97
+ * (escaped scope items) and posts to `/consent/approve?sid=…` with a CSRF token.
98
+ */
99
+ function approveFormPage(sid, info, csrfToken) {
100
+ const scopeItems = info.requiredScopes.length > 0
101
+ ? info.requiredScopes
102
+ .map((s) => `<li class="kya-scope-item">${escapeHtml(s)}</li>`)
103
+ .join("")
104
+ : `<li class="kya-scope-item">No specific permissions required.</li>`;
105
+ return page("Permission Request", `<main class="kya-consent">
106
+ <h1>Authorize delegation</h1>
107
+ <p class="kya-permissions-header">This request needs the following permissions:</p>
108
+ <ul class="kya-permissions-list">${scopeItems}</ul>
109
+ <form method="POST" action="/consent/approve?sid=${encodeURIComponent(sid)}">
110
+ <input type="hidden" name="sid" value="${escapeHtml(sid)}">
111
+ <input type="hidden" name="csrf_token" value="${escapeHtml(csrfToken)}">
112
+ <button type="submit" class="kya-consent-allow">Allow</button>
113
+ </form>
114
+ </main>`);
115
+ }
116
+ // ── CSRF (mirrors consent.service's HMAC token format, bound to the anchor sid) ──
117
+ /** Base64url-encode bytes without padding. */
118
+ function base64UrlEncodeBytes(bytes) {
119
+ return btoa(String.fromCharCode(...bytes))
120
+ .replace(/\+/g, "-")
121
+ .replace(/\//g, "_")
122
+ .replace(/=/g, "");
123
+ }
124
+ /** Base64url-encode a UTF-8 string without padding. */
125
+ function base64UrlEncodeString(value) {
126
+ return base64UrlEncodeBytes(new TextEncoder().encode(value));
127
+ }
128
+ /** Base64url-decode to a UTF-8 string (re-adding the stripped `=` padding for atob). */
129
+ function base64UrlDecodeString(value) {
130
+ const b64 = value.replace(/-/g, "+").replace(/_/g, "/");
131
+ return atob(b64 + "=".repeat((4 - (b64.length % 4)) % 4));
132
+ }
133
+ /**
134
+ * Compute the domain-separated CSRF HMAC (`csrf:<secret>` key material), matching
135
+ * `consent.service.ts` so the two never collide on the same secret.
136
+ */
137
+ async function computeCsrfHmac(secret, data) {
138
+ const encoder = new TextEncoder();
139
+ const key = await crypto.subtle.importKey("raw", encoder.encode(`csrf:${secret}`), { name: "HMAC", hash: "SHA-256" }, false, ["sign"]);
140
+ return crypto.subtle.sign("HMAC", key, encoder.encode(data));
141
+ }
142
+ /** Constant-time string comparison to avoid CSRF token timing oracles. */
143
+ function constantTimeEqual(a, b) {
144
+ if (a.length !== b.length)
145
+ return false;
146
+ let diff = 0;
147
+ for (let i = 0; i < a.length; i++) {
148
+ diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
149
+ }
150
+ return diff === 0;
151
+ }
152
+ /**
153
+ * Mint a CSRF token bound to the anchor `sid`: `${hmacB64}.${payloadB64}` over
154
+ * `{ sid, exp }`. Returns a non-validating random token when no secret is configured
155
+ * (graceful degradation — the form still renders).
156
+ */
157
+ async function mintCsrfToken(env, sid) {
158
+ const secret = env.OAUTH_ENCRYPTION_SECRET;
159
+ if (!secret) {
160
+ return base64UrlEncodeBytes(crypto.getRandomValues(new Uint8Array(32)));
161
+ }
162
+ const exp = Math.floor(Date.now() / 1000) + 600;
163
+ const payloadB64 = base64UrlEncodeString(JSON.stringify({ sid, exp }));
164
+ const hmacB64 = base64UrlEncodeBytes(new Uint8Array(await computeCsrfHmac(secret, payloadB64)));
165
+ return `${hmacB64}.${payloadB64}`;
166
+ }
167
+ /** Validate a CSRF token against the anchor `sid` (HMAC + `sid` binding + expiry). */
168
+ async function validateCsrfToken(env, sid, token) {
169
+ if (!token)
170
+ return false;
171
+ const secret = env.OAUTH_ENCRYPTION_SECRET;
172
+ if (!secret) {
173
+ // Fail CLOSED: with no secret we cannot validate the double-submit token, so an
174
+ // anchor consent-approve POST on this state-changing endpoint must be rejected.
175
+ // (Inheriting consent.service's legacy "graceful degradation to no-CSRF" is not
176
+ // acceptable on this new surface.) Set OAUTH_ENCRYPTION_SECRET, or use
177
+ // MCPI_TEST_CONSENT in an explicit development environment for local testing.
178
+ console.warn(`[kya-http] OAUTH_ENCRYPTION_SECRET unset; rejecting anchor consent approval (sid=${sid})`);
179
+ return false;
180
+ }
181
+ const dot = token.indexOf(".");
182
+ if (dot === -1)
183
+ return false;
184
+ const hmacB64 = token.substring(0, dot);
185
+ const payloadB64 = token.substring(dot + 1);
186
+ try {
187
+ const payload = JSON.parse(base64UrlDecodeString(payloadB64));
188
+ if (payload.sid !== sid)
189
+ return false;
190
+ if (typeof payload.exp === "number" &&
191
+ payload.exp < Math.floor(Date.now() / 1000)) {
192
+ return false;
193
+ }
194
+ const expectedB64 = base64UrlEncodeBytes(new Uint8Array(await computeCsrfHmac(secret, payloadB64)));
195
+ return constantTimeEqual(hmacB64, expectedB64);
196
+ }
197
+ catch {
198
+ return false;
199
+ }
200
+ }
201
+ /**
202
+ * Whether CSRF is relaxed for local/miniflare testing. Requires BOTH
203
+ * `MCPI_TEST_CONSENT === "true"` AND an explicit development environment (W3): the
204
+ * flag alone must NEVER disable CSRF on a production/default deployment.
205
+ */
206
+ function isTestConsentMode(env) {
207
+ // `MCPI_TEST_CONSENT` / `ENVIRONMENT` are deploy-time vars not declared on the
208
+ // strict CloudflareEnv interface (mirrors config.ts reading `MCPI_HTTP_CHALLENGE`).
209
+ const bag = env;
210
+ if (String(bag.MCPI_TEST_CONSENT) !== "true")
211
+ return false;
212
+ // Fail closed: only an explicit development environment may relax CSRF. Production,
213
+ // staging, unset, and empty all keep CSRF enforced.
214
+ const environment = String(bag.ENVIRONMENT ?? bag.MCPI_ENV ?? "").toLowerCase();
215
+ return environment === "development";
216
+ }
217
+ // ── VC-JWT minting (same primitive chain as consent.service.issueDelegationVC) ──
218
+ /**
219
+ * Mint a delegation VC-JWT for an approved anchor. Generates an ephemeral did:key
220
+ * holder, wraps a delegation record as a VC, and signs it — exactly the primitive
221
+ * chain `consent.service.ts` uses, called here directly (the service is a hot file
222
+ * and is never edited).
223
+ */
224
+ async function mintDelegationVcJwt(env, sid, info, expiresInS) {
225
+ const cryptoProvider = new WebCryptoProvider();
226
+ const rawKeyPair = await cryptoProvider.generateKeyPair();
227
+ const userDid = generateDidKeyFromBase64(rawKeyPair.publicKey);
228
+ const keyId = `${userDid}#${didKeyFragment(userDid)}`;
229
+ // Subject (the agent the delegation is granted to). The anchor does not carry the
230
+ // agent DID, so fall back to the worker's configured agent DID when present; the
231
+ // holder did is the issuer either way.
232
+ const agentDid = env.MCP_IDENTITY_AGENT_DID || userDid;
233
+ const nowS = Math.floor(Date.now() / 1000);
234
+ const delegation = {
235
+ id: `urn:uuid:${sid}`,
236
+ issuerDid: userDid,
237
+ subjectDid: agentDid,
238
+ vcId: `urn:uuid:${sid}`,
239
+ constraints: {
240
+ scopes: info.requiredScopes,
241
+ notBefore: nowS,
242
+ notAfter: nowS + expiresInS,
243
+ },
244
+ signature: "",
245
+ status: "active",
246
+ createdAt: nowS,
247
+ };
248
+ const unsignedVC = wrapDelegationAsVC(delegation, {
249
+ id: `urn:uuid:${sid}`,
250
+ issuanceDate: new Date().toISOString(),
251
+ });
252
+ const vcWithIssuer = { ...unsignedVC, issuer: userDid };
253
+ const { signingInput } = createUnsignedVCJWT(vcWithIssuer, { keyId });
254
+ const signatureBytes = await cryptoProvider.sign(new TextEncoder().encode(signingInput), rawKeyPair.privateKey);
255
+ const signature = base64urlEncodeFromBytes(signatureBytes);
256
+ return completeVCJWT(signingInput, signature);
257
+ }
258
+ // ── Public handlers ──────────────────────────────────────────────────────────
259
+ /**
260
+ * Render the anchor consent surface for `GET /consent?sid=kya-…`.
261
+ */
262
+ export async function handleAnchorConsentGet(c, sid, env, _cfg) {
263
+ const infoResponse = await callAnchor(env, sid, INTERNAL_PICKUP_INFO, {
264
+ sid,
265
+ });
266
+ if (infoResponse.status === 404)
267
+ return notFoundPage();
268
+ if (infoResponse.status === 410)
269
+ return expiredPage();
270
+ if (!infoResponse.ok) {
271
+ return approvalFailedPage("This authorization request could not be loaded. Please start over.", 502);
272
+ }
273
+ const info = (await infoResponse.json());
274
+ const csrfToken = await mintCsrfToken(env, sid);
275
+ return htmlResponse(approveFormPage(sid, info, csrfToken), 200);
276
+ }
277
+ /**
278
+ * Handle anchor approval for `POST /consent/approve?sid=kya-…`. Mints a VC-JWT and
279
+ * parks it on the anchor; an expired/unknown anchor makes the approval FAIL.
280
+ */
281
+ export async function handleAnchorConsentApprove(c, sid, env, cfg) {
282
+ // CSRF, unless test mode relaxes it for miniflare POSTs.
283
+ if (!isTestConsentMode(env)) {
284
+ const csrfToken = await readCsrfTokenFromBody(c);
285
+ const valid = await validateCsrfToken(env, sid, csrfToken);
286
+ if (!valid) {
287
+ return htmlResponse(page("Authorization failed", `<main class="kya-consent-failed"><h1>Authorization failed</h1><p>Invalid or missing security token. Please reload and try again.</p></main>`), 403);
288
+ }
289
+ }
290
+ // Read the anchor first: if it is already gone, fail BEFORE minting anything.
291
+ const infoResponse = await callAnchor(env, sid, INTERNAL_PICKUP_INFO, {
292
+ sid,
293
+ });
294
+ if (infoResponse.status === 404)
295
+ return notFoundPage();
296
+ if (infoResponse.status === 410) {
297
+ return approvalFailedPage("This authorization request has expired. Nothing was authorized.");
298
+ }
299
+ if (!infoResponse.ok) {
300
+ return approvalFailedPage("This authorization request could not be loaded. Please start over.", 502);
301
+ }
302
+ const info = (await infoResponse.json());
303
+ let vcJwt;
304
+ try {
305
+ vcJwt = await mintDelegationVcJwt(env, sid, info, cfg.delegationExpiresInS);
306
+ }
307
+ catch (error) {
308
+ // A mint failure (keygen/sign) must surface as a styled no-store error page, not
309
+ // an unhandled throw that escapes to a bare 500 — and must park nothing (we fail
310
+ // before the INTERNAL_PICKUP_APPROVE call below).
311
+ console.warn(`[kya-http] delegation mint failed (sid=${sid}):`, error instanceof Error ? error.message : String(error));
312
+ return approvalFailedPage("We could not complete the authorization. Please start over.", 500);
313
+ }
314
+ const approveResponse = await callAnchor(env, sid, INTERNAL_PICKUP_APPROVE, {
315
+ sid,
316
+ vcJwt,
317
+ expiresInS: cfg.delegationExpiresInS,
318
+ });
319
+ // Consent on an EXPIRED (410) or unknown (404) anchor MUST fail and mint nothing
320
+ // reachable — the minted JWT is never returned to the caller in that case.
321
+ if (approveResponse.status === 410) {
322
+ return approvalFailedPage("This authorization request expired before it could be completed. Nothing was authorized.");
323
+ }
324
+ if (approveResponse.status === 404)
325
+ return notFoundPage();
326
+ if (!approveResponse.ok) {
327
+ return approvalFailedPage("We could not complete the authorization. Please start over.", 502);
328
+ }
329
+ return successPage();
330
+ }
331
+ /**
332
+ * Read the `csrf_token` form field from the POST body via the underlying native
333
+ * Request (`c.req.raw`). The sid travels in the query, so consuming the body here
334
+ * never interferes with route-order interception. Returns undefined on parse failure.
335
+ */
336
+ async function readCsrfTokenFromBody(c) {
337
+ const raw = c.req?.raw;
338
+ if (!raw)
339
+ return undefined;
340
+ try {
341
+ const contentType = raw.headers.get("Content-Type") || "";
342
+ if (contentType.includes("application/json")) {
343
+ const body = (await raw.clone().json());
344
+ const token = body?.csrf_token;
345
+ return typeof token === "string" ? token : undefined;
346
+ }
347
+ const form = await raw.clone().formData();
348
+ const token = form.get("csrf_token");
349
+ return typeof token === "string" ? token : undefined;
350
+ }
351
+ catch {
352
+ return undefined;
353
+ }
354
+ }
355
+ //# sourceMappingURL=consent-anchor-bridge.js.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"consent-anchor-bridge.js","sourceRoot":"","sources":["../../src/delegation-http/consent-anchor-bridge.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;GAqBG;AAEH,OAAO,EACL,kBAAkB,EAClB,mBAAmB,EACnB,aAAa,EACb,wBAAwB,EACxB,wBAAwB,EACxB,cAAc,GAEf,MAAM,aAAa,CAAC;AAIrB,OAAO,EAAE,iBAAiB,EAAE,MAAM,qBAAqB,CAAC;AACxD,OAAO,EAAE,UAAU,EAAE,MAAM,2CAA2C,CAAC;AACvE,OAAO,EAAE,aAAa,EAAE,MAAM,kBAAkB,CAAC;AACjD,OAAO,EAAE,oBAAoB,EAAE,uBAAuB,EAAE,MAAM,aAAa,CAAC;AAE5E,wFAAwF;AACxF,MAAM,kBAAkB,GAAG,qBAAqB,CAAC;AAqBjD;;;GAGG;AACH,KAAK,UAAU,UAAU,CACvB,GAAkB,EAClB,GAAW,EACX,YAAoB,EACpB,IAAa;IAEb,MAAM,IAAI,GAAG,aAAa,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC;IACrC,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,KAAK,CAC/B,IAAI,GAAG,CAAC,YAAY,EAAE,kBAAkB,CAAC,CAAC,QAAQ,EAAE,EACpD;QACE,MAAM,EAAE,MAAM;QACd,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE;QAC/C,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC;KAC3B,CACF,CAAC;IACF,OAAO,QAA0C,CAAC;AACpD,CAAC;AAED,oEAAoE;AACpE,SAAS,YAAY,CAAC,IAAY,EAAE,MAAc;IAChD,OAAO,IAAI,QAAQ,CAAC,IAAI,EAAE;QACxB,MAAM;QACN,OAAO,EAAE;YACP,cAAc,EAAE,0BAA0B;YAC1C,eAAe,EAAE,UAAU;SAC5B;KACF,CAAC,CAAC;AACL,CAAC;AAED,8EAA8E;AAC9E,SAAS,IAAI,CAAC,KAAa,EAAE,SAAiB;IAC5C,OAAO;;;;;SAKA,UAAU,CAAC,KAAK,CAAC;;;EAGxB,SAAS;;QAEH,CAAC;AACT,CAAC;AAED,sDAAsD;AACtD,SAAS,WAAW;IAClB,OAAO,YAAY,CACjB,IAAI,CACF,4BAA4B,EAC5B;;;QAGE,CACH,EACD,GAAG,CACJ,CAAC;AACJ,CAAC;AAED,0CAA0C;AAC1C,SAAS,YAAY;IACnB,OAAO,YAAY,CACjB,IAAI,CACF,iCAAiC,EACjC;;;QAGE,CACH,EACD,GAAG,CACJ,CAAC;AACJ,CAAC;AAED,mFAAmF;AACnF,SAAS,kBAAkB,CAAC,OAAe,EAAE,MAAM,GAAG,GAAG;IACvD,OAAO,YAAY,CACjB,IAAI,CACF,sBAAsB,EACtB;;KAED,UAAU,CAAC,OAAO,CAAC;QAChB,CACH,EACD,MAAM,CACP,CAAC;AACJ,CAAC;AAED,+DAA+D;AAC/D,SAAS,WAAW;IAClB,OAAO,YAAY,CACjB,IAAI,CACF,wBAAwB,EACxB;;;QAGE,CACH,EACD,GAAG,CACJ,CAAC;AACJ,CAAC;AAED;;;GAGG;AACH,SAAS,eAAe,CACtB,GAAW,EACX,IAAgB,EAChB,SAAiB;IAEjB,MAAM,UAAU,GACd,IAAI,CAAC,cAAc,CAAC,MAAM,GAAG,CAAC;QAC5B,CAAC,CAAC,IAAI,CAAC,cAAc;aAChB,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,8BAA8B,UAAU,CAAC,CAAC,CAAC,OAAO,CAAC;aAC9D,IAAI,CAAC,EAAE,CAAC;QACb,CAAC,CAAC,mEAAmE,CAAC;IAE1E,OAAO,IAAI,CACT,oBAAoB,EACpB;;;mCAG+B,UAAU;mDACM,kBAAkB,CAAC,GAAG,CAAC;yCACjC,UAAU,CAAC,GAAG,CAAC;gDACR,UAAU,CAAC,SAAS,CAAC;;;QAG7D,CACL,CAAC;AACJ,CAAC;AAED,oFAAoF;AAEpF,8CAA8C;AAC9C,SAAS,oBAAoB,CAAC,KAAiB;IAC7C,OAAO,IAAI,CAAC,MAAM,CAAC,YAAY,CAAC,GAAG,KAAK,CAAC,CAAC;SACvC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC;SACnB,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC;SACnB,OAAO,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC;AACvB,CAAC;AAED,uDAAuD;AACvD,SAAS,qBAAqB,CAAC,KAAa;IAC1C,OAAO,oBAAoB,CAAC,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC;AAC/D,CAAC;AAED,wFAAwF;AACxF,SAAS,qBAAqB,CAAC,KAAa;IAC1C,MAAM,GAAG,GAAG,KAAK,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC;IACxD,OAAO,IAAI,CAAC,GAAG,GAAG,GAAG,CAAC,MAAM,CAAC,CAAC,CAAC,GAAG,CAAC,GAAG,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;AAC5D,CAAC;AAED;;;GAGG;AACH,KAAK,UAAU,eAAe,CAC5B,MAAc,EACd,IAAY;IAEZ,MAAM,OAAO,GAAG,IAAI,WAAW,EAAE,CAAC;IAClC,MAAM,GAAG,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,SAAS,CACvC,KAAK,EACL,OAAO,CAAC,MAAM,CAAC,QAAQ,MAAM,EAAE,CAAC,EAChC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,SAAS,EAAE,EACjC,KAAK,EACL,CAAC,MAAM,CAAC,CACT,CAAC;IACF,OAAO,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,MAAM,EAAE,GAAG,EAAE,OAAO,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC;AAC/D,CAAC;AAED,0EAA0E;AAC1E,SAAS,iBAAiB,CAAC,CAAS,EAAE,CAAS;IAC7C,IAAI,CAAC,CAAC,MAAM,KAAK,CAAC,CAAC,MAAM;QAAE,OAAO,KAAK,CAAC;IACxC,IAAI,IAAI,GAAG,CAAC,CAAC;IACb,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,CAAC,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QAClC,IAAI,IAAI,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC;IAC5C,CAAC;IACD,OAAO,IAAI,KAAK,CAAC,CAAC;AACpB,CAAC;AAED;;;;GAIG;AACH,KAAK,UAAU,aAAa,CAAC,GAAkB,EAAE,GAAW;IAC1D,MAAM,MAAM,GAAG,GAAG,CAAC,uBAAuB,CAAC;IAC3C,IAAI,CAAC,MAAM,EAAE,CAAC;QACZ,OAAO,oBAAoB,CAAC,MAAM,CAAC,eAAe,CAAC,IAAI,UAAU,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC;IAC1E,CAAC;IACD,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,GAAG,GAAG,CAAC;IAChD,MAAM,UAAU,GAAG,qBAAqB,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,GAAG,EAAE,GAAG,EAAE,CAAC,CAAC,CAAC;IACvE,MAAM,OAAO,GAAG,oBAAoB,CAClC,IAAI,UAAU,CAAC,MAAM,eAAe,CAAC,MAAM,EAAE,UAAU,CAAC,CAAC,CAC1D,CAAC;IACF,OAAO,GAAG,OAAO,IAAI,UAAU,EAAE,CAAC;AACpC,CAAC;AAED,sFAAsF;AACtF,KAAK,UAAU,iBAAiB,CAC9B,GAAkB,EAClB,GAAW,EACX,KAAyB;IAEzB,IAAI,CAAC,KAAK;QAAE,OAAO,KAAK,CAAC;IACzB,MAAM,MAAM,GAAG,GAAG,CAAC,uBAAuB,CAAC;IAC3C,IAAI,CAAC,MAAM,EAAE,CAAC;QACZ,gFAAgF;QAChF,gFAAgF;QAChF,gFAAgF;QAChF,uEAAuE;QACvE,8EAA8E;QAC9E,OAAO,CAAC,IAAI,CACV,oFAAoF,GAAG,GAAG,CAC3F,CAAC;QACF,OAAO,KAAK,CAAC;IACf,CAAC;IACD,MAAM,GAAG,GAAG,KAAK,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;IAC/B,IAAI,GAAG,KAAK,CAAC,CAAC;QAAE,OAAO,KAAK,CAAC;IAC7B,MAAM,OAAO,GAAG,KAAK,CAAC,SAAS,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC;IACxC,MAAM,UAAU,GAAG,KAAK,CAAC,SAAS,CAAC,GAAG,GAAG,CAAC,CAAC,CAAC;IAC5C,IAAI,CAAC;QACH,MAAM,OAAO,GAAG,IAAI,CAAC,KAAK,CAAC,qBAAqB,CAAC,UAAU,CAAC,CAG3D,CAAC;QACF,IAAI,OAAO,CAAC,GAAG,KAAK,GAAG;YAAE,OAAO,KAAK,CAAC;QACtC,IACE,OAAO,OAAO,CAAC,GAAG,KAAK,QAAQ;YAC/B,OAAO,CAAC,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,EAC3C,CAAC;YACD,OAAO,KAAK,CAAC;QACf,CAAC;QACD,MAAM,WAAW,GAAG,oBAAoB,CACtC,IAAI,UAAU,CAAC,MAAM,eAAe,CAAC,MAAM,EAAE,UAAU,CAAC,CAAC,CAC1D,CAAC;QACF,OAAO,iBAAiB,CAAC,OAAO,EAAE,WAAW,CAAC,CAAC;IACjD,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAC;IACf,CAAC;AACH,CAAC;AAED;;;;GAIG;AACH,SAAS,iBAAiB,CAAC,GAAkB;IAC3C,+EAA+E;IAC/E,oFAAoF;IACpF,MAAM,GAAG,GAAG,GAAyC,CAAC;IACtD,IAAI,MAAM,CAAC,GAAG,CAAC,iBAAiB,CAAC,KAAK,MAAM;QAAE,OAAO,KAAK,CAAC;IAC3D,oFAAoF;IACpF,oDAAoD;IACpD,MAAM,WAAW,GAAG,MAAM,CACxB,GAAG,CAAC,WAAW,IAAI,GAAG,CAAC,QAAQ,IAAI,EAAE,CACtC,CAAC,WAAW,EAAE,CAAC;IAChB,OAAO,WAAW,KAAK,aAAa,CAAC;AACvC,CAAC;AAED,mFAAmF;AAEnF;;;;;GAKG;AACH,KAAK,UAAU,mBAAmB,CAChC,GAAkB,EAClB,GAAW,EACX,IAAgB,EAChB,UAAkB;IAElB,MAAM,cAAc,GAAG,IAAI,iBAAiB,EAAE,CAAC;IAC/C,MAAM,UAAU,GAAG,MAAM,cAAc,CAAC,eAAe,EAAE,CAAC;IAC1D,MAAM,OAAO,GAAG,wBAAwB,CAAC,UAAU,CAAC,SAAS,CAAC,CAAC;IAC/D,MAAM,KAAK,GAAG,GAAG,OAAO,IAAI,cAAc,CAAC,OAAO,CAAC,EAAE,CAAC;IAEtD,kFAAkF;IAClF,iFAAiF;IACjF,uCAAuC;IACvC,MAAM,QAAQ,GAAG,GAAG,CAAC,sBAAsB,IAAI,OAAO,CAAC;IAEvD,MAAM,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;IAC3C,MAAM,UAAU,GAAqB;QACnC,EAAE,EAAE,YAAY,GAAG,EAAE;QACrB,SAAS,EAAE,OAAO;QAClB,UAAU,EAAE,QAAQ;QACpB,IAAI,EAAE,YAAY,GAAG,EAAE;QACvB,WAAW,EAAE;YACX,MAAM,EAAE,IAAI,CAAC,cAAc;YAC3B,SAAS,EAAE,IAAI;YACf,QAAQ,EAAE,IAAI,GAAG,UAAU;SAC5B;QACD,SAAS,EAAE,EAAE;QACb,MAAM,EAAE,QAAQ;QAChB,SAAS,EAAE,IAAI;KAChB,CAAC;IAEF,MAAM,UAAU,GAAG,kBAAkB,CAAC,UAAU,EAAE;QAChD,EAAE,EAAE,YAAY,GAAG,EAAE;QACrB,YAAY,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;KACvC,CAAC,CAAC;IACH,MAAM,YAAY,GAAG,EAAE,GAAG,UAAU,EAAE,MAAM,EAAE,OAAO,EAAE,CAAC;IAExD,MAAM,EAAE,YAAY,EAAE,GAAG,mBAAmB,CAC1C,YAAuC,EACvC,EAAE,KAAK,EAAE,CACV,CAAC;IACF,MAAM,cAAc,GAAG,MAAM,cAAc,CAAC,IAAI,CAC9C,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,YAAY,CAAC,EACtC,UAAU,CAAC,UAAU,CACtB,CAAC;IACF,MAAM,SAAS,GAAG,wBAAwB,CAAC,cAAc,CAAC,CAAC;IAE3D,OAAO,aAAa,CAAC,YAAY,EAAE,SAAS,CAAC,CAAC;AAChD,CAAC;AAED,gFAAgF;AAEhF;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,sBAAsB,CAC1C,CAAc,EACd,GAAW,EACX,GAAkB,EAClB,IAAmC;IAEnC,MAAM,YAAY,GAAG,MAAM,UAAU,CAAC,GAAG,EAAE,GAAG,EAAE,oBAAoB,EAAE;QACpE,GAAG;KACJ,CAAC,CAAC;IAEH,IAAI,YAAY,CAAC,MAAM,KAAK,GAAG;QAAE,OAAO,YAAY,EAAE,CAAC;IACvD,IAAI,YAAY,CAAC,MAAM,KAAK,GAAG;QAAE,OAAO,WAAW,EAAE,CAAC;IACtD,IAAI,CAAC,YAAY,CAAC,EAAE,EAAE,CAAC;QACrB,OAAO,kBAAkB,CACvB,oEAAoE,EACpE,GAAG,CACJ,CAAC;IACJ,CAAC;IAED,MAAM,IAAI,GAAG,CAAC,MAAM,YAAY,CAAC,IAAI,EAAE,CAAe,CAAC;IACvD,MAAM,SAAS,GAAG,MAAM,aAAa,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC;IAChD,OAAO,YAAY,CAAC,eAAe,CAAC,GAAG,EAAE,IAAI,EAAE,SAAS,CAAC,EAAE,GAAG,CAAC,CAAC;AAClE,CAAC;AAED;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,0BAA0B,CAC9C,CAAc,EACd,GAAW,EACX,GAAkB,EAClB,GAAkC;IAElC,yDAAyD;IACzD,IAAI,CAAC,iBAAiB,CAAC,GAAG,CAAC,EAAE,CAAC;QAC5B,MAAM,SAAS,GAAG,MAAM,qBAAqB,CAAC,CAAC,CAAC,CAAC;QACjD,MAAM,KAAK,GAAG,MAAM,iBAAiB,CAAC,GAAG,EAAE,GAAG,EAAE,SAAS,CAAC,CAAC;QAC3D,IAAI,CAAC,KAAK,EAAE,CAAC;YACX,OAAO,YAAY,CACjB,IAAI,CACF,sBAAsB,EACtB,6IAA6I,CAC9I,EACD,GAAG,CACJ,CAAC;QACJ,CAAC;IACH,CAAC;IAED,8EAA8E;IAC9E,MAAM,YAAY,GAAG,MAAM,UAAU,CAAC,GAAG,EAAE,GAAG,EAAE,oBAAoB,EAAE;QACpE,GAAG;KACJ,CAAC,CAAC;IACH,IAAI,YAAY,CAAC,MAAM,KAAK,GAAG;QAAE,OAAO,YAAY,EAAE,CAAC;IACvD,IAAI,YAAY,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC;QAChC,OAAO,kBAAkB,CACvB,iEAAiE,CAClE,CAAC;IACJ,CAAC;IACD,IAAI,CAAC,YAAY,CAAC,EAAE,EAAE,CAAC;QACrB,OAAO,kBAAkB,CACvB,oEAAoE,EACpE,GAAG,CACJ,CAAC;IACJ,CAAC;IACD,MAAM,IAAI,GAAG,CAAC,MAAM,YAAY,CAAC,IAAI,EAAE,CAAe,CAAC;IAEvD,IAAI,KAAa,CAAC;IAClB,IAAI,CAAC;QACH,KAAK,GAAG,MAAM,mBAAmB,CAAC,GAAG,EAAE,GAAG,EAAE,IAAI,EAAE,GAAG,CAAC,oBAAoB,CAAC,CAAC;IAC9E,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,iFAAiF;QACjF,iFAAiF;QACjF,kDAAkD;QAClD,OAAO,CAAC,IAAI,CACV,0CAA0C,GAAG,IAAI,EACjD,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CACvD,CAAC;QACF,OAAO,kBAAkB,CACvB,6DAA6D,EAC7D,GAAG,CACJ,CAAC;IACJ,CAAC;IAED,MAAM,eAAe,GAAG,MAAM,UAAU,CAAC,GAAG,EAAE,GAAG,EAAE,uBAAuB,EAAE;QAC1E,GAAG;QACH,KAAK;QACL,UAAU,EAAE,GAAG,CAAC,oBAAoB;KACrC,CAAC,CAAC;IAEH,iFAAiF;IACjF,2EAA2E;IAC3E,IAAI,eAAe,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC;QACnC,OAAO,kBAAkB,CACvB,0FAA0F,CAC3F,CAAC;IACJ,CAAC;IACD,IAAI,eAAe,CAAC,MAAM,KAAK,GAAG;QAAE,OAAO,YAAY,EAAE,CAAC;IAC1D,IAAI,CAAC,eAAe,CAAC,EAAE,EAAE,CAAC;QACxB,OAAO,kBAAkB,CACvB,6DAA6D,EAC7D,GAAG,CACJ,CAAC;IACJ,CAAC;IAED,OAAO,WAAW,EAAE,CAAC;AACvB,CAAC;AAED;;;;GAIG;AACH,KAAK,UAAU,qBAAqB,CAClC,CAAc;IAEd,MAAM,GAAG,GAAI,CAA4C,CAAC,GAAG,EAAE,GAAG,CAAC;IACnE,IAAI,CAAC,GAAG;QAAE,OAAO,SAAS,CAAC;IAC3B,IAAI,CAAC;QACH,MAAM,WAAW,GAAG,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,cAAc,CAAC,IAAI,EAAE,CAAC;QAC1D,IAAI,WAAW,CAAC,QAAQ,CAAC,kBAAkB,CAAC,EAAE,CAAC;YAC7C,MAAM,IAAI,GAAG,CAAC,MAAM,GAAG,CAAC,KAAK,EAAE,CAAC,IAAI,EAAE,CAA4B,CAAC;YACnE,MAAM,KAAK,GAAG,IAAI,EAAE,UAAU,CAAC;YAC/B,OAAO,OAAO,KAAK,KAAK,QAAQ,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,SAAS,CAAC;QACvD,CAAC;QACD,MAAM,IAAI,GAAG,MAAM,GAAG,CAAC,KAAK,EAAE,CAAC,QAAQ,EAAE,CAAC;QAC1C,MAAM,KAAK,GAAG,IAAI,CAAC,GAAG,CAAC,YAAY,CAAC,CAAC;QACrC,OAAO,OAAO,KAAK,KAAK,QAAQ,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,SAAS,CAAC;IACvD,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,SAAS,CAAC;IACnB,CAAC;AACH,CAAC"}
@@ -0,0 +1,51 @@
1
+ /**
2
+ * draft-kya-http-02 delegation layer — frozen constants.
3
+ *
4
+ * Wire contract source of truth: the vendored golden fixtures under
5
+ * `src/__tests__/fixtures/kya-http/`. These values are byte-significant for §8.1
6
+ * challenges, §8.2 worker-served pickup, and the §9 error registry. Do not edit
7
+ * without re-vendoring the fixtures from checkpoint.
8
+ *
9
+ * @module @kya-os/mcp-i-cloudflare/delegation-http/constants
10
+ */
11
+ /** Worker-served pickup endpoint (§8.2). Hono route pattern with a `:sid` param. */
12
+ export declare const PICKUP_ROUTE = "/api/delegation/pickup/:sid";
13
+ /**
14
+ * Consent surface. The legacy consent service owns this path; the kya-http bridge
15
+ * only intercepts requests carrying an anchor sid (`?sid=kya-…`) and otherwise
16
+ * falls through with `next()`.
17
+ */
18
+ export declare const CONSENT_ROUTE = "/consent";
19
+ /** Raw pickup-token header for token-path holders (hashed before storage). */
20
+ export declare const PICKUP_TOKEN_HEADER = "X-KYA-Pickup-Token";
21
+ /** Fallback delegation header used when `Authorization` is occupied by an OAuth bearer. */
22
+ export declare const FALLBACK_DELEGATION_HEADER = "KYA-Delegation";
23
+ /**
24
+ * Param order for the `WWW-Authenticate: Delegation` challenge (§8.1), byte-exact.
25
+ * Mirrors `challenge.delegation.full.json` → `conformance.param_order`.
26
+ */
27
+ export declare const CHALLENGE_PARAM_ORDER: readonly ["realm", "sid", "consent_uri", "pickup_uri", "scope", "min_assurance", "interval", "kind"];
28
+ /**
29
+ * The `kyaos/*` error registry (§9). Every value MUST be present in the vendored
30
+ * `error-codes.json` (asserted by the contract test). Emitters MUST use these exact
31
+ * strings.
32
+ */
33
+ export declare const KYAOS_ERRORS: {
34
+ readonly authorizationRequired: "kyaos/authorization-required";
35
+ readonly pickupPinned: "kyaos/pickup-pinned";
36
+ readonly invalidSession: "kyaos/invalid-session";
37
+ readonly pickupExpired: "kyaos/pickup-expired";
38
+ readonly expired: "kyaos/expired";
39
+ readonly chainBroken: "kyaos/chain-broken";
40
+ readonly scopeInsufficient: "kyaos/scope-insufficient";
41
+ };
42
+ /**
43
+ * Internal DO route paths for the pickup-anchor durable object. Dispatched at the
44
+ * top of `MCPICloudflareAgent.fetch` (see `agent.ts`) and proxied to via
45
+ * `getAnchorStub(env, sid)`.
46
+ */
47
+ export declare const INTERNAL_PICKUP_CREATE = "/_internal/pickup/create";
48
+ export declare const INTERNAL_PICKUP_POLL = "/_internal/pickup/poll";
49
+ export declare const INTERNAL_PICKUP_APPROVE = "/_internal/pickup/approve";
50
+ export declare const INTERNAL_PICKUP_INFO = "/_internal/pickup/info";
51
+ //# sourceMappingURL=constants.d.ts.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"constants.d.ts","sourceRoot":"","sources":["../../src/delegation-http/constants.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAEH,oFAAoF;AACpF,eAAO,MAAM,YAAY,gCAAgC,CAAC;AAE1D;;;;GAIG;AACH,eAAO,MAAM,aAAa,aAAa,CAAC;AAExC,8EAA8E;AAC9E,eAAO,MAAM,mBAAmB,uBAAuB,CAAC;AAExD,2FAA2F;AAC3F,eAAO,MAAM,0BAA0B,mBAAmB,CAAC;AAE3D;;;GAGG;AACH,eAAO,MAAM,qBAAqB,sGASxB,CAAC;AAEX;;;;GAIG;AACH,eAAO,MAAM,YAAY;;;;;;;;CAQf,CAAC;AAEX;;;;GAIG;AACH,eAAO,MAAM,sBAAsB,6BAA6B,CAAC;AACjE,eAAO,MAAM,oBAAoB,2BAA2B,CAAC;AAC7D,eAAO,MAAM,uBAAuB,8BAA8B,CAAC;AACnE,eAAO,MAAM,oBAAoB,2BAA2B,CAAC"}
@@ -0,0 +1,60 @@
1
+ /**
2
+ * draft-kya-http-02 delegation layer — frozen constants.
3
+ *
4
+ * Wire contract source of truth: the vendored golden fixtures under
5
+ * `src/__tests__/fixtures/kya-http/`. These values are byte-significant for §8.1
6
+ * challenges, §8.2 worker-served pickup, and the §9 error registry. Do not edit
7
+ * without re-vendoring the fixtures from checkpoint.
8
+ *
9
+ * @module @kya-os/mcp-i-cloudflare/delegation-http/constants
10
+ */
11
+ /** Worker-served pickup endpoint (§8.2). Hono route pattern with a `:sid` param. */
12
+ export const PICKUP_ROUTE = "/api/delegation/pickup/:sid";
13
+ /**
14
+ * Consent surface. The legacy consent service owns this path; the kya-http bridge
15
+ * only intercepts requests carrying an anchor sid (`?sid=kya-…`) and otherwise
16
+ * falls through with `next()`.
17
+ */
18
+ export const CONSENT_ROUTE = "/consent";
19
+ /** Raw pickup-token header for token-path holders (hashed before storage). */
20
+ export const PICKUP_TOKEN_HEADER = "X-KYA-Pickup-Token";
21
+ /** Fallback delegation header used when `Authorization` is occupied by an OAuth bearer. */
22
+ export const FALLBACK_DELEGATION_HEADER = "KYA-Delegation";
23
+ /**
24
+ * Param order for the `WWW-Authenticate: Delegation` challenge (§8.1), byte-exact.
25
+ * Mirrors `challenge.delegation.full.json` → `conformance.param_order`.
26
+ */
27
+ export const CHALLENGE_PARAM_ORDER = [
28
+ "realm",
29
+ "sid",
30
+ "consent_uri",
31
+ "pickup_uri",
32
+ "scope",
33
+ "min_assurance",
34
+ "interval",
35
+ "kind",
36
+ ];
37
+ /**
38
+ * The `kyaos/*` error registry (§9). Every value MUST be present in the vendored
39
+ * `error-codes.json` (asserted by the contract test). Emitters MUST use these exact
40
+ * strings.
41
+ */
42
+ export const KYAOS_ERRORS = {
43
+ authorizationRequired: "kyaos/authorization-required",
44
+ pickupPinned: "kyaos/pickup-pinned",
45
+ invalidSession: "kyaos/invalid-session",
46
+ pickupExpired: "kyaos/pickup-expired",
47
+ expired: "kyaos/expired",
48
+ chainBroken: "kyaos/chain-broken",
49
+ scopeInsufficient: "kyaos/scope-insufficient",
50
+ };
51
+ /**
52
+ * Internal DO route paths for the pickup-anchor durable object. Dispatched at the
53
+ * top of `MCPICloudflareAgent.fetch` (see `agent.ts`) and proxied to via
54
+ * `getAnchorStub(env, sid)`.
55
+ */
56
+ export const INTERNAL_PICKUP_CREATE = "/_internal/pickup/create";
57
+ export const INTERNAL_PICKUP_POLL = "/_internal/pickup/poll";
58
+ export const INTERNAL_PICKUP_APPROVE = "/_internal/pickup/approve";
59
+ export const INTERNAL_PICKUP_INFO = "/_internal/pickup/info";
60
+ //# sourceMappingURL=constants.js.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"constants.js","sourceRoot":"","sources":["../../src/delegation-http/constants.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAEH,oFAAoF;AACpF,MAAM,CAAC,MAAM,YAAY,GAAG,6BAA6B,CAAC;AAE1D;;;;GAIG;AACH,MAAM,CAAC,MAAM,aAAa,GAAG,UAAU,CAAC;AAExC,8EAA8E;AAC9E,MAAM,CAAC,MAAM,mBAAmB,GAAG,oBAAoB,CAAC;AAExD,2FAA2F;AAC3F,MAAM,CAAC,MAAM,0BAA0B,GAAG,gBAAgB,CAAC;AAE3D;;;GAGG;AACH,MAAM,CAAC,MAAM,qBAAqB,GAAG;IACnC,OAAO;IACP,KAAK;IACL,aAAa;IACb,YAAY;IACZ,OAAO;IACP,eAAe;IACf,UAAU;IACV,MAAM;CACE,CAAC;AAEX;;;;GAIG;AACH,MAAM,CAAC,MAAM,YAAY,GAAG;IAC1B,qBAAqB,EAAE,8BAA8B;IACrD,YAAY,EAAE,qBAAqB;IACnC,cAAc,EAAE,uBAAuB;IACvC,aAAa,EAAE,sBAAsB;IACrC,OAAO,EAAE,eAAe;IACxB,WAAW,EAAE,oBAAoB;IACjC,iBAAiB,EAAE,0BAA0B;CACrC,CAAC;AAEX;;;;GAIG;AACH,MAAM,CAAC,MAAM,sBAAsB,GAAG,0BAA0B,CAAC;AACjE,MAAM,CAAC,MAAM,oBAAoB,GAAG,wBAAwB,CAAC;AAC7D,MAAM,CAAC,MAAM,uBAAuB,GAAG,2BAA2B,CAAC;AACnE,MAAM,CAAC,MAAM,oBAAoB,GAAG,wBAAwB,CAAC"}
@@ -0,0 +1,21 @@
1
+ /**
2
+ * draft-kya-http-02 delegation layer — synchronous SHA-256.
3
+ *
4
+ * The §13 pickup-anchor reducers are pure and synchronous (frozen contract:
5
+ * `reducePoll(...)` returns a plain object, not a `Promise`), yet they must hash the
6
+ * holder secret so that only its digest — never the raw token/keyid — is ever stored
7
+ * or compared. The Workers runtime exposes SHA-256 only through the *async*
8
+ * `crypto.subtle` API, so a synchronous, dependency-free implementation is required
9
+ * to keep the reducers pure. This is a verbatim FIPS 180-4 SHA-256 over the UTF-8
10
+ * bytes of the input; it is asserted against the canonical vectors and against
11
+ * `crypto.subtle.digest` in `anchor-reducer.test.ts`.
12
+ *
13
+ * @module @kya-os/mcp-i-cloudflare/delegation-http/hash
14
+ */
15
+ /**
16
+ * Compute the lowercase hex SHA-256 digest of a string's UTF-8 bytes.
17
+ *
18
+ * Synchronous and pure — safe to call inside the anchor reducers.
19
+ */
20
+ export declare function sha256Hex(input: string): string;
21
+ //# sourceMappingURL=hash.d.ts.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"hash.d.ts","sourceRoot":"","sources":["../../src/delegation-http/hash.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AAsBH;;;;GAIG;AACH,wBAAgB,SAAS,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM,CA2E/C"}
@@ -0,0 +1,92 @@
1
+ /**
2
+ * draft-kya-http-02 delegation layer — synchronous SHA-256.
3
+ *
4
+ * The §13 pickup-anchor reducers are pure and synchronous (frozen contract:
5
+ * `reducePoll(...)` returns a plain object, not a `Promise`), yet they must hash the
6
+ * holder secret so that only its digest — never the raw token/keyid — is ever stored
7
+ * or compared. The Workers runtime exposes SHA-256 only through the *async*
8
+ * `crypto.subtle` API, so a synchronous, dependency-free implementation is required
9
+ * to keep the reducers pure. This is a verbatim FIPS 180-4 SHA-256 over the UTF-8
10
+ * bytes of the input; it is asserted against the canonical vectors and against
11
+ * `crypto.subtle.digest` in `anchor-reducer.test.ts`.
12
+ *
13
+ * @module @kya-os/mcp-i-cloudflare/delegation-http/hash
14
+ */
15
+ /** FIPS 180-4 §4.2.2 round constants (first 32 bits of the cube roots of the first 64 primes). */
16
+ const K = new Uint32Array([
17
+ 0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5, 0x3956c25b, 0x59f111f1,
18
+ 0x923f82a4, 0xab1c5ed5, 0xd807aa98, 0x12835b01, 0x243185be, 0x550c7dc3,
19
+ 0x72be5d74, 0x80deb1fe, 0x9bdc06a7, 0xc19bf174, 0xe49b69c1, 0xefbe4786,
20
+ 0x0fc19dc6, 0x240ca1cc, 0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da,
21
+ 0x983e5152, 0xa831c66d, 0xb00327c8, 0xbf597fc7, 0xc6e00bf3, 0xd5a79147,
22
+ 0x06ca6351, 0x14292967, 0x27b70a85, 0x2e1b2138, 0x4d2c6dfc, 0x53380d13,
23
+ 0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85, 0xa2bfe8a1, 0xa81a664b,
24
+ 0xc24b8b70, 0xc76c51a3, 0xd192e819, 0xd6990624, 0xf40e3585, 0x106aa070,
25
+ 0x19a4c116, 0x1e376c08, 0x2748774c, 0x34b0bcb5, 0x391c0cb3, 0x4ed8aa4a,
26
+ 0x5b9cca4f, 0x682e6ff3, 0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208,
27
+ 0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2,
28
+ ]);
29
+ /** Right-rotate a 32-bit word (`>>> 0` because the left shift can set the sign bit). */
30
+ function ror(x, n) {
31
+ return ((x >>> n) | (x << (32 - n))) >>> 0;
32
+ }
33
+ /**
34
+ * Compute the lowercase hex SHA-256 digest of a string's UTF-8 bytes.
35
+ *
36
+ * Synchronous and pure — safe to call inside the anchor reducers.
37
+ */
38
+ export function sha256Hex(input) {
39
+ const bytes = new TextEncoder().encode(input);
40
+ const bitLen = bytes.length * 8;
41
+ // Pad: 0x80, then zeros to 56 mod 64, then the 64-bit big-endian bit length.
42
+ const withPad = ((bytes.length + 8) >> 6) + 1; // number of 64-byte blocks
43
+ const padded = new Uint8Array(withPad * 64);
44
+ padded.set(bytes);
45
+ padded[bytes.length] = 0x80;
46
+ // Bit length as 64-bit big-endian (high word is 0 for any realistic input).
47
+ const dv = new DataView(padded.buffer);
48
+ dv.setUint32(padded.length - 8, Math.floor(bitLen / 0x100000000));
49
+ dv.setUint32(padded.length - 4, bitLen >>> 0);
50
+ // FIPS 180-4 §5.3.3 initial hash value.
51
+ let h0 = 0x6a09e667, h1 = 0xbb67ae85, h2 = 0x3c6ef372, h3 = 0xa54ff53a, h4 = 0x510e527f, h5 = 0x9b05688c, h6 = 0x1f83d9ab, h7 = 0x5be0cd19;
52
+ const w = new Uint32Array(64);
53
+ for (let block = 0; block < padded.length; block += 64) {
54
+ for (let t = 0; t < 16; t++) {
55
+ w[t] = dv.getUint32(block + t * 4);
56
+ }
57
+ for (let t = 16; t < 64; t++) {
58
+ const s0 = ror(w[t - 15], 7) ^ ror(w[t - 15], 18) ^ (w[t - 15] >>> 3);
59
+ const s1 = ror(w[t - 2], 17) ^ ror(w[t - 2], 19) ^ (w[t - 2] >>> 10);
60
+ w[t] = (w[t - 16] + s0 + w[t - 7] + s1) >>> 0;
61
+ }
62
+ let a = h0, b = h1, c = h2, d = h3, e = h4, f = h5, g = h6, h = h7;
63
+ for (let t = 0; t < 64; t++) {
64
+ const S1 = ror(e, 6) ^ ror(e, 11) ^ ror(e, 25);
65
+ const ch = (e & f) ^ (~e & g);
66
+ const t1 = (h + S1 + ch + K[t] + w[t]) >>> 0;
67
+ const S0 = ror(a, 2) ^ ror(a, 13) ^ ror(a, 22);
68
+ const maj = (a & b) ^ (a & c) ^ (b & c);
69
+ const t2 = (S0 + maj) >>> 0;
70
+ h = g;
71
+ g = f;
72
+ f = e;
73
+ e = (d + t1) >>> 0;
74
+ d = c;
75
+ c = b;
76
+ b = a;
77
+ a = (t1 + t2) >>> 0;
78
+ }
79
+ h0 = (h0 + a) >>> 0;
80
+ h1 = (h1 + b) >>> 0;
81
+ h2 = (h2 + c) >>> 0;
82
+ h3 = (h3 + d) >>> 0;
83
+ h4 = (h4 + e) >>> 0;
84
+ h5 = (h5 + f) >>> 0;
85
+ h6 = (h6 + g) >>> 0;
86
+ h7 = (h7 + h) >>> 0;
87
+ }
88
+ return [h0, h1, h2, h3, h4, h5, h6, h7]
89
+ .map((x) => x.toString(16).padStart(8, "0"))
90
+ .join("");
91
+ }
92
+ //# sourceMappingURL=hash.js.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"hash.js","sourceRoot":"","sources":["../../src/delegation-http/hash.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AAEH,kGAAkG;AAClG,MAAM,CAAC,GAAG,IAAI,WAAW,CAAC;IACxB,UAAU,EAAE,UAAU,EAAE,UAAU,EAAE,UAAU,EAAE,UAAU,EAAE,UAAU;IACtE,UAAU,EAAE,UAAU,EAAE,UAAU,EAAE,UAAU,EAAE,UAAU,EAAE,UAAU;IACtE,UAAU,EAAE,UAAU,EAAE,UAAU,EAAE,UAAU,EAAE,UAAU,EAAE,UAAU;IACtE,UAAU,EAAE,UAAU,EAAE,UAAU,EAAE,UAAU,EAAE,UAAU,EAAE,UAAU;IACtE,UAAU,EAAE,UAAU,EAAE,UAAU,EAAE,UAAU,EAAE,UAAU,EAAE,UAAU;IACtE,UAAU,EAAE,UAAU,EAAE,UAAU,EAAE,UAAU,EAAE,UAAU,EAAE,UAAU;IACtE,UAAU,EAAE,UAAU,EAAE,UAAU,EAAE,UAAU,EAAE,UAAU,EAAE,UAAU;IACtE,UAAU,EAAE,UAAU,EAAE,UAAU,EAAE,UAAU,EAAE,UAAU,EAAE,UAAU;IACtE,UAAU,EAAE,UAAU,EAAE,UAAU,EAAE,UAAU,EAAE,UAAU,EAAE,UAAU;IACtE,UAAU,EAAE,UAAU,EAAE,UAAU,EAAE,UAAU,EAAE,UAAU,EAAE,UAAU;IACtE,UAAU,EAAE,UAAU,EAAE,UAAU,EAAE,UAAU;CAC/C,CAAC,CAAC;AAEH,wFAAwF;AACxF,SAAS,GAAG,CAAC,CAAS,EAAE,CAAS;IAC/B,OAAO,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,GAAG,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC;AAC7C,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,SAAS,CAAC,KAAa;IACrC,MAAM,KAAK,GAAG,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;IAC9C,MAAM,MAAM,GAAG,KAAK,CAAC,MAAM,GAAG,CAAC,CAAC;IAEhC,6EAA6E;IAC7E,MAAM,OAAO,GAAG,CAAC,CAAC,KAAK,CAAC,MAAM,GAAG,CAAC,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,2BAA2B;IAC1E,MAAM,MAAM,GAAG,IAAI,UAAU,CAAC,OAAO,GAAG,EAAE,CAAC,CAAC;IAC5C,MAAM,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;IAClB,MAAM,CAAC,KAAK,CAAC,MAAM,CAAC,GAAG,IAAI,CAAC;IAC5B,4EAA4E;IAC5E,MAAM,EAAE,GAAG,IAAI,QAAQ,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;IACvC,EAAE,CAAC,SAAS,CAAC,MAAM,CAAC,MAAM,GAAG,CAAC,EAAE,IAAI,CAAC,KAAK,CAAC,MAAM,GAAG,WAAW,CAAC,CAAC,CAAC;IAClE,EAAE,CAAC,SAAS,CAAC,MAAM,CAAC,MAAM,GAAG,CAAC,EAAE,MAAM,KAAK,CAAC,CAAC,CAAC;IAE9C,wCAAwC;IACxC,IAAI,EAAE,GAAG,UAAU,EACjB,EAAE,GAAG,UAAU,EACf,EAAE,GAAG,UAAU,EACf,EAAE,GAAG,UAAU,EACf,EAAE,GAAG,UAAU,EACf,EAAE,GAAG,UAAU,EACf,EAAE,GAAG,UAAU,EACf,EAAE,GAAG,UAAU,CAAC;IAElB,MAAM,CAAC,GAAG,IAAI,WAAW,CAAC,EAAE,CAAC,CAAC;IAE9B,KAAK,IAAI,KAAK,GAAG,CAAC,EAAE,KAAK,GAAG,MAAM,CAAC,MAAM,EAAE,KAAK,IAAI,EAAE,EAAE,CAAC;QACvD,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,EAAE,EAAE,CAAC,EAAE,EAAE,CAAC;YAC5B,CAAC,CAAC,CAAC,CAAC,GAAG,EAAE,CAAC,SAAS,CAAC,KAAK,GAAG,CAAC,GAAG,CAAC,CAAC,CAAC;QACrC,CAAC;QACD,KAAK,IAAI,CAAC,GAAG,EAAE,EAAE,CAAC,GAAG,EAAE,EAAE,CAAC,EAAE,EAAE,CAAC;YAC7B,MAAM,EAAE,GAAG,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,EAAE,CAAC,EAAE,CAAC,CAAC,GAAG,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,EAAE,CAAC,EAAE,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,EAAE,CAAC,KAAK,CAAC,CAAC,CAAC;YACtE,MAAM,EAAE,GAAG,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,EAAE,EAAE,CAAC,GAAG,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,EAAE,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,KAAK,EAAE,CAAC,CAAC;YACrE,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,EAAE,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,CAAC,KAAK,CAAC,CAAC;QAChD,CAAC;QAED,IAAI,CAAC,GAAG,EAAE,EACR,CAAC,GAAG,EAAE,EACN,CAAC,GAAG,EAAE,EACN,CAAC,GAAG,EAAE,EACN,CAAC,GAAG,EAAE,EACN,CAAC,GAAG,EAAE,EACN,CAAC,GAAG,EAAE,EACN,CAAC,GAAG,EAAE,CAAC;QAET,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,EAAE,EAAE,CAAC,EAAE,EAAE,CAAC;YAC5B,MAAM,EAAE,GAAG,GAAG,CAAC,CAAC,EAAE,CAAC,CAAC,GAAG,GAAG,CAAC,CAAC,EAAE,EAAE,CAAC,GAAG,GAAG,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;YAC/C,MAAM,EAAE,GAAG,CAAC,CAAC,GAAG,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;YAC9B,MAAM,EAAE,GAAG,CAAC,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC;YAC7C,MAAM,EAAE,GAAG,GAAG,CAAC,CAAC,EAAE,CAAC,CAAC,GAAG,GAAG,CAAC,CAAC,EAAE,EAAE,CAAC,GAAG,GAAG,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;YAC/C,MAAM,GAAG,GAAG,CAAC,CAAC,GAAG,CAAC,CAAC,GAAG,CAAC,CAAC,GAAG,CAAC,CAAC,GAAG,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;YACxC,MAAM,EAAE,GAAG,CAAC,EAAE,GAAG,GAAG,CAAC,KAAK,CAAC,CAAC;YAC5B,CAAC,GAAG,CAAC,CAAC;YACN,CAAC,GAAG,CAAC,CAAC;YACN,CAAC,GAAG,CAAC,CAAC;YACN,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,CAAC,KAAK,CAAC,CAAC;YACnB,CAAC,GAAG,CAAC,CAAC;YACN,CAAC,GAAG,CAAC,CAAC;YACN,CAAC,GAAG,CAAC,CAAC;YACN,CAAC,GAAG,CAAC,EAAE,GAAG,EAAE,CAAC,KAAK,CAAC,CAAC;QACtB,CAAC;QAED,EAAE,GAAG,CAAC,EAAE,GAAG,CAAC,CAAC,KAAK,CAAC,CAAC;QACpB,EAAE,GAAG,CAAC,EAAE,GAAG,CAAC,CAAC,KAAK,CAAC,CAAC;QACpB,EAAE,GAAG,CAAC,EAAE,GAAG,CAAC,CAAC,KAAK,CAAC,CAAC;QACpB,EAAE,GAAG,CAAC,EAAE,GAAG,CAAC,CAAC,KAAK,CAAC,CAAC;QACpB,EAAE,GAAG,CAAC,EAAE,GAAG,CAAC,CAAC,KAAK,CAAC,CAAC;QACpB,EAAE,GAAG,CAAC,EAAE,GAAG,CAAC,CAAC,KAAK,CAAC,CAAC;QACpB,EAAE,GAAG,CAAC,EAAE,GAAG,CAAC,CAAC,KAAK,CAAC,CAAC;QACpB,EAAE,GAAG,CAAC,EAAE,GAAG,CAAC,CAAC,KAAK,CAAC,CAAC;IACtB,CAAC;IAED,OAAO,CAAC,EAAE,EAAE,EAAE,EAAE,EAAE,EAAE,EAAE,EAAE,EAAE,EAAE,EAAE,EAAE,EAAE,EAAE,EAAE,CAAC;SACpC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC;SAC3C,IAAI,CAAC,EAAE,CAAC,CAAC;AACd,CAAC"}