@kyaki/agents 0.1.0

package/dist/index.js

@@ -0,0 +1,8 @@
+export { MockMarket } from './market.js';
+export { ApprovalInbox, signApproval, verifyApproval } from './approvals.js';
+export { ProcurerAgent } from './procurer.js';
+export { Treasurer, StaticFX, TreasuryApprovalInbox, } from './treasury.js';
+export { AuditorAgent, verifyAuditAttestation, } from './auditor.js';
+export { ContinuousAuditor } from './continuous-auditor.js';
+export { Steward, verifyGovernanceAttestation, } from './steward.js';
+//# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAYA,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AACzC,OAAO,EAAE,aAAa,EAAE,YAAY,EAAE,cAAc,EAAuB,MAAM,gBAAgB,CAAC;AAClG,OAAO,EAAE,aAAa,EAAuB,MAAM,eAAe,CAAC;AACnE,OAAO,EACL,SAAS,EAAE,QAAQ,EAAE,qBAAqB,GAI3C,MAAM,eAAe,CAAC;AACvB,OAAO,EACL,YAAY,EAAE,sBAAsB,GAGrC,MAAM,cAAc,CAAC;AACtB,OAAO,EAAE,iBAAiB,EAAoB,MAAM,yBAAyB,CAAC;AAC9E,OAAO,EACL,OAAO,EAAE,2BAA2B,GAErC,MAAM,cAAc,CAAC"}

package/dist/market.d.ts

@@ -0,0 +1,10 @@
+/**
+ * market.ts — Mock RFQ market for demos and tests.
+ */
+import type { Market, VendorOffer } from './types.js';
+export declare class MockMarket implements Market {
+    private readonly book;
+    constructor(book: Record<string, VendorOffer[]>);
+    offersFor(needId: string): VendorOffer[];
+}
+//# sourceMappingURL=market.d.ts.map

package/dist/market.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"market.d.ts","sourceRoot":"","sources":["../src/market.ts"],"names":[],"mappings":"AAAA;;GAEG;AACH,OAAO,KAAK,EAAE,MAAM,EAAE,WAAW,EAAE,MAAM,YAAY,CAAC;AAEtD,qBAAa,UAAW,YAAW,MAAM;IAC3B,OAAO,CAAC,QAAQ,CAAC,IAAI;gBAAJ,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,WAAW,EAAE,CAAC;IAChE,SAAS,CAAC,MAAM,EAAE,MAAM,GAAG,WAAW,EAAE;CAGzC"}

package/dist/market.js

@@ -0,0 +1,10 @@
+export class MockMarket {
+    book;
+    constructor(book) {
+        this.book = book;
+    }
+    offersFor(needId) {
+        return [...(this.book[needId] ?? [])];
+    }
+}
+//# sourceMappingURL=market.js.map

package/dist/market.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"market.js","sourceRoot":"","sources":["../src/market.ts"],"names":[],"mappings":"AAKA,MAAM,OAAO,UAAU;IACQ;IAA7B,YAA6B,IAAmC;QAAnC,SAAI,GAAJ,IAAI,CAA+B;IAAG,CAAC;IACpE,SAAS,CAAC,MAAc;QACtB,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC;IACxC,CAAC;CACF"}

package/dist/procurer.d.ts

@@ -0,0 +1,54 @@
+/**
+ * procurer.ts — The Procurer: first autonomous agent on the Mandate OS.
+ * RFQ across vendors, COMPLIANCE-FILTERED sourcing (a cheaper off-policy
+ * vendor is refused, not bought), tri-state execution through the policy
+ * engine, signed-approval workflow, and a savings report where every claimed
+ * saving resolves to a signed transaction id in the hash-chained audit log.
+ */
+import { type AgentKeys, type AuditLog, type SpendMandate, type VerificationContext } from '@kyaki/core';
+import { type AutonomyLadder, type OrgSpendLedger, type SpendPolicy } from '@kyaki/policy';
+import { type ApprovalInbox, type SignedApproval } from './approvals.js';
+import type { CommittedSpend } from './auditor.js';
+import type { Market, ProcurementNeed, ProcurementOutcome } from './types.js';
+export interface ProcurerConfig {
+    agentKeys: AgentKeys;
+    mandate: SpendMandate;
+    approvalAbove?: number;
+    policy: SpendPolicy;
+    ladder?: AutonomyLadder;
+    orgLedger?: OrgSpendLedger;
+    kernelCtx: VerificationContext;
+    market: Market;
+    approvals: ApprovalInbox;
+    audit?: AuditLog;
+}
+interface PurchaseLine {
+    needId: string;
+    vendor: string;
+    paid: number;
+    baseline: number;
+    txnId: string;
+}
+export declare class ProcurerAgent {
+    private readonly cfg;
+    private purchases;
+    private committed;
+    constructor(cfg: ProcurerConfig);
+    private scope;
+    private complianceFailure;
+    private intentFor;
+    run(needs: ProcurementNeed[]): Promise<ProcurementOutcome[]>;
+    source(need: ProcurementNeed): Promise<ProcurementOutcome>;
+    executeApproved(approvalId: string, approval: SignedApproval): Promise<ProcurementOutcome>;
+    /** The signed {intent, mandate} pairs this agent actually committed — the
+     *  Auditor's input. Surfacing them lets L3 oversight reconcile real output. */
+    committedSpends(): CommittedSpend[];
+    savingsReport(): {
+        lines: PurchaseLine[];
+        totalSaved: number;
+        totalPaid: number;
+        chainValid: boolean;
+    };
+}
+export {};
+//# sourceMappingURL=procurer.d.ts.map

package/dist/procurer.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"procurer.d.ts","sourceRoot":"","sources":["../src/procurer.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AACH,OAAO,EACoB,KAAK,SAAS,EAAE,KAAK,QAAQ,EAAE,KAAK,YAAY,EACjD,KAAK,mBAAmB,EACjD,MAAM,aAAa,CAAC;AACrB,OAAO,EACe,KAAK,cAAc,EAAE,KAAK,cAAc,EAAE,KAAK,WAAW,EAC/E,MAAM,eAAe,CAAC;AACvB,OAAO,EAAkB,KAAK,aAAa,EAAE,KAAK,cAAc,EAAE,MAAM,gBAAgB,CAAC;AACzF,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,cAAc,CAAC;AACnD,OAAO,KAAK,EAAE,MAAM,EAAE,eAAe,EAAE,kBAAkB,EAA6B,MAAM,YAAY,CAAC;AAEzG,MAAM,WAAW,cAAc;IAC7B,SAAS,EAAE,SAAS,CAAC;IACrB,OAAO,EAAE,YAAY,CAAC;IACtB,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,MAAM,EAAE,WAAW,CAAC;IACpB,MAAM,CAAC,EAAE,cAAc,CAAC;IACxB,SAAS,CAAC,EAAE,cAAc,CAAC;IAC3B,SAAS,EAAE,mBAAmB,CAAC;IAC/B,MAAM,EAAE,MAAM,CAAC;IACf,SAAS,EAAE,aAAa,CAAC;IACzB,KAAK,CAAC,EAAE,QAAQ,CAAC;CAClB;AAED,UAAU,YAAY;IACpB,MAAM,EAAE,MAAM,CAAC;IACf,MAAM,EAAE,MAAM,CAAC;IACf,IAAI,EAAE,MAAM,CAAC;IACb,QAAQ,EAAE,MAAM,CAAC;IACjB,KAAK,EAAE,MAAM,CAAC;CACf;AAED,qBAAa,aAAa;IAIZ,OAAO,CAAC,QAAQ,CAAC,GAAG;IAHhC,OAAO,CAAC,SAAS,CAAsB;IACvC,OAAO,CAAC,SAAS,CAAwB;gBAEZ,GAAG,EAAE,cAAc;IAEhD,OAAO,CAAC,KAAK;IAEb,OAAO,CAAC,iBAAiB;IAWzB,OAAO,CAAC,SAAS;IAaX,GAAG,CAAC,KAAK,EAAE,eAAe,EAAE,GAAG,OAAO,CAAC,kBAAkB,EAAE,CAAC;IAM5D,MAAM,CAAC,IAAI,EAAE,eAAe,GAAG,OAAO,CAAC,kBAAkB,CAAC;IA+C1D,eAAe,CAAC,UAAU,EAAE,MAAM,EAAE,QAAQ,EAAE,cAAc,GAAG,OAAO,CAAC,kBAAkB,CAAC;IAoChG;mFAC+E;IAC/E,eAAe,IAAI,cAAc,EAAE;IAInC,aAAa,IAAI;QAAE,KAAK,EAAE,YAAY,EAAE,CAAC;QAAC,UAAU,EAAE,MAAM,CAAC;QAAC,SAAS,EAAE,MAAM,CAAC;QAAC,UAAU,EAAE,OAAO,CAAA;KAAE;CAgBvG"}

package/dist/procurer.js

@@ -0,0 +1,142 @@
+/**
+ * procurer.ts — The Procurer: first autonomous agent on the Mandate OS.
+ * RFQ across vendors, COMPLIANCE-FILTERED sourcing (a cheaper off-policy
+ * vendor is refused, not bought), tri-state execution through the policy
+ * engine, signed-approval workflow, and a savings report where every claimed
+ * saving resolves to a signed transaction id in the hash-chained audit log.
+ */
+import { createTransactionIntent, } from '@kyaki/core';
+import { evaluateWithPolicy, } from '@kyaki/policy';
+import { verifyApproval } from './approvals.js';
+export class ProcurerAgent {
+    cfg;
+    purchases = [];
+    committed = [];
+    constructor(cfg) {
+        this.cfg = cfg;
+    }
+    scope() { return this.cfg.mandate.credentialSubject.scope; }
+    complianceFailure(offer, need) {
+        const scope = this.scope();
+        if (offer.currency !== scope.currency)
+            return 'CURRENCY_MISMATCH';
+        if (scope.merchantAllowlist && scope.merchantAllowlist.length > 0 && !scope.merchantAllowlist.includes(offer.vendor)) {
+            return 'MERCHANT_NOT_ALLOWED';
+        }
+        if (offer.price > scope.maxPerTransaction)
+            return 'AMOUNT_EXCEEDS_PER_TXN_CAP';
+        if (need.maxBudget !== undefined && offer.price > need.maxBudget)
+            return 'OVER_NEED_BUDGET';
+        return null;
+    }
+    intentFor(offer, need) {
+        return createTransactionIntent({
+            agent: this.cfg.agentKeys,
+            mandateId: this.cfg.mandate.id,
+            merchant: offer.vendor,
+            amount: offer.price,
+            currency: offer.currency,
+            ...(need.category ? { category: need.category } : {}),
+            description: need.description,
+            ...(this.cfg.kernelCtx.now ? { now: this.cfg.kernelCtx.now } : {}),
+        });
+    }
+    async run(needs) {
+        const outcomes = [];
+        for (const need of needs)
+            outcomes.push(await this.source(need));
+        return outcomes;
+    }
+    async source(need) {
+        const audit = this.cfg.audit;
+        const offers = [...(await this.cfg.market.offersFor(need.id))].sort((a, b) => a.price - b.price);
+        const compliant = [];
+        const skipped = [];
+        for (const offer of offers) {
+            const failure = this.complianceFailure(offer, need);
+            if (failure === null)
+                compliant.push(offer);
+            else
+                skipped.push({ vendor: offer.vendor, price: offer.price, reason: failure });
+        }
+        if (compliant.length === 0) {
+            audit?.append({ type: 'procurement.refused', needId: need.id, description: need.description, skipped });
+            return { need, status: 'no_compliant_vendor', skippedNonCompliant: skipped };
+        }
+        const best = compliant[0];
+        const baseline = compliant[compliant.length - 1].price;
+        const temptations = skipped.filter((s) => s.price < best.price);
+        const intent = this.intentFor(best, need);
+        const result = await evaluateWithPolicy({
+            policy: this.cfg.policy, mandate: this.cfg.mandate, intent,
+            ...(this.cfg.approvalAbove !== undefined ? { approvalAbove: this.cfg.approvalAbove } : {}),
+            ...(this.cfg.ladder ? { ladder: this.cfg.ladder } : {}),
+            ...(this.cfg.orgLedger ? { orgLedger: this.cfg.orgLedger } : {}),
+            kernelCtx: this.cfg.kernelCtx,
+        });
+        if (result.decision === 'allow') {
+            this.purchases.push({ needId: need.id, vendor: best.vendor, paid: best.price, baseline, txnId: intent.id });
+            this.committed.push({ intent, mandate: this.cfg.mandate });
+            audit?.append({ type: 'procurement.purchased', needId: need.id, vendor: best.vendor, amount: best.price, currency: best.currency, txnId: intent.id });
+            return { need, status: 'purchased', offer: best, txnId: intent.id, ...(temptations.length > 0 ? { skippedNonCompliant: temptations } : {}) };
+        }
+        if (result.decision === 'escalate') {
+            const request = this.cfg.approvals.submit({ intent, mandate: this.cfg.mandate, need, offer: best, reason: result.policy.reasons.join(',') });
+            audit?.append({ type: 'procurement.escalated', needId: need.id, vendor: best.vendor, amount: best.price, approvalId: request.id, intentId: intent.id });
+            return { need, status: 'pending_approval', offer: best, approvalId: request.id, ...(temptations.length > 0 ? { skippedNonCompliant: temptations } : {}) };
+        }
+        audit?.append({ type: 'procurement.deferred', needId: need.id, vendor: best.vendor, amount: best.price, reasons: [...result.kernel.reasons, ...result.policy.reasons] });
+        return { need, status: 'deferred', offer: best, reasons: [...result.kernel.reasons, ...result.policy.reasons] };
+    }
+    async executeApproved(approvalId, approval) {
+        const request = this.cfg.approvals.get(approvalId);
+        if (!request)
+            throw new Error(`No approval request ${approvalId}`);
+        if (!verifyApproval(approval) || approval.intentId !== request.intent.id) {
+            return { need: request.need, status: 'deferred', reasons: ['APPROVAL_SIGNATURE_INVALID'] };
+        }
+        if (!this.cfg.approvals.markExecuted(approvalId)) {
+            return { need: request.need, status: 'deferred', reasons: ['ALREADY_EXECUTED'] };
+        }
+        const result = await evaluateWithPolicy({
+            policy: this.cfg.policy, mandate: this.cfg.mandate, intent: request.intent,
+            ...(this.cfg.approvalAbove !== undefined ? { approvalAbove: this.cfg.approvalAbove } : {}),
+            humanApproval: approval,
+            ...(this.cfg.ladder ? { ladder: this.cfg.ladder } : {}),
+            ...(this.cfg.orgLedger ? { orgLedger: this.cfg.orgLedger } : {}),
+            kernelCtx: this.cfg.kernelCtx,
+        });
+        if (result.decision !== 'allow') {
+            this.cfg.audit?.append({ type: 'approval.execution_denied', approvalId, intentId: request.intent.id, reasons: [...result.kernel.reasons, ...result.policy.reasons] });
+            return { need: request.need, status: 'deferred', offer: request.offer, reasons: [...result.kernel.reasons, ...result.policy.reasons] };
+        }
+        const offers = [...(await this.cfg.market.offersFor(request.need.id))]
+            .filter((o) => this.complianceFailure(o, request.need) === null)
+            .sort((a, b) => a.price - b.price);
+        const baseline = offers.length > 0 ? offers[offers.length - 1].price : request.offer.price;
+        this.purchases.push({ needId: request.need.id, vendor: request.offer.vendor, paid: request.offer.price, baseline, txnId: request.intent.id });
+        this.committed.push({ intent: request.intent, mandate: this.cfg.mandate });
+        this.cfg.audit?.append({ type: 'approval.executed', approvalId, intentId: request.intent.id, approvedBy: approval.approvedBy, approvalSignature: approval.signature, amount: request.offer.price, vendor: request.offer.vendor });
+        return { need: request.need, status: 'purchased', offer: request.offer, txnId: request.intent.id };
+    }
+    /** The signed {intent, mandate} pairs this agent actually committed — the
+     *  Auditor's input. Surfacing them lets L3 oversight reconcile real output. */
+    committedSpends() {
+        return [...this.committed];
+    }
+    savingsReport() {
+        const audit = this.cfg.audit;
+        const chainValid = audit ? audit.verifyChain() : false;
+        const provenTxnIds = new Set((audit?.entries() ?? [])
+            .filter((e) => e.event.type === 'procurement.purchased' || e.event.type === 'approval.executed')
+            .map((e) => e.event.txnId ?? e.event.intentId));
+        const lines = this.purchases.filter((p) => chainValid && provenTxnIds.has(p.txnId));
+        return {
+            lines,
+            totalSaved: lines.reduce((s, l) => s + (l.baseline - l.paid), 0),
+            totalPaid: lines.reduce((s, l) => s + l.paid, 0),
+            chainValid,
+        };
+    }
+}
+//# sourceMappingURL=procurer.js.map

package/dist/procurer.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"procurer.js","sourceRoot":"","sources":["../src/procurer.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AACH,OAAO,EACL,uBAAuB,GAExB,MAAM,aAAa,CAAC;AACrB,OAAO,EACL,kBAAkB,GACnB,MAAM,eAAe,CAAC;AACvB,OAAO,EAAE,cAAc,EAA2C,MAAM,gBAAgB,CAAC;AAyBzF,MAAM,OAAO,aAAa;IAIK;IAHrB,SAAS,GAAmB,EAAE,CAAC;IAC/B,SAAS,GAAqB,EAAE,CAAC;IAEzC,YAA6B,GAAmB;QAAnB,QAAG,GAAH,GAAG,CAAgB;IAAG,CAAC;IAE5C,KAAK,KAAK,OAAO,IAAI,CAAC,GAAG,CAAC,OAAO,CAAC,iBAAiB,CAAC,KAAK,CAAC,CAAC,CAAC;IAE5D,iBAAiB,CAAC,KAAkB,EAAE,IAAqB;QACjE,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,EAAE,CAAC;QAC3B,IAAI,KAAK,CAAC,QAAQ,KAAK,KAAK,CAAC,QAAQ;YAAE,OAAO,mBAAmB,CAAC;QAClE,IAAI,KAAK,CAAC,iBAAiB,IAAI,KAAK,CAAC,iBAAiB,CAAC,MAAM,GAAG,CAAC,IAAI,CAAC,KAAK,CAAC,iBAAiB,CAAC,QAAQ,CAAC,KAAK,CAAC,MAAM,CAAC,EAAE,CAAC;YACrH,OAAO,sBAAsB,CAAC;QAChC,CAAC;QACD,IAAI,KAAK,CAAC,KAAK,GAAG,KAAK,CAAC,iBAAiB;YAAE,OAAO,4BAA4B,CAAC;QAC/E,IAAI,IAAI,CAAC,SAAS,KAAK,SAAS,IAAI,KAAK,CAAC,KAAK,GAAG,IAAI,CAAC,SAAS;YAAE,OAAO,kBAAkB,CAAC;QAC5F,OAAO,IAAI,CAAC;IACd,CAAC;IAEO,SAAS,CAAC,KAAkB,EAAE,IAAqB;QACzD,OAAO,uBAAuB,CAAC;YAC7B,KAAK,EAAE,IAAI,CAAC,GAAG,CAAC,SAAS;YACzB,SAAS,EAAE,IAAI,CAAC,GAAG,CAAC,OAAO,CAAC,EAAE;YAC9B,QAAQ,EAAE,KAAK,CAAC,MAAM;YACtB,MAAM,EAAE,KAAK,CAAC,KAAK;YACnB,QAAQ,EAAE,KAAK,CAAC,QAAQ;YACxB,GAAG,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAC,EAAE,QAAQ,EAAE,IAAI,CAAC,QAAQ,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;YACrD,WAAW,EAAE,IAAI,CAAC,WAAW;YAC7B,GAAG,CAAC,IAAI,CAAC,GAAG,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,GAAG,EAAE,IAAI,CAAC,GAAG,CAAC,SAAS,CAAC,GAAG,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;SACnE,CAAC,CAAC;IACL,CAAC;IAED,KAAK,CAAC,GAAG,CAAC,KAAwB;QAChC,MAAM,QAAQ,GAAyB,EAAE,CAAC;QAC1C,KAAK,MAAM,IAAI,IAAI,KAAK;YAAE,QAAQ,CAAC,IAAI,CAAC,MAAM,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC;QACjE,OAAO,QAAQ,CAAC;IAClB,CAAC;IAED,KAAK,CAAC,MAAM,CAAC,IAAqB;QAChC,MAAM,KAAK,GAAG,IAAI,CAAC,GAAG,CAAC,KAAK,CAAC;QAC7B,MAAM,MAAM,GAAG,CAAC,GAAG,CAAC,MAAM,IAAI,CAAC,GAAG,CAAC,MAAM,CAAC,SAAS,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,KAAK,GAAG,CAAC,CAAC,KAAK,CAAC,CAAC;QAEjG,MAAM,SAAS,GAAkB,EAAE,CAAC;QACpC,MAAM,OAAO,GAAmB,EAAE,CAAC;QACnC,KAAK,MAAM,KAAK,IAAI,MAAM,EAAE,CAAC;YAC3B,MAAM,OAAO,GAAG,IAAI,CAAC,iBAAiB,CAAC,KAAK,EAAE,IAAI,CAAC,CAAC;YACpD,IAAI,OAAO,KAAK,IAAI;gBAAE,SAAS,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;;gBACvC,OAAO,CAAC,IAAI,CAAC,EAAE,MAAM,EAAE,KAAK,CAAC,MAAM,EAAE,KAAK,EAAE,KAAK,CAAC,KAAK,EAAE,MAAM,EAAE,OAAO,EAAE,CAAC,CAAC;QACnF,CAAC;QAED,IAAI,SAAS,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YAC3B,KAAK,EAAE,MAAM,CAAC,EAAE,IAAI,EAAE,qBAAqB,EAAE,MAAM,EAAE,IAAI,CAAC,EAAE,EAAE,WAAW,EAAE,IAAI,CAAC,WAAW,EAAE,OAAO,EAAE,CAAC,CAAC;YACxG,OAAO,EAAE,IAAI,EAAE,MAAM,EAAE,qBAAqB,EAAE,mBAAmB,EAAE,OAAO,EAAE,CAAC;QAC/E,CAAC;QAED,MAAM,IAAI,GAAG,SAAS,CAAC,CAAC,CAAE,CAAC;QAC3B,MAAM,QAAQ,GAAG,SAAS,CAAC,SAAS,CAAC,MAAM,GAAG,CAAC,CAAE,CAAC,KAAK,CAAC;QACxD,MAAM,WAAW,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC;QAEhE,MAAM,MAAM,GAAG,IAAI,CAAC,SAAS,CAAC,IAAI,EAAE,IAAI,CAAC,CAAC;QAC1C,MAAM,MAAM,GAAG,MAAM,kBAAkB,CAAC;YACtC,MAAM,EAAE,IAAI,CAAC,GAAG,CAAC,MAAM,EAAE,OAAO,EAAE,IAAI,CAAC,GAAG,CAAC,OAAO,EAAE,MAAM;YAC1D,GAAG,CAAC,IAAI,CAAC,GAAG,CAAC,aAAa,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,aAAa,EAAE,IAAI,CAAC,GAAG,CAAC,aAAa,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;YAC1F,GAAG,CAAC,IAAI,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,MAAM,EAAE,IAAI,CAAC,GAAG,CAAC,MAAM,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;YACvD,GAAG,CAAC,IAAI,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC,CAAC,EAAE,SAAS,EAAE,IAAI,CAAC,GAAG,CAAC,SAAS,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;YAChE,SAAS,EAAE,IAAI,CAAC,GAAG,CAAC,SAAS;SAC9B,CAAC,CAAC;QAEH,IAAI,MAAM,CAAC,QAAQ,KAAK,OAAO,EAAE,CAAC;YAChC,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,EAAE,MAAM,EAAE,IAAI,CAAC,EAAE,EAAE,MAAM,EAAE,IAAI,CAAC,MAAM,EAAE,IAAI,EAAE,IAAI,CAAC,KAAK,EAAE,QAAQ,EAAE,KAAK,EAAE,MAAM,CAAC,EAAE,EAAE,CAAC,CAAC;YAC5G,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,EAAE,MAAM,EAAE,OAAO,EAAE,IAAI,CAAC,GAAG,CAAC,OAAO,EAAE,CAAC,CAAC;YAC3D,KAAK,EAAE,MAAM,CAAC,EAAE,IAAI,EAAE,uBAAuB,EAAE,MAAM,EAAE,IAAI,CAAC,EAAE,EAAE,MAAM,EAAE,IAAI,CAAC,MAAM,EAAE,MAAM,EAAE,IAAI,CAAC,KAAK,EAAE,QAAQ,EAAE,IAAI,CAAC,QAAQ,EAAE,KAAK,EAAE,MAAM,CAAC,EAAE,EAAE,CAAC,CAAC;YACtJ,OAAO,EAAE,IAAI,EAAE,MAAM,EAAE,WAAW,EAAE,KAAK,EAAE,IAAI,EAAE,KAAK,EAAE,MAAM,CAAC,EAAE,EAAE,GAAG,CAAC,WAAW,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,EAAE,mBAAmB,EAAE,WAAW,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,CAAC;QAC/I,CAAC;QAED,IAAI,MAAM,CAAC,QAAQ,KAAK,UAAU,EAAE,CAAC;YACnC,MAAM,OAAO,GAAG,IAAI,CAAC,GAAG,CAAC,SAAS,CAAC,MAAM,CAAC,EAAE,MAAM,EAAE,OAAO,EAAE,IAAI,CAAC,GAAG,CAAC,OAAO,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,MAAM,EAAE,MAAM,CAAC,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;YAC7I,KAAK,EAAE,MAAM,CAAC,EAAE,IAAI,EAAE,uBAAuB,EAAE,MAAM,EAAE,IAAI,CAAC,EAAE,EAAE,MAAM,EAAE,IAAI,CAAC,MAAM,EAAE,MAAM,EAAE,IAAI,CAAC,KAAK,EAAE,UAAU,EAAE,OAAO,CAAC,EAAE,EAAE,QAAQ,EAAE,MAAM,CAAC,EAAE,EAAE,CAAC,CAAC;YACxJ,OAAO,EAAE,IAAI,EAAE,MAAM,EAAE,kBAAkB,EAAE,KAAK,EAAE,IAAI,EAAE,UAAU,EAAE,OAAO,CAAC,EAAE,EAAE,GAAG,CAAC,WAAW,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,EAAE,mBAAmB,EAAE,WAAW,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,CAAC;QAC5J,CAAC;QAED,KAAK,EAAE,MAAM,CAAC,EAAE,IAAI,EAAE,sBAAsB,EAAE,MAAM,EAAE,IAAI,CAAC,EAAE,EAAE,MAAM,EAAE,IAAI,CAAC,MAAM,EAAE,MAAM,EAAE,IAAI,CAAC,KAAK,EAAE,OAAO,EAAE,CAAC,GAAG,MAAM,CAAC,MAAM,CAAC,OAAO,EAAE,GAAG,MAAM,CAAC,MAAM,CAAC,OAAO,CAAC,EAAE,CAAC,CAAC;QACzK,OAAO,EAAE,IAAI,EAAE,MAAM,EAAE,UAAU,EAAE,KAAK,EAAE,IAAI,EAAE,OAAO,EAAE,CAAC,GAAG,MAAM,CAAC,MAAM,CAAC,OAAO,EAAE,GAAG,MAAM,CAAC,MAAM,CAAC,OAAO,CAAC,EAAE,CAAC;IAClH,CAAC;IAED,KAAK,CAAC,eAAe,CAAC,UAAkB,EAAE,QAAwB;QAChE,MAAM,OAAO,GAAG,IAAI,CAAC,GAAG,CAAC,SAAS,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC;QACnD,IAAI,CAAC,OAAO;YAAE,MAAM,IAAI,KAAK,CAAC,uBAAuB,UAAU,EAAE,CAAC,CAAC;QAEnE,IAAI,CAAC,cAAc,CAAC,QAAQ,CAAC,IAAI,QAAQ,CAAC,QAAQ,KAAK,OAAO,CAAC,MAAM,CAAC,EAAE,EAAE,CAAC;YACzE,OAAO,EAAE,IAAI,EAAE,OAAO,CAAC,IAAI,EAAE,MAAM,EAAE,UAAU,EAAE,OAAO,EAAE,CAAC,4BAA4B,CAAC,EAAE,CAAC;QAC7F,CAAC;QACD,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,SAAS,CAAC,YAAY,CAAC,UAAU,CAAC,EAAE,CAAC;YACjD,OAAO,EAAE,IAAI,EAAE,OAAO,CAAC,IAAI,EAAE,MAAM,EAAE,UAAU,EAAE,OAAO,EAAE,CAAC,kBAAkB,CAAC,EAAE,CAAC;QACnF,CAAC;QAED,MAAM,MAAM,GAAG,MAAM,kBAAkB,CAAC;YACtC,MAAM,EAAE,IAAI,CAAC,GAAG,CAAC,MAAM,EAAE,OAAO,EAAE,IAAI,CAAC,GAAG,CAAC,OAAO,EAAE,MAAM,EAAE,OAAO,CAAC,MAAM;YAC1E,GAAG,CAAC,IAAI,CAAC,GAAG,CAAC,aAAa,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,aAAa,EAAE,IAAI,CAAC,GAAG,CAAC,aAAa,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;YAC1F,aAAa,EAAE,QAAQ;YACvB,GAAG,CAAC,IAAI,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,MAAM,EAAE,IAAI,CAAC,GAAG,CAAC,MAAM,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;YACvD,GAAG,CAAC,IAAI,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC,CAAC,EAAE,SAAS,EAAE,IAAI,CAAC,GAAG,CAAC,SAAS,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;YAChE,SAAS,EAAE,IAAI,CAAC,GAAG,CAAC,SAAS;SAC9B,CAAC,CAAC;QAEH,IAAI,MAAM,CAAC,QAAQ,KAAK,OAAO,EAAE,CAAC;YAChC,IAAI,CAAC,GAAG,CAAC,KAAK,EAAE,MAAM,CAAC,EAAE,IAAI,EAAE,2BAA2B,EAAE,UAAU,EAAE,QAAQ,EAAE,OAAO,CAAC,MAAM,CAAC,EAAE,EAAE,OAAO,EAAE,CAAC,GAAG,MAAM,CAAC,MAAM,CAAC,OAAO,EAAE,GAAG,MAAM,CAAC,MAAM,CAAC,OAAO,CAAC,EAAE,CAAC,CAAC;YACtK,OAAO,EAAE,IAAI,EAAE,OAAO,CAAC,IAAI,EAAE,MAAM,EAAE,UAAU,EAAE,KAAK,EAAE,OAAO,CAAC,KAAK,EAAE,OAAO,EAAE,CAAC,GAAG,MAAM,CAAC,MAAM,CAAC,OAAO,EAAE,GAAG,MAAM,CAAC,MAAM,CAAC,OAAO,CAAC,EAAE,CAAC;QACzI,CAAC;QAED,MAAM,MAAM,GAAG,CAAC,GAAG,CAAC,MAAM,IAAI,CAAC,GAAG,CAAC,MAAM,CAAC,SAAS,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC,CAAC;aACnE,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,IAAI,CAAC,iBAAiB,CAAC,CAAC,EAAE,OAAO,CAAC,IAAI,CAAC,KAAK,IAAI,CAAC;aAC/D,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,KAAK,GAAG,CAAC,CAAC,KAAK,CAAC,CAAC;QACrC,MAAM,QAAQ,GAAG,MAAM,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,MAAM,CAAC,MAAM,GAAG,CAAC,CAAE,CAAC,KAAK,CAAC,CAAC,CAAC,OAAO,CAAC,KAAK,CAAC,KAAK,CAAC;QAE5F,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,EAAE,MAAM,EAAE,OAAO,CAAC,IAAI,CAAC,EAAE,EAAE,MAAM,EAAE,OAAO,CAAC,KAAK,CAAC,MAAM,EAAE,IAAI,EAAE,OAAO,CAAC,KAAK,CAAC,KAAK,EAAE,QAAQ,EAAE,KAAK,EAAE,OAAO,CAAC,MAAM,CAAC,EAAE,EAAE,CAAC,CAAC;QAC9I,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,EAAE,MAAM,EAAE,OAAO,CAAC,MAAM,EAAE,OAAO,EAAE,IAAI,CAAC,GAAG,CAAC,OAAO,EAAE,CAAC,CAAC;QAC3E,IAAI,CAAC,GAAG,CAAC,KAAK,EAAE,MAAM,CAAC,EAAE,IAAI,EAAE,mBAAmB,EAAE,UAAU,EAAE,QAAQ,EAAE,OAAO,CAAC,MAAM,CAAC,EAAE,EAAE,UAAU,EAAE,QAAQ,CAAC,UAAU,EAAE,iBAAiB,EAAE,QAAQ,CAAC,SAAS,EAAE,MAAM,EAAE,OAAO,CAAC,KAAK,CAAC,KAAK,EAAE,MAAM,EAAE,OAAO,CAAC,KAAK,CAAC,MAAM,EAAE,CAAC,CAAC;QAClO,OAAO,EAAE,IAAI,EAAE,OAAO,CAAC,IAAI,EAAE,MAAM,EAAE,WAAW,EAAE,KAAK,EAAE,OAAO,CAAC,KAAK,EAAE,KAAK,EAAE,OAAO,CAAC,MAAM,CAAC,EAAE,EAAE,CAAC;IACrG,CAAC;IAED;mFAC+E;IAC/E,eAAe;QACb,OAAO,CAAC,GAAG,IAAI,CAAC,SAAS,CAAC,CAAC;IAC7B,CAAC;IAED,aAAa;QACX,MAAM,KAAK,GAAG,IAAI,CAAC,GAAG,CAAC,KAAK,CAAC;QAC7B,MAAM,UAAU,GAAG,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,WAAW,EAAE,CAAC,CAAC,CAAC,KAAK,CAAC;QACvD,MAAM,YAAY,GAAG,IAAI,GAAG,CAC1B,CAAC,KAAK,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC;aACrB,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,KAAK,CAAC,IAAI,KAAK,uBAAuB,IAAI,CAAC,CAAC,KAAK,CAAC,IAAI,KAAK,mBAAmB,CAAC;aAC/F,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAE,CAAC,CAAC,KAA+C,CAAC,KAAK,IAAK,CAAC,CAAC,KAA+B,CAAC,QAAQ,CAAC,CACvH,CAAC;QACF,MAAM,KAAK,GAAG,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,UAAU,IAAI,YAAY,CAAC,GAAG,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC;QACpF,OAAO;YACL,KAAK;YACL,UAAU,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,QAAQ,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;YAChE,SAAS,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,GAAG,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC;YAChD,UAAU;SACX,CAAC;IACJ,CAAC;CACF"}

package/dist/steward.d.ts

@@ -0,0 +1,89 @@
+/**
+ * steward.ts — The Steward: KYA's fourth agent, and the only one that acts on
+ * the PRINCIPAL's key.
+ *
+ * Where the Procurer pushes money outward and the Treasurer moves the balance
+ * sheet (both under DELEGATED authority), and the Auditor merely observes, the
+ * Steward GRANTS and REVOKES authority itself. It operationalizes KYA's third
+ * pillar — "authorization, *revocation*, and audit" — the one with no agent
+ * until now. It spends nothing.
+ *
+ * Two motions:
+ *   - issueFor(target) — compile a scoped mandate from org policy (L1
+ *     `compileScope`) and sign it with the principal's key (L0 `issueMandate`),
+ *     so delegations are born from policy-as-code, not by hand.
+ *   - govern(report)   — read the Auditor's verdict (`report.demoted`, the
+ *     provably-misbehaving agents) and REVOKE their mandates in the kernel's
+ *     live revocation registry. The next spend on a revoked mandate is denied
+ *     by the kernel (`MANDATE_REVOKED`). The Auditor adjusts the autonomy TIER;
+ *     the Steward terminates the AUTHORITY. Detect → respond, closed.
+ *
+ * Every issuance and revocation appends to the Steward's own hash-chained
+ * governance log, and `attest()` signs its head — so authority changes are
+ * themselves tamper-evident, exactly like a mandate, an intent, or an audit.
+ */
+import { type AuditLog, type Identity, type RevocationStore, type SpendMandate } from '@kyaki/core';
+import { type SpendPolicy } from '@kyaki/policy';
+import type { AuditReport } from './auditor.js';
+export type AuthorityActionKind = 'issued' | 'revoked' | 'noop';
+export interface AuthorityAction {
+    kind: AuthorityActionKind;
+    agentDid: string;
+    mandateId?: string;
+    reasons: string[];
+    /** Present on `issued` — the freshly signed delegation. */
+    mandate?: SpendMandate;
+}
+export interface GovernanceAttestation {
+    type: 'KyaGovernanceAttestation';
+    steward: string;
+    chainHead: string;
+    at: string;
+    signature: string;
+}
+/** Re-check a governance attestation offline — tampering with the chain head or
+ *  the timestamp invalidates it, exactly like a mandate or an audit. */
+export declare function verifyGovernanceAttestation(att: GovernanceAttestation): boolean;
+export interface StewardConfig {
+    /** The principal's key — issues and revokes delegated authority. */
+    principal: Identity;
+    /** The Steward's own key — signs governance attestations. */
+    stewardKeys: Identity;
+    policy: SpendPolicy;
+    /** The kernel's LIVE revocation registry — must be the same instance the
+     *  agents' VerificationContext consults, or revocation won't bite. */
+    revocations: RevocationStore;
+    /** The Steward's own lifecycle chain; every issue/revoke is anchored here. */
+    governance?: AuditLog;
+    now?: Date;
+}
+export declare class Steward {
+    private readonly cfg;
+    private readonly byAgent;
+    private readonly owner;
+    constructor(cfg: StewardConfig);
+    private now;
+    /** Issue a policy-derived, principal-signed mandate for an agent/role. */
+    issueFor(target: {
+        agentDid: string;
+        role?: string;
+    }, opts?: {
+        validForSeconds?: number;
+    }): AuthorityAction;
+    /** Register an externally-issued mandate so the Steward can later revoke it. */
+    track(mandate: SpendMandate): void;
+    mandatesOf(agentDid: string): string[];
+    isRevoked(mandateId: string): Promise<boolean>;
+    /** Revoke a single mandate in the kernel's live registry, audited. */
+    revoke(mandateId: string, reasons: string[]): Promise<AuthorityAction>;
+    /**
+     * Respond to an audit: revoke the mandates of every agent the Auditor
+     * provably caught (`report.demoted`). The Steward enacts the consequence the
+     * Auditor's demotion only signals. Idempotent — an already-revoked mandate is
+     * a noop, so re-running the same report never double-revokes.
+     */
+    govern(report: Pick<AuditReport, 'demoted' | 'findings'>): Promise<AuthorityAction[]>;
+    /** Sign the governance chain head — the authority-change history, verifiable. */
+    attest(): GovernanceAttestation;
+}
+//# sourceMappingURL=steward.d.ts.map

package/dist/steward.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"steward.d.ts","sourceRoot":"","sources":["../src/steward.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;GAuBG;AACH,OAAO,EAEL,KAAK,QAAQ,EAAE,KAAK,QAAQ,EAAE,KAAK,eAAe,EAAE,KAAK,YAAY,EACtE,MAAM,aAAa,CAAC;AACrB,OAAO,EAAgB,KAAK,WAAW,EAAE,MAAM,eAAe,CAAC;AAC/D,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,cAAc,CAAC;AAIhD,MAAM,MAAM,mBAAmB,GAAG,QAAQ,GAAG,SAAS,GAAG,MAAM,CAAC;AAEhE,MAAM,WAAW,eAAe;IAC9B,IAAI,EAAE,mBAAmB,CAAC;IAC1B,QAAQ,EAAE,MAAM,CAAC;IACjB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,OAAO,EAAE,MAAM,EAAE,CAAC;IAClB,2DAA2D;IAC3D,OAAO,CAAC,EAAE,YAAY,CAAC;CACxB;AAED,MAAM,WAAW,qBAAqB;IACpC,IAAI,EAAE,0BAA0B,CAAC;IACjC,OAAO,EAAE,MAAM,CAAC;IAChB,SAAS,EAAE,MAAM,CAAC;IAClB,EAAE,EAAE,MAAM,CAAC;IACX,SAAS,EAAE,MAAM,CAAC;CACnB;AAED;wEACwE;AACxE,wBAAgB,2BAA2B,CAAC,GAAG,EAAE,qBAAqB,GAAG,OAAO,CAO/E;AAED,MAAM,WAAW,aAAa;IAC5B,oEAAoE;IACpE,SAAS,EAAE,QAAQ,CAAC;IACpB,6DAA6D;IAC7D,WAAW,EAAE,QAAQ,CAAC;IACtB,MAAM,EAAE,WAAW,CAAC;IACpB;0EACsE;IACtE,WAAW,EAAE,eAAe,CAAC;IAC7B,8EAA8E;IAC9E,UAAU,CAAC,EAAE,QAAQ,CAAC;IACtB,GAAG,CAAC,EAAE,IAAI,CAAC;CACZ;AAED,qBAAa,OAAO;IAIN,OAAO,CAAC,QAAQ,CAAC,GAAG;IAHhC,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAkC;IAC1D,OAAO,CAAC,QAAQ,CAAC,KAAK,CAA6B;gBAEtB,GAAG,EAAE,aAAa;IAE/C,OAAO,CAAC,GAAG;IAEX,0EAA0E;IAC1E,QAAQ,CAAC,MAAM,EAAE;QAAE,QAAQ,EAAE,MAAM,CAAC;QAAC,IAAI,CAAC,EAAE,MAAM,CAAA;KAAE,EAAE,IAAI,GAAE;QAAE,eAAe,CAAC,EAAE,MAAM,CAAA;KAAO,GAAG,eAAe;IAkB/G,gFAAgF;IAChF,KAAK,CAAC,OAAO,EAAE,YAAY,GAAG,IAAI;IAQlC,UAAU,CAAC,QAAQ,EAAE,MAAM,GAAG,MAAM,EAAE;IAItC,SAAS,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;IAI9C,sEAAsE;IAChE,MAAM,CAAC,SAAS,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,GAAG,OAAO,CAAC,eAAe,CAAC;IAO5E;;;;;OAKG;IACG,MAAM,CAAC,MAAM,EAAE,IAAI,CAAC,WAAW,EAAE,SAAS,GAAG,UAAU,CAAC,GAAG,OAAO,CAAC,eAAe,EAAE,CAAC;IAoB3F,iFAAiF;IACjF,MAAM,IAAI,qBAAqB;CAWhC"}

package/dist/steward.js

@@ -0,0 +1,121 @@
+/**
+ * steward.ts — The Steward: KYA's fourth agent, and the only one that acts on
+ * the PRINCIPAL's key.
+ *
+ * Where the Procurer pushes money outward and the Treasurer moves the balance
+ * sheet (both under DELEGATED authority), and the Auditor merely observes, the
+ * Steward GRANTS and REVOKES authority itself. It operationalizes KYA's third
+ * pillar — "authorization, *revocation*, and audit" — the one with no agent
+ * until now. It spends nothing.
+ *
+ * Two motions:
+ *   - issueFor(target) — compile a scoped mandate from org policy (L1
+ *     `compileScope`) and sign it with the principal's key (L0 `issueMandate`),
+ *     so delegations are born from policy-as-code, not by hand.
+ *   - govern(report)   — read the Auditor's verdict (`report.demoted`, the
+ *     provably-misbehaving agents) and REVOKE their mandates in the kernel's
+ *     live revocation registry. The next spend on a revoked mandate is denied
+ *     by the kernel (`MANDATE_REVOKED`). The Auditor adjusts the autonomy TIER;
+ *     the Steward terminates the AUTHORITY. Detect → respond, closed.
+ *
+ * Every issuance and revocation appends to the Steward's own hash-chained
+ * governance log, and `attest()` signs its head — so authority changes are
+ * themselves tamper-evident, exactly like a mandate, an intent, or an audit.
+ */
+import { canonicalBytes, fromBase58, issueMandate, publicKeyFromDid, sign, toBase58, verifySignature, } from '@kyaki/core';
+import { compileScope } from '@kyaki/policy';
+const GENESIS = '0'.repeat(64);
+/** Re-check a governance attestation offline — tampering with the chain head or
+ *  the timestamp invalidates it, exactly like a mandate or an audit. */
+export function verifyGovernanceAttestation(att) {
+    try {
+        const { signature, ...doc } = att;
+        return verifySignature(fromBase58(signature), canonicalBytes(doc), publicKeyFromDid(att.steward));
+    }
+    catch {
+        return false;
+    }
+}
+export class Steward {
+    cfg;
+    byAgent = new Map(); // agentDid -> mandateIds
+    owner = new Map(); // mandateId -> agentDid
+    constructor(cfg) {
+        this.cfg = cfg;
+    }
+    now() { return this.cfg.now ?? new Date(); }
+    /** Issue a policy-derived, principal-signed mandate for an agent/role. */
+    issueFor(target, opts = {}) {
+        const compiled = compileScope(this.cfg.policy, {
+            agentDid: target.agentDid, ...(target.role ? { role: target.role } : {}),
+        });
+        const validForSeconds = opts.validForSeconds ?? compiled.validForSeconds;
+        const mandate = issueMandate({
+            principal: this.cfg.principal, agentDid: target.agentDid, scope: compiled.scope,
+            ...(this.cfg.now ? { validFrom: this.cfg.now } : {}),
+            ...(validForSeconds !== undefined ? { validForSeconds } : {}),
+        });
+        this.track(mandate);
+        this.cfg.governance?.append({ type: 'authority.issued', mandateId: mandate.id, agentDid: target.agentDid, ruleId: compiled.ruleId }, this.now());
+        return { kind: 'issued', agentDid: target.agentDid, mandateId: mandate.id, reasons: [compiled.ruleId], mandate };
+    }
+    /** Register an externally-issued mandate so the Steward can later revoke it. */
+    track(mandate) {
+        const agentDid = mandate.credentialSubject.id;
+        this.owner.set(mandate.id, agentDid);
+        const set = this.byAgent.get(agentDid) ?? new Set();
+        set.add(mandate.id);
+        this.byAgent.set(agentDid, set);
+    }
+    mandatesOf(agentDid) {
+        return [...(this.byAgent.get(agentDid) ?? [])];
+    }
+    isRevoked(mandateId) {
+        return this.cfg.revocations.isRevoked(mandateId);
+    }
+    /** Revoke a single mandate in the kernel's live registry, audited. */
+    async revoke(mandateId, reasons) {
+        const agentDid = this.owner.get(mandateId) ?? '—';
+        await this.cfg.revocations.revoke(mandateId);
+        this.cfg.governance?.append({ type: 'authority.revoked', mandateId, agentDid, reasons }, this.now());
+        return { kind: 'revoked', agentDid, mandateId, reasons };
+    }
+    /**
+     * Respond to an audit: revoke the mandates of every agent the Auditor
+     * provably caught (`report.demoted`). The Steward enacts the consequence the
+     * Auditor's demotion only signals. Idempotent — an already-revoked mandate is
+     * a noop, so re-running the same report never double-revokes.
+     */
+    async govern(report) {
+        const actions = [];
+        for (const agentDid of report.demoted) {
+            const reasons = report.findings.filter((f) => f.agentDid === agentDid).map((f) => f.code);
+            const mandateIds = this.mandatesOf(agentDid);
+            if (mandateIds.length === 0) {
+                actions.push({ kind: 'noop', agentDid, reasons: ['NO_TRACKED_MANDATE'] });
+                continue;
+            }
+            for (const mandateId of mandateIds) {
+                if (await this.cfg.revocations.isRevoked(mandateId)) {
+                    actions.push({ kind: 'noop', agentDid, mandateId, reasons: ['ALREADY_REVOKED'] });
+                    continue;
+                }
+                actions.push(await this.revoke(mandateId, reasons.length > 0 ? reasons : ['AGENT_DEMOTED']));
+            }
+        }
+        return actions;
+    }
+    /** Sign the governance chain head — the authority-change history, verifiable. */
+    attest() {
+        const entries = this.cfg.governance?.entries() ?? [];
+        const chainHead = entries.length > 0 ? entries[entries.length - 1].hash : GENESIS;
+        const doc = {
+            type: 'KyaGovernanceAttestation',
+            steward: this.cfg.stewardKeys.did,
+            chainHead,
+            at: this.now().toISOString(),
+        };
+        return { ...doc, signature: toBase58(sign(canonicalBytes(doc), this.cfg.stewardKeys.privateKey)) };
+    }
+}
+//# sourceMappingURL=steward.js.map

package/dist/steward.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"steward.js","sourceRoot":"","sources":["../src/steward.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;GAuBG;AACH,OAAO,EACL,cAAc,EAAE,UAAU,EAAE,YAAY,EAAE,gBAAgB,EAAE,IAAI,EAAE,QAAQ,EAAE,eAAe,GAE5F,MAAM,aAAa,CAAC;AACrB,OAAO,EAAE,YAAY,EAAoB,MAAM,eAAe,CAAC;AAG/D,MAAM,OAAO,GAAG,GAAG,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC;AAqB/B;wEACwE;AACxE,MAAM,UAAU,2BAA2B,CAAC,GAA0B;IACpE,IAAI,CAAC;QACH,MAAM,EAAE,SAAS,EAAE,GAAG,GAAG,EAAE,GAAG,GAAG,CAAC;QAClC,OAAO,eAAe,CAAC,UAAU,CAAC,SAAS,CAAC,EAAE,cAAc,CAAC,GAAG,CAAC,EAAE,gBAAgB,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC;IACpG,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAC;IACf,CAAC;AACH,CAAC;AAgBD,MAAM,OAAO,OAAO;IAIW;IAHZ,OAAO,GAAG,IAAI,GAAG,EAAuB,CAAC,CAAG,yBAAyB;IACrE,KAAK,GAAG,IAAI,GAAG,EAAkB,CAAC,CAAU,wBAAwB;IAErF,YAA6B,GAAkB;QAAlB,QAAG,GAAH,GAAG,CAAe;IAAG,CAAC;IAE3C,GAAG,KAAW,OAAO,IAAI,CAAC,GAAG,CAAC,GAAG,IAAI,IAAI,IAAI,EAAE,CAAC,CAAC,CAAC;IAE1D,0EAA0E;IAC1E,QAAQ,CAAC,MAA2C,EAAE,OAAqC,EAAE;QAC3F,MAAM,QAAQ,GAAG,YAAY,CAAC,IAAI,CAAC,GAAG,CAAC,MAAM,EAAE;YAC7C,QAAQ,EAAE,MAAM,CAAC,QAAQ,EAAE,GAAG,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,IAAI,EAAE,MAAM,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;SACzE,CAAC,CAAC;QACH,MAAM,eAAe,GAAG,IAAI,CAAC,eAAe,IAAI,QAAQ,CAAC,eAAe,CAAC;QACzE,MAAM,OAAO,GAAG,YAAY,CAAC;YAC3B,SAAS,EAAE,IAAI,CAAC,GAAG,CAAC,SAAS,EAAE,QAAQ,EAAE,MAAM,CAAC,QAAQ,EAAE,KAAK,EAAE,QAAQ,CAAC,KAAK;YAC/E,GAAG,CAAC,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,SAAS,EAAE,IAAI,CAAC,GAAG,CAAC,GAAG,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;YACpD,GAAG,CAAC,eAAe,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,eAAe,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;SAC9D,CAAC,CAAC;QACH,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;QACpB,IAAI,CAAC,GAAG,CAAC,UAAU,EAAE,MAAM,CACzB,EAAE,IAAI,EAAE,kBAAkB,EAAE,SAAS,EAAE,OAAO,CAAC,EAAE,EAAE,QAAQ,EAAE,MAAM,CAAC,QAAQ,EAAE,MAAM,EAAE,QAAQ,CAAC,MAAM,EAAE,EACvG,IAAI,CAAC,GAAG,EAAE,CACX,CAAC;QACF,OAAO,EAAE,IAAI,EAAE,QAAQ,EAAE,QAAQ,EAAE,MAAM,CAAC,QAAQ,EAAE,SAAS,EAAE,OAAO,CAAC,EAAE,EAAE,OAAO,EAAE,CAAC,QAAQ,CAAC,MAAM,CAAC,EAAE,OAAO,EAAE,CAAC;IACnH,CAAC;IAED,gFAAgF;IAChF,KAAK,CAAC,OAAqB;QACzB,MAAM,QAAQ,GAAG,OAAO,CAAC,iBAAiB,CAAC,EAAE,CAAC;QAC9C,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,OAAO,CAAC,EAAE,EAAE,QAAQ,CAAC,CAAC;QACrC,MAAM,GAAG,GAAG,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,QAAQ,CAAC,IAAI,IAAI,GAAG,EAAU,CAAC;QAC5D,GAAG,CAAC,GAAG,CAAC,OAAO,CAAC,EAAE,CAAC,CAAC;QACpB,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,QAAQ,EAAE,GAAG,CAAC,CAAC;IAClC,CAAC;IAED,UAAU,CAAC,QAAgB;QACzB,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,QAAQ,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC;IACjD,CAAC;IAED,SAAS,CAAC,SAAiB;QACzB,OAAO,IAAI,CAAC,GAAG,CAAC,WAAW,CAAC,SAAS,CAAC,SAAS,CAAC,CAAC;IACnD,CAAC;IAED,sEAAsE;IACtE,KAAK,CAAC,MAAM,CAAC,SAAiB,EAAE,OAAiB;QAC/C,MAAM,QAAQ,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,SAAS,CAAC,IAAI,GAAG,CAAC;QAClD,MAAM,IAAI,CAAC,GAAG,CAAC,WAAW,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;QAC7C,IAAI,CAAC,GAAG,CAAC,UAAU,EAAE,MAAM,CAAC,EAAE,IAAI,EAAE,mBAAmB,EAAE,SAAS,EAAE,QAAQ,EAAE,OAAO,EAAE,EAAE,IAAI,CAAC,GAAG,EAAE,CAAC,CAAC;QACrG,OAAO,EAAE,IAAI,EAAE,SAAS,EAAE,QAAQ,EAAE,SAAS,EAAE,OAAO,EAAE,CAAC;IAC3D,CAAC;IAED;;;;;OAKG;IACH,KAAK,CAAC,MAAM,CAAC,MAAiD;QAC5D,MAAM,OAAO,GAAsB,EAAE,CAAC;QACtC,KAAK,MAAM,QAAQ,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC;YACtC,MAAM,OAAO,GAAG,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,QAAQ,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC;YAC1F,MAAM,UAAU,GAAG,IAAI,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC;YAC7C,IAAI,UAAU,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;gBAC5B,OAAO,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,QAAQ,EAAE,OAAO,EAAE,CAAC,oBAAoB,CAAC,EAAE,CAAC,CAAC;gBAC1E,SAAS;YACX,CAAC;YACD,KAAK,MAAM,SAAS,IAAI,UAAU,EAAE,CAAC;gBACnC,IAAI,MAAM,IAAI,CAAC,GAAG,CAAC,WAAW,CAAC,SAAS,CAAC,SAAS,CAAC,EAAE,CAAC;oBACpD,OAAO,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,QAAQ,EAAE,SAAS,EAAE,OAAO,EAAE,CAAC,iBAAiB,CAAC,EAAE,CAAC,CAAC;oBAClF,SAAS;gBACX,CAAC;gBACD,OAAO,CAAC,IAAI,CAAC,MAAM,IAAI,CAAC,MAAM,CAAC,SAAS,EAAE,OAAO,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,eAAe,CAAC,CAAC,CAAC,CAAC;YAC/F,CAAC;QACH,CAAC;QACD,OAAO,OAAO,CAAC;IACjB,CAAC;IAED,iFAAiF;IACjF,MAAM;QACJ,MAAM,OAAO,GAAG,IAAI,CAAC,GAAG,CAAC,UAAU,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC;QACrD,MAAM,SAAS,GAAG,OAAO,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,OAAO,CAAC,MAAM,GAAG,CAAC,CAAE,CAAC,IAAI,CAAC,CAAC,CAAC,OAAO,CAAC;QACnF,MAAM,GAAG,GAAG;YACV,IAAI,EAAE,0BAAmC;YACzC,OAAO,EAAE,IAAI,CAAC,GAAG,CAAC,WAAW,CAAC,GAAG;YACjC,SAAS;YACT,EAAE,EAAE,IAAI,CAAC,GAAG,EAAE,CAAC,WAAW,EAAE;SAC7B,CAAC;QACF,OAAO,EAAE,GAAG,GAAG,EAAE,SAAS,EAAE,QAAQ,CAAC,IAAI,CAAC,cAAc,CAAC,GAAG,CAAC,EAAE,IAAI,CAAC,GAAG,CAAC,WAAW,CAAC,UAAU,CAAC,CAAC,EAAE,CAAC;IACrG,CAAC;CACF"}

package/dist/treasury.d.ts

@@ -0,0 +1,134 @@
+import { type AgentKeys, type AuditLog, type Identity, type SpendMandate, type TransactionIntent, type VerificationContext } from '@kyaki/core';
+import { type AutonomyLadder, type OrgSpendLedger, type SpendPolicy } from '@kyaki/policy';
+import { type SignedApproval } from './approvals.js';
+export type AccountType = 'operating' | 'reserve' | 'yield';
+export interface Account {
+    id: string;
+    currency: string;
+    balance: number;
+    type: AccountType;
+    /** Operating accounts keep at least this much; the excess is sweepable. */
+    minBuffer?: number;
+}
+export interface Obligation {
+    id: string;
+    payee: string;
+    category: string;
+    amount: number;
+    currency: string;
+    /** Epoch ms. Funded only once `dueAt <= now`. */
+    dueAt: number;
+}
+export interface FXProvider {
+    /** Units of `to` per one unit of `from`. */
+    rate(from: string, to: string): number;
+}
+/** A deterministic FX desk for demos and tests. */
+export declare class StaticFX implements FXProvider {
+    private readonly table;
+    constructor(table: Record<string, number>);
+    rate(from: string, to: string): number;
+}
+export type ActionKind = 'obligation_payment' | 'fx_conversion' | 'liquidity_sweep';
+export type ActionStatus = 'committed' | 'pending_approval' | 'denied' | 'skipped';
+export interface TreasuryAction {
+    kind: ActionKind;
+    status: ActionStatus;
+    accountId: string;
+    payee: string;
+    category: string;
+    /** Amount actually moved, in the SOURCE account's (held) currency. */
+    amount: number;
+    currency: string;
+    obligationId?: string;
+    intentId?: string;
+    approvalId?: string;
+    reasons?: string[];
+}
+export interface CashPosition {
+    baseCurrency: string;
+    byCurrency: Record<string, number>;
+    totalInBase: number;
+    nearTermObligationsInBase: number;
+    netLiquidityInBase: number;
+}
+export type MovementStatus = 'pending' | 'approved' | 'executing' | 'executed' | 'rejected' | 'failed';
+export interface PendingMovement {
+    id: string;
+    intent: TransactionIntent;
+    mandate: SpendMandate;
+    kind: ActionKind;
+    accountId: string;
+    payee: string;
+    category: string;
+    amount: number;
+    currency: string;
+    obligationId?: string;
+    reason: string;
+    submittedAt: string;
+    status: MovementStatus;
+    decidedBy?: string;
+    decidedAt?: string;
+    failureReasons?: string[];
+}
+export declare class TreasuryApprovalInbox {
+    private movements;
+    submit(input: Omit<PendingMovement, 'id' | 'submittedAt' | 'status'>): PendingMovement;
+    get(id: string): PendingMovement | undefined;
+    pending(): PendingMovement[];
+    all(): PendingMovement[];
+    /** The CFO countersigns a parked movement with their own key. */
+    approve(id: string, approver: Identity): SignedApproval;
+    reject(id: string, approver: Identity): PendingMovement;
+    /** Atomic exactly-once gate: 'approved' -> 'executing'. True iff WE won. */
+    claimExecution(id: string): boolean;
+    confirmExecuted(id: string): void;
+    /** Transient deny: stays retryable. */
+    revertToApproved(id: string, reasons: string[]): void;
+    /** Security failure: terminal AND visible. */
+    markFailed(id: string, reasons: string[]): void;
+}
+export interface TreasurerConfig {
+    agentKeys: AgentKeys;
+    mandate: SpendMandate;
+    policy: SpendPolicy;
+    accounts: Account[];
+    fx: FXProvider;
+    baseCurrency: string;
+    approvalAbove?: number;
+    ladder?: AutonomyLadder;
+    orgLedger?: OrgSpendLedger;
+    kernelCtx: VerificationContext;
+    approvals: TreasuryApprovalInbox;
+    audit?: AuditLog;
+}
+export declare class Treasurer {
+    private readonly cfg;
+    private readonly accounts;
+    constructor(cfg: TreasurerConfig);
+    account(id: string): Account | undefined;
+    /** The signed {intent, mandate} pairs this agent committed — Auditor input. */
+    committedSpends(): {
+        intent: TransactionIntent;
+        mandate: SpendMandate;
+    }[];
+    private committed;
+    private operatingFor;
+    private intentFor;
+    /**
+     * The shared movement pipeline. Balance is debited ONLY on a committed
+     * allow. On escalate the movement parks (nothing debited); on deny it
+     * aborts (nothing debited). evaluateWithPolicy handles the org-exposure
+     * reserve/release and the atomic kernel commit internally.
+     */
+    private execute;
+    /** Fund a single obligation, routing through FX if we don't hold its currency. */
+    private fundObligation;
+    /** A full treasury cycle: pay due obligations FIRST, then sweep idle cash. */
+    runCycle(obligations: Obligation[], now?: Date): Promise<TreasuryAction[]>;
+    /** Finalize an escalated movement with a signed CFO approval (two-phase). */
+    applyApproval(approvalId: string, approval: SignedApproval): Promise<TreasuryAction>;
+    /** Multi-currency cash position, converted to base, net of near-term obligations. */
+    cashPosition(obligations: Obligation[], horizonMs?: number, now?: Date): CashPosition;
+}
+//# sourceMappingURL=treasury.d.ts.map

package/dist/treasury.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"treasury.d.ts","sourceRoot":"","sources":["../src/treasury.ts"],"names":[],"mappings":"AAyBA,OAAO,EAEL,KAAK,SAAS,EACd,KAAK,QAAQ,EACb,KAAK,QAAQ,EACb,KAAK,YAAY,EACjB,KAAK,iBAAiB,EACtB,KAAK,mBAAmB,EACzB,MAAM,aAAa,CAAC;AACrB,OAAO,EAGL,KAAK,cAAc,EACnB,KAAK,cAAc,EACnB,KAAK,WAAW,EACjB,MAAM,eAAe,CAAC;AACvB,OAAO,EAAgC,KAAK,cAAc,EAAE,MAAM,gBAAgB,CAAC;AAInF,MAAM,MAAM,WAAW,GAAG,WAAW,GAAG,SAAS,GAAG,OAAO,CAAC;AAE5D,MAAM,WAAW,OAAO;IACtB,EAAE,EAAE,MAAM,CAAC;IACX,QAAQ,EAAE,MAAM,CAAC;IACjB,OAAO,EAAE,MAAM,CAAC;IAChB,IAAI,EAAE,WAAW,CAAC;IAClB,2EAA2E;IAC3E,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB;AAED,MAAM,WAAW,UAAU;IACzB,EAAE,EAAE,MAAM,CAAC;IACX,KAAK,EAAE,MAAM,CAAC;IACd,QAAQ,EAAE,MAAM,CAAC;IACjB,MAAM,EAAE,MAAM,CAAC;IACf,QAAQ,EAAE,MAAM,CAAC;IACjB,iDAAiD;IACjD,KAAK,EAAE,MAAM,CAAC;CACf;AAED,MAAM,WAAW,UAAU;IACzB,4CAA4C;IAC5C,IAAI,CAAC,IAAI,EAAE,MAAM,EAAE,EAAE,EAAE,MAAM,GAAG,MAAM,CAAC;CACxC;AAED,mDAAmD;AACnD,qBAAa,QAAS,YAAW,UAAU;IAC7B,OAAO,CAAC,QAAQ,CAAC,KAAK;gBAAL,KAAK,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC;IAC1D,IAAI,CAAC,IAAI,EAAE,MAAM,EAAE,EAAE,EAAE,MAAM,GAAG,MAAM;CAQvC;AAeD,MAAM,MAAM,UAAU,GAAG,oBAAoB,GAAG,eAAe,GAAG,iBAAiB,CAAC;AACpF,MAAM,MAAM,YAAY,GAAG,WAAW,GAAG,kBAAkB,GAAG,QAAQ,GAAG,SAAS,CAAC;AAEnF,MAAM,WAAW,cAAc;IAC7B,IAAI,EAAE,UAAU,CAAC;IACjB,MAAM,EAAE,YAAY,CAAC;IACrB,SAAS,EAAE,MAAM,CAAC;IAClB,KAAK,EAAE,MAAM,CAAC;IACd,QAAQ,EAAE,MAAM,CAAC;IACjB,sEAAsE;IACtE,MAAM,EAAE,MAAM,CAAC;IACf,QAAQ,EAAE,MAAM,CAAC;IACjB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,OAAO,CAAC,EAAE,MAAM,EAAE,CAAC;CACpB;AAED,MAAM,WAAW,YAAY;IAC3B,YAAY,EAAE,MAAM,CAAC;IACrB,UAAU,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IACnC,WAAW,EAAE,MAAM,CAAC;IACpB,yBAAyB,EAAE,MAAM,CAAC;IAClC,kBAAkB,EAAE,MAAM,CAAC;CAC5B;AAID,MAAM,MAAM,cAAc,GACtB,SAAS,GAAG,UAAU,GAAG,WAAW,GAAG,UAAU,GAAG,UAAU,GAAG,QAAQ,CAAC;AAE9E,MAAM,WAAW,eAAe;IAC9B,EAAE,EAAE,MAAM,CAAC;IACX,MAAM,EAAE,iBAAiB,CAAC;IAC1B,OAAO,EAAE,YAAY,CAAC;IACtB,IAAI,EAAE,UAAU,CAAC;IACjB,SAAS,EAAE,MAAM,CAAC;IAClB,KAAK,EAAE,MAAM,CAAC;IACd,QAAQ,EAAE,MAAM,CAAC;IACjB,MAAM,EAAE,MAAM,CAAC;IACf,QAAQ,EAAE,MAAM,CAAC;IACjB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,MAAM,EAAE,MAAM,CAAC;IACf,WAAW,EAAE,MAAM,CAAC;IACpB,MAAM,EAAE,cAAc,CAAC;IACvB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,cAAc,CAAC,EAAE,MAAM,EAAE,CAAC;CAC3B;AAED,qBAAa,qBAAqB;IAChC,OAAO,CAAC,SAAS,CAAsC;IAEvD,MAAM,CAAC,KAAK,EAAE,IAAI,CAAC,eAAe,EAAE,IAAI,GAAG,aAAa,GAAG,QAAQ,CAAC,GAAG,eAAe;IAWtF,GAAG,CAAC,EAAE,EAAE,MAAM,GAAG,eAAe,GAAG,SAAS;IAC5C,OAAO,IAAI,eAAe,EAAE;IAC5B,GAAG,IAAI,eAAe,EAAE;IAExB,iEAAiE;IACjE,OAAO,CAAC,EAAE,EAAE,MAAM,EAAE,QAAQ,EAAE,QAAQ,GAAG,cAAc;IAWvD,MAAM,CAAC,EAAE,EAAE,MAAM,EAAE,QAAQ,EAAE,QAAQ,GAAG,eAAe;IAUvD,4EAA4E;IAC5E,cAAc,CAAC,EAAE,EAAE,MAAM,GAAG,OAAO;IAMnC,eAAe,CAAC,EAAE,EAAE,MAAM,GAAG,IAAI;IAIjC,uCAAuC;IACvC,gBAAgB,CAAC,EAAE,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,GAAG,IAAI;IAIrD,8CAA8C;IAC9C,UAAU,CAAC,EAAE,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,GAAG,IAAI;CAIhD;AAID,MAAM,WAAW,eAAe;IAC9B,SAAS,EAAE,SAAS,CAAC;IACrB,OAAO,EAAE,YAAY,CAAC;IACtB,MAAM,EAAE,WAAW,CAAC;IACpB,QAAQ,EAAE,OAAO,EAAE,CAAC;IACpB,EAAE,EAAE,UAAU,CAAC;IACf,YAAY,EAAE,MAAM,CAAC;IACrB,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,MAAM,CAAC,EAAE,cAAc,CAAC;IACxB,SAAS,CAAC,EAAE,cAAc,CAAC;IAC3B,SAAS,EAAE,mBAAmB,CAAC;IAC/B,SAAS,EAAE,qBAAqB,CAAC;IACjC,KAAK,CAAC,EAAE,QAAQ,CAAC;CAClB;AAED,qBAAa,SAAS;IAGR,OAAO,CAAC,QAAQ,CAAC,GAAG;IAFhC,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAuB;gBAEnB,GAAG,EAAE,eAAe;IAIjD,OAAO,CAAC,EAAE,EAAE,MAAM,GAAG,OAAO,GAAG,SAAS;IAKxC,+EAA+E;IAC/E,eAAe,IAAI;QAAE,MAAM,EAAE,iBAAiB,CAAC;QAAC,OAAO,EAAE,YAAY,CAAA;KAAE,EAAE;IAGzE,OAAO,CAAC,SAAS,CAA8D;IAE/E,OAAO,CAAC,YAAY;IAIpB,OAAO,CAAC,SAAS;IAajB;;;;;OAKG;YACW,OAAO;IA6DrB,kFAAkF;YACpE,cAAc;IA+B5B,8EAA8E;IACxE,QAAQ,CAAC,WAAW,EAAE,UAAU,EAAE,EAAE,GAAG,CAAC,EAAE,IAAI,GAAG,OAAO,CAAC,cAAc,EAAE,CAAC;IAqBhF,6EAA6E;IACvE,aAAa,CAAC,UAAU,EAAE,MAAM,EAAE,QAAQ,EAAE,cAAc,GAAG,OAAO,CAAC,cAAc,CAAC;IAwD1F,qFAAqF;IACrF,YAAY,CAAC,WAAW,EAAE,UAAU,EAAE,EAAE,SAAS,SAAwB,EAAE,GAAG,CAAC,EAAE,IAAI,GAAG,YAAY;CAgBrG"}