npm - @middag-io/licensing - Versions diffs - 0.1.0 - Mend

@middag-io/licensing 0.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (17) hide show

package/README.md +72 -0
package/dist/build/index.d.ts +47 -0
package/dist/build/index.d.ts.map +1 -0
package/dist/build/index.js +113 -0
package/dist/build/index.js.map +1 -0
package/dist/client/index.d.ts +74 -0
package/dist/client/index.d.ts.map +1 -0
package/dist/client/index.js +912 -0
package/dist/client/index.js.map +1 -0
package/dist/contract/index.d.ts +138 -0
package/dist/contract/index.d.ts.map +1 -0
package/dist/contract/index.js +33 -0
package/dist/contract/index.js.map +1 -0
package/dist/index.d.ts +9 -0
package/dist/index.d.ts.map +1 -0
package/dist/index.js +2 -0
package/package.json +48 -0

package/dist/client/index.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"index.js","names":["decodeBase64URL","jwk.isJWK","jwk.isSecretJWK","invalidKeyInput","jwk.isPrivateJWK","jwk.isPublicJWK","b64u"],"sources":["../../node_modules/jose/dist/webapi/lib/buffer_utils.js","../../node_modules/jose/dist/webapi/lib/base64.js","../../node_modules/jose/dist/webapi/util/base64url.js","../../node_modules/jose/dist/webapi/lib/crypto_key.js","../../node_modules/jose/dist/webapi/lib/invalid_key_input.js","../../node_modules/jose/dist/webapi/util/errors.js","../../node_modules/jose/dist/webapi/lib/is_key_like.js","../../node_modules/jose/dist/webapi/lib/helpers.js","../../node_modules/jose/dist/webapi/lib/type_checks.js","../../node_modules/jose/dist/webapi/lib/signing.js","../../node_modules/jose/dist/webapi/lib/jwk_to_key.js","../../node_modules/jose/dist/webapi/lib/normalize_key.js","../../node_modules/jose/dist/webapi/key/import.js","../../node_modules/jose/dist/webapi/lib/validate_crit.js","../../node_modules/jose/dist/webapi/lib/validate_algorithms.js","../../node_modules/jose/dist/webapi/lib/check_key_type.js","../../node_modules/jose/dist/webapi/jws/flattened/verify.js","../../node_modules/jose/dist/webapi/jws/compact/verify.js","../../src/client/index.ts"],"sourcesContent":["export const encoder = new TextEncoder();\nexport const decoder = new TextDecoder();\nconst MAX_INT32 = 2 ** 32;\nexport function concat(...buffers) {\n const size = buffers.reduce((acc, { length }) => acc + length, 0);\n const buf = new Uint8Array(size);\n let i = 0;\n for (const buffer of buffers) {\n buf.set(buffer, i);\n i += buffer.length;\n }\n return buf;\n}\nfunction writeUInt32BE(buf, value, offset) {\n if (value < 0 || value >= MAX_INT32) {\n throw new RangeError(`value must be >= 0 and <= ${MAX_INT32 - 1}. Received ${value}`);\n }\n buf.set([value >>> 24, value >>> 16, value >>> 8, value & 0xff], offset);\n}\nexport function uint64be(value) {\n const high = Math.floor(value / MAX_INT32);\n const low = value % MAX_INT32;\n const buf = new Uint8Array(8);\n writeUInt32BE(buf, high, 0);\n writeUInt32BE(buf, low, 4);\n return buf;\n}\nexport function uint32be(value) {\n const buf = new Uint8Array(4);\n writeUInt32BE(buf, value);\n return buf;\n}\nexport function encode(string) {\n const bytes = new Uint8Array(string.length);\n for (let i = 0; i < string.length; i++) {\n const code = string.charCodeAt(i);\n if (code > 127) {\n throw new TypeError('non-ASCII string encountered in encode()');\n }\n bytes[i] = code;\n }\n return bytes;\n}\n","export function encodeBase64(input) {\n if (Uint8Array.prototype.toBase64) {\n return input.toBase64();\n }\n const CHUNK_SIZE = 0x8000;\n const arr = [];\n for (let i = 0; i < input.length; i += CHUNK_SIZE) {\n arr.push(String.fromCharCode.apply(null, input.subarray(i, i + CHUNK_SIZE)));\n }\n return btoa(arr.join(''));\n}\nexport function decodeBase64(encoded) {\n if (Uint8Array.fromBase64) {\n return Uint8Array.fromBase64(encoded);\n }\n const binary = atob(encoded);\n const bytes = new Uint8Array(binary.length);\n for (let i = 0; i < binary.length; i++) {\n bytes[i] = binary.charCodeAt(i);\n }\n return bytes;\n}\n","import { encoder, decoder } from '../lib/buffer_utils.js';\nimport { encodeBase64, decodeBase64 } from '../lib/base64.js';\nexport function decode(input) {\n if (Uint8Array.fromBase64) {\n return Uint8Array.fromBase64(typeof input === 'string' ? input : decoder.decode(input), {\n alphabet: 'base64url',\n });\n }\n let encoded = input;\n if (encoded instanceof Uint8Array) {\n encoded = decoder.decode(encoded);\n }\n encoded = encoded.replace(/-/g, '+').replace(/_/g, '/');\n try {\n return decodeBase64(encoded);\n }\n catch {\n throw new TypeError('The input to be decoded is not correctly encoded.');\n }\n}\nexport function encode(input) {\n let unencoded = input;\n if (typeof unencoded === 'string') {\n unencoded = encoder.encode(unencoded);\n }\n if (Uint8Array.prototype.toBase64) {\n return unencoded.toBase64({ alphabet: 'base64url', omitPadding: true });\n }\n return encodeBase64(unencoded).replace(/=/g, '').replace(/\\+/g, '-').replace(/\\//g, '_');\n}\n","const unusable = (name, prop = 'algorithm.name') => new TypeError(`CryptoKey does not support this operation, its ${prop} must be ${name}`);\nconst isAlgorithm = (algorithm, name) => algorithm.name === name;\nfunction getHashLength(hash) {\n return parseInt(hash.name.slice(4), 10);\n}\nfunction checkHashLength(algorithm, expected) {\n const actual = getHashLength(algorithm.hash);\n if (actual !== expected)\n throw unusable(`SHA-${expected}`, 'algorithm.hash');\n}\nfunction getNamedCurve(alg) {\n switch (alg) {\n case 'ES256':\n return 'P-256';\n case 'ES384':\n return 'P-384';\n case 'ES512':\n return 'P-521';\n default:\n throw new Error('unreachable');\n }\n}\nfunction checkUsage(key, usage) {\n if (usage && !key.usages.includes(usage)) {\n throw new TypeError(`CryptoKey does not support this operation, its usages must include ${usage}.`);\n }\n}\nexport function checkSigCryptoKey(key, alg, usage) {\n switch (alg) {\n case 'HS256':\n case 'HS384':\n case 'HS512': {\n if (!isAlgorithm(key.algorithm, 'HMAC'))\n throw unusable('HMAC');\n checkHashLength(key.algorithm, parseInt(alg.slice(2), 10));\n break;\n }\n case 'RS256':\n case 'RS384':\n case 'RS512': {\n if (!isAlgorithm(key.algorithm, 'RSASSA-PKCS1-v1_5'))\n throw unusable('RSASSA-PKCS1-v1_5');\n checkHashLength(key.algorithm, parseInt(alg.slice(2), 10));\n break;\n }\n case 'PS256':\n case 'PS384':\n case 'PS512': {\n if (!isAlgorithm(key.algorithm, 'RSA-PSS'))\n throw unusable('RSA-PSS');\n checkHashLength(key.algorithm, parseInt(alg.slice(2), 10));\n break;\n }\n case 'Ed25519':\n case 'EdDSA': {\n if (!isAlgorithm(key.algorithm, 'Ed25519'))\n throw unusable('Ed25519');\n break;\n }\n case 'ML-DSA-44':\n case 'ML-DSA-65':\n case 'ML-DSA-87': {\n if (!isAlgorithm(key.algorithm, alg))\n throw unusable(alg);\n break;\n }\n case 'ES256':\n case 'ES384':\n case 'ES512': {\n if (!isAlgorithm(key.algorithm, 'ECDSA'))\n throw unusable('ECDSA');\n const expected = getNamedCurve(alg);\n const actual = key.algorithm.namedCurve;\n if (actual !== expected)\n throw unusable(expected, 'algorithm.namedCurve');\n break;\n }\n default:\n throw new TypeError('CryptoKey does not support this operation');\n }\n checkUsage(key, usage);\n}\nexport function checkEncCryptoKey(key, alg, usage) {\n switch (alg) {\n case 'A128GCM':\n case 'A192GCM':\n case 'A256GCM': {\n if (!isAlgorithm(key.algorithm, 'AES-GCM'))\n throw unusable('AES-GCM');\n const expected = parseInt(alg.slice(1, 4), 10);\n const actual = key.algorithm.length;\n if (actual !== expected)\n throw unusable(expected, 'algorithm.length');\n break;\n }\n case 'A128KW':\n case 'A192KW':\n case 'A256KW': {\n if (!isAlgorithm(key.algorithm, 'AES-KW'))\n throw unusable('AES-KW');\n const expected = parseInt(alg.slice(1, 4), 10);\n const actual = key.algorithm.length;\n if (actual !== expected)\n throw unusable(expected, 'algorithm.length');\n break;\n }\n case 'ECDH': {\n switch (key.algorithm.name) {\n case 'ECDH':\n case 'X25519':\n break;\n default:\n throw unusable('ECDH or X25519');\n }\n break;\n }\n case 'PBES2-HS256+A128KW':\n case 'PBES2-HS384+A192KW':\n case 'PBES2-HS512+A256KW':\n if (!isAlgorithm(key.algorithm, 'PBKDF2'))\n throw unusable('PBKDF2');\n break;\n case 'RSA-OAEP':\n case 'RSA-OAEP-256':\n case 'RSA-OAEP-384':\n case 'RSA-OAEP-512': {\n if (!isAlgorithm(key.algorithm, 'RSA-OAEP'))\n throw unusable('RSA-OAEP');\n checkHashLength(key.algorithm, parseInt(alg.slice(9), 10) || 1);\n break;\n }\n default:\n throw new TypeError('CryptoKey does not support this operation');\n }\n checkUsage(key, usage);\n}\n","function message(msg, actual, ...types) {\n types = types.filter(Boolean);\n if (types.length > 2) {\n const last = types.pop();\n msg += `one of type ${types.join(', ')}, or ${last}.`;\n }\n else if (types.length === 2) {\n msg += `one of type ${types[0]} or ${types[1]}.`;\n }\n else {\n msg += `of type ${types[0]}.`;\n }\n if (actual == null) {\n msg += ` Received ${actual}`;\n }\n else if (typeof actual === 'function' && actual.name) {\n msg += ` Received function ${actual.name}`;\n }\n else if (typeof actual === 'object' && actual != null) {\n if (actual.constructor?.name) {\n msg += ` Received an instance of ${actual.constructor.name}`;\n }\n }\n return msg;\n}\nexport const invalidKeyInput = (actual, ...types) => message('Key must be ', actual, ...types);\nexport const withAlg = (alg, actual, ...types) => message(`Key for the ${alg} algorithm must be `, actual, ...types);\n","export class JOSEError extends Error {\n static code = 'ERR_JOSE_GENERIC';\n code = 'ERR_JOSE_GENERIC';\n constructor(message, options) {\n super(message, options);\n this.name = this.constructor.name;\n Error.captureStackTrace?.(this, this.constructor);\n }\n}\nexport class JWTClaimValidationFailed extends JOSEError {\n static code = 'ERR_JWT_CLAIM_VALIDATION_FAILED';\n code = 'ERR_JWT_CLAIM_VALIDATION_FAILED';\n claim;\n reason;\n payload;\n constructor(message, payload, claim = 'unspecified', reason = 'unspecified') {\n super(message, { cause: { claim, reason, payload } });\n this.claim = claim;\n this.reason = reason;\n this.payload = payload;\n }\n}\nexport class JWTExpired extends JOSEError {\n static code = 'ERR_JWT_EXPIRED';\n code = 'ERR_JWT_EXPIRED';\n claim;\n reason;\n payload;\n constructor(message, payload, claim = 'unspecified', reason = 'unspecified') {\n super(message, { cause: { claim, reason, payload } });\n this.claim = claim;\n this.reason = reason;\n this.payload = payload;\n }\n}\nexport class JOSEAlgNotAllowed extends JOSEError {\n static code = 'ERR_JOSE_ALG_NOT_ALLOWED';\n code = 'ERR_JOSE_ALG_NOT_ALLOWED';\n}\nexport class JOSENotSupported extends JOSEError {\n static code = 'ERR_JOSE_NOT_SUPPORTED';\n code = 'ERR_JOSE_NOT_SUPPORTED';\n}\nexport class JWEDecryptionFailed extends JOSEError {\n static code = 'ERR_JWE_DECRYPTION_FAILED';\n code = 'ERR_JWE_DECRYPTION_FAILED';\n constructor(message = 'decryption operation failed', options) {\n super(message, options);\n }\n}\nexport class JWEInvalid extends JOSEError {\n static code = 'ERR_JWE_INVALID';\n code = 'ERR_JWE_INVALID';\n}\nexport class JWSInvalid extends JOSEError {\n static code = 'ERR_JWS_INVALID';\n code = 'ERR_JWS_INVALID';\n}\nexport class JWTInvalid extends JOSEError {\n static code = 'ERR_JWT_INVALID';\n code = 'ERR_JWT_INVALID';\n}\nexport class JWKInvalid extends JOSEError {\n static code = 'ERR_JWK_INVALID';\n code = 'ERR_JWK_INVALID';\n}\nexport class JWKSInvalid extends JOSEError {\n static code = 'ERR_JWKS_INVALID';\n code = 'ERR_JWKS_INVALID';\n}\nexport class JWKSNoMatchingKey extends JOSEError {\n static code = 'ERR_JWKS_NO_MATCHING_KEY';\n code = 'ERR_JWKS_NO_MATCHING_KEY';\n constructor(message = 'no applicable key found in the JSON Web Key Set', options) {\n super(message, options);\n }\n}\nexport class JWKSMultipleMatchingKeys extends JOSEError {\n [Symbol.asyncIterator];\n static code = 'ERR_JWKS_MULTIPLE_MATCHING_KEYS';\n code = 'ERR_JWKS_MULTIPLE_MATCHING_KEYS';\n constructor(message = 'multiple matching keys found in the JSON Web Key Set', options) {\n super(message, options);\n }\n}\nexport class JWKSTimeout extends JOSEError {\n static code = 'ERR_JWKS_TIMEOUT';\n code = 'ERR_JWKS_TIMEOUT';\n constructor(message = 'request timed out', options) {\n super(message, options);\n }\n}\nexport class JWSSignatureVerificationFailed extends JOSEError {\n static code = 'ERR_JWS_SIGNATURE_VERIFICATION_FAILED';\n code = 'ERR_JWS_SIGNATURE_VERIFICATION_FAILED';\n constructor(message = 'signature verification failed', options) {\n super(message, options);\n }\n}\n","export function assertCryptoKey(key) {\n if (!isCryptoKey(key)) {\n throw new Error('CryptoKey instance expected');\n }\n}\nexport const isCryptoKey = (key) => {\n if (key?.[Symbol.toStringTag] === 'CryptoKey')\n return true;\n try {\n return key instanceof CryptoKey;\n }\n catch {\n return false;\n }\n};\nexport const isKeyObject = (key) => key?.[Symbol.toStringTag] === 'KeyObject';\nexport const isKeyLike = (key) => isCryptoKey(key) || isKeyObject(key);\n","import { decode } from '../util/base64url.js';\nexport const unprotected = Symbol();\nexport function assertNotSet(value, name) {\n if (value) {\n throw new TypeError(`${name} can only be called once`);\n }\n}\nexport function decodeBase64url(value, label, ErrorClass) {\n try {\n return decode(value);\n }\n catch {\n throw new ErrorClass(`Failed to base64url decode the ${label}`);\n }\n}\nexport async function digest(algorithm, data) {\n const subtleDigest = `SHA-${algorithm.slice(-3)}`;\n return new Uint8Array(await crypto.subtle.digest(subtleDigest, data));\n}\n","const isObjectLike = (value) => typeof value === 'object' && value !== null;\nexport function isObject(input) {\n if (!isObjectLike(input) || Object.prototype.toString.call(input) !== '[object Object]') {\n return false;\n }\n if (Object.getPrototypeOf(input) === null) {\n return true;\n }\n let proto = input;\n while (Object.getPrototypeOf(proto) !== null) {\n proto = Object.getPrototypeOf(proto);\n }\n return Object.getPrototypeOf(input) === proto;\n}\nexport function isDisjoint(...headers) {\n const sources = headers.filter(Boolean);\n if (sources.length === 0 || sources.length === 1) {\n return true;\n }\n let acc;\n for (const header of sources) {\n const parameters = Object.keys(header);\n if (!acc || acc.size === 0) {\n acc = new Set(parameters);\n continue;\n }\n for (const parameter of parameters) {\n if (acc.has(parameter)) {\n return false;\n }\n acc.add(parameter);\n }\n }\n return true;\n}\nexport const isJWK = (key) => isObject(key) && typeof key.kty === 'string';\nexport const isPrivateJWK = (key) => key.kty !== 'oct' &&\n ((key.kty === 'AKP' && typeof key.priv === 'string') || typeof key.d === 'string');\nexport const isPublicJWK = (key) => key.kty !== 'oct' && key.d === undefined && key.priv === undefined;\nexport const isSecretJWK = (key) => key.kty === 'oct' && typeof key.k === 'string';\n","import { JOSENotSupported } from '../util/errors.js';\nimport { checkSigCryptoKey } from './crypto_key.js';\nimport { invalidKeyInput } from './invalid_key_input.js';\nexport function checkKeyLength(alg, key) {\n if (alg.startsWith('RS') || alg.startsWith('PS')) {\n const { modulusLength } = key.algorithm;\n if (typeof modulusLength !== 'number' || modulusLength < 2048) {\n throw new TypeError(`${alg} requires key modulusLength to be 2048 bits or larger`);\n }\n }\n}\nfunction subtleAlgorithm(alg, algorithm) {\n const hash = `SHA-${alg.slice(-3)}`;\n switch (alg) {\n case 'HS256':\n case 'HS384':\n case 'HS512':\n return { hash, name: 'HMAC' };\n case 'PS256':\n case 'PS384':\n case 'PS512':\n return { hash, name: 'RSA-PSS', saltLength: parseInt(alg.slice(-3), 10) >> 3 };\n case 'RS256':\n case 'RS384':\n case 'RS512':\n return { hash, name: 'RSASSA-PKCS1-v1_5' };\n case 'ES256':\n case 'ES384':\n case 'ES512':\n return { hash, name: 'ECDSA', namedCurve: algorithm.namedCurve };\n case 'Ed25519':\n case 'EdDSA':\n return { name: 'Ed25519' };\n case 'ML-DSA-44':\n case 'ML-DSA-65':\n case 'ML-DSA-87':\n return { name: alg };\n default:\n throw new JOSENotSupported(`alg ${alg} is not supported either by JOSE or your javascript runtime`);\n }\n}\nasync function getSigKey(alg, key, usage) {\n if (key instanceof Uint8Array) {\n if (!alg.startsWith('HS')) {\n throw new TypeError(invalidKeyInput(key, 'CryptoKey', 'KeyObject', 'JSON Web Key'));\n }\n return crypto.subtle.importKey('raw', key, { hash: `SHA-${alg.slice(-3)}`, name: 'HMAC' }, false, [usage]);\n }\n checkSigCryptoKey(key, alg, usage);\n return key;\n}\nexport async function sign(alg, key, data) {\n const cryptoKey = await getSigKey(alg, key, 'sign');\n checkKeyLength(alg, cryptoKey);\n const signature = await crypto.subtle.sign(subtleAlgorithm(alg, cryptoKey.algorithm), cryptoKey, data);\n return new Uint8Array(signature);\n}\nexport async function verify(alg, key, signature, data) {\n const cryptoKey = await getSigKey(alg, key, 'verify');\n checkKeyLength(alg, cryptoKey);\n const algorithm = subtleAlgorithm(alg, cryptoKey.algorithm);\n try {\n return await crypto.subtle.verify(algorithm, cryptoKey, signature, data);\n }\n catch {\n return false;\n }\n}\n","import { JOSENotSupported } from '../util/errors.js';\nconst unsupportedAlg = 'Invalid or unsupported JWK \"alg\" (Algorithm) Parameter value';\nfunction subtleMapping(jwk) {\n let algorithm;\n let keyUsages;\n switch (jwk.kty) {\n case 'AKP': {\n switch (jwk.alg) {\n case 'ML-DSA-44':\n case 'ML-DSA-65':\n case 'ML-DSA-87':\n algorithm = { name: jwk.alg };\n keyUsages = jwk.priv ? ['sign'] : ['verify'];\n break;\n default:\n throw new JOSENotSupported(unsupportedAlg);\n }\n break;\n }\n case 'RSA': {\n switch (jwk.alg) {\n case 'PS256':\n case 'PS384':\n case 'PS512':\n algorithm = { name: 'RSA-PSS', hash: `SHA-${jwk.alg.slice(-3)}` };\n keyUsages = jwk.d ? ['sign'] : ['verify'];\n break;\n case 'RS256':\n case 'RS384':\n case 'RS512':\n algorithm = { name: 'RSASSA-PKCS1-v1_5', hash: `SHA-${jwk.alg.slice(-3)}` };\n keyUsages = jwk.d ? ['sign'] : ['verify'];\n break;\n case 'RSA-OAEP':\n case 'RSA-OAEP-256':\n case 'RSA-OAEP-384':\n case 'RSA-OAEP-512':\n algorithm = {\n name: 'RSA-OAEP',\n hash: `SHA-${parseInt(jwk.alg.slice(-3), 10) || 1}`,\n };\n keyUsages = jwk.d ? ['decrypt', 'unwrapKey'] : ['encrypt', 'wrapKey'];\n break;\n default:\n throw new JOSENotSupported(unsupportedAlg);\n }\n break;\n }\n case 'EC': {\n switch (jwk.alg) {\n case 'ES256':\n case 'ES384':\n case 'ES512':\n algorithm = {\n name: 'ECDSA',\n namedCurve: { ES256: 'P-256', ES384: 'P-384', ES512: 'P-521' }[jwk.alg],\n };\n keyUsages = jwk.d ? ['sign'] : ['verify'];\n break;\n case 'ECDH-ES':\n case 'ECDH-ES+A128KW':\n case 'ECDH-ES+A192KW':\n case 'ECDH-ES+A256KW':\n algorithm = { name: 'ECDH', namedCurve: jwk.crv };\n keyUsages = jwk.d ? ['deriveBits'] : [];\n break;\n default:\n throw new JOSENotSupported(unsupportedAlg);\n }\n break;\n }\n case 'OKP': {\n switch (jwk.alg) {\n case 'Ed25519':\n case 'EdDSA':\n algorithm = { name: 'Ed25519' };\n keyUsages = jwk.d ? ['sign'] : ['verify'];\n break;\n case 'ECDH-ES':\n case 'ECDH-ES+A128KW':\n case 'ECDH-ES+A192KW':\n case 'ECDH-ES+A256KW':\n algorithm = { name: jwk.crv };\n keyUsages = jwk.d ? ['deriveBits'] : [];\n break;\n default:\n throw new JOSENotSupported(unsupportedAlg);\n }\n break;\n }\n default:\n throw new JOSENotSupported('Invalid or unsupported JWK \"kty\" (Key Type) Parameter value');\n }\n return { algorithm, keyUsages };\n}\nexport async function jwkToKey(jwk) {\n if (!jwk.alg) {\n throw new TypeError('\"alg\" argument is required when \"jwk.alg\" is not present');\n }\n const { algorithm, keyUsages } = subtleMapping(jwk);\n const keyData = { ...jwk };\n if (keyData.kty !== 'AKP') {\n delete keyData.alg;\n }\n delete keyData.use;\n return crypto.subtle.importKey('jwk', keyData, algorithm, jwk.ext ?? (jwk.d || jwk.priv ? false : true), jwk.key_ops ?? keyUsages);\n}\n","import { isJWK } from './type_checks.js';\nimport { decode } from '../util/base64url.js';\nimport { jwkToKey } from './jwk_to_key.js';\nimport { isCryptoKey, isKeyObject } from './is_key_like.js';\nconst unusableForAlg = 'given KeyObject instance cannot be used for this algorithm';\nlet cache;\nconst handleJWK = async (key, jwk, alg, freeze = false) => {\n cache ||= new WeakMap();\n let cached = cache.get(key);\n if (cached?.[alg]) {\n return cached[alg];\n }\n const cryptoKey = await jwkToKey({ ...jwk, alg });\n if (freeze)\n Object.freeze(key);\n if (!cached) {\n cache.set(key, { [alg]: cryptoKey });\n }\n else {\n cached[alg] = cryptoKey;\n }\n return cryptoKey;\n};\nconst handleKeyObject = (keyObject, alg) => {\n cache ||= new WeakMap();\n let cached = cache.get(keyObject);\n if (cached?.[alg]) {\n return cached[alg];\n }\n const isPublic = keyObject.type === 'public';\n const extractable = isPublic ? true : false;\n let cryptoKey;\n if (keyObject.asymmetricKeyType === 'x25519') {\n switch (alg) {\n case 'ECDH-ES':\n case 'ECDH-ES+A128KW':\n case 'ECDH-ES+A192KW':\n case 'ECDH-ES+A256KW':\n break;\n default:\n throw new TypeError(unusableForAlg);\n }\n cryptoKey = keyObject.toCryptoKey(keyObject.asymmetricKeyType, extractable, isPublic ? [] : ['deriveBits']);\n }\n if (keyObject.asymmetricKeyType === 'ed25519') {\n if (alg !== 'EdDSA' && alg !== 'Ed25519') {\n throw new TypeError(unusableForAlg);\n }\n cryptoKey = keyObject.toCryptoKey(keyObject.asymmetricKeyType, extractable, [\n isPublic ? 'verify' : 'sign',\n ]);\n }\n switch (keyObject.asymmetricKeyType) {\n case 'ml-dsa-44':\n case 'ml-dsa-65':\n case 'ml-dsa-87': {\n if (alg !== keyObject.asymmetricKeyType.toUpperCase()) {\n throw new TypeError(unusableForAlg);\n }\n cryptoKey = keyObject.toCryptoKey(keyObject.asymmetricKeyType, extractable, [\n isPublic ? 'verify' : 'sign',\n ]);\n }\n }\n if (keyObject.asymmetricKeyType === 'rsa') {\n let hash;\n switch (alg) {\n case 'RSA-OAEP':\n hash = 'SHA-1';\n break;\n case 'RS256':\n case 'PS256':\n case 'RSA-OAEP-256':\n hash = 'SHA-256';\n break;\n case 'RS384':\n case 'PS384':\n case 'RSA-OAEP-384':\n hash = 'SHA-384';\n break;\n case 'RS512':\n case 'PS512':\n case 'RSA-OAEP-512':\n hash = 'SHA-512';\n break;\n default:\n throw new TypeError(unusableForAlg);\n }\n if (alg.startsWith('RSA-OAEP')) {\n return keyObject.toCryptoKey({\n name: 'RSA-OAEP',\n hash,\n }, extractable, isPublic ? ['encrypt'] : ['decrypt']);\n }\n cryptoKey = keyObject.toCryptoKey({\n name: alg.startsWith('PS') ? 'RSA-PSS' : 'RSASSA-PKCS1-v1_5',\n hash,\n }, extractable, [isPublic ? 'verify' : 'sign']);\n }\n if (keyObject.asymmetricKeyType === 'ec') {\n const nist = new Map([\n ['prime256v1', 'P-256'],\n ['secp384r1', 'P-384'],\n ['secp521r1', 'P-521'],\n ]);\n const namedCurve = nist.get(keyObject.asymmetricKeyDetails?.namedCurve);\n if (!namedCurve) {\n throw new TypeError(unusableForAlg);\n }\n const expectedCurve = { ES256: 'P-256', ES384: 'P-384', ES512: 'P-521' };\n if (expectedCurve[alg] && namedCurve === expectedCurve[alg]) {\n cryptoKey = keyObject.toCryptoKey({\n name: 'ECDSA',\n namedCurve,\n }, extractable, [isPublic ? 'verify' : 'sign']);\n }\n if (alg.startsWith('ECDH-ES')) {\n cryptoKey = keyObject.toCryptoKey({\n name: 'ECDH',\n namedCurve,\n }, extractable, isPublic ? [] : ['deriveBits']);\n }\n }\n if (!cryptoKey) {\n throw new TypeError(unusableForAlg);\n }\n if (!cached) {\n cache.set(keyObject, { [alg]: cryptoKey });\n }\n else {\n cached[alg] = cryptoKey;\n }\n return cryptoKey;\n};\nexport async function normalizeKey(key, alg) {\n if (key instanceof Uint8Array) {\n return key;\n }\n if (isCryptoKey(key)) {\n return key;\n }\n if (isKeyObject(key)) {\n if (key.type === 'secret') {\n return key.export();\n }\n if ('toCryptoKey' in key && typeof key.toCryptoKey === 'function') {\n try {\n return handleKeyObject(key, alg);\n }\n catch (err) {\n if (err instanceof TypeError) {\n throw err;\n }\n }\n }\n let jwk = key.export({ format: 'jwk' });\n return handleJWK(key, jwk, alg);\n }\n if (isJWK(key)) {\n if (key.k) {\n return decode(key.k);\n }\n return handleJWK(key, key, alg, true);\n }\n throw new Error('unreachable');\n}\n","import { decode as decodeBase64URL } from '../util/base64url.js';\nimport { fromSPKI, fromPKCS8, fromX509 } from '../lib/asn1.js';\nimport { jwkToKey } from '../lib/jwk_to_key.js';\nimport { JOSENotSupported } from '../util/errors.js';\nimport { isObject } from '../lib/type_checks.js';\nexport async function importSPKI(spki, alg, options) {\n if (typeof spki !== 'string' || spki.indexOf('-----BEGIN PUBLIC KEY-----') !== 0) {\n throw new TypeError('\"spki\" must be SPKI formatted string');\n }\n return fromSPKI(spki, alg, options);\n}\nexport async function importX509(x509, alg, options) {\n if (typeof x509 !== 'string' || x509.indexOf('-----BEGIN CERTIFICATE-----') !== 0) {\n throw new TypeError('\"x509\" must be X.509 formatted string');\n }\n return fromX509(x509, alg, options);\n}\nexport async function importPKCS8(pkcs8, alg, options) {\n if (typeof pkcs8 !== 'string' || pkcs8.indexOf('-----BEGIN PRIVATE KEY-----') !== 0) {\n throw new TypeError('\"pkcs8\" must be PKCS#8 formatted string');\n }\n return fromPKCS8(pkcs8, alg, options);\n}\nexport async function importJWK(jwk, alg, options) {\n if (!isObject(jwk)) {\n throw new TypeError('JWK must be an object');\n }\n let ext;\n alg ??= jwk.alg;\n ext ??= options?.extractable ?? jwk.ext;\n switch (jwk.kty) {\n case 'oct':\n if (typeof jwk.k !== 'string' || !jwk.k) {\n throw new TypeError('missing \"k\" (Key Value) Parameter value');\n }\n return decodeBase64URL(jwk.k);\n case 'RSA':\n if ('oth' in jwk && jwk.oth !== undefined) {\n throw new JOSENotSupported('RSA JWK \"oth\" (Other Primes Info) Parameter value is not supported');\n }\n return jwkToKey({ ...jwk, alg, ext });\n case 'AKP': {\n if (typeof jwk.alg !== 'string' || !jwk.alg) {\n throw new TypeError('missing \"alg\" (Algorithm) Parameter value');\n }\n if (alg !== undefined && alg !== jwk.alg) {\n throw new TypeError('JWK alg and alg option value mismatch');\n }\n return jwkToKey({ ...jwk, ext });\n }\n case 'EC':\n case 'OKP':\n return jwkToKey({ ...jwk, alg, ext });\n default:\n throw new JOSENotSupported('Unsupported \"kty\" (Key Type) Parameter value');\n }\n}\n","import { JOSENotSupported, JWEInvalid, JWSInvalid } from '../util/errors.js';\nexport function validateCrit(Err, recognizedDefault, recognizedOption, protectedHeader, joseHeader) {\n if (joseHeader.crit !== undefined && protectedHeader?.crit === undefined) {\n throw new Err('\"crit\" (Critical) Header Parameter MUST be integrity protected');\n }\n if (!protectedHeader || protectedHeader.crit === undefined) {\n return new Set();\n }\n if (!Array.isArray(protectedHeader.crit) ||\n protectedHeader.crit.length === 0 ||\n protectedHeader.crit.some((input) => typeof input !== 'string' || input.length === 0)) {\n throw new Err('\"crit\" (Critical) Header Parameter MUST be an array of non-empty strings when present');\n }\n let recognized;\n if (recognizedOption !== undefined) {\n recognized = new Map([...Object.entries(recognizedOption), ...recognizedDefault.entries()]);\n }\n else {\n recognized = recognizedDefault;\n }\n for (const parameter of protectedHeader.crit) {\n if (!recognized.has(parameter)) {\n throw new JOSENotSupported(`Extension Header Parameter \"${parameter}\" is not recognized`);\n }\n if (joseHeader[parameter] === undefined) {\n throw new Err(`Extension Header Parameter \"${parameter}\" is missing`);\n }\n if (recognized.get(parameter) && protectedHeader[parameter] === undefined) {\n throw new Err(`Extension Header Parameter \"${parameter}\" MUST be integrity protected`);\n }\n }\n return new Set(protectedHeader.crit);\n}\n","export function validateAlgorithms(option, algorithms) {\n if (algorithms !== undefined &&\n (!Array.isArray(algorithms) || algorithms.some((s) => typeof s !== 'string'))) {\n throw new TypeError(`\"${option}\" option must be an array of strings`);\n }\n if (!algorithms) {\n return undefined;\n }\n return new Set(algorithms);\n}\n","import { withAlg as invalidKeyInput } from './invalid_key_input.js';\nimport { isKeyLike } from './is_key_like.js';\nimport * as jwk from './type_checks.js';\nconst tag = (key) => key?.[Symbol.toStringTag];\nconst jwkMatchesOp = (alg, key, usage) => {\n if (key.use !== undefined) {\n let expected;\n switch (usage) {\n case 'sign':\n case 'verify':\n expected = 'sig';\n break;\n case 'encrypt':\n case 'decrypt':\n expected = 'enc';\n break;\n }\n if (key.use !== expected) {\n throw new TypeError(`Invalid key for this operation, its \"use\" must be \"${expected}\" when present`);\n }\n }\n if (key.alg !== undefined && key.alg !== alg) {\n throw new TypeError(`Invalid key for this operation, its \"alg\" must be \"${alg}\" when present`);\n }\n if (Array.isArray(key.key_ops)) {\n let expectedKeyOp;\n switch (true) {\n case usage === 'sign' || usage === 'verify':\n case alg === 'dir':\n case alg.includes('CBC-HS'):\n expectedKeyOp = usage;\n break;\n case alg.startsWith('PBES2'):\n expectedKeyOp = 'deriveBits';\n break;\n case /^A\\d{3}(?:GCM)?(?:KW)?$/.test(alg):\n if (!alg.includes('GCM') && alg.endsWith('KW')) {\n expectedKeyOp = usage === 'encrypt' ? 'wrapKey' : 'unwrapKey';\n }\n else {\n expectedKeyOp = usage;\n }\n break;\n case usage === 'encrypt' && alg.startsWith('RSA'):\n expectedKeyOp = 'wrapKey';\n break;\n case usage === 'decrypt':\n expectedKeyOp = alg.startsWith('RSA') ? 'unwrapKey' : 'deriveBits';\n break;\n }\n if (expectedKeyOp && key.key_ops?.includes?.(expectedKeyOp) === false) {\n throw new TypeError(`Invalid key for this operation, its \"key_ops\" must include \"${expectedKeyOp}\" when present`);\n }\n }\n return true;\n};\nconst symmetricTypeCheck = (alg, key, usage) => {\n if (key instanceof Uint8Array)\n return;\n if (jwk.isJWK(key)) {\n if (jwk.isSecretJWK(key) && jwkMatchesOp(alg, key, usage))\n return;\n throw new TypeError(`JSON Web Key for symmetric algorithms must have JWK \"kty\" (Key Type) equal to \"oct\" and the JWK \"k\" (Key Value) present`);\n }\n if (!isKeyLike(key)) {\n throw new TypeError(invalidKeyInput(alg, key, 'CryptoKey', 'KeyObject', 'JSON Web Key', 'Uint8Array'));\n }\n if (key.type !== 'secret') {\n throw new TypeError(`${tag(key)} instances for symmetric algorithms must be of type \"secret\"`);\n }\n};\nconst asymmetricTypeCheck = (alg, key, usage) => {\n if (jwk.isJWK(key)) {\n switch (usage) {\n case 'decrypt':\n case 'sign':\n if (jwk.isPrivateJWK(key) && jwkMatchesOp(alg, key, usage))\n return;\n throw new TypeError(`JSON Web Key for this operation must be a private JWK`);\n case 'encrypt':\n case 'verify':\n if (jwk.isPublicJWK(key) && jwkMatchesOp(alg, key, usage))\n return;\n throw new TypeError(`JSON Web Key for this operation must be a public JWK`);\n }\n }\n if (!isKeyLike(key)) {\n throw new TypeError(invalidKeyInput(alg, key, 'CryptoKey', 'KeyObject', 'JSON Web Key'));\n }\n if (key.type === 'secret') {\n throw new TypeError(`${tag(key)} instances for asymmetric algorithms must not be of type \"secret\"`);\n }\n if (key.type === 'public') {\n switch (usage) {\n case 'sign':\n throw new TypeError(`${tag(key)} instances for asymmetric algorithm signing must be of type \"private\"`);\n case 'decrypt':\n throw new TypeError(`${tag(key)} instances for asymmetric algorithm decryption must be of type \"private\"`);\n }\n }\n if (key.type === 'private') {\n switch (usage) {\n case 'verify':\n throw new TypeError(`${tag(key)} instances for asymmetric algorithm verifying must be of type \"public\"`);\n case 'encrypt':\n throw new TypeError(`${tag(key)} instances for asymmetric algorithm encryption must be of type \"public\"`);\n }\n }\n};\nexport function checkKeyType(alg, key, usage) {\n switch (alg.substring(0, 2)) {\n case 'A1':\n case 'A2':\n case 'di':\n case 'HS':\n case 'PB':\n symmetricTypeCheck(alg, key, usage);\n break;\n default:\n asymmetricTypeCheck(alg, key, usage);\n }\n}\n","import { decode as b64u } from '../../util/base64url.js';\nimport { verify } from '../../lib/signing.js';\nimport { JOSEAlgNotAllowed, JWSInvalid, JWSSignatureVerificationFailed } from '../../util/errors.js';\nimport { concat, encoder, decoder, encode } from '../../lib/buffer_utils.js';\nimport { decodeBase64url } from '../../lib/helpers.js';\nimport { isDisjoint } from '../../lib/type_checks.js';\nimport { isObject } from '../../lib/type_checks.js';\nimport { checkKeyType } from '../../lib/check_key_type.js';\nimport { validateCrit } from '../../lib/validate_crit.js';\nimport { validateAlgorithms } from '../../lib/validate_algorithms.js';\nimport { normalizeKey } from '../../lib/normalize_key.js';\nexport async function flattenedVerify(jws, key, options) {\n if (!isObject(jws)) {\n throw new JWSInvalid('Flattened JWS must be an object');\n }\n if (jws.protected === undefined && jws.header === undefined) {\n throw new JWSInvalid('Flattened JWS must have either of the \"protected\" or \"header\" members');\n }\n if (jws.protected !== undefined && typeof jws.protected !== 'string') {\n throw new JWSInvalid('JWS Protected Header incorrect type');\n }\n if (jws.payload === undefined) {\n throw new JWSInvalid('JWS Payload missing');\n }\n if (typeof jws.signature !== 'string') {\n throw new JWSInvalid('JWS Signature missing or incorrect type');\n }\n if (jws.header !== undefined && !isObject(jws.header)) {\n throw new JWSInvalid('JWS Unprotected Header incorrect type');\n }\n let parsedProt = {};\n if (jws.protected) {\n try {\n const protectedHeader = b64u(jws.protected);\n parsedProt = JSON.parse(decoder.decode(protectedHeader));\n }\n catch {\n throw new JWSInvalid('JWS Protected Header is invalid');\n }\n }\n if (!isDisjoint(parsedProt, jws.header)) {\n throw new JWSInvalid('JWS Protected and JWS Unprotected Header Parameter names must be disjoint');\n }\n const joseHeader = {\n ...parsedProt,\n ...jws.header,\n };\n const extensions = validateCrit(JWSInvalid, new Map([['b64', true]]), options?.crit, parsedProt, joseHeader);\n let b64 = true;\n if (extensions.has('b64')) {\n b64 = parsedProt.b64;\n if (typeof b64 !== 'boolean') {\n throw new JWSInvalid('The \"b64\" (base64url-encode payload) Header Parameter must be a boolean');\n }\n }\n const { alg } = joseHeader;\n if (typeof alg !== 'string' || !alg) {\n throw new JWSInvalid('JWS \"alg\" (Algorithm) Header Parameter missing or invalid');\n }\n const algorithms = options && validateAlgorithms('algorithms', options.algorithms);\n if (algorithms && !algorithms.has(alg)) {\n throw new JOSEAlgNotAllowed('\"alg\" (Algorithm) Header Parameter value not allowed');\n }\n if (b64) {\n if (typeof jws.payload !== 'string') {\n throw new JWSInvalid('JWS Payload must be a string');\n }\n }\n else if (typeof jws.payload !== 'string' && !(jws.payload instanceof Uint8Array)) {\n throw new JWSInvalid('JWS Payload must be a string or an Uint8Array instance');\n }\n let resolvedKey = false;\n if (typeof key === 'function') {\n key = await key(parsedProt, jws);\n resolvedKey = true;\n }\n checkKeyType(alg, key, 'verify');\n const data = concat(jws.protected !== undefined ? encode(jws.protected) : new Uint8Array(), encode('.'), typeof jws.payload === 'string'\n ? b64\n ? encode(jws.payload)\n : encoder.encode(jws.payload)\n : jws.payload);\n const signature = decodeBase64url(jws.signature, 'signature', JWSInvalid);\n const k = await normalizeKey(key, alg);\n const verified = await verify(alg, k, signature, data);\n if (!verified) {\n throw new JWSSignatureVerificationFailed();\n }\n let payload;\n if (b64) {\n payload = decodeBase64url(jws.payload, 'payload', JWSInvalid);\n }\n else if (typeof jws.payload === 'string') {\n payload = encoder.encode(jws.payload);\n }\n else {\n payload = jws.payload;\n }\n const result = { payload };\n if (jws.protected !== undefined) {\n result.protectedHeader = parsedProt;\n }\n if (jws.header !== undefined) {\n result.unprotectedHeader = jws.header;\n }\n if (resolvedKey) {\n return { ...result, key: k };\n }\n return result;\n}\n","import { flattenedVerify } from '../flattened/verify.js';\nimport { JWSInvalid } from '../../util/errors.js';\nimport { decoder } from '../../lib/buffer_utils.js';\nexport async function compactVerify(jws, key, options) {\n if (jws instanceof Uint8Array) {\n jws = decoder.decode(jws);\n }\n if (typeof jws !== 'string') {\n throw new JWSInvalid('Compact JWS must be a string or Uint8Array');\n }\n const { 0: protectedHeader, 1: payload, 2: signature, length } = jws.split('.');\n if (length !== 3) {\n throw new JWSInvalid('Invalid Compact JWS');\n }\n const verified = await flattenedVerify({ payload, protected: protectedHeader, signature }, key, options);\n const result = { payload: verified.payload, protectedHeader: verified.protectedHeader };\n if (typeof key === 'function') {\n return { ...result, key: verified.key };\n }\n return result;\n}\n","/**\n * Runtime loader for @middag-io/licensing.\n *\n * Runs inside the consuming host (Moodle, WordPress, ...). The browser never\n * calls the worker's HMAC-protected `/v1/protected/manifest` endpoint — the\n * PHP host bridge does that, persists the `ManifestResponse`, and serves it\n * to the browser at `manifest_url` (per ADR-012 §\"Server-side host bridge\").\n *\n * This loader:\n *\n * 1. Fetches the manifest JSON from the host-served URL (or via a caller-\n * supplied `fetchManifest` for embedded use cases).\n * 2. Verifies the JWS signature against the worker's JWKS endpoint\n * `${workerOrigin}/api/protected/jwks` (cached in-memory per kid).\n * 3. Validates the decoded payload against the bootstrap context\n * (`install_id`, `host_origin`, `host_type`, `product`, `contract_version`)\n * so a manifest swapped between installs is rejected client-side.\n * 4. Loads a requested module by fetching its CDN URL, recomputing the\n * SRI hash against the bytes, and dynamic-importing from a Blob URL.\n * Native `import()` does not yet take an integrity attribute, so we\n * compute SRI ourselves before handing the bytes to the JS engine.\n */\n\nimport { compactVerify, importJWK, type JWK } from \"jose\";\nimport {\n CONTRACT_VERSION,\n type AuthorizedManifest,\n type HostType,\n type ManifestResponse,\n} from \"../contract/index.js\";\n\nexport interface CreateLicensingClientOptions {\n hostType: HostType;\n hostOrigin: string;\n product: string;\n installId: string;\n /**\n * Worker base origin used to fetch the JWKS, e.g.\n * `https://licensing.middag.io`. Required unless `jwks` is supplied.\n */\n workerOrigin?: string;\n /**\n * Static JWKS document (escape hatch for tests / pre-fetched keys).\n * When supplied, the loader skips the network fetch.\n */\n jwks?: { keys: JWK[] };\n /**\n * Manifest URL served by the host (PHP bridge). The body must be the\n * JSON shape worker returns from POST /v1/protected/manifest.\n */\n manifestUrl?: string;\n /** Caller-supplied manifest fetcher; overrides `manifestUrl` when given. */\n fetchManifest?: () => Promise<ManifestResponse>;\n /**\n * Fetch implementation override. Defaults to `globalThis.fetch`. Tests\n * can pass a mock here; SSR contexts can pass a polyfill.\n */\n fetch?: typeof fetch;\n /**\n * Clock skew tolerance in seconds when checking `bundle_expires_at`.\n * Defaults to 60s.\n */\n clockSkewSeconds?: number;\n}\n\nexport interface LicensingClient {\n readonly manifest: AuthorizedManifest;\n readonly response: ManifestResponse;\n has(moduleName: string): boolean;\n loadModule<T = unknown>(moduleName: string): Promise<T>;\n refresh(): Promise<AuthorizedManifest>;\n}\n\ninterface JwksDocument {\n keys: JWK[];\n}\n\nconst JWKS_PATH = \"/api/protected/jwks\";\n\nclass JwksCache {\n private byKid = new Map<string, CryptoKey>();\n constructor(\n private readonly fetcher: typeof fetch,\n private readonly endpoint: string | undefined,\n private readonly staticDoc?: JwksDocument,\n ) {}\n\n async resolve(kid: string): Promise<CryptoKey> {\n const cached = this.byKid.get(kid);\n if (cached) return cached;\n\n const doc = await this.loadDocument();\n const jwk = doc.keys.find((k) => k.kid === kid);\n if (!jwk) {\n throw new LicensingError(\n \"jwks_kid_not_found\",\n `manifest signing kid \"${kid}\" not present in JWKS`,\n );\n }\n const key = (await importJWK(jwk, \"EdDSA\")) as CryptoKey;\n this.byKid.set(kid, key);\n return key;\n }\n\n private async loadDocument(): Promise<JwksDocument> {\n if (this.staticDoc) return this.staticDoc;\n if (!this.endpoint) {\n throw new LicensingError(\n \"jwks_endpoint_missing\",\n \"workerOrigin (or static jwks) must be supplied to verify the manifest\",\n );\n }\n const res = await this.fetcher(this.endpoint, {\n headers: { accept: \"application/json\" },\n });\n if (!res.ok) {\n throw new LicensingError(\n \"jwks_fetch_failed\",\n `JWKS fetch failed: ${res.status} ${res.statusText}`,\n );\n }\n const doc = (await res.json()) as JwksDocument;\n if (!doc || !Array.isArray(doc.keys)) {\n throw new LicensingError(\"jwks_malformed\", \"JWKS response did not contain a keys array\");\n }\n return doc;\n }\n}\n\nexport class LicensingError extends Error {\n constructor(\n public readonly code: string,\n message: string,\n ) {\n super(message);\n this.name = \"LicensingError\";\n }\n}\n\nfunction nowSec(): number {\n return Math.floor(Date.now() / 1000);\n}\n\nasync function fetchManifestDefault(fetcher: typeof fetch, url: string): Promise<ManifestResponse> {\n const res = await fetcher(url, { headers: { accept: \"application/json\" } });\n if (!res.ok) {\n throw new LicensingError(\n \"manifest_fetch_failed\",\n `manifest fetch failed: ${res.status} ${res.statusText}`,\n );\n }\n return (await res.json()) as ManifestResponse;\n}\n\nfunction decodeJwsHeader(jws: string): { alg: string; kid: string; typ?: string } {\n const dot = jws.indexOf(\".\");\n if (dot <= 0) {\n throw new LicensingError(\"jws_malformed\", \"JWS missing header segment\");\n }\n const headerB64 = jws.slice(0, dot);\n const json = atob(headerB64.replace(/-/g, \"+\").replace(/_/g, \"/\"));\n const header = JSON.parse(json) as { alg?: string; kid?: string; typ?: string };\n if (typeof header.alg !== \"string\" || typeof header.kid !== \"string\") {\n throw new LicensingError(\"jws_header_invalid\", \"JWS header missing alg or kid\");\n }\n return { alg: header.alg, kid: header.kid, typ: header.typ };\n}\n\nfunction assertEqual(field: string, actual: unknown, expected: unknown): void {\n if (actual !== expected) {\n throw new LicensingError(\n \"manifest_field_mismatch\",\n `manifest ${field} does not match bootstrap (got ${JSON.stringify(actual)}, expected ${JSON.stringify(expected)})`,\n );\n }\n}\n\ninterface VerifiedManifest {\n payload: AuthorizedManifest;\n response: ManifestResponse;\n}\n\nasync function verifyAndValidate(\n options: CreateLicensingClientOptions,\n jwks: JwksCache,\n response: ManifestResponse,\n): Promise<VerifiedManifest> {\n const header = decodeJwsHeader(response.jws);\n if (header.alg !== \"EdDSA\") {\n throw new LicensingError(\n \"jws_alg_unsupported\",\n `unsupported JWS alg \"${header.alg}\" — expected EdDSA`,\n );\n }\n if (header.kid !== response.signing_kid) {\n throw new LicensingError(\n \"jws_kid_mismatch\",\n \"JWS header kid does not match response signing_kid\",\n );\n }\n\n const key = await jwks.resolve(header.kid);\n let verified;\n try {\n verified = await compactVerify(response.jws, key);\n } catch (err) {\n throw new LicensingError(\n \"jws_signature_invalid\",\n `JWS verification failed: ${(err as Error).message}`,\n );\n }\n\n const payload = JSON.parse(new TextDecoder().decode(verified.payload)) as AuthorizedManifest;\n\n const skew = options.clockSkewSeconds ?? 60;\n const now = nowSec();\n if (payload.bundle_expires_at + skew < now) {\n throw new LicensingError(\n \"manifest_expired\",\n `manifest expired at ${payload.bundle_expires_at} (now=${now})`,\n );\n }\n\n assertEqual(\"install_id\", payload.install_id, options.installId);\n assertEqual(\"host_origin\", payload.host_origin, options.hostOrigin);\n assertEqual(\"host_type\", payload.host_type, options.hostType);\n assertEqual(\"product\", payload.product, options.product);\n assertEqual(\"contract_version\", payload.contract_version, CONTRACT_VERSION);\n\n return { payload, response };\n}\n\nasync function loadModuleBytes(\n fetcher: typeof fetch,\n url: string,\n integrity: string,\n): Promise<ArrayBuffer> {\n const res = await fetcher(url, {\n headers: { accept: \"application/javascript, text/javascript\" },\n });\n if (!res.ok) {\n throw new LicensingError(\n \"module_fetch_failed\",\n `module fetch failed for ${url}: ${res.status} ${res.statusText}`,\n );\n }\n const bytes = await res.arrayBuffer();\n await assertSri(bytes, integrity, url);\n return bytes;\n}\n\nasync function assertSri(bytes: ArrayBuffer, integrity: string, url: string): Promise<void> {\n const match = /^sha384-(.+)$/.exec(integrity);\n if (!match) {\n throw new LicensingError(\n \"module_integrity_unsupported\",\n `unsupported integrity hash format for ${url}: ${integrity}`,\n );\n }\n const expected = match[1]!;\n const digest = await crypto.subtle.digest(\"SHA-384\", bytes);\n const actual = bytesToBase64(new Uint8Array(digest));\n if (actual !== expected) {\n throw new LicensingError(\n \"module_integrity_mismatch\",\n `module bytes did not match SRI for ${url}`,\n );\n }\n}\n\nfunction bytesToBase64(bytes: Uint8Array): string {\n let bin = \"\";\n for (let i = 0; i < bytes.length; i++) bin += String.fromCharCode(bytes[i]!);\n return btoa(bin);\n}\n\nexport async function createLicensingClient(\n options: CreateLicensingClientOptions,\n): Promise<LicensingClient> {\n const fetcher = options.fetch ?? globalThis.fetch?.bind(globalThis);\n if (!fetcher) {\n throw new LicensingError(\"fetch_unavailable\", \"no global fetch and no options.fetch supplied\");\n }\n\n const jwksEndpoint = options.workerOrigin\n ? `${options.workerOrigin.replace(/\\/$/, \"\")}${JWKS_PATH}`\n : undefined;\n const jwks = new JwksCache(fetcher, jwksEndpoint, options.jwks);\n\n const fetchManifestFn = async (): Promise<ManifestResponse> => {\n if (options.fetchManifest) return options.fetchManifest();\n if (!options.manifestUrl) {\n throw new LicensingError(\n \"manifest_source_missing\",\n \"either manifestUrl or fetchManifest must be supplied\",\n );\n }\n return fetchManifestDefault(fetcher, options.manifestUrl);\n };\n\n let current = await verifyAndValidate(options, jwks, await fetchManifestFn());\n\n const moduleCache = new Map<string, unknown>();\n\n async function loadModule<T>(name: string): Promise<T> {\n if (moduleCache.has(name)) return moduleCache.get(name) as T;\n const mod = current.payload.modules.find((m) => m.name === name);\n if (!mod) {\n throw new LicensingError(\n \"module_not_authorized\",\n `module \"${name}\" is not present in the current manifest`,\n );\n }\n const bytes = await loadModuleBytes(fetcher, mod.url, mod.integrity);\n const blob = new Blob([bytes], { type: \"application/javascript\" });\n const blobUrl = URL.createObjectURL(blob);\n try {\n const imported = (await import(/* @vite-ignore */ blobUrl)) as T;\n moduleCache.set(name, imported);\n return imported;\n } finally {\n URL.revokeObjectURL(blobUrl);\n }\n }\n\n async function refresh(): Promise<AuthorizedManifest> {\n const next = await verifyAndValidate(options, jwks, await fetchManifestFn());\n current = next;\n moduleCache.clear();\n return next.payload;\n }\n\n return {\n get manifest() {\n return current.payload;\n },\n get response() {\n return current.response;\n },\n has(moduleName: string) {\n return current.payload.modules.some((m) => m.name === moduleName);\n },\n loadModule,\n refresh,\n };\n}\n\nexport { CONTRACT_VERSION };\nexport type { AuthorizedManifest, HostType, ManifestResponse };\n"],"x_google_ignoreList":[0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17],"mappings":";;AAAA,IAAa,UAAU,IAAI,YAAY;AACvC,IAAa,UAAU,IAAI,YAAY;AAEvC,SAAgB,OAAO,GAAG,SAAS;CAC/B,MAAM,OAAO,QAAQ,QAAQ,KAAK,EAAE,aAAa,MAAM,QAAQ,CAAC;CAChE,MAAM,MAAM,IAAI,WAAW,IAAI;CAC/B,IAAI,IAAI;CACR,KAAK,MAAM,UAAU,SAAS;EAC1B,IAAI,IAAI,QAAQ,CAAC;EACjB,KAAK,OAAO;CAChB;CACA,OAAO;AACX;AAoBA,SAAgB,OAAO,QAAQ;CAC3B,MAAM,QAAQ,IAAI,WAAW,OAAO,MAAM;CAC1C,KAAK,IAAI,IAAI,GAAG,IAAI,OAAO,QAAQ,KAAK;EACpC,MAAM,OAAO,OAAO,WAAW,CAAC;EAChC,IAAI,OAAO,KACP,MAAM,IAAI,UAAU,0CAA0C;EAElE,MAAM,KAAK;CACf;CACA,OAAO;AACX;;;AC/BA,SAAgB,aAAa,SAAS;CAClC,IAAI,WAAW,YACX,OAAO,WAAW,WAAW,OAAO;CAExC,MAAM,SAAS,KAAK,OAAO;CAC3B,MAAM,QAAQ,IAAI,WAAW,OAAO,MAAM;CAC1C,KAAK,IAAI,IAAI,GAAG,IAAI,OAAO,QAAQ,KAC/B,MAAM,KAAK,OAAO,WAAW,CAAC;CAElC,OAAO;AACX;;;ACnBA,SAAgB,OAAO,OAAO;CAC1B,IAAI,WAAW,YACX,OAAO,WAAW,WAAW,OAAO,UAAU,WAAW,QAAQ,QAAQ,OAAO,KAAK,GAAG,EACpF,UAAU,YACd,CAAC;CAEL,IAAI,UAAU;CACd,IAAI,mBAAmB,YACnB,UAAU,QAAQ,OAAO,OAAO;CAEpC,UAAU,QAAQ,QAAQ,MAAM,GAAG,EAAE,QAAQ,MAAM,GAAG;CACtD,IAAI;EACA,OAAO,aAAa,OAAO;CAC/B,QACM;EACF,MAAM,IAAI,UAAU,mDAAmD;CAC3E;AACJ;;;ACnBA,IAAM,YAAY,MAAM,OAAO,qCAAqB,IAAI,UAAU,kDAAkD,KAAK,WAAW,MAAM;AAC1I,IAAM,eAAe,WAAW,SAAS,UAAU,SAAS;AAC5D,SAAS,cAAc,MAAM;CACzB,OAAO,SAAS,KAAK,KAAK,MAAM,CAAC,GAAG,EAAE;AAC1C;AACA,SAAS,gBAAgB,WAAW,UAAU;CAE1C,IADe,cAAc,UAAU,IAC9B,MAAM,UACX,MAAM,SAAS,OAAO,YAAY,gBAAgB;AAC1D;AACA,SAAS,cAAc,KAAK;CACxB,QAAQ,KAAR;EACI,KAAK,SACD,OAAO;EACX,KAAK,SACD,OAAO;EACX,KAAK,SACD,OAAO;EACX,SACI,MAAM,IAAI,MAAM,aAAa;CACrC;AACJ;AACA,SAAS,WAAW,KAAK,OAAO;CAC5B,IAAI,SAAS,CAAC,IAAI,OAAO,SAAS,KAAK,GACnC,MAAM,IAAI,UAAU,sEAAsE,MAAM,EAAE;AAE1G;AACA,SAAgB,kBAAkB,KAAK,KAAK,OAAO;CAC/C,QAAQ,KAAR;EACI,KAAK;EACL,KAAK;EACL,KAAK;GACD,IAAI,CAAC,YAAY,IAAI,WAAW,MAAM,GAClC,MAAM,SAAS,MAAM;GACzB,gBAAgB,IAAI,WAAW,SAAS,IAAI,MAAM,CAAC,GAAG,EAAE,CAAC;GACzD;EAEJ,KAAK;EACL,KAAK;EACL,KAAK;GACD,IAAI,CAAC,YAAY,IAAI,WAAW,mBAAmB,GAC/C,MAAM,SAAS,mBAAmB;GACtC,gBAAgB,IAAI,WAAW,SAAS,IAAI,MAAM,CAAC,GAAG,EAAE,CAAC;GACzD;EAEJ,KAAK;EACL,KAAK;EACL,KAAK;GACD,IAAI,CAAC,YAAY,IAAI,WAAW,SAAS,GACrC,MAAM,SAAS,SAAS;GAC5B,gBAAgB,IAAI,WAAW,SAAS,IAAI,MAAM,CAAC,GAAG,EAAE,CAAC;GACzD;EAEJ,KAAK;EACL,KAAK;GACD,IAAI,CAAC,YAAY,IAAI,WAAW,SAAS,GACrC,MAAM,SAAS,SAAS;GAC5B;EAEJ,KAAK;EACL,KAAK;EACL,KAAK;GACD,IAAI,CAAC,YAAY,IAAI,WAAW,GAAG,GAC/B,MAAM,SAAS,GAAG;GACtB;EAEJ,KAAK;EACL,KAAK;EACL,KAAK,SAAS;GACV,IAAI,CAAC,YAAY,IAAI,WAAW,OAAO,GACnC,MAAM,SAAS,OAAO;GAC1B,MAAM,WAAW,cAAc,GAAG;GAElC,IADe,IAAI,UAAU,eACd,UACX,MAAM,SAAS,UAAU,sBAAsB;GACnD;EACJ;EACA,SACI,MAAM,IAAI,UAAU,2CAA2C;CACvE;CACA,WAAW,KAAK,KAAK;AACzB;;;ACjFA,SAAS,QAAQ,KAAK,QAAQ,GAAG,OAAO;CACpC,QAAQ,MAAM,OAAO,OAAO;CAC5B,IAAI,MAAM,SAAS,GAAG;EAClB,MAAM,OAAO,MAAM,IAAI;EACvB,OAAO,eAAe,MAAM,KAAK,IAAI,EAAE,OAAO,KAAK;CACvD,OACK,IAAI,MAAM,WAAW,GACtB,OAAO,eAAe,MAAM,GAAG,MAAM,MAAM,GAAG;MAG9C,OAAO,WAAW,MAAM,GAAG;CAE/B,IAAI,UAAU,MACV,OAAO,aAAa;MAEnB,IAAI,OAAO,WAAW,cAAc,OAAO,MAC5C,OAAO,sBAAsB,OAAO;MAEnC,IAAI,OAAO,WAAW,YAAY,UAAU;MACzC,OAAO,aAAa,MACpB,OAAO,4BAA4B,OAAO,YAAY;CAAA;CAG9D,OAAO;AACX;AACA,IAAa,mBAAmB,QAAQ,GAAG,UAAU,QAAQ,gBAAgB,QAAQ,GAAG,KAAK;AAC7F,IAAa,WAAW,KAAK,QAAQ,GAAG,UAAU,QAAQ,eAAe,IAAI,sBAAsB,QAAQ,GAAG,KAAK;;;AC1BnH,IAAa,YAAb,cAA+B,MAAM;CACjC,OAAO,OAAO;CACd,OAAO;CACP,YAAY,SAAS,SAAS;EAC1B,MAAM,SAAS,OAAO;EACtB,KAAK,OAAO,KAAK,YAAY;EAC7B,MAAM,oBAAoB,MAAM,KAAK,WAAW;CACpD;AACJ;AA2BA,IAAa,oBAAb,cAAuC,UAAU;CAC7C,OAAO,OAAO;CACd,OAAO;AACX;AACA,IAAa,mBAAb,cAAsC,UAAU;CAC5C,OAAO,OAAO;CACd,OAAO;AACX;AAYA,IAAa,aAAb,cAAgC,UAAU;CACtC,OAAO,OAAO;CACd,OAAO;AACX;AAmCA,IAAa,iCAAb,cAAoD,UAAU;CAC1D,OAAO,OAAO;CACd,OAAO;CACP,YAAY,UAAU,iCAAiC,SAAS;EAC5D,MAAM,SAAS,OAAO;CAC1B;AACJ;;;AC7FA,IAAa,eAAe,QAAQ;CAChC,IAAI,MAAM,OAAO,iBAAiB,aAC9B,OAAO;CACX,IAAI;EACA,OAAO,eAAe;CAC1B,QACM;EACF,OAAO;CACX;AACJ;AACA,IAAa,eAAe,QAAQ,MAAM,OAAO,iBAAiB;AAClE,IAAa,aAAa,QAAQ,YAAY,GAAG,KAAK,YAAY,GAAG;;;ACTrE,SAAgB,gBAAgB,OAAO,OAAO,YAAY;CACtD,IAAI;EACA,OAAO,OAAO,KAAK;CACvB,QACM;EACF,MAAM,IAAI,WAAW,kCAAkC,OAAO;CAClE;AACJ;;;ACdA,IAAM,gBAAgB,UAAU,OAAO,UAAU,YAAY,UAAU;AACvE,SAAgB,SAAS,OAAO;CAC5B,IAAI,CAAC,aAAa,KAAK,KAAK,OAAO,UAAU,SAAS,KAAK,KAAK,MAAM,mBAClE,OAAO;CAEX,IAAI,OAAO,eAAe,KAAK,MAAM,MACjC,OAAO;CAEX,IAAI,QAAQ;CACZ,OAAO,OAAO,eAAe,KAAK,MAAM,MACpC,QAAQ,OAAO,eAAe,KAAK;CAEvC,OAAO,OAAO,eAAe,KAAK,MAAM;AAC5C;AACA,SAAgB,WAAW,GAAG,SAAS;CACnC,MAAM,UAAU,QAAQ,OAAO,OAAO;CACtC,IAAI,QAAQ,WAAW,KAAK,QAAQ,WAAW,GAC3C,OAAO;CAEX,IAAI;CACJ,KAAK,MAAM,UAAU,SAAS;EAC1B,MAAM,aAAa,OAAO,KAAK,MAAM;EACrC,IAAI,CAAC,OAAO,IAAI,SAAS,GAAG;GACxB,MAAM,IAAI,IAAI,UAAU;GACxB;EACJ;EACA,KAAK,MAAM,aAAa,YAAY;GAChC,IAAI,IAAI,IAAI,SAAS,GACjB,OAAO;GAEX,IAAI,IAAI,SAAS;EACrB;CACJ;CACA,OAAO;AACX;AACA,IAAa,SAAS,QAAQ,SAAS,GAAG,KAAK,OAAO,IAAI,QAAQ;AAClE,IAAa,gBAAgB,QAAQ,IAAI,QAAQ,UAC3C,IAAI,QAAQ,SAAS,OAAO,IAAI,SAAS,YAAa,OAAO,IAAI,MAAM;AAC7E,IAAa,eAAe,QAAQ,IAAI,QAAQ,SAAS,IAAI,MAAM,KAAA,KAAa,IAAI,SAAS,KAAA;AAC7F,IAAa,eAAe,QAAQ,IAAI,QAAQ,SAAS,OAAO,IAAI,MAAM;;;ACpC1E,SAAgB,eAAe,KAAK,KAAK;CACrC,IAAI,IAAI,WAAW,IAAI,KAAK,IAAI,WAAW,IAAI,GAAG;EAC9C,MAAM,EAAE,kBAAkB,IAAI;EAC9B,IAAI,OAAO,kBAAkB,YAAY,gBAAgB,MACrD,MAAM,IAAI,UAAU,GAAG,IAAI,sDAAsD;CAEzF;AACJ;AACA,SAAS,gBAAgB,KAAK,WAAW;CACrC,MAAM,OAAO,OAAO,IAAI,MAAM,EAAE;CAChC,QAAQ,KAAR;EACI,KAAK;EACL,KAAK;EACL,KAAK,SACD,OAAO;GAAE;GAAM,MAAM;EAAO;EAChC,KAAK;EACL,KAAK;EACL,KAAK,SACD,OAAO;GAAE;GAAM,MAAM;GAAW,YAAY,SAAS,IAAI,MAAM,EAAE,GAAG,EAAE,KAAK;EAAE;EACjF,KAAK;EACL,KAAK;EACL,KAAK,SACD,OAAO;GAAE;GAAM,MAAM;EAAoB;EAC7C,KAAK;EACL,KAAK;EACL,KAAK,SACD,OAAO;GAAE;GAAM,MAAM;GAAS,YAAY,UAAU;EAAW;EACnE,KAAK;EACL,KAAK,SACD,OAAO,EAAE,MAAM,UAAU;EAC7B,KAAK;EACL,KAAK;EACL,KAAK,aACD,OAAO,EAAE,MAAM,IAAI;EACvB,SACI,MAAM,IAAI,iBAAiB,OAAO,IAAI,4DAA4D;CAC1G;AACJ;AACA,eAAe,UAAU,KAAK,KAAK,OAAO;CACtC,IAAI,eAAe,YAAY;EAC3B,IAAI,CAAC,IAAI,WAAW,IAAI,GACpB,MAAM,IAAI,UAAU,gBAAgB,KAAK,aAAa,aAAa,cAAc,CAAC;EAEtF,OAAO,OAAO,OAAO,UAAU,OAAO,KAAK;GAAE,MAAM,OAAO,IAAI,MAAM,EAAE;GAAK,MAAM;EAAO,GAAG,OAAO,CAAC,KAAK,CAAC;CAC7G;CACA,kBAAkB,KAAK,KAAK,KAAK;CACjC,OAAO;AACX;AAOA,eAAsB,OAAO,KAAK,KAAK,WAAW,MAAM;CACpD,MAAM,YAAY,MAAM,UAAU,KAAK,KAAK,QAAQ;CACpD,eAAe,KAAK,SAAS;CAC7B,MAAM,YAAY,gBAAgB,KAAK,UAAU,SAAS;CAC1D,IAAI;EACA,OAAO,MAAM,OAAO,OAAO,OAAO,WAAW,WAAW,WAAW,IAAI;CAC3E,QACM;EACF,OAAO;CACX;AACJ;;;AClEA,IAAM,iBAAiB;AACvB,SAAS,cAAc,KAAK;CACxB,IAAI;CACJ,IAAI;CACJ,QAAQ,IAAI,KAAZ;EACI,KAAK;GACD,QAAQ,IAAI,KAAZ;IACI,KAAK;IACL,KAAK;IACL,KAAK;KACD,YAAY,EAAE,MAAM,IAAI,IAAI;KAC5B,YAAY,IAAI,OAAO,CAAC,MAAM,IAAI,CAAC,QAAQ;KAC3C;IACJ,SACI,MAAM,IAAI,iBAAiB,cAAc;GACjD;GACA;EAEJ,KAAK;GACD,QAAQ,IAAI,KAAZ;IACI,KAAK;IACL,KAAK;IACL,KAAK;KACD,YAAY;MAAE,MAAM;MAAW,MAAM,OAAO,IAAI,IAAI,MAAM,EAAE;KAAI;KAChE,YAAY,IAAI,IAAI,CAAC,MAAM,IAAI,CAAC,QAAQ;KACxC;IACJ,KAAK;IACL,KAAK;IACL,KAAK;KACD,YAAY;MAAE,MAAM;MAAqB,MAAM,OAAO,IAAI,IAAI,MAAM,EAAE;KAAI;KAC1E,YAAY,IAAI,IAAI,CAAC,MAAM,IAAI,CAAC,QAAQ;KACxC;IACJ,KAAK;IACL,KAAK;IACL,KAAK;IACL,KAAK;KACD,YAAY;MACR,MAAM;MACN,MAAM,OAAO,SAAS,IAAI,IAAI,MAAM,EAAE,GAAG,EAAE,KAAK;KACpD;KACA,YAAY,IAAI,IAAI,CAAC,WAAW,WAAW,IAAI,CAAC,WAAW,SAAS;KACpE;IACJ,SACI,MAAM,IAAI,iBAAiB,cAAc;GACjD;GACA;EAEJ,KAAK;GACD,QAAQ,IAAI,KAAZ;IACI,KAAK;IACL,KAAK;IACL,KAAK;KACD,YAAY;MACR,MAAM;MACN,YAAY;OAAE,OAAO;OAAS,OAAO;OAAS,OAAO;MAAQ,EAAE,IAAI;KACvE;KACA,YAAY,IAAI,IAAI,CAAC,MAAM,IAAI,CAAC,QAAQ;KACxC;IACJ,KAAK;IACL,KAAK;IACL,KAAK;IACL,KAAK;KACD,YAAY;MAAE,MAAM;MAAQ,YAAY,IAAI;KAAI;KAChD,YAAY,IAAI,IAAI,CAAC,YAAY,IAAI,CAAC;KACtC;IACJ,SACI,MAAM,IAAI,iBAAiB,cAAc;GACjD;GACA;EAEJ,KAAK;GACD,QAAQ,IAAI,KAAZ;IACI,KAAK;IACL,KAAK;KACD,YAAY,EAAE,MAAM,UAAU;KAC9B,YAAY,IAAI,IAAI,CAAC,MAAM,IAAI,CAAC,QAAQ;KACxC;IACJ,KAAK;IACL,KAAK;IACL,KAAK;IACL,KAAK;KACD,YAAY,EAAE,MAAM,IAAI,IAAI;KAC5B,YAAY,IAAI,IAAI,CAAC,YAAY,IAAI,CAAC;KACtC;IACJ,SACI,MAAM,IAAI,iBAAiB,cAAc;GACjD;GACA;EAEJ,SACI,MAAM,IAAI,iBAAiB,+DAA6D;CAChG;CACA,OAAO;EAAE;EAAW;CAAU;AAClC;AACA,eAAsB,SAAS,KAAK;CAChC,IAAI,CAAC,IAAI,KACL,MAAM,IAAI,UAAU,8DAA0D;CAElF,MAAM,EAAE,WAAW,cAAc,cAAc,GAAG;CAClD,MAAM,UAAU,EAAE,GAAG,IAAI;CACzB,IAAI,QAAQ,QAAQ,OAChB,OAAO,QAAQ;CAEnB,OAAO,QAAQ;CACf,OAAO,OAAO,OAAO,UAAU,OAAO,SAAS,WAAW,IAAI,QAAQ,IAAI,KAAK,IAAI,OAAO,QAAQ,OAAO,IAAI,WAAW,SAAS;AACrI;;;ACtGA,IAAM,iBAAiB;AACvB,IAAI;AACJ,IAAM,YAAY,OAAO,KAAK,KAAK,KAAK,SAAS,UAAU;CACvD,0BAAU,IAAI,QAAQ;CACtB,IAAI,SAAS,MAAM,IAAI,GAAG;CAC1B,IAAI,SAAS,MACT,OAAO,OAAO;CAElB,MAAM,YAAY,MAAM,SAAS;EAAE,GAAG;EAAK;CAAI,CAAC;CAChD,IAAI,QACA,OAAO,OAAO,GAAG;CACrB,IAAI,CAAC,QACD,MAAM,IAAI,KAAK,GAAG,MAAM,UAAU,CAAC;MAGnC,OAAO,OAAO;CAElB,OAAO;AACX;AACA,IAAM,mBAAmB,WAAW,QAAQ;CACxC,0BAAU,IAAI,QAAQ;CACtB,IAAI,SAAS,MAAM,IAAI,SAAS;CAChC,IAAI,SAAS,MACT,OAAO,OAAO;CAElB,MAAM,WAAW,UAAU,SAAS;CACpC,MAAM,cAAc,WAAW,OAAO;CACtC,IAAI;CACJ,IAAI,UAAU,sBAAsB,UAAU;EAC1C,QAAQ,KAAR;GACI,KAAK;GACL,KAAK;GACL,KAAK;GACL,KAAK,kBACD;GACJ,SACI,MAAM,IAAI,UAAU,cAAc;EAC1C;EACA,YAAY,UAAU,YAAY,UAAU,mBAAmB,aAAa,WAAW,CAAC,IAAI,CAAC,YAAY,CAAC;CAC9G;CACA,IAAI,UAAU,sBAAsB,WAAW;EAC3C,IAAI,QAAQ,WAAW,QAAQ,WAC3B,MAAM,IAAI,UAAU,cAAc;EAEtC,YAAY,UAAU,YAAY,UAAU,mBAAmB,aAAa,CACxE,WAAW,WAAW,MAC1B,CAAC;CACL;CACA,QAAQ,UAAU,mBAAlB;EACI,KAAK;EACL,KAAK;EACL,KAAK;GACD,IAAI,QAAQ,UAAU,kBAAkB,YAAY,GAChD,MAAM,IAAI,UAAU,cAAc;GAEtC,YAAY,UAAU,YAAY,UAAU,mBAAmB,aAAa,CACxE,WAAW,WAAW,MAC1B,CAAC;CAET;CACA,IAAI,UAAU,sBAAsB,OAAO;EACvC,IAAI;EACJ,QAAQ,KAAR;GACI,KAAK;IACD,OAAO;IACP;GACJ,KAAK;GACL,KAAK;GACL,KAAK;IACD,OAAO;IACP;GACJ,KAAK;GACL,KAAK;GACL,KAAK;IACD,OAAO;IACP;GACJ,KAAK;GACL,KAAK;GACL,KAAK;IACD,OAAO;IACP;GACJ,SACI,MAAM,IAAI,UAAU,cAAc;EAC1C;EACA,IAAI,IAAI,WAAW,UAAU,GACzB,OAAO,UAAU,YAAY;GACzB,MAAM;GACN;EACJ,GAAG,aAAa,WAAW,CAAC,SAAS,IAAI,CAAC,SAAS,CAAC;EAExD,YAAY,UAAU,YAAY;GAC9B,MAAM,IAAI,WAAW,IAAI,IAAI,YAAY;GACzC;EACJ,GAAG,aAAa,CAAC,WAAW,WAAW,MAAM,CAAC;CAClD;CACA,IAAI,UAAU,sBAAsB,MAAM;EAMtC,MAAM,aAAa,IALF,IAAI;GACjB,CAAC,cAAc,OAAO;GACtB,CAAC,aAAa,OAAO;GACrB,CAAC,aAAa,OAAO;EACzB,CACsB,EAAE,IAAI,UAAU,sBAAsB,UAAU;EACtE,IAAI,CAAC,YACD,MAAM,IAAI,UAAU,cAAc;EAEtC,MAAM,gBAAgB;GAAE,OAAO;GAAS,OAAO;GAAS,OAAO;EAAQ;EACvE,IAAI,cAAc,QAAQ,eAAe,cAAc,MACnD,YAAY,UAAU,YAAY;GAC9B,MAAM;GACN;EACJ,GAAG,aAAa,CAAC,WAAW,WAAW,MAAM,CAAC;EAElD,IAAI,IAAI,WAAW,SAAS,GACxB,YAAY,UAAU,YAAY;GAC9B,MAAM;GACN;EACJ,GAAG,aAAa,WAAW,CAAC,IAAI,CAAC,YAAY,CAAC;CAEtD;CACA,IAAI,CAAC,WACD,MAAM,IAAI,UAAU,cAAc;CAEtC,IAAI,CAAC,QACD,MAAM,IAAI,WAAW,GAAG,MAAM,UAAU,CAAC;MAGzC,OAAO,OAAO;CAElB,OAAO;AACX;AACA,eAAsB,aAAa,KAAK,KAAK;CACzC,IAAI,eAAe,YACf,OAAO;CAEX,IAAI,YAAY,GAAG,GACf,OAAO;CAEX,IAAI,YAAY,GAAG,GAAG;EAClB,IAAI,IAAI,SAAS,UACb,OAAO,IAAI,OAAO;EAEtB,IAAI,iBAAiB,OAAO,OAAO,IAAI,gBAAgB,YACnD,IAAI;GACA,OAAO,gBAAgB,KAAK,GAAG;EACnC,SACO,KAAK;GACR,IAAI,eAAe,WACf,MAAM;EAEd;EAGJ,OAAO,UAAU,KADP,IAAI,OAAO,EAAE,QAAQ,MAAM,CACb,GAAG,GAAG;CAClC;CACA,IAAI,MAAM,GAAG,GAAG;EACZ,IAAI,IAAI,GACJ,OAAO,OAAO,IAAI,CAAC;EAEvB,OAAO,UAAU,KAAK,KAAK,KAAK,IAAI;CACxC;CACA,MAAM,IAAI,MAAM,aAAa;AACjC;;;AC9IA,eAAsB,UAAU,KAAK,KAAK,SAAS;CAC/C,IAAI,CAAC,SAAS,GAAG,GACb,MAAM,IAAI,UAAU,uBAAuB;CAE/C,IAAI;CACJ,QAAQ,IAAI;CACZ,QAAQ,SAAS,eAAe,IAAI;CACpC,QAAQ,IAAI,KAAZ;EACI,KAAK;GACD,IAAI,OAAO,IAAI,MAAM,YAAY,CAAC,IAAI,GAClC,MAAM,IAAI,UAAU,2CAAyC;GAEjE,OAAOA,OAAgB,IAAI,CAAC;EAChC,KAAK;GACD,IAAI,SAAS,OAAO,IAAI,QAAQ,KAAA,GAC5B,MAAM,IAAI,iBAAiB,sEAAoE;GAEnG,OAAO,SAAS;IAAE,GAAG;IAAK;IAAK;GAAI,CAAC;EACxC,KAAK;GACD,IAAI,OAAO,IAAI,QAAQ,YAAY,CAAC,IAAI,KACpC,MAAM,IAAI,UAAU,6CAA2C;GAEnE,IAAI,QAAQ,KAAA,KAAa,QAAQ,IAAI,KACjC,MAAM,IAAI,UAAU,uCAAuC;GAE/D,OAAO,SAAS;IAAE,GAAG;IAAK;GAAI,CAAC;EAEnC,KAAK;EACL,KAAK,OACD,OAAO,SAAS;GAAE,GAAG;GAAK;GAAK;EAAI,CAAC;EACxC,SACI,MAAM,IAAI,iBAAiB,gDAA8C;CACjF;AACJ;;;ACvDA,SAAgB,aAAa,KAAK,mBAAmB,kBAAkB,iBAAiB,YAAY;CAChG,IAAI,WAAW,SAAS,KAAA,KAAa,iBAAiB,SAAS,KAAA,GAC3D,MAAM,IAAI,IAAI,kEAAgE;CAElF,IAAI,CAAC,mBAAmB,gBAAgB,SAAS,KAAA,GAC7C,uBAAO,IAAI,IAAI;CAEnB,IAAI,CAAC,MAAM,QAAQ,gBAAgB,IAAI,KACnC,gBAAgB,KAAK,WAAW,KAChC,gBAAgB,KAAK,MAAM,UAAU,OAAO,UAAU,YAAY,MAAM,WAAW,CAAC,GACpF,MAAM,IAAI,IAAI,yFAAuF;CAEzG,IAAI;CACJ,IAAI,qBAAqB,KAAA,GACrB,aAAa,IAAI,IAAI,CAAC,GAAG,OAAO,QAAQ,gBAAgB,GAAG,GAAG,kBAAkB,QAAQ,CAAC,CAAC;MAG1F,aAAa;CAEjB,KAAK,MAAM,aAAa,gBAAgB,MAAM;EAC1C,IAAI,CAAC,WAAW,IAAI,SAAS,GACzB,MAAM,IAAI,iBAAiB,+BAA+B,UAAU,oBAAoB;EAE5F,IAAI,WAAW,eAAe,KAAA,GAC1B,MAAM,IAAI,IAAI,+BAA+B,UAAU,aAAa;EAExE,IAAI,WAAW,IAAI,SAAS,KAAK,gBAAgB,eAAe,KAAA,GAC5D,MAAM,IAAI,IAAI,+BAA+B,UAAU,8BAA8B;CAE7F;CACA,OAAO,IAAI,IAAI,gBAAgB,IAAI;AACvC;;;AChCA,SAAgB,mBAAmB,QAAQ,YAAY;CACnD,IAAI,eAAe,KAAA,MACd,CAAC,MAAM,QAAQ,UAAU,KAAK,WAAW,MAAM,MAAM,OAAO,MAAM,QAAQ,IAC3E,MAAM,IAAI,UAAU,IAAI,OAAO,qCAAqC;CAExE,IAAI,CAAC,YACD;CAEJ,OAAO,IAAI,IAAI,UAAU;AAC7B;;;ACNA,IAAM,OAAO,QAAQ,MAAM,OAAO;AAClC,IAAM,gBAAgB,KAAK,KAAK,UAAU;CACtC,IAAI,IAAI,QAAQ,KAAA,GAAW;EACvB,IAAI;EACJ,QAAQ,OAAR;GACI,KAAK;GACL,KAAK;IACD,WAAW;IACX;GACJ,KAAK;GACL,KAAK;IACD,WAAW;IACX;EACR;EACA,IAAI,IAAI,QAAQ,UACZ,MAAM,IAAI,UAAU,sDAAsD,SAAS,eAAe;CAE1G;CACA,IAAI,IAAI,QAAQ,KAAA,KAAa,IAAI,QAAQ,KACrC,MAAM,IAAI,UAAU,sDAAsD,IAAI,eAAe;CAEjG,IAAI,MAAM,QAAQ,IAAI,OAAO,GAAG;EAC5B,IAAI;EACJ,QAAQ,MAAR;GACI,KAAK,UAAU,UAAU,UAAU;GACnC,KAAK,QAAQ;GACb,KAAK,IAAI,SAAS,QAAQ;IACtB,gBAAgB;IAChB;GACJ,KAAK,IAAI,WAAW,OAAO;IACvB,gBAAgB;IAChB;GACJ,KAAK,0BAA0B,KAAK,GAAG;IACnC,IAAI,CAAC,IAAI,SAAS,KAAK,KAAK,IAAI,SAAS,IAAI,GACzC,gBAAgB,UAAU,YAAY,YAAY;SAGlD,gBAAgB;IAEpB;GACJ,KAAK,UAAU,aAAa,IAAI,WAAW,KAAK;IAC5C,gBAAgB;IAChB;GACJ,KAAK,UAAU;IACX,gBAAgB,IAAI,WAAW,KAAK,IAAI,cAAc;IACtD;EACR;EACA,IAAI,iBAAiB,IAAI,SAAS,WAAW,aAAa,MAAM,OAC5D,MAAM,IAAI,UAAU,+DAA+D,cAAc,eAAe;CAExH;CACA,OAAO;AACX;AACA,IAAM,sBAAsB,KAAK,KAAK,UAAU;CAC5C,IAAI,eAAe,YACf;CACJ,IAAIC,MAAU,GAAG,GAAG;EAChB,IAAIC,YAAgB,GAAG,KAAK,aAAa,KAAK,KAAK,KAAK,GACpD;EACJ,MAAM,IAAI,UAAU,yHAAyH;CACjJ;CACA,IAAI,CAAC,UAAU,GAAG,GACd,MAAM,IAAI,UAAUC,QAAgB,KAAK,KAAK,aAAa,aAAa,gBAAgB,YAAY,CAAC;CAEzG,IAAI,IAAI,SAAS,UACb,MAAM,IAAI,UAAU,GAAG,IAAI,GAAG,EAAE,6DAA6D;AAErG;AACA,IAAM,uBAAuB,KAAK,KAAK,UAAU;CAC7C,IAAIF,MAAU,GAAG,GACb,QAAQ,OAAR;EACI,KAAK;EACL,KAAK;GACD,IAAIG,aAAiB,GAAG,KAAK,aAAa,KAAK,KAAK,KAAK,GACrD;GACJ,MAAM,IAAI,UAAU,uDAAuD;EAC/E,KAAK;EACL,KAAK;GACD,IAAIC,YAAgB,GAAG,KAAK,aAAa,KAAK,KAAK,KAAK,GACpD;GACJ,MAAM,IAAI,UAAU,sDAAsD;CAClF;CAEJ,IAAI,CAAC,UAAU,GAAG,GACd,MAAM,IAAI,UAAUF,QAAgB,KAAK,KAAK,aAAa,aAAa,cAAc,CAAC;CAE3F,IAAI,IAAI,SAAS,UACb,MAAM,IAAI,UAAU,GAAG,IAAI,GAAG,EAAE,kEAAkE;CAEtG,IAAI,IAAI,SAAS,UACb,QAAQ,OAAR;EACI,KAAK,QACD,MAAM,IAAI,UAAU,GAAG,IAAI,GAAG,EAAE,sEAAsE;EAC1G,KAAK,WACD,MAAM,IAAI,UAAU,GAAG,IAAI,GAAG,EAAE,yEAAyE;CACjH;CAEJ,IAAI,IAAI,SAAS,WACb,QAAQ,OAAR;EACI,KAAK,UACD,MAAM,IAAI,UAAU,GAAG,IAAI,GAAG,EAAE,uEAAuE;EAC3G,KAAK,WACD,MAAM,IAAI,UAAU,GAAG,IAAI,GAAG,EAAE,wEAAwE;CAChH;AAER;AACA,SAAgB,aAAa,KAAK,KAAK,OAAO;CAC1C,QAAQ,IAAI,UAAU,GAAG,CAAC,GAA1B;EACI,KAAK;EACL,KAAK;EACL,KAAK;EACL,KAAK;EACL,KAAK;GACD,mBAAmB,KAAK,KAAK,KAAK;GAClC;EACJ,SACI,oBAAoB,KAAK,KAAK,KAAK;CAC3C;AACJ;;;AC9GA,eAAsB,gBAAgB,KAAK,KAAK,SAAS;CACrD,IAAI,CAAC,SAAS,GAAG,GACb,MAAM,IAAI,WAAW,iCAAiC;CAE1D,IAAI,IAAI,cAAc,KAAA,KAAa,IAAI,WAAW,KAAA,GAC9C,MAAM,IAAI,WAAW,2EAAuE;CAEhG,IAAI,IAAI,cAAc,KAAA,KAAa,OAAO,IAAI,cAAc,UACxD,MAAM,IAAI,WAAW,qCAAqC;CAE9D,IAAI,IAAI,YAAY,KAAA,GAChB,MAAM,IAAI,WAAW,qBAAqB;CAE9C,IAAI,OAAO,IAAI,cAAc,UACzB,MAAM,IAAI,WAAW,yCAAyC;CAElE,IAAI,IAAI,WAAW,KAAA,KAAa,CAAC,SAAS,IAAI,MAAM,GAChD,MAAM,IAAI,WAAW,uCAAuC;CAEhE,IAAI,aAAa,CAAC;CAClB,IAAI,IAAI,WACJ,IAAI;EACA,MAAM,kBAAkBG,OAAK,IAAI,SAAS;EAC1C,aAAa,KAAK,MAAM,QAAQ,OAAO,eAAe,CAAC;CAC3D,QACM;EACF,MAAM,IAAI,WAAW,iCAAiC;CAC1D;CAEJ,IAAI,CAAC,WAAW,YAAY,IAAI,MAAM,GAClC,MAAM,IAAI,WAAW,2EAA2E;CAEpG,MAAM,aAAa;EACf,GAAG;EACH,GAAG,IAAI;CACX;CACA,MAAM,aAAa,aAAa,YAAY,IAAI,IAAI,CAAC,CAAC,OAAO,IAAI,CAAC,CAAC,GAAG,SAAS,MAAM,YAAY,UAAU;CAC3G,IAAI,MAAM;CACV,IAAI,WAAW,IAAI,KAAK,GAAG;EACvB,MAAM,WAAW;EACjB,IAAI,OAAO,QAAQ,WACf,MAAM,IAAI,WAAW,2EAAyE;CAEtG;CACA,MAAM,EAAE,QAAQ;CAChB,IAAI,OAAO,QAAQ,YAAY,CAAC,KAC5B,MAAM,IAAI,WAAW,6DAA2D;CAEpF,MAAM,aAAa,WAAW,mBAAmB,cAAc,QAAQ,UAAU;CACjF,IAAI,cAAc,CAAC,WAAW,IAAI,GAAG,GACjC,MAAM,IAAI,kBAAkB,wDAAsD;CAEtF,IAAI;MACI,OAAO,IAAI,YAAY,UACvB,MAAM,IAAI,WAAW,8BAA8B;CAAA,OAGtD,IAAI,OAAO,IAAI,YAAY,YAAY,EAAE,IAAI,mBAAmB,aACjE,MAAM,IAAI,WAAW,wDAAwD;CAEjF,IAAI,cAAc;CAClB,IAAI,OAAO,QAAQ,YAAY;EAC3B,MAAM,MAAM,IAAI,YAAY,GAAG;EAC/B,cAAc;CAClB;CACA,aAAa,KAAK,KAAK,QAAQ;CAC/B,MAAM,OAAO,OAAO,IAAI,cAAc,KAAA,IAAY,OAAO,IAAI,SAAS,IAAI,IAAI,WAAW,GAAG,OAAO,GAAG,GAAG,OAAO,IAAI,YAAY,WAC1H,MACI,OAAO,IAAI,OAAO,IAClB,QAAQ,OAAO,IAAI,OAAO,IAC9B,IAAI,OAAO;CACjB,MAAM,YAAY,gBAAgB,IAAI,WAAW,aAAa,UAAU;CACxE,MAAM,IAAI,MAAM,aAAa,KAAK,GAAG;CAErC,IAAI,CAAC,MADkB,OAAO,KAAK,GAAG,WAAW,IAAI,GAEjD,MAAM,IAAI,+BAA+B;CAE7C,IAAI;CACJ,IAAI,KACA,UAAU,gBAAgB,IAAI,SAAS,WAAW,UAAU;MAE3D,IAAI,OAAO,IAAI,YAAY,UAC5B,UAAU,QAAQ,OAAO,IAAI,OAAO;MAGpC,UAAU,IAAI;CAElB,MAAM,SAAS,EAAE,QAAQ;CACzB,IAAI,IAAI,cAAc,KAAA,GAClB,OAAO,kBAAkB;CAE7B,IAAI,IAAI,WAAW,KAAA,GACf,OAAO,oBAAoB,IAAI;CAEnC,IAAI,aACA,OAAO;EAAE,GAAG;EAAQ,KAAK;CAAE;CAE/B,OAAO;AACX;;;AC1GA,eAAsB,cAAc,KAAK,KAAK,SAAS;CACnD,IAAI,eAAe,YACf,MAAM,QAAQ,OAAO,GAAG;CAE5B,IAAI,OAAO,QAAQ,UACf,MAAM,IAAI,WAAW,4CAA4C;CAErE,MAAM,EAAE,GAAG,iBAAiB,GAAG,SAAS,GAAG,WAAW,WAAW,IAAI,MAAM,GAAG;CAC9E,IAAI,WAAW,GACX,MAAM,IAAI,WAAW,qBAAqB;CAE9C,MAAM,WAAW,MAAM,gBAAgB;EAAE;EAAS,WAAW;EAAiB;CAAU,GAAG,KAAK,OAAO;CACvG,MAAM,SAAS;EAAE,SAAS,SAAS;EAAS,iBAAiB,SAAS;CAAgB;CACtF,IAAI,OAAO,QAAQ,YACf,OAAO;EAAE,GAAG;EAAQ,KAAK,SAAS;CAAI;CAE1C,OAAO;AACX;;;;;;;;;;;;;;;;;;;;;;;;;ACyDA,IAAM,YAAY;AAElB,IAAM,YAAN,MAAgB;CAGK;CACA;CACA;CAJnB,wBAAgB,IAAI,IAAuB;CAC3C,YACE,SACA,UACA,WACA;EAHiB,KAAA,UAAA;EACA,KAAA,WAAA;EACA,KAAA,YAAA;CAChB;CAEH,MAAM,QAAQ,KAAiC;EAC7C,MAAM,SAAS,KAAK,MAAM,IAAI,GAAG;EACjC,IAAI,QAAQ,OAAO;EAGnB,MAAM,OAAM,MADM,KAAK,aAAa,GACpB,KAAK,MAAM,MAAM,EAAE,QAAQ,GAAG;EAC9C,IAAI,CAAC,KACH,MAAM,IAAI,eACR,sBACA,yBAAyB,IAAI,sBAC/B;EAEF,MAAM,MAAO,MAAM,UAAU,KAAK,OAAO;EACzC,KAAK,MAAM,IAAI,KAAK,GAAG;EACvB,OAAO;CACT;CAEA,MAAc,eAAsC;EAClD,IAAI,KAAK,WAAW,OAAO,KAAK;EAChC,IAAI,CAAC,KAAK,UACR,MAAM,IAAI,eACR,yBACA,uEACF;EAEF,MAAM,MAAM,MAAM,KAAK,QAAQ,KAAK,UAAU,EAC5C,SAAS,EAAE,QAAQ,mBAAmB,EACxC,CAAC;EACD,IAAI,CAAC,IAAI,IACP,MAAM,IAAI,eACR,qBACA,sBAAsB,IAAI,OAAO,GAAG,IAAI,YAC1C;EAEF,MAAM,MAAO,MAAM,IAAI,KAAK;EAC5B,IAAI,CAAC,OAAO,CAAC,MAAM,QAAQ,IAAI,IAAI,GACjC,MAAM,IAAI,eAAe,kBAAkB,4CAA4C;EAEzF,OAAO;CACT;AACF;AAEA,IAAa,iBAAb,cAAoC,MAAM;CAEtB;CADlB,YACE,MACA,SACA;EACA,MAAM,OAAO;EAHG,KAAA,OAAA;EAIhB,KAAK,OAAO;CACd;AACF;AAEA,SAAS,SAAiB;CACxB,OAAO,KAAK,MAAM,KAAK,IAAI,IAAI,GAAI;AACrC;AAEA,eAAe,qBAAqB,SAAuB,KAAwC;CACjG,MAAM,MAAM,MAAM,QAAQ,KAAK,EAAE,SAAS,EAAE,QAAQ,mBAAmB,EAAE,CAAC;CAC1E,IAAI,CAAC,IAAI,IACP,MAAM,IAAI,eACR,yBACA,0BAA0B,IAAI,OAAO,GAAG,IAAI,YAC9C;CAEF,OAAQ,MAAM,IAAI,KAAK;AACzB;AAEA,SAAS,gBAAgB,KAAyD;CAChF,MAAM,MAAM,IAAI,QAAQ,GAAG;CAC3B,IAAI,OAAO,GACT,MAAM,IAAI,eAAe,iBAAiB,4BAA4B;CAExE,MAAM,YAAY,IAAI,MAAM,GAAG,GAAG;CAClC,MAAM,OAAO,KAAK,UAAU,QAAQ,MAAM,GAAG,EAAE,QAAQ,MAAM,GAAG,CAAC;CACjE,MAAM,SAAS,KAAK,MAAM,IAAI;CAC9B,IAAI,OAAO,OAAO,QAAQ,YAAY,OAAO,OAAO,QAAQ,UAC1D,MAAM,IAAI,eAAe,sBAAsB,+BAA+B;CAEhF,OAAO;EAAE,KAAK,OAAO;EAAK,KAAK,OAAO;EAAK,KAAK,OAAO;CAAI;AAC7D;AAEA,SAAS,YAAY,OAAe,QAAiB,UAAyB;CAC5E,IAAI,WAAW,UACb,MAAM,IAAI,eACR,2BACA,YAAY,MAAM,iCAAiC,KAAK,UAAU,MAAM,EAAE,aAAa,KAAK,UAAU,QAAQ,EAAE,EAClH;AAEJ;AAOA,eAAe,kBACb,SACA,MACA,UAC2B;CAC3B,MAAM,SAAS,gBAAgB,SAAS,GAAG;CAC3C,IAAI,OAAO,QAAQ,SACjB,MAAM,IAAI,eACR,uBACA,wBAAwB,OAAO,IAAI,mBACrC;CAEF,IAAI,OAAO,QAAQ,SAAS,aAC1B,MAAM,IAAI,eACR,oBACA,oDACF;CAGF,MAAM,MAAM,MAAM,KAAK,QAAQ,OAAO,GAAG;CACzC,IAAI;CACJ,IAAI;EACF,WAAW,MAAM,cAAc,SAAS,KAAK,GAAG;CAClD,SAAS,KAAK;EACZ,MAAM,IAAI,eACR,yBACA,4BAA6B,IAAc,SAC7C;CACF;CAEA,MAAM,UAAU,KAAK,MAAM,IAAI,YAAY,EAAE,OAAO,SAAS,OAAO,CAAC;CAErE,MAAM,OAAO,QAAQ,oBAAoB;CACzC,MAAM,MAAM,OAAO;CACnB,IAAI,QAAQ,oBAAoB,OAAO,KACrC,MAAM,IAAI,eACR,oBACA,uBAAuB,QAAQ,kBAAkB,QAAQ,IAAI,EAC/D;CAGF,YAAY,cAAc,QAAQ,YAAY,QAAQ,SAAS;CAC/D,YAAY,eAAe,QAAQ,aAAa,QAAQ,UAAU;CAClE,YAAY,aAAa,QAAQ,WAAW,QAAQ,QAAQ;CAC5D,YAAY,WAAW,QAAQ,SAAS,QAAQ,OAAO;CACvD,YAAY,oBAAoB,QAAQ,kBAAkB,gBAAgB;CAE1E,OAAO;EAAE;EAAS;CAAS;AAC7B;AAEA,eAAe,gBACb,SACA,KACA,WACsB;CACtB,MAAM,MAAM,MAAM,QAAQ,KAAK,EAC7B,SAAS,EAAE,QAAQ,0CAA0C,EAC/D,CAAC;CACD,IAAI,CAAC,IAAI,IACP,MAAM,IAAI,eACR,uBACA,2BAA2B,IAAI,IAAI,IAAI,OAAO,GAAG,IAAI,YACvD;CAEF,MAAM,QAAQ,MAAM,IAAI,YAAY;CACpC,MAAM,UAAU,OAAO,WAAW,GAAG;CACrC,OAAO;AACT;AAEA,eAAe,UAAU,OAAoB,WAAmB,KAA4B;CAC1F,MAAM,QAAQ,gBAAgB,KAAK,SAAS;CAC5C,IAAI,CAAC,OACH,MAAM,IAAI,eACR,gCACA,yCAAyC,IAAI,IAAI,WACnD;CAEF,MAAM,WAAW,MAAM;CACvB,MAAM,SAAS,MAAM,OAAO,OAAO,OAAO,WAAW,KAAK;CAE1D,IADe,cAAc,IAAI,WAAW,MAAM,CAC9C,MAAW,UACb,MAAM,IAAI,eACR,6BACA,sCAAsC,KACxC;AAEJ;AAEA,SAAS,cAAc,OAA2B;CAChD,IAAI,MAAM;CACV,KAAK,IAAI,IAAI,GAAG,IAAI,MAAM,QAAQ,KAAK,OAAO,OAAO,aAAa,MAAM,EAAG;CAC3E,OAAO,KAAK,GAAG;AACjB;AAEA,eAAsB,sBACpB,SAC0B;CAC1B,MAAM,UAAU,QAAQ,SAAS,WAAW,OAAO,KAAK,UAAU;CAClE,IAAI,CAAC,SACH,MAAM,IAAI,eAAe,qBAAqB,+CAA+C;CAM/F,MAAM,OAAO,IAAI,UAAU,SAHN,QAAQ,eACzB,GAAG,QAAQ,aAAa,QAAQ,OAAO,EAAE,IAAI,cAC7C,KAAA,GAC8C,QAAQ,IAAI;CAE9D,MAAM,kBAAkB,YAAuC;EAC7D,IAAI,QAAQ,eAAe,OAAO,QAAQ,cAAc;EACxD,IAAI,CAAC,QAAQ,aACX,MAAM,IAAI,eACR,2BACA,sDACF;EAEF,OAAO,qBAAqB,SAAS,QAAQ,WAAW;CAC1D;CAEA,IAAI,UAAU,MAAM,kBAAkB,SAAS,MAAM,MAAM,gBAAgB,CAAC;CAE5E,MAAM,8BAAc,IAAI,IAAqB;CAE7C,eAAe,WAAc,MAA0B;EACrD,IAAI,YAAY,IAAI,IAAI,GAAG,OAAO,YAAY,IAAI,IAAI;EACtD,MAAM,MAAM,QAAQ,QAAQ,QAAQ,MAAM,MAAM,EAAE,SAAS,IAAI;EAC/D,IAAI,CAAC,KACH,MAAM,IAAI,eACR,yBACA,WAAW,KAAK,yCAClB;EAEF,MAAM,QAAQ,MAAM,gBAAgB,SAAS,IAAI,KAAK,IAAI,SAAS;EACnE,MAAM,OAAO,IAAI,KAAK,CAAC,KAAK,GAAG,EAAE,MAAM,yBAAyB,CAAC;EACjE,MAAM,UAAU,IAAI,gBAAgB,IAAI;EACxC,IAAI;GACF,MAAM,WAAY,MAAM;;IAA0B;;GAClD,YAAY,IAAI,MAAM,QAAQ;GAC9B,OAAO;EACT,UAAU;GACR,IAAI,gBAAgB,OAAO;EAC7B;CACF;CAEA,eAAe,UAAuC;EACpD,MAAM,OAAO,MAAM,kBAAkB,SAAS,MAAM,MAAM,gBAAgB,CAAC;EAC3E,UAAU;EACV,YAAY,MAAM;EAClB,OAAO,KAAK;CACd;CAEA,OAAO;EACL,IAAI,WAAW;GACb,OAAO,QAAQ;EACjB;EACA,IAAI,WAAW;GACb,OAAO,QAAQ;EACjB;EACA,IAAI,YAAoB;GACtB,OAAO,QAAQ,QAAQ,QAAQ,MAAM,MAAM,EAAE,SAAS,UAAU;EAClE;EACA;EACA;CACF;AACF"}

package/dist/contract/index.d.ts ADDED Viewed

@@ -0,0 +1,138 @@
+/**
+ * Shared contract for @middag-io/licensing.
+ *
+ * Owns the technical schema of manifest, placeholders, and TypeScript types
+ * exchanged between build, client, and worker. Policy values (license state,
+ * authorized installs, entitlements, signed URLs) are owned by the worker.
+ *
+ * Adding a placeholder or breaking a manifest field bumps CONTRACT_VERSION.
+ */
+export declare const CONTRACT_VERSION: "1.0.0";
+/**
+ * Tokens substituted by the worker at materialization time. The names are
+ * semantic so a developer reading a protected source can tell what each
+ * marker becomes — the protection comes from server-side authorization, not
+ * obfuscation of the marker. See ADR-012 §"Protection model".
+ *
+ * These 5 tokens are the locked contract. Worker code at
+ * `src/lib/manifest-materialize.ts:PLACEHOLDERS` MUST mirror this set.
+ * Adding, renaming, or removing a token bumps CONTRACT_VERSION.
+ */
+export declare const PLACEHOLDERS: {
+    readonly host_origin: "__MIDDAG_HOST_ORIGIN__";
+    readonly install_id: "__MIDDAG_INSTALL_ID__";
+    readonly kid: "__MIDDAG_KID__";
+    readonly bundle_expires_at: "__MIDDAG_BUNDLE_EXPIRES_AT__";
+    readonly nonce: "__MIDDAG_NONCE__";
+};
+export type PlaceholderKey = keyof typeof PLACEHOLDERS;
+export type PlaceholderToken = (typeof PLACEHOLDERS)[PlaceholderKey];
+export declare const PLACEHOLDER_TOKENS: readonly PlaceholderToken[];
+export type HostType = "moodle" | "wordpress" | (string & {});
+/**
+ * Canonical host identity. Products map their platform-specific fields
+ * (Moodle `wwwroot`, WordPress `wp_home`, etc.) into these names. `host_key`
+ * is computed server-side (sha256 of host_origin) and never round-tripped
+ * from the client.
+ */
+export interface HostIdentity {
+    host_origin: string;
+    host_type: HostType;
+    install_id: string;
+}
+/**
+ * Per-module entry shape used by the build plugin. The worker resolves the
+ * final URL and SRI at materialization; the build plugin only declares which
+ * compiled artifact carries which logical module name.
+ */
+export interface ModuleDefinition {
+    /** Logical module name used in the AuthorizedManifest. */
+    name: string;
+    /** Path to the emitted artifact, relative to Vite `outDir`. */
+    entry: string;
+    /** Optional commercial/functional grouping. */
+    extension?: string;
+    /** Entitlement keys that gate this module. Empty = always allowed. */
+    entitlements?: string[];
+}
+/**
+ * Template manifest emitted by the build plugin. Carries no install state.
+ * The worker consumes it as the source of truth for "what modules exist for
+ * this product/release/build" and produces an `AuthorizedManifest` from it.
+ *
+ * `hash_sha384` is computed over the *placeholder-bearing* template bytes.
+ * It is informational at this stage — the worker recomputes a fresh
+ * post-substitution SRI hash per install.
+ */
+export interface ManifestTemplate {
+    contract_version: typeof CONTRACT_VERSION;
+    product: string;
+    release: string;
+    build_id: string;
+    modules: Array<ModuleDefinition & {
+        filename: string;
+        hash_sha384: string;
+        placeholders_seen: PlaceholderKey[];
+    }>;
+}
+/**
+ * Decoded payload of the JWS the worker issues per install. Mirrors the
+ * payload built in `src/routes/protected-manifest.ts:manifestHandler`.
+ *
+ * `bundle_expires_at` and `issued_at` are unix seconds (UTC) so they survive
+ * JSON without ISO-string parsing cost. Modules carry post-substitution
+ * SRI integrity strings (`sha384-...`).
+ */
+export interface AuthorizedManifest {
+    iss: string;
+    install_id: string;
+    host_origin: string;
+    host_type: HostType;
+    product: string;
+    release: string;
+    build_id: string;
+    bundle_kid: string;
+    contract_version: string;
+    bundle_expires_at: number;
+    issued_at: number;
+    nonce: string;
+    modules: Array<{
+        name: string;
+        url: string;
+        integrity: string;
+    }>;
+}
+/**
+ * HTTP response shape from the worker's POST /v1/protected/manifest endpoint.
+ * The PHP host bridge calls the worker (HMAC-authenticated) and persists
+ * this payload. The browser client receives the same shape via the
+ * Inertia bootstrap or a host-served `/manifest` URL — it never calls the
+ * worker directly because the browser cannot hold the ingest secret.
+ */
+export interface ManifestResponse {
+    jws: string;
+    signing_kid: string;
+    bundle_kid: string;
+    build_id: string;
+    contract_version: string;
+    bundle_expires_at: number;
+    materialized_at: number;
+    etag: string;
+    modules_count: number;
+}
+/**
+ * Inertia SharedProps payload the PHP library hands to the page so the JS
+ * client knows where to fetch the manifest and which keys to expect. Names
+ * mirror the worker contract so no per-host translation is needed.
+ */
+export interface LicensingBootstrap {
+    install_id: string;
+    host_origin: string;
+    host_type: HostType;
+    product: string;
+    manifest_url: string;
+    manifest_etag?: string;
+    expires_at: number;
+    contract_version: string;
+}
+//# sourceMappingURL=index.d.ts.map

package/dist/contract/index.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/contract/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,eAAO,MAAM,gBAAgB,EAAG,OAAgB,CAAC;AAEjD;;;;;;;;;GASG;AACH,eAAO,MAAM,YAAY;;;;;;CAMf,CAAC;AAEX,MAAM,MAAM,cAAc,GAAG,MAAM,OAAO,YAAY,CAAC;AACvD,MAAM,MAAM,gBAAgB,GAAG,CAAC,OAAO,YAAY,CAAC,CAAC,cAAc,CAAC,CAAC;AAErE,eAAO,MAAM,kBAAkB,EAAE,SAAS,gBAAgB,EAAgC,CAAC;AAE3F,MAAM,MAAM,QAAQ,GAAG,QAAQ,GAAG,WAAW,GAAG,CAAC,MAAM,GAAG,EAAE,CAAC,CAAC;AAE9D;;;;;GAKG;AACH,MAAM,WAAW,YAAY;IAC3B,WAAW,EAAE,MAAM,CAAC;IACpB,SAAS,EAAE,QAAQ,CAAC;IACpB,UAAU,EAAE,MAAM,CAAC;CACpB;AAED;;;;GAIG;AACH,MAAM,WAAW,gBAAgB;IAC/B,0DAA0D;IAC1D,IAAI,EAAE,MAAM,CAAC;IACb,+DAA+D;IAC/D,KAAK,EAAE,MAAM,CAAC;IACd,+CAA+C;IAC/C,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,sEAAsE;IACtE,YAAY,CAAC,EAAE,MAAM,EAAE,CAAC;CACzB;AAED;;;;;;;;GAQG;AACH,MAAM,WAAW,gBAAgB;IAC/B,gBAAgB,EAAE,OAAO,gBAAgB,CAAC;IAC1C,OAAO,EAAE,MAAM,CAAC;IAChB,OAAO,EAAE,MAAM,CAAC;IAChB,QAAQ,EAAE,MAAM,CAAC;IACjB,OAAO,EAAE,KAAK,CACZ,gBAAgB,GAAG;QACjB,QAAQ,EAAE,MAAM,CAAC;QACjB,WAAW,EAAE,MAAM,CAAC;QACpB,iBAAiB,EAAE,cAAc,EAAE,CAAC;KACrC,CACF,CAAC;CACH;AAED;;;;;;;GAOG;AACH,MAAM,WAAW,kBAAkB;IACjC,GAAG,EAAE,MAAM,CAAC;IACZ,UAAU,EAAE,MAAM,CAAC;IACnB,WAAW,EAAE,MAAM,CAAC;IACpB,SAAS,EAAE,QAAQ,CAAC;IACpB,OAAO,EAAE,MAAM,CAAC;IAChB,OAAO,EAAE,MAAM,CAAC;IAChB,QAAQ,EAAE,MAAM,CAAC;IACjB,UAAU,EAAE,MAAM,CAAC;IACnB,gBAAgB,EAAE,MAAM,CAAC;IACzB,iBAAiB,EAAE,MAAM,CAAC;IAC1B,SAAS,EAAE,MAAM,CAAC;IAClB,KAAK,EAAE,MAAM,CAAC;IACd,OAAO,EAAE,KAAK,CAAC;QACb,IAAI,EAAE,MAAM,CAAC;QACb,GAAG,EAAE,MAAM,CAAC;QACZ,SAAS,EAAE,MAAM,CAAC;KACnB,CAAC,CAAC;CACJ;AAED;;;;;;GAMG;AACH,MAAM,WAAW,gBAAgB;IAC/B,GAAG,EAAE,MAAM,CAAC;IACZ,WAAW,EAAE,MAAM,CAAC;IACpB,UAAU,EAAE,MAAM,CAAC;IACnB,QAAQ,EAAE,MAAM,CAAC;IACjB,gBAAgB,EAAE,MAAM,CAAC;IACzB,iBAAiB,EAAE,MAAM,CAAC;IAC1B,eAAe,EAAE,MAAM,CAAC;IACxB,IAAI,EAAE,MAAM,CAAC;IACb,aAAa,EAAE,MAAM,CAAC;CACvB;AAED;;;;GAIG;AACH,MAAM,WAAW,kBAAkB;IACjC,UAAU,EAAE,MAAM,CAAC;IACnB,WAAW,EAAE,MAAM,CAAC;IACpB,SAAS,EAAE,QAAQ,CAAC;IACpB,OAAO,EAAE,MAAM,CAAC;IAChB,YAAY,EAAE,MAAM,CAAC;IACrB,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,UAAU,EAAE,MAAM,CAAC;IACnB,gBAAgB,EAAE,MAAM,CAAC;CAC1B"}

package/dist/contract/index.js ADDED Viewed

@@ -0,0 +1,33 @@
+//#region src/contract/index.ts
+/**
+* Shared contract for @middag-io/licensing.
+*
+* Owns the technical schema of manifest, placeholders, and TypeScript types
+* exchanged between build, client, and worker. Policy values (license state,
+* authorized installs, entitlements, signed URLs) are owned by the worker.
+*
+* Adding a placeholder or breaking a manifest field bumps CONTRACT_VERSION.
+*/
+var CONTRACT_VERSION = "1.0.0";
+/**
+* Tokens substituted by the worker at materialization time. The names are
+* semantic so a developer reading a protected source can tell what each
+* marker becomes — the protection comes from server-side authorization, not
+* obfuscation of the marker. See ADR-012 §"Protection model".
+*
+* These 5 tokens are the locked contract. Worker code at
+* `src/lib/manifest-materialize.ts:PLACEHOLDERS` MUST mirror this set.
+* Adding, renaming, or removing a token bumps CONTRACT_VERSION.
+*/
+var PLACEHOLDERS = {
+	host_origin: "__MIDDAG_HOST_ORIGIN__",
+	install_id: "__MIDDAG_INSTALL_ID__",
+	kid: "__MIDDAG_KID__",
+	bundle_expires_at: "__MIDDAG_BUNDLE_EXPIRES_AT__",
+	nonce: "__MIDDAG_NONCE__"
+};
+var PLACEHOLDER_TOKENS = Object.values(PLACEHOLDERS);
+//#endregion
+export { CONTRACT_VERSION, PLACEHOLDERS, PLACEHOLDER_TOKENS };
+//# sourceMappingURL=index.js.map

package/dist/contract/index.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"index.js","names":[],"sources":["../../src/contract/index.ts"],"sourcesContent":["/**\n * Shared contract for @middag-io/licensing.\n *\n * Owns the technical schema of manifest, placeholders, and TypeScript types\n * exchanged between build, client, and worker. Policy values (license state,\n * authorized installs, entitlements, signed URLs) are owned by the worker.\n *\n * Adding a placeholder or breaking a manifest field bumps CONTRACT_VERSION.\n */\n\nexport const CONTRACT_VERSION = \"1.0.0\" as const;\n\n/**\n * Tokens substituted by the worker at materialization time. The names are\n * semantic so a developer reading a protected source can tell what each\n * marker becomes — the protection comes from server-side authorization, not\n * obfuscation of the marker. See ADR-012 §\"Protection model\".\n *\n * These 5 tokens are the locked contract. Worker code at\n * `src/lib/manifest-materialize.ts:PLACEHOLDERS` MUST mirror this set.\n * Adding, renaming, or removing a token bumps CONTRACT_VERSION.\n */\nexport const PLACEHOLDERS = {\n host_origin: \"__MIDDAG_HOST_ORIGIN__\",\n install_id: \"__MIDDAG_INSTALL_ID__\",\n kid: \"__MIDDAG_KID__\",\n bundle_expires_at: \"__MIDDAG_BUNDLE_EXPIRES_AT__\",\n nonce: \"__MIDDAG_NONCE__\",\n} as const;\n\nexport type PlaceholderKey = keyof typeof PLACEHOLDERS;\nexport type PlaceholderToken = (typeof PLACEHOLDERS)[PlaceholderKey];\n\nexport const PLACEHOLDER_TOKENS: readonly PlaceholderToken[] = Object.values(PLACEHOLDERS);\n\nexport type HostType = \"moodle\" | \"wordpress\" | (string & {});\n\n/**\n * Canonical host identity. Products map their platform-specific fields\n * (Moodle `wwwroot`, WordPress `wp_home`, etc.) into these names. `host_key`\n * is computed server-side (sha256 of host_origin) and never round-tripped\n * from the client.\n */\nexport interface HostIdentity {\n host_origin: string;\n host_type: HostType;\n install_id: string;\n}\n\n/**\n * Per-module entry shape used by the build plugin. The worker resolves the\n * final URL and SRI at materialization; the build plugin only declares which\n * compiled artifact carries which logical module name.\n */\nexport interface ModuleDefinition {\n /** Logical module name used in the AuthorizedManifest. */\n name: string;\n /** Path to the emitted artifact, relative to Vite `outDir`. */\n entry: string;\n /** Optional commercial/functional grouping. */\n extension?: string;\n /** Entitlement keys that gate this module. Empty = always allowed. */\n entitlements?: string[];\n}\n\n/**\n * Template manifest emitted by the build plugin. Carries no install state.\n * The worker consumes it as the source of truth for \"what modules exist for\n * this product/release/build\" and produces an `AuthorizedManifest` from it.\n *\n * `hash_sha384` is computed over the *placeholder-bearing* template bytes.\n * It is informational at this stage — the worker recomputes a fresh\n * post-substitution SRI hash per install.\n */\nexport interface ManifestTemplate {\n contract_version: typeof CONTRACT_VERSION;\n product: string;\n release: string;\n build_id: string;\n modules: Array<\n ModuleDefinition & {\n filename: string;\n hash_sha384: string;\n placeholders_seen: PlaceholderKey[];\n }\n >;\n}\n\n/**\n * Decoded payload of the JWS the worker issues per install. Mirrors the\n * payload built in `src/routes/protected-manifest.ts:manifestHandler`.\n *\n * `bundle_expires_at` and `issued_at` are unix seconds (UTC) so they survive\n * JSON without ISO-string parsing cost. Modules carry post-substitution\n * SRI integrity strings (`sha384-...`).\n */\nexport interface AuthorizedManifest {\n iss: string;\n install_id: string;\n host_origin: string;\n host_type: HostType;\n product: string;\n release: string;\n build_id: string;\n bundle_kid: string;\n contract_version: string;\n bundle_expires_at: number;\n issued_at: number;\n nonce: string;\n modules: Array<{\n name: string;\n url: string;\n integrity: string;\n }>;\n}\n\n/**\n * HTTP response shape from the worker's POST /v1/protected/manifest endpoint.\n * The PHP host bridge calls the worker (HMAC-authenticated) and persists\n * this payload. The browser client receives the same shape via the\n * Inertia bootstrap or a host-served `/manifest` URL — it never calls the\n * worker directly because the browser cannot hold the ingest secret.\n */\nexport interface ManifestResponse {\n jws: string;\n signing_kid: string;\n bundle_kid: string;\n build_id: string;\n contract_version: string;\n bundle_expires_at: number;\n materialized_at: number;\n etag: string;\n modules_count: number;\n}\n\n/**\n * Inertia SharedProps payload the PHP library hands to the page so the JS\n * client knows where to fetch the manifest and which keys to expect. Names\n * mirror the worker contract so no per-host translation is needed.\n */\nexport interface LicensingBootstrap {\n install_id: string;\n host_origin: string;\n host_type: HostType;\n product: string;\n manifest_url: string;\n manifest_etag?: string;\n expires_at: number;\n contract_version: string;\n}\n"],"mappings":";;;;;;;;;;AAUA,IAAa,mBAAmB;;;;;;;;;;;AAYhC,IAAa,eAAe;CAC1B,aAAa;CACb,YAAY;CACZ,KAAK;CACL,mBAAmB;CACnB,OAAO;AACT;AAKA,IAAa,qBAAkD,OAAO,OAAO,YAAY"}

package/dist/index.d.ts ADDED Viewed

@@ -0,0 +1,9 @@
+/**
+ * Root barrel for @middag-io/licensing.
+ *
+ * Re-exports the contract surface so consumers can pull shared types from
+ * the root import. Build- and client-only code stay behind their subpath
+ * exports (`/build`, `/client`).
+ */
+export * from "./contract/index.js";
+//# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,cAAc,qBAAqB,CAAC"}

package/dist/index.js ADDED Viewed

	@@ -0,0 +1,2 @@
1	+ import { CONTRACT_VERSION, PLACEHOLDERS, PLACEHOLDER_TOKENS } from "./contract/index.js";
2	+ export { CONTRACT_VERSION, PLACEHOLDERS, PLACEHOLDER_TOKENS };

package/package.json ADDED Viewed

@@ -0,0 +1,48 @@
+{
+  "name": "@middag-io/licensing",
+  "version": "0.1.0",
+  "type": "module",
+  "description": "MIDDAG protected code delivery — build-time placeholder injection, manifest contract, and runtime loader for licensed JS modules",
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/middag-io/middag-js-licensing.git"
+  },
+  "engines": {
+    "node": ">=20.0.0"
+  },
+  "main": "dist/index.js",
+  "module": "dist/index.js",
+  "types": "dist/index.d.ts",
+  "exports": {
+    ".": {
+      "import": "./dist/index.js",
+      "types": "./dist/index.d.ts"
+    },
+    "./contract": {
+      "import": "./dist/contract/index.js",
+      "types": "./dist/contract/index.d.ts"
+    },
+    "./build": {
+      "import": "./dist/build/index.js",
+      "types": "./dist/build/index.d.ts"
+    },
+    "./client": {
+      "import": "./dist/client/index.js",
+      "types": "./dist/client/index.d.ts"
+    }
+  },
+  "files": [
+    "dist"
+  ],
+  "peerDependencies": {
+    "vite": "^5.0.0 || ^6.0.0 || ^7.0.0 || ^8.0.0"
+  },
+  "peerDependenciesMeta": {
+    "vite": {
+      "optional": true
+    }
+  },
+  "dependencies": {
+    "jose": "^6.2.3"
+  }
+}