@motebit/crypto 0.8.0 → 1.1.0

package/dist/artifacts.d.ts

@@ -5,7 +5,7 @@
  * artifacts. A third party needs these to produce valid signed artifacts that
  * any verifier will accept.
  *
- * Moved from BSL @motebit/crypto to MIT @motebit/crypto.
+ * Moved from BSL @motebit/encryption to the permissive floor in @motebit/crypto (Apache-2.0).
  */
 /**
  * Shape of an execution receipt for signing/verification.
@@ -28,22 +28,140 @@ export interface SignableReceipt {
     delegation_receipts?: SignableReceipt[];
     relay_task_id?: string;
     delegated_scope?: string;
+    /**
+     * Cryptosuite discriminator. Always `"motebit-jcs-ed25519-b64-v1"` today —
+     * the verification recipe is JCS canonicalization of the unsigned body,
+     * Ed25519 primitive, base64url signature encoding. Every ExecutionReceipt
+     * on the wire carries this field; verifiers reject missing or unknown
+     * values fail-closed. Widening this literal to add a PQ suite is a
+     * deliberate registry change (see @motebit/protocol `SuiteId`).
+     */
+    suite: "motebit-jcs-ed25519-b64-v1";
     signature: string;
 }
+/** The one suite ExecutionReceipts sign under today. */
+export declare const EXECUTION_RECEIPT_SUITE: "motebit-jcs-ed25519-b64-v1";
 /**
- * Sign an execution receipt. Produces a canonical JSON representation
- * of all fields except `signature`, signs it with Ed25519, and sets
- * the `signature` field to the base64url-encoded result.
+ * Sign an execution receipt. Stamps the cryptosuite discriminator into
+ * the receipt body, canonicalizes with JCS, dispatches the primitive
+ * signature through `signBySuite`, and encodes as base64url per the
+ * suite's rules.
+ *
+ * Callers pass a receipt *without* `signature` or `suite`; the signer
+ * owns both. The returned object is a full `SignableReceipt` with
+ * `suite` and `signature` set.
  */
-export declare function signExecutionReceipt<T extends Omit<SignableReceipt, "signature">>(receipt: T, privateKey: Uint8Array, publicKey?: Uint8Array): Promise<T & {
+export declare function signExecutionReceipt<T extends Omit<SignableReceipt, "signature" | "suite">>(receipt: T, privateKey: Uint8Array, publicKey?: Uint8Array): Promise<T & {
+    suite: typeof EXECUTION_RECEIPT_SUITE;
     signature: string;
 }>;
 /**
- * Verify an execution receipt's Ed25519 signature.
- * Reconstructs the canonical JSON from all fields except `signature`
- * and verifies against the provided public key.
+ * Verify an execution receipt's signature by dispatching through the
+ * recipe named in `receipt.suite`. Reconstructs the canonical JSON from
+ * all fields except `signature` (the suite IS part of the signed body,
+ * so tampering with it breaks verification).
+ *
+ * Fail-closed on:
+ *   - unknown suite value (dispatcher rejects)
+ *   - suite other than `EXECUTION_RECEIPT_SUITE` (until a PQ variant
+ *     lands in the registry, this narrow check rejects any other
+ *     value — widens when the union widens)
+ *   - base64url decode errors
+ *   - primitive-level verification failure
  */
 export declare function verifyExecutionReceipt(receipt: SignableReceipt, publicKey: Uint8Array): Promise<boolean>;
+/**
+ * Companion to `verifyExecutionReceipt` that returns diagnostic detail
+ * alongside the boolean verdict. Intended for failure-path observability:
+ * when verification fails, the caller can log `canonical_sha256` and
+ * `canonical_preview` and the producer can byte-diff against its own
+ * sign-time hash to localize the mutation. Same canonicalization recipe
+ * as the boolean function — the diagnostic is derived from the exact bytes
+ * the verifier checked.
+ *
+ * Cost: one extra `canonicalJson` + SHA-256 per call. Negligible for the
+ * verify-failed path (rare); callers on the hot success path should still
+ * use `verifyExecutionReceipt` directly.
+ */
+export interface ReceiptVerifyDetail {
+    valid: boolean;
+    /** Hex SHA-256 of the canonical bytes the verifier checked. */
+    canonical_sha256: string;
+    /** First 256 chars of the canonical JSON — enough to spot most field-level diffs. */
+    canonical_preview: string;
+    /** Reason category if valid is false; `"ok"` if true. */
+    reason: "ok" | "wrong_suite" | "bad_base64" | "ed25519_mismatch";
+}
+export declare function verifyExecutionReceiptDetailed(receipt: SignableReceipt, publicKey: Uint8Array): Promise<ReceiptVerifyDetail>;
+/**
+ * Shape of a tool-invocation receipt for signing/verification.
+ * Structurally compatible with `@motebit/protocol` ToolInvocationReceipt.
+ *
+ * A per-tool-call signed artifact: one receipt per invocation of a tool
+ * during an agent turn. The slab emits these live as tool calls
+ * complete. Binding to the enclosing task is by `task_id`; a verifier
+ * can gather all invocations for a task by matching it.
+ *
+ * Commits to structural facts only — tool name, canonical-JSON SHA-256
+ * hashes of args and result, timestamps, identities. The raw args and
+ * raw result bytes are *not* part of the receipt; a verifier who holds
+ * them can recompute the hash and check against the signature.
+ */
+export interface SignableToolInvocationReceipt {
+    invocation_id: string;
+    task_id: string;
+    motebit_id: string;
+    /** Signer's Ed25519 public key (hex). Enables verification without relay lookup. */
+    public_key?: string;
+    device_id: string;
+    tool_name: string;
+    started_at: number;
+    completed_at: number;
+    status: "completed" | "failed" | "denied";
+    args_hash: string;
+    result_hash: string;
+    /** Optional surface-determinism discriminator; signature-bound when present. */
+    invocation_origin?: "user-tap" | "ai-loop" | "scheduled" | "agent-to-agent";
+    /**
+     * Cryptosuite discriminator. Always `"motebit-jcs-ed25519-b64-v1"` for
+     * this artifact today — same verification recipe as `ExecutionReceipt`.
+     * Narrowed to the single suite today so widening requires intentional
+     * registry + type change.
+     */
+    suite: "motebit-jcs-ed25519-b64-v1";
+    signature: string;
+}
+/** The one suite ToolInvocationReceipts sign under today. */
+export declare const TOOL_INVOCATION_RECEIPT_SUITE: "motebit-jcs-ed25519-b64-v1";
+/**
+ * Compute the `args_hash` / `result_hash` for a tool-invocation receipt.
+ * JCS-canonicalizes the value, then SHA-256s the UTF-8 bytes. Returns
+ * hex. Use on both sides of the wire: the producer computes the hash at
+ * sign time; a verifier with the raw value recomputes and matches.
+ *
+ * For `string` values (e.g., a plain result string), the canonicalization
+ * is the value itself wrapped with JSON escaping rules; `canonicalJson`
+ * handles both scalar and object inputs uniformly.
+ */
+export declare function hashToolPayload(value: unknown): Promise<string>;
+/**
+ * Sign a tool-invocation receipt. Mirrors `signExecutionReceipt`:
+ * stamps the cryptosuite into the body, canonicalizes with JCS,
+ * dispatches through `signBySuite`, and encodes as base64url.
+ *
+ * Callers pass a receipt *without* `signature` or `suite`; the signer
+ * owns both. Also embeds the public key (hex) so the receipt is
+ * independently verifiable with no relay lookup.
+ */
+export declare function signToolInvocationReceipt<T extends Omit<SignableToolInvocationReceipt, "signature" | "suite">>(receipt: T, privateKey: Uint8Array, publicKey?: Uint8Array): Promise<T & {
+    suite: typeof TOOL_INVOCATION_RECEIPT_SUITE;
+    signature: string;
+}>;
+/**
+ * Verify a tool-invocation receipt. Fails closed on unknown suite, bad
+ * base64, or signature mismatch — same rules as `verifyExecutionReceipt`.
+ */
+export declare function verifyToolInvocationReceipt(receipt: SignableToolInvocationReceipt, publicKey: Uint8Array): Promise<boolean>;
 /**
  * Inputs for a sovereign payment receipt — produced by the *payee* when
  * a counterparty pays them directly via an onchain wallet rail (Solana,
@@ -132,28 +250,39 @@ export declare function verifyReceiptSequence(chain: ReceiptChainEntry[]): Promi
     index?: number;
 }>;
 /**
- * A signed delegation token authorizing one entity to act on behalf of another.
- * The delegator signs (delegator_id, delegate_id, scope, issued_at, expires_at)
- * with their private key, proving they authorized the delegate.
- */
-export interface DelegationToken {
-    delegator_id: string;
-    delegator_public_key: string;
-    delegate_id: string;
-    delegate_public_key: string;
-    scope: string;
-    issued_at: number;
-    expires_at: number;
-    signature: string;
-}
+ * Re-export `DelegationToken` from the canonical protocol type package.
+ * The interface body lives in `@motebit/protocol` because `DelegationToken`
+ * is a wire-format type (per the synchronization-invariant doctrine,
+ * every spec-declared wire type must be exported from `@motebit/protocol`).
+ *
+ * Two statements so check-deps sees the `import type` prefix on the one
+ * line that references another workspace package — a bare
+ * `export type { X } from "..."` is technically type-only by TypeScript
+ * semantics, but the drift probe's regex only recognizes `import type`.
+ */
+import type { DelegationToken } from "@motebit/protocol";
+export type { DelegationToken };
+/** The one suite DelegationTokens sign under today. */
+export declare const DELEGATION_TOKEN_SUITE: "motebit-jcs-ed25519-b64-v1";
 /**
  * Sign a delegation token. The delegator authorizes the delegate to act
- * within the given scope. The signature covers all fields except `signature`.
+ * within the given scope. Stamps the cryptosuite into the signed body,
+ * dispatches the primitive signature through `signBySuite`.
+ *
+ * Callers pass the token without `signature` or `suite`; the signer owns
+ * both. Public keys must already be hex-encoded — this signer does not
+ * transcode, so the input carries the same encoding the output will.
  */
-export declare function signDelegation(delegation: Omit<DelegationToken, "signature">, delegatorPrivateKey: Uint8Array): Promise<DelegationToken>;
+export declare function signDelegation(delegation: Omit<DelegationToken, "signature" | "suite">, delegatorPrivateKey: Uint8Array): Promise<DelegationToken>;
 /**
  * Verify a delegation token's signature and (optionally) expiration.
  *
+ * Rejects fail-closed on:
+ *   - missing or unknown `suite` value (anything other than `DELEGATION_TOKEN_SUITE`)
+ *   - expired token (unless `options.checkExpiry === false`)
+ *   - malformed hex public key or base64url signature
+ *   - primitive-level verification failure
+ *
  * @param delegation - The delegation token to verify
  * @param options.checkExpiry - If true (default), reject expired tokens. Pass false
  *   only when verifying historical chains where expiration is irrelevant.
@@ -177,6 +306,205 @@ export declare function verifyDelegationChain(chain: DelegationToken[]): Promise
     valid: boolean;
     error?: string;
 }>;
+import type { AdjudicatorVote, DisputeAppeal, DisputeEvidence, DisputeRequest, DisputeResolution } from "@motebit/protocol";
+export type { AdjudicatorVote, DisputeAppeal, DisputeEvidence, DisputeRequest, DisputeResolution };
+/** The one suite AdjudicatorVotes sign under today — matches spec/dispute-v1.md §6.4. */
+export declare const ADJUDICATOR_VOTE_SUITE: "motebit-jcs-ed25519-b64-v1";
+/** The one suite DisputeResolutions sign under today — matches spec/dispute-v1.md §6.4. */
+export declare const DISPUTE_RESOLUTION_SUITE: "motebit-jcs-ed25519-b64-v1";
+/** The one suite DisputeRequest filings sign under today — spec/dispute-v1.md §4.2. */
+export declare const DISPUTE_REQUEST_SUITE: "motebit-jcs-ed25519-b64-v1";
+/** The one suite DisputeEvidence submissions sign under today — spec/dispute-v1.md §5.2. */
+export declare const DISPUTE_EVIDENCE_SUITE: "motebit-jcs-ed25519-b64-v1";
+/** The one suite DisputeAppeal filings sign under today — spec/dispute-v1.md §8.2. */
+export declare const DISPUTE_APPEAL_SUITE: "motebit-jcs-ed25519-b64-v1";
+/**
+ * Sign a federation peer's adjudication vote. The `dispute_id` IS part
+ * of the signed body — spec §6.5 Foundation Law: "Each AdjudicatorVote
+ * signature MUST cover its `dispute_id`. Votes are not portable across
+ * disputes — a malicious adjudicator collecting old votes from other
+ * disputes cannot stuff them into a new resolution because the
+ * dispute_id binding breaks the signature."
+ *
+ * Callers pass the body without `signature` or `suite`; the signer owns
+ * both.
+ */
+export declare function signAdjudicatorVote(vote: Omit<AdjudicatorVote, "signature" | "suite">, peerPrivateKey: Uint8Array): Promise<AdjudicatorVote>;
+/**
+ * Verify an adjudicator vote against the voting peer's public key.
+ * Fail-closed on unknown suite, base64url decode error, and primitive
+ * verification failure. Matching of `peer_id` to a legitimate federation
+ * peer is the caller's responsibility (this function verifies the
+ * signature; peer-membership is a trust decision).
+ */
+export declare function verifyAdjudicatorVote(vote: AdjudicatorVote, peerPublicKey: Uint8Array): Promise<boolean>;
+/**
+ * Sign a dispute resolution. For single-relay adjudication
+ * (`adjudicator_votes: []`) the relay signs with its own identity key.
+ * For federation resolutions, the leader collects signed
+ * `AdjudicatorVote` entries, then signs the aggregate.
+ *
+ * Callers pass the body without `signature` or `suite`; the signer
+ * owns both.
+ *
+ * Per spec §6.5 Foundation Law, a federation resolution MUST include
+ * individual `AdjudicatorVote` entries — aggregated-only verdicts are
+ * rejected. This signer does not enforce that at sign time (the
+ * orchestrator decides whether federation is required); the verifier
+ * re-checks every embedded vote signature when the array is non-empty.
+ */
+export declare function signDisputeResolution(resolution: Omit<DisputeResolution, "signature" | "suite">, adjudicatorPrivateKey: Uint8Array): Promise<DisputeResolution>;
+/**
+ * Verify a dispute resolution. Two layers:
+ *   1. Outer signature verifies against `adjudicatorPublicKey`.
+ *   2. When `adjudicator_votes.length > 0`, every embedded
+ *      AdjudicatorVote's signature is re-checked against the
+ *      corresponding `peerKeys` entry (lookup by `peer_id`). Per §6.5,
+ *      aggregated-only verdicts without individual peer signatures are
+ *      rejected — a missing peer key in the lookup is treated as a
+ *      verification failure.
+ *
+ * Fail-closed on unknown suite, decode errors, primitive verification
+ * failures, any missing peer key, and any invalid embedded vote.
+ */
+export declare function verifyDisputeResolution(resolution: DisputeResolution, adjudicatorPublicKey: Uint8Array, peerKeys?: Map<string, Uint8Array>): Promise<boolean>;
+/**
+ * Sign a DisputeRequest. Filing party signs over canonical JSON of
+ * every field except `signature`. The relay verifies against the
+ * filer's registered public key before accepting the filing — without
+ * the signature, anyone could file a dispute as anyone (foundation
+ * law §4.4: filing party must be a direct party to the task; without
+ * the signature binding, the relay cannot enforce that). Callers pass
+ * the body without `signature` or `suite`; the signer owns both.
+ */
+export declare function signDisputeRequest(request: Omit<DisputeRequest, "signature" | "suite">, filerPrivateKey: Uint8Array): Promise<DisputeRequest>;
+/**
+ * Verify a DisputeRequest against the filing party's public key.
+ * Fail-closed on unknown suite, base64url decode error, and primitive
+ * verification failure. Eligibility checks (`filed_by` is a real party
+ * to `task_id`, trust threshold, evidence_refs non-empty) are the
+ * caller's responsibility — this verifies the signature only.
+ */
+export declare function verifyDisputeRequest(request: DisputeRequest, filerPublicKey: Uint8Array): Promise<boolean>;
+/**
+ * Sign a DisputeEvidence submission. The submitting party — either
+ * the dispute's filer or respondent — signs over the canonical JSON
+ * of every field except `signature`. The relay verifies against the
+ * submitter's registered public key (foundation law §5.4: evidence
+ * must be cryptographically verifiable; unsigned/tampered evidence
+ * is rejected).
+ */
+export declare function signDisputeEvidence(evidence: Omit<DisputeEvidence, "signature" | "suite">, submitterPrivateKey: Uint8Array): Promise<DisputeEvidence>;
+/**
+ * Verify a DisputeEvidence submission against the submitting party's
+ * public key. Inner `evidence_data` validation against its own per-
+ * type schema (e.g. ExecutionReceiptSchema for `execution_receipt`)
+ * is the adjudicator's responsibility — this verifies the outer
+ * envelope signature only.
+ */
+export declare function verifyDisputeEvidence(evidence: DisputeEvidence, submitterPublicKey: Uint8Array): Promise<boolean>;
+/**
+ * Sign a DisputeAppeal. The appealing party — filer or respondent —
+ * signs over the canonical JSON of every field except `signature`.
+ * Foundation law §8.4: one appeal per dispute; the post-appeal state
+ * is terminal. The relay verifies against the appealer's registered
+ * public key before transitioning the dispute to `appealed`.
+ */
+export declare function signDisputeAppeal(appeal: Omit<DisputeAppeal, "signature" | "suite">, appealerPrivateKey: Uint8Array): Promise<DisputeAppeal>;
+/**
+ * Verify a DisputeAppeal against the appealing party's public key.
+ * Fail-closed on unknown suite, base64url decode error, and primitive
+ * verification failure.
+ */
+export declare function verifyDisputeAppeal(appeal: DisputeAppeal, appealerPublicKey: Uint8Array): Promise<boolean>;
+import type { ConsolidationReceipt } from "@motebit/protocol";
+export type { ConsolidationReceipt };
+/** The one suite ConsolidationReceipts sign under today. */
+export declare const CONSOLIDATION_RECEIPT_SUITE: "motebit-jcs-ed25519-b64-v1";
+/**
+ * Sign a consolidation receipt. The motebit's Ed25519 identity key
+ * commits to the structural counts of work performed during a
+ * consolidation cycle. Receipt is self-attesting: any holder of the
+ * signer's public key verifies without contacting any relay.
+ *
+ * Callers pass the body without `signature` or `suite`; the signer
+ * owns both. Pass `publicKey` to embed it in the receipt for portable
+ * verification (recommended — third parties verify from the receipt
+ * alone).
+ *
+ * The signed receipt is `Object.freeze`d before return so any
+ * post-sign mutation throws synchronously at the producer instead of
+ * surfacing as wire-corruption noise on a downstream verifier.
+ */
+export declare function signConsolidationReceipt(receipt: Omit<ConsolidationReceipt, "signature" | "suite" | "public_key">, privateKey: Uint8Array, publicKey?: Uint8Array): Promise<ConsolidationReceipt>;
+/**
+ * Verify a consolidation receipt against the signer's public key.
+ * Fail-closed on unknown `suite`, base64url decode error, primitive
+ * verification failure. The caller is responsible for matching
+ * `motebit_id` to whoever they expect signed; the cryptographic
+ * property here is "this body was signed by the holder of this key."
+ */
+export declare function verifyConsolidationReceipt(receipt: ConsolidationReceipt, publicKey: Uint8Array): Promise<boolean>;
+import type { BalanceWaiver } from "@motebit/protocol";
+export type { BalanceWaiver };
+/** The one suite BalanceWaivers sign under today — matches spec/migration-v1.md §7.2. */
+export declare const BALANCE_WAIVER_SUITE: "motebit-jcs-ed25519-b64-v1";
+/**
+ * Sign a balance waiver. The agent forfeits a named micro-unit amount to
+ * expedite departure from a relay (spec/migration-v1.md §7.2 + §7.3 — a
+ * waiver is one of the two terminal authorizations the depart route will
+ * accept, the other being a confirmed withdrawal).
+ *
+ * Callers pass the body without `signature` or `suite`; the signer owns
+ * both. The agent's identity key signs canonical JSON of the unsigned
+ * body (with `suite` stamped in), base64url-encoded.
+ */
+export declare function signBalanceWaiver(waiver: Omit<BalanceWaiver, "signature" | "suite">, agentPrivateKey: Uint8Array): Promise<BalanceWaiver>;
+/**
+ * Verify a balance waiver against the agent's public key. Rejects
+ * fail-closed on unknown `suite`, base64url decode error, and primitive
+ * verification failure. Matching of `motebit_id` to the authorizing
+ * agent, and `waived_amount` to the actual virtual-account balance, is
+ * the caller's responsibility (neither is a cryptographic property).
+ */
+export declare function verifyBalanceWaiver(waiver: BalanceWaiver, agentPublicKey: Uint8Array): Promise<boolean>;
+import type { SettlementRecord } from "@motebit/protocol";
+export type { SettlementRecord };
+/** The one suite SettlementRecords sign under today. */
+export declare const SETTLEMENT_RECORD_SUITE: "motebit-jcs-ed25519-b64-v1";
+/**
+ * Sign a settlement record. The issuing relay commits to the (amount,
+ * fee, rate, status) tuple; a malicious relay therefore cannot issue
+ * inconsistent records to different observers.
+ *
+ * Callers pass the record without `signature` or `suite`; the signer
+ * owns both.
+ *
+ * Foundation Law (services/api/CLAUDE.md rule 6): every truth the
+ * relay asserts is independently verifiable. Per-agent settlements
+ * deliver this through the signature; federation settlements
+ * additionally get Merkle-batched and onchain-anchored.
+ */
+export declare function signSettlement(settlement: Omit<SettlementRecord, "signature" | "suite">, issuerPrivateKey: Uint8Array): Promise<SettlementRecord>;
+/**
+ * Verify a settlement record's signature. Reconstructs canonical JSON
+ * over all fields except `signature` and verifies Ed25519 against the
+ * issuing relay's public key.
+ *
+ * The caller supplies the public key — typically resolved from the
+ * `issuer_relay_id` via the federation peer registry or a known-keys
+ * store. The signature alone proves the record was issued by the
+ * holder of `issuerPublicKey`; trust in that key is a separate
+ * concern (federation membership, key rotation chain, etc).
+ *
+ * Fail-closed on:
+ *   - missing or unknown `suite` value
+ *   - base64url decode errors
+ *   - primitive-level verification failure
+ */
+export declare function verifySettlement(settlement: SettlementRecord, issuerPublicKey: Uint8Array): Promise<boolean>;
+/** The one suite KeySuccessionRecords sign under today. */
+export declare const KEY_SUCCESSION_SUITE: "motebit-jcs-ed25519-hex-v1";
 /**
  * A key succession record proving that one Ed25519 key has been replaced by another.
  * Normal rotation: both old and new keys sign. Guardian recovery: guardian + new key sign.
@@ -186,6 +514,13 @@ export interface KeySuccessionRecord {
     new_public_key: string;
     timestamp: number;
     reason?: string;
+    /**
+     * Cryptosuite discriminator. Always `"motebit-jcs-ed25519-hex-v1"` —
+     * JCS canonicalization of the unsigned payload, Ed25519 primitive,
+     * hex signature encoding, hex public-key encoding. Structurally
+     * compatible with `@motebit/protocol` `KeySuccessionRecord`.
+     */
+    suite: typeof KEY_SUCCESSION_SUITE;
     old_key_signature?: string;
     new_key_signature: string;
     /** True when succession was authorized by guardian, not old key. */
@@ -195,6 +530,8 @@ export interface KeySuccessionRecord {
 }
 /**
  * Create a key succession record signed by both the old and new keys.
+ * Dispatches primitive signing through `signBySuite` per the
+ * `motebit-jcs-ed25519-hex-v1` suite.
  */
 export declare function signKeySuccession(oldPrivateKey: Uint8Array, newPrivateKey: Uint8Array, newPublicKey: Uint8Array, oldPublicKey: Uint8Array, reason?: string): Promise<KeySuccessionRecord>;
 /**
@@ -204,8 +541,10 @@ export declare function signKeySuccession(oldPrivateKey: Uint8Array, newPrivateK
  */
 export declare function signGuardianRecoverySuccession(guardianPrivateKey: Uint8Array, newPrivateKey: Uint8Array, oldPublicKey: Uint8Array, newPublicKey: Uint8Array, reason?: string): Promise<KeySuccessionRecord>;
 /**
- * Verify a key succession record. For normal rotation, checks old_key_signature + new_key_signature.
- * For guardian recovery (recovery: true), checks guardian_signature + new_key_signature.
+ * Verify a key succession record. For normal rotation, checks
+ * old_key_signature + new_key_signature. For guardian recovery
+ * (recovery: true), checks guardian_signature + new_key_signature.
+ * Rejects records whose `suite` is missing or not the succession suite.
  */
 export declare function verifyKeySuccession(record: KeySuccessionRecord, guardianPublicKeyHex?: string): Promise<boolean>;
 /** Result of verifying a key succession chain. */
@@ -224,9 +563,12 @@ export interface SuccessionChainResult {
  * representing a sequence of key rotations from a genesis key to the current active key.
  */
 export declare function verifySuccessionChain(chain: KeySuccessionRecord[], guardianPublicKeyHex?: string): Promise<SuccessionChainResult>;
+/** Guardian revocation shares the identity-file suite (JCS + hex). */
+export declare const GUARDIAN_REVOCATION_SUITE: "motebit-jcs-ed25519-hex-v1";
 /**
  * Sign a guardian revocation payload — requires BOTH identity and guardian keys.
  * Neither party can unilaterally dissolve the custody relationship.
+ * Dispatches the primitive through `signBySuite`.
  */
 export declare function signGuardianRevocation(identityPrivateKey: Uint8Array, guardianPrivateKey: Uint8Array, timestamp?: number): Promise<{
     payload: string;
@@ -236,33 +578,90 @@ export declare function signGuardianRevocation(identityPrivateKey: Uint8Array, g
 }>;
 /**
  * Verify a guardian revocation proof — both signatures must be valid.
+ * Dispatches primitive verification through `verifyBySuite`.
  */
 export declare function verifyGuardianRevocation(revocation: {
     identity_signature: string;
     guardian_signature: string;
     timestamp: number;
 }, identityPublicKeyHex: string, guardianPublicKeyHex: string): Promise<boolean>;
+/** The one suite CollaborativeReceipts sign under today. */
+export declare const COLLABORATIVE_RECEIPT_SUITE: "motebit-jcs-ed25519-b64-v1";
 export interface SignableCollaborativeReceipt {
     proposal_id: string;
     plan_id: string;
     participant_receipts: SignableReceipt[];
     content_hash: string;
+    /**
+     * Cryptosuite discriminator. Always `"motebit-jcs-ed25519-b64-v1"` —
+     * JCS canonicalization over the signing payload, Ed25519 primitive,
+     * base64url signature encoding. Same recipe as ExecutionReceipt.
+     */
+    suite: typeof COLLABORATIVE_RECEIPT_SUITE;
     initiator_signature: string;
 }
 /**
  * Sign a collaborative receipt. Computes a content hash over the canonical
- * JSON of all participant receipts, then signs the aggregate with the
- * initiator's Ed25519 private key.
+ * JSON of all participant receipts, then signs the aggregate through
+ * `signBySuite` under `motebit-jcs-ed25519-b64-v1`.
  */
-export declare function signCollaborativeReceipt(receipt: Omit<SignableCollaborativeReceipt, "content_hash" | "initiator_signature">, initiatorPrivateKey: Uint8Array): Promise<SignableCollaborativeReceipt>;
+export declare function signCollaborativeReceipt(receipt: Omit<SignableCollaborativeReceipt, "content_hash" | "initiator_signature" | "suite">, initiatorPrivateKey: Uint8Array): Promise<SignableCollaborativeReceipt>;
 /**
  * Verify a collaborative receipt:
- * 1. Recomputes content hash from participant receipts and checks it matches.
- * 2. Verifies the initiator's Ed25519 signature over the aggregate.
- * 3. Optionally verifies each participant receipt against known keys.
+ * 1. Rejects any record whose `suite` is missing or not the collaborative suite.
+ * 2. Recomputes content hash from participant receipts and checks it matches.
+ * 3. Verifies the initiator's Ed25519 signature over the aggregate via `verifyBySuite`.
+ * 4. Optionally verifies each participant receipt against known keys.
  */
 export declare function verifyCollaborativeReceipt(receipt: SignableCollaborativeReceipt, initiatorPublicKey: Uint8Array, participantKeys?: KnownKeys): Promise<{
     valid: boolean;
     error?: string;
 }>;
+/** The one suite device-registration requests sign under today. */
+export declare const DEVICE_REGISTRATION_SUITE: "motebit-jcs-ed25519-b64-v1";
+/**
+ * Shape of a device-registration request for signing/verification.
+ * Structurally compatible with @motebit/protocol `DeviceRegistrationRequest`.
+ */
+export interface SignableDeviceRegistration {
+    motebit_id: string;
+    device_id: string;
+    public_key: string;
+    device_name?: string;
+    owner_id?: string;
+    timestamp: number;
+    suite: typeof DEVICE_REGISTRATION_SUITE;
+    signature: string;
+}
+/**
+ * Sign a device-registration request. Stamps the cryptosuite into the body,
+ * canonicalizes with JCS, dispatches the primitive signature through
+ * `signBySuite`, and encodes as base64url per the suite's rules.
+ *
+ * Callers pass the body without `signature` and (optionally) without `suite`;
+ * the signer owns both. The returned object is a complete signed request
+ * ready to POST to a relay's self-register endpoint.
+ */
+export declare function signDeviceRegistration<T extends Omit<SignableDeviceRegistration, "signature" | "suite">>(body: T, privateKey: Uint8Array): Promise<T & {
+    suite: typeof DEVICE_REGISTRATION_SUITE;
+    signature: string;
+}>;
+/**
+ * Verify a device-registration request's signature against the public key
+ * carried in the request itself. The `now` parameter (defaulting to
+ * `Date.now()`) lets tests pin the clock for replay-window assertions; in
+ * production callers pass the relay's wall-clock at request receipt.
+ *
+ * Returns a discriminated reason on failure so callers can map to wire-level
+ * status codes (per `spec/device-self-registration-v1.md` §5.1).
+ */
+export type DeviceRegistrationVerifyResult = {
+    valid: true;
+} | {
+    valid: false;
+    reason: "malformed" | "stale" | "unsupported_suite" | "bad_signature";
+};
+/** Maximum drift between the signer's claimed timestamp and the verifier's clock. */
+export declare const DEVICE_REGISTRATION_MAX_AGE_MS: number;
+export declare function verifyDeviceRegistration(body: SignableDeviceRegistration, now?: number): Promise<DeviceRegistrationVerifyResult>;
 //# sourceMappingURL=artifacts.d.ts.map

package/dist/artifacts.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"artifacts.d.ts","sourceRoot":"","sources":["../src/artifacts.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAgBH;;;GAGG;AACH,MAAM,WAAW,eAAe;IAC9B,OAAO,EAAE,MAAM,CAAC;IAChB,UAAU,EAAE,MAAM,CAAC;IACnB,oFAAoF;IACpF,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,SAAS,EAAE,MAAM,CAAC;IAClB,YAAY,EAAE,MAAM,CAAC;IACrB,YAAY,EAAE,MAAM,CAAC;IACrB,MAAM,EAAE,WAAW,GAAG,QAAQ,GAAG,QAAQ,CAAC;IAC1C,MAAM,EAAE,MAAM,CAAC;IACf,UAAU,EAAE,MAAM,EAAE,CAAC;IACrB,eAAe,EAAE,MAAM,CAAC;IACxB,WAAW,EAAE,MAAM,CAAC;IACpB,WAAW,EAAE,MAAM,CAAC;IACpB,mBAAmB,CAAC,EAAE,eAAe,EAAE,CAAC;IACxC,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,SAAS,EAAE,MAAM,CAAC;CACnB;AAED;;;;GAIG;AACH,wBAAsB,oBAAoB,CAAC,CAAC,SAAS,IAAI,CAAC,eAAe,EAAE,WAAW,CAAC,EACrF,OAAO,EAAE,CAAC,EACV,UAAU,EAAE,UAAU,EACtB,SAAS,CAAC,EAAE,UAAU,GACrB,OAAO,CAAC,CAAC,GAAG;IAAE,SAAS,EAAE,MAAM,CAAA;CAAE,CAAC,CAOpC;AAED;;;;GAIG;AACH,wBAAsB,sBAAsB,CAC1C,OAAO,EAAE,eAAe,EACxB,SAAS,EAAE,UAAU,GACpB,OAAO,CAAC,OAAO,CAAC,CAUlB;AAID;;;;;;;;;;;;GAYG;AACH,MAAM,WAAW,4BAA4B;IAC3C,uEAAuE;IACvE,gBAAgB,EAAE,MAAM,CAAC;IACzB,6BAA6B;IAC7B,eAAe,EAAE,MAAM,CAAC;IACxB,0EAA0E;IAC1E,gBAAgB,EAAE,MAAM,CAAC;IACzB,iFAAiF;IACjF,IAAI,EAAE,MAAM,CAAC;IACb,OAAO,EAAE,MAAM,CAAC;IAChB,2DAA2D;IAC3D,YAAY,EAAE,MAAM,CAAC;IACrB,mCAAmC;IACnC,KAAK,EAAE,MAAM,CAAC;IACd,gEAAgE;IAChE,mBAAmB,EAAE,MAAM,CAAC;IAC5B,2CAA2C;IAC3C,WAAW,EAAE,MAAM,CAAC;IACpB,0CAA0C;IAC1C,WAAW,EAAE,MAAM,CAAC;IACpB,oFAAoF;IACpF,UAAU,CAAC,EAAE,MAAM,EAAE,CAAC;IACtB,2CAA2C;IAC3C,YAAY,EAAE,MAAM,CAAC;IACrB,yCAAyC;IACzC,YAAY,EAAE,MAAM,CAAC;CACtB;AAED;;;;;;;;GAQG;AACH,wBAAsB,2BAA2B,CAC/C,KAAK,EAAE,4BAA4B,EACnC,UAAU,EAAE,UAAU,EACtB,SAAS,EAAE,UAAU,GACpB,OAAO,CAAC,eAAe,CAAC,CAgB1B;AAID,MAAM,WAAW,mBAAmB;IAClC,OAAO,EAAE,MAAM,CAAC;IAChB,UAAU,EAAE,MAAM,CAAC;IACnB,QAAQ,EAAE,OAAO,CAAC;IAClB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,WAAW,EAAE,mBAAmB,EAAE,CAAC;CACpC;AAED;;;GAGG;AACH,MAAM,MAAM,SAAS,GAAG,GAAG,CAAC,MAAM,EAAE,UAAU,CAAC,CAAC;AAEhD;;;;GAIG;AACH,wBAAsB,kBAAkB,CACtC,OAAO,EAAE,eAAe,EACxB,SAAS,EAAE,SAAS,GACnB,OAAO,CAAC,mBAAmB,CAAC,CA+B9B;AAcD,MAAM,WAAW,iBAAiB;IAChC,OAAO,EAAE,eAAe,CAAC;IACzB,iBAAiB,EAAE,UAAU,CAAC;CAC/B;AAED;;;;;;;;;GASG;AACH,wBAAsB,qBAAqB,CACzC,KAAK,EAAE,iBAAiB,EAAE,GACzB,OAAO,CAAC;IAAE,KAAK,EAAE,OAAO,CAAC;IAAC,KAAK,CAAC,EAAE,MAAM,CAAC;IAAC,KAAK,CAAC,EAAE,MAAM,CAAA;CAAE,CAAC,CAwB7D;AAID;;;;GAIG;AACH,MAAM,WAAW,eAAe;IAC9B,YAAY,EAAE,MAAM,CAAC;IACrB,oBAAoB,EAAE,MAAM,CAAC;IAC7B,WAAW,EAAE,MAAM,CAAC;IACpB,mBAAmB,EAAE,MAAM,CAAC;IAC5B,KAAK,EAAE,MAAM,CAAC;IACd,SAAS,EAAE,MAAM,CAAC;IAClB,UAAU,EAAE,MAAM,CAAC;IACnB,SAAS,EAAE,MAAM,CAAC;CACnB;AAED;;;GAGG;AACH,wBAAsB,cAAc,CAClC,UAAU,EAAE,IAAI,CAAC,eAAe,EAAE,WAAW,CAAC,EAC9C,mBAAmB,EAAE,UAAU,GAC9B,OAAO,CAAC,eAAe,CAAC,CAK1B;AAED;;;;;;;GAOG;AACH,wBAAsB,gBAAgB,CACpC,UAAU,EAAE,eAAe,EAC3B,OAAO,CAAC,EAAE;IAAE,WAAW,CAAC,EAAE,OAAO,CAAC;IAAC,GAAG,CAAC,EAAE,MAAM,CAAA;CAAE,GAChD,OAAO,CAAC,OAAO,CAAC,CAiBlB;AAED;;;;;;;;;GASG;AACH,wBAAsB,qBAAqB,CACzC,KAAK,EAAE,eAAe,EAAE,GACvB,OAAO,CAAC;IAAE,KAAK,EAAE,OAAO,CAAC;IAAC,KAAK,CAAC,EAAE,MAAM,CAAA;CAAE,CAAC,CAoC7C;AAID;;;GAGG;AACH,MAAM,WAAW,mBAAmB;IAClC,cAAc,EAAE,MAAM,CAAC;IACvB,cAAc,EAAE,MAAM,CAAC;IACvB,SAAS,EAAE,MAAM,CAAC;IAClB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,iBAAiB,CAAC,EAAE,MAAM,CAAC;IAC3B,iBAAiB,EAAE,MAAM,CAAC;IAC1B,oEAAoE;IACpE,QAAQ,CAAC,EAAE,OAAO,CAAC;IACnB,+DAA+D;IAC/D,kBAAkB,CAAC,EAAE,MAAM,CAAC;CAC7B;AA0BD;;GAEG;AACH,wBAAsB,iBAAiB,CACrC,aAAa,EAAE,UAAU,EACzB,aAAa,EAAE,UAAU,EACzB,YAAY,EAAE,UAAU,EACxB,YAAY,EAAE,UAAU,EACxB,MAAM,CAAC,EAAE,MAAM,GACd,OAAO,CAAC,mBAAmB,CAAC,CAmB9B;AAED;;;;GAIG;AACH,wBAAsB,8BAA8B,CAClD,kBAAkB,EAAE,UAAU,EAC9B,aAAa,EAAE,UAAU,EACzB,YAAY,EAAE,UAAU,EACxB,YAAY,EAAE,UAAU,EACxB,MAAM,CAAC,EAAE,MAAM,GACd,OAAO,CAAC,mBAAmB,CAAC,CA2B9B;AAED;;;GAGG;AACH,wBAAsB,mBAAmB,CACvC,MAAM,EAAE,mBAAmB,EAC3B,oBAAoB,CAAC,EAAE,MAAM,GAC5B,OAAO,CAAC,OAAO,CAAC,CA+BlB;AAID,kDAAkD;AAClD,MAAM,WAAW,qBAAqB;IACpC,KAAK,EAAE,OAAO,CAAC;IACf,kBAAkB,EAAE,MAAM,CAAC;IAC3B,kBAAkB,EAAE,MAAM,CAAC;IAC3B,MAAM,EAAE,MAAM,CAAC;IACf,KAAK,CAAC,EAAE;QAAE,KAAK,EAAE,MAAM,CAAC;QAAC,OAAO,EAAE,MAAM,CAAA;KAAE,CAAC;CAC5C;AAED;;;GAGG;AACH,wBAAsB,qBAAqB,CACzC,KAAK,EAAE,mBAAmB,EAAE,EAC5B,oBAAoB,CAAC,EAAE,MAAM,GAC5B,OAAO,CAAC,qBAAqB,CAAC,CA+EhC;AAID;;;GAGG;AACH,wBAAsB,sBAAsB,CAC1C,kBAAkB,EAAE,UAAU,EAC9B,kBAAkB,EAAE,UAAU,EAC9B,SAAS,CAAC,EAAE,MAAM,GACjB,OAAO,CAAC;IACT,OAAO,EAAE,MAAM,CAAC;IAChB,kBAAkB,EAAE,MAAM,CAAC;IAC3B,kBAAkB,EAAE,MAAM,CAAC;IAC3B,SAAS,EAAE,MAAM,CAAC;CACnB,CAAC,CAcD;AAED;;GAEG;AACH,wBAAsB,wBAAwB,CAC5C,UAAU,EAAE;IACV,kBAAkB,EAAE,MAAM,CAAC;IAC3B,kBAAkB,EAAE,MAAM,CAAC;IAC3B,SAAS,EAAE,MAAM,CAAC;CACnB,EACD,oBAAoB,EAAE,MAAM,EAC5B,oBAAoB,EAAE,MAAM,GAC3B,OAAO,CAAC,OAAO,CAAC,CAiBlB;AAID,MAAM,WAAW,4BAA4B;IAC3C,WAAW,EAAE,MAAM,CAAC;IACpB,OAAO,EAAE,MAAM,CAAC;IAChB,oBAAoB,EAAE,eAAe,EAAE,CAAC;IACxC,YAAY,EAAE,MAAM,CAAC;IACrB,mBAAmB,EAAE,MAAM,CAAC;CAC7B;AAED;;;;GAIG;AACH,wBAAsB,wBAAwB,CAC5C,OAAO,EAAE,IAAI,CAAC,4BAA4B,EAAE,cAAc,GAAG,qBAAqB,CAAC,EACnF,mBAAmB,EAAE,UAAU,GAC9B,OAAO,CAAC,4BAA4B,CAAC,CAkBvC;AAED;;;;;GAKG;AACH,wBAAsB,0BAA0B,CAC9C,OAAO,EAAE,4BAA4B,EACrC,kBAAkB,EAAE,UAAU,EAC9B,eAAe,CAAC,EAAE,SAAS,GAC1B,OAAO,CAAC;IAAE,KAAK,EAAE,OAAO,CAAC;IAAC,KAAK,CAAC,EAAE,MAAM,CAAA;CAAE,CAAC,CAiD7C"}
+{"version":3,"file":"artifacts.d.ts","sourceRoot":"","sources":["../src/artifacts.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAwCH;;;GAGG;AACH,MAAM,WAAW,eAAe;IAC9B,OAAO,EAAE,MAAM,CAAC;IAChB,UAAU,EAAE,MAAM,CAAC;IACnB,oFAAoF;IACpF,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,SAAS,EAAE,MAAM,CAAC;IAClB,YAAY,EAAE,MAAM,CAAC;IACrB,YAAY,EAAE,MAAM,CAAC;IACrB,MAAM,EAAE,WAAW,GAAG,QAAQ,GAAG,QAAQ,CAAC;IAC1C,MAAM,EAAE,MAAM,CAAC;IACf,UAAU,EAAE,MAAM,EAAE,CAAC;IACrB,eAAe,EAAE,MAAM,CAAC;IACxB,WAAW,EAAE,MAAM,CAAC;IACpB,WAAW,EAAE,MAAM,CAAC;IACpB,mBAAmB,CAAC,EAAE,eAAe,EAAE,CAAC;IACxC,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB;;;;;;;OAOG;IACH,KAAK,EAAE,4BAA4B,CAAC;IACpC,SAAS,EAAE,MAAM,CAAC;CACnB;AAED,wDAAwD;AACxD,eAAO,MAAM,uBAAuB,EAAG,4BAAqC,CAAC;AAE7E;;;;;;;;;GASG;AACH,wBAAsB,oBAAoB,CAAC,CAAC,SAAS,IAAI,CAAC,eAAe,EAAE,WAAW,GAAG,OAAO,CAAC,EAC/F,OAAO,EAAE,CAAC,EACV,UAAU,EAAE,UAAU,EACtB,SAAS,CAAC,EAAE,UAAU,GACrB,OAAO,CAAC,CAAC,GAAG;IAAE,KAAK,EAAE,OAAO,uBAAuB,CAAC;IAAC,SAAS,EAAE,MAAM,CAAA;CAAE,CAAC,CAgC3E;AAED;;;;;;;;;;;;;GAaG;AACH,wBAAsB,sBAAsB,CAC1C,OAAO,EAAE,eAAe,EACxB,SAAS,EAAE,UAAU,GACpB,OAAO,CAAC,OAAO,CAAC,CA+BlB;AAED;;;;;;;;;;;;GAYG;AACH,MAAM,WAAW,mBAAmB;IAClC,KAAK,EAAE,OAAO,CAAC;IACf,+DAA+D;IAC/D,gBAAgB,EAAE,MAAM,CAAC;IACzB,qFAAqF;IACrF,iBAAiB,EAAE,MAAM,CAAC;IAC1B,yDAAyD;IACzD,MAAM,EAAE,IAAI,GAAG,aAAa,GAAG,YAAY,GAAG,kBAAkB,CAAC;CAClE;AAED,wBAAsB,8BAA8B,CAClD,OAAO,EAAE,eAAe,EACxB,SAAS,EAAE,UAAU,GACpB,OAAO,CAAC,mBAAmB,CAAC,CAiC9B;AAID;;;;;;;;;;;;;GAaG;AACH,MAAM,WAAW,6BAA6B;IAC5C,aAAa,EAAE,MAAM,CAAC;IACtB,OAAO,EAAE,MAAM,CAAC;IAChB,UAAU,EAAE,MAAM,CAAC;IACnB,oFAAoF;IACpF,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,SAAS,EAAE,MAAM,CAAC;IAClB,SAAS,EAAE,MAAM,CAAC;IAClB,UAAU,EAAE,MAAM,CAAC;IACnB,YAAY,EAAE,MAAM,CAAC;IACrB,MAAM,EAAE,WAAW,GAAG,QAAQ,GAAG,QAAQ,CAAC;IAC1C,SAAS,EAAE,MAAM,CAAC;IAClB,WAAW,EAAE,MAAM,CAAC;IACpB,gFAAgF;IAChF,iBAAiB,CAAC,EAAE,UAAU,GAAG,SAAS,GAAG,WAAW,GAAG,gBAAgB,CAAC;IAC5E;;;;;OAKG;IACH,KAAK,EAAE,4BAA4B,CAAC;IACpC,SAAS,EAAE,MAAM,CAAC;CACnB;AAED,6DAA6D;AAC7D,eAAO,MAAM,6BAA6B,EAAG,4BAAqC,CAAC;AAEnF;;;;;;;;;GASG;AACH,wBAAsB,eAAe,CAAC,KAAK,EAAE,OAAO,GAAG,OAAO,CAAC,MAAM,CAAC,CAErE;AAED;;;;;;;;GAQG;AACH,wBAAsB,yBAAyB,CAC7C,CAAC,SAAS,IAAI,CAAC,6BAA6B,EAAE,WAAW,GAAG,OAAO,CAAC,EAEpE,OAAO,EAAE,CAAC,EACV,UAAU,EAAE,UAAU,EACtB,SAAS,CAAC,EAAE,UAAU,GACrB,OAAO,CAAC,CAAC,GAAG;IAAE,KAAK,EAAE,OAAO,6BAA6B,CAAC;IAAC,SAAS,EAAE,MAAM,CAAA;CAAE,CAAC,CAsBjF;AAED;;;GAGG;AACH,wBAAsB,2BAA2B,CAC/C,OAAO,EAAE,6BAA6B,EACtC,SAAS,EAAE,UAAU,GACpB,OAAO,CAAC,OAAO,CAAC,CA+BlB;AAID;;;;;;;;;;;;GAYG;AACH,MAAM,WAAW,4BAA4B;IAC3C,uEAAuE;IACvE,gBAAgB,EAAE,MAAM,CAAC;IACzB,6BAA6B;IAC7B,eAAe,EAAE,MAAM,CAAC;IACxB,0EAA0E;IAC1E,gBAAgB,EAAE,MAAM,CAAC;IACzB,iFAAiF;IACjF,IAAI,EAAE,MAAM,CAAC;IACb,OAAO,EAAE,MAAM,CAAC;IAChB,2DAA2D;IAC3D,YAAY,EAAE,MAAM,CAAC;IACrB,mCAAmC;IACnC,KAAK,EAAE,MAAM,CAAC;IACd,gEAAgE;IAChE,mBAAmB,EAAE,MAAM,CAAC;IAC5B,2CAA2C;IAC3C,WAAW,EAAE,MAAM,CAAC;IACpB,0CAA0C;IAC1C,WAAW,EAAE,MAAM,CAAC;IACpB,oFAAoF;IACpF,UAAU,CAAC,EAAE,MAAM,EAAE,CAAC;IACtB,2CAA2C;IAC3C,YAAY,EAAE,MAAM,CAAC;IACrB,yCAAyC;IACzC,YAAY,EAAE,MAAM,CAAC;CACtB;AAED;;;;;;;;GAQG;AACH,wBAAsB,2BAA2B,CAC/C,KAAK,EAAE,4BAA4B,EACnC,UAAU,EAAE,UAAU,EACtB,SAAS,EAAE,UAAU,GACpB,OAAO,CAAC,eAAe,CAAC,CAiB1B;AAID,MAAM,WAAW,mBAAmB;IAClC,OAAO,EAAE,MAAM,CAAC;IAChB,UAAU,EAAE,MAAM,CAAC;IACnB,QAAQ,EAAE,OAAO,CAAC;IAClB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,WAAW,EAAE,mBAAmB,EAAE,CAAC;CACpC;AAED;;;GAGG;AACH,MAAM,MAAM,SAAS,GAAG,GAAG,CAAC,MAAM,EAAE,UAAU,CAAC,CAAC;AAEhD;;;;GAIG;AACH,wBAAsB,kBAAkB,CACtC,OAAO,EAAE,eAAe,EACxB,SAAS,EAAE,SAAS,GACnB,OAAO,CAAC,mBAAmB,CAAC,CA+B9B;AAcD,MAAM,WAAW,iBAAiB;IAChC,OAAO,EAAE,eAAe,CAAC;IACzB,iBAAiB,EAAE,UAAU,CAAC;CAC/B;AAED;;;;;;;;;GASG;AACH,wBAAsB,qBAAqB,CACzC,KAAK,EAAE,iBAAiB,EAAE,GACzB,OAAO,CAAC;IAAE,KAAK,EAAE,OAAO,CAAC;IAAC,KAAK,CAAC,EAAE,MAAM,CAAC;IAAC,KAAK,CAAC,EAAE,MAAM,CAAA;CAAE,CAAC,CAwB7D;AAID;;;;;;;;;;GAUG;AACH,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,mBAAmB,CAAC;AACzD,YAAY,EAAE,eAAe,EAAE,CAAC;AAEhC,uDAAuD;AACvD,eAAO,MAAM,sBAAsB,EAAG,4BAAqC,CAAC;AAE5E;;;;;;;;GAQG;AACH,wBAAsB,cAAc,CAClC,UAAU,EAAE,IAAI,CAAC,eAAe,EAAE,WAAW,GAAG,OAAO,CAAC,EACxD,mBAAmB,EAAE,UAAU,GAC9B,OAAO,CAAC,eAAe,CAAC,CAM1B;AAED;;;;;;;;;;;;;GAaG;AACH,wBAAsB,gBAAgB,CACpC,UAAU,EAAE,eAAe,EAC3B,OAAO,CAAC,EAAE;IAAE,WAAW,CAAC,EAAE,OAAO,CAAC;IAAC,GAAG,CAAC,EAAE,MAAM,CAAA;CAAE,GAChD,OAAO,CAAC,OAAO,CAAC,CAmBlB;AAED;;;;;;;;;GASG;AACH,wBAAsB,qBAAqB,CACzC,KAAK,EAAE,eAAe,EAAE,GACvB,OAAO,CAAC;IAAE,KAAK,EAAE,OAAO,CAAC;IAAC,KAAK,CAAC,EAAE,MAAM,CAAA;CAAE,CAAC,CAoC7C;AAMD,OAAO,KAAK,EAAE,eAAe,EAAE,aAAa,EAAE,eAAe,EAAE,cAAc,EAAE,iBAAiB,EAAE,MAAM,mBAAmB,CAAC;AAC5H,YAAY,EAAE,eAAe,EAAE,aAAa,EAAE,eAAe,EAAE,cAAc,EAAE,iBAAiB,EAAE,CAAC;AAEnG,yFAAyF;AACzF,eAAO,MAAM,sBAAsB,EAAG,4BAAqC,CAAC;AAE5E,2FAA2F;AAC3F,eAAO,MAAM,wBAAwB,EAAG,4BAAqC,CAAC;AAE9E,uFAAuF;AACvF,eAAO,MAAM,qBAAqB,EAAG,4BAAqC,CAAC;AAE3E,4FAA4F;AAC5F,eAAO,MAAM,sBAAsB,EAAG,4BAAqC,CAAC;AAE5E,sFAAsF;AACtF,eAAO,MAAM,oBAAoB,EAAG,4BAAqC,CAAC;AAE1E;;;;;;;;;;GAUG;AACH,wBAAsB,mBAAmB,CACvC,IAAI,EAAE,IAAI,CAAC,eAAe,EAAE,WAAW,GAAG,OAAO,CAAC,EAClD,cAAc,EAAE,UAAU,GACzB,OAAO,CAAC,eAAe,CAAC,CAM1B;AAED;;;;;;GAMG;AACH,wBAAsB,qBAAqB,CACzC,IAAI,EAAE,eAAe,EACrB,aAAa,EAAE,UAAU,GACxB,OAAO,CAAC,OAAO,CAAC,CAWlB;AAED;;;;;;;;;;;;;;GAcG;AACH,wBAAsB,qBAAqB,CACzC,UAAU,EAAE,IAAI,CAAC,iBAAiB,EAAE,WAAW,GAAG,OAAO,CAAC,EAC1D,qBAAqB,EAAE,UAAU,GAChC,OAAO,CAAC,iBAAiB,CAAC,CAM5B;AAED;;;;;;;;;;;;GAYG;AACH,wBAAsB,uBAAuB,CAC3C,UAAU,EAAE,iBAAiB,EAC7B,oBAAoB,EAAE,UAAU,EAChC,QAAQ,CAAC,EAAE,GAAG,CAAC,MAAM,EAAE,UAAU,CAAC,GACjC,OAAO,CAAC,OAAO,CAAC,CA2BlB;AAED;;;;;;;;GAQG;AACH,wBAAsB,kBAAkB,CACtC,OAAO,EAAE,IAAI,CAAC,cAAc,EAAE,WAAW,GAAG,OAAO,CAAC,EACpD,eAAe,EAAE,UAAU,GAC1B,OAAO,CAAC,cAAc,CAAC,CAMzB;AAED;;;;;;GAMG;AACH,wBAAsB,oBAAoB,CACxC,OAAO,EAAE,cAAc,EACvB,cAAc,EAAE,UAAU,GACzB,OAAO,CAAC,OAAO,CAAC,CAWlB;AAED;;;;;;;GAOG;AACH,wBAAsB,mBAAmB,CACvC,QAAQ,EAAE,IAAI,CAAC,eAAe,EAAE,WAAW,GAAG,OAAO,CAAC,EACtD,mBAAmB,EAAE,UAAU,GAC9B,OAAO,CAAC,eAAe,CAAC,CAM1B;AAED;;;;;;GAMG;AACH,wBAAsB,qBAAqB,CACzC,QAAQ,EAAE,eAAe,EACzB,kBAAkB,EAAE,UAAU,GAC7B,OAAO,CAAC,OAAO,CAAC,CAWlB;AAED;;;;;;GAMG;AACH,wBAAsB,iBAAiB,CACrC,MAAM,EAAE,IAAI,CAAC,aAAa,EAAE,WAAW,GAAG,OAAO,CAAC,EAClD,kBAAkB,EAAE,UAAU,GAC7B,OAAO,CAAC,aAAa,CAAC,CAMxB;AAED;;;;GAIG;AACH,wBAAsB,mBAAmB,CACvC,MAAM,EAAE,aAAa,EACrB,iBAAiB,EAAE,UAAU,GAC5B,OAAO,CAAC,OAAO,CAAC,CAWlB;AAID,OAAO,KAAK,EAAE,oBAAoB,EAAE,MAAM,mBAAmB,CAAC;AAC9D,YAAY,EAAE,oBAAoB,EAAE,CAAC;AAErC,4DAA4D;AAC5D,eAAO,MAAM,2BAA2B,EAAG,4BAAqC,CAAC;AAEjF;;;;;;;;;;;;;;GAcG;AACH,wBAAsB,wBAAwB,CAC5C,OAAO,EAAE,IAAI,CAAC,oBAAoB,EAAE,WAAW,GAAG,OAAO,GAAG,YAAY,CAAC,EACzE,UAAU,EAAE,UAAU,EACtB,SAAS,CAAC,EAAE,UAAU,GACrB,OAAO,CAAC,oBAAoB,CAAC,CAS/B;AAED;;;;;;GAMG;AACH,wBAAsB,0BAA0B,CAC9C,OAAO,EAAE,oBAAoB,EAC7B,SAAS,EAAE,UAAU,GACpB,OAAO,CAAC,OAAO,CAAC,CAWlB;AAID,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,mBAAmB,CAAC;AACvD,YAAY,EAAE,aAAa,EAAE,CAAC;AAE9B,yFAAyF;AACzF,eAAO,MAAM,oBAAoB,EAAG,4BAAqC,CAAC;AAE1E;;;;;;;;;GASG;AACH,wBAAsB,iBAAiB,CACrC,MAAM,EAAE,IAAI,CAAC,aAAa,EAAE,WAAW,GAAG,OAAO,CAAC,EAClD,eAAe,EAAE,UAAU,GAC1B,OAAO,CAAC,aAAa,CAAC,CAMxB;AAED;;;;;;GAMG;AACH,wBAAsB,mBAAmB,CACvC,MAAM,EAAE,aAAa,EACrB,cAAc,EAAE,UAAU,GACzB,OAAO,CAAC,OAAO,CAAC,CAWlB;AAID,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,mBAAmB,CAAC;AAC1D,YAAY,EAAE,gBAAgB,EAAE,CAAC;AAEjC,wDAAwD;AACxD,eAAO,MAAM,uBAAuB,EAAG,4BAAqC,CAAC;AAE7E;;;;;;;;;;;;GAYG;AACH,wBAAsB,cAAc,CAClC,UAAU,EAAE,IAAI,CAAC,gBAAgB,EAAE,WAAW,GAAG,OAAO,CAAC,EACzD,gBAAgB,EAAE,UAAU,GAC3B,OAAO,CAAC,gBAAgB,CAAC,CAM3B;AAED;;;;;;;;;;;;;;;GAeG;AACH,wBAAsB,gBAAgB,CACpC,UAAU,EAAE,gBAAgB,EAC5B,eAAe,EAAE,UAAU,GAC1B,OAAO,CAAC,OAAO,CAAC,CAWlB;AAID,2DAA2D;AAC3D,eAAO,MAAM,oBAAoB,EAAG,4BAAqC,CAAC;AAE1E;;;GAGG;AACH,MAAM,WAAW,mBAAmB;IAClC,cAAc,EAAE,MAAM,CAAC;IACvB,cAAc,EAAE,MAAM,CAAC;IACvB,SAAS,EAAE,MAAM,CAAC;IAClB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB;;;;;OAKG;IACH,KAAK,EAAE,OAAO,oBAAoB,CAAC;IACnC,iBAAiB,CAAC,EAAE,MAAM,CAAC;IAC3B,iBAAiB,EAAE,MAAM,CAAC;IAC1B,oEAAoE;IACpE,QAAQ,CAAC,EAAE,OAAO,CAAC;IACnB,+DAA+D;IAC/D,kBAAkB,CAAC,EAAE,MAAM,CAAC;CAC7B;AA6BD;;;;GAIG;AACH,wBAAsB,iBAAiB,CACrC,aAAa,EAAE,UAAU,EACzB,aAAa,EAAE,UAAU,EACzB,YAAY,EAAE,UAAU,EACxB,YAAY,EAAE,UAAU,EACxB,MAAM,CAAC,EAAE,MAAM,GACd,OAAO,CAAC,mBAAmB,CAAC,CAoB9B;AAED;;;;GAIG;AACH,wBAAsB,8BAA8B,CAClD,kBAAkB,EAAE,UAAU,EAC9B,aAAa,EAAE,UAAU,EACzB,YAAY,EAAE,UAAU,EACxB,YAAY,EAAE,UAAU,EACxB,MAAM,CAAC,EAAE,MAAM,GACd,OAAO,CAAC,mBAAmB,CAAC,CA4B9B;AAED;;;;;GAKG;AACH,wBAAsB,mBAAmB,CACvC,MAAM,EAAE,mBAAmB,EAC3B,oBAAoB,CAAC,EAAE,MAAM,GAC5B,OAAO,CAAC,OAAO,CAAC,CAgClB;AAID,kDAAkD;AAClD,MAAM,WAAW,qBAAqB;IACpC,KAAK,EAAE,OAAO,CAAC;IACf,kBAAkB,EAAE,MAAM,CAAC;IAC3B,kBAAkB,EAAE,MAAM,CAAC;IAC3B,MAAM,EAAE,MAAM,CAAC;IACf,KAAK,CAAC,EAAE;QAAE,KAAK,EAAE,MAAM,CAAC;QAAC,OAAO,EAAE,MAAM,CAAA;KAAE,CAAC;CAC5C;AAED;;;GAGG;AACH,wBAAsB,qBAAqB,CACzC,KAAK,EAAE,mBAAmB,EAAE,EAC5B,oBAAoB,CAAC,EAAE,MAAM,GAC5B,OAAO,CAAC,qBAAqB,CAAC,CA+EhC;AAID,sEAAsE;AACtE,eAAO,MAAM,yBAAyB,EAAG,4BAAqC,CAAC;AAE/E;;;;GAIG;AACH,wBAAsB,sBAAsB,CAC1C,kBAAkB,EAAE,UAAU,EAC9B,kBAAkB,EAAE,UAAU,EAC9B,SAAS,CAAC,EAAE,MAAM,GACjB,OAAO,CAAC;IACT,OAAO,EAAE,MAAM,CAAC;IAChB,kBAAkB,EAAE,MAAM,CAAC;IAC3B,kBAAkB,EAAE,MAAM,CAAC;IAC3B,SAAS,EAAE,MAAM,CAAC;CACnB,CAAC,CAkBD;AAED;;;GAGG;AACH,wBAAsB,wBAAwB,CAC5C,UAAU,EAAE;IACV,kBAAkB,EAAE,MAAM,CAAC;IAC3B,kBAAkB,EAAE,MAAM,CAAC;IAC3B,SAAS,EAAE,MAAM,CAAC;CACnB,EACD,oBAAoB,EAAE,MAAM,EAC5B,oBAAoB,EAAE,MAAM,GAC3B,OAAO,CAAC,OAAO,CAAC,CA+BlB;AAID,4DAA4D;AAC5D,eAAO,MAAM,2BAA2B,EAAG,4BAAqC,CAAC;AAEjF,MAAM,WAAW,4BAA4B;IAC3C,WAAW,EAAE,MAAM,CAAC;IACpB,OAAO,EAAE,MAAM,CAAC;IAChB,oBAAoB,EAAE,eAAe,EAAE,CAAC;IACxC,YAAY,EAAE,MAAM,CAAC;IACrB;;;;OAIG;IACH,KAAK,EAAE,OAAO,2BAA2B,CAAC;IAC1C,mBAAmB,EAAE,MAAM,CAAC;CAC7B;AAED;;;;GAIG;AACH,wBAAsB,wBAAwB,CAC5C,OAAO,EAAE,IAAI,CAAC,4BAA4B,EAAE,cAAc,GAAG,qBAAqB,GAAG,OAAO,CAAC,EAC7F,mBAAmB,EAAE,UAAU,GAC9B,OAAO,CAAC,4BAA4B,CAAC,CAoBvC;AAED;;;;;;GAMG;AACH,wBAAsB,0BAA0B,CAC9C,OAAO,EAAE,4BAA4B,EACrC,kBAAkB,EAAE,UAAU,EAC9B,eAAe,CAAC,EAAE,SAAS,GAC1B,OAAO,CAAC;IAAE,KAAK,EAAE,OAAO,CAAC;IAAC,KAAK,CAAC,EAAE,MAAM,CAAA;CAAE,CAAC,CAuD7C;AAcD,mEAAmE;AACnE,eAAO,MAAM,yBAAyB,EAAG,4BAAqC,CAAC;AAE/E;;;GAGG;AACH,MAAM,WAAW,0BAA0B;IACzC,UAAU,EAAE,MAAM,CAAC;IACnB,SAAS,EAAE,MAAM,CAAC;IAClB,UAAU,EAAE,MAAM,CAAC;IACnB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,SAAS,EAAE,MAAM,CAAC;IAClB,KAAK,EAAE,OAAO,yBAAyB,CAAC;IACxC,SAAS,EAAE,MAAM,CAAC;CACnB;AAED;;;;;;;;GAQG;AACH,wBAAsB,sBAAsB,CAC1C,CAAC,SAAS,IAAI,CAAC,0BAA0B,EAAE,WAAW,GAAG,OAAO,CAAC,EAEjE,IAAI,EAAE,CAAC,EACP,UAAU,EAAE,UAAU,GACrB,OAAO,CAAC,CAAC,GAAG;IAAE,KAAK,EAAE,OAAO,yBAAyB,CAAC;IAAC,SAAS,EAAE,MAAM,CAAA;CAAE,CAAC,CAS7E;AAED;;;;;;;;GAQG;AACH,MAAM,MAAM,8BAA8B,GACtC;IAAE,KAAK,EAAE,IAAI,CAAA;CAAE,GACf;IAAE,KAAK,EAAE,KAAK,CAAC;IAAC,MAAM,EAAE,WAAW,GAAG,OAAO,GAAG,mBAAmB,GAAG,eAAe,CAAA;CAAE,CAAC;AAE5F,qFAAqF;AACrF,eAAO,MAAM,8BAA8B,QAAgB,CAAC;AAE5D,wBAAsB,wBAAwB,CAC5C,IAAI,EAAE,0BAA0B,EAChC,GAAG,GAAE,MAAmB,GACvB,OAAO,CAAC,8BAA8B,CAAC,CAoCzC"}