@motebit/crypto 0.8.0 → 1.1.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/LICENSE +198 -18
- package/NOTICE +19 -0
- package/README.md +11 -3
- package/dist/artifacts.d.ts +431 -32
- package/dist/artifacts.d.ts.map +1 -1
- package/dist/credential-anchor.d.ts +76 -2
- package/dist/credential-anchor.d.ts.map +1 -1
- package/dist/credentials.d.ts +26 -1
- package/dist/credentials.d.ts.map +1 -1
- package/dist/hardware-attestation.d.ts +268 -0
- package/dist/hardware-attestation.d.ts.map +1 -0
- package/dist/index.d.ts +56 -3
- package/dist/index.d.ts.map +1 -1
- package/dist/index.js +3597 -153
- package/dist/signing.d.ts +52 -17
- package/dist/signing.d.ts.map +1 -1
- package/dist/suite-dispatch.d.ts +103 -0
- package/dist/suite-dispatch.d.ts.map +1 -0
- package/dist/suite-dispatch.js +3233 -0
- package/package.json +20 -5
- package/dist/artifacts.js +0 -506
- package/dist/artifacts.js.map +0 -1
- package/dist/credential-anchor.js +0 -159
- package/dist/credential-anchor.js.map +0 -1
- package/dist/credentials.js +0 -209
- package/dist/credentials.js.map +0 -1
- package/dist/index.js.map +0 -1
- package/dist/signing.js +0 -282
- package/dist/signing.js.map +0 -1
|
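--- a/package/dist/credential-anchor.d.ts
+++ b/package/dist/credential-anchor.d.ts
@@ -1,11 +1,14 @@
 /**
 * Credential anchor — leaf hashing and self-verification.
 *
-*
-* can compute credential leaves and verify anchor proofs
+* Permissive floor (Apache-2.0): these functions are part of the open protocol.
+* Any implementation can compute credential leaves and verify anchor proofs
+* using this module.
 *
 * motebit/credential-anchor@1.0 §3 (leaf hash) and §5.2 (verification).
 */
+/** The one suite CredentialAnchorBatch records sign under today. */
+export declare const CREDENTIAL_ANCHOR_SUITE: "motebit-jcs-ed25519-hex-v1";
 /**
 * Compute a credential leaf hash for Merkle anchoring.
 *
@@ -64,6 +67,13 @@ export interface CredentialAnchorProofFields {
 layer_sizes: number[];
 relay_id: string;
 relay_public_key: string;
+/**
+* Cryptosuite discriminator for `batch_signature`. Always
+* `"motebit-jcs-ed25519-hex-v1"` — JCS canonicalization of the batch
+* payload, Ed25519 primitive, hex signature encoding. Verifiers
+* reject missing or unknown values fail-closed.
+*/
+suite: typeof CREDENTIAL_ANCHOR_SUITE;
 batch_signature: string;
 anchor: {
 chain: string;
@@ -94,4 +104,68 @@ export interface CredentialAnchorProofFields {
 * ```
 */
 export declare function verifyCredentialAnchor(credential: Record<string, unknown>, anchorProof: CredentialAnchorProofFields, chainVerifier?: ChainAnchorVerifier): Promise<CredentialAnchorVerifyResult>;
+/** Result of verifying an onchain revocation anchor. */
+export interface RevocationAnchorVerifyResult {
+/** Whether the revocation anchor is valid. */
+valid: boolean;
+/** Individual step results. */
+steps: {
+/** Step 1: memo format is valid and contains the expected public key. */
+memo_valid: boolean;
+/** Step 2: relay's Ed25519 signature over the revocation payload is valid. */
+relay_signature_valid: boolean;
+/** Step 3: onchain anchor verified (null if not checked). */
+chain_verified: boolean | null;
+};
+/** Error messages for failed steps. */
+errors: string[];
+}
+/** The one suite revocation anchor events sign under today (utf8-concat). */
+export declare const REVOCATION_ANCHOR_SUITE: "motebit-concat-ed25519-hex-v1";
+/** Fields needed to verify a revocation anchor. */
+export interface RevocationAnchorProof {
+/** Hex-encoded public key that was revoked. */
+revoked_public_key: string;
+/** Millisecond timestamp of the revocation event. */
+timestamp: number;
+/**
+* Cryptosuite discriminator. Always `"motebit-concat-ed25519-hex-v1"` —
+* UTF-8 concatenation template + Ed25519 primitive + hex signature.
+* Same suite as federation heartbeat.
+*/
+suite: typeof REVOCATION_ANCHOR_SUITE;
+/** Hex-encoded Ed25519 signature over the revocation payload by the relay. */
+signature: string;
+/** Hex-encoded Ed25519 public key of the relay that signed the revocation. */
+relay_public_key: string;
+/** Onchain anchor metadata, or null if not yet submitted. */
+anchor: {
+chain: string;
+network: string;
+tx_hash: string;
+} | null;
+}
+/**
+* Verify a revocation anchor — confirm a key was revoked.
+*
+* The revocation memo format is: "motebit:revocation:v1:{public_key_hex}:{timestamp}"
+* The relay signs the payload "revocation:{type}:{motebit_id}:{timestamp}" with its
+* identity key. This function verifies:
+*
+* 1. The relay's Ed25519 signature over the revocation event
+* 2. Optionally, the onchain memo transaction via a callback
+*
+* Both steps are offline-verifiable given the relay's public key. The onchain
+* step requires network access but ensures the relay cannot deny the revocation.
+*
+* @param proof - The revocation anchor proof fields
+* @param revocationPayload - The exact signed payload string (e.g., "revocation:key_rotated:mid-xxx:1712345678")
+* @param chainVerifier - Optional callback: given tx_hash + expected memo, verify onchain
+*/
+export declare function verifyRevocationAnchor(proof: RevocationAnchorProof, revocationPayload: string, chainVerifier?: (anchor: {
+chain: string;
+network: string;
+tx_hash: string;
+expected_memo: string;
+}) => Promise<boolean>): Promise<RevocationAnchorVerifyResult>;
 //# sourceMappingURL=credential-anchor.d.ts.map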
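Review bot: `verifyRevocationAnchor` offers no parameter for the relay key the caller already trusts — `relay_public_key` is read from the very `proof` being verified, so unless the implementation (not visible in this .d.ts) compares it against an out-of-band relay list, `relay_signature_valid` only shows the proof is self-consistent and anyone can mint an accepting proof under their own key. Either add an `expectedRelayPublicKey` parameter or put the pinning duty on the field: `/** Not a trust anchor: compare against the relay key you already trust before relying on relay_signature_valid. */`. The docstring also disagrees with the result type: it lists two steps and calls both offline-verifiable, then says the onchain step needs network access, while `RevocationAnchorVerifyResult.steps` reports three (`memo_valid`, `relay_signature_valid`, `chain_verified`). Finally, `revocationPayload` is caller-supplied and keyed by `motebit_id`, whereas the memo and `revoked_public_key` are keyed by public key; the declaration should say whether the payload's timestamp and subject are cross-checked against `proof.timestamp` and `proof.revoked_public_key`, since a verifier that does not is verifying a string of the caller's choosing.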
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"credential-anchor.d.ts","sourceRoot":"","sources":["../src/credential-anchor.ts"],"names":[],"mappings":"AAAA
|
|
1
|
+
{"version":3,"file":"credential-anchor.d.ts","sourceRoot":"","sources":["../src/credential-anchor.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAIH,oEAAoE;AACpE,eAAO,MAAM,uBAAuB,EAAG,4BAAqC,CAAC;AA2B7E;;;;;;;;;GASG;AACH,wBAAsB,qBAAqB,CAAC,UAAU,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,OAAO,CAAC,MAAM,CAAC,CAIhG;AA4CD,qDAAqD;AACrD,MAAM,WAAW,4BAA4B;IAC3C,wCAAwC;IACxC,KAAK,EAAE,OAAO,CAAC;IACf,+BAA+B;IAC/B,KAAK,EAAE;QACL,wDAAwD;QACxD,UAAU,EAAE,OAAO,CAAC;QACpB,6DAA6D;QAC7D,YAAY,EAAE,OAAO,CAAC;QACtB,yEAAyE;QACzE,qBAAqB,EAAE,OAAO,CAAC;QAC/B,6DAA6D;QAC7D,cAAc,EAAE,OAAO,GAAG,IAAI,CAAC;KAChC,CAAC;IACF,uCAAuC;IACvC,MAAM,EAAE,MAAM,EAAE,CAAC;CAClB;AAED;;;;;;;;GAQG;AACH,MAAM,MAAM,mBAAmB,GAAG,CAAC,MAAM,EAAE;IACzC,KAAK,EAAE,MAAM,CAAC;IACd,OAAO,EAAE,MAAM,CAAC;IAChB,OAAO,EAAE,MAAM,CAAC;IAChB,WAAW,EAAE,MAAM,CAAC;IACpB,aAAa,EAAE,MAAM,CAAC;CACvB,KAAK,OAAO,CAAC,OAAO,CAAC,CAAC;AAEvB,uDAAuD;AACvD,MAAM,WAAW,2BAA2B;IAC1C,eAAe,EAAE,MAAM,CAAC;IACxB,QAAQ,EAAE,MAAM,CAAC;IACjB,WAAW,EAAE,MAAM,CAAC;IACpB,UAAU,EAAE,MAAM,CAAC;IACnB,eAAe,EAAE,MAAM,CAAC;IACxB,cAAc,EAAE,MAAM,CAAC;IACvB,UAAU,EAAE,MAAM,CAAC;IACnB,QAAQ,EAAE,MAAM,EAAE,CAAC;IACnB,WAAW,EAAE,MAAM,EAAE,CAAC;IACtB,QAAQ,EAAE,MAAM,CAAC;IACjB,gBAAgB,EAAE,MAAM,CAAC;IACzB;;;;;OAKG;IACH,KAAK,EAAE,OAAO,uBAAuB,CAAC;IACtC,eAAe,EAAE,MAAM,CAAC;IACxB,MAAM,EAAE;QACN,KAAK,EAAE,MAAM,CAAC;QACd,OAAO,EAAE,MAAM,CAAC;QAChB,OAAO,EAAE,MAAM,CAAC;QAChB,WAAW,EAAE,MAAM,CAAC;KACrB,GAAG,IAAI,CAAC;CACV;AAED;;;;;;;;;;;;;;;;;;;;GAoBG;AACH,wBAAsB,sBAAsB,CAC1C,UAAU,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EACnC,WAAW,EAAE,2BAA2B,EACxC,aAAa,CAAC,EAAE,mBAAmB,GAClC,OAAO,CAAC,4BAA4B,CAAC,CA8FvC;AAID,wDAAwD;AACxD,MAAM,WAAW,4BAA4B;IAC3C,8CAA8C;IAC9C,KAAK,EAAE,OAAO,CAAC;IACf,+BAA+B;IAC/B,KAAK,EAAE;QACL,yEAAyE;QACzE,UAAU,EAAE,OAAO,CAAC;QACpB,8EAA8E;QAC9E,qBAAqB,EAAE,OAAO,CAAC;QAC/B,6DAA6D;QAC7D,cAAc,EAAE,OAAO,GAAG,IAAI,CAAC;KAChC,CAAC;IACF,uCAAuC;IACvC,MAAM,EAAE,MAAM,EAAE,CAAC;CAClB;AAED,6EAA6E;AAC7E,eAAO,MAAM,uBAAuB,EAAG,+BAAwC,CAAC;AAEhF,mDAAmD;AACnD,MAAM,WAAW,qBAAqB;IACpC,+CAA+C;IAC/C,kBAAkB,
EAAE,MAAM,CAAC;IAC3B,qDAAqD;IACrD,SAAS,EAAE,MAAM,CAAC;IAClB;;;;OAIG;IACH,KAAK,EAAE,OAAO,uBAAuB,CAAC;IACtC,8EAA8E;IAC9E,SAAS,EAAE,MAAM,CAAC;IAClB,8EAA8E;IAC9E,gBAAgB,EAAE,MAAM,CAAC;IACzB,6DAA6D;IAC7D,MAAM,EAAE;QACN,KAAK,EAAE,MAAM,CAAC;QACd,OAAO,EAAE,MAAM,CAAC;QAChB,OAAO,EAAE,MAAM,CAAC;KACjB,GAAG,IAAI,CAAC;CACV;AAED;;;;;;;;;;;;;;;;GAgBG;AACH,wBAAsB,sBAAsB,CAC1C,KAAK,EAAE,qBAAqB,EAC5B,iBAAiB,EAAE,MAAM,EACzB,aAAa,CAAC,EAAE,CAAC,MAAM,EAAE;IACvB,KAAK,EAAE,MAAM,CAAC;IACd,OAAO,EAAE,MAAM,CAAC;IAChB,OAAO,EAAE,MAAM,CAAC;IAChB,aAAa,EAAE,MAAM,CAAC;CACvB,KAAK,OAAO,CAAC,OAAO,CAAC,GACrB,OAAO,CAAC,4BAA4B,CAAC,CAoEvC"}
|
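--- a/package/dist/credentials.d.ts
+++ b/package/dist/credentials.d.ts
@@ -4,7 +4,7 @@
 * Signing and verification of W3C Verifiable Credentials and Presentations
 * using the protocol's canonical Ed25519 + JCS pipeline.
 *
-* Moved from BSL @motebit/
+* Moved from BSL @motebit/encryption to the permissive floor in @motebit/crypto (Apache-2.0).
 */
 export interface DataIntegrityProof {
 type: "DataIntegrityProof";
@@ -67,6 +67,21 @@ export interface TrustCredentialSubject {
 failed_tasks: number;
 first_seen_at: number;
 last_seen_at: number;
+/**
+* Optional hardware-attestation claim. Mirror of the same-named
+* field on `TrustCredentialSubject` in `@motebit/protocol`. Set when
+* a peer issuer has verified the subject's self-published
+* hardware-attestation credential and is folding the verified claim
+* into a peer credential about the subject. See
+* `spec/credential-v1.md` §3.4.
+*/
+hardware_attestation?: HardwareAttestationClaim;
+}
+/** Mirror of `HardwareAttestationClaim` in `@motebit/protocol`. */
+export interface HardwareAttestationClaim {
+platform: "secure_enclave" | "tpm" | "play_integrity" | "android_keystore" | "device_check" | "webauthn" | "software";
+key_exported?: boolean;
+attestation_receipt?: string;
 }
 export declare function signVerifiableCredential<T = Record<string, unknown>>(unsignedVC: Omit<VerifiableCredential<T>, "proof">, privateKey: Uint8Array, publicKey: Uint8Array): Promise<VerifiableCredential<T>>;
 export declare function verifyVerifiableCredential<T = Record<string, unknown>>(vc: VerifiableCredential<T>): Promise<boolean>;
@@ -102,6 +117,16 @@ export declare function issueTrustCredential(trustRecord: {
 failed_tasks?: number;
 first_seen_at: number;
 last_seen_at: number;
+/**
+* Optional verified `HardwareAttestationClaim` to embed in the
+* subject. Phase 1 of the hardware-attestation peer flow: the
+* issuer (delegator that consumed the worker's receipt) verifies
+* the worker's self-published claim via
+* `verifyHardwareAttestationClaim` and includes the verified claim
+* here. Routing aggregation reads this via
+* `aggregateHardwareAttestation`. Spec credential-v1 §3.4.
+*/
+hardware_attestation?: HardwareAttestationClaim;
 }, privateKey: Uint8Array, publicKey: Uint8Array, subjectDid: string, validForMs?: number, statusEndpoint?: string): Promise<VerifiableCredential<TrustCredentialSubject>>;
 export declare function createPresentation(credentials: VerifiableCredential[], privateKey: Uint8Array, publicKey: Uint8Array): Promise<VerifiablePresentation>;
 //# sourceMappingURL=credentials.d.ts.map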
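Review bot: `HardwareAttestationClaim` is now declared twice in this package's public surface — here as a hand-maintained mirror, and in `hardware-attestation.d.ts` as an import from `@motebit/protocol` — so the two copies can drift silently, and the `platform` literal union is exactly what the verifier dispatches on. Prefer `export type { HardwareAttestationClaim } from "@motebit/protocol";` here, or state which declaration is canonical. The new `key_exported` and `attestation_receipt` members carry no doc comment; `key_exported` is presumably self-reported by the subject and `attestation_receipt` is optional even for hardware platforms, so a verifier needs something like `/** Self-reported by the subject; absence or false is not evidence that the key never left the device. */` and `/** Platform receipt to verify with verifyHardwareAttestationClaim; a hardware-platform claim without one cannot be verified. */`. The `issueTrustCredential` doc says the issuer verifies the claim before embedding it, but nothing in the type distinguishes a verified claim from a copied one — worth saying on `hardware_attestation` that the field is only as trustworthy as the issuer's signature.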
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"credentials.d.ts","sourceRoot":"","sources":["../src/credentials.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAeH,MAAM,WAAW,kBAAkB;IACjC,IAAI,EAAE,oBAAoB,CAAC;IAC3B,WAAW,EAAE,gBAAgB,CAAC;IAC9B,OAAO,EAAE,MAAM,CAAC;IAChB,kBAAkB,EAAE,MAAM,CAAC;IAC3B,YAAY,EAAE,iBAAiB,GAAG,gBAAgB,CAAC;IACnD,UAAU,EAAE,MAAM,CAAC;CACpB;AAED,MAAM,WAAW,oBAAoB,CAAC,CAAC,GAAG,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC;IAC/D,UAAU,EAAE,MAAM,EAAE,CAAC;IACrB,IAAI,EAAE,MAAM,EAAE,CAAC;IACf,MAAM,EAAE,MAAM,CAAC;IACf,iBAAiB,EAAE,CAAC,GAAG;QAAE,EAAE,EAAE,MAAM,CAAA;KAAE,CAAC;IACtC,SAAS,EAAE,MAAM,CAAC;IAClB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,gBAAgB,CAAC,EAAE;QAAE,EAAE,EAAE,MAAM,CAAC;QAAC,IAAI,EAAE,MAAM,CAAA;KAAE,CAAC;IAChD,KAAK,EAAE,kBAAkB,CAAC;CAC3B;AAED,MAAM,WAAW,sBAAsB;IACrC,UAAU,EAAE,MAAM,EAAE,CAAC;IACrB,IAAI,EAAE,MAAM,EAAE,CAAC;IACf,MAAM,EAAE,MAAM,CAAC;IACf,oBAAoB,EAAE,oBAAoB,EAAE,CAAC;IAC7C,KAAK,EAAE,kBAAkB,CAAC;CAC3B;AAKD,MAAM,WAAW,yBAAyB;IACxC,EAAE,EAAE,MAAM,CAAC;IACX,QAAQ,EAAE,MAAM,CAAC;IACjB,iBAAiB,EAAE,MAAM,CAAC;IAC1B,iBAAiB,EAAE,MAAM,CAAC;IAC1B,kBAAkB,EAAE,MAAM,CAAC;IAC3B,kBAAkB,EAAE,MAAM,CAAC;IAC3B,iBAAiB,EAAE,MAAM,CAAC;IAC1B,sBAAsB,EAAE,MAAM,CAAC;IAC/B,eAAe,EAAE,MAAM,CAAC;IACxB,kBAAkB,EAAE,MAAM,CAAC;IAC3B,WAAW,EAAE,MAAM,CAAC;CACrB;AAED,MAAM,WAAW,2BAA2B;IAC1C,EAAE,EAAE,MAAM,CAAC;IACX,YAAY,EAAE,MAAM,CAAC;IACrB,cAAc,EAAE,MAAM,CAAC;IACvB,UAAU,EAAE,MAAM,CAAC;IACnB,WAAW,EAAE,MAAM,CAAC;IACpB,YAAY,EAAE,MAAM,CAAC;IACrB,WAAW,EAAE,MAAM,CAAC;IACpB,WAAW,EAAE,MAAM,CAAC;CACrB;AAED,MAAM,WAAW,sBAAsB;IACrC,EAAE,EAAE,MAAM,CAAC;IACX,WAAW,EAAE,MAAM,CAAC;IACpB,iBAAiB,EAAE,MAAM,CAAC;IAC1B,gBAAgB,EAAE,MAAM,CAAC;IACzB,YAAY,EAAE,MAAM,CAAC;IACrB,aAAa,EAAE,MAAM,CAAC;IACtB,YAAY,EAAE,MAAM,CAAC;
|
|
1
|
+
{"version":3,"file":"credentials.d.ts","sourceRoot":"","sources":["../src/credentials.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAeH,MAAM,WAAW,kBAAkB;IACjC,IAAI,EAAE,oBAAoB,CAAC;IAC3B,WAAW,EAAE,gBAAgB,CAAC;IAC9B,OAAO,EAAE,MAAM,CAAC;IAChB,kBAAkB,EAAE,MAAM,CAAC;IAC3B,YAAY,EAAE,iBAAiB,GAAG,gBAAgB,CAAC;IACnD,UAAU,EAAE,MAAM,CAAC;CACpB;AAED,MAAM,WAAW,oBAAoB,CAAC,CAAC,GAAG,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC;IAC/D,UAAU,EAAE,MAAM,EAAE,CAAC;IACrB,IAAI,EAAE,MAAM,EAAE,CAAC;IACf,MAAM,EAAE,MAAM,CAAC;IACf,iBAAiB,EAAE,CAAC,GAAG;QAAE,EAAE,EAAE,MAAM,CAAA;KAAE,CAAC;IACtC,SAAS,EAAE,MAAM,CAAC;IAClB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,gBAAgB,CAAC,EAAE;QAAE,EAAE,EAAE,MAAM,CAAC;QAAC,IAAI,EAAE,MAAM,CAAA;KAAE,CAAC;IAChD,KAAK,EAAE,kBAAkB,CAAC;CAC3B;AAED,MAAM,WAAW,sBAAsB;IACrC,UAAU,EAAE,MAAM,EAAE,CAAC;IACrB,IAAI,EAAE,MAAM,EAAE,CAAC;IACf,MAAM,EAAE,MAAM,CAAC;IACf,oBAAoB,EAAE,oBAAoB,EAAE,CAAC;IAC7C,KAAK,EAAE,kBAAkB,CAAC;CAC3B;AAKD,MAAM,WAAW,yBAAyB;IACxC,EAAE,EAAE,MAAM,CAAC;IACX,QAAQ,EAAE,MAAM,CAAC;IACjB,iBAAiB,EAAE,MAAM,CAAC;IAC1B,iBAAiB,EAAE,MAAM,CAAC;IAC1B,kBAAkB,EAAE,MAAM,CAAC;IAC3B,kBAAkB,EAAE,MAAM,CAAC;IAC3B,iBAAiB,EAAE,MAAM,CAAC;IAC1B,sBAAsB,EAAE,MAAM,CAAC;IAC/B,eAAe,EAAE,MAAM,CAAC;IACxB,kBAAkB,EAAE,MAAM,CAAC;IAC3B,WAAW,EAAE,MAAM,CAAC;CACrB;AAED,MAAM,WAAW,2BAA2B;IAC1C,EAAE,EAAE,MAAM,CAAC;IACX,YAAY,EAAE,MAAM,CAAC;IACrB,cAAc,EAAE,MAAM,CAAC;IACvB,UAAU,EAAE,MAAM,CAAC;IACnB,WAAW,EAAE,MAAM,CAAC;IACpB,YAAY,EAAE,MAAM,CAAC;IACrB,WAAW,EAAE,MAAM,CAAC;IACpB,WAAW,EAAE,MAAM,CAAC;CACrB;AAED,MAAM,WAAW,sBAAsB;IACrC,EAAE,EAAE,MAAM,CAAC;IACX,WAAW,EAAE,MAAM,CAAC;IACpB,iBAAiB,EAAE,MAAM,CAAC;IAC1B,gBAAgB,EAAE,MAAM,CAAC;IACzB,YAAY,EAAE,MAAM,CAAC;IACrB,aAAa,EAAE,MAAM,CAAC;IACtB,YAAY,EAAE,MAAM,CAAC;IACrB;;;;;;;OAOG;IACH,oBAAoB,CAAC,EAAE,wBAAwB,CAAC;CACjD;AAED,mEAAmE;AACnE,MAAM,WAAW,wBAAwB;IACvC,QAAQ,EACJ,gBAAgB,GAChB,KAAK,GACL,gBAAgB,GAChB,kBAAkB,GAClB,cAAc,GACd,UAAU,GACV,UAAU,CAAC;IACf,YAAY,CAAC,EAAE,OAAO,CAAC;IACvB,mBAAmB,CAAC,EAAE,MAAM,CAAC;CAC9B;AAgGD,wBAAsB,wBAAwB,CAAC,CAAC,GAAG,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EACxE,UAA
U,EAAE,IAAI,CAAC,oBAAoB,CAAC,CAAC,CAAC,EAAE,OAAO,CAAC,EAClD,UAAU,EAAE,UAAU,EACtB,SAAS,EAAE,UAAU,GACpB,OAAO,CAAC,oBAAoB,CAAC,CAAC,CAAC,CAAC,CAQlC;AAED,wBAAsB,0BAA0B,CAAC,CAAC,GAAG,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAC1E,EAAE,EAAE,oBAAoB,CAAC,CAAC,CAAC,GAC1B,OAAO,CAAC,OAAO,CAAC,CAMlB;AAID,wBAAsB,0BAA0B,CAC9C,UAAU,EAAE,IAAI,CAAC,sBAAsB,EAAE,OAAO,CAAC,EACjD,UAAU,EAAE,UAAU,EACtB,SAAS,EAAE,UAAU,GACpB,OAAO,CAAC,sBAAsB,CAAC,CAQjC;AAED,wBAAsB,4BAA4B,CAChD,EAAE,EAAE,sBAAsB,GACzB,OAAO,CAAC;IAAE,KAAK,EAAE,OAAO,CAAC;IAAC,MAAM,EAAE,MAAM,EAAE,CAAA;CAAE,CAAC,CAoB/C;AAUD,wBAAsB,uBAAuB,CAC3C,QAAQ,EAAE;IACR,QAAQ,EAAE,MAAM,CAAC;IACjB,iBAAiB,EAAE,MAAM,CAAC;IAC1B,iBAAiB,EAAE,MAAM,CAAC;IAC1B,kBAAkB,EAAE,MAAM,CAAC;IAC3B,kBAAkB,EAAE,MAAM,CAAC;IAC3B,iBAAiB,EAAE,MAAM,CAAC;IAC1B,sBAAsB,EAAE,MAAM,CAAC;IAC/B,eAAe,EAAE,MAAM,CAAC;IACxB,kBAAkB,EAAE,MAAM,CAAC;IAC3B,SAAS,EAAE,MAAM,CAAC;CACnB,EACD,UAAU,EAAE,UAAU,EACtB,SAAS,EAAE,UAAU,EACrB,UAAU,CAAC,EAAE,MAAM,EACnB,UAAU,SAAc,EACxB,cAAc,CAAC,EAAE,MAAM,GACtB,OAAO,CAAC,oBAAoB,CAAC,yBAAyB,CAAC,CAAC,CA8B1D;AAED,wBAAsB,yBAAyB,CAC7C,QAAQ,EAAE;IACR,YAAY,EAAE,MAAM,CAAC;IACrB,cAAc,EAAE,MAAM,CAAC;IACvB,UAAU,EAAE,MAAM,CAAC;IACnB,WAAW,EAAE,MAAM,CAAC;IACpB,YAAY,EAAE,MAAM,CAAC;IACrB,WAAW,EAAE,MAAM,CAAC;CACrB,EACD,UAAU,EAAE,UAAU,EACtB,SAAS,EAAE,UAAU,EACrB,UAAU,EAAE,MAAM,EAClB,UAAU,SAAc,EACxB,cAAc,CAAC,EAAE,MAAM,GACtB,OAAO,CAAC,oBAAoB,CAAC,2BAA2B,CAAC,CAAC,CA2B5D;AAED,wBAAsB,oBAAoB,CACxC,WAAW,EAAE;IACX,WAAW,EAAE,MAAM,CAAC;IACpB,iBAAiB,EAAE,MAAM,CAAC;IAC1B,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,aAAa,EAAE,MAAM,CAAC;IACtB,YAAY,EAAE,MAAM,CAAC;IACrB;;;;;;;;OAQG;IACH,oBAAoB,CAAC,EAAE,wBAAwB,CAAC;CACjD,EACD,UAAU,EAAE,UAAU,EACtB,SAAS,EAAE,UAAU,EACrB,UAAU,EAAE,MAAM,EAClB,UAAU,SAAc,EACxB,cAAc,CAAC,EAAE,MAAM,GACtB,OAAO,CAAC,oBAAoB,CAAC,sBAAsB,CAAC,CAAC,CA6BvD;AAED,wBAAsB,kBAAkB,CACtC,WAAW,EAAE,oBAAoB,EAAE,EACnC,UAAU,EAAE,UAAU,EACtB,SAAS,EAAE,UAAU,GACpB,OAAO,CAAC,sBAAsB,CAAC,CAUjC"}
|
|
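--- /dev/null
+++ b/package/dist/hardware-attestation.d.ts
@@ -0,0 +1,268 @@
+/**
+* Hardware attestation — verify that a motebit's Ed25519 identity key
+* is bound to a hardware-backed ECDSA P-256 key held in a platform
+* trust anchor (Apple Secure Enclave today; TPM / Play Integrity /
+* DeviceCheck as future additive adapters).
+*
+* ## Why this exists
+*
+* Motebit's identity key is Ed25519, stored in the OS keyring on
+* desktop and in equivalent app-sandboxed stores on mobile/web. That
+* key is *software-custody*: the private bytes are readable by any
+* process running as the user. The moat thesis — "accumulated trust
+* that a third party can verify" — is categorically weaker without a
+* hardware root. Hardware attestation bridges the gap without forcing
+* a cryptosuite migration: a separate hardware-native keypair (Apple
+* Secure Enclave generates ECDSA P-256) signs a canonical claim that
+* binds itself to the Ed25519 identity. The identity stays where it
+* is; the hardware signature is *additional* evidence a verifier can
+* rank against.
+*
+* Same shape as FIDO / WebAuthn attestation — the platform root key
+* is distinct from the user-facing identity, and one attests the
+* other.
+*
+* ## Receipt format (`platform: "secure_enclave"`)
+*
+* attestation_receipt = base64url(canonical_body_json) + "." +
+* base64url(ecdsa_p256_signature_der)
+*
+* canonical_body_json = JCS-canonicalized JSON of:
+* {
+* version: "1",
+* algorithm: "ecdsa-p256-sha256",
+* motebit_id: string,
+* device_id: string,
+* identity_public_key: Ed25519 hex lowercase,
+* se_public_key: P-256 compressed-point hex lowercase,
+* attested_at: unix ms,
+* }
+*
+* The P-256 signature is over `SHA-256(canonical_body_json)` — standard
+* ECDSA-on-SHA256. The verifier recovers the SE public key from
+* `body.se_public_key` (self-contained; zero relay contact), verifies
+* the signature, then checks that `body.identity_public_key` equals the
+* Ed25519 key the credential subject is claimed for.
+*
+* ## Non-goals in v1
+*
+* - Other platforms (TPM / DeviceCheck / Play Integrity) — each
+* returns `valid: false` + a named-missing-adapter error. Additive
+* platform adapters plug in behind the same result shape.
+* - Revocation — claims expire with their parent credential's
+* expiry. No separate revocation channel.
+* - Chain-of-trust verification — the SE public key is the
+* self-asserted root in v1. Future platform adapters verify the
+* platform's own attestation chain (Apple's root CA, Google's
+* verified-boot chain, etc.) as glucose per the metabolic
+* principle.
+*
+* Permissive floor (Apache-2.0), no I/O, deterministic. Safe to run in any
+* environment that can parse UTF-8 JSON.
+*/
+import type { HardwareAttestationClaim } from "@motebit/protocol";
+/**
+* Platform identifier mirrored from `HardwareAttestationClaim.platform`.
+* Declared locally so hardware-attestation.ts isn't coupled to whether
+* protocol exports it as a named type — the union literal is the
+* contract.
+*/
+export type AttestationPlatform = HardwareAttestationClaim["platform"];
+/**
+* One verification error in the result. Matches the shape used by the
+* other `@motebit/crypto` verify functions so callers can surface
+* errors uniformly.
+*/
+export interface HardwareAttestationError {
+readonly message: string;
+}
+/**
+* Result of verifying one `HardwareAttestationClaim`. `valid` reflects
+* only the platform-verification outcome for the receipt — identity-key
+* binding is checked separately via `expectedIdentityPublicKeyHex`.
+*
+* For the `secure_enclave` platform, a `valid: true` result asserts:
+* 1. The receipt is well-formed JWS-shape (body . signature).
+* 2. The body's algorithm field is `ecdsa-p256-sha256`.
+* 3. The P-256 signature verifies against the body bytes + the
+* SE public key carried inside the body.
+* 4. The body's `identity_public_key` equals the expected Ed25519
+* key the caller provided.
+*
+* Other platforms are not implemented in v1 and return
+* `valid: false, errors: [{message: "...adapter not shipped..."}]`.
+* Adapters plug in behind this same result shape; a verifier that
+* ignores the `se_public_key` field stays forward-compatible.
+*/
+export interface HardwareAttestationVerifyResult {
+readonly valid: boolean;
+readonly platform: AttestationPlatform | null;
+/** P-256 pubkey (compressed hex) recovered from a verified SE receipt. */
+readonly se_public_key?: string;
+/** Unix ms timestamp from a verified body, if any. */
+readonly attested_at?: number;
+readonly errors: readonly HardwareAttestationError[];
+}
+/**
+* Context fields the dispatcher lifts out of the VC subject and hands
+* to the `deviceCheck` arm so it can re-derive the JCS body Apple
+* signed over. motebit_id / device_id / attested_at participate in
+* that body alongside identity_public_key; without them the verifier
+* cannot bind the receipt to the caller's identity. Each field is
+* optional at the type level so an older credential subject that
+* doesn't carry them flows through with `identity_bound: false`
+* rather than crashing the verifier.
+*/
+export interface DeviceCheckVerifierContext {
+readonly expectedMotebitId?: string;
+readonly expectedDeviceId?: string;
+readonly expectedAttestedAt?: number;
+}
+/**
+* Optional platform-verifier dispatch injected at call site by the
+* consumer. Each slot takes the claim + the expected Ed25519 identity
+* key (lowercase hex) and returns a verification result matching the
+* canonical shape.
+*
+* `@motebit/crypto` stays permissive-floor-pure and dep-thin — it never imports a
+* platform adapter. Consumers (CLI, mobile, desktop, relay) wire the
+* leaf packages (`@motebit/crypto-appattest` for device_check;
+* future `@motebit/crypto-tpm`, `@motebit/crypto-play-integrity`) into
+* this object so that dispatch remains explicit, auditable, and
+* tree-shakable: a verifier that doesn't care about App Attest ships
+* zero App Attest code.
+*
+* `deviceCheck` takes an optional third `context` argument carrying
+* the VC-subject fields that participate in the JCS body the Swift
+* mint path signs over (motebit_id / device_id / attested_at). The
+* dispatcher populates this from the credential subject; direct
+* callers threading their own context can too. Older injected
+* verifiers that ignore the third argument still satisfy the type.
+*/
+export interface HardwareAttestationVerifiers {
+readonly deviceCheck?: (claim: HardwareAttestationClaim, expectedIdentityPublicKeyHex: string, context?: DeviceCheckVerifierContext) => HardwareAttestationVerifyResult | PromiseLike<HardwareAttestationVerifyResult> | {
+readonly valid: boolean;
+readonly errors: ReadonlyArray<{
+readonly message: string;
+}>;
+} | PromiseLike<{
+readonly valid: boolean;
+readonly errors: ReadonlyArray<{
+readonly message: string;
+}>;
+}>;
+readonly tpm?: (claim: HardwareAttestationClaim, expectedIdentityPublicKeyHex: string, context?: DeviceCheckVerifierContext) => HardwareAttestationVerifyResult | PromiseLike<HardwareAttestationVerifyResult> | {
+readonly valid: boolean;
+readonly errors: ReadonlyArray<{
+readonly message: string;
+}>;
+} | PromiseLike<{
+readonly valid: boolean;
+readonly errors: ReadonlyArray<{
+readonly message: string;
+}>;
+}>;
+readonly playIntegrity?: (claim: HardwareAttestationClaim, expectedIdentityPublicKeyHex: string, context?: DeviceCheckVerifierContext) => HardwareAttestationVerifyResult | PromiseLike<HardwareAttestationVerifyResult> | {
+readonly valid: boolean;
+readonly errors: ReadonlyArray<{
+readonly message: string;
+}>;
+} | PromiseLike<{
+readonly valid: boolean;
+readonly errors: ReadonlyArray<{
+readonly message: string;
+}>;
+}>;
+readonly webauthn?: (claim: HardwareAttestationClaim, expectedIdentityPublicKeyHex: string, context?: DeviceCheckVerifierContext) => HardwareAttestationVerifyResult | PromiseLike<HardwareAttestationVerifyResult> | {
+readonly valid: boolean;
+readonly errors: ReadonlyArray<{
+readonly message: string;
+}>;
+} | PromiseLike<{
+readonly valid: boolean;
+readonly errors: ReadonlyArray<{
+readonly message: string;
+}>;
+}>;
+readonly androidKeystore?: (claim: HardwareAttestationClaim, expectedIdentityPublicKeyHex: string, context?: DeviceCheckVerifierContext) => HardwareAttestationVerifyResult | PromiseLike<HardwareAttestationVerifyResult> | {
+readonly valid: boolean;
+readonly errors: ReadonlyArray<{
+readonly message: string;
+}>;
+} | PromiseLike<{
+readonly valid: boolean;
+readonly errors: ReadonlyArray<{
+readonly message: string;
+}>;
+}>;
+}
+/**
+* Verify a hardware-attestation claim.
+*
+* - `claim` — the `HardwareAttestationClaim` taken from a credential's
+* `credentialSubject.hardware_attestation`.
+* - `expectedIdentityPublicKeyHex` — the Ed25519 public key (hex) the
+* verifier believes owns the credential. Comes from the credential
+* issuance path (typically the subject's DID pubkey).
+* - `verifiers` — optional injection of platform-specific verifiers for
+* claims other than `secure_enclave`. Consumers pass
+* `{ deviceCheck: deviceCheckVerifier(...) }` from
+* `@motebit/crypto-appattest` to enable App Attest verification. When
+* a claim's platform has no verifier wired, the dispatcher returns a
+* stub `valid: false, errors: [{message:"adapter not yet shipped"}]`
+* so verification remains fail-closed by default.
+* - `deviceCheckContext` — VC-subject fields (motebit_id / device_id /
+* attested_at) lifted from the credential subject; threaded to the
+* injected `deviceCheck` verifier so it can re-derive the JCS body
+* Apple signed over. Ignored for every other platform.
+*
+* Zero throws — every failure lands as `valid: false` with a structured
+* reason so callers can render consistent audit output. The
+* secure_enclave path remains synchronous; device_check (and any other
+* injected adapter) may return a Promise, so callers that dispatch
+* through the `verify()` entrypoint get `await`ed results.
+*/
+export declare function verifyHardwareAttestationClaim(claim: HardwareAttestationClaim, expectedIdentityPublicKeyHex: string, verifiers?: HardwareAttestationVerifiers, deviceCheckContext?: DeviceCheckVerifierContext): HardwareAttestationVerifyResult | Promise<HardwareAttestationVerifyResult>;
+/**
+* Test-only helper — encode a canonical body + signature into the
+* receipt format. Tests that have a P-256 private key (via
+* `@noble/curves/p256`) can call `signBytes` themselves, then hand the
+* resulting body + signature to this helper to produce a well-formed
+* receipt that `verifyHardwareAttestationClaim` will accept. Production
+* callers MUST mint receipts via the Rust Secure Enclave bridge —
+* never through this function.
+*/
+export declare function encodeSecureEnclaveReceiptForTest(bodyBytes: Uint8Array, sigBytes: Uint8Array): string;
+/**
+* Test-only helper — build a canonical body JSON's bytes. Use with
+* `encodeSecureEnclaveReceiptForTest` to produce a full receipt for
+* verification tests. Canonicalization matches what production would
+* emit.
+*/
+export declare function canonicalSecureEnclaveBodyForTest(body: {
+readonly motebit_id: string;
+readonly device_id: string;
+readonly identity_public_key: string;
+readonly se_public_key: string;
+readonly attested_at: number;
+}): Uint8Array;
+/**
+* Test-only convenience — generate a fresh P-256 keypair, sign the
+* canonical body bytes with it, and assemble a `HardwareAttestationClaim`
+* that `verifyHardwareAttestationClaim` accepts. Lets cross-workspace
+* tests exercise the SE verification path without each caller pulling
+* `@noble/curves` into their own dep tree.
+*
+* Production callers MUST mint receipts via the Rust Secure Enclave
+* bridge — never through this function.
+*/
+export declare function mintSecureEnclaveReceiptForTest(input: {
+readonly motebit_id: string;
+readonly device_id: string;
+readonly identity_public_key: string;
+readonly attested_at: number;
+}): Promise<{
+claim: HardwareAttestationClaim;
+sePublicKeyHex: string;
+}>;
+//# sourceMappingURL=hardware-attestation.d.ts.map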
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"hardware-attestation.d.ts","sourceRoot":"","sources":["../src/hardware-attestation.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA6DG;AAEH,OAAO,KAAK,EAAE,wBAAwB,EAAE,MAAM,mBAAmB,CAAC;AAKlE;;;;;GAKG;AACH,MAAM,MAAM,mBAAmB,GAAG,wBAAwB,CAAC,UAAU,CAAC,CAAC;AAEvE;;;;GAIG;AACH,MAAM,WAAW,wBAAwB;IACvC,QAAQ,CAAC,OAAO,EAAE,MAAM,CAAC;CAC1B;AAED;;;;;;;;;;;;;;;;;GAiBG;AACH,MAAM,WAAW,+BAA+B;IAC9C,QAAQ,CAAC,KAAK,EAAE,OAAO,CAAC;IACxB,QAAQ,CAAC,QAAQ,EAAE,mBAAmB,GAAG,IAAI,CAAC;IAC9C,0EAA0E;IAC1E,QAAQ,CAAC,aAAa,CAAC,EAAE,MAAM,CAAC;IAChC,sDAAsD;IACtD,QAAQ,CAAC,WAAW,CAAC,EAAE,MAAM,CAAC;IAC9B,QAAQ,CAAC,MAAM,EAAE,SAAS,wBAAwB,EAAE,CAAC;CACtD;AAiBD;;;;;;;;;GASG;AACH,MAAM,WAAW,0BAA0B;IACzC,QAAQ,CAAC,iBAAiB,CAAC,EAAE,MAAM,CAAC;IACpC,QAAQ,CAAC,gBAAgB,CAAC,EAAE,MAAM,CAAC;IACnC,QAAQ,CAAC,kBAAkB,CAAC,EAAE,MAAM,CAAC;CACtC;AAED;;;;;;;;;;;;;;;;;;;;GAoBG;AACH,MAAM,WAAW,4BAA4B;IAC3C,QAAQ,CAAC,WAAW,CAAC,EAAE,CACrB,KAAK,EAAE,wBAAwB,EAC/B,4BAA4B,EAAE,MAAM,EACpC,OAAO,CAAC,EAAE,0BAA0B,KAElC,+BAA+B,GAC/B,WAAW,CAAC,+BAA+B,CAAC,GAC5C;QAAE,QAAQ,CAAC,KAAK,EAAE,OAAO,CAAC;QAAC,QAAQ,CAAC,MAAM,EAAE,aAAa,CAAC;YAAE,QAAQ,CAAC,OAAO,EAAE,MAAM,CAAA;SAAE,CAAC,CAAA;KAAE,GACzF,WAAW,CAAC;QACV,QAAQ,CAAC,KAAK,EAAE,OAAO,CAAC;QACxB,QAAQ,CAAC,MAAM,EAAE,aAAa,CAAC;YAAE,QAAQ,CAAC,OAAO,EAAE,MAAM,CAAA;SAAE,CAAC,CAAC;KAC9D,CAAC,CAAC;IACP,QAAQ,CAAC,GAAG,CAAC,EAAE,CACb,KAAK,EAAE,wBAAwB,EAC/B,4BAA4B,EAAE,MAAM,EACpC,OAAO,CAAC,EAAE,0BAA0B,KAElC,+BAA+B,GAC/B,WAAW,CAAC,+BAA+B,CAAC,GAC5C;QAAE,QAAQ,CAAC,KAAK,EAAE,OAAO,CAAC;QAAC,QAAQ,CAAC,MAAM,EAAE,aAAa,CAAC;YAAE,QAAQ,CAAC,OAAO,EAAE,MAAM,CAAA;SAAE,CAAC,CAAA;KAAE,GACzF,WAAW,CAAC;QACV,QAAQ,CAAC,KAAK,EAAE,OAAO,CAAC;QACxB,QAAQ,CAAC,MAAM,EAAE,aAAa,CAAC;YAAE,QAAQ,CAAC,OAAO,EAAE,MAAM,CAAA;SAAE,CAAC,CAAC;KAC9D,CAAC,CAAC;IACP,QAAQ,CAAC,aAAa,CAAC,EAAE,CACvB,KAAK,EAAE,wBAAwB,EAC/B,4BAA4B,EAAE,MAAM,EACpC,OAAO,CAAC,EAAE,0BAA0B,KAElC,+BAA+B,GAC/B,WAAW,CAAC,+BAA+B,CAAC,GAC5C;QAAE,QAAQ,CAAC,KAAK,EAAE,OAAO,CAAC;QAAC,QAAQ,CAAC,MAAM,EAAE,aAAa,CAAC
;YAAE,QAAQ,CAAC,OAAO,EAAE,MAAM,CAAA;SAAE,CAAC,CAAA;KAAE,GACzF,WAAW,CAAC;QACV,QAAQ,CAAC,KAAK,EAAE,OAAO,CAAC;QACxB,QAAQ,CAAC,MAAM,EAAE,aAAa,CAAC;YAAE,QAAQ,CAAC,OAAO,EAAE,MAAM,CAAA;SAAE,CAAC,CAAC;KAC9D,CAAC,CAAC;IACP,QAAQ,CAAC,QAAQ,CAAC,EAAE,CAClB,KAAK,EAAE,wBAAwB,EAC/B,4BAA4B,EAAE,MAAM,EACpC,OAAO,CAAC,EAAE,0BAA0B,KAElC,+BAA+B,GAC/B,WAAW,CAAC,+BAA+B,CAAC,GAC5C;QAAE,QAAQ,CAAC,KAAK,EAAE,OAAO,CAAC;QAAC,QAAQ,CAAC,MAAM,EAAE,aAAa,CAAC;YAAE,QAAQ,CAAC,OAAO,EAAE,MAAM,CAAA;SAAE,CAAC,CAAA;KAAE,GACzF,WAAW,CAAC;QACV,QAAQ,CAAC,KAAK,EAAE,OAAO,CAAC;QACxB,QAAQ,CAAC,MAAM,EAAE,aAAa,CAAC;YAAE,QAAQ,CAAC,OAAO,EAAE,MAAM,CAAA;SAAE,CAAC,CAAC;KAC9D,CAAC,CAAC;IACP,QAAQ,CAAC,eAAe,CAAC,EAAE,CACzB,KAAK,EAAE,wBAAwB,EAC/B,4BAA4B,EAAE,MAAM,EACpC,OAAO,CAAC,EAAE,0BAA0B,KAElC,+BAA+B,GAC/B,WAAW,CAAC,+BAA+B,CAAC,GAC5C;QAAE,QAAQ,CAAC,KAAK,EAAE,OAAO,CAAC;QAAC,QAAQ,CAAC,MAAM,EAAE,aAAa,CAAC;YAAE,QAAQ,CAAC,OAAO,EAAE,MAAM,CAAA;SAAE,CAAC,CAAA;KAAE,GACzF,WAAW,CAAC;QACV,QAAQ,CAAC,KAAK,EAAE,OAAO,CAAC;QACxB,QAAQ,CAAC,MAAM,EAAE,aAAa,CAAC;YAAE,QAAQ,CAAC,OAAO,EAAE,MAAM,CAAA;SAAE,CAAC,CAAC;KAC9D,CAAC,CAAC;CACR;AAED;;;;;;;;;;;;;;;;;;;;;;;;;GAyBG;AACH,wBAAgB,8BAA8B,CAC5C,KAAK,EAAE,wBAAwB,EAC/B,4BAA4B,EAAE,MAAM,EACpC,SAAS,CAAC,EAAE,4BAA4B,EACxC,kBAAkB,CAAC,EAAE,0BAA0B,GAC9C,+BAA+B,GAAG,OAAO,CAAC,+BAA+B,CAAC,CA+E5E;AAoMD;;;;;;;;GAQG;AACH,wBAAgB,iCAAiC,CAC/C,SAAS,EAAE,UAAU,EACrB,QAAQ,EAAE,UAAU,GACnB,MAAM,CAER;AAED;;;;;GAKG;AACH,wBAAgB,iCAAiC,CAAC,IAAI,EAAE;IACtD,QAAQ,CAAC,UAAU,EAAE,MAAM,CAAC;IAC5B,QAAQ,CAAC,SAAS,EAAE,MAAM,CAAC;IAC3B,QAAQ,CAAC,mBAAmB,EAAE,MAAM,CAAC;IACrC,QAAQ,CAAC,aAAa,EAAE,MAAM,CAAC;IAC/B,QAAQ,CAAC,WAAW,EAAE,MAAM,CAAC;CAC9B,GAAG,UAAU,CAOb;AAED;;;;;;;;;GASG;AACH,wBAAsB,+BAA+B,CAAC,KAAK,EAAE;IAC3D,QAAQ,CAAC,UAAU,EAAE,MAAM,CAAC;IAC5B,QAAQ,CAAC,SAAS,EAAE,MAAM,CAAC;IAC3B,QAAQ,CAAC,mBAAmB,EAAE,MAAM,CAAC;IACrC,QAAQ,CAAC,WAAW,EAAE,MAAM,CAAC;CAC9B,GAAG,OAAO,CAAC;IAAE,KAAK,EAAE,wBAAwB,CAAC;IAAC,cAAc,EAAE,MAAM,CAAA;CAAE,CAAC,CAyBvE"}
|
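--- a/package/dist/index.d.ts
+++ b/package/dist/index.d.ts
@@ -75,6 +75,11 @@ export interface SuccessionRecord {
 new_public_key: string;
 timestamp: number;
 reason?: string;
+/**
+* Cryptosuite discriminator. Always `"motebit-jcs-ed25519-hex-v1"`
+* for this artifact today — same suite as the identity frontmatter.
+*/
+suite: "motebit-jcs-ed25519-hex-v1";
 old_key_signature?: string;
 new_key_signature: string;
 /** True when succession was authorized by guardian, not old key. */
@@ -102,6 +107,9 @@ export interface ExecutionReceipt {
 }
 export type { DataIntegrityProof, VerifiableCredential, VerifiablePresentation, } from "./credentials.js";
 import type { VerifiableCredential, VerifiablePresentation } from "./credentials.js";
+export { verifyHardwareAttestationClaim, canonicalSecureEnclaveBodyForTest, encodeSecureEnclaveReceiptForTest, mintSecureEnclaveReceiptForTest, } from "./hardware-attestation.js";
+export type { AttestationPlatform, HardwareAttestationError, HardwareAttestationVerifyResult, HardwareAttestationVerifiers, DeviceCheckVerifierContext, } from "./hardware-attestation.js";
+import type { HardwareAttestationVerifiers, HardwareAttestationVerifyResult } from "./hardware-attestation.js";
 export interface VerificationError {
 message: string;
 path?: string;
@@ -135,6 +143,14 @@ export interface CredentialVerifyResult extends BaseResult {
 issuer?: string;
 subject?: string;
 expired?: boolean;
+/**
+* Hardware-attestation verification outcome. Present only when the
+* credential's subject declared a `hardware_attestation` claim. Absent
+* means "no claim" (not "fails closed" — the credential's own
+* signature is independent of the attestation). Populated by the
+* unified `verify()` dispatcher via `verifyHardwareAttestationClaim`.
+*/
+hardware_attestation?: HardwareAttestationVerifyResult;
 }
 export interface PresentationVerifyResult extends BaseResult {
 type: "presentation";
@@ -148,8 +164,26 @@ export interface VerifyOptions {
 expectedType?: ArtifactType;
 /** Clock skew tolerance in seconds for credential expiry checks. Default: 60. */
 clockSkewSeconds?: number;
+/**
+* Optional injection of platform-specific hardware-attestation
+* verifiers. Consumers that need `device_check` / `tpm` /
+* `play_integrity` verification pass the corresponding leaf package's
+* verifier function here (e.g. `deviceCheckVerifier(...)` from
+* `@motebit/crypto-appattest`). Absence keeps the permissive-floor `@motebit/crypto`
+* path pure: unknown platforms fail-closed with a named-missing-adapter
+* error. See `hardware-attestation.ts::HardwareAttestationVerifiers`.
+*/
+hardwareAttestation?: HardwareAttestationVerifiers;
 }
-/**
+/**
+* @deprecated since 1.0.0, removed in 2.0.0. Use {@link VerifyResult} instead.
+*
+* Reason: pre-0.4.0 return shape with a flat `error: string` field and no
+* type discriminator. The modern {@link VerifyResult} is a discriminated
+* union (`type: "identity" | "receipt" | "credential" | "presentation"`)
+* with a structured `errors: Array<{ message: string }>` — one shape covers
+* every artifact type motebit verifies.
+*/
 export interface LegacyVerifyResult {
 valid: boolean;
 identity: MotebitIdentityFile | null;
@@ -202,11 +236,30 @@ export declare function verify(artifact: unknown, options?: VerifyOptions): Prom
 /**
 * Verify a motebit.md identity file. Backward-compatible with pre-0.4.0.
 *
-* @deprecated Use `verify(content
+* @deprecated since 1.0.0, removed in 2.0.0. Use `verify(content, { expectedType: "identity" })` instead.
+*
+* Reason: `verify()` is the unified dispatcher for every signed artifact
+* type (identity, receipt, credential, presentation) and returns a typed
+* {@link VerifyResult} discriminated union. `verifyIdentityFile` is the
+* pre-0.4.0 identity-only wrapper kept alive for the deprecation window —
+* it reshapes `verify()`'s output into the legacy flat-`error` format.
+*
+* Migration:
+* ```ts
+* // Before:
+* const r = await verifyIdentityFile(content);
+* if (r.valid) console.log(r.did);
+* else console.log(r.error);
+*
+* // After:
+* const r = await verify(content, { expectedType: "identity" });
+* if (r.type === "identity" && r.valid) console.log(r.did);
+* else console.log(r.errors?.[0]?.message);
+* ```
 */
 export declare function verifyIdentityFile(content: string): Promise<LegacyVerifyResult>;
 export * from "./signing.js";
 export * from "./artifacts.js";
 export { signVerifiableCredential, verifyVerifiableCredential, signVerifiablePresentation, verifyVerifiablePresentation, issueGradientCredential, issueReputationCredential, issueTrustCredential, createPresentation, type GradientCredentialSubject, type ReputationCredentialSubject, type TrustCredentialSubject, } from "./credentials.js";
-export { computeCredentialLeaf, verifyCredentialAnchor, type CredentialAnchorVerifyResult, type CredentialAnchorProofFields, type ChainAnchorVerifier, } from "./credential-anchor.js";
+export { computeCredentialLeaf, verifyCredentialAnchor, verifyRevocationAnchor, type CredentialAnchorVerifyResult, type CredentialAnchorProofFields, type ChainAnchorVerifier, type RevocationAnchorVerifyResult, type RevocationAnchorProof, } from "./credential-anchor.js";
 //# sourceMappingURL=index.d.ts.map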
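Review bot: The new `hardware_attestation?: HardwareAttestationVerifyResult` field on `CredentialVerifyResult` (hunk `@@ -135,6 +143,14 @@`) is documented as independent of the credential's own signature, but the comment does not say whether the result's top-level `valid` incorporates `hardware_attestation.valid` when a claim is present, so a caller gating on `valid` alone cannot tell from the declaration whether a failed attestation is already reflected. Whichever the dispatcher does, the comment should state it explicitly, e.g. add `* Top-level \`valid\` does NOT fold in this outcome; consumers that require attestation must also check \`hardware_attestation.valid\`.` or the converse sentence. The same gap shows in the `VerifyOptions.hardwareAttestation` comment in the next hunk, which says unknown platforms "fail-closed" without naming which result field carries that failure. This is a declaration file, so the actual behaviour lives in `dist/index.js`, outside this section, and the wording should be confirmed against it.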
package/dist/index.d.ts.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;GAsBG;
|
|
1
|
+
{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;GAsBG;AAYH,MAAM,WAAW,mBAAmB;IAClC,IAAI,EAAE,MAAM,CAAC;IACb,UAAU,EAAE,MAAM,CAAC;IACnB,UAAU,EAAE,MAAM,CAAC;IACnB,QAAQ,EAAE,MAAM,CAAC;IAGjB,IAAI,CAAC,EAAE,UAAU,GAAG,SAAS,GAAG,eAAe,CAAC;IAChD,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,mBAAmB,CAAC,EAAE,MAAM,CAAC;IAC7B,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,YAAY,CAAC,EAAE,MAAM,EAAE,CAAC;IACxB,SAAS,CAAC,EAAE,MAAM,CAAC;IAEnB,QAAQ,EAAE;QACR,SAAS,EAAE,SAAS,CAAC;QACrB,UAAU,EAAE,MAAM,CAAC;KACpB,CAAC;IAEF,UAAU,EAAE;QACV,UAAU,EAAE,MAAM,GAAG,SAAS,GAAG,SAAS,CAAC;QAC3C,aAAa,EAAE,MAAM,CAAC;QACtB,sBAAsB,EAAE,MAAM,CAAC;QAC/B,UAAU,EAAE,MAAM,CAAC;QACnB,aAAa,EAAE,OAAO,CAAC;KACxB,CAAC;IAEF,OAAO,EAAE;QACP,mBAAmB,EAAE,MAAM,CAAC;QAC5B,cAAc,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;QACvC,WAAW,EAAE,OAAO,CAAC;KACtB,CAAC;IAEF,MAAM,EAAE;QACN,cAAc,EAAE,MAAM,CAAC;QACvB,oBAAoB,EAAE,MAAM,CAAC;QAC7B,cAAc,EAAE,MAAM,CAAC;KACxB,CAAC;IAEF,8EAA8E;IAC9E,QAAQ,CAAC,EAAE;QACT,UAAU,EAAE,MAAM,CAAC;QACnB,YAAY,CAAC,EAAE,MAAM,CAAC;QACtB,eAAe,CAAC,EAAE,MAAM,CAAC;QACzB,cAAc,EAAE,MAAM,CAAC;QACvB,6DAA6D;QAC7D,WAAW,CAAC,EAAE,MAAM,CAAC;KACtB,CAAC;IAEF,OAAO,EAAE,KAAK,CAAC;QACb,SAAS,EAAE,MAAM,CAAC;QAClB,IAAI,EAAE,MAAM,CAAC;QACb,UAAU,EAAE,MAAM,CAAC;QACnB,aAAa,EAAE,MAAM,CAAC;KACvB,CAAC,CAAC;IAEH,UAAU,CAAC,EAAE,KAAK,CAAC,gBAAgB,CAAC,CAAC;CACtC;AAED,MAAM,WAAW,gBAAgB;IAC/B,cAAc,EAAE,MAAM,CAAC;IACvB,cAAc,EAAE,MAAM,CAAC;IACvB,SAAS,EAAE,MAAM,CAAC;IAClB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB;;;OAGG;IACH,KAAK,EAAE,4BAA4B,CAAC;IACpC,iBAAiB,CAAC,EAAE,MAAM,CAAC;IAC3B,iBAAiB,EAAE,MAAM,CAAC;IAC1B,oEAAoE;IACpE,QAAQ,CAAC,EAAE,OAAO,CAAC;IACnB,+DAA+D;IAC/D,kBAAkB,CAAC,EAAE,MAAM,CAAC;CAC7B;AAMD,MAAM,WAAW,gBAAgB;IAC/B,OAAO,EAAE,MAAM,CAAC;IAChB,UAAU,EAAE,MAAM,CAAC;IACnB,oFAAoF;IACpF,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,SAAS,EAAE,MAAM,CAAC;IAClB,YAAY,EAAE,MAAM,CAAC;IACrB,YAAY,EAAE,MAAM,CAAC;IACrB,MAAM,EAAE,MAAM,CAAC;IACf,MAAM,EAAE,MAAM,CAAC;IACf,UAAU,EAAE,MAAM,EAAE,CAAC;IACrB,eAAe,EAAE,MAAM,CAAC;IACxB,WAAW
,EAAE,MAAM,CAAC;IACpB,WAAW,EAAE,MAAM,CAAC;IACpB,mBAAmB,CAAC,EAAE,gBAAgB,EAAE,CAAC;IACzC,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,SAAS,EAAE,MAAM,CAAC;CACnB;AAOD,YAAY,EACV,kBAAkB,EAClB,oBAAoB,EACpB,sBAAsB,GACvB,MAAM,kBAAkB,CAAC;AAC1B,OAAO,KAAK,EAEV,oBAAoB,EACpB,sBAAsB,EACvB,MAAM,kBAAkB,CAAC;AAK1B,OAAO,EACL,8BAA8B,EAC9B,iCAAiC,EACjC,iCAAiC,EACjC,+BAA+B,GAChC,MAAM,2BAA2B,CAAC;AACnC,YAAY,EACV,mBAAmB,EACnB,wBAAwB,EACxB,+BAA+B,EAC/B,4BAA4B,EAC5B,0BAA0B,GAC3B,MAAM,2BAA2B,CAAC;AAEnC,OAAO,KAAK,EACV,4BAA4B,EAC5B,+BAA+B,EAChC,MAAM,2BAA2B,CAAC;AAMnC,MAAM,WAAW,iBAAiB;IAChC,OAAO,EAAE,MAAM,CAAC;IAChB,IAAI,CAAC,EAAE,MAAM,CAAC;CACf;AAED,UAAU,UAAU;IAClB,KAAK,EAAE,OAAO,CAAC;IACf,MAAM,CAAC,EAAE,iBAAiB,EAAE,CAAC;CAC9B;AAED,MAAM,WAAW,oBAAqB,SAAQ,UAAU;IACtD,IAAI,EAAE,UAAU,CAAC;IACjB,QAAQ,EAAE,mBAAmB,GAAG,IAAI,CAAC;IACrC,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,4EAA4E;IAC5E,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,UAAU,CAAC,EAAE;QACX,KAAK,EAAE,OAAO,CAAC;QACf,kBAAkB,CAAC,EAAE,MAAM,CAAC;QAC5B,SAAS,EAAE,MAAM,CAAC;QAClB,KAAK,CAAC,EAAE,MAAM,CAAC;KAChB,CAAC;CACH;AAED,MAAM,WAAW,mBAAoB,SAAQ,UAAU;IACrD,IAAI,EAAE,SAAS,CAAC;IAChB,OAAO,EAAE,gBAAgB,GAAG,IAAI,CAAC;IACjC,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,WAAW,CAAC,EAAE,mBAAmB,EAAE,CAAC;CACrC;AAED,MAAM,WAAW,sBAAuB,SAAQ,UAAU;IACxD,IAAI,EAAE,YAAY,CAAC;IACnB,UAAU,EAAE,oBAAoB,GAAG,IAAI,CAAC;IACxC,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,OAAO,CAAC,EAAE,OAAO,CAAC;IAClB;;;;;;OAMG;IACH,oBAAoB,CAAC,EAAE,+BAA+B,CAAC;CACxD;AAED,MAAM,WAAW,wBAAyB,SAAQ,UAAU;IAC1D,IAAI,EAAE,cAAc,CAAC;IACrB,YAAY,EAAE,sBAAsB,GAAG,IAAI,CAAC;IAC5C,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,WAAW,CAAC,EAAE,sBAAsB,EAAE,CAAC;CACxC;AAED,MAAM,MAAM,YAAY,GACpB,oBAAoB,GACpB,mBAAmB,GACnB,sBAAsB,GACtB,wBAAwB,CAAC;AAE7B,MAAM,MAAM,YAAY,GAAG,YAAY,CAAC,MAAM,CAAC,CAAC;AAEhD,MAAM,WAAW,aAAa;IAC5B,YAAY,CAAC,EAAE,YAAY,CAAC;IAC5B,iFAAiF;IACjF,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B;;;;;;;;OAQG;IACH,mBAAmB,CAAC,EAAE,4BAA4B,CAAC;CACpD;AAMD;;;;;;;;GAQG;AACH,MAAM,WAAW,kBAAkB;IACjC,KAAK,EAAE,OAAO,CAAC;IACf,QAAQ,EAAE,mBAAmB,GAAG,IAAI,CAAC;IACrC,GAAG,
CAAC,EAAE,MAAM,CAAC;IACb,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,UAAU,CAAC,EAAE;QACX,KAAK,EAAE,OAAO,CAAC;QACf,kBAAkB,CAAC,EAAE,MAAM,CAAC;QAC5B,SAAS,EAAE,MAAM,CAAC;QAClB,KAAK,CAAC,EAAE,MAAM,CAAC;KAChB,CAAC;CACH;AA+TD;;;GAGG;AACH,wBAAgB,KAAK,CAAC,OAAO,EAAE,MAAM,GAAG;IACtC,WAAW,EAAE,mBAAmB,CAAC;IACjC,SAAS,EAAE,MAAM,CAAC;IAClB,cAAc,EAAE,MAAM,CAAC;CACxB,CAgCA;AA0jBD;;;;;;;;;;;;;;;;;;;;;;;;;;GA0BG;AACH,wBAAsB,MAAM,CAAC,QAAQ,EAAE,OAAO,EAAE,OAAO,CAAC,EAAE,aAAa,GAAG,OAAO,CAAC,YAAY,CAAC,CAgE9F;AAED;;;;;;;;;;;;;;;;;;;;;;;GAuBG;AACH,wBAAsB,kBAAkB,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CAAC,kBAAkB,CAAC,CASrF;AAOD,cAAc,cAAc,CAAC;AAC7B,cAAc,gBAAgB,CAAC;AAC/B,OAAO,EACL,wBAAwB,EACxB,0BAA0B,EAC1B,0BAA0B,EAC1B,4BAA4B,EAC5B,uBAAuB,EACvB,yBAAyB,EACzB,oBAAoB,EACpB,kBAAkB,EAClB,KAAK,yBAAyB,EAC9B,KAAK,2BAA2B,EAChC,KAAK,sBAAsB,GAC5B,MAAM,kBAAkB,CAAC;AAC1B,OAAO,EACL,qBAAqB,EACrB,sBAAsB,EACtB,sBAAsB,EACtB,KAAK,4BAA4B,EACjC,KAAK,2BAA2B,EAChC,KAAK,mBAAmB,EACxB,KAAK,4BAA4B,EACjC,KAAK,qBAAqB,GAC3B,MAAM,wBAAwB,CAAC"}
|