@motebit/crypto 1.1.0 → 1.2.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/artifacts.d.ts +1 -1
- package/dist/artifacts.js +1158 -0
- package/dist/artifacts.js.map +1 -0
- package/dist/credential-anchor.d.ts.map +1 -1
- package/dist/credential-anchor.js +200 -0
- package/dist/credential-anchor.js.map +1 -0
- package/dist/credentials.js +212 -0
- package/dist/credentials.js.map +1 -0
- package/dist/deletion-certificate.d.ts +256 -0
- package/dist/deletion-certificate.d.ts.map +1 -0
- package/dist/deletion-certificate.js +562 -0
- package/dist/deletion-certificate.js.map +1 -0
- package/dist/hardware-attestation.js +400 -0
- package/dist/hardware-attestation.js.map +1 -0
- package/dist/index.d.ts +120 -1
- package/dist/index.d.ts.map +1 -1
- package/dist/index.js +1070 -5862
- package/dist/index.js.map +1 -0
- package/dist/merkle.d.ts +34 -0
- package/dist/merkle.d.ts.map +1 -0
- package/dist/merkle.js +84 -0
- package/dist/merkle.js.map +1 -0
- package/dist/signing.js +314 -0
- package/dist/signing.js.map +1 -0
- package/dist/skills.d.ts +95 -0
- package/dist/skills.d.ts.map +1 -0
- package/dist/skills.js +228 -0
- package/dist/skills.js.map +1 -0
- package/dist/suite-dispatch.js +189 -3223
- package/dist/suite-dispatch.js.map +1 -0
- package/dist/witness-omission-dispute.d.ts +98 -0
- package/dist/witness-omission-dispute.d.ts.map +1 -0
- package/dist/witness-omission-dispute.js +237 -0
- package/dist/witness-omission-dispute.js.map +1 -0
- package/package.json +2 -2
|
@@ -0,0 +1,400 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* Hardware attestation — verify that a motebit's Ed25519 identity key
|
|
3
|
+
* is bound to a hardware-backed ECDSA P-256 key held in a platform
|
|
4
|
+
* trust anchor (Apple Secure Enclave today; TPM / Play Integrity /
|
|
5
|
+
* DeviceCheck as future additive adapters).
|
|
6
|
+
*
|
|
7
|
+
* ## Why this exists
|
|
8
|
+
*
|
|
9
|
+
* Motebit's identity key is Ed25519, stored in the OS keyring on
|
|
10
|
+
* desktop and in equivalent app-sandboxed stores on mobile/web. That
|
|
11
|
+
* key is *software-custody*: the private bytes are readable by any
|
|
12
|
+
* process running as the user. The moat thesis — "accumulated trust
|
|
13
|
+
* that a third party can verify" — is categorically weaker without a
|
|
14
|
+
* hardware root. Hardware attestation bridges the gap without forcing
|
|
15
|
+
* a cryptosuite migration: a separate hardware-native keypair (Apple
|
|
16
|
+
* Secure Enclave generates ECDSA P-256) signs a canonical claim that
|
|
17
|
+
* binds itself to the Ed25519 identity. The identity stays where it
|
|
18
|
+
* is; the hardware signature is *additional* evidence a verifier can
|
|
19
|
+
* rank against.
|
|
20
|
+
*
|
|
21
|
+
* Same shape as FIDO / WebAuthn attestation — the platform root key
|
|
22
|
+
* is distinct from the user-facing identity, and one attests the
|
|
23
|
+
* other.
|
|
24
|
+
*
|
|
25
|
+
* ## Receipt format (`platform: "secure_enclave"`)
|
|
26
|
+
*
|
|
27
|
+
* attestation_receipt = base64url(canonical_body_json) + "." +
|
|
28
|
+
* base64url(ecdsa_p256_signature_der)
|
|
29
|
+
*
|
|
30
|
+
* canonical_body_json = JCS-canonicalized JSON of:
|
|
31
|
+
* {
|
|
32
|
+
* version: "1",
|
|
33
|
+
* algorithm: "ecdsa-p256-sha256",
|
|
34
|
+
* motebit_id: string,
|
|
35
|
+
* device_id: string,
|
|
36
|
+
* identity_public_key: Ed25519 hex lowercase,
|
|
37
|
+
* se_public_key: P-256 compressed-point hex lowercase,
|
|
38
|
+
* attested_at: unix ms,
|
|
39
|
+
* }
|
|
40
|
+
*
|
|
41
|
+
* The P-256 signature is over `SHA-256(canonical_body_json)` — standard
|
|
42
|
+
* ECDSA-on-SHA256. The verifier recovers the SE public key from
|
|
43
|
+
* `body.se_public_key` (self-contained; zero relay contact), verifies
|
|
44
|
+
* the signature, then checks that `body.identity_public_key` equals the
|
|
45
|
+
* Ed25519 key the credential subject is claimed for.
|
|
46
|
+
*
|
|
47
|
+
* ## Non-goals in v1
|
|
48
|
+
*
|
|
49
|
+
* - Other platforms (TPM / DeviceCheck / Play Integrity) — each
|
|
50
|
+
* returns `valid: false` + a named-missing-adapter error. Additive
|
|
51
|
+
* platform adapters plug in behind the same result shape.
|
|
52
|
+
* - Revocation — claims expire with their parent credential's
|
|
53
|
+
* expiry. No separate revocation channel.
|
|
54
|
+
* - Chain-of-trust verification — the SE public key is the
|
|
55
|
+
* self-asserted root in v1. Future platform adapters verify the
|
|
56
|
+
* platform's own attestation chain (Apple's root CA, Google's
|
|
57
|
+
* verified-boot chain, etc.) as glucose per the metabolic
|
|
58
|
+
* principle.
|
|
59
|
+
*
|
|
60
|
+
* Permissive floor (Apache-2.0), no I/O, deterministic. Safe to run in any
|
|
61
|
+
* environment that can parse UTF-8 JSON.
|
|
62
|
+
*/
|
|
63
|
+
import { canonicalJson, fromBase64Url } from "./signing.js";
|
|
64
|
+
import { verifyP256EcdsaSha256 } from "./suite-dispatch.js";
|
|
65
|
+
/**
|
|
66
|
+
* Verify a hardware-attestation claim.
|
|
67
|
+
*
|
|
68
|
+
* - `claim` — the `HardwareAttestationClaim` taken from a credential's
|
|
69
|
+
* `credentialSubject.hardware_attestation`.
|
|
70
|
+
* - `expectedIdentityPublicKeyHex` — the Ed25519 public key (hex) the
|
|
71
|
+
* verifier believes owns the credential. Comes from the credential
|
|
72
|
+
* issuance path (typically the subject's DID pubkey).
|
|
73
|
+
* - `verifiers` — optional injection of platform-specific verifiers for
|
|
74
|
+
* claims other than `secure_enclave`. Consumers pass
|
|
75
|
+
* `{ deviceCheck: deviceCheckVerifier(...) }` from
|
|
76
|
+
* `@motebit/crypto-appattest` to enable App Attest verification. When
|
|
77
|
+
* a claim's platform has no verifier wired, the dispatcher returns a
|
|
78
|
+
* stub `valid: false, errors: [{message:"adapter not yet shipped"}]`
|
|
79
|
+
* so verification remains fail-closed by default.
|
|
80
|
+
* - `deviceCheckContext` — VC-subject fields (motebit_id / device_id /
|
|
81
|
+
* attested_at) lifted from the credential subject; threaded to the
|
|
82
|
+
* injected `deviceCheck` verifier so it can re-derive the JCS body
|
|
83
|
+
* Apple signed over. Ignored for every other platform.
|
|
84
|
+
*
|
|
85
|
+
* Zero throws — every failure lands as `valid: false` with a structured
|
|
86
|
+
* reason so callers can render consistent audit output. The
|
|
87
|
+
* secure_enclave path remains synchronous; device_check (and any other
|
|
88
|
+
* injected adapter) may return a Promise, so callers that dispatch
|
|
89
|
+
* through the `verify()` entrypoint get `await`ed results.
|
|
90
|
+
*/
|
|
91
|
+
export function verifyHardwareAttestationClaim(claim, expectedIdentityPublicKeyHex, verifiers, deviceCheckContext) {
|
|
92
|
+
const platform = claim.platform;
|
|
93
|
+
const errors = [];
|
|
94
|
+
switch (platform) {
|
|
95
|
+
case "secure_enclave":
|
|
96
|
+
return verifySecureEnclaveClaim(claim, expectedIdentityPublicKeyHex);
|
|
97
|
+
case "software":
|
|
98
|
+
// Truthful "this key is not hardware-backed" claim — valid in
|
|
99
|
+
// the sense of "no deception," but offers no hardware signal. The
|
|
100
|
+
// semiring scores it as `0.1` (see `@motebit/semiring`). Report
|
|
101
|
+
// as `valid: false` for the hardware-verification channel: the
|
|
102
|
+
// claim doesn't prove hardware, and the caller should score it
|
|
103
|
+
// via the semiring, not treat it as attested.
|
|
104
|
+
errors.push({
|
|
105
|
+
message: "platform `software` is a no-hardware sentinel; no verification channel",
|
|
106
|
+
});
|
|
107
|
+
return { valid: false, platform: "software", errors };
|
|
108
|
+
case "device_check":
|
|
109
|
+
if (verifiers?.deviceCheck) {
|
|
110
|
+
return dispatchInjected(platform, verifiers.deviceCheck(claim, expectedIdentityPublicKeyHex, deviceCheckContext));
|
|
111
|
+
}
|
|
112
|
+
errors.push({
|
|
113
|
+
message: `platform \`${platform}\` verifier not wired — pass { deviceCheck: deviceCheckVerifier(...) } from @motebit/crypto-appattest to enable`,
|
|
114
|
+
});
|
|
115
|
+
return { valid: false, platform, errors };
|
|
116
|
+
case "tpm":
|
|
117
|
+
if (verifiers?.tpm) {
|
|
118
|
+
return dispatchInjected(platform, verifiers.tpm(claim, expectedIdentityPublicKeyHex, deviceCheckContext));
|
|
119
|
+
}
|
|
120
|
+
errors.push({
|
|
121
|
+
message: `platform \`${platform}\` verifier not wired — pass { tpm: ... } via the verifiers parameter to enable`,
|
|
122
|
+
});
|
|
123
|
+
return { valid: false, platform, errors };
|
|
124
|
+
case "play_integrity":
|
|
125
|
+
if (verifiers?.playIntegrity) {
|
|
126
|
+
return dispatchInjected(platform, verifiers.playIntegrity(claim, expectedIdentityPublicKeyHex, deviceCheckContext));
|
|
127
|
+
}
|
|
128
|
+
errors.push({
|
|
129
|
+
message: `platform \`${platform}\` verifier not wired — pass { playIntegrity: ... } via the verifiers parameter to enable`,
|
|
130
|
+
});
|
|
131
|
+
return { valid: false, platform, errors };
|
|
132
|
+
case "webauthn":
|
|
133
|
+
if (verifiers?.webauthn) {
|
|
134
|
+
return dispatchInjected(platform, verifiers.webauthn(claim, expectedIdentityPublicKeyHex, deviceCheckContext));
|
|
135
|
+
}
|
|
136
|
+
errors.push({
|
|
137
|
+
message: `platform \`${platform}\` verifier not wired — pass { webauthn: webauthnVerifier(...) } from @motebit/crypto-webauthn to enable`,
|
|
138
|
+
});
|
|
139
|
+
return { valid: false, platform, errors };
|
|
140
|
+
case "android_keystore":
|
|
141
|
+
if (verifiers?.androidKeystore) {
|
|
142
|
+
return dispatchInjected(platform, verifiers.androidKeystore(claim, expectedIdentityPublicKeyHex, deviceCheckContext));
|
|
143
|
+
}
|
|
144
|
+
errors.push({
|
|
145
|
+
message: `platform \`${platform}\` verifier not wired — pass { androidKeystore: androidKeystoreVerifier(...) } from @motebit/crypto-android-keystore to enable`,
|
|
146
|
+
});
|
|
147
|
+
return { valid: false, platform, errors };
|
|
148
|
+
default:
|
|
149
|
+
errors.push({
|
|
150
|
+
message: `unknown platform \`${claim.platform}\` — not in the declared enum`,
|
|
151
|
+
});
|
|
152
|
+
return { valid: false, platform: null, errors };
|
|
153
|
+
}
|
|
154
|
+
}
|
|
155
|
+
/**
|
|
156
|
+
* Normalize the injected verifier's return shape into the canonical
|
|
157
|
+
* `HardwareAttestationVerifyResult`. Injected leaves may return a
|
|
158
|
+
* richer shape (e.g. `@motebit/crypto-appattest`'s
|
|
159
|
+
* `DeviceCheckVerifyResult` carries `attestation_detail`); the
|
|
160
|
+
* canonical fields are lifted out here so the outer VC verify path
|
|
161
|
+
* always sees the same shape.
|
|
162
|
+
*/
|
|
163
|
+
async function dispatchInjected(platform, result) {
|
|
164
|
+
const awaited = await Promise.resolve(result);
|
|
165
|
+
return {
|
|
166
|
+
valid: awaited.valid,
|
|
167
|
+
platform,
|
|
168
|
+
errors: awaited.errors ?? [],
|
|
169
|
+
};
|
|
170
|
+
}
|
|
171
|
+
// ── Secure Enclave path ──────────────────────────────────────────────
|
|
172
|
+
function verifySecureEnclaveClaim(claim, expectedIdentityPublicKeyHex) {
|
|
173
|
+
const errors = [];
|
|
174
|
+
const platform = "secure_enclave";
|
|
175
|
+
if (claim.key_exported === true) {
|
|
176
|
+
// An exported hardware key no longer uniquely holds the material;
|
|
177
|
+
// the signed receipt is historical evidence only. We still verify
|
|
178
|
+
// the signature — it's still meaningful — but the result's caller
|
|
179
|
+
// should score it with the lower semiring value (see
|
|
180
|
+
// `scoreAttestation` in @motebit/semiring: exported → 0.5). We do
|
|
181
|
+
// not short-circuit as invalid — that would conflate "key was
|
|
182
|
+
// exported" with "attestation fraudulent."
|
|
183
|
+
}
|
|
184
|
+
if (!claim.attestation_receipt) {
|
|
185
|
+
errors.push({
|
|
186
|
+
message: "secure_enclave claim missing `attestation_receipt`",
|
|
187
|
+
});
|
|
188
|
+
return { valid: false, platform, errors };
|
|
189
|
+
}
|
|
190
|
+
const parts = claim.attestation_receipt.split(".");
|
|
191
|
+
if (parts.length !== 2) {
|
|
192
|
+
errors.push({
|
|
193
|
+
message: `attestation_receipt must be 2 base64url parts separated by '.'; got ${parts.length}`,
|
|
194
|
+
});
|
|
195
|
+
return { valid: false, platform, errors };
|
|
196
|
+
}
|
|
197
|
+
const [bodyB64, sigB64] = parts;
|
|
198
|
+
let bodyBytes;
|
|
199
|
+
let sigBytes;
|
|
200
|
+
try {
|
|
201
|
+
bodyBytes = fromBase64Url(bodyB64);
|
|
202
|
+
sigBytes = fromBase64Url(sigB64);
|
|
203
|
+
}
|
|
204
|
+
catch (err) {
|
|
205
|
+
errors.push({
|
|
206
|
+
message: `base64url decode failed: ${err instanceof Error ? err.message : String(err)}`,
|
|
207
|
+
});
|
|
208
|
+
return { valid: false, platform, errors };
|
|
209
|
+
}
|
|
210
|
+
let bodyJson;
|
|
211
|
+
try {
|
|
212
|
+
bodyJson = JSON.parse(new TextDecoder().decode(bodyBytes));
|
|
213
|
+
}
|
|
214
|
+
catch (err) {
|
|
215
|
+
errors.push({
|
|
216
|
+
message: `body JSON parse failed: ${err instanceof Error ? err.message : String(err)}`,
|
|
217
|
+
});
|
|
218
|
+
return { valid: false, platform, errors };
|
|
219
|
+
}
|
|
220
|
+
const bodyCheck = parseSecureEnclaveBody(bodyJson);
|
|
221
|
+
if (bodyCheck.kind === "error") {
|
|
222
|
+
errors.push({ message: bodyCheck.reason });
|
|
223
|
+
return { valid: false, platform, errors };
|
|
224
|
+
}
|
|
225
|
+
const body = bodyCheck.body;
|
|
226
|
+
if (body.version !== "1") {
|
|
227
|
+
errors.push({
|
|
228
|
+
message: `unsupported body version '${body.version}' (expected '1')`,
|
|
229
|
+
});
|
|
230
|
+
return { valid: false, platform, errors };
|
|
231
|
+
}
|
|
232
|
+
if (body.algorithm !== "ecdsa-p256-sha256") {
|
|
233
|
+
errors.push({
|
|
234
|
+
message: `unsupported body algorithm '${body.algorithm}' (expected 'ecdsa-p256-sha256')`,
|
|
235
|
+
});
|
|
236
|
+
return { valid: false, platform, errors };
|
|
237
|
+
}
|
|
238
|
+
// Re-canonicalize the body and hash — the signed bytes are what the
|
|
239
|
+
// signer actually signed. The body we parsed is the source of truth
|
|
240
|
+
// for *fields*, but the signed bytes must match the on-wire body
|
|
241
|
+
// bytes exactly (JCS is deterministic, but the signer might have
|
|
242
|
+
// produced the body with trailing whitespace etc. — we verify
|
|
243
|
+
// against the as-received bytes, not our re-canonicalization).
|
|
244
|
+
let sigValid;
|
|
245
|
+
try {
|
|
246
|
+
sigValid = verifyP256EcdsaSha256(body.se_public_key, bodyBytes, sigBytes);
|
|
247
|
+
}
|
|
248
|
+
catch (err) {
|
|
249
|
+
errors.push({
|
|
250
|
+
message: `p-256 verification crashed: ${err instanceof Error ? err.message : String(err)}`,
|
|
251
|
+
});
|
|
252
|
+
return { valid: false, platform, errors };
|
|
253
|
+
}
|
|
254
|
+
if (!sigValid) {
|
|
255
|
+
errors.push({
|
|
256
|
+
message: "p-256 signature does not verify against body + se_public_key",
|
|
257
|
+
});
|
|
258
|
+
return { valid: false, platform, errors };
|
|
259
|
+
}
|
|
260
|
+
// Identity-key binding check — the attestation body names which
|
|
261
|
+
// Ed25519 key this hardware claim is for. The verifier has the
|
|
262
|
+
// expected key from the credential's issuance context.
|
|
263
|
+
if (body.identity_public_key.toLowerCase() !== expectedIdentityPublicKeyHex.toLowerCase()) {
|
|
264
|
+
errors.push({
|
|
265
|
+
message: `identity_public_key mismatch: body names ${body.identity_public_key.slice(0, 16)}…, expected ${expectedIdentityPublicKeyHex.slice(0, 16)}…`,
|
|
266
|
+
});
|
|
267
|
+
return { valid: false, platform, errors };
|
|
268
|
+
}
|
|
269
|
+
return {
|
|
270
|
+
valid: true,
|
|
271
|
+
platform,
|
|
272
|
+
se_public_key: body.se_public_key,
|
|
273
|
+
attested_at: body.attested_at,
|
|
274
|
+
errors: [],
|
|
275
|
+
};
|
|
276
|
+
}
|
|
277
|
+
function parseSecureEnclaveBody(raw) {
|
|
278
|
+
if (raw === null || typeof raw !== "object") {
|
|
279
|
+
return { kind: "error", reason: "body is not a JSON object" };
|
|
280
|
+
}
|
|
281
|
+
const r = raw;
|
|
282
|
+
const fields = [
|
|
283
|
+
"version",
|
|
284
|
+
"algorithm",
|
|
285
|
+
"motebit_id",
|
|
286
|
+
"device_id",
|
|
287
|
+
"identity_public_key",
|
|
288
|
+
"se_public_key",
|
|
289
|
+
"attested_at",
|
|
290
|
+
];
|
|
291
|
+
for (const f of fields) {
|
|
292
|
+
if (!(f in r)) {
|
|
293
|
+
return { kind: "error", reason: `body missing required field '${f}'` };
|
|
294
|
+
}
|
|
295
|
+
}
|
|
296
|
+
if (typeof r.version !== "string" ||
|
|
297
|
+
typeof r.algorithm !== "string" ||
|
|
298
|
+
typeof r.motebit_id !== "string" ||
|
|
299
|
+
typeof r.device_id !== "string" ||
|
|
300
|
+
typeof r.identity_public_key !== "string" ||
|
|
301
|
+
typeof r.se_public_key !== "string" ||
|
|
302
|
+
typeof r.attested_at !== "number") {
|
|
303
|
+
return { kind: "error", reason: "body field types invalid" };
|
|
304
|
+
}
|
|
305
|
+
return {
|
|
306
|
+
kind: "ok",
|
|
307
|
+
body: {
|
|
308
|
+
version: r.version,
|
|
309
|
+
algorithm: r.algorithm,
|
|
310
|
+
motebit_id: r.motebit_id,
|
|
311
|
+
device_id: r.device_id,
|
|
312
|
+
identity_public_key: r.identity_public_key,
|
|
313
|
+
se_public_key: r.se_public_key,
|
|
314
|
+
attested_at: r.attested_at,
|
|
315
|
+
},
|
|
316
|
+
};
|
|
317
|
+
}
|
|
318
|
+
// ── Test helper — mint a valid SE receipt from an in-process P-256 key ─
|
|
319
|
+
/**
|
|
320
|
+
* Test-only helper — encode a canonical body + signature into the
|
|
321
|
+
* receipt format. Tests that have a P-256 private key (via
|
|
322
|
+
* `@noble/curves/p256`) can call `signBytes` themselves, then hand the
|
|
323
|
+
* resulting body + signature to this helper to produce a well-formed
|
|
324
|
+
* receipt that `verifyHardwareAttestationClaim` will accept. Production
|
|
325
|
+
* callers MUST mint receipts via the Rust Secure Enclave bridge —
|
|
326
|
+
* never through this function.
|
|
327
|
+
*/
|
|
328
|
+
export function encodeSecureEnclaveReceiptForTest(bodyBytes, sigBytes) {
|
|
329
|
+
return `${toBase64Url(bodyBytes)}.${toBase64Url(sigBytes)}`;
|
|
330
|
+
}
|
|
331
|
+
/**
|
|
332
|
+
* Test-only helper — build a canonical body JSON's bytes. Use with
|
|
333
|
+
* `encodeSecureEnclaveReceiptForTest` to produce a full receipt for
|
|
334
|
+
* verification tests. Canonicalization matches what production would
|
|
335
|
+
* emit.
|
|
336
|
+
*/
|
|
337
|
+
export function canonicalSecureEnclaveBodyForTest(body) {
|
|
338
|
+
const full = {
|
|
339
|
+
version: "1",
|
|
340
|
+
algorithm: "ecdsa-p256-sha256",
|
|
341
|
+
...body,
|
|
342
|
+
};
|
|
343
|
+
return new TextEncoder().encode(canonicalJson(full));
|
|
344
|
+
}
|
|
345
|
+
/**
|
|
346
|
+
* Test-only convenience — generate a fresh P-256 keypair, sign the
|
|
347
|
+
* canonical body bytes with it, and assemble a `HardwareAttestationClaim`
|
|
348
|
+
* that `verifyHardwareAttestationClaim` accepts. Lets cross-workspace
|
|
349
|
+
* tests exercise the SE verification path without each caller pulling
|
|
350
|
+
* `@noble/curves` into their own dep tree.
|
|
351
|
+
*
|
|
352
|
+
* Production callers MUST mint receipts via the Rust Secure Enclave
|
|
353
|
+
* bridge — never through this function.
|
|
354
|
+
*/
|
|
355
|
+
export async function mintSecureEnclaveReceiptForTest(input) {
|
|
356
|
+
// Lazy import — keeps this helper from being dragged into the
|
|
357
|
+
// production verifier's import graph any earlier than necessary.
|
|
358
|
+
const { p256 } = await import("@noble/curves/p256");
|
|
359
|
+
const privateKey = p256.utils.randomPrivateKey();
|
|
360
|
+
const sePublicKey = p256.getPublicKey(privateKey, true); // compressed
|
|
361
|
+
const sePublicKeyHex = bytesToHexLocal(sePublicKey);
|
|
362
|
+
const bodyBytes = canonicalSecureEnclaveBodyForTest({
|
|
363
|
+
motebit_id: input.motebit_id,
|
|
364
|
+
device_id: input.device_id,
|
|
365
|
+
identity_public_key: input.identity_public_key,
|
|
366
|
+
se_public_key: sePublicKeyHex,
|
|
367
|
+
attested_at: input.attested_at,
|
|
368
|
+
});
|
|
369
|
+
const digest = await sha256Local(bodyBytes);
|
|
370
|
+
const sigBytes = p256.sign(digest, privateKey, { prehash: false }).toDERRawBytes();
|
|
371
|
+
const receipt = encodeSecureEnclaveReceiptForTest(bodyBytes, sigBytes);
|
|
372
|
+
return {
|
|
373
|
+
claim: {
|
|
374
|
+
platform: "secure_enclave",
|
|
375
|
+
key_exported: false,
|
|
376
|
+
attestation_receipt: receipt,
|
|
377
|
+
},
|
|
378
|
+
sePublicKeyHex,
|
|
379
|
+
};
|
|
380
|
+
}
|
|
381
|
+
function bytesToHexLocal(bytes) {
|
|
382
|
+
let hex = "";
|
|
383
|
+
for (let i = 0; i < bytes.length; i++) {
|
|
384
|
+
hex += bytes[i].toString(16).padStart(2, "0");
|
|
385
|
+
}
|
|
386
|
+
return hex;
|
|
387
|
+
}
|
|
388
|
+
async function sha256Local(bytes) {
|
|
389
|
+
const buf = await crypto.subtle.digest("SHA-256", bytes);
|
|
390
|
+
return new Uint8Array(buf);
|
|
391
|
+
}
|
|
392
|
+
function toBase64Url(bytes) {
|
|
393
|
+
// Match the conventions in signing.ts — base64url, no padding.
|
|
394
|
+
let binary = "";
|
|
395
|
+
for (let i = 0; i < bytes.length; i++) {
|
|
396
|
+
binary += String.fromCharCode(bytes[i]);
|
|
397
|
+
}
|
|
398
|
+
return btoa(binary).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
|
|
399
|
+
}
|
|
400
|
+
//# sourceMappingURL=hardware-attestation.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"hardware-attestation.js","sourceRoot":"","sources":["../src/hardware-attestation.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA6DG;AAIH,OAAO,EAAE,aAAa,EAAE,aAAa,EAAE,MAAM,cAAc,CAAC;AAC5D,OAAO,EAAE,qBAAqB,EAAE,MAAM,qBAAqB,CAAC;AAkK5D;;;;;;;;;;;;;;;;;;;;;;;;;GAyBG;AACH,MAAM,UAAU,8BAA8B,CAC5C,KAA+B,EAC/B,4BAAoC,EACpC,SAAwC,EACxC,kBAA+C;IAE/C,MAAM,QAAQ,GAAG,KAAK,CAAC,QAAQ,CAAC;IAChC,MAAM,MAAM,GAA+B,EAAE,CAAC;IAE9C,QAAQ,QAAQ,EAAE,CAAC;QACjB,KAAK,gBAAgB;YACnB,OAAO,wBAAwB,CAAC,KAAK,EAAE,4BAA4B,CAAC,CAAC;QACvE,KAAK,UAAU;YACb,8DAA8D;YAC9D,kEAAkE;YAClE,gEAAgE;YAChE,+DAA+D;YAC/D,+DAA+D;YAC/D,8CAA8C;YAC9C,MAAM,CAAC,IAAI,CAAC;gBACV,OAAO,EAAE,wEAAwE;aAClF,CAAC,CAAC;YACH,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,QAAQ,EAAE,UAAU,EAAE,MAAM,EAAE,CAAC;QACxD,KAAK,cAAc;YACjB,IAAI,SAAS,EAAE,WAAW,EAAE,CAAC;gBAC3B,OAAO,gBAAgB,CACrB,QAAQ,EACR,SAAS,CAAC,WAAW,CAAC,KAAK,EAAE,4BAA4B,EAAE,kBAAkB,CAAC,CAC/E,CAAC;YACJ,CAAC;YACD,MAAM,CAAC,IAAI,CAAC;gBACV,OAAO,EAAE,cAAc,QAAQ,iHAAiH;aACjJ,CAAC,CAAC;YACH,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,QAAQ,EAAE,MAAM,EAAE,CAAC;QAC5C,KAAK,KAAK;YACR,IAAI,SAAS,EAAE,GAAG,EAAE,CAAC;gBACnB,OAAO,gBAAgB,CACrB,QAAQ,EACR,SAAS,CAAC,GAAG,CAAC,KAAK,EAAE,4BAA4B,EAAE,kBAAkB,CAAC,CACvE,CAAC;YACJ,CAAC;YACD,MAAM,CAAC,IAAI,CAAC;gBACV,OAAO,EAAE,cAAc,QAAQ,iFAAiF;aACjH,CAAC,CAAC;YACH,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,QAAQ,EAAE,MAAM,EAAE,CAAC;QAC5C,KAAK,gBAAgB;YACnB,IAAI,SAAS,EAAE,aAAa,EAAE,CAAC;gBAC7B,OAAO,gBAAgB,CACrB,QAAQ,EACR,SAAS,CAAC,aAAa,CAAC,KAAK,EAAE,4BAA4B,EAAE,kBAAkB,CAAC,CACjF,CAAC;YACJ,CAAC;YACD,MAAM,CAAC,IAAI,CAAC;gBACV,OAAO,EAAE,cAAc,QAAQ,2FAA2F;aAC3H,CAAC,CAAC;YACH,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,QAAQ,EAAE,MAAM,EAAE,CAAC;QAC5C,KAAK,UAAU;YACb,IAAI,SAAS,EAAE,QAAQ,EAAE,CAAC;gBACxB,OAAO,gBAAgB,CACrB,QAAQ,EACR,SAAS,CAAC,QAAQ,CAAC,KAAK,EAAE,4BAA4B,EAAE,kBAAkB,CAAC,CAC5E,CAAC;YACJ,CAAC;YACD,MAAM,CAAC,IAAI,CAAC;gBACV,OAAO,EAAE,cAAc,QAAQ,0GAA0G;aAC1I,CAAC,CAAC;YACH,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,QAAQ,EAAE,MAAM,EAAE,CAAC;QAC5C,KAAK,kBAAkB;YACrB,IAAI,SAAS,EAAE,eAAe,EAAE,CAAC;gBAC/B,OAAO,gBAAgB,CACrB,QAAQ,EACR,SAAS,CAAC,eAAe,CAAC,KAAK,EAAE,4BAA4B,EAAE,kBAAkB,CAAC,CACnF,CAAC;YACJ,CAAC;YACD,MAAM,CAAC,IAAI,CAAC;gBACV,OAAO,EAAE,cAAc,QAAQ,gIAAgI;aAChK,CAAC,CAAC;YACH,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,QAAQ,EAAE,MAAM,EAAE,CAAC;QAC5C;YACE,MAAM,CAAC,IAAI,CAAC;gBACV,OAAO,EAAE,sBAAsB,KAAK,CAAC,QAAQ,+BAA+B;aAC7E,CAAC,CAAC;YACH,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,QAAQ,EAAE,IAAI,EAAE,MAAM,EAAE,CAAC;IACpD,CAAC;AACH,CAAC;AAED;;;;;;;GAOG;AACH,KAAK,UAAU,gBAAgB,CAC7B,QAA6B,EAC7B,MAOM;IAEN,MAAM,OAAO,GAAG,MAAM,OAAO,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;IAC9C,OAAO;QACL,KAAK,EAAE,OAAO,CAAC,KAAK;QACpB,QAAQ;QACR,MAAM,EAAE,OAAO,CAAC,MAAM,IAAI,EAAE;KAC7B,CAAC;AACJ,CAAC;AAED,wEAAwE;AAExE,SAAS,wBAAwB,CAC/B,KAA+B,EAC/B,4BAAoC;IAEpC,MAAM,MAAM,GAA+B,EAAE,CAAC;IAC9C,MAAM,QAAQ,GAAwB,gBAAgB,CAAC;IAEvD,IAAI,KAAK,CAAC,YAAY,KAAK,IAAI,EAAE,CAAC;QAChC,kEAAkE;QAClE,kEAAkE;QAClE,kEAAkE;QAClE,qDAAqD;QACrD,kEAAkE;QAClE,8DAA8D;QAC9D,2CAA2C;IAC7C,CAAC;IAED,IAAI,CAAC,KAAK,CAAC,mBAAmB,EAAE,CAAC;QAC/B,MAAM,CAAC,IAAI,CAAC;YACV,OAAO,EAAE,oDAAoD;SAC9D,CAAC,CAAC;QACH,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,QAAQ,EAAE,MAAM,EAAE,CAAC;IAC5C,CAAC;IAED,MAAM,KAAK,GAAG,KAAK,CAAC,mBAAmB,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IACnD,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACvB,MAAM,CAAC,IAAI,CAAC;YACV,OAAO,EAAE,uEAAuE,KAAK,CAAC,MAAM,EAAE;SAC/F,CAAC,CAAC;QACH,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,QAAQ,EAAE,MAAM,EAAE,CAAC;IAC5C,CAAC;IACD,MAAM,CAAC,OAAO,EAAE,MAAM,CAAC,GAAG,KAAyB,CAAC;IAEpD,IAAI,SAAqB,CAAC;IAC1B,IAAI,QAAoB,CAAC;IACzB,IAAI,CAAC;QACH,SAAS,GAAG,aAAa,CAAC,OAAO,CAAC,CAAC;QACnC,QAAQ,GAAG,aAAa,CAAC,MAAM,CAAC,CAAC;IACnC,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,CAAC,IAAI,CAAC;YACV,OAAO,EAAE,4BAA4B,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE;SACxF,CAAC,CAAC;QACH,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,QAAQ,EAAE,MAAM,EAAE,CAAC;IAC5C,CAAC;IAED,IAAI,QAAiB,CAAC;IACtB,IAAI,CAAC;QACH,QAAQ,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,SAAS,CAAC,CAAY,CAAC;IACxE,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,CAAC,IAAI,CAAC;YACV,OAAO,EAAE,2BAA2B,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE;SACvF,CAAC,CAAC;QACH,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,QAAQ,EAAE,MAAM,EAAE,CAAC;IAC5C,CAAC;IAED,MAAM,SAAS,GAAG,sBAAsB,CAAC,QAAQ,CAAC,CAAC;IACnD,IAAI,SAAS,CAAC,IAAI,KAAK,OAAO,EAAE,CAAC;QAC/B,MAAM,CAAC,IAAI,CAAC,EAAE,OAAO,EAAE,SAAS,CAAC,MAAM,EAAE,CAAC,CAAC;QAC3C,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,QAAQ,EAAE,MAAM,EAAE,CAAC;IAC5C,CAAC;IACD,MAAM,IAAI,GAAG,SAAS,CAAC,IAAI,CAAC;IAE5B,IAAI,IAAI,CAAC,OAAO,KAAK,GAAG,EAAE,CAAC;QACzB,MAAM,CAAC,IAAI,CAAC;YACV,OAAO,EAAE,6BAA6B,IAAI,CAAC,OAAO,kBAAkB;SACrE,CAAC,CAAC;QACH,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,QAAQ,EAAE,MAAM,EAAE,CAAC;IAC5C,CAAC;IACD,IAAI,IAAI,CAAC,SAAS,KAAK,mBAAmB,EAAE,CAAC;QAC3C,MAAM,CAAC,IAAI,CAAC;YACV,OAAO,EAAE,+BAA+B,IAAI,CAAC,SAAS,kCAAkC;SACzF,CAAC,CAAC;QACH,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,QAAQ,EAAE,MAAM,EAAE,CAAC;IAC5C,CAAC;IAED,oEAAoE;IACpE,oEAAoE;IACpE,iEAAiE;IACjE,iEAAiE;IACjE,8DAA8D;IAC9D,+DAA+D;IAC/D,IAAI,QAAiB,CAAC;IACtB,IAAI,CAAC;QACH,QAAQ,GAAG,qBAAqB,CAAC,IAAI,CAAC,aAAa,EAAE,SAAS,EAAE,QAAQ,CAAC,CAAC;IAC5E,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,CAAC,IAAI,CAAC;YACV,OAAO,EAAE,+BAA+B,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE;SAC3F,CAAC,CAAC;QACH,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,QAAQ,EAAE,MAAM,EAAE,CAAC;IAC5C,CAAC;IAED,IAAI,CAAC,QAAQ,EAAE,CAAC;QACd,MAAM,CAAC,IAAI,CAAC;YACV,OAAO,EAAE,8DAA8D;SACxE,CAAC,CAAC;QACH,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,QAAQ,EAAE,MAAM,EAAE,CAAC;IAC5C,CAAC;IAED,gEAAgE;IAChE,+DAA+D;IAC/D,uDAAuD;IACvD,IAAI,IAAI,CAAC,mBAAmB,CAAC,WAAW,EAAE,KAAK,4BAA4B,CAAC,WAAW,EAAE,EAAE,CAAC;QAC1F,MAAM,CAAC,IAAI,CAAC;YACV,OAAO,EAAE,4CAA4C,IAAI,CAAC,mBAAmB,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,eAAe,4BAA4B,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,GAAG;SACtJ,CAAC,CAAC;QACH,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,QAAQ,EAAE,MAAM,EAAE,CAAC;IAC5C,CAAC;IAED,OAAO;QACL,KAAK,EAAE,IAAI;QACX,QAAQ;QACR,aAAa,EAAE,IAAI,CAAC,aAAa;QACjC,WAAW,EAAE,IAAI,CAAC,WAAW;QAC7B,MAAM,EAAE,EAAE;KACX,CAAC;AACJ,CAAC;AAID,SAAS,sBAAsB,CAAC,GAAY;IAC1C,IAAI,GAAG,KAAK,IAAI,IAAI,OAAO,GAAG,KAAK,QAAQ,EAAE,CAAC;QAC5C,OAAO,EAAE,IAAI,EAAE,OAAO,EAAE,MAAM,EAAE,2BAA2B,EAAE,CAAC;IAChE,CAAC;IACD,MAAM,CAAC,GAAG,GAA8B,CAAC;IACzC,MAAM,MAAM,GAAmC;QAC7C,SAAS;QACT,WAAW;QACX,YAAY;QACZ,WAAW;QACX,qBAAqB;QACrB,eAAe;QACf,aAAa;KACd,CAAC;IACF,KAAK,MAAM,CAAC,IAAI,MAAM,EAAE,CAAC;QACvB,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,EAAE,CAAC;YACd,OAAO,EAAE,IAAI,EAAE,OAAO,EAAE,MAAM,EAAE,gCAAgC,CAAC,GAAG,EAAE,CAAC;QACzE,CAAC;IACH,CAAC;IACD,IACE,OAAO,CAAC,CAAC,OAAO,KAAK,QAAQ;QAC7B,OAAO,CAAC,CAAC,SAAS,KAAK,QAAQ;QAC/B,OAAO,CAAC,CAAC,UAAU,KAAK,QAAQ;QAChC,OAAO,CAAC,CAAC,SAAS,KAAK,QAAQ;QAC/B,OAAO,CAAC,CAAC,mBAAmB,KAAK,QAAQ;QACzC,OAAO,CAAC,CAAC,aAAa,KAAK,QAAQ;QACnC,OAAO,CAAC,CAAC,WAAW,KAAK,QAAQ,EACjC,CAAC;QACD,OAAO,EAAE,IAAI,EAAE,OAAO,EAAE,MAAM,EAAE,0BAA0B,EAAE,CAAC;IAC/D,CAAC;IACD,OAAO;QACL,IAAI,EAAE,IAAI;QACV,IAAI,EAAE;YACJ,OAAO,EAAE,CAAC,CAAC,OAAO;YAClB,SAAS,EAAE,CAAC,CAAC,SAAS;YACtB,UAAU,EAAE,CAAC,CAAC,UAAU;YACxB,SAAS,EAAE,CAAC,CAAC,SAAS;YACtB,mBAAmB,EAAE,CAAC,CAAC,mBAAmB;YAC1C,aAAa,EAAE,CAAC,CAAC,aAAa;YAC9B,WAAW,EAAE,CAAC,CAAC,WAAW;SAC3B;KACF,CAAC;AACJ,CAAC;AAED,0EAA0E;AAE1E;;;;;;;;GAQG;AACH,MAAM,UAAU,iCAAiC,CAC/C,SAAqB,EACrB,QAAoB;IAEpB,OAAO,GAAG,WAAW,CAAC,SAAS,CAAC,IAAI,WAAW,CAAC,QAAQ,CAAC,EAAE,CAAC;AAC9D,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,iCAAiC,CAAC,IAMjD;IACC,MAAM,IAAI,GAAsB;QAC9B,OAAO,EAAE,GAAG;QACZ,SAAS,EAAE,mBAAmB;QAC9B,GAAG,IAAI;KACR,CAAC;IACF,OAAO,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,aAAa,CAAC,IAAI,CAAC,CAAC,CAAC;AACvD,CAAC;AAED;;;;;;;;;GASG;AACH,MAAM,CAAC,KAAK,UAAU,+BAA+B,CAAC,KAKrD;IACC,8DAA8D;IAC9D,iEAAiE;IACjE,MAAM,EAAE,IAAI,EAAE,GAAG,MAAM,MAAM,CAAC,oBAAoB,CAAC,CAAC;IACpD,MAAM,UAAU,GAAG,IAAI,CAAC,KAAK,CAAC,gBAAgB,EAAE,CAAC;IACjD,MAAM,WAAW,GAAG,IAAI,CAAC,YAAY,CAAC,UAAU,EAAE,IAAI,CAAC,CAAC,CAAC,aAAa;IACtE,MAAM,cAAc,GAAG,eAAe,CAAC,WAAW,CAAC,CAAC;IACpD,MAAM,SAAS,GAAG,iCAAiC,CAAC;QAClD,UAAU,EAAE,KAAK,CAAC,UAAU;QAC5B,SAAS,EAAE,KAAK,CAAC,SAAS;QAC1B,mBAAmB,EAAE,KAAK,CAAC,mBAAmB;QAC9C,aAAa,EAAE,cAAc;QAC7B,WAAW,EAAE,KAAK,CAAC,WAAW;KAC/B,CAAC,CAAC;IACH,MAAM,MAAM,GAAG,MAAM,WAAW,CAAC,SAAS,CAAC,CAAC;IAC5C,MAAM,QAAQ,GAAG,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,UAAU,EAAE,EAAE,OAAO,EAAE,KAAK,EAAE,CAAC,CAAC,aAAa,EAAE,CAAC;IACnF,MAAM,OAAO,GAAG,iCAAiC,CAAC,SAAS,EAAE,QAAQ,CAAC,CAAC;IACvE,OAAO;QACL,KAAK,EAAE;YACL,QAAQ,EAAE,gBAAgB;YAC1B,YAAY,EAAE,KAAK;YACnB,mBAAmB,EAAE,OAAO;SAC7B;QACD,cAAc;KACf,CAAC;AACJ,CAAC;AAED,SAAS,eAAe,CAAC,KAAiB;IACxC,IAAI,GAAG,GAAG,EAAE,CAAC;IACb,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QACtC,GAAG,IAAI,KAAK,CAAC,CAAC,CAAE,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC;IACjD,CAAC;IACD,OAAO,GAAG,CAAC;AACb,CAAC;AAED,KAAK,UAAU,WAAW,CAAC,KAAiB;IAC1C,MAAM,GAAG,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,SAAS,EAAE,KAAqB,CAAC,CAAC;IACzE,OAAO,IAAI,UAAU,CAAC,GAAG,CAAC,CAAC;AAC7B,CAAC;AAED,SAAS,WAAW,CAAC,KAAiB;IACpC,+DAA+D;IAC/D,IAAI,MAAM,GAAG,EAAE,CAAC;IAChB,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QACtC,MAAM,IAAI,MAAM,CAAC,YAAY,CAAC,KAAK,CAAC,CAAC,CAAE,CAAC,CAAC;IAC3C,CAAC;IACD,OAAO,IAAI,CAAC,MAAM,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;AACjF,CAAC"}
|
package/dist/index.d.ts
CHANGED
|
@@ -107,6 +107,8 @@ export interface ExecutionReceipt {
|
|
|
107
107
|
}
|
|
108
108
|
export type { DataIntegrityProof, VerifiableCredential, VerifiablePresentation, } from "./credentials.js";
|
|
109
109
|
import type { VerifiableCredential, VerifiablePresentation } from "./credentials.js";
|
|
110
|
+
import type { SkillEnvelope } from "@motebit/protocol";
|
|
111
|
+
import type { SkillVerifyReason } from "./skills.js";
|
|
110
112
|
export { verifyHardwareAttestationClaim, canonicalSecureEnclaveBodyForTest, encodeSecureEnclaveReceiptForTest, mintSecureEnclaveReceiptForTest, } from "./hardware-attestation.js";
|
|
111
113
|
export type { AttestationPlatform, HardwareAttestationError, HardwareAttestationVerifyResult, HardwareAttestationVerifiers, DeviceCheckVerifierContext, } from "./hardware-attestation.js";
|
|
112
114
|
import type { HardwareAttestationVerifiers, HardwareAttestationVerifyResult } from "./hardware-attestation.js";
|
|
@@ -158,7 +160,68 @@ export interface PresentationVerifyResult extends BaseResult {
|
|
|
158
160
|
holder?: string;
|
|
159
161
|
credentials?: CredentialVerifyResult[];
|
|
160
162
|
}
|
|
161
|
-
|
|
163
|
+
/**
|
|
164
|
+
* Per-file verification outcome inside a `SkillVerifyResult`. Each entry
|
|
165
|
+
* cross-checks `envelope.files[].hash` against `sha256(<file bytes>)`.
|
|
166
|
+
* `actual === null` means the verifier had no on-disk bytes to compare —
|
|
167
|
+
* either the bundle didn't ship the file or a directory walker couldn't
|
|
168
|
+
* locate it. Distinct shape from envelope-signature failure: a missing
|
|
169
|
+
* file is an unverifiable claim, not a forged one.
|
|
170
|
+
*/
|
|
171
|
+
export interface SkillFileVerifyResult {
|
|
172
|
+
readonly path: string;
|
|
173
|
+
readonly valid: boolean;
|
|
174
|
+
readonly expected: string;
|
|
175
|
+
readonly actual: string | null;
|
|
176
|
+
/** `"ok" | "hash_mismatch" | "missing"`. */
|
|
177
|
+
readonly reason: "ok" | "hash_mismatch" | "missing";
|
|
178
|
+
}
|
|
179
|
+
/**
|
|
180
|
+
* Verification outcome for a `SkillEnvelope` (per `spec/skills-v1.md` §5)
|
|
181
|
+
* with optional on-disk body + file cross-checks.
|
|
182
|
+
*
|
|
183
|
+
* Three independent verification axes:
|
|
184
|
+
* - `steps.envelope` — Ed25519 signature over canonical envelope bytes.
|
|
185
|
+
* Always populated; the primitive lives in this package.
|
|
186
|
+
* - `steps.body_hash` — `sha256(LF-normalized SKILL.md bytes)` cross-
|
|
187
|
+
* checked against `envelope.body_hash`. Populated by callers that
|
|
188
|
+
* read the body from disk (the `@motebit/verifier` directory walker
|
|
189
|
+
* does this); `null` when this layer was called with bare envelope
|
|
190
|
+
* JSON and had no body bytes to compare.
|
|
191
|
+
* - `steps.files` — per-file `sha256` cross-checks. Empty array when
|
|
192
|
+
* no file bytes were provided to compare; otherwise one entry per
|
|
193
|
+
* `envelope.files[]` declaration.
|
|
194
|
+
*
|
|
195
|
+
* `valid` reflects "every attempted axis passed AND every declared
|
|
196
|
+
* cross-check was attempted." Calling crypto's `verify(envelope)`
|
|
197
|
+
* directly returns `valid: false` with `body_hash: null` and `files:
|
|
198
|
+
* []` because the bare envelope can only be sig-verified — full
|
|
199
|
+
* verification requires the on-disk bytes. The
|
|
200
|
+
* `@motebit/verifier::verifySkillDirectory` library completes the
|
|
201
|
+
* other two axes; that's the canonical full-verify entry point for
|
|
202
|
+
* skills.
|
|
203
|
+
*/
|
|
204
|
+
export interface SkillVerifyResult extends BaseResult {
|
|
205
|
+
type: "skill";
|
|
206
|
+
envelope: SkillEnvelope | null;
|
|
207
|
+
/** Compact identifier — `<name>@<version>` from `envelope.skill`. */
|
|
208
|
+
skill?: string;
|
|
209
|
+
/** Echoed from `envelope.signature.public_key`. */
|
|
210
|
+
signer?: string;
|
|
211
|
+
steps: {
|
|
212
|
+
envelope: {
|
|
213
|
+
valid: boolean;
|
|
214
|
+
reason: SkillVerifyReason;
|
|
215
|
+
};
|
|
216
|
+
body_hash: {
|
|
217
|
+
valid: boolean;
|
|
218
|
+
expected: string;
|
|
219
|
+
actual: string;
|
|
220
|
+
} | null;
|
|
221
|
+
files: ReadonlyArray<SkillFileVerifyResult>;
|
|
222
|
+
};
|
|
223
|
+
}
|
|
224
|
+
export type VerifyResult = IdentityVerifyResult | ReceiptVerifyResult | CredentialVerifyResult | PresentationVerifyResult | SkillVerifyResult;
|
|
162
225
|
export type ArtifactType = VerifyResult["type"];
|
|
163
226
|
export interface VerifyOptions {
|
|
164
227
|
expectedType?: ArtifactType;
|
|
@@ -205,6 +268,58 @@ export declare function parse(content: string): {
|
|
|
205
268
|
signature: string;
|
|
206
269
|
rawFrontmatter: string;
|
|
207
270
|
};
|
|
271
|
+
/**
|
|
272
|
+
* Bundle-shape input for `verifySkillBundle`. The full-verify
|
|
273
|
+
* primitive — envelope signature + body hash + per-file hashes — runs
|
|
274
|
+
* pure on these bytes, no I/O, no environment-specific shape.
|
|
275
|
+
*
|
|
276
|
+
* Body bytes are LF-normalized SKILL.md content (the exact bytes the
|
|
277
|
+
* envelope's `body_hash` was computed over at sign time). Files map
|
|
278
|
+
* each path declared in `envelope.files[]` to its raw bytes. Callers
|
|
279
|
+
* with base64-encoded inputs (relay-served `SkillRegistryBundle`,
|
|
280
|
+
* tarball decoders) decode to `Uint8Array` before calling.
|
|
281
|
+
*
|
|
282
|
+
* Single canonical primitive across surfaces:
|
|
283
|
+
* - `motebit-verify` CLI / `@motebit/verifier::verifySkillDirectory`
|
|
284
|
+
* reads from disk → builds this shape → calls `verifySkillBundle`.
|
|
285
|
+
* - Browser consumers (`motebit.com/skills`, third-party registries,
|
|
286
|
+
* CI pipelines) decode from base64 → builds this shape → calls
|
|
287
|
+
* `verifySkillBundle`.
|
|
288
|
+
*
|
|
289
|
+
* Both paths produce the same `SkillVerifyResult` with the same step
|
|
290
|
+
* semantics. Same primitive, swap the I/O.
|
|
291
|
+
*/
|
|
292
|
+
export interface SkillBundleInput {
|
|
293
|
+
readonly envelope: SkillEnvelope;
|
|
294
|
+
/** LF-normalized SKILL.md body bytes — the exact bytes signed at envelope-sign time. */
|
|
295
|
+
readonly body: Uint8Array;
|
|
296
|
+
/** Per-path raw bytes for every entry in `envelope.files[]`. Omit a path to mark it missing. */
|
|
297
|
+
readonly files?: Readonly<Record<string, Uint8Array>>;
|
|
298
|
+
}
|
|
299
|
+
/**
|
|
300
|
+
* Verify a skill bundle end-to-end. Pure function — no I/O. Performs
|
|
301
|
+
* the three independent verification axes:
|
|
302
|
+
*
|
|
303
|
+
* 1. Envelope signature — Ed25519 over the canonical envelope bytes.
|
|
304
|
+
* 2. Body hash — `sha256(body)` cross-checked against `envelope.body_hash`.
|
|
305
|
+
* 3. Per-file hashes — for each entry in `envelope.files[]`,
|
|
306
|
+
* `sha256(files[path])` cross-checked against `entry.hash`. A
|
|
307
|
+
* missing path (envelope declared it; bundle didn't ship bytes)
|
|
308
|
+
* surfaces as `valid: false` with `reason: "missing"`.
|
|
309
|
+
*
|
|
310
|
+
* `valid: true` iff every axis passed AND every declared file was
|
|
311
|
+
* provided. The detailed step shape lets callers render per-axis
|
|
312
|
+
* outcomes — the canonical doctrine is "every routing-input claim
|
|
313
|
+
* MUST be visible to the user", and the same applies to verification:
|
|
314
|
+
* a one-bit valid/invalid throws away which axis failed.
|
|
315
|
+
*
|
|
316
|
+
* Faithful to `services/relay/CLAUDE.md` rule 6 ("relay is a
|
|
317
|
+
* convenience layer, not a trust root"): any consumer with a bundle
|
|
318
|
+
* — from any source, motebit-served or not — answers "is this signed
|
|
319
|
+
* AND do the bytes match what the publisher signed?" using only this
|
|
320
|
+
* primitive, no relay or runtime contact required.
|
|
321
|
+
*/
|
|
322
|
+
export declare function verifySkillBundle(input: SkillBundleInput): Promise<SkillVerifyResult>;
|
|
208
323
|
/**
|
|
209
324
|
* Verify any Motebit artifact: identity file, execution receipt,
|
|
210
325
|
* verifiable credential, or verifiable presentation.
|
|
@@ -262,4 +377,8 @@ export * from "./signing.js";
|
|
|
262
377
|
export * from "./artifacts.js";
|
|
263
378
|
export { signVerifiableCredential, verifyVerifiableCredential, signVerifiablePresentation, verifyVerifiablePresentation, issueGradientCredential, issueReputationCredential, issueTrustCredential, createPresentation, type GradientCredentialSubject, type ReputationCredentialSubject, type TrustCredentialSubject, } from "./credentials.js";
|
|
264
379
|
export { computeCredentialLeaf, verifyCredentialAnchor, verifyRevocationAnchor, type CredentialAnchorVerifyResult, type CredentialAnchorProofFields, type ChainAnchorVerifier, type RevocationAnchorVerifyResult, type RevocationAnchorProof, } from "./credential-anchor.js";
|
|
380
|
+
export { SKILL_SIGNATURE_SUITE, canonicalizeSkillManifestBytes, canonicalizeSkillEnvelopeBytes, signSkillManifest, signSkillEnvelope, verifySkillManifest, verifySkillManifestDetailed, verifySkillEnvelope, verifySkillEnvelopeDetailed, decodeSkillSignaturePublicKey, type SkillVerifyReason, type SkillVerifyDetail, } from "./skills.js";
|
|
381
|
+
export { DELETION_CERTIFICATE_SUITE, WITNESS_OMISSION_DISPUTE_WINDOW_MS, canonicalizeMultiSignatureCert, canonicalizeHorizonCert, canonicalizeHorizonCertForWitness, signCertAsSubject, signCertAsOperator, signCertAsDelegate, signCertAsGuardian, signHorizonCertAsIssuer, signHorizonWitness, canonicalizeHorizonWitnessRequestBody, signHorizonWitnessRequestBody, verifyHorizonWitnessRequestSignature, verifyDeletionCertificate, verifyRetentionManifest, type DeletionCertificateVerifyResult, type DeletionCertificateVerifyContext, type RetentionManifestVerifyResult, } from "./deletion-certificate.js";
|
|
382
|
+
export { canonicalizeWitnessOmissionDispute, signWitnessOmissionDispute, verifyWitnessOmissionDispute, type WitnessOmissionDisputeVerifyResult, type WitnessOmissionDisputeVerifyContext, } from "./witness-omission-dispute.js";
|
|
383
|
+
export { verifyMerkleInclusion } from "./merkle.js";
|
|
265
384
|
//# sourceMappingURL=index.d.ts.map
|
package/dist/index.d.ts.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;GAsBG;AAYH,MAAM,WAAW,mBAAmB;IAClC,IAAI,EAAE,MAAM,CAAC;IACb,UAAU,EAAE,MAAM,CAAC;IACnB,UAAU,EAAE,MAAM,CAAC;IACnB,QAAQ,EAAE,MAAM,CAAC;IAGjB,IAAI,CAAC,EAAE,UAAU,GAAG,SAAS,GAAG,eAAe,CAAC;IAChD,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,mBAAmB,CAAC,EAAE,MAAM,CAAC;IAC7B,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,YAAY,CAAC,EAAE,MAAM,EAAE,CAAC;IACxB,SAAS,CAAC,EAAE,MAAM,CAAC;IAEnB,QAAQ,EAAE;QACR,SAAS,EAAE,SAAS,CAAC;QACrB,UAAU,EAAE,MAAM,CAAC;KACpB,CAAC;IAEF,UAAU,EAAE;QACV,UAAU,EAAE,MAAM,GAAG,SAAS,GAAG,SAAS,CAAC;QAC3C,aAAa,EAAE,MAAM,CAAC;QACtB,sBAAsB,EAAE,MAAM,CAAC;QAC/B,UAAU,EAAE,MAAM,CAAC;QACnB,aAAa,EAAE,OAAO,CAAC;KACxB,CAAC;IAEF,OAAO,EAAE;QACP,mBAAmB,EAAE,MAAM,CAAC;QAC5B,cAAc,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;QACvC,WAAW,EAAE,OAAO,CAAC;KACtB,CAAC;IAEF,MAAM,EAAE;QACN,cAAc,EAAE,MAAM,CAAC;QACvB,oBAAoB,EAAE,MAAM,CAAC;QAC7B,cAAc,EAAE,MAAM,CAAC;KACxB,CAAC;IAEF,8EAA8E;IAC9E,QAAQ,CAAC,EAAE;QACT,UAAU,EAAE,MAAM,CAAC;QACnB,YAAY,CAAC,EAAE,MAAM,CAAC;QACtB,eAAe,CAAC,EAAE,MAAM,CAAC;QACzB,cAAc,EAAE,MAAM,CAAC;QACvB,6DAA6D;QAC7D,WAAW,CAAC,EAAE,MAAM,CAAC;KACtB,CAAC;IAEF,OAAO,EAAE,KAAK,CAAC;QACb,SAAS,EAAE,MAAM,CAAC;QAClB,IAAI,EAAE,MAAM,CAAC;QACb,UAAU,EAAE,MAAM,CAAC;QACnB,aAAa,EAAE,MAAM,CAAC;KACvB,CAAC,CAAC;IAEH,UAAU,CAAC,EAAE,KAAK,CAAC,gBAAgB,CAAC,CAAC;CACtC;AAED,MAAM,WAAW,gBAAgB;IAC/B,cAAc,EAAE,MAAM,CAAC;IACvB,cAAc,EAAE,MAAM,CAAC;IACvB,SAAS,EAAE,MAAM,CAAC;IAClB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB;;;OAGG;IACH,KAAK,EAAE,4BAA4B,CAAC;IACpC,iBAAiB,CAAC,EAAE,MAAM,CAAC;IAC3B,iBAAiB,EAAE,MAAM,CAAC;IAC1B,oEAAoE;IACpE,QAAQ,CAAC,EAAE,OAAO,CAAC;IACnB,+DAA+D;IAC/D,kBAAkB,CAAC,EAAE,MAAM,CAAC;CAC7B;AAMD,MAAM,WAAW,gBAAgB;IAC/B,OAAO,EAAE,MAAM,CAAC;IAChB,UAAU,EAAE,MAAM,CAAC;IACnB,oFAAoF;IACpF,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,SAAS,EAAE,MAAM,CAAC;IAClB,YAAY,EAAE,MAAM,CAAC;IACrB,YAAY,EAAE,MAAM,CAAC;IACrB,MAAM,EAAE,MAAM,CAAC;IACf,MAAM,EAAE,MAAM,CAAC;IACf,UAAU,EAAE,MAAM,EAAE,CAAC;IACrB,eAAe,EAAE,MAAM,CAAC;IACxB,WAAW,EAAE,MAAM,CAAC;IACpB,WAAW,EAAE,MAAM,CAAC;IACpB,mBAAmB,CAAC,EAAE,gBAAgB,EAAE,CAAC;IACzC,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,SAAS,EAAE,MAAM,CAAC;CACnB;AAOD,YAAY,EACV,kBAAkB,EAClB,oBAAoB,EACpB,sBAAsB,GACvB,MAAM,kBAAkB,CAAC;AAC1B,OAAO,KAAK,EAEV,oBAAoB,EACpB,sBAAsB,EACvB,MAAM,kBAAkB,CAAC;
|
|
1
|
+
{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;GAsBG;AAYH,MAAM,WAAW,mBAAmB;IAClC,IAAI,EAAE,MAAM,CAAC;IACb,UAAU,EAAE,MAAM,CAAC;IACnB,UAAU,EAAE,MAAM,CAAC;IACnB,QAAQ,EAAE,MAAM,CAAC;IAGjB,IAAI,CAAC,EAAE,UAAU,GAAG,SAAS,GAAG,eAAe,CAAC;IAChD,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,mBAAmB,CAAC,EAAE,MAAM,CAAC;IAC7B,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,YAAY,CAAC,EAAE,MAAM,EAAE,CAAC;IACxB,SAAS,CAAC,EAAE,MAAM,CAAC;IAEnB,QAAQ,EAAE;QACR,SAAS,EAAE,SAAS,CAAC;QACrB,UAAU,EAAE,MAAM,CAAC;KACpB,CAAC;IAEF,UAAU,EAAE;QACV,UAAU,EAAE,MAAM,GAAG,SAAS,GAAG,SAAS,CAAC;QAC3C,aAAa,EAAE,MAAM,CAAC;QACtB,sBAAsB,EAAE,MAAM,CAAC;QAC/B,UAAU,EAAE,MAAM,CAAC;QACnB,aAAa,EAAE,OAAO,CAAC;KACxB,CAAC;IAEF,OAAO,EAAE;QACP,mBAAmB,EAAE,MAAM,CAAC;QAC5B,cAAc,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;QACvC,WAAW,EAAE,OAAO,CAAC;KACtB,CAAC;IAEF,MAAM,EAAE;QACN,cAAc,EAAE,MAAM,CAAC;QACvB,oBAAoB,EAAE,MAAM,CAAC;QAC7B,cAAc,EAAE,MAAM,CAAC;KACxB,CAAC;IAEF,8EAA8E;IAC9E,QAAQ,CAAC,EAAE;QACT,UAAU,EAAE,MAAM,CAAC;QACnB,YAAY,CAAC,EAAE,MAAM,CAAC;QACtB,eAAe,CAAC,EAAE,MAAM,CAAC;QACzB,cAAc,EAAE,MAAM,CAAC;QACvB,6DAA6D;QAC7D,WAAW,CAAC,EAAE,MAAM,CAAC;KACtB,CAAC;IAEF,OAAO,EAAE,KAAK,CAAC;QACb,SAAS,EAAE,MAAM,CAAC;QAClB,IAAI,EAAE,MAAM,CAAC;QACb,UAAU,EAAE,MAAM,CAAC;QACnB,aAAa,EAAE,MAAM,CAAC;KACvB,CAAC,CAAC;IAEH,UAAU,CAAC,EAAE,KAAK,CAAC,gBAAgB,CAAC,CAAC;CACtC;AAED,MAAM,WAAW,gBAAgB;IAC/B,cAAc,EAAE,MAAM,CAAC;IACvB,cAAc,EAAE,MAAM,CAAC;IACvB,SAAS,EAAE,MAAM,CAAC;IAClB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB;;;OAGG;IACH,KAAK,EAAE,4BAA4B,CAAC;IACpC,iBAAiB,CAAC,EAAE,MAAM,CAAC;IAC3B,iBAAiB,EAAE,MAAM,CAAC;IAC1B,oEAAoE;IACpE,QAAQ,CAAC,EAAE,OAAO,CAAC;IACnB,+DAA+D;IAC/D,kBAAkB,CAAC,EAAE,MAAM,CAAC;CAC7B;AAMD,MAAM,WAAW,gBAAgB;IAC/B,OAAO,EAAE,MAAM,CAAC;IAChB,UAAU,EAAE,MAAM,CAAC;IACnB,oFAAoF;IACpF,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,SAAS,EAAE,MAAM,CAAC;IAClB,YAAY,EAAE,MAAM,CAAC;IACrB,YAAY,EAAE,MAAM,CAAC;IACrB,MAAM,EAAE,MAAM,CAAC;IACf,MAAM,EAAE,MAAM,CAAC;IACf,UAAU,EAAE,MAAM,EAAE,CAAC;IACrB,eAAe,EAAE,MAAM,CAAC;IACxB,WAAW,EAAE,MAAM,CAAC;IACpB,WAAW,EAAE,MAAM,CAAC;IACpB,mBAAmB,CAAC,EAAE,gBAAgB,EAAE,CAAC;IACzC,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,SAAS,EAAE,MAAM,CAAC;CACnB;AAOD,YAAY,EACV,kBAAkB,EAClB,oBAAoB,EACpB,sBAAsB,GACvB,MAAM,kBAAkB,CAAC;AAC1B,OAAO,KAAK,EAEV,oBAAoB,EACpB,sBAAsB,EACvB,MAAM,kBAAkB,CAAC;AAC1B,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,mBAAmB,CAAC;AAEvD,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,aAAa,CAAC;AAKrD,OAAO,EACL,8BAA8B,EAC9B,iCAAiC,EACjC,iCAAiC,EACjC,+BAA+B,GAChC,MAAM,2BAA2B,CAAC;AACnC,YAAY,EACV,mBAAmB,EACnB,wBAAwB,EACxB,+BAA+B,EAC/B,4BAA4B,EAC5B,0BAA0B,GAC3B,MAAM,2BAA2B,CAAC;AAEnC,OAAO,KAAK,EACV,4BAA4B,EAC5B,+BAA+B,EAChC,MAAM,2BAA2B,CAAC;AAMnC,MAAM,WAAW,iBAAiB;IAChC,OAAO,EAAE,MAAM,CAAC;IAChB,IAAI,CAAC,EAAE,MAAM,CAAC;CACf;AAED,UAAU,UAAU;IAClB,KAAK,EAAE,OAAO,CAAC;IACf,MAAM,CAAC,EAAE,iBAAiB,EAAE,CAAC;CAC9B;AAED,MAAM,WAAW,oBAAqB,SAAQ,UAAU;IACtD,IAAI,EAAE,UAAU,CAAC;IACjB,QAAQ,EAAE,mBAAmB,GAAG,IAAI,CAAC;IACrC,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,4EAA4E;IAC5E,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,UAAU,CAAC,EAAE;QACX,KAAK,EAAE,OAAO,CAAC;QACf,kBAAkB,CAAC,EAAE,MAAM,CAAC;QAC5B,SAAS,EAAE,MAAM,CAAC;QAClB,KAAK,CAAC,EAAE,MAAM,CAAC;KAChB,CAAC;CACH;AAED,MAAM,WAAW,mBAAoB,SAAQ,UAAU;IACrD,IAAI,EAAE,SAAS,CAAC;IAChB,OAAO,EAAE,gBAAgB,GAAG,IAAI,CAAC;IACjC,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,WAAW,CAAC,EAAE,mBAAmB,EAAE,CAAC;CACrC;AAED,MAAM,WAAW,sBAAuB,SAAQ,UAAU;IACxD,IAAI,EAAE,YAAY,CAAC;IACnB,UAAU,EAAE,oBAAoB,GAAG,IAAI,CAAC;IACxC,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,OAAO,CAAC,EAAE,OAAO,CAAC;IAClB;;;;;;OAMG;IACH,oBAAoB,CAAC,EAAE,+BAA+B,CAAC;CACxD;AAED,MAAM,WAAW,wBAAyB,SAAQ,UAAU;IAC1D,IAAI,EAAE,cAAc,CAAC;IACrB,YAAY,EAAE,sBAAsB,GAAG,IAAI,CAAC;IAC5C,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,WAAW,CAAC,EAAE,sBAAsB,EAAE,CAAC;CACxC;AAED;;;;;;;GAOG;AACH,MAAM,WAAW,qBAAqB;IACpC,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,QAAQ,CAAC,KAAK,EAAE,OAAO,CAAC;IACxB,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAC;IAC1B,QAAQ,CAAC,MAAM,EAAE,MAAM,GAAG,IAAI,CAAC;IAC/B,4CAA4C;IAC5C,QAAQ,CAAC,MAAM,EAAE,IAAI,GAAG,eAAe,GAAG,SAAS,CAAC;CACrD;AAED;;;;;;;;;;;;;;;;;;;;;;;;GAwBG;AACH,MAAM,WAAW,iBAAkB,SAAQ,UAAU;IACnD,IAAI,EAAE,OAAO,CAAC;IACd,QAAQ,EAAE,aAAa,GAAG,IAAI,CAAC;IAC/B,qEAAqE;IACrE,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,mDAAmD;IACnD,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,KAAK,EAAE;QACL,QAAQ,EAAE;YAAE,KAAK,EAAE,OAAO,CAAC;YAAC,MAAM,EAAE,iBAAiB,CAAA;SAAE,CAAC;QACxD,SAAS,EAAE;YAAE,KAAK,EAAE,OAAO,CAAC;YAAC,QAAQ,EAAE,MAAM,CAAC;YAAC,MAAM,EAAE,MAAM,CAAA;SAAE,GAAG,IAAI,CAAC;QACvE,KAAK,EAAE,aAAa,CAAC,qBAAqB,CAAC,CAAC;KAC7C,CAAC;CACH;AAED,MAAM,MAAM,YAAY,GACpB,oBAAoB,GACpB,mBAAmB,GACnB,sBAAsB,GACtB,wBAAwB,GACxB,iBAAiB,CAAC;AAEtB,MAAM,MAAM,YAAY,GAAG,YAAY,CAAC,MAAM,CAAC,CAAC;AAEhD,MAAM,WAAW,aAAa;IAC5B,YAAY,CAAC,EAAE,YAAY,CAAC;IAC5B,iFAAiF;IACjF,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B;;;;;;;;OAQG;IACH,mBAAmB,CAAC,EAAE,4BAA4B,CAAC;CACpD;AAMD;;;;;;;;GAQG;AACH,MAAM,WAAW,kBAAkB;IACjC,KAAK,EAAE,OAAO,CAAC;IACf,QAAQ,EAAE,mBAAmB,GAAG,IAAI,CAAC;IACrC,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,UAAU,CAAC,EAAE;QACX,KAAK,EAAE,OAAO,CAAC;QACf,kBAAkB,CAAC,EAAE,MAAM,CAAC;QAC5B,SAAS,EAAE,MAAM,CAAC;QAClB,KAAK,CAAC,EAAE,MAAM,CAAC;KAChB,CAAC;CACH;AAqVD;;;GAGG;AACH,wBAAgB,KAAK,CAAC,OAAO,EAAE,MAAM,GAAG;IACtC,WAAW,EAAE,mBAAmB,CAAC;IACjC,SAAS,EAAE,MAAM,CAAC;IAClB,cAAc,EAAE,MAAM,CAAC;CACxB,CAgCA;AA8aD;;;;;;;;;;;;;;;;;;;;GAoBG;AACH,MAAM,WAAW,gBAAgB;IAC/B,QAAQ,CAAC,QAAQ,EAAE,aAAa,CAAC;IACjC,wFAAwF;IACxF,QAAQ,CAAC,IAAI,EAAE,UAAU,CAAC;IAC1B,gGAAgG;IAChG,QAAQ,CAAC,KAAK,CAAC,EAAE,QAAQ,CAAC,MAAM,CAAC,MAAM,EAAE,UAAU,CAAC,CAAC,CAAC;CACvD;AAED;;;;;;;;;;;;;;;;;;;;;;GAsBG;AACH,wBAAsB,iBAAiB,CAAC,KAAK,EAAE,gBAAgB,GAAG,OAAO,CAAC,iBAAiB,CAAC,CA+F3F;AAgND;;;;;;;;;;;;;;;;;;;;;;;;;;GA0BG;AACH,wBAAsB,MAAM,CAAC,QAAQ,EAAE,OAAO,EAAE,OAAO,CAAC,EAAE,aAAa,GAAG,OAAO,CAAC,YAAY,CAAC,CAgG9F;AAED;;;;;;;;;;;;;;;;;;;;;;;GAuBG;AACH,wBAAsB,kBAAkB,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CAAC,kBAAkB,CAAC,CASrF;AAOD,cAAc,cAAc,CAAC;AAC7B,cAAc,gBAAgB,CAAC;AAC/B,OAAO,EACL,wBAAwB,EACxB,0BAA0B,EAC1B,0BAA0B,EAC1B,4BAA4B,EAC5B,uBAAuB,EACvB,yBAAyB,EACzB,oBAAoB,EACpB,kBAAkB,EAClB,KAAK,yBAAyB,EAC9B,KAAK,2BAA2B,EAChC,KAAK,sBAAsB,GAC5B,MAAM,kBAAkB,CAAC;AAC1B,OAAO,EACL,qBAAqB,EACrB,sBAAsB,EACtB,sBAAsB,EACtB,KAAK,4BAA4B,EACjC,KAAK,2BAA2B,EAChC,KAAK,mBAAmB,EACxB,KAAK,4BAA4B,EACjC,KAAK,qBAAqB,GAC3B,MAAM,wBAAwB,CAAC;AAChC,OAAO,EACL,qBAAqB,EACrB,8BAA8B,EAC9B,8BAA8B,EAC9B,iBAAiB,EACjB,iBAAiB,EACjB,mBAAmB,EACnB,2BAA2B,EAC3B,mBAAmB,EACnB,2BAA2B,EAC3B,6BAA6B,EAC7B,KAAK,iBAAiB,EACtB,KAAK,iBAAiB,GACvB,MAAM,aAAa,CAAC;AACrB,OAAO,EACL,0BAA0B,EAC1B,kCAAkC,EAClC,8BAA8B,EAC9B,uBAAuB,EACvB,iCAAiC,EACjC,iBAAiB,EACjB,kBAAkB,EAClB,kBAAkB,EAClB,kBAAkB,EAClB,uBAAuB,EACvB,kBAAkB,EAClB,qCAAqC,EACrC,6BAA6B,EAC7B,oCAAoC,EACpC,yBAAyB,EACzB,uBAAuB,EACvB,KAAK,+BAA+B,EACpC,KAAK,gCAAgC,EACrC,KAAK,6BAA6B,GACnC,MAAM,2BAA2B,CAAC;AACnC,OAAO,EACL,kCAAkC,EAClC,0BAA0B,EAC1B,4BAA4B,EAC5B,KAAK,kCAAkC,EACvC,KAAK,mCAAmC,GACzC,MAAM,+BAA+B,CAAC;AACvC,OAAO,EAAE,qBAAqB,EAAE,MAAM,aAAa,CAAC"}
|