@motebit/crypto 1.2.0 → 1.2.1

package/dist/witness-omission-dispute.js

@@ -1,237 +0,0 @@
-/**
- * Witness-omission dispute — sign + verify (retention phase 4b-3).
- *
- * Permissive floor (Apache-2.0). Zero monorepo deps beyond
- * `@motebit/protocol` types. Routes signing through
- * `@motebit/crypto/suite-dispatch`.
- *
- * Path A quorum's soft-accountability layer for `append_only_horizon`
- * certs: a peer who believes `cert.witnessed_by[]` wrongly omits them
- * files this dispute within 24h of `cert.issued_at`. Two evidence
- * shapes:
- *
- *   - `inclusion_proof` — disputant proves their peer pubkey is in
- *     the cert's `federation_graph_anchor.merkle_root` via a Merkle
- *     inclusion proof. The verifier reconstructs against the cert's
- *     anchor root.
- *
- *   - `alternative_peering` — disputant supplies a signed peering
- *     artifact from the cert issuer (today: a federation Heartbeat,
- *     `motebit-concat-ed25519-hex-v1`) whose timestamp window covers
- *     `cert.horizon_ts ± 5 min` (mirrors heartbeat suspension
- *     threshold). The cert's published anchor is claimed incomplete.
- *
- * The verifier returns a per-step result; certificates remain
- * TERMINAL per `retention-policy.md` decision 5 — a sustained dispute
- * is a reputation hit on the issuer, not a cert invalidation.
- */
-import { canonicalJson, fromBase64Url, hexToBytes, toBase64Url } from "./signing.js";
-import { signBySuite, verifyBySuite } from "./suite-dispatch.js";
-import { verifyMerkleInclusion } from "./merkle.js";
-import { WITNESS_OMISSION_DISPUTE_WINDOW_MS } from "./deletion-certificate.js";
-// ── Constants ────────────────────────────────────────────────────────
-const WITNESS_OMISSION_DISPUTE_SUITE = "motebit-jcs-ed25519-b64-v1";
-const FEDERATION_HEARTBEAT_SUITE = "motebit-concat-ed25519-hex-v1";
-/**
- * Heartbeat-as-peering-evidence freshness window. A heartbeat whose
- * `timestamp` is within ±5 min of `cert.horizon_ts` proves the issuer
- * was alive on that peering relationship at the horizon — mirrors
- * `HEARTBEAT_REMOVE_THRESHOLD = 5` × `heartbeat_interval = 60s` in
- * `services/relay/src/federation.ts`.
- */
-const HEARTBEAT_FRESHNESS_WINDOW_MS = 5 * 60 * 1000;
-// ── Canonicalization ─────────────────────────────────────────────────
-/**
- * Compute the canonical signing bytes for a `WitnessOmissionDispute`.
- * Strips `signature` so the disputant signs every other field —
- * including `cert_signature`, `cert_issuer`, and the evidence body.
- */
-export function canonicalizeWitnessOmissionDispute(dispute) {
-    const { signature, ...body } = dispute;
-    void signature;
-    return new TextEncoder().encode(canonicalJson(body));
-}
-// ── Signing ──────────────────────────────────────────────────────────
-/**
- * Sign a `WitnessOmissionDispute` as the disputant. Caller provides
- * the unsigned body (everything except `suite` and `signature`); this
- * function appends both.
- */
-export async function signWitnessOmissionDispute(body, privateKey) {
-    const withSuite = {
-        ...body,
-        suite: WITNESS_OMISSION_DISPUTE_SUITE,
-        signature: "",
-    };
-    const bytes = canonicalizeWitnessOmissionDispute(withSuite);
-    const sig = await signBySuite(WITNESS_OMISSION_DISPUTE_SUITE, bytes, privateKey);
-    return { ...withSuite, signature: toBase64Url(sig) };
-}
-// ── Verifier ─────────────────────────────────────────────────────────
-/**
- * Verify a `WitnessOmissionDispute` against the disputed cert.
- *
- * Step ladder (fail-closed throughout):
- *   1. Window: `now - cert.issued_at <= WINDOW` AND
- *      `filed_at ∈ [cert.issued_at, cert.issued_at + WINDOW]`.
- *   2. Cert binding: `dispute.cert_signature === cert.signature` and
- *      `dispute.cert_issuer` matches the cert's subject.
- *   3. Disputant signature over `canonicalJson(dispute minus signature)`.
- *   4. Evidence: dispatched by `evidence.kind` —
- *      - `inclusion_proof`: requires cert has a `federation_graph_anchor`;
- *        verifies the Merkle proof against `anchor.merkle_root`.
- *      - `alternative_peering`: dispatches on `peering_artifact`'s
- *        self-described shape (today: federation Heartbeat); verifies
- *        the embedded signature against the issuer pubkey and the
- *        timestamp window covers `cert.horizon_ts`.
- */
-export async function verifyWitnessOmissionDispute(dispute, ctx) {
-    const errors = [];
-    const { cert } = ctx;
-    // ── Step 1: window (two gates) ────────────────────────────────────
-    const windowEnd = cert.issued_at + WITNESS_OMISSION_DISPUTE_WINDOW_MS;
-    const wallClockOpen = ctx.now <= windowEnd;
-    const filedAtInRange = dispute.filed_at >= cert.issued_at && dispute.filed_at <= windowEnd;
-    const windowOpen = wallClockOpen && filedAtInRange;
-    if (!wallClockOpen) {
-        errors.push(`dispute window expired: now (${ctx.now}) > cert.issued_at + ${WITNESS_OMISSION_DISPUTE_WINDOW_MS}ms`);
-    }
-    if (!filedAtInRange) {
-        errors.push("dispute.filed_at outside [cert.issued_at, cert.issued_at + WINDOW] — disputant-attested clock cannot widen window");
-    }
-    // ── Step 2: cert binding ──────────────────────────────────────────
-    let certBindingValid = true;
-    if (dispute.cert_signature !== cert.signature) {
-        errors.push("dispute.cert_signature does not match cert.signature");
-        certBindingValid = false;
-    }
-    const certSubjectId = cert.subject.kind === "motebit"
-        ? cert.subject.motebit_id
-        : cert.subject.operator_id;
-    if (dispute.cert_issuer !== certSubjectId) {
-        errors.push(`dispute.cert_issuer (${dispute.cert_issuer}) does not match cert subject (${certSubjectId})`);
-        certBindingValid = false;
-    }
-    // ── Step 3: disputant signature ───────────────────────────────────
-    let disputantSignatureValid = false;
-    if (ctx.disputantPublicKey === null) {
-        errors.push("disputant public key not resolvable");
-    }
-    else if (dispute.suite !== WITNESS_OMISSION_DISPUTE_SUITE) {
-        errors.push(`unexpected suite: ${String(dispute.suite)}`);
-    }
-    else {
-        const bytes = canonicalizeWitnessOmissionDispute(dispute);
-        let sigBytes;
-        try {
-            sigBytes = fromBase64Url(dispute.signature);
-        }
-        catch {
-            sigBytes = new Uint8Array(0);
-        }
-        if (sigBytes.length === 0) {
-            errors.push("dispute.signature decode failed");
-        }
-        else {
-            disputantSignatureValid = await verifyBySuite(dispute.suite, bytes, sigBytes, ctx.disputantPublicKey);
-            if (!disputantSignatureValid)
-                errors.push("dispute.signature does not verify");
-        }
-    }
-    // Short-circuit evidence verification when prior gates already failed.
-    // The dispute is invalid; the evidence-step result is meaningless.
-    if (!windowOpen || !certBindingValid || !disputantSignatureValid) {
-        return {
-            valid: false,
-            errors,
-            steps: {
-                window_open: windowOpen,
-                cert_binding_valid: certBindingValid,
-                disputant_signature_valid: disputantSignatureValid,
-                evidence_valid: null,
-            },
-        };
-    }
-    // ── Step 4: evidence dispatch ─────────────────────────────────────
-    const evidenceValid = await verifyEvidence(dispute.evidence, cert, ctx, errors);
-    return {
-        valid: errors.length === 0,
-        errors,
-        steps: {
-            window_open: windowOpen,
-            cert_binding_valid: certBindingValid,
-            disputant_signature_valid: disputantSignatureValid,
-            evidence_valid: evidenceValid,
-        },
-    };
-}
-async function verifyEvidence(evidence, cert, ctx, errors) {
-    if (evidence.kind === "inclusion_proof") {
-        const anchor = cert.federation_graph_anchor;
-        if (anchor === undefined) {
-            errors.push("inclusion_proof evidence requires cert.federation_graph_anchor — none present");
-            return false;
-        }
-        if (anchor.leaf_count === 0) {
-            errors.push("inclusion_proof evidence rejected: cert is self-witnessed (anchor.leaf_count=0)");
-            return false;
-        }
-        const ok = await verifyMerkleInclusion(evidence.leaf_hash, evidence.proof.leaf_index, evidence.proof.siblings, evidence.proof.layer_sizes, anchor.merkle_root);
-        if (!ok)
-            errors.push("inclusion proof does not reconstruct to anchor.merkle_root");
-        return ok;
-    }
-    // alternative_peering — closed union; TS narrows after the if-branch.
-    return verifyAlternativePeeringArtifact(evidence.peering_artifact, cert, ctx, errors);
-}
-/**
- * Verify a peering artifact embedded in `alternative_peering` evidence.
- * Today: federation Heartbeat is the canonical shape — the only
- * recurring signed peering attestation in `relay-federation-v1`.
- *
- * Heartbeat signing payload (FEDERATION_SUITE = motebit-concat-ed25519-hex-v1):
- *   `${relay_id}|${timestamp}|${suite}` — UTF-8 concatenation, hex sig.
- *
- * The verifier dispatches on the artifact's self-described shape:
- * presence of `relay_id` (string) + `timestamp` (number) + `signature`
- * (hex string) identifies the heartbeat shape. Future: PeeringConfirm
- * or other peering attestations land as additive dispatch arms.
- */
-async function verifyAlternativePeeringArtifact(artifact, cert, ctx, errors) {
-    const relayId = artifact["relay_id"];
-    const timestamp = artifact["timestamp"];
-    const signatureHex = artifact["signature"];
-    if (typeof relayId !== "string" ||
-        typeof timestamp !== "number" ||
-        typeof signatureHex !== "string") {
-        errors.push("alternative_peering artifact unrecognized — expected federation Heartbeat shape (relay_id, timestamp, signature)");
-        return false;
-    }
-    const certSubjectId = cert.subject.kind === "motebit"
-        ? cert.subject.motebit_id
-        : cert.subject.operator_id;
-    if (relayId !== certSubjectId) {
-        errors.push(`peering artifact relay_id (${relayId}) does not match cert issuer (${certSubjectId})`);
-        return false;
-    }
-    if (Math.abs(timestamp - cert.horizon_ts) > HEARTBEAT_FRESHNESS_WINDOW_MS) {
-        errors.push(`peering artifact timestamp (${timestamp}) outside ±${HEARTBEAT_FRESHNESS_WINDOW_MS}ms of cert.horizon_ts (${cert.horizon_ts})`);
-        return false;
-    }
-    let sigBytes;
-    /* c8 ignore start -- defensive catch; `hexToBytes` (signing.ts) uses parseInt which silently returns NaN for non-hex chars rather than throwing, so this catch is unreachable today. Keep for forward-compat: a future hex-decode primitive that throws (e.g. native Uint8Array.fromHex) would route through this branch and fail closed rather than passing garbage bytes through to verifyBySuite. */
-    try {
-        sigBytes = hexToBytes(signatureHex);
-    }
-    catch {
-        errors.push("peering artifact signature is not valid hex");
-        return false;
-    }
-    /* c8 ignore stop */
-    const payload = new TextEncoder().encode(`${relayId}|${timestamp}|${FEDERATION_HEARTBEAT_SUITE}`);
-    const ok = await verifyBySuite(FEDERATION_HEARTBEAT_SUITE, payload, sigBytes, ctx.issuerPublicKey);
-    if (!ok)
-        errors.push("peering artifact signature does not verify against cert issuer pubkey");
-    return ok;
-}
-//# sourceMappingURL=witness-omission-dispute.js.map

package/dist/witness-omission-dispute.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"witness-omission-dispute.js","sourceRoot":"","sources":["../src/witness-omission-dispute.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;GA0BG;AAQH,OAAO,EAAE,aAAa,EAAE,aAAa,EAAE,UAAU,EAAE,WAAW,EAAE,MAAM,cAAc,CAAC;AACrF,OAAO,EAAE,WAAW,EAAE,aAAa,EAAE,MAAM,qBAAqB,CAAC;AACjE,OAAO,EAAE,qBAAqB,EAAE,MAAM,aAAa,CAAC;AACpD,OAAO,EAAE,kCAAkC,EAAE,MAAM,2BAA2B,CAAC;AAE/E,wEAAwE;AAExE,MAAM,8BAA8B,GAAG,4BAAqC,CAAC;AAC7E,MAAM,0BAA0B,GAAG,+BAAwC,CAAC;AAE5E;;;;;;GAMG;AACH,MAAM,6BAA6B,GAAG,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC;AA6CpD,wEAAwE;AAExE;;;;GAIG;AACH,MAAM,UAAU,kCAAkC,CAAC,OAA+B;IAChF,MAAM,EAAE,SAAS,EAAE,GAAG,IAAI,EAAE,GAAG,OAAO,CAAC;IACvC,KAAK,SAAS,CAAC;IACf,OAAO,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,aAAa,CAAC,IAAI,CAAC,CAAC,CAAC;AACvD,CAAC;AAED,wEAAwE;AAExE;;;;GAIG;AACH,MAAM,CAAC,KAAK,UAAU,0BAA0B,CAC9C,IAAyD,EACzD,UAAsB;IAEtB,MAAM,SAAS,GAA2B;QACxC,GAAG,IAAI;QACP,KAAK,EAAE,8BAA8B;QACrC,SAAS,EAAE,EAAE;KACd,CAAC;IACF,MAAM,KAAK,GAAG,kCAAkC,CAAC,SAAS,CAAC,CAAC;IAC5D,MAAM,GAAG,GAAG,MAAM,WAAW,CAAC,8BAA8B,EAAE,KAAK,EAAE,UAAU,CAAC,CAAC;IACjF,OAAO,EAAE,GAAG,SAAS,EAAE,SAAS,EAAE,WAAW,CAAC,GAAG,CAAC,EAAE,CAAC;AACvD,CAAC;AAED,wEAAwE;AAExE;;;;;;;;;;;;;;;;GAgBG;AACH,MAAM,CAAC,KAAK,UAAU,4BAA4B,CAChD,OAA+B,EAC/B,GAAwC;IAExC,MAAM,MAAM,GAAa,EAAE,CAAC;IAC5B,MAAM,EAAE,IAAI,EAAE,GAAG,GAAG,CAAC;IAErB,qEAAqE;IACrE,MAAM,SAAS,GAAG,IAAI,CAAC,SAAS,GAAG,kCAAkC,CAAC;IACtE,MAAM,aAAa,GAAG,GAAG,CAAC,GAAG,IAAI,SAAS,CAAC;IAC3C,MAAM,cAAc,GAAG,OAAO,CAAC,QAAQ,IAAI,IAAI,CAAC,SAAS,IAAI,OAAO,CAAC,QAAQ,IAAI,SAAS,CAAC;IAC3F,MAAM,UAAU,GAAG,aAAa,IAAI,cAAc,CAAC;IACnD,IAAI,CAAC,aAAa,EAAE,CAAC;QACnB,MAAM,CAAC,IAAI,CACT,gCAAgC,GAAG,CAAC,GAAG,wBAAwB,kCAAkC,IAAI,CACtG,CAAC;IACJ,CAAC;IACD,IAAI,CAAC,cAAc,EAAE,CAAC;QACpB,MAAM,CAAC,IAAI,CACT,mHAAmH,CACpH,CAAC;IACJ,CAAC;IAED,qEAAqE;IACrE,IAAI,gBAAgB,GAAG,IAAI,CAAC;IAC5B,IAAI,OAAO,CAAC,cAAc,KAAK,IAAI,CAAC,SAAS,EAAE,CAAC;QAC9C,MAAM,CAAC,IAAI,CAAC,sDAAsD,CAAC,CAAC;QACpE,gBAAgB,GAAG,KAAK,CAAC;IAC3B,CAAC;IACD,MAAM,aAAa,GACjB,IAAI,CAAC,OAAO,CAAC,IAAI,KAAK,SAAS;QAC7B,CAAC,CAAE,IAAI,CAAC,OAAO,CAAC,UAAqB;QACrC,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,WAAW,CAAC;IAC/B,IAAI,OAAO,CAAC,WAAW,KAAK,aAAa,EAAE,CAAC;QAC1C,MAAM,CAAC,IAAI,CACT,wBAAwB,OAAO,CAAC,WAAW,kCAAkC,aAAa,GAAG,CAC9F,CAAC;QACF,gBAAgB,GAAG,KAAK,CAAC;IAC3B,CAAC;IAED,qEAAqE;IACrE,IAAI,uBAAuB,GAAG,KAAK,CAAC;IACpC,IAAI,GAAG,CAAC,kBAAkB,KAAK,IAAI,EAAE,CAAC;QACpC,MAAM,CAAC,IAAI,CAAC,qCAAqC,CAAC,CAAC;IACrD,CAAC;SAAM,IAAI,OAAO,CAAC,KAAK,KAAK,8BAA8B,EAAE,CAAC;QAC5D,MAAM,CAAC,IAAI,CAAC,qBAAqB,MAAM,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC;IAC5D,CAAC;SAAM,CAAC;QACN,MAAM,KAAK,GAAG,kCAAkC,CAAC,OAAO,CAAC,CAAC;QAC1D,IAAI,QAAoB,CAAC;QACzB,IAAI,CAAC;YACH,QAAQ,GAAG,aAAa,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC;QAC9C,CAAC;QAAC,MAAM,CAAC;YACP,QAAQ,GAAG,IAAI,UAAU,CAAC,CAAC,CAAC,CAAC;QAC/B,CAAC;QACD,IAAI,QAAQ,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YAC1B,MAAM,CAAC,IAAI,CAAC,iCAAiC,CAAC,CAAC;QACjD,CAAC;aAAM,CAAC;YACN,uBAAuB,GAAG,MAAM,aAAa,CAC3C,OAAO,CAAC,KAAK,EACb,KAAK,EACL,QAAQ,EACR,GAAG,CAAC,kBAAkB,CACvB,CAAC;YACF,IAAI,CAAC,uBAAuB;gBAAE,MAAM,CAAC,IAAI,CAAC,mCAAmC,CAAC,CAAC;QACjF,CAAC;IACH,CAAC;IAED,uEAAuE;IACvE,mEAAmE;IACnE,IAAI,CAAC,UAAU,IAAI,CAAC,gBAAgB,IAAI,CAAC,uBAAuB,EAAE,CAAC;QACjE,OAAO;YACL,KAAK,EAAE,KAAK;YACZ,MAAM;YACN,KAAK,EAAE;gBACL,WAAW,EAAE,UAAU;gBACvB,kBAAkB,EAAE,gBAAgB;gBACpC,yBAAyB,EAAE,uBAAuB;gBAClD,cAAc,EAAE,IAAI;aACrB;SACF,CAAC;IACJ,CAAC;IAED,qEAAqE;IACrE,MAAM,aAAa,GAAG,MAAM,cAAc,CAAC,OAAO,CAAC,QAAQ,EAAE,IAAI,EAAE,GAAG,EAAE,MAAM,CAAC,CAAC;IAEhF,OAAO;QACL,KAAK,EAAE,MAAM,CAAC,MAAM,KAAK,CAAC;QAC1B,MAAM;QACN,KAAK,EAAE;YACL,WAAW,EAAE,UAAU;YACvB,kBAAkB,EAAE,gBAAgB;YACpC,yBAAyB,EAAE,uBAAuB;YAClD,cAAc,EAAE,aAAa;SAC9B;KACF,CAAC;AACJ,CAAC;AAED,KAAK,UAAU,cAAc,CAC3B,QAAiC,EACjC,IAAmE,EACnE,GAAwC,EACxC,MAAgB;IAEhB,IAAI,QAAQ,CAAC,IAAI,KAAK,iBAAiB,EAAE,CAAC;QACxC,MAAM,MAAM,GAAG,IAAI,CAAC,uBAAuB,CAAC;QAC5C,IAAI,MAAM,KAAK,SAAS,EAAE,CAAC;YACzB,MAAM,CAAC,IAAI,CAAC,+EAA+E,CAAC,CAAC;YAC7F,OAAO,KAAK,CAAC;QACf,CAAC;QACD,IAAI,MAAM,CAAC,UAAU,KAAK,CAAC,EAAE,CAAC;YAC5B,MAAM,CAAC,IAAI,CACT,iFAAiF,CAClF,CAAC;YACF,OAAO,KAAK,CAAC;QACf,CAAC;QACD,MAAM,EAAE,GAAG,MAAM,qBAAqB,CACpC,QAAQ,CAAC,SAAS,EAClB,QAAQ,CAAC,KAAK,CAAC,UAAU,EACzB,QAAQ,CAAC,KAAK,CAAC,QAAQ,EACvB,QAAQ,CAAC,KAAK,CAAC,WAAW,EAC1B,MAAM,CAAC,WAAW,CACnB,CAAC;QACF,IAAI,CAAC,EAAE;YAAE,MAAM,CAAC,IAAI,CAAC,4DAA4D,CAAC,CAAC;QACnF,OAAO,EAAE,CAAC;IACZ,CAAC;IACD,sEAAsE;IACtE,OAAO,gCAAgC,CAAC,QAAQ,CAAC,gBAAgB,EAAE,IAAI,EAAE,GAAG,EAAE,MAAM,CAAC,CAAC;AACxF,CAAC;AAED;;;;;;;;;;;;GAYG;AACH,KAAK,UAAU,gCAAgC,CAC7C,QAAiC,EACjC,IAAmE,EACnE,GAAwC,EACxC,MAAgB;IAEhB,MAAM,OAAO,GAAG,QAAQ,CAAC,UAAU,CAAC,CAAC;IACrC,MAAM,SAAS,GAAG,QAAQ,CAAC,WAAW,CAAC,CAAC;IACxC,MAAM,YAAY,GAAG,QAAQ,CAAC,WAAW,CAAC,CAAC;IAE3C,IACE,OAAO,OAAO,KAAK,QAAQ;QAC3B,OAAO,SAAS,KAAK,QAAQ;QAC7B,OAAO,YAAY,KAAK,QAAQ,EAChC,CAAC;QACD,MAAM,CAAC,IAAI,CACT,kHAAkH,CACnH,CAAC;QACF,OAAO,KAAK,CAAC;IACf,CAAC;IAED,MAAM,aAAa,GACjB,IAAI,CAAC,OAAO,CAAC,IAAI,KAAK,SAAS;QAC7B,CAAC,CAAE,IAAI,CAAC,OAAO,CAAC,UAAqB;QACrC,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,WAAW,CAAC;IAC/B,IAAI,OAAO,KAAK,aAAa,EAAE,CAAC;QAC9B,MAAM,CAAC,IAAI,CACT,8BAA8B,OAAO,iCAAiC,aAAa,GAAG,CACvF,CAAC;QACF,OAAO,KAAK,CAAC;IACf,CAAC;IAED,IAAI,IAAI,CAAC,GAAG,CAAC,SAAS,GAAG,IAAI,CAAC,UAAU,CAAC,GAAG,6BAA6B,EAAE,CAAC;QAC1E,MAAM,CAAC,IAAI,CACT,+BAA+B,SAAS,cAAc,6BAA6B,0BAA0B,IAAI,CAAC,UAAU,GAAG,CAChI,CAAC;QACF,OAAO,KAAK,CAAC;IACf,CAAC;IAED,IAAI,QAAoB,CAAC;IACzB,wYAAwY;IACxY,IAAI,CAAC;QACH,QAAQ,GAAG,UAAU,CAAC,YAAY,CAAC,CAAC;IACtC,CAAC;IAAC,MAAM,CAAC;QACP,MAAM,CAAC,IAAI,CAAC,6CAA6C,CAAC,CAAC;QAC3D,OAAO,KAAK,CAAC;IACf,CAAC;IACD,oBAAoB;IAEpB,MAAM,OAAO,GAAG,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,GAAG,OAAO,IAAI,SAAS,IAAI,0BAA0B,EAAE,CAAC,CAAC;IAClG,MAAM,EAAE,GAAG,MAAM,aAAa,CAC5B,0BAA0B,EAC1B,OAAO,EACP,QAAQ,EACR,GAAG,CAAC,eAAe,CACpB,CAAC;IACF,IAAI,CAAC,EAAE;QAAE,MAAM,CAAC,IAAI,CAAC,uEAAuE,CAAC,CAAC;IAC9F,OAAO,EAAE,CAAC;AACZ,CAAC"}