@motebit/verify 0.7.0 → 1.1.0

package/dist/adapters.js

@@ -0,0 +1,74 @@
+import { androidKeystoreVerifier } from "@motebit/crypto-android-keystore";
+import { deviceCheckVerifier, APPLE_APPATTEST_ROOT_PEM } from "@motebit/crypto-appattest";
+// eslint-disable-next-line @typescript-eslint/no-deprecated -- consumed for one minor deprecation cycle so already-minted Play Integrity claims continue to verify; removed at @motebit/crypto-play-integrity@2.0.0.
+import { playIntegrityVerifier } from "@motebit/crypto-play-integrity";
+import { tpmVerifier } from "@motebit/crypto-tpm";
+import { webauthnVerifier, DEFAULT_FIDO_ROOTS } from "@motebit/crypto-webauthn";
+/** Motebit's canonical iOS / Android app identifier. */
+const DEFAULT_BUNDLE_ID = "com.motebit.mobile";
+/** Motebit's canonical Relying Party ID for WebAuthn credentials. */
+const DEFAULT_WEBAUTHN_RP_ID = "motebit.com";
+/**
+ * Build the full `HardwareAttestationVerifiers` object covering every
+ * canonical platform adapter. Pass the result to `verifyFile`:
+ *
+ * ```ts
+ * import { verifyFile } from "@motebit/verifier";
+ * import { buildHardwareVerifiers } from "@motebit/verify";
+ *
+ * const result = await verifyFile("cred.json", {
+ *   hardwareAttestation: buildHardwareVerifiers({
+ *     androidKeystoreExpectedAttestationApplicationId: appIdBytes,
+ *   }),
+ * });
+ * ```
+ *
+ * Pure function: every dependency is captured at factory time and the
+ * returned verifiers are idempotent across calls. The Android Keystore
+ * arm is wired only when `androidKeystoreExpectedAttestationApplicationId`
+ * is supplied — there is no canonical default for the leaf-cert
+ * package binding, by design.
+ */
+export function buildHardwareVerifiers(config) {
+    const appAttestBundleId = config?.appAttestBundleId ?? DEFAULT_BUNDLE_ID;
+    const playIntegrityPackageName = config?.playIntegrityPackageName ?? DEFAULT_BUNDLE_ID;
+    const webauthnRpId = config?.webauthnRpId ?? DEFAULT_WEBAUTHN_RP_ID;
+    const verifiers = {
+        deviceCheck: deviceCheckVerifier({
+            expectedBundleId: appAttestBundleId,
+            rootPem: config?.appAttestRootPem ?? APPLE_APPATTEST_ROOT_PEM,
+        }),
+        tpm: tpmVerifier({
+            ...(config?.tpmRootPems !== undefined ? { rootPems: config.tpmRootPems } : {}),
+        }),
+        // eslint-disable-next-line @typescript-eslint/no-deprecated -- one-minor-cycle backward compat for already-minted Play Integrity credentials; removed at @motebit/crypto-play-integrity@2.0.0.
+        playIntegrity: playIntegrityVerifier({
+            expectedPackageName: playIntegrityPackageName,
+            ...(config?.playIntegrityPinnedJwks !== undefined
+                ? { pinnedJwks: config.playIntegrityPinnedJwks }
+                : {}),
+            ...(config?.playIntegrityRequiredDeviceIntegrity !== undefined
+                ? { requiredDeviceIntegrity: config.playIntegrityRequiredDeviceIntegrity }
+                : {}),
+        }),
+        webauthn: webauthnVerifier({
+            expectedRpId: webauthnRpId,
+            rootPems: config?.webauthnRootPems ?? DEFAULT_FIDO_ROOTS,
+        }),
+    };
+    // Android Keystore is wired only when the operator has supplied the
+    // expected `attestationApplicationId`. Leaving it unwired makes the
+    // canonical dispatcher report "verifier not wired" with a clear
+    // message — preferable to passing a placeholder that would
+    // false-reject every real claim.
+    if (config?.androidKeystoreExpectedAttestationApplicationId !== undefined) {
+        verifiers.androidKeystore = androidKeystoreVerifier({
+            expectedAttestationApplicationId: config.androidKeystoreExpectedAttestationApplicationId,
+            ...(config.androidKeystoreRootPems !== undefined
+                ? { rootPems: config.androidKeystoreRootPems }
+                : {}),
+        });
+    }
+    return verifiers;
+}
+//# sourceMappingURL=adapters.js.map

package/dist/adapters.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"adapters.js","sourceRoot":"","sources":["../src/adapters.ts"],"names":[],"mappings":"AAsCA,OAAO,EAAE,uBAAuB,EAAE,MAAM,kCAAkC,CAAC;AAC3E,OAAO,EAAE,mBAAmB,EAAE,wBAAwB,EAAE,MAAM,2BAA2B,CAAC;AAC1F,qNAAqN;AACrN,OAAO,EAAE,qBAAqB,EAAmB,MAAM,gCAAgC,CAAC;AACxF,OAAO,EAAE,WAAW,EAAE,MAAM,qBAAqB,CAAC;AAClD,OAAO,EAAE,gBAAgB,EAAE,kBAAkB,EAAE,MAAM,0BAA0B,CAAC;AAyEhF,wDAAwD;AACxD,MAAM,iBAAiB,GAAG,oBAAoB,CAAC;AAC/C,qEAAqE;AACrE,MAAM,sBAAsB,GAAG,aAAa,CAAC;AAE7C;;;;;;;;;;;;;;;;;;;;GAoBG;AACH,MAAM,UAAU,sBAAsB,CACpC,MAAqC;IAErC,MAAM,iBAAiB,GAAG,MAAM,EAAE,iBAAiB,IAAI,iBAAiB,CAAC;IACzE,MAAM,wBAAwB,GAAG,MAAM,EAAE,wBAAwB,IAAI,iBAAiB,CAAC;IACvF,MAAM,YAAY,GAAG,MAAM,EAAE,YAAY,IAAI,sBAAsB,CAAC;IAEpE,MAAM,SAAS,GAA0C;QACvD,WAAW,EAAE,mBAAmB,CAAC;YAC/B,gBAAgB,EAAE,iBAAiB;YACnC,OAAO,EAAE,MAAM,EAAE,gBAAgB,IAAI,wBAAwB;SAC9D,CAAC;QACF,GAAG,EAAE,WAAW,CAAC;YACf,GAAG,CAAC,MAAM,EAAE,WAAW,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,QAAQ,EAAE,MAAM,CAAC,WAAW,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;SAC/E,CAAC;QACF,+LAA+L;QAC/L,aAAa,EAAE,qBAAqB,CAAC;YACnC,mBAAmB,EAAE,wBAAwB;YAC7C,GAAG,CAAC,MAAM,EAAE,uBAAuB,KAAK,SAAS;gBAC/C,CAAC,CAAC,EAAE,UAAU,EAAE,MAAM,CAAC,uBAAuB,EAAE;gBAChD,CAAC,CAAC,EAAE,CAAC;YACP,GAAG,CAAC,MAAM,EAAE,oCAAoC,KAAK,SAAS;gBAC5D,CAAC,CAAC,EAAE,uBAAuB,EAAE,MAAM,CAAC,oCAAoC,EAAE;gBAC1E,CAAC,CAAC,EAAE,CAAC;SACR,CAAC;QACF,QAAQ,EAAE,gBAAgB,CAAC;YACzB,YAAY,EAAE,YAAY;YAC1B,QAAQ,EAAE,MAAM,EAAE,gBAAgB,IAAI,kBAAkB;SACzD,CAAC;KACH,CAAC;IAEF,oEAAoE;IACpE,oEAAoE;IACpE,gEAAgE;IAChE,2DAA2D;IAC3D,iCAAiC;IACjC,IAAI,MAAM,EAAE,+CAA+C,KAAK,SAAS,EAAE,CAAC;QAC1E,SAAS,CAAC,eAAe,GAAG,uBAAuB,CAAC;YAClD,gCAAgC,EAAE,MAAM,CAAC,+CAA+C;YACxF,GAAG,CAAC,MAAM,CAAC,uBAAuB,KAAK,SAAS;gBAC9C,CAAC,CAAC,EAAE,QAAQ,EAAE,MAAM,CAAC,uBAAuB,EAAE;gBAC9C,CAAC,CAAC,EAAE,CAAC;SACR,CAAC,CAAC;IACL,CAAC;IAED,OAAO,SAAS,CAAC;AACnB,CAAC"}

package/dist/cli.d.ts

@@ -0,0 +1,45 @@
+#!/usr/bin/env node
+/**
+ * `motebit-verify` CLI — the canonical motebit artifact verifier.
+ *
+ * Verifies identity files, execution receipts, credentials, and
+ * presentations against their embedded signatures. When a credential
+ * carries a `hardware_attestation` claim for `device_check` / `tpm` /
+ * `android_keystore` / `webauthn` (plus the deprecated `play_integrity`
+ * for backward compat with already-minted credentials), the bundled
+ * platform adapters verify the chain, extension, package binding, and
+ * identity binding end-to-end.
+ *
+ * ```
+ *   motebit-verify <file>                 # auto-detect, print human
+ *   motebit-verify <file> --json          # structured output
+ *   motebit-verify <file> --expect credential
+ *   motebit-verify <file> --clock-skew 30
+ *
+ *   # Platform-specific overrides (all optional; defaults match
+ *   # motebit's canonical identifiers).
+ *   motebit-verify <file> \
+ *     --bundle-id com.example.app \
+ *     --android-attestation-application-id ./app-id.bin \
+ *     --rp-id example.com
+ * ```
+ *
+ * Exit codes:
+ *   0  artifact verified (including any hardware-attestation channel)
+ *   1  artifact detected but signature / hardware-channel invalid
+ *   2  usage / I/O error
+ *
+ * Network-free by design. Every adapter pins its own trust anchor
+ * (Apple App Attest Root CA, FIDO roots, TPM vendor roots); Play
+ * Integrity's JWKS is fail-closed by default until an operator lands
+ * real bytes (see `@motebit/crypto-play-integrity`'s CLAUDE.md).
+ *
+ * Three-package lineage — mirrors how tools like `git` / `libgit2` or
+ * `cargo` / `tokio` separate the verb-tool from the library layer:
+ *
+ *   @motebit/verify   — this CLI (Apache-2.0, bundles all 4 adapters)
+ *   @motebit/verifier — Apache-2.0 library (file I/O, human formatting)
+ *   @motebit/crypto   — Apache-2.0 primitives (verify, sign, suite dispatch)
+ */
+export {};
+//# sourceMappingURL=cli.d.ts.map

package/dist/cli.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"cli.d.ts","sourceRoot":"","sources":["../src/cli.ts"],"names":[],"mappings":";AACA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAyCG"}

package/dist/cli.js

@@ -0,0 +1,317 @@
+#!/usr/bin/env node
+/**
+ * `motebit-verify` CLI — the canonical motebit artifact verifier.
+ *
+ * Verifies identity files, execution receipts, credentials, and
+ * presentations against their embedded signatures. When a credential
+ * carries a `hardware_attestation` claim for `device_check` / `tpm` /
+ * `android_keystore` / `webauthn` (plus the deprecated `play_integrity`
+ * for backward compat with already-minted credentials), the bundled
+ * platform adapters verify the chain, extension, package binding, and
+ * identity binding end-to-end.
+ *
+ * ```
+ *   motebit-verify <file>                 # auto-detect, print human
+ *   motebit-verify <file> --json          # structured output
+ *   motebit-verify <file> --expect credential
+ *   motebit-verify <file> --clock-skew 30
+ *
+ *   # Platform-specific overrides (all optional; defaults match
+ *   # motebit's canonical identifiers).
+ *   motebit-verify <file> \
+ *     --bundle-id com.example.app \
+ *     --android-attestation-application-id ./app-id.bin \
+ *     --rp-id example.com
+ * ```
+ *
+ * Exit codes:
+ *   0  artifact verified (including any hardware-attestation channel)
+ *   1  artifact detected but signature / hardware-channel invalid
+ *   2  usage / I/O error
+ *
+ * Network-free by design. Every adapter pins its own trust anchor
+ * (Apple App Attest Root CA, FIDO roots, TPM vendor roots); Play
+ * Integrity's JWKS is fail-closed by default until an operator lands
+ * real bytes (see `@motebit/crypto-play-integrity`'s CLAUDE.md).
+ *
+ * Three-package lineage — mirrors how tools like `git` / `libgit2` or
+ * `cargo` / `tokio` separate the verb-tool from the library layer:
+ *
+ *   @motebit/verify   — this CLI (Apache-2.0, bundles all 4 adapters)
+ *   @motebit/verifier — Apache-2.0 library (file I/O, human formatting)
+ *   @motebit/crypto   — Apache-2.0 primitives (verify, sign, suite dispatch)
+ */
+import { readFileSync } from "node:fs";
+import { dirname, join } from "node:path";
+import { fileURLToPath } from "node:url";
+import { formatHuman, verifyFile } from "@motebit/verifier";
+import { buildHardwareVerifiers } from "./adapters.js";
+const EXPECT_VALUES = [
+    "identity",
+    "receipt",
+    "credential",
+    "presentation",
+];
+function parseArgs(argv) {
+    let file;
+    let json = false;
+    let expectedType;
+    let clockSkewSeconds;
+    let bundleId;
+    let androidPackage;
+    let androidAttestationApplicationIdPath;
+    let rpId;
+    let help = false;
+    let version = false;
+    let i = 0;
+    while (i < argv.length) {
+        const arg = argv[i];
+        switch (arg) {
+            case "-h":
+            case "--help":
+                help = true;
+                i++;
+                break;
+            case "-V":
+            case "--version":
+                version = true;
+                i++;
+                break;
+            case "--json":
+                json = true;
+                i++;
+                break;
+            case "--expect":
+            case "--expected-type": {
+                const value = argv[i + 1];
+                if (value === undefined)
+                    return usage(`${arg} requires a value`);
+                if (!EXPECT_VALUES.includes(value)) {
+                    return usage(`unknown --expect value "${value}" (valid: ${EXPECT_VALUES.join(", ")})`);
+                }
+                expectedType = value;
+                i += 2;
+                break;
+            }
+            case "--clock-skew": {
+                const value = argv[i + 1];
+                if (value === undefined)
+                    return usage("--clock-skew requires an integer seconds value");
+                const n = Number.parseInt(value, 10);
+                if (!Number.isFinite(n) || n < 0) {
+                    return usage(`--clock-skew must be a non-negative integer (got "${value}")`);
+                }
+                clockSkewSeconds = n;
+                i += 2;
+                break;
+            }
+            case "--bundle-id": {
+                const value = argv[i + 1];
+                if (value === undefined)
+                    return usage("--bundle-id requires a value");
+                bundleId = value;
+                i += 2;
+                break;
+            }
+            case "--android-package": {
+                const value = argv[i + 1];
+                if (value === undefined)
+                    return usage("--android-package requires a value");
+                androidPackage = value;
+                i += 2;
+                break;
+            }
+            case "--android-attestation-application-id": {
+                // Path to a binary file containing the raw bytes of the leaf
+                // cert's `attestationApplicationId` extension value. Operators
+                // capture this once at build time (deterministic from the
+                // package name + signing-cert SHA-256) and pin the result;
+                // the verifier byte-compares against the leaf's KeyDescription
+                // extension. File-only intentionally — typical AAID is 50-200
+                // bytes, unwieldy on the command line as hex.
+                const value = argv[i + 1];
+                if (value === undefined) {
+                    return usage("--android-attestation-application-id requires a path to a binary file");
+                }
+                androidAttestationApplicationIdPath = value;
+                i += 2;
+                break;
+            }
+            case "--rp-id": {
+                const value = argv[i + 1];
+                if (value === undefined)
+                    return usage("--rp-id requires a value");
+                rpId = value;
+                i += 2;
+                break;
+            }
+            default:
+                if (arg.startsWith("-"))
+                    return usage(`unknown flag: ${arg}`);
+                if (file !== undefined) {
+                    return usage(`expected exactly one file argument, got a second: "${arg}" (after "${file}")`);
+                }
+                file = arg;
+                i++;
+                break;
+        }
+    }
+    if (help)
+        return { mode: "help", json };
+    if (version)
+        return { mode: "version", json };
+    if (file === undefined)
+        return usage("missing file argument");
+    return {
+        mode: "verify",
+        file,
+        json,
+        ...(expectedType !== undefined && { expectedType }),
+        ...(clockSkewSeconds !== undefined && { clockSkewSeconds }),
+        ...(bundleId !== undefined && { bundleId }),
+        ...(androidPackage !== undefined && { androidPackage }),
+        ...(androidAttestationApplicationIdPath !== undefined && {
+            androidAttestationApplicationIdPath,
+        }),
+        ...(rpId !== undefined && { rpId }),
+    };
+}
+function usage(message) {
+    return { mode: "help", json: false, usageError: message };
+}
+function renderHelp() {
+    return [
+        "motebit-verify — hardware-attestation-aware verifier for Motebit credentials",
+        "",
+        "USAGE",
+        "  motebit-verify <file> [options]",
+        "",
+        "OPTIONS",
+        "  --json                    Print structured JSON instead of human-readable.",
+        "  --expect <type>           Require the artifact to be of the named type.",
+        "  --clock-skew <seconds>    Allow N seconds of clock skew.",
+        "  --bundle-id <id>          Override the expected iOS bundle ID for App Attest",
+        "                            (default: com.motebit.mobile).",
+        "  --android-package <name>  Override the expected Android package name for",
+        "                            the deprecated Play Integrity adapter",
+        "                            (default: com.motebit.mobile).",
+        "  --android-attestation-application-id <path>",
+        "                            Path to a binary file containing the raw bytes",
+        "                            of the leaf cert's `attestationApplicationId`",
+        "                            extension value. REQUIRED to verify any",
+        "                            `android_keystore` credential — without it,",
+        "                            the Android Keystore arm is not wired and",
+        "                            the dispatcher reports 'verifier not wired'.",
+        "                            Capture once at build time from the registered",
+        "                            Android package + signing-cert hash; commit",
+        "                            alongside other pinned config.",
+        "  --rp-id <id>              Override the expected WebAuthn Relying Party ID",
+        "                            (default: motebit.com).",
+        "  -h, --help                Show this help.",
+        "  -V, --version             Print version.",
+        "",
+        "EXIT CODES",
+        "  0  Artifact verified (including hardware-attestation channel).",
+        "  1  Artifact invalid (signature, expiry, hardware-channel chain / nonce / bundle).",
+        "  2  Usage or I/O error.",
+        "",
+        "PLATFORMS WIRED (canonical)",
+        "  device_check       Apple App Attest (pinned Apple root)",
+        "  tpm                TPM 2.0 (pinned Infineon / Nuvoton / STMicro / Intel PTT roots)",
+        "  android_keystore   Android Hardware-Backed Keystore Attestation",
+        "                     (pinned Google attestation roots; requires",
+        "                     --android-attestation-application-id)",
+        "  webauthn           WebAuthn packed attestation (pinned Apple / Yubico / Microsoft)",
+        "",
+        "PLATFORMS WIRED (deprecated, removed at @motebit/crypto-play-integrity@2.0.0)",
+        "  play_integrity     Google Play Integrity (operator-supplied JWKS;",
+        "                     no global Google JWKS exists by Google's design.",
+        "                     See docs/doctrine/hardware-attestation.md § 'Three",
+        "                     architectural categories' for the structural reason.)",
+    ].join("\n");
+}
+let cachedVersion;
+function getPackageVersion() {
+    if (cachedVersion !== undefined)
+        return cachedVersion;
+    try {
+        const here = dirname(fileURLToPath(import.meta.url));
+        const pkgPath = join(here, "..", "package.json");
+        const pkg = JSON.parse(readFileSync(pkgPath, "utf-8"));
+        cachedVersion = pkg.version ?? "0.0.0";
+    }
+    catch {
+        cachedVersion = "0.0.0";
+    }
+    return cachedVersion;
+}
+async function main() {
+    const args = parseArgs(process.argv.slice(2));
+    if (args.mode === "version") {
+        process.stdout.write(`${getPackageVersion()}\n`);
+        return 0;
+    }
+    if (args.mode === "help") {
+        const help = renderHelp();
+        if (args.usageError !== undefined) {
+            process.stderr.write(`motebit-verify: ${args.usageError}\n\n${help}\n`);
+            return 2;
+        }
+        process.stdout.write(`${help}\n`);
+        return 0;
+    }
+    if (args.file === undefined) {
+        process.stderr.write(`motebit-verify: missing file argument\n\n${renderHelp()}\n`);
+        return 2;
+    }
+    let androidKeystoreExpectedAttestationApplicationId;
+    if (args.androidAttestationApplicationIdPath !== undefined) {
+        try {
+            const bytes = readFileSync(args.androidAttestationApplicationIdPath);
+            androidKeystoreExpectedAttestationApplicationId = new Uint8Array(bytes.buffer, bytes.byteOffset, bytes.byteLength);
+        }
+        catch (err) {
+            const msg = err instanceof Error ? err.message : String(err);
+            process.stderr.write(`motebit-verify: cannot read --android-attestation-application-id at ${args.androidAttestationApplicationIdPath}: ${msg}\n`);
+            return 2;
+        }
+    }
+    const hardwareAttestation = buildHardwareVerifiers({
+        ...(args.bundleId !== undefined && { appAttestBundleId: args.bundleId }),
+        ...(args.androidPackage !== undefined && { playIntegrityPackageName: args.androidPackage }),
+        ...(androidKeystoreExpectedAttestationApplicationId !== undefined && {
+            androidKeystoreExpectedAttestationApplicationId,
+        }),
+        ...(args.rpId !== undefined && { webauthnRpId: args.rpId }),
+    });
+    let result;
+    try {
+        result = await verifyFile(args.file, {
+            ...(args.expectedType !== undefined && { expectedType: args.expectedType }),
+            ...(args.clockSkewSeconds !== undefined && { clockSkewSeconds: args.clockSkewSeconds }),
+            hardwareAttestation,
+        });
+    }
+    catch (err) {
+        const msg = err instanceof Error ? err.message : String(err);
+        process.stderr.write(`motebit-verify: cannot read ${args.file}: ${msg}\n`);
+        return 2;
+    }
+    if (args.json) {
+        process.stdout.write(`${JSON.stringify(result, null, 2)}\n`);
+    }
+    else {
+        process.stdout.write(`${formatHuman(result)}\n`);
+    }
+    return result.valid ? 0 : 1;
+}
+main()
+    .then((code) => {
+    process.exit(code);
+})
+    .catch((err) => {
+    const msg = err instanceof Error ? err.message : String(err);
+    process.stderr.write(`motebit-verify: ${msg}\n`);
+    process.exit(2);
+});
+//# sourceMappingURL=cli.js.map

package/dist/cli.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"cli.js","sourceRoot":"","sources":["../src/cli.ts"],"names":[],"mappings":";AACA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAyCG;AAEH,OAAO,EAAE,YAAY,EAAE,MAAM,SAAS,CAAC;AACvC,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AAC1C,OAAO,EAAE,aAAa,EAAE,MAAM,UAAU,CAAC;AAGzC,OAAO,EAAE,WAAW,EAAE,UAAU,EAAE,MAAM,mBAAmB,CAAC;AAE5D,OAAO,EAAE,sBAAsB,EAAE,MAAM,eAAe,CAAC;AAEvD,MAAM,aAAa,GAA4B;IAC7C,UAAU;IACV,SAAS;IACT,YAAY;IACZ,cAAc;CACf,CAAC;AAeF,SAAS,SAAS,CAAC,IAAuB;IACxC,IAAI,IAAwB,CAAC;IAC7B,IAAI,IAAI,GAAG,KAAK,CAAC;IACjB,IAAI,YAAsC,CAAC;IAC3C,IAAI,gBAAoC,CAAC;IACzC,IAAI,QAA4B,CAAC;IACjC,IAAI,cAAkC,CAAC;IACvC,IAAI,mCAAuD,CAAC;IAC5D,IAAI,IAAwB,CAAC;IAC7B,IAAI,IAAI,GAAG,KAAK,CAAC;IACjB,IAAI,OAAO,GAAG,KAAK,CAAC;IAEpB,IAAI,CAAC,GAAG,CAAC,CAAC;IACV,OAAO,CAAC,GAAG,IAAI,CAAC,MAAM,EAAE,CAAC;QACvB,MAAM,GAAG,GAAG,IAAI,CAAC,CAAC,CAAE,CAAC;QACrB,QAAQ,GAAG,EAAE,CAAC;YACZ,KAAK,IAAI,CAAC;YACV,KAAK,QAAQ;gBACX,IAAI,GAAG,IAAI,CAAC;gBACZ,CAAC,EAAE,CAAC;gBACJ,MAAM;YACR,KAAK,IAAI,CAAC;YACV,KAAK,WAAW;gBACd,OAAO,GAAG,IAAI,CAAC;gBACf,CAAC,EAAE,CAAC;gBACJ,MAAM;YACR,KAAK,QAAQ;gBACX,IAAI,GAAG,IAAI,CAAC;gBACZ,CAAC,EAAE,CAAC;gBACJ,MAAM;YACR,KAAK,UAAU,CAAC;YAChB,KAAK,iBAAiB,CAAC,CAAC,CAAC;gBACvB,MAAM,KAAK,GAAG,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;gBAC1B,IAAI,KAAK,KAAK,SAAS;oBAAE,OAAO,KAAK,CAAC,GAAG,GAAG,mBAAmB,CAAC,CAAC;gBACjE,IAAI,CAAE,aAAmC,CAAC,QAAQ,CAAC,KAAK,CAAC,EAAE,CAAC;oBAC1D,OAAO,KAAK,CAAC,2BAA2B,KAAK,aAAa,aAAa,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;gBACzF,CAAC;gBACD,YAAY,GAAG,KAAqB,CAAC;gBACrC,CAAC,IAAI,CAAC,CAAC;gBACP,MAAM;YACR,CAAC;YACD,KAAK,cAAc,CAAC,CAAC,CAAC;gBACpB,MAAM,KAAK,GAAG,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;gBAC1B,IAAI,KAAK,KAAK,SAAS;oBAAE,OAAO,KAAK,CAAC,gDAAgD,CAAC,CAAC;gBACxF,MAAM,CAAC,GAAG,MAAM,CAAC,QAAQ,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;gBACrC,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC;oBACjC,OAAO,KAAK,CAAC,qDAAqD,KAAK,IAAI,CAAC,CAAC;gBAC/E,CAAC;gBACD,gBAAgB,GAAG,CAAC,CAAC;gBACrB,CAAC,IAAI,CAAC,CAAC;gBACP,MAAM;YACR,CAAC;YACD,KAAK,aAAa,CAAC,CAAC,CAAC;gBACnB,MAAM,KAAK,GAAG,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;gBAC1B,IAAI,KAAK,KAAK,SAAS;oBAAE,OAAO,KAAK,CAAC,8BAA8B,CAAC,CAAC;gBACtE,QAAQ,GAAG,KAAK,CAAC;gBACjB,CAAC,IAAI,CAAC,CAAC;gBACP,MAAM;YACR,CAAC;YACD,KAAK,mBAAmB,CAAC,CAAC,CAAC;gBACzB,MAAM,KAAK,GAAG,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;gBAC1B,IAAI,KAAK,KAAK,SAAS;oBAAE,OAAO,KAAK,CAAC,oCAAoC,CAAC,CAAC;gBAC5E,cAAc,GAAG,KAAK,CAAC;gBACvB,CAAC,IAAI,CAAC,CAAC;gBACP,MAAM;YACR,CAAC;YACD,KAAK,sCAAsC,CAAC,CAAC,CAAC;gBAC5C,6DAA6D;gBAC7D,+DAA+D;gBAC/D,0DAA0D;gBAC1D,2DAA2D;gBAC3D,+DAA+D;gBAC/D,8DAA8D;gBAC9D,8CAA8C;gBAC9C,MAAM,KAAK,GAAG,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;gBAC1B,IAAI,KAAK,KAAK,SAAS,EAAE,CAAC;oBACxB,OAAO,KAAK,CAAC,uEAAuE,CAAC,CAAC;gBACxF,CAAC;gBACD,mCAAmC,GAAG,KAAK,CAAC;gBAC5C,CAAC,IAAI,CAAC,CAAC;gBACP,MAAM;YACR,CAAC;YACD,KAAK,SAAS,CAAC,CAAC,CAAC;gBACf,MAAM,KAAK,GAAG,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;gBAC1B,IAAI,KAAK,KAAK,SAAS;oBAAE,OAAO,KAAK,CAAC,0BAA0B,CAAC,CAAC;gBAClE,IAAI,GAAG,KAAK,CAAC;gBACb,CAAC,IAAI,CAAC,CAAC;gBACP,MAAM;YACR,CAAC;YACD;gBACE,IAAI,GAAG,CAAC,UAAU,CAAC,GAAG,CAAC;oBAAE,OAAO,KAAK,CAAC,iBAAiB,GAAG,EAAE,CAAC,CAAC;gBAC9D,IAAI,IAAI,KAAK,SAAS,EAAE,CAAC;oBACvB,OAAO,KAAK,CACV,sDAAsD,GAAG,aAAa,IAAI,IAAI,CAC/E,CAAC;gBACJ,CAAC;gBACD,IAAI,GAAG,GAAG,CAAC;gBACX,CAAC,EAAE,CAAC;gBACJ,MAAM;QACV,CAAC;IACH,CAAC;IAED,IAAI,IAAI;QAAE,OAAO,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,CAAC;IACxC,IAAI,OAAO;QAAE,OAAO,EAAE,IAAI,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC;IAC9C,IAAI,IAAI,KAAK,SAAS;QAAE,OAAO,KAAK,CAAC,uBAAuB,CAAC,CAAC;IAE9D,OAAO;QACL,IAAI,EAAE,QAAQ;QACd,IAAI;QACJ,IAAI;QACJ,GAAG,CAAC,YAAY,KAAK,SAAS,IAAI,EAAE,YAAY,EAAE,CAAC;QACnD,GAAG,CAAC,gBAAgB,KAAK,SAAS,IAAI,EAAE,gBAAgB,EAAE,CAAC;QAC3D,GAAG,CAAC,QAAQ,KAAK,SAAS,IAAI,EAAE,QAAQ,EAAE,CAAC;QAC3C,GAAG,CAAC,cAAc,KAAK,SAAS,IAAI,EAAE,cAAc,EAAE,CAAC;QACvD,GAAG,CAAC,mCAAmC,KAAK,SAAS,IAAI;YACvD,mCAAmC;SACpC,CAAC;QACF,GAAG,CAAC,IAAI,KAAK,SAAS,IAAI,EAAE,IAAI,EAAE,CAAC;KACpC,CAAC;AACJ,CAAC;AAED,SAAS,KAAK,CAAC,OAAe;IAC5B,OAAO,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,KAAK,EAAE,UAAU,EAAE,OAAO,EAAE,CAAC;AAC5D,CAAC;AAED,SAAS,UAAU;IACjB,OAAO;QACL,8EAA8E;QAC9E,EAAE;QACF,OAAO;QACP,mCAAmC;QACnC,EAAE;QACF,SAAS;QACT,8EAA8E;QAC9E,2EAA2E;QAC3E,4DAA4D;QAC5D,gFAAgF;QAChF,4DAA4D;QAC5D,4EAA4E;QAC5E,mEAAmE;QACnE,4DAA4D;QAC5D,+CAA+C;QAC/C,4EAA4E;QAC5E,2EAA2E;QAC3E,qEAAqE;QACrE,yEAAyE;QACzE,uEAAuE;QACvE,0EAA0E;QAC1E,4EAA4E;QAC5E,yEAAyE;QACzE,4DAA4D;QAC5D,6EAA6E;QAC7E,qDAAqD;QACrD,6CAA6C;QAC7C,4CAA4C;QAC5C,EAAE;QACF,YAAY;QACZ,kEAAkE;QAClE,qFAAqF;QACrF,0BAA0B;QAC1B,EAAE;QACF,6BAA6B;QAC7B,2DAA2D;QAC3D,sFAAsF;QACtF,mEAAmE;QACnE,iEAAiE;QACjE,4DAA4D;QAC5D,sFAAsF;QACtF,EAAE;QACF,+EAA+E;QAC/E,qEAAqE;QACrE,uEAAuE;QACvE,yEAAyE;QACzE,4EAA4E;KAC7E,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AACf,CAAC;AAED,IAAI,aAAiC,CAAC;AACtC,SAAS,iBAAiB;IACxB,IAAI,aAAa,KAAK,SAAS;QAAE,OAAO,aAAa,CAAC;IACtD,IAAI,CAAC;QACH,MAAM,IAAI,GAAG,OAAO,CAAC,aAAa,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC;QACrD,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,EAAE,IAAI,EAAE,cAAc,CAAC,CAAC;QACjD,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,YAAY,CAAC,OAAO,EAAE,OAAO,CAAC,CAAyB,CAAC;QAC/E,aAAa,GAAG,GAAG,CAAC,OAAO,IAAI,OAAO,CAAC;IACzC,CAAC;IAAC,MAAM,CAAC;QACP,aAAa,GAAG,OAAO,CAAC;IAC1B,CAAC;IACD,OAAO,aAAa,CAAC;AACvB,CAAC;AAED,KAAK,UAAU,IAAI;IACjB,MAAM,IAAI,GAAG,SAAS,CAAC,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC;IAE9C,IAAI,IAAI,CAAC,IAAI,KAAK,SAAS,EAAE,CAAC;QAC5B,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,GAAG,iBAAiB,EAAE,IAAI,CAAC,CAAC;QACjD,OAAO,CAAC,CAAC;IACX,CAAC;IACD,IAAI,IAAI,CAAC,IAAI,KAAK,MAAM,EAAE,CAAC;QACzB,MAAM,IAAI,GAAG,UAAU,EAAE,CAAC;QAC1B,IAAI,IAAI,CAAC,UAAU,KAAK,SAAS,EAAE,CAAC;YAClC,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,mBAAmB,IAAI,CAAC,UAAU,OAAO,IAAI,IAAI,CAAC,CAAC;YACxE,OAAO,CAAC,CAAC;QACX,CAAC;QACD,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,GAAG,IAAI,IAAI,CAAC,CAAC;QAClC,OAAO,CAAC,CAAC;IACX,CAAC;IAED,IAAI,IAAI,CAAC,IAAI,KAAK,SAAS,EAAE,CAAC;QAC5B,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,4CAA4C,UAAU,EAAE,IAAI,CAAC,CAAC;QACnF,OAAO,CAAC,CAAC;IACX,CAAC;IAED,IAAI,+CAAuE,CAAC;IAC5E,IAAI,IAAI,CAAC,mCAAmC,KAAK,SAAS,EAAE,CAAC;QAC3D,IAAI,CAAC;YACH,MAAM,KAAK,GAAG,YAAY,CAAC,IAAI,CAAC,mCAAmC,CAAC,CAAC;YACrE,+CAA+C,GAAG,IAAI,UAAU,CAC9D,KAAK,CAAC,MAAM,EACZ,KAAK,CAAC,UAAU,EAChB,KAAK,CAAC,UAAU,CACjB,CAAC;QACJ,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,MAAM,GAAG,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;YAC7D,OAAO,CAAC,MAAM,CAAC,KAAK,CAClB,uEAAuE,IAAI,CAAC,mCAAmC,KAAK,GAAG,IAAI,CAC5H,CAAC;YACF,OAAO,CAAC,CAAC;QACX,CAAC;IACH,CAAC;IAED,MAAM,mBAAmB,GAAG,sBAAsB,CAAC;QACjD,GAAG,CAAC,IAAI,CAAC,QAAQ,KAAK,SAAS,IAAI,EAAE,iBAAiB,EAAE,IAAI,CAAC,QAAQ,EAAE,CAAC;QACxE,GAAG,CAAC,IAAI,CAAC,cAAc,KAAK,SAAS,IAAI,EAAE,wBAAwB,EAAE,IAAI,CAAC,cAAc,EAAE,CAAC;QAC3F,GAAG,CAAC,+CAA+C,KAAK,SAAS,IAAI;YACnE,+CAA+C;SAChD,CAAC;QACF,GAAG,CAAC,IAAI,CAAC,IAAI,KAAK,SAAS,IAAI,EAAE,YAAY,EAAE,IAAI,CAAC,IAAI,EAAE,CAAC;KAC5D,CAAC,CAAC;IAEH,IAAI,MAAM,CAAC;IACX,IAAI,CAAC;QACH,MAAM,GAAG,MAAM,UAAU,CAAC,IAAI,CAAC,IAAI,EAAE;YACnC,GAAG,CAAC,IAAI,CAAC,YAAY,KAAK,SAAS,IAAI,EAAE,YAAY,EAAE,IAAI,CAAC,YAAY,EAAE,CAAC;YAC3E,GAAG,CAAC,IAAI,CAAC,gBAAgB,KAAK,SAAS,IAAI,EAAE,gBAAgB,EAAE,IAAI,CAAC,gBAAgB,EAAE,CAAC;YACvF,mBAAmB;SACpB,CAAC,CAAC;IACL,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,GAAG,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;QAC7D,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,+BAA+B,IAAI,CAAC,IAAI,KAAK,GAAG,IAAI,CAAC,CAAC;QAC3E,OAAO,CAAC,CAAC;IACX,CAAC;IAED,IAAI,IAAI,CAAC,IAAI,EAAE,CAAC;QACd,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,GAAG,IAAI,CAAC,SAAS,CAAC,MAAM,EAAE,IAAI,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC;IAC/D,CAAC;SAAM,CAAC;QACN,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,GAAG,WAAW,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;IACnD,CAAC;IACD,OAAO,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;AAC9B,CAAC;AAED,IAAI,EAAE;KACH,IAAI,CAAC,CAAC,IAAI,EAAE,EAAE;IACb,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AACrB,CAAC,CAAC;KACD,KAAK,CAAC,CAAC,GAAY,EAAE,EAAE;IACtB,MAAM,GAAG,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;IAC7D,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,mBAAmB,GAAG,IAAI,CAAC,CAAC;IACjD,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;AAClB,CAAC,CAAC,CAAC"}