@naylence/advanced-security 0.3.5-test.101 → 0.3.5-test.104

package/dist/cjs/naylence/fame/security/cert/trust-store/http-bundle-provider.js

@@ -0,0 +1,497 @@
+import { sha256 } from "@noble/hashes/sha2.js";
+import { anchorsToPem, computeSpkiSha256, normalizePem, pemChainToAnchors, toBase64Url, withComputedSpki, } from "./anchor-utils.js";
+const DEFAULT_REFRESH_INTERVAL_MS = 86400000; // 24 hours
+const MIN_REFRESH_INTERVAL_MS = 60000; // 1 minute
+const consoleLogger = {
+    debug: (...args) => {
+        if (!isProductionEnvironment()) {
+            console.debug("[trust-bundle]", ...args);
+        }
+    },
+    warn: (...args) => {
+        console.warn("[trust-bundle]", ...args);
+    },
+};
+function isTruthyFlag(value) {
+    if (typeof value === "boolean") {
+        return value;
+    }
+    if (typeof value === "string") {
+        const normalized = value.trim().toLowerCase();
+        if (!normalized) {
+            return false;
+        }
+        return normalized !== "false" && normalized !== "0";
+    }
+    return false;
+}
+function isCacheDisabled() {
+    if (isNodeEnvironment() && typeof process !== "undefined") {
+        const flag = process.env?.NAYLENCE_TRUST_BUNDLE_DISABLE_CACHE;
+        if (flag !== undefined) {
+            return isTruthyFlag(flag);
+        }
+    }
+    if (typeof globalThis !== "undefined") {
+        const globalFlag = globalThis.NAYLENCE_TRUST_BUNDLE_DISABLE_CACHE;
+        if (globalFlag !== undefined) {
+            return isTruthyFlag(globalFlag);
+        }
+    }
+    return false;
+}
+export class HttpBundleProvider {
+    constructor(options) {
+        this.lastFetched = 0;
+        this.etag = null;
+        this.lastKnownHash = null;
+        this.version = null;
+        this.anchors = null;
+        this.inflight = null;
+        this.listeners = new Set();
+        this.initialized = false;
+        this.pemChain = null;
+        if (!options.url) {
+            throw new Error("HTTP trust bundle requires a URL");
+        }
+        const parsed = new URL(options.url);
+        const allowInsecureEnv = isTruthyFlag(getGlobalFlag("FAME_TRUST_BUNDLE_ALLOW_HTTP"));
+        const allowInsecureOption = options.allowInsecureHttp === true;
+        this.allowInsecureHttp = allowInsecureEnv || allowInsecureOption;
+        if (parsed.protocol !== "https:") {
+            const isLoopbackHost = isLoopbackHostname(parsed.hostname);
+            const devMode = !isProductionEnvironment();
+            if (!(this.allowInsecureHttp && devMode && isLoopbackHost)) {
+                throw new Error("Trust bundle URL must use HTTPS (set allowInsecureHttp or FAME_TRUST_BUNDLE_ALLOW_HTTP for dev-only http)");
+            }
+            consoleLogger.warn("Allowing insecure trust bundle URL", {
+                url: parsed.toString(),
+                devMode,
+                isLoopbackHost,
+            });
+        }
+        this.url = parsed;
+        this.refreshIntervalMs = normalizeRefreshInterval(options.refreshIntervalMs);
+        this.hashPins = normalizeHashPins(options.hashPins);
+        this.allowedSpkis = normalizeAllowedSpkis(options.allowedSpkis);
+        this.allowTofu = options.allowTofu === true;
+        this.enforceBrowserPins = options.enforcePinsInBrowser !== false;
+        this.cacheKey =
+            options.cacheKey ?? computeCacheKey(`${parsed.origin}${parsed.pathname}`);
+        if (isBrowserEnvironment() && !this.allowTofu && this.enforceBrowserPins) {
+            if (this.hashPins.length === 0 && this.allowedSpkis.length === 0) {
+                throw new Error("Browser environments require hash pin, SPKI allowlist, or TOFU");
+            }
+        }
+    }
+    async getRoots() {
+        if (!this.initialized) {
+            await this.initialize();
+        }
+        if (this.inflight) {
+            return this.inflight;
+        }
+        const now = Date.now();
+        const stale = now - this.lastFetched >= this.refreshIntervalMs;
+        if (stale || !this.anchors) {
+            this.inflight = this.fetchLatest()
+                .catch((error) => {
+                consoleLogger.warn("Trust bundle refresh failed", error);
+                if (this.anchors) {
+                    return this.anchors;
+                }
+                throw error;
+            })
+                .finally(() => {
+                this.inflight = null;
+            });
+            return this.inflight;
+        }
+        return this.anchors;
+    }
+    async getTrustStorePem() {
+        const anchors = await this.getRoots();
+        if (!anchors || anchors.length === 0) {
+            throw new Error("Trust bundle does not contain any certificates");
+        }
+        if (!this.pemChain || this.pemChain.trim().length === 0) {
+            this.pemChain = anchorsToPem(anchors);
+        }
+        if (!this.pemChain) {
+            throw new Error("Trust bundle PEM resolution failed");
+        }
+        return this.pemChain;
+    }
+    onUpdate(callback) {
+        this.listeners.add(callback);
+        return () => {
+            this.listeners.delete(callback);
+        };
+    }
+    async initialize() {
+        if (this.initialized) {
+            return;
+        }
+        try {
+            const cached = await loadCache(this.cacheKey);
+            if (cached) {
+                this.applyCachedEntry(cached);
+                consoleLogger.debug("Loaded trust bundle from cache", {
+                    url: this.url.href,
+                    anchorCount: cached.anchors.length,
+                });
+            }
+        }
+        catch (error) {
+            consoleLogger.warn("Failed to load cached trust bundle", error);
+        }
+        this.initialized = true;
+    }
+    applyCachedEntry(entry) {
+        this.anchors = withComputedSpki(entry.anchors);
+        this.etag = entry.etag;
+        this.lastFetched = entry.fetchedAt;
+        this.lastKnownHash = entry.hash;
+        this.version = entry.version;
+        this.pemChain = this.anchors ? anchorsToPem(this.anchors) : null;
+    }
+    async fetchLatest() {
+        const headers = {
+            "Accept": "application/json, application/pem-certificate-chain, text/plain",
+        };
+        if (this.etag) {
+            headers["If-None-Match"] = this.etag;
+        }
+        const response = await fetch(this.url, {
+            method: "GET",
+            headers,
+            cache: "no-store",
+        });
+        if (response.status === 304 && this.anchors) {
+            this.lastFetched = Date.now();
+            return this.anchors;
+        }
+        if (!response.ok) {
+            throw new Error(`Failed to download trust bundle: ${response.status} ${response.statusText}`);
+        }
+        const arrayBuffer = await response.arrayBuffer();
+        const payload = new Uint8Array(arrayBuffer);
+        const hash = computeHash(payload);
+        const pins = this.hashPins.length > 0 ? this.hashPins : null;
+        if (pins && !pins.includes(hash)) {
+            throw new Error("Trust bundle hash mismatch");
+        }
+        let expectedHash = pins ? hash : null;
+        if (!pins) {
+            if (this.lastKnownHash) {
+                if (this.lastKnownHash !== hash) {
+                    throw new Error("Trust bundle hash changed without pin");
+                }
+                expectedHash = hash;
+            }
+            else if (this.allowTofu) {
+                expectedHash = hash;
+            }
+            else if (isBrowserEnvironment() && this.enforceBrowserPins) {
+                throw new Error("Browser download without pins or TOFU is blocked");
+            }
+        }
+        const bundle = parseBundlePayload(payload, this.url.href);
+        if (bundle.version !== null && this.version !== null) {
+            if (bundle.version < this.version) {
+                throw new Error("Trust bundle downgrade detected");
+            }
+        }
+        if (this.allowedSpkis.length > 0) {
+            enforceSpkiAllowlist(bundle.anchors, this.allowedSpkis);
+        }
+        const etagHeader = response.headers.get("etag");
+        this.anchors = withComputedSpki(bundle.anchors);
+        this.etag = etagHeader;
+        this.lastFetched = Date.now();
+        this.lastKnownHash = expectedHash;
+        this.version = bundle.version;
+        this.pemChain = anchorsToPem(this.anchors);
+        const cacheEntry = {
+            anchors: this.anchors,
+            etag: this.etag,
+            fetchedAt: this.lastFetched,
+            hash: this.lastKnownHash,
+            version: this.version,
+        };
+        await saveCache(this.cacheKey, cacheEntry);
+        this.notifyListeners();
+        return this.anchors;
+    }
+    notifyListeners() {
+        for (const callback of this.listeners) {
+            try {
+                callback();
+            }
+            catch (error) {
+                consoleLogger.warn("Trust bundle listener failed", error);
+            }
+        }
+    }
+}
+function getGlobalFlag(name) {
+    if (typeof process !== "undefined" && process.env) {
+        const envValue = process.env[name];
+        if (envValue !== undefined) {
+            return envValue;
+        }
+    }
+    if (typeof globalThis !== "undefined") {
+        return globalThis[name];
+    }
+    return undefined;
+}
+function isLoopbackHostname(hostname) {
+    if (hostname === "localhost" || hostname === "[::1]") {
+        return true;
+    }
+    if (/^127(?:\.\d{1,3}){3}$/.test(hostname)) {
+        return true;
+    }
+    return false;
+}
+function parseBundlePayload(payload, sourceUrl) {
+    const text = bytesToUtf8(payload);
+    const trimmed = text.trim();
+    if (trimmed.startsWith("{")) {
+        const parsed = JSON.parse(trimmed);
+        const version = typeof parsed.version === "number" ? parsed.version : null;
+        const roots = Array.isArray(parsed.roots) ? parsed.roots : [];
+        const anchors = roots
+            .map((root) => {
+            const record = root;
+            const pem = normalizePem(String(record.pem ?? ""));
+            if (!pem) {
+                return null;
+            }
+            const anchor = {
+                pem,
+                ...(typeof record.kid === "string" ? { kid: record.kid } : {}),
+                ...(typeof record.validUntil === "string"
+                    ? { notAfter: record.validUntil }
+                    : {}),
+                ...(typeof record.notBefore === "string"
+                    ? { notBefore: record.notBefore }
+                    : {}),
+            };
+            return anchor;
+        })
+            .filter((anchor) => anchor !== null);
+        if (anchors.length === 0) {
+            throw new Error("Trust bundle JSON does not contain any roots");
+        }
+        return { anchors, version };
+    }
+    if (trimmed.includes("-----BEGIN")) {
+        return { anchors: pemChainToAnchors(trimmed), version: null };
+    }
+    throw new Error(`Unsupported trust bundle format from ${sourceUrl}`);
+}
+function enforceSpkiAllowlist(anchors, allowlist) {
+    const missing = [];
+    for (const anchor of anchors) {
+        const spki = anchor.spkiSha256 ?? computeSpkiSha256(anchor.pem);
+        if (!spki || !allowlist.includes(spki)) {
+            missing.push(anchor.kid ?? spki ?? "unknown");
+        }
+    }
+    if (missing.length > 0) {
+        throw new Error(`Trust bundle contains roots not present in SPKI allowlist: ${missing.join(",")}`);
+    }
+}
+function normalizeHashPins(pins) {
+    if (!pins || pins.length === 0) {
+        return [];
+    }
+    return pins
+        .map((pin) => pin.trim())
+        .filter((pin) => pin.length > 0)
+        .map((pin) => {
+        if (/^[0-9a-fA-F]{64}$/u.test(pin)) {
+            return hexToBase64Url(pin);
+        }
+        return pin;
+    });
+}
+function normalizeAllowedSpkis(entries) {
+    if (!entries || entries.length === 0) {
+        return [];
+    }
+    return entries.map((entry) => entry.trim()).filter((entry) => entry.length);
+}
+function normalizeRefreshInterval(value) {
+    if (typeof value !== "number" || Number.isNaN(value) || value <= 0) {
+        return DEFAULT_REFRESH_INTERVAL_MS;
+    }
+    return Math.max(MIN_REFRESH_INTERVAL_MS, Math.floor(value));
+}
+function computeHash(payload) {
+    const digest = sha256(payload);
+    return toBase64Url(digest);
+}
+function hexToBase64Url(hex) {
+    const bytes = new Uint8Array(hex.length / 2);
+    for (let index = 0; index < bytes.length; index += 1) {
+        bytes[index] = parseInt(hex.slice(index * 2, index * 2 + 2), 16);
+    }
+    return toBase64Url(bytes);
+}
+function bytesToUtf8(data) {
+    if (typeof TextDecoder !== "undefined") {
+        return new TextDecoder().decode(data);
+    }
+    if (typeof Buffer !== "undefined") {
+        return Buffer.from(data).toString("utf8");
+    }
+    return String.fromCharCode(...Array.from(data));
+}
+function computeCacheKey(value) {
+    const digest = sha256(new TextEncoder().encode(value));
+    return Array.from(digest)
+        .map((byte) => byte.toString(16).padStart(2, "0"))
+        .join("");
+}
+async function loadCache(key) {
+    if (isCacheDisabled()) {
+        return null;
+    }
+    if (isNodeEnvironment()) {
+        return loadCacheFromFile(key);
+    }
+    return loadCacheFromBrowser(key);
+}
+async function saveCache(key, entry) {
+    if (isCacheDisabled()) {
+        return;
+    }
+    if (isNodeEnvironment()) {
+        await saveCacheToFile(key, entry);
+    }
+    else {
+        await saveCacheToBrowser(key, entry);
+    }
+}
+async function loadCacheFromFile(key) {
+    try {
+        const { default: path } = await import("node:path");
+        const fs = await import("node:fs/promises");
+        const os = await import("node:os");
+        const dir = path.join(os.homedir(), ".naylence", "trust-bundles");
+        const filePath = path.join(dir, `${key}.json`);
+        const content = await fs.readFile(filePath, "utf8");
+        const parsed = JSON.parse(content);
+        return parsed;
+    }
+    catch (error) {
+        if (error?.code === "ENOENT") {
+            return null;
+        }
+        throw error;
+    }
+}
+async function saveCacheToFile(key, entry) {
+    const { default: path } = await import("node:path");
+    const fs = await import("node:fs/promises");
+    const os = await import("node:os");
+    const dir = path.join(os.homedir(), ".naylence", "trust-bundles");
+    await fs.mkdir(dir, { recursive: true });
+    const filePath = path.join(dir, `${key}.json`);
+    const payload = JSON.stringify(entry, null, 2);
+    await fs.writeFile(filePath, payload, "utf8");
+}
+const BROWSER_CACHE_NAMESPACE = "naylence.trustBundles";
+async function loadCacheFromBrowser(key) {
+    const store = await openBrowserStore();
+    if (!store) {
+        return null;
+    }
+    return store.get(key);
+}
+async function saveCacheToBrowser(key, entry) {
+    const store = await openBrowserStore();
+    if (!store) {
+        return;
+    }
+    await store.set(key, entry);
+}
+async function openBrowserStore() {
+    if (typeof indexedDB !== "undefined") {
+        return openIndexedDbStore();
+    }
+    if (typeof localStorage !== "undefined") {
+        return {
+            async get(key) {
+                const payload = localStorage.getItem(`${BROWSER_CACHE_NAMESPACE}:${key}`);
+                if (!payload) {
+                    return null;
+                }
+                return JSON.parse(payload);
+            },
+            async set(key, value) {
+                localStorage.setItem(`${BROWSER_CACHE_NAMESPACE}:${key}`, JSON.stringify(value));
+            },
+        };
+    }
+    return null;
+}
+async function openIndexedDbStore() {
+    return new Promise((resolve) => {
+        const request = indexedDB.open("naylence_trust_bundles", 1);
+        request.onupgradeneeded = () => {
+            const db = request.result;
+            if (!db.objectStoreNames.contains("bundles")) {
+                db.createObjectStore("bundles");
+            }
+        };
+        request.onsuccess = () => {
+            const db = request.result;
+            resolve({
+                get: (key) => new Promise((storeResolve, storeReject) => {
+                    const transaction = db.transaction("bundles", "readonly");
+                    const store = transaction.objectStore("bundles");
+                    const getRequest = store.get(key);
+                    getRequest.onsuccess = () => {
+                        storeResolve(getRequest.result ?? null);
+                    };
+                    getRequest.onerror = () => {
+                        storeReject(getRequest.error ?? new Error("IndexedDB get failed"));
+                    };
+                }),
+                set: (key, value) => new Promise((storeResolve, storeReject) => {
+                    const transaction = db.transaction("bundles", "readwrite");
+                    const store = transaction.objectStore("bundles");
+                    const putRequest = store.put(value, key);
+                    putRequest.onsuccess = () => {
+                        storeResolve();
+                    };
+                    putRequest.onerror = () => {
+                        storeReject(putRequest.error ?? new Error("IndexedDB put failed"));
+                    };
+                }),
+            });
+        };
+        request.onerror = () => {
+            consoleLogger.warn("IndexedDB unavailable for trust bundle caching", request.error);
+            resolve(null);
+        };
+    });
+}
+function isBrowserEnvironment() {
+    return typeof window !== "undefined" && typeof window.document !== "undefined";
+}
+function isNodeEnvironment() {
+    return (typeof process !== "undefined" &&
+        typeof process.versions !== "undefined" &&
+        typeof process.versions.node === "string");
+}
+function isProductionEnvironment() {
+    return (typeof process !== "undefined" &&
+        typeof process.env !== "undefined" &&
+        process.env.NODE_ENV === "production");
+}
+//# sourceMappingURL=http-bundle-provider.js.map

package/dist/cjs/naylence/fame/security/cert/trust-store/http-bundle-provider.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"http-bundle-provider.js","sourceRoot":"","sources":["../../../../../../../src/naylence/fame/security/cert/trust-store/http-bundle-provider.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,EAAE,MAAM,uBAAuB,CAAC;AAE/C,OAAO,EACL,YAAY,EACZ,iBAAiB,EACjB,YAAY,EACZ,iBAAiB,EACjB,WAAW,EACX,gBAAgB,GACjB,MAAM,mBAAmB,CAAC;AAsB3B,MAAM,2BAA2B,GAAG,QAAU,CAAC,CAAC,WAAW;AAC3D,MAAM,uBAAuB,GAAG,KAAM,CAAC,CAAC,WAAW;AAEnD,MAAM,aAAa,GAAG;IACpB,KAAK,EAAE,CAAC,GAAG,IAAe,EAAQ,EAAE;QAClC,IAAI,CAAC,uBAAuB,EAAE,EAAE,CAAC;YAC/B,OAAO,CAAC,KAAK,CAAC,gBAAgB,EAAE,GAAG,IAAI,CAAC,CAAC;QAC3C,CAAC;IACH,CAAC;IACD,IAAI,EAAE,CAAC,GAAG,IAAe,EAAQ,EAAE;QACjC,OAAO,CAAC,IAAI,CAAC,gBAAgB,EAAE,GAAG,IAAI,CAAC,CAAC;IAC1C,CAAC;CACF,CAAC;AAEF,SAAS,YAAY,CAAC,KAAc;IAClC,IAAI,OAAO,KAAK,KAAK,SAAS,EAAE,CAAC;QAC/B,OAAO,KAAK,CAAC;IACf,CAAC;IAED,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;QAC9B,MAAM,UAAU,GAAG,KAAK,CAAC,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC;QAC9C,IAAI,CAAC,UAAU,EAAE,CAAC;YAChB,OAAO,KAAK,CAAC;QACf,CAAC;QAED,OAAO,UAAU,KAAK,OAAO,IAAI,UAAU,KAAK,GAAG,CAAC;IACtD,CAAC;IAED,OAAO,KAAK,CAAC;AACf,CAAC;AAED,SAAS,eAAe;IACtB,IAAI,iBAAiB,EAAE,IAAI,OAAO,OAAO,KAAK,WAAW,EAAE,CAAC;QAC1D,MAAM,IAAI,GAAG,OAAO,CAAC,GAAG,EAAE,mCAAmC,CAAC;QAC9D,IAAI,IAAI,KAAK,SAAS,EAAE,CAAC;YACvB,OAAO,YAAY,CAAC,IAAI,CAAC,CAAC;QAC5B,CAAC;IACH,CAAC;IAED,IAAI,OAAO,UAAU,KAAK,WAAW,EAAE,CAAC;QACtC,MAAM,UAAU,GAAI,UAElB,CAAC,mCAAmC,CAAC;QAEvC,IAAI,UAAU,KAAK,SAAS,EAAE,CAAC;YAC7B,OAAO,YAAY,CAAC,UAAU,CAAC,CAAC;QAClC,CAAC;IACH,CAAC;IAED,OAAO,KAAK,CAAC;AACf,CAAC;AAED,MAAM,OAAO,kBAAkB;IAoB7B,YAAmB,OAAkC;QAV7C,gBAAW,GAAG,CAAC,CAAC;QAChB,SAAI,GAAkB,IAAI,CAAC;QAC3B,kBAAa,GAAkB,IAAI,CAAC;QACpC,YAAO,GAAkB,IAAI,CAAC;QAC9B,YAAO,GAAyB,IAAI,CAAC;QACrC,aAAQ,GAAkC,IAAI,CAAC;QACtC,cAAS,GAAG,IAAI,GAAG,EAAc,CAAC;QAC3C,gBAAW,GAAG,KAAK,CAAC;QACpB,aAAQ,GAAkB,IAAI,CAAC;QAGrC,IAAI,CAAC,OAAO,CAAC,GAAG,EAAE,CAAC;YACjB,MAAM,IAAI,KAAK,CAAC,kCAAkC,CAAC,CAAC;QACtD,CAAC;QAED,MAAM,MAAM,GAAG,IAAI,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;QACpC,MAAM,gBAAgB,GAAG,YAAY,CACnC,aAAa,CAAC,8BAA8B,CAAC,CAC9C,CAAC;QACF,MAAM,mBAAmB,GAAG,OAAO,CAAC,iBAAiB,KAAK,IAAI,CAAC;QAC/D,IAAI,CAAC,iBAAiB,GAAG,gBAAgB,IAAI,mBAAmB,CAAC;QAEjE,IAAI,MAAM,CAAC,QAAQ,KAAK,QAAQ,EAAE,CAAC;YACjC,MAAM,cAAc,GAAG,kBAAkB,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;YAC3D,MAAM,OAAO,GAAG,CAAC,uBAAuB,EAAE,CAAC;YAE3C,IAAI,CAAC,CAAC,IAAI,CAAC,iBAAiB,IAAI,OAAO,IAAI,cAAc,CAAC,EAAE,CAAC;gBAC3D,MAAM,IAAI,KAAK,CACb,2GAA2G,CAC5G,CAAC;YACJ,CAAC;YAED,aAAa,CAAC,IAAI,CAAC,oCAAoC,EAAE;gBACvD,GAAG,EAAE,MAAM,CAAC,QAAQ,EAAE;gBACtB,OAAO;gBACP,cAAc;aACf,CAAC,CAAC;QACL,CAAC;QAED,IAAI,CAAC,GAAG,GAAG,MAAM,CAAC;QAClB,IAAI,CAAC,iBAAiB,GAAG,wBAAwB,CAC/C,OAAO,CAAC,iBAAiB,CAC1B,CAAC;QACF,IAAI,CAAC,QAAQ,GAAG,iBAAiB,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC;QACpD,IAAI,CAAC,YAAY,GAAG,qBAAqB,CAAC,OAAO,CAAC,YAAY,CAAC,CAAC;QAChE,IAAI,CAAC,SAAS,GAAG,OAAO,CAAC,SAAS,KAAK,IAAI,CAAC;QAC5C,IAAI,CAAC,kBAAkB,GAAG,OAAO,CAAC,oBAAoB,KAAK,KAAK,CAAC;QACjE,IAAI,CAAC,QAAQ;YACX,OAAO,CAAC,QAAQ,IAAI,eAAe,CAAC,GAAG,MAAM,CAAC,MAAM,GAAG,MAAM,CAAC,QAAQ,EAAE,CAAC,CAAC;QAE5E,IAAI,oBAAoB,EAAE,IAAI,CAAC,IAAI,CAAC,SAAS,IAAI,IAAI,CAAC,kBAAkB,EAAE,CAAC;YACzE,IAAI,IAAI,CAAC,QAAQ,CAAC,MAAM,KAAK,CAAC,IAAI,IAAI,CAAC,YAAY,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;gBACjE,MAAM,IAAI,KAAK,CACb,gEAAgE,CACjE,CAAC;YACJ,CAAC;QACH,CAAC;IACH,CAAC;IAEM,KAAK,CAAC,QAAQ;QACnB,IAAI,CAAC,IAAI,CAAC,WAAW,EAAE,CAAC;YACtB,MAAM,IAAI,CAAC,UAAU,EAAE,CAAC;QAC1B,CAAC;QAED,IAAI,IAAI,CAAC,QAAQ,EAAE,CAAC;YAClB,OAAO,IAAI,CAAC,QAAQ,CAAC;QACvB,CAAC;QAED,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QACvB,MAAM,KAAK,GAAG,GAAG,GAAG,IAAI,CAAC,WAAW,IAAI,IAAI,CAAC,iBAAiB,CAAC;QAC/D,IAAI,KAAK,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,CAAC;YAC3B,IAAI,CAAC,QAAQ,GAAG,IAAI,CAAC,WAAW,EAAE;iBAC/B,KAAK,CAAC,CAAC,KAAK,EAAE,EAAE;gBACf,aAAa,CAAC,IAAI,CAAC,6BAA6B,EAAE,KAAK,CAAC,CAAC;gBACzD,IAAI,IAAI,CAAC,OAAO,EAAE,CAAC;oBACjB,OAAO,IAAI,CAAC,OAAO,CAAC;gBACtB,CAAC;gBACD,MAAM,KAAK,CAAC;YACd,CAAC,CAAC;iBACD,OAAO,CAAC,GAAG,EAAE;gBACZ,IAAI,CAAC,QAAQ,GAAG,IAAI,CAAC;YACvB,CAAC,CAAC,CAAC;YACL,OAAO,IAAI,CAAC,QAAQ,CAAC;QACvB,CAAC;QAED,OAAO,IAAI,CAAC,OAAO,CAAC;IACtB,CAAC;IAEM,KAAK,CAAC,gBAAgB;QAC3B,MAAM,OAAO,GAAG,MAAM,IAAI,CAAC,QAAQ,EAAE,CAAC;QACtC,IAAI,CAAC,OAAO,IAAI,OAAO,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACrC,MAAM,IAAI,KAAK,CAAC,gDAAgD,CAAC,CAAC;QACpE,CAAC;QAED,IAAI,CAAC,IAAI,CAAC,QAAQ,IAAI,IAAI,CAAC,QAAQ,CAAC,IAAI,EAAE,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACxD,IAAI,CAAC,QAAQ,GAAG,YAAY,CAAC,OAAO,CAAC,CAAC;QACxC,CAAC;QAED,IAAI,CAAC,IAAI,CAAC,QAAQ,EAAE,CAAC;YACnB,MAAM,IAAI,KAAK,CAAC,oCAAoC,CAAC,CAAC;QACxD,CAAC;QAED,OAAO,IAAI,CAAC,QAAQ,CAAC;IACvB,CAAC;IAEM,QAAQ,CAAC,QAAoB;QAClC,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;QAC7B,OAAO,GAAG,EAAE;YACV,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;QAClC,CAAC,CAAC;IACJ,CAAC;IAEM,KAAK,CAAC,UAAU;QACrB,IAAI,IAAI,CAAC,WAAW,EAAE,CAAC;YACrB,OAAO;QACT,CAAC;QACD,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,MAAM,SAAS,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;YAC9C,IAAI,MAAM,EAAE,CAAC;gBACX,IAAI,CAAC,gBAAgB,CAAC,MAAM,CAAC,CAAC;gBAC9B,aAAa,CAAC,KAAK,CAAC,gCAAgC,EAAE;oBACpD,GAAG,EAAE,IAAI,CAAC,GAAG,CAAC,IAAI;oBAClB,WAAW,EAAE,MAAM,CAAC,OAAO,CAAC,MAAM;iBACnC,CAAC,CAAC;YACL,CAAC;QACH,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,aAAa,CAAC,IAAI,CAAC,oCAAoC,EAAE,KAAK,CAAC,CAAC;QAClE,CAAC;QACD,IAAI,CAAC,WAAW,GAAG,IAAI,CAAC;IAC1B,CAAC;IAEO,gBAAgB,CAAC,KAAwB;QAC/C,IAAI,CAAC,OAAO,GAAG,gBAAgB,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;QAC/C,IAAI,CAAC,IAAI,GAAG,KAAK,CAAC,IAAI,CAAC;QACvB,IAAI,CAAC,WAAW,GAAG,KAAK,CAAC,SAAS,CAAC;QACnC,IAAI,CAAC,aAAa,GAAG,KAAK,CAAC,IAAI,CAAC;QAChC,IAAI,CAAC,OAAO,GAAG,KAAK,CAAC,OAAO,CAAC;QAC7B,IAAI,CAAC,QAAQ,GAAG,IAAI,CAAC,OAAO,CAAC,CAAC,CAAC,YAAY,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;IACnE,CAAC;IAEO,KAAK,CAAC,WAAW;QACvB,MAAM,OAAO,GAA2B;YACtC,QAAQ,EAAE,iEAAiE;SAC5E,CAAC;QAEF,IAAI,IAAI,CAAC,IAAI,EAAE,CAAC;YACd,OAAO,CAAC,eAAe,CAAC,GAAG,IAAI,CAAC,IAAI,CAAC;QACvC,CAAC;QAED,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE;YACrC,MAAM,EAAE,KAAK;YACb,OAAO;YACP,KAAK,EAAE,UAAU;SAClB,CAAC,CAAC;QAEH,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG,IAAI,IAAI,CAAC,OAAO,EAAE,CAAC;YAC5C,IAAI,CAAC,WAAW,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;YAC9B,OAAO,IAAI,CAAC,OAAO,CAAC;QACtB,CAAC;QAED,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;YACjB,MAAM,IAAI,KAAK,CACb,oCAAoC,QAAQ,CAAC,MAAM,IAAI,QAAQ,CAAC,UAAU,EAAE,CAC7E,CAAC;QACJ,CAAC;QAED,MAAM,WAAW,GAAG,MAAM,QAAQ,CAAC,WAAW,EAAE,CAAC;QACjD,MAAM,OAAO,GAAG,IAAI,UAAU,CAAC,WAAW,CAAC,CAAC;QAC5C,MAAM,IAAI,GAAG,WAAW,CAAC,OAAO,CAAC,CAAC;QAElC,MAAM,IAAI,GAAG,IAAI,CAAC,QAAQ,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC;QAC7D,IAAI,IAAI,IAAI,CAAC,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;YACjC,MAAM,IAAI,KAAK,CAAC,4BAA4B,CAAC,CAAC;QAChD,CAAC;QAED,IAAI,YAAY,GAAG,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC;QACtC,IAAI,CAAC,IAAI,EAAE,CAAC;YACV,IAAI,IAAI,CAAC,aAAa,EAAE,CAAC;gBACvB,IAAI,IAAI,CAAC,aAAa,KAAK,IAAI,EAAE,CAAC;oBAChC,MAAM,IAAI,KAAK,CAAC,uCAAuC,CAAC,CAAC;gBAC3D,CAAC;gBACD,YAAY,GAAG,IAAI,CAAC;YACtB,CAAC;iBAAM,IAAI,IAAI,CAAC,SAAS,EAAE,CAAC;gBAC1B,YAAY,GAAG,IAAI,CAAC;YACtB,CAAC;iBAAM,IAAI,oBAAoB,EAAE,IAAI,IAAI,CAAC,kBAAkB,EAAE,CAAC;gBAC7D,MAAM,IAAI,KAAK,CAAC,kDAAkD,CAAC,CAAC;YACtE,CAAC;QACH,CAAC;QAED,MAAM,MAAM,GAAG,kBAAkB,CAAC,OAAO,EAAE,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;QAE1D,IAAI,MAAM,CAAC,OAAO,KAAK,IAAI,IAAI,IAAI,CAAC,OAAO,KAAK,IAAI,EAAE,CAAC;YACrD,IAAI,MAAM,CAAC,OAAO,GAAG,IAAI,CAAC,OAAO,EAAE,CAAC;gBAClC,MAAM,IAAI,KAAK,CAAC,iCAAiC,CAAC,CAAC;YACrD,CAAC;QACH,CAAC;QAED,IAAI,IAAI,CAAC,YAAY,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACjC,oBAAoB,CAAC,MAAM,CAAC,OAAO,EAAE,IAAI,CAAC,YAAY,CAAC,CAAC;QAC1D,CAAC;QAED,MAAM,UAAU,GAAG,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;QAChD,IAAI,CAAC,OAAO,GAAG,gBAAgB,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;QAChD,IAAI,CAAC,IAAI,GAAG,UAAU,CAAC;QACvB,IAAI,CAAC,WAAW,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QAC9B,IAAI,CAAC,aAAa,GAAG,YAAY,CAAC;QAClC,IAAI,CAAC,OAAO,GAAG,MAAM,CAAC,OAAO,CAAC;QAC9B,IAAI,CAAC,QAAQ,GAAG,YAAY,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QAE3C,MAAM,UAAU,GAAsB;YACpC,OAAO,EAAE,IAAI,CAAC,OAAO;YACrB,IAAI,EAAE,IAAI,CAAC,IAAI;YACf,SAAS,EAAE,IAAI,CAAC,WAAW;YAC3B,IAAI,EAAE,IAAI,CAAC,aAAa;YACxB,OAAO,EAAE,IAAI,CAAC,OAAO;SACtB,CAAC;QAEF,MAAM,SAAS,CAAC,IAAI,CAAC,QAAQ,EAAE,UAAU,CAAC,CAAC;QAC3C,IAAI,CAAC,eAAe,EAAE,CAAC;QACvB,OAAO,IAAI,CAAC,OAAO,CAAC;IACtB,CAAC;IAEO,eAAe;QACrB,KAAK,MAAM,QAAQ,IAAI,IAAI,CAAC,SAAS,EAAE,CAAC;YACtC,IAAI,CAAC;gBACH,QAAQ,EAAE,CAAC;YACb,CAAC;YAAC,OAAO,KAAK,EAAE,CAAC;gBACf,aAAa,CAAC,IAAI,CAAC,8BAA8B,EAAE,KAAK,CAAC,CAAC;YAC5D,CAAC;QACH,CAAC;IACH,CAAC;CACF;AAED,SAAS,aAAa,CAAC,IAAY;IACjC,IAAI,OAAO,OAAO,KAAK,WAAW,IAAI,OAAO,CAAC,GAAG,EAAE,CAAC;QAClD,MAAM,QAAQ,GAAG,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;QACnC,IAAI,QAAQ,KAAK,SAAS,EAAE,CAAC;YAC3B,OAAO,QAAQ,CAAC;QAClB,CAAC;IACH,CAAC;IAED,IAAI,OAAO,UAAU,KAAK,WAAW,EAAE,CAAC;QACtC,OAAQ,UAAsC,CAAC,IAAI,CAAC,CAAC;IACvD,CAAC;IAED,OAAO,SAAS,CAAC;AACnB,CAAC;AAED,SAAS,kBAAkB,CAAC,QAAgB;IAC1C,IAAI,QAAQ,KAAK,WAAW,IAAI,QAAQ,KAAK,OAAO,EAAE,CAAC;QACrD,OAAO,IAAI,CAAC;IACd,CAAC;IAED,IAAI,uBAAuB,CAAC,IAAI,CAAC,QAAQ,CAAC,EAAE,CAAC;QAC3C,OAAO,IAAI,CAAC;IACd,CAAC;IAED,OAAO,KAAK,CAAC;AACf,CAAC;AAOD,SAAS,kBAAkB,CACzB,OAAmB,EACnB,SAAiB;IAEjB,MAAM,IAAI,GAAG,WAAW,CAAC,OAAO,CAAC,CAAC;IAClC,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,EAAE,CAAC;IAE5B,IAAI,OAAO,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;QAC5B,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,OAAO,CAA4B,CAAC;QAC9D,MAAM,OAAO,GAAG,OAAO,MAAM,CAAC,OAAO,KAAK,QAAQ,CAAC,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,CAAC,IAAI,CAAC;QAC3E,MAAM,KAAK,GAAG,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,CAAC;QAE9D,MAAM,OAAO,GAAkB,KAAK;aACjC,GAAG,CAAC,CAAC,IAAI,EAAE,EAAE;YACZ,MAAM,MAAM,GAAG,IAA+B,CAAC;YAC/C,MAAM,GAAG,GAAG,YAAY,CAAC,MAAM,CAAC,MAAM,CAAC,GAAG,IAAI,EAAE,CAAC,CAAC,CAAC;YACnD,IAAI,CAAC,GAAG,EAAE,CAAC;gBACT,OAAO,IAAI,CAAC;YACd,CAAC;YAED,MAAM,MAAM,GAAgB;gBAC1B,GAAG;gBACH,GAAG,CAAC,OAAO,MAAM,CAAC,GAAG,KAAK,QAAQ,CAAC,CAAC,CAAC,EAAE,GAAG,EAAE,MAAM,CAAC,GAAG,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;gBAC9D,GAAG,CAAC,OAAO,MAAM,CAAC,UAAU,KAAK,QAAQ;oBACvC,CAAC,CAAC,EAAE,QAAQ,EAAE,MAAM,CAAC,UAAU,EAAE;oBACjC,CAAC,CAAC,EAAE,CAAC;gBACP,GAAG,CAAC,OAAO,MAAM,CAAC,SAAS,KAAK,QAAQ;oBACtC,CAAC,CAAC,EAAE,SAAS,EAAE,MAAM,CAAC,SAAS,EAAE;oBACjC,CAAC,CAAC,EAAE,CAAC;aACR,CAAC;YAEF,OAAO,MAAM,CAAC;QAChB,CAAC,CAAC;aACD,MAAM,CAAC,CAAC,MAAM,EAAyB,EAAE,CAAC,MAAM,KAAK,IAAI,CAAC,CAAC;QAE9D,IAAI,OAAO,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACzB,MAAM,IAAI,KAAK,CAAC,8CAA8C,CAAC,CAAC;QAClE,CAAC;QAED,OAAO,EAAE,OAAO,EAAE,OAAO,EAAE,CAAC;IAC9B,CAAC;IAED,IAAI,OAAO,CAAC,QAAQ,CAAC,YAAY,CAAC,EAAE,CAAC;QACnC,OAAO,EAAE,OAAO,EAAE,iBAAiB,CAAC,OAAO,CAAC,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC;IAChE,CAAC;IAED,MAAM,IAAI,KAAK,CAAC,wCAAwC,SAAS,EAAE,CAAC,CAAC;AACvE,CAAC;AAED,SAAS,oBAAoB,CAC3B,OAA+B,EAC/B,SAA4B;IAE5B,MAAM,OAAO,GAAG,EAAc,CAAC;IAC/B,KAAK,MAAM,MAAM,IAAI,OAAO,EAAE,CAAC;QAC7B,MAAM,IAAI,GAAG,MAAM,CAAC,UAAU,IAAI,iBAAiB,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;QAChE,IAAI,CAAC,IAAI,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;YACvC,OAAO,CAAC,IAAI,CAAC,MAAM,CAAC,GAAG,IAAI,IAAI,IAAI,SAAS,CAAC,CAAC;QAChD,CAAC;IACH,CAAC;IAED,IAAI,OAAO,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACvB,MAAM,IAAI,KAAK,CACb,8DAA8D,OAAO,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAClF,CAAC;IACJ,CAAC;AACH,CAAC;AAED,SAAS,iBAAiB,CACxB,IAAmC;IAEnC,IAAI,CAAC,IAAI,IAAI,IAAI,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC/B,OAAO,EAAE,CAAC;IACZ,CAAC;IAED,OAAO,IAAI;SACR,GAAG,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,GAAG,CAAC,IAAI,EAAE,CAAC;SACxB,MAAM,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,GAAG,CAAC,MAAM,GAAG,CAAC,CAAC;SAC/B,GAAG,CAAC,CAAC,GAAG,EAAE,EAAE;QACX,IAAI,oBAAoB,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC;YACnC,OAAO,cAAc,CAAC,GAAG,CAAC,CAAC;QAC7B,CAAC;QACD,OAAO,GAAG,CAAC;IACb,CAAC,CAAC,CAAC;AACP,CAAC;AAED,SAAS,qBAAqB,CAC5B,OAAsC;IAEtC,IAAI,CAAC,OAAO,IAAI,OAAO,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACrC,OAAO,EAAE,CAAC;IACZ,CAAC;IACD,OAAO,OAAO,CAAC,GAAG,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC,CAAC,MAAM,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC;AAC9E,CAAC;AAED,SAAS,wBAAwB,CAAC,KAAc;IAC9C,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,MAAM,CAAC,KAAK,CAAC,KAAK,CAAC,IAAI,KAAK,IAAI,CAAC,EAAE,CAAC;QACnE,OAAO,2BAA2B,CAAC;IACrC,CAAC;IACD,OAAO,IAAI,CAAC,GAAG,CAAC,uBAAuB,EAAE,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC,CAAC;AAC9D,CAAC;AAED,SAAS,WAAW,CAAC,OAAmB;IACtC,MAAM,MAAM,GAAG,MAAM,CAAC,OAAO,CAAC,CAAC;IAC/B,OAAO,WAAW,CAAC,MAAM,CAAC,CAAC;AAC7B,CAAC;AAED,SAAS,cAAc,CAAC,GAAW;IACjC,MAAM,KAAK,GAAG,IAAI,UAAU,CAAC,GAAG,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC;IAC7C,KAAK,IAAI,KAAK,GAAG,CAAC,EAAE,KAAK,GAAG,KAAK,CAAC,MAAM,EAAE,KAAK,IAAI,CAAC,EAAE,CAAC;QACrD,KAAK,CAAC,KAAK,CAAC,GAAG,QAAQ,CAAC,GAAG,CAAC,KAAK,CAAC,KAAK,GAAG,CAAC,EAAE,KAAK,GAAG,CAAC,GAAG,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;IACnE,CAAC;IACD,OAAO,WAAW,CAAC,KAAK,CAAC,CAAC;AAC5B,CAAC;AAED,SAAS,WAAW,CAAC,IAAgB;IACnC,IAAI,OAAO,WAAW,KAAK,WAAW,EAAE,CAAC;QACvC,OAAO,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;IACxC,CAAC;IACD,IAAI,OAAO,MAAM,KAAK,WAAW,EAAE,CAAC;QAClC,OAAO,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;IAC5C,CAAC;IACD,OAAO,MAAM,CAAC,YAAY,CAAC,GAAG,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC;AAClD,CAAC;AAED,SAAS,eAAe,CAAC,KAAa;IACpC,MAAM,MAAM,GAAG,MAAM,CAAC,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC;IACvD,OAAO,KAAK,CAAC,IAAI,CAAC,MAAM,CAAC;SACtB,GAAG,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,IAAI,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC;SACjD,IAAI,CAAC,EAAE,CAAC,CAAC;AACd,CAAC;AAED,KAAK,UAAU,SAAS,CAAC,GAAW;IAClC,IAAI,eAAe,EAAE,EAAE,CAAC;QACtB,OAAO,IAAI,CAAC;IACd,CAAC;IACD,IAAI,iBAAiB,EAAE,EAAE,CAAC;QACxB,OAAO,iBAAiB,CAAC,GAAG,CAAC,CAAC;IAChC,CAAC;IACD,OAAO,oBAAoB,CAAC,GAAG,CAAC,CAAC;AACnC,CAAC;AAED,KAAK,UAAU,SAAS,CAAC,GAAW,EAAE,KAAwB;IAC5D,IAAI,eAAe,EAAE,EAAE,CAAC;QACtB,OAAO;IACT,CAAC;IACD,IAAI,iBAAiB,EAAE,EAAE,CAAC;QACxB,MAAM,eAAe,CAAC,GAAG,EAAE,KAAK,CAAC,CAAC;IACpC,CAAC;SAAM,CAAC;QACN,MAAM,kBAAkB,CAAC,GAAG,EAAE,KAAK,CAAC,CAAC;IACvC,CAAC;AACH,CAAC;AAED,KAAK,UAAU,iBAAiB,CAAC,GAAW;IAC1C,IAAI,CAAC;QACH,MAAM,EAAE,OAAO,EAAE,IAAI,EAAE,GAAG,MAAM,MAAM,CAAC,WAAW,CAAC,CAAC;QACpD,MAAM,EAAE,GAAG,MAAM,MAAM,CAAC,kBAAkB,CAAC,CAAC;QAC5C,MAAM,EAAE,GAAG,MAAM,MAAM,CAAC,SAAS,CAAC,CAAC;QAEnC,MAAM,GAAG,GAAG,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,OAAO,EAAE,EAAE,WAAW,EAAE,eAAe,CAAC,CAAC;QAClE,MAAM,QAAQ,GAAG,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,GAAG,OAAO,CAAC,CAAC;QAC/C,MAAM,OAAO,GAAG,MAAM,EAAE,CAAC,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC;QACpD,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,OAAO,CAAsB,CAAC;QACxD,OAAO,MAAM,CAAC;IAChB,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,IAAK,KAA+B,EAAE,IAAI,KAAK,QAAQ,EAAE,CAAC;YACxD,OAAO,IAAI,CAAC;QACd,CAAC;QACD,MAAM,KAAK,CAAC;IACd,CAAC;AACH,CAAC;AAED,KAAK,UAAU,eAAe,CAAC,GAAW,EAAE,KAAwB;IAClE,MAAM,EAAE,OAAO,EAAE,IAAI,EAAE,GAAG,MAAM,MAAM,CAAC,WAAW,CAAC,CAAC;IACpD,MAAM,EAAE,GAAG,MAAM,MAAM,CAAC,kBAAkB,CAAC,CAAC;IAC5C,MAAM,EAAE,GAAG,MAAM,MAAM,CAAC,SAAS,CAAC,CAAC;IAEnC,MAAM,GAAG,GAAG,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,OAAO,EAAE,EAAE,WAAW,EAAE,eAAe,CAAC,CAAC;IAClE,MAAM,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IACzC,MAAM,QAAQ,GAAG,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,GAAG,OAAO,CAAC,CAAC;IAC/C,MAAM,OAAO,GAAG,IAAI,CAAC,SAAS,CAAC,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC;IAC/C,MAAM,EAAE,CAAC,SAAS,CAAC,QAAQ,EAAE,OAAO,EAAE,MAAM,CAAC,CAAC;AAChD,CAAC;AAED,MAAM,uBAAuB,GAAG,uBAAuB,CAAC;AAExD,KAAK,UAAU,oBAAoB,CAAC,GAAW;IAC7C,MAAM,KAAK,GAAG,MAAM,gBAAgB,EAAE,CAAC;IACvC,IAAI,CAAC,KAAK,EAAE,CAAC;QACX,OAAO,IAAI,CAAC;IACd,CAAC;IAED,OAAO,KAAK,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;AACxB,CAAC;AAED,KAAK,UAAU,kBAAkB,CAAC,GAAW,EAAE,KAAwB;IACrE,MAAM,KAAK,GAAG,MAAM,gBAAgB,EAAE,CAAC;IACvC,IAAI,CAAC,KAAK,EAAE,CAAC;QACX,OAAO;IACT,CAAC;IAED,MAAM,KAAK,CAAC,GAAG,CAAC,GAAG,EAAE,KAAK,CAAC,CAAC;AAC9B,CAAC;AAOD,KAAK,UAAU,gBAAgB;IAC7B,IAAI,OAAO,SAAS,KAAK,WAAW,EAAE,CAAC;QACrC,OAAO,kBAAkB,EAAE,CAAC;IAC9B,CAAC;IAED,IAAI,OAAO,YAAY,KAAK,WAAW,EAAE,CAAC;QACxC,OAAO;YACL,KAAK,CAAC,GAAG,CAAC,GAAW;gBACnB,MAAM,OAAO,GAAG,YAAY,CAAC,OAAO,CAAC,GAAG,uBAAuB,IAAI,GAAG,EAAE,CAAC,CAAC;gBAC1E,IAAI,CAAC,OAAO,EAAE,CAAC;oBACb,OAAO,IAAI,CAAC;gBACd,CAAC;gBACD,OAAO,IAAI,CAAC,KAAK,CAAC,OAAO,CAAsB,CAAC;YAClD,CAAC;YACD,KAAK,CAAC,GAAG,CAAC,GAAW,EAAE,KAAwB;gBAC7C,YAAY,CAAC,OAAO,CAClB,GAAG,uBAAuB,IAAI,GAAG,EAAE,EACnC,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,CACtB,CAAC;YACJ,CAAC;SACF,CAAC;IACJ,CAAC;IAED,OAAO,IAAI,CAAC;AACd,CAAC;AAED,KAAK,UAAU,kBAAkB;IAC/B,OAAO,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,EAAE;QAC7B,MAAM,OAAO,GAAG,SAAS,CAAC,IAAI,CAAC,wBAAwB,EAAE,CAAC,CAAC,CAAC;QAE5D,OAAO,CAAC,eAAe,GAAG,GAAG,EAAE;YAC7B,MAAM,EAAE,GAAG,OAAO,CAAC,MAAM,CAAC;YAC1B,IAAI,CAAC,EAAE,CAAC,gBAAgB,CAAC,QAAQ,CAAC,SAAS,CAAC,EAAE,CAAC;gBAC7C,EAAE,CAAC,iBAAiB,CAAC,SAAS,CAAC,CAAC;YAClC,CAAC;QACH,CAAC,CAAC;QAEF,OAAO,CAAC,SAAS,GAAG,GAAG,EAAE;YACvB,MAAM,EAAE,GAAG,OAAO,CAAC,MAAM,CAAC;YAC1B,OAAO,CAAC;gBACN,GAAG,EAAE,CAAC,GAAW,EAAE,EAAE,CACnB,IAAI,OAAO,CAA2B,CAAC,YAAY,EAAE,WAAW,EAAE,EAAE;oBAClE,MAAM,WAAW,GAAG,EAAE,CAAC,WAAW,CAAC,SAAS,EAAE,UAAU,CAAC,CAAC;oBAC1D,MAAM,KAAK,GAAG,WAAW,CAAC,WAAW,CAAC,SAAS,CAAC,CAAC;oBACjD,MAAM,UAAU,GAAG,KAAK,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;oBAClC,UAAU,CAAC,SAAS,GAAG,GAAG,EAAE;wBAC1B,YAAY,CAAE,UAAU,CAAC,MAA4B,IAAI,IAAI,CAAC,CAAC;oBACjE,CAAC,CAAC;oBACF,UAAU,CAAC,OAAO,GAAG,GAAG,EAAE;wBACxB,WAAW,CAAC,UAAU,CAAC,KAAK,IAAI,IAAI,KAAK,CAAC,sBAAsB,CAAC,CAAC,CAAC;oBACrE,CAAC,CAAC;gBACJ,CAAC,CAAC;gBACJ,GAAG,EAAE,CAAC,GAAW,EAAE,KAAwB,EAAE,EAAE,CAC7C,IAAI,OAAO,CAAO,CAAC,YAAY,EAAE,WAAW,EAAE,EAAE;oBAC9C,MAAM,WAAW,GAAG,EAAE,CAAC,WAAW,CAAC,SAAS,EAAE,WAAW,CAAC,CAAC;oBAC3D,MAAM,KAAK,GAAG,WAAW,CAAC,WAAW,CAAC,SAAS,CAAC,CAAC;oBACjD,MAAM,UAAU,GAAG,KAAK,CAAC,GAAG,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;oBACzC,UAAU,CAAC,SAAS,GAAG,GAAG,EAAE;wBAC1B,YAAY,EAAE,CAAC;oBACjB,CAAC,CAAC;oBACF,UAAU,CAAC,OAAO,GAAG,GAAG,EAAE;wBACxB,WAAW,CAAC,UAAU,CAAC,KAAK,IAAI,IAAI,KAAK,CAAC,sBAAsB,CAAC,CAAC,CAAC;oBACrE,CAAC,CAAC;gBACJ,CAAC,CAAC;aACL,CAAC,CAAC;QACL,CAAC,CAAC;QAEF,OAAO,CAAC,OAAO,GAAG,GAAG,EAAE;YACrB,aAAa,CAAC,IAAI,CAAC,gDAAgD,EAAE,OAAO,CAAC,KAAK,CAAC,CAAC;YACpF,OAAO,CAAC,IAAI,CAAC,CAAC;QAChB,CAAC,CAAC;IACJ,CAAC,CAAC,CAAC;AACL,CAAC;AAED,SAAS,oBAAoB;IAC3B,OAAO,OAAO,MAAM,KAAK,WAAW,IAAI,OAAO,MAAM,CAAC,QAAQ,KAAK,WAAW,CAAC;AACjF,CAAC;AAED,SAAS,iBAAiB;IACxB,OAAO,CACL,OAAO,OAAO,KAAK,WAAW;QAC9B,OAAO,OAAO,CAAC,QAAQ,KAAK,WAAW;QACvC,OAAO,OAAO,CAAC,QAAQ,CAAC,IAAI,KAAK,QAAQ,CAC1C,CAAC;AACJ,CAAC;AAED,SAAS,uBAAuB;IAC9B,OAAO,CACL,OAAO,OAAO,KAAK,WAAW;QAC9B,OAAO,OAAO,CAAC,GAAG,KAAK,WAAW;QAClC,OAAO,CAAC,GAAG,CAAC,QAAQ,KAAK,YAAY,CACtC,CAAC;AACJ,CAAC"}

package/dist/cjs/naylence/fame/security/cert/trust-store/http-signed-bundle-provider.js

@@ -0,0 +1,2 @@
+export { HttpBundleProvider } from "./http-bundle-provider.js";
+//# sourceMappingURL=http-signed-bundle-provider.js.map

package/dist/cjs/naylence/fame/security/cert/trust-store/http-signed-bundle-provider.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"http-signed-bundle-provider.js","sourceRoot":"","sources":["../../../../../../../src/naylence/fame/security/cert/trust-store/http-signed-bundle-provider.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,kBAAkB,EAAE,MAAM,2BAA2B,CAAC"}

package/dist/cjs/naylence/fame/security/cert/trust-store/node-trust-store-provider-factory.js

@@ -0,0 +1,61 @@
+import { TRUST_STORE_PROVIDER_FACTORY_BASE_TYPE, TrustStoreProviderFactory, } from "./trust-store-provider-factory.js";
+import { createTrustStoreProviderFromEnv } from "./env-provider.js";
+export const FACTORY_META = {
+    base: TRUST_STORE_PROVIDER_FACTORY_BASE_TYPE,
+    key: "EnvTrustStoreProvider",
+    isDefault: isNodeEnvironment(),
+    priority: isNodeEnvironment() ? 100 : 0,
+};
+export class EnvTrustStoreProviderFactory extends TrustStoreProviderFactory {
+    constructor() {
+        super(...arguments);
+        this.type = "EnvTrustStoreProvider";
+        this.isDefault = FACTORY_META.isDefault;
+        this.priority = FACTORY_META.priority;
+    }
+    async create(config, ...factoryArgs) {
+        const normalizedConfig = this.normalizeConfig(config);
+        const dependencies = this.extractDependencies(factoryArgs);
+        const envOverride = normalizedConfig.env ?? dependencies?.env ?? null;
+        const requirePinsInBrowser = normalizedConfig.requirePinsInBrowser ?? false;
+        const provider = await createTrustStoreProviderFromEnv({
+            env: envOverride ?? undefined,
+            requirePinsInBrowser,
+        });
+        if (provider) {
+            return provider;
+        }
+        return this.createUnconfiguredProvider("Trust store is not configured. For Node.js, set FAME_CA_CERTS to a PEM string, a file path, a data URI, or an HTTPS URL.");
+    }
+    normalizeConfig(config) {
+        if (!config) {
+            return {
+                type: "EnvTrustStoreProvider",
+            };
+        }
+        if (config.type === "EnvTrustStoreProvider") {
+            return config;
+        }
+        return {
+            ...config,
+            type: "EnvTrustStoreProvider",
+        };
+    }
+    extractDependencies(factoryArgs) {
+        if (factoryArgs.length === 0) {
+            return null;
+        }
+        const candidate = factoryArgs[0];
+        if (candidate && typeof candidate === "object") {
+            return candidate;
+        }
+        return null;
+    }
+}
+function isNodeEnvironment() {
+    return (typeof process !== "undefined" &&
+        typeof process.versions !== "undefined" &&
+        typeof process.versions.node === "string");
+}
+export default EnvTrustStoreProviderFactory;
+//# sourceMappingURL=node-trust-store-provider-factory.js.map

package/dist/cjs/naylence/fame/security/cert/trust-store/node-trust-store-provider-factory.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"node-trust-store-provider-factory.js","sourceRoot":"","sources":["../../../../../../../src/naylence/fame/security/cert/trust-store/node-trust-store-provider-factory.ts"],"names":[],"mappings":"AACA,OAAO,EACL,sCAAsC,EACtC,yBAAyB,GAG1B,MAAM,mCAAmC,CAAC;AAC3C,OAAO,EAAE,+BAA+B,EAAE,MAAM,mBAAmB,CAAC;AAQpE,MAAM,CAAC,MAAM,YAAY,GAAG;IAC1B,IAAI,EAAE,sCAAsC;IAC5C,GAAG,EAAE,uBAAuB;IAC5B,SAAS,EAAE,iBAAiB,EAAE;IAC9B,QAAQ,EAAE,iBAAiB,EAAE,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;CAC/B,CAAC;AAEX,MAAM,OAAO,4BAA6B,SAAQ,yBAAsD;IAAxG;;QACkB,SAAI,GAAG,uBAAuB,CAAC;QAC/B,cAAS,GAAG,YAAY,CAAC,SAAS,CAAC;QACnC,aAAQ,GAAG,YAAY,CAAC,QAAQ,CAAC;IA2DnD,CAAC;IAzDQ,KAAK,CAAC,MAAM,CACjB,MAAqE,EACrE,GAAG,WAAsB;QAEzB,MAAM,gBAAgB,GAAG,IAAI,CAAC,eAAe,CAAC,MAAM,CAAC,CAAC;QACtD,MAAM,YAAY,GAAG,IAAI,CAAC,mBAAmB,CAAC,WAAW,CAAC,CAAC;QAE3D,MAAM,WAAW,GAAG,gBAAgB,CAAC,GAAG,IAAI,YAAY,EAAE,GAAG,IAAI,IAAI,CAAC;QACtE,MAAM,oBAAoB,GAAG,gBAAgB,CAAC,oBAAoB,IAAI,KAAK,CAAC;QAE5E,MAAM,QAAQ,GAAG,MAAM,+BAA+B,CAAC;YACrD,GAAG,EAAE,WAAW,IAAI,SAAS;YAC7B,oBAAoB;SACrB,CAAC,CAAC;QAEH,IAAI,QAAQ,EAAE,CAAC;YACb,OAAO,QAAQ,CAAC;QAClB,CAAC;QAED,OAAO,IAAI,CAAC,0BAA0B,CACpC,0HAA0H,CAC3H,CAAC;IACJ,CAAC;IAEO,eAAe,CACrB,MAAqE;QAErE,IAAI,CAAC,MAAM,EAAE,CAAC;YACZ,OAAO;gBACL,IAAI,EAAE,uBAAuB;aAC9B,CAAC;QACJ,CAAC;QAED,IAAK,MAAsC,CAAC,IAAI,KAAK,uBAAuB,EAAE,CAAC;YAC7E,OAAO,MAAqC,CAAC;QAC/C,CAAC;QAED,OAAO;YACL,GAAG,MAAM;YACT,IAAI,EAAE,uBAAuB;SACC,CAAC;IACnC,CAAC;IAEO,mBAAmB,CACzB,WAA+B;QAE/B,IAAI,WAAW,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YAC7B,OAAO,IAAI,CAAC;QACd,CAAC;QAED,MAAM,SAAS,GAAG,WAAW,CAAC,CAAC,CAAC,CAAC;QACjC,IAAI,SAAS,IAAI,OAAO,SAAS,KAAK,QAAQ,EAAE,CAAC;YAC/C,OAAO,SAA2C,CAAC;QACrD,CAAC;QAED,OAAO,IAAI,CAAC;IACd,CAAC;CACF;AAED,SAAS,iBAAiB;IACxB,OAAO,CACL,OAAO,OAAO,KAAK,WAAW;QAC9B,OAAO,OAAO,CAAC,QAAQ,KAAK,WAAW;QACvC,OAAO,OAAO,CAAC,QAAQ,CAAC,IAAI,KAAK,QAAQ,CAC1C,CAAC;AACJ,CAAC;AAED,eAAe,4BAA4B,CAAC"}

package/dist/cjs/naylence/fame/security/cert/trust-store/static-bundle-provider.js

@@ -0,0 +1,44 @@
+import { anchorsToPem, normalizePem, pemChainToAnchors, withComputedSpki, dataUriToPem, } from "./anchor-utils.js";
+export class StaticBundleProvider {
+    constructor(anchors) {
+        const normalized = Array.from(anchors).map((anchor) => ({
+            ...anchor,
+            pem: normalizePem(anchor.pem),
+        }));
+        this.anchors = withComputedSpki(normalized);
+        this.pemChain = anchorsToPem(this.anchors);
+    }
+    async getRoots() {
+        return this.anchors;
+    }
+    async getTrustStorePem() {
+        if (!this.pemChain || this.pemChain.trim().length === 0) {
+            throw new Error("Static trust bundle is empty");
+        }
+        return this.pemChain;
+    }
+}
+export async function loadPemFromFile(path) {
+    if (!isNodeEnvironment()) {
+        throw new Error("File-based trust bundles are only supported in Node environments");
+    }
+    const fs = await import("node:fs/promises");
+    const contents = await fs.readFile(path, "utf8");
+    return normalizePem(contents);
+}
+export function createProviderFromPem(pem) {
+    return new StaticBundleProvider(pemChainToAnchors(pem));
+}
+export function createProviderFromDataUri(dataUri) {
+    const pem = dataUriToPem(dataUri);
+    if (!pem) {
+        throw new Error("Invalid data URI for trust bundle");
+    }
+    return createProviderFromPem(pem);
+}
+function isNodeEnvironment() {
+    return (typeof process !== "undefined" &&
+        typeof process.versions !== "undefined" &&
+        typeof process.versions.node === "string");
+}
+//# sourceMappingURL=static-bundle-provider.js.map

package/dist/cjs/naylence/fame/security/cert/trust-store/static-bundle-provider.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"static-bundle-provider.js","sourceRoot":"","sources":["../../../../../../../src/naylence/fame/security/cert/trust-store/static-bundle-provider.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,YAAY,EACZ,YAAY,EACZ,iBAAiB,EACjB,gBAAgB,EAChB,YAAY,GACb,MAAM,mBAAmB,CAAC;AAO3B,MAAM,OAAO,oBAAoB;IAI/B,YAAmB,OAA8B;QAC/C,MAAM,UAAU,GAAG,KAAK,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,GAAG,CAAC,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC;YACtD,GAAG,MAAM;YACT,GAAG,EAAE,YAAY,CAAC,MAAM,CAAC,GAAG,CAAC;SAC9B,CAAC,CAAC,CAAC;QACJ,IAAI,CAAC,OAAO,GAAG,gBAAgB,CAAC,UAAU,CAAC,CAAC;QAC5C,IAAI,CAAC,QAAQ,GAAG,YAAY,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;IAC7C,CAAC;IAEM,KAAK,CAAC,QAAQ;QACnB,OAAO,IAAI,CAAC,OAAO,CAAC;IACtB,CAAC;IAEM,KAAK,CAAC,gBAAgB;QAC3B,IAAI,CAAC,IAAI,CAAC,QAAQ,IAAI,IAAI,CAAC,QAAQ,CAAC,IAAI,EAAE,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACxD,MAAM,IAAI,KAAK,CAAC,8BAA8B,CAAC,CAAC;QAClD,CAAC;QACD,OAAO,IAAI,CAAC,QAAQ,CAAC;IACvB,CAAC;CACF;AAED,MAAM,CAAC,KAAK,UAAU,eAAe,CAAC,IAAY;IAChD,IAAI,CAAC,iBAAiB,EAAE,EAAE,CAAC;QACzB,MAAM,IAAI,KAAK,CAAC,kEAAkE,CAAC,CAAC;IACtF,CAAC;IAED,MAAM,EAAE,GAAG,MAAM,MAAM,CAAC,kBAAkB,CAAC,CAAC;IAC5C,MAAM,QAAQ,GAAG,MAAM,EAAE,CAAC,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC;IACjD,OAAO,YAAY,CAAC,QAAQ,CAAC,CAAC;AAChC,CAAC;AAED,MAAM,UAAU,qBAAqB,CAAC,GAAW;IAC/C,OAAO,IAAI,oBAAoB,CAAC,iBAAiB,CAAC,GAAG,CAAC,CAAC,CAAC;AAC1D,CAAC;AAED,MAAM,UAAU,yBAAyB,CAAC,OAAe;IACvD,MAAM,GAAG,GAAG,YAAY,CAAC,OAAO,CAAC,CAAC;IAClC,IAAI,CAAC,GAAG,EAAE,CAAC;QACT,MAAM,IAAI,KAAK,CAAC,mCAAmC,CAAC,CAAC;IACvD,CAAC;IACD,OAAO,qBAAqB,CAAC,GAAG,CAAC,CAAC;AACpC,CAAC;AAED,SAAS,iBAAiB;IACxB,OAAO,CACL,OAAO,OAAO,KAAK,WAAW;QAC9B,OAAO,OAAO,CAAC,QAAQ,KAAK,WAAW;QACvC,OAAO,OAAO,CAAC,QAAQ,CAAC,IAAI,KAAK,QAAQ,CAC1C,CAAC;AACJ,CAAC"}