@nboconnect/connect 0.1.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/LICENSE +186 -0
- package/README.md +75 -0
- package/dist/agentWorkflow.d.ts +78 -0
- package/dist/agentWorkflow.d.ts.map +1 -0
- package/dist/agentWorkflow.js +154 -0
- package/dist/agentWorkflow.js.map +1 -0
- package/dist/index.d.ts +479 -0
- package/dist/index.d.ts.map +1 -0
- package/dist/index.js +453 -0
- package/dist/index.js.map +1 -0
- package/dist/runtimeTokenReleaseGate.d.ts +43 -0
- package/dist/runtimeTokenReleaseGate.d.ts.map +1 -0
- package/dist/runtimeTokenReleaseGate.js +115 -0
- package/dist/runtimeTokenReleaseGate.js.map +1 -0
- package/dist/runtimeTokenReplay.d.ts +56 -0
- package/dist/runtimeTokenReplay.d.ts.map +1 -0
- package/dist/runtimeTokenReplay.js +137 -0
- package/dist/runtimeTokenReplay.js.map +1 -0
- package/dist/runtimeTokenRequest.d.ts +50 -0
- package/dist/runtimeTokenRequest.d.ts.map +1 -0
- package/dist/runtimeTokenRequest.js +79 -0
- package/dist/runtimeTokenRequest.js.map +1 -0
- package/dist/runtimeTokenShadow.d.ts +75 -0
- package/dist/runtimeTokenShadow.d.ts.map +1 -0
- package/dist/runtimeTokenShadow.js +168 -0
- package/dist/runtimeTokenShadow.js.map +1 -0
- package/package.json +38 -0
|
@@ -0,0 +1,115 @@
|
|
|
1
|
+
import { evaluateConnectRuntimeTokenShadowV1, } from './runtimeTokenShadow.js';
|
|
2
|
+
import { replayConnectRuntimeTokenShadowV1, } from './runtimeTokenReplay.js';
|
|
3
|
+
import { requestConnectRuntimeTokenShadowV1 } from './runtimeTokenRequest.js';
|
|
4
|
+
function stableSerialize(value) {
|
|
5
|
+
if (value === null || typeof value !== 'object')
|
|
6
|
+
return JSON.stringify(value);
|
|
7
|
+
if (Array.isArray(value))
|
|
8
|
+
return `[${value.map(stableSerialize).join(',')}]`;
|
|
9
|
+
return `{${Object.entries(value)
|
|
10
|
+
.filter(([, entry]) => entry !== undefined)
|
|
11
|
+
.sort(([left], [right]) => left.localeCompare(right))
|
|
12
|
+
.map(([key, entry]) => `${JSON.stringify(key)}:${stableSerialize(entry)}`)
|
|
13
|
+
.join(',')}}`;
|
|
14
|
+
}
|
|
15
|
+
function sameJson(left, right) {
|
|
16
|
+
return stableSerialize(left) === stableSerialize(right);
|
|
17
|
+
}
|
|
18
|
+
function mask(value) {
|
|
19
|
+
if (value.length <= 8)
|
|
20
|
+
return 'masked:opaque';
|
|
21
|
+
return `masked:${value.slice(0, 4)}...${value.slice(-4)}`;
|
|
22
|
+
}
|
|
23
|
+
function buildReplayFixture(releaseCase, evaluated, requested) {
|
|
24
|
+
return {
|
|
25
|
+
schemaVersion: 'nbo.connect.runtime_token_replay_fixture.v1',
|
|
26
|
+
fixtureId: `release:${releaseCase.caseId}`,
|
|
27
|
+
request: releaseCase.request,
|
|
28
|
+
expected: {
|
|
29
|
+
registryVersion: releaseCase.request.catalog.registryVersion,
|
|
30
|
+
wouldAuthorize: evaluated.wouldAuthorize,
|
|
31
|
+
denialCodes: evaluated.denialCodes,
|
|
32
|
+
missingApprovals: requested.missingApprovals,
|
|
33
|
+
blockedLiveValueGates: requested.blockedLiveValueGates,
|
|
34
|
+
dashboard: releaseCase.dashboard,
|
|
35
|
+
},
|
|
36
|
+
persisted: releaseCase.persisted,
|
|
37
|
+
};
|
|
38
|
+
}
|
|
39
|
+
function requestCreated(evaluated, requested) {
|
|
40
|
+
return requested.mode === 'shadow_request'
|
|
41
|
+
&& requested.wouldAllow === evaluated.wouldAuthorize
|
|
42
|
+
&& sameJson(requested.reviewPacket.denialCodes, evaluated.denialCodes)
|
|
43
|
+
&& requested.reviewPacket.humanApprovalRequired
|
|
44
|
+
&& requested.tokenIssued === false
|
|
45
|
+
&& requested.acceptedForAuthentication === false
|
|
46
|
+
&& (requested.proposedTokenEnvelope === null
|
|
47
|
+
|| (requested.proposedTokenEnvelope.tokenIssued === false
|
|
48
|
+
&& requested.proposedTokenEnvelope.usableForAuthentication === false));
|
|
49
|
+
}
|
|
50
|
+
function persistenceConsistent(releaseCase, evaluated) {
|
|
51
|
+
return releaseCase.persisted.auditRef.length > 0
|
|
52
|
+
&& releaseCase.persisted.organizationId === releaseCase.request.organizationId
|
|
53
|
+
&& releaseCase.persisted.nodeId === releaseCase.request.nodeId
|
|
54
|
+
&& releaseCase.persisted.decision === (evaluated.wouldAuthorize ? 'would_allow' : 'would_deny');
|
|
55
|
+
}
|
|
56
|
+
function safetyConsistent(requested, replay) {
|
|
57
|
+
return requested.tokenIssued === false
|
|
58
|
+
&& requested.acceptedForAuthentication === false
|
|
59
|
+
&& replay.safety.tokenIssued === false
|
|
60
|
+
&& replay.safety.acceptedForAuthentication === false
|
|
61
|
+
&& replay.safety.liveValueActionAttempted === false
|
|
62
|
+
&& replay.safety.rawClaimsExposed === false;
|
|
63
|
+
}
|
|
64
|
+
export function runConnectRuntimeTokenShadowReleaseGateV1(fixture) {
|
|
65
|
+
if (fixture.schemaVersion !== 'nbo.connect.runtime_token_shadow_release_fixture.v1') {
|
|
66
|
+
throw new Error('CONNECT_RUNTIME_TOKEN_SHADOW_RELEASE_FIXTURE_SCHEMA_INVALID');
|
|
67
|
+
}
|
|
68
|
+
if (fixture.cases.length < 2) {
|
|
69
|
+
throw new Error('CONNECT_RUNTIME_TOKEN_SHADOW_RELEASE_REQUIRES_ALLOW_AND_DENY_CASES');
|
|
70
|
+
}
|
|
71
|
+
const cases = fixture.cases.map((releaseCase) => {
|
|
72
|
+
const evaluated = evaluateConnectRuntimeTokenShadowV1(releaseCase.request);
|
|
73
|
+
const requested = requestConnectRuntimeTokenShadowV1(releaseCase.request);
|
|
74
|
+
const replay = replayConnectRuntimeTokenShadowV1(buildReplayFixture(releaseCase, evaluated, requested));
|
|
75
|
+
const requestWasCreated = requestCreated(evaluated, requested);
|
|
76
|
+
const persisted = persistenceConsistent(releaseCase, evaluated);
|
|
77
|
+
const dashboard = replay.checks.dashboardProjectionConsistent;
|
|
78
|
+
const safe = safetyConsistent(requested, replay);
|
|
79
|
+
return {
|
|
80
|
+
caseId: releaseCase.caseId,
|
|
81
|
+
decision: evaluated.wouldAuthorize ? 'would_allow' : 'would_deny',
|
|
82
|
+
denialCodes: evaluated.denialCodes,
|
|
83
|
+
requestDigest: replay.requestDigest,
|
|
84
|
+
decisionDigest: replay.decisionDigest,
|
|
85
|
+
maskedAuditRef: mask(releaseCase.persisted.auditRef),
|
|
86
|
+
checks: {
|
|
87
|
+
requestCreated: requestWasCreated,
|
|
88
|
+
persistenceConsistent: persisted,
|
|
89
|
+
dashboardProjectionConsistent: dashboard,
|
|
90
|
+
replayConsistent: replay.ok,
|
|
91
|
+
safetyConsistent: safe,
|
|
92
|
+
},
|
|
93
|
+
};
|
|
94
|
+
});
|
|
95
|
+
const allowCaseCount = cases.filter((item) => item.decision === 'would_allow').length;
|
|
96
|
+
const denyCaseCount = cases.filter((item) => item.decision === 'would_deny').length;
|
|
97
|
+
const ok = allowCaseCount > 0 && denyCaseCount > 0
|
|
98
|
+
&& cases.every((item) => Object.values(item.checks).every(Boolean));
|
|
99
|
+
return {
|
|
100
|
+
schemaVersion: 'nbo.connect.runtime_token_shadow_release_proof.v1',
|
|
101
|
+
mode: 'release_gate',
|
|
102
|
+
ok,
|
|
103
|
+
caseCount: cases.length,
|
|
104
|
+
allowCaseCount,
|
|
105
|
+
denyCaseCount,
|
|
106
|
+
cases,
|
|
107
|
+
safety: {
|
|
108
|
+
tokenIssued: false,
|
|
109
|
+
acceptedForAuthentication: false,
|
|
110
|
+
liveValueActionAttempted: false,
|
|
111
|
+
rawClaimsExposed: false,
|
|
112
|
+
},
|
|
113
|
+
};
|
|
114
|
+
}
|
|
115
|
+
//# sourceMappingURL=runtimeTokenReleaseGate.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"runtimeTokenReleaseGate.js","sourceRoot":"","sources":["../src/runtimeTokenReleaseGate.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,mCAAmC,GAGpC,MAAM,yBAAyB,CAAC;AACjC,OAAO,EACL,iCAAiC,GAGlC,MAAM,yBAAyB,CAAC;AACjC,OAAO,EAAE,kCAAkC,EAAE,MAAM,0BAA0B,CAAC;AA4C9E,SAAS,eAAe,CAAC,KAAc;IACrC,IAAI,KAAK,KAAK,IAAI,IAAI,OAAO,KAAK,KAAK,QAAQ;QAAE,OAAO,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC;IAC9E,IAAI,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC;QAAE,OAAO,IAAI,KAAK,CAAC,GAAG,CAAC,eAAe,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC;IAC7E,OAAO,IAAI,MAAM,CAAC,OAAO,CAAC,KAAgC,CAAC;SACxD,MAAM,CAAC,CAAC,CAAC,EAAE,KAAK,CAAC,EAAE,EAAE,CAAC,KAAK,KAAK,SAAS,CAAC;SAC1C,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,KAAK,CAAC,EAAE,EAAE,CAAC,IAAI,CAAC,aAAa,CAAC,KAAK,CAAC,CAAC;SACpD,GAAG,CAAC,CAAC,CAAC,GAAG,EAAE,KAAK,CAAC,EAAE,EAAE,CAAC,GAAG,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,IAAI,eAAe,CAAC,KAAK,CAAC,EAAE,CAAC;SACzE,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC;AAClB,CAAC;AAED,SAAS,QAAQ,CAAC,IAAa,EAAE,KAAc;IAC7C,OAAO,eAAe,CAAC,IAAI,CAAC,KAAK,eAAe,CAAC,KAAK,CAAC,CAAC;AAC1D,CAAC;AAED,SAAS,IAAI,CAAC,KAAa;IACzB,IAAI,KAAK,CAAC,MAAM,IAAI,CAAC;QAAE,OAAO,eAAe,CAAC;IAC9C,OAAO,UAAU,KAAK,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,MAAM,KAAK,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;AAC5D,CAAC;AAED,SAAS,kBAAkB,CACzB,WAAmD,EACnD,SAA4C,EAC5C,SAAgE;IAEhE,OAAO;QACL,aAAa,EAAE,6CAA6C;QAC5D,SAAS,EAAE,WAAW,WAAW,CAAC,MAAM,EAAE;QAC1C,OAAO,EAAE,WAAW,CAAC,OAAO;QAC5B,QAAQ,EAAE;YACR,eAAe,EAAE,WAAW,CAAC,OAAO,CAAC,OAAO,CAAC,eAAe;YAC5D,cAAc,EAAE,SAAS,CAAC,cAAc;YACxC,WAAW,EAAE,SAAS,CAAC,WAAW;YAClC,gBAAgB,EAAE,SAAS,CAAC,gBAAgB;YAC5C,qBAAqB,EAAE,SAAS,CAAC,qBAAqB;YACtD,SAAS,EAAE,WAAW,CAAC,SAAS;SACjC;QACD,SAAS,EAAE,WAAW,CAAC,SAAS;KACjC,CAAC;AACJ,CAAC;AAED,SAAS,cAAc,CACrB,SAA4C,EAC5C,SAAgE;IAEhE,OAAO,SAAS,CAAC,IAAI,KAAK,gBAAgB;WACrC,SAAS,CAAC,UAAU,KAAK,SAAS,CAAC,cAAc;WACjD,QAAQ,CAAC,SAAS,CAAC,YAAY,CAAC,WAAW,EAAE,SAAS,CAAC,WAAW,CAAC;WACnE,SAAS,CAAC,YAAY,CAAC,qBAAqB;WAC5C,SAAS,CAAC,WAAW,KAAK,KAAK;WAC/B,SAAS,CAAC,yBAAyB,KAAK,KAAK;WAC7C,CAAC,SAAS,CAAC,qBAAqB,KAAK,IAAI;eACvC,CAAC,SAAS,CAAC,qBAAqB,CAAC,WAAW,KAAK,KAAK;mBACpD,SAAS,CAAC,qBAAqB,CAAC,uBAAuB,KAAK,KAAK,CAAC,CAAC,CAAC;AAC/E,CAAC;AAED,SAAS,qBAAqB,CAC5B,WAAmD,EACnD,SAA4C;IAE5C,OAAO,WAAW,CAAC,SAAS,CAAC,QAAQ,CAAC,MAAM,GAAG,CAAC;WAC3C,WAAW,CAAC,SAAS,CAAC,cAAc,KAAK,WAAW,CAAC,OAAO,CAAC,cAAc;WAC3E,WAAW,CAAC,SAAS,CAAC,MAAM,KAAK,WAAW,CAAC,OAAO,CAAC,MAAM;WAC3D,WAAW,CAAC,SAAS,CAAC,QAAQ,KAAK,CAAC,SAAS,CAAC,cAAc,CAAC,CAAC,CAAC,aAAa,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC;AACpG,CAAC;AAED,SAAS,gBAAgB,CACvB,SAAgE,EAChE,MAAwC;IAExC,OAAO,SAAS,CAAC,WAAW,KAAK,KAAK;WACjC,SAAS,CAAC,yBAAyB,KAAK,KAAK;WAC7C,MAAM,CAAC,MAAM,CAAC,WAAW,KAAK,KAAK;WACnC,MAAM,CAAC,MAAM,CAAC,yBAAyB,KAAK,KAAK;WACjD,MAAM,CAAC,MAAM,CAAC,wBAAwB,KAAK,KAAK;WAChD,MAAM,CAAC,MAAM,CAAC,gBAAgB,KAAK,KAAK,CAAC;AAChD,CAAC;AAED,MAAM,UAAU,yCAAyC,CACvD,OAAkD;IAElD,IAAI,OAAO,CAAC,aAAa,KAAK,qDAAqD,EAAE,CAAC;QACpF,MAAM,IAAI,KAAK,CAAC,6DAA6D,CAAC,CAAC;IACjF,CAAC;IACD,IAAI,OAAO,CAAC,KAAK,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC7B,MAAM,IAAI,KAAK,CAAC,oEAAoE,CAAC,CAAC;IACxF,CAAC;IAED,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,WAAW,EAAE,EAAE;QAC9C,MAAM,SAAS,GAAG,mCAAmC,CAAC,WAAW,CAAC,OAAO,CAAC,CAAC;QAC3E,MAAM,SAAS,GAAG,kCAAkC,CAAC,WAAW,CAAC,OAAO,CAAC,CAAC;QAC1E,MAAM,MAAM,GAAG,iCAAiC,CAC9C,kBAAkB,CAAC,WAAW,EAAE,SAAS,EAAE,SAAS,CAAC,CACtD,CAAC;QACF,MAAM,iBAAiB,GAAG,cAAc,CAAC,SAAS,EAAE,SAAS,CAAC,CAAC;QAC/D,MAAM,SAAS,GAAG,qBAAqB,CAAC,WAAW,EAAE,SAAS,CAAC,CAAC;QAChE,MAAM,SAAS,GAAG,MAAM,CAAC,MAAM,CAAC,6BAA6B,CAAC;QAC9D,MAAM,IAAI,GAAG,gBAAgB,CAAC,SAAS,EAAE,MAAM,CAAC,CAAC;QACjD,OAAO;YACL,MAAM,EAAE,WAAW,CAAC,MAAM;YAC1B,QAAQ,EAAE,SAAS,CAAC,cAAc,CAAC,CAAC,CAAC,aAAsB,CAAC,CAAC,CAAC,YAAqB;YACnF,WAAW,EAAE,SAAS,CAAC,WAAW;YAClC,aAAa,EAAE,MAAM,CAAC,aAAa;YACnC,cAAc,EAAE,MAAM,CAAC,cAAc;YACrC,cAAc,EAAE,IAAI,CAAC,WAAW,CAAC,SAAS,CAAC,QAAQ,CAAC;YACpD,MAAM,EAAE;gBACN,cAAc,EAAE,iBAAiB;gBACjC,qBAAqB,EAAE,SAAS;gBAChC,6BAA6B,EAAE,SAAS;gBACxC,gBAAgB,EAAE,MAAM,CAAC,EAAE;gBAC3B,gBAAgB,EAAE,IAAI;aACvB;SACF,CAAC;IACJ,CAAC,CAAC,CAAC;IACH,MAAM,cAAc,GAAG,KAAK,CAAC,MAAM,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,IAAI,CAAC,QAAQ,KAAK,aAAa,CAAC,CAAC,MAAM,CAAC;IACtF,MAAM,aAAa,GAAG,KAAK,CAAC,MAAM,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,IAAI,CAAC,QAAQ,KAAK,YAAY,CAAC,CAAC,MAAM,CAAC;IACpF,MAAM,EAAE,GAAG,cAAc,GAAG,CAAC,IAAI,aAAa,GAAG,CAAC;WAC7C,KAAK,CAAC,KAAK,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC;IAEtE,OAAO;QACL,aAAa,EAAE,mDAAmD;QAClE,IAAI,EAAE,cAAc;QACpB,EAAE;QACF,SAAS,EAAE,KAAK,CAAC,MAAM;QACvB,cAAc;QACd,aAAa;QACb,KAAK;QACL,MAAM,EAAE;YACN,WAAW,EAAE,KAAK;YAClB,yBAAyB,EAAE,KAAK;YAChC,wBAAwB,EAAE,KAAK;YAC/B,gBAAgB,EAAE,KAAK;SACxB;KACF,CAAC;AACJ,CAAC"}
|
|
@@ -0,0 +1,56 @@
|
|
|
1
|
+
import { type ConnectRuntimeTokenShadowDenialCodeV1, type ConnectRuntimeTokenShadowRequestV1, type ConnectRuntimeTokenShadowResultV1 } from './runtimeTokenShadow.js';
|
|
2
|
+
export type ConnectRuntimeTokenReplayFixtureV1 = {
|
|
3
|
+
schemaVersion: 'nbo.connect.runtime_token_replay_fixture.v1';
|
|
4
|
+
fixtureId: string;
|
|
5
|
+
request: ConnectRuntimeTokenShadowRequestV1;
|
|
6
|
+
expected: {
|
|
7
|
+
registryVersion: string;
|
|
8
|
+
wouldAuthorize: boolean;
|
|
9
|
+
denialCodes: ConnectRuntimeTokenShadowDenialCodeV1[];
|
|
10
|
+
missingApprovals: string[];
|
|
11
|
+
blockedLiveValueGates: string[];
|
|
12
|
+
dashboard: ConnectRuntimeTokenShadowResultV1['dashboard'];
|
|
13
|
+
};
|
|
14
|
+
persisted: {
|
|
15
|
+
auditRef: string;
|
|
16
|
+
organizationId: string;
|
|
17
|
+
nodeId: string;
|
|
18
|
+
decision: 'would_allow' | 'would_deny';
|
|
19
|
+
};
|
|
20
|
+
};
|
|
21
|
+
export type ConnectRuntimeTokenReplayProofV1 = {
|
|
22
|
+
schemaVersion: 'nbo.connect.runtime_token_replay_proof.v1';
|
|
23
|
+
mode: 'replay_only';
|
|
24
|
+
fixtureId: string;
|
|
25
|
+
ok: boolean;
|
|
26
|
+
environment: 'sandbox';
|
|
27
|
+
registryVersion: string;
|
|
28
|
+
requestDigest: string;
|
|
29
|
+
decisionDigest: string;
|
|
30
|
+
decision: 'would_allow' | 'would_deny';
|
|
31
|
+
denialCodes: ConnectRuntimeTokenShadowDenialCodeV1[];
|
|
32
|
+
maskedBindings: {
|
|
33
|
+
organizationId: string;
|
|
34
|
+
nodeId: string;
|
|
35
|
+
persona: string;
|
|
36
|
+
capabilityId: string;
|
|
37
|
+
actionId: string;
|
|
38
|
+
scope: string;
|
|
39
|
+
};
|
|
40
|
+
checks: {
|
|
41
|
+
registryVersionConsistent: boolean;
|
|
42
|
+
bindingsConsistent: boolean;
|
|
43
|
+
decisionConsistent: boolean;
|
|
44
|
+
gatesConsistent: boolean;
|
|
45
|
+
auditReferenceConsistent: boolean;
|
|
46
|
+
dashboardProjectionConsistent: boolean;
|
|
47
|
+
};
|
|
48
|
+
safety: {
|
|
49
|
+
tokenIssued: false;
|
|
50
|
+
acceptedForAuthentication: false;
|
|
51
|
+
liveValueActionAttempted: false;
|
|
52
|
+
rawClaimsExposed: false;
|
|
53
|
+
};
|
|
54
|
+
};
|
|
55
|
+
export declare function replayConnectRuntimeTokenShadowV1(fixture: ConnectRuntimeTokenReplayFixtureV1): ConnectRuntimeTokenReplayProofV1;
|
|
56
|
+
//# sourceMappingURL=runtimeTokenReplay.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"runtimeTokenReplay.d.ts","sourceRoot":"","sources":["../src/runtimeTokenReplay.ts"],"names":[],"mappings":"AAEA,OAAO,EAEL,KAAK,qCAAqC,EAC1C,KAAK,kCAAkC,EACvC,KAAK,iCAAiC,EACvC,MAAM,yBAAyB,CAAC;AAEjC,MAAM,MAAM,kCAAkC,GAAG;IAC/C,aAAa,EAAE,6CAA6C,CAAC;IAC7D,SAAS,EAAE,MAAM,CAAC;IAClB,OAAO,EAAE,kCAAkC,CAAC;IAC5C,QAAQ,EAAE;QACR,eAAe,EAAE,MAAM,CAAC;QACxB,cAAc,EAAE,OAAO,CAAC;QACxB,WAAW,EAAE,qCAAqC,EAAE,CAAC;QACrD,gBAAgB,EAAE,MAAM,EAAE,CAAC;QAC3B,qBAAqB,EAAE,MAAM,EAAE,CAAC;QAChC,SAAS,EAAE,iCAAiC,CAAC,WAAW,CAAC,CAAC;KAC3D,CAAC;IACF,SAAS,EAAE;QACT,QAAQ,EAAE,MAAM,CAAC;QACjB,cAAc,EAAE,MAAM,CAAC;QACvB,MAAM,EAAE,MAAM,CAAC;QACf,QAAQ,EAAE,aAAa,GAAG,YAAY,CAAC;KACxC,CAAC;CACH,CAAC;AAEF,MAAM,MAAM,gCAAgC,GAAG;IAC7C,aAAa,EAAE,2CAA2C,CAAC;IAC3D,IAAI,EAAE,aAAa,CAAC;IACpB,SAAS,EAAE,MAAM,CAAC;IAClB,EAAE,EAAE,OAAO,CAAC;IACZ,WAAW,EAAE,SAAS,CAAC;IACvB,eAAe,EAAE,MAAM,CAAC;IACxB,aAAa,EAAE,MAAM,CAAC;IACtB,cAAc,EAAE,MAAM,CAAC;IACvB,QAAQ,EAAE,aAAa,GAAG,YAAY,CAAC;IACvC,WAAW,EAAE,qCAAqC,EAAE,CAAC;IACrD,cAAc,EAAE;QACd,cAAc,EAAE,MAAM,CAAC;QACvB,MAAM,EAAE,MAAM,CAAC;QACf,OAAO,EAAE,MAAM,CAAC;QAChB,YAAY,EAAE,MAAM,CAAC;QACrB,QAAQ,EAAE,MAAM,CAAC;QACjB,KAAK,EAAE,MAAM,CAAC;KACf,CAAC;IACF,MAAM,EAAE;QACN,yBAAyB,EAAE,OAAO,CAAC;QACnC,kBAAkB,EAAE,OAAO,CAAC;QAC5B,kBAAkB,EAAE,OAAO,CAAC;QAC5B,eAAe,EAAE,OAAO,CAAC;QACzB,wBAAwB,EAAE,OAAO,CAAC;QAClC,6BAA6B,EAAE,OAAO,CAAC;KACxC,CAAC;IACF,MAAM,EAAE;QACN,WAAW,EAAE,KAAK,CAAC;QACnB,yBAAyB,EAAE,KAAK,CAAC;QACjC,wBAAwB,EAAE,KAAK,CAAC;QAChC,gBAAgB,EAAE,KAAK,CAAC;KACzB,CAAC;CACH,CAAC;AAqDF,wBAAgB,iCAAiC,CAC/C,OAAO,EAAE,kCAAkC,GAC1C,gCAAgC,CAqFlC"}
|
|
@@ -0,0 +1,137 @@
|
|
|
1
|
+
import { createHash } from 'node:crypto';
|
|
2
|
+
import { evaluateConnectRuntimeTokenShadowV1, } from './runtimeTokenShadow.js';
|
|
3
|
+
function stableSerialize(value) {
|
|
4
|
+
if (value === null || typeof value !== 'object')
|
|
5
|
+
return JSON.stringify(value);
|
|
6
|
+
if (Array.isArray(value))
|
|
7
|
+
return `[${value.map(stableSerialize).join(',')}]`;
|
|
8
|
+
const entries = Object.entries(value)
|
|
9
|
+
.filter(([, entry]) => entry !== undefined)
|
|
10
|
+
.sort(([left], [right]) => left.localeCompare(right));
|
|
11
|
+
return `{${entries.map(([key, entry]) => `${JSON.stringify(key)}:${stableSerialize(entry)}`).join(',')}}`;
|
|
12
|
+
}
|
|
13
|
+
function digest(value) {
|
|
14
|
+
return `sha256:${createHash('sha256').update(stableSerialize(value)).digest('hex')}`;
|
|
15
|
+
}
|
|
16
|
+
function mask(value) {
|
|
17
|
+
if (value.length <= 8)
|
|
18
|
+
return 'masked:opaque';
|
|
19
|
+
return `masked:${value.slice(0, 4)}...${value.slice(-4)}`;
|
|
20
|
+
}
|
|
21
|
+
function deriveMissingApprovals(result) {
|
|
22
|
+
const approvals = ['human_or_connector_authorization_review'];
|
|
23
|
+
if (result.denialCodes.includes('AUTHORIZATION_WITHDRAWN'))
|
|
24
|
+
approvals.push('authorization_restoration');
|
|
25
|
+
if (result.denialCodes.includes('REGISTRY_VERSION_MISMATCH'))
|
|
26
|
+
approvals.push('capability_registry_sync');
|
|
27
|
+
if (result.denialCodes.includes('TOKEN_REVOKED') || result.denialCodes.includes('TOKEN_REPLAYED')) {
|
|
28
|
+
approvals.push('new_single_use_request_review');
|
|
29
|
+
}
|
|
30
|
+
return approvals;
|
|
31
|
+
}
|
|
32
|
+
function deriveBlockedGates(result) {
|
|
33
|
+
return result.denialCodes.includes('LIVE_VALUE_ACTION_BLOCKED')
|
|
34
|
+
? ['production_live_value_gates_disabled']
|
|
35
|
+
: [];
|
|
36
|
+
}
|
|
37
|
+
function sameJson(left, right) {
|
|
38
|
+
return stableSerialize(left) === stableSerialize(right);
|
|
39
|
+
}
|
|
40
|
+
function assertFixtureShape(fixture) {
|
|
41
|
+
if (fixture.schemaVersion !== 'nbo.connect.runtime_token_replay_fixture.v1') {
|
|
42
|
+
throw new Error('CONNECT_RUNTIME_TOKEN_REPLAY_FIXTURE_SCHEMA_INVALID');
|
|
43
|
+
}
|
|
44
|
+
if (!fixture.fixtureId || fixture.request.environment !== 'sandbox') {
|
|
45
|
+
throw new Error('CONNECT_RUNTIME_TOKEN_REPLAY_FIXTURE_SANDBOX_ONLY');
|
|
46
|
+
}
|
|
47
|
+
if (fixture.request.claims.registryVersion !== fixture.request.catalog.registryVersion
|
|
48
|
+
|| fixture.request.catalog.registryVersion !== fixture.expected.registryVersion) {
|
|
49
|
+
throw new Error('CONNECT_RUNTIME_TOKEN_REPLAY_REGISTRY_VERSION_MISMATCH');
|
|
50
|
+
}
|
|
51
|
+
}
|
|
52
|
+
export function replayConnectRuntimeTokenShadowV1(fixture) {
|
|
53
|
+
assertFixtureShape(fixture);
|
|
54
|
+
const result = evaluateConnectRuntimeTokenShadowV1(fixture.request);
|
|
55
|
+
const request = fixture.request;
|
|
56
|
+
const expected = fixture.expected;
|
|
57
|
+
const dashboard = result.dashboard;
|
|
58
|
+
const registryVersionConsistent = request.claims.registryVersion === request.catalog.registryVersion
|
|
59
|
+
&& expected.registryVersion === request.catalog.registryVersion;
|
|
60
|
+
const bindingsConsistent = [
|
|
61
|
+
[dashboard.organizationId, request.organizationId],
|
|
62
|
+
[dashboard.nodeId, request.nodeId],
|
|
63
|
+
[dashboard.persona, request.persona],
|
|
64
|
+
[dashboard.capabilityId, request.capabilityId],
|
|
65
|
+
[dashboard.actionId, request.actionId],
|
|
66
|
+
[dashboard.scope, request.scope],
|
|
67
|
+
].every(([actual, expectedValue]) => actual === expectedValue);
|
|
68
|
+
const decisionConsistent = result.wouldAuthorize === expected.wouldAuthorize
|
|
69
|
+
&& sameJson(result.denialCodes, expected.denialCodes);
|
|
70
|
+
const gatesConsistent = sameJson(deriveMissingApprovals(result), expected.missingApprovals)
|
|
71
|
+
&& sameJson(deriveBlockedGates(result), expected.blockedLiveValueGates);
|
|
72
|
+
const auditReferenceConsistent = fixture.persisted.auditRef.length > 0
|
|
73
|
+
&& fixture.persisted.organizationId === request.organizationId
|
|
74
|
+
&& fixture.persisted.nodeId === request.nodeId
|
|
75
|
+
&& fixture.persisted.decision === (result.wouldAuthorize ? 'would_allow' : 'would_deny');
|
|
76
|
+
const dashboardProjectionConsistent = sameJson({
|
|
77
|
+
...dashboard,
|
|
78
|
+
tokenRef: undefined,
|
|
79
|
+
auditRef: undefined,
|
|
80
|
+
}, {
|
|
81
|
+
...expected.dashboard,
|
|
82
|
+
tokenRef: undefined,
|
|
83
|
+
auditRef: undefined,
|
|
84
|
+
});
|
|
85
|
+
const decision = result.wouldAuthorize ? 'would_allow' : 'would_deny';
|
|
86
|
+
const decisionDigest = digest({
|
|
87
|
+
registryVersion: request.catalog.registryVersion,
|
|
88
|
+
wouldAuthorize: result.wouldAuthorize,
|
|
89
|
+
denialCodes: result.denialCodes,
|
|
90
|
+
bindings: {
|
|
91
|
+
organizationId: request.organizationId,
|
|
92
|
+
nodeId: request.nodeId,
|
|
93
|
+
persona: request.persona,
|
|
94
|
+
capabilityId: request.capabilityId,
|
|
95
|
+
actionId: request.actionId,
|
|
96
|
+
scope: request.scope,
|
|
97
|
+
},
|
|
98
|
+
missingApprovals: deriveMissingApprovals(result),
|
|
99
|
+
blockedLiveValueGates: deriveBlockedGates(result),
|
|
100
|
+
});
|
|
101
|
+
return {
|
|
102
|
+
schemaVersion: 'nbo.connect.runtime_token_replay_proof.v1',
|
|
103
|
+
mode: 'replay_only',
|
|
104
|
+
fixtureId: fixture.fixtureId,
|
|
105
|
+
ok: registryVersionConsistent && bindingsConsistent && decisionConsistent && gatesConsistent
|
|
106
|
+
&& auditReferenceConsistent && dashboardProjectionConsistent,
|
|
107
|
+
environment: 'sandbox',
|
|
108
|
+
registryVersion: request.catalog.registryVersion,
|
|
109
|
+
requestDigest: digest(request),
|
|
110
|
+
decisionDigest,
|
|
111
|
+
decision,
|
|
112
|
+
denialCodes: result.denialCodes,
|
|
113
|
+
maskedBindings: {
|
|
114
|
+
organizationId: mask(request.organizationId),
|
|
115
|
+
nodeId: mask(request.nodeId),
|
|
116
|
+
persona: mask(request.persona),
|
|
117
|
+
capabilityId: mask(request.capabilityId),
|
|
118
|
+
actionId: mask(request.actionId),
|
|
119
|
+
scope: mask(request.scope),
|
|
120
|
+
},
|
|
121
|
+
checks: {
|
|
122
|
+
registryVersionConsistent,
|
|
123
|
+
bindingsConsistent,
|
|
124
|
+
decisionConsistent,
|
|
125
|
+
gatesConsistent,
|
|
126
|
+
auditReferenceConsistent,
|
|
127
|
+
dashboardProjectionConsistent,
|
|
128
|
+
},
|
|
129
|
+
safety: {
|
|
130
|
+
tokenIssued: false,
|
|
131
|
+
acceptedForAuthentication: false,
|
|
132
|
+
liveValueActionAttempted: false,
|
|
133
|
+
rawClaimsExposed: false,
|
|
134
|
+
},
|
|
135
|
+
};
|
|
136
|
+
}
|
|
137
|
+
//# sourceMappingURL=runtimeTokenReplay.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"runtimeTokenReplay.js","sourceRoot":"","sources":["../src/runtimeTokenReplay.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AAEzC,OAAO,EACL,mCAAmC,GAIpC,MAAM,yBAAyB,CAAC;AAyDjC,SAAS,eAAe,CAAC,KAAc;IACrC,IAAI,KAAK,KAAK,IAAI,IAAI,OAAO,KAAK,KAAK,QAAQ;QAAE,OAAO,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC;IAC9E,IAAI,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC;QAAE,OAAO,IAAI,KAAK,CAAC,GAAG,CAAC,eAAe,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC;IAC7E,MAAM,OAAO,GAAG,MAAM,CAAC,OAAO,CAAC,KAAgC,CAAC;SAC7D,MAAM,CAAC,CAAC,CAAC,EAAE,KAAK,CAAC,EAAE,EAAE,CAAC,KAAK,KAAK,SAAS,CAAC;SAC1C,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,KAAK,CAAC,EAAE,EAAE,CAAC,IAAI,CAAC,aAAa,CAAC,KAAK,CAAC,CAAC,CAAC;IACxD,OAAO,IAAI,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,GAAG,EAAE,KAAK,CAAC,EAAE,EAAE,CAAC,GAAG,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,IAAI,eAAe,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC;AAC5G,CAAC;AAED,SAAS,MAAM,CAAC,KAAc;IAC5B,OAAO,UAAU,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,eAAe,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,EAAE,CAAC;AACvF,CAAC;AAED,SAAS,IAAI,CAAC,KAAa;IACzB,IAAI,KAAK,CAAC,MAAM,IAAI,CAAC;QAAE,OAAO,eAAe,CAAC;IAC9C,OAAO,UAAU,KAAK,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,MAAM,KAAK,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;AAC5D,CAAC;AAED,SAAS,sBAAsB,CAAC,MAAyC;IACvE,MAAM,SAAS,GAAG,CAAC,yCAAyC,CAAC,CAAC;IAC9D,IAAI,MAAM,CAAC,WAAW,CAAC,QAAQ,CAAC,yBAAyB,CAAC;QAAE,SAAS,CAAC,IAAI,CAAC,2BAA2B,CAAC,CAAC;IACxG,IAAI,MAAM,CAAC,WAAW,CAAC,QAAQ,CAAC,2BAA2B,CAAC;QAAE,SAAS,CAAC,IAAI,CAAC,0BAA0B,CAAC,CAAC;IACzG,IAAI,MAAM,CAAC,WAAW,CAAC,QAAQ,CAAC,eAAe,CAAC,IAAI,MAAM,CAAC,WAAW,CAAC,QAAQ,CAAC,gBAAgB,CAAC,EAAE,CAAC;QAClG,SAAS,CAAC,IAAI,CAAC,+BAA+B,CAAC,CAAC;IAClD,CAAC;IACD,OAAO,SAAS,CAAC;AACnB,CAAC;AAED,SAAS,kBAAkB,CAAC,MAAyC;IACnE,OAAO,MAAM,CAAC,WAAW,CAAC,QAAQ,CAAC,2BAA2B,CAAC;QAC7D,CAAC,CAAC,CAAC,sCAAsC,CAAC;QAC1C,CAAC,CAAC,EAAE,CAAC;AACT,CAAC;AAED,SAAS,QAAQ,CAAC,IAAa,EAAE,KAAc;IAC7C,OAAO,eAAe,CAAC,IAAI,CAAC,KAAK,eAAe,CAAC,KAAK,CAAC,CAAC;AAC1D,CAAC;AAED,SAAS,kBAAkB,CAAC,OAA2C;IACrE,IAAI,OAAO,CAAC,aAAa,KAAK,6CAA6C,EAAE,CAAC;QAC5E,MAAM,IAAI,KAAK,CAAC,qDAAqD,CAAC,CAAC;IACzE,CAAC;IACD,IAAI,CAAC,OAAO,CAAC,SAAS,IAAI,OAAO,CAAC,OAAO,CAAC,WAAW,KAAK,SAAS,EAAE,CAAC;QACpE,MAAM,IAAI,KAAK,CAAC,mDAAmD,CAAC,CAAC;IACvE,CAAC;IACD,IAAI,OAAO,CAAC,OAAO,CAAC,MAAM,CAAC,eAAe,KAAK,OAAO,CAAC,OAAO,CAAC,OAAO,CAAC,eAAe;WACjF,OAAO,CAAC,OAAO,CAAC,OAAO,CAAC,eAAe,KAAK,OAAO,CAAC,QAAQ,CAAC,eAAe,EAAE,CAAC;QAClF,MAAM,IAAI,KAAK,CAAC,wDAAwD,CAAC,CAAC;IAC5E,CAAC;AACH,CAAC;AAED,MAAM,UAAU,iCAAiC,CAC/C,OAA2C;IAE3C,kBAAkB,CAAC,OAAO,CAAC,CAAC;IAC5B,MAAM,MAAM,GAAG,mCAAmC,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC;IACpE,MAAM,OAAO,GAAG,OAAO,CAAC,OAAO,CAAC;IAChC,MAAM,QAAQ,GAAG,OAAO,CAAC,QAAQ,CAAC;IAClC,MAAM,SAAS,GAAG,MAAM,CAAC,SAAS,CAAC;IACnC,MAAM,yBAAyB,GAAG,OAAO,CAAC,MAAM,CAAC,eAAe,KAAK,OAAO,CAAC,OAAO,CAAC,eAAe;WAC/F,QAAQ,CAAC,eAAe,KAAK,OAAO,CAAC,OAAO,CAAC,eAAe,CAAC;IAClE,MAAM,kBAAkB,GAAG;QACzB,CAAC,SAAS,CAAC,cAAc,EAAE,OAAO,CAAC,cAAc,CAAC;QAClD,CAAC,SAAS,CAAC,MAAM,EAAE,OAAO,CAAC,MAAM,CAAC;QAClC,CAAC,SAAS,CAAC,OAAO,EAAE,OAAO,CAAC,OAAO,CAAC;QACpC,CAAC,SAAS,CAAC,YAAY,EAAE,OAAO,CAAC,YAAY,CAAC;QAC9C,CAAC,SAAS,CAAC,QAAQ,EAAE,OAAO,CAAC,QAAQ,CAAC;QACtC,CAAC,SAAS,CAAC,KAAK,EAAE,OAAO,CAAC,KAAK,CAAC;KACjC,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,EAAE,aAAa,CAAC,EAAE,EAAE,CAAC,MAAM,KAAK,aAAa,CAAC,CAAC;IAC/D,MAAM,kBAAkB,GAAG,MAAM,CAAC,cAAc,KAAK,QAAQ,CAAC,cAAc;WACvE,QAAQ,CAAC,MAAM,CAAC,WAAW,EAAE,QAAQ,CAAC,WAAW,CAAC,CAAC;IACxD,MAAM,eAAe,GAAG,QAAQ,CAAC,sBAAsB,CAAC,MAAM,CAAC,EAAE,QAAQ,CAAC,gBAAgB,CAAC;WACtF,QAAQ,CAAC,kBAAkB,CAAC,MAAM,CAAC,EAAE,QAAQ,CAAC,qBAAqB,CAAC,CAAC;IAC1E,MAAM,wBAAwB,GAAG,OAAO,CAAC,SAAS,CAAC,QAAQ,CAAC,MAAM,GAAG,CAAC;WACjE,OAAO,CAAC,SAAS,CAAC,cAAc,KAAK,OAAO,CAAC,cAAc;WAC3D,OAAO,CAAC,SAAS,CAAC,MAAM,KAAK,OAAO,CAAC,MAAM;WAC3C,OAAO,CAAC,SAAS,CAAC,QAAQ,KAAK,CAAC,MAAM,CAAC,cAAc,CAAC,CAAC,CAAC,aAAa,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC;IAC3F,MAAM,6BAA6B,GAAG,QAAQ,CAAC;QAC7C,GAAG,SAAS;QACZ,QAAQ,EAAE,SAAS;QACnB,QAAQ,EAAE,SAAS;KACpB,EAAE;QACD,GAAG,QAAQ,CAAC,SAAS;QACrB,QAAQ,EAAE,SAAS;QACnB,QAAQ,EAAE,SAAS;KACpB,CAAC,CAAC;IACH,MAAM,QAAQ,GAAG,MAAM,CAAC,cAAc,CAAC,CAAC,CAAC,aAAa,CAAC,CAAC,CAAC,YAAY,CAAC;IACtE,MAAM,cAAc,GAAG,MAAM,CAAC;QAC5B,eAAe,EAAE,OAAO,CAAC,OAAO,CAAC,eAAe;QAChD,cAAc,EAAE,MAAM,CAAC,cAAc;QACrC,WAAW,EAAE,MAAM,CAAC,WAAW;QAC/B,QAAQ,EAAE;YACR,cAAc,EAAE,OAAO,CAAC,cAAc;YACtC,MAAM,EAAE,OAAO,CAAC,MAAM;YACtB,OAAO,EAAE,OAAO,CAAC,OAAO;YACxB,YAAY,EAAE,OAAO,CAAC,YAAY;YAClC,QAAQ,EAAE,OAAO,CAAC,QAAQ;YAC1B,KAAK,EAAE,OAAO,CAAC,KAAK;SACrB;QACD,gBAAgB,EAAE,sBAAsB,CAAC,MAAM,CAAC;QAChD,qBAAqB,EAAE,kBAAkB,CAAC,MAAM,CAAC;KAClD,CAAC,CAAC;IAEH,OAAO;QACL,aAAa,EAAE,2CAA2C;QAC1D,IAAI,EAAE,aAAa;QACnB,SAAS,EAAE,OAAO,CAAC,SAAS;QAC5B,EAAE,EAAE,yBAAyB,IAAI,kBAAkB,IAAI,kBAAkB,IAAI,eAAe;eACvF,wBAAwB,IAAI,6BAA6B;QAC9D,WAAW,EAAE,SAAS;QACtB,eAAe,EAAE,OAAO,CAAC,OAAO,CAAC,eAAe;QAChD,aAAa,EAAE,MAAM,CAAC,OAAO,CAAC;QAC9B,cAAc;QACd,QAAQ;QACR,WAAW,EAAE,MAAM,CAAC,WAAW;QAC/B,cAAc,EAAE;YACd,cAAc,EAAE,IAAI,CAAC,OAAO,CAAC,cAAc,CAAC;YAC5C,MAAM,EAAE,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC;YAC5B,OAAO,EAAE,IAAI,CAAC,OAAO,CAAC,OAAO,CAAC;YAC9B,YAAY,EAAE,IAAI,CAAC,OAAO,CAAC,YAAY,CAAC;YACxC,QAAQ,EAAE,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC;YAChC,KAAK,EAAE,IAAI,CAAC,OAAO,CAAC,KAAK,CAAC;SAC3B;QACD,MAAM,EAAE;YACN,yBAAyB;YACzB,kBAAkB;YAClB,kBAAkB;YAClB,eAAe;YACf,wBAAwB;YACxB,6BAA6B;SAC9B;QACD,MAAM,EAAE;YACN,WAAW,EAAE,KAAK;YAClB,yBAAyB,EAAE,KAAK;YAChC,wBAAwB,EAAE,KAAK;YAC/B,gBAAgB,EAAE,KAAK;SACxB;KACF,CAAC;AACJ,CAAC"}
|
|
@@ -0,0 +1,50 @@
|
|
|
1
|
+
import { type ConnectRuntimeTokenShadowRequestV1, type ConnectRuntimeTokenShadowResultV1 } from './runtimeTokenShadow.js';
|
|
2
|
+
export type ConnectRuntimeTokenProposedEnvelopeV1 = {
|
|
3
|
+
envelopeType: 'proposed_connect_action';
|
|
4
|
+
tokenType: 'connect_action';
|
|
5
|
+
environment: 'sandbox';
|
|
6
|
+
organizationId: string;
|
|
7
|
+
nodeId: string;
|
|
8
|
+
persona: string;
|
|
9
|
+
capabilityId: string;
|
|
10
|
+
actionId: string;
|
|
11
|
+
scope: string;
|
|
12
|
+
proposedLifetimeSeconds: 300;
|
|
13
|
+
proposedExpiresAt: string;
|
|
14
|
+
tokenIssued: false;
|
|
15
|
+
usableForAuthentication: false;
|
|
16
|
+
};
|
|
17
|
+
export type ConnectRuntimeTokenRequestReviewPacketV1 = {
|
|
18
|
+
packetId: string;
|
|
19
|
+
packetType: 'runtime_token_request_review';
|
|
20
|
+
humanApprovalRequired: true;
|
|
21
|
+
decision: 'would_allow' | 'would_deny';
|
|
22
|
+
organizationId: string;
|
|
23
|
+
nodeId: string;
|
|
24
|
+
persona: string;
|
|
25
|
+
capabilityId: string;
|
|
26
|
+
actionId: string;
|
|
27
|
+
scope: string;
|
|
28
|
+
proposedExpiresAt: string;
|
|
29
|
+
reason: string;
|
|
30
|
+
missingApprovals: string[];
|
|
31
|
+
blockedLiveValueGates: string[];
|
|
32
|
+
denialCodes: ConnectRuntimeTokenShadowResultV1['denialCodes'];
|
|
33
|
+
};
|
|
34
|
+
export type ConnectRuntimeTokenRequestResultV1 = {
|
|
35
|
+
schemaVersion: 'nbo.connect.runtime_token_request.v1';
|
|
36
|
+
requestId: string;
|
|
37
|
+
mode: 'shadow_request';
|
|
38
|
+
wouldAllow: boolean;
|
|
39
|
+
reason: string;
|
|
40
|
+
missingApprovals: string[];
|
|
41
|
+
blockedLiveValueGates: string[];
|
|
42
|
+
proposedExpiresAt: string;
|
|
43
|
+
auditRef: string;
|
|
44
|
+
reviewPacket: ConnectRuntimeTokenRequestReviewPacketV1;
|
|
45
|
+
proposedTokenEnvelope: ConnectRuntimeTokenProposedEnvelopeV1 | null;
|
|
46
|
+
tokenIssued: false;
|
|
47
|
+
acceptedForAuthentication: false;
|
|
48
|
+
};
|
|
49
|
+
export declare function requestConnectRuntimeTokenShadowV1(request: ConnectRuntimeTokenShadowRequestV1): ConnectRuntimeTokenRequestResultV1;
|
|
50
|
+
//# sourceMappingURL=runtimeTokenRequest.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"runtimeTokenRequest.d.ts","sourceRoot":"","sources":["../src/runtimeTokenRequest.ts"],"names":[],"mappings":"AAEA,OAAO,EAEL,KAAK,kCAAkC,EACvC,KAAK,iCAAiC,EACvC,MAAM,yBAAyB,CAAC;AAEjC,MAAM,MAAM,qCAAqC,GAAG;IAClD,YAAY,EAAE,yBAAyB,CAAC;IACxC,SAAS,EAAE,gBAAgB,CAAC;IAC5B,WAAW,EAAE,SAAS,CAAC;IACvB,cAAc,EAAE,MAAM,CAAC;IACvB,MAAM,EAAE,MAAM,CAAC;IACf,OAAO,EAAE,MAAM,CAAC;IAChB,YAAY,EAAE,MAAM,CAAC;IACrB,QAAQ,EAAE,MAAM,CAAC;IACjB,KAAK,EAAE,MAAM,CAAC;IACd,uBAAuB,EAAE,GAAG,CAAC;IAC7B,iBAAiB,EAAE,MAAM,CAAC;IAC1B,WAAW,EAAE,KAAK,CAAC;IACnB,uBAAuB,EAAE,KAAK,CAAC;CAChC,CAAC;AAEF,MAAM,MAAM,wCAAwC,GAAG;IACrD,QAAQ,EAAE,MAAM,CAAC;IACjB,UAAU,EAAE,8BAA8B,CAAC;IAC3C,qBAAqB,EAAE,IAAI,CAAC;IAC5B,QAAQ,EAAE,aAAa,GAAG,YAAY,CAAC;IACvC,cAAc,EAAE,MAAM,CAAC;IACvB,MAAM,EAAE,MAAM,CAAC;IACf,OAAO,EAAE,MAAM,CAAC;IAChB,YAAY,EAAE,MAAM,CAAC;IACrB,QAAQ,EAAE,MAAM,CAAC;IACjB,KAAK,EAAE,MAAM,CAAC;IACd,iBAAiB,EAAE,MAAM,CAAC;IAC1B,MAAM,EAAE,MAAM,CAAC;IACf,gBAAgB,EAAE,MAAM,EAAE,CAAC;IAC3B,qBAAqB,EAAE,MAAM,EAAE,CAAC;IAChC,WAAW,EAAE,iCAAiC,CAAC,aAAa,CAAC,CAAC;CAC/D,CAAC;AAEF,MAAM,MAAM,kCAAkC,GAAG;IAC/C,aAAa,EAAE,sCAAsC,CAAC;IACtD,SAAS,EAAE,MAAM,CAAC;IAClB,IAAI,EAAE,gBAAgB,CAAC;IACvB,UAAU,EAAE,OAAO,CAAC;IACpB,MAAM,EAAE,MAAM,CAAC;IACf,gBAAgB,EAAE,MAAM,EAAE,CAAC;IAC3B,qBAAqB,EAAE,MAAM,EAAE,CAAC;IAChC,iBAAiB,EAAE,MAAM,CAAC;IAC1B,QAAQ,EAAE,MAAM,CAAC;IACjB,YAAY,EAAE,wCAAwC,CAAC;IACvD,qBAAqB,EAAE,qCAAqC,GAAG,IAAI,CAAC;IACpE,WAAW,EAAE,KAAK,CAAC;IACnB,yBAAyB,EAAE,KAAK,CAAC;CAClC,CAAC;AA0BF,wBAAgB,kCAAkC,CAChD,OAAO,EAAE,kCAAkC,GAC1C,kCAAkC,CAwDpC"}
|
|
@@ -0,0 +1,79 @@
|
|
|
1
|
+
import { randomUUID } from 'node:crypto';
|
|
2
|
+
import { evaluateConnectRuntimeTokenShadowV1, } from './runtimeTokenShadow.js';
|
|
3
|
+
const PROPOSED_LIFETIME_SECONDS = 300;
|
|
4
|
+
function getMissingApprovals(result) {
|
|
5
|
+
const approvals = ['human_or_connector_authorization_review'];
|
|
6
|
+
if (result.denialCodes.includes('AUTHORIZATION_WITHDRAWN'))
|
|
7
|
+
approvals.push('authorization_restoration');
|
|
8
|
+
if (result.denialCodes.includes('REGISTRY_VERSION_MISMATCH'))
|
|
9
|
+
approvals.push('capability_registry_sync');
|
|
10
|
+
if (result.denialCodes.includes('TOKEN_REVOKED') || result.denialCodes.includes('TOKEN_REPLAYED')) {
|
|
11
|
+
approvals.push('new_single_use_request_review');
|
|
12
|
+
}
|
|
13
|
+
return approvals;
|
|
14
|
+
}
|
|
15
|
+
function getBlockedLiveValueGates(result) {
|
|
16
|
+
return result.denialCodes.includes('LIVE_VALUE_ACTION_BLOCKED')
|
|
17
|
+
? ['production_live_value_gates_disabled']
|
|
18
|
+
: [];
|
|
19
|
+
}
|
|
20
|
+
function getReason(result) {
|
|
21
|
+
return result.wouldAuthorize
|
|
22
|
+
? 'Shadow policy would allow this bounded sandbox action; human or connector authorization is still required and no token is issued.'
|
|
23
|
+
: `Shadow policy denied this request: ${result.denialCodes.join(', ')}.`;
|
|
24
|
+
}
|
|
25
|
+
export function requestConnectRuntimeTokenShadowV1(request) {
|
|
26
|
+
const result = evaluateConnectRuntimeTokenShadowV1(request);
|
|
27
|
+
const requestId = randomUUID();
|
|
28
|
+
const proposedExpiresAt = new Date((request.nowSeconds + PROPOSED_LIFETIME_SECONDS) * 1000).toISOString();
|
|
29
|
+
const reason = getReason(result);
|
|
30
|
+
const missingApprovals = getMissingApprovals(result);
|
|
31
|
+
const blockedLiveValueGates = getBlockedLiveValueGates(result);
|
|
32
|
+
const reviewPacket = {
|
|
33
|
+
packetId: `runtime-token-request:${requestId}`,
|
|
34
|
+
packetType: 'runtime_token_request_review',
|
|
35
|
+
humanApprovalRequired: true,
|
|
36
|
+
decision: result.wouldAuthorize ? 'would_allow' : 'would_deny',
|
|
37
|
+
organizationId: request.organizationId,
|
|
38
|
+
nodeId: request.nodeId,
|
|
39
|
+
persona: request.persona,
|
|
40
|
+
capabilityId: request.capabilityId,
|
|
41
|
+
actionId: request.actionId,
|
|
42
|
+
scope: request.scope,
|
|
43
|
+
proposedExpiresAt,
|
|
44
|
+
reason,
|
|
45
|
+
missingApprovals,
|
|
46
|
+
blockedLiveValueGates,
|
|
47
|
+
denialCodes: result.denialCodes,
|
|
48
|
+
};
|
|
49
|
+
return {
|
|
50
|
+
schemaVersion: 'nbo.connect.runtime_token_request.v1',
|
|
51
|
+
requestId,
|
|
52
|
+
mode: 'shadow_request',
|
|
53
|
+
wouldAllow: result.wouldAuthorize,
|
|
54
|
+
reason,
|
|
55
|
+
missingApprovals,
|
|
56
|
+
blockedLiveValueGates,
|
|
57
|
+
proposedExpiresAt,
|
|
58
|
+
auditRef: result.audit.auditRef,
|
|
59
|
+
reviewPacket,
|
|
60
|
+
proposedTokenEnvelope: result.wouldAuthorize ? {
|
|
61
|
+
envelopeType: 'proposed_connect_action',
|
|
62
|
+
tokenType: 'connect_action',
|
|
63
|
+
environment: 'sandbox',
|
|
64
|
+
organizationId: request.organizationId,
|
|
65
|
+
nodeId: request.nodeId,
|
|
66
|
+
persona: request.persona,
|
|
67
|
+
capabilityId: request.capabilityId,
|
|
68
|
+
actionId: request.actionId,
|
|
69
|
+
scope: request.scope,
|
|
70
|
+
proposedLifetimeSeconds: PROPOSED_LIFETIME_SECONDS,
|
|
71
|
+
proposedExpiresAt,
|
|
72
|
+
tokenIssued: false,
|
|
73
|
+
usableForAuthentication: false,
|
|
74
|
+
} : null,
|
|
75
|
+
tokenIssued: false,
|
|
76
|
+
acceptedForAuthentication: false,
|
|
77
|
+
};
|
|
78
|
+
}
|
|
79
|
+
//# sourceMappingURL=runtimeTokenRequest.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"runtimeTokenRequest.js","sourceRoot":"","sources":["../src/runtimeTokenRequest.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AAEzC,OAAO,EACL,mCAAmC,GAGpC,MAAM,yBAAyB,CAAC;AAoDjC,MAAM,yBAAyB,GAAG,GAAY,CAAC;AAE/C,SAAS,mBAAmB,CAAC,MAAyC;IACpE,MAAM,SAAS,GAAG,CAAC,yCAAyC,CAAC,CAAC;IAC9D,IAAI,MAAM,CAAC,WAAW,CAAC,QAAQ,CAAC,yBAAyB,CAAC;QAAE,SAAS,CAAC,IAAI,CAAC,2BAA2B,CAAC,CAAC;IACxG,IAAI,MAAM,CAAC,WAAW,CAAC,QAAQ,CAAC,2BAA2B,CAAC;QAAE,SAAS,CAAC,IAAI,CAAC,0BAA0B,CAAC,CAAC;IACzG,IAAI,MAAM,CAAC,WAAW,CAAC,QAAQ,CAAC,eAAe,CAAC,IAAI,MAAM,CAAC,WAAW,CAAC,QAAQ,CAAC,gBAAgB,CAAC,EAAE,CAAC;QAClG,SAAS,CAAC,IAAI,CAAC,+BAA+B,CAAC,CAAC;IAClD,CAAC;IACD,OAAO,SAAS,CAAC;AACnB,CAAC;AAED,SAAS,wBAAwB,CAAC,MAAyC;IACzE,OAAO,MAAM,CAAC,WAAW,CAAC,QAAQ,CAAC,2BAA2B,CAAC;QAC7D,CAAC,CAAC,CAAC,sCAAsC,CAAC;QAC1C,CAAC,CAAC,EAAE,CAAC;AACT,CAAC;AAED,SAAS,SAAS,CAAC,MAAyC;IAC1D,OAAO,MAAM,CAAC,cAAc;QAC1B,CAAC,CAAC,mIAAmI;QACrI,CAAC,CAAC,sCAAsC,MAAM,CAAC,WAAW,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC;AAC7E,CAAC;AAED,MAAM,UAAU,kCAAkC,CAChD,OAA2C;IAE3C,MAAM,MAAM,GAAG,mCAAmC,CAAC,OAAO,CAAC,CAAC;IAC5D,MAAM,SAAS,GAAG,UAAU,EAAE,CAAC;IAC/B,MAAM,iBAAiB,GAAG,IAAI,IAAI,CAChC,CAAC,OAAO,CAAC,UAAU,GAAG,yBAAyB,CAAC,GAAG,IAAI,CACxD,CAAC,WAAW,EAAE,CAAC;IAChB,MAAM,MAAM,GAAG,SAAS,CAAC,MAAM,CAAC,CAAC;IACjC,MAAM,gBAAgB,GAAG,mBAAmB,CAAC,MAAM,CAAC,CAAC;IACrD,MAAM,qBAAqB,GAAG,wBAAwB,CAAC,MAAM,CAAC,CAAC;IAC/D,MAAM,YAAY,GAA6C;QAC7D,QAAQ,EAAE,yBAAyB,SAAS,EAAE;QAC9C,UAAU,EAAE,8BAA8B;QAC1C,qBAAqB,EAAE,IAAI;QAC3B,QAAQ,EAAE,MAAM,CAAC,cAAc,CAAC,CAAC,CAAC,aAAa,CAAC,CAAC,CAAC,YAAY;QAC9D,cAAc,EAAE,OAAO,CAAC,cAAc;QACtC,MAAM,EAAE,OAAO,CAAC,MAAM;QACtB,OAAO,EAAE,OAAO,CAAC,OAAO;QACxB,YAAY,EAAE,OAAO,CAAC,YAAY;QAClC,QAAQ,EAAE,OAAO,CAAC,QAAQ;QAC1B,KAAK,EAAE,OAAO,CAAC,KAAK;QACpB,iBAAiB;QACjB,MAAM;QACN,gBAAgB;QAChB,qBAAqB;QACrB,WAAW,EAAE,MAAM,CAAC,WAAW;KAChC,CAAC;IAEF,OAAO;QACL,aAAa,EAAE,sCAAsC;QACrD,SAAS;QACT,IAAI,EAAE,gBAAgB;QACtB,UAAU,EAAE,MAAM,CAAC,cAAc;QACjC,MAAM;QACN,gBAAgB;QAChB,qBAAqB;QACrB,iBAAiB;QACjB,QAAQ,EAAE,MAAM,CAAC,KAAK,CAAC,QAAQ;QAC/B,YAAY;QACZ,qBAAqB,EAAE,MAAM,CAAC,cAAc,CAAC,CAAC,CAAC;YAC7C,YAAY,EAAE,yBAAyB;YACvC,SAAS,EAAE,gBAAgB;YAC3B,WAAW,EAAE,SAAS;YACtB,cAAc,EAAE,OAAO,CAAC,cAAc;YACtC,MAAM,EAAE,OAAO,CAAC,MAAM;YACtB,OAAO,EAAE,OAAO,CAAC,OAAO;YACxB,YAAY,EAAE,OAAO,CAAC,YAAY;YAClC,QAAQ,EAAE,OAAO,CAAC,QAAQ;YAC1B,KAAK,EAAE,OAAO,CAAC,KAAK;YACpB,uBAAuB,EAAE,yBAAyB;YAClD,iBAAiB;YACjB,WAAW,EAAE,KAAK;YAClB,uBAAuB,EAAE,KAAK;SAC/B,CAAC,CAAC,CAAC,IAAI;QACR,WAAW,EAAE,KAAK;QAClB,yBAAyB,EAAE,KAAK;KACjC,CAAC;AACJ,CAAC"}
|
|
@@ -0,0 +1,75 @@
|
|
|
1
|
+
import type { ConnectCatalogSnapshotV1 } from './index.js';
|
|
2
|
+
export type ConnectRuntimeTokenClaimsV1 = {
|
|
3
|
+
iss: 'nbo-connect';
|
|
4
|
+
aud: 'nbo-connect-action';
|
|
5
|
+
sub: string;
|
|
6
|
+
jti: string;
|
|
7
|
+
tokenType: 'connect_action';
|
|
8
|
+
environment: 'sandbox';
|
|
9
|
+
organizationId: string;
|
|
10
|
+
nodeId: string;
|
|
11
|
+
persona: string;
|
|
12
|
+
capabilityId: string;
|
|
13
|
+
actionId: string;
|
|
14
|
+
scope: string;
|
|
15
|
+
registryVersion: string;
|
|
16
|
+
iat: number;
|
|
17
|
+
exp: number;
|
|
18
|
+
authorizationRef: string;
|
|
19
|
+
};
|
|
20
|
+
export type ConnectRuntimeTokenShadowRequestV1 = {
|
|
21
|
+
claims: Partial<ConnectRuntimeTokenClaimsV1>;
|
|
22
|
+
environment: 'sandbox' | 'production';
|
|
23
|
+
organizationId: string;
|
|
24
|
+
nodeId: string;
|
|
25
|
+
persona: string;
|
|
26
|
+
capabilityId: string;
|
|
27
|
+
actionId: string;
|
|
28
|
+
scope: string;
|
|
29
|
+
nowSeconds: number;
|
|
30
|
+
catalog: ConnectCatalogSnapshotV1;
|
|
31
|
+
revokedJtis?: readonly string[];
|
|
32
|
+
consumedJtis?: readonly string[];
|
|
33
|
+
authorizationActive?: boolean;
|
|
34
|
+
};
|
|
35
|
+
export type ConnectRuntimeTokenShadowDenialCodeV1 = 'MALFORMED_CLAIMS' | 'ISSUER_MISMATCH' | 'AUDIENCE_MISMATCH' | 'TOKEN_TYPE_MISMATCH' | 'ENVIRONMENT_MISMATCH' | 'REQUIRED_CLAIM_MISSING' | 'TOKEN_NOT_YET_VALID' | 'TOKEN_EXPIRED' | 'TOKEN_LIFETIME_TOO_LONG' | 'ORGANIZATION_MISMATCH' | 'NODE_MISMATCH' | 'PERSONA_MISMATCH' | 'CAPABILITY_MISMATCH' | 'ACTION_MISMATCH' | 'SCOPE_MISMATCH' | 'REGISTRY_VERSION_MISMATCH' | 'AUTHORIZATION_WITHDRAWN' | 'TOKEN_REVOKED' | 'TOKEN_REPLAYED' | 'CAPABILITY_NOT_FOUND' | 'PERSONA_NOT_ALLOWED' | 'ACTION_NOT_ALLOWED' | 'SCOPE_NOT_ALLOWED' | 'LIVE_VALUE_ACTION_BLOCKED';
|
|
36
|
+
export type ConnectRuntimeTokenShadowAuditV1 = {
|
|
37
|
+
schemaVersion: 'nbo.connect.runtime_token_shadow_audit.v1';
|
|
38
|
+
auditRef: string;
|
|
39
|
+
outcome: 'RUNTIME_TOKEN_SHADOW_WOULD_ALLOW' | 'RUNTIME_TOKEN_SHADOW_DENIED';
|
|
40
|
+
tokenRef: string;
|
|
41
|
+
organizationId: string | null;
|
|
42
|
+
nodeId: string | null;
|
|
43
|
+
persona: string | null;
|
|
44
|
+
capabilityId: string | null;
|
|
45
|
+
actionId: string | null;
|
|
46
|
+
scope: string | null;
|
|
47
|
+
denialCodes: ConnectRuntimeTokenShadowDenialCodeV1[];
|
|
48
|
+
acceptedForAuthentication: false;
|
|
49
|
+
liveValueActionAttempted: false;
|
|
50
|
+
evaluatedAt: string;
|
|
51
|
+
};
|
|
52
|
+
export type ConnectRuntimeTokenShadowDashboardProjectionV1 = {
|
|
53
|
+
tokenRef: string;
|
|
54
|
+
auditRef: string;
|
|
55
|
+
status: 'would_allow' | 'would_deny';
|
|
56
|
+
environment: 'sandbox' | 'production';
|
|
57
|
+
organizationId: string | null;
|
|
58
|
+
nodeId: string | null;
|
|
59
|
+
persona: string | null;
|
|
60
|
+
capabilityId: string | null;
|
|
61
|
+
actionId: string | null;
|
|
62
|
+
scope: string | null;
|
|
63
|
+
denialCodes: ConnectRuntimeTokenShadowDenialCodeV1[];
|
|
64
|
+
acceptedForAuthentication: false;
|
|
65
|
+
};
|
|
66
|
+
export type ConnectRuntimeTokenShadowResultV1 = {
|
|
67
|
+
mode: 'shadow_only';
|
|
68
|
+
wouldAuthorize: boolean;
|
|
69
|
+
acceptedForAuthentication: false;
|
|
70
|
+
denialCodes: ConnectRuntimeTokenShadowDenialCodeV1[];
|
|
71
|
+
audit: ConnectRuntimeTokenShadowAuditV1;
|
|
72
|
+
dashboard: ConnectRuntimeTokenShadowDashboardProjectionV1;
|
|
73
|
+
};
|
|
74
|
+
export declare function evaluateConnectRuntimeTokenShadowV1(request: ConnectRuntimeTokenShadowRequestV1): ConnectRuntimeTokenShadowResultV1;
|
|
75
|
+
//# sourceMappingURL=runtimeTokenShadow.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"runtimeTokenShadow.d.ts","sourceRoot":"","sources":["../src/runtimeTokenShadow.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,wBAAwB,EAAE,MAAM,YAAY,CAAC;AAE3D,MAAM,MAAM,2BAA2B,GAAG;IACxC,GAAG,EAAE,aAAa,CAAC;IACnB,GAAG,EAAE,oBAAoB,CAAC;IAC1B,GAAG,EAAE,MAAM,CAAC;IACZ,GAAG,EAAE,MAAM,CAAC;IACZ,SAAS,EAAE,gBAAgB,CAAC;IAC5B,WAAW,EAAE,SAAS,CAAC;IACvB,cAAc,EAAE,MAAM,CAAC;IACvB,MAAM,EAAE,MAAM,CAAC;IACf,OAAO,EAAE,MAAM,CAAC;IAChB,YAAY,EAAE,MAAM,CAAC;IACrB,QAAQ,EAAE,MAAM,CAAC;IACjB,KAAK,EAAE,MAAM,CAAC;IACd,eAAe,EAAE,MAAM,CAAC;IACxB,GAAG,EAAE,MAAM,CAAC;IACZ,GAAG,EAAE,MAAM,CAAC;IACZ,gBAAgB,EAAE,MAAM,CAAC;CAC1B,CAAC;AAEF,MAAM,MAAM,kCAAkC,GAAG;IAC/C,MAAM,EAAE,OAAO,CAAC,2BAA2B,CAAC,CAAC;IAC7C,WAAW,EAAE,SAAS,GAAG,YAAY,CAAC;IACtC,cAAc,EAAE,MAAM,CAAC;IACvB,MAAM,EAAE,MAAM,CAAC;IACf,OAAO,EAAE,MAAM,CAAC;IAChB,YAAY,EAAE,MAAM,CAAC;IACrB,QAAQ,EAAE,MAAM,CAAC;IACjB,KAAK,EAAE,MAAM,CAAC;IACd,UAAU,EAAE,MAAM,CAAC;IACnB,OAAO,EAAE,wBAAwB,CAAC;IAClC,WAAW,CAAC,EAAE,SAAS,MAAM,EAAE,CAAC;IAChC,YAAY,CAAC,EAAE,SAAS,MAAM,EAAE,CAAC;IACjC,mBAAmB,CAAC,EAAE,OAAO,CAAC;CAC/B,CAAC;AAEF,MAAM,MAAM,qCAAqC,GAC7C,kBAAkB,GAClB,iBAAiB,GACjB,mBAAmB,GACnB,qBAAqB,GACrB,sBAAsB,GACtB,wBAAwB,GACxB,qBAAqB,GACrB,eAAe,GACf,yBAAyB,GACzB,uBAAuB,GACvB,eAAe,GACf,kBAAkB,GAClB,qBAAqB,GACrB,iBAAiB,GACjB,gBAAgB,GAChB,2BAA2B,GAC3B,yBAAyB,GACzB,eAAe,GACf,gBAAgB,GAChB,sBAAsB,GACtB,qBAAqB,GACrB,oBAAoB,GACpB,mBAAmB,GACnB,2BAA2B,CAAC;AAEhC,MAAM,MAAM,gCAAgC,GAAG;IAC7C,aAAa,EAAE,2CAA2C,CAAC;IAC3D,QAAQ,EAAE,MAAM,CAAC;IACjB,OAAO,EAAE,kCAAkC,GAAG,6BAA6B,CAAC;IAC5E,QAAQ,EAAE,MAAM,CAAC;IACjB,cAAc,EAAE,MAAM,GAAG,IAAI,CAAC;IAC9B,MAAM,EAAE,MAAM,GAAG,IAAI,CAAC;IACtB,OAAO,EAAE,MAAM,GAAG,IAAI,CAAC;IACvB,YAAY,EAAE,MAAM,GAAG,IAAI,CAAC;IAC5B,QAAQ,EAAE,MAAM,GAAG,IAAI,CAAC;IACxB,KAAK,EAAE,MAAM,GAAG,IAAI,CAAC;IACrB,WAAW,EAAE,qCAAqC,EAAE,CAAC;IACrD,yBAAyB,EAAE,KAAK,CAAC;IACjC,wBAAwB,EAAE,KAAK,CAAC;IAChC,WAAW,EAAE,MAAM,CAAC;CACrB,CAAC;AAEF,MAAM,MAAM,8CAA8C,GAAG;IAC3D,QAAQ,EAAE,MAAM,CAAC;IACjB,QAAQ,EAAE,MAAM,CAAC;IACjB,MAAM,EAAE,aAAa,GAAG,YAAY,CAAC;IACrC,WAAW,EAAE,SAAS,GAAG,YAAY,CAAC;IACtC,cAAc,EAAE,MAAM,GAAG,IAAI,CAAC;IAC9B,MAAM,EAAE,MAAM,GAAG,IAAI,CAAC;IACtB,OAAO,EAAE,MAAM,GAAG,IAAI,CAAC;IACvB,YAAY,EAAE,MAAM,GAAG,IAAI,CAAC;IAC5B,QAAQ,EAAE,MAAM,GAAG,IAAI,CAAC;IACxB,KAAK,EAAE,MAAM,GAAG,IAAI,CAAC;IACrB,WAAW,EAAE,qCAAqC,EAAE,CAAC;IACrD,yBAAyB,EAAE,KAAK,CAAC;CAClC,CAAC;AAEF,MAAM,MAAM,iCAAiC,GAAG;IAC9C,IAAI,EAAE,aAAa,CAAC;IACpB,cAAc,EAAE,OAAO,CAAC;IACxB,yBAAyB,EAAE,KAAK,CAAC;IACjC,WAAW,EAAE,qCAAqC,EAAE,CAAC;IACrD,KAAK,EAAE,gCAAgC,CAAC;IACxC,SAAS,EAAE,8CAA8C,CAAC;CAC3D,CAAC;AAmHF,wBAAgB,mCAAmC,CACjD,OAAO,EAAE,kCAAkC,GAC1C,iCAAiC,CAgEnC"}
|