@numerum-tech/yeriasdk 1.0.0

package/dist/core/jsonapp.js

@@ -0,0 +1,528 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.JsonApp = void 0;
+const crypto_1 = require("crypto");
+const form_view_1 = require("./form-view");
+const reader_view_1 = require("./reader-view");
+const action_list_view_1 = require("./action-list-view");
+const action_grid_view_1 = require("./action-grid-view");
+const qr_scan_view_1 = require("./qr-scan-view");
+const qr_display_view_1 = require("./qr-display-view");
+const message_view_1 = require("./message-view");
+const card_view_1 = require("./card-view");
+const carousel_view_1 = require("./carousel-view");
+const timeline_view_1 = require("./timeline-view");
+const media_view_1 = require("./media-view");
+const map_view_1 = require("./map-view");
+const errors_1 = require("../errors");
+const notification_1 = require("./notification");
+class JsonApp {
+    constructor(config) {
+        this.config = {
+            allowedDomains: [],
+            viewExpirationMinutes: 60,
+            ...config
+        };
+        // Génération ou utilisation des clés Ed25519
+        if (config.privateKey && config.publicKey) {
+            this.privateKey = config.privateKey;
+            this.publicKey = config.publicKey;
+        }
+        else {
+            // Génération automatique des clés Ed25519
+            const keyPair = (0, crypto_1.generateKeyPairSync)('ed25519');
+            this.privateKey = keyPair.privateKey.export({ type: 'pkcs8', format: 'pem' });
+            this.publicKey = keyPair.publicKey.export({ type: 'spki', format: 'pem' });
+        }
+    }
+    /**
+     * Crée une vue de formulaire sécurisée
+     */
+    createFormView(formId, title, processId) {
+        return new form_view_1.FormView(formId, title, processId);
+    }
+    /**
+     * Crée une vue de lecture sécurisée
+     */
+    createReaderView(viewId, title, processId) {
+        return new reader_view_1.ReaderView(viewId, title, processId);
+    }
+    /**
+     * Crée une vue de liste d'actions sécurisée
+     */
+    createActionListView(viewId, title, processId) {
+        return new action_list_view_1.ActionListView(viewId, title, processId);
+    }
+    /**
+     * Crée une vue de grille d'actions sécurisée
+     */
+    createActionGridView(viewId, title, processId) {
+        return new action_grid_view_1.ActionGridView(viewId, title, processId);
+    }
+    /**
+     * Crée une vue de scan QR sécurisée
+     */
+    createQRScanView(viewId, title, processId) {
+        return new qr_scan_view_1.QRScanView(viewId, title, processId);
+    }
+    /**
+     * Crée une vue d'affichage QR sécurisée
+     */
+    createQRDisplayView(viewId, title, processId) {
+        return new qr_display_view_1.QRDisplayView(viewId, title, processId);
+    }
+    /**
+     * Crée une vue de message sécurisée
+     */
+    createMessageView(viewId, title, processId) {
+        return new message_view_1.MessageView(viewId, title, processId);
+    }
+    createCardView(viewId, title, processId) {
+        return new card_view_1.CardView(viewId, title, processId);
+    }
+    createCarouselView(viewId, title, processId) {
+        return new carousel_view_1.CarouselView(viewId, title, processId);
+    }
+    createTimelineView(viewId, title, processId) {
+        return new timeline_view_1.TimelineView(viewId, title, processId);
+    }
+    createMediaView(viewId, title, processId) {
+        return new media_view_1.MediaView(viewId, title, processId);
+    }
+    createMapView(viewId, title, processId) {
+        return new map_view_1.MapView(viewId, title, processId);
+    }
+    /**
+     * Crée une notification pour un utilisateur spécifique
+     */
+    createNotification(userId, title, body, link) {
+        return new notification_1.Notification(userId, title, body, link);
+    }
+    /**
+     * Signe une notification avec Ed25519
+     */
+    signNotification(notification) {
+        const notificationJson = notification.toJSON();
+        const timestamp = Date.now();
+        // Payload must match backend reconstruction: { notification (object), timestamp, appId }
+        const payload = JSON.stringify({
+            notification: notificationJson,
+            timestamp: timestamp,
+            appId: this.config.appId
+        });
+        const signatureBuffer = (0, crypto_1.sign)(null, Buffer.from(payload), this.privateKey);
+        const signature = signatureBuffer.toString('base64');
+        return {
+            appId: this.config.appId,
+            signature,
+            timestamp,
+            notification: notificationJson
+        };
+    }
+    /**
+     * Envoie une notification signée à la plateforme City-Mate
+     * @param notification - Notification à envoyer
+     * @param platformUrl - URL de la plateforme (optionnel, utilise config.platformUrl si non fourni)
+     * @throws {ConfigurationError} Si aucune URL de plateforme n'est configurée
+     * @throws {ExternalError} Si l'envoi échoue
+     */
+    async sendNotification(notification, platformUrl) {
+        const signedNotification = this.signNotification(notification);
+        const url = platformUrl || this.config.platformUrl;
+        if (!url) {
+            throw new errors_1.ConfigurationError('Platform URL required for sending notifications. Set platformUrl in JsonAppConfig or pass it as parameter.');
+        }
+        try {
+            const response = await fetch(url, {
+                method: 'POST',
+                headers: { 'Content-Type': 'application/json' },
+                body: JSON.stringify(signedNotification),
+                signal: AbortSignal.timeout(this.config.notificationTimeout || 5000)
+            });
+            if (!response.ok) {
+                throw new errors_1.ExternalError(errors_1.ERROR_CODES.NOTIFICATION_FAILED, `Failed to send notification: ${response.status} ${response.statusText}`, 'fetch');
+            }
+        }
+        catch (error) {
+            if (error instanceof errors_1.ExternalError || error instanceof errors_1.ConfigurationError) {
+                throw error;
+            }
+            throw new errors_1.ExternalError(errors_1.ERROR_CODES.NOTIFICATION_FAILED, `Failed to send notification: ${error instanceof Error ? error.message : String(error)}`, 'fetch', error instanceof Error ? error : undefined);
+        }
+    }
+    /**
+     * Rotate the service's signing key on the Yeria registry. The rotation
+     * envelope is signed with the *current* private key — the caller proves
+     * they own the still-valid keypair before the new one is accepted.
+     *
+     * After this call succeeds:
+     *   - The new public key becomes Active on Yeria.
+     *   - The old key keeps validating signatures for ~5 minutes (grace
+     *     window so in-flight signed responses still verify).
+     *   - This JsonApp instance is mutated to use the new keypair locally.
+     *
+     * @param yeriaApiBaseUrl - Yeria registry root, e.g. `https://yeria.app`
+     * @param serviceId       - The service id assigned by Yeria
+     * @param newKeys         - The freshly-generated keypair to switch to
+     */
+    async rotateKey(yeriaApiBaseUrl, serviceId, newKeys) {
+        if (!newKeys?.privateKey || !newKeys?.publicKey) {
+            throw new errors_1.ConfigurationError('rotateKey requires { privateKey, publicKey } in PEM');
+        }
+        const envelope = {
+            serviceId: String(serviceId),
+            newPublicKey: newKeys.publicKey,
+            timestamp: Date.now()
+        };
+        const payload = JSON.stringify(envelope);
+        const signature = (0, crypto_1.sign)(null, Buffer.from(payload), this.privateKey).toString('base64');
+        const url = `${yeriaApiBaseUrl.replace(/\/+$/, '')}/api/v1/services/${serviceId}/keys/rotate`;
+        let response;
+        try {
+            response = await fetch(url, {
+                method: 'POST',
+                headers: { 'Content-Type': 'application/json' },
+                body: JSON.stringify({
+                    envelope,
+                    signature,
+                    currentPublicKey: this.publicKey
+                }),
+                signal: AbortSignal.timeout(this.config.notificationTimeout || 5000)
+            });
+        }
+        catch (error) {
+            throw new errors_1.ExternalError(errors_1.ERROR_CODES.NOTIFICATION_FAILED, `Key rotation request failed: ${error instanceof Error ? error.message : String(error)}`, 'fetch', error instanceof Error ? error : undefined);
+        }
+        if (!response.ok) {
+            const text = await response.text().catch(() => '');
+            throw new errors_1.ExternalError(errors_1.ERROR_CODES.NOTIFICATION_FAILED, `Key rotation rejected: ${response.status} ${response.statusText} ${text}`, 'fetch');
+        }
+        const body = await response.json();
+        // Locally swap to the new keypair so subsequent serve() calls sign
+        // with it. Old responses still verify against the old public key
+        // during the grace window because Yeria keeps both rows Active.
+        this.privateKey = newKeys.privateKey;
+        this.publicKey = newKeys.publicKey;
+        return {
+            keyId: body.data?.key?.id,
+            expiresAt: body.data?.key?.expires_at,
+            gracePeriodMinutes: body.data?.grace_period_minutes ?? 5
+        };
+    }
+    /**
+     * Sérialise une vue, signe les bytes sérialisés, et retourne une
+     * enveloppe `{payload, signature}` à envoyer telle quelle au client.
+     *
+     * Usage côté provider (Express) :
+     *   res.json(jsonApp.serve(view));
+     *   res.status(400).json(jsonApp.serve(errorMessage));
+     *
+     * La signature est dans la structure de retour — impossible de
+     * l'oublier en l'envoyant. Le client vérifie sur `payload` (string)
+     * sans re-stringification.
+     */
+    serve(view) {
+        const decoded = {
+            appId: this.config.appId,
+            timestamp: Date.now(),
+            view: view.toJSON()
+        };
+        const payload = JSON.stringify(decoded);
+        const signature = (0, crypto_1.sign)(null, Buffer.from(payload, 'utf8'), this.privateKey).toString('base64');
+        return { payload, signature };
+    }
+    /**
+     * Obtient la clé publique pour la vérification côté frontend
+     */
+    getPublicKey() {
+        return this.publicKey;
+    }
+    /**
+     * Vérifie l'intégrité d'une enveloppe signée reçue du wire.
+     *
+     * @throws {AppIdMismatchError}        si appId ne matche pas this.config.appId
+     * @throws {ViewExpiredError}          si timestamp > viewExpirationMinutes
+     * @throws {SignatureVerificationError} si signature invalide ou payload malformé
+     */
+    verifyIntegrity(envelope) {
+        try {
+            // 1. Verify signature on payload bytes — no re-stringification
+            const signatureBuffer = Buffer.from(envelope.signature, 'base64');
+            const isValid = (0, crypto_1.verify)(null, Buffer.from(envelope.payload, 'utf8'), this.publicKey, signatureBuffer);
+            if (!isValid) {
+                throw new errors_1.SignatureVerificationError(this.config.appId);
+            }
+            // 2. Parse the now-trusted payload
+            const decoded = JSON.parse(envelope.payload);
+            // 3. appId match
+            if (decoded.appId !== this.config.appId) {
+                throw new errors_1.AppIdMismatchError(this.config.appId, decoded.appId);
+            }
+            // 4. Expiration window
+            const now = Date.now();
+            const expirationTime = this.config.viewExpirationMinutes * 60 * 1000;
+            const age = now - decoded.timestamp;
+            if (age > expirationTime) {
+                const viewId = typeof decoded.view['id'] === 'string'
+                    ? decoded.view['id']
+                    : 'unknown';
+                throw new errors_1.ViewExpiredError(viewId, age, expirationTime);
+            }
+            return true;
+        }
+        catch (error) {
+            if (error instanceof errors_1.AppIdMismatchError ||
+                error instanceof errors_1.ViewExpiredError ||
+                error instanceof errors_1.SignatureVerificationError) {
+                throw error;
+            }
+            throw new errors_1.SignatureVerificationError(this.config.appId);
+        }
+    }
+    /**
+     * Méthode statique pour vérifier une signature.
+     * @param publicKey - Clé publique Ed25519 (PEM format)
+     * @param payload   - JSON string signée (extraite de l'enveloppe)
+     * @param signature - Signature base64
+     * @param onError   - Optional error callback for logging
+     * @returns true si la signature est valide
+     */
+    static verifySignature(publicKey, payload, signature, onError) {
+        try {
+            const signatureBuffer = Buffer.from(signature, 'base64');
+            return (0, crypto_1.verify)(null, Buffer.from(payload, 'utf8'), publicKey, signatureBuffer);
+        }
+        catch (error) {
+            const err = error instanceof Error ? error : new Error('Unknown error');
+            if (onError) {
+                onError(err);
+            }
+            else if (typeof process !== 'undefined' && process.env?.['NODE_ENV'] !== 'production') {
+                console.error('[JsonApp] Error verifying signature:', err);
+            }
+            return false;
+        }
+    }
+    /**
+     * Génère statiquement une enveloppe signée sans instance JsonApp.
+     */
+    static signView(view, appId, privateKey, timestamp = Date.now()) {
+        const decoded = { appId, timestamp, view };
+        const payload = JSON.stringify(decoded);
+        const signature = (0, crypto_1.sign)(null, Buffer.from(payload, 'utf8'), privateKey).toString('base64');
+        return { payload, signature };
+    }
+    /**
+     * Verify a Yeria-issued user token (RS256 JWT signed by Yeria's
+     * Registry RSA key). Used by providers to authenticate inbound
+     * requests carrying `Authorization: Bearer <serviceToken>`.
+     *
+     * @param jwtToken           Compact JWT (header.payload.signature, base64url).
+     * @param yeriaPublicKey     Yeria's Registry public key in PEM format.
+     *                           Fetch once at boot from
+     *                           `GET /api/v1/registry/public-key` and cache.
+     * @param expectedServiceId  When supplied, asserts `aud === String(expectedServiceId)`.
+     *                           Pass the service id your backend is hosting; refuse
+     *                           tokens scoped to a different service.
+     * @returns                  The verified claims object.
+     * @throws SignatureVerificationError if signature invalid / token malformed / wrong issuer / wrong audience.
+     * @throws ViewExpiredError            if the `exp` claim is in the past.
+     */
+    static verifyUserToken(jwtToken, yeriaPublicKey, expectedServiceId) {
+        if (typeof jwtToken !== 'string' || jwtToken.length === 0) {
+            throw new errors_1.SignatureVerificationError('yeria', 'missing jwt');
+        }
+        const parts = jwtToken.split('.');
+        if (parts.length !== 3 || !parts[0] || !parts[1] || !parts[2]) {
+            throw new errors_1.SignatureVerificationError('yeria', 'malformed jwt');
+        }
+        const headerB64 = parts[0];
+        const payloadB64 = parts[1];
+        const signatureB64 = parts[2];
+        let header;
+        let claims;
+        try {
+            header = JSON.parse(base64UrlDecodeToString(headerB64));
+            claims = JSON.parse(base64UrlDecodeToString(payloadB64));
+        }
+        catch (_e) {
+            throw new errors_1.SignatureVerificationError('yeria', 'invalid base64 / json');
+        }
+        if (header['alg'] !== 'RS256') {
+            throw new errors_1.SignatureVerificationError('yeria', `unsupported alg: ${String(header['alg'])}`);
+        }
+        // Verify RSA-SHA256 over the canonical signing input.
+        const signingInput = `${headerB64}.${payloadB64}`;
+        const signatureBytes = base64UrlDecodeToBuffer(signatureB64);
+        const verifier = (0, crypto_1.createVerify)('RSA-SHA256');
+        verifier.update(signingInput);
+        verifier.end();
+        const sigOk = verifier.verify(yeriaPublicKey, signatureBytes);
+        if (!sigOk) {
+            throw new errors_1.SignatureVerificationError('yeria', 'signature mismatch');
+        }
+        if (claims.iss !== 'yeria') {
+            throw new errors_1.SignatureVerificationError('yeria', `unexpected issuer: ${String(claims.iss)}`);
+        }
+        if (expectedServiceId !== undefined && claims.aud !== String(expectedServiceId)) {
+            throw new errors_1.SignatureVerificationError('yeria', `audience mismatch: token aud=${claims.aud}, expected=${String(expectedServiceId)}`);
+        }
+        const nowSec = Math.floor(Date.now() / 1000);
+        if (typeof claims.exp !== 'number' || claims.exp <= nowSec) {
+            throw new errors_1.ViewExpiredError('user-token', (nowSec - (claims.exp || 0)) * 1000, 0);
+        }
+        // Surface kid from the header for caller convenience.
+        if (typeof header['kid'] === 'string') {
+            claims.kid = header['kid'];
+        }
+        return claims;
+    }
+    /**
+     * Same audience-scoped JWT verify as `verifyUserToken`, but the second
+     * argument is a kid resolver instead of a fixed PEM. The SDK pulls
+     * the `kid` from the JWT header, calls `resolver(kid)`, and verifies
+     * the signature against whatever PEM comes back.
+     *
+     * Pair with `YeriaKeyStore` so providers don't have to write key-
+     * fetching, caching or rotation-grace handling themselves.
+     *
+     * @throws SignatureVerificationError if the resolver returns null, the
+     *         signature fails, the issuer / audience mismatches, or the
+     *         JWT is malformed.
+     * @throws ViewExpiredError when `exp` is in the past.
+     */
+    static async verifyUserTokenWithResolver(jwtToken, resolver, expectedServiceId) {
+        if (typeof jwtToken !== 'string' || jwtToken.length === 0) {
+            throw new errors_1.SignatureVerificationError('yeria', 'missing jwt');
+        }
+        const parts = jwtToken.split('.');
+        if (parts.length !== 3 || !parts[0] || !parts[1] || !parts[2]) {
+            throw new errors_1.SignatureVerificationError('yeria', 'malformed jwt');
+        }
+        let header;
+        try {
+            header = JSON.parse(base64UrlDecodeToString(parts[0]));
+        }
+        catch (_e) {
+            throw new errors_1.SignatureVerificationError('yeria', 'invalid header');
+        }
+        const kid = header['kid'];
+        if (typeof kid !== 'string' || kid.length === 0) {
+            throw new errors_1.SignatureVerificationError('yeria', 'jwt header missing kid');
+        }
+        const pem = await resolver(kid);
+        if (!pem) {
+            // Resolver returns null when Yeria says the key is expired or
+            // the kid is unknown. Either way the token cannot be trusted.
+            throw new errors_1.SignatureVerificationError('yeria', `no trusted key for kid=${kid}`);
+        }
+        return JsonApp.verifyUserToken(jwtToken, pem, expectedServiceId);
+    }
+    /**
+     * Provider-side helper: fetch a Yeria user's profile by `sub`.
+     *
+     * Builds an Ed25519-signed envelope and POSTs to
+     * `POST /api/v1/provider/services/{serviceId}/users/{userId}/profile`.
+     * Yeria already holds every Active public key for this service, so
+     * the envelope itself is the only credential — no user JWT is sent
+     * in the body and the PEM is never disclosed.
+     *
+     * Typical usage (provider middleware after `verifyUserTokenWithResolver`):
+     *
+     *   let user = await db.users.findByYeriaSub(claims.sub);
+     *   if (!user) {
+     *     const profile = await JsonApp.fetchUserProfile({
+     *       baseUrl: process.env.YERIA_BASE_URL,
+     *       serviceId: MY_SERVICE_ID,
+     *       userId: claims.sub,
+     *       privateKey: SERVICE_ED25519_PRIVATE_KEY,
+     *     });
+     *     user = await db.users.insert({ yeria_sub: claims.sub, ...profile });
+     *   }
+     *
+     * The hot path stays local-DB after the first miss.
+     */
+    static async fetchUserProfile(opts) {
+        if (!opts || !opts.baseUrl)
+            throw new Error('fetchUserProfile: baseUrl is required');
+        if (opts.serviceId === undefined || opts.serviceId === null) {
+            throw new Error('fetchUserProfile: serviceId is required');
+        }
+        if (opts.userId === undefined || opts.userId === null) {
+            throw new Error('fetchUserProfile: userId is required');
+        }
+        if (typeof opts.privateKey !== 'string' || opts.privateKey.length === 0) {
+            throw new Error('fetchUserProfile: privateKey (PEM) is required');
+        }
+        const fetchImpl = opts.fetch ?? globalThis.fetch;
+        if (typeof fetchImpl !== 'function') {
+            throw new Error('fetchUserProfile: no fetch available — pass opts.fetch on Node < 18 or non-browser runtimes');
+        }
+        const envelope = {
+            service_id: opts.serviceId,
+            user_id: opts.userId,
+            timestamp: Date.now(),
+            nonce: (0, crypto_1.randomBytes)(16).toString('hex'),
+        };
+        const payloadStr = JSON.stringify(envelope);
+        const signature = (0, crypto_1.sign)(null, Buffer.from(payloadStr, 'utf8'), opts.privateKey).toString('base64');
+        const baseUrl = opts.baseUrl.replace(/\/+$/, '');
+        const url = `${baseUrl}/api/v1/provider/services/${encodeURIComponent(String(opts.serviceId))}/users/${encodeURIComponent(String(opts.userId))}/profile`;
+        const res = await fetchImpl(url, {
+            method: 'POST',
+            headers: { 'Content-Type': 'application/json' },
+            body: JSON.stringify({ envelope, signature }),
+        });
+        let body;
+        try {
+            body = await res.json();
+        }
+        catch (_e) {
+            body = null;
+        }
+        if (!res.ok) {
+            const msg = extractErrorMessage(body) || `HTTP ${res.status}`;
+            throw new Error(`Yeria profile fetch failed: ${msg}`);
+        }
+        const result = (body && typeof body === 'object' && 'result' in body)
+            ? body.result
+            : body;
+        if (!result || typeof result !== 'object') {
+            throw new Error('Yeria profile fetch: unexpected response shape');
+        }
+        const r = result;
+        return {
+            user_id: Number(r['user_id']),
+            first_name: typeof r['first_name'] === 'string' ? r['first_name'] : null,
+            last_name: typeof r['last_name'] === 'string' ? r['last_name'] : null,
+            country_code: typeof r['country_code'] === 'string' ? r['country_code'] : null,
+        };
+    }
+}
+exports.JsonApp = JsonApp;
+function extractErrorMessage(body) {
+    if (!body || typeof body !== 'object')
+        return null;
+    const b = body;
+    if (typeof b['message'] === 'string')
+        return b['message'];
+    if (b['error'] && typeof b['error'] === 'object') {
+        const e = b['error'];
+        if (typeof e['message'] === 'string')
+            return e['message'];
+    }
+    if (typeof b['error'] === 'string')
+        return b['error'];
+    return null;
+}
+// ── base64url helpers (stateless, no dep) ────────────────────────────────
+// JWT uses base64url (RFC 4648 §5): `-` for `+`, `_` for `/`, no padding.
+function base64UrlDecodeToBuffer(input) {
+    const padded = input.replace(/-/g, '+').replace(/_/g, '/') +
+        '==='.slice((input.length + 3) % 4);
+    return Buffer.from(padded, 'base64');
+}
+function base64UrlDecodeToString(input) {
+    return base64UrlDecodeToBuffer(input).toString('utf8');
+}
+//# sourceMappingURL=jsonapp.js.map

package/dist/core/jsonapp.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"jsonapp.js","sourceRoot":"","sources":["../../src/core/jsonapp.ts"],"names":[],"mappings":";;;AAAA,mCAAsF;AAEtF,2CAAuC;AACvC,+CAA2C;AAC3C,yDAAoD;AACpD,yDAAoD;AACpD,iDAA4C;AAC5C,uDAAkD;AAClD,iDAA6C;AAC7C,2CAAuC;AACvC,mDAA+C;AAC/C,mDAA+C;AAC/C,6CAAyC;AACzC,yCAAqC;AACrC,sCAOmB;AACnB,iDAA8C;AA8E9C,MAAa,OAAO;IAKhB,YAAY,MAAqB;QAC7B,IAAI,CAAC,MAAM,GAAG;YACV,cAAc,EAAE,EAAE;YAClB,qBAAqB,EAAE,EAAE;YACzB,GAAG,MAAM;SACZ,CAAC;QAEF,6CAA6C;QAC7C,IAAI,MAAM,CAAC,UAAU,IAAI,MAAM,CAAC,SAAS,EAAE,CAAC;YACxC,IAAI,CAAC,UAAU,GAAG,MAAM,CAAC,UAAU,CAAC;YACpC,IAAI,CAAC,SAAS,GAAG,MAAM,CAAC,SAAS,CAAC;QACtC,CAAC;aAAM,CAAC;YACJ,0CAA0C;YAC1C,MAAM,OAAO,GAAG,IAAA,4BAAmB,EAAC,SAAS,CAAC,CAAC;YAC/C,IAAI,CAAC,UAAU,GAAG,OAAO,CAAC,UAAU,CAAC,MAAM,CAAC,EAAE,IAAI,EAAE,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE,CAAW,CAAC;YACxF,IAAI,CAAC,SAAS,GAAG,OAAO,CAAC,SAAS,CAAC,MAAM,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,MAAM,EAAE,KAAK,EAAE,CAAW,CAAC;QACzF,CAAC;IACL,CAAC;IAED;;OAEG;IACH,cAAc,CAAC,MAAc,EAAE,KAAa,EAAE,SAAkB;QAC5D,OAAO,IAAI,oBAAQ,CAAC,MAAM,EAAE,KAAK,EAAE,SAAS,CAAC,CAAC;IAClD,CAAC;IAED;;OAEG;IACH,gBAAgB,CAAC,MAAc,EAAE,KAAa,EAAE,SAAkB;QAC9D,OAAO,IAAI,wBAAU,CAAC,MAAM,EAAE,KAAK,EAAE,SAAS,CAAC,CAAC;IACpD,CAAC;IAED;;OAEG;IACH,oBAAoB,CAAC,MAAc,EAAE,KAAa,EAAE,SAAkB;QAClE,OAAO,IAAI,iCAAc,CAAC,MAAM,EAAE,KAAK,EAAE,SAAS,CAAC,CAAC;IACxD,CAAC;IAED;;OAEG;IACH,oBAAoB,CAAC,MAAc,EAAE,KAAa,EAAE,SAAkB;QAClE,OAAO,IAAI,iCAAc,CAAC,MAAM,EAAE,KAAK,EAAE,SAAS,CAAC,CAAC;IACxD,CAAC;IAED;;OAEG;IACH,gBAAgB,CAAC,MAAc,EAAE,KAAa,EAAE,SAAkB;QAC9D,OAAO,IAAI,yBAAU,CAAC,MAAM,EAAE,KAAK,EAAE,SAAS,CAAC,CAAC;IACpD,CAAC;IAED;;OAEG;IACH,mBAAmB,CAAC,MAAc,EAAE,KAAa,EAAE,SAAkB;QACjE,OAAO,IAAI,+BAAa,CAAC,MAAM,EAAE,KAAK,EAAE,SAAS,CAAC,CAAC;IACvD,CAAC;IAED;;OAEG;IACH,iBAAiB,CAAC,MAAc,EAAE,KAAa,EAAE,SAAkB;QAC/D,OAAO,IAAI,0BAAW,CAAC,MAAM,EAAE,KAAK,EAAE,SAAS,CAAC,CAAC;IACrD,CAAC;IAED,cAAc,CAAC,MAAc,EAAE,KAAa,EAAE,SAAkB;QAC5D,OAAO,IAAI,oBAAQ,CAAC,MAAM,EAAE,KAAK,EAAE,SAAS,CAAC,CAAC;IAClD,CAAC;IAED,kBAAkB,CAAC,MAAc,EAAE,KAAa,EAAE,SAAkB;QAChE,OAAO,IAAI,4BAAY,CAAC,MAAM,EAAE,KAAK,EAAE,SAAS,CAAC,CAAC;IACtD,CAAC;IAED,kBAAkB,CAAC,MAAc,EAAE,KAAa,EAAE,SAAkB;QAChE,OAAO,IAAI,4BAAY,CAAC,MAAM,EAAE,KAAK,EAAE,SAAS,CAAC,CAAC;IACtD,CAAC;IAED,eAAe,CAAC,MAAc,EAAE,KAAa,EAAE,SAAkB;QAC7D,OAAO,IAAI,sBAAS,CAAC,MAAM,EAAE,KAAK,EAAE,SAAS,CAAC,CAAC;IACnD,CAAC;IAED,aAAa,CAAC,MAAc,EAAE,KAAa,EAAE,SAAkB;QAC3D,OAAO,IAAI,kBAAO,CAAC,MAAM,EAAE,KAAK,EAAE,SAAS,CAAC,CAAC;IACjD,CAAC;IAED;;OAEG;IACH,kBAAkB,CAAC,MAAc,EAAE,KAAa,EAAE,IAAY,EAAE,IAAa;QACzE,OAAO,IAAI,2BAAY,CAAC,MAAM,EAAE,KAAK,EAAE,IAAI,EAAE,IAAI,CAAC,CAAC;IACvD,CAAC;IAED;;OAEG;IACH,gBAAgB,CAAC,YAA0B;QACvC,MAAM,gBAAgB,GAAG,YAAY,CAAC,MAAM,EAAE,CAAC;QAC/C,MAAM,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QAC7B,yFAAyF;QACzF,MAAM,OAAO,GAAG,IAAI,CAAC,SAAS,CAAC;YAC3B,YAAY,EAAE,gBAAgB;YAC9B,SAAS,EAAE,SAAS;YACpB,KAAK,EAAE,IAAI,CAAC,MAAM,CAAC,KAAK;SAC3B,CAAC,CAAC;QACH,MAAM,eAAe,GAAG,IAAA,aAAI,EAAC,IAAI,EAAE,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,IAAI,CAAC,UAAU,CAAC,CAAC;QAC1E,MAAM,SAAS,GAAG,eAAe,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;QAErD,OAAO;YACH,KAAK,EAAE,IAAI,CAAC,MAAM,CAAC,KAAK;YACxB,SAAS;YACT,SAAS;YACT,YAAY,EAAE,gBAAgB;SACjC,CAAC;IACN,CAAC;IAED;;;;;;OAMG;IACH,KAAK,CAAC,gBAAgB,CAClB,YAA0B,EAC1B,WAAoB;QAEpB,MAAM,kBAAkB,GAAG,IAAI,CAAC,gBAAgB,CAAC,YAAY,CAAC,CAAC;QAC/D,MAAM,GAAG,GAAG,WAAW,IAAI,IAAI,CAAC,MAAM,CAAC,WAAW,CAAC;QAEnD,IAAI,CAAC,GAAG,EAAE,CAAC;YACP,MAAM,IAAI,2BAAkB,CAAC,4GAA4G,CAAC,CAAC;QAC/I,CAAC;QAED,IAAI,CAAC;YACD,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,GAAG,EAAE;gBAC9B,MAAM,EAAE,MAAM;gBACd,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE;gBAC/C,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,kBAAkB,CAAC;gBACxC,MAAM,EAAE,WAAW,CAAC,OAAO,CAAC,IAAI,CAAC,MAAM,CAAC,mBAAmB,IAAI,IAAI,CAAC;aACvE,CAAC,CAAC;YAEH,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;gBACf,MAAM,IAAI,sBAAa,CACnB,oBAAW,CAAC,mBAAmB,EAC/B,gCAAgC,QAAQ,CAAC,MAAM,IAAI,QAAQ,CAAC,UAAU,EAAE,EACxE,OAAO,CACV,CAAC;YACN,CAAC;QACL,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACb,IAAI,KAAK,YAAY,sBAAa,IAAI,KAAK,YAAY,2BAAkB,EAAE,CAAC;gBACxE,MAAM,KAAK,CAAC;YAChB,CAAC;YACD,MAAM,IAAI,sBAAa,CACnB,oBAAW,CAAC,mBAAmB,EAC/B,gCAAgC,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,EAAE,EACxF,OAAO,EACP,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,SAAS,CAC7C,CAAC;QACN,CAAC;IACL,CAAC;IAED;;;;;;;;;;;;;;OAcG;IACH,KAAK,CAAC,SAAS,CACX,eAAuB,EACvB,SAA0B,EAC1B,OAAkD;QAElD,IAAI,CAAC,OAAO,EAAE,UAAU,IAAI,CAAC,OAAO,EAAE,SAAS,EAAE,CAAC;YAC9C,MAAM,IAAI,2BAAkB,CAAC,qDAAqD,CAAC,CAAC;QACxF,CAAC;QAED,MAAM,QAAQ,GAAG;YACb,SAAS,EAAE,MAAM,CAAC,SAAS,CAAC;YAC5B,YAAY,EAAE,OAAO,CAAC,SAAS;YAC/B,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE;SACxB,CAAC;QACF,MAAM,OAAO,GAAG,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,CAAC;QACzC,MAAM,SAAS,GAAG,IAAA,aAAI,EAAC,IAAI,EAAE,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,IAAI,CAAC,UAAU,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;QAEvF,MAAM,GAAG,GAAG,GAAG,eAAe,CAAC,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC,oBAAoB,SAAS,cAAc,CAAC;QAC9F,IAAI,QAAkB,CAAC;QACvB,IAAI,CAAC;YACD,QAAQ,GAAG,MAAM,KAAK,CAAC,GAAG,EAAE;gBACxB,MAAM,EAAE,MAAM;gBACd,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE;gBAC/C,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC;oBACjB,QAAQ;oBACR,SAAS;oBACT,gBAAgB,EAAE,IAAI,CAAC,SAAS;iBACnC,CAAC;gBACF,MAAM,EAAE,WAAW,CAAC,OAAO,CAAC,IAAI,CAAC,MAAM,CAAC,mBAAmB,IAAI,IAAI,CAAC;aACvE,CAAC,CAAC;QACP,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACb,MAAM,IAAI,sBAAa,CACnB,oBAAW,CAAC,mBAAmB,EAC/B,gCAAgC,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,EAAE,EACxF,OAAO,EACP,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,SAAS,CAC7C,CAAC;QACN,CAAC;QAED,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;YACf,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,EAAE,CAAC,CAAC;YACnD,MAAM,IAAI,sBAAa,CACnB,oBAAW,CAAC,mBAAmB,EAC/B,0BAA0B,QAAQ,CAAC,MAAM,IAAI,QAAQ,CAAC,UAAU,IAAI,IAAI,EAAE,EAC1E,OAAO,CACV,CAAC;QACN,CAAC;QAED,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,IAAI,EAK/B,CAAC;QAEF,mEAAmE;QACnE,iEAAiE;QACjE,gEAAgE;QAChE,IAAI,CAAC,UAAU,GAAG,OAAO,CAAC,UAAU,CAAC;QACrC,IAAI,CAAC,SAAS,GAAG,OAAO,CAAC,SAAS,CAAC;QAEnC,OAAO;YACH,KAAK,EAAE,IAAI,CAAC,IAAI,EAAE,GAAG,EAAE,EAAY;YACnC,SAAS,EAAE,IAAI,CAAC,IAAI,EAAE,GAAG,EAAE,UAAoB;YAC/C,kBAAkB,EAAE,IAAI,CAAC,IAAI,EAAE,oBAAoB,IAAI,CAAC;SAC3D,CAAC;IACN,CAAC;IAED;;;;;;;;;;;OAWG;IACH,KAAK,CAAC,IAAc;QAChB,MAAM,OAAO,GAAmB;YAC5B,KAAK,EAAE,IAAI,CAAC,MAAM,CAAC,KAAK;YACxB,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE;YACrB,IAAI,EAAE,IAAI,CAAC,MAAM,EAAE;SACtB,CAAC;QACF,MAAM,OAAO,GAAG,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,CAAC;QACxC,MAAM,SAAS,GAAG,IAAA,aAAI,EAAC,IAAI,EAAE,MAAM,CAAC,IAAI,CAAC,OAAO,EAAE,MAAM,CAAC,EAAE,IAAI,CAAC,UAAU,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;QAC/F,OAAO,EAAE,OAAO,EAAE,SAAS,EAAE,CAAC;IAClC,CAAC;IAED;;OAEG;IACH,YAAY;QACR,OAAO,IAAI,CAAC,SAAS,CAAC;IAC1B,CAAC;IAED;;;;;;OAMG;IACH,eAAe,CAAC,QAAwB;QACpC,IAAI,CAAC;YACD,+DAA+D;YAC/D,MAAM,eAAe,GAAG,MAAM,CAAC,IAAI,CAAC,QAAQ,CAAC,SAAS,EAAE,QAAQ,CAAC,CAAC;YAClE,MAAM,OAAO,GAAG,IAAA,eAAM,EAClB,IAAI,EACJ,MAAM,CAAC,IAAI,CAAC,QAAQ,CAAC,OAAO,EAAE,MAAM,CAAC,EACrC,IAAI,CAAC,SAAS,EACd,eAAe,CAClB,CAAC;YACF,IAAI,CAAC,OAAO,EAAE,CAAC;gBACX,MAAM,IAAI,mCAA0B,CAAC,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;YAC5D,CAAC;YAED,mCAAmC;YACnC,MAAM,OAAO,GAAG,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC,OAAO,CAAmB,CAAC;YAE/D,iBAAiB;YACjB,IAAI,OAAO,CAAC,KAAK,KAAK,IAAI,CAAC,MAAM,CAAC,KAAK,EAAE,CAAC;gBACtC,MAAM,IAAI,2BAAkB,CAAC,IAAI,CAAC,MAAM,CAAC,KAAK,EAAE,OAAO,CAAC,KAAK,CAAC,CAAC;YACnE,CAAC;YAED,uBAAuB;YACvB,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;YACvB,MAAM,cAAc,GAAG,IAAI,CAAC,MAAM,CAAC,qBAAsB,GAAG,EAAE,GAAG,IAAI,CAAC;YACtE,MAAM,GAAG,GAAG,GAAG,GAAG,OAAO,CAAC,SAAS,CAAC;YACpC,IAAI,GAAG,GAAG,cAAc,EAAE,CAAC;gBACvB,MAAM,MAAM,GAAG,OAAO,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,KAAK,QAAQ;oBACjD,CAAC,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAW;oBAC9B,CAAC,CAAC,SAAS,CAAC;gBAChB,MAAM,IAAI,yBAAgB,CAAC,MAAM,EAAE,GAAG,EAAE,cAAc,CAAC,CAAC;YAC5D,CAAC;YAED,OAAO,IAAI,CAAC;QAChB,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACb,IAAI,KAAK,YAAY,2BAAkB;gBACnC,KAAK,YAAY,yBAAgB;gBACjC,KAAK,YAAY,mCAA0B,EAAE,CAAC;gBAC9C,MAAM,KAAK,CAAC;YAChB,CAAC;YACD,MAAM,IAAI,mCAA0B,CAAC,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;QAC5D,CAAC;IACL,CAAC;IAED;;;;;;;OAOG;IACH,MAAM,CAAC,eAAe,CAClB,SAAiB,EACjB,OAAe,EACf,SAAiB,EACjB,OAAgC;QAEhC,IAAI,CAAC;YACD,MAAM,eAAe,GAAG,MAAM,CAAC,IAAI,CAAC,SAAS,EAAE,QAAQ,CAAC,CAAC;YACzD,OAAO,IAAA,eAAM,EAAC,IAAI,EAAE,MAAM,CAAC,IAAI,CAAC,OAAO,EAAE,MAAM,CAAC,EAAE,SAAS,EAAE,eAAe,CAAC,CAAC;QAClF,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACb,MAAM,GAAG,GAAG,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,IAAI,KAAK,CAAC,eAAe,CAAC,CAAC;YACxE,IAAI,OAAO,EAAE,CAAC;gBACV,OAAO,CAAC,GAAG,CAAC,CAAC;YACjB,CAAC;iBAAM,IAAI,OAAO,OAAO,KAAK,WAAW,IAAI,OAAO,CAAC,GAAG,EAAE,CAAC,UAAU,CAAC,KAAK,YAAY,EAAE,CAAC;gBACtF,OAAO,CAAC,KAAK,CAAC,sCAAsC,EAAE,GAAG,CAAC,CAAC;YAC/D,CAAC;YACD,OAAO,KAAK,CAAC;QACjB,CAAC;IACL,CAAC;IAED;;OAEG;IACH,MAAM,CAAC,QAAQ,CACX,IAA6B,EAC7B,KAAa,EACb,UAAkB,EAClB,YAAoB,IAAI,CAAC,GAAG,EAAE;QAE9B,MAAM,OAAO,GAAmB,EAAE,KAAK,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC;QAC3D,MAAM,OAAO,GAAG,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,CAAC;QACxC,MAAM,SAAS,GAAG,IAAA,aAAI,EAAC,IAAI,EAAE,MAAM,CAAC,IAAI,CAAC,OAAO,EAAE,MAAM,CAAC,EAAE,UAAU,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;QAC1F,OAAO,EAAE,OAAO,EAAE,SAAS,EAAE,CAAC;IAClC,CAAC;IAED;;;;;;;;;;;;;;;OAeG;IACH,MAAM,CAAC,eAAe,CAClB,QAAgB,EAChB,cAAsB,EACtB,iBAAmC;QAEnC,IAAI,OAAO,QAAQ,KAAK,QAAQ,IAAI,QAAQ,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACxD,MAAM,IAAI,mCAA0B,CAAC,OAAO,EAAE,aAAa,CAAC,CAAC;QACjE,CAAC;QACD,MAAM,KAAK,GAAG,QAAQ,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QAClC,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,CAAC;YAC5D,MAAM,IAAI,mCAA0B,CAAC,OAAO,EAAE,eAAe,CAAC,CAAC;QACnE,CAAC;QACD,MAAM,SAAS,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;QAC3B,MAAM,UAAU,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;QAC5B,MAAM,YAAY,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;QAE9B,IAAI,MAA+B,CAAC;QACpC,IAAI,MAAuB,CAAC;QAC5B,IAAI,CAAC;YACD,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,uBAAuB,CAAC,SAAS,CAAC,CAAC,CAAC;YACxD,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,uBAAuB,CAAC,UAAU,CAAC,CAAoB,CAAC;QAChF,CAAC;QAAC,OAAO,EAAE,EAAE,CAAC;YACV,MAAM,IAAI,mCAA0B,CAAC,OAAO,EAAE,uBAAuB,CAAC,CAAC;QAC3E,CAAC;QAED,IAAI,MAAM,CAAC,KAAK,CAAC,KAAK,OAAO,EAAE,CAAC;YAC5B,MAAM,IAAI,mCAA0B,CAChC,OAAO,EACP,oBAAoB,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,EAAE,CAC9C,CAAC;QACN,CAAC;QAED,sDAAsD;QACtD,MAAM,YAAY,GAAG,GAAG,SAAS,IAAI,UAAU,EAAE,CAAC;QAClD,MAAM,cAAc,GAAG,uBAAuB,CAAC,YAAY,CAAC,CAAC;QAC7D,MAAM,QAAQ,GAAG,IAAA,qBAAY,EAAC,YAAY,CAAC,CAAC;QAC5C,QAAQ,CAAC,MAAM,CAAC,YAAY,CAAC,CAAC;QAC9B,QAAQ,CAAC,GAAG,EAAE,CAAC;QACf,MAAM,KAAK,GAAG,QAAQ,CAAC,MAAM,CAAC,cAAc,EAAE,cAAc,CAAC,CAAC;QAC9D,IAAI,CAAC,KAAK,EAAE,CAAC;YACT,MAAM,IAAI,mCAA0B,CAAC,OAAO,EAAE,oBAAoB,CAAC,CAAC;QACxE,CAAC;QAED,IAAI,MAAM,CAAC,GAAG,KAAK,OAAO,EAAE,CAAC;YACzB,MAAM,IAAI,mCAA0B,CAChC,OAAO,EACP,sBAAsB,MAAM,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,CAC7C,CAAC;QACN,CAAC;QACD,IAAI,iBAAiB,KAAK,SAAS,IAAI,MAAM,CAAC,GAAG,KAAK,MAAM,CAAC,iBAAiB,CAAC,EAAE,CAAC;YAC9E,MAAM,IAAI,mCAA0B,CAChC,OAAO,EACP,gCAAgC,MAAM,CAAC,GAAG,cAAc,MAAM,CAAC,iBAAiB,CAAC,EAAE,CACtF,CAAC;QACN,CAAC;QAED,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;QAC7C,IAAI,OAAO,MAAM,CAAC,GAAG,KAAK,QAAQ,IAAI,MAAM,CAAC,GAAG,IAAI,MAAM,EAAE,CAAC;YACzD,MAAM,IAAI,yBAAgB,CAAC,YAAY,EAAE,CAAC,MAAM,GAAG,CAAC,MAAM,CAAC,GAAG,IAAI,CAAC,CAAC,CAAC,GAAG,IAAI,EAAE,CAAC,CAAC,CAAC;QACrF,CAAC;QAED,sDAAsD;QACtD,IAAI,OAAO,MAAM,CAAC,KAAK,CAAC,KAAK,QAAQ,EAAE,CAAC;YACpC,MAAM,CAAC,GAAG,GAAG,MAAM,CAAC,KAAK,CAAW,CAAC;QACzC,CAAC;QACD,OAAO,MAAM,CAAC;IAClB,CAAC;IAED;;;;;;;;;;;;;OAaG;IACH,MAAM,CAAC,KAAK,CAAC,2BAA2B,CACpC,QAAgB,EAChB,QAAgC,EAChC,iBAAmC;QAEnC,IAAI,OAAO,QAAQ,KAAK,QAAQ,IAAI,QAAQ,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACxD,MAAM,IAAI,mCAA0B,CAAC,OAAO,EAAE,aAAa,CAAC,CAAC;QACjE,CAAC;QACD,MAAM,KAAK,GAAG,QAAQ,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QAClC,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,CAAC;YAC5D,MAAM,IAAI,mCAA0B,CAAC,OAAO,EAAE,eAAe,CAAC,CAAC;QACnE,CAAC;QAED,IAAI,MAA+B,CAAC;QACpC,IAAI,CAAC;YACD,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,uBAAuB,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;QAC3D,CAAC;QAAC,OAAO,EAAE,EAAE,CAAC;YACV,MAAM,IAAI,mCAA0B,CAAC,OAAO,EAAE,gBAAgB,CAAC,CAAC;QACpE,CAAC;QAED,MAAM,GAAG,GAAG,MAAM,CAAC,KAAK,CAAC,CAAC;QAC1B,IAAI,OAAO,GAAG,KAAK,QAAQ,IAAI,GAAG,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YAC9C,MAAM,IAAI,mCAA0B,CAAC,OAAO,EAAE,wBAAwB,CAAC,CAAC;QAC5E,CAAC;QAED,MAAM,GAAG,GAAG,MAAM,QAAQ,CAAC,GAAG,CAAC,CAAC;QAChC,IAAI,CAAC,GAAG,EAAE,CAAC;YACP,8DAA8D;YAC9D,8DAA8D;YAC9D,MAAM,IAAI,mCAA0B,CAChC,OAAO,EACP,0BAA0B,GAAG,EAAE,CAClC,CAAC;QACN,CAAC;QAED,OAAO,OAAO,CAAC,eAAe,CAAC,QAAQ,EAAE,GAAG,EAAE,iBAAiB,CAAC,CAAC;IACrE,CAAC;IAED;;;;;;;;;;;;;;;;;;;;;;;OAuBG;IACH,MAAM,CAAC,KAAK,CAAC,gBAAgB,CAAC,IAM7B;QACG,IAAI,CAAC,IAAI,IAAI,CAAC,IAAI,CAAC,OAAO;YAAK,MAAM,IAAI,KAAK,CAAC,uCAAuC,CAAC,CAAC;QACxF,IAAI,IAAI,CAAC,SAAS,KAAK,SAAS,IAAI,IAAI,CAAC,SAAS,KAAK,IAAI,EAAE,CAAC;YAC1D,MAAM,IAAI,KAAK,CAAC,yCAAyC,CAAC,CAAC;QAC/D,CAAC;QACD,IAAI,IAAI,CAAC,MAAM,KAAK,SAAS,IAAI,IAAI,CAAC,MAAM,KAAK,IAAI,EAAE,CAAC;YACpD,MAAM,IAAI,KAAK,CAAC,sCAAsC,CAAC,CAAC;QAC5D,CAAC;QACD,IAAI,OAAO,IAAI,CAAC,UAAU,KAAK,QAAQ,IAAI,IAAI,CAAC,UAAU,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACtE,MAAM,IAAI,KAAK,CAAC,gDAAgD,CAAC,CAAC;QACtE,CAAC;QAED,MAAM,SAAS,GAAG,IAAI,CAAC,KAAK,IAAI,UAAU,CAAC,KAAK,CAAC;QACjD,IAAI,OAAO,SAAS,KAAK,UAAU,EAAE,CAAC;YAClC,MAAM,IAAI,KAAK,CACX,6FAA6F,CAChG,CAAC;QACN,CAAC;QAED,MAAM,QAAQ,GAAG;YACb,UAAU,EAAE,IAAI,CAAC,SAAS;YAC1B,OAAO,EAAE,IAAI,CAAC,MAAM;YACpB,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE;YACrB,KAAK,EAAE,IAAA,oBAAW,EAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC;SACzC,CAAC;QACF,MAAM,UAAU,GAAG,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,CAAC;QAC5C,MAAM,SAAS,GAAG,IAAA,aAAI,EAAC,IAAI,EAAE,MAAM,CAAC,IAAI,CAAC,UAAU,EAAE,MAAM,CAAC,EAAE,IAAI,CAAC,UAAU,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;QAElG,MAAM,OAAO,GAAG,IAAI,CAAC,OAAO,CAAC,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC;QACjD,MAAM,GAAG,GAAG,GAAG,OAAO,6BAA6B,kBAAkB,CAAC,MAAM,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC,UAAU,kBAAkB,CAAC,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,UAAU,CAAC;QAEzJ,MAAM,GAAG,GAAG,MAAM,SAAS,CAAC,GAAG,EAAE;YAC7B,MAAM,EAAE,MAAM;YACd,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE;YAC/C,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,QAAQ,EAAE,SAAS,EAAE,CAAC;SAChD,CAAC,CAAC;QAEH,IAAI,IAAa,CAAC;QAClB,IAAI,CAAC;YAAC,IAAI,GAAG,MAAM,GAAG,CAAC,IAAI,EAAE,CAAC;QAAC,CAAC;QAChC,OAAO,EAAE,EAAE,CAAC;YAAC,IAAI,GAAG,IAAI,CAAC;QAAC,CAAC;QAE3B,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC;YACV,MAAM,GAAG,GAAG,mBAAmB,CAAC,IAAI,CAAC,IAAI,QAAQ,GAAG,CAAC,MAAM,EAAE,CAAC;YAC9D,MAAM,IAAI,KAAK,CAAC,+BAA+B,GAAG,EAAE,CAAC,CAAC;QAC1D,CAAC;QAED,MAAM,MAAM,GAAG,CAAC,IAAI,IAAI,OAAO,IAAI,KAAK,QAAQ,IAAI,QAAQ,IAAI,IAAI,CAAC;YACjE,CAAC,CAAE,IAA4B,CAAC,MAAM;YACtC,CAAC,CAAC,IAAI,CAAC;QACX,IAAI,CAAC,MAAM,IAAI,OAAO,MAAM,KAAK,QAAQ,EAAE,CAAC;YACxC,MAAM,IAAI,KAAK,CAAC,gDAAgD,CAAC,CAAC;QACtE,CAAC;QACD,MAAM,CAAC,GAAG,MAAiC,CAAC;QAC5C,OAAO;YACH,OAAO,EAAE,MAAM,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC;YAC7B,UAAU,EAAE,OAAO,CAAC,CAAC,YAAY,CAAC,KAAK,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC,YAAY,CAAW,CAAC,CAAC,CAAC,IAAI;YAClF,SAAS,EAAG,OAAO,CAAC,CAAC,WAAW,CAAC,KAAM,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC,WAAW,CAAY,CAAC,CAAC,CAAC,IAAI;YAClF,YAAY,EAAE,OAAO,CAAC,CAAC,cAAc,CAAC,KAAK,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC,cAAc,CAAW,CAAC,CAAC,CAAC,IAAI;SAC3F,CAAC;IACN,CAAC;CACJ;AA1lBD,0BA0lBC;AAED,SAAS,mBAAmB,CAAC,IAAa;IACtC,IAAI,CAAC,IAAI,IAAI,OAAO,IAAI,KAAK,QAAQ;QAAE,OAAO,IAAI,CAAC;IACnD,MAAM,CAAC,GAAG,IAA+B,CAAC;IAC1C,IAAI,OAAO,CAAC,CAAC,SAAS,CAAC,KAAK,QAAQ;QAAE,OAAO,CAAC,CAAC,SAAS,CAAW,CAAC;IACpE,IAAI,CAAC,CAAC,OAAO,CAAC,IAAI,OAAO,CAAC,CAAC,OAAO,CAAC,KAAK,QAAQ,EAAE,CAAC;QAC/C,MAAM,CAAC,GAAG,CAAC,CAAC,OAAO,CAA4B,CAAC;QAChD,IAAI,OAAO,CAAC,CAAC,SAAS,CAAC,KAAK,QAAQ;YAAE,OAAO,CAAC,CAAC,SAAS,CAAW,CAAC;IACxE,CAAC;IACD,IAAI,OAAO,CAAC,CAAC,OAAO,CAAC,KAAK,QAAQ;QAAE,OAAO,CAAC,CAAC,OAAO,CAAW,CAAC;IAChE,OAAO,IAAI,CAAC;AAChB,CAAC;AAED,4EAA4E;AAC5E,0EAA0E;AAE1E,SAAS,uBAAuB,CAAC,KAAa;IAC1C,MAAM,MAAM,GAAG,KAAK,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC;QACtD,KAAK,CAAC,KAAK,CAAC,CAAC,KAAK,CAAC,MAAM,GAAG,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;IACxC,OAAO,MAAM,CAAC,IAAI,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC;AACzC,CAAC;AAED,SAAS,uBAAuB,CAAC,KAAa;IAC1C,OAAO,uBAAuB,CAAC,KAAK,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;AAC3D,CAAC"}

package/dist/core/key-store.d.ts

@@ -0,0 +1,51 @@
+export type KeyState = 'active' | 'rotating' | 'expired' | 'unknown';
+export interface KeyLookup {
+    state: KeyState;
+    publicKey: string | null;
+    expiresAt: string | null;
+}
+export interface YeriaKeyStoreOptions {
+    /**
+     * Base URL of the Yeria platform — e.g. `https://yeria.app`. Trailing
+     * slash optional. The store appends `/api/v1/public/registry/...`.
+     */
+    baseUrl: string;
+    /**
+     * Cache lifetime per kid, in milliseconds. Default 10 minutes.
+     * Applies to both positive (PEM) and negative (expired/unknown)
+     * cache entries.
+     */
+    ttlMs?: number;
+    /**
+     * Inject a `fetch` implementation. Defaults to the global `fetch` —
+     * Node 18+ ships it natively. Tests override to avoid real HTTP.
+     */
+    fetch?: typeof fetch;
+}
+export declare class YeriaKeyStore {
+    private readonly baseUrl;
+    private readonly ttlMs;
+    private readonly fetchImpl;
+    private readonly cache;
+    constructor(opts: YeriaKeyStoreOptions);
+    /**
+     * Resolve a kid to a PEM. Returns null when the key is expired or
+     * unknown — the caller should reject the inbound token in that case.
+     */
+    getByKid(kid: string): Promise<string | null>;
+    /**
+     * Resolve a kid to its full trust state. Same network/cache behaviour
+     * as `getByKid` — exposed for callers that want to log / branch on
+     * the state.
+     */
+    getState(kid: string): Promise<KeyState>;
+    /** Drop a single cache entry. Use after a verify failure to force a
+     *  refetch on the retry — covers the case where Yeria rotated a key
+     *  out from under our cache. */
+    invalidate(kid: string): void;
+    /** Drop the entire cache. */
+    invalidateAll(): void;
+    private lookup;
+    private fetchFromYeria;
+}
+//# sourceMappingURL=key-store.d.ts.map

package/dist/core/key-store.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"key-store.d.ts","sourceRoot":"","sources":["../../src/core/key-store.ts"],"names":[],"mappings":"AAyBA,MAAM,MAAM,QAAQ,GAAG,QAAQ,GAAG,UAAU,GAAG,SAAS,GAAG,SAAS,CAAC;AAErE,MAAM,WAAW,SAAS;IACtB,KAAK,EAAE,QAAQ,CAAC;IAChB,SAAS,EAAE,MAAM,GAAG,IAAI,CAAC;IACzB,SAAS,EAAE,MAAM,GAAG,IAAI,CAAC;CAC5B;AAED,MAAM,WAAW,oBAAoB;IACjC;;;OAGG;IACH,OAAO,EAAE,MAAM,CAAC;IAChB;;;;OAIG;IACH,KAAK,CAAC,EAAE,MAAM,CAAC;IACf;;;OAGG;IACH,KAAK,CAAC,EAAE,OAAO,KAAK,CAAC;CACxB;AASD,qBAAa,aAAa;IACtB,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAS;IACjC,OAAO,CAAC,QAAQ,CAAC,KAAK,CAAS;IAC/B,OAAO,CAAC,QAAQ,CAAC,SAAS,CAAe;IACzC,OAAO,CAAC,QAAQ,CAAC,KAAK,CAAiC;gBAE3C,IAAI,EAAE,oBAAoB;IAetC;;;OAGG;IACG,QAAQ,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC;IAKnD;;;;OAIG;IACG,QAAQ,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,QAAQ,CAAC;IAK9C;;oCAEgC;IAChC,UAAU,CAAC,GAAG,EAAE,MAAM,GAAG,IAAI;IAI7B,6BAA6B;IAC7B,aAAa,IAAI,IAAI;YAIP,MAAM;YAeN,cAAc;CAuC/B"}