npm - @openid4vc/openid4vp - Versions diffs - 0.3.0-alpha-20250304095426 → 0.3.0-alpha-20250307131618 - Mend

@openid4vc/openid4vp 0.3.0-alpha-20250304095426 → 0.3.0-alpha-20250307131618

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

package/dist/index.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"sources":["../src/index.ts","../src/client-identifier-scheme/z-client-id-scheme.ts","../src/jarm/jarm-auth-response/verify-jarm-auth-response.ts","../src/jarm/jarm-auth-response/jarm-validate-auth-response.ts","../src/jarm/jarm-auth-response/z-jarm-auth-response.ts","../src/jarm/metadata/z-jarm-client-metadata.ts","../src/authorization-request/create-authorization-request.ts","../src/jar/create-jar-auth-request.ts","../src/authorization-request/validate-authorization-request.ts","../src/authorization-request/validate-authorization-request-dc-api.ts","../src/authorization-request/z-authorization-request.ts","../src/models/z-client-metadata.ts","../src/models/z-vp-formats-supported.ts","../src/authorization-request/z-authorization-request-dc-api.ts","../src/authorization-request/parse-authorization-request-params.ts","../src/jar/z-jar-auth-request.ts","../src/authorization-request/resolve-authorization-request.ts","../src/client-identifier-scheme/parse-client-identifier-scheme.ts","../src/version.ts","../src/fetch-client-metadata.ts","../src/models/z-wallet-metadata.ts","../src/jar/handle-jar-request/verify-jar-request.ts","../src/jar/jar-request-object/fetch-jar-request-object.ts","../src/jar/jar-request-object/z-jar-request-object.ts","../src/transaction-data/parse-transaction-data.ts","../src/transaction-data/z-transaction-data.ts","../src/authorization-response/create-authorization-response.ts","../../utils/src/date.ts","../src/jarm/jarm-auth-response-create.ts","../src/jarm/jarm-extract-jwks.ts","../src/jarm/jarm-response-mode.ts","../src/jarm/metadata/jarm-assert-metadata-supported.ts","../src/authorization-response/submit-authorization-response.ts","../src/jarm/jarm-auth-response-send.ts","../src/authorization-response/validate-authorization-response.ts","../src/vp-token/parse-vp-token.ts","../src/vp-token/z-vp-token.ts","../src/authorization-response/parse-authorization-response.ts","../src/authorization-response/parse-authorization-response-payload.ts","../src/authorization-response/z-authorization-response.ts","../src/models/z-pex.ts","../src/authorization-response/parse-jarm-authorization-response.ts","../src/Openid4vpClient.ts","../src/Openid4vpVerifier.ts","../src/models/z-credential-formats.ts","../src/models/z-proof-formats.ts"],"sourcesContent":["export { zClientIdScheme, ClientIdScheme } from './client-identifier-scheme/z-client-id-scheme'\nexport {\n verifyJarmAuthorizationResponse,\n type VerifyJarmAuthorizationResponseOptions,\n type JarmMode,\n} from './jarm/jarm-auth-response/verify-jarm-auth-response'\nexport { zJarmClientMetadata, JarmClientMetadata } from './jarm/metadata/z-jarm-client-metadata'\nexport {\n createOpenid4vpAuthorizationRequest,\n CreateOpenid4vpAuthorizationRequestOptions,\n} from './authorization-request/create-authorization-request'\nexport {\n parseOpenid4vpAuthorizationRequestPayload,\n ParseOpenid4vpAuthRequestPayloadOptions,\n} from './authorization-request/parse-authorization-request-params'\nexport {\n resolveOpenid4vpAuthorizationRequest,\n ResolveOpenid4vpAuthorizationRequestOptions,\n ResolvedOpenid4vpAuthRequest,\n} from './authorization-request/resolve-authorization-request'\nexport type { Openid4vpAuthorizationRequest } from './authorization-request/z-authorization-request'\nexport {\n validateOpenid4vpAuthorizationRequestPayload,\n ValidateOpenid4vpAuthorizationRequestPayloadOptions,\n WalletVerificationOptions,\n} from './authorization-request/validate-authorization-request'\nexport {\n createOpenid4vpAuthorizationResponse,\n CreateOpenid4vpAuthorizationResponseOptions,\n CreateOpenid4vpAuthorizationResponseResult,\n} from './authorization-response/create-authorization-response'\nexport {\n submitOpenid4vpAuthorizationResponse,\n SubmitOpenid4vpAuthorizationResponseOptions,\n} from './authorization-response/submit-authorization-response'\nexport {\n validateOpenid4vpAuthorizationResponsePayload,\n ValidateOpenid4vpAuthorizationResponseOptions,\n} from './authorization-response/validate-authorization-response'\nexport {\n parseTransactionData,\n ParseTransactionDataOptions,\n} from './transaction-data/parse-transaction-data'\nexport type { TransactionDataEntry } from './transaction-data/z-transaction-data'\nexport {\n parsePexVpToken,\n parseDcqlVpToken,\n} from './vp-token/parse-vp-token'\n\nexport {\n parseOpenid4vpAuthorizationResponse,\n ParseOpenid4vpAuthorizationResponseOptions,\n ParsedOpenid4vpAuthorizationResponse,\n} from './authorization-response/parse-authorization-response'\n\nexport {\n parseJarmAuthorizationResponse,\n ParseJarmAuthorizationResponseOptions,\n} from './authorization-response/parse-jarm-authorization-response'\n\nexport {\n ValidateOpenid4VpPexAuthorizationResponseResult,\n ValidateOpenid4VpDcqlAuthorizationResponseResult,\n ValidateOpenid4VpAuthorizationResponseResult,\n} from './authorization-response/validate-authorization-response-result'\n\nexport { Openid4vpClient } from './Openid4vpClient'\nexport { Openid4vpVerifier } from './Openid4vpVerifier'\nexport {\n zOpenid4vpAuthorizationResponse,\n Openid4vpAuthorizationResponse,\n} from './authorization-response/z-authorization-response'\n\nexport { isJarmResponseMode } from './jarm/jarm-response-mode'\n\nexport {\n isOpenid4vpAuthorizationRequestDcApi,\n type Openid4vpAuthorizationRequestDcApi,\n} from './authorization-request/z-authorization-request-dc-api'\n\nexport {\n zClientMetadata,\n ClientMetadata,\n} from './models/z-client-metadata'\n\nexport {\n zCredentialFormat,\n CredentialFormat,\n} from './models/z-credential-formats'\n\nexport {\n zProofFormat,\n ProofFormat,\n} from './models/z-proof-formats'\n\nexport {\n zWalletMetadata,\n WalletMetadata,\n} from './models/z-wallet-metadata'\n","import { z } from 'zod'\n\nexport const zClientIdScheme = z.enum([\n 'pre-registered',\n 'redirect_uri',\n 'https',\n 'verifier_attestation',\n 'did',\n 'x509_san_dns',\n 'x509_san_uri',\n 'web-origin',\n])\n\nexport type ClientIdScheme = z.infer<typeof zClientIdScheme>\n","import {\n type CallbackContext,\n Oauth2Error,\n decodeJwt,\n decodeJwtHeader,\n jwtSignerFromJwt,\n zCompactJwe,\n zCompactJwt,\n zJwtHeader,\n} from '@openid4vc/oauth2'\nimport z from 'zod'\nimport { jarmAuthResponseValidate } from './jarm-validate-auth-response'\nimport {\n type JarmAuthResponse,\n type JarmAuthResponseEncryptedOnly,\n zJarmAuthResponse,\n zJarmAuthResponseEncryptedOnly,\n} from './z-jarm-auth-response'\n\nexport enum JarmMode {\n Signed = 'Signed',\n Encrypted = 'Encrypted',\n SignedEncrypted = 'SignedEncrypted',\n}\n\nexport type GetOpenid4vpAuthorizationRequestCallback = (\n authResponse: JarmAuthResponse \| JarmAuthResponseEncryptedOnly\n) => Promise<{ authorizationRequest: { client_id: string; nonce: string; state?: string } }>\n\n/*\n The client decrypts the JWT using the default key for the respective issuer or,\n * if applicable, determined by the kid JWT header parameter.\n * The key might be a private key, where the corresponding public key is registered\n * with the expected issuer of the response (\"use\":\"enc\" via the client's metadata jwks or jwks_uri)\n * or a key derived from its client secret (see Section 2.2).\n /\nconst decryptJarmRequestData = async (options: {\n requestData: string\n callbacks: Pick<CallbackContext, 'decryptJwe'>\n}) => {\n const { requestData, callbacks } = options\n\n const { header } = decodeJwtHeader({ jwt: requestData })\n if (!header.kid) {\n throw new Oauth2Error('Jarm JWE is missing the protected header field \"kid\".')\n }\n\n const result = await callbacks.decryptJwe(requestData)\n if (!result.decrypted) {\n throw new Oauth2Error('Failed to decrypt jarm auth response.')\n }\n\n return result.payload\n}\n\nexport interface VerifyJarmAuthorizationResponseOptions {\n jarmAuthorizationResponseJwt: string\n callbacks: Pick<CallbackContext, 'decryptJwe' \| 'verifyJwt'> & {\n getOpenid4vpAuthorizationRequest: GetOpenid4vpAuthorizationRequestCallback\n }\n}\n\nexport type VerifiedJarmAuthorizationResponse = Awaited<ReturnType<typeof verifyJarmAuthorizationResponse>>\n\n/\n Validate a JARM direct_post.jwt compliant authentication response\n * * The decryption key should be resolvable using the the protected header's 'kid' field\n * * The signature verification jwk should be resolvable using the jws protected header's 'kid' field and the payload's 'iss' field.\n /\nexport async function verifyJarmAuthorizationResponse(options: VerifyJarmAuthorizationResponseOptions) {\n const { jarmAuthorizationResponseJwt, callbacks } = options\n\n const requestDataIsEncrypted = zCompactJwe.safeParse(jarmAuthorizationResponseJwt).success\n const decryptedRequestData = requestDataIsEncrypted\n ? await decryptJarmRequestData({ requestData: jarmAuthorizationResponseJwt, callbacks })\n : jarmAuthorizationResponseJwt\n\n const responseIsSigned = zCompactJwt.safeParse(decryptedRequestData).success\n if (!requestDataIsEncrypted && !responseIsSigned) {\n throw new Oauth2Error('Jarm Auth Response must be either encrypted, signed, or signed and encrypted.')\n }\n\n let jarmAuthResponse: JarmAuthResponse \| JarmAuthResponseEncryptedOnly\n\n if (responseIsSigned) {\n const { header: jwsProtectedHeader, payload: jwsPayload } = decodeJwt({\n jwt: decryptedRequestData,\n headerSchema: z.object({ ...zJwtHeader.shape, kid: z.string() }),\n })\n\n const response = zJarmAuthResponse.parse(jwsPayload)\n const jwtSigner = jwtSignerFromJwt({ header: jwsProtectedHeader, payload: jwsPayload })\n\n const verificationResult = await options.callbacks.verifyJwt(jwtSigner, {\n compact: decryptedRequestData,\n header: jwsProtectedHeader,\n payload: jwsPayload,\n })\n\n if (!verificationResult.verified) {\n throw new Oauth2Error('Jarm Auth Response is not valid.')\n }\n\n jarmAuthResponse = response\n } else {\n const jsonRequestData: unknown = JSON.parse(decryptedRequestData)\n jarmAuthResponse = zJarmAuthResponseEncryptedOnly.parse(jsonRequestData)\n }\n\n const { authorizationRequest } = await callbacks.getOpenid4vpAuthorizationRequest(jarmAuthResponse)\n\n jarmAuthResponseValidate({\n clientId: authorizationRequest.client_id,\n authorizationResponse: jarmAuthResponse,\n })\n const type: JarmMode =\n requestDataIsEncrypted && responseIsSigned\n ? JarmMode.SignedEncrypted\n : requestDataIsEncrypted\n ? JarmMode.Encrypted\n : JarmMode.Signed\n\n const issuer = jarmAuthResponse.iss\n return { authorizationRequest, jarmAuthResponse, type, issuer }\n}\n","import { Oauth2Error } from '@openid4vc/oauth2'\nimport { dateToSeconds } from '@openid4vc/utils'\nimport { type JarmAuthResponse, type JarmAuthResponseEncryptedOnly, zJarmAuthResponse } from './z-jarm-auth-response'\n\nexport const jarmAuthResponseValidate = (options: {\n clientId: string\n authorizationResponse: JarmAuthResponse \| JarmAuthResponseEncryptedOnly\n}) => {\n const { clientId, authorizationResponse } = options\n\n // The traditional Jarm Validation Methods do not account for the encrypted response.\n if (!zJarmAuthResponse.safeParse(authorizationResponse).success) {\n return\n }\n\n // 3. The client obtains the aud element from the JWT and checks whether it matches the client id the client used to identify itself in the corresponding authorization request. If the check fails, the client MUST abort processing and refuse the response.\n if (clientId !== authorizationResponse.aud) {\n throw new Oauth2Error(\n `Invalid 'aud' claim in JARM authorization response. Expected '${\n clientId\n }' received '${JSON.stringify(authorizationResponse.aud)}'.`\n )\n }\n\n // 4. The client checks the JWT's exp element to determine if the JWT is still valid. If the check fails, the client MUST abort processing and refuse the response.\n // 120 seconds clock skew\n if (authorizationResponse.exp !== undefined && authorizationResponse.exp < dateToSeconds()) {\n throw new Oauth2Error('Jarm auth response is expired.')\n }\n}\n","import { zJwtHeader, zJwtPayload } from '@openid4vc/oauth2'\nimport { z } from 'zod'\n\nexport const zJarmHeader = z.object({ ...zJwtHeader.shape, apu: z.string().optional(), apv: z.string().optional() })\nexport type JarmHeader = z.infer<typeof zJarmHeader>\n\nexport const zJarmAuthResponse = z\n .object({\n /\n iss: The issuer URL of the authorization server that created the response\n * aud: The client_id of the client the response is intended for\n * exp: The expiration time of the JWT. A maximum JWT lifetime of 10 minutes is RECOMMENDED.\n /\n ...zJwtPayload.shape,\n ...zJwtPayload.pick({ iss: true, aud: true, exp: true }).required().shape,\n state: z.optional(z.string()),\n })\n .passthrough()\n\nexport type JarmAuthResponse = z.infer<typeof zJarmAuthResponse>\n\nexport const zJarmAuthResponseEncryptedOnly = z\n .object({\n ...zJwtPayload.shape,\n state: z.optional(z.string()),\n })\n .passthrough()\nexport type JarmAuthResponseEncryptedOnly = z.infer<typeof zJarmAuthResponseEncryptedOnly>\n","import { Oauth2Error, zAlgValueNotNone } from '@openid4vc/oauth2'\nimport { parseWithErrorHandling } from '@openid4vc/utils'\nimport { z } from 'zod'\n\nexport const zJarmSignOnlyClientMetadata = z.object({\n authorization_signed_response_alg: zAlgValueNotNone,\n\n authorization_encrypted_response_alg: z.optional(z.never()),\n authorization_encrypted_response_enc: z.optional(z.never()),\n})\nexport type JarmSignOnlyClientMetadata = z.infer<typeof zJarmSignOnlyClientMetadata>\n\nexport const zJarmEncryptOnlyClientMetadata = z.object({\n authorization_signed_response_alg: z.optional(z.never()),\n authorization_encrypted_response_alg: z.string(),\n\n authorization_encrypted_response_enc: z.optional(z.string()),\n})\nexport type JarmEncryptOnlyClientMetadata = z.infer<typeof zJarmEncryptOnlyClientMetadata>\n\nexport const zJarmSignEncryptClientMetadata = z.object({\n authorization_signed_response_alg: zJarmSignOnlyClientMetadata.shape.authorization_signed_response_alg,\n authorization_encrypted_response_alg: zJarmEncryptOnlyClientMetadata.shape.authorization_encrypted_response_alg,\n authorization_encrypted_response_enc: zJarmEncryptOnlyClientMetadata.shape.authorization_encrypted_response_enc,\n})\nexport type JarmSignEncryptClientMetadata = z.infer<typeof zJarmSignEncryptClientMetadata>\n\n/\n Clients may register their public encryption keys using the jwks_uri or jwks metadata parameters.\n /\nexport const zJarmClientMetadata = z.object({\n authorization_signed_response_alg: z.optional(zJarmSignOnlyClientMetadata.shape.authorization_signed_response_alg),\n authorization_encrypted_response_alg: z.optional(\n zJarmEncryptOnlyClientMetadata.shape.authorization_encrypted_response_alg\n ),\n authorization_encrypted_response_enc: z.optional(\n zJarmEncryptOnlyClientMetadata.shape.authorization_encrypted_response_enc\n ),\n})\nexport type JarmClientMetadata = z.infer<typeof zJarmClientMetadata>\n\nexport const zJarmClientMetadataParsed = zJarmClientMetadata.transform((client_metadata) => {\n const parsedClientMeta = parseWithErrorHandling(\n z.union([zJarmEncryptOnlyClientMetadata, zJarmSignOnlyClientMetadata, zJarmSignEncryptClientMetadata]),\n client_metadata,\n 'Invalid jarm client metadata.'\n )\n\n const SignEncrypt = zJarmSignEncryptClientMetadata.safeParse(parsedClientMeta)\n if (SignEncrypt.success) {\n return {\n type: 'sign_encrypt',\n client_metadata: {\n ...SignEncrypt.data,\n authorization_encrypted_response_enc: client_metadata.authorization_encrypted_response_enc ?? 'A128CBC-HS256',\n },\n } as const\n }\n\n const encryptOnly = zJarmEncryptOnlyClientMetadata.safeParse(parsedClientMeta)\n if (encryptOnly.success) {\n return {\n type: 'encrypt',\n client_metadata: {\n ...encryptOnly.data,\n authorization_encrypted_response_enc: parsedClientMeta.authorization_encrypted_response_enc ?? 'A128CBC-HS256',\n },\n } as const\n }\n\n // this must be the last entry\n const signOnly = zJarmSignOnlyClientMetadata.safeParse(parsedClientMeta)\n if (signOnly.success) {\n return {\n type: 'sign',\n client_metadata: {\n ...signOnly.data,\n authorization_signed_response_alg: parsedClientMeta.authorization_signed_response_alg ?? 'RS256',\n },\n } as const\n }\n\n throw new Oauth2Error('Invalid jarm client metadata. Failed to parse.')\n})\nexport type JarmClientMetadataParsed = z.infer<typeof zJarmClientMetadataParsed>\n","import { type CallbackContext, type JwtSigner, Oauth2Error } from '@openid4vc/oauth2'\nimport { URL, URLSearchParams, objectToQueryParams, parseWithErrorHandling } from '@openid4vc/utils'\nimport { createJarAuthRequest } from '../jar/create-jar-auth-request'\nimport {\n type WalletVerificationOptions,\n validateOpenid4vpAuthorizationRequestPayload,\n} from './validate-authorization-request'\nimport { validateOpenid4vpAuthorizationRequestDcApiPayload } from './validate-authorization-request-dc-api'\nimport { type Openid4vpAuthorizationRequest, zOpenid4vpAuthorizationRequest } from './z-authorization-request'\nimport {\n type Openid4vpAuthorizationRequestDcApi,\n isOpenid4vpAuthorizationRequestDcApi,\n zOpenid4vpAuthorizationRequestDcApi,\n} from './z-authorization-request-dc-api'\n\nexport interface CreateOpenid4vpAuthorizationRequestOptions {\n scheme?: string\n requestPayload: Openid4vpAuthorizationRequest \| Openid4vpAuthorizationRequestDcApi\n jar?: {\n requestUri?: string\n jwtSigner: JwtSigner\n additionalJwtPayload?: Record<string, unknown>\n }\n wallet?: WalletVerificationOptions\n callbacks: Pick<CallbackContext, 'signJwt' \| 'encryptJwe'>\n}\n\n/\n Creates an OpenID4VP authorization request, optionally with a JWT Secured Authorization Request (JAR)\n * If the request is created after receiving wallet metadata via a POST to the request_uri endpoint, the wallet nonce needs to be provided\n \n @param options Configuration options for creating the authorization request\n * @param input.scheme Optional URI scheme to use (defaults to 'openid4vp://')\n * @param input.requestParams The OpenID4VP authorization request parameters\n * @param input.jar Optional JWT Secured Authorization Request (JAR) configuration\n * @param input.jar.requestUri The URI where the JAR will be accessible\n * @param input.jar.jwtSigner Function to sign the JAR JWT\n * @param input.jar.jweEncryptor Optional function to encrypt the JAR JWT\n * @param input.jar.additionalJwtPayload Optional additional claims to include in JAR JWT\n * @param input.wallet Optional wallet-specific parameters\n * @param input.wallet.nonce Optional wallet nonce\n * @param input.callbacks Callback functions for JWT operations\n * @returns Object containing the authorization request parameters, URI and optional JAR details\n /\nexport async function createOpenid4vpAuthorizationRequest(options: CreateOpenid4vpAuthorizationRequestOptions) {\n const { jar, scheme = 'openid4vp://', requestPayload, wallet, callbacks } = options\n\n let additionalJwtPayload: Record<string, unknown> \| undefined\n\n let authRequestParams: Openid4vpAuthorizationRequest \| Openid4vpAuthorizationRequestDcApi\n if (isOpenid4vpAuthorizationRequestDcApi(requestPayload)) {\n authRequestParams = parseWithErrorHandling(\n zOpenid4vpAuthorizationRequestDcApi,\n requestPayload,\n 'Invalid authorization request. Could not parse openid4vp dc_api authorization request.'\n )\n\n if (jar && !authRequestParams.expected_origins) {\n throw new Oauth2Error(\n `The 'expected_origins' parameter MUST be present when using the dc_api response mode in combination with jar.`\n )\n }\n\n validateOpenid4vpAuthorizationRequestDcApiPayload({\n params: authRequestParams,\n isJarRequest: Boolean(jar),\n omitOriginValidation: true,\n })\n } else {\n authRequestParams = parseWithErrorHandling(\n zOpenid4vpAuthorizationRequest,\n requestPayload,\n 'Invalid authorization request. Could not parse openid4vp authorization request.'\n )\n validateOpenid4vpAuthorizationRequestPayload({ params: authRequestParams, walletVerificationOptions: wallet })\n }\n\n if (jar) {\n if (!jar.additionalJwtPayload?.aud) {\n additionalJwtPayload = { ...jar.additionalJwtPayload, aud: jar.requestUri }\n }\n }\n\n if (jar) {\n const jarResult = await createJarAuthRequest({\n ...jar,\n authRequestParams: requestPayload,\n additionalJwtPayload,\n callbacks,\n })\n\n const url = new URL(scheme)\n url.search = `?${new URLSearchParams([\n ...url.searchParams.entries(),\n ...objectToQueryParams(jarResult.requestParams).entries(),\n ]).toString()}`\n\n return {\n authRequestObject: jarResult.requestParams,\n authRequest: url.toString(),\n jar: { ...jar, ...jarResult },\n }\n }\n\n const url = new URL(scheme)\n url.search = `?${new URLSearchParams([\n ...url.searchParams.entries(),\n ...objectToQueryParams(requestPayload).entries(),\n ]).toString()}`\n\n return {\n authRequestObject: requestPayload,\n authRequest: url.toString(),\n jar: undefined,\n }\n}\n","import {\n type CallbackContext,\n type JweEncryptor,\n type Jwk,\n type JwtPayload,\n type JwtSigner,\n jwtHeaderFromJwtSigner,\n} from '@openid4vc/oauth2'\nimport type { JarAuthRequest } from './z-jar-auth-request'\n\nexport interface CreateJarAuthRequestOptions {\n authRequestParams: JwtPayload & { client_id?: string }\n jwtSigner: JwtSigner\n jweEncryptor?: JweEncryptor\n requestUri?: string\n additionalJwtPayload?: Record<string, unknown>\n callbacks: Pick<CallbackContext, 'signJwt' \| 'encryptJwe'>\n}\n\n/\n Creates a JAR (JWT Authorization Request) request object.\n \n @param options - The input parameters\n * @param options.authRequestParams - The authorization request parameters\n * @param options.jwtSigner - The JWT signer\n * @param options.jweEncryptor - The JWE encryptor (optional) if provided, the request object will be encrypted\n * @param options.requestUri - The request URI (optional) if provided, the request object needs to be fetched from the URI\n * @param options.callbacks - The callback context\n * @returns the requestParams, signerJwk, encryptionJwk, and requestObjectJwt\n /\nexport async function createJarAuthRequest(options: CreateJarAuthRequestOptions) {\n const { jwtSigner, jweEncryptor, authRequestParams, requestUri, callbacks } = options\n\n let requestObjectJwt: string \| undefined\n let encryptionJwk: Jwk \| undefined\n\n const { jwt, signerJwk } = await callbacks.signJwt(jwtSigner, {\n header: { ...jwtHeaderFromJwtSigner(jwtSigner), typ: 'oauth-authz-req+jwt' },\n payload: { ...options.additionalJwtPayload, ...authRequestParams },\n })\n requestObjectJwt = jwt\n\n if (jweEncryptor) {\n const encryptionResult = await callbacks.encryptJwe(jweEncryptor, requestObjectJwt)\n requestObjectJwt = encryptionResult.jwe\n encryptionJwk = encryptionResult.encryptionJwk\n }\n\n const client_id = authRequestParams.client_id\n const requestParams: JarAuthRequest = requestUri\n ? { client_id, request_uri: requestUri }\n : { client_id, request: requestObjectJwt }\n\n return { requestParams, signerJwk, encryptionJwk, requestObjectJwt }\n}\n","import { Oauth2ErrorCodes, Oauth2ServerErrorResponseError } from '@openid4vc/oauth2'\nimport { zHttpsUrl } from '@openid4vc/utils'\nimport type { WalletMetadata } from '../models/z-wallet-metadata'\nimport type { Openid4vpAuthorizationRequest } from './z-authorization-request'\n\nexport interface WalletVerificationOptions {\n expectedNonce?: string\n metadata?: WalletMetadata\n}\n\nexport interface ValidateOpenid4vpAuthorizationRequestPayloadOptions {\n params: Openid4vpAuthorizationRequest\n walletVerificationOptions?: WalletVerificationOptions\n}\n\n/\n Validate the OpenId4Vp Authorization Request parameters\n /\nexport const validateOpenid4vpAuthorizationRequestPayload = (\n options: ValidateOpenid4vpAuthorizationRequestPayloadOptions\n) => {\n const { params, walletVerificationOptions } = options\n\n if (!params.redirect_uri && !params.response_uri) {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidRequest,\n error_description: `Missing required 'redirect_uri' or 'response_uri' in openid4vp authorization request.`,\n })\n }\n\n if (params.response_uri && !['direct_post', 'direct_post.jwt'].find((mode) => mode === params.response_mode)) {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidRequest,\n error_description: `The 'response_mode' parameter MUST be 'direct_post' or 'direct_post.jwt' when 'response_uri' is provided. Current: ${params.response_mode}`,\n })\n }\n\n if (\n [params.presentation_definition_uri, params.presentation_definition, params.dcql_query, params.scope].filter(\n Boolean\n ).length > 1\n ) {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidRequest,\n error_description:\n 'Exactly one of the following parameters MUST be present in the authorization request: dcql_query, presentation_definition, presentation_definition_uri, or a scope value representing a Presentation Definition.',\n })\n }\n\n if (params.request_uri_method && !params.request_uri) {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidRequest,\n error_description:\n 'The \"request_uri_method\" parameter MUST NOT be present in the authorization request if the \"request_uri\" parameter is not present.',\n })\n }\n\n if (params.request_uri_method && !['GET', 'POST'].includes(params.request_uri_method)) {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidRequestUriMethod,\n error_description: `The 'request_uri_method' parameter MUST be 'GET' or 'POST'. Current: ${params.request_uri_method}`,\n })\n }\n\n if (params.trust_chain && !zHttpsUrl.safeParse(params.client_id).success) {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidRequest,\n error_description:\n 'The \"trust_chain\" parameter MUST NOT be present in the authorization request if the \"client_id\" is not an OpenId Federation Entity Identifier starting with http:// or https://.',\n })\n }\n\n if (walletVerificationOptions?.expectedNonce && !params.wallet_nonce) {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidRequest,\n error_description:\n 'The \"wallet_nonce\" parameter MUST be present in the authorization request when the \"expectedNonce\" parameter is provided.',\n })\n }\n\n if (walletVerificationOptions?.expectedNonce !== params.wallet_nonce) {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidRequest,\n error_description:\n 'The \"wallet_nonce\" parameter MUST match the \"expectedNonce\" parameter when the \"expectedNonce\" parameter is provided.',\n })\n }\n\n if (params.client_id.startsWith('web-origin:')) {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidRequest,\n error_description: `The 'client_id' parameter MUST NOT use client identifier scheme 'web-origin' when not using the dc_api response mode. Current: ${params.client_id}`,\n })\n }\n}\n","import { Oauth2ErrorCodes, Oauth2ServerErrorResponseError } from '@openid4vc/oauth2'\nimport type { Openid4vpAuthorizationRequestDcApi } from './z-authorization-request-dc-api'\n\nexport interface ValidateOpenid4vpAuthorizationRequestDcApiPayloadOptions {\n params: Openid4vpAuthorizationRequestDcApi\n isJarRequest: boolean\n omitOriginValidation?: boolean\n origin?: string\n}\n\n/\n Validate the OpenId4Vp Authorization Request parameters for the dc_api response mode\n /\nexport const validateOpenid4vpAuthorizationRequestDcApiPayload = (\n options: ValidateOpenid4vpAuthorizationRequestDcApiPayloadOptions\n) => {\n const { params, isJarRequest, omitOriginValidation, origin } = options\n\n if (isJarRequest && !params.expected_origins) {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidRequest,\n error_description: `The 'expected_origins' parameter MUST be present when using the dc_api response mode in combinaction with jar.`,\n })\n }\n\n if ([params.presentation_definition, params.dcql_query].filter(Boolean).length > 1) {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidRequest,\n error_description:\n 'Exactly one of the following parameters MUST be present in the Authorization Request: dcql_query, presentation_definition, presentation_definition_uri, or a scope value representing a Presentation Definition.',\n })\n }\n\n if (params.expected_origins && !omitOriginValidation) {\n if (!origin) {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidRequest,\n error_description: `Failed to validate the 'origin' of the authorization request. The 'origin' was not provided.`,\n })\n }\n\n if (params.expected_origins && !params.expected_origins.includes(origin)) {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidRequest,\n error_description: `The 'expected_origins' parameter MUST include the origin of the authorization request. Current: ${params.expected_origins.join(', ')}`,\n })\n }\n }\n}\n","import { zHttpsUrl } from '@openid4vc/utils'\nimport { z } from 'zod'\nimport { zClientMetadata } from '../models/z-client-metadata'\n\nexport const zOpenid4vpAuthorizationRequest = z\n .object({\n response_type: z.literal('vp_token'),\n client_id: z.string(),\n redirect_uri: zHttpsUrl.optional(),\n response_uri: zHttpsUrl.optional(),\n request_uri: zHttpsUrl.optional(),\n request_uri_method: z.optional(z.string()),\n response_mode: z.enum(['direct_post', 'direct_post.jwt']).optional(),\n nonce: z.string(),\n wallet_nonce: z.string().optional(),\n scope: z.string().optional(),\n presentation_definition: z.record(z.any()).optional(),\n presentation_definition_uri: zHttpsUrl.optional(),\n dcql_query: z.record(z.any()).optional(),\n client_metadata: zClientMetadata.optional(),\n client_metadata_uri: zHttpsUrl.optional(),\n state: z.string().optional(),\n transaction_data: z.array(z.string()).optional(),\n trust_chain: z.unknown().optional(),\n client_id_scheme: z\n .enum([\n 'pre-registered',\n 'redirect_uri',\n 'entity_id',\n 'did',\n 'verifier_attestation',\n 'x509_san_dns',\n 'x509_san_uri',\n ])\n .optional(),\n })\n .passthrough()\n\nexport type Openid4vpAuthorizationRequest = z.infer<typeof zOpenid4vpAuthorizationRequest>\n","import { zJwkSet } from '@openid4vc/oauth2'\nimport { zHttpsUrl } from '@openid4vc/utils'\nimport { z } from 'zod'\nimport { zJarmClientMetadata } from '../jarm/metadata/z-jarm-client-metadata'\nimport { zVpFormatsSupported } from './z-vp-formats-supported'\n\n// Authoritative data the Wallet is able to obtain about the Client from other sources,\n// for example those from an OpenID Federation Entity Statement, take precedence over the values passed in client_metadata.\nexport const zClientMetadata = z\n .object({\n jwks: z.optional(zJwkSet),\n vp_formats: z.optional(zVpFormatsSupported),\n ...zJarmClientMetadata.shape,\n logo_uri: zHttpsUrl.optional(),\n client_name: z.string().optional(),\n })\n .passthrough()\nexport type ClientMetadata = z.infer<typeof zClientMetadata>\n","import { z } from 'zod'\nexport const zVpFormatsSupported = z.record(\n z.string(),\n z\n .object({\n alg_values_supported: z.optional(z.array(z.string())),\n })\n .passthrough()\n)\n\nexport type VpFormatsSupported = z.infer<typeof zVpFormatsSupported>\n","import { z } from 'zod'\nimport type { JarAuthRequest } from '../jar/z-jar-auth-request'\nimport { type Openid4vpAuthorizationRequest, zOpenid4vpAuthorizationRequest } from './z-authorization-request'\n\nexport const zOpenid4vpAuthorizationRequestDcApi = zOpenid4vpAuthorizationRequest\n .pick({\n client_id: true,\n response_type: true,\n response_mode: true,\n nonce: true,\n presentation_definition: true,\n client_metadata: true,\n transaction_data: true,\n dcql_query: true,\n })\n .extend({\n client_id: z.optional(z.string()),\n expected_origins: z.array(z.string()).optional(),\n response_mode: z.enum(['dc_api', 'dc_api.jwt', 'w3c_dc_api.jwt', 'w3c_dc_api']),\n client_id_scheme: z\n .enum([\n 'pre-registered',\n 'redirect_uri',\n 'entity_id',\n 'did',\n 'verifier_attestation',\n 'x509_san_dns',\n 'x509_san_uri',\n ])\n .optional(),\n })\n .strip()\n\nexport type Openid4vpAuthorizationRequestDcApi = z.infer<typeof zOpenid4vpAuthorizationRequestDcApi>\n\nexport function isOpenid4vpAuthorizationRequestDcApi(\n request: Openid4vpAuthorizationRequest \| Openid4vpAuthorizationRequestDcApi \| JarAuthRequest\n): request is Openid4vpAuthorizationRequestDcApi {\n return (\n request.response_mode === 'dc_api' \|\|\n request.response_mode === 'dc_api.jwt' \|\|\n request.response_mode === 'w3c_dc_api.jwt' \|\|\n request.response_mode === 'w3c_dc_api'\n )\n}\n","import { decodeJwt } from '@openid4vc/oauth2'\nimport { URL } from '@openid4vc/utils'\nimport { parseWithErrorHandling } from '@openid4vc/utils'\nimport z from 'zod'\nimport { type JarAuthRequest, isJarAuthRequest, zJarAuthRequest } from '../jar/z-jar-auth-request'\nimport { type Openid4vpAuthorizationRequest, zOpenid4vpAuthorizationRequest } from './z-authorization-request'\nimport {\n type Openid4vpAuthorizationRequestDcApi,\n isOpenid4vpAuthorizationRequestDcApi,\n zOpenid4vpAuthorizationRequestDcApi,\n} from './z-authorization-request-dc-api'\n\nexport interface ParsedJarRequest {\n type: 'jar'\n provided: 'uri' \| 'jwt' \| 'params'\n params: JarAuthRequest\n}\n\nexport interface ParsedOpenid4vpAuthRequest {\n type: 'openid4vp'\n provided: 'uri' \| 'jwt' \| 'params'\n params: Openid4vpAuthorizationRequest\n}\n\nexport interface ParsedOpenid4vpDcApiAuthRequest {\n type: 'openid4vp_dc_api'\n provided: 'uri' \| 'jwt' \| 'params'\n params: Openid4vpAuthorizationRequestDcApi\n}\n\nexport interface ParseOpenid4vpAuthRequestPayloadOptions {\n authorizationRequest: string \| Record<string, unknown>\n}\n\nexport function parseOpenid4vpAuthorizationRequestPayload(\n options: ParseOpenid4vpAuthRequestPayloadOptions\n): ParsedOpenid4vpAuthRequest \| ParsedJarRequest \| ParsedOpenid4vpDcApiAuthRequest {\n const { authorizationRequest } = options\n let provided: 'uri' \| 'jwt' \| 'params' = 'params'\n\n let params: Record<string, unknown>\n if (typeof authorizationRequest === 'string') {\n if (authorizationRequest.includes('://')) {\n const url = new URL(authorizationRequest)\n params = Object.fromEntries(url.searchParams)\n provided = 'uri'\n } else {\n const decoded = decodeJwt({ jwt: authorizationRequest })\n params = decoded.payload\n provided = 'jwt'\n }\n } else {\n params = authorizationRequest\n }\n\n const parsedRequest = parseWithErrorHandling(\n z.union([zOpenid4vpAuthorizationRequest, zJarAuthRequest, zOpenid4vpAuthorizationRequestDcApi]),\n params\n )\n\n if (isJarAuthRequest(parsedRequest)) {\n return {\n type: 'jar',\n provided,\n params: parsedRequest,\n }\n }\n\n if (isOpenid4vpAuthorizationRequestDcApi(parsedRequest)) {\n return {\n type: 'openid4vp_dc_api',\n provided,\n params: parsedRequest,\n }\n }\n\n return {\n type: 'openid4vp',\n provided,\n params: parsedRequest,\n }\n}\n","import { Oauth2ServerErrorResponseError } from '@openid4vc/oauth2'\nimport { zHttpsUrl } from '@openid4vc/utils'\nimport { z } from 'zod'\nimport type { Openid4vpAuthorizationRequest } from '../authorization-request/z-authorization-request'\nimport type { Openid4vpAuthorizationRequestDcApi } from '../authorization-request/z-authorization-request-dc-api'\n\nexport const zJarAuthRequest = z\n .object({\n request: z.optional(z.string()),\n request_uri: z.optional(zHttpsUrl),\n request_uri_method: z.optional(z.string()),\n client_id: z.optional(z.string()),\n })\n .passthrough()\nexport type JarAuthRequest = z.infer<typeof zJarAuthRequest>\n\nexport function validateJarRequestParams(options: { jarRequestParams: JarAuthRequest }) {\n const { jarRequestParams } = options\n\n if (jarRequestParams.request && jarRequestParams.request_uri) {\n throw new Oauth2ServerErrorResponseError({\n error: 'invalid_request_object',\n error_description: 'request and request_uri cannot both be present in a JAR request',\n })\n }\n\n if (!jarRequestParams.request && !jarRequestParams.request_uri) {\n throw new Oauth2ServerErrorResponseError({\n error: 'invalid_request_object',\n error_description: 'request or request_uri must be present',\n })\n }\n\n return jarRequestParams as JarAuthRequest &\n ({ request_uri: string; request?: never } \| { request: string; request_uri?: never })\n}\n\nexport function isJarAuthRequest(\n request: Openid4vpAuthorizationRequest \| JarAuthRequest \| Openid4vpAuthorizationRequestDcApi\n): request is JarAuthRequest {\n return 'request' in request \|\| 'request_uri' in request\n}\n","import { type CallbackContext, Oauth2ErrorCodes, Oauth2ServerErrorResponseError } from '@openid4vc/oauth2'\nimport { parseWithErrorHandling } from '@openid4vc/utils'\nimport z from 'zod'\nimport {\n type ParsedClientIdentifier,\n parseClientIdentifier,\n} from '../client-identifier-scheme/parse-client-identifier-scheme'\nimport { fetchClientMetadata } from '../fetch-client-metadata'\nimport { type VerifiedJarRequest, verifyJarRequest } from '../jar/handle-jar-request/verify-jar-request'\nimport { type JarAuthRequest, isJarAuthRequest, zJarAuthRequest } from '../jar/z-jar-auth-request'\nimport type { WalletMetadata } from '../models/z-wallet-metadata'\nimport { parseTransactionData } from '../transaction-data/parse-transaction-data'\nimport type { TransactionData } from '../transaction-data/z-transaction-data'\nimport {\n type WalletVerificationOptions,\n validateOpenid4vpAuthorizationRequestPayload,\n} from './validate-authorization-request'\nimport { validateOpenid4vpAuthorizationRequestDcApiPayload } from './validate-authorization-request-dc-api'\nimport { type Openid4vpAuthorizationRequest, zOpenid4vpAuthorizationRequest } from './z-authorization-request'\nimport {\n type Openid4vpAuthorizationRequestDcApi,\n isOpenid4vpAuthorizationRequestDcApi,\n zOpenid4vpAuthorizationRequestDcApi,\n} from './z-authorization-request-dc-api'\n\nexport interface ResolveOpenid4vpAuthorizationRequestOptions {\n requestPayload: Openid4vpAuthorizationRequest \| JarAuthRequest\n wallet?: WalletVerificationOptions\n origin?: string\n omitOriginValidation?: boolean\n callbacks: Pick<CallbackContext, 'verifyJwt' \| 'decryptJwe' \| 'getX509CertificateMetadata'>\n}\n\nexport type ResolvedOpenid4vpAuthRequest = {\n transactionData?: TransactionData\n requestPayload: Openid4vpAuthorizationRequest \| Openid4vpAuthorizationRequestDcApi\n jar: VerifiedJarRequest \| undefined\n client: ParsedClientIdentifier\n pex?: {\n presentation_definition: unknown\n presentation_definition_uri?: string\n }\n dcql?: { query: unknown } \| undefined\n}\nexport async function resolveOpenid4vpAuthorizationRequest(\n options: ResolveOpenid4vpAuthorizationRequestOptions\n): Promise<ResolvedOpenid4vpAuthRequest> {\n const { requestPayload, wallet, callbacks, origin, omitOriginValidation } = options\n\n let authRequestPayload:\n \| Openid4vpAuthorizationRequest\n \| (Openid4vpAuthorizationRequestDcApi & { presentation_definition_uri?: never })\n\n const parsed = parseWithErrorHandling(\n z.union([zOpenid4vpAuthorizationRequestDcApi, zOpenid4vpAuthorizationRequest, zJarAuthRequest]),\n requestPayload,\n 'Invalid authorization request. Could not parse openid4vp authorization request as openid4vp or jar auth request.'\n )\n\n let jar: VerifiedJarRequest \| undefined\n if (isJarAuthRequest(parsed)) {\n jar = await verifyJarRequest({ jarRequestParams: parsed, callbacks, wallet })\n\n const parsedJarAuthRequestPayload = parseWithErrorHandling(\n z.union([zOpenid4vpAuthorizationRequestDcApi, zOpenid4vpAuthorizationRequest]),\n jar.authRequestParams,\n 'Invalid authorization request. Could not parse jar request payload as openid4vp auth request.'\n )\n\n authRequestPayload = validateOpenId4vpPayload({\n requestPayload: parsedJarAuthRequestPayload,\n wallet,\n jar: true,\n origin,\n omitOriginValidation,\n })\n } else {\n authRequestPayload = validateOpenId4vpPayload({\n requestPayload: parsed,\n wallet,\n jar: false,\n origin,\n omitOriginValidation,\n })\n }\n\n let clientMetadata: WalletMetadata \| undefined\n if (!isOpenid4vpAuthorizationRequestDcApi(authRequestPayload) && authRequestPayload.client_metadata_uri) {\n clientMetadata = await fetchClientMetadata({ clientMetadataUri: authRequestPayload.client_metadata_uri })\n }\n\n const clientMeta = parseClientIdentifier({\n request: { ...authRequestPayload, client_metadata: clientMetadata ?? authRequestPayload.client_metadata },\n jar,\n callbacks,\n origin,\n })\n\n let pex: ResolvedOpenid4vpAuthRequest['pex'] \| undefined\n let dcql: ResolvedOpenid4vpAuthRequest['dcql'] \| undefined\n\n if (authRequestPayload.presentation_definition \|\| authRequestPayload.presentation_definition_uri) {\n if (authRequestPayload.presentation_definition_uri) {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidRequest,\n error_description: 'Cannot fetch presentation definition from URI. Not supported.',\n })\n }\n\n pex = {\n presentation_definition: authRequestPayload.presentation_definition,\n presentation_definition_uri: authRequestPayload.presentation_definition_uri,\n }\n }\n\n if (authRequestPayload.dcql_query) {\n dcql = { query: authRequestPayload.dcql_query }\n }\n\n const transactionData = authRequestPayload.transaction_data\n ? parseTransactionData({ transactionData: authRequestPayload.transaction_data })\n : undefined\n\n return {\n transactionData,\n requestPayload: authRequestPayload,\n jar,\n client: { ...clientMeta },\n pex,\n dcql,\n }\n}\n\nfunction validateOpenId4vpPayload(options: {\n requestPayload: Openid4vpAuthorizationRequest \| Openid4vpAuthorizationRequestDcApi\n wallet?: WalletVerificationOptions\n jar: boolean\n origin?: string\n omitOriginValidation?: boolean\n}) {\n const { requestPayload, wallet, jar, origin, omitOriginValidation } = options\n\n if (isOpenid4vpAuthorizationRequestDcApi(requestPayload)) {\n validateOpenid4vpAuthorizationRequestDcApiPayload({\n params: requestPayload,\n isJarRequest: jar,\n omitOriginValidation,\n origin,\n })\n\n return requestPayload\n }\n\n validateOpenid4vpAuthorizationRequestPayload({ params: requestPayload, walletVerificationOptions: wallet })\n return requestPayload\n}\n","import { Oauth2ErrorCodes, Oauth2ServerErrorResponseError, getGlobalConfig } from '@openid4vc/oauth2'\nimport type { CallbackContext } from '../../../oauth2/src/callbacks'\nimport type { Openid4vpAuthorizationRequest } from '../authorization-request/z-authorization-request'\nimport {\n type Openid4vpAuthorizationRequestDcApi,\n isOpenid4vpAuthorizationRequestDcApi,\n} from '../authorization-request/z-authorization-request-dc-api'\nimport type { VerifiedJarRequest } from '../jar/handle-jar-request/verify-jar-request'\nimport type { ClientMetadata } from '../models/z-client-metadata'\nimport { parseAuthorizationRequestVersion } from '../version'\nimport { type ClientIdScheme, zClientIdScheme } from './z-client-id-scheme'\n\n/\n Result of parsing a client identifier\n /\nexport type ParsedClientIdentifier =\n \| {\n scheme: 'redirect_uri'\n identifier: string\n originalValue: string\n redirectUri: string\n clientMetadata?: ClientMetadata\n }\n \| {\n scheme: 'https'\n identifier: string\n originalValue: string\n trustChain?: unknown\n clientMetadata?: never // clientMetadata must be obtained from the entity statement\n }\n \| {\n scheme: 'did'\n identifier: string\n originalValue: string\n didUrl: string\n clientMetadata?: ClientMetadata\n }\n \| {\n scheme: 'x509_san_uri' \| 'x509_san_dns'\n identifier: string\n originalValue: string\n clientMetadata?: ClientMetadata\n x5c: string[]\n }\n \| {\n scheme: 'verifier_attestation' \| 'pre-registered' \| 'web-origin'\n identifier: string\n originalValue: string\n clientMetadata?: ClientMetadata\n }\n\n/\n Configuration options for the parser\n /\nexport interface ClientIdentifierParserConfig {\n supportedSchemes?: ClientIdScheme[]\n}\n\nexport interface ClientIdentifierParserOptions {\n request: Openid4vpAuthorizationRequest \| Openid4vpAuthorizationRequestDcApi\n jar?: VerifiedJarRequest\n origin?: string\n callbacks: Partial<Pick<CallbackContext, 'getX509CertificateMetadata'>>\n}\n\nfunction getClientId(options: ClientIdentifierParserOptions) {\n if (isOpenid4vpAuthorizationRequestDcApi(options.request)) {\n if (!options.origin) {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidRequest,\n error_description:\n \"Failed to parse client identifier. 'origin' is required for requests with response_mode 'dc_api' and 'dc_api.jwt'\",\n })\n }\n\n if (!options.jar \|\| !options.request.client_id) return `web-origin:${options.origin}`\n\n return options.request.client_id\n }\n\n return options.request.client_id\n}\n\nfunction getLegacyClientId(options: ClientIdentifierParserOptions) {\n const legacyClientIdScheme = options.request.client_id_scheme ?? 'pre-registered'\n\n let clientIdScheme: ClientIdScheme\n if (legacyClientIdScheme === 'entity_id') {\n clientIdScheme = 'https'\n } else {\n clientIdScheme = legacyClientIdScheme\n }\n\n if (isOpenid4vpAuthorizationRequestDcApi(options.request)) {\n if (!options.origin) {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidRequest,\n error_description:\n \"Failed to parse client identifier. 'origin' is required for requests with response_mode 'dc_api' and 'dc_api.jwt'\",\n })\n }\n\n if (!options.jar \|\| !options.request.client_id) return `web-origin:${options.origin}`\n\n return `${clientIdScheme}:${options.request.client_id}`\n }\n\n if (clientIdScheme === 'https' \|\| clientIdScheme === 'did') {\n return options.request.client_id\n }\n\n if (clientIdScheme === 'pre-registered') {\n return options.request.client_id\n }\n\n return `${clientIdScheme}:${options.request.client_id}`\n}\n\n/\n Parse and validate a client identifier\n /\nexport function parseClientIdentifier(\n options: ClientIdentifierParserOptions,\n parserConfig?: ClientIdentifierParserConfig\n): ParsedClientIdentifier {\n const { request, jar } = options\n\n const version = parseAuthorizationRequestVersion(request)\n // this means that client_id_scheme is used\n if (version < 22) {\n const legacyClientIdScheme = request.client_id_scheme ?? 'pre-registered'\n\n let clientIdSchem: ClientIdScheme\n if (legacyClientIdScheme) {\n if (legacyClientIdScheme === 'entity_id') {\n clientIdSchem = 'https'\n } else {\n clientIdSchem = legacyClientIdScheme\n }\n }\n }\n\n const isDcApiRequest = isOpenid4vpAuthorizationRequestDcApi(request)\n const clientId = version < 22 ? getLegacyClientId(options) : getClientId(options)\n\n // By default require signatures for these schemes\n const parserConfigWithDefaults = {\n supportedSchemes: parserConfig?.supportedSchemes \|\| Object.values(zClientIdScheme.options),\n }\n\n const colonIndex = clientId.indexOf(':')\n if (colonIndex === -1) {\n return {\n scheme: 'pre-registered',\n identifier: clientId,\n originalValue: clientId,\n clientMetadata: request.client_metadata,\n }\n }\n\n const schemePart = clientId.substring(0, colonIndex)\n const identifierPart = clientId.substring(colonIndex + 1)\n\n if (!parserConfigWithDefaults.supportedSchemes.includes(schemePart as ClientIdScheme)) {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidRequest,\n error_description: `Unsupported client identifier scheme. ${schemePart} is not supported.`,\n })\n }\n\n const scheme = schemePart as ClientIdScheme\n if (scheme === 'https') {\n // https://github.com/openid/OpenID4VP/issues/436\n if (isDcApiRequest) {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidRequest,\n error_description: `The client identifier scheme 'https' is not supported when using the dc_api response mode.`,\n })\n }\n\n if (!clientId.startsWith('https://') && !(getGlobalConfig().allowInsecureUrls && clientId.startsWith('http://'))) {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidRequest,\n error_description:\n 'Invalid client identifier. Client identifier must start with https:// or http:// if allowInsecureUrls is true.',\n })\n }\n\n return {\n scheme,\n identifier: clientId,\n originalValue: clientId,\n trustChain: request.trust_chain,\n }\n }\n\n if (scheme === 'redirect_uri') {\n if (jar) {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidRequest,\n error_description: 'Using client identifier scheme \"redirect_uri\" the request MUST NOT be signed.',\n })\n }\n\n if (isOpenid4vpAuthorizationRequestDcApi(request)) {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidRequest,\n error_description: `The client identifier scheme 'redirect_uri' is not supported when using the dc_api response mode.`,\n })\n }\n\n return {\n scheme,\n identifier: identifierPart,\n originalValue: clientId,\n redirectUri: (request.redirect_uri ?? request.response_uri) as string,\n }\n }\n\n if (scheme === 'did') {\n if (!jar) {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidRequest,\n error_description: 'Using client identifier scheme \"did\" requires a signed JAR request.',\n })\n }\n\n if (!clientId.startsWith('did:')) {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidRequest,\n error_description: \"Invalid client identifier. Client identifier must start with 'did:'\",\n })\n }\n\n if (!jar.signer.publicJwk.kid) {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidRequest,\n error_description: `Missing required 'kid' for client identifier scheme: did`,\n })\n }\n\n if (!jar.signer.publicJwk.kid?.startsWith(clientId)) {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidRequest,\n error_description:\n 'With client identifier scheme \"did\" the JAR request must be signed by the same DID as the client identifier.',\n })\n }\n\n return {\n scheme,\n identifier: clientId,\n originalValue: clientId,\n didUrl: jar.signer.publicJwk.kid,\n }\n }\n\n if (scheme === 'x509_san_dns' \|\| scheme === 'x509_san_uri') {\n if (!jar) {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidRequest,\n error_description:\n 'Using client identifier scheme \"x509_san_dns\" or \"x509_san_uri\" requires a signed JAR request.',\n })\n }\n\n if (jar.signer.method !== 'x5c') {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidRequest,\n error_description:\n 'Something went wrong. The JWT signer method is not x5c but the client identifier scheme is x509_san_dns.',\n })\n }\n\n if (scheme === 'x509_san_dns') {\n if (!options.callbacks.getX509CertificateMetadata) {\n throw new Oauth2ServerErrorResponseError(\n {\n error: Oauth2ErrorCodes.ServerError,\n },\n {\n internalMessage:\n \"Missing required 'getX509CertificateMetadata' callback for verification of 'x509_san_dns' client id scheme\",\n }\n )\n }\n\n const { sanDnsNames } = options.callbacks.getX509CertificateMetadata(jar.signer.x5c[0])\n if (!sanDnsNames.includes(identifierPart)) {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidRequest,\n error_description: `Invalid client identifier. One of the leaf certificates san dns names [${sanDnsNames.join(', ')}] must match the client identifier '${identifierPart}'. `,\n })\n }\n\n if (!isOpenid4vpAuthorizationRequestDcApi(request)) {\n const uri = request.redirect_uri ?? request.response_uri\n if (!uri \|\| getDomainFromUrl(uri) !== identifierPart) {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidRequest,\n error_description:\n 'Invalid client identifier. The fully qualified domain name of the redirect_uri value MUST match the Client Identifier without the prefix x509_san_dns.',\n })\n }\n }\n } else if (scheme === 'x509_san_uri') {\n if (!options.callbacks.getX509CertificateMetadata) {\n throw new Oauth2ServerErrorResponseError(\n {\n error: Oauth2ErrorCodes.ServerError,\n },\n {\n internalMessage:\n \"Missing required 'getX509CertificateMetadata' callback for verification of 'x509_san_uri' client id scheme\",\n }\n )\n }\n\n const { sanUriNames } = options.callbacks.getX509CertificateMetadata(jar.signer.x5c[0])\n if (!sanUriNames.includes(identifierPart)) {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidRequest,\n error_description: `Invalid client identifier. One of the leaf certificates san uri names [${sanUriNames.join(', ')}] must match the client identifier '${identifierPart}'.`,\n })\n }\n\n if (!isOpenid4vpAuthorizationRequestDcApi(request)) {\n const uri = request.redirect_uri \|\| request.response_uri\n if (!uri \|\| uri !== identifierPart) {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidRequest,\n error_description:\n 'The redirect_uri value MUST match the Client Identifier without the prefix x509_san_uri',\n })\n }\n }\n }\n\n return {\n scheme,\n identifier: identifierPart,\n originalValue: clientId,\n x5c: jar.signer.x5c,\n }\n }\n\n if (scheme === 'web-origin') {\n return {\n scheme,\n identifier: identifierPart,\n originalValue: clientId,\n clientMetadata: request.client_metadata,\n }\n }\n\n if (scheme === 'verifier_attestation') {\n if (!jar) {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidRequest,\n error_description: 'Using client identifier scheme \"verifier_attestation\" requires a signed JAR request.',\n })\n }\n }\n\n return {\n scheme,\n identifier: identifierPart,\n originalValue: clientId,\n }\n}\n\nfunction getDomainFromUrl(url: string): string {\n try {\n const regex = /[#/?]/\n const domain = url.split('://')[1].split(regex)[0]\n return domain\n } catch (error) {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.ServerError,\n error_description: `Url '${url}' is not a valid URL`,\n })\n }\n}\n","import { Oauth2ErrorCodes, Oauth2ServerErrorResponseError } from '@openid4vc/oauth2'\nimport type { Openid4vpAuthorizationRequest } from './authorization-request/z-authorization-request'\nimport {\n type Openid4vpAuthorizationRequestDcApi,\n isOpenid4vpAuthorizationRequestDcApi,\n} from './authorization-request/z-authorization-request-dc-api'\nimport { zClientIdScheme } from './client-identifier-scheme/z-client-id-scheme'\n\nexport const Openid4vpVersion = [18, 19, 20, 21, 22, 23, 24] as const\nexport type OpenId4VpVersion = (typeof Openid4vpVersion)[number]\n\nexport function parseAuthorizationRequestVersion(\n request: Openid4vpAuthorizationRequest \| Openid4vpAuthorizationRequestDcApi\n): OpenId4VpVersion {\n const requirements: ['<' \| '>=', OpenId4VpVersion][] = []\n\n // 23\n\n const vp_formats = request.client_metadata?.vp_formats\n // There might be some time we'd like to include both, as the update of the identifier can be somewhat tricky.\n //if (vp_formats) {\n //if (Object.keys(vp_formats).includes('vc+sd-jwt' satisfies CredentialFormat)) {\n //requirements.push(['<', 23])\n //}\n\n //if (Object.keys(vp_formats).includes('dc+sd-jwt' satisfies CredentialFormat)) {\n //requirements.push(['>=', 23])\n //}\n\n //if (Object.keys(vp_formats).includes('vc+sd-jwt' satisfies CredentialFormat)) {\n //requirements.push(['>=', 21])\n //}\n //}\n\n //if (\n //request.client_metadata?.vp_formats &&\n //Object.keys(request.client_metadata?.vp_formats).some(val => val === 'vc+sd-jwt')\n //) {\n //requirements.push(['>=', 21])\n //}\n\n if (\n isOpenid4vpAuthorizationRequestDcApi(request) &&\n (request.response_mode === 'w3c_dc_api' \|\| request.response_mode === 'w3c_dc_api.jwt')\n ) {\n requirements.push(['<', 23])\n requirements.push(['>=', 21])\n }\n\n if (\n (isOpenid4vpAuthorizationRequestDcApi(request) && request.response_mode === 'dc_api') \|\|\n request.response_mode === 'dc_api.jwt'\n ) {\n requirements.push(['>=', 23])\n }\n\n if (isOpenid4vpAuthorizationRequestDcApi(request) && (request.transaction_data \|\| request.dcql_query)) {\n requirements.push(['>=', 23])\n }\n\n // 22\n\n if (request.dcql_query) {\n requirements.push(['>=', 22])\n }\n\n if (request.transaction_data) {\n requirements.push(['>=', 22])\n }\n\n if (request.client_id_scheme) {\n requirements.push(['<', 22])\n }\n\n // what happens if we don't have a client_id_scheme?\n\n // if the client_id is prefixed with a scheme, we know for sure that the version is >= 22\n // if it is not prefixed we don't know anything since it can default in all versions to pre-registered\n if (request.client_id) {\n const colonIndex = request.client_id.indexOf(':')\n const schemePart = request.client_id.substring(0, colonIndex)\n const parsedScheme = zClientIdScheme.safeParse(schemePart)\n\n // we know this for sure\n if (parsedScheme.success && parsedScheme.data !== 'did' && parsedScheme.data !== 'https') {\n requirements.push(['>=', 22])\n }\n }\n\n // only possible with dc_api which is available in 21\n if (!request.client_id) {\n requirements.push(['>=', 21])\n }\n\n // 21\n\n if ('client_metadata_uri' in request) {\n requirements.push(['<', 21])\n }\n\n if (isOpenid4vpAuthorizationRequestDcApi(request)) {\n requirements.push(['>=', 21])\n }\n\n if ('request_uri_method' in request \|\| 'wallet_nonce' in request) {\n requirements.push(['>=', 21])\n }\n\n // 20\n\n if (request.client_id_scheme === 'verifier_attestation') {\n requirements.push(['>=', 20])\n }\n\n // 19\n\n if (request.client_id_scheme === 'x509_san_dns' \|\| request.client_id_scheme === 'x509_san_uri') {\n requirements.push(['>=', 19])\n }\n\n // The minimum version which satisfies all requirements\n const lessThanVersions = requirements.filter(([operator]) => operator === '<').map(([_, version]) => version)\n\n const greaterThanVersions = requirements.filter(([operator]) => operator === '>=').map(([_, version]) => version)\n\n // Find the minimum version that satisfies all \"less than\" constraints\n const highestPossibleVersion =\n lessThanVersions.length > 0 ? (Math.max(Math.min(...lessThanVersions) - 1, 18) as OpenId4VpVersion) : (24 as const) // Default to highest version\n\n // Find the maximum version that satisfies all \"greater than or equal to\" constraints\n const lowestRequiredVersion =\n greaterThanVersions.length > 0 ? (Math.max(...greaterThanVersions) as OpenId4VpVersion) : (18 as const) // Default to lowest version\n\n // The acceptable range is [lowestRequiredVersion, highestPossibleVersion]\n // We return the lowest possible version that satisfies all constraints\n if (lowestRequiredVersion > highestPossibleVersion) {\n // No valid version exists that satisfies all constraints\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidRequest,\n error_description: 'Could not infer openid4vp version from the openid4vp request payload.',\n })\n }\n\n return highestPossibleVersion\n}\n","import { Oauth2ErrorCodes, Oauth2ServerErrorResponseError } from '@openid4vc/oauth2'\nimport { type BaseSchema, ContentType, type Fetch, createZodFetcher } from '@openid4vc/utils'\nimport type { z } from 'zod'\nimport { zWalletMetadata } from './models/z-wallet-metadata'\n\nexport async function fetchClientMetadata<Schema extends BaseSchema>(options: {\n clientMetadataUri: string\n fetch?: Fetch\n}): Promise<z.infer<Schema> \| null> {\n const { fetch, clientMetadataUri } = options\n const fetcher = createZodFetcher(fetch)\n\n const { result, response } = await fetcher(zWalletMetadata, ContentType.Json, clientMetadataUri, {\n method: 'GET',\n headers: {\n Accept: ContentType.Json,\n },\n })\n\n if (!response.ok) {\n throw new Oauth2ServerErrorResponseError({\n error_description: `Fetching client metadata from '${clientMetadataUri}' failed with status code '${response.status}'.`,\n error: Oauth2ErrorCodes.InvalidRequestUri,\n })\n }\n\n if (!result \|\| !result.success) {\n throw new Oauth2ServerErrorResponseError({\n error_description: `Parsing client metadata from '${clientMetadataUri}' failed.`,\n error: Oauth2ErrorCodes.InvalidRequestObject,\n })\n }\n\n return result.data\n}\n","import { z } from 'zod'\nimport { zClientIdScheme } from '../client-identifier-scheme/z-client-id-scheme'\nimport { zVpFormatsSupported } from './z-vp-formats-supported'\n\nexport const zWalletMetadata = z.object({\n presentation_definition_uri_supported: z.optional(z.boolean()),\n vp_formats_supported: zVpFormatsSupported,\n client_id_schemes_supported: z.optional(z.array(zClientIdScheme)),\n request_object_signing_alg_values_supported: z.optional(z.array(z.string())),\n authorization_encryption_alg_values_supported: z.optional(z.array(z.string())),\n authorization_encryption_enc_values_supported: z.optional(z.array(z.string())),\n})\n\nexport type WalletMetadata = z.infer<typeof zWalletMetadata>\n","import {\n type CallbackContext,\n type Jwk,\n type JwtSignerWithJwk,\n Oauth2ErrorCodes,\n Oauth2ServerErrorResponseError,\n decodeJwt,\n jwtSignerFromJwt,\n verifyJwt,\n zCompactJwe,\n zCompactJwt,\n} from '@openid4vc/oauth2'\nimport { type ClientIdScheme, zClientIdScheme } from '../../client-identifier-scheme/z-client-id-scheme'\nimport type { WalletMetadata } from '../../models/z-wallet-metadata'\nimport { parseAuthorizationRequestVersion } from '../../version'\nimport { fetchJarRequestObject } from '../jar-request-object/fetch-jar-request-object'\nimport { type JarRequestObjectPayload, zJarRequestObjectPayload } from '../jar-request-object/z-jar-request-object'\nimport { type JarAuthRequest, validateJarRequestParams } from '../z-jar-auth-request'\n\nexport interface VerifyJarRequestOptions {\n jarRequestParams: JarAuthRequest\n callbacks: Pick<CallbackContext, 'verifyJwt' \| 'decryptJwe'>\n wallet?: {\n metadata?: WalletMetadata\n nonce?: string\n }\n}\n\nexport interface VerifiedJarRequest {\n authRequestParams: JarRequestObjectPayload\n sendBy: 'value' \| 'reference'\n decryptionJwk?: Jwk\n signer: JwtSignerWithJwk\n}\n\n/\n Verifies a JAR (JWT Secured Authorization Request) request by validating, decrypting, and verifying signatures.\n \n @param options - The input parameters\n * @param options.jarRequestParams - The JAR authorization request parameters\n * @param options.callbacks - Context containing the relevant Jose crypto operations\n * @returns The verified authorization request parameters and metadata\n /\nexport async function verifyJarRequest(options: VerifyJarRequestOptions): Promise<VerifiedJarRequest> {\n const { callbacks, wallet = {} } = options\n\n const jarRequestParams = validateJarRequestParams(options)\n\n const sendBy = jarRequestParams.request ? 'value' : 'reference'\n const clientIdentifierScheme: ClientIdScheme = jarRequestParams.client_id\n ? zClientIdScheme.parse(jarRequestParams.client_id.split(':')[0])\n : 'web-origin'\n\n const method = jarRequestParams.request_uri_method ?? 'GET'\n if (method !== 'GET' && method !== 'POST') {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidRequestUriMethod,\n error_description: 'Invalid request_uri_method. Must be GET or POST.',\n })\n }\n\n const requestObject =\n jarRequestParams.request ??\n (await fetchJarRequestObject({\n requestUri: jarRequestParams.request_uri,\n clientIdentifierScheme,\n method,\n wallet,\n }))\n\n const requestObjectIsEncrypted = zCompactJwe.safeParse(requestObject).success\n const { decryptionJwk, payload: decryptedRequestObject } = requestObjectIsEncrypted\n ? await decryptJarRequest({ jwe: requestObject, callbacks })\n : { payload: requestObject, decryptionJwk: undefined }\n\n const requestIsSigned = zCompactJwt.safeParse(decryptedRequestObject).success\n if (!requestIsSigned) {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidRequestObject,\n error_description: 'Jar Request Object is not a valid JWS.',\n })\n }\n\n const { authRequestParams, signer } = await verifyJarRequestObject({\n decryptedRequestObject,\n callbacks,\n })\n if (!authRequestParams.client_id) {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidRequestObject,\n error_description: 'Jar Request Object is missing the required \"client_id\" field.',\n })\n }\n\n if (jarRequestParams.client_id !== authRequestParams.client_id) {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidRequest,\n error_description: 'client_id does not match the request object client_id.',\n })\n }\n\n return {\n sendBy,\n authRequestParams,\n signer,\n decryptionJwk,\n }\n}\n\nasync function decryptJarRequest(options: {\n jwe: string\n callbacks: Pick<CallbackContext, 'decryptJwe'>\n}) {\n const { jwe, callbacks } = options\n\n const { header } = decodeJwt({ jwt: jwe })\n if (!header.kid) {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidRequestObject,\n error_description: 'Jar JWE is missing the protected header field \"kid\".',\n })\n }\n\n const decryptionResult = await callbacks.decryptJwe(jwe)\n if (!decryptionResult.decrypted) {\n throw new Oauth2ServerErrorResponseError({\n error: 'invalid_request_object',\n error_description: 'Failed to decrypt jar request object.',\n })\n }\n\n return decryptionResult\n}\n\nasync function verifyJarRequestObject(options: {\n decryptedRequestObject: string\n callbacks: Pick<CallbackContext, 'verifyJwt'>\n}) {\n const { decryptedRequestObject, callbacks } = options\n\n const jwt = decodeJwt({ jwt: decryptedRequestObject, payloadSchema: zJarRequestObjectPayload })\n\n const jwtSigner = jwtSignerFromJwt(jwt)\n const { signer } = await verifyJwt({\n verifyJwtCallback: callbacks.verifyJwt,\n compact: decryptedRequestObject,\n header: jwt.header,\n payload: jwt.payload,\n signer: jwtSigner,\n })\n\n // biome-ignore lint/suspicious/noExplicitAny: <explanation>\n const version = parseAuthorizationRequestVersion(jwt.payload as any)\n if (jwt.header.typ !== 'oauth-authz-req+jwt' && version >= 24) {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidRequestObject,\n error_description: `Invalid Jar Request Object typ header. Expected \"oauth-authz-req+jwt\", received \"${jwt.header.typ}\".`,\n })\n }\n\n return { authRequestParams: jwt.payload, signer }\n}\n","import { Oauth2ErrorCodes, Oauth2ServerErrorResponseError } from '@openid4vc/oauth2'\nimport { type BaseSchema, ContentType, type Fetch, createZodFetcher, objectToQueryParams } from '@openid4vc/utils'\nimport { z } from 'zod'\nimport type { ClientIdScheme } from '../../client-identifier-scheme/z-client-id-scheme'\nimport type { WalletMetadata } from '../../models/z-wallet-metadata'\n\n/\n Fetch a request object and parse the response.\n * If you want to fetch the request object without providing wallet_metadata or wallet_nonce as defined in jar you can use the `fetchJarRequestObject` function.\n \n Returns validated request object if successful response\n * Throws error otherwise\n \n @throws {ValidationError} if successful response but validation of response failed\n * @throws {InvalidFetchResponseError} if no successful or 404 response\n * @throws {Error} if parsing json from response fails\n /\nexport async function fetchJarRequestObject<Schema extends BaseSchema>(options: {\n requestUri: string\n clientIdentifierScheme: ClientIdScheme\n method: 'GET' \| 'POST'\n wallet: {\n metadata?: WalletMetadata\n nonce?: string\n }\n fetch?: Fetch\n}): Promise<z.infer<Schema> \| null> {\n const { requestUri, clientIdentifierScheme, method, wallet, fetch } = options\n const fetcher = createZodFetcher(fetch)\n\n let requestBody = wallet.metadata ? { wallet_metadata: wallet.metadata, wallet_nonce: wallet.nonce } : undefined\n if (\n requestBody?.wallet_metadata?.request_object_signing_alg_values_supported &&\n clientIdentifierScheme === 'redirect_uri'\n ) {\n // This value indicates that the Client Identifier (without the prefix redirect_uri:) is the Verifier's Redirect URI (or Response URI when Response Mode direct_post is used). The Authorization Request MUST NOT be signed.\n const { request_object_signing_alg_values_supported, ...rest } = requestBody.wallet_metadata\n requestBody = { ...requestBody, wallet_metadata: { ...rest } }\n }\n\n const { result, response } = await fetcher(z.string(), ContentType.OAuthRequestObjectJwt, requestUri, {\n method,\n headers: {\n Accept: `${ContentType.OAuthRequestObjectJwt}, ${ContentType.Jwt};q=0.9`,\n 'Content-Type': ContentType.XWwwFormUrlencoded,\n },\n body: method === 'POST' ? objectToQueryParams(wallet.metadata ?? {}) : undefined,\n })\n\n if (!response.ok) {\n throw new Oauth2ServerErrorResponseError({\n error_description: `Fetching request_object from request_uri '${requestUri}' failed with status code '${response.status}'.`,\n error: Oauth2ErrorCodes.InvalidRequestUri,\n })\n }\n\n if (!result \|\| !result.success) {\n throw new Oauth2ServerErrorResponseError({\n error_description: `Parsing request_object from request_uri '${requestUri}' failed.`,\n error: Oauth2ErrorCodes.InvalidRequestObject,\n })\n }\n\n return result.data\n}\n","import { zJwtPayload } from '@openid4vc/oauth2'\nimport { z } from 'zod'\n\nexport const zJarRequestObjectPayload = z\n .object({\n ...zJwtPayload.shape,\n client_id: z.string(),\n })\n .passthrough()\nexport type JarRequestObjectPayload = z.infer<typeof zJarRequestObjectPayload>\n","import { Oauth2ErrorCodes, Oauth2ServerErrorResponseError } from '@openid4vc/oauth2'\nimport { decodeBase64, encodeToUtf8String, parseIfJson } from '@openid4vc/utils'\nimport { type TransactionData, zTransactionData } from './z-transaction-data'\n\nexport interface ParseTransactionDataOptions {\n transactionData: string[]\n}\n\nexport function parseTransactionData(options: ParseTransactionDataOptions): TransactionData {\n const { transactionData } = options\n\n const decoded = transactionData.map((tdEntry) => parseIfJson(encodeToUtf8String(decodeBase64(tdEntry))))\n\n const parsedResult = zTransactionData.safeParse(decoded)\n if (!parsedResult.success) {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidTransactionData,\n error_description: 'Failed to parse transaction data.',\n })\n }\n\n return parsedResult.data\n}\n","import { z } from 'zod'\n\nexport const zTransactionEntry = z.object({\n type: z.string(),\n credential_ids: z.array(z.string()).min(1),\n transaction_data_hashes_alg: z.array(z.string()).optional(),\n})\nexport type TransactionDataEntry = z.infer<typeof zTransactionEntry>\n\nexport const zTransactionData = z.array(zTransactionEntry)\nexport type TransactionData = z.infer<typeof zTransactionData>\n","import {\n type CallbackContext,\n type JwtSigner,\n Oauth2Error,\n Oauth2ErrorCodes,\n Oauth2ServerErrorResponseError,\n} from '@openid4vc/oauth2'\nimport { dateToSeconds } from '@openid4vc/utils'\nimport { addSecondsToDate } from '../../../utils/src/date'\nimport type { Openid4vpAuthorizationRequest } from '../authorization-request/z-authorization-request'\nimport type { Openid4vpAuthorizationRequestDcApi } from '../authorization-request/z-authorization-request-dc-api'\nimport { createJarmAuthResponse } from '../jarm/jarm-auth-response-create'\nimport { extractJwksFromClientMetadata } from '../jarm/jarm-extract-jwks'\nimport { isJarmResponseMode } from '../jarm/jarm-response-mode'\nimport { jarmAssertMetadataSupported } from '../jarm/metadata/jarm-assert-metadata-supported'\nimport type { JarmServerMetadata } from '../jarm/metadata/z-jarm-authorization-server-metadata'\nimport type { Openid4vpAuthorizationResponse } from './z-authorization-response'\n\nexport interface CreateOpenid4vpAuthorizationResponseOptions {\n requestPayload:\n \| Pick<Openid4vpAuthorizationRequest, 'state' \| 'client_metadata' \| 'nonce' \| 'response_mode'>\n \| Pick<Openid4vpAuthorizationRequestDcApi, 'client_metadata' \| 'response_mode' \| 'nonce'>\n responsePayload: Openid4vpAuthorizationResponse & { state?: never }\n jarm?: {\n jwtSigner?: JwtSigner\n encryption?: { nonce: string }\n serverMetadata: JarmServerMetadata\n authorizationServer?: string // The issuer URL of the authorization server that created the response\n audience?: string // The client_id of the client the response is intended for\n expiresInSeconds?: number // The expiration time of the JWT. A maximum JWT lifetime of 10 minutes is RECOMMENDED.\n }\n callbacks: Pick<CallbackContext, 'signJwt' \| 'encryptJwe'>\n}\n\nexport interface CreateOpenid4vpAuthorizationResponseResult {\n responsePayload: Openid4vpAuthorizationResponse\n jarm?: { responseJwt: string }\n}\n\nexport async function createOpenid4vpAuthorizationResponse(\n options: CreateOpenid4vpAuthorizationResponseOptions\n): Promise<CreateOpenid4vpAuthorizationResponseResult> {\n const { requestPayload, jarm, callbacks } = options\n const responsePayload = {\n ...options.responsePayload,\n ...('state' in requestPayload && { state: requestPayload.state }),\n } satisfies Openid4vpAuthorizationResponse\n\n if (requestPayload.response_mode && isJarmResponseMode(requestPayload.response_mode) && !jarm) {\n throw new Oauth2Error(\n `Missing jarm options for creating Jarm response with response mode '${requestPayload.response_mode}'`\n )\n }\n\n if (!jarm) {\n return {\n responsePayload,\n }\n }\n\n if (!requestPayload.client_metadata) {\n throw new Oauth2Error('Missing client metadata in the request params to assert Jarm metadata support.')\n }\n\n if (!requestPayload.client_metadata.jwks) {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidRequest,\n error_description: 'Missing JWKS in client metadata. Cannot extract encryption JWK.',\n })\n }\n\n const supportedJarmMetadata = jarmAssertMetadataSupported({\n clientMetadata: requestPayload.client_metadata,\n serverMetadata: jarm.serverMetadata,\n })\n\n const clientMetaJwks = extractJwksFromClientMetadata({\n ...requestPayload.client_metadata,\n jwks: requestPayload.client_metadata.jwks,\n })\n\n if (!clientMetaJwks?.encJwk) {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidRequest,\n error_description: 'Could not extract encryption JWK from client metadata. Failed to create JARM response.',\n })\n }\n\n // When the response is NOT only encrypted, the JWT payload needs to include the iss, aud and exp.\n let additionalJwtPayload: Record<string, string \| number> \| undefined\n if (jarm?.jwtSigner) {\n if (!jarm.authorizationServer) {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidRequest,\n error_description: 'Missing required iss in JARM configuration for creating OpenID4VP authorization response.',\n })\n }\n\n if (!jarm.audience) {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidRequest,\n error_description: 'Missing required aud in JARM configuration for creating OpenID4VP authorization response.',\n })\n }\n\n additionalJwtPayload = {\n iss: jarm.authorizationServer,\n aud: jarm.audience,\n exp: jarm.expiresInSeconds ?? dateToSeconds(addSecondsToDate(new Date(), 60 10)), // default: 10 minutes\n }\n }\n\n const jarmResponsePayload = {\n ...responsePayload,\n ...additionalJwtPayload,\n } satisfies Openid4vpAuthorizationResponse\n\n const result = await createJarmAuthResponse({\n jarmAuthResponse: jarmResponsePayload,\n jwtSigner: jarm?.jwtSigner,\n jweEncryptor:\n jarm?.encryption && (supportedJarmMetadata.type === 'encrypt' \|\| supportedJarmMetadata.type === 'sign_encrypt')\n ? {\n method: 'jwk',\n publicJwk: clientMetaJwks.encJwk,\n apu: jarm.encryption?.nonce,\n apv: requestPayload.nonce,\n alg: supportedJarmMetadata.client_metadata.authorization_encrypted_response_alg,\n enc: supportedJarmMetadata.client_metadata.authorization_encrypted_response_enc,\n }\n : undefined,\n callbacks: {\n signJwt: callbacks.signJwt,\n encryptJwe: callbacks.encryptJwe,\n },\n })\n\n return {\n responsePayload: jarmResponsePayload,\n jarm: { responseJwt: result.jarmAuthResponseJwt },\n }\n}\n","/*\n Get the time in seconds since epoch for a date.\n * If date is not provided the current time will be used.\n /\nexport function dateToSeconds(date?: Date) {\n const milliseconds = date?.getTime() ?? Date.now()\n\n return Math.floor(milliseconds / 1000)\n}\n\nexport function addSecondsToDate(date: Date, seconds: number) {\n return new Date(date.getTime() + seconds 1000)\n}\n","import {\n type CallbackContext,\n type JweEncryptor,\n type JwtSigner,\n Oauth2Error,\n jwtHeaderFromJwtSigner,\n} from '@openid4vc/oauth2'\nimport type { JarmAuthResponse, JarmAuthResponseEncryptedOnly } from './jarm-auth-response/z-jarm-auth-response'\n\nexport interface CreateJarmAuthResponseOptions {\n jarmAuthResponse: JarmAuthResponse \| JarmAuthResponseEncryptedOnly\n jwtSigner?: JwtSigner\n jweEncryptor?: JweEncryptor\n callbacks: Pick<CallbackContext, 'signJwt' \| 'encryptJwe'>\n}\n\nexport async function createJarmAuthResponse(options: CreateJarmAuthResponseOptions) {\n const { jarmAuthResponse, jweEncryptor, jwtSigner, callbacks } = options\n if (!jwtSigner && jweEncryptor) {\n const { jwe } = await callbacks.encryptJwe(jweEncryptor, JSON.stringify(jarmAuthResponse))\n return { jarmAuthResponseJwt: jwe }\n }\n\n if (jwtSigner && !jweEncryptor) {\n const signed = await callbacks.signJwt(jwtSigner, {\n header: jwtHeaderFromJwtSigner(jwtSigner),\n payload: jarmAuthResponse,\n })\n return { jarmAuthResponseJwt: signed.jwt }\n }\n\n if (!jwtSigner \|\| !jweEncryptor) {\n throw new Oauth2Error('JWT signer and/or encryptor are required to create a JARM auth response.')\n }\n const signed = await callbacks.signJwt(jwtSigner, {\n header: jwtHeaderFromJwtSigner(jwtSigner),\n payload: jarmAuthResponse,\n })\n\n const encrypted = await callbacks.encryptJwe(jweEncryptor, signed.jwt)\n\n return { jarmAuthResponseJwt: encrypted.jwe }\n}\n","import type { JwkSet } from '@openid4vc/oauth2'\nimport { type JarmClientMetadata, zJarmClientMetadataParsed } from './metadata/z-jarm-client-metadata'\n\nexport function extractJwksFromClientMetadata(clientMetadata: JarmClientMetadata & { jwks: JwkSet }) {\n const parsed = zJarmClientMetadataParsed.parse(clientMetadata)\n\n const encryptionAlg = parsed.client_metadata.authorization_encrypted_response_enc\n const signingAlg = parsed.client_metadata.authorization_signed_response_alg\n\n const encJwk =\n clientMetadata.jwks.keys.find((key) => key.use === 'enc' && key.alg === encryptionAlg) ??\n clientMetadata.jwks.keys.find((key) => key.use === 'enc') ??\n // fallback, take first key. HAIP does not specify requirement on enc\n clientMetadata.jwks.keys?.[0]\n\n const sigJwk =\n clientMetadata.jwks.keys.find((key) => key.use === 'sig' && key.alg === signingAlg) ??\n clientMetadata.jwks.keys.find((key) => key.use === 'sig') ??\n // falback, take first key\n clientMetadata.jwks.keys?.[0]\n\n return { encJwk, sigJwk }\n}\n","import { z } from 'zod'\n\nexport const jarmResponseMode = [\n 'jwt',\n 'query.jwt',\n 'fragment.jwt',\n 'form_post.jwt',\n 'direct_post.jwt',\n 'dc_api.jwt',\n] as const\nexport const zJarmResponseMode = z.enum(jarmResponseMode)\n\nexport type JarmResponseMode = (typeof jarmResponseMode)[number]\n\nexport const isJarmResponseMode = (responseMode: string): responseMode is JarmResponseMode => {\n return jarmResponseMode.includes(responseMode as JarmResponseMode)\n}\n","import { Oauth2Error } from '@openid4vc/oauth2'\nimport type { JarmServerMetadata } from './z-jarm-authorization-server-metadata'\nimport { type JarmClientMetadata, zJarmClientMetadataParsed } from './z-jarm-client-metadata'\n\ninterface AssertValueSupported<T> {\n supported: T[]\n actual: T\n errorMessage: string\n}\n\nfunction assertValueSupported<T>(options: AssertValueSupported<T>): T {\n const { errorMessage, supported, actual } = options\n const intersection = supported.find((value) => value === actual)\n\n if (!intersection) {\n throw new Oauth2Error(errorMessage)\n }\n\n return intersection\n}\n\nexport function jarmAssertMetadataSupported(options: {\n clientMetadata: JarmClientMetadata\n serverMetadata: JarmServerMetadata\n}) {\n const { clientMetadata, serverMetadata } = options\n const parsedClientMetadata = zJarmClientMetadataParsed.parse(clientMetadata)\n\n if (parsedClientMetadata.type === 'sign_encrypt' \|\| parsedClientMetadata.type === 'encrypt') {\n if (serverMetadata.authorization_encryption_alg_values_supported) {\n assertValueSupported({\n supported: serverMetadata.authorization_encryption_alg_values_supported,\n actual: parsedClientMetadata.client_metadata.authorization_encrypted_response_alg,\n errorMessage: 'Invalid authorization_encryption_alg',\n })\n }\n\n if (serverMetadata.authorization_encryption_enc_values_supported) {\n assertValueSupported({\n supported: serverMetadata.authorization_encryption_enc_values_supported,\n actual: parsedClientMetadata.client_metadata.authorization_encrypted_response_enc,\n errorMessage: 'Invalid authorization_encryption_enc',\n })\n }\n }\n\n if (\n serverMetadata.authorization_signing_alg_values_supported &&\n (parsedClientMetadata.type === 'sign' \|\| parsedClientMetadata.type === 'sign_encrypt')\n ) {\n assertValueSupported({\n supported: serverMetadata.authorization_signing_alg_values_supported,\n actual: parsedClientMetadata.client_metadata.authorization_signed_response_alg,\n errorMessage: 'Invalid authorization_signed_response_alg',\n })\n }\n\n return parsedClientMetadata\n}\n","import { type CallbackContext, Oauth2Error } from '@openid4vc/oauth2'\nimport { ContentType, defaultFetcher } from '@openid4vc/utils'\nimport { objectToQueryParams } from '@openid4vc/utils'\nimport type { Openid4vpAuthorizationRequest } from '../authorization-request/z-authorization-request'\nimport { jarmAuthResponseSend } from '../jarm/jarm-auth-response-send'\nimport type { Openid4vpAuthorizationResponse } from './z-authorization-response'\n\nexport interface SubmitOpenid4vpAuthorizationResponseOptions {\n requestPayload: Pick<Openid4vpAuthorizationRequest, 'response_uri'>\n responsePayload: Openid4vpAuthorizationResponse\n jarm?: { responseJwt: string }\n callbacks: Pick<CallbackContext, 'fetch'>\n}\n\nexport async function submitOpenid4vpAuthorizationResponse(options: SubmitOpenid4vpAuthorizationResponseOptions) {\n const { requestPayload, responsePayload, jarm, callbacks } = options\n const url = requestPayload.response_uri\n\n if (jarm) {\n return jarmAuthResponseSend({\n authRequest: requestPayload,\n jarmAuthResponseJwt: jarm.responseJwt,\n callbacks,\n })\n }\n\n if (!url) {\n throw new Oauth2Error(\n 'Failed to submit OpenId4Vp Authorization Response. No redirect_uri or response_uri provided.'\n )\n }\n\n const fetch = callbacks.fetch ?? defaultFetcher\n const encodedResponse = objectToQueryParams(responsePayload)\n const submissionResponse = await fetch(url, {\n method: 'POST',\n body: encodedResponse,\n headers: {\n 'Content-Type': ContentType.XWwwFormUrlencoded,\n },\n })\n\n return {\n responseMode: 'direct_post',\n response: submissionResponse,\n }\n}\n","import { type CallbackContext, Oauth2Error } from '@openid4vc/oauth2'\nimport { ContentType, URL, defaultFetcher } from '@openid4vc/utils'\n\ninterface JarmAuthResponseSendOptions {\n authRequest: {\n response_uri?: string\n redirect_uri?: string\n }\n jarmAuthResponseJwt: string\n callbacks: Pick<CallbackContext, 'fetch'>\n}\n\nexport const jarmAuthResponseSend = (options: JarmAuthResponseSendOptions) => {\n const { authRequest, jarmAuthResponseJwt, callbacks } = options\n\n const responseEndpoint = authRequest.response_uri ?? authRequest.redirect_uri\n if (!responseEndpoint) {\n throw new Oauth2Error(`Either 'response_uri' or 'redirect_uri' MUST be present in the authorization request`)\n }\n\n const responseEndpointUrl = new URL(responseEndpoint)\n return handleDirectPostJwt(responseEndpointUrl, jarmAuthResponseJwt, callbacks)\n}\n\nasync function handleDirectPostJwt(\n responseEndpoint: URL,\n responseJwt: string,\n callbacks: Pick<CallbackContext, 'fetch'>\n) {\n const response = await (callbacks.fetch ?? defaultFetcher)(responseEndpoint, {\n method: 'POST',\n headers: { 'Content-Type': ContentType.XWwwFormUrlencoded },\n body: `response=${responseJwt}`,\n })\n\n return {\n responseMode: 'direct_post.jwt',\n response,\n } as const\n}\n","import { Oauth2Error } from '@openid4vc/oauth2'\nimport type { Openid4vpAuthorizationRequest } from '../authorization-request/z-authorization-request'\nimport type { Openid4vpAuthorizationRequestDcApi } from '../authorization-request/z-authorization-request-dc-api'\nimport { parseDcqlVpToken, parsePexVpToken } from '../vp-token/parse-vp-token'\nimport type { ValidateOpenid4VpAuthorizationResponseResult } from './validate-authorization-response-result'\nimport type { Openid4vpAuthorizationResponse } from './z-authorization-response'\n\nexport interface ValidateOpenid4vpAuthorizationResponseOptions {\n requestPayload: Openid4vpAuthorizationRequest \| Openid4vpAuthorizationRequestDcApi\n responsePayload: Openid4vpAuthorizationResponse\n}\n\n/*\n The following steps need to be performed outside of this library\n * - verifying the presentations\n * - validating the presentations against the presentation definition\n * - checking the revocation status of the presentations\n * - checking the nonce of the presentations matches the nonce of the request (for mdoc's)\n /\nexport function validateOpenid4vpAuthorizationResponsePayload(\n options: ValidateOpenid4vpAuthorizationResponseOptions\n): ValidateOpenid4VpAuthorizationResponseResult {\n const { requestPayload, responsePayload } = options\n\n if ('state' in requestPayload && requestPayload.state !== responsePayload.state) {\n throw new Oauth2Error('OpenId4Vp Authorization Response state mismatch.')\n }\n\n // TODO: implement id_token handling\n if (responsePayload.id_token) {\n throw new Oauth2Error('OpenId4Vp Authorization Response id_token is not supported.')\n }\n\n if (responsePayload.presentation_submission) {\n if (!requestPayload.presentation_definition) {\n throw new Oauth2Error('OpenId4Vp Authorization Request is missing the required presentation_definition.')\n }\n\n return {\n type: 'pex',\n pex:\n 'scope' in requestPayload && requestPayload.scope\n ? {\n scope: requestPayload.scope,\n presentationSubmission: responsePayload.presentation_submission,\n presentations: parsePexVpToken(responsePayload.vp_token),\n }\n : {\n presentationDefinition: requestPayload.presentation_definition,\n presentationSubmission: responsePayload.presentation_submission,\n presentations: parsePexVpToken(responsePayload.vp_token),\n },\n }\n }\n\n if (requestPayload.dcql_query) {\n const presentations = parseDcqlVpToken(responsePayload.vp_token)\n\n return {\n type: 'dcql',\n dcql:\n 'scope' in requestPayload && requestPayload.scope\n ? {\n scope: requestPayload.scope,\n presentations,\n }\n : {\n query: requestPayload.dcql_query,\n presentations,\n },\n }\n }\n\n throw new Oauth2Error(\n 'Invalid OpenId4Vp Authorization Response. Response neither contains a presentation_submission nor request contains a dcql_query.'\n )\n}\n","import { parseIfJson, parseWithErrorHandling } from '@openid4vc/utils'\nimport { type VpTokenDcql, type VpTokenPexEntry, zVpTokenDcql, zVpTokenPex } from './z-vp-token'\n\nexport function parsePexVpToken(vpToken: unknown): [VpTokenPexEntry, ...VpTokenPexEntry[]] {\n const parsedVpToken = parseWithErrorHandling(\n zVpTokenPex,\n parseIfJson(vpToken),\n 'Could not parse presentation exchange vp_token. Expected a string or an array of strings'\n )\n\n return Array.isArray(parsedVpToken) ? (parsedVpToken as [VpTokenPexEntry, ...VpTokenPexEntry[]]) : [parsedVpToken]\n}\n\nexport function parseDcqlVpToken(vpToken: unknown): VpTokenDcql {\n return parseWithErrorHandling(\n zVpTokenDcql,\n parseIfJson(vpToken),\n 'Could not parse dcql vp_token. Expected an object where the values are encoded presentations'\n )\n}\n","import { z } from 'zod'\n\nconst zVpTokenPexEntry = z.union([z.string(), z.record(z.any())], {\n message: 'pex vp_token entry must be a string or object',\n})\n\nexport const zVpTokenPex = z.union(\n [zVpTokenPexEntry, z.array(zVpTokenPexEntry).nonempty('Must have at least entry in vp_token array')],\n {\n message: 'pex vp_token must be a string, object or array of strings and objects',\n }\n)\nexport type VpTokenPex = z.infer<typeof zVpTokenPex>\nexport type VpTokenPexEntry = z.infer<typeof zVpTokenPexEntry>\n\nexport const zVpTokenDcql = z.record(z.union([z.string(), z.record(z.any())]), {\n message:\n 'dcql vp_token must be an object with keys referencing the dcql credential query id, and values the encoded (string or object) presentation',\n})\nexport type VpTokenDcql = z.infer<typeof zVpTokenDcql>\n\nexport const zVpToken = zVpTokenDcql.or(zVpTokenPex)\nexport type VpToken = z.infer<typeof zVpToken>\n","import { type CallbackContext, Oauth2Error, Oauth2ServerErrorResponseError } from '@openid4vc/oauth2'\nimport { parseOpenid4vpAuthorizationRequestPayload } from '../authorization-request/parse-authorization-request-params'\nimport type { Openid4vpAuthorizationRequest } from '../authorization-request/z-authorization-request'\nimport type { Openid4vpAuthorizationRequestDcApi } from '../authorization-request/z-authorization-request-dc-api'\nimport type {\n GetOpenid4vpAuthorizationRequestCallback,\n VerifiedJarmAuthorizationResponse,\n} from '../jarm/jarm-auth-response/verify-jarm-auth-response'\nimport type { JarmHeader } from '../jarm/jarm-auth-response/z-jarm-auth-response'\nimport { isJarmResponseMode } from '../jarm/jarm-response-mode'\nimport { parseOpenid4VpAuthorizationResponsePayload } from './parse-authorization-response-payload'\nimport { parseJarmAuthorizationResponse } from './parse-jarm-authorization-response'\nimport { validateOpenid4vpAuthorizationResponsePayload } from './validate-authorization-response'\nimport type { ValidateOpenid4VpAuthorizationResponseResult } from './validate-authorization-response-result'\nimport type { Openid4vpAuthorizationResponse } from './z-authorization-response'\n\nexport interface ParseOpenid4vpAuthorizationResponseOptions {\n responsePayload: Record<string, unknown>\n callbacks: Pick<CallbackContext, 'decryptJwe' \| 'verifyJwt'> & {\n getOpenid4vpAuthorizationRequest: GetOpenid4vpAuthorizationRequestCallback\n }\n}\n\nexport type ParsedOpenid4vpAuthorizationResponse = ValidateOpenid4VpAuthorizationResponseResult & {\n authorizationResponsePayload: Openid4vpAuthorizationResponse\n authorizationRequestPayload: Openid4vpAuthorizationRequest \| Openid4vpAuthorizationRequestDcApi\n\n expectedNonce: string\n\n // TODO: return this\n // expectedTransactionDataHashes?: []\n\n jarm?: VerifiedJarmAuthorizationResponse & {\n jarmHeader: JarmHeader\n mdocGeneratedNonce?: string\n }\n}\n\nexport async function parseOpenid4vpAuthorizationResponse(\n options: ParseOpenid4vpAuthorizationResponseOptions\n): Promise<ParsedOpenid4vpAuthorizationResponse> {\n const { responsePayload, callbacks } = options\n\n if (responsePayload.response) {\n return parseJarmAuthorizationResponse({ jarmResponseJwt: responsePayload.response as string, callbacks })\n }\n\n const authorizationResponsePayload = parseOpenid4VpAuthorizationResponsePayload(responsePayload)\n\n const { authorizationRequest } = await callbacks.getOpenid4vpAuthorizationRequest(authorizationResponsePayload)\n const parsedAuthRequest = parseOpenid4vpAuthorizationRequestPayload({ authorizationRequest: authorizationRequest })\n if (parsedAuthRequest.type !== 'openid4vp' && parsedAuthRequest.type !== 'openid4vp_dc_api') {\n throw new Oauth2Error('Invalid authorization request. Could not parse openid4vp authorization request.')\n }\n\n const authorizationRequestPayload = parsedAuthRequest.params\n\n const validateOpenId4vpResponse = validateOpenid4vpAuthorizationResponsePayload({\n requestPayload: authorizationRequestPayload,\n responsePayload: authorizationResponsePayload,\n })\n\n if (authorizationRequestPayload.response_mode && isJarmResponseMode(authorizationRequestPayload.response_mode)) {\n throw new Oauth2ServerErrorResponseError(\n {\n error: 'invalid_request',\n error_description: 'Invalid response mode for openid4vp response. Expected jarm response.',\n },\n {\n status: 400,\n }\n )\n }\n\n return {\n ...validateOpenId4vpResponse,\n expectedNonce: authorizationRequestPayload.nonce,\n\n authorizationResponsePayload,\n authorizationRequestPayload,\n jarm: undefined,\n }\n}\n","import { parseWithErrorHandling } from '@openid4vc/utils'\nimport { zOpenid4vpAuthorizationResponse } from './z-authorization-response'\n\nexport function parseOpenid4VpAuthorizationResponsePayload(payload: Record<string, unknown>) {\n return parseWithErrorHandling(\n zOpenid4vpAuthorizationResponse,\n payload,\n 'Failed to parse openid4vp authorization response.'\n )\n}\n","import { z } from 'zod'\nimport { zPexPresentationSubmission } from '../models/z-pex'\nimport { zVpToken } from '../vp-token/z-vp-token'\n\nexport const zOpenid4vpAuthorizationResponse = z\n .object({\n state: z.string().optional(),\n id_token: z.string().optional(),\n vp_token: zVpToken,\n presentation_submission: zPexPresentationSubmission.optional(),\n refresh_token: z.string().optional(),\n token_type: z.string().optional(),\n access_token: z.string().optional(),\n expires_in: z.number().optional(),\n })\n .passthrough()\nexport type Openid4vpAuthorizationResponse = z.infer<typeof zOpenid4vpAuthorizationResponse>\n","import { z } from 'zod'\n\nexport const zPexPresentationDefinition = z.record(z.any())\nexport const zPexPresentationSubmission = z.record(z.any())\n\nexport type PexPresentationDefinition = z.infer<typeof zPexPresentationDefinition>\nexport type PexPresentationSubmission = z.infer<typeof zPexPresentationSubmission>\n","import { type CallbackContext, Oauth2Error, decodeJwtHeader, zCompactJwe, zCompactJwt } from '@openid4vc/oauth2'\nimport { decodeBase64, encodeToUtf8String, parseWithErrorHandling } from '@openid4vc/utils'\nimport z from 'zod'\nimport { parseOpenid4vpAuthorizationRequestPayload } from '../authorization-request/parse-authorization-request-params'\nimport {\n type GetOpenid4vpAuthorizationRequestCallback,\n verifyJarmAuthorizationResponse,\n} from '../jarm/jarm-auth-response/verify-jarm-auth-response'\nimport { zJarmHeader } from '../jarm/jarm-auth-response/z-jarm-auth-response'\nimport { isJarmResponseMode } from '../jarm/jarm-response-mode'\nimport type { ParsedOpenid4vpAuthorizationResponse } from './parse-authorization-response'\nimport { parseOpenid4VpAuthorizationResponsePayload } from './parse-authorization-response-payload'\nimport { validateOpenid4vpAuthorizationResponsePayload } from './validate-authorization-response'\n\nexport interface ParseJarmAuthorizationResponseOptions {\n jarmResponseJwt: string\n callbacks: Pick<CallbackContext, 'decryptJwe' \| 'verifyJwt'> & {\n getOpenid4vpAuthorizationRequest: GetOpenid4vpAuthorizationRequestCallback\n }\n}\n\nexport async function parseJarmAuthorizationResponse(\n options: ParseJarmAuthorizationResponseOptions\n): Promise<ParsedOpenid4vpAuthorizationResponse> {\n const { jarmResponseJwt, callbacks } = options\n\n const jarmAuthorizationResponseJwt = parseWithErrorHandling(\n z.union([zCompactJwt, zCompactJwe]),\n jarmResponseJwt,\n 'Invalid jarm authorization response jwt.'\n )\n\n const verifiedJarmResponse = await verifyJarmAuthorizationResponse({ jarmAuthorizationResponseJwt, callbacks })\n\n const { header: jarmHeader } = decodeJwtHeader({\n jwt: jarmAuthorizationResponseJwt,\n headerSchema: zJarmHeader,\n })\n\n const parsedAuthorizationRequest = parseOpenid4vpAuthorizationRequestPayload({\n authorizationRequest: verifiedJarmResponse.authorizationRequest,\n })\n\n if (parsedAuthorizationRequest.type !== 'openid4vp' && parsedAuthorizationRequest.type !== 'openid4vp_dc_api') {\n throw new Oauth2Error('Invalid authorization request. Could not parse openid4vp authorization request.')\n }\n\n const authorizationResponsePayload = parseOpenid4VpAuthorizationResponsePayload(verifiedJarmResponse.jarmAuthResponse)\n const validateOpenId4vpResponse = validateOpenid4vpAuthorizationResponsePayload({\n requestPayload: parsedAuthorizationRequest.params,\n responsePayload: authorizationResponsePayload,\n })\n\n const authorizationRequestPayload = parsedAuthorizationRequest.params\n if (!authorizationRequestPayload.response_mode \|\| !isJarmResponseMode(authorizationRequestPayload.response_mode)) {\n throw new Oauth2Error(\n `Invalid response mode for jarm response. Response mode: '${authorizationRequestPayload.response_mode ?? 'fragment'}'`\n )\n }\n\n let mdocGeneratedNonce: string \| undefined = undefined\n\n if (jarmHeader?.apu) {\n mdocGeneratedNonce = encodeToUtf8String(decodeBase64(jarmHeader.apu))\n }\n if (jarmHeader?.apv) {\n const jarmRequestNonce = encodeToUtf8String(decodeBase64(jarmHeader.apv))\n if (jarmRequestNonce !== authorizationRequestPayload.nonce) {\n throw new Oauth2Error('The nonce in the jarm header does not match the nonce in the request.')\n }\n }\n\n return {\n ...validateOpenId4vpResponse,\n jarm: { ...verifiedJarmResponse, jarmHeader, mdocGeneratedNonce },\n\n expectedNonce: authorizationRequestPayload.nonce,\n authorizationResponsePayload,\n authorizationRequestPayload,\n }\n}\n","import type { CallbackContext } from '@openid4vc/oauth2'\nimport {} from './authorization-request/create-authorization-request'\nimport { parseOpenid4vpAuthorizationRequestPayload } from './authorization-request/parse-authorization-request-params'\nimport type { ParseOpenid4vpAuthRequestPayloadOptions } from './authorization-request/parse-authorization-request-params'\nimport {\n type ResolveOpenid4vpAuthorizationRequestOptions,\n resolveOpenid4vpAuthorizationRequest,\n} from './authorization-request/resolve-authorization-request'\nimport {\n type CreateOpenid4vpAuthorizationResponseOptions,\n createOpenid4vpAuthorizationResponse,\n} from './authorization-response/create-authorization-response'\nimport {\n type SubmitOpenid4vpAuthorizationResponseOptions,\n submitOpenid4vpAuthorizationResponse,\n} from './authorization-response/submit-authorization-response'\n\nexport interface Openid4vpClientOptions {\n /\n Callbacks required for the openid4vp client\n /\n callbacks: Omit<CallbackContext, 'hash' \| 'generateRandom' \| 'clientAuthentication'>\n}\n\nexport class Openid4vpClient {\n public constructor(private options: Openid4vpClientOptions) {}\n\n public parseOpenid4vpAuthorizationRequestPayload(options: ParseOpenid4vpAuthRequestPayloadOptions) {\n return parseOpenid4vpAuthorizationRequestPayload(options)\n }\n\n public async resolveOpenId4vpAuthorizationRequest(\n options: Omit<ResolveOpenid4vpAuthorizationRequestOptions, 'callbacks'>\n ) {\n return resolveOpenid4vpAuthorizationRequest({ ...options, callbacks: this.options.callbacks })\n }\n\n public async createOpenid4vpAuthorizationResponse(\n options: Omit<CreateOpenid4vpAuthorizationResponseOptions, 'callbacks'>\n ) {\n return createOpenid4vpAuthorizationResponse({ ...options, callbacks: this.options.callbacks })\n }\n\n public async submitOpenid4vpAuthorizationResponse(\n options: Omit<SubmitOpenid4vpAuthorizationResponseOptions, 'callbacks'>\n ) {\n return submitOpenid4vpAuthorizationResponse({ ...options, callbacks: this.options.callbacks })\n }\n}\n","import type { CallbackContext } from '@openid4vc/oauth2'\nimport {\n type CreateOpenid4vpAuthorizationRequestOptions,\n createOpenid4vpAuthorizationRequest,\n} from './authorization-request/create-authorization-request'\nimport {\n type ParseOpenid4vpAuthRequestPayloadOptions,\n parseOpenid4vpAuthorizationRequestPayload,\n} from './authorization-request/parse-authorization-request-params'\nimport {\n type ParseOpenid4vpAuthorizationResponseOptions,\n parseOpenid4vpAuthorizationResponse,\n} from './authorization-response/parse-authorization-response'\nimport {\n type ValidateOpenid4vpAuthorizationResponseOptions,\n validateOpenid4vpAuthorizationResponsePayload,\n} from './authorization-response/validate-authorization-response'\nimport type { ParseTransactionDataOptions } from './transaction-data/parse-transaction-data'\nimport { parseTransactionData } from './transaction-data/parse-transaction-data'\nimport { parseDcqlVpToken, parsePexVpToken } from './vp-token/parse-vp-token'\n\nexport interface Openid4vpVerifierOptions {\n /\n Callbacks required for the openid4vp verifier\n */\n callbacks: Omit<CallbackContext, 'hash' \| 'generateRandom' \| 'clientAuthentication'>\n}\n\nexport class Openid4vpVerifier {\n public constructor(private options: Openid4vpVerifierOptions) {}\n\n public async createOpenId4vpAuthorizationRequest(\n options: Omit<CreateOpenid4vpAuthorizationRequestOptions, 'callbacks'>\n ) {\n return createOpenid4vpAuthorizationRequest({ ...options, callbacks: this.options.callbacks })\n }\n\n public parseOpenid4vpAuthorizationRequestPayload(options: ParseOpenid4vpAuthRequestPayloadOptions) {\n return parseOpenid4vpAuthorizationRequestPayload(options)\n }\n\n public parseOpenid4vpAuthorizationResponse(options: ParseOpenid4vpAuthorizationResponseOptions) {\n return parseOpenid4vpAuthorizationResponse(options)\n }\n\n public validateOpenid4vpAuthorizationResponsePayload(options: ValidateOpenid4vpAuthorizationResponseOptions) {\n return validateOpenid4vpAuthorizationResponsePayload(options)\n }\n\n public parsePexVpToken(vpToken: unknown) {\n return parsePexVpToken(vpToken)\n }\n\n public parseDcqlVpToken(vpToken: unknown) {\n return parseDcqlVpToken(vpToken)\n }\n\n public parseTransactionData(options: ParseTransactionDataOptions) {\n return parseTransactionData(options)\n }\n}\n","import { z } from 'zod'\nexport const zCredentialFormat = z.enum(['jwt_vc_json', 'ldp_vc', 'ac_vc', 'mso_mdoc', 'dc+sd-jwt', 'vc+sd-jwt'])\nexport type CredentialFormat = z.infer<typeof zCredentialFormat>\n","import { z } from 'zod'\nexport const zProofFormat = z.enum(['jwt_vp_json', 'ldc_vp', 'ac_vp', 'dc+sd-jwt', 'vc+sd-jwt', 'mso_mdoc'])\nexport type ProofFormat = z.infer<typeof zProofFormat>\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;;;ACAA,iBAAkB;AAEX,IAAM,kBAAkB,aAAE,KAAK;AAAA,EACpC;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AACF,CAAC;;;ACXD,IAAAA,iBASO;AACP,IAAAC,cAAc;;;ACVd,IAAAC,iBAA4B;AAC5B,mBAA8B;;;ACD9B,oBAAwC;AACxC,IAAAC,cAAkB;AAEX,IAAM,cAAc,cAAE,OAAO,EAAE,GAAG,yBAAW,OAAO,KAAK,cAAE,OAAO,EAAE,SAAS,GAAG,KAAK,cAAE,OAAO,EAAE,SAAS,EAAE,CAAC;AAG5G,IAAM,oBAAoB,cAC9B,OAAO;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAMN,GAAG,0BAAY;AAAA,EACf,GAAG,0BAAY,KAAK,EAAE,KAAK,MAAM,KAAK,MAAM,KAAK,KAAK,CAAC,EAAE,SAAS,EAAE;AAAA,EACpE,OAAO,cAAE,SAAS,cAAE,OAAO,CAAC;AAC9B,CAAC,EACA,YAAY;AAIR,IAAM,iCAAiC,cAC3C,OAAO;AAAA,EACN,GAAG,0BAAY;AAAA,EACf,OAAO,cAAE,SAAS,cAAE,OAAO,CAAC;AAC9B,CAAC,EACA,YAAY;;;ADtBR,IAAM,2BAA2B,CAAC,YAGnC;AACJ,QAAM,EAAE,UAAU,sBAAsB,IAAI;AAG5C,MAAI,CAAC,kBAAkB,UAAU,qBAAqB,EAAE,SAAS;AAC/D;AAAA,EACF;AAGA,MAAI,aAAa,sBAAsB,KAAK;AAC1C,UAAM,IAAI;AAAA,MACR,iEACE,QACF,eAAe,KAAK,UAAU,sBAAsB,GAAG,CAAC;AAAA,IAC1D;AAAA,EACF;AAIA,MAAI,sBAAsB,QAAQ,UAAa,sBAAsB,UAAM,4BAAc,GAAG;AAC1F,UAAM,IAAI,2BAAY,gCAAgC;AAAA,EACxD;AACF;;;ADOA,IAAM,yBAAyB,OAAO,YAGhC;AACJ,QAAM,EAAE,aAAa,UAAU,IAAI;AAEnC,QAAM,EAAE,OAAO,QAAI,gCAAgB,EAAE,KAAK,YAAY,CAAC;AACvD,MAAI,CAAC,OAAO,KAAK;AACf,UAAM,IAAI,2BAAY,uDAAuD;AAAA,EAC/E;AAEA,QAAM,SAAS,MAAM,UAAU,WAAW,WAAW;AACrD,MAAI,CAAC,OAAO,WAAW;AACrB,UAAM,IAAI,2BAAY,uCAAuC;AAAA,EAC/D;AAEA,SAAO,OAAO;AAChB;AAgBA,eAAsB,gCAAgC,SAAiD;AACrG,QAAM,EAAE,8BAA8B,UAAU,IAAI;AAEpD,QAAM,yBAAyB,2BAAY,UAAU,4BAA4B,EAAE;AACnF,QAAM,uBAAuB,yBACzB,MAAM,uBAAuB,EAAE,aAAa,8BAA8B,UAAU,CAAC,IACrF;AAEJ,QAAM,mBAAmB,2BAAY,UAAU,oBAAoB,EAAE;AACrE,MAAI,CAAC,0BAA0B,CAAC,kBAAkB;AAChD,UAAM,IAAI,2BAAY,+EAA+E;AAAA,EACvG;AAEA,MAAI;AAEJ,MAAI,kBAAkB;AACpB,UAAM,EAAE,QAAQ,oBAAoB,SAAS,WAAW,QAAI,0BAAU;AAAA,MACpE,KAAK;AAAA,MACL,cAAc,YAAAC,QAAE,OAAO,EAAE,GAAG,0BAAW,OAAO,KAAK,YAAAA,QAAE,OAAO,EAAE,CAAC;AAAA,IACjE,CAAC;AAED,UAAM,WAAW,kBAAkB,MAAM,UAAU;AACnD,UAAM,gBAAY,iCAAiB,EAAE,QAAQ,oBAAoB,SAAS,WAAW,CAAC;AAEtF,UAAM,qBAAqB,MAAM,QAAQ,UAAU,UAAU,WAAW;AAAA,MACtE,SAAS;AAAA,MACT,QAAQ;AAAA,MACR,SAAS;AAAA,IACX,CAAC;AAED,QAAI,CAAC,mBAAmB,UAAU;AAChC,YAAM,IAAI,2BAAY,kCAAkC;AAAA,IAC1D;AAEA,uBAAmB;AAAA,EACrB,OAAO;AACL,UAAM,kBAA2B,KAAK,MAAM,oBAAoB;AAChE,uBAAmB,+BAA+B,MAAM,eAAe;AAAA,EACzE;AAEA,QAAM,EAAE,qBAAqB,IAAI,MAAM,UAAU,iCAAiC,gBAAgB;AAElG,2BAAyB;AAAA,IACvB,UAAU,qBAAqB;AAAA,IAC/B,uBAAuB;AAAA,EACzB,CAAC;AACD,QAAM,OACJ,0BAA0B,mBACtB,0CACA,yBACE,8BACA;AAER,QAAM,SAAS,iBAAiB;AAChC,SAAO,EAAE,sBAAsB,kBAAkB,MAAM,OAAO;AAChE;;;AG5HA,IAAAC,iBAA8C;AAC9C,IAAAC,gBAAuC;AACvC,IAAAC,cAAkB;AAEX,IAAM,8BAA8B,cAAE,OAAO;AAAA,EAClD,mCAAmC;AAAA,EAEnC,sCAAsC,cAAE,SAAS,cAAE,MAAM,CAAC;AAAA,EAC1D,sCAAsC,cAAE,SAAS,cAAE,MAAM,CAAC;AAC5D,CAAC;AAGM,IAAM,iCAAiC,cAAE,OAAO;AAAA,EACrD,mCAAmC,cAAE,SAAS,cAAE,MAAM,CAAC;AAAA,EACvD,sCAAsC,cAAE,OAAO;AAAA,EAE/C,sCAAsC,cAAE,SAAS,cAAE,OAAO,CAAC;AAC7D,CAAC;AAGM,IAAM,iCAAiC,cAAE,OAAO;AAAA,EACrD,mCAAmC,4BAA4B,MAAM;AAAA,EACrE,sCAAsC,+BAA+B,MAAM;AAAA,EAC3E,sCAAsC,+BAA+B,MAAM;AAC7E,CAAC;AAMM,IAAM,sBAAsB,cAAE,OAAO;AAAA,EAC1C,mCAAmC,cAAE,SAAS,4BAA4B,MAAM,iCAAiC;AAAA,EACjH,sCAAsC,cAAE;AAAA,IACtC,+BAA+B,MAAM;AAAA,EACvC;AAAA,EACA,sCAAsC,cAAE;AAAA,IACtC,+BAA+B,MAAM;AAAA,EACvC;AACF,CAAC;AAGM,IAAM,4BAA4B,oBAAoB,UAAU,CAAC,oBAAoB;AAC1F,QAAM,uBAAmB;AAAA,IACvB,cAAE,MAAM,CAAC,gCAAgC,6BAA6B,8BAA8B,CAAC;AAAA,IACrG;AAAA,IACA;AAAA,EACF;AAEA,QAAM,cAAc,+BAA+B,UAAU,gBAAgB;AAC7E,MAAI,YAAY,SAAS;AACvB,WAAO;AAAA,MACL,MAAM;AAAA,MACN,iBAAiB;AAAA,QACf,GAAG,YAAY;AAAA,QACf,sCAAsC,gBAAgB,wCAAwC;AAAA,MAChG;AAAA,IACF;AAAA,EACF;AAEA,QAAM,cAAc,+BAA+B,UAAU,gBAAgB;AAC7E,MAAI,YAAY,SAAS;AACvB,WAAO;AAAA,MACL,MAAM;AAAA,MACN,iBAAiB;AAAA,QACf,GAAG,YAAY;AAAA,QACf,sCAAsC,iBAAiB,wCAAwC;AAAA,MACjG;AAAA,IACF;AAAA,EACF;AAGA,QAAM,WAAW,4BAA4B,UAAU,gBAAgB;AACvE,MAAI,SAAS,SAAS;AACpB,WAAO;AAAA,MACL,MAAM;AAAA,MACN,iBAAiB;AAAA,QACf,GAAG,SAAS;AAAA,QACZ,mCAAmC,iBAAiB,qCAAqC;AAAA,MAC3F;AAAA,IACF;AAAA,EACF;AAEA,QAAM,IAAI,2BAAY,gDAAgD;AACxE,CAAC;;;ACnFD,IAAAC,iBAAkE;AAClE,IAAAC,gBAAkF;;;ACDlF,IAAAC,iBAOO;AAuBP,eAAsB,qBAAqB,SAAsC;AAC/E,QAAM,EAAE,WAAW,cAAc,mBAAmB,YAAY,UAAU,IAAI;AAE9E,MAAI;AACJ,MAAI;AAEJ,QAAM,EAAE,KAAK,UAAU,IAAI,MAAM,UAAU,QAAQ,WAAW;AAAA,IAC5D,QAAQ,EAAE,OAAG,uCAAuB,SAAS,GAAG,KAAK,sBAAsB;AAAA,IAC3E,SAAS,EAAE,GAAG,QAAQ,sBAAsB,GAAG,kBAAkB;AAAA,EACnE,CAAC;AACD,qBAAmB;AAEnB,MAAI,cAAc;AAChB,UAAM,mBAAmB,MAAM,UAAU,WAAW,cAAc,gBAAgB;AAClF,uBAAmB,iBAAiB;AACpC,oBAAgB,iBAAiB;AAAA,EACnC;AAEA,QAAM,YAAY,kBAAkB;AACpC,QAAM,gBAAgC,aAClC,EAAE,WAAW,aAAa,WAAW,IACrC,EAAE,WAAW,SAAS,iBAAiB;AAE3C,SAAO,EAAE,eAAe,WAAW,eAAe,iBAAiB;AACrE;;;ACtDA,IAAAC,iBAAiE;AACjE,IAAAC,gBAA0B;AAiBnB,IAAM,+CAA+C,CAC1D,YACG;AACH,QAAM,EAAE,QAAQ,0BAA0B,IAAI;AAE9C,MAAI,CAAC,OAAO,gBAAgB,CAAC,OAAO,cAAc;AAChD,UAAM,IAAI,8CAA+B;AAAA,MACvC,OAAO,gCAAiB;AAAA,MACxB,mBAAmB;AAAA,IACrB,CAAC;AAAA,EACH;AAEA,MAAI,OAAO,gBAAgB,CAAC,CAAC,eAAe,iBAAiB,EAAE,KAAK,CAAC,SAAS,SAAS,OAAO,aAAa,GAAG;AAC5G,UAAM,IAAI,8CAA+B;AAAA,MACvC,OAAO,gCAAiB;AAAA,MACxB,mBAAmB,sHAAsH,OAAO,aAAa;AAAA,IAC/J,CAAC;AAAA,EACH;AAEA,MACE,CAAC,OAAO,6BAA6B,OAAO,yBAAyB,OAAO,YAAY,OAAO,KAAK,EAAE;AAAA,IACpG;AAAA,EACF,EAAE,SAAS,GACX;AACA,UAAM,IAAI,8CAA+B;AAAA,MACvC,OAAO,gCAAiB;AAAA,MACxB,mBACE;AAAA,IACJ,CAAC;AAAA,EACH;AAEA,MAAI,OAAO,sBAAsB,CAAC,OAAO,aAAa;AACpD,UAAM,IAAI,8CAA+B;AAAA,MACvC,OAAO,gCAAiB;AAAA,MACxB,mBACE;AAAA,IACJ,CAAC;AAAA,EACH;AAEA,MAAI,OAAO,sBAAsB,CAAC,CAAC,OAAO,MAAM,EAAE,SAAS,OAAO,kBAAkB,GAAG;AACrF,UAAM,IAAI,8CAA+B;AAAA,MACvC,OAAO,gCAAiB;AAAA,MACxB,mBAAmB,wEAAwE,OAAO,kBAAkB;AAAA,IACtH,CAAC;AAAA,EACH;AAEA,MAAI,OAAO,eAAe,CAAC,wBAAU,UAAU,OAAO,SAAS,EAAE,SAAS;AACxE,UAAM,IAAI,8CAA+B;AAAA,MACvC,OAAO,gCAAiB;AAAA,MACxB,mBACE;AAAA,IACJ,CAAC;AAAA,EACH;AAEA,MAAI,2BAA2B,iBAAiB,CAAC,OAAO,cAAc;AACpE,UAAM,IAAI,8CAA+B;AAAA,MACvC,OAAO,gCAAiB;AAAA,MACxB,mBACE;AAAA,IACJ,CAAC;AAAA,EACH;AAEA,MAAI,2BAA2B,kBAAkB,OAAO,cAAc;AACpE,UAAM,IAAI,8CAA+B;AAAA,MACvC,OAAO,gCAAiB;AAAA,MACxB,mBACE;AAAA,IACJ,CAAC;AAAA,EACH;AAEA,MAAI,OAAO,UAAU,WAAW,aAAa,GAAG;AAC9C,UAAM,IAAI,8CAA+B;AAAA,MACvC,OAAO,gCAAiB;AAAA,MACxB,mBAAmB,kIAAkI,OAAO,SAAS;AAAA,IACvK,CAAC;AAAA,EACH;AACF;;;AC9FA,IAAAC,iBAAiE;AAa1D,IAAM,oDAAoD,CAC/D,YACG;AACH,QAAM,EAAE,QAAQ,cAAc,sBAAsB,OAAO,IAAI;AAE/D,MAAI,gBAAgB,CAAC,OAAO,kBAAkB;AAC5C,UAAM,IAAI,8CAA+B;AAAA,MACvC,OAAO,gCAAiB;AAAA,MACxB,mBAAmB;AAAA,IACrB,CAAC;AAAA,EACH;AAEA,MAAI,CAAC,OAAO,yBAAyB,OAAO,UAAU,EAAE,OAAO,OAAO,EAAE,SAAS,GAAG;AAClF,UAAM,IAAI,8CAA+B;AAAA,MACvC,OAAO,gCAAiB;AAAA,MACxB,mBACE;AAAA,IACJ,CAAC;AAAA,EACH;AAEA,MAAI,OAAO,oBAAoB,CAAC,sBAAsB;AACpD,QAAI,CAAC,QAAQ;AACX,YAAM,IAAI,8CAA+B;AAAA,QACvC,OAAO,gCAAiB;AAAA,QACxB,mBAAmB;AAAA,MACrB,CAAC;AAAA,IACH;AAEA,QAAI,OAAO,oBAAoB,CAAC,OAAO,iBAAiB,SAAS,MAAM,GAAG;AACxE,YAAM,IAAI,8CAA+B;AAAA,QACvC,OAAO,gCAAiB;AAAA,QACxB,mBAAmB,mGAAmG,OAAO,iBAAiB,KAAK,IAAI,CAAC;AAAA,MAC1J,CAAC;AAAA,IACH;AAAA,EACF;AACF;;;AChDA,IAAAC,gBAA0B;AAC1B,IAAAC,cAAkB;;;ACDlB,IAAAC,iBAAwB;AACxB,IAAAC,gBAA0B;AAC1B,IAAAC,cAAkB;;;ACFlB,IAAAC,cAAkB;AACX,IAAM,sBAAsB,cAAE;AAAA,EACnC,cAAE,OAAO;AAAA,EACT,cACG,OAAO;AAAA,IACN,sBAAsB,cAAE,SAAS,cAAE,MAAM,cAAE,OAAO,CAAC,CAAC;AAAA,EACtD,CAAC,EACA,YAAY;AACjB;;;ADAO,IAAM,kBAAkB,cAC5B,OAAO;AAAA,EACN,MAAM,cAAE,SAAS,sBAAO;AAAA,EACxB,YAAY,cAAE,SAAS,mBAAmB;AAAA,EAC1C,GAAG,oBAAoB;AAAA,EACvB,UAAU,wBAAU,SAAS;AAAA,EAC7B,aAAa,cAAE,OAAO,EAAE,SAAS;AACnC,CAAC,EACA,YAAY;;;ADZR,IAAM,iCAAiC,cAC3C,OAAO;AAAA,EACN,eAAe,cAAE,QAAQ,UAAU;AAAA,EACnC,WAAW,cAAE,OAAO;AAAA,EACpB,cAAc,wBAAU,SAAS;AAAA,EACjC,cAAc,wBAAU,SAAS;AAAA,EACjC,aAAa,wBAAU,SAAS;AAAA,EAChC,oBAAoB,cAAE,SAAS,cAAE,OAAO,CAAC;AAAA,EACzC,eAAe,cAAE,KAAK,CAAC,eAAe,iBAAiB,CAAC,EAAE,SAAS;AAAA,EACnE,OAAO,cAAE,OAAO;AAAA,EAChB,cAAc,cAAE,OAAO,EAAE,SAAS;AAAA,EAClC,OAAO,cAAE,OAAO,EAAE,SAAS;AAAA,EAC3B,yBAAyB,cAAE,OAAO,cAAE,IAAI,CAAC,EAAE,SAAS;AAAA,EACpD,6BAA6B,wBAAU,SAAS;AAAA,EAChD,YAAY,cAAE,OAAO,cAAE,IAAI,CAAC,EAAE,SAAS;AAAA,EACvC,iBAAiB,gBAAgB,SAAS;AAAA,EAC1C,qBAAqB,wBAAU,SAAS;AAAA,EACxC,OAAO,cAAE,OAAO,EAAE,SAAS;AAAA,EAC3B,kBAAkB,cAAE,MAAM,cAAE,OAAO,CAAC,EAAE,SAAS;AAAA,EAC/C,aAAa,cAAE,QAAQ,EAAE,SAAS;AAAA,EAClC,kBAAkB,cACf,KAAK;AAAA,IACJ;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,EACF,CAAC,EACA,SAAS;AACd,CAAC,EACA,YAAY;;;AGpCf,IAAAC,cAAkB;AAIX,IAAM,sCAAsC,+BAChD,KAAK;AAAA,EACJ,WAAW;AAAA,EACX,eAAe;AAAA,EACf,eAAe;AAAA,EACf,OAAO;AAAA,EACP,yBAAyB;AAAA,EACzB,iBAAiB;AAAA,EACjB,kBAAkB;AAAA,EAClB,YAAY;AACd,CAAC,EACA,OAAO;AAAA,EACN,WAAW,cAAE,SAAS,cAAE,OAAO,CAAC;AAAA,EAChC,kBAAkB,cAAE,MAAM,cAAE,OAAO,CAAC,EAAE,SAAS;AAAA,EAC/C,eAAe,cAAE,KAAK,CAAC,UAAU,cAAc,kBAAkB,YAAY,CAAC;AAAA,EAC9E,kBAAkB,cACf,KAAK;AAAA,IACJ;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,EACF,CAAC,EACA,SAAS;AACd,CAAC,EACA,MAAM;AAIF,SAAS,qCACd,SAC+C;AAC/C,SACE,QAAQ,kBAAkB,YAC1B,QAAQ,kBAAkB,gBAC1B,QAAQ,kBAAkB,oBAC1B,QAAQ,kBAAkB;AAE9B;;;APAA,eAAsB,oCAAoC,SAAqD;AAC7G,QAAM,EAAE,KAAK,SAAS,gBAAgB,gBAAgB,QAAQ,UAAU,IAAI;AAE5E,MAAI;AAEJ,MAAI;AACJ,MAAI,qCAAqC,cAAc,GAAG;AACxD,4BAAoB;AAAA,MAClB;AAAA,MACA;AAAA,MACA;AAAA,IACF;AAEA,QAAI,OAAO,CAAC,kBAAkB,kBAAkB;AAC9C,YAAM,IAAI;AAAA,QACR;AAAA,MACF;AAAA,IACF;AAEA,sDAAkD;AAAA,MAChD,QAAQ;AAAA,MACR,cAAc,QAAQ,GAAG;AAAA,MACzB,sBAAsB;AAAA,IACxB,CAAC;AAAA,EACH,OAAO;AACL,4BAAoB;AAAA,MAClB;AAAA,MACA;AAAA,MACA;AAAA,IACF;AACA,iDAA6C,EAAE,QAAQ,mBAAmB,2BAA2B,OAAO,CAAC;AAAA,EAC/G;AAEA,MAAI,KAAK;AACP,QAAI,CAAC,IAAI,sBAAsB,KAAK;AAClC,6BAAuB,EAAE,GAAG,IAAI,sBAAsB,KAAK,IAAI,WAAW;AAAA,IAC5E;AAAA,EACF;AAEA,MAAI,KAAK;AACP,UAAM,YAAY,MAAM,qBAAqB;AAAA,MAC3C,GAAG;AAAA,MACH,mBAAmB;AAAA,MACnB;AAAA,MACA;AAAA,IACF,CAAC;AAED,UAAMC,OAAM,IAAI,kBAAI,MAAM;AAC1B,IAAAA,KAAI,SAAS,IAAI,IAAI,8BAAgB;AAAA,MACnC,GAAGA,KAAI,aAAa,QAAQ;AAAA,MAC5B,OAAG,mCAAoB,UAAU,aAAa,EAAE,QAAQ;AAAA,IAC1D,CAAC,EAAE,SAAS,CAAC;AAEb,WAAO;AAAA,MACL,mBAAmB,UAAU;AAAA,MAC7B,aAAaA,KAAI,SAAS;AAAA,MAC1B,KAAK,EAAE,GAAG,KAAK,GAAG,UAAU;AAAA,IAC9B;AAAA,EACF;AAEA,QAAM,MAAM,IAAI,kBAAI,MAAM;AAC1B,MAAI,SAAS,IAAI,IAAI,8BAAgB;AAAA,IACnC,GAAG,IAAI,aAAa,QAAQ;AAAA,IAC5B,OAAG,mCAAoB,cAAc,EAAE,QAAQ;AAAA,EACjD,CAAC,EAAE,SAAS,CAAC;AAEb,SAAO;AAAA,IACL,mBAAmB;AAAA,IACnB,aAAa,IAAI,SAAS;AAAA,IAC1B,KAAK;AAAA,EACP;AACF;;;AQnHA,IAAAC,kBAA0B;AAC1B,IAAAC,gBAAoB;AACpB,IAAAA,gBAAuC;AACvC,IAAAC,eAAc;;;ACHd,IAAAC,kBAA+C;AAC/C,IAAAC,gBAA0B;AAC1B,IAAAC,cAAkB;AAIX,IAAM,kBAAkB,cAC5B,OAAO;AAAA,EACN,SAAS,cAAE,SAAS,cAAE,OAAO,CAAC;AAAA,EAC9B,aAAa,cAAE,SAAS,uBAAS;AAAA,EACjC,oBAAoB,cAAE,SAAS,cAAE,OAAO,CAAC;AAAA,EACzC,WAAW,cAAE,SAAS,cAAE,OAAO,CAAC;AAClC,CAAC,EACA,YAAY;AAGR,SAAS,yBAAyB,SAA+C;AACtF,QAAM,EAAE,iBAAiB,IAAI;AAE7B,MAAI,iBAAiB,WAAW,iBAAiB,aAAa;AAC5D,UAAM,IAAI,+CAA+B;AAAA,MACvC,OAAO;AAAA,MACP,mBAAmB;AAAA,IACrB,CAAC;AAAA,EACH;AAEA,MAAI,CAAC,iBAAiB,WAAW,CAAC,iBAAiB,aAAa;AAC9D,UAAM,IAAI,+CAA+B;AAAA,MACvC,OAAO;AAAA,MACP,mBAAmB;AAAA,IACrB,CAAC;AAAA,EACH;AAEA,SAAO;AAET;AAEO,SAAS,iBACd,SAC2B;AAC3B,SAAO,aAAa,WAAW,iBAAiB;AAClD;;;ADPO,SAAS,0CACd,SACiF;AACjF,QAAM,EAAE,qBAAqB,IAAI;AACjC,MAAI,WAAqC;AAEzC,MAAI;AACJ,MAAI,OAAO,yBAAyB,UAAU;AAC5C,QAAI,qBAAqB,SAAS,KAAK,GAAG;AACxC,YAAM,MAAM,IAAI,kBAAI,oBAAoB;AACxC,eAAS,OAAO,YAAY,IAAI,YAAY;AAC5C,iBAAW;AAAA,IACb,OAAO;AACL,YAAM,cAAU,2BAAU,EAAE,KAAK,qBAAqB,CAAC;AACvD,eAAS,QAAQ;AACjB,iBAAW;AAAA,IACb;AAAA,EACF,OAAO;AACL,aAAS;AAAA,EACX;AAEA,QAAM,oBAAgB;AAAA,IACpB,aAAAC,QAAE,MAAM,CAAC,gCAAgC,iBAAiB,mCAAmC,CAAC;AAAA,IAC9F;AAAA,EACF;AAEA,MAAI,iBAAiB,aAAa,GAAG;AACnC,WAAO;AAAA,MACL,MAAM;AAAA,MACN;AAAA,MACA,QAAQ;AAAA,IACV;AAAA,EACF;AAEA,MAAI,qCAAqC,aAAa,GAAG;AACvD,WAAO;AAAA,MACL,MAAM;AAAA,MACN;AAAA,MACA,QAAQ;AAAA,IACV;AAAA,EACF;AAEA,SAAO;AAAA,IACL,MAAM;AAAA,IACN;AAAA,IACA,QAAQ;AAAA,EACV;AACF;;;AEjFA,IAAAC,kBAAuF;AACvF,IAAAC,iBAAuC;AACvC,IAAAC,eAAc;;;ACFd,IAAAC,kBAAkF;;;ACAlF,IAAAC,kBAAiE;AAW1D,SAAS,iCACd,SACkB;AAClB,QAAM,eAAiD,CAAC;AAIxD,QAAM,aAAa,QAAQ,iBAAiB;AAuB5C,MACE,qCAAqC,OAAO,MAC3C,QAAQ,kBAAkB,gBAAgB,QAAQ,kBAAkB,mBACrE;AACA,iBAAa,KAAK,CAAC,KAAK,EAAE,CAAC;AAC3B,iBAAa,KAAK,CAAC,MAAM,EAAE,CAAC;AAAA,EAC9B;AAEA,MACG,qCAAqC,OAAO,KAAK,QAAQ,kBAAkB,YAC5E,QAAQ,kBAAkB,cAC1B;AACA,iBAAa,KAAK,CAAC,MAAM,EAAE,CAAC;AAAA,EAC9B;AAEA,MAAI,qCAAqC,OAAO,MAAM,QAAQ,oBAAoB,QAAQ,aAAa;AACrG,iBAAa,KAAK,CAAC,MAAM,EAAE,CAAC;AAAA,EAC9B;AAIA,MAAI,QAAQ,YAAY;AACtB,iBAAa,KAAK,CAAC,MAAM,EAAE,CAAC;AAAA,EAC9B;AAEA,MAAI,QAAQ,kBAAkB;AAC5B,iBAAa,KAAK,CAAC,MAAM,EAAE,CAAC;AAAA,EAC9B;AAEA,MAAI,QAAQ,kBAAkB;AAC5B,iBAAa,KAAK,CAAC,KAAK,EAAE,CAAC;AAAA,EAC7B;AAMA,MAAI,QAAQ,WAAW;AACrB,UAAM,aAAa,QAAQ,UAAU,QAAQ,GAAG;AAChD,UAAM,aAAa,QAAQ,UAAU,UAAU,GAAG,UAAU;AAC5D,UAAM,eAAe,gBAAgB,UAAU,UAAU;AAGzD,QAAI,aAAa,WAAW,aAAa,SAAS,SAAS,aAAa,SAAS,SAAS;AACxF,mBAAa,KAAK,CAAC,MAAM,EAAE,CAAC;AAAA,IAC9B;AAAA,EACF;AAGA,MAAI,CAAC,QAAQ,WAAW;AACtB,iBAAa,KAAK,CAAC,MAAM,EAAE,CAAC;AAAA,EAC9B;AAIA,MAAI,yBAAyB,SAAS;AACpC,iBAAa,KAAK,CAAC,KAAK,EAAE,CAAC;AAAA,EAC7B;AAEA,MAAI,qCAAqC,OAAO,GAAG;AACjD,iBAAa,KAAK,CAAC,MAAM,EAAE,CAAC;AAAA,EAC9B;AAEA,MAAI,wBAAwB,WAAW,kBAAkB,SAAS;AAChE,iBAAa,KAAK,CAAC,MAAM,EAAE,CAAC;AAAA,EAC9B;AAIA,MAAI,QAAQ,qBAAqB,wBAAwB;AACvD,iBAAa,KAAK,CAAC,MAAM,EAAE,CAAC;AAAA,EAC9B;AAIA,MAAI,QAAQ,qBAAqB,kBAAkB,QAAQ,qBAAqB,gBAAgB;AAC9F,iBAAa,KAAK,CAAC,MAAM,EAAE,CAAC;AAAA,EAC9B;AAGA,QAAM,mBAAmB,aAAa,OAAO,CAAC,CAAC,QAAQ,MAAM,aAAa,GAAG,EAAE,IAAI,CAAC,CAAC,GAAG,OAAO,MAAM,OAAO;AAE5G,QAAM,sBAAsB,aAAa,OAAO,CAAC,CAAC,QAAQ,MAAM,aAAa,IAAI,EAAE,IAAI,CAAC,CAAC,GAAG,OAAO,MAAM,OAAO;AAGhH,QAAM,yBACJ,iBAAiB,SAAS,IAAK,KAAK,IAAI,KAAK,IAAI,GAAG,gBAAgB,IAAI,GAAG,EAAE,IAA0B;AAGzG,QAAM,wBACJ,oBAAoB,SAAS,IAAK,KAAK,IAAI,GAAG,mBAAmB,IAA0B;AAI7F,MAAI,wBAAwB,wBAAwB;AAElD,UAAM,IAAI,+CAA+B;AAAA,MACvC,OAAO,iCAAiB;AAAA,MACxB,mBAAmB;AAAA,IACrB,CAAC;AAAA,EACH;AAEA,SAAO;AACT;;;AD/EA,SAAS,YAAY,SAAwC;AAC3D,MAAI,qCAAqC,QAAQ,OAAO,GAAG;AACzD,QAAI,CAAC,QAAQ,QAAQ;AACnB,YAAM,IAAI,+CAA+B;AAAA,QACvC,OAAO,iCAAiB;AAAA,QACxB,mBACE;AAAA,MACJ,CAAC;AAAA,IACH;AAEA,QAAI,CAAC,QAAQ,OAAO,CAAC,QAAQ,QAAQ,UAAW,QAAO,cAAc,QAAQ,MAAM;AAEnF,WAAO,QAAQ,QAAQ;AAAA,EACzB;AAEA,SAAO,QAAQ,QAAQ;AACzB;AAEA,SAAS,kBAAkB,SAAwC;AACjE,QAAM,uBAAuB,QAAQ,QAAQ,oBAAoB;AAEjE,MAAI;AACJ,MAAI,yBAAyB,aAAa;AACxC,qBAAiB;AAAA,EACnB,OAAO;AACL,qBAAiB;AAAA,EACnB;AAEA,MAAI,qCAAqC,QAAQ,OAAO,GAAG;AACzD,QAAI,CAAC,QAAQ,QAAQ;AACnB,YAAM,IAAI,+CAA+B;AAAA,QACvC,OAAO,iCAAiB;AAAA,QACxB,mBACE;AAAA,MACJ,CAAC;AAAA,IACH;AAEA,QAAI,CAAC,QAAQ,OAAO,CAAC,QAAQ,QAAQ,UAAW,QAAO,cAAc,QAAQ,MAAM;AAEnF,WAAO,GAAG,cAAc,IAAI,QAAQ,QAAQ,SAAS;AAAA,EACvD;AAEA,MAAI,mBAAmB,WAAW,mBAAmB,OAAO;AAC1D,WAAO,QAAQ,QAAQ;AAAA,EACzB;AAEA,MAAI,mBAAmB,kBAAkB;AACvC,WAAO,QAAQ,QAAQ;AAAA,EACzB;AAEA,SAAO,GAAG,cAAc,IAAI,QAAQ,QAAQ,SAAS;AACvD;AAKO,SAAS,sBACd,SACA,cACwB;AACxB,QAAM,EAAE,SAAS,IAAI,IAAI;AAEzB,QAAM,UAAU,iCAAiC,OAAO;AAExD,MAAI,UAAU,IAAI;AAChB,UAAM,uBAAuB,QAAQ,oBAAoB;AAEzD,QAAI;AACJ,QAAI,sBAAsB;AACxB,UAAI,yBAAyB,aAAa;AACxC,wBAAgB;AAAA,MAClB,OAAO;AACL,wBAAgB;AAAA,MAClB;AAAA,IACF;AAAA,EACF;AAEA,QAAM,iBAAiB,qCAAqC,OAAO;AACnE,QAAM,WAAW,UAAU,KAAK,kBAAkB,OAAO,IAAI,YAAY,OAAO;AAGhF,QAAM,2BAA2B;AAAA,IAC/B,kBAAkB,cAAc,oBAAoB,OAAO,OAAO,gBAAgB,OAAO;AAAA,EAC3F;AAEA,QAAM,aAAa,SAAS,QAAQ,GAAG;AACvC,MAAI,eAAe,IAAI;AACrB,WAAO;AAAA,MACL,QAAQ;AAAA,MACR,YAAY;AAAA,MACZ,eAAe;AAAA,MACf,gBAAgB,QAAQ;AAAA,IAC1B;AAAA,EACF;AAEA,QAAM,aAAa,SAAS,UAAU,GAAG,UAAU;AACnD,QAAM,iBAAiB,SAAS,UAAU,aAAa,CAAC;AAExD,MAAI,CAAC,yBAAyB,iBAAiB,SAAS,UAA4B,GAAG;AACrF,UAAM,IAAI,+CAA+B;AAAA,MACvC,OAAO,iCAAiB;AAAA,MACxB,mBAAmB,yCAAyC,UAAU;AAAA,IACxE,CAAC;AAAA,EACH;AAEA,QAAM,SAAS;AACf,MAAI,WAAW,SAAS;AAEtB,QAAI,gBAAgB;AAClB,YAAM,IAAI,+CAA+B;AAAA,QACvC,OAAO,iCAAiB;AAAA,QACxB,mBAAmB;AAAA,MACrB,CAAC;AAAA,IACH;AAEA,QAAI,CAAC,SAAS,WAAW,UAAU,KAAK,MAAE,iCAAgB,EAAE,qBAAqB,SAAS,WAAW,SAAS,IAAI;AAChH,YAAM,IAAI,+CAA+B;AAAA,QACvC,OAAO,iCAAiB;AAAA,QACxB,mBACE;AAAA,MACJ,CAAC;AAAA,IACH;AAEA,WAAO;AAAA,MACL;AAAA,MACA,YAAY;AAAA,MACZ,eAAe;AAAA,MACf,YAAY,QAAQ;AAAA,IACtB;AAAA,EACF;AAEA,MAAI,WAAW,gBAAgB;AAC7B,QAAI,KAAK;AACP,YAAM,IAAI,+CAA+B;AAAA,QACvC,OAAO,iCAAiB;AAAA,QACxB,mBAAmB;AAAA,MACrB,CAAC;AAAA,IACH;AAEA,QAAI,qCAAqC,OAAO,GAAG;AACjD,YAAM,IAAI,+CAA+B;AAAA,QACvC,OAAO,iCAAiB;AAAA,QACxB,mBAAmB;AAAA,MACrB,CAAC;AAAA,IACH;AAEA,WAAO;AAAA,MACL;AAAA,MACA,YAAY;AAAA,MACZ,eAAe;AAAA,MACf,aAAc,QAAQ,gBAAgB,QAAQ;AAAA,IAChD;AAAA,EACF;AAEA,MAAI,WAAW,OAAO;AACpB,QAAI,CAAC,KAAK;AACR,YAAM,IAAI,+CAA+B;AAAA,QACvC,OAAO,iCAAiB;AAAA,QACxB,mBAAmB;AAAA,MACrB,CAAC;AAAA,IACH;AAEA,QAAI,CAAC,SAAS,WAAW,MAAM,GAAG;AAChC,YAAM,IAAI,+CAA+B;AAAA,QACvC,OAAO,iCAAiB;AAAA,QACxB,mBAAmB;AAAA,MACrB,CAAC;AAAA,IACH;AAEA,QAAI,CAAC,IAAI,OAAO,UAAU,KAAK;AAC7B,YAAM,IAAI,+CAA+B;AAAA,QACvC,OAAO,iCAAiB;AAAA,QACxB,mBAAmB;AAAA,MACrB,CAAC;AAAA,IACH;AAEA,QAAI,CAAC,IAAI,OAAO,UAAU,KAAK,WAAW,QAAQ,GAAG;AACnD,YAAM,IAAI,+CAA+B;AAAA,QACvC,OAAO,iCAAiB;AAAA,QACxB,mBACE;AAAA,MACJ,CAAC;AAAA,IACH;AAEA,WAAO;AAAA,MACL;AAAA,MACA,YAAY;AAAA,MACZ,eAAe;AAAA,MACf,QAAQ,IAAI,OAAO,UAAU;AAAA,IAC/B;AAAA,EACF;AAEA,MAAI,WAAW,kBAAkB,WAAW,gBAAgB;AAC1D,QAAI,CAAC,KAAK;AACR,YAAM,IAAI,+CAA+B;AAAA,QACvC,OAAO,iCAAiB;AAAA,QACxB,mBACE;AAAA,MACJ,CAAC;AAAA,IACH;AAEA,QAAI,IAAI,OAAO,WAAW,OAAO;AAC/B,YAAM,IAAI,+CAA+B;AAAA,QACvC,OAAO,iCAAiB;AAAA,QACxB,mBACE;AAAA,MACJ,CAAC;AAAA,IACH;AAEA,QAAI,WAAW,gBAAgB;AAC7B,UAAI,CAAC,QAAQ,UAAU,4BAA4B;AACjD,cAAM,IAAI;AAAA,UACR;AAAA,YACE,OAAO,iCAAiB;AAAA,UAC1B;AAAA,UACA;AAAA,YACE,iBACE;AAAA,UACJ;AAAA,QACF;AAAA,MACF;AAEA,YAAM,EAAE,YAAY,IAAI,QAAQ,UAAU,2BAA2B,IAAI,OAAO,IAAI,CAAC,CAAC;AACtF,UAAI,CAAC,YAAY,SAAS,cAAc,GAAG;AACzC,cAAM,IAAI,+CAA+B;AAAA,UACvC,OAAO,iCAAiB;AAAA,UACxB,mBAAmB,0EAA0E,YAAY,KAAK,IAAI,CAAC,uCAAuC,cAAc;AAAA,QAC1K,CAAC;AAAA,MACH;AAEA,UAAI,CAAC,qCAAqC,OAAO,GAAG;AAClD,cAAM,MAAM,QAAQ,gBAAgB,QAAQ;AAC5C,YAAI,CAAC,OAAO,iBAAiB,GAAG,MAAM,gBAAgB;AACpD,gBAAM,IAAI,+CAA+B;AAAA,YACvC,OAAO,iCAAiB;AAAA,YACxB,mBACE;AAAA,UACJ,CAAC;AAAA,QACH;AAAA,MACF;AAAA,IACF,WAAW,WAAW,gBAAgB;AACpC,UAAI,CAAC,QAAQ,UAAU,4BAA4B;AACjD,cAAM,IAAI;AAAA,UACR;AAAA,YACE,OAAO,iCAAiB;AAAA,UAC1B;AAAA,UACA;AAAA,YACE,iBACE;AAAA,UACJ;AAAA,QACF;AAAA,MACF;AAEA,YAAM,EAAE,YAAY,IAAI,QAAQ,UAAU,2BAA2B,IAAI,OAAO,IAAI,CAAC,CAAC;AACtF,UAAI,CAAC,YAAY,SAAS,cAAc,GAAG;AACzC,cAAM,IAAI,+CAA+B;AAAA,UACvC,OAAO,iCAAiB;AAAA,UACxB,mBAAmB,0EAA0E,YAAY,KAAK,IAAI,CAAC,uCAAuC,cAAc;AAAA,QAC1K,CAAC;AAAA,MACH;AAEA,UAAI,CAAC,qCAAqC,OAAO,GAAG;AAClD,cAAM,MAAM,QAAQ,gBAAgB,QAAQ;AAC5C,YAAI,CAAC,OAAO,QAAQ,gBAAgB;AAClC,gBAAM,IAAI,+CAA+B;AAAA,YACvC,OAAO,iCAAiB;AAAA,YACxB,mBACE;AAAA,UACJ,CAAC;AAAA,QACH;AAAA,MACF;AAAA,IACF;AAEA,WAAO;AAAA,MACL;AAAA,MACA,YAAY;AAAA,MACZ,eAAe;AAAA,MACf,KAAK,IAAI,OAAO;AAAA,IAClB;AAAA,EACF;AAEA,MAAI,WAAW,cAAc;AAC3B,WAAO;AAAA,MACL;AAAA,MACA,YAAY;AAAA,MACZ,eAAe;AAAA,MACf,gBAAgB,QAAQ;AAAA,IAC1B;AAAA,EACF;AAEA,MAAI,WAAW,wBAAwB;AACrC,QAAI,CAAC,KAAK;AACR,YAAM,IAAI,+CAA+B;AAAA,QACvC,OAAO,iCAAiB;AAAA,QACxB,mBAAmB;AAAA,MACrB,CAAC;AAAA,IACH;AAAA,EACF;AAEA,SAAO;AAAA,IACL;AAAA,IACA,YAAY;AAAA,IACZ,eAAe;AAAA,EACjB;AACF;AAEA,SAAS,iBAAiB,KAAqB;AAC7C,MAAI;AACF,UAAM,QAAQ;AACd,UAAM,SAAS,IAAI,MAAM,KAAK,EAAE,CAAC,EAAE,MAAM,KAAK,EAAE,CAAC;AACjD,WAAO;AAAA,EACT,SAAS,OAAO;AACd,UAAM,IAAI,+CAA+B;AAAA,MACvC,OAAO,iCAAiB;AAAA,MACxB,mBAAmB,QAAQ,GAAG;AAAA,IAChC,CAAC;AAAA,EACH;AACF;;;AE9XA,IAAAC,kBAAiE;AACjE,IAAAC,iBAA2E;;;ACD3E,IAAAC,eAAkB;AAIX,IAAM,kBAAkB,eAAE,OAAO;AAAA,EACtC,uCAAuC,eAAE,SAAS,eAAE,QAAQ,CAAC;AAAA,EAC7D,sBAAsB;AAAA,EACtB,6BAA6B,eAAE,SAAS,eAAE,MAAM,eAAe,CAAC;AAAA,EAChE,6CAA6C,eAAE,SAAS,eAAE,MAAM,eAAE,OAAO,CAAC,CAAC;AAAA,EAC3E,+CAA+C,eAAE,SAAS,eAAE,MAAM,eAAE,OAAO,CAAC,CAAC;AAAA,EAC7E,+CAA+C,eAAE,SAAS,eAAE,MAAM,eAAE,OAAO,CAAC,CAAC;AAC/E,CAAC;;;ADND,eAAsB,oBAA+C,SAGjC;AAClC,QAAM,EAAE,OAAO,kBAAkB,IAAI;AACrC,QAAM,cAAU,iCAAiB,KAAK;AAEtC,QAAM,EAAE,QAAQ,SAAS,IAAI,MAAM,QAAQ,iBAAiB,2BAAY,MAAM,mBAAmB;AAAA,IAC/F,QAAQ;AAAA,IACR,SAAS;AAAA,MACP,QAAQ,2BAAY;AAAA,IACtB;AAAA,EACF,CAAC;AAED,MAAI,CAAC,SAAS,IAAI;AAChB,UAAM,IAAI,+CAA+B;AAAA,MACvC,mBAAmB,kCAAkC,iBAAiB,8BAA8B,SAAS,MAAM;AAAA,MACnH,OAAO,iCAAiB;AAAA,IAC1B,CAAC;AAAA,EACH;AAEA,MAAI,CAAC,UAAU,CAAC,OAAO,SAAS;AAC9B,UAAM,IAAI,+CAA+B;AAAA,MACvC,mBAAmB,iCAAiC,iBAAiB;AAAA,MACrE,OAAO,iCAAiB;AAAA,IAC1B,CAAC;AAAA,EACH;AAEA,SAAO,OAAO;AAChB;;;AElCA,IAAAC,kBAWO;;;ACXP,IAAAC,kBAAiE;AACjE,IAAAC,iBAAgG;AAChG,IAAAC,eAAkB;AAelB,eAAsB,sBAAiD,SASnC;AAClC,QAAM,EAAE,YAAY,wBAAwB,QAAQ,QAAQ,MAAM,IAAI;AACtE,QAAM,cAAU,iCAAiB,KAAK;AAEtC,MAAI,cAAc,OAAO,WAAW,EAAE,iBAAiB,OAAO,UAAU,cAAc,OAAO,MAAM,IAAI;AACvG,MACE,aAAa,iBAAiB,+CAC9B,2BAA2B,gBAC3B;AAEA,UAAM,EAAE,6CAA6C,GAAG,KAAK,IAAI,YAAY;AAC7E,kBAAc,EAAE,GAAG,aAAa,iBAAiB,EAAE,GAAG,KAAK,EAAE;AAAA,EAC/D;AAEA,QAAM,EAAE,QAAQ,SAAS,IAAI,MAAM,QAAQ,eAAE,OAAO,GAAG,2BAAY,uBAAuB,YAAY;AAAA,IACpG;AAAA,IACA,SAAS;AAAA,MACP,QAAQ,GAAG,2BAAY,qBAAqB,KAAK,2BAAY,GAAG;AAAA,MAChE,gBAAgB,2BAAY;AAAA,IAC9B;AAAA,IACA,MAAM,WAAW,aAAS,oCAAoB,OAAO,YAAY,CAAC,CAAC,IAAI;AAAA,EACzE,CAAC;AAED,MAAI,CAAC,SAAS,IAAI;AAChB,UAAM,IAAI,+CAA+B;AAAA,MACvC,mBAAmB,6CAA6C,UAAU,8BAA8B,SAAS,MAAM;AAAA,MACvH,OAAO,iCAAiB;AAAA,IAC1B,CAAC;AAAA,EACH;AAEA,MAAI,CAAC,UAAU,CAAC,OAAO,SAAS;AAC9B,UAAM,IAAI,+CAA+B;AAAA,MACvC,mBAAmB,4CAA4C,UAAU;AAAA,MACzE,OAAO,iCAAiB;AAAA,IAC1B,CAAC;AAAA,EACH;AAEA,SAAO,OAAO;AAChB;;;AChEA,IAAAC,kBAA4B;AAC5B,IAAAC,eAAkB;AAEX,IAAM,2BAA2B,eACrC,OAAO;AAAA,EACN,GAAG,4BAAY;AAAA,EACf,WAAW,eAAE,OAAO;AACtB,CAAC,EACA,YAAY;;;AFmCf,eAAsB,iBAAiB,SAA+D;AACpG,QAAM,EAAE,WAAW,SAAS,CAAC,EAAE,IAAI;AAEnC,QAAM,mBAAmB,yBAAyB,OAAO;AAEzD,QAAM,SAAS,iBAAiB,UAAU,UAAU;AACpD,QAAM,yBAAyC,iBAAiB,YAC5D,gBAAgB,MAAM,iBAAiB,UAAU,MAAM,GAAG,EAAE,CAAC,CAAC,IAC9D;AAEJ,QAAM,SAAS,iBAAiB,sBAAsB;AACtD,MAAI,WAAW,SAAS,WAAW,QAAQ;AACzC,UAAM,IAAI,+CAA+B;AAAA,MACvC,OAAO,iCAAiB;AAAA,MACxB,mBAAmB;AAAA,IACrB,CAAC;AAAA,EACH;AAEA,QAAM,gBACJ,iBAAiB,WAChB,MAAM,sBAAsB;AAAA,IAC3B,YAAY,iBAAiB;AAAA,IAC7B;AAAA,IACA;AAAA,IACA;AAAA,EACF,CAAC;AAEH,QAAM,2BAA2B,4BAAY,UAAU,aAAa,EAAE;AACtE,QAAM,EAAE,eAAe,SAAS,uBAAuB,IAAI,2BACvD,MAAM,kBAAkB,EAAE,KAAK,eAAe,UAAU,CAAC,IACzD,EAAE,SAAS,eAAe,eAAe,OAAU;AAEvD,QAAM,kBAAkB,4BAAY,UAAU,sBAAsB,EAAE;AACtE,MAAI,CAAC,iBAAiB;AACpB,UAAM,IAAI,+CAA+B;AAAA,MACvC,OAAO,iCAAiB;AAAA,MACxB,mBAAmB;AAAA,IACrB,CAAC;AAAA,EACH;AAEA,QAAM,EAAE,mBAAmB,OAAO,IAAI,MAAM,uBAAuB;AAAA,IACjE;AAAA,IACA;AAAA,EACF,CAAC;AACD,MAAI,CAAC,kBAAkB,WAAW;AAChC,UAAM,IAAI,+CAA+B;AAAA,MACvC,OAAO,iCAAiB;AAAA,MACxB,mBAAmB;AAAA,IACrB,CAAC;AAAA,EACH;AAEA,MAAI,iBAAiB,cAAc,kBAAkB,WAAW;AAC9D,UAAM,IAAI,+CAA+B;AAAA,MACvC,OAAO,iCAAiB;AAAA,MACxB,mBAAmB;AAAA,IACrB,CAAC;AAAA,EACH;AAEA,SAAO;AAAA,IACL;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,EACF;AACF;AAEA,eAAe,kBAAkB,SAG9B;AACD,QAAM,EAAE,KAAK,UAAU,IAAI;AAE3B,QAAM,EAAE,OAAO,QAAI,2BAAU,EAAE,KAAK,IAAI,CAAC;AACzC,MAAI,CAAC,OAAO,KAAK;AACf,UAAM,IAAI,+CAA+B;AAAA,MACvC,OAAO,iCAAiB;AAAA,MACxB,mBAAmB;AAAA,IACrB,CAAC;AAAA,EACH;AAEA,QAAM,mBAAmB,MAAM,UAAU,WAAW,GAAG;AACvD,MAAI,CAAC,iBAAiB,WAAW;AAC/B,UAAM,IAAI,+CAA+B;AAAA,MACvC,OAAO;AAAA,MACP,mBAAmB;AAAA,IACrB,CAAC;AAAA,EACH;AAEA,SAAO;AACT;AAEA,eAAe,uBAAuB,SAGnC;AACD,QAAM,EAAE,wBAAwB,UAAU,IAAI;AAE9C,QAAM,UAAM,2BAAU,EAAE,KAAK,wBAAwB,eAAe,yBAAyB,CAAC;AAE9F,QAAM,gBAAY,kCAAiB,GAAG;AACtC,QAAM,EAAE,OAAO,IAAI,UAAM,2BAAU;AAAA,IACjC,mBAAmB,UAAU;AAAA,IAC7B,SAAS;AAAA,IACT,QAAQ,IAAI;AAAA,IACZ,SAAS,IAAI;AAAA,IACb,QAAQ;AAAA,EACV,CAAC;AAGD,QAAM,UAAU,iCAAiC,IAAI,OAAc;AACnE,MAAI,IAAI,OAAO,QAAQ,yBAAyB,WAAW,IAAI;AAC7D,UAAM,IAAI,+CAA+B;AAAA,MACvC,OAAO,iCAAiB;AAAA,MACxB,mBAAmB,oFAAoF,IAAI,OAAO,GAAG;AAAA,IACvH,CAAC;AAAA,EACH;AAEA,SAAO,EAAE,mBAAmB,IAAI,SAAS,OAAO;AAClD;;;AGjKA,IAAAC,kBAAiE;AACjE,IAAAC,iBAA8D;;;ACD9D,IAAAC,eAAkB;AAEX,IAAM,oBAAoB,eAAE,OAAO;AAAA,EACxC,MAAM,eAAE,OAAO;AAAA,EACf,gBAAgB,eAAE,MAAM,eAAE,OAAO,CAAC,EAAE,IAAI,CAAC;AAAA,EACzC,6BAA6B,eAAE,MAAM,eAAE,OAAO,CAAC,EAAE,SAAS;AAC5D,CAAC;AAGM,IAAM,mBAAmB,eAAE,MAAM,iBAAiB;;;ADDlD,SAAS,qBAAqB,SAAuD;AAC1F,QAAM,EAAE,gBAAgB,IAAI;AAE5B,QAAM,UAAU,gBAAgB,IAAI,CAAC,gBAAY,gCAAY,uCAAmB,6BAAa,OAAO,CAAC,CAAC,CAAC;AAEvG,QAAM,eAAe,iBAAiB,UAAU,OAAO;AACvD,MAAI,CAAC,aAAa,SAAS;AACzB,UAAM,IAAI,+CAA+B;AAAA,MACvC,OAAO,iCAAiB;AAAA,MACxB,mBAAmB;AAAA,IACrB,CAAC;AAAA,EACH;AAEA,SAAO,aAAa;AACtB;;;ARsBA,eAAsB,qCACpB,SACuC;AACvC,QAAM,EAAE,gBAAgB,QAAQ,WAAW,QAAQ,qBAAqB,IAAI;AAE5E,MAAI;AAIJ,QAAM,aAAS;AAAA,IACb,aAAAC,QAAE,MAAM,CAAC,qCAAqC,gCAAgC,eAAe,CAAC;AAAA,IAC9F;AAAA,IACA;AAAA,EACF;AAEA,MAAI;AACJ,MAAI,iBAAiB,MAAM,GAAG;AAC5B,UAAM,MAAM,iBAAiB,EAAE,kBAAkB,QAAQ,WAAW,OAAO,CAAC;AAE5E,UAAM,kCAA8B;AAAA,MAClC,aAAAA,QAAE,MAAM,CAAC,qCAAqC,8BAA8B,CAAC;AAAA,MAC7E,IAAI;AAAA,MACJ;AAAA,IACF;AAEA,yBAAqB,yBAAyB;AAAA,MAC5C,gBAAgB;AAAA,MAChB;AAAA,MACA,KAAK;AAAA,MACL;AAAA,MACA;AAAA,IACF,CAAC;AAAA,EACH,OAAO;AACL,yBAAqB,yBAAyB;AAAA,MAC5C,gBAAgB;AAAA,MAChB;AAAA,MACA,KAAK;AAAA,MACL;AAAA,MACA;AAAA,IACF,CAAC;AAAA,EACH;AAEA,MAAI;AACJ,MAAI,CAAC,qCAAqC,kBAAkB,KAAK,mBAAmB,qBAAqB;AACvG,qBAAiB,MAAM,oBAAoB,EAAE,mBAAmB,mBAAmB,oBAAoB,CAAC;AAAA,EAC1G;AAEA,QAAM,aAAa,sBAAsB;AAAA,IACvC,SAAS,EAAE,GAAG,oBAAoB,iBAAiB,kBAAkB,mBAAmB,gBAAgB;AAAA,IACxG;AAAA,IACA;AAAA,IACA;AAAA,EACF,CAAC;AAED,MAAI;AACJ,MAAI;AAEJ,MAAI,mBAAmB,2BAA2B,mBAAmB,6BAA6B;AAChG,QAAI,mBAAmB,6BAA6B;AAClD,YAAM,IAAI,+CAA+B;AAAA,QACvC,OAAO,iCAAiB;AAAA,QACxB,mBAAmB;AAAA,MACrB,CAAC;AAAA,IACH;AAEA,UAAM;AAAA,MACJ,yBAAyB,mBAAmB;AAAA,MAC5C,6BAA6B,mBAAmB;AAAA,IAClD;AAAA,EACF;AAEA,MAAI,mBAAmB,YAAY;AACjC,WAAO,EAAE,OAAO,mBAAmB,WAAW;AAAA,EAChD;AAEA,QAAM,kBAAkB,mBAAmB,mBACvC,qBAAqB,EAAE,iBAAiB,mBAAmB,iBAAiB,CAAC,IAC7E;AAEJ,SAAO;AAAA,IACL;AAAA,IACA,gBAAgB;AAAA,IAChB;AAAA,IACA,QAAQ,EAAE,GAAG,WAAW;AAAA,IACxB;AAAA,IACA;AAAA,EACF;AACF;AAEA,SAAS,yBAAyB,SAM/B;AACD,QAAM,EAAE,gBAAgB,QAAQ,KAAK,QAAQ,qBAAqB,IAAI;AAEtE,MAAI,qCAAqC,cAAc,GAAG;AACxD,sDAAkD;AAAA,MAChD,QAAQ;AAAA,MACR,cAAc;AAAA,MACd;AAAA,MACA;AAAA,IACF,CAAC;AAED,WAAO;AAAA,EACT;AAEA,+CAA6C,EAAE,QAAQ,gBAAgB,2BAA2B,OAAO,CAAC;AAC1G,SAAO;AACT;;;AU3JA,IAAAC,kBAMO;AACP,IAAAC,iBAA8B;;;ACGvB,SAAS,iBAAiB,MAAY,SAAiB;AAC5D,SAAO,IAAI,KAAK,KAAK,QAAQ,IAAI,UAAU,GAAI;AACjD;;;ACZA,IAAAC,kBAMO;AAUP,eAAsB,uBAAuB,SAAwC;AACnF,QAAM,EAAE,kBAAkB,cAAc,WAAW,UAAU,IAAI;AACjE,MAAI,CAAC,aAAa,cAAc;AAC9B,UAAM,EAAE,IAAI,IAAI,MAAM,UAAU,WAAW,cAAc,KAAK,UAAU,gBAAgB,CAAC;AACzF,WAAO,EAAE,qBAAqB,IAAI;AAAA,EACpC;AAEA,MAAI,aAAa,CAAC,cAAc;AAC9B,UAAMC,UAAS,MAAM,UAAU,QAAQ,WAAW;AAAA,MAChD,YAAQ,wCAAuB,SAAS;AAAA,MACxC,SAAS;AAAA,IACX,CAAC;AACD,WAAO,EAAE,qBAAqBA,QAAO,IAAI;AAAA,EAC3C;AAEA,MAAI,CAAC,aAAa,CAAC,cAAc;AAC/B,UAAM,IAAI,4BAAY,0EAA0E;AAAA,EAClG;AACA,QAAM,SAAS,MAAM,UAAU,QAAQ,WAAW;AAAA,IAChD,YAAQ,wCAAuB,SAAS;AAAA,IACxC,SAAS;AAAA,EACX,CAAC;AAED,QAAM,YAAY,MAAM,UAAU,WAAW,cAAc,OAAO,GAAG;AAErE,SAAO,EAAE,qBAAqB,UAAU,IAAI;AAC9C;;;ACvCO,SAAS,8BAA8B,gBAAuD;AACnG,QAAM,SAAS,0BAA0B,MAAM,cAAc;AAE7D,QAAM,gBAAgB,OAAO,gBAAgB;AAC7C,QAAM,aAAa,OAAO,gBAAgB;AAE1C,QAAM,SACJ,eAAe,KAAK,KAAK,KAAK,CAAC,QAAQ,IAAI,QAAQ,SAAS,IAAI,QAAQ,aAAa,KACrF,eAAe,KAAK,KAAK,KAAK,CAAC,QAAQ,IAAI,QAAQ,KAAK;AAAA,EAExD,eAAe,KAAK,OAAO,CAAC;AAE9B,QAAM,SACJ,eAAe,KAAK,KAAK,KAAK,CAAC,QAAQ,IAAI,QAAQ,SAAS,IAAI,QAAQ,UAAU,KAClF,eAAe,KAAK,KAAK,KAAK,CAAC,QAAQ,IAAI,QAAQ,KAAK;AAAA,EAExD,eAAe,KAAK,OAAO,CAAC;AAE9B,SAAO,EAAE,QAAQ,OAAO;AAC1B;;;ACtBA,IAAAC,eAAkB;AAEX,IAAM,mBAAmB;AAAA,EAC9B;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AACF;AACO,IAAM,oBAAoB,eAAE,KAAK,gBAAgB;AAIjD,IAAM,qBAAqB,CAAC,iBAA2D;AAC5F,SAAO,iBAAiB,SAAS,YAAgC;AACnE;;;AChBA,IAAAC,kBAA4B;AAU5B,SAAS,qBAAwB,SAAqC;AACpE,QAAM,EAAE,cAAc,WAAW,OAAO,IAAI;AAC5C,QAAM,eAAe,UAAU,KAAK,CAAC,UAAU,UAAU,MAAM;AAE/D,MAAI,CAAC,cAAc;AACjB,UAAM,IAAI,4BAAY,YAAY;AAAA,EACpC;AAEA,SAAO;AACT;AAEO,SAAS,4BAA4B,SAGzC;AACD,QAAM,EAAE,gBAAgB,eAAe,IAAI;AAC3C,QAAM,uBAAuB,0BAA0B,MAAM,cAAc;AAE3E,MAAI,qBAAqB,SAAS,kBAAkB,qBAAqB,SAAS,WAAW;AAC3F,QAAI,eAAe,+CAA+C;AAChE,2BAAqB;AAAA,QACnB,WAAW,eAAe;AAAA,QAC1B,QAAQ,qBAAqB,gBAAgB;AAAA,QAC7C,cAAc;AAAA,MAChB,CAAC;AAAA,IACH;AAEA,QAAI,eAAe,+CAA+C;AAChE,2BAAqB;AAAA,QACnB,WAAW,eAAe;AAAA,QAC1B,QAAQ,qBAAqB,gBAAgB;AAAA,QAC7C,cAAc;AAAA,MAChB,CAAC;AAAA,IACH;AAAA,EACF;AAEA,MACE,eAAe,+CACd,qBAAqB,SAAS,UAAU,qBAAqB,SAAS,iBACvE;AACA,yBAAqB;AAAA,MACnB,WAAW,eAAe;AAAA,MAC1B,QAAQ,qBAAqB,gBAAgB;AAAA,MAC7C,cAAc;AAAA,IAChB,CAAC;AAAA,EACH;AAEA,SAAO;AACT;;;ALnBA,eAAsB,qCACpB,SACqD;AACrD,QAAM,EAAE,gBAAgB,MAAM,UAAU,IAAI;AAC5C,QAAM,kBAAkB;AAAA,IACtB,GAAG,QAAQ;AAAA,IACX,GAAI,WAAW,kBAAkB,EAAE,OAAO,eAAe,MAAM;AAAA,EACjE;AAEA,MAAI,eAAe,iBAAiB,mBAAmB,eAAe,aAAa,KAAK,CAAC,MAAM;AAC7F,UAAM,IAAI;AAAA,MACR,uEAAuE,eAAe,aAAa;AAAA,IACrG;AAAA,EACF;AAEA,MAAI,CAAC,MAAM;AACT,WAAO;AAAA,MACL;AAAA,IACF;AAAA,EACF;AAEA,MAAI,CAAC,eAAe,iBAAiB;AACnC,UAAM,IAAI,4BAAY,gFAAgF;AAAA,EACxG;AAEA,MAAI,CAAC,eAAe,gBAAgB,MAAM;AACxC,UAAM,IAAI,+CAA+B;AAAA,MACvC,OAAO,iCAAiB;AAAA,MACxB,mBAAmB;AAAA,IACrB,CAAC;AAAA,EACH;AAEA,QAAM,wBAAwB,4BAA4B;AAAA,IACxD,gBAAgB,eAAe;AAAA,IAC/B,gBAAgB,KAAK;AAAA,EACvB,CAAC;AAED,QAAM,iBAAiB,8BAA8B;AAAA,IACnD,GAAG,eAAe;AAAA,IAClB,MAAM,eAAe,gBAAgB;AAAA,EACvC,CAAC;AAED,MAAI,CAAC,gBAAgB,QAAQ;AAC3B,UAAM,IAAI,+CAA+B;AAAA,MACvC,OAAO,iCAAiB;AAAA,MACxB,mBAAmB;AAAA,IACrB,CAAC;AAAA,EACH;AAGA,MAAI;AACJ,MAAI,MAAM,WAAW;AACnB,QAAI,CAAC,KAAK,qBAAqB;AAC7B,YAAM,IAAI,+CAA+B;AAAA,QACvC,OAAO,iCAAiB;AAAA,QACxB,mBAAmB;AAAA,MACrB,CAAC;AAAA,IACH;AAEA,QAAI,CAAC,KAAK,UAAU;AAClB,YAAM,IAAI,+CAA+B;AAAA,QACvC,OAAO,iCAAiB;AAAA,QACxB,mBAAmB;AAAA,MACrB,CAAC;AAAA,IACH;AAEA,2BAAuB;AAAA,MACrB,KAAK,KAAK;AAAA,MACV,KAAK,KAAK;AAAA,MACV,KAAK,KAAK,wBAAoB,8BAAc,iBAAiB,oBAAI,KAAK,GAAG,KAAK,EAAE,CAAC;AAAA;AAAA,IACnF;AAAA,EACF;AAEA,QAAM,sBAAsB;AAAA,IAC1B,GAAG;AAAA,IACH,GAAG;AAAA,EACL;AAEA,QAAM,SAAS,MAAM,uBAAuB;AAAA,IAC1C,kBAAkB;AAAA,IAClB,WAAW,MAAM;AAAA,IACjB,cACE,MAAM,eAAe,sBAAsB,SAAS,aAAa,sBAAsB,SAAS,kBAC5F;AAAA,MACE,QAAQ;AAAA,MACR,WAAW,eAAe;AAAA,MAC1B,KAAK,KAAK,YAAY;AAAA,MACtB,KAAK,eAAe;AAAA,MACpB,KAAK,sBAAsB,gBAAgB;AAAA,MAC3C,KAAK,sBAAsB,gBAAgB;AAAA,IAC7C,IACA;AAAA,IACN,WAAW;AAAA,MACT,SAAS,UAAU;AAAA,MACnB,YAAY,UAAU;AAAA,IACxB;AAAA,EACF,CAAC;AAED,SAAO;AAAA,IACL,iBAAiB;AAAA,IACjB,MAAM,EAAE,aAAa,OAAO,oBAAoB;AAAA,EAClD;AACF;;;AM7IA,IAAAC,kBAAkD;AAClD,IAAAC,iBAA4C;AAC5C,IAAAA,iBAAoC;;;ACFpC,IAAAC,kBAAkD;AAClD,IAAAC,iBAAiD;AAW1C,IAAM,uBAAuB,CAAC,YAAyC;AAC5E,QAAM,EAAE,aAAa,qBAAqB,UAAU,IAAI;AAExD,QAAM,mBAAmB,YAAY,gBAAgB,YAAY;AACjE,MAAI,CAAC,kBAAkB;AACrB,UAAM,IAAI,4BAAY,uFAAuF;AAAA,EAC/G;AAEA,QAAM,sBAAsB,IAAI,mBAAI,gBAAgB;AACpD,SAAO,oBAAoB,qBAAqB,qBAAqB,SAAS;AAChF;AAEA,eAAe,oBACb,kBACA,aACA,WACA;AACA,QAAM,WAAW,OAAO,UAAU,SAAS,+BAAgB,kBAAkB;AAAA,IAC3E,QAAQ;AAAA,IACR,SAAS,EAAE,gBAAgB,2BAAY,mBAAmB;AAAA,IAC1D,MAAM,YAAY,WAAW;AAAA,EAC/B,CAAC;AAED,SAAO;AAAA,IACL,cAAc;AAAA,IACd;AAAA,EACF;AACF;;;ADzBA,eAAsB,qCAAqC,SAAsD;AAC/G,QAAM,EAAE,gBAAgB,iBAAiB,MAAM,UAAU,IAAI;AAC7D,QAAM,MAAM,eAAe;AAE3B,MAAI,MAAM;AACR,WAAO,qBAAqB;AAAA,MAC1B,aAAa;AAAA,MACb,qBAAqB,KAAK;AAAA,MAC1B;AAAA,IACF,CAAC;AAAA,EACH;AAEA,MAAI,CAAC,KAAK;AACR,UAAM,IAAI;AAAA,MACR;AAAA,IACF;AAAA,EACF;AAEA,QAAM,QAAQ,UAAU,SAAS;AACjC,QAAM,sBAAkB,oCAAoB,eAAe;AAC3D,QAAM,qBAAqB,MAAM,MAAM,KAAK;AAAA,IAC1C,QAAQ;AAAA,IACR,MAAM;AAAA,IACN,SAAS;AAAA,MACP,gBAAgB,2BAAY;AAAA,IAC9B;AAAA,EACF,CAAC;AAED,SAAO;AAAA,IACL,cAAc;AAAA,IACd,UAAU;AAAA,EACZ;AACF;;;AE9CA,IAAAC,kBAA4B;;;ACA5B,IAAAC,iBAAoD;;;ACApD,IAAAC,eAAkB;AAElB,IAAM,mBAAmB,eAAE,MAAM,CAAC,eAAE,OAAO,GAAG,eAAE,OAAO,eAAE,IAAI,CAAC,CAAC,GAAG;AAAA,EAChE,SAAS;AACX,CAAC;AAEM,IAAM,cAAc,eAAE;AAAA,EAC3B,CAAC,kBAAkB,eAAE,MAAM,gBAAgB,EAAE,SAAS,4CAA4C,CAAC;AAAA,EACnG;AAAA,IACE,SAAS;AAAA,EACX;AACF;AAIO,IAAM,eAAe,eAAE,OAAO,eAAE,MAAM,CAAC,eAAE,OAAO,GAAG,eAAE,OAAO,eAAE,IAAI,CAAC,CAAC,CAAC,GAAG;AAAA,EAC7E,SACE;AACJ,CAAC;AAGM,IAAM,WAAW,aAAa,GAAG,WAAW;;;ADlB5C,SAAS,gBAAgB,SAA2D;AACzF,QAAM,oBAAgB;AAAA,IACpB;AAAA,QACA,4BAAY,OAAO;AAAA,IACnB;AAAA,EACF;AAEA,SAAO,MAAM,QAAQ,aAAa,IAAK,gBAA4D,CAAC,aAAa;AACnH;AAEO,SAAS,iBAAiB,SAA+B;AAC9D,aAAO;AAAA,IACL;AAAA,QACA,4BAAY,OAAO;AAAA,IACnB;AAAA,EACF;AACF;;;ADAO,SAAS,8CACd,SAC8C;AAC9C,QAAM,EAAE,gBAAgB,gBAAgB,IAAI;AAE5C,MAAI,WAAW,kBAAkB,eAAe,UAAU,gBAAgB,OAAO;AAC/E,UAAM,IAAI,4BAAY,kDAAkD;AAAA,EAC1E;AAGA,MAAI,gBAAgB,UAAU;AAC5B,UAAM,IAAI,4BAAY,6DAA6D;AAAA,EACrF;AAEA,MAAI,gBAAgB,yBAAyB;AAC3C,QAAI,CAAC,eAAe,yBAAyB;AAC3C,YAAM,IAAI,4BAAY,kFAAkF;AAAA,IAC1G;AAEA,WAAO;AAAA,MACL,MAAM;AAAA,MACN,KACE,WAAW,kBAAkB,eAAe,QACxC;AAAA,QACE,OAAO,eAAe;AAAA,QACtB,wBAAwB,gBAAgB;AAAA,QACxC,eAAe,gBAAgB,gBAAgB,QAAQ;AAAA,MACzD,IACA;AAAA,QACE,wBAAwB,eAAe;AAAA,QACvC,wBAAwB,gBAAgB;AAAA,QACxC,eAAe,gBAAgB,gBAAgB,QAAQ;AAAA,MACzD;AAAA,IACR;AAAA,EACF;AAEA,MAAI,eAAe,YAAY;AAC7B,UAAM,gBAAgB,iBAAiB,gBAAgB,QAAQ;AAE/D,WAAO;AAAA,MACL,MAAM;AAAA,MACN,MACE,WAAW,kBAAkB,eAAe,QACxC;AAAA,QACE,OAAO,eAAe;AAAA,QACtB;AAAA,MACF,IACA;AAAA,QACE,OAAO,eAAe;AAAA,QACtB;AAAA,MACF;AAAA,IACR;AAAA,EACF;AAEA,QAAM,IAAI;AAAA,IACR;AAAA,EACF;AACF;;;AG5EA,IAAAC,kBAAkF;;;ACAlF,IAAAC,iBAAuC;;;ACAvC,IAAAC,eAAkB;;;ACAlB,IAAAC,eAAkB;AAEX,IAAM,6BAA6B,eAAE,OAAO,eAAE,IAAI,CAAC;AACnD,IAAM,6BAA6B,eAAE,OAAO,eAAE,IAAI,CAAC;;;ADCnD,IAAM,kCAAkC,eAC5C,OAAO;AAAA,EACN,OAAO,eAAE,OAAO,EAAE,SAAS;AAAA,EAC3B,UAAU,eAAE,OAAO,EAAE,SAAS;AAAA,EAC9B,UAAU;AAAA,EACV,yBAAyB,2BAA2B,SAAS;AAAA,EAC7D,eAAe,eAAE,OAAO,EAAE,SAAS;AAAA,EACnC,YAAY,eAAE,OAAO,EAAE,SAAS;AAAA,EAChC,cAAc,eAAE,OAAO,EAAE,SAAS;AAAA,EAClC,YAAY,eAAE,OAAO,EAAE,SAAS;AAClC,CAAC,EACA,YAAY;;;ADZR,SAAS,2CAA2C,SAAkC;AAC3F,aAAO;AAAA,IACL;AAAA,IACA;AAAA,IACA;AAAA,EACF;AACF;;;AGTA,IAAAC,kBAA6F;AAC7F,IAAAC,iBAAyE;AACzE,IAAAC,eAAc;AAmBd,eAAsB,+BACpB,SAC+C;AAC/C,QAAM,EAAE,iBAAiB,UAAU,IAAI;AAEvC,QAAM,mCAA+B;AAAA,IACnC,aAAAC,QAAE,MAAM,CAAC,6BAAa,2BAAW,CAAC;AAAA,IAClC;AAAA,IACA;AAAA,EACF;AAEA,QAAM,uBAAuB,MAAM,gCAAgC,EAAE,8BAA8B,UAAU,CAAC;AAE9G,QAAM,EAAE,QAAQ,WAAW,QAAI,iCAAgB;AAAA,IAC7C,KAAK;AAAA,IACL,cAAc;AAAA,EAChB,CAAC;AAED,QAAM,6BAA6B,0CAA0C;AAAA,IAC3E,sBAAsB,qBAAqB;AAAA,EAC7C,CAAC;AAED,MAAI,2BAA2B,SAAS,eAAe,2BAA2B,SAAS,oBAAoB;AAC7G,UAAM,IAAI,4BAAY,iFAAiF;AAAA,EACzG;AAEA,QAAM,+BAA+B,2CAA2C,qBAAqB,gBAAgB;AACrH,QAAM,4BAA4B,8CAA8C;AAAA,IAC9E,gBAAgB,2BAA2B;AAAA,IAC3C,iBAAiB;AAAA,EACnB,CAAC;AAED,QAAM,8BAA8B,2BAA2B;AAC/D,MAAI,CAAC,4BAA4B,iBAAiB,CAAC,mBAAmB,4BAA4B,aAAa,GAAG;AAChH,UAAM,IAAI;AAAA,MACR,4DAA4D,4BAA4B,iBAAiB,UAAU;AAAA,IACrH;AAAA,EACF;AAEA,MAAI,qBAAyC;AAE7C,MAAI,YAAY,KAAK;AACnB,6BAAqB,uCAAmB,6BAAa,WAAW,GAAG,CAAC;AAAA,EACtE;AACA,MAAI,YAAY,KAAK;AACnB,UAAM,uBAAmB,uCAAmB,6BAAa,WAAW,GAAG,CAAC;AACxE,QAAI,qBAAqB,4BAA4B,OAAO;AAC1D,YAAM,IAAI,4BAAY,uEAAuE;AAAA,IAC/F;AAAA,EACF;AAEA,SAAO;AAAA,IACL,GAAG;AAAA,IACH,MAAM,EAAE,GAAG,sBAAsB,YAAY,mBAAmB;AAAA,IAEhE,eAAe,4BAA4B;AAAA,IAC3C;AAAA,IACA;AAAA,EACF;AACF;;;AJ1CA,eAAsB,oCACpB,SAC+C;AAC/C,QAAM,EAAE,iBAAiB,UAAU,IAAI;AAEvC,MAAI,gBAAgB,UAAU;AAC5B,WAAO,+BAA+B,EAAE,iBAAiB,gBAAgB,UAAoB,UAAU,CAAC;AAAA,EAC1G;AAEA,QAAM,+BAA+B,2CAA2C,eAAe;AAE/F,QAAM,EAAE,qBAAqB,IAAI,MAAM,UAAU,iCAAiC,4BAA4B;AAC9G,QAAM,oBAAoB,0CAA0C,EAAE,qBAA2C,CAAC;AAClH,MAAI,kBAAkB,SAAS,eAAe,kBAAkB,SAAS,oBAAoB;AAC3F,UAAM,IAAI,4BAAY,iFAAiF;AAAA,EACzG;AAEA,QAAM,8BAA8B,kBAAkB;AAEtD,QAAM,4BAA4B,8CAA8C;AAAA,IAC9E,gBAAgB;AAAA,IAChB,iBAAiB;AAAA,EACnB,CAAC;AAED,MAAI,4BAA4B,iBAAiB,mBAAmB,4BAA4B,aAAa,GAAG;AAC9G,UAAM,IAAI;AAAA,MACR;AAAA,QACE,OAAO;AAAA,QACP,mBAAmB;AAAA,MACrB;AAAA,MACA;AAAA,QACE,QAAQ;AAAA,MACV;AAAA,IACF;AAAA,EACF;AAEA,SAAO;AAAA,IACL,GAAG;AAAA,IACH,eAAe,4BAA4B;AAAA,IAE3C;AAAA,IACA;AAAA,IACA,MAAM;AAAA,EACR;AACF;;;AK1DO,IAAM,kBAAN,MAAsB;AAAA,EACpB,YAAoB,SAAiC;AAAjC;AAAA,EAAkC;AAAA,EAEtD,0CAA0C,SAAkD;AACjG,WAAO,0CAA0C,OAAO;AAAA,EAC1D;AAAA,EAEA,MAAa,qCACX,SACA;AACA,WAAO,qCAAqC,EAAE,GAAG,SAAS,WAAW,KAAK,QAAQ,UAAU,CAAC;AAAA,EAC/F;AAAA,EAEA,MAAa,qCACX,SACA;AACA,WAAO,qCAAqC,EAAE,GAAG,SAAS,WAAW,KAAK,QAAQ,UAAU,CAAC;AAAA,EAC/F;AAAA,EAEA,MAAa,qCACX,SACA;AACA,WAAO,qCAAqC,EAAE,GAAG,SAAS,WAAW,KAAK,QAAQ,UAAU,CAAC;AAAA,EAC/F;AACF;;;ACpBO,IAAM,oBAAN,MAAwB;AAAA,EACtB,YAAoB,SAAmC;AAAnC;AAAA,EAAoC;AAAA,EAE/D,MAAa,oCACX,SACA;AACA,WAAO,oCAAoC,EAAE,GAAG,SAAS,WAAW,KAAK,QAAQ,UAAU,CAAC;AAAA,EAC9F;AAAA,EAEO,0CAA0C,SAAkD;AACjG,WAAO,0CAA0C,OAAO;AAAA,EAC1D;AAAA,EAEO,oCAAoC,SAAqD;AAC9F,WAAO,oCAAoC,OAAO;AAAA,EACpD;AAAA,EAEO,8CAA8C,SAAwD;AAC3G,WAAO,8CAA8C,OAAO;AAAA,EAC9D;AAAA,EAEO,gBAAgB,SAAkB;AACvC,WAAO,gBAAgB,OAAO;AAAA,EAChC;AAAA,EAEO,iBAAiB,SAAkB;AACxC,WAAO,iBAAiB,OAAO;AAAA,EACjC;AAAA,EAEO,qBAAqB,SAAsC;AAChE,WAAO,qBAAqB,OAAO;AAAA,EACrC;AACF;;;AC5DA,IAAAC,eAAkB;AACX,IAAM,oBAAoB,eAAE,KAAK,CAAC,eAAe,UAAU,SAAS,YAAY,aAAa,WAAW,CAAC;;;ACDhH,IAAAC,eAAkB;AACX,IAAM,eAAe,eAAE,KAAK,CAAC,eAAe,UAAU,SAAS,aAAa,aAAa,UAAU,CAAC;","names":["import_oauth2","import_zod","import_oauth2","import_zod","z","import_oauth2","import_utils","import_zod","import_oauth2","import_utils","import_oauth2","import_oauth2","import_utils","import_oauth2","import_utils","import_zod","import_oauth2","import_utils","import_zod","import_zod","import_zod","url","import_oauth2","import_utils","import_zod","import_oauth2","import_utils","import_zod","z","import_oauth2","import_utils","import_zod","import_oauth2","import_oauth2","import_oauth2","import_utils","import_zod","import_oauth2","import_oauth2","import_utils","import_zod","import_oauth2","import_zod","import_oauth2","import_utils","import_zod","z","import_oauth2","import_utils","import_oauth2","signed","import_zod","import_oauth2","import_oauth2","import_utils","import_oauth2","import_utils","import_oauth2","import_utils","import_zod","import_oauth2","import_utils","import_zod","import_zod","import_oauth2","import_utils","import_zod","z","import_zod","import_zod"]}
1	+ {"version":3,"sources":["../src/index.ts","../src/client-identifier-scheme/z-client-id-scheme.ts","../src/jarm/jarm-auth-response/verify-jarm-auth-response.ts","../src/jarm/jarm-auth-response/jarm-validate-auth-response.ts","../src/jarm/jarm-auth-response/z-jarm-auth-response.ts","../src/jarm/metadata/z-jarm-client-metadata.ts","../src/authorization-request/create-authorization-request.ts","../src/jar/create-jar-auth-request.ts","../src/authorization-request/validate-authorization-request.ts","../src/authorization-request/validate-authorization-request-dc-api.ts","../src/authorization-request/z-authorization-request.ts","../src/models/z-client-metadata.ts","../src/models/z-vp-formats-supported.ts","../src/authorization-request/z-authorization-request-dc-api.ts","../src/authorization-request/parse-authorization-request-params.ts","../src/jar/z-jar-auth-request.ts","../src/authorization-request/resolve-authorization-request.ts","../src/client-identifier-scheme/parse-client-identifier-scheme.ts","../src/version.ts","../src/fetch-client-metadata.ts","../src/models/z-wallet-metadata.ts","../src/jar/handle-jar-request/verify-jar-request.ts","../src/jar/jar-request-object/fetch-jar-request-object.ts","../src/jar/jar-request-object/z-jar-request-object.ts","../src/transaction-data/parse-transaction-data.ts","../src/transaction-data/z-transaction-data.ts","../src/authorization-response/create-authorization-response.ts","../../utils/src/date.ts","../src/jarm/jarm-auth-response-create.ts","../src/jarm/jarm-extract-jwks.ts","../src/jarm/jarm-response-mode.ts","../src/jarm/metadata/jarm-assert-metadata-supported.ts","../src/authorization-response/submit-authorization-response.ts","../src/jarm/jarm-auth-response-send.ts","../src/authorization-response/validate-authorization-response.ts","../src/vp-token/parse-vp-token.ts","../src/vp-token/z-vp-token.ts","../src/authorization-response/parse-authorization-response.ts","../src/authorization-response/parse-authorization-response-payload.ts","../src/authorization-response/z-authorization-response.ts","../src/models/z-pex.ts","../src/authorization-response/parse-jarm-authorization-response.ts","../src/Openid4vpClient.ts","../src/transaction-data/verify-transaction-data.ts","../src/Openid4vpVerifier.ts","../src/models/z-credential-formats.ts","../src/models/z-proof-formats.ts"],"sourcesContent":["export { zClientIdScheme, ClientIdScheme } from './client-identifier-scheme/z-client-id-scheme'\nexport {\n verifyJarmAuthorizationResponse,\n type VerifyJarmAuthorizationResponseOptions,\n type JarmMode,\n} from './jarm/jarm-auth-response/verify-jarm-auth-response'\nexport { zJarmClientMetadata, JarmClientMetadata } from './jarm/metadata/z-jarm-client-metadata'\nexport {\n createOpenid4vpAuthorizationRequest,\n CreateOpenid4vpAuthorizationRequestOptions,\n} from './authorization-request/create-authorization-request'\nexport {\n parseOpenid4vpAuthorizationRequestPayload,\n ParseOpenid4vpAuthRequestPayloadOptions,\n} from './authorization-request/parse-authorization-request-params'\nexport {\n resolveOpenid4vpAuthorizationRequest,\n ResolveOpenid4vpAuthorizationRequestOptions,\n ResolvedOpenid4vpAuthRequest,\n} from './authorization-request/resolve-authorization-request'\nexport type { Openid4vpAuthorizationRequest } from './authorization-request/z-authorization-request'\nexport {\n validateOpenid4vpAuthorizationRequestPayload,\n ValidateOpenid4vpAuthorizationRequestPayloadOptions,\n WalletVerificationOptions,\n} from './authorization-request/validate-authorization-request'\nexport {\n createOpenid4vpAuthorizationResponse,\n CreateOpenid4vpAuthorizationResponseOptions,\n CreateOpenid4vpAuthorizationResponseResult,\n} from './authorization-response/create-authorization-response'\nexport {\n submitOpenid4vpAuthorizationResponse,\n SubmitOpenid4vpAuthorizationResponseOptions,\n} from './authorization-response/submit-authorization-response'\nexport {\n validateOpenid4vpAuthorizationResponsePayload,\n ValidateOpenid4vpAuthorizationResponseOptions,\n} from './authorization-response/validate-authorization-response'\nexport {\n parseTransactionData,\n ParseTransactionDataOptions,\n} from './transaction-data/parse-transaction-data'\nexport type { TransactionDataEntry } from './transaction-data/z-transaction-data'\nexport {\n parsePexVpToken,\n parseDcqlVpToken,\n} from './vp-token/parse-vp-token'\n\nexport {\n parseOpenid4vpAuthorizationResponse,\n ParseOpenid4vpAuthorizationResponseOptions,\n ParsedOpenid4vpAuthorizationResponse,\n} from './authorization-response/parse-authorization-response'\n\nexport {\n parseJarmAuthorizationResponse,\n ParseJarmAuthorizationResponseOptions,\n} from './authorization-response/parse-jarm-authorization-response'\n\nexport {\n ValidateOpenid4VpPexAuthorizationResponseResult,\n ValidateOpenid4VpDcqlAuthorizationResponseResult,\n ValidateOpenid4VpAuthorizationResponseResult,\n} from './authorization-response/validate-authorization-response-result'\n\nexport { Openid4vpClient } from './Openid4vpClient'\nexport { Openid4vpVerifier } from './Openid4vpVerifier'\nexport {\n zOpenid4vpAuthorizationResponse,\n Openid4vpAuthorizationResponse,\n} from './authorization-response/z-authorization-response'\n\nexport { isJarmResponseMode } from './jarm/jarm-response-mode'\n\nexport {\n isOpenid4vpAuthorizationRequestDcApi,\n type Openid4vpAuthorizationRequestDcApi,\n} from './authorization-request/z-authorization-request-dc-api'\n\nexport {\n zClientMetadata,\n ClientMetadata,\n} from './models/z-client-metadata'\n\nexport {\n zCredentialFormat,\n CredentialFormat,\n} from './models/z-credential-formats'\n\nexport {\n zProofFormat,\n ProofFormat,\n} from './models/z-proof-formats'\n\nexport {\n zWalletMetadata,\n WalletMetadata,\n} from './models/z-wallet-metadata'\n","import { z } from 'zod'\n\nexport const zClientIdScheme = z.enum([\n 'pre-registered',\n 'redirect_uri',\n 'https',\n 'verifier_attestation',\n 'did',\n 'x509_san_dns',\n 'x509_san_uri',\n 'web-origin',\n])\n\nexport type ClientIdScheme = z.infer<typeof zClientIdScheme>\n","import {\n type CallbackContext,\n Oauth2Error,\n decodeJwt,\n decodeJwtHeader,\n jwtSignerFromJwt,\n zCompactJwe,\n zCompactJwt,\n zJwtHeader,\n} from '@openid4vc/oauth2'\nimport z from 'zod'\nimport { jarmAuthResponseValidate } from './jarm-validate-auth-response'\nimport {\n type JarmAuthResponse,\n type JarmAuthResponseEncryptedOnly,\n zJarmAuthResponse,\n zJarmAuthResponseEncryptedOnly,\n} from './z-jarm-auth-response'\n\nexport enum JarmMode {\n Signed = 'Signed',\n Encrypted = 'Encrypted',\n SignedEncrypted = 'SignedEncrypted',\n}\n\nexport type GetOpenid4vpAuthorizationRequestCallback = (\n authResponse: JarmAuthResponse \| JarmAuthResponseEncryptedOnly\n) => Promise<{ authorizationRequest: { client_id: string; nonce: string; state?: string } }>\n\n/*\n The client decrypts the JWT using the default key for the respective issuer or,\n * if applicable, determined by the kid JWT header parameter.\n * The key might be a private key, where the corresponding public key is registered\n * with the expected issuer of the response (\"use\":\"enc\" via the client's metadata jwks or jwks_uri)\n * or a key derived from its client secret (see Section 2.2).\n /\nconst decryptJarmRequestData = async (options: {\n requestData: string\n callbacks: Pick<CallbackContext, 'decryptJwe'>\n}) => {\n const { requestData, callbacks } = options\n\n const { header } = decodeJwtHeader({ jwt: requestData })\n if (!header.kid) {\n throw new Oauth2Error('Jarm JWE is missing the protected header field \"kid\".')\n }\n\n const result = await callbacks.decryptJwe(requestData)\n if (!result.decrypted) {\n throw new Oauth2Error('Failed to decrypt jarm auth response.')\n }\n\n return result.payload\n}\n\nexport interface VerifyJarmAuthorizationResponseOptions {\n jarmAuthorizationResponseJwt: string\n callbacks: Pick<CallbackContext, 'decryptJwe' \| 'verifyJwt'> & {\n getOpenid4vpAuthorizationRequest: GetOpenid4vpAuthorizationRequestCallback\n }\n}\n\nexport type VerifiedJarmAuthorizationResponse = Awaited<ReturnType<typeof verifyJarmAuthorizationResponse>>\n\n/\n Validate a JARM direct_post.jwt compliant authentication response\n * * The decryption key should be resolvable using the the protected header's 'kid' field\n * * The signature verification jwk should be resolvable using the jws protected header's 'kid' field and the payload's 'iss' field.\n /\nexport async function verifyJarmAuthorizationResponse(options: VerifyJarmAuthorizationResponseOptions) {\n const { jarmAuthorizationResponseJwt, callbacks } = options\n\n const requestDataIsEncrypted = zCompactJwe.safeParse(jarmAuthorizationResponseJwt).success\n const decryptedRequestData = requestDataIsEncrypted\n ? await decryptJarmRequestData({ requestData: jarmAuthorizationResponseJwt, callbacks })\n : jarmAuthorizationResponseJwt\n\n const responseIsSigned = zCompactJwt.safeParse(decryptedRequestData).success\n if (!requestDataIsEncrypted && !responseIsSigned) {\n throw new Oauth2Error('Jarm Auth Response must be either encrypted, signed, or signed and encrypted.')\n }\n\n let jarmAuthResponse: JarmAuthResponse \| JarmAuthResponseEncryptedOnly\n\n if (responseIsSigned) {\n const { header: jwsProtectedHeader, payload: jwsPayload } = decodeJwt({\n jwt: decryptedRequestData,\n headerSchema: z.object({ ...zJwtHeader.shape, kid: z.string() }),\n })\n\n const response = zJarmAuthResponse.parse(jwsPayload)\n const jwtSigner = jwtSignerFromJwt({ header: jwsProtectedHeader, payload: jwsPayload })\n\n const verificationResult = await options.callbacks.verifyJwt(jwtSigner, {\n compact: decryptedRequestData,\n header: jwsProtectedHeader,\n payload: jwsPayload,\n })\n\n if (!verificationResult.verified) {\n throw new Oauth2Error('Jarm Auth Response is not valid.')\n }\n\n jarmAuthResponse = response\n } else {\n const jsonRequestData: unknown = JSON.parse(decryptedRequestData)\n jarmAuthResponse = zJarmAuthResponseEncryptedOnly.parse(jsonRequestData)\n }\n\n const { authorizationRequest } = await callbacks.getOpenid4vpAuthorizationRequest(jarmAuthResponse)\n\n jarmAuthResponseValidate({\n clientId: authorizationRequest.client_id,\n authorizationResponse: jarmAuthResponse,\n })\n const type: JarmMode =\n requestDataIsEncrypted && responseIsSigned\n ? JarmMode.SignedEncrypted\n : requestDataIsEncrypted\n ? JarmMode.Encrypted\n : JarmMode.Signed\n\n const issuer = jarmAuthResponse.iss\n return { authorizationRequest, jarmAuthResponse, type, issuer }\n}\n","import { Oauth2Error } from '@openid4vc/oauth2'\nimport { dateToSeconds } from '@openid4vc/utils'\nimport { type JarmAuthResponse, type JarmAuthResponseEncryptedOnly, zJarmAuthResponse } from './z-jarm-auth-response'\n\nexport const jarmAuthResponseValidate = (options: {\n clientId: string\n authorizationResponse: JarmAuthResponse \| JarmAuthResponseEncryptedOnly\n}) => {\n const { clientId, authorizationResponse } = options\n\n // The traditional Jarm Validation Methods do not account for the encrypted response.\n if (!zJarmAuthResponse.safeParse(authorizationResponse).success) {\n return\n }\n\n // 3. The client obtains the aud element from the JWT and checks whether it matches the client id the client used to identify itself in the corresponding authorization request. If the check fails, the client MUST abort processing and refuse the response.\n if (clientId !== authorizationResponse.aud) {\n throw new Oauth2Error(\n `Invalid 'aud' claim in JARM authorization response. Expected '${\n clientId\n }' received '${JSON.stringify(authorizationResponse.aud)}'.`\n )\n }\n\n // 4. The client checks the JWT's exp element to determine if the JWT is still valid. If the check fails, the client MUST abort processing and refuse the response.\n // 120 seconds clock skew\n if (authorizationResponse.exp !== undefined && authorizationResponse.exp < dateToSeconds()) {\n throw new Oauth2Error('Jarm auth response is expired.')\n }\n}\n","import { zJwtHeader, zJwtPayload } from '@openid4vc/oauth2'\nimport { z } from 'zod'\n\nexport const zJarmHeader = z.object({ ...zJwtHeader.shape, apu: z.string().optional(), apv: z.string().optional() })\nexport type JarmHeader = z.infer<typeof zJarmHeader>\n\nexport const zJarmAuthResponse = z\n .object({\n /\n iss: The issuer URL of the authorization server that created the response\n * aud: The client_id of the client the response is intended for\n * exp: The expiration time of the JWT. A maximum JWT lifetime of 10 minutes is RECOMMENDED.\n /\n ...zJwtPayload.shape,\n ...zJwtPayload.pick({ iss: true, aud: true, exp: true }).required().shape,\n state: z.optional(z.string()),\n })\n .passthrough()\n\nexport type JarmAuthResponse = z.infer<typeof zJarmAuthResponse>\n\nexport const zJarmAuthResponseEncryptedOnly = z\n .object({\n ...zJwtPayload.shape,\n state: z.optional(z.string()),\n })\n .passthrough()\nexport type JarmAuthResponseEncryptedOnly = z.infer<typeof zJarmAuthResponseEncryptedOnly>\n","import { Oauth2Error, zAlgValueNotNone } from '@openid4vc/oauth2'\nimport { parseWithErrorHandling } from '@openid4vc/utils'\nimport { z } from 'zod'\n\nexport const zJarmSignOnlyClientMetadata = z.object({\n authorization_signed_response_alg: zAlgValueNotNone,\n\n authorization_encrypted_response_alg: z.optional(z.never()),\n authorization_encrypted_response_enc: z.optional(z.never()),\n})\nexport type JarmSignOnlyClientMetadata = z.infer<typeof zJarmSignOnlyClientMetadata>\n\nexport const zJarmEncryptOnlyClientMetadata = z.object({\n authorization_signed_response_alg: z.optional(z.never()),\n authorization_encrypted_response_alg: z.string(),\n\n authorization_encrypted_response_enc: z.optional(z.string()),\n})\nexport type JarmEncryptOnlyClientMetadata = z.infer<typeof zJarmEncryptOnlyClientMetadata>\n\nexport const zJarmSignEncryptClientMetadata = z.object({\n authorization_signed_response_alg: zJarmSignOnlyClientMetadata.shape.authorization_signed_response_alg,\n authorization_encrypted_response_alg: zJarmEncryptOnlyClientMetadata.shape.authorization_encrypted_response_alg,\n authorization_encrypted_response_enc: zJarmEncryptOnlyClientMetadata.shape.authorization_encrypted_response_enc,\n})\nexport type JarmSignEncryptClientMetadata = z.infer<typeof zJarmSignEncryptClientMetadata>\n\n/\n Clients may register their public encryption keys using the jwks_uri or jwks metadata parameters.\n /\nexport const zJarmClientMetadata = z.object({\n authorization_signed_response_alg: z.optional(zJarmSignOnlyClientMetadata.shape.authorization_signed_response_alg),\n authorization_encrypted_response_alg: z.optional(\n zJarmEncryptOnlyClientMetadata.shape.authorization_encrypted_response_alg\n ),\n authorization_encrypted_response_enc: z.optional(\n zJarmEncryptOnlyClientMetadata.shape.authorization_encrypted_response_enc\n ),\n})\nexport type JarmClientMetadata = z.infer<typeof zJarmClientMetadata>\n\nexport const zJarmClientMetadataParsed = zJarmClientMetadata.transform((client_metadata) => {\n const parsedClientMeta = parseWithErrorHandling(\n z.union([zJarmEncryptOnlyClientMetadata, zJarmSignOnlyClientMetadata, zJarmSignEncryptClientMetadata]),\n client_metadata,\n 'Invalid jarm client metadata.'\n )\n\n const SignEncrypt = zJarmSignEncryptClientMetadata.safeParse(parsedClientMeta)\n if (SignEncrypt.success) {\n return {\n type: 'sign_encrypt',\n client_metadata: {\n ...SignEncrypt.data,\n authorization_encrypted_response_enc: client_metadata.authorization_encrypted_response_enc ?? 'A128CBC-HS256',\n },\n } as const\n }\n\n const encryptOnly = zJarmEncryptOnlyClientMetadata.safeParse(parsedClientMeta)\n if (encryptOnly.success) {\n return {\n type: 'encrypt',\n client_metadata: {\n ...encryptOnly.data,\n authorization_encrypted_response_enc: parsedClientMeta.authorization_encrypted_response_enc ?? 'A128CBC-HS256',\n },\n } as const\n }\n\n // this must be the last entry\n const signOnly = zJarmSignOnlyClientMetadata.safeParse(parsedClientMeta)\n if (signOnly.success) {\n return {\n type: 'sign',\n client_metadata: {\n ...signOnly.data,\n authorization_signed_response_alg: parsedClientMeta.authorization_signed_response_alg ?? 'RS256',\n },\n } as const\n }\n\n throw new Oauth2Error('Invalid jarm client metadata. Failed to parse.')\n})\nexport type JarmClientMetadataParsed = z.infer<typeof zJarmClientMetadataParsed>\n","import { type CallbackContext, type JwtSigner, Oauth2Error } from '@openid4vc/oauth2'\nimport { URL, URLSearchParams, objectToQueryParams, parseWithErrorHandling } from '@openid4vc/utils'\nimport { createJarAuthRequest } from '../jar/create-jar-auth-request'\nimport {\n type WalletVerificationOptions,\n validateOpenid4vpAuthorizationRequestPayload,\n} from './validate-authorization-request'\nimport { validateOpenid4vpAuthorizationRequestDcApiPayload } from './validate-authorization-request-dc-api'\nimport { type Openid4vpAuthorizationRequest, zOpenid4vpAuthorizationRequest } from './z-authorization-request'\nimport {\n type Openid4vpAuthorizationRequestDcApi,\n isOpenid4vpAuthorizationRequestDcApi,\n zOpenid4vpAuthorizationRequestDcApi,\n} from './z-authorization-request-dc-api'\n\nexport interface CreateOpenid4vpAuthorizationRequestOptions {\n scheme?: string\n requestPayload: Openid4vpAuthorizationRequest \| Openid4vpAuthorizationRequestDcApi\n jar?: {\n requestUri?: string\n jwtSigner: JwtSigner\n additionalJwtPayload?: Record<string, unknown>\n }\n wallet?: WalletVerificationOptions\n callbacks: Pick<CallbackContext, 'signJwt' \| 'encryptJwe'>\n}\n\n/\n Creates an OpenID4VP authorization request, optionally with a JWT Secured Authorization Request (JAR)\n * If the request is created after receiving wallet metadata via a POST to the request_uri endpoint, the wallet nonce needs to be provided\n \n @param options Configuration options for creating the authorization request\n * @param input.scheme Optional URI scheme to use (defaults to 'openid4vp://')\n * @param input.requestParams The OpenID4VP authorization request parameters\n * @param input.jar Optional JWT Secured Authorization Request (JAR) configuration\n * @param input.jar.requestUri The URI where the JAR will be accessible\n * @param input.jar.jwtSigner Function to sign the JAR JWT\n * @param input.jar.jweEncryptor Optional function to encrypt the JAR JWT\n * @param input.jar.additionalJwtPayload Optional additional claims to include in JAR JWT\n * @param input.wallet Optional wallet-specific parameters\n * @param input.wallet.nonce Optional wallet nonce\n * @param input.callbacks Callback functions for JWT operations\n * @returns Object containing the authorization request parameters, URI and optional JAR details\n /\nexport async function createOpenid4vpAuthorizationRequest(options: CreateOpenid4vpAuthorizationRequestOptions) {\n const { jar, scheme = 'openid4vp://', requestPayload, wallet, callbacks } = options\n\n let additionalJwtPayload: Record<string, unknown> \| undefined\n\n let authRequestParams: Openid4vpAuthorizationRequest \| Openid4vpAuthorizationRequestDcApi\n if (isOpenid4vpAuthorizationRequestDcApi(requestPayload)) {\n authRequestParams = parseWithErrorHandling(\n zOpenid4vpAuthorizationRequestDcApi,\n requestPayload,\n 'Invalid authorization request. Could not parse openid4vp dc_api authorization request.'\n )\n\n if (jar && !authRequestParams.expected_origins) {\n throw new Oauth2Error(\n `The 'expected_origins' parameter MUST be present when using the dc_api response mode in combination with jar.`\n )\n }\n\n validateOpenid4vpAuthorizationRequestDcApiPayload({\n params: authRequestParams,\n isJarRequest: Boolean(jar),\n omitOriginValidation: true,\n })\n } else {\n authRequestParams = parseWithErrorHandling(\n zOpenid4vpAuthorizationRequest,\n requestPayload,\n 'Invalid authorization request. Could not parse openid4vp authorization request.'\n )\n validateOpenid4vpAuthorizationRequestPayload({ params: authRequestParams, walletVerificationOptions: wallet })\n }\n\n if (jar) {\n if (!jar.additionalJwtPayload?.aud) {\n additionalJwtPayload = { ...jar.additionalJwtPayload, aud: jar.requestUri }\n }\n }\n\n if (jar) {\n const jarResult = await createJarAuthRequest({\n ...jar,\n authRequestParams: requestPayload,\n additionalJwtPayload,\n callbacks,\n })\n\n const url = new URL(scheme)\n url.search = `?${new URLSearchParams([\n ...url.searchParams.entries(),\n ...objectToQueryParams(jarResult.requestParams).entries(),\n ]).toString()}`\n\n return {\n authRequestObject: jarResult.requestParams,\n authRequest: url.toString(),\n jar: { ...jar, ...jarResult },\n }\n }\n\n const url = new URL(scheme)\n url.search = `?${new URLSearchParams([\n ...url.searchParams.entries(),\n ...objectToQueryParams(requestPayload).entries(),\n ]).toString()}`\n\n return {\n authRequestObject: requestPayload,\n authRequest: url.toString(),\n jar: undefined,\n }\n}\n","import {\n type CallbackContext,\n type JweEncryptor,\n type Jwk,\n type JwtPayload,\n type JwtSigner,\n jwtHeaderFromJwtSigner,\n} from '@openid4vc/oauth2'\nimport type { JarAuthRequest } from './z-jar-auth-request'\n\nexport interface CreateJarAuthRequestOptions {\n authRequestParams: JwtPayload & { client_id?: string }\n jwtSigner: JwtSigner\n jweEncryptor?: JweEncryptor\n requestUri?: string\n additionalJwtPayload?: Record<string, unknown>\n callbacks: Pick<CallbackContext, 'signJwt' \| 'encryptJwe'>\n}\n\n/\n Creates a JAR (JWT Authorization Request) request object.\n \n @param options - The input parameters\n * @param options.authRequestParams - The authorization request parameters\n * @param options.jwtSigner - The JWT signer\n * @param options.jweEncryptor - The JWE encryptor (optional) if provided, the request object will be encrypted\n * @param options.requestUri - The request URI (optional) if provided, the request object needs to be fetched from the URI\n * @param options.callbacks - The callback context\n * @returns the requestParams, signerJwk, encryptionJwk, and requestObjectJwt\n /\nexport async function createJarAuthRequest(options: CreateJarAuthRequestOptions) {\n const { jwtSigner, jweEncryptor, authRequestParams, requestUri, callbacks } = options\n\n let requestObjectJwt: string \| undefined\n let encryptionJwk: Jwk \| undefined\n\n const { jwt, signerJwk } = await callbacks.signJwt(jwtSigner, {\n header: { ...jwtHeaderFromJwtSigner(jwtSigner), typ: 'oauth-authz-req+jwt' },\n payload: { ...options.additionalJwtPayload, ...authRequestParams },\n })\n requestObjectJwt = jwt\n\n if (jweEncryptor) {\n const encryptionResult = await callbacks.encryptJwe(jweEncryptor, requestObjectJwt)\n requestObjectJwt = encryptionResult.jwe\n encryptionJwk = encryptionResult.encryptionJwk\n }\n\n const client_id = authRequestParams.client_id\n const requestParams: JarAuthRequest = requestUri\n ? { client_id, request_uri: requestUri }\n : { client_id, request: requestObjectJwt }\n\n return { requestParams, signerJwk, encryptionJwk, requestObjectJwt }\n}\n","import { Oauth2ErrorCodes, Oauth2ServerErrorResponseError } from '@openid4vc/oauth2'\nimport { zHttpsUrl } from '@openid4vc/utils'\nimport type { WalletMetadata } from '../models/z-wallet-metadata'\nimport type { Openid4vpAuthorizationRequest } from './z-authorization-request'\n\nexport interface WalletVerificationOptions {\n expectedNonce?: string\n metadata?: WalletMetadata\n}\n\nexport interface ValidateOpenid4vpAuthorizationRequestPayloadOptions {\n params: Openid4vpAuthorizationRequest\n walletVerificationOptions?: WalletVerificationOptions\n}\n\n/\n Validate the OpenId4Vp Authorization Request parameters\n /\nexport const validateOpenid4vpAuthorizationRequestPayload = (\n options: ValidateOpenid4vpAuthorizationRequestPayloadOptions\n) => {\n const { params, walletVerificationOptions } = options\n\n if (!params.redirect_uri && !params.response_uri) {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidRequest,\n error_description: `Missing required 'redirect_uri' or 'response_uri' in openid4vp authorization request.`,\n })\n }\n\n if (params.response_uri && !['direct_post', 'direct_post.jwt'].find((mode) => mode === params.response_mode)) {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidRequest,\n error_description: `The 'response_mode' parameter MUST be 'direct_post' or 'direct_post.jwt' when 'response_uri' is provided. Current: ${params.response_mode}`,\n })\n }\n\n if (\n [params.presentation_definition_uri, params.presentation_definition, params.dcql_query, params.scope].filter(\n Boolean\n ).length > 1\n ) {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidRequest,\n error_description:\n 'Exactly one of the following parameters MUST be present in the authorization request: dcql_query, presentation_definition, presentation_definition_uri, or a scope value representing a Presentation Definition.',\n })\n }\n\n if (params.request_uri_method && !params.request_uri) {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidRequest,\n error_description:\n 'The \"request_uri_method\" parameter MUST NOT be present in the authorization request if the \"request_uri\" parameter is not present.',\n })\n }\n\n if (params.request_uri_method && !['GET', 'POST'].includes(params.request_uri_method)) {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidRequestUriMethod,\n error_description: `The 'request_uri_method' parameter MUST be 'GET' or 'POST'. Current: ${params.request_uri_method}`,\n })\n }\n\n if (params.trust_chain && !zHttpsUrl.safeParse(params.client_id).success) {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidRequest,\n error_description:\n 'The \"trust_chain\" parameter MUST NOT be present in the authorization request if the \"client_id\" is not an OpenId Federation Entity Identifier starting with http:// or https://.',\n })\n }\n\n if (walletVerificationOptions?.expectedNonce && !params.wallet_nonce) {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidRequest,\n error_description:\n 'The \"wallet_nonce\" parameter MUST be present in the authorization request when the \"expectedNonce\" parameter is provided.',\n })\n }\n\n if (walletVerificationOptions?.expectedNonce !== params.wallet_nonce) {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidRequest,\n error_description:\n 'The \"wallet_nonce\" parameter MUST match the \"expectedNonce\" parameter when the \"expectedNonce\" parameter is provided.',\n })\n }\n\n if (params.client_id.startsWith('web-origin:')) {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidRequest,\n error_description: `The 'client_id' parameter MUST NOT use client identifier scheme 'web-origin' when not using the dc_api response mode. Current: ${params.client_id}`,\n })\n }\n}\n","import { Oauth2ErrorCodes, Oauth2ServerErrorResponseError } from '@openid4vc/oauth2'\nimport type { Openid4vpAuthorizationRequestDcApi } from './z-authorization-request-dc-api'\n\nexport interface ValidateOpenid4vpAuthorizationRequestDcApiPayloadOptions {\n params: Openid4vpAuthorizationRequestDcApi\n isJarRequest: boolean\n omitOriginValidation?: boolean\n origin?: string\n}\n\n/\n Validate the OpenId4Vp Authorization Request parameters for the dc_api response mode\n /\nexport const validateOpenid4vpAuthorizationRequestDcApiPayload = (\n options: ValidateOpenid4vpAuthorizationRequestDcApiPayloadOptions\n) => {\n const { params, isJarRequest, omitOriginValidation, origin } = options\n\n if (isJarRequest && !params.expected_origins) {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidRequest,\n error_description: `The 'expected_origins' parameter MUST be present when using the dc_api response mode in combinaction with jar.`,\n })\n }\n\n if ([params.presentation_definition, params.dcql_query].filter(Boolean).length > 1) {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidRequest,\n error_description:\n 'Exactly one of the following parameters MUST be present in the Authorization Request: dcql_query, presentation_definition, presentation_definition_uri, or a scope value representing a Presentation Definition.',\n })\n }\n\n if (params.expected_origins && !omitOriginValidation) {\n if (!origin) {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidRequest,\n error_description: `Failed to validate the 'origin' of the authorization request. The 'origin' was not provided.`,\n })\n }\n\n if (params.expected_origins && !params.expected_origins.includes(origin)) {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidRequest,\n error_description: `The 'expected_origins' parameter MUST include the origin of the authorization request. Current: ${params.expected_origins.join(', ')}`,\n })\n }\n }\n}\n","import { zHttpsUrl } from '@openid4vc/utils'\nimport { z } from 'zod'\nimport { zClientMetadata } from '../models/z-client-metadata'\n\nexport const zOpenid4vpAuthorizationRequest = z\n .object({\n response_type: z.literal('vp_token'),\n client_id: z.string(),\n redirect_uri: zHttpsUrl.optional(),\n response_uri: zHttpsUrl.optional(),\n request_uri: zHttpsUrl.optional(),\n request_uri_method: z.optional(z.string()),\n response_mode: z.enum(['direct_post', 'direct_post.jwt']).optional(),\n nonce: z.string(),\n wallet_nonce: z.string().optional(),\n scope: z.string().optional(),\n presentation_definition: z.record(z.any()).optional(),\n presentation_definition_uri: zHttpsUrl.optional(),\n dcql_query: z.record(z.any()).optional(),\n client_metadata: zClientMetadata.optional(),\n client_metadata_uri: zHttpsUrl.optional(),\n state: z.string().optional(),\n transaction_data: z.array(z.string()).optional(),\n trust_chain: z.unknown().optional(),\n client_id_scheme: z\n .enum([\n 'pre-registered',\n 'redirect_uri',\n 'entity_id',\n 'did',\n 'verifier_attestation',\n 'x509_san_dns',\n 'x509_san_uri',\n ])\n .optional(),\n })\n .passthrough()\n\nexport type Openid4vpAuthorizationRequest = z.infer<typeof zOpenid4vpAuthorizationRequest>\n","import { zJwkSet } from '@openid4vc/oauth2'\nimport { zHttpsUrl } from '@openid4vc/utils'\nimport { z } from 'zod'\nimport { zJarmClientMetadata } from '../jarm/metadata/z-jarm-client-metadata'\nimport { zVpFormatsSupported } from './z-vp-formats-supported'\n\n// Authoritative data the Wallet is able to obtain about the Client from other sources,\n// for example those from an OpenID Federation Entity Statement, take precedence over the values passed in client_metadata.\nexport const zClientMetadata = z\n .object({\n jwks: z.optional(zJwkSet),\n vp_formats: z.optional(zVpFormatsSupported),\n ...zJarmClientMetadata.shape,\n logo_uri: zHttpsUrl.optional(),\n client_name: z.string().optional(),\n })\n .passthrough()\nexport type ClientMetadata = z.infer<typeof zClientMetadata>\n","import { z } from 'zod'\nexport const zVpFormatsSupported = z.record(\n z.string(),\n z\n .object({\n alg_values_supported: z.optional(z.array(z.string())),\n })\n .passthrough()\n)\n\nexport type VpFormatsSupported = z.infer<typeof zVpFormatsSupported>\n","import { z } from 'zod'\nimport type { JarAuthRequest } from '../jar/z-jar-auth-request'\nimport { type Openid4vpAuthorizationRequest, zOpenid4vpAuthorizationRequest } from './z-authorization-request'\n\nexport const zOpenid4vpAuthorizationRequestDcApi = zOpenid4vpAuthorizationRequest\n .pick({\n client_id: true,\n response_type: true,\n response_mode: true,\n nonce: true,\n presentation_definition: true,\n client_metadata: true,\n transaction_data: true,\n dcql_query: true,\n })\n .extend({\n client_id: z.optional(z.string()),\n expected_origins: z.array(z.string()).optional(),\n response_mode: z.enum(['dc_api', 'dc_api.jwt', 'w3c_dc_api.jwt', 'w3c_dc_api']),\n client_id_scheme: z\n .enum([\n 'pre-registered',\n 'redirect_uri',\n 'entity_id',\n 'did',\n 'verifier_attestation',\n 'x509_san_dns',\n 'x509_san_uri',\n ])\n .optional(),\n })\n .strip()\n\nexport type Openid4vpAuthorizationRequestDcApi = z.infer<typeof zOpenid4vpAuthorizationRequestDcApi>\n\nexport function isOpenid4vpAuthorizationRequestDcApi(\n request: Openid4vpAuthorizationRequest \| Openid4vpAuthorizationRequestDcApi \| JarAuthRequest\n): request is Openid4vpAuthorizationRequestDcApi {\n return (\n request.response_mode === 'dc_api' \|\|\n request.response_mode === 'dc_api.jwt' \|\|\n request.response_mode === 'w3c_dc_api.jwt' \|\|\n request.response_mode === 'w3c_dc_api'\n )\n}\n","import { decodeJwt } from '@openid4vc/oauth2'\nimport { URL } from '@openid4vc/utils'\nimport { parseWithErrorHandling } from '@openid4vc/utils'\nimport z from 'zod'\nimport { type JarAuthRequest, isJarAuthRequest, zJarAuthRequest } from '../jar/z-jar-auth-request'\nimport { type Openid4vpAuthorizationRequest, zOpenid4vpAuthorizationRequest } from './z-authorization-request'\nimport {\n type Openid4vpAuthorizationRequestDcApi,\n isOpenid4vpAuthorizationRequestDcApi,\n zOpenid4vpAuthorizationRequestDcApi,\n} from './z-authorization-request-dc-api'\n\nexport interface ParsedJarRequest {\n type: 'jar'\n provided: 'uri' \| 'jwt' \| 'params'\n params: JarAuthRequest\n}\n\nexport interface ParsedOpenid4vpAuthRequest {\n type: 'openid4vp'\n provided: 'uri' \| 'jwt' \| 'params'\n params: Openid4vpAuthorizationRequest\n}\n\nexport interface ParsedOpenid4vpDcApiAuthRequest {\n type: 'openid4vp_dc_api'\n provided: 'uri' \| 'jwt' \| 'params'\n params: Openid4vpAuthorizationRequestDcApi\n}\n\nexport interface ParseOpenid4vpAuthRequestPayloadOptions {\n authorizationRequest: string \| Record<string, unknown>\n}\n\nexport function parseOpenid4vpAuthorizationRequestPayload(\n options: ParseOpenid4vpAuthRequestPayloadOptions\n): ParsedOpenid4vpAuthRequest \| ParsedJarRequest \| ParsedOpenid4vpDcApiAuthRequest {\n const { authorizationRequest } = options\n let provided: 'uri' \| 'jwt' \| 'params' = 'params'\n\n let params: Record<string, unknown>\n if (typeof authorizationRequest === 'string') {\n if (authorizationRequest.includes('://')) {\n const url = new URL(authorizationRequest)\n params = Object.fromEntries(url.searchParams)\n provided = 'uri'\n } else {\n const decoded = decodeJwt({ jwt: authorizationRequest })\n params = decoded.payload\n provided = 'jwt'\n }\n } else {\n params = authorizationRequest\n }\n\n const parsedRequest = parseWithErrorHandling(\n z.union([zOpenid4vpAuthorizationRequest, zJarAuthRequest, zOpenid4vpAuthorizationRequestDcApi]),\n params\n )\n\n if (isJarAuthRequest(parsedRequest)) {\n return {\n type: 'jar',\n provided,\n params: parsedRequest,\n }\n }\n\n if (isOpenid4vpAuthorizationRequestDcApi(parsedRequest)) {\n return {\n type: 'openid4vp_dc_api',\n provided,\n params: parsedRequest,\n }\n }\n\n return {\n type: 'openid4vp',\n provided,\n params: parsedRequest,\n }\n}\n","import { Oauth2ServerErrorResponseError } from '@openid4vc/oauth2'\nimport { zHttpsUrl } from '@openid4vc/utils'\nimport { z } from 'zod'\nimport type { Openid4vpAuthorizationRequest } from '../authorization-request/z-authorization-request'\nimport type { Openid4vpAuthorizationRequestDcApi } from '../authorization-request/z-authorization-request-dc-api'\n\nexport const zJarAuthRequest = z\n .object({\n request: z.optional(z.string()),\n request_uri: z.optional(zHttpsUrl),\n request_uri_method: z.optional(z.string()),\n client_id: z.optional(z.string()),\n })\n .passthrough()\nexport type JarAuthRequest = z.infer<typeof zJarAuthRequest>\n\nexport function validateJarRequestParams(options: { jarRequestParams: JarAuthRequest }) {\n const { jarRequestParams } = options\n\n if (jarRequestParams.request && jarRequestParams.request_uri) {\n throw new Oauth2ServerErrorResponseError({\n error: 'invalid_request_object',\n error_description: 'request and request_uri cannot both be present in a JAR request',\n })\n }\n\n if (!jarRequestParams.request && !jarRequestParams.request_uri) {\n throw new Oauth2ServerErrorResponseError({\n error: 'invalid_request_object',\n error_description: 'request or request_uri must be present',\n })\n }\n\n return jarRequestParams as JarAuthRequest &\n ({ request_uri: string; request?: never } \| { request: string; request_uri?: never })\n}\n\nexport function isJarAuthRequest(\n request: Openid4vpAuthorizationRequest \| JarAuthRequest \| Openid4vpAuthorizationRequestDcApi\n): request is JarAuthRequest {\n return 'request' in request \|\| 'request_uri' in request\n}\n","import { type CallbackContext, Oauth2ErrorCodes, Oauth2ServerErrorResponseError } from '@openid4vc/oauth2'\nimport { parseWithErrorHandling } from '@openid4vc/utils'\nimport z from 'zod'\nimport {\n type ParsedClientIdentifier,\n parseClientIdentifier,\n} from '../client-identifier-scheme/parse-client-identifier-scheme'\nimport { fetchClientMetadata } from '../fetch-client-metadata'\nimport { type VerifiedJarRequest, verifyJarRequest } from '../jar/handle-jar-request/verify-jar-request'\nimport { type JarAuthRequest, isJarAuthRequest, zJarAuthRequest } from '../jar/z-jar-auth-request'\nimport type { WalletMetadata } from '../models/z-wallet-metadata'\nimport { type ParsedTransactionDataEntry, parseTransactionData } from '../transaction-data/parse-transaction-data'\nimport {\n type WalletVerificationOptions,\n validateOpenid4vpAuthorizationRequestPayload,\n} from './validate-authorization-request'\nimport { validateOpenid4vpAuthorizationRequestDcApiPayload } from './validate-authorization-request-dc-api'\nimport { type Openid4vpAuthorizationRequest, zOpenid4vpAuthorizationRequest } from './z-authorization-request'\nimport {\n type Openid4vpAuthorizationRequestDcApi,\n isOpenid4vpAuthorizationRequestDcApi,\n zOpenid4vpAuthorizationRequestDcApi,\n} from './z-authorization-request-dc-api'\n\nexport interface ResolveOpenid4vpAuthorizationRequestOptions {\n requestPayload: Openid4vpAuthorizationRequest \| JarAuthRequest\n wallet?: WalletVerificationOptions\n origin?: string\n omitOriginValidation?: boolean\n callbacks: Pick<CallbackContext, 'verifyJwt' \| 'decryptJwe' \| 'getX509CertificateMetadata'>\n}\n\nexport type ResolvedOpenid4vpAuthRequest = {\n transactionData?: ParsedTransactionDataEntry[]\n requestPayload: Openid4vpAuthorizationRequest \| Openid4vpAuthorizationRequestDcApi\n jar: VerifiedJarRequest \| undefined\n client: ParsedClientIdentifier\n pex?: {\n presentation_definition: unknown\n presentation_definition_uri?: string\n }\n dcql?: { query: unknown } \| undefined\n}\nexport async function resolveOpenid4vpAuthorizationRequest(\n options: ResolveOpenid4vpAuthorizationRequestOptions\n): Promise<ResolvedOpenid4vpAuthRequest> {\n const { requestPayload, wallet, callbacks, origin, omitOriginValidation } = options\n\n let authRequestPayload:\n \| Openid4vpAuthorizationRequest\n \| (Openid4vpAuthorizationRequestDcApi & { presentation_definition_uri?: never })\n\n const parsed = parseWithErrorHandling(\n z.union([zOpenid4vpAuthorizationRequestDcApi, zOpenid4vpAuthorizationRequest, zJarAuthRequest]),\n requestPayload,\n 'Invalid authorization request. Could not parse openid4vp authorization request as openid4vp or jar auth request.'\n )\n\n let jar: VerifiedJarRequest \| undefined\n if (isJarAuthRequest(parsed)) {\n jar = await verifyJarRequest({ jarRequestParams: parsed, callbacks, wallet })\n\n const parsedJarAuthRequestPayload = parseWithErrorHandling(\n z.union([zOpenid4vpAuthorizationRequestDcApi, zOpenid4vpAuthorizationRequest]),\n jar.authRequestParams,\n 'Invalid authorization request. Could not parse jar request payload as openid4vp auth request.'\n )\n\n authRequestPayload = validateOpenId4vpPayload({\n requestPayload: parsedJarAuthRequestPayload,\n wallet,\n jar: true,\n origin,\n omitOriginValidation,\n })\n } else {\n authRequestPayload = validateOpenId4vpPayload({\n requestPayload: parsed,\n wallet,\n jar: false,\n origin,\n omitOriginValidation,\n })\n }\n\n let clientMetadata: WalletMetadata \| undefined\n if (!isOpenid4vpAuthorizationRequestDcApi(authRequestPayload) && authRequestPayload.client_metadata_uri) {\n clientMetadata = await fetchClientMetadata({ clientMetadataUri: authRequestPayload.client_metadata_uri })\n }\n\n const clientMeta = parseClientIdentifier({\n request: { ...authRequestPayload, client_metadata: clientMetadata ?? authRequestPayload.client_metadata },\n jar,\n callbacks,\n origin,\n })\n\n let pex: ResolvedOpenid4vpAuthRequest['pex'] \| undefined\n let dcql: ResolvedOpenid4vpAuthRequest['dcql'] \| undefined\n\n if (authRequestPayload.presentation_definition \|\| authRequestPayload.presentation_definition_uri) {\n if (authRequestPayload.presentation_definition_uri) {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidRequest,\n error_description: 'Cannot fetch presentation definition from URI. Not supported.',\n })\n }\n\n pex = {\n presentation_definition: authRequestPayload.presentation_definition,\n presentation_definition_uri: authRequestPayload.presentation_definition_uri,\n }\n }\n\n if (authRequestPayload.dcql_query) {\n dcql = { query: authRequestPayload.dcql_query }\n }\n\n const transactionData = authRequestPayload.transaction_data\n ? parseTransactionData({ transactionData: authRequestPayload.transaction_data })\n : undefined\n\n return {\n transactionData,\n requestPayload: authRequestPayload,\n jar,\n client: { ...clientMeta },\n pex,\n dcql,\n }\n}\n\nfunction validateOpenId4vpPayload(options: {\n requestPayload: Openid4vpAuthorizationRequest \| Openid4vpAuthorizationRequestDcApi\n wallet?: WalletVerificationOptions\n jar: boolean\n origin?: string\n omitOriginValidation?: boolean\n}) {\n const { requestPayload, wallet, jar, origin, omitOriginValidation } = options\n\n if (isOpenid4vpAuthorizationRequestDcApi(requestPayload)) {\n validateOpenid4vpAuthorizationRequestDcApiPayload({\n params: requestPayload,\n isJarRequest: jar,\n omitOriginValidation,\n origin,\n })\n\n return requestPayload\n }\n\n validateOpenid4vpAuthorizationRequestPayload({ params: requestPayload, walletVerificationOptions: wallet })\n return requestPayload\n}\n","import { Oauth2ErrorCodes, Oauth2ServerErrorResponseError, getGlobalConfig } from '@openid4vc/oauth2'\nimport type { CallbackContext } from '../../../oauth2/src/callbacks'\nimport type { Openid4vpAuthorizationRequest } from '../authorization-request/z-authorization-request'\nimport {\n type Openid4vpAuthorizationRequestDcApi,\n isOpenid4vpAuthorizationRequestDcApi,\n} from '../authorization-request/z-authorization-request-dc-api'\nimport type { VerifiedJarRequest } from '../jar/handle-jar-request/verify-jar-request'\nimport type { ClientMetadata } from '../models/z-client-metadata'\nimport { parseAuthorizationRequestVersion } from '../version'\nimport { type ClientIdScheme, zClientIdScheme } from './z-client-id-scheme'\n\n/\n Result of parsing a client identifier\n /\nexport type ParsedClientIdentifier =\n \| {\n scheme: 'redirect_uri'\n identifier: string\n originalValue: string\n redirectUri: string\n clientMetadata?: ClientMetadata\n }\n \| {\n scheme: 'https'\n identifier: string\n originalValue: string\n trustChain?: unknown\n clientMetadata?: never // clientMetadata must be obtained from the entity statement\n }\n \| {\n scheme: 'did'\n identifier: string\n originalValue: string\n didUrl: string\n clientMetadata?: ClientMetadata\n }\n \| {\n scheme: 'x509_san_uri' \| 'x509_san_dns'\n identifier: string\n originalValue: string\n clientMetadata?: ClientMetadata\n x5c: string[]\n }\n \| {\n scheme: 'verifier_attestation' \| 'pre-registered' \| 'web-origin'\n identifier: string\n originalValue: string\n clientMetadata?: ClientMetadata\n }\n\n/\n Configuration options for the parser\n /\nexport interface ClientIdentifierParserConfig {\n supportedSchemes?: ClientIdScheme[]\n}\n\nexport interface ClientIdentifierParserOptions {\n request: Openid4vpAuthorizationRequest \| Openid4vpAuthorizationRequestDcApi\n jar?: VerifiedJarRequest\n origin?: string\n callbacks: Partial<Pick<CallbackContext, 'getX509CertificateMetadata'>>\n}\n\nfunction getClientId(options: ClientIdentifierParserOptions) {\n if (isOpenid4vpAuthorizationRequestDcApi(options.request)) {\n if (!options.origin) {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidRequest,\n error_description:\n \"Failed to parse client identifier. 'origin' is required for requests with response_mode 'dc_api' and 'dc_api.jwt'\",\n })\n }\n\n if (!options.jar \|\| !options.request.client_id) return `web-origin:${options.origin}`\n\n return options.request.client_id\n }\n\n return options.request.client_id\n}\n\nfunction getLegacyClientId(options: ClientIdentifierParserOptions) {\n const legacyClientIdScheme = options.request.client_id_scheme ?? 'pre-registered'\n\n let clientIdScheme: ClientIdScheme\n if (legacyClientIdScheme === 'entity_id') {\n clientIdScheme = 'https'\n } else {\n clientIdScheme = legacyClientIdScheme\n }\n\n if (isOpenid4vpAuthorizationRequestDcApi(options.request)) {\n if (!options.origin) {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidRequest,\n error_description:\n \"Failed to parse client identifier. 'origin' is required for requests with response_mode 'dc_api' and 'dc_api.jwt'\",\n })\n }\n\n if (!options.jar \|\| !options.request.client_id) return `web-origin:${options.origin}`\n\n return `${clientIdScheme}:${options.request.client_id}`\n }\n\n if (clientIdScheme === 'https' \|\| clientIdScheme === 'did') {\n return options.request.client_id\n }\n\n if (clientIdScheme === 'pre-registered') {\n return options.request.client_id\n }\n\n return `${clientIdScheme}:${options.request.client_id}`\n}\n\n/\n Parse and validate a client identifier\n /\nexport function parseClientIdentifier(\n options: ClientIdentifierParserOptions,\n parserConfig?: ClientIdentifierParserConfig\n): ParsedClientIdentifier {\n const { request, jar } = options\n\n const version = parseAuthorizationRequestVersion(request)\n // this means that client_id_scheme is used\n if (version < 22) {\n const legacyClientIdScheme = request.client_id_scheme ?? 'pre-registered'\n\n let clientIdSchem: ClientIdScheme\n if (legacyClientIdScheme) {\n if (legacyClientIdScheme === 'entity_id') {\n clientIdSchem = 'https'\n } else {\n clientIdSchem = legacyClientIdScheme\n }\n }\n }\n\n const isDcApiRequest = isOpenid4vpAuthorizationRequestDcApi(request)\n const clientId = version < 22 ? getLegacyClientId(options) : getClientId(options)\n\n // By default require signatures for these schemes\n const parserConfigWithDefaults = {\n supportedSchemes: parserConfig?.supportedSchemes \|\| Object.values(zClientIdScheme.options),\n }\n\n const colonIndex = clientId.indexOf(':')\n if (colonIndex === -1) {\n return {\n scheme: 'pre-registered',\n identifier: clientId,\n originalValue: clientId,\n clientMetadata: request.client_metadata,\n }\n }\n\n const schemePart = clientId.substring(0, colonIndex)\n const identifierPart = clientId.substring(colonIndex + 1)\n\n if (!parserConfigWithDefaults.supportedSchemes.includes(schemePart as ClientIdScheme)) {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidRequest,\n error_description: `Unsupported client identifier scheme. ${schemePart} is not supported.`,\n })\n }\n\n const scheme = schemePart as ClientIdScheme\n if (scheme === 'https') {\n // https://github.com/openid/OpenID4VP/issues/436\n if (isDcApiRequest) {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidRequest,\n error_description: `The client identifier scheme 'https' is not supported when using the dc_api response mode.`,\n })\n }\n\n if (!clientId.startsWith('https://') && !(getGlobalConfig().allowInsecureUrls && clientId.startsWith('http://'))) {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidRequest,\n error_description:\n 'Invalid client identifier. Client identifier must start with https:// or http:// if allowInsecureUrls is true.',\n })\n }\n\n return {\n scheme,\n identifier: clientId,\n originalValue: clientId,\n trustChain: request.trust_chain,\n }\n }\n\n if (scheme === 'redirect_uri') {\n if (jar) {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidRequest,\n error_description: 'Using client identifier scheme \"redirect_uri\" the request MUST NOT be signed.',\n })\n }\n\n if (isOpenid4vpAuthorizationRequestDcApi(request)) {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidRequest,\n error_description: `The client identifier scheme 'redirect_uri' is not supported when using the dc_api response mode.`,\n })\n }\n\n return {\n scheme,\n identifier: identifierPart,\n originalValue: clientId,\n redirectUri: (request.redirect_uri ?? request.response_uri) as string,\n }\n }\n\n if (scheme === 'did') {\n if (!jar) {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidRequest,\n error_description: 'Using client identifier scheme \"did\" requires a signed JAR request.',\n })\n }\n\n if (!clientId.startsWith('did:')) {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidRequest,\n error_description: \"Invalid client identifier. Client identifier must start with 'did:'\",\n })\n }\n\n if (!jar.signer.publicJwk.kid) {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidRequest,\n error_description: `Missing required 'kid' for client identifier scheme: did`,\n })\n }\n\n if (!jar.signer.publicJwk.kid?.startsWith(clientId)) {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidRequest,\n error_description:\n 'With client identifier scheme \"did\" the JAR request must be signed by the same DID as the client identifier.',\n })\n }\n\n return {\n scheme,\n identifier: clientId,\n originalValue: clientId,\n didUrl: jar.signer.publicJwk.kid,\n }\n }\n\n if (scheme === 'x509_san_dns' \|\| scheme === 'x509_san_uri') {\n if (!jar) {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidRequest,\n error_description:\n 'Using client identifier scheme \"x509_san_dns\" or \"x509_san_uri\" requires a signed JAR request.',\n })\n }\n\n if (jar.signer.method !== 'x5c') {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidRequest,\n error_description:\n 'Something went wrong. The JWT signer method is not x5c but the client identifier scheme is x509_san_dns.',\n })\n }\n\n if (scheme === 'x509_san_dns') {\n if (!options.callbacks.getX509CertificateMetadata) {\n throw new Oauth2ServerErrorResponseError(\n {\n error: Oauth2ErrorCodes.ServerError,\n },\n {\n internalMessage:\n \"Missing required 'getX509CertificateMetadata' callback for verification of 'x509_san_dns' client id scheme\",\n }\n )\n }\n\n const { sanDnsNames } = options.callbacks.getX509CertificateMetadata(jar.signer.x5c[0])\n if (!sanDnsNames.includes(identifierPart)) {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidRequest,\n error_description: `Invalid client identifier. One of the leaf certificates san dns names [${sanDnsNames.join(', ')}] must match the client identifier '${identifierPart}'. `,\n })\n }\n\n if (!isOpenid4vpAuthorizationRequestDcApi(request)) {\n const uri = request.redirect_uri ?? request.response_uri\n if (!uri \|\| getDomainFromUrl(uri) !== identifierPart) {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidRequest,\n error_description:\n 'Invalid client identifier. The fully qualified domain name of the redirect_uri value MUST match the Client Identifier without the prefix x509_san_dns.',\n })\n }\n }\n } else if (scheme === 'x509_san_uri') {\n if (!options.callbacks.getX509CertificateMetadata) {\n throw new Oauth2ServerErrorResponseError(\n {\n error: Oauth2ErrorCodes.ServerError,\n },\n {\n internalMessage:\n \"Missing required 'getX509CertificateMetadata' callback for verification of 'x509_san_uri' client id scheme\",\n }\n )\n }\n\n const { sanUriNames } = options.callbacks.getX509CertificateMetadata(jar.signer.x5c[0])\n if (!sanUriNames.includes(identifierPart)) {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidRequest,\n error_description: `Invalid client identifier. One of the leaf certificates san uri names [${sanUriNames.join(', ')}] must match the client identifier '${identifierPart}'.`,\n })\n }\n\n if (!isOpenid4vpAuthorizationRequestDcApi(request)) {\n const uri = request.redirect_uri \|\| request.response_uri\n if (!uri \|\| uri !== identifierPart) {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidRequest,\n error_description:\n 'The redirect_uri value MUST match the Client Identifier without the prefix x509_san_uri',\n })\n }\n }\n }\n\n return {\n scheme,\n identifier: identifierPart,\n originalValue: clientId,\n x5c: jar.signer.x5c,\n }\n }\n\n if (scheme === 'web-origin') {\n return {\n scheme,\n identifier: identifierPart,\n originalValue: clientId,\n clientMetadata: request.client_metadata,\n }\n }\n\n if (scheme === 'verifier_attestation') {\n if (!jar) {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidRequest,\n error_description: 'Using client identifier scheme \"verifier_attestation\" requires a signed JAR request.',\n })\n }\n }\n\n return {\n scheme,\n identifier: identifierPart,\n originalValue: clientId,\n }\n}\n\nfunction getDomainFromUrl(url: string): string {\n try {\n const regex = /[#/?]/\n const domain = url.split('://')[1].split(regex)[0]\n return domain\n } catch (error) {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.ServerError,\n error_description: `Url '${url}' is not a valid URL`,\n })\n }\n}\n","import { Oauth2ErrorCodes, Oauth2ServerErrorResponseError } from '@openid4vc/oauth2'\nimport type { Openid4vpAuthorizationRequest } from './authorization-request/z-authorization-request'\nimport {\n type Openid4vpAuthorizationRequestDcApi,\n isOpenid4vpAuthorizationRequestDcApi,\n} from './authorization-request/z-authorization-request-dc-api'\nimport { zClientIdScheme } from './client-identifier-scheme/z-client-id-scheme'\n\nexport const Openid4vpVersion = [18, 19, 20, 21, 22, 23, 24] as const\nexport type OpenId4VpVersion = (typeof Openid4vpVersion)[number]\n\nexport function parseAuthorizationRequestVersion(\n request: Openid4vpAuthorizationRequest \| Openid4vpAuthorizationRequestDcApi\n): OpenId4VpVersion {\n const requirements: ['<' \| '>=', OpenId4VpVersion][] = []\n\n // 23\n\n const vp_formats = request.client_metadata?.vp_formats\n // There might be some time we'd like to include both, as the update of the identifier can be somewhat tricky.\n //if (vp_formats) {\n //if (Object.keys(vp_formats).includes('vc+sd-jwt' satisfies CredentialFormat)) {\n //requirements.push(['<', 23])\n //}\n\n //if (Object.keys(vp_formats).includes('dc+sd-jwt' satisfies CredentialFormat)) {\n //requirements.push(['>=', 23])\n //}\n\n //if (Object.keys(vp_formats).includes('vc+sd-jwt' satisfies CredentialFormat)) {\n //requirements.push(['>=', 21])\n //}\n //}\n\n //if (\n //request.client_metadata?.vp_formats &&\n //Object.keys(request.client_metadata?.vp_formats).some(val => val === 'vc+sd-jwt')\n //) {\n //requirements.push(['>=', 21])\n //}\n\n if (\n isOpenid4vpAuthorizationRequestDcApi(request) &&\n (request.response_mode === 'w3c_dc_api' \|\| request.response_mode === 'w3c_dc_api.jwt')\n ) {\n requirements.push(['<', 23])\n requirements.push(['>=', 21])\n }\n\n if (\n (isOpenid4vpAuthorizationRequestDcApi(request) && request.response_mode === 'dc_api') \|\|\n request.response_mode === 'dc_api.jwt'\n ) {\n requirements.push(['>=', 23])\n }\n\n if (isOpenid4vpAuthorizationRequestDcApi(request) && (request.transaction_data \|\| request.dcql_query)) {\n requirements.push(['>=', 23])\n }\n\n // 22\n\n if (request.dcql_query) {\n requirements.push(['>=', 22])\n }\n\n if (request.transaction_data) {\n requirements.push(['>=', 22])\n }\n\n if (request.client_id_scheme) {\n requirements.push(['<', 22])\n }\n\n // what happens if we don't have a client_id_scheme?\n\n // if the client_id is prefixed with a scheme, we know for sure that the version is >= 22\n // if it is not prefixed we don't know anything since it can default in all versions to pre-registered\n if (request.client_id) {\n const colonIndex = request.client_id.indexOf(':')\n const schemePart = request.client_id.substring(0, colonIndex)\n const parsedScheme = zClientIdScheme.safeParse(schemePart)\n\n // we know this for sure\n if (parsedScheme.success && parsedScheme.data !== 'did' && parsedScheme.data !== 'https') {\n requirements.push(['>=', 22])\n }\n }\n\n // only possible with dc_api which is available in 21\n if (!request.client_id) {\n requirements.push(['>=', 21])\n }\n\n // 21\n\n if ('client_metadata_uri' in request) {\n requirements.push(['<', 21])\n }\n\n if (isOpenid4vpAuthorizationRequestDcApi(request)) {\n requirements.push(['>=', 21])\n }\n\n if ('request_uri_method' in request \|\| 'wallet_nonce' in request) {\n requirements.push(['>=', 21])\n }\n\n // 20\n\n if (request.client_id_scheme === 'verifier_attestation') {\n requirements.push(['>=', 20])\n }\n\n // 19\n\n if (request.client_id_scheme === 'x509_san_dns' \|\| request.client_id_scheme === 'x509_san_uri') {\n requirements.push(['>=', 19])\n }\n\n // The minimum version which satisfies all requirements\n const lessThanVersions = requirements.filter(([operator]) => operator === '<').map(([_, version]) => version)\n\n const greaterThanVersions = requirements.filter(([operator]) => operator === '>=').map(([_, version]) => version)\n\n // Find the minimum version that satisfies all \"less than\" constraints\n const highestPossibleVersion =\n lessThanVersions.length > 0 ? (Math.max(Math.min(...lessThanVersions) - 1, 18) as OpenId4VpVersion) : (24 as const) // Default to highest version\n\n // Find the maximum version that satisfies all \"greater than or equal to\" constraints\n const lowestRequiredVersion =\n greaterThanVersions.length > 0 ? (Math.max(...greaterThanVersions) as OpenId4VpVersion) : (18 as const) // Default to lowest version\n\n // The acceptable range is [lowestRequiredVersion, highestPossibleVersion]\n // We return the lowest possible version that satisfies all constraints\n if (lowestRequiredVersion > highestPossibleVersion) {\n // No valid version exists that satisfies all constraints\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidRequest,\n error_description: 'Could not infer openid4vp version from the openid4vp request payload.',\n })\n }\n\n return highestPossibleVersion\n}\n","import { Oauth2ErrorCodes, Oauth2ServerErrorResponseError } from '@openid4vc/oauth2'\nimport { type BaseSchema, ContentType, type Fetch, createZodFetcher } from '@openid4vc/utils'\nimport type { z } from 'zod'\nimport { zWalletMetadata } from './models/z-wallet-metadata'\n\nexport async function fetchClientMetadata<Schema extends BaseSchema>(options: {\n clientMetadataUri: string\n fetch?: Fetch\n}): Promise<z.infer<Schema> \| null> {\n const { fetch, clientMetadataUri } = options\n const fetcher = createZodFetcher(fetch)\n\n const { result, response } = await fetcher(zWalletMetadata, ContentType.Json, clientMetadataUri, {\n method: 'GET',\n headers: {\n Accept: ContentType.Json,\n },\n })\n\n if (!response.ok) {\n throw new Oauth2ServerErrorResponseError({\n error_description: `Fetching client metadata from '${clientMetadataUri}' failed with status code '${response.status}'.`,\n error: Oauth2ErrorCodes.InvalidRequestUri,\n })\n }\n\n if (!result \|\| !result.success) {\n throw new Oauth2ServerErrorResponseError({\n error_description: `Parsing client metadata from '${clientMetadataUri}' failed.`,\n error: Oauth2ErrorCodes.InvalidRequestObject,\n })\n }\n\n return result.data\n}\n","import { z } from 'zod'\nimport { zClientIdScheme } from '../client-identifier-scheme/z-client-id-scheme'\nimport { zVpFormatsSupported } from './z-vp-formats-supported'\n\nexport const zWalletMetadata = z.object({\n presentation_definition_uri_supported: z.optional(z.boolean()),\n vp_formats_supported: zVpFormatsSupported,\n client_id_schemes_supported: z.optional(z.array(zClientIdScheme)),\n request_object_signing_alg_values_supported: z.optional(z.array(z.string())),\n authorization_encryption_alg_values_supported: z.optional(z.array(z.string())),\n authorization_encryption_enc_values_supported: z.optional(z.array(z.string())),\n})\n\nexport type WalletMetadata = z.infer<typeof zWalletMetadata>\n","import {\n type CallbackContext,\n type Jwk,\n type JwtSignerWithJwk,\n Oauth2ErrorCodes,\n Oauth2ServerErrorResponseError,\n decodeJwt,\n jwtSignerFromJwt,\n verifyJwt,\n zCompactJwe,\n zCompactJwt,\n} from '@openid4vc/oauth2'\nimport { type ClientIdScheme, zClientIdScheme } from '../../client-identifier-scheme/z-client-id-scheme'\nimport type { WalletMetadata } from '../../models/z-wallet-metadata'\nimport { parseAuthorizationRequestVersion } from '../../version'\nimport { fetchJarRequestObject } from '../jar-request-object/fetch-jar-request-object'\nimport { type JarRequestObjectPayload, zJarRequestObjectPayload } from '../jar-request-object/z-jar-request-object'\nimport { type JarAuthRequest, validateJarRequestParams } from '../z-jar-auth-request'\n\nexport interface VerifyJarRequestOptions {\n jarRequestParams: JarAuthRequest\n callbacks: Pick<CallbackContext, 'verifyJwt' \| 'decryptJwe'>\n wallet?: {\n metadata?: WalletMetadata\n nonce?: string\n }\n}\n\nexport interface VerifiedJarRequest {\n authRequestParams: JarRequestObjectPayload\n sendBy: 'value' \| 'reference'\n decryptionJwk?: Jwk\n signer: JwtSignerWithJwk\n}\n\n/\n Verifies a JAR (JWT Secured Authorization Request) request by validating, decrypting, and verifying signatures.\n \n @param options - The input parameters\n * @param options.jarRequestParams - The JAR authorization request parameters\n * @param options.callbacks - Context containing the relevant Jose crypto operations\n * @returns The verified authorization request parameters and metadata\n /\nexport async function verifyJarRequest(options: VerifyJarRequestOptions): Promise<VerifiedJarRequest> {\n const { callbacks, wallet = {} } = options\n\n const jarRequestParams = validateJarRequestParams(options)\n\n const sendBy = jarRequestParams.request ? 'value' : 'reference'\n const clientIdentifierScheme: ClientIdScheme = jarRequestParams.client_id\n ? zClientIdScheme.parse(jarRequestParams.client_id.split(':')[0])\n : 'web-origin'\n\n const method = jarRequestParams.request_uri_method ?? 'GET'\n if (method !== 'GET' && method !== 'POST') {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidRequestUriMethod,\n error_description: 'Invalid request_uri_method. Must be GET or POST.',\n })\n }\n\n const requestObject =\n jarRequestParams.request ??\n (await fetchJarRequestObject({\n requestUri: jarRequestParams.request_uri,\n clientIdentifierScheme,\n method,\n wallet,\n }))\n\n const requestObjectIsEncrypted = zCompactJwe.safeParse(requestObject).success\n const { decryptionJwk, payload: decryptedRequestObject } = requestObjectIsEncrypted\n ? await decryptJarRequest({ jwe: requestObject, callbacks })\n : { payload: requestObject, decryptionJwk: undefined }\n\n const requestIsSigned = zCompactJwt.safeParse(decryptedRequestObject).success\n if (!requestIsSigned) {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidRequestObject,\n error_description: 'Jar Request Object is not a valid JWS.',\n })\n }\n\n const { authRequestParams, signer } = await verifyJarRequestObject({\n decryptedRequestObject,\n callbacks,\n })\n if (!authRequestParams.client_id) {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidRequestObject,\n error_description: 'Jar Request Object is missing the required \"client_id\" field.',\n })\n }\n\n if (jarRequestParams.client_id !== authRequestParams.client_id) {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidRequest,\n error_description: 'client_id does not match the request object client_id.',\n })\n }\n\n return {\n sendBy,\n authRequestParams,\n signer,\n decryptionJwk,\n }\n}\n\nasync function decryptJarRequest(options: {\n jwe: string\n callbacks: Pick<CallbackContext, 'decryptJwe'>\n}) {\n const { jwe, callbacks } = options\n\n const { header } = decodeJwt({ jwt: jwe })\n if (!header.kid) {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidRequestObject,\n error_description: 'Jar JWE is missing the protected header field \"kid\".',\n })\n }\n\n const decryptionResult = await callbacks.decryptJwe(jwe)\n if (!decryptionResult.decrypted) {\n throw new Oauth2ServerErrorResponseError({\n error: 'invalid_request_object',\n error_description: 'Failed to decrypt jar request object.',\n })\n }\n\n return decryptionResult\n}\n\nasync function verifyJarRequestObject(options: {\n decryptedRequestObject: string\n callbacks: Pick<CallbackContext, 'verifyJwt'>\n}) {\n const { decryptedRequestObject, callbacks } = options\n\n const jwt = decodeJwt({ jwt: decryptedRequestObject, payloadSchema: zJarRequestObjectPayload })\n\n const jwtSigner = jwtSignerFromJwt(jwt)\n const { signer } = await verifyJwt({\n verifyJwtCallback: callbacks.verifyJwt,\n compact: decryptedRequestObject,\n header: jwt.header,\n payload: jwt.payload,\n signer: jwtSigner,\n })\n\n // biome-ignore lint/suspicious/noExplicitAny: <explanation>\n const version = parseAuthorizationRequestVersion(jwt.payload as any)\n if (jwt.header.typ !== 'oauth-authz-req+jwt' && version >= 24) {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidRequestObject,\n error_description: `Invalid Jar Request Object typ header. Expected \"oauth-authz-req+jwt\", received \"${jwt.header.typ}\".`,\n })\n }\n\n return { authRequestParams: jwt.payload, signer }\n}\n","import { Oauth2ErrorCodes, Oauth2ServerErrorResponseError } from '@openid4vc/oauth2'\nimport { type BaseSchema, ContentType, type Fetch, createZodFetcher, objectToQueryParams } from '@openid4vc/utils'\nimport { z } from 'zod'\nimport type { ClientIdScheme } from '../../client-identifier-scheme/z-client-id-scheme'\nimport type { WalletMetadata } from '../../models/z-wallet-metadata'\n\n/\n Fetch a request object and parse the response.\n * If you want to fetch the request object without providing wallet_metadata or wallet_nonce as defined in jar you can use the `fetchJarRequestObject` function.\n \n Returns validated request object if successful response\n * Throws error otherwise\n \n @throws {ValidationError} if successful response but validation of response failed\n * @throws {InvalidFetchResponseError} if no successful or 404 response\n * @throws {Error} if parsing json from response fails\n /\nexport async function fetchJarRequestObject<Schema extends BaseSchema>(options: {\n requestUri: string\n clientIdentifierScheme: ClientIdScheme\n method: 'GET' \| 'POST'\n wallet: {\n metadata?: WalletMetadata\n nonce?: string\n }\n fetch?: Fetch\n}): Promise<z.infer<Schema> \| null> {\n const { requestUri, clientIdentifierScheme, method, wallet, fetch } = options\n const fetcher = createZodFetcher(fetch)\n\n let requestBody = wallet.metadata ? { wallet_metadata: wallet.metadata, wallet_nonce: wallet.nonce } : undefined\n if (\n requestBody?.wallet_metadata?.request_object_signing_alg_values_supported &&\n clientIdentifierScheme === 'redirect_uri'\n ) {\n // This value indicates that the Client Identifier (without the prefix redirect_uri:) is the Verifier's Redirect URI (or Response URI when Response Mode direct_post is used). The Authorization Request MUST NOT be signed.\n const { request_object_signing_alg_values_supported, ...rest } = requestBody.wallet_metadata\n requestBody = { ...requestBody, wallet_metadata: { ...rest } }\n }\n\n const { result, response } = await fetcher(z.string(), ContentType.OAuthRequestObjectJwt, requestUri, {\n method,\n headers: {\n Accept: `${ContentType.OAuthRequestObjectJwt}, ${ContentType.Jwt};q=0.9`,\n 'Content-Type': ContentType.XWwwFormUrlencoded,\n },\n body: method === 'POST' ? objectToQueryParams(wallet.metadata ?? {}) : undefined,\n })\n\n if (!response.ok) {\n throw new Oauth2ServerErrorResponseError({\n error_description: `Fetching request_object from request_uri '${requestUri}' failed with status code '${response.status}'.`,\n error: Oauth2ErrorCodes.InvalidRequestUri,\n })\n }\n\n if (!result \|\| !result.success) {\n throw new Oauth2ServerErrorResponseError({\n error_description: `Parsing request_object from request_uri '${requestUri}' failed.`,\n error: Oauth2ErrorCodes.InvalidRequestObject,\n })\n }\n\n return result.data\n}\n","import { zJwtPayload } from '@openid4vc/oauth2'\nimport { z } from 'zod'\n\nexport const zJarRequestObjectPayload = z\n .object({\n ...zJwtPayload.shape,\n client_id: z.string(),\n })\n .passthrough()\nexport type JarRequestObjectPayload = z.infer<typeof zJarRequestObjectPayload>\n","import { Oauth2ErrorCodes, Oauth2ServerErrorResponseError } from '@openid4vc/oauth2'\nimport { decodeBase64, encodeToUtf8String, parseIfJson } from '@openid4vc/utils'\nimport { type TransactionDataEntry, zTransactionData } from './z-transaction-data'\n\nexport interface ParseTransactionDataOptions {\n transactionData: string[]\n}\n\nexport interface ParsedTransactionDataEntry {\n transactionData: TransactionDataEntry\n transactionDataIndex: number\n encoded: string\n}\n\nexport function parseTransactionData(options: ParseTransactionDataOptions): ParsedTransactionDataEntry[] {\n const { transactionData } = options\n\n const decoded = transactionData.map((tdEntry) => parseIfJson(encodeToUtf8String(decodeBase64(tdEntry))))\n\n const parsedResult = zTransactionData.safeParse(decoded)\n if (!parsedResult.success) {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidTransactionData,\n error_description: 'Failed to parse transaction data.',\n })\n }\n\n return parsedResult.data.map((decoded, index) => ({\n transactionData: decoded,\n encoded: transactionData[index],\n transactionDataIndex: index,\n }))\n}\n","import { z } from 'zod'\n\nexport const zTransactionEntry = z.object({\n type: z.string(),\n credential_ids: z.array(z.string()).nonempty(),\n transaction_data_hashes_alg: z.array(z.string()).optional(),\n})\nexport type TransactionDataEntry = z.infer<typeof zTransactionEntry>\n\nexport const zTransactionData = z.array(zTransactionEntry)\nexport type TransactionData = z.infer<typeof zTransactionData>\n","import {\n type CallbackContext,\n type JwtSigner,\n Oauth2Error,\n Oauth2ErrorCodes,\n Oauth2ServerErrorResponseError,\n} from '@openid4vc/oauth2'\nimport { dateToSeconds } from '@openid4vc/utils'\nimport { addSecondsToDate } from '../../../utils/src/date'\nimport type { Openid4vpAuthorizationRequest } from '../authorization-request/z-authorization-request'\nimport type { Openid4vpAuthorizationRequestDcApi } from '../authorization-request/z-authorization-request-dc-api'\nimport { createJarmAuthResponse } from '../jarm/jarm-auth-response-create'\nimport { extractJwksFromClientMetadata } from '../jarm/jarm-extract-jwks'\nimport { isJarmResponseMode } from '../jarm/jarm-response-mode'\nimport { jarmAssertMetadataSupported } from '../jarm/metadata/jarm-assert-metadata-supported'\nimport type { JarmServerMetadata } from '../jarm/metadata/z-jarm-authorization-server-metadata'\nimport type { Openid4vpAuthorizationResponse } from './z-authorization-response'\n\nexport interface CreateOpenid4vpAuthorizationResponseOptions {\n requestPayload:\n \| Pick<Openid4vpAuthorizationRequest, 'state' \| 'client_metadata' \| 'nonce' \| 'response_mode'>\n \| Pick<Openid4vpAuthorizationRequestDcApi, 'client_metadata' \| 'response_mode' \| 'nonce'>\n responsePayload: Openid4vpAuthorizationResponse & { state?: never }\n jarm?: {\n jwtSigner?: JwtSigner\n encryption?: { nonce: string }\n serverMetadata: JarmServerMetadata\n authorizationServer?: string // The issuer URL of the authorization server that created the response\n audience?: string // The client_id of the client the response is intended for\n expiresInSeconds?: number // The expiration time of the JWT. A maximum JWT lifetime of 10 minutes is RECOMMENDED.\n }\n callbacks: Pick<CallbackContext, 'signJwt' \| 'encryptJwe'>\n}\n\nexport interface CreateOpenid4vpAuthorizationResponseResult {\n responsePayload: Openid4vpAuthorizationResponse\n jarm?: { responseJwt: string }\n}\n\nexport async function createOpenid4vpAuthorizationResponse(\n options: CreateOpenid4vpAuthorizationResponseOptions\n): Promise<CreateOpenid4vpAuthorizationResponseResult> {\n const { requestPayload, jarm, callbacks } = options\n const responsePayload = {\n ...options.responsePayload,\n ...('state' in requestPayload && { state: requestPayload.state }),\n } satisfies Openid4vpAuthorizationResponse\n\n if (requestPayload.response_mode && isJarmResponseMode(requestPayload.response_mode) && !jarm) {\n throw new Oauth2Error(\n `Missing jarm options for creating Jarm response with response mode '${requestPayload.response_mode}'`\n )\n }\n\n if (!jarm) {\n return {\n responsePayload,\n }\n }\n\n if (!requestPayload.client_metadata) {\n throw new Oauth2Error('Missing client metadata in the request params to assert Jarm metadata support.')\n }\n\n if (!requestPayload.client_metadata.jwks) {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidRequest,\n error_description: 'Missing JWKS in client metadata. Cannot extract encryption JWK.',\n })\n }\n\n const supportedJarmMetadata = jarmAssertMetadataSupported({\n clientMetadata: requestPayload.client_metadata,\n serverMetadata: jarm.serverMetadata,\n })\n\n const clientMetaJwks = extractJwksFromClientMetadata({\n ...requestPayload.client_metadata,\n jwks: requestPayload.client_metadata.jwks,\n })\n\n if (!clientMetaJwks?.encJwk) {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidRequest,\n error_description: 'Could not extract encryption JWK from client metadata. Failed to create JARM response.',\n })\n }\n\n // When the response is NOT only encrypted, the JWT payload needs to include the iss, aud and exp.\n let additionalJwtPayload: Record<string, string \| number> \| undefined\n if (jarm?.jwtSigner) {\n if (!jarm.authorizationServer) {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidRequest,\n error_description: 'Missing required iss in JARM configuration for creating OpenID4VP authorization response.',\n })\n }\n\n if (!jarm.audience) {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidRequest,\n error_description: 'Missing required aud in JARM configuration for creating OpenID4VP authorization response.',\n })\n }\n\n additionalJwtPayload = {\n iss: jarm.authorizationServer,\n aud: jarm.audience,\n exp: jarm.expiresInSeconds ?? dateToSeconds(addSecondsToDate(new Date(), 60 10)), // default: 10 minutes\n }\n }\n\n const jarmResponsePayload = {\n ...responsePayload,\n ...additionalJwtPayload,\n } satisfies Openid4vpAuthorizationResponse\n\n const result = await createJarmAuthResponse({\n jarmAuthResponse: jarmResponsePayload,\n jwtSigner: jarm?.jwtSigner,\n jweEncryptor:\n jarm?.encryption && (supportedJarmMetadata.type === 'encrypt' \|\| supportedJarmMetadata.type === 'sign_encrypt')\n ? {\n method: 'jwk',\n publicJwk: clientMetaJwks.encJwk,\n apu: jarm.encryption?.nonce,\n apv: requestPayload.nonce,\n alg: supportedJarmMetadata.client_metadata.authorization_encrypted_response_alg,\n enc: supportedJarmMetadata.client_metadata.authorization_encrypted_response_enc,\n }\n : undefined,\n callbacks: {\n signJwt: callbacks.signJwt,\n encryptJwe: callbacks.encryptJwe,\n },\n })\n\n return {\n responsePayload: jarmResponsePayload,\n jarm: { responseJwt: result.jarmAuthResponseJwt },\n }\n}\n","/*\n Get the time in seconds since epoch for a date.\n * If date is not provided the current time will be used.\n /\nexport function dateToSeconds(date?: Date) {\n const milliseconds = date?.getTime() ?? Date.now()\n\n return Math.floor(milliseconds / 1000)\n}\n\nexport function addSecondsToDate(date: Date, seconds: number) {\n return new Date(date.getTime() + seconds 1000)\n}\n","import {\n type CallbackContext,\n type JweEncryptor,\n type JwtSigner,\n Oauth2Error,\n jwtHeaderFromJwtSigner,\n} from '@openid4vc/oauth2'\nimport type { JarmAuthResponse, JarmAuthResponseEncryptedOnly } from './jarm-auth-response/z-jarm-auth-response'\n\nexport interface CreateJarmAuthResponseOptions {\n jarmAuthResponse: JarmAuthResponse \| JarmAuthResponseEncryptedOnly\n jwtSigner?: JwtSigner\n jweEncryptor?: JweEncryptor\n callbacks: Pick<CallbackContext, 'signJwt' \| 'encryptJwe'>\n}\n\nexport async function createJarmAuthResponse(options: CreateJarmAuthResponseOptions) {\n const { jarmAuthResponse, jweEncryptor, jwtSigner, callbacks } = options\n if (!jwtSigner && jweEncryptor) {\n const { jwe } = await callbacks.encryptJwe(jweEncryptor, JSON.stringify(jarmAuthResponse))\n return { jarmAuthResponseJwt: jwe }\n }\n\n if (jwtSigner && !jweEncryptor) {\n const signed = await callbacks.signJwt(jwtSigner, {\n header: jwtHeaderFromJwtSigner(jwtSigner),\n payload: jarmAuthResponse,\n })\n return { jarmAuthResponseJwt: signed.jwt }\n }\n\n if (!jwtSigner \|\| !jweEncryptor) {\n throw new Oauth2Error('JWT signer and/or encryptor are required to create a JARM auth response.')\n }\n const signed = await callbacks.signJwt(jwtSigner, {\n header: jwtHeaderFromJwtSigner(jwtSigner),\n payload: jarmAuthResponse,\n })\n\n const encrypted = await callbacks.encryptJwe(jweEncryptor, signed.jwt)\n\n return { jarmAuthResponseJwt: encrypted.jwe }\n}\n","import type { JwkSet } from '@openid4vc/oauth2'\nimport { type JarmClientMetadata, zJarmClientMetadataParsed } from './metadata/z-jarm-client-metadata'\n\nexport function extractJwksFromClientMetadata(clientMetadata: JarmClientMetadata & { jwks: JwkSet }) {\n const parsed = zJarmClientMetadataParsed.parse(clientMetadata)\n\n const encryptionAlg = parsed.client_metadata.authorization_encrypted_response_enc\n const signingAlg = parsed.client_metadata.authorization_signed_response_alg\n\n const encJwk =\n clientMetadata.jwks.keys.find((key) => key.use === 'enc' && key.alg === encryptionAlg) ??\n clientMetadata.jwks.keys.find((key) => key.use === 'enc') ??\n // fallback, take first key. HAIP does not specify requirement on enc\n clientMetadata.jwks.keys?.[0]\n\n const sigJwk =\n clientMetadata.jwks.keys.find((key) => key.use === 'sig' && key.alg === signingAlg) ??\n clientMetadata.jwks.keys.find((key) => key.use === 'sig') ??\n // falback, take first key\n clientMetadata.jwks.keys?.[0]\n\n return { encJwk, sigJwk }\n}\n","import { z } from 'zod'\n\nexport const jarmResponseMode = [\n 'jwt',\n 'query.jwt',\n 'fragment.jwt',\n 'form_post.jwt',\n 'direct_post.jwt',\n 'dc_api.jwt',\n] as const\nexport const zJarmResponseMode = z.enum(jarmResponseMode)\n\nexport type JarmResponseMode = (typeof jarmResponseMode)[number]\n\nexport const isJarmResponseMode = (responseMode: string): responseMode is JarmResponseMode => {\n return jarmResponseMode.includes(responseMode as JarmResponseMode)\n}\n","import { Oauth2Error } from '@openid4vc/oauth2'\nimport type { JarmServerMetadata } from './z-jarm-authorization-server-metadata'\nimport { type JarmClientMetadata, zJarmClientMetadataParsed } from './z-jarm-client-metadata'\n\ninterface AssertValueSupported<T> {\n supported: T[]\n actual: T\n errorMessage: string\n}\n\nfunction assertValueSupported<T>(options: AssertValueSupported<T>): T {\n const { errorMessage, supported, actual } = options\n const intersection = supported.find((value) => value === actual)\n\n if (!intersection) {\n throw new Oauth2Error(errorMessage)\n }\n\n return intersection\n}\n\nexport function jarmAssertMetadataSupported(options: {\n clientMetadata: JarmClientMetadata\n serverMetadata: JarmServerMetadata\n}) {\n const { clientMetadata, serverMetadata } = options\n const parsedClientMetadata = zJarmClientMetadataParsed.parse(clientMetadata)\n\n if (parsedClientMetadata.type === 'sign_encrypt' \|\| parsedClientMetadata.type === 'encrypt') {\n if (serverMetadata.authorization_encryption_alg_values_supported) {\n assertValueSupported({\n supported: serverMetadata.authorization_encryption_alg_values_supported,\n actual: parsedClientMetadata.client_metadata.authorization_encrypted_response_alg,\n errorMessage: 'Invalid authorization_encryption_alg',\n })\n }\n\n if (serverMetadata.authorization_encryption_enc_values_supported) {\n assertValueSupported({\n supported: serverMetadata.authorization_encryption_enc_values_supported,\n actual: parsedClientMetadata.client_metadata.authorization_encrypted_response_enc,\n errorMessage: 'Invalid authorization_encryption_enc',\n })\n }\n }\n\n if (\n serverMetadata.authorization_signing_alg_values_supported &&\n (parsedClientMetadata.type === 'sign' \|\| parsedClientMetadata.type === 'sign_encrypt')\n ) {\n assertValueSupported({\n supported: serverMetadata.authorization_signing_alg_values_supported,\n actual: parsedClientMetadata.client_metadata.authorization_signed_response_alg,\n errorMessage: 'Invalid authorization_signed_response_alg',\n })\n }\n\n return parsedClientMetadata\n}\n","import { type CallbackContext, Oauth2Error } from '@openid4vc/oauth2'\nimport { ContentType, defaultFetcher } from '@openid4vc/utils'\nimport { objectToQueryParams } from '@openid4vc/utils'\nimport type { Openid4vpAuthorizationRequest } from '../authorization-request/z-authorization-request'\nimport { jarmAuthResponseSend } from '../jarm/jarm-auth-response-send'\nimport type { Openid4vpAuthorizationResponse } from './z-authorization-response'\n\nexport interface SubmitOpenid4vpAuthorizationResponseOptions {\n requestPayload: Pick<Openid4vpAuthorizationRequest, 'response_uri'>\n responsePayload: Openid4vpAuthorizationResponse\n jarm?: { responseJwt: string }\n callbacks: Pick<CallbackContext, 'fetch'>\n}\n\nexport async function submitOpenid4vpAuthorizationResponse(options: SubmitOpenid4vpAuthorizationResponseOptions) {\n const { requestPayload, responsePayload, jarm, callbacks } = options\n const url = requestPayload.response_uri\n\n if (jarm) {\n return jarmAuthResponseSend({\n authRequest: requestPayload,\n jarmAuthResponseJwt: jarm.responseJwt,\n callbacks,\n })\n }\n\n if (!url) {\n throw new Oauth2Error(\n 'Failed to submit OpenId4Vp Authorization Response. No redirect_uri or response_uri provided.'\n )\n }\n\n const fetch = callbacks.fetch ?? defaultFetcher\n const encodedResponse = objectToQueryParams(responsePayload)\n const submissionResponse = await fetch(url, {\n method: 'POST',\n body: encodedResponse,\n headers: {\n 'Content-Type': ContentType.XWwwFormUrlencoded,\n },\n })\n\n return {\n responseMode: 'direct_post',\n response: submissionResponse,\n }\n}\n","import { type CallbackContext, Oauth2Error } from '@openid4vc/oauth2'\nimport { ContentType, URL, defaultFetcher } from '@openid4vc/utils'\n\ninterface JarmAuthResponseSendOptions {\n authRequest: {\n response_uri?: string\n redirect_uri?: string\n }\n jarmAuthResponseJwt: string\n callbacks: Pick<CallbackContext, 'fetch'>\n}\n\nexport const jarmAuthResponseSend = (options: JarmAuthResponseSendOptions) => {\n const { authRequest, jarmAuthResponseJwt, callbacks } = options\n\n const responseEndpoint = authRequest.response_uri ?? authRequest.redirect_uri\n if (!responseEndpoint) {\n throw new Oauth2Error(`Either 'response_uri' or 'redirect_uri' MUST be present in the authorization request`)\n }\n\n const responseEndpointUrl = new URL(responseEndpoint)\n return handleDirectPostJwt(responseEndpointUrl, jarmAuthResponseJwt, callbacks)\n}\n\nasync function handleDirectPostJwt(\n responseEndpoint: URL,\n responseJwt: string,\n callbacks: Pick<CallbackContext, 'fetch'>\n) {\n const response = await (callbacks.fetch ?? defaultFetcher)(responseEndpoint, {\n method: 'POST',\n headers: { 'Content-Type': ContentType.XWwwFormUrlencoded },\n body: `response=${responseJwt}`,\n })\n\n return {\n responseMode: 'direct_post.jwt',\n response,\n } as const\n}\n","import { Oauth2Error } from '@openid4vc/oauth2'\nimport type { Openid4vpAuthorizationRequest } from '../authorization-request/z-authorization-request'\nimport type { Openid4vpAuthorizationRequestDcApi } from '../authorization-request/z-authorization-request-dc-api'\nimport { parseDcqlVpToken, parsePexVpToken } from '../vp-token/parse-vp-token'\nimport type { ValidateOpenid4VpAuthorizationResponseResult } from './validate-authorization-response-result'\nimport type { Openid4vpAuthorizationResponse } from './z-authorization-response'\n\nexport interface ValidateOpenid4vpAuthorizationResponseOptions {\n requestPayload: Openid4vpAuthorizationRequest \| Openid4vpAuthorizationRequestDcApi\n responsePayload: Openid4vpAuthorizationResponse\n}\n\n/*\n The following steps need to be performed outside of this library\n * - verifying the presentations\n * - validating the presentations against the presentation definition\n * - checking the revocation status of the presentations\n * - checking the nonce of the presentations matches the nonce of the request (for mdoc's)\n /\nexport function validateOpenid4vpAuthorizationResponsePayload(\n options: ValidateOpenid4vpAuthorizationResponseOptions\n): ValidateOpenid4VpAuthorizationResponseResult {\n const { requestPayload, responsePayload } = options\n\n if ('state' in requestPayload && requestPayload.state !== responsePayload.state) {\n throw new Oauth2Error('OpenId4Vp Authorization Response state mismatch.')\n }\n\n // TODO: implement id_token handling\n if (responsePayload.id_token) {\n throw new Oauth2Error('OpenId4Vp Authorization Response id_token is not supported.')\n }\n\n if (responsePayload.presentation_submission) {\n if (!requestPayload.presentation_definition) {\n throw new Oauth2Error('OpenId4Vp Authorization Request is missing the required presentation_definition.')\n }\n\n return {\n type: 'pex',\n pex:\n 'scope' in requestPayload && requestPayload.scope\n ? {\n scope: requestPayload.scope,\n presentationSubmission: responsePayload.presentation_submission,\n presentations: parsePexVpToken(responsePayload.vp_token),\n }\n : {\n presentationDefinition: requestPayload.presentation_definition,\n presentationSubmission: responsePayload.presentation_submission,\n presentations: parsePexVpToken(responsePayload.vp_token),\n },\n }\n }\n\n if (requestPayload.dcql_query) {\n const presentations = parseDcqlVpToken(responsePayload.vp_token)\n\n return {\n type: 'dcql',\n dcql:\n 'scope' in requestPayload && requestPayload.scope\n ? {\n scope: requestPayload.scope,\n presentations,\n }\n : {\n query: requestPayload.dcql_query,\n presentations,\n },\n }\n }\n\n throw new Oauth2Error(\n 'Invalid OpenId4Vp Authorization Response. Response neither contains a presentation_submission nor request contains a dcql_query.'\n )\n}\n","import { parseIfJson, parseWithErrorHandling } from '@openid4vc/utils'\nimport { type VpTokenDcql, type VpTokenPexEntry, zVpTokenDcql, zVpTokenPex } from './z-vp-token'\n\nexport function parsePexVpToken(vpToken: unknown): [VpTokenPexEntry, ...VpTokenPexEntry[]] {\n const parsedVpToken = parseWithErrorHandling(\n zVpTokenPex,\n parseIfJson(vpToken),\n 'Could not parse presentation exchange vp_token. Expected a string or an array of strings'\n )\n\n return Array.isArray(parsedVpToken) ? (parsedVpToken as [VpTokenPexEntry, ...VpTokenPexEntry[]]) : [parsedVpToken]\n}\n\nexport function parseDcqlVpToken(vpToken: unknown): VpTokenDcql {\n return parseWithErrorHandling(\n zVpTokenDcql,\n parseIfJson(vpToken),\n 'Could not parse dcql vp_token. Expected an object where the values are encoded presentations'\n )\n}\n","import { z } from 'zod'\n\nconst zVpTokenPexEntry = z.union([z.string(), z.record(z.any())], {\n message: 'pex vp_token entry must be a string or object',\n})\n\nexport const zVpTokenPex = z.union(\n [zVpTokenPexEntry, z.array(zVpTokenPexEntry).nonempty('Must have at least entry in vp_token array')],\n {\n message: 'pex vp_token must be a string, object or array of strings and objects',\n }\n)\nexport type VpTokenPex = z.infer<typeof zVpTokenPex>\nexport type VpTokenPexEntry = z.infer<typeof zVpTokenPexEntry>\n\nexport const zVpTokenDcql = z.record(z.union([z.string(), z.record(z.any())]), {\n message:\n 'dcql vp_token must be an object with keys referencing the dcql credential query id, and values the encoded (string or object) presentation',\n})\nexport type VpTokenDcql = z.infer<typeof zVpTokenDcql>\n\nexport const zVpToken = zVpTokenDcql.or(zVpTokenPex)\nexport type VpToken = z.infer<typeof zVpToken>\n","import { type CallbackContext, Oauth2Error, Oauth2ServerErrorResponseError } from '@openid4vc/oauth2'\nimport { parseOpenid4vpAuthorizationRequestPayload } from '../authorization-request/parse-authorization-request-params'\nimport type { Openid4vpAuthorizationRequest } from '../authorization-request/z-authorization-request'\nimport type { Openid4vpAuthorizationRequestDcApi } from '../authorization-request/z-authorization-request-dc-api'\nimport type {\n GetOpenid4vpAuthorizationRequestCallback,\n VerifiedJarmAuthorizationResponse,\n} from '../jarm/jarm-auth-response/verify-jarm-auth-response'\nimport type { JarmHeader } from '../jarm/jarm-auth-response/z-jarm-auth-response'\nimport { isJarmResponseMode } from '../jarm/jarm-response-mode'\nimport { parseOpenid4VpAuthorizationResponsePayload } from './parse-authorization-response-payload'\nimport { parseJarmAuthorizationResponse } from './parse-jarm-authorization-response'\nimport { validateOpenid4vpAuthorizationResponsePayload } from './validate-authorization-response'\nimport type { ValidateOpenid4VpAuthorizationResponseResult } from './validate-authorization-response-result'\nimport type { Openid4vpAuthorizationResponse } from './z-authorization-response'\n\nexport interface ParseOpenid4vpAuthorizationResponseOptions {\n responsePayload: Record<string, unknown>\n callbacks: Pick<CallbackContext, 'decryptJwe' \| 'verifyJwt'> & {\n getOpenid4vpAuthorizationRequest: GetOpenid4vpAuthorizationRequestCallback\n }\n}\n\nexport type ParsedOpenid4vpAuthorizationResponse = ValidateOpenid4VpAuthorizationResponseResult & {\n authorizationResponsePayload: Openid4vpAuthorizationResponse\n authorizationRequestPayload: Openid4vpAuthorizationRequest \| Openid4vpAuthorizationRequestDcApi\n\n expectedNonce: string\n\n // TODO: return this\n // expectedTransactionDataHashes?: []\n\n jarm?: VerifiedJarmAuthorizationResponse & {\n jarmHeader: JarmHeader\n mdocGeneratedNonce?: string\n }\n}\n\nexport async function parseOpenid4vpAuthorizationResponse(\n options: ParseOpenid4vpAuthorizationResponseOptions\n): Promise<ParsedOpenid4vpAuthorizationResponse> {\n const { responsePayload, callbacks } = options\n\n if (responsePayload.response) {\n return parseJarmAuthorizationResponse({ jarmResponseJwt: responsePayload.response as string, callbacks })\n }\n\n const authorizationResponsePayload = parseOpenid4VpAuthorizationResponsePayload(responsePayload)\n\n const { authorizationRequest } = await callbacks.getOpenid4vpAuthorizationRequest(authorizationResponsePayload)\n const parsedAuthRequest = parseOpenid4vpAuthorizationRequestPayload({ authorizationRequest: authorizationRequest })\n if (parsedAuthRequest.type !== 'openid4vp' && parsedAuthRequest.type !== 'openid4vp_dc_api') {\n throw new Oauth2Error('Invalid authorization request. Could not parse openid4vp authorization request.')\n }\n\n const authorizationRequestPayload = parsedAuthRequest.params\n\n const validateOpenId4vpResponse = validateOpenid4vpAuthorizationResponsePayload({\n requestPayload: authorizationRequestPayload,\n responsePayload: authorizationResponsePayload,\n })\n\n if (authorizationRequestPayload.response_mode && isJarmResponseMode(authorizationRequestPayload.response_mode)) {\n throw new Oauth2ServerErrorResponseError(\n {\n error: 'invalid_request',\n error_description: 'Invalid response mode for openid4vp response. Expected jarm response.',\n },\n {\n status: 400,\n }\n )\n }\n\n return {\n ...validateOpenId4vpResponse,\n expectedNonce: authorizationRequestPayload.nonce,\n\n authorizationResponsePayload,\n authorizationRequestPayload,\n jarm: undefined,\n }\n}\n","import { parseWithErrorHandling } from '@openid4vc/utils'\nimport { zOpenid4vpAuthorizationResponse } from './z-authorization-response'\n\nexport function parseOpenid4VpAuthorizationResponsePayload(payload: Record<string, unknown>) {\n return parseWithErrorHandling(\n zOpenid4vpAuthorizationResponse,\n payload,\n 'Failed to parse openid4vp authorization response.'\n )\n}\n","import { z } from 'zod'\nimport { zPexPresentationSubmission } from '../models/z-pex'\nimport { zVpToken } from '../vp-token/z-vp-token'\n\nexport const zOpenid4vpAuthorizationResponse = z\n .object({\n state: z.string().optional(),\n id_token: z.string().optional(),\n vp_token: zVpToken,\n presentation_submission: zPexPresentationSubmission.optional(),\n refresh_token: z.string().optional(),\n token_type: z.string().optional(),\n access_token: z.string().optional(),\n expires_in: z.number().optional(),\n })\n .passthrough()\nexport type Openid4vpAuthorizationResponse = z.infer<typeof zOpenid4vpAuthorizationResponse>\n","import { z } from 'zod'\n\nexport const zPexPresentationDefinition = z.record(z.any())\nexport const zPexPresentationSubmission = z.record(z.any())\n\nexport type PexPresentationDefinition = z.infer<typeof zPexPresentationDefinition>\nexport type PexPresentationSubmission = z.infer<typeof zPexPresentationSubmission>\n","import { type CallbackContext, Oauth2Error, decodeJwtHeader, zCompactJwe, zCompactJwt } from '@openid4vc/oauth2'\nimport { decodeBase64, encodeToUtf8String, parseWithErrorHandling } from '@openid4vc/utils'\nimport z from 'zod'\nimport { parseOpenid4vpAuthorizationRequestPayload } from '../authorization-request/parse-authorization-request-params'\nimport {\n type GetOpenid4vpAuthorizationRequestCallback,\n verifyJarmAuthorizationResponse,\n} from '../jarm/jarm-auth-response/verify-jarm-auth-response'\nimport { zJarmHeader } from '../jarm/jarm-auth-response/z-jarm-auth-response'\nimport { isJarmResponseMode } from '../jarm/jarm-response-mode'\nimport type { ParsedOpenid4vpAuthorizationResponse } from './parse-authorization-response'\nimport { parseOpenid4VpAuthorizationResponsePayload } from './parse-authorization-response-payload'\nimport { validateOpenid4vpAuthorizationResponsePayload } from './validate-authorization-response'\n\nexport interface ParseJarmAuthorizationResponseOptions {\n jarmResponseJwt: string\n callbacks: Pick<CallbackContext, 'decryptJwe' \| 'verifyJwt'> & {\n getOpenid4vpAuthorizationRequest: GetOpenid4vpAuthorizationRequestCallback\n }\n}\n\nexport async function parseJarmAuthorizationResponse(\n options: ParseJarmAuthorizationResponseOptions\n): Promise<ParsedOpenid4vpAuthorizationResponse> {\n const { jarmResponseJwt, callbacks } = options\n\n const jarmAuthorizationResponseJwt = parseWithErrorHandling(\n z.union([zCompactJwt, zCompactJwe]),\n jarmResponseJwt,\n 'Invalid jarm authorization response jwt.'\n )\n\n const verifiedJarmResponse = await verifyJarmAuthorizationResponse({ jarmAuthorizationResponseJwt, callbacks })\n\n const { header: jarmHeader } = decodeJwtHeader({\n jwt: jarmAuthorizationResponseJwt,\n headerSchema: zJarmHeader,\n })\n\n const parsedAuthorizationRequest = parseOpenid4vpAuthorizationRequestPayload({\n authorizationRequest: verifiedJarmResponse.authorizationRequest,\n })\n\n if (parsedAuthorizationRequest.type !== 'openid4vp' && parsedAuthorizationRequest.type !== 'openid4vp_dc_api') {\n throw new Oauth2Error('Invalid authorization request. Could not parse openid4vp authorization request.')\n }\n\n const authorizationResponsePayload = parseOpenid4VpAuthorizationResponsePayload(verifiedJarmResponse.jarmAuthResponse)\n const validateOpenId4vpResponse = validateOpenid4vpAuthorizationResponsePayload({\n requestPayload: parsedAuthorizationRequest.params,\n responsePayload: authorizationResponsePayload,\n })\n\n const authorizationRequestPayload = parsedAuthorizationRequest.params\n if (!authorizationRequestPayload.response_mode \|\| !isJarmResponseMode(authorizationRequestPayload.response_mode)) {\n throw new Oauth2Error(\n `Invalid response mode for jarm response. Response mode: '${authorizationRequestPayload.response_mode ?? 'fragment'}'`\n )\n }\n\n let mdocGeneratedNonce: string \| undefined = undefined\n\n if (jarmHeader?.apu) {\n mdocGeneratedNonce = encodeToUtf8String(decodeBase64(jarmHeader.apu))\n }\n if (jarmHeader?.apv) {\n const jarmRequestNonce = encodeToUtf8String(decodeBase64(jarmHeader.apv))\n if (jarmRequestNonce !== authorizationRequestPayload.nonce) {\n throw new Oauth2Error('The nonce in the jarm header does not match the nonce in the request.')\n }\n }\n\n return {\n ...validateOpenId4vpResponse,\n jarm: { ...verifiedJarmResponse, jarmHeader, mdocGeneratedNonce },\n\n expectedNonce: authorizationRequestPayload.nonce,\n authorizationResponsePayload,\n authorizationRequestPayload,\n }\n}\n","import type { CallbackContext } from '@openid4vc/oauth2'\nimport {} from './authorization-request/create-authorization-request'\nimport { parseOpenid4vpAuthorizationRequestPayload } from './authorization-request/parse-authorization-request-params'\nimport type { ParseOpenid4vpAuthRequestPayloadOptions } from './authorization-request/parse-authorization-request-params'\nimport {\n type ResolveOpenid4vpAuthorizationRequestOptions,\n resolveOpenid4vpAuthorizationRequest,\n} from './authorization-request/resolve-authorization-request'\nimport {\n type CreateOpenid4vpAuthorizationResponseOptions,\n createOpenid4vpAuthorizationResponse,\n} from './authorization-response/create-authorization-response'\nimport {\n type SubmitOpenid4vpAuthorizationResponseOptions,\n submitOpenid4vpAuthorizationResponse,\n} from './authorization-response/submit-authorization-response'\n\nexport interface Openid4vpClientOptions {\n /\n Callbacks required for the openid4vp client\n /\n callbacks: Omit<CallbackContext, 'hash' \| 'generateRandom' \| 'clientAuthentication'>\n}\n\nexport class Openid4vpClient {\n public constructor(private options: Openid4vpClientOptions) {}\n\n public parseOpenid4vpAuthorizationRequestPayload(options: ParseOpenid4vpAuthRequestPayloadOptions) {\n return parseOpenid4vpAuthorizationRequestPayload(options)\n }\n\n public async resolveOpenId4vpAuthorizationRequest(\n options: Omit<ResolveOpenid4vpAuthorizationRequestOptions, 'callbacks'>\n ) {\n return resolveOpenid4vpAuthorizationRequest({ ...options, callbacks: this.options.callbacks })\n }\n\n public async createOpenid4vpAuthorizationResponse(\n options: Omit<CreateOpenid4vpAuthorizationResponseOptions, 'callbacks'>\n ) {\n return createOpenid4vpAuthorizationResponse({ ...options, callbacks: this.options.callbacks })\n }\n\n public async submitOpenid4vpAuthorizationResponse(\n options: Omit<SubmitOpenid4vpAuthorizationResponseOptions, 'callbacks'>\n ) {\n return submitOpenid4vpAuthorizationResponse({ ...options, callbacks: this.options.callbacks })\n }\n}\n","import {\n type CallbackContext,\n HashAlgorithm,\n Oauth2ErrorCodes,\n Oauth2ServerErrorResponseError,\n} from '@openid4vc/oauth2'\nimport { decodeUtf8String, encodeToBase64Url } from '@openid4vc/utils'\nimport { type ParsedTransactionDataEntry, parseTransactionData } from './parse-transaction-data'\n\nexport interface TransactionDataHashesCredentials {\n /\n credentialId is the pex input descriptor id\n * or dcql credential query id\n \n The values must be an array of transaction data hashes\n /\n [credentialId: string]:\n \| {\n /\n The hashes of the transaction data\n /\n transaction_data_hashes: string[]\n\n /\n The transaction data hash alg. If not provided\n * in the presentation, the default value of sha256\n * is used.\n /\n transaction_data_hashes_alg?: string\n }\n \| undefined\n}\n\nexport interface VerifyTransactionDataOptions {\n transactionData: string[]\n credentials: TransactionDataHashesCredentials\n callbacks: Pick<CallbackContext, 'hash'>\n}\n\nexport async function verifyTransactionData(\n options: VerifyTransactionDataOptions\n): Promise<VerifiedTransactionDataEntry[]> {\n const parsedTransactionData = parseTransactionData({\n transactionData: options.transactionData,\n })\n\n const matchedEntries: Array<VerifiedTransactionDataEntry> = []\n for (const parsedEntry of parsedTransactionData) {\n const matchedEntry = await verifyTransactionDataEntry({\n entry: parsedEntry,\n callbacks: options.callbacks,\n credentials: options.credentials,\n })\n\n matchedEntries.push(matchedEntry)\n }\n\n return matchedEntries\n}\n\nexport interface VerifiedTransactionDataEntry {\n transactionDataEntry: ParsedTransactionDataEntry\n credentialId: string\n hash: string\n hashAlg: HashAlgorithm\n credentialHashIndex: number\n}\n\nasync function verifyTransactionDataEntry({\n entry,\n credentials,\n callbacks,\n}: {\n entry: ParsedTransactionDataEntry\n credentials: TransactionDataHashesCredentials\n callbacks: Pick<CallbackContext, 'hash'>\n}): Promise<VerifiedTransactionDataEntry> {\n const allowedAlgs = entry.transactionData.transaction_data_hashes_alg ?? ['sha-256']\n const supportedAlgs: HashAlgorithm[] = allowedAlgs.filter((alg): alg is HashAlgorithm =>\n Object.values(HashAlgorithm).includes(alg as HashAlgorithm)\n )\n\n const hashes: { [key in HashAlgorithm]?: string } = {}\n for (const alg of supportedAlgs) {\n hashes[alg] = encodeToBase64Url(await callbacks.hash(decodeUtf8String(entry.encoded), alg))\n }\n\n for (const credentialId of entry.transactionData.credential_ids) {\n const transactionDataHashesCredential = credentials[credentialId]\n if (!transactionDataHashesCredential) continue\n\n const alg = transactionDataHashesCredential.transaction_data_hashes_alg ?? 'sha-256'\n const hash = hashes[alg as HashAlgorithm]\n\n if (!allowedAlgs.includes(alg)) {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidTransactionData,\n error_description: `Transaction data entry with index ${entry.transactionDataIndex} is hashed using alg '${alg}'. However transaction data only allows alg values ${allowedAlgs.join(', ')}.`,\n })\n }\n\n // This is an error of this library.\n if (!hash) {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidTransactionData,\n error_description: `Transaction data entry with index ${entry.transactionDataIndex} is hashed using unsupported alg '${alg}'. This library only supports verification of transaction data hashes using alg values ${Object.values(HashAlgorithm).join(', ')}. Either verify the hashes outside of this library, or limit the allowed alg values to the ones supported by this library.`,\n })\n }\n\n const credentialHashIndex = transactionDataHashesCredential.transaction_data_hashes.indexOf(hash)\n if (credentialHashIndex !== -1) {\n return {\n transactionDataEntry: entry,\n credentialId,\n hash,\n hashAlg: alg as HashAlgorithm,\n credentialHashIndex,\n }\n }\n }\n\n // No matches were found\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidTransactionData,\n error_description: `Transaction data entry with index ${entry.transactionDataIndex} does not have a matching hash in any of the submitted credentials`,\n })\n}\n","import type { CallbackContext } from '@openid4vc/oauth2'\nimport {\n type CreateOpenid4vpAuthorizationRequestOptions,\n createOpenid4vpAuthorizationRequest,\n} from './authorization-request/create-authorization-request'\nimport {\n type ParseOpenid4vpAuthRequestPayloadOptions,\n parseOpenid4vpAuthorizationRequestPayload,\n} from './authorization-request/parse-authorization-request-params'\nimport {\n type ParseOpenid4vpAuthorizationResponseOptions,\n parseOpenid4vpAuthorizationResponse,\n} from './authorization-response/parse-authorization-response'\nimport {\n type ValidateOpenid4vpAuthorizationResponseOptions,\n validateOpenid4vpAuthorizationResponsePayload,\n} from './authorization-response/validate-authorization-response'\nimport type { ParseTransactionDataOptions } from './transaction-data/parse-transaction-data'\nimport { parseTransactionData } from './transaction-data/parse-transaction-data'\nimport { type VerifyTransactionDataOptions, verifyTransactionData } from './transaction-data/verify-transaction-data'\nimport { parseDcqlVpToken, parsePexVpToken } from './vp-token/parse-vp-token'\n\nexport interface Openid4vpVerifierOptions {\n /\n Callbacks required for the openid4vp verifier\n */\n callbacks: Omit<CallbackContext, 'hash' \| 'generateRandom' \| 'clientAuthentication'>\n}\n\nexport class Openid4vpVerifier {\n public constructor(private options: Openid4vpVerifierOptions) {}\n\n public async createOpenId4vpAuthorizationRequest(\n options: Omit<CreateOpenid4vpAuthorizationRequestOptions, 'callbacks'>\n ) {\n return createOpenid4vpAuthorizationRequest({ ...options, callbacks: this.options.callbacks })\n }\n\n public parseOpenid4vpAuthorizationRequestPayload(options: ParseOpenid4vpAuthRequestPayloadOptions) {\n return parseOpenid4vpAuthorizationRequestPayload(options)\n }\n\n public parseOpenid4vpAuthorizationResponse(options: ParseOpenid4vpAuthorizationResponseOptions) {\n return parseOpenid4vpAuthorizationResponse(options)\n }\n\n public validateOpenid4vpAuthorizationResponsePayload(options: ValidateOpenid4vpAuthorizationResponseOptions) {\n return validateOpenid4vpAuthorizationResponsePayload(options)\n }\n\n public parsePexVpToken(vpToken: unknown) {\n return parsePexVpToken(vpToken)\n }\n\n public parseDcqlVpToken(vpToken: unknown) {\n return parseDcqlVpToken(vpToken)\n }\n\n public parseTransactionData(options: ParseTransactionDataOptions) {\n return parseTransactionData(options)\n }\n\n public verifyTransactionData(options: VerifyTransactionDataOptions) {\n return verifyTransactionData(options)\n }\n}\n","import { z } from 'zod'\nexport const zCredentialFormat = z.enum(['jwt_vc_json', 'ldp_vc', 'ac_vc', 'mso_mdoc', 'dc+sd-jwt', 'vc+sd-jwt'])\nexport type CredentialFormat = z.infer<typeof zCredentialFormat>\n","import { z } from 'zod'\nexport const zProofFormat = z.enum(['jwt_vp_json', 'ldc_vp', 'ac_vp', 'dc+sd-jwt', 'vc+sd-jwt', 'mso_mdoc'])\nexport type ProofFormat = z.infer<typeof zProofFormat>\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;;;ACAA,iBAAkB;AAEX,IAAM,kBAAkB,aAAE,KAAK;AAAA,EACpC;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AACF,CAAC;;;ACXD,IAAAA,iBASO;AACP,IAAAC,cAAc;;;ACVd,IAAAC,iBAA4B;AAC5B,mBAA8B;;;ACD9B,oBAAwC;AACxC,IAAAC,cAAkB;AAEX,IAAM,cAAc,cAAE,OAAO,EAAE,GAAG,yBAAW,OAAO,KAAK,cAAE,OAAO,EAAE,SAAS,GAAG,KAAK,cAAE,OAAO,EAAE,SAAS,EAAE,CAAC;AAG5G,IAAM,oBAAoB,cAC9B,OAAO;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAMN,GAAG,0BAAY;AAAA,EACf,GAAG,0BAAY,KAAK,EAAE,KAAK,MAAM,KAAK,MAAM,KAAK,KAAK,CAAC,EAAE,SAAS,EAAE;AAAA,EACpE,OAAO,cAAE,SAAS,cAAE,OAAO,CAAC;AAC9B,CAAC,EACA,YAAY;AAIR,IAAM,iCAAiC,cAC3C,OAAO;AAAA,EACN,GAAG,0BAAY;AAAA,EACf,OAAO,cAAE,SAAS,cAAE,OAAO,CAAC;AAC9B,CAAC,EACA,YAAY;;;ADtBR,IAAM,2BAA2B,CAAC,YAGnC;AACJ,QAAM,EAAE,UAAU,sBAAsB,IAAI;AAG5C,MAAI,CAAC,kBAAkB,UAAU,qBAAqB,EAAE,SAAS;AAC/D;AAAA,EACF;AAGA,MAAI,aAAa,sBAAsB,KAAK;AAC1C,UAAM,IAAI;AAAA,MACR,iEACE,QACF,eAAe,KAAK,UAAU,sBAAsB,GAAG,CAAC;AAAA,IAC1D;AAAA,EACF;AAIA,MAAI,sBAAsB,QAAQ,UAAa,sBAAsB,UAAM,4BAAc,GAAG;AAC1F,UAAM,IAAI,2BAAY,gCAAgC;AAAA,EACxD;AACF;;;ADOA,IAAM,yBAAyB,OAAO,YAGhC;AACJ,QAAM,EAAE,aAAa,UAAU,IAAI;AAEnC,QAAM,EAAE,OAAO,QAAI,gCAAgB,EAAE,KAAK,YAAY,CAAC;AACvD,MAAI,CAAC,OAAO,KAAK;AACf,UAAM,IAAI,2BAAY,uDAAuD;AAAA,EAC/E;AAEA,QAAM,SAAS,MAAM,UAAU,WAAW,WAAW;AACrD,MAAI,CAAC,OAAO,WAAW;AACrB,UAAM,IAAI,2BAAY,uCAAuC;AAAA,EAC/D;AAEA,SAAO,OAAO;AAChB;AAgBA,eAAsB,gCAAgC,SAAiD;AACrG,QAAM,EAAE,8BAA8B,UAAU,IAAI;AAEpD,QAAM,yBAAyB,2BAAY,UAAU,4BAA4B,EAAE;AACnF,QAAM,uBAAuB,yBACzB,MAAM,uBAAuB,EAAE,aAAa,8BAA8B,UAAU,CAAC,IACrF;AAEJ,QAAM,mBAAmB,2BAAY,UAAU,oBAAoB,EAAE;AACrE,MAAI,CAAC,0BAA0B,CAAC,kBAAkB;AAChD,UAAM,IAAI,2BAAY,+EAA+E;AAAA,EACvG;AAEA,MAAI;AAEJ,MAAI,kBAAkB;AACpB,UAAM,EAAE,QAAQ,oBAAoB,SAAS,WAAW,QAAI,0BAAU;AAAA,MACpE,KAAK;AAAA,MACL,cAAc,YAAAC,QAAE,OAAO,EAAE,GAAG,0BAAW,OAAO,KAAK,YAAAA,QAAE,OAAO,EAAE,CAAC;AAAA,IACjE,CAAC;AAED,UAAM,WAAW,kBAAkB,MAAM,UAAU;AACnD,UAAM,gBAAY,iCAAiB,EAAE,QAAQ,oBAAoB,SAAS,WAAW,CAAC;AAEtF,UAAM,qBAAqB,MAAM,QAAQ,UAAU,UAAU,WAAW;AAAA,MACtE,SAAS;AAAA,MACT,QAAQ;AAAA,MACR,SAAS;AAAA,IACX,CAAC;AAED,QAAI,CAAC,mBAAmB,UAAU;AAChC,YAAM,IAAI,2BAAY,kCAAkC;AAAA,IAC1D;AAEA,uBAAmB;AAAA,EACrB,OAAO;AACL,UAAM,kBAA2B,KAAK,MAAM,oBAAoB;AAChE,uBAAmB,+BAA+B,MAAM,eAAe;AAAA,EACzE;AAEA,QAAM,EAAE,qBAAqB,IAAI,MAAM,UAAU,iCAAiC,gBAAgB;AAElG,2BAAyB;AAAA,IACvB,UAAU,qBAAqB;AAAA,IAC/B,uBAAuB;AAAA,EACzB,CAAC;AACD,QAAM,OACJ,0BAA0B,mBACtB,0CACA,yBACE,8BACA;AAER,QAAM,SAAS,iBAAiB;AAChC,SAAO,EAAE,sBAAsB,kBAAkB,MAAM,OAAO;AAChE;;;AG5HA,IAAAC,iBAA8C;AAC9C,IAAAC,gBAAuC;AACvC,IAAAC,cAAkB;AAEX,IAAM,8BAA8B,cAAE,OAAO;AAAA,EAClD,mCAAmC;AAAA,EAEnC,sCAAsC,cAAE,SAAS,cAAE,MAAM,CAAC;AAAA,EAC1D,sCAAsC,cAAE,SAAS,cAAE,MAAM,CAAC;AAC5D,CAAC;AAGM,IAAM,iCAAiC,cAAE,OAAO;AAAA,EACrD,mCAAmC,cAAE,SAAS,cAAE,MAAM,CAAC;AAAA,EACvD,sCAAsC,cAAE,OAAO;AAAA,EAE/C,sCAAsC,cAAE,SAAS,cAAE,OAAO,CAAC;AAC7D,CAAC;AAGM,IAAM,iCAAiC,cAAE,OAAO;AAAA,EACrD,mCAAmC,4BAA4B,MAAM;AAAA,EACrE,sCAAsC,+BAA+B,MAAM;AAAA,EAC3E,sCAAsC,+BAA+B,MAAM;AAC7E,CAAC;AAMM,IAAM,sBAAsB,cAAE,OAAO;AAAA,EAC1C,mCAAmC,cAAE,SAAS,4BAA4B,MAAM,iCAAiC;AAAA,EACjH,sCAAsC,cAAE;AAAA,IACtC,+BAA+B,MAAM;AAAA,EACvC;AAAA,EACA,sCAAsC,cAAE;AAAA,IACtC,+BAA+B,MAAM;AAAA,EACvC;AACF,CAAC;AAGM,IAAM,4BAA4B,oBAAoB,UAAU,CAAC,oBAAoB;AAC1F,QAAM,uBAAmB;AAAA,IACvB,cAAE,MAAM,CAAC,gCAAgC,6BAA6B,8BAA8B,CAAC;AAAA,IACrG;AAAA,IACA;AAAA,EACF;AAEA,QAAM,cAAc,+BAA+B,UAAU,gBAAgB;AAC7E,MAAI,YAAY,SAAS;AACvB,WAAO;AAAA,MACL,MAAM;AAAA,MACN,iBAAiB;AAAA,QACf,GAAG,YAAY;AAAA,QACf,sCAAsC,gBAAgB,wCAAwC;AAAA,MAChG;AAAA,IACF;AAAA,EACF;AAEA,QAAM,cAAc,+BAA+B,UAAU,gBAAgB;AAC7E,MAAI,YAAY,SAAS;AACvB,WAAO;AAAA,MACL,MAAM;AAAA,MACN,iBAAiB;AAAA,QACf,GAAG,YAAY;AAAA,QACf,sCAAsC,iBAAiB,wCAAwC;AAAA,MACjG;AAAA,IACF;AAAA,EACF;AAGA,QAAM,WAAW,4BAA4B,UAAU,gBAAgB;AACvE,MAAI,SAAS,SAAS;AACpB,WAAO;AAAA,MACL,MAAM;AAAA,MACN,iBAAiB;AAAA,QACf,GAAG,SAAS;AAAA,QACZ,mCAAmC,iBAAiB,qCAAqC;AAAA,MAC3F;AAAA,IACF;AAAA,EACF;AAEA,QAAM,IAAI,2BAAY,gDAAgD;AACxE,CAAC;;;ACnFD,IAAAC,iBAAkE;AAClE,IAAAC,gBAAkF;;;ACDlF,IAAAC,iBAOO;AAuBP,eAAsB,qBAAqB,SAAsC;AAC/E,QAAM,EAAE,WAAW,cAAc,mBAAmB,YAAY,UAAU,IAAI;AAE9E,MAAI;AACJ,MAAI;AAEJ,QAAM,EAAE,KAAK,UAAU,IAAI,MAAM,UAAU,QAAQ,WAAW;AAAA,IAC5D,QAAQ,EAAE,OAAG,uCAAuB,SAAS,GAAG,KAAK,sBAAsB;AAAA,IAC3E,SAAS,EAAE,GAAG,QAAQ,sBAAsB,GAAG,kBAAkB;AAAA,EACnE,CAAC;AACD,qBAAmB;AAEnB,MAAI,cAAc;AAChB,UAAM,mBAAmB,MAAM,UAAU,WAAW,cAAc,gBAAgB;AAClF,uBAAmB,iBAAiB;AACpC,oBAAgB,iBAAiB;AAAA,EACnC;AAEA,QAAM,YAAY,kBAAkB;AACpC,QAAM,gBAAgC,aAClC,EAAE,WAAW,aAAa,WAAW,IACrC,EAAE,WAAW,SAAS,iBAAiB;AAE3C,SAAO,EAAE,eAAe,WAAW,eAAe,iBAAiB;AACrE;;;ACtDA,IAAAC,iBAAiE;AACjE,IAAAC,gBAA0B;AAiBnB,IAAM,+CAA+C,CAC1D,YACG;AACH,QAAM,EAAE,QAAQ,0BAA0B,IAAI;AAE9C,MAAI,CAAC,OAAO,gBAAgB,CAAC,OAAO,cAAc;AAChD,UAAM,IAAI,8CAA+B;AAAA,MACvC,OAAO,gCAAiB;AAAA,MACxB,mBAAmB;AAAA,IACrB,CAAC;AAAA,EACH;AAEA,MAAI,OAAO,gBAAgB,CAAC,CAAC,eAAe,iBAAiB,EAAE,KAAK,CAAC,SAAS,SAAS,OAAO,aAAa,GAAG;AAC5G,UAAM,IAAI,8CAA+B;AAAA,MACvC,OAAO,gCAAiB;AAAA,MACxB,mBAAmB,sHAAsH,OAAO,aAAa;AAAA,IAC/J,CAAC;AAAA,EACH;AAEA,MACE,CAAC,OAAO,6BAA6B,OAAO,yBAAyB,OAAO,YAAY,OAAO,KAAK,EAAE;AAAA,IACpG;AAAA,EACF,EAAE,SAAS,GACX;AACA,UAAM,IAAI,8CAA+B;AAAA,MACvC,OAAO,gCAAiB;AAAA,MACxB,mBACE;AAAA,IACJ,CAAC;AAAA,EACH;AAEA,MAAI,OAAO,sBAAsB,CAAC,OAAO,aAAa;AACpD,UAAM,IAAI,8CAA+B;AAAA,MACvC,OAAO,gCAAiB;AAAA,MACxB,mBACE;AAAA,IACJ,CAAC;AAAA,EACH;AAEA,MAAI,OAAO,sBAAsB,CAAC,CAAC,OAAO,MAAM,EAAE,SAAS,OAAO,kBAAkB,GAAG;AACrF,UAAM,IAAI,8CAA+B;AAAA,MACvC,OAAO,gCAAiB;AAAA,MACxB,mBAAmB,wEAAwE,OAAO,kBAAkB;AAAA,IACtH,CAAC;AAAA,EACH;AAEA,MAAI,OAAO,eAAe,CAAC,wBAAU,UAAU,OAAO,SAAS,EAAE,SAAS;AACxE,UAAM,IAAI,8CAA+B;AAAA,MACvC,OAAO,gCAAiB;AAAA,MACxB,mBACE;AAAA,IACJ,CAAC;AAAA,EACH;AAEA,MAAI,2BAA2B,iBAAiB,CAAC,OAAO,cAAc;AACpE,UAAM,IAAI,8CAA+B;AAAA,MACvC,OAAO,gCAAiB;AAAA,MACxB,mBACE;AAAA,IACJ,CAAC;AAAA,EACH;AAEA,MAAI,2BAA2B,kBAAkB,OAAO,cAAc;AACpE,UAAM,IAAI,8CAA+B;AAAA,MACvC,OAAO,gCAAiB;AAAA,MACxB,mBACE;AAAA,IACJ,CAAC;AAAA,EACH;AAEA,MAAI,OAAO,UAAU,WAAW,aAAa,GAAG;AAC9C,UAAM,IAAI,8CAA+B;AAAA,MACvC,OAAO,gCAAiB;AAAA,MACxB,mBAAmB,kIAAkI,OAAO,SAAS;AAAA,IACvK,CAAC;AAAA,EACH;AACF;;;AC9FA,IAAAC,iBAAiE;AAa1D,IAAM,oDAAoD,CAC/D,YACG;AACH,QAAM,EAAE,QAAQ,cAAc,sBAAsB,OAAO,IAAI;AAE/D,MAAI,gBAAgB,CAAC,OAAO,kBAAkB;AAC5C,UAAM,IAAI,8CAA+B;AAAA,MACvC,OAAO,gCAAiB;AAAA,MACxB,mBAAmB;AAAA,IACrB,CAAC;AAAA,EACH;AAEA,MAAI,CAAC,OAAO,yBAAyB,OAAO,UAAU,EAAE,OAAO,OAAO,EAAE,SAAS,GAAG;AAClF,UAAM,IAAI,8CAA+B;AAAA,MACvC,OAAO,gCAAiB;AAAA,MACxB,mBACE;AAAA,IACJ,CAAC;AAAA,EACH;AAEA,MAAI,OAAO,oBAAoB,CAAC,sBAAsB;AACpD,QAAI,CAAC,QAAQ;AACX,YAAM,IAAI,8CAA+B;AAAA,QACvC,OAAO,gCAAiB;AAAA,QACxB,mBAAmB;AAAA,MACrB,CAAC;AAAA,IACH;AAEA,QAAI,OAAO,oBAAoB,CAAC,OAAO,iBAAiB,SAAS,MAAM,GAAG;AACxE,YAAM,IAAI,8CAA+B;AAAA,QACvC,OAAO,gCAAiB;AAAA,QACxB,mBAAmB,mGAAmG,OAAO,iBAAiB,KAAK,IAAI,CAAC;AAAA,MAC1J,CAAC;AAAA,IACH;AAAA,EACF;AACF;;;AChDA,IAAAC,gBAA0B;AAC1B,IAAAC,cAAkB;;;ACDlB,IAAAC,iBAAwB;AACxB,IAAAC,gBAA0B;AAC1B,IAAAC,cAAkB;;;ACFlB,IAAAC,cAAkB;AACX,IAAM,sBAAsB,cAAE;AAAA,EACnC,cAAE,OAAO;AAAA,EACT,cACG,OAAO;AAAA,IACN,sBAAsB,cAAE,SAAS,cAAE,MAAM,cAAE,OAAO,CAAC,CAAC;AAAA,EACtD,CAAC,EACA,YAAY;AACjB;;;ADAO,IAAM,kBAAkB,cAC5B,OAAO;AAAA,EACN,MAAM,cAAE,SAAS,sBAAO;AAAA,EACxB,YAAY,cAAE,SAAS,mBAAmB;AAAA,EAC1C,GAAG,oBAAoB;AAAA,EACvB,UAAU,wBAAU,SAAS;AAAA,EAC7B,aAAa,cAAE,OAAO,EAAE,SAAS;AACnC,CAAC,EACA,YAAY;;;ADZR,IAAM,iCAAiC,cAC3C,OAAO;AAAA,EACN,eAAe,cAAE,QAAQ,UAAU;AAAA,EACnC,WAAW,cAAE,OAAO;AAAA,EACpB,cAAc,wBAAU,SAAS;AAAA,EACjC,cAAc,wBAAU,SAAS;AAAA,EACjC,aAAa,wBAAU,SAAS;AAAA,EAChC,oBAAoB,cAAE,SAAS,cAAE,OAAO,CAAC;AAAA,EACzC,eAAe,cAAE,KAAK,CAAC,eAAe,iBAAiB,CAAC,EAAE,SAAS;AAAA,EACnE,OAAO,cAAE,OAAO;AAAA,EAChB,cAAc,cAAE,OAAO,EAAE,SAAS;AAAA,EAClC,OAAO,cAAE,OAAO,EAAE,SAAS;AAAA,EAC3B,yBAAyB,cAAE,OAAO,cAAE,IAAI,CAAC,EAAE,SAAS;AAAA,EACpD,6BAA6B,wBAAU,SAAS;AAAA,EAChD,YAAY,cAAE,OAAO,cAAE,IAAI,CAAC,EAAE,SAAS;AAAA,EACvC,iBAAiB,gBAAgB,SAAS;AAAA,EAC1C,qBAAqB,wBAAU,SAAS;AAAA,EACxC,OAAO,cAAE,OAAO,EAAE,SAAS;AAAA,EAC3B,kBAAkB,cAAE,MAAM,cAAE,OAAO,CAAC,EAAE,SAAS;AAAA,EAC/C,aAAa,cAAE,QAAQ,EAAE,SAAS;AAAA,EAClC,kBAAkB,cACf,KAAK;AAAA,IACJ;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,EACF,CAAC,EACA,SAAS;AACd,CAAC,EACA,YAAY;;;AGpCf,IAAAC,cAAkB;AAIX,IAAM,sCAAsC,+BAChD,KAAK;AAAA,EACJ,WAAW;AAAA,EACX,eAAe;AAAA,EACf,eAAe;AAAA,EACf,OAAO;AAAA,EACP,yBAAyB;AAAA,EACzB,iBAAiB;AAAA,EACjB,kBAAkB;AAAA,EAClB,YAAY;AACd,CAAC,EACA,OAAO;AAAA,EACN,WAAW,cAAE,SAAS,cAAE,OAAO,CAAC;AAAA,EAChC,kBAAkB,cAAE,MAAM,cAAE,OAAO,CAAC,EAAE,SAAS;AAAA,EAC/C,eAAe,cAAE,KAAK,CAAC,UAAU,cAAc,kBAAkB,YAAY,CAAC;AAAA,EAC9E,kBAAkB,cACf,KAAK;AAAA,IACJ;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,EACF,CAAC,EACA,SAAS;AACd,CAAC,EACA,MAAM;AAIF,SAAS,qCACd,SAC+C;AAC/C,SACE,QAAQ,kBAAkB,YAC1B,QAAQ,kBAAkB,gBAC1B,QAAQ,kBAAkB,oBAC1B,QAAQ,kBAAkB;AAE9B;;;APAA,eAAsB,oCAAoC,SAAqD;AAC7G,QAAM,EAAE,KAAK,SAAS,gBAAgB,gBAAgB,QAAQ,UAAU,IAAI;AAE5E,MAAI;AAEJ,MAAI;AACJ,MAAI,qCAAqC,cAAc,GAAG;AACxD,4BAAoB;AAAA,MAClB;AAAA,MACA;AAAA,MACA;AAAA,IACF;AAEA,QAAI,OAAO,CAAC,kBAAkB,kBAAkB;AAC9C,YAAM,IAAI;AAAA,QACR;AAAA,MACF;AAAA,IACF;AAEA,sDAAkD;AAAA,MAChD,QAAQ;AAAA,MACR,cAAc,QAAQ,GAAG;AAAA,MACzB,sBAAsB;AAAA,IACxB,CAAC;AAAA,EACH,OAAO;AACL,4BAAoB;AAAA,MAClB;AAAA,MACA;AAAA,MACA;AAAA,IACF;AACA,iDAA6C,EAAE,QAAQ,mBAAmB,2BAA2B,OAAO,CAAC;AAAA,EAC/G;AAEA,MAAI,KAAK;AACP,QAAI,CAAC,IAAI,sBAAsB,KAAK;AAClC,6BAAuB,EAAE,GAAG,IAAI,sBAAsB,KAAK,IAAI,WAAW;AAAA,IAC5E;AAAA,EACF;AAEA,MAAI,KAAK;AACP,UAAM,YAAY,MAAM,qBAAqB;AAAA,MAC3C,GAAG;AAAA,MACH,mBAAmB;AAAA,MACnB;AAAA,MACA;AAAA,IACF,CAAC;AAED,UAAMC,OAAM,IAAI,kBAAI,MAAM;AAC1B,IAAAA,KAAI,SAAS,IAAI,IAAI,8BAAgB;AAAA,MACnC,GAAGA,KAAI,aAAa,QAAQ;AAAA,MAC5B,OAAG,mCAAoB,UAAU,aAAa,EAAE,QAAQ;AAAA,IAC1D,CAAC,EAAE,SAAS,CAAC;AAEb,WAAO;AAAA,MACL,mBAAmB,UAAU;AAAA,MAC7B,aAAaA,KAAI,SAAS;AAAA,MAC1B,KAAK,EAAE,GAAG,KAAK,GAAG,UAAU;AAAA,IAC9B;AAAA,EACF;AAEA,QAAM,MAAM,IAAI,kBAAI,MAAM;AAC1B,MAAI,SAAS,IAAI,IAAI,8BAAgB;AAAA,IACnC,GAAG,IAAI,aAAa,QAAQ;AAAA,IAC5B,OAAG,mCAAoB,cAAc,EAAE,QAAQ;AAAA,EACjD,CAAC,EAAE,SAAS,CAAC;AAEb,SAAO;AAAA,IACL,mBAAmB;AAAA,IACnB,aAAa,IAAI,SAAS;AAAA,IAC1B,KAAK;AAAA,EACP;AACF;;;AQnHA,IAAAC,kBAA0B;AAC1B,IAAAC,gBAAoB;AACpB,IAAAA,gBAAuC;AACvC,IAAAC,eAAc;;;ACHd,IAAAC,kBAA+C;AAC/C,IAAAC,gBAA0B;AAC1B,IAAAC,cAAkB;AAIX,IAAM,kBAAkB,cAC5B,OAAO;AAAA,EACN,SAAS,cAAE,SAAS,cAAE,OAAO,CAAC;AAAA,EAC9B,aAAa,cAAE,SAAS,uBAAS;AAAA,EACjC,oBAAoB,cAAE,SAAS,cAAE,OAAO,CAAC;AAAA,EACzC,WAAW,cAAE,SAAS,cAAE,OAAO,CAAC;AAClC,CAAC,EACA,YAAY;AAGR,SAAS,yBAAyB,SAA+C;AACtF,QAAM,EAAE,iBAAiB,IAAI;AAE7B,MAAI,iBAAiB,WAAW,iBAAiB,aAAa;AAC5D,UAAM,IAAI,+CAA+B;AAAA,MACvC,OAAO;AAAA,MACP,mBAAmB;AAAA,IACrB,CAAC;AAAA,EACH;AAEA,MAAI,CAAC,iBAAiB,WAAW,CAAC,iBAAiB,aAAa;AAC9D,UAAM,IAAI,+CAA+B;AAAA,MACvC,OAAO;AAAA,MACP,mBAAmB;AAAA,IACrB,CAAC;AAAA,EACH;AAEA,SAAO;AAET;AAEO,SAAS,iBACd,SAC2B;AAC3B,SAAO,aAAa,WAAW,iBAAiB;AAClD;;;ADPO,SAAS,0CACd,SACiF;AACjF,QAAM,EAAE,qBAAqB,IAAI;AACjC,MAAI,WAAqC;AAEzC,MAAI;AACJ,MAAI,OAAO,yBAAyB,UAAU;AAC5C,QAAI,qBAAqB,SAAS,KAAK,GAAG;AACxC,YAAM,MAAM,IAAI,kBAAI,oBAAoB;AACxC,eAAS,OAAO,YAAY,IAAI,YAAY;AAC5C,iBAAW;AAAA,IACb,OAAO;AACL,YAAM,cAAU,2BAAU,EAAE,KAAK,qBAAqB,CAAC;AACvD,eAAS,QAAQ;AACjB,iBAAW;AAAA,IACb;AAAA,EACF,OAAO;AACL,aAAS;AAAA,EACX;AAEA,QAAM,oBAAgB;AAAA,IACpB,aAAAC,QAAE,MAAM,CAAC,gCAAgC,iBAAiB,mCAAmC,CAAC;AAAA,IAC9F;AAAA,EACF;AAEA,MAAI,iBAAiB,aAAa,GAAG;AACnC,WAAO;AAAA,MACL,MAAM;AAAA,MACN;AAAA,MACA,QAAQ;AAAA,IACV;AAAA,EACF;AAEA,MAAI,qCAAqC,aAAa,GAAG;AACvD,WAAO;AAAA,MACL,MAAM;AAAA,MACN;AAAA,MACA,QAAQ;AAAA,IACV;AAAA,EACF;AAEA,SAAO;AAAA,IACL,MAAM;AAAA,IACN;AAAA,IACA,QAAQ;AAAA,EACV;AACF;;;AEjFA,IAAAC,kBAAuF;AACvF,IAAAC,iBAAuC;AACvC,IAAAC,eAAc;;;ACFd,IAAAC,kBAAkF;;;ACAlF,IAAAC,kBAAiE;AAW1D,SAAS,iCACd,SACkB;AAClB,QAAM,eAAiD,CAAC;AAIxD,QAAM,aAAa,QAAQ,iBAAiB;AAuB5C,MACE,qCAAqC,OAAO,MAC3C,QAAQ,kBAAkB,gBAAgB,QAAQ,kBAAkB,mBACrE;AACA,iBAAa,KAAK,CAAC,KAAK,EAAE,CAAC;AAC3B,iBAAa,KAAK,CAAC,MAAM,EAAE,CAAC;AAAA,EAC9B;AAEA,MACG,qCAAqC,OAAO,KAAK,QAAQ,kBAAkB,YAC5E,QAAQ,kBAAkB,cAC1B;AACA,iBAAa,KAAK,CAAC,MAAM,EAAE,CAAC;AAAA,EAC9B;AAEA,MAAI,qCAAqC,OAAO,MAAM,QAAQ,oBAAoB,QAAQ,aAAa;AACrG,iBAAa,KAAK,CAAC,MAAM,EAAE,CAAC;AAAA,EAC9B;AAIA,MAAI,QAAQ,YAAY;AACtB,iBAAa,KAAK,CAAC,MAAM,EAAE,CAAC;AAAA,EAC9B;AAEA,MAAI,QAAQ,kBAAkB;AAC5B,iBAAa,KAAK,CAAC,MAAM,EAAE,CAAC;AAAA,EAC9B;AAEA,MAAI,QAAQ,kBAAkB;AAC5B,iBAAa,KAAK,CAAC,KAAK,EAAE,CAAC;AAAA,EAC7B;AAMA,MAAI,QAAQ,WAAW;AACrB,UAAM,aAAa,QAAQ,UAAU,QAAQ,GAAG;AAChD,UAAM,aAAa,QAAQ,UAAU,UAAU,GAAG,UAAU;AAC5D,UAAM,eAAe,gBAAgB,UAAU,UAAU;AAGzD,QAAI,aAAa,WAAW,aAAa,SAAS,SAAS,aAAa,SAAS,SAAS;AACxF,mBAAa,KAAK,CAAC,MAAM,EAAE,CAAC;AAAA,IAC9B;AAAA,EACF;AAGA,MAAI,CAAC,QAAQ,WAAW;AACtB,iBAAa,KAAK,CAAC,MAAM,EAAE,CAAC;AAAA,EAC9B;AAIA,MAAI,yBAAyB,SAAS;AACpC,iBAAa,KAAK,CAAC,KAAK,EAAE,CAAC;AAAA,EAC7B;AAEA,MAAI,qCAAqC,OAAO,GAAG;AACjD,iBAAa,KAAK,CAAC,MAAM,EAAE,CAAC;AAAA,EAC9B;AAEA,MAAI,wBAAwB,WAAW,kBAAkB,SAAS;AAChE,iBAAa,KAAK,CAAC,MAAM,EAAE,CAAC;AAAA,EAC9B;AAIA,MAAI,QAAQ,qBAAqB,wBAAwB;AACvD,iBAAa,KAAK,CAAC,MAAM,EAAE,CAAC;AAAA,EAC9B;AAIA,MAAI,QAAQ,qBAAqB,kBAAkB,QAAQ,qBAAqB,gBAAgB;AAC9F,iBAAa,KAAK,CAAC,MAAM,EAAE,CAAC;AAAA,EAC9B;AAGA,QAAM,mBAAmB,aAAa,OAAO,CAAC,CAAC,QAAQ,MAAM,aAAa,GAAG,EAAE,IAAI,CAAC,CAAC,GAAG,OAAO,MAAM,OAAO;AAE5G,QAAM,sBAAsB,aAAa,OAAO,CAAC,CAAC,QAAQ,MAAM,aAAa,IAAI,EAAE,IAAI,CAAC,CAAC,GAAG,OAAO,MAAM,OAAO;AAGhH,QAAM,yBACJ,iBAAiB,SAAS,IAAK,KAAK,IAAI,KAAK,IAAI,GAAG,gBAAgB,IAAI,GAAG,EAAE,IAA0B;AAGzG,QAAM,wBACJ,oBAAoB,SAAS,IAAK,KAAK,IAAI,GAAG,mBAAmB,IAA0B;AAI7F,MAAI,wBAAwB,wBAAwB;AAElD,UAAM,IAAI,+CAA+B;AAAA,MACvC,OAAO,iCAAiB;AAAA,MACxB,mBAAmB;AAAA,IACrB,CAAC;AAAA,EACH;AAEA,SAAO;AACT;;;AD/EA,SAAS,YAAY,SAAwC;AAC3D,MAAI,qCAAqC,QAAQ,OAAO,GAAG;AACzD,QAAI,CAAC,QAAQ,QAAQ;AACnB,YAAM,IAAI,+CAA+B;AAAA,QACvC,OAAO,iCAAiB;AAAA,QACxB,mBACE;AAAA,MACJ,CAAC;AAAA,IACH;AAEA,QAAI,CAAC,QAAQ,OAAO,CAAC,QAAQ,QAAQ,UAAW,QAAO,cAAc,QAAQ,MAAM;AAEnF,WAAO,QAAQ,QAAQ;AAAA,EACzB;AAEA,SAAO,QAAQ,QAAQ;AACzB;AAEA,SAAS,kBAAkB,SAAwC;AACjE,QAAM,uBAAuB,QAAQ,QAAQ,oBAAoB;AAEjE,MAAI;AACJ,MAAI,yBAAyB,aAAa;AACxC,qBAAiB;AAAA,EACnB,OAAO;AACL,qBAAiB;AAAA,EACnB;AAEA,MAAI,qCAAqC,QAAQ,OAAO,GAAG;AACzD,QAAI,CAAC,QAAQ,QAAQ;AACnB,YAAM,IAAI,+CAA+B;AAAA,QACvC,OAAO,iCAAiB;AAAA,QACxB,mBACE;AAAA,MACJ,CAAC;AAAA,IACH;AAEA,QAAI,CAAC,QAAQ,OAAO,CAAC,QAAQ,QAAQ,UAAW,QAAO,cAAc,QAAQ,MAAM;AAEnF,WAAO,GAAG,cAAc,IAAI,QAAQ,QAAQ,SAAS;AAAA,EACvD;AAEA,MAAI,mBAAmB,WAAW,mBAAmB,OAAO;AAC1D,WAAO,QAAQ,QAAQ;AAAA,EACzB;AAEA,MAAI,mBAAmB,kBAAkB;AACvC,WAAO,QAAQ,QAAQ;AAAA,EACzB;AAEA,SAAO,GAAG,cAAc,IAAI,QAAQ,QAAQ,SAAS;AACvD;AAKO,SAAS,sBACd,SACA,cACwB;AACxB,QAAM,EAAE,SAAS,IAAI,IAAI;AAEzB,QAAM,UAAU,iCAAiC,OAAO;AAExD,MAAI,UAAU,IAAI;AAChB,UAAM,uBAAuB,QAAQ,oBAAoB;AAEzD,QAAI;AACJ,QAAI,sBAAsB;AACxB,UAAI,yBAAyB,aAAa;AACxC,wBAAgB;AAAA,MAClB,OAAO;AACL,wBAAgB;AAAA,MAClB;AAAA,IACF;AAAA,EACF;AAEA,QAAM,iBAAiB,qCAAqC,OAAO;AACnE,QAAM,WAAW,UAAU,KAAK,kBAAkB,OAAO,IAAI,YAAY,OAAO;AAGhF,QAAM,2BAA2B;AAAA,IAC/B,kBAAkB,cAAc,oBAAoB,OAAO,OAAO,gBAAgB,OAAO;AAAA,EAC3F;AAEA,QAAM,aAAa,SAAS,QAAQ,GAAG;AACvC,MAAI,eAAe,IAAI;AACrB,WAAO;AAAA,MACL,QAAQ;AAAA,MACR,YAAY;AAAA,MACZ,eAAe;AAAA,MACf,gBAAgB,QAAQ;AAAA,IAC1B;AAAA,EACF;AAEA,QAAM,aAAa,SAAS,UAAU,GAAG,UAAU;AACnD,QAAM,iBAAiB,SAAS,UAAU,aAAa,CAAC;AAExD,MAAI,CAAC,yBAAyB,iBAAiB,SAAS,UAA4B,GAAG;AACrF,UAAM,IAAI,+CAA+B;AAAA,MACvC,OAAO,iCAAiB;AAAA,MACxB,mBAAmB,yCAAyC,UAAU;AAAA,IACxE,CAAC;AAAA,EACH;AAEA,QAAM,SAAS;AACf,MAAI,WAAW,SAAS;AAEtB,QAAI,gBAAgB;AAClB,YAAM,IAAI,+CAA+B;AAAA,QACvC,OAAO,iCAAiB;AAAA,QACxB,mBAAmB;AAAA,MACrB,CAAC;AAAA,IACH;AAEA,QAAI,CAAC,SAAS,WAAW,UAAU,KAAK,MAAE,iCAAgB,EAAE,qBAAqB,SAAS,WAAW,SAAS,IAAI;AAChH,YAAM,IAAI,+CAA+B;AAAA,QACvC,OAAO,iCAAiB;AAAA,QACxB,mBACE;AAAA,MACJ,CAAC;AAAA,IACH;AAEA,WAAO;AAAA,MACL;AAAA,MACA,YAAY;AAAA,MACZ,eAAe;AAAA,MACf,YAAY,QAAQ;AAAA,IACtB;AAAA,EACF;AAEA,MAAI,WAAW,gBAAgB;AAC7B,QAAI,KAAK;AACP,YAAM,IAAI,+CAA+B;AAAA,QACvC,OAAO,iCAAiB;AAAA,QACxB,mBAAmB;AAAA,MACrB,CAAC;AAAA,IACH;AAEA,QAAI,qCAAqC,OAAO,GAAG;AACjD,YAAM,IAAI,+CAA+B;AAAA,QACvC,OAAO,iCAAiB;AAAA,QACxB,mBAAmB;AAAA,MACrB,CAAC;AAAA,IACH;AAEA,WAAO;AAAA,MACL;AAAA,MACA,YAAY;AAAA,MACZ,eAAe;AAAA,MACf,aAAc,QAAQ,gBAAgB,QAAQ;AAAA,IAChD;AAAA,EACF;AAEA,MAAI,WAAW,OAAO;AACpB,QAAI,CAAC,KAAK;AACR,YAAM,IAAI,+CAA+B;AAAA,QACvC,OAAO,iCAAiB;AAAA,QACxB,mBAAmB;AAAA,MACrB,CAAC;AAAA,IACH;AAEA,QAAI,CAAC,SAAS,WAAW,MAAM,GAAG;AAChC,YAAM,IAAI,+CAA+B;AAAA,QACvC,OAAO,iCAAiB;AAAA,QACxB,mBAAmB;AAAA,MACrB,CAAC;AAAA,IACH;AAEA,QAAI,CAAC,IAAI,OAAO,UAAU,KAAK;AAC7B,YAAM,IAAI,+CAA+B;AAAA,QACvC,OAAO,iCAAiB;AAAA,QACxB,mBAAmB;AAAA,MACrB,CAAC;AAAA,IACH;AAEA,QAAI,CAAC,IAAI,OAAO,UAAU,KAAK,WAAW,QAAQ,GAAG;AACnD,YAAM,IAAI,+CAA+B;AAAA,QACvC,OAAO,iCAAiB;AAAA,QACxB,mBACE;AAAA,MACJ,CAAC;AAAA,IACH;AAEA,WAAO;AAAA,MACL;AAAA,MACA,YAAY;AAAA,MACZ,eAAe;AAAA,MACf,QAAQ,IAAI,OAAO,UAAU;AAAA,IAC/B;AAAA,EACF;AAEA,MAAI,WAAW,kBAAkB,WAAW,gBAAgB;AAC1D,QAAI,CAAC,KAAK;AACR,YAAM,IAAI,+CAA+B;AAAA,QACvC,OAAO,iCAAiB;AAAA,QACxB,mBACE;AAAA,MACJ,CAAC;AAAA,IACH;AAEA,QAAI,IAAI,OAAO,WAAW,OAAO;AAC/B,YAAM,IAAI,+CAA+B;AAAA,QACvC,OAAO,iCAAiB;AAAA,QACxB,mBACE;AAAA,MACJ,CAAC;AAAA,IACH;AAEA,QAAI,WAAW,gBAAgB;AAC7B,UAAI,CAAC,QAAQ,UAAU,4BAA4B;AACjD,cAAM,IAAI;AAAA,UACR;AAAA,YACE,OAAO,iCAAiB;AAAA,UAC1B;AAAA,UACA;AAAA,YACE,iBACE;AAAA,UACJ;AAAA,QACF;AAAA,MACF;AAEA,YAAM,EAAE,YAAY,IAAI,QAAQ,UAAU,2BAA2B,IAAI,OAAO,IAAI,CAAC,CAAC;AACtF,UAAI,CAAC,YAAY,SAAS,cAAc,GAAG;AACzC,cAAM,IAAI,+CAA+B;AAAA,UACvC,OAAO,iCAAiB;AAAA,UACxB,mBAAmB,0EAA0E,YAAY,KAAK,IAAI,CAAC,uCAAuC,cAAc;AAAA,QAC1K,CAAC;AAAA,MACH;AAEA,UAAI,CAAC,qCAAqC,OAAO,GAAG;AAClD,cAAM,MAAM,QAAQ,gBAAgB,QAAQ;AAC5C,YAAI,CAAC,OAAO,iBAAiB,GAAG,MAAM,gBAAgB;AACpD,gBAAM,IAAI,+CAA+B;AAAA,YACvC,OAAO,iCAAiB;AAAA,YACxB,mBACE;AAAA,UACJ,CAAC;AAAA,QACH;AAAA,MACF;AAAA,IACF,WAAW,WAAW,gBAAgB;AACpC,UAAI,CAAC,QAAQ,UAAU,4BAA4B;AACjD,cAAM,IAAI;AAAA,UACR;AAAA,YACE,OAAO,iCAAiB;AAAA,UAC1B;AAAA,UACA;AAAA,YACE,iBACE;AAAA,UACJ;AAAA,QACF;AAAA,MACF;AAEA,YAAM,EAAE,YAAY,IAAI,QAAQ,UAAU,2BAA2B,IAAI,OAAO,IAAI,CAAC,CAAC;AACtF,UAAI,CAAC,YAAY,SAAS,cAAc,GAAG;AACzC,cAAM,IAAI,+CAA+B;AAAA,UACvC,OAAO,iCAAiB;AAAA,UACxB,mBAAmB,0EAA0E,YAAY,KAAK,IAAI,CAAC,uCAAuC,cAAc;AAAA,QAC1K,CAAC;AAAA,MACH;AAEA,UAAI,CAAC,qCAAqC,OAAO,GAAG;AAClD,cAAM,MAAM,QAAQ,gBAAgB,QAAQ;AAC5C,YAAI,CAAC,OAAO,QAAQ,gBAAgB;AAClC,gBAAM,IAAI,+CAA+B;AAAA,YACvC,OAAO,iCAAiB;AAAA,YACxB,mBACE;AAAA,UACJ,CAAC;AAAA,QACH;AAAA,MACF;AAAA,IACF;AAEA,WAAO;AAAA,MACL;AAAA,MACA,YAAY;AAAA,MACZ,eAAe;AAAA,MACf,KAAK,IAAI,OAAO;AAAA,IAClB;AAAA,EACF;AAEA,MAAI,WAAW,cAAc;AAC3B,WAAO;AAAA,MACL;AAAA,MACA,YAAY;AAAA,MACZ,eAAe;AAAA,MACf,gBAAgB,QAAQ;AAAA,IAC1B;AAAA,EACF;AAEA,MAAI,WAAW,wBAAwB;AACrC,QAAI,CAAC,KAAK;AACR,YAAM,IAAI,+CAA+B;AAAA,QACvC,OAAO,iCAAiB;AAAA,QACxB,mBAAmB;AAAA,MACrB,CAAC;AAAA,IACH;AAAA,EACF;AAEA,SAAO;AAAA,IACL;AAAA,IACA,YAAY;AAAA,IACZ,eAAe;AAAA,EACjB;AACF;AAEA,SAAS,iBAAiB,KAAqB;AAC7C,MAAI;AACF,UAAM,QAAQ;AACd,UAAM,SAAS,IAAI,MAAM,KAAK,EAAE,CAAC,EAAE,MAAM,KAAK,EAAE,CAAC;AACjD,WAAO;AAAA,EACT,SAAS,OAAO;AACd,UAAM,IAAI,+CAA+B;AAAA,MACvC,OAAO,iCAAiB;AAAA,MACxB,mBAAmB,QAAQ,GAAG;AAAA,IAChC,CAAC;AAAA,EACH;AACF;;;AE9XA,IAAAC,kBAAiE;AACjE,IAAAC,iBAA2E;;;ACD3E,IAAAC,eAAkB;AAIX,IAAM,kBAAkB,eAAE,OAAO;AAAA,EACtC,uCAAuC,eAAE,SAAS,eAAE,QAAQ,CAAC;AAAA,EAC7D,sBAAsB;AAAA,EACtB,6BAA6B,eAAE,SAAS,eAAE,MAAM,eAAe,CAAC;AAAA,EAChE,6CAA6C,eAAE,SAAS,eAAE,MAAM,eAAE,OAAO,CAAC,CAAC;AAAA,EAC3E,+CAA+C,eAAE,SAAS,eAAE,MAAM,eAAE,OAAO,CAAC,CAAC;AAAA,EAC7E,+CAA+C,eAAE,SAAS,eAAE,MAAM,eAAE,OAAO,CAAC,CAAC;AAC/E,CAAC;;;ADND,eAAsB,oBAA+C,SAGjC;AAClC,QAAM,EAAE,OAAO,kBAAkB,IAAI;AACrC,QAAM,cAAU,iCAAiB,KAAK;AAEtC,QAAM,EAAE,QAAQ,SAAS,IAAI,MAAM,QAAQ,iBAAiB,2BAAY,MAAM,mBAAmB;AAAA,IAC/F,QAAQ;AAAA,IACR,SAAS;AAAA,MACP,QAAQ,2BAAY;AAAA,IACtB;AAAA,EACF,CAAC;AAED,MAAI,CAAC,SAAS,IAAI;AAChB,UAAM,IAAI,+CAA+B;AAAA,MACvC,mBAAmB,kCAAkC,iBAAiB,8BAA8B,SAAS,MAAM;AAAA,MACnH,OAAO,iCAAiB;AAAA,IAC1B,CAAC;AAAA,EACH;AAEA,MAAI,CAAC,UAAU,CAAC,OAAO,SAAS;AAC9B,UAAM,IAAI,+CAA+B;AAAA,MACvC,mBAAmB,iCAAiC,iBAAiB;AAAA,MACrE,OAAO,iCAAiB;AAAA,IAC1B,CAAC;AAAA,EACH;AAEA,SAAO,OAAO;AAChB;;;AElCA,IAAAC,kBAWO;;;ACXP,IAAAC,kBAAiE;AACjE,IAAAC,iBAAgG;AAChG,IAAAC,eAAkB;AAelB,eAAsB,sBAAiD,SASnC;AAClC,QAAM,EAAE,YAAY,wBAAwB,QAAQ,QAAQ,MAAM,IAAI;AACtE,QAAM,cAAU,iCAAiB,KAAK;AAEtC,MAAI,cAAc,OAAO,WAAW,EAAE,iBAAiB,OAAO,UAAU,cAAc,OAAO,MAAM,IAAI;AACvG,MACE,aAAa,iBAAiB,+CAC9B,2BAA2B,gBAC3B;AAEA,UAAM,EAAE,6CAA6C,GAAG,KAAK,IAAI,YAAY;AAC7E,kBAAc,EAAE,GAAG,aAAa,iBAAiB,EAAE,GAAG,KAAK,EAAE;AAAA,EAC/D;AAEA,QAAM,EAAE,QAAQ,SAAS,IAAI,MAAM,QAAQ,eAAE,OAAO,GAAG,2BAAY,uBAAuB,YAAY;AAAA,IACpG;AAAA,IACA,SAAS;AAAA,MACP,QAAQ,GAAG,2BAAY,qBAAqB,KAAK,2BAAY,GAAG;AAAA,MAChE,gBAAgB,2BAAY;AAAA,IAC9B;AAAA,IACA,MAAM,WAAW,aAAS,oCAAoB,OAAO,YAAY,CAAC,CAAC,IAAI;AAAA,EACzE,CAAC;AAED,MAAI,CAAC,SAAS,IAAI;AAChB,UAAM,IAAI,+CAA+B;AAAA,MACvC,mBAAmB,6CAA6C,UAAU,8BAA8B,SAAS,MAAM;AAAA,MACvH,OAAO,iCAAiB;AAAA,IAC1B,CAAC;AAAA,EACH;AAEA,MAAI,CAAC,UAAU,CAAC,OAAO,SAAS;AAC9B,UAAM,IAAI,+CAA+B;AAAA,MACvC,mBAAmB,4CAA4C,UAAU;AAAA,MACzE,OAAO,iCAAiB;AAAA,IAC1B,CAAC;AAAA,EACH;AAEA,SAAO,OAAO;AAChB;;;AChEA,IAAAC,kBAA4B;AAC5B,IAAAC,eAAkB;AAEX,IAAM,2BAA2B,eACrC,OAAO;AAAA,EACN,GAAG,4BAAY;AAAA,EACf,WAAW,eAAE,OAAO;AACtB,CAAC,EACA,YAAY;;;AFmCf,eAAsB,iBAAiB,SAA+D;AACpG,QAAM,EAAE,WAAW,SAAS,CAAC,EAAE,IAAI;AAEnC,QAAM,mBAAmB,yBAAyB,OAAO;AAEzD,QAAM,SAAS,iBAAiB,UAAU,UAAU;AACpD,QAAM,yBAAyC,iBAAiB,YAC5D,gBAAgB,MAAM,iBAAiB,UAAU,MAAM,GAAG,EAAE,CAAC,CAAC,IAC9D;AAEJ,QAAM,SAAS,iBAAiB,sBAAsB;AACtD,MAAI,WAAW,SAAS,WAAW,QAAQ;AACzC,UAAM,IAAI,+CAA+B;AAAA,MACvC,OAAO,iCAAiB;AAAA,MACxB,mBAAmB;AAAA,IACrB,CAAC;AAAA,EACH;AAEA,QAAM,gBACJ,iBAAiB,WAChB,MAAM,sBAAsB;AAAA,IAC3B,YAAY,iBAAiB;AAAA,IAC7B;AAAA,IACA;AAAA,IACA;AAAA,EACF,CAAC;AAEH,QAAM,2BAA2B,4BAAY,UAAU,aAAa,EAAE;AACtE,QAAM,EAAE,eAAe,SAAS,uBAAuB,IAAI,2BACvD,MAAM,kBAAkB,EAAE,KAAK,eAAe,UAAU,CAAC,IACzD,EAAE,SAAS,eAAe,eAAe,OAAU;AAEvD,QAAM,kBAAkB,4BAAY,UAAU,sBAAsB,EAAE;AACtE,MAAI,CAAC,iBAAiB;AACpB,UAAM,IAAI,+CAA+B;AAAA,MACvC,OAAO,iCAAiB;AAAA,MACxB,mBAAmB;AAAA,IACrB,CAAC;AAAA,EACH;AAEA,QAAM,EAAE,mBAAmB,OAAO,IAAI,MAAM,uBAAuB;AAAA,IACjE;AAAA,IACA;AAAA,EACF,CAAC;AACD,MAAI,CAAC,kBAAkB,WAAW;AAChC,UAAM,IAAI,+CAA+B;AAAA,MACvC,OAAO,iCAAiB;AAAA,MACxB,mBAAmB;AAAA,IACrB,CAAC;AAAA,EACH;AAEA,MAAI,iBAAiB,cAAc,kBAAkB,WAAW;AAC9D,UAAM,IAAI,+CAA+B;AAAA,MACvC,OAAO,iCAAiB;AAAA,MACxB,mBAAmB;AAAA,IACrB,CAAC;AAAA,EACH;AAEA,SAAO;AAAA,IACL;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,EACF;AACF;AAEA,eAAe,kBAAkB,SAG9B;AACD,QAAM,EAAE,KAAK,UAAU,IAAI;AAE3B,QAAM,EAAE,OAAO,QAAI,2BAAU,EAAE,KAAK,IAAI,CAAC;AACzC,MAAI,CAAC,OAAO,KAAK;AACf,UAAM,IAAI,+CAA+B;AAAA,MACvC,OAAO,iCAAiB;AAAA,MACxB,mBAAmB;AAAA,IACrB,CAAC;AAAA,EACH;AAEA,QAAM,mBAAmB,MAAM,UAAU,WAAW,GAAG;AACvD,MAAI,CAAC,iBAAiB,WAAW;AAC/B,UAAM,IAAI,+CAA+B;AAAA,MACvC,OAAO;AAAA,MACP,mBAAmB;AAAA,IACrB,CAAC;AAAA,EACH;AAEA,SAAO;AACT;AAEA,eAAe,uBAAuB,SAGnC;AACD,QAAM,EAAE,wBAAwB,UAAU,IAAI;AAE9C,QAAM,UAAM,2BAAU,EAAE,KAAK,wBAAwB,eAAe,yBAAyB,CAAC;AAE9F,QAAM,gBAAY,kCAAiB,GAAG;AACtC,QAAM,EAAE,OAAO,IAAI,UAAM,2BAAU;AAAA,IACjC,mBAAmB,UAAU;AAAA,IAC7B,SAAS;AAAA,IACT,QAAQ,IAAI;AAAA,IACZ,SAAS,IAAI;AAAA,IACb,QAAQ;AAAA,EACV,CAAC;AAGD,QAAM,UAAU,iCAAiC,IAAI,OAAc;AACnE,MAAI,IAAI,OAAO,QAAQ,yBAAyB,WAAW,IAAI;AAC7D,UAAM,IAAI,+CAA+B;AAAA,MACvC,OAAO,iCAAiB;AAAA,MACxB,mBAAmB,oFAAoF,IAAI,OAAO,GAAG;AAAA,IACvH,CAAC;AAAA,EACH;AAEA,SAAO,EAAE,mBAAmB,IAAI,SAAS,OAAO;AAClD;;;AGjKA,IAAAC,kBAAiE;AACjE,IAAAC,iBAA8D;;;ACD9D,IAAAC,eAAkB;AAEX,IAAM,oBAAoB,eAAE,OAAO;AAAA,EACxC,MAAM,eAAE,OAAO;AAAA,EACf,gBAAgB,eAAE,MAAM,eAAE,OAAO,CAAC,EAAE,SAAS;AAAA,EAC7C,6BAA6B,eAAE,MAAM,eAAE,OAAO,CAAC,EAAE,SAAS;AAC5D,CAAC;AAGM,IAAM,mBAAmB,eAAE,MAAM,iBAAiB;;;ADKlD,SAAS,qBAAqB,SAAoE;AACvG,QAAM,EAAE,gBAAgB,IAAI;AAE5B,QAAM,UAAU,gBAAgB,IAAI,CAAC,gBAAY,gCAAY,uCAAmB,6BAAa,OAAO,CAAC,CAAC,CAAC;AAEvG,QAAM,eAAe,iBAAiB,UAAU,OAAO;AACvD,MAAI,CAAC,aAAa,SAAS;AACzB,UAAM,IAAI,+CAA+B;AAAA,MACvC,OAAO,iCAAiB;AAAA,MACxB,mBAAmB;AAAA,IACrB,CAAC;AAAA,EACH;AAEA,SAAO,aAAa,KAAK,IAAI,CAACC,UAAS,WAAW;AAAA,IAChD,iBAAiBA;AAAA,IACjB,SAAS,gBAAgB,KAAK;AAAA,IAC9B,sBAAsB;AAAA,EACxB,EAAE;AACJ;;;ARWA,eAAsB,qCACpB,SACuC;AACvC,QAAM,EAAE,gBAAgB,QAAQ,WAAW,QAAQ,qBAAqB,IAAI;AAE5E,MAAI;AAIJ,QAAM,aAAS;AAAA,IACb,aAAAC,QAAE,MAAM,CAAC,qCAAqC,gCAAgC,eAAe,CAAC;AAAA,IAC9F;AAAA,IACA;AAAA,EACF;AAEA,MAAI;AACJ,MAAI,iBAAiB,MAAM,GAAG;AAC5B,UAAM,MAAM,iBAAiB,EAAE,kBAAkB,QAAQ,WAAW,OAAO,CAAC;AAE5E,UAAM,kCAA8B;AAAA,MAClC,aAAAA,QAAE,MAAM,CAAC,qCAAqC,8BAA8B,CAAC;AAAA,MAC7E,IAAI;AAAA,MACJ;AAAA,IACF;AAEA,yBAAqB,yBAAyB;AAAA,MAC5C,gBAAgB;AAAA,MAChB;AAAA,MACA,KAAK;AAAA,MACL;AAAA,MACA;AAAA,IACF,CAAC;AAAA,EACH,OAAO;AACL,yBAAqB,yBAAyB;AAAA,MAC5C,gBAAgB;AAAA,MAChB;AAAA,MACA,KAAK;AAAA,MACL;AAAA,MACA;AAAA,IACF,CAAC;AAAA,EACH;AAEA,MAAI;AACJ,MAAI,CAAC,qCAAqC,kBAAkB,KAAK,mBAAmB,qBAAqB;AACvG,qBAAiB,MAAM,oBAAoB,EAAE,mBAAmB,mBAAmB,oBAAoB,CAAC;AAAA,EAC1G;AAEA,QAAM,aAAa,sBAAsB;AAAA,IACvC,SAAS,EAAE,GAAG,oBAAoB,iBAAiB,kBAAkB,mBAAmB,gBAAgB;AAAA,IACxG;AAAA,IACA;AAAA,IACA;AAAA,EACF,CAAC;AAED,MAAI;AACJ,MAAI;AAEJ,MAAI,mBAAmB,2BAA2B,mBAAmB,6BAA6B;AAChG,QAAI,mBAAmB,6BAA6B;AAClD,YAAM,IAAI,+CAA+B;AAAA,QACvC,OAAO,iCAAiB;AAAA,QACxB,mBAAmB;AAAA,MACrB,CAAC;AAAA,IACH;AAEA,UAAM;AAAA,MACJ,yBAAyB,mBAAmB;AAAA,MAC5C,6BAA6B,mBAAmB;AAAA,IAClD;AAAA,EACF;AAEA,MAAI,mBAAmB,YAAY;AACjC,WAAO,EAAE,OAAO,mBAAmB,WAAW;AAAA,EAChD;AAEA,QAAM,kBAAkB,mBAAmB,mBACvC,qBAAqB,EAAE,iBAAiB,mBAAmB,iBAAiB,CAAC,IAC7E;AAEJ,SAAO;AAAA,IACL;AAAA,IACA,gBAAgB;AAAA,IAChB;AAAA,IACA,QAAQ,EAAE,GAAG,WAAW;AAAA,IACxB;AAAA,IACA;AAAA,EACF;AACF;AAEA,SAAS,yBAAyB,SAM/B;AACD,QAAM,EAAE,gBAAgB,QAAQ,KAAK,QAAQ,qBAAqB,IAAI;AAEtE,MAAI,qCAAqC,cAAc,GAAG;AACxD,sDAAkD;AAAA,MAChD,QAAQ;AAAA,MACR,cAAc;AAAA,MACd;AAAA,MACA;AAAA,IACF,CAAC;AAED,WAAO;AAAA,EACT;AAEA,+CAA6C,EAAE,QAAQ,gBAAgB,2BAA2B,OAAO,CAAC;AAC1G,SAAO;AACT;;;AU1JA,IAAAC,kBAMO;AACP,IAAAC,iBAA8B;;;ACGvB,SAAS,iBAAiB,MAAY,SAAiB;AAC5D,SAAO,IAAI,KAAK,KAAK,QAAQ,IAAI,UAAU,GAAI;AACjD;;;ACZA,IAAAC,kBAMO;AAUP,eAAsB,uBAAuB,SAAwC;AACnF,QAAM,EAAE,kBAAkB,cAAc,WAAW,UAAU,IAAI;AACjE,MAAI,CAAC,aAAa,cAAc;AAC9B,UAAM,EAAE,IAAI,IAAI,MAAM,UAAU,WAAW,cAAc,KAAK,UAAU,gBAAgB,CAAC;AACzF,WAAO,EAAE,qBAAqB,IAAI;AAAA,EACpC;AAEA,MAAI,aAAa,CAAC,cAAc;AAC9B,UAAMC,UAAS,MAAM,UAAU,QAAQ,WAAW;AAAA,MAChD,YAAQ,wCAAuB,SAAS;AAAA,MACxC,SAAS;AAAA,IACX,CAAC;AACD,WAAO,EAAE,qBAAqBA,QAAO,IAAI;AAAA,EAC3C;AAEA,MAAI,CAAC,aAAa,CAAC,cAAc;AAC/B,UAAM,IAAI,4BAAY,0EAA0E;AAAA,EAClG;AACA,QAAM,SAAS,MAAM,UAAU,QAAQ,WAAW;AAAA,IAChD,YAAQ,wCAAuB,SAAS;AAAA,IACxC,SAAS;AAAA,EACX,CAAC;AAED,QAAM,YAAY,MAAM,UAAU,WAAW,cAAc,OAAO,GAAG;AAErE,SAAO,EAAE,qBAAqB,UAAU,IAAI;AAC9C;;;ACvCO,SAAS,8BAA8B,gBAAuD;AACnG,QAAM,SAAS,0BAA0B,MAAM,cAAc;AAE7D,QAAM,gBAAgB,OAAO,gBAAgB;AAC7C,QAAM,aAAa,OAAO,gBAAgB;AAE1C,QAAM,SACJ,eAAe,KAAK,KAAK,KAAK,CAAC,QAAQ,IAAI,QAAQ,SAAS,IAAI,QAAQ,aAAa,KACrF,eAAe,KAAK,KAAK,KAAK,CAAC,QAAQ,IAAI,QAAQ,KAAK;AAAA,EAExD,eAAe,KAAK,OAAO,CAAC;AAE9B,QAAM,SACJ,eAAe,KAAK,KAAK,KAAK,CAAC,QAAQ,IAAI,QAAQ,SAAS,IAAI,QAAQ,UAAU,KAClF,eAAe,KAAK,KAAK,KAAK,CAAC,QAAQ,IAAI,QAAQ,KAAK;AAAA,EAExD,eAAe,KAAK,OAAO,CAAC;AAE9B,SAAO,EAAE,QAAQ,OAAO;AAC1B;;;ACtBA,IAAAC,eAAkB;AAEX,IAAM,mBAAmB;AAAA,EAC9B;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AACF;AACO,IAAM,oBAAoB,eAAE,KAAK,gBAAgB;AAIjD,IAAM,qBAAqB,CAAC,iBAA2D;AAC5F,SAAO,iBAAiB,SAAS,YAAgC;AACnE;;;AChBA,IAAAC,kBAA4B;AAU5B,SAAS,qBAAwB,SAAqC;AACpE,QAAM,EAAE,cAAc,WAAW,OAAO,IAAI;AAC5C,QAAM,eAAe,UAAU,KAAK,CAAC,UAAU,UAAU,MAAM;AAE/D,MAAI,CAAC,cAAc;AACjB,UAAM,IAAI,4BAAY,YAAY;AAAA,EACpC;AAEA,SAAO;AACT;AAEO,SAAS,4BAA4B,SAGzC;AACD,QAAM,EAAE,gBAAgB,eAAe,IAAI;AAC3C,QAAM,uBAAuB,0BAA0B,MAAM,cAAc;AAE3E,MAAI,qBAAqB,SAAS,kBAAkB,qBAAqB,SAAS,WAAW;AAC3F,QAAI,eAAe,+CAA+C;AAChE,2BAAqB;AAAA,QACnB,WAAW,eAAe;AAAA,QAC1B,QAAQ,qBAAqB,gBAAgB;AAAA,QAC7C,cAAc;AAAA,MAChB,CAAC;AAAA,IACH;AAEA,QAAI,eAAe,+CAA+C;AAChE,2BAAqB;AAAA,QACnB,WAAW,eAAe;AAAA,QAC1B,QAAQ,qBAAqB,gBAAgB;AAAA,QAC7C,cAAc;AAAA,MAChB,CAAC;AAAA,IACH;AAAA,EACF;AAEA,MACE,eAAe,+CACd,qBAAqB,SAAS,UAAU,qBAAqB,SAAS,iBACvE;AACA,yBAAqB;AAAA,MACnB,WAAW,eAAe;AAAA,MAC1B,QAAQ,qBAAqB,gBAAgB;AAAA,MAC7C,cAAc;AAAA,IAChB,CAAC;AAAA,EACH;AAEA,SAAO;AACT;;;ALnBA,eAAsB,qCACpB,SACqD;AACrD,QAAM,EAAE,gBAAgB,MAAM,UAAU,IAAI;AAC5C,QAAM,kBAAkB;AAAA,IACtB,GAAG,QAAQ;AAAA,IACX,GAAI,WAAW,kBAAkB,EAAE,OAAO,eAAe,MAAM;AAAA,EACjE;AAEA,MAAI,eAAe,iBAAiB,mBAAmB,eAAe,aAAa,KAAK,CAAC,MAAM;AAC7F,UAAM,IAAI;AAAA,MACR,uEAAuE,eAAe,aAAa;AAAA,IACrG;AAAA,EACF;AAEA,MAAI,CAAC,MAAM;AACT,WAAO;AAAA,MACL;AAAA,IACF;AAAA,EACF;AAEA,MAAI,CAAC,eAAe,iBAAiB;AACnC,UAAM,IAAI,4BAAY,gFAAgF;AAAA,EACxG;AAEA,MAAI,CAAC,eAAe,gBAAgB,MAAM;AACxC,UAAM,IAAI,+CAA+B;AAAA,MACvC,OAAO,iCAAiB;AAAA,MACxB,mBAAmB;AAAA,IACrB,CAAC;AAAA,EACH;AAEA,QAAM,wBAAwB,4BAA4B;AAAA,IACxD,gBAAgB,eAAe;AAAA,IAC/B,gBAAgB,KAAK;AAAA,EACvB,CAAC;AAED,QAAM,iBAAiB,8BAA8B;AAAA,IACnD,GAAG,eAAe;AAAA,IAClB,MAAM,eAAe,gBAAgB;AAAA,EACvC,CAAC;AAED,MAAI,CAAC,gBAAgB,QAAQ;AAC3B,UAAM,IAAI,+CAA+B;AAAA,MACvC,OAAO,iCAAiB;AAAA,MACxB,mBAAmB;AAAA,IACrB,CAAC;AAAA,EACH;AAGA,MAAI;AACJ,MAAI,MAAM,WAAW;AACnB,QAAI,CAAC,KAAK,qBAAqB;AAC7B,YAAM,IAAI,+CAA+B;AAAA,QACvC,OAAO,iCAAiB;AAAA,QACxB,mBAAmB;AAAA,MACrB,CAAC;AAAA,IACH;AAEA,QAAI,CAAC,KAAK,UAAU;AAClB,YAAM,IAAI,+CAA+B;AAAA,QACvC,OAAO,iCAAiB;AAAA,QACxB,mBAAmB;AAAA,MACrB,CAAC;AAAA,IACH;AAEA,2BAAuB;AAAA,MACrB,KAAK,KAAK;AAAA,MACV,KAAK,KAAK;AAAA,MACV,KAAK,KAAK,wBAAoB,8BAAc,iBAAiB,oBAAI,KAAK,GAAG,KAAK,EAAE,CAAC;AAAA;AAAA,IACnF;AAAA,EACF;AAEA,QAAM,sBAAsB;AAAA,IAC1B,GAAG;AAAA,IACH,GAAG;AAAA,EACL;AAEA,QAAM,SAAS,MAAM,uBAAuB;AAAA,IAC1C,kBAAkB;AAAA,IAClB,WAAW,MAAM;AAAA,IACjB,cACE,MAAM,eAAe,sBAAsB,SAAS,aAAa,sBAAsB,SAAS,kBAC5F;AAAA,MACE,QAAQ;AAAA,MACR,WAAW,eAAe;AAAA,MAC1B,KAAK,KAAK,YAAY;AAAA,MACtB,KAAK,eAAe;AAAA,MACpB,KAAK,sBAAsB,gBAAgB;AAAA,MAC3C,KAAK,sBAAsB,gBAAgB;AAAA,IAC7C,IACA;AAAA,IACN,WAAW;AAAA,MACT,SAAS,UAAU;AAAA,MACnB,YAAY,UAAU;AAAA,IACxB;AAAA,EACF,CAAC;AAED,SAAO;AAAA,IACL,iBAAiB;AAAA,IACjB,MAAM,EAAE,aAAa,OAAO,oBAAoB;AAAA,EAClD;AACF;;;AM7IA,IAAAC,kBAAkD;AAClD,IAAAC,iBAA4C;AAC5C,IAAAA,iBAAoC;;;ACFpC,IAAAC,kBAAkD;AAClD,IAAAC,iBAAiD;AAW1C,IAAM,uBAAuB,CAAC,YAAyC;AAC5E,QAAM,EAAE,aAAa,qBAAqB,UAAU,IAAI;AAExD,QAAM,mBAAmB,YAAY,gBAAgB,YAAY;AACjE,MAAI,CAAC,kBAAkB;AACrB,UAAM,IAAI,4BAAY,uFAAuF;AAAA,EAC/G;AAEA,QAAM,sBAAsB,IAAI,mBAAI,gBAAgB;AACpD,SAAO,oBAAoB,qBAAqB,qBAAqB,SAAS;AAChF;AAEA,eAAe,oBACb,kBACA,aACA,WACA;AACA,QAAM,WAAW,OAAO,UAAU,SAAS,+BAAgB,kBAAkB;AAAA,IAC3E,QAAQ;AAAA,IACR,SAAS,EAAE,gBAAgB,2BAAY,mBAAmB;AAAA,IAC1D,MAAM,YAAY,WAAW;AAAA,EAC/B,CAAC;AAED,SAAO;AAAA,IACL,cAAc;AAAA,IACd;AAAA,EACF;AACF;;;ADzBA,eAAsB,qCAAqC,SAAsD;AAC/G,QAAM,EAAE,gBAAgB,iBAAiB,MAAM,UAAU,IAAI;AAC7D,QAAM,MAAM,eAAe;AAE3B,MAAI,MAAM;AACR,WAAO,qBAAqB;AAAA,MAC1B,aAAa;AAAA,MACb,qBAAqB,KAAK;AAAA,MAC1B;AAAA,IACF,CAAC;AAAA,EACH;AAEA,MAAI,CAAC,KAAK;AACR,UAAM,IAAI;AAAA,MACR;AAAA,IACF;AAAA,EACF;AAEA,QAAM,QAAQ,UAAU,SAAS;AACjC,QAAM,sBAAkB,oCAAoB,eAAe;AAC3D,QAAM,qBAAqB,MAAM,MAAM,KAAK;AAAA,IAC1C,QAAQ;AAAA,IACR,MAAM;AAAA,IACN,SAAS;AAAA,MACP,gBAAgB,2BAAY;AAAA,IAC9B;AAAA,EACF,CAAC;AAED,SAAO;AAAA,IACL,cAAc;AAAA,IACd,UAAU;AAAA,EACZ;AACF;;;AE9CA,IAAAC,kBAA4B;;;ACA5B,IAAAC,iBAAoD;;;ACApD,IAAAC,eAAkB;AAElB,IAAM,mBAAmB,eAAE,MAAM,CAAC,eAAE,OAAO,GAAG,eAAE,OAAO,eAAE,IAAI,CAAC,CAAC,GAAG;AAAA,EAChE,SAAS;AACX,CAAC;AAEM,IAAM,cAAc,eAAE;AAAA,EAC3B,CAAC,kBAAkB,eAAE,MAAM,gBAAgB,EAAE,SAAS,4CAA4C,CAAC;AAAA,EACnG;AAAA,IACE,SAAS;AAAA,EACX;AACF;AAIO,IAAM,eAAe,eAAE,OAAO,eAAE,MAAM,CAAC,eAAE,OAAO,GAAG,eAAE,OAAO,eAAE,IAAI,CAAC,CAAC,CAAC,GAAG;AAAA,EAC7E,SACE;AACJ,CAAC;AAGM,IAAM,WAAW,aAAa,GAAG,WAAW;;;ADlB5C,SAAS,gBAAgB,SAA2D;AACzF,QAAM,oBAAgB;AAAA,IACpB;AAAA,QACA,4BAAY,OAAO;AAAA,IACnB;AAAA,EACF;AAEA,SAAO,MAAM,QAAQ,aAAa,IAAK,gBAA4D,CAAC,aAAa;AACnH;AAEO,SAAS,iBAAiB,SAA+B;AAC9D,aAAO;AAAA,IACL;AAAA,QACA,4BAAY,OAAO;AAAA,IACnB;AAAA,EACF;AACF;;;ADAO,SAAS,8CACd,SAC8C;AAC9C,QAAM,EAAE,gBAAgB,gBAAgB,IAAI;AAE5C,MAAI,WAAW,kBAAkB,eAAe,UAAU,gBAAgB,OAAO;AAC/E,UAAM,IAAI,4BAAY,kDAAkD;AAAA,EAC1E;AAGA,MAAI,gBAAgB,UAAU;AAC5B,UAAM,IAAI,4BAAY,6DAA6D;AAAA,EACrF;AAEA,MAAI,gBAAgB,yBAAyB;AAC3C,QAAI,CAAC,eAAe,yBAAyB;AAC3C,YAAM,IAAI,4BAAY,kFAAkF;AAAA,IAC1G;AAEA,WAAO;AAAA,MACL,MAAM;AAAA,MACN,KACE,WAAW,kBAAkB,eAAe,QACxC;AAAA,QACE,OAAO,eAAe;AAAA,QACtB,wBAAwB,gBAAgB;AAAA,QACxC,eAAe,gBAAgB,gBAAgB,QAAQ;AAAA,MACzD,IACA;AAAA,QACE,wBAAwB,eAAe;AAAA,QACvC,wBAAwB,gBAAgB;AAAA,QACxC,eAAe,gBAAgB,gBAAgB,QAAQ;AAAA,MACzD;AAAA,IACR;AAAA,EACF;AAEA,MAAI,eAAe,YAAY;AAC7B,UAAM,gBAAgB,iBAAiB,gBAAgB,QAAQ;AAE/D,WAAO;AAAA,MACL,MAAM;AAAA,MACN,MACE,WAAW,kBAAkB,eAAe,QACxC;AAAA,QACE,OAAO,eAAe;AAAA,QACtB;AAAA,MACF,IACA;AAAA,QACE,OAAO,eAAe;AAAA,QACtB;AAAA,MACF;AAAA,IACR;AAAA,EACF;AAEA,QAAM,IAAI;AAAA,IACR;AAAA,EACF;AACF;;;AG5EA,IAAAC,kBAAkF;;;ACAlF,IAAAC,iBAAuC;;;ACAvC,IAAAC,eAAkB;;;ACAlB,IAAAC,eAAkB;AAEX,IAAM,6BAA6B,eAAE,OAAO,eAAE,IAAI,CAAC;AACnD,IAAM,6BAA6B,eAAE,OAAO,eAAE,IAAI,CAAC;;;ADCnD,IAAM,kCAAkC,eAC5C,OAAO;AAAA,EACN,OAAO,eAAE,OAAO,EAAE,SAAS;AAAA,EAC3B,UAAU,eAAE,OAAO,EAAE,SAAS;AAAA,EAC9B,UAAU;AAAA,EACV,yBAAyB,2BAA2B,SAAS;AAAA,EAC7D,eAAe,eAAE,OAAO,EAAE,SAAS;AAAA,EACnC,YAAY,eAAE,OAAO,EAAE,SAAS;AAAA,EAChC,cAAc,eAAE,OAAO,EAAE,SAAS;AAAA,EAClC,YAAY,eAAE,OAAO,EAAE,SAAS;AAClC,CAAC,EACA,YAAY;;;ADZR,SAAS,2CAA2C,SAAkC;AAC3F,aAAO;AAAA,IACL;AAAA,IACA;AAAA,IACA;AAAA,EACF;AACF;;;AGTA,IAAAC,kBAA6F;AAC7F,IAAAC,iBAAyE;AACzE,IAAAC,eAAc;AAmBd,eAAsB,+BACpB,SAC+C;AAC/C,QAAM,EAAE,iBAAiB,UAAU,IAAI;AAEvC,QAAM,mCAA+B;AAAA,IACnC,aAAAC,QAAE,MAAM,CAAC,6BAAa,2BAAW,CAAC;AAAA,IAClC;AAAA,IACA;AAAA,EACF;AAEA,QAAM,uBAAuB,MAAM,gCAAgC,EAAE,8BAA8B,UAAU,CAAC;AAE9G,QAAM,EAAE,QAAQ,WAAW,QAAI,iCAAgB;AAAA,IAC7C,KAAK;AAAA,IACL,cAAc;AAAA,EAChB,CAAC;AAED,QAAM,6BAA6B,0CAA0C;AAAA,IAC3E,sBAAsB,qBAAqB;AAAA,EAC7C,CAAC;AAED,MAAI,2BAA2B,SAAS,eAAe,2BAA2B,SAAS,oBAAoB;AAC7G,UAAM,IAAI,4BAAY,iFAAiF;AAAA,EACzG;AAEA,QAAM,+BAA+B,2CAA2C,qBAAqB,gBAAgB;AACrH,QAAM,4BAA4B,8CAA8C;AAAA,IAC9E,gBAAgB,2BAA2B;AAAA,IAC3C,iBAAiB;AAAA,EACnB,CAAC;AAED,QAAM,8BAA8B,2BAA2B;AAC/D,MAAI,CAAC,4BAA4B,iBAAiB,CAAC,mBAAmB,4BAA4B,aAAa,GAAG;AAChH,UAAM,IAAI;AAAA,MACR,4DAA4D,4BAA4B,iBAAiB,UAAU;AAAA,IACrH;AAAA,EACF;AAEA,MAAI,qBAAyC;AAE7C,MAAI,YAAY,KAAK;AACnB,6BAAqB,uCAAmB,6BAAa,WAAW,GAAG,CAAC;AAAA,EACtE;AACA,MAAI,YAAY,KAAK;AACnB,UAAM,uBAAmB,uCAAmB,6BAAa,WAAW,GAAG,CAAC;AACxE,QAAI,qBAAqB,4BAA4B,OAAO;AAC1D,YAAM,IAAI,4BAAY,uEAAuE;AAAA,IAC/F;AAAA,EACF;AAEA,SAAO;AAAA,IACL,GAAG;AAAA,IACH,MAAM,EAAE,GAAG,sBAAsB,YAAY,mBAAmB;AAAA,IAEhE,eAAe,4BAA4B;AAAA,IAC3C;AAAA,IACA;AAAA,EACF;AACF;;;AJ1CA,eAAsB,oCACpB,SAC+C;AAC/C,QAAM,EAAE,iBAAiB,UAAU,IAAI;AAEvC,MAAI,gBAAgB,UAAU;AAC5B,WAAO,+BAA+B,EAAE,iBAAiB,gBAAgB,UAAoB,UAAU,CAAC;AAAA,EAC1G;AAEA,QAAM,+BAA+B,2CAA2C,eAAe;AAE/F,QAAM,EAAE,qBAAqB,IAAI,MAAM,UAAU,iCAAiC,4BAA4B;AAC9G,QAAM,oBAAoB,0CAA0C,EAAE,qBAA2C,CAAC;AAClH,MAAI,kBAAkB,SAAS,eAAe,kBAAkB,SAAS,oBAAoB;AAC3F,UAAM,IAAI,4BAAY,iFAAiF;AAAA,EACzG;AAEA,QAAM,8BAA8B,kBAAkB;AAEtD,QAAM,4BAA4B,8CAA8C;AAAA,IAC9E,gBAAgB;AAAA,IAChB,iBAAiB;AAAA,EACnB,CAAC;AAED,MAAI,4BAA4B,iBAAiB,mBAAmB,4BAA4B,aAAa,GAAG;AAC9G,UAAM,IAAI;AAAA,MACR;AAAA,QACE,OAAO;AAAA,QACP,mBAAmB;AAAA,MACrB;AAAA,MACA;AAAA,QACE,QAAQ;AAAA,MACV;AAAA,IACF;AAAA,EACF;AAEA,SAAO;AAAA,IACL,GAAG;AAAA,IACH,eAAe,4BAA4B;AAAA,IAE3C;AAAA,IACA;AAAA,IACA,MAAM;AAAA,EACR;AACF;;;AK1DO,IAAM,kBAAN,MAAsB;AAAA,EACpB,YAAoB,SAAiC;AAAjC;AAAA,EAAkC;AAAA,EAEtD,0CAA0C,SAAkD;AACjG,WAAO,0CAA0C,OAAO;AAAA,EAC1D;AAAA,EAEA,MAAa,qCACX,SACA;AACA,WAAO,qCAAqC,EAAE,GAAG,SAAS,WAAW,KAAK,QAAQ,UAAU,CAAC;AAAA,EAC/F;AAAA,EAEA,MAAa,qCACX,SACA;AACA,WAAO,qCAAqC,EAAE,GAAG,SAAS,WAAW,KAAK,QAAQ,UAAU,CAAC;AAAA,EAC/F;AAAA,EAEA,MAAa,qCACX,SACA;AACA,WAAO,qCAAqC,EAAE,GAAG,SAAS,WAAW,KAAK,QAAQ,UAAU,CAAC;AAAA,EAC/F;AACF;;;AChDA,IAAAC,kBAKO;AACP,IAAAC,iBAAoD;AAiCpD,eAAsB,sBACpB,SACyC;AACzC,QAAM,wBAAwB,qBAAqB;AAAA,IACjD,iBAAiB,QAAQ;AAAA,EAC3B,CAAC;AAED,QAAM,iBAAsD,CAAC;AAC7D,aAAW,eAAe,uBAAuB;AAC/C,UAAM,eAAe,MAAM,2BAA2B;AAAA,MACpD,OAAO;AAAA,MACP,WAAW,QAAQ;AAAA,MACnB,aAAa,QAAQ;AAAA,IACvB,CAAC;AAED,mBAAe,KAAK,YAAY;AAAA,EAClC;AAEA,SAAO;AACT;AAUA,eAAe,2BAA2B;AAAA,EACxC;AAAA,EACA;AAAA,EACA;AACF,GAI0C;AACxC,QAAM,cAAc,MAAM,gBAAgB,+BAA+B,CAAC,SAAS;AACnF,QAAM,gBAAiC,YAAY;AAAA,IAAO,CAAC,QACzD,OAAO,OAAO,6BAAa,EAAE,SAAS,GAAoB;AAAA,EAC5D;AAEA,QAAM,SAA8C,CAAC;AACrD,aAAW,OAAO,eAAe;AAC/B,WAAO,GAAG,QAAI,kCAAkB,MAAM,UAAU,SAAK,iCAAiB,MAAM,OAAO,GAAG,GAAG,CAAC;AAAA,EAC5F;AAEA,aAAW,gBAAgB,MAAM,gBAAgB,gBAAgB;AAC/D,UAAM,kCAAkC,YAAY,YAAY;AAChE,QAAI,CAAC,gCAAiC;AAEtC,UAAM,MAAM,gCAAgC,+BAA+B;AAC3E,UAAM,OAAO,OAAO,GAAoB;AAExC,QAAI,CAAC,YAAY,SAAS,GAAG,GAAG;AAC9B,YAAM,IAAI,+CAA+B;AAAA,QACvC,OAAO,iCAAiB;AAAA,QACxB,mBAAmB,qCAAqC,MAAM,oBAAoB,yBAAyB,GAAG,sDAAsD,YAAY,KAAK,IAAI,CAAC;AAAA,MAC5L,CAAC;AAAA,IACH;AAGA,QAAI,CAAC,MAAM;AACT,YAAM,IAAI,+CAA+B;AAAA,QACvC,OAAO,iCAAiB;AAAA,QACxB,mBAAmB,qCAAqC,MAAM,oBAAoB,qCAAqC,GAAG,0FAA0F,OAAO,OAAO,6BAAa,EAAE,KAAK,IAAI,CAAC;AAAA,MAC7P,CAAC;AAAA,IACH;AAEA,UAAM,sBAAsB,gCAAgC,wBAAwB,QAAQ,IAAI;AAChG,QAAI,wBAAwB,IAAI;AAC9B,aAAO;AAAA,QACL,sBAAsB;AAAA,QACtB;AAAA,QACA;AAAA,QACA,SAAS;AAAA,QACT;AAAA,MACF;AAAA,IACF;AAAA,EACF;AAGA,QAAM,IAAI,+CAA+B;AAAA,IACvC,OAAO,iCAAiB;AAAA,IACxB,mBAAmB,qCAAqC,MAAM,oBAAoB;AAAA,EACpF,CAAC;AACH;;;ACjGO,IAAM,oBAAN,MAAwB;AAAA,EACtB,YAAoB,SAAmC;AAAnC;AAAA,EAAoC;AAAA,EAE/D,MAAa,oCACX,SACA;AACA,WAAO,oCAAoC,EAAE,GAAG,SAAS,WAAW,KAAK,QAAQ,UAAU,CAAC;AAAA,EAC9F;AAAA,EAEO,0CAA0C,SAAkD;AACjG,WAAO,0CAA0C,OAAO;AAAA,EAC1D;AAAA,EAEO,oCAAoC,SAAqD;AAC9F,WAAO,oCAAoC,OAAO;AAAA,EACpD;AAAA,EAEO,8CAA8C,SAAwD;AAC3G,WAAO,8CAA8C,OAAO;AAAA,EAC9D;AAAA,EAEO,gBAAgB,SAAkB;AACvC,WAAO,gBAAgB,OAAO;AAAA,EAChC;AAAA,EAEO,iBAAiB,SAAkB;AACxC,WAAO,iBAAiB,OAAO;AAAA,EACjC;AAAA,EAEO,qBAAqB,SAAsC;AAChE,WAAO,qBAAqB,OAAO;AAAA,EACrC;AAAA,EAEO,sBAAsB,SAAuC;AAClE,WAAO,sBAAsB,OAAO;AAAA,EACtC;AACF;;;ACjEA,IAAAC,eAAkB;AACX,IAAM,oBAAoB,eAAE,KAAK,CAAC,eAAe,UAAU,SAAS,YAAY,aAAa,WAAW,CAAC;;;ACDhH,IAAAC,eAAkB;AACX,IAAM,eAAe,eAAE,KAAK,CAAC,eAAe,UAAU,SAAS,aAAa,aAAa,UAAU,CAAC;","names":["import_oauth2","import_zod","import_oauth2","import_zod","z","import_oauth2","import_utils","import_zod","import_oauth2","import_utils","import_oauth2","import_oauth2","import_utils","import_oauth2","import_utils","import_zod","import_oauth2","import_utils","import_zod","import_zod","import_zod","url","import_oauth2","import_utils","import_zod","import_oauth2","import_utils","import_zod","z","import_oauth2","import_utils","import_zod","import_oauth2","import_oauth2","import_oauth2","import_utils","import_zod","import_oauth2","import_oauth2","import_utils","import_zod","import_oauth2","import_zod","import_oauth2","import_utils","import_zod","decoded","z","import_oauth2","import_utils","import_oauth2","signed","import_zod","import_oauth2","import_oauth2","import_utils","import_oauth2","import_utils","import_oauth2","import_utils","import_zod","import_oauth2","import_utils","import_zod","import_zod","import_oauth2","import_utils","import_zod","z","import_oauth2","import_utils","import_zod","import_zod"]}