@openid4vc/openid4vp 0.5.0-alpha-20260202131209 → 0.5.0-alpha-20260202155954
- package/dist/index.d.mts +852 -88
- package/dist/index.mjs +144 -40
- package/dist/index.mjs.map +1 -1
- package/package.json +3 -3
package/dist/index.mjs.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"index.mjs","names":["z","url","z","parsedClientIdPrefixAndIdentifier","clientIdScheme","clientIdIdentifier","uniformClientIdScheme","decoded","z","enc","z","z"],"sources":["../src/authorization-request/validate-authorization-request.ts","../src/authorization-request/validate-authorization-request-dc-api.ts","../src/jarm/metadata/z-jarm-client-metadata.ts","../src/models/z-vp-formats-supported.ts","../src/models/z-client-metadata.ts","../src/models/z-verifier-attestations.ts","../src/authorization-request/z-authorization-request.ts","../src/authorization-request/z-authorization-request-dc-api.ts","../src/authorization-request/create-authorization-request.ts","../src/jar/z-jar-authorization-request.ts","../src/authorization-request/parse-authorization-request-params.ts","../src/client-identifier-prefix/x509-hash.ts","../src/client-identifier-prefix/z-client-id-prefix.ts","../src/client-identifier-prefix/parse-client-identifier-prefix.ts","../src/fetch-client-metadata.ts","../src/version.ts","../src/jar/jar-request-object/fetch-jar-request-object.ts","../src/jar/handle-jar-request/verify-jar-request.ts","../src/transaction-data/z-transaction-data.ts","../src/transaction-data/parse-transaction-data.ts","../src/authorization-request/resolve-authorization-request.ts","../../utils/src/date.ts","../src/jarm/jarm-authorization-response-create.ts","../src/jarm/jarm-extract-jwks.ts","../src/jarm/jarm-response-mode.ts","../src/jarm/metadata/jarm-assert-metadata-supported.ts","../src/authorization-response/create-authorization-response.ts","../src/models/z-pex.ts","../src/vp-token/z-vp-token.ts","../src/authorization-response/z-authorization-response.ts","../src/authorization-response/parse-authorization-response-payload.ts","../src/jarm/jarm-authorization-response/z-jarm-authorization-response.ts","../src/jarm/jarm-authorization-response/jarm-validate-authorization-response.ts","../src/jarm/jarm-authorization-response/verify-jarm-authorization-response.ts",
"../src/vp-token/parse-vp-token.ts","../src/authorization-response/validate-authorization-response.ts","../src/authorization-response/parse-jarm-authorization-response.ts","../src/authorization-response/parse-authorization-response.ts","../src/jarm/jarm-authorization-response-send.ts","../src/authorization-response/submit-authorization-response.ts","../src/models/z-credential-formats.ts","../src/models/z-proof-formats.ts","../src/models/z-wallet-metadata.ts","../src/Openid4vpClient.ts","../src/transaction-data/verify-transaction-data.ts","../src/Openid4vpVerifier.ts"],"sourcesContent":["import { Oauth2ErrorCodes, Oauth2ServerErrorResponseError } from '@openid4vc/oauth2'\nimport { zHttpsUrl } from '@openid4vc/utils'\nimport type { WalletMetadata } from '../models/z-wallet-metadata'\nimport type { Openid4vpAuthorizationRequest } from './z-authorization-request'\n\nexport interface WalletVerificationOptions {\n expectedNonce?: string\n metadata?: WalletMetadata\n}\n\nexport interface ValidateOpenid4vpAuthorizationRequestPayloadOptions {\n params: Openid4vpAuthorizationRequest\n walletVerificationOptions?: WalletVerificationOptions\n}\n\n/**\n * Validate the OpenId4Vp Authorization Request parameters\n */\nexport const validateOpenid4vpAuthorizationRequestPayload = (\n options: ValidateOpenid4vpAuthorizationRequestPayloadOptions\n) => {\n const { params, walletVerificationOptions } = options\n\n if (!params.redirect_uri && !params.response_uri) {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidRequest,\n error_description: `Missing required 'redirect_uri' or 'response_uri' in openid4vp authorization request.`,\n })\n }\n\n if (params.response_uri && !['direct_post', 'direct_post.jwt'].find((mode) => mode === params.response_mode)) {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidRequest,\n error_description: `The 'response_mode' parameter MUST be 'direct_post' or 'direct_post.jwt' when 'response_uri' is 
provided. Current: ${params.response_mode}`,\n })\n }\n\n if (\n [params.presentation_definition_uri, params.presentation_definition, params.dcql_query, params.scope].filter(\n Boolean\n ).length > 1\n ) {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidRequest,\n error_description:\n 'Exactly one of the following parameters MUST be present in the authorization request: dcql_query, presentation_definition, presentation_definition_uri, or a scope value representing a Presentation Definition.',\n })\n }\n\n if (params.request_uri_method && !params.request_uri) {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidRequest,\n error_description:\n 'The \"request_uri_method\" parameter MUST NOT be present in the authorization request if the \"request_uri\" parameter is not present.',\n })\n }\n\n if (params.request_uri_method && !['GET', 'POST'].includes(params.request_uri_method)) {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidRequestUriMethod,\n error_description: `The 'request_uri_method' parameter MUST be 'GET' or 'POST'. 
Current: ${params.request_uri_method}`,\n })\n }\n\n if (params.trust_chain && !zHttpsUrl.safeParse(params.client_id).success) {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidRequest,\n error_description:\n 'The \"trust_chain\" parameter MUST NOT be present in the authorization request if the \"client_id\" is not an OpenId Federation Entity Identifier starting with http:// or https://.',\n })\n }\n\n if (walletVerificationOptions?.expectedNonce && !params.wallet_nonce) {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidRequest,\n error_description:\n 'The \"wallet_nonce\" parameter MUST be present in the authorization request when the \"expectedNonce\" parameter is provided.',\n })\n }\n\n if (walletVerificationOptions?.expectedNonce !== params.wallet_nonce) {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidRequest,\n error_description:\n 'The \"wallet_nonce\" parameter MUST match the \"expectedNonce\" parameter when the \"expectedNonce\" parameter is provided.',\n })\n }\n\n if (params.client_id.startsWith('web-origin:') || params.client_id.startsWith('origin:')) {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidRequest,\n error_description: `The 'client_id' parameter MUST NOT use client identifier scheme '${params.client_id.split(':')[0]}' when not using the dc_api response mode. 
Current: ${params.client_id}`,\n })\n }\n}\n","import { Oauth2ErrorCodes, Oauth2ServerErrorResponseError } from '@openid4vc/oauth2'\nimport type { Openid4vpAuthorizationRequestDcApi } from './z-authorization-request-dc-api'\n\nexport interface ValidateOpenid4vpAuthorizationRequestDcApiPayloadOptions {\n params: Openid4vpAuthorizationRequestDcApi\n isJarRequest: boolean\n disableOriginValidation?: boolean\n origin?: string\n}\n\n/**\n * Validate the OpenId4Vp Authorization Request parameters for the dc_api response mode\n */\nexport const validateOpenid4vpAuthorizationRequestDcApiPayload = (\n options: ValidateOpenid4vpAuthorizationRequestDcApiPayloadOptions\n) => {\n const { params, isJarRequest, disableOriginValidation, origin } = options\n\n if (isJarRequest && !params.expected_origins) {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidRequest,\n error_description: `The 'expected_origins' parameter MUST be present when using the dc_api response mode in combinaction with jar.`,\n })\n }\n\n if ([params.presentation_definition, params.dcql_query].filter(Boolean).length !== 1) {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidRequest,\n error_description:\n 'Exactly one of the following parameters MUST be present in the Authorization Request: dcql_query or presentation_definition',\n })\n }\n\n if (params.expected_origins && !disableOriginValidation) {\n if (!origin) {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidRequest,\n error_description: `Failed to validate the 'origin' of the authorization request. The 'origin' was not provided.`,\n })\n }\n\n if (params.expected_origins && !params.expected_origins.includes(origin)) {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidRequest,\n error_description: `The 'expected_origins' parameter MUST include the origin of the authorization request. 
Current: ${params.expected_origins.join(', ')}`,\n })\n }\n }\n}\n","import { Oauth2Error, zAlgValueNotNone } from '@openid4vc/oauth2'\nimport { parseWithErrorHandling } from '@openid4vc/utils'\nimport { z } from 'zod'\n\nexport const zJarmSignOnlyClientMetadata = z.object({\n authorization_signed_response_alg: zAlgValueNotNone,\n\n authorization_encrypted_response_alg: z.optional(z.never()),\n authorization_encrypted_response_enc: z.optional(z.never()),\n})\nexport type JarmSignOnlyClientMetadata = z.infer<typeof zJarmSignOnlyClientMetadata>\n\nexport const zJarmEncryptOnlyClientMetadata = z.object({\n authorization_signed_response_alg: z.optional(z.never()),\n authorization_encrypted_response_alg: z.string(),\n\n authorization_encrypted_response_enc: z.optional(z.string()),\n})\nexport type JarmEncryptOnlyClientMetadata = z.infer<typeof zJarmEncryptOnlyClientMetadata>\n\nexport const zJarmSignEncryptClientMetadata = z.object({\n authorization_signed_response_alg: zJarmSignOnlyClientMetadata.shape.authorization_signed_response_alg,\n authorization_encrypted_response_alg: zJarmEncryptOnlyClientMetadata.shape.authorization_encrypted_response_alg,\n authorization_encrypted_response_enc: zJarmEncryptOnlyClientMetadata.shape.authorization_encrypted_response_enc,\n})\nexport type JarmSignEncryptClientMetadata = z.infer<typeof zJarmSignEncryptClientMetadata>\n\n/**\n * Clients may register their public encryption keys using the jwks_uri or jwks metadata parameters.\n */\nexport const zJarmClientMetadata = z.object({\n authorization_signed_response_alg: z.optional(zJarmSignOnlyClientMetadata.shape.authorization_signed_response_alg),\n authorization_encrypted_response_alg: z.optional(\n zJarmEncryptOnlyClientMetadata.shape.authorization_encrypted_response_alg\n ),\n authorization_encrypted_response_enc: z.optional(\n zJarmEncryptOnlyClientMetadata.shape.authorization_encrypted_response_enc\n ),\n})\nexport type JarmClientMetadata = z.infer<typeof 
zJarmClientMetadata>\n\nexport const zJarmClientMetadataParsed = zJarmClientMetadata.transform((client_metadata) => {\n const parsedClientMeta = parseWithErrorHandling(\n z.union([zJarmEncryptOnlyClientMetadata, zJarmSignOnlyClientMetadata, zJarmSignEncryptClientMetadata]),\n client_metadata,\n 'Invalid jarm client metadata.'\n )\n\n const SignEncrypt = zJarmSignEncryptClientMetadata.safeParse(parsedClientMeta)\n if (SignEncrypt.success) {\n return {\n type: 'sign_encrypt',\n client_metadata: {\n ...SignEncrypt.data,\n authorization_encrypted_response_enc: client_metadata.authorization_encrypted_response_enc,\n },\n } as const\n }\n\n const encryptOnly = zJarmEncryptOnlyClientMetadata.safeParse(parsedClientMeta)\n if (encryptOnly.success) {\n return {\n type: 'encrypt',\n client_metadata: {\n ...encryptOnly.data,\n authorization_encrypted_response_enc: parsedClientMeta.authorization_encrypted_response_enc,\n },\n } as const\n }\n\n // this must be the last entry\n const signOnly = zJarmSignOnlyClientMetadata.safeParse(parsedClientMeta)\n if (signOnly.success) {\n return {\n type: 'sign',\n client_metadata: {\n ...signOnly.data,\n authorization_signed_response_alg: parsedClientMeta.authorization_signed_response_alg,\n },\n } as const\n }\n\n throw new Oauth2Error('Invalid jarm client metadata. 
Failed to parse.')\n})\nexport type JarmClientMetadataParsed = z.infer<typeof zJarmClientMetadataParsed>\n","import { z } from 'zod'\n\nexport const zVpFormatsSupported = z\n // Define known formats\n .object({\n 'dc+sd-jwt': z.optional(\n z\n .object({\n 'sd-jwt_alg_values': z.optional(z.tuple([z.string()], z.string())),\n 'kb-jwt_alg_values': z.optional(z.tuple([z.string()], z.string())),\n })\n .loose()\n ),\n jwt_vc_json: z.optional(\n z\n .object({\n alg_values: z.optional(z.tuple([z.string()], z.string())),\n })\n .loose()\n ),\n ldp_vc: z.optional(\n z\n .object({\n proof_type_values: z.optional(z.tuple([z.string()], z.string())),\n cryptosuite_values: z.optional(z.tuple([z.string()], z.string())),\n })\n .loose()\n ),\n mso_mdoc: z.optional(\n z\n .object({\n // Draft 27\n issuer_signed_alg_values: z.optional(z.tuple([z.number()], z.number())),\n device_signed_alg_values: z.optional(z.tuple([z.number()], z.number())),\n\n // Draft 28+\n issuerauth_alg_values: z.optional(z.tuple([z.number()], z.number())),\n deviceauth_alg_values: z.optional(z.tuple([z.number()], z.number())),\n })\n .loose()\n ),\n })\n .loose()\n // Require object for all unknown formats\n .catchall(z.object({}).loose())\n\nexport type VpFormatsSupported = z.infer<typeof zVpFormatsSupported>\n\nexport const zLegacyVpFormats = z.record(\n z.string(),\n z\n .object({\n alg_values_supported: z.optional(z.array(z.string())),\n })\n .loose()\n)\n\nexport type LegacyVpFormats = z.infer<typeof zLegacyVpFormats>\n","import { zJwkSet } from '@openid4vc/oauth2'\nimport { zDataUrl, zHttpsUrl } from '@openid4vc/utils'\nimport { z } from 'zod'\nimport { zJarmClientMetadata } from '../jarm/metadata/z-jarm-client-metadata'\nimport { zLegacyVpFormats, zVpFormatsSupported } from './z-vp-formats-supported'\n\n// Authoritative data the Wallet is able to obtain about the Client from other sources,\n// for example those from an OpenID Federation Entity Statement, take precedence over the values passed in 
client_metadata.\nexport const zClientMetadata = z\n .object({\n // Up until draft 22\n jwks_uri: z.url().optional(),\n jwks: z.optional(zJwkSet),\n\n // Up until draft 26\n vp_formats: z.optional(zLegacyVpFormats),\n\n // From draft 27\n vp_formats_supported: z.optional(zVpFormatsSupported),\n\n // From draft 28\n encrypted_response_enc_values_supported: z.optional(z.array(z.string())),\n\n ...zJarmClientMetadata.shape,\n\n logo_uri: zHttpsUrl.or(zDataUrl).optional(),\n client_name: z.string().optional(),\n })\n .loose()\nexport type ClientMetadata = z.infer<typeof zClientMetadata>\n","import z from 'zod'\n\nconst zVerifierAttestation = z.object({\n format: z.string(),\n data: z.record(z.string(), z.unknown()).or(z.string()),\n credential_ids: z.array(z.string()).optional(),\n})\n\nexport const zVerifierAttestations = z.array(zVerifierAttestation)\n\nexport type VerifierAttestation = z.infer<typeof zVerifierAttestation>\nexport type VerifierAttestations = z.infer<typeof zVerifierAttestations>\n","import { URL, zHttpsUrl, zStringToJson } from '@openid4vc/utils'\nimport { z } from 'zod'\nimport { zClientMetadata } from '../models/z-client-metadata'\nimport { zVerifierAttestations } from '../models/z-verifier-attestations'\n\nexport const zOpenid4vpAuthorizationRequest = z\n .object({\n response_type: z.literal('vp_token'),\n client_id: z.string(),\n redirect_uri: zHttpsUrl.optional(),\n response_uri: zHttpsUrl.optional(),\n request_uri: zHttpsUrl.optional(),\n request_uri_method: z.optional(z.string()),\n response_mode: z.enum(['direct_post', 'direct_post.jwt']).optional(),\n nonce: z.string(),\n wallet_nonce: z.string().optional(),\n scope: z.string().optional(),\n presentation_definition: z\n .record(z.string(), z.any())\n // for backwards compat\n .or(zStringToJson)\n .optional(),\n presentation_definition_uri: zHttpsUrl.optional(),\n dcql_query: z\n .record(z.string(), z.any())\n // for backwards compat\n .or(zStringToJson)\n .optional(),\n client_metadata: 
zClientMetadata.optional(),\n client_metadata_uri: zHttpsUrl.optional(),\n state: z.string().optional(),\n transaction_data: z.array(z.base64url()).optional(),\n trust_chain: z.tuple([z.string()], z.string()).optional(),\n client_id_scheme: z\n .enum([\n 'pre-registered',\n 'redirect_uri',\n 'entity_id',\n 'did',\n 'verifier_attestation',\n 'x509_san_dns',\n 'x509_san_uri',\n 'x509_hash',\n ])\n .optional(),\n verifier_attestations: zVerifierAttestations.optional(),\n verifier_info: zVerifierAttestations.optional(),\n })\n .loose()\n\n// Helps with parsing from an URI to a valid authorization request object\nexport const zOpenid4vpAuthorizationRequestFromUriParams = z\n .url()\n .transform((url): unknown => Object.fromEntries(new URL(url).searchParams))\n .pipe(\n z\n .object({\n presentation_definition: zStringToJson.optional(),\n client_metadata: zStringToJson.optional(),\n dcql_query: zStringToJson.optional(),\n transaction_data: zStringToJson.optional(),\n verifier_attestations: zStringToJson.optional(),\n verifier_info: zStringToJson.optional(),\n })\n .loose()\n )\n\nexport type Openid4vpAuthorizationRequest = z.infer<typeof zOpenid4vpAuthorizationRequest>\n","import { z } from 'zod'\nimport type { Openid4vpJarAuthorizationRequest } from '../jar/z-jar-authorization-request'\nimport { type Openid4vpAuthorizationRequest, zOpenid4vpAuthorizationRequest } from './z-authorization-request'\n\nconst zOpenid4vpResponseModeDcApi = z.enum(['dc_api', 'dc_api.jwt', 'w3c_dc_api.jwt', 'w3c_dc_api'])\nexport const zOpenid4vpAuthorizationRequestDcApi = zOpenid4vpAuthorizationRequest\n .pick({\n response_type: true,\n nonce: true,\n presentation_definition: true,\n client_metadata: true,\n transaction_data: true,\n dcql_query: true,\n trust_chain: true,\n state: true,\n verifier_attestations: true,\n verifier_info: true,\n })\n .extend({\n client_id: z.optional(z.string()),\n expected_origins: z.array(z.string()).optional(),\n response_mode: zOpenid4vpResponseModeDcApi,\n\n 
// Not allowed with dc_api, but added to make working with interfaces easier\n client_id_scheme: z.never().optional(),\n scope: z.never().optional(),\n\n // TODO: should we disallow any properties specifically, such as redirect_uri and response_uri?\n })\n\nexport type Openid4vpAuthorizationRequestDcApi = z.infer<typeof zOpenid4vpAuthorizationRequestDcApi>\n\nexport function isOpenid4vpResponseModeDcApi(\n responseMode: unknown\n): responseMode is Openid4vpAuthorizationRequestDcApi['response_mode'] {\n return (\n responseMode !== undefined &&\n zOpenid4vpResponseModeDcApi.options.includes(responseMode as Openid4vpAuthorizationRequestDcApi['response_mode'])\n )\n}\n\nexport function isOpenid4vpAuthorizationRequestDcApi(\n request: Openid4vpAuthorizationRequest | Openid4vpAuthorizationRequestDcApi | Openid4vpJarAuthorizationRequest\n): request is Openid4vpAuthorizationRequestDcApi {\n return isOpenid4vpResponseModeDcApi(request.response_mode)\n}\n","import {\n type CallbackContext,\n type CreateJarAuthorizationRequestOptions,\n createJarAuthorizationRequest,\n Oauth2Error,\n} from '@openid4vc/oauth2'\nimport { objectToQueryParams, parseWithErrorHandling, URL, URLSearchParams } from '@openid4vc/utils'\nimport {\n validateOpenid4vpAuthorizationRequestPayload,\n type WalletVerificationOptions,\n} from './validate-authorization-request'\nimport { validateOpenid4vpAuthorizationRequestDcApiPayload } from './validate-authorization-request-dc-api'\nimport { type Openid4vpAuthorizationRequest, zOpenid4vpAuthorizationRequest } from './z-authorization-request'\nimport {\n isOpenid4vpAuthorizationRequestDcApi,\n type Openid4vpAuthorizationRequestDcApi,\n zOpenid4vpAuthorizationRequestDcApi,\n} from './z-authorization-request-dc-api'\n\nexport interface CreateOpenid4vpAuthorizationRequestOptions {\n scheme?: string\n authorizationRequestPayload: Openid4vpAuthorizationRequest | Openid4vpAuthorizationRequestDcApi\n jar?: Pick<\n CreateJarAuthorizationRequestOptions,\n 
'additionalJwtPayload' | 'requestUri' | 'jwtSigner' | 'expiresInSeconds'\n >\n\n wallet?: WalletVerificationOptions\n callbacks: Pick<CallbackContext, 'signJwt' | 'encryptJwe'>\n\n /**\n * Date that should be used as now. If not provided current date will be used.\n */\n now?: Date\n}\n\n/**\n * Creates an OpenID4VP authorization request, optionally with a JWT Secured Authorization Request (JAR)\n * If the request is created after receiving wallet metadata via a POST to the request_uri endpoint, the wallet nonce needs to be provided\n *\n * @param options Configuration options for creating the authorization request\n * @param input.scheme Optional URI scheme to use (defaults to 'openid4vp://')\n * @param input.authorizationRequestPayload The OpenID4VP authorization request parameters\n * @param input.jar Optional JWT Secured Authorization Request (JAR) configuration\n * @param input.jar.requestUri The URI where the JAR will be accessible\n * @param input.jar.jwtSigner Function to sign the JAR JWT\n * @param input.jar.jweEncryptor Optional function to encrypt the JAR JWT\n * @param input.jar.additionalJwtPayload Optional additional claims to include in JAR JWT\n * @param input.wallet Optional wallet-specific parameters\n * @param input.wallet.nonce Optional wallet nonce\n * @param input.callbacks Callback functions for JWT operations\n * @returns Object containing the authorization request parameters, URI and optional JAR details\n */\nexport async function createOpenid4vpAuthorizationRequest(options: CreateOpenid4vpAuthorizationRequestOptions) {\n const { jar, scheme = 'openid4vp://', wallet, callbacks } = options\n\n let additionalJwtPayload: Record<string, unknown> | undefined\n\n let authorizationRequestPayload: Openid4vpAuthorizationRequest | Openid4vpAuthorizationRequestDcApi\n if (isOpenid4vpAuthorizationRequestDcApi(options.authorizationRequestPayload)) {\n authorizationRequestPayload = parseWithErrorHandling(\n zOpenid4vpAuthorizationRequestDcApi,\n 
options.authorizationRequestPayload,\n 'Invalid authorization request. Could not parse openid4vp dc_api authorization request.'\n )\n\n if (jar && !authorizationRequestPayload.expected_origins) {\n throw new Oauth2Error(\n `The 'expected_origins' parameter MUST be present when using the dc_api response mode in combination with jar.`\n )\n }\n\n validateOpenid4vpAuthorizationRequestDcApiPayload({\n params: authorizationRequestPayload,\n isJarRequest: Boolean(jar),\n disableOriginValidation: true,\n })\n } else {\n authorizationRequestPayload = parseWithErrorHandling(\n zOpenid4vpAuthorizationRequest,\n options.authorizationRequestPayload,\n 'Invalid authorization request. Could not parse openid4vp authorization request.'\n )\n validateOpenid4vpAuthorizationRequestPayload({\n params: authorizationRequestPayload,\n walletVerificationOptions: wallet,\n })\n }\n\n if (jar) {\n additionalJwtPayload = !jar.additionalJwtPayload?.aud\n ? { ...jar.additionalJwtPayload, aud: jar.requestUri }\n : jar.additionalJwtPayload\n\n const jarResult = await createJarAuthorizationRequest({\n ...jar,\n authorizationRequestPayload,\n additionalJwtPayload,\n callbacks,\n })\n\n const url = new URL(scheme)\n url.search = `?${new URLSearchParams([\n ...url.searchParams.entries(),\n ...objectToQueryParams(jarResult.jarAuthorizationRequest).entries(),\n // Add client_id_scheme if defined for backwards compat\n ...(authorizationRequestPayload.client_id_scheme\n ? 
[['client_id_scheme', authorizationRequestPayload.client_id_scheme]]\n : []),\n ]).toString()}`\n\n return {\n authorizationRequestPayload,\n authorizationRequestObject: jarResult.jarAuthorizationRequest,\n authorizationRequest: url.toString(),\n jar: { ...jar, ...jarResult },\n }\n }\n\n const url = new URL(scheme)\n url.search = `?${new URLSearchParams([\n ...url.searchParams.entries(),\n ...objectToQueryParams(authorizationRequestPayload).entries(),\n ]).toString()}`\n\n return {\n authorizationRequestPayload,\n authorizationRequestObject: authorizationRequestPayload,\n authorizationRequest: url.toString(),\n jar: undefined,\n }\n}\n","import { zJarAuthorizationRequest } from '@openid4vc/oauth2'\nimport { z } from 'zod'\nimport type { Openid4vpAuthorizationRequest } from '../authorization-request/z-authorization-request'\nimport type { Openid4vpAuthorizationRequestDcApi } from '../authorization-request/z-authorization-request-dc-api'\n\nexport const zOpenid4vpJarAuthorizationRequest = zJarAuthorizationRequest.extend({\n request_uri_method: z.optional(z.string()),\n})\nexport type Openid4vpJarAuthorizationRequest = z.infer<typeof zOpenid4vpJarAuthorizationRequest>\n\nexport function isJarAuthorizationRequest(\n request: Openid4vpAuthorizationRequest | Openid4vpJarAuthorizationRequest | Openid4vpAuthorizationRequestDcApi\n): request is Openid4vpJarAuthorizationRequest {\n return 'request' in request || 'request_uri' in request\n}\n","import { decodeJwt } from '@openid4vc/oauth2'\nimport { parseWithErrorHandling } from '@openid4vc/utils'\nimport z from 'zod'\nimport {\n isJarAuthorizationRequest,\n type Openid4vpJarAuthorizationRequest,\n zOpenid4vpJarAuthorizationRequest,\n} from '../jar/z-jar-authorization-request'\nimport {\n type Openid4vpAuthorizationRequest,\n zOpenid4vpAuthorizationRequest,\n zOpenid4vpAuthorizationRequestFromUriParams,\n} from './z-authorization-request'\nimport {\n isOpenid4vpAuthorizationRequestDcApi,\n type 
Openid4vpAuthorizationRequestDcApi,\n zOpenid4vpAuthorizationRequestDcApi,\n} from './z-authorization-request-dc-api'\n\nexport interface ParsedJarRequest {\n type: 'jar'\n provided: 'uri' | 'jwt' | 'params'\n params: Openid4vpJarAuthorizationRequest\n}\n\nexport interface ParsedOpenid4vpAuthorizationRequest {\n type: 'openid4vp'\n provided: 'uri' | 'jwt' | 'params'\n params: Openid4vpAuthorizationRequest\n}\n\nexport interface ParsedOpenid4vpDcApiAuthorizationRequest {\n type: 'openid4vp_dc_api'\n provided: 'uri' | 'jwt' | 'params'\n params: Openid4vpAuthorizationRequestDcApi\n}\n\nexport interface ParseOpenid4vpAuthorizationRequestOptions {\n authorizationRequest: string | Record<string, unknown>\n}\n\nexport function parseOpenid4vpAuthorizationRequest(\n options: ParseOpenid4vpAuthorizationRequestOptions\n): ParsedOpenid4vpAuthorizationRequest | ParsedJarRequest | ParsedOpenid4vpDcApiAuthorizationRequest {\n const { authorizationRequest } = options\n let provided: 'uri' | 'jwt' | 'params' = 'params'\n\n let params: Record<string, unknown>\n if (typeof authorizationRequest === 'string') {\n // JWT will never contain :\n if (authorizationRequest.includes(':')) {\n params = parseWithErrorHandling(\n zOpenid4vpAuthorizationRequestFromUriParams,\n authorizationRequest,\n 'Unable to parse openid4vp authorization request uri to a valid object'\n )\n provided = 'uri'\n } else {\n const decoded = decodeJwt({ jwt: authorizationRequest })\n params = decoded.payload\n provided = 'jwt'\n }\n } else {\n params = authorizationRequest\n }\n\n const parsedRequest = parseWithErrorHandling(\n z.union([zOpenid4vpAuthorizationRequest, zOpenid4vpJarAuthorizationRequest, zOpenid4vpAuthorizationRequestDcApi]),\n params\n )\n\n if (isJarAuthorizationRequest(parsedRequest)) {\n return {\n type: 'jar',\n provided,\n params: parsedRequest,\n }\n }\n\n if (isOpenid4vpAuthorizationRequestDcApi(parsedRequest)) {\n return {\n type: 'openid4vp_dc_api',\n provided,\n params: parsedRequest,\n }\n 
}\n\n return {\n type: 'openid4vp',\n provided,\n params: parsedRequest,\n }\n}\n","import { type CallbackContext, HashAlgorithm } from '@openid4vc/oauth2'\nimport { decodeBase64, encodeToBase64Url } from '@openid4vc/utils'\n\nexport async function calculateX509HashClientIdPrefixValue({\n x509Certificate,\n hash,\n}: {\n /**\n * DER encoded x509 certificate. Either encoded as base64 or directly as Uint8Array\n */\n x509Certificate: string | Uint8Array\n\n hash: CallbackContext['hash']\n}) {\n return encodeToBase64Url(\n await hash(\n typeof x509Certificate === 'string' ? decodeBase64(x509Certificate) : x509Certificate,\n HashAlgorithm.Sha256\n )\n )\n}\n","import { getGlobalConfig } from '@openid4vc/utils'\nimport { z } from 'zod'\n\nexport const zClientIdPrefix = z.enum([\n 'pre-registered',\n 'redirect_uri',\n 'verifier_attestation',\n\n 'https', // pre draft 26\n 'openid_federation', // from draft 26\n\n 'did', // pre draft 26\n 'decentralized_identifier', // from draft 26\n\n 'x509_san_uri', // pre-draft 25\n 'x509_hash', // from draft 25\n\n 'x509_san_dns',\n\n 'origin', // from draft 25\n 'web-origin', // pre-draft 25\n])\n\nexport const zUniformClientIdPrefix = zClientIdPrefix.exclude(['did', 'https', 'web-origin'])\n\nexport type ClientIdPrefix = z.infer<typeof zClientIdPrefix>\nexport type UniformClientIdPrefix = z.infer<typeof zUniformClientIdPrefix>\n\nexport const zClientIdToClientIdPrefixAndIdentifier = z.union(\n [\n z\n .string({ message: 'client_id MUST be a string' })\n .includes(':')\n .transform((clientId) => {\n const colonIndex = clientId.indexOf(':')\n const clientIdPrefix = clientId.slice(0, colonIndex)\n const clientIdIdentifier = clientId.slice(colonIndex + 1)\n\n // If we allow http, we parse it as https\n if (clientIdPrefix === 'http' && getGlobalConfig().allowInsecureUrls) {\n return ['https', clientId]\n }\n\n if (clientIdPrefix === 'did' || clientIdPrefix === 'http' || clientIdPrefix === 'https') {\n return [clientIdPrefix, clientId]\n 
}\n\n return [clientIdPrefix, clientIdIdentifier]\n })\n .pipe(z.tuple([zClientIdPrefix.exclude(['pre-registered']), z.string()])),\n z\n .string()\n .refine((clientId) => clientId.includes(':') === false)\n .transform((clientId) => ['pre-registered', clientId] as const),\n ],\n {\n message: `client_id must either start with a known prefix followed by ':' or contain no ':'. Known prefixes are ${zClientIdPrefix.exclude(['pre-registered']).options.join(', ')}`,\n }\n)\n\nexport const zClientIdPrefixToUniform = zClientIdPrefix.transform((prefix) =>\n prefix === 'did'\n ? 'decentralized_identifier'\n : prefix === 'https'\n ? 'openid_federation'\n : prefix === 'web-origin'\n ? 'origin'\n : prefix\n)\n\nexport const zLegacyClientIdScheme = z.enum([\n 'pre-registered',\n 'redirect_uri',\n 'entity_id',\n 'did',\n 'verifier_attestation',\n 'x509_san_dns',\n 'x509_san_uri',\n])\n\nexport type LegacyClientIdScheme = z.infer<typeof zLegacyClientIdScheme>\n\nexport const zLegacyClientIdSchemeToClientIdPrefix = zLegacyClientIdScheme\n .optional()\n .default('pre-registered')\n .transform((clientIdScheme) =>\n clientIdScheme === 'entity_id'\n ? 'openid_federation'\n : clientIdScheme === 'did'\n ? 
'decentralized_identifier'\n : clientIdScheme\n )\n","import { type CallbackContext, Oauth2ErrorCodes, Oauth2ServerErrorResponseError } from '@openid4vc/oauth2'\nimport { URL, zHttpsUrl } from '@openid4vc/utils'\nimport type { Openid4vpAuthorizationRequest } from '../authorization-request/z-authorization-request'\nimport {\n isOpenid4vpAuthorizationRequestDcApi,\n isOpenid4vpResponseModeDcApi,\n type Openid4vpAuthorizationRequestDcApi,\n} from '../authorization-request/z-authorization-request-dc-api'\nimport type { VerifiedJarRequest } from '../jar/handle-jar-request/verify-jar-request'\nimport type { ClientMetadata } from '../models/z-client-metadata'\nimport type { Openid4vpVersionNumber } from '../version'\nimport { calculateX509HashClientIdPrefixValue } from './x509-hash'\nimport {\n type ClientIdPrefix,\n type LegacyClientIdScheme,\n type UniformClientIdPrefix,\n zClientIdPrefix,\n zClientIdPrefixToUniform,\n zClientIdToClientIdPrefixAndIdentifier,\n zLegacyClientIdSchemeToClientIdPrefix,\n} from './z-client-id-prefix'\n\ntype ParsedClientIdentifierBase = {\n /**\n * The effective client identifier, and can be used to create and validate the session binding in e.g. the `aud`\n * of the SD-JWT KB-JWT.\n */\n effective: string\n\n /**\n * The identifier part of the client id. E.g. `did:example:123` for `decentralized_identifier:did:example:123`\n */\n identifier: string\n\n /**\n * These are the original raw unvalidated values for the client id. Be cautious with using these.\n */\n original: {\n /**\n * This is the actual `client_id` parameter. 
May be undefined in case of unsigned\n * DC API request.\n */\n clientId?: string\n\n /**\n * This is the legacy `client_id_scheme` parameter\n */\n clientIdScheme?: LegacyClientIdScheme\n }\n}\n\n/**\n * Result of parsing a client identifier\n */\nexport type ParsedClientIdentifier = (\n | {\n prefix: 'redirect_uri'\n redirectUri: string\n clientMetadata?: ClientMetadata\n }\n | {\n prefix: 'openid_federation'\n trustChain?: unknown\n clientMetadata?: never // clientMetadata must be obtained from the entity statement\n }\n | {\n prefix: 'decentralized_identifier'\n didUrl: string\n clientMetadata?: ClientMetadata\n }\n | {\n prefix: 'x509_san_uri' | 'x509_san_dns' | 'x509_hash'\n clientMetadata?: ClientMetadata\n x5c: string[]\n }\n | {\n prefix: 'verifier_attestation' | 'pre-registered' | 'origin'\n clientMetadata?: ClientMetadata\n }\n) &\n ParsedClientIdentifierBase\n\nexport interface GetOpenid4vpClientIdOptions {\n /**\n * The client_id. Could be undefined in case of DC API\n */\n clientId?: string\n\n /**\n * Legacy client id scheme from the authorization request payload\n */\n legacyClientIdScheme?: unknown\n\n responseMode: unknown\n origin?: string\n\n /**\n * The version of OpenID4VP used.\n *\n * Currently it is only used for:\n * - determining whether effective client id is `origin:` or `web-origin:` when DC API is used.\n *\n * When no version is provided, it is assumed version 1.0 (100) is used.\n */\n version?: Openid4vpVersionNumber\n}\n\n/**\n * Get the client id for an authorization request based on the response_mode, client_id, client_id_scheme and origin values.\n *\n * It will return the client id prefix as used in OpenID4VP v1, and optionally provide the legacyClientId if the\n * client id was provided with a client_id_scheme\n */\nexport function getOpenid4vpClientId(options: GetOpenid4vpClientIdOptions): {\n /**\n * The identifier part of the client id. E.g. 
`did:example:123`, or `https://federation.com`\n */\n clientIdIdentifier: string\n\n /**\n * The client id prefix according to the latest verion of OpenID4VP. Older prefixes are\n * transformed into a singular value. Do not use this for checking the actual client id prefix\n * used, but can be used to understand which method is used.\n *\n * E.g. `did` will be put as `decentralized_identifier`\n */\n clientIdPrefix: UniformClientIdPrefix\n\n /**\n * The effective client id prefix, is the client id prefix that was used in the actual request.\n *\n * E.g. `did` will remain as `did`\n */\n effectiveClientIdPrefix: ClientIdPrefix | LegacyClientIdScheme\n\n /**\n * The effective client id is the client id that should be used for validation. E.g. if you're comparing\n * the `aud` claim in a SD-JWT KB-JWT, this is the value where you should match against.\n */\n effectiveClientId: string\n\n /**\n * These are the original raw unvalidated values for the client id\n */\n original: {\n /**\n * This is the actual `client_id` parameter. May be undefined in case of unsigned\n * DC API request.\n */\n clientId?: string\n\n /**\n * This is the legacy `client_id_scheme` parameter\n */\n clientIdScheme?: LegacyClientIdScheme\n }\n} {\n const original = {\n clientId: options.clientId,\n }\n\n const version = options.version ?? 100\n\n // Handle DC API\n if (isOpenid4vpResponseModeDcApi(options.responseMode)) {\n if (!options.clientId) {\n if (!options.origin) {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidRequest,\n error_description:\n \"Failed to parse client identifier. 'origin' is required for requests without a client_id and response_mode 'dc_api' and 'dc_api.jwt'\",\n })\n }\n\n return {\n clientIdPrefix: 'origin',\n effectiveClientIdPrefix: 'origin',\n clientIdIdentifier: options.origin,\n effectiveClientId: version >= 25 ? 
`origin:${options.origin}` : `web-origin:${options.origin}`,\n original,\n }\n }\n\n const parsedClientIdPrefixAndIdentifier = zClientIdToClientIdPrefixAndIdentifier.safeParse(options.clientId)\n if (!parsedClientIdPrefixAndIdentifier.success) {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidRequest,\n error_description: `Failed to parse client identifier. Unsupported client_id '${options.clientId}'.`,\n })\n }\n\n const [clientIdScheme, clientIdIdentifier] = parsedClientIdPrefixAndIdentifier.data\n const uniformClientIdScheme = zClientIdPrefixToUniform.safeParse(clientIdScheme)\n if (!uniformClientIdScheme.success) {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidRequest,\n error_description: `Failed to parse client identifier. Unsupported client_id '${options.clientId}'.`,\n })\n }\n\n return {\n effectiveClientId: options.clientId,\n effectiveClientIdPrefix: clientIdScheme,\n original,\n\n clientIdPrefix: uniformClientIdScheme.data,\n clientIdIdentifier,\n }\n }\n\n // If no DC API, client_id is required\n if (!options.clientId) {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidRequest,\n error_description: `Failed to parse client identifier. Missing required client_id parameter for response_mode '${options.responseMode}'.`,\n })\n }\n\n // Handle legacy client id scheme\n if (options.legacyClientIdScheme) {\n const parsedClientIdPrefix = zLegacyClientIdSchemeToClientIdPrefix.safeParse(options.legacyClientIdScheme)\n if (!parsedClientIdPrefix.success) {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidRequest,\n error_description: `Failed to parse client identifier. 
Unsupported client_id_scheme value '${options.legacyClientIdScheme}'.`,\n })\n }\n\n const clientIdPrefix = parsedClientIdPrefix.data\n\n return {\n effectiveClientId: options.clientId,\n clientIdIdentifier: options.clientId,\n clientIdPrefix,\n effectiveClientIdPrefix: (options.legacyClientIdScheme ?? 'pre-registered') as LegacyClientIdScheme,\n original: {\n ...original,\n clientIdScheme: options.legacyClientIdScheme as LegacyClientIdScheme | undefined,\n },\n }\n }\n\n const parsedClientIdPrefixAndIdentifier = zClientIdToClientIdPrefixAndIdentifier.safeParse(options.clientId)\n if (!parsedClientIdPrefixAndIdentifier.success) {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidRequest,\n error_description: `Failed to parse client identifier. Unsupported client_id '${options.clientId}'.`,\n })\n }\n\n const [clientIdScheme, clientIdIdentifier] = parsedClientIdPrefixAndIdentifier.data\n const uniformClientIdScheme = zClientIdPrefixToUniform.safeParse(clientIdScheme)\n if (!uniformClientIdScheme.success) {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidRequest,\n error_description: `Failed to parse client identifier. Unsupported client_id '${options.clientId}'.`,\n })\n }\n\n // Fall back to modern client id. 
We don't validate it yet, we just want to get the\n // modern client id\n return {\n effectiveClientId: options.clientId,\n clientIdPrefix: uniformClientIdScheme.data,\n effectiveClientIdPrefix: clientIdScheme,\n clientIdIdentifier,\n original,\n }\n}\n\n/**\n * Configuration options for the parser\n */\nexport interface ValidateOpenid4vpClientIdParserConfig {\n supportedSchemes?: UniformClientIdPrefix[]\n}\n\nexport interface ValidateOpenid4vpClientIdOptions {\n authorizationRequestPayload: Openid4vpAuthorizationRequest | Openid4vpAuthorizationRequestDcApi\n jar?: VerifiedJarRequest\n origin?: string\n callbacks: Pick<CallbackContext, 'getX509CertificateMetadata' | 'hash'>\n\n version: Openid4vpVersionNumber\n}\n\n/**\n * Parse and validate a client identifier\n */\nexport async function validateOpenid4vpClientId(\n options: ValidateOpenid4vpClientIdOptions,\n parserConfig?: ValidateOpenid4vpClientIdParserConfig\n): Promise<ParsedClientIdentifier> {\n const { authorizationRequestPayload, jar, origin } = options\n\n // By default require signatures for these schemes\n const parserConfigWithDefaults = {\n supportedSchemes: parserConfig?.supportedSchemes || Object.values(zClientIdPrefix.options),\n }\n\n const { clientIdIdentifier, clientIdPrefix, effectiveClientId, original } = getOpenid4vpClientId({\n clientId: authorizationRequestPayload.client_id,\n legacyClientIdScheme: authorizationRequestPayload.client_id_scheme,\n responseMode: authorizationRequestPayload.response_mode,\n origin,\n })\n\n if (clientIdPrefix === 'pre-registered') {\n return {\n prefix: 'pre-registered',\n identifier: clientIdIdentifier,\n effective: effectiveClientId,\n original,\n }\n }\n\n if (!parserConfigWithDefaults.supportedSchemes.includes(clientIdPrefix)) {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidRequest,\n error_description: `Unsupported client identifier prefix. 
${clientIdPrefix} is not supported.`,\n })\n }\n\n if (clientIdPrefix === 'openid_federation') {\n if (!zHttpsUrl.safeParse(clientIdIdentifier).success) {\n throw new Oauth2ServerErrorResponseError(\n {\n error: Oauth2ErrorCodes.InvalidRequest,\n error_description: 'Invalid client identifier. Client identifier must start with https://',\n },\n {\n internalMessage: `Insecure http:// urls can be enabled by setting the 'allowInsecureUrls' option using setGlobalConfig`,\n }\n )\n }\n\n if (!jar) {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidRequest,\n error_description: 'Using client identifier prefix \"https\" requires a signed JAR request.',\n })\n }\n\n if (jar.signer.method !== 'federation') {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidRequest,\n error_description:\n 'Something went wrong. The JWT signer method is not federation but the client identifier prefix is https.',\n })\n }\n\n return {\n prefix: 'openid_federation',\n identifier: clientIdIdentifier,\n effective: effectiveClientId,\n original,\n trustChain: authorizationRequestPayload.trust_chain,\n }\n }\n\n if (clientIdPrefix === 'redirect_uri') {\n if (jar) {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidRequest,\n error_description: 'Using client identifier prefix \"redirect_uri\" the request MUST NOT be signed.',\n })\n }\n\n if (isOpenid4vpAuthorizationRequestDcApi(authorizationRequestPayload)) {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidRequest,\n error_description: `The client identifier prefix 'redirect_uri' is not supported when using the dc_api response mode.`,\n })\n }\n\n if (authorizationRequestPayload.redirect_uri && authorizationRequestPayload.redirect_uri !== clientIdIdentifier) {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidClient,\n error_description: `When the client identifier prefix is 'redirect_uri', the client id 
identifier MUST match the redirect_uri.`,\n })\n }\n\n if (authorizationRequestPayload.response_uri && authorizationRequestPayload.response_uri !== clientIdIdentifier) {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidClient,\n error_description: `When the client identifier prefix is 'redirect_uri', the client id identifier MUST match the response_uri.`,\n })\n }\n\n return {\n prefix: clientIdPrefix,\n identifier: clientIdIdentifier,\n effective: effectiveClientId,\n original,\n clientMetadata: authorizationRequestPayload.client_metadata,\n redirectUri: (authorizationRequestPayload.redirect_uri ?? authorizationRequestPayload.response_uri) as string,\n }\n }\n\n if (clientIdPrefix === 'decentralized_identifier') {\n if (!jar) {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidRequest,\n error_description: 'Using client identifier prefix \"did\" requires a signed JAR request.',\n })\n }\n\n if (jar.signer.method !== 'did') {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidRequest,\n error_description:\n 'Something went wrong. The JWT signer method is not did but the client identifier prefix is did.',\n })\n }\n\n if (!clientIdIdentifier.startsWith('did:')) {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidRequest,\n error_description: \"Invalid client identifier. 
Client id identifier must start with 'did:'\",\n })\n }\n\n const [did] = jar.signer.didUrl.split('#')\n if (clientIdIdentifier !== did) {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidRequest,\n error_description: `With client identifier prefix '${clientIdPrefix}' the JAR request must be signed by the same DID as the client identifier.`,\n })\n }\n\n return {\n prefix: 'decentralized_identifier',\n identifier: clientIdIdentifier,\n effective: effectiveClientId,\n original,\n clientMetadata: authorizationRequestPayload.client_metadata,\n didUrl: jar.signer.didUrl,\n }\n }\n\n if (clientIdPrefix === 'x509_san_dns' || clientIdPrefix === 'x509_san_uri' || clientIdPrefix === 'x509_hash') {\n if (!jar) {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidRequest,\n error_description: `Using client identifier prefix '${clientIdPrefix}' requires a signed JAR request.`,\n })\n }\n\n if (jar.signer.method !== 'x5c') {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidRequest,\n error_description: `Something went wrong. The JWT signer method is not x5c but the client identifier prefix is '${clientIdPrefix}'`,\n })\n }\n\n if (!options.callbacks.getX509CertificateMetadata) {\n throw new Oauth2ServerErrorResponseError(\n {\n error: Oauth2ErrorCodes.ServerError,\n },\n {\n internalMessage: `Missing required 'getX509CertificateMetadata' callback for verification of '${clientIdPrefix}' client id prefix`,\n }\n )\n }\n\n if (clientIdPrefix === 'x509_san_dns') {\n const { sanDnsNames } = options.callbacks.getX509CertificateMetadata(jar.signer.x5c[0])\n if (!sanDnsNames.includes(clientIdIdentifier)) {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidRequest,\n error_description: `Invalid client identifier. One of the leaf certificates san dns names [${sanDnsNames.join(', ')}] must match the client identifier '${clientIdIdentifier}'. 
`,\n })\n }\n\n if (!isOpenid4vpAuthorizationRequestDcApi(authorizationRequestPayload)) {\n const uri = authorizationRequestPayload.redirect_uri ?? authorizationRequestPayload.response_uri\n if (!uri || new URL(uri).hostname !== clientIdIdentifier) {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidRequest,\n error_description:\n 'Invalid client identifier. The fully qualified domain name of the redirect_uri value MUST match the Client Identifier without the prefix x509_san_dns.',\n })\n }\n }\n } else if (clientIdPrefix === 'x509_san_uri') {\n const { sanUriNames } = options.callbacks.getX509CertificateMetadata(jar.signer.x5c[0])\n if (!sanUriNames.includes(clientIdIdentifier)) {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidRequest,\n error_description: `Invalid client identifier. One of the leaf certificates san uri names [${sanUriNames.join(', ')}] must match the client identifier '${clientIdIdentifier}'.`,\n })\n }\n\n if (!isOpenid4vpAuthorizationRequestDcApi(authorizationRequestPayload)) {\n const uri = authorizationRequestPayload.redirect_uri || authorizationRequestPayload.response_uri\n if (!uri || uri !== clientIdIdentifier) {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidRequest,\n error_description:\n 'The redirect_uri value MUST match the Client Identifier without the prefix x509_san_uri',\n })\n }\n }\n } else if (clientIdPrefix === 'x509_hash') {\n const x509Hash = await calculateX509HashClientIdPrefixValue({\n hash: options.callbacks.hash,\n x509Certificate: jar.signer.x5c[0],\n })\n\n if (x509Hash !== clientIdIdentifier) {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidRequest,\n error_description: `Invalid client identifier. 
Expected the base64url encoded sha-256 hash of the leaf x5c certificate ('${x509Hash}') to match the client identifier '${clientIdIdentifier}'.`,\n })\n }\n }\n\n return {\n prefix: clientIdPrefix,\n identifier: clientIdIdentifier,\n effective: effectiveClientId,\n original,\n x5c: jar.signer.x5c,\n clientMetadata: authorizationRequestPayload.client_metadata,\n }\n }\n\n if (clientIdPrefix === 'origin') {\n return {\n prefix: clientIdPrefix,\n identifier: clientIdIdentifier,\n effective: effectiveClientId,\n original,\n clientMetadata: authorizationRequestPayload.client_metadata,\n }\n }\n\n if (clientIdPrefix === 'verifier_attestation') {\n if (!jar) {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidRequest,\n error_description: 'Using client identifier prefix \"verifier_attestation\" requires a signed JAR request.',\n })\n }\n }\n\n return {\n prefix: clientIdPrefix,\n clientMetadata: authorizationRequestPayload.client_metadata,\n identifier: clientIdIdentifier,\n effective: effectiveClientId,\n original,\n }\n}\n","import { Oauth2ErrorCodes, Oauth2ServerErrorResponseError } from '@openid4vc/oauth2'\nimport { ContentType, createZodFetcher, type Fetch } from '@openid4vc/utils'\nimport { type ClientMetadata, zClientMetadata } from './models/z-client-metadata'\n\nexport async function fetchClientMetadata(options: {\n clientMetadataUri: string\n fetch?: Fetch\n}): Promise<ClientMetadata> {\n const { fetch, clientMetadataUri } = options\n const fetcher = createZodFetcher(fetch)\n\n const { result, response } = await fetcher(zClientMetadata, ContentType.Json, clientMetadataUri, {\n method: 'GET',\n headers: {\n Accept: ContentType.Json,\n },\n })\n\n if (!response.ok) {\n throw new Oauth2ServerErrorResponseError({\n error_description: `Fetching client metadata from '${clientMetadataUri}' failed with status code '${response.status}'.`,\n error: Oauth2ErrorCodes.InvalidRequestUri,\n })\n }\n\n if (!result || !result.success) {\n throw new 
Oauth2ServerErrorResponseError({\n error_description: `Parsing client metadata from '${clientMetadataUri}' failed.`,\n error: Oauth2ErrorCodes.InvalidRequestObject,\n })\n }\n\n return result.data\n}\n","import { Oauth2ErrorCodes, Oauth2ServerErrorResponseError } from '@openid4vc/oauth2'\nimport type { Openid4vpAuthorizationRequest } from './authorization-request/z-authorization-request'\nimport {\n isOpenid4vpAuthorizationRequestDcApi,\n type Openid4vpAuthorizationRequestDcApi,\n} from './authorization-request/z-authorization-request-dc-api'\nimport { zClientIdPrefix } from './client-identifier-prefix/z-client-id-prefix'\n\n/**\n * The Openid4vpVersionNumber\n *\n * 100 means 1.0 final, all others are draft versions\n */\nexport type Openid4vpVersionNumber = 18 | 19 | 20 | 21 | 22 | 23 | 24 | 25 | 26 | 27 | 28 | 100\n\nexport function parseAuthorizationRequestVersion(\n request: Openid4vpAuthorizationRequest | Openid4vpAuthorizationRequestDcApi\n): Openid4vpVersionNumber {\n const requirements: ['<' | '>=', Openid4vpVersionNumber][] = []\n // 29\n if (request.verifier_info) {\n requirements.push(['>=', 100])\n }\n if (request.verifier_attestations) {\n requirements.push(['<', 100])\n }\n\n // 28\n if (\n request.client_metadata?.vp_formats_supported?.mso_mdoc?.deviceauth_alg_values ||\n request.client_metadata?.vp_formats_supported?.mso_mdoc?.deviceauth_alg_values\n ) {\n requirements.push(['>=', 28])\n }\n\n if (\n request.client_metadata?.vp_formats_supported?.mso_mdoc?.issuer_signed_alg_values ||\n request.client_metadata?.vp_formats_supported?.mso_mdoc?.device_signed_alg_values\n ) {\n requirements.push(['<', 28])\n }\n\n // 27\n\n if (request.client_metadata?.vp_formats_supported) {\n requirements.push(['>=', 27])\n }\n if (request.client_metadata?.vp_formats) {\n requirements.push(['<', 27])\n }\n\n // 26\n if (\n request.client_id?.startsWith('openid_federation:') ||\n request.client_id?.startsWith('decentralized_identifier:')\n ) {\n 
requirements.push(['>=', 26])\n }\n\n if (request.client_id?.startsWith('did:')) {\n requirements.push(['<', 26])\n }\n\n if (request.presentation_definition || request.presentation_definition_uri) {\n requirements.push(['<', 26])\n }\n\n if (request.verifier_attestations) {\n requirements.push(['>=', 26])\n }\n\n // 25\n if (request.client_id?.startsWith('x509_san_uri:')) {\n requirements.push(['<', 25])\n }\n\n if (request.client_id?.startsWith('x509_hash:')) {\n requirements.push(['>=', 25])\n }\n\n if (request.client_id?.startsWith('web-origin:')) {\n requirements.push(['<', 25])\n }\n\n if (request.client_id?.startsWith('origin:')) {\n requirements.push(['>=', 25])\n }\n\n // 23\n if (\n isOpenid4vpAuthorizationRequestDcApi(request) &&\n (request.response_mode === 'w3c_dc_api' || request.response_mode === 'w3c_dc_api.jwt')\n ) {\n requirements.push(['<', 23])\n requirements.push(['>=', 21])\n }\n\n if (\n isOpenid4vpAuthorizationRequestDcApi(request) &&\n (request.response_mode === 'dc_api' || request.response_mode === 'dc_api.jwt')\n ) {\n requirements.push(['>=', 23])\n }\n\n if (isOpenid4vpAuthorizationRequestDcApi(request) && (request.transaction_data || request.dcql_query)) {\n requirements.push(['>=', 23])\n }\n\n // 22\n\n if (request.transaction_data) {\n requirements.push(['>=', 22])\n }\n\n if (request.client_id_scheme) {\n requirements.push(['<', 22])\n }\n\n // what happens if we don't have a client_id_scheme?\n\n // if the client_id is prefixed with a scheme, we know for sure that the version is >= 22\n // if it is not prefixed we don't know anything since it can default in all versions to pre-registered\n if (request.client_id) {\n const colonIndex = request.client_id.indexOf(':')\n const schemePart = request.client_id.substring(0, colonIndex)\n const parsedScheme = zClientIdPrefix.safeParse(schemePart)\n\n // we know this for sure\n if (parsedScheme.success && parsedScheme.data !== 'did' && parsedScheme.data !== 'https') {\n 
requirements.push(['>=', 22])\n }\n }\n\n // 21\n\n // only possible with dc_api which is available in 21\n if (!request.client_id) {\n requirements.push(['>=', 21])\n }\n\n // NOTE: DCQL was added in 22, but we've used it with draft 21 before, so it's\n // not 100% correct, but prevents interop issues\n if (request.dcql_query) {\n requirements.push(['>=', 21])\n }\n\n if (request.client_metadata_uri) {\n requirements.push(['<', 21])\n }\n\n if (isOpenid4vpAuthorizationRequestDcApi(request)) {\n requirements.push(['>=', 21])\n }\n\n if (request.request_uri_method || request.wallet_nonce) {\n requirements.push(['>=', 21])\n }\n\n // 20\n\n if (request.client_id_scheme === 'verifier_attestation') {\n requirements.push(['>=', 20])\n }\n\n // 19\n\n if (request.client_id_scheme === 'x509_san_dns' || request.client_id_scheme === 'x509_san_uri') {\n requirements.push(['>=', 19])\n }\n\n // The minimum version which satisfies all requirements\n const lessThanVersions = requirements.filter(([operator]) => operator === '<').map(([_, version]) => version)\n\n const greaterThanVersions = requirements.filter(([operator]) => operator === '>=').map(([_, version]) => version)\n\n // Find the minimum version that satisfies all \"less than\" constraints\n const highestPossibleVersion =\n lessThanVersions.length > 0\n ? (Math.max(Math.min(...lessThanVersions) - 1, 18) as Openid4vpVersionNumber)\n : (100 as const) // Default to highest version\n\n // Find the maximum version that satisfies all \"greater than or equal to\" constraints\n const lowestRequiredVersion =\n greaterThanVersions.length > 0 ? 
(Math.max(...greaterThanVersions) as Openid4vpVersionNumber) : (18 as const) // Default to lowest version\n\n // The acceptable range is [lowestRequiredVersion, highestPossibleVersion]\n // We return the lowest possible version that satisfies all constraints\n if (lowestRequiredVersion > highestPossibleVersion) {\n // No valid version exists that satisfies all constraints\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidRequest,\n error_description: `Could not infer openid4vp version from the openid4vp request payload. Based on specification requirements, lowest required version is ${lowestRequiredVersion} and highest possible version is ${highestPossibleVersion}`,\n })\n }\n\n return highestPossibleVersion\n}\n","import { Oauth2ErrorCodes, Oauth2ServerErrorResponseError } from '@openid4vc/oauth2'\nimport { ContentType, createFetcher, type Fetch, objectToQueryParams } from '@openid4vc/utils'\nimport type { ClientIdPrefix } from '../../client-identifier-prefix/z-client-id-prefix'\nimport type { WalletMetadata } from '../../models/z-wallet-metadata'\n\n/**\n * Fetch a request object and parse the response.\n * If you want to fetch the request object without providing wallet_metadata or wallet_nonce as defined in jar you can use the `fetchJarRequestObject` function.\n *\n * Returns validated request object if successful response\n * Throws error otherwise\n *\n * @throws {ValidationError} if successful response but validation of response failed\n * @throws {InvalidFetchResponseError} if no successful or 404 response\n * @throws {Error} if parsing json from response fails\n */\nexport async function fetchJarRequestObject(options: {\n requestUri: string\n clientIdPrefix?: ClientIdPrefix\n method: 'get' | 'post'\n wallet: {\n metadata?: WalletMetadata\n nonce?: string\n }\n fetch?: Fetch\n}): Promise<string> {\n const { requestUri, clientIdPrefix, method, wallet, fetch } = options\n\n let requestBody = wallet.metadata ? 
{ wallet_metadata: wallet.metadata, wallet_nonce: wallet.nonce } : undefined\n if (requestBody?.wallet_metadata?.request_object_signing_alg_values_supported && clientIdPrefix === 'redirect_uri') {\n // This value indicates that the Client Identifier (without the prefix redirect_uri:) is the Verifier's Redirect URI (or Response URI when Response Mode direct_post is used). The Authorization Request MUST NOT be signed.\n const { request_object_signing_alg_values_supported, ...rest } = requestBody.wallet_metadata\n requestBody = { ...requestBody, wallet_metadata: { ...rest } }\n }\n\n const response = await createFetcher(fetch)(requestUri, {\n method,\n body: method === 'post' ? objectToQueryParams(wallet.metadata ?? {}) : undefined,\n headers: {\n Accept: `${ContentType.OAuthAuthorizationRequestJwt}, ${ContentType.Jwt};q=0.9, text/plain`,\n 'Content-Type': ContentType.XWwwFormUrlencoded,\n },\n }).catch(() => {\n throw new Oauth2ServerErrorResponseError({\n error_description: `Fetching request_object from request_uri '${requestUri}' failed`,\n error: Oauth2ErrorCodes.InvalidRequestUri,\n })\n })\n\n if (!response.ok) {\n throw new Oauth2ServerErrorResponseError({\n error_description: `Fetching request_object from request_uri '${requestUri}' failed with status code '${response.status}'.`,\n error: Oauth2ErrorCodes.InvalidRequestUri,\n })\n }\n\n return await response.text()\n}\n","import {\n type CallbackContext,\n type DecodeJwtResult,\n decodeJwt,\n type JarRequestObjectPayload,\n type Jwk,\n type JwtSigner,\n type JwtSignerWithJwk,\n jwtSignerFromJwt,\n Oauth2Error,\n Oauth2ErrorCodes,\n Oauth2ServerErrorResponseError,\n signedAuthorizationRequestJwtHeaderTyp,\n validateJarRequestParams,\n verifyJwt,\n zCompactJwe,\n zCompactJwt,\n zJarRequestObjectPayload,\n} from '@openid4vc/oauth2'\nimport { isOpenid4vpResponseModeDcApi } from '../../authorization-request/z-authorization-request-dc-api'\nimport { getOpenid4vpClientId } from 
'../../client-identifier-prefix/parse-client-identifier-prefix'\nimport {\n type ClientIdPrefix,\n type UniformClientIdPrefix,\n zClientIdPrefix,\n} from '../../client-identifier-prefix/z-client-id-prefix'\nimport type { WalletMetadata } from '../../models/z-wallet-metadata'\nimport { parseAuthorizationRequestVersion } from '../../version'\nimport { fetchJarRequestObject } from '../jar-request-object/fetch-jar-request-object'\nimport type { Openid4vpJarAuthorizationRequest } from '../z-jar-authorization-request'\n\nexport interface VerifyJarRequestOptions {\n jarRequestParams: Openid4vpJarAuthorizationRequest\n callbacks: Pick<CallbackContext, 'verifyJwt' | 'decryptJwe' | 'fetch'>\n wallet?: {\n metadata?: WalletMetadata\n nonce?: string\n }\n}\n\nexport interface VerifiedJarRequest {\n authorizationRequestPayload: JarRequestObjectPayload\n sendBy: 'value' | 'reference'\n decryptionJwk?: Jwk\n signer: JwtSignerWithJwk\n jwt: DecodeJwtResult<undefined, typeof zJarRequestObjectPayload>\n}\n\n/**\n * Verifies a JAR (JWT Secured Authorization Request) request by validating, decrypting, and verifying signatures.\n *\n * @param options - The input parameters\n * @param options.jarRequestParams - The JAR authorization request parameters\n * @param options.callbacks - Context containing the relevant Jose crypto operations\n * @returns The verified authorization request parameters and metadata\n */\nexport async function verifyJarRequest(options: VerifyJarRequestOptions): Promise<VerifiedJarRequest> {\n const { callbacks, wallet = {} } = options\n\n const jarRequestParams = {\n ...validateJarRequestParams(options),\n ...options.jarRequestParams,\n } as Openid4vpJarAuthorizationRequest & ReturnType<typeof validateJarRequestParams>\n\n const sendBy = jarRequestParams.request ? 
'value' : 'reference'\n\n // We can't know the client id prefix here if draft was before client_id_scheme became prefix\n const clientIdPrefix: ClientIdPrefix | undefined = jarRequestParams.client_id\n ? zClientIdPrefix.safeParse(jarRequestParams.client_id.split(':')[0]).data\n : 'origin'\n\n const method = jarRequestParams.request_uri_method ?? 'get'\n if (method !== 'get' && method !== 'post') {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidRequestUriMethod,\n error_description: `Invalid request_uri_method. Must be 'get' or 'post'.`,\n })\n }\n\n const requestObject =\n jarRequestParams.request ??\n (await fetchJarRequestObject({\n requestUri: jarRequestParams.request_uri,\n clientIdPrefix,\n method,\n wallet,\n fetch: callbacks.fetch,\n }))\n\n const requestObjectIsEncrypted = zCompactJwe.safeParse(requestObject).success\n const { decryptionJwk, payload: decryptedRequestObject } = requestObjectIsEncrypted\n ? await decryptJarRequest({ jwe: requestObject, callbacks })\n : { payload: requestObject, decryptionJwk: undefined }\n\n const requestIsSigned = zCompactJwt.safeParse(decryptedRequestObject).success\n if (!requestIsSigned) {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidRequestObject,\n error_description: 'JAR request object is not a valid JWT.',\n })\n }\n\n const { authorizationRequestPayload, signer, jwt } = await verifyJarRequestObject({\n decryptedRequestObject,\n callbacks,\n })\n if (!authorizationRequestPayload.client_id) {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidRequestObject,\n error_description: 'Jar Request Object is missing the required \"client_id\" field.',\n })\n }\n\n // Expect the client_id from the jar request to match the payload, but only if we're not using DC API\n if (\n !isOpenid4vpResponseModeDcApi(authorizationRequestPayload.response_mode) &&\n jarRequestParams.client_id !== authorizationRequestPayload.client_id\n ) {\n throw new 
Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidRequest,\n error_description: 'client_id does not match the request object client_id.',\n })\n }\n if (\n jarRequestParams.client_id_scheme &&\n jarRequestParams.client_id_scheme !== authorizationRequestPayload.client_id_scheme\n ) {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidRequest,\n error_description: 'client_id_scheme does not match the request object client_id_scheme.',\n })\n }\n\n return {\n sendBy,\n jwt,\n authorizationRequestPayload,\n signer,\n decryptionJwk,\n }\n}\n\nasync function decryptJarRequest(options: { jwe: string; callbacks: Pick<CallbackContext, 'decryptJwe'> }) {\n const { jwe, callbacks } = options\n\n const { header } = decodeJwt({ jwt: jwe })\n if (!header.kid) {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidRequestObject,\n error_description: 'Jar JWE is missing the protected header field \"kid\".',\n })\n }\n\n const decryptionResult = await callbacks.decryptJwe(jwe)\n if (!decryptionResult.decrypted) {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidRequestObject,\n error_description: 'Failed to decrypt jar request object.',\n })\n }\n\n return decryptionResult\n}\n\nasync function verifyJarRequestObject(options: {\n decryptedRequestObject: string\n callbacks: Pick<CallbackContext, 'verifyJwt'>\n}) {\n const { decryptedRequestObject, callbacks } = options\n\n const jwt = decodeJwt({ jwt: decryptedRequestObject, payloadSchema: zJarRequestObjectPayload })\n\n let jwtSigner: JwtSigner\n\n const { clientIdPrefix } = getOpenid4vpClientId({\n responseMode: jwt.payload.response_mode,\n clientId: jwt.payload.client_id,\n legacyClientIdScheme: jwt.payload.client_id_scheme,\n })\n\n // Allowed signer methods for each of the client id schemes\n const clientIdToSignerMethod: Record<UniformClientIdPrefix, JwtSigner['method'][]> = {\n decentralized_identifier: ['did'],\n\n 
'pre-registered': ['custom', 'did', 'jwk'],\n origin: [], // no signing allowed\n redirect_uri: [], // no signing allowed\n\n // Not 100% sure which one are allowed?\n verifier_attestation: ['did', 'federation', 'jwk', 'x5c', 'custom'],\n\n x509_san_dns: ['x5c'],\n x509_san_uri: ['x5c'],\n x509_hash: ['x5c'],\n\n // Handled separately\n openid_federation: [],\n }\n\n // The logic to determine the signer for a JWT is different for signed authorization request and federation\n if (clientIdPrefix === 'openid_federation') {\n if (!jwt.header.kid) {\n throw new Oauth2Error(\n `When OpenID Federation is used for signed authorization request, the 'kid' parameter is required.`\n )\n }\n\n jwtSigner = {\n method: 'federation',\n alg: jwt.header.alg,\n trustChain: jwt.payload.trust_chain,\n kid: jwt.header.kid,\n }\n } else {\n jwtSigner = jwtSignerFromJwt({ ...jwt, allowedSignerMethods: clientIdToSignerMethod[clientIdPrefix] })\n }\n\n const { signer } = await verifyJwt({\n verifyJwtCallback: callbacks.verifyJwt,\n compact: decryptedRequestObject,\n header: jwt.header,\n payload: jwt.payload,\n signer: jwtSigner,\n })\n\n // biome-ignore lint/suspicious/noExplicitAny: no explanation\n const version = parseAuthorizationRequestVersion(jwt.payload as any)\n if (jwt.header.typ !== signedAuthorizationRequestJwtHeaderTyp && version >= 24) {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidRequestObject,\n error_description: `Invalid Jar Request Object typ header. 
Expected \"oauth-authz-req+jwt\", received \"${jwt.header.typ}\".`,\n })\n }\n\n return {\n signer,\n jwt,\n authorizationRequestPayload: jwt.payload,\n }\n}\n","import { z } from 'zod'\n\nexport const zTransactionEntry = z\n .object({\n type: z.string(),\n credential_ids: z.tuple([z.string()], z.string()),\n\n // SD-JWT VC specific\n transaction_data_hashes_alg: z.tuple([z.string()], z.string()).optional(),\n })\n .loose()\nexport type TransactionDataEntry = z.infer<typeof zTransactionEntry>\n\nexport const zTransactionData = z.array(zTransactionEntry)\nexport type TransactionData = z.infer<typeof zTransactionData>\n","import { Oauth2ErrorCodes, Oauth2ServerErrorResponseError } from '@openid4vc/oauth2'\nimport { decodeBase64, encodeToUtf8String, parseIfJson } from '@openid4vc/utils'\nimport { type TransactionDataEntry, zTransactionData } from './z-transaction-data'\n\nexport interface ParseTransactionDataOptions {\n transactionData: string[]\n}\n\nexport interface ParsedTransactionDataEntry {\n transactionData: TransactionDataEntry\n transactionDataIndex: number\n encoded: string\n}\n\nexport function parseTransactionData(options: ParseTransactionDataOptions): ParsedTransactionDataEntry[] {\n const { transactionData } = options\n\n const decoded = transactionData.map((tdEntry) => parseIfJson(encodeToUtf8String(decodeBase64(tdEntry))))\n\n const parsedResult = zTransactionData.safeParse(decoded)\n if (!parsedResult.success) {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidTransactionData,\n error_description: 'Failed to parse transaction data.',\n })\n }\n\n return parsedResult.data.map((decoded, index) => ({\n transactionData: decoded,\n encoded: transactionData[index],\n transactionDataIndex: index,\n }))\n}\n","import { type CallbackContext, Oauth2ErrorCodes, Oauth2ServerErrorResponseError } from '@openid4vc/oauth2'\nimport { parseWithErrorHandling } from '@openid4vc/utils'\nimport z from 'zod'\nimport {\n type 
ParsedClientIdentifier,\n validateOpenid4vpClientId,\n} from '../client-identifier-prefix/parse-client-identifier-prefix'\nimport { fetchClientMetadata } from '../fetch-client-metadata'\nimport { type VerifiedJarRequest, verifyJarRequest } from '../jar/handle-jar-request/verify-jar-request'\nimport {\n isJarAuthorizationRequest,\n type Openid4vpJarAuthorizationRequest,\n zOpenid4vpJarAuthorizationRequest,\n} from '../jar/z-jar-authorization-request'\nimport type { PexPresentationDefinition } from '../models/z-pex'\nimport { type ParsedTransactionDataEntry, parseTransactionData } from '../transaction-data/parse-transaction-data'\nimport { type Openid4vpVersionNumber, parseAuthorizationRequestVersion } from '../version'\nimport {\n validateOpenid4vpAuthorizationRequestPayload,\n type WalletVerificationOptions,\n} from './validate-authorization-request'\nimport { validateOpenid4vpAuthorizationRequestDcApiPayload } from './validate-authorization-request-dc-api'\nimport { type Openid4vpAuthorizationRequest, zOpenid4vpAuthorizationRequest } from './z-authorization-request'\nimport {\n isOpenid4vpAuthorizationRequestDcApi,\n type Openid4vpAuthorizationRequestDcApi,\n zOpenid4vpAuthorizationRequestDcApi,\n} from './z-authorization-request-dc-api'\n\nexport interface ResolveOpenid4vpAuthorizationRequestOptions {\n authorizationRequestPayload:\n | Openid4vpAuthorizationRequest\n | Openid4vpAuthorizationRequestDcApi\n | Openid4vpJarAuthorizationRequest\n wallet?: WalletVerificationOptions\n origin?: string\n disableOriginValidation?: boolean\n callbacks: Pick<CallbackContext, 'verifyJwt' | 'decryptJwe' | 'getX509CertificateMetadata' | 'fetch' | 'hash'>\n}\n\nexport type ResolvedOpenid4vpAuthorizationRequest = {\n transactionData?: ParsedTransactionDataEntry[]\n authorizationRequestPayload: Openid4vpAuthorizationRequest | Openid4vpAuthorizationRequestDcApi\n jar: VerifiedJarRequest | undefined\n client: ParsedClientIdentifier\n pex?: {\n presentation_definition?: 
PexPresentationDefinition\n presentation_definition_uri?: string\n }\n dcql?: { query: unknown } | undefined\n\n /**\n * The highest possible version number based on (draft)-version checks done on the request.\n *\n * 100 means 1.0 final, all other numbers are draft versions.\n */\n version: Openid4vpVersionNumber\n}\n\nexport async function resolveOpenid4vpAuthorizationRequest(\n options: ResolveOpenid4vpAuthorizationRequestOptions\n): Promise<ResolvedOpenid4vpAuthorizationRequest> {\n const { wallet, callbacks, origin, disableOriginValidation } = options\n\n let authorizationRequestPayload:\n | Openid4vpAuthorizationRequest\n | (Openid4vpAuthorizationRequestDcApi & { presentation_definition_uri?: never })\n\n const parsed = parseWithErrorHandling(\n z.union([zOpenid4vpAuthorizationRequestDcApi, zOpenid4vpAuthorizationRequest, zOpenid4vpJarAuthorizationRequest]),\n options.authorizationRequestPayload,\n 'Invalid authorization request. Could not parse openid4vp authorization request as openid4vp or jar auth request.'\n )\n\n let jar: VerifiedJarRequest | undefined\n if (isJarAuthorizationRequest(parsed)) {\n jar = await verifyJarRequest({ jarRequestParams: parsed, callbacks, wallet })\n\n const parsedJarAuthorizationRequestPayload = parseWithErrorHandling(\n z.union([zOpenid4vpAuthorizationRequestDcApi, zOpenid4vpAuthorizationRequest]),\n jar.authorizationRequestPayload,\n 'Invalid authorization request. 
Could not parse jar request payload as openid4vp auth request.'\n )\n\n authorizationRequestPayload = validateOpenId4vpAuthorizationRequestPayload({\n authorizationRequestPayload: parsedJarAuthorizationRequestPayload,\n wallet,\n jar: true,\n origin,\n disableOriginValidation,\n })\n } else {\n authorizationRequestPayload = validateOpenId4vpAuthorizationRequestPayload({\n authorizationRequestPayload: parsed,\n wallet,\n jar: false,\n origin,\n disableOriginValidation,\n })\n }\n\n const version = parseAuthorizationRequestVersion(authorizationRequestPayload)\n let clientMetadata = authorizationRequestPayload.client_metadata\n if (\n !isOpenid4vpAuthorizationRequestDcApi(authorizationRequestPayload) &&\n !clientMetadata &&\n authorizationRequestPayload.client_metadata_uri\n ) {\n clientMetadata = await fetchClientMetadata({ clientMetadataUri: authorizationRequestPayload.client_metadata_uri })\n }\n\n const clientMeta = await validateOpenid4vpClientId({\n authorizationRequestPayload: {\n ...authorizationRequestPayload,\n client_metadata: clientMetadata,\n },\n jar,\n callbacks,\n origin,\n version,\n })\n\n let pex: ResolvedOpenid4vpAuthorizationRequest['pex'] | undefined\n let dcql: ResolvedOpenid4vpAuthorizationRequest['dcql'] | undefined\n\n if (authorizationRequestPayload.presentation_definition || authorizationRequestPayload.presentation_definition_uri) {\n if (authorizationRequestPayload.presentation_definition_uri) {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidRequest,\n error_description: 'Cannot fetch presentation definition from URI. 
Not supported.',\n })\n }\n\n pex = {\n presentation_definition: authorizationRequestPayload.presentation_definition,\n presentation_definition_uri: authorizationRequestPayload.presentation_definition_uri,\n }\n }\n\n if (authorizationRequestPayload.dcql_query) {\n dcql = { query: authorizationRequestPayload.dcql_query }\n }\n\n const transactionData = authorizationRequestPayload.transaction_data\n ? parseTransactionData({ transactionData: authorizationRequestPayload.transaction_data })\n : undefined\n\n return {\n transactionData,\n authorizationRequestPayload,\n jar,\n client: clientMeta,\n pex,\n dcql,\n version,\n }\n}\n\nfunction validateOpenId4vpAuthorizationRequestPayload(options: {\n authorizationRequestPayload: Openid4vpAuthorizationRequest | Openid4vpAuthorizationRequestDcApi\n wallet?: WalletVerificationOptions\n jar: boolean\n origin?: string\n disableOriginValidation?: boolean\n}) {\n const { authorizationRequestPayload, wallet, jar, origin, disableOriginValidation } = options\n\n if (isOpenid4vpAuthorizationRequestDcApi(authorizationRequestPayload)) {\n validateOpenid4vpAuthorizationRequestDcApiPayload({\n params: authorizationRequestPayload,\n isJarRequest: jar,\n disableOriginValidation,\n origin,\n })\n\n return authorizationRequestPayload\n }\n\n validateOpenid4vpAuthorizationRequestPayload({\n params: authorizationRequestPayload,\n walletVerificationOptions: wallet,\n })\n return authorizationRequestPayload\n}\n","/**\n * Get the time in seconds since epoch for a date.\n * If date is not provided the current time will be used.\n */\nexport function dateToSeconds(date?: Date) {\n const milliseconds = date?.getTime() ?? 
Date.now()\n\n return Math.floor(milliseconds / 1000)\n}\n\nexport function addSecondsToDate(date: Date, seconds: number) {\n return new Date(date.getTime() + seconds * 1000)\n}\n","import {\n type CallbackContext,\n type JweEncryptor,\n type JwtSigner,\n jwtHeaderFromJwtSigner,\n Oauth2Error,\n} from '@openid4vc/oauth2'\nimport type {\n JarmAuthorizationResponse,\n JarmAuthorizationResponseEncryptedOnly,\n} from './jarm-authorization-response/z-jarm-authorization-response'\n\nexport interface CreateJarmAuthorizationResponseOptions {\n jarmAuthorizationResponse: JarmAuthorizationResponse | JarmAuthorizationResponseEncryptedOnly\n jwtSigner?: JwtSigner\n jweEncryptor?: JweEncryptor\n callbacks: Pick<CallbackContext, 'signJwt' | 'encryptJwe'>\n}\n\nexport async function createJarmAuthorizationResponse(options: CreateJarmAuthorizationResponseOptions) {\n const { jarmAuthorizationResponse, jweEncryptor, jwtSigner, callbacks } = options\n if (!jwtSigner && jweEncryptor) {\n const { jwe } = await callbacks.encryptJwe(jweEncryptor, JSON.stringify(jarmAuthorizationResponse))\n return { jarmAuthorizationResponseJwt: jwe }\n }\n\n if (jwtSigner && !jweEncryptor) {\n const signed = await callbacks.signJwt(jwtSigner, {\n header: jwtHeaderFromJwtSigner(jwtSigner),\n payload: jarmAuthorizationResponse,\n })\n return { jarmAuthorizationResponseJwt: signed.jwt }\n }\n\n if (!jwtSigner || !jweEncryptor) {\n throw new Oauth2Error('JWT signer and/or encryptor are required to create a JARM auth response.')\n }\n const signed = await callbacks.signJwt(jwtSigner, {\n header: jwtHeaderFromJwtSigner(jwtSigner),\n payload: jarmAuthorizationResponse,\n })\n\n const encrypted = await callbacks.encryptJwe(jweEncryptor, signed.jwt)\n\n return { jarmAuthorizationResponseJwt: encrypted.jwe }\n}\n","import type { JwkSet } from '@openid4vc/oauth2'\n\nexport function extractEncryptionJwkFromJwks(\n jwks: JwkSet,\n {\n kid,\n supportedAlgValues,\n }: {\n kid?: string\n supportedAlgValues?: 
string[]\n }\n) {\n if (kid) {\n return jwks.keys.find((jwk) => jwk.kid === kid)\n }\n\n let algFiltered = jwks.keys.filter((key) => key.alg && supportedAlgValues?.includes(key.alg))\n if (algFiltered.length === 0) algFiltered = jwks.keys\n\n let encFiltered = algFiltered.filter((key) => key.use === 'enc')\n if (!encFiltered) encFiltered = algFiltered.filter((key) => key.use !== 'sig')\n\n return encFiltered.length > 0 ? encFiltered[0] : jwks.keys[0]\n}\n","import { z } from 'zod'\n\nexport const jarmResponseMode = [\n 'jwt',\n 'query.jwt',\n 'fragment.jwt',\n 'form_post.jwt',\n 'direct_post.jwt',\n 'dc_api.jwt',\n] as const\nexport const zJarmResponseMode = z.enum(jarmResponseMode)\n\nexport type JarmResponseMode = (typeof jarmResponseMode)[number]\n\nexport const isJarmResponseMode = (responseMode: string): responseMode is JarmResponseMode => {\n return jarmResponseMode.includes(responseMode as JarmResponseMode)\n}\n","import { Oauth2Error } from '@openid4vc/oauth2'\nimport type { JarmServerMetadata } from './z-jarm-authorization-server-metadata'\nimport { type JarmClientMetadata, zJarmClientMetadataParsed } from './z-jarm-client-metadata'\n\ninterface AssertValueSupported<T> {\n supported: T[]\n actual: T\n errorMessage: string\n}\n\nexport function assertValueSupported<T>(options: AssertValueSupported<T>): T {\n const { errorMessage, supported, actual } = options\n const intersection = supported.find((value) => value === actual)\n\n if (!intersection) {\n throw new Oauth2Error(errorMessage)\n }\n\n return intersection\n}\n\nexport function jarmAssertMetadataSupported(options: {\n clientMetadata: JarmClientMetadata\n serverMetadata: JarmServerMetadata\n}) {\n const { clientMetadata, serverMetadata } = options\n const parsedClientMetadata = zJarmClientMetadataParsed.parse(clientMetadata)\n\n if (parsedClientMetadata.type === 'sign_encrypt' || parsedClientMetadata.type === 'encrypt') {\n if (serverMetadata.authorization_encryption_alg_values_supported) {\n 
assertValueSupported({\n supported: serverMetadata.authorization_encryption_alg_values_supported,\n actual: parsedClientMetadata.client_metadata.authorization_encrypted_response_alg,\n errorMessage: 'Invalid authorization_encryption_alg',\n })\n }\n\n if (serverMetadata.authorization_encryption_enc_values_supported) {\n assertValueSupported({\n supported: serverMetadata.authorization_encryption_enc_values_supported,\n actual: parsedClientMetadata.client_metadata.authorization_encrypted_response_enc,\n errorMessage: 'Invalid authorization_encryption_enc',\n })\n }\n }\n\n if (\n serverMetadata.authorization_signing_alg_values_supported &&\n (parsedClientMetadata.type === 'sign' || parsedClientMetadata.type === 'sign_encrypt')\n ) {\n assertValueSupported({\n supported: serverMetadata.authorization_signing_alg_values_supported,\n actual: parsedClientMetadata.client_metadata.authorization_signed_response_alg,\n errorMessage: 'Invalid authorization_signed_response_alg',\n })\n }\n\n return parsedClientMetadata\n}\n","import {\n type CallbackContext,\n fetchJwks,\n type Jwk,\n type JwkSet,\n type JwtSigner,\n Oauth2Error,\n Oauth2ErrorCodes,\n Oauth2ServerErrorResponseError,\n} from '@openid4vc/oauth2'\nimport { dateToSeconds, encodeToBase64Url } from '@openid4vc/utils'\nimport { addSecondsToDate } from '../../../utils/src/date'\nimport type { Openid4vpAuthorizationRequest } from '../authorization-request/z-authorization-request'\nimport type { Openid4vpAuthorizationRequestDcApi } from '../authorization-request/z-authorization-request-dc-api'\nimport { getOpenid4vpClientId } from '../client-identifier-prefix/parse-client-identifier-prefix'\nimport { createJarmAuthorizationResponse } from '../jarm/jarm-authorization-response-create'\nimport { extractEncryptionJwkFromJwks } from '../jarm/jarm-extract-jwks'\nimport { isJarmResponseMode } from '../jarm/jarm-response-mode'\nimport { assertValueSupported, jarmAssertMetadataSupported } from 
'../jarm/metadata/jarm-assert-metadata-supported'\nimport type { JarmServerMetadata } from '../jarm/metadata/z-jarm-authorization-server-metadata'\nimport type { ClientMetadata } from '../models/z-client-metadata'\nimport type { Openid4vpAuthorizationResponse } from './z-authorization-response'\n\nexport interface CreateOpenid4vpAuthorizationResponseOptions {\n authorizationRequestPayload: Openid4vpAuthorizationRequest | Openid4vpAuthorizationRequestDcApi\n\n /**\n * Optional client metadata to use for sending the authorization response. In case of e.g. OpenID Federation\n * the client metadata needs to be resolved and verified externally.\n */\n clientMetadata?: ClientMetadata\n\n /**\n * The origin of the reuqest, required when creating a response for the Digital Credentials API.\n */\n origin?: string\n\n authorizationResponsePayload: Openid4vpAuthorizationResponse & { state?: never }\n jarm?: {\n jwtSigner?: JwtSigner\n encryption?: {\n nonce: string\n\n /**\n * The JWK that should be used for encryption of the JARM response.\n *\n * If not defined, the Jwk will be determined based on the client_metadata.\n */\n jwk?: Jwk\n }\n serverMetadata: JarmServerMetadata\n authorizationServer?: string // The issuer URL of the authorization server that created the response\n audience?: string // The client_id of the client the response is intended for\n expiresInSeconds?: number // The expiration time of the JWT. A maximum JWT lifetime of 10 minutes is RECOMMENDED.\n }\n callbacks: Pick<CallbackContext, 'signJwt' | 'encryptJwe' | 'fetch'>\n}\n\nexport interface CreateOpenid4vpAuthorizationResponseResult {\n authorizationResponsePayload: Openid4vpAuthorizationResponse\n jarm?: {\n responseJwt: string\n /**\n * The JWK used to encrypt the JARM response. 
Only defined if the response is encrypted.\n */\n encryptionJwk?: Jwk\n }\n}\n\nexport async function createOpenid4vpAuthorizationResponse(\n options: CreateOpenid4vpAuthorizationResponseOptions\n): Promise<CreateOpenid4vpAuthorizationResponseResult> {\n const { authorizationRequestPayload, jarm, callbacks, origin } = options\n\n const authorizationResponsePayload = {\n ...options.authorizationResponsePayload,\n state: authorizationRequestPayload.state,\n } satisfies Openid4vpAuthorizationResponse\n\n const { clientIdPrefix } = getOpenid4vpClientId({\n responseMode: authorizationRequestPayload.response_mode,\n clientId: authorizationRequestPayload.client_id,\n legacyClientIdScheme: authorizationRequestPayload.client_id_scheme,\n origin,\n })\n\n if (\n authorizationRequestPayload.response_mode &&\n isJarmResponseMode(authorizationRequestPayload.response_mode) &&\n !jarm\n ) {\n throw new Oauth2Error(\n `Missing jarm options for creating Jarm response with response mode '${authorizationRequestPayload.response_mode}'`\n )\n }\n\n if (!jarm) {\n return {\n authorizationResponsePayload,\n }\n }\n\n // When using OpenID Federation, we must not rely on the client metadata from the request\n if (clientIdPrefix === 'openid_federation' && !options.clientMetadata) {\n throw new Oauth2Error(\n \"When OpenID Federation is used as the client id prefix (https/openid_federation), passing externally fetched and verified 'clientMetadata' to the 'createOpenid4vpAuthorizationResponse' is required.\"\n )\n }\n\n const clientMetadata = options.clientMetadata ?? 
authorizationRequestPayload.client_metadata\n if (!clientMetadata) {\n throw new Oauth2Error('Missing client metadata in the request params to assert Jarm metadata support.')\n }\n\n let jwks: JwkSet\n\n if (clientMetadata.jwks) {\n jwks = clientMetadata.jwks\n } else if (clientMetadata.jwks_uri) {\n jwks = await fetchJwks(clientMetadata.jwks_uri, options.callbacks.fetch)\n } else {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidRequest,\n error_description: `Missing 'jwks' or 'jwks_uri' in client metadata. Cannot extract encryption JWK.`,\n })\n }\n\n if (\n clientMetadata.authorization_encrypted_response_alg ||\n clientMetadata.authorization_encrypted_response_enc ||\n clientMetadata.authorization_signed_response_alg\n ) {\n jarmAssertMetadataSupported({\n clientMetadata: clientMetadata,\n serverMetadata: jarm.serverMetadata,\n })\n }\n\n const encJwk =\n // User-provided JWK takes precedence\n jarm?.encryption?.jwk ??\n extractEncryptionJwkFromJwks(jwks, {\n supportedAlgValues:\n jarm.serverMetadata.authorization_encryption_alg_values_supported ??\n (clientMetadata.authorization_encrypted_response_alg\n ? [clientMetadata.authorization_encrypted_response_alg]\n : undefined),\n })\n\n if (!encJwk) {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidRequest,\n error_description:\n 'No encryption JWK provided and could not extract encryption JWK from client metadata. Failed to create JARM response.',\n })\n }\n\n let enc: string\n if (clientMetadata.encrypted_response_enc_values_supported) {\n // Take first supported, or otherwise the first value\n enc =\n jarm.serverMetadata.authorization_encryption_enc_values_supported.find((enc) =>\n clientMetadata.encrypted_response_enc_values_supported?.includes(enc)\n ) ?? clientMetadata.encrypted_response_enc_values_supported[0]\n } else {\n // Use old value, or otherwise fallback to default\n enc = clientMetadata.authorization_encrypted_response_enc ?? 
'A128GCM'\n }\n\n assertValueSupported({\n actual: enc,\n supported: jarm.serverMetadata.authorization_encryption_enc_values_supported,\n errorMessage: `Invalid 'enc' value ${enc}. Supported values are ${jarm.serverMetadata.authorization_encryption_enc_values_supported.join(', ')}`,\n })\n\n const alg = encJwk.alg ?? clientMetadata.authorization_encrypted_response_alg ?? 'ECDH-ES'\n assertValueSupported({\n actual: alg,\n supported: jarm.serverMetadata.authorization_encryption_alg_values_supported,\n errorMessage: `Invalid 'alg' value ${alg}. Supported values are ${jarm.serverMetadata.authorization_encryption_alg_values_supported.join(', ')}`,\n })\n\n // TODO: we can remove this once support for pre-1.0 versions have been removed\n // TODO: we should keep the JARM implementation and move it to oauth2 package\n // When the response is NOT only encrypted, the JWT payload needs to include the iss, aud and exp.\n let additionalJwtPayload: Record<string, string | number> | undefined\n if (jarm?.jwtSigner) {\n if (!jarm.authorizationServer) {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidRequest,\n error_description: 'Missing required iss in JARM configuration for creating OpenID4VP authorization response.',\n })\n }\n\n if (!jarm.audience) {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidRequest,\n error_description: 'Missing required aud in JARM configuration for creating OpenID4VP authorization response.',\n })\n }\n\n additionalJwtPayload = {\n iss: jarm.authorizationServer,\n aud: jarm.audience,\n exp: jarm.expiresInSeconds ?? 
dateToSeconds(addSecondsToDate(new Date(), 60 * 10)), // default: 10 minutes\n }\n }\n\n const jarmResponsePayload = {\n ...authorizationResponsePayload,\n ...additionalJwtPayload,\n } satisfies Openid4vpAuthorizationResponse\n\n const result = await createJarmAuthorizationResponse({\n jarmAuthorizationResponse: jarmResponsePayload,\n jwtSigner: jarm?.jwtSigner,\n jweEncryptor: jarm?.encryption\n ? {\n method: 'jwk',\n publicJwk: encJwk,\n apu: jarm.encryption.nonce ? encodeToBase64Url(jarm.encryption.nonce) : undefined,\n apv: encodeToBase64Url(authorizationRequestPayload.nonce),\n alg,\n enc,\n }\n : undefined,\n callbacks: {\n signJwt: callbacks.signJwt,\n encryptJwe: callbacks.encryptJwe,\n },\n })\n\n return {\n authorizationResponsePayload: jarmResponsePayload,\n jarm: { responseJwt: result.jarmAuthorizationResponseJwt, encryptionJwk: encJwk },\n }\n}\n","import { z } from 'zod'\n\nexport const zPexPresentationDefinition = z.record(z.string(), z.any())\nexport const zPexPresentationSubmission = z.record(z.string(), z.any())\n\nexport type PexPresentationDefinition = z.infer<typeof zPexPresentationDefinition>\nexport type PexPresentationSubmission = z.infer<typeof zPexPresentationSubmission>\n","import { z } from 'zod'\n\nconst zVpTokenPresentationEntry = z.union([z.string(), z.record(z.string(), z.any())], {\n message: 'vp_token presentation entry must be string or object',\n})\nexport type VpTokenPresentationEntry = z.infer<typeof zVpTokenPresentationEntry>\n\nexport const zVpTokenPex = z.union(\n [\n zVpTokenPresentationEntry,\n z.tuple([zVpTokenPresentationEntry], zVpTokenPresentationEntry, 'Must have at least entry in vp_token array'),\n ],\n {\n message: 'pex vp_token must be a string, object or non-empty array of strings and objects',\n }\n)\nexport type VpTokenPex = z.infer<typeof zVpTokenPex>\n\nexport const zVpTokenDcql = z.record(\n z.string(),\n z.union([z.tuple([zVpTokenPresentationEntry], zVpTokenPresentationEntry), zVpTokenPresentationEntry]),\n 
{\n message:\n 'dcql vp_token must be an object with keys referencing the dcql credential query id, and values a non-empty array of strings and objects, or string, or object',\n }\n)\nexport type VpTokenDcql = z.infer<typeof zVpTokenDcql>\n\nexport const zVpToken = zVpTokenDcql.or(zVpTokenPex)\nexport type VpToken = z.infer<typeof zVpToken>\n","import { zStringToJson } from '@openid4vc/utils'\nimport { z } from 'zod'\nimport { zPexPresentationSubmission } from '../models/z-pex'\nimport { zVpToken } from '../vp-token/z-vp-token'\n\nexport const zOpenid4vpAuthorizationResponse = z\n .object({\n state: z.string().optional(),\n id_token: z.string().optional(),\n vp_token: zVpToken,\n presentation_submission: zPexPresentationSubmission.or(zStringToJson).optional(),\n refresh_token: z.string().optional(),\n token_type: z.string().optional(),\n access_token: z.string().optional(),\n expires_in: z.coerce.number().optional(),\n })\n .loose()\nexport type Openid4vpAuthorizationResponse = z.infer<typeof zOpenid4vpAuthorizationResponse>\n","import { parseWithErrorHandling } from '@openid4vc/utils'\nimport { zOpenid4vpAuthorizationResponse } from './z-authorization-response'\n\nexport function parseOpenid4VpAuthorizationResponsePayload(payload: Record<string, unknown>) {\n return parseWithErrorHandling(\n zOpenid4vpAuthorizationResponse,\n payload,\n 'Failed to parse openid4vp authorization response.'\n )\n}\n","import { zJwtHeader, zJwtPayload } from '@openid4vc/oauth2'\nimport { z } from 'zod'\n\nexport const zJarmHeader = z.object({ ...zJwtHeader.shape, apu: z.string().optional(), apv: z.string().optional() })\nexport type JarmHeader = z.infer<typeof zJarmHeader>\n\nexport const zJarmAuthorizationResponse = z\n .object({\n /**\n * iss: The issuer URL of the authorization server that created the response\n * aud: The client_id of the client the response is intended for\n * exp: The expiration time of the JWT. 
A maximum JWT lifetime of 10 minutes is RECOMMENDED.\n */\n ...zJwtPayload.shape,\n ...zJwtPayload.pick({ iss: true, aud: true, exp: true }).required().shape,\n state: z.optional(z.string()),\n })\n .loose()\n\nexport type JarmAuthorizationResponse = z.infer<typeof zJarmAuthorizationResponse>\n\nexport const zJarmAuthorizationResponseEncryptedOnly = z\n .object({\n ...zJwtPayload.shape,\n state: z.optional(z.string()),\n })\n .loose()\nexport type JarmAuthorizationResponseEncryptedOnly = z.infer<typeof zJarmAuthorizationResponseEncryptedOnly>\n","import { Oauth2Error } from '@openid4vc/oauth2'\nimport { dateToSeconds } from '@openid4vc/utils'\nimport {\n type JarmAuthorizationResponse,\n type JarmAuthorizationResponseEncryptedOnly,\n zJarmAuthorizationResponse,\n} from './z-jarm-authorization-response'\n\nexport const jarmAuthorizationResponseValidate = (options: {\n expectedClientId: string\n authorizationResponse: JarmAuthorizationResponse | JarmAuthorizationResponseEncryptedOnly\n}) => {\n const { expectedClientId, authorizationResponse } = options\n\n // The traditional Jarm Validation Methods do not account for the encrypted response.\n if (!zJarmAuthorizationResponse.safeParse(authorizationResponse).success) {\n return\n }\n\n // 3. The client obtains the aud element from the JWT and checks whether it matches the client id the client used to identify itself in the corresponding authorization request. If the check fails, the client MUST abort processing and refuse the response.\n if (\n (Array.isArray(authorizationResponse.aud) && !authorizationResponse.aud.includes(expectedClientId)) ||\n (typeof authorizationResponse.aud === 'string' && authorizationResponse.aud !== expectedClientId)\n ) {\n throw new Oauth2Error(\n `Invalid 'aud' claim in JARM authorization response. Expected '${\n expectedClientId\n }' received '${JSON.stringify(authorizationResponse.aud)}'.`\n )\n }\n\n // 4. The client checks the JWT's exp element to determine if the JWT is still valid. 
If the check fails, the client MUST abort processing and refuse the response.\n // 120 seconds clock skew\n if (authorizationResponse.exp !== undefined && authorizationResponse.exp < dateToSeconds()) {\n throw new Oauth2Error('JARM auth response is expired.')\n }\n}\n","import {\n type CallbackContext,\n decodeJwt,\n decodeJwtHeader,\n type Jwk,\n jwtSignerFromJwt,\n Oauth2Error,\n zCompactJwe,\n zCompactJwt,\n zJwtHeader,\n} from '@openid4vc/oauth2'\nimport { stringToJsonWithErrorHandling } from '@openid4vc/utils'\nimport z from 'zod'\nimport type { Openid4vpAuthorizationRequest } from '../../authorization-request/z-authorization-request'\nimport type { Openid4vpAuthorizationRequestDcApi } from '../../authorization-request/z-authorization-request-dc-api'\nimport { extractEncryptionJwkFromJwks } from '../jarm-extract-jwks'\nimport { jarmAuthorizationResponseValidate } from './jarm-validate-authorization-response'\nimport {\n type JarmAuthorizationResponse,\n type JarmAuthorizationResponseEncryptedOnly,\n zJarmAuthorizationResponse,\n zJarmAuthorizationResponseEncryptedOnly,\n} from './z-jarm-authorization-response'\n\nexport enum JarmMode {\n Signed = 'Signed',\n Encrypted = 'Encrypted',\n SignedEncrypted = 'SignedEncrypted',\n}\n\n/**\n * The client decrypts the JWT using the default key for the respective issuer or,\n * if applicable, determined by the kid JWT header parameter.\n * The key might be a private key, where the corresponding public key is registered\n * with the expected issuer of the response (\"use\":\"enc\" via the client's metadata jwks or jwks_uri)\n * or a key derived from its client secret (see Section 2.2).\n */\nconst decryptJarmAuthorizationResponseJwt = async (options: {\n jarmAuthorizationResponseJwt: string\n callbacks: Pick<CallbackContext, 'decryptJwe'>\n authorizationRequestPayload: Openid4vpAuthorizationRequest | Openid4vpAuthorizationRequestDcApi\n}) => {\n const { jarmAuthorizationResponseJwt, callbacks, authorizationRequestPayload 
} = options\n\n let encryptionJwk: Jwk | undefined\n const { header } = decodeJwtHeader({\n jwt: jarmAuthorizationResponseJwt,\n })\n\n // NOTE: previously we required `kid` to be present in the JARM header, but not all implementations seem to\n // add this, so we removed the check. Starting from draft 26 it's required again, so we can add the check again when\n // removing support for drafts <26\n if (authorizationRequestPayload.client_metadata?.jwks) {\n // If there's no kid, we try to extract the JWK from the request, if we are not successful\n // (because e.g. the request used client_metadata_uri) the decryptJwe callback has to handle this edge case\n // See https://github.com/openid/OpenID4VP/issues/441\n encryptionJwk = extractEncryptionJwkFromJwks(authorizationRequestPayload.client_metadata.jwks, {\n // Kid always take precedence\n kid: header.kid,\n\n // This value was removed in draft 26, but if it's still provided, we can use it to determine the key to use\n supportedAlgValues: authorizationRequestPayload.client_metadata.authorization_encrypted_response_alg\n ? [authorizationRequestPayload.client_metadata.authorization_encrypted_response_alg]\n : undefined,\n })\n }\n\n const result = await callbacks.decryptJwe(jarmAuthorizationResponseJwt, { jwk: encryptionJwk })\n if (!result.decrypted) {\n throw new Oauth2Error('Failed to decrypt jarm auth response.')\n }\n\n return {\n decryptionJwk: result.decryptionJwk,\n payload: result.payload,\n }\n}\n\nexport interface VerifyJarmAuthorizationResponseOptions {\n jarmAuthorizationResponseJwt: string\n\n authorizationRequestPayload: Openid4vpAuthorizationRequest | Openid4vpAuthorizationRequestDcApi\n\n /**\n * The client id of the authorization request. 
This should be the effective client id,\n * meaning that if no client_id was present in the authorization request and DC API is used\n * it should be `web-origin:<origin>` (until draft 24) or `origin:<origin>` (from draft 25)\n */\n expectedClientId: string\n\n callbacks: Pick<CallbackContext, 'decryptJwe' | 'verifyJwt'>\n}\n\nexport type VerifiedJarmAuthorizationResponse = Awaited<ReturnType<typeof verifyJarmAuthorizationResponse>>\n\n/**\n * Validate a JARM direct_post.jwt compliant authentication response\n * * The decryption key should be resolvable using the the protected header's 'kid' field\n * * The signature verification jwk should be resolvable using the jws protected header's 'kid' field and the payload's 'iss' field.\n */\nexport async function verifyJarmAuthorizationResponse(options: VerifyJarmAuthorizationResponseOptions) {\n const { jarmAuthorizationResponseJwt, callbacks, expectedClientId, authorizationRequestPayload } = options\n\n const requestDataIsEncrypted = zCompactJwe.safeParse(jarmAuthorizationResponseJwt).success\n const decryptedRequestData = requestDataIsEncrypted\n ? 
await decryptJarmAuthorizationResponseJwt({\n jarmAuthorizationResponseJwt,\n callbacks,\n authorizationRequestPayload,\n })\n : { payload: jarmAuthorizationResponseJwt, decryptionJwk: undefined }\n\n const responseIsSigned = zCompactJwt.safeParse(decryptedRequestData.payload).success\n if (!requestDataIsEncrypted && !responseIsSigned) {\n throw new Oauth2Error('Jarm Auth Response must be either encrypted, signed, or signed and encrypted.')\n }\n\n let jarmAuthorizationResponse: JarmAuthorizationResponse | JarmAuthorizationResponseEncryptedOnly\n\n if (responseIsSigned) {\n const { header: jwsProtectedHeader, payload: jwsPayload } = decodeJwt({\n jwt: decryptedRequestData.payload,\n headerSchema: z.object({ ...zJwtHeader.shape, kid: z.string() }),\n })\n\n const response = zJarmAuthorizationResponse.parse(jwsPayload)\n const jwtSigner = jwtSignerFromJwt({ header: jwsProtectedHeader, payload: jwsPayload })\n\n const verificationResult = await options.callbacks.verifyJwt(jwtSigner, {\n compact: decryptedRequestData.payload,\n header: jwsProtectedHeader,\n payload: jwsPayload,\n })\n\n if (!verificationResult.verified) {\n throw new Oauth2Error('Jarm Auth Response is not valid.')\n }\n\n jarmAuthorizationResponse = response\n } else {\n const jsonRequestData = stringToJsonWithErrorHandling(\n decryptedRequestData.payload,\n 'Unable to parse decrypted JARM JWE body to JSON'\n )\n jarmAuthorizationResponse = zJarmAuthorizationResponseEncryptedOnly.parse(jsonRequestData)\n }\n\n jarmAuthorizationResponseValidate({\n expectedClientId,\n authorizationResponse: jarmAuthorizationResponse,\n })\n const type: JarmMode =\n requestDataIsEncrypted && responseIsSigned\n ? JarmMode.SignedEncrypted\n : requestDataIsEncrypted\n ? 
JarmMode.Encrypted\n : JarmMode.Signed\n\n const issuer = jarmAuthorizationResponse.iss\n return {\n jarmAuthorizationResponse,\n type,\n issuer,\n decryptionJwk: decryptedRequestData.decryptionJwk,\n }\n}\n","import { parseIfJson, parseWithErrorHandling } from '@openid4vc/utils'\nimport { type VpTokenPresentationEntry, zVpTokenDcql, zVpTokenPex } from './z-vp-token'\n\nexport function parsePexVpToken(vpToken: unknown): [VpTokenPresentationEntry, ...VpTokenPresentationEntry[]] {\n const parsedVpToken = parseWithErrorHandling(\n zVpTokenPex,\n parseIfJson(vpToken),\n 'Could not parse presentation exchange vp_token. Expected a string or an array of strings'\n )\n\n return Array.isArray(parsedVpToken)\n ? (parsedVpToken as [VpTokenPresentationEntry, ...VpTokenPresentationEntry[]])\n : [parsedVpToken]\n}\n\nexport function parseDcqlVpToken(\n vpToken: unknown\n): Record<string, [VpTokenPresentationEntry, ...VpTokenPresentationEntry[]]> {\n const parsedVpToken = parseWithErrorHandling(\n zVpTokenDcql,\n parseIfJson(vpToken),\n 'Could not parse dcql vp_token. Expected an object where the values are encoded presentations'\n )\n\n return Object.fromEntries(\n Object.entries(parsedVpToken).map(([queryId, presentations]) => [\n queryId,\n Array.isArray(presentations)\n ? 
(presentations as [VpTokenPresentationEntry, ...VpTokenPresentationEntry[]])\n : [presentations],\n ])\n )\n}\n","import { Oauth2Error } from '@openid4vc/oauth2'\nimport type { Openid4vpAuthorizationRequest } from '../authorization-request/z-authorization-request'\nimport type { Openid4vpAuthorizationRequestDcApi } from '../authorization-request/z-authorization-request-dc-api'\nimport { parseDcqlVpToken, parsePexVpToken } from '../vp-token/parse-vp-token'\nimport type { ValidateOpenid4VpAuthorizationResponseResult } from './validate-authorization-response-result'\nimport type { Openid4vpAuthorizationResponse } from './z-authorization-response'\n\nexport interface ValidateOpenid4vpAuthorizationResponseOptions {\n authorizationRequestPayload: Openid4vpAuthorizationRequest | Openid4vpAuthorizationRequestDcApi\n authorizationResponsePayload: Openid4vpAuthorizationResponse\n}\n\n/**\n * The following steps need to be performed outside of this library\n * - verifying the presentations\n * - validating the presentations against the presentation definition\n * - checking the revocation status of the presentations\n * - checking the nonce of the presentations matches the nonce of the request (for mdoc's)\n */\nexport function validateOpenid4vpAuthorizationResponsePayload(\n options: ValidateOpenid4vpAuthorizationResponseOptions\n): ValidateOpenid4VpAuthorizationResponseResult {\n const { authorizationRequestPayload, authorizationResponsePayload } = options\n\n if (authorizationRequestPayload.state && authorizationRequestPayload.state !== authorizationResponsePayload.state) {\n throw new Oauth2Error('OpenId4Vp Authorization Response state mismatch.')\n }\n\n // TODO: implement id_token handling\n if (authorizationResponsePayload.id_token) {\n throw new Oauth2Error('OpenId4Vp Authorization Response id_token is not supported.')\n }\n\n if (authorizationResponsePayload.presentation_submission) {\n if (!authorizationRequestPayload.presentation_definition) {\n throw new 
Oauth2Error('OpenId4Vp Authorization Request is missing the required presentation_definition.')\n }\n\n return {\n type: 'pex',\n pex: authorizationRequestPayload.scope\n ? {\n scope: authorizationRequestPayload.scope,\n presentationSubmission: authorizationResponsePayload.presentation_submission,\n presentations: parsePexVpToken(authorizationResponsePayload.vp_token),\n }\n : {\n presentationDefinition: authorizationRequestPayload.presentation_definition,\n presentationSubmission: authorizationResponsePayload.presentation_submission,\n presentations: parsePexVpToken(authorizationResponsePayload.vp_token),\n },\n }\n }\n\n if (authorizationRequestPayload.dcql_query) {\n const presentations = parseDcqlVpToken(authorizationResponsePayload.vp_token)\n\n return {\n type: 'dcql',\n dcql: authorizationRequestPayload.scope\n ? {\n scope: authorizationRequestPayload.scope,\n presentations,\n }\n : {\n query: authorizationRequestPayload.dcql_query,\n presentations,\n },\n }\n }\n\n throw new Oauth2Error(\n 'Invalid OpenId4Vp Authorization Response. 
Response neither contains a presentation_submission nor request contains a dcql_query.'\n )\n}\n","import { type CallbackContext, decodeJwtHeader, Oauth2Error, zCompactJwe, zCompactJwt } from '@openid4vc/oauth2'\nimport { parseWithErrorHandling } from '@openid4vc/utils'\nimport z from 'zod'\nimport type { Openid4vpAuthorizationRequest } from '../authorization-request/z-authorization-request'\nimport type { Openid4vpAuthorizationRequestDcApi } from '../authorization-request/z-authorization-request-dc-api'\nimport { verifyJarmAuthorizationResponse } from '../jarm/jarm-authorization-response/verify-jarm-authorization-response'\nimport { zJarmHeader } from '../jarm/jarm-authorization-response/z-jarm-authorization-response'\nimport { isJarmResponseMode } from '../jarm/jarm-response-mode'\nimport type { ParsedOpenid4vpAuthorizationResponse } from './parse-authorization-response'\nimport { parseOpenid4VpAuthorizationResponsePayload } from './parse-authorization-response-payload'\nimport { validateOpenid4vpAuthorizationResponsePayload } from './validate-authorization-response'\n\nexport interface ParseJarmAuthorizationResponseOptions {\n jarmResponseJwt: string\n authorizationRequestPayload: Openid4vpAuthorizationRequest | Openid4vpAuthorizationRequestDcApi\n callbacks: Pick<CallbackContext, 'decryptJwe' | 'verifyJwt'>\n\n expectedClientId: string\n}\n\nexport async function parseJarmAuthorizationResponse(\n options: ParseJarmAuthorizationResponseOptions\n): Promise<ParsedOpenid4vpAuthorizationResponse> {\n const { jarmResponseJwt, callbacks, authorizationRequestPayload, expectedClientId } = options\n\n const jarmAuthorizationResponseJwt = parseWithErrorHandling(\n z.union([zCompactJwt, zCompactJwe]),\n jarmResponseJwt,\n 'Invalid jarm authorization response jwt.'\n )\n\n const verifiedJarmResponse = await verifyJarmAuthorizationResponse({\n jarmAuthorizationResponseJwt,\n callbacks,\n expectedClientId,\n authorizationRequestPayload,\n })\n\n const { header: jarmHeader } = 
decodeJwtHeader({\n jwt: jarmAuthorizationResponseJwt,\n headerSchema: zJarmHeader,\n })\n\n const authorizationResponsePayload = parseOpenid4VpAuthorizationResponsePayload(\n verifiedJarmResponse.jarmAuthorizationResponse\n )\n const validateOpenId4vpResponse = validateOpenid4vpAuthorizationResponsePayload({\n authorizationRequestPayload: authorizationRequestPayload,\n authorizationResponsePayload: authorizationResponsePayload,\n })\n\n if (!authorizationRequestPayload.response_mode || !isJarmResponseMode(authorizationRequestPayload.response_mode)) {\n throw new Oauth2Error(\n `Invalid response mode for jarm response. Response mode: '${authorizationRequestPayload.response_mode ?? 'fragment'}'`\n )\n }\n\n return {\n ...validateOpenId4vpResponse,\n jarm: { ...verifiedJarmResponse, jarmHeader },\n\n expectedNonce: authorizationRequestPayload.nonce,\n authorizationResponsePayload,\n }\n}\n","import { type CallbackContext, Oauth2ServerErrorResponseError } from '@openid4vc/oauth2'\nimport type { Openid4vpAuthorizationRequest } from '../authorization-request/z-authorization-request'\nimport type { Openid4vpAuthorizationRequestDcApi } from '../authorization-request/z-authorization-request-dc-api'\nimport { getOpenid4vpClientId } from '../client-identifier-prefix/parse-client-identifier-prefix'\nimport type { VerifiedJarmAuthorizationResponse } from '../jarm/jarm-authorization-response/verify-jarm-authorization-response'\nimport type { JarmHeader } from '../jarm/jarm-authorization-response/z-jarm-authorization-response'\nimport { isJarmResponseMode } from '../jarm/jarm-response-mode'\nimport { parseOpenid4VpAuthorizationResponsePayload } from './parse-authorization-response-payload'\nimport { parseJarmAuthorizationResponse } from './parse-jarm-authorization-response'\nimport { validateOpenid4vpAuthorizationResponsePayload } from './validate-authorization-response'\nimport type { ValidateOpenid4VpAuthorizationResponseResult } from 
'./validate-authorization-response-result'\nimport type { Openid4vpAuthorizationResponse } from './z-authorization-response'\n\nexport interface ParseOpenid4vpAuthorizationResponseOptions {\n /**\n * The authorization response as received from the wallet, and can optionally still be encrypted.\n */\n authorizationResponse: Record<string, unknown>\n\n authorizationRequestPayload: Openid4vpAuthorizationRequest | Openid4vpAuthorizationRequestDcApi\n callbacks: Pick<CallbackContext, 'decryptJwe' | 'verifyJwt'>\n\n origin?: string\n}\n\nexport type ParsedOpenid4vpAuthorizationResponse = ValidateOpenid4VpAuthorizationResponseResult & {\n authorizationResponsePayload: Openid4vpAuthorizationResponse\n expectedNonce: string\n jarm?: VerifiedJarmAuthorizationResponse & {\n jarmHeader: JarmHeader\n }\n}\n\nexport async function parseOpenid4vpAuthorizationResponse(\n options: ParseOpenid4vpAuthorizationResponseOptions\n): Promise<ParsedOpenid4vpAuthorizationResponse> {\n const { authorizationResponse, callbacks, authorizationRequestPayload, origin } = options\n\n const expectedClientId = getOpenid4vpClientId({\n origin,\n responseMode: authorizationRequestPayload.response_mode,\n clientId: authorizationRequestPayload.client_id,\n legacyClientIdScheme: authorizationRequestPayload.client_id_scheme,\n })\n if (authorizationResponse.response) {\n return parseJarmAuthorizationResponse({\n jarmResponseJwt: authorizationResponse.response as string,\n callbacks,\n authorizationRequestPayload,\n expectedClientId: expectedClientId.effectiveClientId,\n })\n }\n\n const authorizationResponsePayload = parseOpenid4VpAuthorizationResponsePayload(authorizationResponse)\n\n const validatedOpenId4vpResponse = validateOpenid4vpAuthorizationResponsePayload({\n authorizationRequestPayload: authorizationRequestPayload,\n authorizationResponsePayload: authorizationResponsePayload,\n })\n\n if (authorizationRequestPayload.response_mode && isJarmResponseMode(authorizationRequestPayload.response_mode)) 
{\n throw new Oauth2ServerErrorResponseError(\n {\n error: 'invalid_request',\n error_description: 'Invalid response mode for openid4vp response. Expected jarm response.',\n },\n {\n status: 400,\n }\n )\n }\n\n return {\n ...validatedOpenId4vpResponse,\n expectedNonce: authorizationRequestPayload.nonce,\n\n authorizationResponsePayload,\n jarm: undefined,\n }\n}\n","import { type CallbackContext, Oauth2Error } from '@openid4vc/oauth2'\nimport { ContentType, createFetcher, URL } from '@openid4vc/utils'\n\ninterface JarmAuthorizationResponseSendOptions {\n authorizationRequestPayload: {\n response_uri?: string\n redirect_uri?: string\n }\n jarmAuthorizationResponseJwt: string\n callbacks: Pick<CallbackContext, 'fetch'>\n}\n\nexport const jarmAuthorizationResponseSend = (options: JarmAuthorizationResponseSendOptions) => {\n const { authorizationRequestPayload, jarmAuthorizationResponseJwt, callbacks } = options\n\n const responseEndpoint = authorizationRequestPayload.response_uri ?? authorizationRequestPayload.redirect_uri\n if (!responseEndpoint) {\n throw new Oauth2Error(`Either 'response_uri' or 'redirect_uri' MUST be present in the authorization request`)\n }\n\n const responseEndpointUrl = new URL(responseEndpoint)\n return handleDirectPostJwt(responseEndpointUrl, jarmAuthorizationResponseJwt, callbacks)\n}\n\nasync function handleDirectPostJwt(\n responseEndpoint: URL,\n responseJwt: string,\n callbacks: Pick<CallbackContext, 'fetch'>\n) {\n const response = await createFetcher(callbacks.fetch)(responseEndpoint, {\n method: 'POST',\n headers: { 'Content-Type': ContentType.XWwwFormUrlencoded },\n body: `response=${responseJwt}`,\n })\n\n return {\n responseMode: 'direct_post.jwt',\n response,\n } as const\n}\n","import { type CallbackContext, Oauth2Error } from '@openid4vc/oauth2'\nimport { ContentType, createFetcher, objectToQueryParams } from '@openid4vc/utils'\nimport type { Openid4vpAuthorizationRequest } from 
'../authorization-request/z-authorization-request'\nimport { jarmAuthorizationResponseSend } from '../jarm/jarm-authorization-response-send'\nimport type { Openid4vpAuthorizationResponse } from './z-authorization-response'\n\nexport interface SubmitOpenid4vpAuthorizationResponseOptions {\n authorizationRequestPayload: Pick<Openid4vpAuthorizationRequest, 'response_uri'>\n authorizationResponsePayload: Openid4vpAuthorizationResponse\n jarm?: { responseJwt: string }\n callbacks: Pick<CallbackContext, 'fetch'>\n}\n\nexport async function submitOpenid4vpAuthorizationResponse(options: SubmitOpenid4vpAuthorizationResponseOptions) {\n const { authorizationRequestPayload, authorizationResponsePayload, jarm, callbacks } = options\n const url = authorizationRequestPayload.response_uri\n\n if (jarm) {\n return jarmAuthorizationResponseSend({\n authorizationRequestPayload,\n jarmAuthorizationResponseJwt: jarm.responseJwt,\n callbacks,\n })\n }\n\n if (!url) {\n throw new Oauth2Error(\n 'Failed to submit OpenId4Vp Authorization Response. 
No redirect_uri or response_uri provided.'\n )\n }\n\n const fetch = createFetcher(callbacks.fetch)\n const encodedResponse = objectToQueryParams(authorizationResponsePayload)\n const submissionResponse = await fetch(url, {\n method: 'POST',\n body: encodedResponse.toString(),\n headers: {\n 'Content-Type': ContentType.XWwwFormUrlencoded,\n },\n })\n\n return {\n responseMode: 'direct_post',\n response: submissionResponse,\n }\n}\n","import { z } from 'zod'\nexport const zCredentialFormat = z.enum(['jwt_vc_json', 'ldp_vc', 'mso_mdoc', 'dc+sd-jwt', 'vc+sd-jwt'])\nexport type CredentialFormat = z.infer<typeof zCredentialFormat>\n","import { z } from 'zod'\nexport const zProofFormat = z.enum(['jwt_vp_json', 'ldc_vp', 'ac_vp', 'dc+sd-jwt', 'vc+sd-jwt', 'mso_mdoc'])\nexport type ProofFormat = z.infer<typeof zProofFormat>\n","import { z } from 'zod'\nimport { zClientIdPrefix, zUniformClientIdPrefix } from '../client-identifier-prefix/z-client-id-prefix'\nimport { zLegacyVpFormats, zVpFormatsSupported } from './z-vp-formats-supported'\n\nexport const zWalletMetadata = z.object({\n presentation_definition_uri_supported: z.optional(z.boolean()),\n\n // Up until draft 26 the legacy format was used\n vp_formats_supported: z.optional(zVpFormatsSupported.or(zLegacyVpFormats)),\n\n client_id_schemes_supported: z.optional(\n // client_id_schemes_supported was from before decentralized_identifier and openid_federation were defined\n z.array(zClientIdPrefix.exclude(['decentralized_identifier', 'openid_federation']))\n ),\n\n client_id_prefixes_supported: z.optional(z.array(zUniformClientIdPrefix)),\n\n request_object_signing_alg_values_supported: z.optional(z.array(z.string())),\n authorization_encryption_alg_values_supported: z.optional(z.array(z.string())),\n authorization_encryption_enc_values_supported: z.optional(z.array(z.string())),\n})\n\nexport type WalletMetadata = z.infer<typeof zWalletMetadata>\n","import type { CallbackContext } from '@openid4vc/oauth2'\nimport type { 
ParseOpenid4vpAuthorizationRequestOptions } from './authorization-request/parse-authorization-request-params'\nimport { parseOpenid4vpAuthorizationRequest } from './authorization-request/parse-authorization-request-params'\nimport {\n type ResolveOpenid4vpAuthorizationRequestOptions,\n resolveOpenid4vpAuthorizationRequest,\n} from './authorization-request/resolve-authorization-request'\nimport {\n type CreateOpenid4vpAuthorizationResponseOptions,\n createOpenid4vpAuthorizationResponse,\n} from './authorization-response/create-authorization-response'\nimport {\n type SubmitOpenid4vpAuthorizationResponseOptions,\n submitOpenid4vpAuthorizationResponse,\n} from './authorization-response/submit-authorization-response'\n\nexport interface Openid4vpClientOptions {\n /**\n * Callbacks required for the openid4vp client\n */\n callbacks: Omit<CallbackContext, 'generateRandom' | 'clientAuthentication'>\n}\n\nexport class Openid4vpClient {\n public constructor(private options: Openid4vpClientOptions) {}\n\n public parseOpenid4vpAuthorizationRequest(options: ParseOpenid4vpAuthorizationRequestOptions) {\n return parseOpenid4vpAuthorizationRequest(options)\n }\n\n public async resolveOpenId4vpAuthorizationRequest(\n options: Omit<ResolveOpenid4vpAuthorizationRequestOptions, 'callbacks'>\n ) {\n return resolveOpenid4vpAuthorizationRequest({ ...options, callbacks: this.options.callbacks })\n }\n\n public async createOpenid4vpAuthorizationResponse(\n options: Omit<CreateOpenid4vpAuthorizationResponseOptions, 'callbacks'>\n ) {\n return createOpenid4vpAuthorizationResponse({ ...options, callbacks: this.options.callbacks })\n }\n\n public async submitOpenid4vpAuthorizationResponse(\n options: Omit<SubmitOpenid4vpAuthorizationResponseOptions, 'callbacks'>\n ) {\n return submitOpenid4vpAuthorizationResponse({ ...options, callbacks: this.options.callbacks })\n }\n}\n","import {\n type CallbackContext,\n HashAlgorithm,\n Oauth2ErrorCodes,\n Oauth2ServerErrorResponseError,\n} from 
'@openid4vc/oauth2'\nimport { decodeUtf8String, encodeToBase64Url, type NonEmptyArray } from '@openid4vc/utils'\nimport { type ParsedTransactionDataEntry, parseTransactionData } from './parse-transaction-data'\n\nexport interface TransactionDataHashesCredentials {\n /**\n * credentialId is the pex input descriptor id\n * or dcql credential query id.\n *\n * The values must be an array of transaction data hashes\n */\n [credentialId: string]:\n | NonEmptyArray<{\n /**\n * The hashes of the transaction data\n */\n transaction_data_hashes: string[]\n\n /**\n * The transaction data hash alg. If not provided\n * in the presentation, the default value of sha256\n * is used.\n */\n transaction_data_hashes_alg?: string\n }>\n | undefined\n}\n\nexport interface VerifyTransactionDataOptions {\n transactionData: string[]\n credentials: TransactionDataHashesCredentials\n callbacks: Pick<CallbackContext, 'hash'>\n}\n\nexport async function verifyTransactionData(\n options: VerifyTransactionDataOptions\n): Promise<VerifiedTransactionDataEntry[]> {\n const parsedTransactionData = parseTransactionData({\n transactionData: options.transactionData,\n })\n\n const matchedEntries: Array<VerifiedTransactionDataEntry> = []\n for (const parsedEntry of parsedTransactionData) {\n const matchedEntry = await verifyTransactionDataEntry({\n entry: parsedEntry,\n callbacks: options.callbacks,\n credentials: options.credentials,\n })\n\n matchedEntries.push(matchedEntry)\n }\n\n return matchedEntries\n}\n\nexport interface VerifiedTransactionDataEntry {\n transactionDataEntry: ParsedTransactionDataEntry\n credentialId: string\n\n presentations: NonEmptyArray<{\n presentationIndex: number\n hash: string\n hashAlg: HashAlgorithm\n credentialHashIndex: number\n }>\n}\n\nasync function verifyTransactionDataEntry({\n entry,\n credentials,\n callbacks,\n}: {\n entry: ParsedTransactionDataEntry\n credentials: TransactionDataHashesCredentials\n callbacks: Pick<CallbackContext, 'hash'>\n}): 
Promise<VerifiedTransactionDataEntry> {\n const allowedAlgs = entry.transactionData.transaction_data_hashes_alg ?? ['sha-256']\n const supportedAlgs: HashAlgorithm[] = allowedAlgs.filter((alg): alg is HashAlgorithm =>\n Object.values(HashAlgorithm).includes(alg as HashAlgorithm)\n )\n\n const hashes: { [key in HashAlgorithm]?: string } = {}\n for (const alg of supportedAlgs) {\n hashes[alg] = encodeToBase64Url(await callbacks.hash(decodeUtf8String(entry.encoded), alg))\n }\n\n for (const credentialId of entry.transactionData.credential_ids) {\n const transactionDataHashesCredentials = credentials[credentialId]\n if (!transactionDataHashesCredentials) continue\n\n const presentations: VerifiedTransactionDataEntry['presentations'][number][] = []\n\n for (const transactionDataHashesCredential of transactionDataHashesCredentials) {\n const alg = transactionDataHashesCredential.transaction_data_hashes_alg ?? 'sha-256'\n const hash = hashes[alg as HashAlgorithm]\n const presentationIndex = transactionDataHashesCredentials.indexOf(transactionDataHashesCredential)\n\n if (!allowedAlgs.includes(alg)) {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidTransactionData,\n error_description: `Transaction data entry with index ${entry.transactionDataIndex} for presentation ${credentialId} with index ${presentationIndex} is hashed using alg '${alg}'. However transaction data only allows alg values ${allowedAlgs.join(', ')}.`,\n })\n }\n\n if (!hash) {\n // This is an error of this library.\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidTransactionData,\n error_description: `Transaction data entry with index ${entry.transactionDataIndex} for presentation ${credentialId} with index ${presentationIndex} is hashed using unsupported alg '${alg}'. This library only supports verification of transaction data hashes using alg values ${Object.values(HashAlgorithm).join(', ')}. 
Either verify the hashes outside of this library, or limit the allowed alg values to the ones supported by this library.`,\n })\n }\n\n const credentialHashIndex = transactionDataHashesCredential.transaction_data_hashes.indexOf(hash)\n\n if (credentialHashIndex === -1) {\n // No matches were found\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidTransactionData,\n error_description: `Transaction data entry with index ${entry.transactionDataIndex} for presentation ${credentialId} with index ${presentationIndex} does not have a matching hash in the transaction_data_hashes`,\n })\n }\n\n presentations.push({\n credentialHashIndex,\n hash,\n hashAlg: alg as HashAlgorithm,\n presentationIndex,\n })\n }\n\n return {\n transactionDataEntry: entry,\n credentialId,\n presentations: presentations as VerifiedTransactionDataEntry['presentations'],\n }\n }\n\n // No matches were found\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidTransactionData,\n error_description: `Transaction data entry with index ${entry.transactionDataIndex} does not have a matching hash in any of the submitted credentials`,\n })\n}\n","import type { CallbackContext } from '@openid4vc/oauth2'\nimport {\n type CreateOpenid4vpAuthorizationRequestOptions,\n createOpenid4vpAuthorizationRequest,\n} from './authorization-request/create-authorization-request'\nimport {\n type ParseOpenid4vpAuthorizationRequestOptions,\n parseOpenid4vpAuthorizationRequest,\n} from './authorization-request/parse-authorization-request-params'\nimport {\n type ParseOpenid4vpAuthorizationResponseOptions,\n parseOpenid4vpAuthorizationResponse,\n} from './authorization-response/parse-authorization-response'\nimport {\n type ValidateOpenid4vpAuthorizationResponseOptions,\n validateOpenid4vpAuthorizationResponsePayload,\n} from './authorization-response/validate-authorization-response'\nimport type { ParseTransactionDataOptions } from 
'./transaction-data/parse-transaction-data'\nimport { parseTransactionData } from './transaction-data/parse-transaction-data'\nimport { type VerifyTransactionDataOptions, verifyTransactionData } from './transaction-data/verify-transaction-data'\nimport { parseDcqlVpToken, parsePexVpToken } from './vp-token/parse-vp-token'\n\nexport interface Openid4vpVerifierOptions {\n /**\n * Callbacks required for the openid4vp verifier\n */\n callbacks: Omit<CallbackContext, 'generateRandom' | 'clientAuthentication'>\n}\n\nexport class Openid4vpVerifier {\n public constructor(private options: Openid4vpVerifierOptions) {}\n\n public async createOpenId4vpAuthorizationRequest(\n options: Omit<CreateOpenid4vpAuthorizationRequestOptions, 'callbacks'>\n ) {\n return createOpenid4vpAuthorizationRequest({ ...options, callbacks: this.options.callbacks })\n }\n\n public parseOpenid4vpAuthorizationRequestPayload(options: ParseOpenid4vpAuthorizationRequestOptions) {\n return parseOpenid4vpAuthorizationRequest(options)\n }\n\n public parseOpenid4vpAuthorizationResponse(options: ParseOpenid4vpAuthorizationResponseOptions) {\n return parseOpenid4vpAuthorizationResponse(options)\n }\n\n public validateOpenid4vpAuthorizationResponsePayload(options: ValidateOpenid4vpAuthorizationResponseOptions) {\n return validateOpenid4vpAuthorizationResponsePayload(options)\n }\n\n public parsePexVpToken(vpToken: unknown) {\n return parsePexVpToken(vpToken)\n }\n\n public parseDcqlVpToken(vpToken: unknown) {\n return parseDcqlVpToken(vpToken)\n }\n\n public parseTransactionData(options: ParseTransactionDataOptions) {\n return parseTransactionData(options)\n }\n\n /**\n * Verify transaction data against submitted credentials.\n *\n * NOTE: this expects transaction data based authorization based on hashes. This is the method defined\n * for SD-JWT VC, but for mDOCs it's much more generic. 
If you're using transaction data with mDOCs based\n * on hashes, you can extract the values from the DeviceResponse, otherwise you must verify the transaction data\n * manually.\n */\n public verifyTransactionData(options: Omit<VerifyTransactionDataOptions, 'callbacks'>) {\n return verifyTransactionData({\n ...options,\n callbacks: this.options.callbacks,\n })\n }\n}\n"],"mappings":";;;;;;;;AAkBA,MAAa,gDACX,YACG;CACH,MAAM,EAAE,QAAQ,8BAA8B;AAE9C,KAAI,CAAC,OAAO,gBAAgB,CAAC,OAAO,aAClC,OAAM,IAAI,+BAA+B;EACvC,OAAO,iBAAiB;EACxB,mBAAmB;EACpB,CAAC;AAGJ,KAAI,OAAO,gBAAgB,CAAC,CAAC,eAAe,kBAAkB,CAAC,MAAM,SAAS,SAAS,OAAO,cAAc,CAC1G,OAAM,IAAI,+BAA+B;EACvC,OAAO,iBAAiB;EACxB,mBAAmB,sHAAsH,OAAO;EACjJ,CAAC;AAGJ,KACE;EAAC,OAAO;EAA6B,OAAO;EAAyB,OAAO;EAAY,OAAO;EAAM,CAAC,OACpG,QACD,CAAC,SAAS,EAEX,OAAM,IAAI,+BAA+B;EACvC,OAAO,iBAAiB;EACxB,mBACE;EACH,CAAC;AAGJ,KAAI,OAAO,sBAAsB,CAAC,OAAO,YACvC,OAAM,IAAI,+BAA+B;EACvC,OAAO,iBAAiB;EACxB,mBACE;EACH,CAAC;AAGJ,KAAI,OAAO,sBAAsB,CAAC,CAAC,OAAO,OAAO,CAAC,SAAS,OAAO,mBAAmB,CACnF,OAAM,IAAI,+BAA+B;EACvC,OAAO,iBAAiB;EACxB,mBAAmB,wEAAwE,OAAO;EACnG,CAAC;AAGJ,KAAI,OAAO,eAAe,CAAC,UAAU,UAAU,OAAO,UAAU,CAAC,QAC/D,OAAM,IAAI,+BAA+B;EACvC,OAAO,iBAAiB;EACxB,mBACE;EACH,CAAC;AAGJ,KAAI,2BAA2B,iBAAiB,CAAC,OAAO,aACtD,OAAM,IAAI,+BAA+B;EACvC,OAAO,iBAAiB;EACxB,mBACE;EACH,CAAC;AAGJ,KAAI,2BAA2B,kBAAkB,OAAO,aACtD,OAAM,IAAI,+BAA+B;EACvC,OAAO,iBAAiB;EACxB,mBACE;EACH,CAAC;AAGJ,KAAI,OAAO,UAAU,WAAW,cAAc,IAAI,OAAO,UAAU,WAAW,UAAU,CACtF,OAAM,IAAI,+BAA+B;EACvC,OAAO,iBAAiB;EACxB,mBAAmB,oEAAoE,OAAO,UAAU,MAAM,IAAI,CAAC,GAAG,sDAAsD,OAAO;EACpL,CAAC;;;;;;;;AC/EN,MAAa,qDACX,YACG;CACH,MAAM,EAAE,QAAQ,cAAc,yBAAyB,WAAW;AAElE,KAAI,gBAAgB,CAAC,OAAO,iBAC1B,OAAM,IAAI,+BAA+B;EACvC,OAAO,iBAAiB;EACxB,mBAAmB;EACpB,CAAC;AAGJ,KAAI,CAAC,OAAO,yBAAyB,OAAO,WAAW,CAAC,OAAO,QAAQ,CAAC,WAAW,EACjF,OAAM,IAAI,+BAA+B;EACvC,OAAO,iBAAiB;EACxB,mBACE;EACH,CAAC;AAGJ,KAAI,OAAO,oBAAoB,CAAC,yBAAyB;AACvD,MAAI,CAAC,OACH,OAAM,IAAI,+BAA+B;GACvC,OAAO,iBAAiB;GACxB,mBAAmB;GACpB,CAAC;AAGJ,MAAI,OAAO,oBAAoB,CAAC,OAAO,iBAAiB,SAAS,OAAO,CAC
tE,OAAM,IAAI,+BAA+B;GACvC,OAAO,iBAAiB;GACxB,mBAAmB,mGAAmG,OAAO,iBAAiB,KAAK,KAAK;GACzJ,CAAC;;;;;;ACzCR,MAAa,8BAA8B,EAAE,OAAO;CAClD,mCAAmC;CAEnC,sCAAsC,EAAE,SAAS,EAAE,OAAO,CAAC;CAC3D,sCAAsC,EAAE,SAAS,EAAE,OAAO,CAAC;CAC5D,CAAC;AAGF,MAAa,iCAAiC,EAAE,OAAO;CACrD,mCAAmC,EAAE,SAAS,EAAE,OAAO,CAAC;CACxD,sCAAsC,EAAE,QAAQ;CAEhD,sCAAsC,EAAE,SAAS,EAAE,QAAQ,CAAC;CAC7D,CAAC;AAGF,MAAa,iCAAiC,EAAE,OAAO;CACrD,mCAAmC,4BAA4B,MAAM;CACrE,sCAAsC,+BAA+B,MAAM;CAC3E,sCAAsC,+BAA+B,MAAM;CAC5E,CAAC;;;;AAMF,MAAa,sBAAsB,EAAE,OAAO;CAC1C,mCAAmC,EAAE,SAAS,4BAA4B,MAAM,kCAAkC;CAClH,sCAAsC,EAAE,SACtC,+BAA+B,MAAM,qCACtC;CACD,sCAAsC,EAAE,SACtC,+BAA+B,MAAM,qCACtC;CACF,CAAC;AAGF,MAAa,4BAA4B,oBAAoB,WAAW,oBAAoB;CAC1F,MAAM,mBAAmB,uBACvB,EAAE,MAAM;EAAC;EAAgC;EAA6B;EAA+B,CAAC,EACtG,iBACA,gCACD;CAED,MAAM,cAAc,+BAA+B,UAAU,iBAAiB;AAC9E,KAAI,YAAY,QACd,QAAO;EACL,MAAM;EACN,iBAAiB;GACf,GAAG,YAAY;GACf,sCAAsC,gBAAgB;GACvD;EACF;CAGH,MAAM,cAAc,+BAA+B,UAAU,iBAAiB;AAC9E,KAAI,YAAY,QACd,QAAO;EACL,MAAM;EACN,iBAAiB;GACf,GAAG,YAAY;GACf,sCAAsC,iBAAiB;GACxD;EACF;CAIH,MAAM,WAAW,4BAA4B,UAAU,iBAAiB;AACxE,KAAI,SAAS,QACX,QAAO;EACL,MAAM;EACN,iBAAiB;GACf,GAAG,SAAS;GACZ,mCAAmC,iBAAiB;GACrD;EACF;AAGH,OAAM,IAAI,YAAY,iDAAiD;EACvE;;;;ACjFF,MAAa,sBAAsB,EAEhC,OAAO;CACN,aAAa,EAAE,SACb,EACG,OAAO;EACN,qBAAqB,EAAE,SAAS,EAAE,MAAM,CAAC,EAAE,QAAQ,CAAC,EAAE,EAAE,QAAQ,CAAC,CAAC;EAClE,qBAAqB,EAAE,SAAS,EAAE,MAAM,CAAC,EAAE,QAAQ,CAAC,EAAE,EAAE,QAAQ,CAAC,CAAC;EACnE,CAAC,CACD,OAAO,CACX;CACD,aAAa,EAAE,SACb,EACG,OAAO,EACN,YAAY,EAAE,SAAS,EAAE,MAAM,CAAC,EAAE,QAAQ,CAAC,EAAE,EAAE,QAAQ,CAAC,CAAC,EAC1D,CAAC,CACD,OAAO,CACX;CACD,QAAQ,EAAE,SACR,EACG,OAAO;EACN,mBAAmB,EAAE,SAAS,EAAE,MAAM,CAAC,EAAE,QAAQ,CAAC,EAAE,EAAE,QAAQ,CAAC,CAAC;EAChE,oBAAoB,EAAE,SAAS,EAAE,MAAM,CAAC,EAAE,QAAQ,CAAC,EAAE,EAAE,QAAQ,CAAC,CAAC;EAClE,CAAC,CACD,OAAO,CACX;CACD,UAAU,EAAE,SACV,EACG,OAAO;EAEN,0BAA0B,EAAE,SAAS,EAAE,MAAM,CAAC,EAAE,QAAQ,CAAC,EAAE,EAAE,QAAQ,CAAC,CAAC;EACvE,0BAA0B,EAAE,SAAS,EAAE,MAAM,CAAC,EAAE,QAAQ,CAAC,EAAE,EAAE,QAAQ,CAAC,CAAC;EAGvE,uBAAuB,EAAE,SAAS,EAAE,MAAM,CAAC,EAAE,QAAQ,CAAC,EAAE,
EAAE,QAAQ,CAAC,CAAC;EACpE,uBAAuB,EAAE,SAAS,EAAE,MAAM,CAAC,EAAE,QAAQ,CAAC,EAAE,EAAE,QAAQ,CAAC,CAAC;EACrE,CAAC,CACD,OAAO,CACX;CACF,CAAC,CACD,OAAO,CAEP,SAAS,EAAE,OAAO,EAAE,CAAC,CAAC,OAAO,CAAC;AAIjC,MAAa,mBAAmB,EAAE,OAChC,EAAE,QAAQ,EACV,EACG,OAAO,EACN,sBAAsB,EAAE,SAAS,EAAE,MAAM,EAAE,QAAQ,CAAC,CAAC,EACtD,CAAC,CACD,OAAO,CACX;;;;AC/CD,MAAa,kBAAkB,EAC5B,OAAO;CAEN,UAAU,EAAE,KAAK,CAAC,UAAU;CAC5B,MAAM,EAAE,SAAS,QAAQ;CAGzB,YAAY,EAAE,SAAS,iBAAiB;CAGxC,sBAAsB,EAAE,SAAS,oBAAoB;CAGrD,yCAAyC,EAAE,SAAS,EAAE,MAAM,EAAE,QAAQ,CAAC,CAAC;CAExE,GAAG,oBAAoB;CAEvB,UAAU,UAAU,GAAG,SAAS,CAAC,UAAU;CAC3C,aAAa,EAAE,QAAQ,CAAC,UAAU;CACnC,CAAC,CACD,OAAO;;;;AC1BV,MAAM,uBAAuBA,IAAE,OAAO;CACpC,QAAQA,IAAE,QAAQ;CAClB,MAAMA,IAAE,OAAOA,IAAE,QAAQ,EAAEA,IAAE,SAAS,CAAC,CAAC,GAAGA,IAAE,QAAQ,CAAC;CACtD,gBAAgBA,IAAE,MAAMA,IAAE,QAAQ,CAAC,CAAC,UAAU;CAC/C,CAAC;AAEF,MAAa,wBAAwBA,IAAE,MAAM,qBAAqB;;;;ACHlE,MAAa,iCAAiC,EAC3C,OAAO;CACN,eAAe,EAAE,QAAQ,WAAW;CACpC,WAAW,EAAE,QAAQ;CACrB,cAAc,UAAU,UAAU;CAClC,cAAc,UAAU,UAAU;CAClC,aAAa,UAAU,UAAU;CACjC,oBAAoB,EAAE,SAAS,EAAE,QAAQ,CAAC;CAC1C,eAAe,EAAE,KAAK,CAAC,eAAe,kBAAkB,CAAC,CAAC,UAAU;CACpE,OAAO,EAAE,QAAQ;CACjB,cAAc,EAAE,QAAQ,CAAC,UAAU;CACnC,OAAO,EAAE,QAAQ,CAAC,UAAU;CAC5B,yBAAyB,EACtB,OAAO,EAAE,QAAQ,EAAE,EAAE,KAAK,CAAC,CAE3B,GAAG,cAAc,CACjB,UAAU;CACb,6BAA6B,UAAU,UAAU;CACjD,YAAY,EACT,OAAO,EAAE,QAAQ,EAAE,EAAE,KAAK,CAAC,CAE3B,GAAG,cAAc,CACjB,UAAU;CACb,iBAAiB,gBAAgB,UAAU;CAC3C,qBAAqB,UAAU,UAAU;CACzC,OAAO,EAAE,QAAQ,CAAC,UAAU;CAC5B,kBAAkB,EAAE,MAAM,EAAE,WAAW,CAAC,CAAC,UAAU;CACnD,aAAa,EAAE,MAAM,CAAC,EAAE,QAAQ,CAAC,EAAE,EAAE,QAAQ,CAAC,CAAC,UAAU;CACzD,kBAAkB,EACf,KAAK;EACJ;EACA;EACA;EACA;EACA;EACA;EACA;EACA;EACD,CAAC,CACD,UAAU;CACb,uBAAuB,sBAAsB,UAAU;CACvD,eAAe,sBAAsB,UAAU;CAChD,CAAC,CACD,OAAO;AAGV,MAAa,8CAA8C,EACxD,KAAK,CACL,WAAW,QAAiB,OAAO,YAAY,IAAI,IAAI,IAAI,CAAC,aAAa,CAAC,CAC1E,KACC,EACG,OAAO;CACN,yBAAyB,cAAc,UAAU;CACjD,iBAAiB,cAAc,UAAU;CACzC,YAAY,cAAc,UAAU;CACpC,kBAAkB,cAAc,UAAU;CAC1C,uBAAuB,cAAc,UAAU;CAC/C,eAAe,cAAc,UAAU;CACxC,CAAC,CACD,OAAO,CACX;;;;AC7DH,MAAM,8BAA8B,EAAE,KAAK;CAAC;
CAAU;CAAc;CAAkB;CAAa,CAAC;AACpG,MAAa,sCAAsC,+BAChD,KAAK;CACJ,eAAe;CACf,OAAO;CACP,yBAAyB;CACzB,iBAAiB;CACjB,kBAAkB;CAClB,YAAY;CACZ,aAAa;CACb,OAAO;CACP,uBAAuB;CACvB,eAAe;CAChB,CAAC,CACD,OAAO;CACN,WAAW,EAAE,SAAS,EAAE,QAAQ,CAAC;CACjC,kBAAkB,EAAE,MAAM,EAAE,QAAQ,CAAC,CAAC,UAAU;CAChD,eAAe;CAGf,kBAAkB,EAAE,OAAO,CAAC,UAAU;CACtC,OAAO,EAAE,OAAO,CAAC,UAAU;CAG5B,CAAC;AAIJ,SAAgB,6BACd,cACqE;AACrE,QACE,iBAAiB,UACjB,4BAA4B,QAAQ,SAAS,aAAoE;;AAIrH,SAAgB,qCACd,SAC+C;AAC/C,QAAO,6BAA6B,QAAQ,cAAc;;;;;;;;;;;;;;;;;;;;;;ACS5D,eAAsB,oCAAoC,SAAqD;CAC7G,MAAM,EAAE,KAAK,SAAS,gBAAgB,QAAQ,cAAc;CAE5D,IAAI;CAEJ,IAAI;AACJ,KAAI,qCAAqC,QAAQ,4BAA4B,EAAE;AAC7E,gCAA8B,uBAC5B,qCACA,QAAQ,6BACR,yFACD;AAED,MAAI,OAAO,CAAC,4BAA4B,iBACtC,OAAM,IAAI,YACR,gHACD;AAGH,oDAAkD;GAChD,QAAQ;GACR,cAAc,QAAQ,IAAI;GAC1B,yBAAyB;GAC1B,CAAC;QACG;AACL,gCAA8B,uBAC5B,gCACA,QAAQ,6BACR,kFACD;AACD,+CAA6C;GAC3C,QAAQ;GACR,2BAA2B;GAC5B,CAAC;;AAGJ,KAAI,KAAK;AACP,yBAAuB,CAAC,IAAI,sBAAsB,MAC9C;GAAE,GAAG,IAAI;GAAsB,KAAK,IAAI;GAAY,GACpD,IAAI;EAER,MAAM,YAAY,MAAM,8BAA8B;GACpD,GAAG;GACH;GACA;GACA;GACD,CAAC;EAEF,MAAMC,QAAM,IAAI,IAAI,OAAO;AAC3B,QAAI,SAAS,IAAI,IAAI,gBAAgB;GACnC,GAAGA,MAAI,aAAa,SAAS;GAC7B,GAAG,oBAAoB,UAAU,wBAAwB,CAAC,SAAS;GAEnE,GAAI,4BAA4B,mBAC5B,CAAC,CAAC,oBAAoB,4BAA4B,iBAAiB,CAAC,GACpE,EAAE;GACP,CAAC,CAAC,UAAU;AAEb,SAAO;GACL;GACA,4BAA4B,UAAU;GACtC,sBAAsBA,MAAI,UAAU;GACpC,KAAK;IAAE,GAAG;IAAK,GAAG;IAAW;GAC9B;;CAGH,MAAM,MAAM,IAAI,IAAI,OAAO;AAC3B,KAAI,SAAS,IAAI,IAAI,gBAAgB,CACnC,GAAG,IAAI,aAAa,SAAS,EAC7B,GAAG,oBAAoB,4BAA4B,CAAC,SAAS,CAC9D,CAAC,CAAC,UAAU;AAEb,QAAO;EACL;EACA,4BAA4B;EAC5B,sBAAsB,IAAI,UAAU;EACpC,KAAK;EACN;;;;;AC7HH,MAAa,oCAAoC,yBAAyB,OAAO,EAC/E,oBAAoB,EAAE,SAAS,EAAE,QAAQ,CAAC,EAC3C,CAAC;AAGF,SAAgB,0BACd,SAC6C;AAC7C,QAAO,aAAa,WAAW,iBAAiB;;;;;AC4BlD,SAAgB,mCACd,SACmG;CACnG,MAAM,EAAE,yBAAyB;CACjC,IAAI,WAAqC;CAEzC,IAAI;AACJ,KAAI,OAAO,yBAAyB,SAElC,KAAI,qBAAqB,SAAS,IAAI,EAAE;AACtC,WAAS,uBACP,6CACA,sBACA,wEACD;AACD,aAAW;QACN;AAEL,WADgB,UAAU,EAAE,KAAK,sBAAsB,CAAC,CACvC;AACjB,aAAW;;KAGb,UAAS;CAGX,MAAM,gBAAgB,uBACpBC,IAAE,MAAM;EAAC
;EAAgC;EAAmC;EAAoC,CAAC,EACjH,OACD;AAED,KAAI,0BAA0B,cAAc,CAC1C,QAAO;EACL,MAAM;EACN;EACA,QAAQ;EACT;AAGH,KAAI,qCAAqC,cAAc,CACrD,QAAO;EACL,MAAM;EACN;EACA,QAAQ;EACT;AAGH,QAAO;EACL,MAAM;EACN;EACA,QAAQ;EACT;;;;;ACxFH,eAAsB,qCAAqC,EACzD,iBACA,QAQC;AACD,QAAO,kBACL,MAAM,KACJ,OAAO,oBAAoB,WAAW,aAAa,gBAAgB,GAAG,iBACtE,cAAc,OACf,CACF;;;;;AChBH,MAAa,kBAAkB,EAAE,KAAK;CACpC;CACA;CACA;CAEA;CACA;CAEA;CACA;CAEA;CACA;CAEA;CAEA;CACA;CACD,CAAC;AAEF,MAAa,yBAAyB,gBAAgB,QAAQ;CAAC;CAAO;CAAS;CAAa,CAAC;AAK7F,MAAa,yCAAyC,EAAE,MACtD,CACE,EACG,OAAO,EAAE,SAAS,8BAA8B,CAAC,CACjD,SAAS,IAAI,CACb,WAAW,aAAa;CACvB,MAAM,aAAa,SAAS,QAAQ,IAAI;CACxC,MAAM,iBAAiB,SAAS,MAAM,GAAG,WAAW;CACpD,MAAM,qBAAqB,SAAS,MAAM,aAAa,EAAE;AAGzD,KAAI,mBAAmB,UAAU,iBAAiB,CAAC,kBACjD,QAAO,CAAC,SAAS,SAAS;AAG5B,KAAI,mBAAmB,SAAS,mBAAmB,UAAU,mBAAmB,QAC9E,QAAO,CAAC,gBAAgB,SAAS;AAGnC,QAAO,CAAC,gBAAgB,mBAAmB;EAC3C,CACD,KAAK,EAAE,MAAM,CAAC,gBAAgB,QAAQ,CAAC,iBAAiB,CAAC,EAAE,EAAE,QAAQ,CAAC,CAAC,CAAC,EAC3E,EACG,QAAQ,CACR,QAAQ,aAAa,SAAS,SAAS,IAAI,KAAK,MAAM,CACtD,WAAW,aAAa,CAAC,kBAAkB,SAAS,CAAU,CAClE,EACD,EACE,SAAS,yGAAyG,gBAAgB,QAAQ,CAAC,iBAAiB,CAAC,CAAC,QAAQ,KAAK,KAAK,IACjL,CACF;AAED,MAAa,2BAA2B,gBAAgB,WAAW,WACjE,WAAW,QACP,6BACA,WAAW,UACT,sBACA,WAAW,eACT,WACA,OACT;AAED,MAAa,wBAAwB,EAAE,KAAK;CAC1C;CACA;CACA;CACA;CACA;CACA;CACA;CACD,CAAC;AAIF,MAAa,wCAAwC,sBAClD,UAAU,CACV,QAAQ,iBAAiB,CACzB,WAAW,mBACV,mBAAmB,cACf,sBACA,mBAAmB,QACjB,6BACA,eACP;;;;;;;;;;ACsBH,SAAgB,qBAAqB,SA2CnC;CACA,MAAM,WAAW,EACf,UAAU,QAAQ,UACnB;CAED,MAAM,UAAU,QAAQ,WAAW;AAGnC,KAAI,6BAA6B,QAAQ,aAAa,EAAE;AACtD,MAAI,CAAC,QAAQ,UAAU;AACrB,OAAI,CAAC,QAAQ,OACX,OAAM,IAAI,+BAA+B;IACvC,OAAO,iBAAiB;IACxB,mBACE;IACH,CAAC;AAGJ,UAAO;IACL,gBAAgB;IAChB,yBAAyB;IACzB,oBAAoB,QAAQ;IAC5B,mBAAmB,WAAW,KAAK,UAAU,QAAQ,WAAW,cAAc,QAAQ;IACtF;IACD;;EAGH,MAAMC,sCAAoC,uCAAuC,UAAU,QAAQ,SAAS;AAC5G,MAAI,CAACA,oCAAkC,QACrC,OAAM,IAAI,+BAA+B;GACvC,OAAO,iBAAiB;GACxB,mBAAmB,6DAA6D,QAAQ,SAAS;GAClG,CAAC;EAGJ,MAAM,CAACC,kBAAgBC,wBAAsBF,oCAAkC;EAC/E,MAAMG,0BAAwB,yBAAyB,UAAUF,iBAAe;AAChF,MAAI,CAACE,wBAAsB,QACzB,OAAM,IAAI,+BA
A+B;GACvC,OAAO,iBAAiB;GACxB,mBAAmB,6DAA6D,QAAQ,SAAS;GAClG,CAAC;AAGJ,SAAO;GACL,mBAAmB,QAAQ;GAC3B,yBAAyBF;GACzB;GAEA,gBAAgBE,wBAAsB;GACtC;GACD;;AAIH,KAAI,CAAC,QAAQ,SACX,OAAM,IAAI,+BAA+B;EACvC,OAAO,iBAAiB;EACxB,mBAAmB,8FAA8F,QAAQ,aAAa;EACvI,CAAC;AAIJ,KAAI,QAAQ,sBAAsB;EAChC,MAAM,uBAAuB,sCAAsC,UAAU,QAAQ,qBAAqB;AAC1G,MAAI,CAAC,qBAAqB,QACxB,OAAM,IAAI,+BAA+B;GACvC,OAAO,iBAAiB;GACxB,mBAAmB,0EAA0E,QAAQ,qBAAqB;GAC3H,CAAC;EAGJ,MAAM,iBAAiB,qBAAqB;AAE5C,SAAO;GACL,mBAAmB,QAAQ;GAC3B,oBAAoB,QAAQ;GAC5B;GACA,yBAA0B,QAAQ,wBAAwB;GAC1D,UAAU;IACR,GAAG;IACH,gBAAgB,QAAQ;IACzB;GACF;;CAGH,MAAM,oCAAoC,uCAAuC,UAAU,QAAQ,SAAS;AAC5G,KAAI,CAAC,kCAAkC,QACrC,OAAM,IAAI,+BAA+B;EACvC,OAAO,iBAAiB;EACxB,mBAAmB,6DAA6D,QAAQ,SAAS;EAClG,CAAC;CAGJ,MAAM,CAAC,gBAAgB,sBAAsB,kCAAkC;CAC/E,MAAM,wBAAwB,yBAAyB,UAAU,eAAe;AAChF,KAAI,CAAC,sBAAsB,QACzB,OAAM,IAAI,+BAA+B;EACvC,OAAO,iBAAiB;EACxB,mBAAmB,6DAA6D,QAAQ,SAAS;EAClG,CAAC;AAKJ,QAAO;EACL,mBAAmB,QAAQ;EAC3B,gBAAgB,sBAAsB;EACtC,yBAAyB;EACzB;EACA;EACD;;;;;AAsBH,eAAsB,0BACpB,SACA,cACiC;CACjC,MAAM,EAAE,6BAA6B,KAAK,WAAW;CAGrD,MAAM,2BAA2B,EAC/B,kBAAkB,cAAc,oBAAoB,OAAO,OAAO,gBAAgB,QAAQ,EAC3F;CAED,MAAM,EAAE,oBAAoB,gBAAgB,mBAAmB,aAAa,qBAAqB;EAC/F,UAAU,4BAA4B;EACtC,sBAAsB,4BAA4B;EAClD,cAAc,4BAA4B;EAC1C;EACD,CAAC;AAEF,KAAI,mBAAmB,iBACrB,QAAO;EACL,QAAQ;EACR,YAAY;EACZ,WAAW;EACX;EACD;AAGH,KAAI,CAAC,yBAAyB,iBAAiB,SAAS,eAAe,CACrE,OAAM,IAAI,+BAA+B;EACvC,OAAO,iBAAiB;EACxB,mBAAmB,yCAAyC,eAAe;EAC5E,CAAC;AAGJ,KAAI,mBAAmB,qBAAqB;AAC1C,MAAI,CAAC,UAAU,UAAU,mBAAmB,CAAC,QAC3C,OAAM,IAAI,+BACR;GACE,OAAO,iBAAiB;GACxB,mBAAmB;GACpB,EACD,EACE,iBAAiB,wGAClB,CACF;AAGH,MAAI,CAAC,IACH,OAAM,IAAI,+BAA+B;GACvC,OAAO,iBAAiB;GACxB,mBAAmB;GACpB,CAAC;AAGJ,MAAI,IAAI,OAAO,WAAW,aACxB,OAAM,IAAI,+BAA+B;GACvC,OAAO,iBAAiB;GACxB,mBACE;GACH,CAAC;AAGJ,SAAO;GACL,QAAQ;GACR,YAAY;GACZ,WAAW;GACX;GACA,YAAY,4BAA4B;GACzC;;AAGH,KAAI,mBAAmB,gBAAgB;AACrC,MAAI,IACF,OAAM,IAAI,+BAA+B;GACvC,OAAO,iBAAiB;GACxB,mBAAmB;GACpB,CAAC;AAGJ,MAAI,qCAAqC,4BAA4B,CACnE,OAAM,IAAI,+BAA+B;GACvC,OAAO,iBAAiB;GACxB,mBAAmB;GACpB,CAAC;AAGJ,MAAI,4BAA4B,gBAAgB,
4BAA4B,iBAAiB,mBAC3F,OAAM,IAAI,+BAA+B;GACvC,OAAO,iBAAiB;GACxB,mBAAmB;GACpB,CAAC;AAGJ,MAAI,4BAA4B,gBAAgB,4BAA4B,iBAAiB,mBAC3F,OAAM,IAAI,+BAA+B;GACvC,OAAO,iBAAiB;GACxB,mBAAmB;GACpB,CAAC;AAGJ,SAAO;GACL,QAAQ;GACR,YAAY;GACZ,WAAW;GACX;GACA,gBAAgB,4BAA4B;GAC5C,aAAc,4BAA4B,gBAAgB,4BAA4B;GACvF;;AAGH,KAAI,mBAAmB,4BAA4B;AACjD,MAAI,CAAC,IACH,OAAM,IAAI,+BAA+B;GACvC,OAAO,iBAAiB;GACxB,mBAAmB;GACpB,CAAC;AAGJ,MAAI,IAAI,OAAO,WAAW,MACxB,OAAM,IAAI,+BAA+B;GACvC,OAAO,iBAAiB;GACxB,mBACE;GACH,CAAC;AAGJ,MAAI,CAAC,mBAAmB,WAAW,OAAO,CACxC,OAAM,IAAI,+BAA+B;GACvC,OAAO,iBAAiB;GACxB,mBAAmB;GACpB,CAAC;EAGJ,MAAM,CAAC,OAAO,IAAI,OAAO,OAAO,MAAM,IAAI;AAC1C,MAAI,uBAAuB,IACzB,OAAM,IAAI,+BAA+B;GACvC,OAAO,iBAAiB;GACxB,mBAAmB,kCAAkC,eAAe;GACrE,CAAC;AAGJ,SAAO;GACL,QAAQ;GACR,YAAY;GACZ,WAAW;GACX;GACA,gBAAgB,4BAA4B;GAC5C,QAAQ,IAAI,OAAO;GACpB;;AAGH,KAAI,mBAAmB,kBAAkB,mBAAmB,kBAAkB,mBAAmB,aAAa;AAC5G,MAAI,CAAC,IACH,OAAM,IAAI,+BAA+B;GACvC,OAAO,iBAAiB;GACxB,mBAAmB,mCAAmC,eAAe;GACtE,CAAC;AAGJ,MAAI,IAAI,OAAO,WAAW,MACxB,OAAM,IAAI,+BAA+B;GACvC,OAAO,iBAAiB;GACxB,mBAAmB,+FAA+F,eAAe;GAClI,CAAC;AAGJ,MAAI,CAAC,QAAQ,UAAU,2BACrB,OAAM,IAAI,+BACR,EACE,OAAO,iBAAiB,aACzB,EACD,EACE,iBAAiB,+EAA+E,eAAe,qBAChH,CACF;AAGH,MAAI,mBAAmB,gBAAgB;GACrC,MAAM,EAAE,gBAAgB,QAAQ,UAAU,2BAA2B,IAAI,OAAO,IAAI,GAAG;AACvF,OAAI,CAAC,YAAY,SAAS,mBAAmB,CAC3C,OAAM,IAAI,+BAA+B;IACvC,OAAO,iBAAiB;IACxB,mBAAmB,0EAA0E,YAAY,KAAK,KAAK,CAAC,sCAAsC,mBAAmB;IAC9K,CAAC;AAGJ,OAAI,CAAC,qCAAqC,4BAA4B,EAAE;IACtE,MAAM,MAAM,4BAA4B,gBAAgB,4BAA4B;AACpF,QAAI,CAAC,OAAO,IAAI,IAAI,IAAI,CAAC,aAAa,mBACpC,OAAM,IAAI,+BAA+B;KACvC,OAAO,iBAAiB;KACxB,mBACE;KACH,CAAC;;aAGG,mBAAmB,gBAAgB;GAC5C,MAAM,EAAE,gBAAgB,QAAQ,UAAU,2BAA2B,IAAI,OAAO,IAAI,GAAG;AACvF,OAAI,CAAC,YAAY,SAAS,mBAAmB,CAC3C,OAAM,IAAI,+BAA+B;IACvC,OAAO,iBAAiB;IACxB,mBAAmB,0EAA0E,YAAY,KAAK,KAAK,CAAC,sCAAsC,mBAAmB;IAC9K,CAAC;AAGJ,OAAI,CAAC,qCAAqC,4BAA4B,EAAE;IACtE,MAAM,MAAM,4BAA4B,gBAAgB,4BAA4B;AACpF,QAAI,CAAC,OAAO,QAAQ,mBAClB,OAAM,IAAI,+BAA+B;KACvC,OAAO,iBAAiB;KACxB,mBACE;KACH,CAAC;;aAGG,mBAAmB,aAAa;GACzC,MAAM,WAAW,MAAM,qCAAqC;IAC1D,
MAAM,QAAQ,UAAU;IACxB,iBAAiB,IAAI,OAAO,IAAI;IACjC,CAAC;AAEF,OAAI,aAAa,mBACf,OAAM,IAAI,+BAA+B;IACvC,OAAO,iBAAiB;IACxB,mBAAmB,wGAAwG,SAAS,qCAAqC,mBAAmB;IAC7L,CAAC;;AAIN,SAAO;GACL,QAAQ;GACR,YAAY;GACZ,WAAW;GACX;GACA,KAAK,IAAI,OAAO;GAChB,gBAAgB,4BAA4B;GAC7C;;AAGH,KAAI,mBAAmB,SACrB,QAAO;EACL,QAAQ;EACR,YAAY;EACZ,WAAW;EACX;EACA,gBAAgB,4BAA4B;EAC7C;AAGH,KAAI,mBAAmB,wBACrB;MAAI,CAAC,IACH,OAAM,IAAI,+BAA+B;GACvC,OAAO,iBAAiB;GACxB,mBAAmB;GACpB,CAAC;;AAIN,QAAO;EACL,QAAQ;EACR,gBAAgB,4BAA4B;EAC5C,YAAY;EACZ,WAAW;EACX;EACD;;;;;ACriBH,eAAsB,oBAAoB,SAGd;CAC1B,MAAM,EAAE,OAAO,sBAAsB;CAGrC,MAAM,EAAE,QAAQ,aAAa,MAFb,iBAAiB,MAAM,CAEI,iBAAiB,YAAY,MAAM,mBAAmB;EAC/F,QAAQ;EACR,SAAS,EACP,QAAQ,YAAY,MACrB;EACF,CAAC;AAEF,KAAI,CAAC,SAAS,GACZ,OAAM,IAAI,+BAA+B;EACvC,mBAAmB,kCAAkC,kBAAkB,6BAA6B,SAAS,OAAO;EACpH,OAAO,iBAAiB;EACzB,CAAC;AAGJ,KAAI,CAAC,UAAU,CAAC,OAAO,QACrB,OAAM,IAAI,+BAA+B;EACvC,mBAAmB,iCAAiC,kBAAkB;EACtE,OAAO,iBAAiB;EACzB,CAAC;AAGJ,QAAO,OAAO;;;;;ACjBhB,SAAgB,iCACd,SACwB;CACxB,MAAM,eAAuD,EAAE;AAE/D,KAAI,QAAQ,cACV,cAAa,KAAK,CAAC,MAAM,IAAI,CAAC;AAEhC,KAAI,QAAQ,sBACV,cAAa,KAAK,CAAC,KAAK,IAAI,CAAC;AAI/B,KACE,QAAQ,iBAAiB,sBAAsB,UAAU,yBACzD,QAAQ,iBAAiB,sBAAsB,UAAU,sBAEzD,cAAa,KAAK,CAAC,MAAM,GAAG,CAAC;AAG/B,KACE,QAAQ,iBAAiB,sBAAsB,UAAU,4BACzD,QAAQ,iBAAiB,sBAAsB,UAAU,yBAEzD,cAAa,KAAK,CAAC,KAAK,GAAG,CAAC;AAK9B,KAAI,QAAQ,iBAAiB,qBAC3B,cAAa,KAAK,CAAC,MAAM,GAAG,CAAC;AAE/B,KAAI,QAAQ,iBAAiB,WAC3B,cAAa,KAAK,CAAC,KAAK,GAAG,CAAC;AAI9B,KACE,QAAQ,WAAW,WAAW,qBAAqB,IACnD,QAAQ,WAAW,WAAW,4BAA4B,CAE1D,cAAa,KAAK,CAAC,MAAM,GAAG,CAAC;AAG/B,KAAI,QAAQ,WAAW,WAAW,OAAO,CACvC,cAAa,KAAK,CAAC,KAAK,GAAG,CAAC;AAG9B,KAAI,QAAQ,2BAA2B,QAAQ,4BAC7C,cAAa,KAAK,CAAC,KAAK,GAAG,CAAC;AAG9B,KAAI,QAAQ,sBACV,cAAa,KAAK,CAAC,MAAM,GAAG,CAAC;AAI/B,KAAI,QAAQ,WAAW,WAAW,gBAAgB,CAChD,cAAa,KAAK,CAAC,KAAK,GAAG,CAAC;AAG9B,KAAI,QAAQ,WAAW,WAAW,aAAa,CAC7C,cAAa,KAAK,CAAC,MAAM,GAAG,CAAC;AAG/B,KAAI,QAAQ,WAAW,WAAW,cAAc,CAC9C,cAAa,KAAK,CAAC,KAAK,GAAG,CAAC;AAG9B,KAAI,QAAQ,WAAW,WAAW,UAAU,CAC1C,cAAa,KAAK,CAAC,MAAM,GAAG,CAAC;AAI/B,KACE,qCAAqC,QAAQ,KAC5C,QAAQ,kBAAkB
,gBAAgB,QAAQ,kBAAkB,mBACrE;AACA,eAAa,KAAK,CAAC,KAAK,GAAG,CAAC;AAC5B,eAAa,KAAK,CAAC,MAAM,GAAG,CAAC;;AAG/B,KACE,qCAAqC,QAAQ,KAC5C,QAAQ,kBAAkB,YAAY,QAAQ,kBAAkB,cAEjE,cAAa,KAAK,CAAC,MAAM,GAAG,CAAC;AAG/B,KAAI,qCAAqC,QAAQ,KAAK,QAAQ,oBAAoB,QAAQ,YACxF,cAAa,KAAK,CAAC,MAAM,GAAG,CAAC;AAK/B,KAAI,QAAQ,iBACV,cAAa,KAAK,CAAC,MAAM,GAAG,CAAC;AAG/B,KAAI,QAAQ,iBACV,cAAa,KAAK,CAAC,KAAK,GAAG,CAAC;AAO9B,KAAI,QAAQ,WAAW;EACrB,MAAM,aAAa,QAAQ,UAAU,QAAQ,IAAI;EACjD,MAAM,aAAa,QAAQ,UAAU,UAAU,GAAG,WAAW;EAC7D,MAAM,eAAe,gBAAgB,UAAU,WAAW;AAG1D,MAAI,aAAa,WAAW,aAAa,SAAS,SAAS,aAAa,SAAS,QAC/E,cAAa,KAAK,CAAC,MAAM,GAAG,CAAC;;AAOjC,KAAI,CAAC,QAAQ,UACX,cAAa,KAAK,CAAC,MAAM,GAAG,CAAC;AAK/B,KAAI,QAAQ,WACV,cAAa,KAAK,CAAC,MAAM,GAAG,CAAC;AAG/B,KAAI,QAAQ,oBACV,cAAa,KAAK,CAAC,KAAK,GAAG,CAAC;AAG9B,KAAI,qCAAqC,QAAQ,CAC/C,cAAa,KAAK,CAAC,MAAM,GAAG,CAAC;AAG/B,KAAI,QAAQ,sBAAsB,QAAQ,aACxC,cAAa,KAAK,CAAC,MAAM,GAAG,CAAC;AAK/B,KAAI,QAAQ,qBAAqB,uBAC/B,cAAa,KAAK,CAAC,MAAM,GAAG,CAAC;AAK/B,KAAI,QAAQ,qBAAqB,kBAAkB,QAAQ,qBAAqB,eAC9E,cAAa,KAAK,CAAC,MAAM,GAAG,CAAC;CAI/B,MAAM,mBAAmB,aAAa,QAAQ,CAAC,cAAc,aAAa,IAAI,CAAC,KAAK,CAAC,GAAG,aAAa,QAAQ;CAE7G,MAAM,sBAAsB,aAAa,QAAQ,CAAC,cAAc,aAAa,KAAK,CAAC,KAAK,CAAC,GAAG,aAAa,QAAQ;CAGjH,MAAM,yBACJ,iBAAiB,SAAS,IACrB,KAAK,IAAI,KAAK,IAAI,GAAG,iBAAiB,GAAG,GAAG,GAAG,GAC/C;CAGP,MAAM,wBACJ,oBAAoB,SAAS,IAAK,KAAK,IAAI,GAAG,oBAAoB,GAA+B;AAInG,KAAI,wBAAwB,uBAE1B,OAAM,IAAI,+BAA+B;EACvC,OAAO,iBAAiB;EACxB,mBAAmB,yIAAyI,sBAAsB,mCAAmC;EACtN,CAAC;AAGJ,QAAO;;;;;;;;;;;;;;;;ACnLT,eAAsB,sBAAsB,SASxB;CAClB,MAAM,EAAE,YAAY,gBAAgB,QAAQ,QAAQ,UAAU;CAE9D,IAAI,cAAc,OAAO,WAAW;EAAE,iBAAiB,OAAO;EAAU,cAAc,OAAO;EAAO,GAAG;AACvG,KAAI,aAAa,iBAAiB,+CAA+C,mBAAmB,gBAAgB;EAElH,MAAM,EAAE,6CAA6C,GAAG,SAAS,YAAY;AAC7E,gBAAc;GAAE,GAAG;GAAa,iBAAiB,EAAE,GAAG,MAAM;GAAE;;CAGhE,MAAM,WAAW,MAAM,cAAc,MAAM,CAAC,YAAY;EACtD;EACA,MAAM,WAAW,SAAS,oBAAoB,OAAO,YAAY,EAAE,CAAC,GAAG;EACvE,SAAS;GACP,QAAQ,GAAG,YAAY,6BAA6B,IAAI,YAAY,IAAI;GACxE,gBAAgB,YAAY;GAC7B;EACF,CAAC,CAAC,YAAY;AACb,QAAM,IAAI,+BAA+B;GACvC,mBAAmB,6CAA6C,WAAW;GAC3E,OAAO,iBAAiB;GACzB,CAAC;GACF;AAE
F,KAAI,CAAC,SAAS,GACZ,OAAM,IAAI,+BAA+B;EACvC,mBAAmB,6CAA6C,WAAW,6BAA6B,SAAS,OAAO;EACxH,OAAO,iBAAiB;EACzB,CAAC;AAGJ,QAAO,MAAM,SAAS,MAAM;;;;;;;;;;;;;ACA9B,eAAsB,iBAAiB,SAA+D;CACpG,MAAM,EAAE,WAAW,SAAS,EAAE,KAAK;CAEnC,MAAM,mBAAmB;EACvB,GAAG,yBAAyB,QAAQ;EACpC,GAAG,QAAQ;EACZ;CAED,MAAM,SAAS,iBAAiB,UAAU,UAAU;CAGpD,MAAM,iBAA6C,iBAAiB,YAChE,gBAAgB,UAAU,iBAAiB,UAAU,MAAM,IAAI,CAAC,GAAG,CAAC,OACpE;CAEJ,MAAM,SAAS,iBAAiB,sBAAsB;AACtD,KAAI,WAAW,SAAS,WAAW,OACjC,OAAM,IAAI,+BAA+B;EACvC,OAAO,iBAAiB;EACxB,mBAAmB;EACpB,CAAC;CAGJ,MAAM,gBACJ,iBAAiB,WAChB,MAAM,sBAAsB;EAC3B,YAAY,iBAAiB;EAC7B;EACA;EACA;EACA,OAAO,UAAU;EAClB,CAAC;CAGJ,MAAM,EAAE,eAAe,SAAS,2BADC,YAAY,UAAU,cAAc,CAAC,UAElE,MAAM,kBAAkB;EAAE,KAAK;EAAe;EAAW,CAAC,GAC1D;EAAE,SAAS;EAAe,eAAe;EAAW;AAGxD,KAAI,CADoB,YAAY,UAAU,uBAAuB,CAAC,QAEpE,OAAM,IAAI,+BAA+B;EACvC,OAAO,iBAAiB;EACxB,mBAAmB;EACpB,CAAC;CAGJ,MAAM,EAAE,6BAA6B,QAAQ,QAAQ,MAAM,uBAAuB;EAChF;EACA;EACD,CAAC;AACF,KAAI,CAAC,4BAA4B,UAC/B,OAAM,IAAI,+BAA+B;EACvC,OAAO,iBAAiB;EACxB,mBAAmB;EACpB,CAAC;AAIJ,KACE,CAAC,6BAA6B,4BAA4B,cAAc,IACxE,iBAAiB,cAAc,4BAA4B,UAE3D,OAAM,IAAI,+BAA+B;EACvC,OAAO,iBAAiB;EACxB,mBAAmB;EACpB,CAAC;AAEJ,KACE,iBAAiB,oBACjB,iBAAiB,qBAAqB,4BAA4B,iBAElE,OAAM,IAAI,+BAA+B;EACvC,OAAO,iBAAiB;EACxB,mBAAmB;EACpB,CAAC;AAGJ,QAAO;EACL;EACA;EACA;EACA;EACA;EACD;;AAGH,eAAe,kBAAkB,SAA0E;CACzG,MAAM,EAAE,KAAK,cAAc;CAE3B,MAAM,EAAE,WAAW,UAAU,EAAE,KAAK,KAAK,CAAC;AAC1C,KAAI,CAAC,OAAO,IACV,OAAM,IAAI,+BAA+B;EACvC,OAAO,iBAAiB;EACxB,mBAAmB;EACpB,CAAC;CAGJ,MAAM,mBAAmB,MAAM,UAAU,WAAW,IAAI;AACxD,KAAI,CAAC,iBAAiB,UACpB,OAAM,IAAI,+BAA+B;EACvC,OAAO,iBAAiB;EACxB,mBAAmB;EACpB,CAAC;AAGJ,QAAO;;AAGT,eAAe,uBAAuB,SAGnC;CACD,MAAM,EAAE,wBAAwB,cAAc;CAE9C,MAAM,MAAM,UAAU;EAAE,KAAK;EAAwB,eAAe;EAA0B,CAAC;CAE/F,IAAI;CAEJ,MAAM,EAAE,mBAAmB,qBAAqB;EAC9C,cAAc,IAAI,QAAQ;EAC1B,UAAU,IAAI,QAAQ;EACtB,sBAAsB,IAAI,QAAQ;EACnC,CAAC;CAGF,MAAM,yBAA+E;EACnF,0BAA0B,CAAC,MAAM;EAEjC,kBAAkB;GAAC;GAAU;GAAO;GAAM;EAC1C,QAAQ,EAAE;EACV,cAAc,EAAE;EAGhB,sBAAsB;GAAC;GAAO;GAAc;GAAO;GAAO;GAAS;EAEnE,cAAc,CAAC,MAAM;EACrB,cAAc,CAAC,MAAM;EACrB,WAAW
,CAAC,MAAM;EAGlB,mBAAmB,EAAE;EACtB;AAGD,KAAI,mBAAmB,qBAAqB;AAC1C,MAAI,CAAC,IAAI,OAAO,IACd,OAAM,IAAI,YACR,oGACD;AAGH,cAAY;GACV,QAAQ;GACR,KAAK,IAAI,OAAO;GAChB,YAAY,IAAI,QAAQ;GACxB,KAAK,IAAI,OAAO;GACjB;OAED,aAAY,iBAAiB;EAAE,GAAG;EAAK,sBAAsB,uBAAuB;EAAiB,CAAC;CAGxG,MAAM,EAAE,WAAW,MAAM,UAAU;EACjC,mBAAmB,UAAU;EAC7B,SAAS;EACT,QAAQ,IAAI;EACZ,SAAS,IAAI;EACb,QAAQ;EACT,CAAC;CAGF,MAAM,UAAU,iCAAiC,IAAI,QAAe;AACpE,KAAI,IAAI,OAAO,QAAQ,0CAA0C,WAAW,GAC1E,OAAM,IAAI,+BAA+B;EACvC,OAAO,iBAAiB;EACxB,mBAAmB,oFAAoF,IAAI,OAAO,IAAI;EACvH,CAAC;AAGJ,QAAO;EACL;EACA;EACA,6BAA6B,IAAI;EAClC;;;;;AC5OH,MAAa,oBAAoB,EAC9B,OAAO;CACN,MAAM,EAAE,QAAQ;CAChB,gBAAgB,EAAE,MAAM,CAAC,EAAE,QAAQ,CAAC,EAAE,EAAE,QAAQ,CAAC;CAGjD,6BAA6B,EAAE,MAAM,CAAC,EAAE,QAAQ,CAAC,EAAE,EAAE,QAAQ,CAAC,CAAC,UAAU;CAC1E,CAAC,CACD,OAAO;AAGV,MAAa,mBAAmB,EAAE,MAAM,kBAAkB;;;;ACC1D,SAAgB,qBAAqB,SAAoE;CACvG,MAAM,EAAE,oBAAoB;CAE5B,MAAM,UAAU,gBAAgB,KAAK,YAAY,YAAY,mBAAmB,aAAa,QAAQ,CAAC,CAAC,CAAC;CAExG,MAAM,eAAe,iBAAiB,UAAU,QAAQ;AACxD,KAAI,CAAC,aAAa,QAChB,OAAM,IAAI,+BAA+B;EACvC,OAAO,iBAAiB;EACxB,mBAAmB;EACpB,CAAC;AAGJ,QAAO,aAAa,KAAK,KAAK,WAAS,WAAW;EAChD,iBAAiBC;EACjB,SAAS,gBAAgB;EACzB,sBAAsB;EACvB,EAAE;;;;;AC4BL,eAAsB,qCACpB,SACgD;CAChD,MAAM,EAAE,QAAQ,WAAW,QAAQ,4BAA4B;CAE/D,IAAI;CAIJ,MAAM,SAAS,uBACbC,IAAE,MAAM;EAAC;EAAqC;EAAgC;EAAkC,CAAC,EACjH,QAAQ,6BACR,mHACD;CAED,IAAI;AACJ,KAAI,0BAA0B,OAAO,EAAE;AACrC,QAAM,MAAM,iBAAiB;GAAE,kBAAkB;GAAQ;GAAW;GAAQ,CAAC;AAQ7E,gCAA8B,6CAA6C;GACzE,6BAP2C,uBAC3CA,IAAE,MAAM,CAAC,qCAAqC,+BAA+B,CAAC,EAC9E,IAAI,6BACJ,gGACD;GAIC;GACA,KAAK;GACL;GACA;GACD,CAAC;OAEF,+BAA8B,6CAA6C;EACzE,6BAA6B;EAC7B;EACA,KAAK;EACL;EACA;EACD,CAAC;CAGJ,MAAM,UAAU,iCAAiC,4BAA4B;CAC7E,IAAI,iBAAiB,4BAA4B;AACjD,KACE,CAAC,qCAAqC,4BAA4B,IAClE,CAAC,kBACD,4BAA4B,oBAE5B,kBAAiB,MAAM,oBAAoB,EAAE,mBAAmB,4BAA4B,qBAAqB,CAAC;CAGpH,MAAM,aAAa,MAAM,0BAA0B;EACjD,6BAA6B;GAC3B,GAAG;GACH,iBAAiB;GAClB;EACD;EACA;EACA;EACA;EACD,CAAC;CAEF,IAAI;CACJ,IAAI;AAEJ,KAAI,4BAA4B,2BAA2B,4BAA4B,6BAA6B;AAClH,MAAI,4BAA4B,4BAC9B,OAAM,IAAI,+BAA+B;GACvC,OAAO,iBAAiB;GACxB,mBAAmB;GACpB,CAA
C;AAGJ,QAAM;GACJ,yBAAyB,4BAA4B;GACrD,6BAA6B,4BAA4B;GAC1D;;AAGH,KAAI,4BAA4B,WAC9B,QAAO,EAAE,OAAO,4BAA4B,YAAY;AAO1D,QAAO;EACL,iBALsB,4BAA4B,mBAChD,qBAAqB,EAAE,iBAAiB,4BAA4B,kBAAkB,CAAC,GACvF;EAIF;EACA;EACA,QAAQ;EACR;EACA;EACA;EACD;;AAGH,SAAS,6CAA6C,SAMnD;CACD,MAAM,EAAE,6BAA6B,QAAQ,KAAK,QAAQ,4BAA4B;AAEtF,KAAI,qCAAqC,4BAA4B,EAAE;AACrE,oDAAkD;GAChD,QAAQ;GACR,cAAc;GACd;GACA;GACD,CAAC;AAEF,SAAO;;AAGT,8CAA6C;EAC3C,QAAQ;EACR,2BAA2B;EAC5B,CAAC;AACF,QAAO;;;;;AC5KT,SAAgB,iBAAiB,MAAY,SAAiB;AAC5D,QAAO,IAAI,KAAK,KAAK,SAAS,GAAG,UAAU,IAAK;;;;;ACQlD,eAAsB,gCAAgC,SAAiD;CACrG,MAAM,EAAE,2BAA2B,cAAc,WAAW,cAAc;AAC1E,KAAI,CAAC,aAAa,cAAc;EAC9B,MAAM,EAAE,QAAQ,MAAM,UAAU,WAAW,cAAc,KAAK,UAAU,0BAA0B,CAAC;AACnG,SAAO,EAAE,8BAA8B,KAAK;;AAG9C,KAAI,aAAa,CAAC,aAKhB,QAAO,EAAE,+BAJM,MAAM,UAAU,QAAQ,WAAW;EAChD,QAAQ,uBAAuB,UAAU;EACzC,SAAS;EACV,CAAC,EAC4C,KAAK;AAGrD,KAAI,CAAC,aAAa,CAAC,aACjB,OAAM,IAAI,YAAY,2EAA2E;CAEnG,MAAM,SAAS,MAAM,UAAU,QAAQ,WAAW;EAChD,QAAQ,uBAAuB,UAAU;EACzC,SAAS;EACV,CAAC;AAIF,QAAO,EAAE,+BAFS,MAAM,UAAU,WAAW,cAAc,OAAO,IAAI,EAErB,KAAK;;;;;AC1CxD,SAAgB,6BACd,MACA,EACE,KACA,sBAKF;AACA,KAAI,IACF,QAAO,KAAK,KAAK,MAAM,QAAQ,IAAI,QAAQ,IAAI;CAGjD,IAAI,cAAc,KAAK,KAAK,QAAQ,QAAQ,IAAI,OAAO,oBAAoB,SAAS,IAAI,IAAI,CAAC;AAC7F,KAAI,YAAY,WAAW,EAAG,eAAc,KAAK;CAEjD,IAAI,cAAc,YAAY,QAAQ,QAAQ,IAAI,QAAQ,MAAM;AAChE,KAAI,CAAC,YAAa,eAAc,YAAY,QAAQ,QAAQ,IAAI,QAAQ,MAAM;AAE9E,QAAO,YAAY,SAAS,IAAI,YAAY,KAAK,KAAK,KAAK;;;;;ACpB7D,MAAa,mBAAmB;CAC9B;CACA;CACA;CACA;CACA;CACA;CACD;AACD,MAAa,oBAAoB,EAAE,KAAK,iBAAiB;AAIzD,MAAa,sBAAsB,iBAA2D;AAC5F,QAAO,iBAAiB,SAAS,aAAiC;;;;;ACLpE,SAAgB,qBAAwB,SAAqC;CAC3E,MAAM,EAAE,cAAc,WAAW,WAAW;CAC5C,MAAM,eAAe,UAAU,MAAM,UAAU,UAAU,OAAO;AAEhE,KAAI,CAAC,aACH,OAAM,IAAI,YAAY,aAAa;AAGrC,QAAO;;AAGT,SAAgB,4BAA4B,SAGzC;CACD,MAAM,EAAE,gBAAgB,mBAAmB;CAC3C,MAAM,uBAAuB,0BAA0B,MAAM,eAAe;AAE5E,KAAI,qBAAqB,SAAS,kBAAkB,qBAAqB,SAAS,WAAW;AAC3F,MAAI,eAAe,8CACjB,sBAAqB;GACnB,WAAW,eAAe;GAC1B,QAAQ,qBAAqB,gBAAgB;GAC7C,cAAc;GACf,CAAC;AAGJ,MAAI,eAAe,8CACjB,sBAAqB;GACnB,WAAW,eAAe;GAC1B,QAAQ,qBAAqB,gBAAgB;GAC7C,cAAc;GACf,CAA
C;;AAIN,KACE,eAAe,+CACd,qBAAqB,SAAS,UAAU,qBAAqB,SAAS,gBAEvE,sBAAqB;EACnB,WAAW,eAAe;EAC1B,QAAQ,qBAAqB,gBAAgB;EAC7C,cAAc;EACf,CAAC;AAGJ,QAAO;;;;;ACYT,eAAsB,qCACpB,SACqD;CACrD,MAAM,EAAE,6BAA6B,MAAM,WAAW,WAAW;CAEjE,MAAM,+BAA+B;EACnC,GAAG,QAAQ;EACX,OAAO,4BAA4B;EACpC;CAED,MAAM,EAAE,mBAAmB,qBAAqB;EAC9C,cAAc,4BAA4B;EAC1C,UAAU,4BAA4B;EACtC,sBAAsB,4BAA4B;EAClD;EACD,CAAC;AAEF,KACE,4BAA4B,iBAC5B,mBAAmB,4BAA4B,cAAc,IAC7D,CAAC,KAED,OAAM,IAAI,YACR,uEAAuE,4BAA4B,cAAc,GAClH;AAGH,KAAI,CAAC,KACH,QAAO,EACL,8BACD;AAIH,KAAI,mBAAmB,uBAAuB,CAAC,QAAQ,eACrD,OAAM,IAAI,YACR,wMACD;CAGH,MAAM,iBAAiB,QAAQ,kBAAkB,4BAA4B;AAC7E,KAAI,CAAC,eACH,OAAM,IAAI,YAAY,iFAAiF;CAGzG,IAAI;AAEJ,KAAI,eAAe,KACjB,QAAO,eAAe;UACb,eAAe,SACxB,QAAO,MAAM,UAAU,eAAe,UAAU,QAAQ,UAAU,MAAM;KAExE,OAAM,IAAI,+BAA+B;EACvC,OAAO,iBAAiB;EACxB,mBAAmB;EACpB,CAAC;AAGJ,KACE,eAAe,wCACf,eAAe,wCACf,eAAe,kCAEf,6BAA4B;EACV;EAChB,gBAAgB,KAAK;EACtB,CAAC;CAGJ,MAAM,SAEJ,MAAM,YAAY,OAClB,6BAA6B,MAAM,EACjC,oBACE,KAAK,eAAe,kDACnB,eAAe,uCACZ,CAAC,eAAe,qCAAqC,GACrD,SACP,CAAC;AAEJ,KAAI,CAAC,OACH,OAAM,IAAI,+BAA+B;EACvC,OAAO,iBAAiB;EACxB,mBACE;EACH,CAAC;CAGJ,IAAI;AACJ,KAAI,eAAe,wCAEjB,OACE,KAAK,eAAe,8CAA8C,MAAM,UACtE,eAAe,yCAAyC,SAASC,MAAI,CACtE,IAAI,eAAe,wCAAwC;KAG9D,OAAM,eAAe,wCAAwC;AAG/D,sBAAqB;EACnB,QAAQ;EACR,WAAW,KAAK,eAAe;EAC/B,cAAc,uBAAuB,IAAI,yBAAyB,KAAK,eAAe,8CAA8C,KAAK,KAAK;EAC/I,CAAC;CAEF,MAAM,MAAM,OAAO,OAAO,eAAe,wCAAwC;AACjF,sBAAqB;EACnB,QAAQ;EACR,WAAW,KAAK,eAAe;EAC/B,cAAc,uBAAuB,IAAI,yBAAyB,KAAK,eAAe,8CAA8C,KAAK,KAAK;EAC/I,CAAC;CAKF,IAAI;AACJ,KAAI,MAAM,WAAW;AACnB,MAAI,CAAC,KAAK,oBACR,OAAM,IAAI,+BAA+B;GACvC,OAAO,iBAAiB;GACxB,mBAAmB;GACpB,CAAC;AAGJ,MAAI,CAAC,KAAK,SACR,OAAM,IAAI,+BAA+B;GACvC,OAAO,iBAAiB;GACxB,mBAAmB;GACpB,CAAC;AAGJ,yBAAuB;GACrB,KAAK,KAAK;GACV,KAAK,KAAK;GACV,KAAK,KAAK,oBAAoB,cAAc,iCAAiB,IAAI,MAAM,EAAE,IAAQ,CAAC;GACnF;;CAGH,MAAM,sBAAsB;EAC1B,GAAG;EACH,GAAG;EACJ;AAqBD,QAAO;EACL,8BAA8B;EAC9B,MAAM;GAAE,cArBK,MAAM,gCAAgC;IACnD,2BAA2B;IAC3B,WAAW,MAAM;IACjB,cAAc,MAAM,aAChB;KACE,QAAQ;KACR,WAAW;KACX,KAAK,KAAK,WAAW,QAAQ,kBAAkB,KAAK,WAAW,MAAM,
GAAG;KACxE,KAAK,kBAAkB,4BAA4B,MAAM;KACzD;KACA;KACD,GACD;IACJ,WAAW;KACT,SAAS,UAAU;KACnB,YAAY,UAAU;KACvB;IACF,CAAC,EAI4B;GAA8B,eAAe;GAAQ;EAClF;;;;;ACzOH,MAAa,6BAA6B,EAAE,OAAO,EAAE,QAAQ,EAAE,EAAE,KAAK,CAAC;AACvE,MAAa,6BAA6B,EAAE,OAAO,EAAE,QAAQ,EAAE,EAAE,KAAK,CAAC;;;;ACDvE,MAAM,4BAA4B,EAAE,MAAM,CAAC,EAAE,QAAQ,EAAE,EAAE,OAAO,EAAE,QAAQ,EAAE,EAAE,KAAK,CAAC,CAAC,EAAE,EACrF,SAAS,wDACV,CAAC;AAGF,MAAa,cAAc,EAAE,MAC3B,CACE,2BACA,EAAE,MAAM,CAAC,0BAA0B,EAAE,2BAA2B,6CAA6C,CAC9G,EACD,EACE,SAAS,mFACV,CACF;AAGD,MAAa,eAAe,EAAE,OAC5B,EAAE,QAAQ,EACV,EAAE,MAAM,CAAC,EAAE,MAAM,CAAC,0BAA0B,EAAE,0BAA0B,EAAE,0BAA0B,CAAC,EACrG,EACE,SACE,iKACH,CACF;AAGD,MAAa,WAAW,aAAa,GAAG,YAAY;;;;ACvBpD,MAAa,kCAAkC,EAC5C,OAAO;CACN,OAAO,EAAE,QAAQ,CAAC,UAAU;CAC5B,UAAU,EAAE,QAAQ,CAAC,UAAU;CAC/B,UAAU;CACV,yBAAyB,2BAA2B,GAAG,cAAc,CAAC,UAAU;CAChF,eAAe,EAAE,QAAQ,CAAC,UAAU;CACpC,YAAY,EAAE,QAAQ,CAAC,UAAU;CACjC,cAAc,EAAE,QAAQ,CAAC,UAAU;CACnC,YAAY,EAAE,OAAO,QAAQ,CAAC,UAAU;CACzC,CAAC,CACD,OAAO;;;;ACbV,SAAgB,2CAA2C,SAAkC;AAC3F,QAAO,uBACL,iCACA,SACA,oDACD;;;;;ACLH,MAAa,cAAc,EAAE,OAAO;CAAE,GAAG,WAAW;CAAO,KAAK,EAAE,QAAQ,CAAC,UAAU;CAAE,KAAK,EAAE,QAAQ,CAAC,UAAU;CAAE,CAAC;AAGpH,MAAa,6BAA6B,EACvC,OAAO;CAMN,GAAG,YAAY;CACf,GAAG,YAAY,KAAK;EAAE,KAAK;EAAM,KAAK;EAAM,KAAK;EAAM,CAAC,CAAC,UAAU,CAAC;CACpE,OAAO,EAAE,SAAS,EAAE,QAAQ,CAAC;CAC9B,CAAC,CACD,OAAO;AAIV,MAAa,0CAA0C,EACpD,OAAO;CACN,GAAG,YAAY;CACf,OAAO,EAAE,SAAS,EAAE,QAAQ,CAAC;CAC9B,CAAC,CACD,OAAO;;;;AClBV,MAAa,qCAAqC,YAG5C;CACJ,MAAM,EAAE,kBAAkB,0BAA0B;AAGpD,KAAI,CAAC,2BAA2B,UAAU,sBAAsB,CAAC,QAC/D;AAIF,KACG,MAAM,QAAQ,sBAAsB,IAAI,IAAI,CAAC,sBAAsB,IAAI,SAAS,iBAAiB,IACjG,OAAO,sBAAsB,QAAQ,YAAY,sBAAsB,QAAQ,iBAEhF,OAAM,IAAI,YACR,iEACE,iBACD,cAAc,KAAK,UAAU,sBAAsB,IAAI,CAAC,IAC1D;AAKH,KAAI,sBAAsB,QAAQ,UAAa,sBAAsB,MAAM,eAAe,CACxF,OAAM,IAAI,YAAY,iCAAiC;;;;;ACV3D,IAAY,gDAAL;AACL;AACA;AACA;;;;;;;;;;AAUF,MAAM,sCAAsC,OAAO,YAI7C;CACJ,MAAM,EAAE,8BAA8B,WAAW,gCAAgC;CAEjF,IAAI;CACJ,MAAM,EAAE,WAAW,gBAAgB,EACjC,KAAK,8BACN,CAAC;AAKF,KAAI,4BAA4B,iBAAiB,KAI/C,iBAAgB,6BAA6B,4BAA4B,gBAAgB,MAAM;EAE7F,KAAK,OAAO;
EAGZ,oBAAoB,4BAA4B,gBAAgB,uCAC5D,CAAC,4BAA4B,gBAAgB,qCAAqC,GAClF;EACL,CAAC;CAGJ,MAAM,SAAS,MAAM,UAAU,WAAW,8BAA8B,EAAE,KAAK,eAAe,CAAC;AAC/F,KAAI,CAAC,OAAO,UACV,OAAM,IAAI,YAAY,wCAAwC;AAGhE,QAAO;EACL,eAAe,OAAO;EACtB,SAAS,OAAO;EACjB;;;;;;;AAyBH,eAAsB,gCAAgC,SAAiD;CACrG,MAAM,EAAE,8BAA8B,WAAW,kBAAkB,gCAAgC;CAEnG,MAAM,yBAAyB,YAAY,UAAU,6BAA6B,CAAC;CACnF,MAAM,uBAAuB,yBACzB,MAAM,oCAAoC;EACxC;EACA;EACA;EACD,CAAC,GACF;EAAE,SAAS;EAA8B,eAAe;EAAW;CAEvE,MAAM,mBAAmB,YAAY,UAAU,qBAAqB,QAAQ,CAAC;AAC7E,KAAI,CAAC,0BAA0B,CAAC,iBAC9B,OAAM,IAAI,YAAY,gFAAgF;CAGxG,IAAI;AAEJ,KAAI,kBAAkB;EACpB,MAAM,EAAE,QAAQ,oBAAoB,SAAS,eAAe,UAAU;GACpE,KAAK,qBAAqB;GAC1B,cAAcC,IAAE,OAAO;IAAE,GAAG,WAAW;IAAO,KAAKA,IAAE,QAAQ;IAAE,CAAC;GACjE,CAAC;EAEF,MAAM,WAAW,2BAA2B,MAAM,WAAW;EAC7D,MAAM,YAAY,iBAAiB;GAAE,QAAQ;GAAoB,SAAS;GAAY,CAAC;AAQvF,MAAI,EANuB,MAAM,QAAQ,UAAU,UAAU,WAAW;GACtE,SAAS,qBAAqB;GAC9B,QAAQ;GACR,SAAS;GACV,CAAC,EAEsB,SACtB,OAAM,IAAI,YAAY,mCAAmC;AAG3D,8BAA4B;QACvB;EACL,MAAM,kBAAkB,8BACtB,qBAAqB,SACrB,kDACD;AACD,8BAA4B,wCAAwC,MAAM,gBAAgB;;AAG5F,mCAAkC;EAChC;EACA,uBAAuB;EACxB,CAAC;CACF,MAAM,OACJ,0BAA0B,mBACtB,SAAS,kBACT,yBACE,SAAS,YACT,SAAS;CAEjB,MAAM,SAAS,0BAA0B;AACzC,QAAO;EACL;EACA;EACA;EACA,eAAe,qBAAqB;EACrC;;;;;ACjKH,SAAgB,gBAAgB,SAA6E;CAC3G,MAAM,gBAAgB,uBACpB,aACA,YAAY,QAAQ,EACpB,2FACD;AAED,QAAO,MAAM,QAAQ,cAAc,GAC9B,gBACD,CAAC,cAAc;;AAGrB,SAAgB,iBACd,SAC2E;CAC3E,MAAM,gBAAgB,uBACpB,cACA,YAAY,QAAQ,EACpB,+FACD;AAED,QAAO,OAAO,YACZ,OAAO,QAAQ,cAAc,CAAC,KAAK,CAAC,SAAS,mBAAmB,CAC9D,SACA,MAAM,QAAQ,cAAc,GACvB,gBACD,CAAC,cAAc,CACpB,CAAC,CACH;;;;;;;;;;;;ACZH,SAAgB,8CACd,SAC8C;CAC9C,MAAM,EAAE,6BAA6B,iCAAiC;AAEtE,KAAI,4BAA4B,SAAS,4BAA4B,UAAU,6BAA6B,MAC1G,OAAM,IAAI,YAAY,mDAAmD;AAI3E,KAAI,6BAA6B,SAC/B,OAAM,IAAI,YAAY,8DAA8D;AAGtF,KAAI,6BAA6B,yBAAyB;AACxD,MAAI,CAAC,4BAA4B,wBAC/B,OAAM,IAAI,YAAY,mFAAmF;AAG3G,SAAO;GACL,MAAM;GACN,KAAK,4BAA4B,QAC7B;IACE,OAAO,4BAA4B;IACnC,wBAAwB,6BAA6B;IACrD,eAAe,gBAAgB,6BAA6B,SAAS;IACtE,GACD;IACE,wBAAwB,4BAA4B;IACpD,wBAAwB,6BAA6B;IACrD,eAAe,gBAAgB,6BAA6B,SAAS;IACtE;GACN;;AAGH,KAAI,4BAA4B,YAAY;EA
C1C,MAAM,gBAAgB,iBAAiB,6BAA6B,SAAS;AAE7E,SAAO;GACL,MAAM;GACN,MAAM,4BAA4B,QAC9B;IACE,OAAO,4BAA4B;IACnC;IACD,GACD;IACE,OAAO,4BAA4B;IACnC;IACD;GACN;;AAGH,OAAM,IAAI,YACR,mIACD;;;;;ACrDH,eAAsB,+BACpB,SAC+C;CAC/C,MAAM,EAAE,iBAAiB,WAAW,6BAA6B,qBAAqB;CAEtF,MAAM,+BAA+B,uBACnCC,IAAE,MAAM,CAAC,aAAa,YAAY,CAAC,EACnC,iBACA,2CACD;CAED,MAAM,uBAAuB,MAAM,gCAAgC;EACjE;EACA;EACA;EACA;EACD,CAAC;CAEF,MAAM,EAAE,QAAQ,eAAe,gBAAgB;EAC7C,KAAK;EACL,cAAc;EACf,CAAC;CAEF,MAAM,+BAA+B,2CACnC,qBAAqB,0BACtB;CACD,MAAM,4BAA4B,8CAA8C;EACjD;EACC;EAC/B,CAAC;AAEF,KAAI,CAAC,4BAA4B,iBAAiB,CAAC,mBAAmB,4BAA4B,cAAc,CAC9G,OAAM,IAAI,YACR,4DAA4D,4BAA4B,iBAAiB,WAAW,GACrH;AAGH,QAAO;EACL,GAAG;EACH,MAAM;GAAE,GAAG;GAAsB;GAAY;EAE7C,eAAe,4BAA4B;EAC3C;EACD;;;;;AC9BH,eAAsB,oCACpB,SAC+C;CAC/C,MAAM,EAAE,uBAAuB,WAAW,6BAA6B,WAAW;CAElF,MAAM,mBAAmB,qBAAqB;EAC5C;EACA,cAAc,4BAA4B;EAC1C,UAAU,4BAA4B;EACtC,sBAAsB,4BAA4B;EACnD,CAAC;AACF,KAAI,sBAAsB,SACxB,QAAO,+BAA+B;EACpC,iBAAiB,sBAAsB;EACvC;EACA;EACA,kBAAkB,iBAAiB;EACpC,CAAC;CAGJ,MAAM,+BAA+B,2CAA2C,sBAAsB;CAEtG,MAAM,6BAA6B,8CAA8C;EAClD;EACC;EAC/B,CAAC;AAEF,KAAI,4BAA4B,iBAAiB,mBAAmB,4BAA4B,cAAc,CAC5G,OAAM,IAAI,+BACR;EACE,OAAO;EACP,mBAAmB;EACpB,EACD,EACE,QAAQ,KACT,CACF;AAGH,QAAO;EACL,GAAG;EACH,eAAe,4BAA4B;EAE3C;EACA,MAAM;EACP;;;;;AClEH,MAAa,iCAAiC,YAAkD;CAC9F,MAAM,EAAE,6BAA6B,8BAA8B,cAAc;CAEjF,MAAM,mBAAmB,4BAA4B,gBAAgB,4BAA4B;AACjG,KAAI,CAAC,iBACH,OAAM,IAAI,YAAY,wFAAwF;AAIhH,QAAO,oBADqB,IAAI,IAAI,iBAAiB,EACL,8BAA8B,UAAU;;AAG1F,eAAe,oBACb,kBACA,aACA,WACA;AAOA,QAAO;EACL,cAAc;EACd,UARe,MAAM,cAAc,UAAU,MAAM,CAAC,kBAAkB;GACtE,QAAQ;GACR,SAAS,EAAE,gBAAgB,YAAY,oBAAoB;GAC3D,MAAM,YAAY;GACnB,CAAC;EAKD;;;;;ACzBH,eAAsB,qCAAqC,SAAsD;CAC/G,MAAM,EAAE,6BAA6B,8BAA8B,MAAM,cAAc;CACvF,MAAM,MAAM,4BAA4B;AAExC,KAAI,KACF,QAAO,8BAA8B;EACnC;EACA,8BAA8B,KAAK;EACnC;EACD,CAAC;AAGJ,KAAI,CAAC,IACH,OAAM,IAAI,YACR,+FACD;AAaH,QAAO;EACL,cAAc;EACd,UAVyB,MAFb,cAAc,UAAU,MAAM,CAEL,KAAK;GAC1C,QAAQ;GACR,MAHsB,oBAAoB,6BAA6B,CAGjD,UAAU;GAChC,SAAS,EACP,gBAAgB,YAAY,oBAC7B;GACF,CAAC;EAKD;;;;;AC3CH,MAAa,oBAAoB,EAAE,KAAK;CAAC;CAAe;CAA
U;CAAY;CAAa;CAAY,CAAC;;;;ACAxG,MAAa,eAAe,EAAE,KAAK;CAAC;CAAe;CAAU;CAAS;CAAa;CAAa;CAAW,CAAC;;;;ACG5G,MAAa,kBAAkB,EAAE,OAAO;CACtC,uCAAuC,EAAE,SAAS,EAAE,SAAS,CAAC;CAG9D,sBAAsB,EAAE,SAAS,oBAAoB,GAAG,iBAAiB,CAAC;CAE1E,6BAA6B,EAAE,SAE7B,EAAE,MAAM,gBAAgB,QAAQ,CAAC,4BAA4B,oBAAoB,CAAC,CAAC,CACpF;CAED,8BAA8B,EAAE,SAAS,EAAE,MAAM,uBAAuB,CAAC;CAEzE,6CAA6C,EAAE,SAAS,EAAE,MAAM,EAAE,QAAQ,CAAC,CAAC;CAC5E,+CAA+C,EAAE,SAAS,EAAE,MAAM,EAAE,QAAQ,CAAC,CAAC;CAC9E,+CAA+C,EAAE,SAAS,EAAE,MAAM,EAAE,QAAQ,CAAC,CAAC;CAC/E,CAAC;;;;ACGF,IAAa,kBAAb,MAA6B;CAC3B,AAAO,YAAY,AAAQ,SAAiC;EAAjC;;CAE3B,AAAO,mCAAmC,SAAoD;AAC5F,SAAO,mCAAmC,QAAQ;;CAGpD,MAAa,qCACX,SACA;AACA,SAAO,qCAAqC;GAAE,GAAG;GAAS,WAAW,KAAK,QAAQ;GAAW,CAAC;;CAGhG,MAAa,qCACX,SACA;AACA,SAAO,qCAAqC;GAAE,GAAG;GAAS,WAAW,KAAK,QAAQ;GAAW,CAAC;;CAGhG,MAAa,qCACX,SACA;AACA,SAAO,qCAAqC;GAAE,GAAG;GAAS,WAAW,KAAK,QAAQ;GAAW,CAAC;;;;;;ACNlG,eAAsB,sBACpB,SACyC;CACzC,MAAM,wBAAwB,qBAAqB,EACjD,iBAAiB,QAAQ,iBAC1B,CAAC;CAEF,MAAM,iBAAsD,EAAE;AAC9D,MAAK,MAAM,eAAe,uBAAuB;EAC/C,MAAM,eAAe,MAAM,2BAA2B;GACpD,OAAO;GACP,WAAW,QAAQ;GACnB,aAAa,QAAQ;GACtB,CAAC;AAEF,iBAAe,KAAK,aAAa;;AAGnC,QAAO;;AAeT,eAAe,2BAA2B,EACxC,OACA,aACA,aAKwC;CACxC,MAAM,cAAc,MAAM,gBAAgB,+BAA+B,CAAC,UAAU;CACpF,MAAM,gBAAiC,YAAY,QAAQ,QACzD,OAAO,OAAO,cAAc,CAAC,SAAS,IAAqB,CAC5D;CAED,MAAM,SAA8C,EAAE;AACtD,MAAK,MAAM,OAAO,cAChB,QAAO,OAAO,kBAAkB,MAAM,UAAU,KAAK,iBAAiB,MAAM,QAAQ,EAAE,IAAI,CAAC;AAG7F,MAAK,MAAM,gBAAgB,MAAM,gBAAgB,gBAAgB;EAC/D,MAAM,mCAAmC,YAAY;AACrD,MAAI,CAAC,iCAAkC;EAEvC,MAAM,gBAAyE,EAAE;AAEjF,OAAK,MAAM,mCAAmC,kCAAkC;GAC9E,MAAM,MAAM,gCAAgC,+BAA+B;GAC3E,MAAM,OAAO,OAAO;GACpB,MAAM,oBAAoB,iCAAiC,QAAQ,gCAAgC;AAEnG,OAAI,CAAC,YAAY,SAAS,IAAI,CAC5B,OAAM,IAAI,+BAA+B;IACvC,OAAO,iBAAiB;IACxB,mBAAmB,qCAAqC,MAAM,qBAAqB,oBAAoB,aAAa,cAAc,kBAAkB,wBAAwB,IAAI,qDAAqD,YAAY,KAAK,KAAK,CAAC;IAC7P,CAAC;AAGJ,OAAI,CAAC,KAEH,OAAM,IAAI,+BAA+B;IACvC,OAAO,iBAAiB;IACxB,mBAAmB,qCAAqC,MAAM,qBAAqB,oBAAoB,aAAa,cAAc,kBAAkB,oCAAoC,IAAI,yFAAyF,OAAO,OAAO,cAAc,CAAC,KAAK,KAAK,CAAC;IAC9T,CAAC;GAGJ,MAAM,sBAAsB,gCAAgC,wBAAwB,QAAQ,KAAK;AAEjG,OAAI,
wBAAwB,GAE1B,OAAM,IAAI,+BAA+B;IACvC,OAAO,iBAAiB;IACxB,mBAAmB,qCAAqC,MAAM,qBAAqB,oBAAoB,aAAa,cAAc,kBAAkB;IACrJ,CAAC;AAGJ,iBAAc,KAAK;IACjB;IACA;IACA,SAAS;IACT;IACD,CAAC;;AAGJ,SAAO;GACL,sBAAsB;GACtB;GACe;GAChB;;AAIH,OAAM,IAAI,+BAA+B;EACvC,OAAO,iBAAiB;EACxB,mBAAmB,qCAAqC,MAAM,qBAAqB;EACpF,CAAC;;;;;ACrHJ,IAAa,oBAAb,MAA+B;CAC7B,AAAO,YAAY,AAAQ,SAAmC;EAAnC;;CAE3B,MAAa,oCACX,SACA;AACA,SAAO,oCAAoC;GAAE,GAAG;GAAS,WAAW,KAAK,QAAQ;GAAW,CAAC;;CAG/F,AAAO,0CAA0C,SAAoD;AACnG,SAAO,mCAAmC,QAAQ;;CAGpD,AAAO,oCAAoC,SAAqD;AAC9F,SAAO,oCAAoC,QAAQ;;CAGrD,AAAO,8CAA8C,SAAwD;AAC3G,SAAO,8CAA8C,QAAQ;;CAG/D,AAAO,gBAAgB,SAAkB;AACvC,SAAO,gBAAgB,QAAQ;;CAGjC,AAAO,iBAAiB,SAAkB;AACxC,SAAO,iBAAiB,QAAQ;;CAGlC,AAAO,qBAAqB,SAAsC;AAChE,SAAO,qBAAqB,QAAQ;;;;;;;;;;CAWtC,AAAO,sBAAsB,SAA0D;AACrF,SAAO,sBAAsB;GAC3B,GAAG;GACH,WAAW,KAAK,QAAQ;GACzB,CAAC"}
|
|
1
|
+
{"version":3,"file":"index.mjs","names":["z","url","z","parsedClientIdPrefixAndIdentifier","clientIdScheme","clientIdIdentifier","uniformClientIdScheme","decoded","z","enc","z","z"],"sources":["../src/authorization-request/validate-authorization-request.ts","../src/authorization-request/validate-authorization-request-dc-api.ts","../src/authorization-request/validate-authorization-request-iae.ts","../src/jarm/metadata/z-jarm-client-metadata.ts","../src/models/z-vp-formats-supported.ts","../src/models/z-client-metadata.ts","../src/models/z-verifier-attestations.ts","../src/authorization-request/z-authorization-request.ts","../src/authorization-request/z-authorization-request-dc-api.ts","../src/authorization-request/z-authorization-request-iae.ts","../src/authorization-request/create-authorization-request.ts","../src/jar/z-jar-authorization-request.ts","../src/authorization-request/parse-authorization-request-params.ts","../src/client-identifier-prefix/x509-hash.ts","../src/client-identifier-prefix/z-client-id-prefix.ts","../src/client-identifier-prefix/parse-client-identifier-prefix.ts","../src/fetch-client-metadata.ts","../src/version.ts","../src/jar/jar-request-object/fetch-jar-request-object.ts","../src/jar/handle-jar-request/verify-jar-request.ts","../src/transaction-data/z-transaction-data.ts","../src/transaction-data/parse-transaction-data.ts","../src/authorization-request/resolve-authorization-request.ts","../../utils/src/date.ts","../src/jarm/jarm-authorization-response-create.ts","../src/jarm/jarm-extract-jwks.ts","../src/jarm/jarm-response-mode.ts","../src/jarm/metadata/jarm-assert-metadata-supported.ts","../src/authorization-response/create-authorization-response.ts","../src/models/z-pex.ts","../src/vp-token/z-vp-token.ts","../src/authorization-response/z-authorization-response.ts","../src/authorization-response/parse-authorization-response-payload.ts","../src/jarm/jarm-authorization-response/z-jarm-authorization-response.ts","../src/jarm/jarm-authorization
-response/jarm-validate-authorization-response.ts","../src/jarm/jarm-authorization-response/verify-jarm-authorization-response.ts","../src/vp-token/parse-vp-token.ts","../src/authorization-response/validate-authorization-response.ts","../src/authorization-response/parse-jarm-authorization-response.ts","../src/authorization-response/parse-authorization-response.ts","../src/jarm/jarm-authorization-response-send.ts","../src/authorization-response/submit-authorization-response.ts","../src/models/z-credential-formats.ts","../src/models/z-proof-formats.ts","../src/models/z-wallet-metadata.ts","../src/Openid4vpClient.ts","../src/transaction-data/verify-transaction-data.ts","../src/Openid4vpVerifier.ts"],"sourcesContent":["import { Oauth2ErrorCodes, Oauth2ServerErrorResponseError } from '@openid4vc/oauth2'\nimport { zHttpsUrl } from '@openid4vc/utils'\nimport type { WalletMetadata } from '../models/z-wallet-metadata'\nimport type { Openid4vpAuthorizationRequest } from './z-authorization-request'\n\nexport interface WalletVerificationOptions {\n expectedNonce?: string\n metadata?: WalletMetadata\n}\n\nexport interface ValidateOpenid4vpAuthorizationRequestPayloadOptions {\n params: Openid4vpAuthorizationRequest\n walletVerificationOptions?: WalletVerificationOptions\n}\n\n/**\n * Validate the OpenId4Vp Authorization Request parameters\n */\nexport const validateOpenid4vpAuthorizationRequestPayload = (\n options: ValidateOpenid4vpAuthorizationRequestPayloadOptions\n) => {\n const { params, walletVerificationOptions } = options\n\n if (!params.redirect_uri && !params.response_uri) {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidRequest,\n error_description: `Missing required 'redirect_uri' or 'response_uri' in openid4vp authorization request.`,\n })\n }\n\n if (params.response_uri && !['direct_post', 'direct_post.jwt'].find((mode) => mode === params.response_mode)) {\n throw new Oauth2ServerErrorResponseError({\n error: 
Oauth2ErrorCodes.InvalidRequest,\n error_description: `The 'response_mode' parameter MUST be 'direct_post' or 'direct_post.jwt' when 'response_uri' is provided. Current: ${params.response_mode}`,\n })\n }\n\n if (\n [params.presentation_definition_uri, params.presentation_definition, params.dcql_query, params.scope].filter(\n Boolean\n ).length > 1\n ) {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidRequest,\n error_description:\n 'Exactly one of the following parameters MUST be present in the authorization request: dcql_query, presentation_definition, presentation_definition_uri, or a scope value representing a Presentation Definition.',\n })\n }\n\n if (params.request_uri_method && !params.request_uri) {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidRequest,\n error_description:\n 'The \"request_uri_method\" parameter MUST NOT be present in the authorization request if the \"request_uri\" parameter is not present.',\n })\n }\n\n if (params.request_uri_method && !['GET', 'POST'].includes(params.request_uri_method)) {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidRequestUriMethod,\n error_description: `The 'request_uri_method' parameter MUST be 'GET' or 'POST'. 
Current: ${params.request_uri_method}`,\n })\n }\n\n if (params.trust_chain && !zHttpsUrl.safeParse(params.client_id).success) {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidRequest,\n error_description:\n 'The \"trust_chain\" parameter MUST NOT be present in the authorization request if the \"client_id\" is not an OpenId Federation Entity Identifier starting with http:// or https://.',\n })\n }\n\n if (walletVerificationOptions?.expectedNonce && !params.wallet_nonce) {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidRequest,\n error_description:\n 'The \"wallet_nonce\" parameter MUST be present in the authorization request when the \"expectedNonce\" parameter is provided.',\n })\n }\n\n if (walletVerificationOptions?.expectedNonce !== params.wallet_nonce) {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidRequest,\n error_description:\n 'The \"wallet_nonce\" parameter MUST match the \"expectedNonce\" parameter when the \"expectedNonce\" parameter is provided.',\n })\n }\n\n if (params.client_id.startsWith('web-origin:') || params.client_id.startsWith('origin:')) {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidRequest,\n error_description: `The 'client_id' parameter MUST NOT use client identifier scheme '${params.client_id.split(':')[0]}' when not using the dc_api response mode. 
Current: ${params.client_id}`,\n })\n }\n}\n","import { Oauth2ErrorCodes, Oauth2ServerErrorResponseError } from '@openid4vc/oauth2'\nimport type { Openid4vpAuthorizationRequestDcApi } from './z-authorization-request-dc-api'\n\nexport interface ValidateOpenid4vpAuthorizationRequestDcApiPayloadOptions {\n params: Openid4vpAuthorizationRequestDcApi\n isJarRequest: boolean\n disableOriginValidation?: boolean\n origin?: string\n}\n\n/**\n * Validate the OpenId4Vp Authorization Request parameters for the dc_api response mode\n */\nexport const validateOpenid4vpAuthorizationRequestDcApiPayload = (\n options: ValidateOpenid4vpAuthorizationRequestDcApiPayloadOptions\n) => {\n const { params, isJarRequest, disableOriginValidation, origin } = options\n\n if (isJarRequest && !params.expected_origins) {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidRequest,\n error_description: `The 'expected_origins' parameter MUST be present when using the dc_api response mode in combination with jar.`,\n })\n }\n\n if ([params.presentation_definition, params.dcql_query].filter(Boolean).length !== 1) {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidRequest,\n error_description:\n 'Exactly one of the following parameters MUST be present in the Authorization Request: dcql_query or presentation_definition',\n })\n }\n\n if (params.expected_origins && !disableOriginValidation) {\n if (!origin) {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidRequest,\n error_description: `Failed to validate the 'origin' of the authorization request. The 'origin' was not provided.`,\n })\n }\n\n if (!params.expected_origins.includes(origin)) {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidRequest,\n error_description: `The 'expected_origins' parameter MUST include the origin of the authorization request. 
Current: ${params.expected_origins.join(', ')}`,\n })\n }\n }\n}\n","import { Oauth2ErrorCodes, Oauth2ServerErrorResponseError } from '@openid4vc/oauth2'\nimport type { Openid4vpAuthorizationRequestIae } from './z-authorization-request-iae'\n\nexport interface ValidateOpenid4vpAuthorizationRequestIaePayloadOptions {\n params: Openid4vpAuthorizationRequestIae\n isJarRequest: boolean\n /** The URL of the endpoint that will receive the response (for validating expected_url) */\n expectedUrl?: string\n\n disableExpectedUrlValidation?: boolean\n}\n\n/**\n * Validate the OpenId4Vp Authorization Request parameters for the IAE (Interactive Authorization Endpoint) response mode\n *\n * The IAE flow is part of OpenID4VCI 1.1 and is used when the authorization server needs to\n * interact directly with the wallet during the authorization process.\n *\n * Key validation rules:\n * - For signed requests (JAR), expected_url parameter is validated against the actual endpoint URL\n * - expected_url is used instead of expected_origins to prevent replay attacks\n * - dcql_query must be present\n */\nexport const validateOpenid4vpAuthorizationRequestIaePayload = (\n options: ValidateOpenid4vpAuthorizationRequestIaePayloadOptions\n) => {\n const { params, isJarRequest, expectedUrl, disableExpectedUrlValidation } = options\n\n // OpenID4VCI 1.1 IAE: expected_url validation for signed requests\n if (isJarRequest && !params.expected_url) {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidRequest,\n error_description: `The 'expected_url' parameter MUST be present when using the iae_post response mode in combination with jar.`,\n })\n }\n\n if (!params.dcql_query) {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidRequest,\n error_description: 'dcql_query MUST be present when using iae_post response mode.',\n })\n }\n\n if (params.expected_url && !disableExpectedUrlValidation) {\n if (!expectedUrl) {\n throw new 
Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidRequest,\n error_description: `Failed to validate the 'expected_url' of the authorization request. The 'expectedUrl' was not provided for validation.`,\n })\n }\n\n if (params.expected_url !== expectedUrl) {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidRequest,\n error_description: `The 'expected_url' parameter does not match the follow-up request URL. This prevents replay attacks from malicious verifiers.`,\n })\n }\n }\n}\n","import { Oauth2Error, zAlgValueNotNone } from '@openid4vc/oauth2'\nimport { parseWithErrorHandling } from '@openid4vc/utils'\nimport { z } from 'zod'\n\nexport const zJarmSignOnlyClientMetadata = z.object({\n authorization_signed_response_alg: zAlgValueNotNone,\n\n authorization_encrypted_response_alg: z.optional(z.never()),\n authorization_encrypted_response_enc: z.optional(z.never()),\n})\nexport type JarmSignOnlyClientMetadata = z.infer<typeof zJarmSignOnlyClientMetadata>\n\nexport const zJarmEncryptOnlyClientMetadata = z.object({\n authorization_signed_response_alg: z.optional(z.never()),\n authorization_encrypted_response_alg: z.string(),\n\n authorization_encrypted_response_enc: z.optional(z.string()),\n})\nexport type JarmEncryptOnlyClientMetadata = z.infer<typeof zJarmEncryptOnlyClientMetadata>\n\nexport const zJarmSignEncryptClientMetadata = z.object({\n authorization_signed_response_alg: zJarmSignOnlyClientMetadata.shape.authorization_signed_response_alg,\n authorization_encrypted_response_alg: zJarmEncryptOnlyClientMetadata.shape.authorization_encrypted_response_alg,\n authorization_encrypted_response_enc: zJarmEncryptOnlyClientMetadata.shape.authorization_encrypted_response_enc,\n})\nexport type JarmSignEncryptClientMetadata = z.infer<typeof zJarmSignEncryptClientMetadata>\n\n/**\n * Clients may register their public encryption keys using the jwks_uri or jwks metadata parameters.\n */\nexport const zJarmClientMetadata = z.object({\n 
authorization_signed_response_alg: z.optional(zJarmSignOnlyClientMetadata.shape.authorization_signed_response_alg),\n authorization_encrypted_response_alg: z.optional(\n zJarmEncryptOnlyClientMetadata.shape.authorization_encrypted_response_alg\n ),\n authorization_encrypted_response_enc: z.optional(\n zJarmEncryptOnlyClientMetadata.shape.authorization_encrypted_response_enc\n ),\n})\nexport type JarmClientMetadata = z.infer<typeof zJarmClientMetadata>\n\nexport const zJarmClientMetadataParsed = zJarmClientMetadata.transform((client_metadata) => {\n const parsedClientMeta = parseWithErrorHandling(\n z.union([zJarmEncryptOnlyClientMetadata, zJarmSignOnlyClientMetadata, zJarmSignEncryptClientMetadata]),\n client_metadata,\n 'Invalid jarm client metadata.'\n )\n\n const SignEncrypt = zJarmSignEncryptClientMetadata.safeParse(parsedClientMeta)\n if (SignEncrypt.success) {\n return {\n type: 'sign_encrypt',\n client_metadata: {\n ...SignEncrypt.data,\n authorization_encrypted_response_enc: client_metadata.authorization_encrypted_response_enc,\n },\n } as const\n }\n\n const encryptOnly = zJarmEncryptOnlyClientMetadata.safeParse(parsedClientMeta)\n if (encryptOnly.success) {\n return {\n type: 'encrypt',\n client_metadata: {\n ...encryptOnly.data,\n authorization_encrypted_response_enc: parsedClientMeta.authorization_encrypted_response_enc,\n },\n } as const\n }\n\n // this must be the last entry\n const signOnly = zJarmSignOnlyClientMetadata.safeParse(parsedClientMeta)\n if (signOnly.success) {\n return {\n type: 'sign',\n client_metadata: {\n ...signOnly.data,\n authorization_signed_response_alg: parsedClientMeta.authorization_signed_response_alg,\n },\n } as const\n }\n\n throw new Oauth2Error('Invalid jarm client metadata. 
Failed to parse.')\n})\nexport type JarmClientMetadataParsed = z.infer<typeof zJarmClientMetadataParsed>\n","import { z } from 'zod'\n\nexport const zVpFormatsSupported = z\n // Define known formats\n .object({\n 'dc+sd-jwt': z.optional(\n z\n .object({\n 'sd-jwt_alg_values': z.optional(z.tuple([z.string()], z.string())),\n 'kb-jwt_alg_values': z.optional(z.tuple([z.string()], z.string())),\n })\n .loose()\n ),\n jwt_vc_json: z.optional(\n z\n .object({\n alg_values: z.optional(z.tuple([z.string()], z.string())),\n })\n .loose()\n ),\n ldp_vc: z.optional(\n z\n .object({\n proof_type_values: z.optional(z.tuple([z.string()], z.string())),\n cryptosuite_values: z.optional(z.tuple([z.string()], z.string())),\n })\n .loose()\n ),\n mso_mdoc: z.optional(\n z\n .object({\n // Draft 27\n issuer_signed_alg_values: z.optional(z.tuple([z.number()], z.number())),\n device_signed_alg_values: z.optional(z.tuple([z.number()], z.number())),\n\n // Draft 28+\n issuerauth_alg_values: z.optional(z.tuple([z.number()], z.number())),\n deviceauth_alg_values: z.optional(z.tuple([z.number()], z.number())),\n })\n .loose()\n ),\n })\n .loose()\n // Require object for all unknown formats\n .catchall(z.object({}).loose())\n\nexport type VpFormatsSupported = z.infer<typeof zVpFormatsSupported>\n\nexport const zLegacyVpFormats = z.record(\n z.string(),\n z\n .object({\n alg_values_supported: z.optional(z.array(z.string())),\n })\n .loose()\n)\n\nexport type LegacyVpFormats = z.infer<typeof zLegacyVpFormats>\n","import { zJwkSet } from '@openid4vc/oauth2'\nimport { zDataUrl, zHttpsUrl } from '@openid4vc/utils'\nimport { z } from 'zod'\nimport { zJarmClientMetadata } from '../jarm/metadata/z-jarm-client-metadata'\nimport { zLegacyVpFormats, zVpFormatsSupported } from './z-vp-formats-supported'\n\n// Authoritative data the Wallet is able to obtain about the Client from other sources,\n// for example those from an OpenID Federation Entity Statement, take precedence over the values passed in 
client_metadata.\nexport const zClientMetadata = z\n .object({\n // Up until draft 22\n jwks_uri: z.url().optional(),\n jwks: z.optional(zJwkSet),\n\n // Up until draft 26\n vp_formats: z.optional(zLegacyVpFormats),\n\n // From draft 27\n vp_formats_supported: z.optional(zVpFormatsSupported),\n\n // From draft 28\n encrypted_response_enc_values_supported: z.optional(z.array(z.string())),\n\n ...zJarmClientMetadata.shape,\n\n logo_uri: zHttpsUrl.or(zDataUrl).optional(),\n client_name: z.string().optional(),\n })\n .loose()\nexport type ClientMetadata = z.infer<typeof zClientMetadata>\n","import z from 'zod'\n\nconst zVerifierAttestation = z.object({\n format: z.string(),\n data: z.record(z.string(), z.unknown()).or(z.string()),\n credential_ids: z.array(z.string()).optional(),\n})\n\nexport const zVerifierAttestations = z.array(zVerifierAttestation)\n\nexport type VerifierAttestation = z.infer<typeof zVerifierAttestation>\nexport type VerifierAttestations = z.infer<typeof zVerifierAttestations>\n","import { URL, zHttpsUrl, zStringToJson } from '@openid4vc/utils'\nimport { z } from 'zod'\nimport { zClientMetadata } from '../models/z-client-metadata'\nimport { zVerifierAttestations } from '../models/z-verifier-attestations'\n\nexport const zOpenid4vpAuthorizationRequest = z\n .object({\n response_type: z.literal('vp_token'),\n client_id: z.string(),\n redirect_uri: zHttpsUrl.optional(),\n response_uri: zHttpsUrl.optional(),\n request_uri: zHttpsUrl.optional(),\n request_uri_method: z.optional(z.string()),\n response_mode: z.enum(['direct_post', 'direct_post.jwt']).optional(),\n nonce: z.string(),\n wallet_nonce: z.string().optional(),\n scope: z.string().optional(),\n presentation_definition: z\n .record(z.string(), z.any())\n // for backwards compat\n .or(zStringToJson)\n .optional(),\n presentation_definition_uri: zHttpsUrl.optional(),\n dcql_query: z\n .record(z.string(), z.any())\n // for backwards compat\n .or(zStringToJson)\n .optional(),\n client_metadata: 
zClientMetadata.optional(),\n client_metadata_uri: zHttpsUrl.optional(),\n state: z.string().optional(),\n transaction_data: z.array(z.base64url()).optional(),\n trust_chain: z.tuple([z.string()], z.string()).optional(),\n client_id_scheme: z\n .enum([\n 'pre-registered',\n 'redirect_uri',\n 'entity_id',\n 'did',\n 'verifier_attestation',\n 'x509_san_dns',\n 'x509_san_uri',\n 'x509_hash',\n ])\n .optional(),\n verifier_attestations: zVerifierAttestations.optional(),\n verifier_info: zVerifierAttestations.optional(),\n })\n .loose()\n\n// Helps with parsing from an URI to a valid authorization request object\nexport const zOpenid4vpAuthorizationRequestFromUriParams = z\n .url()\n .transform((url): unknown => Object.fromEntries(new URL(url).searchParams))\n .pipe(\n z\n .object({\n presentation_definition: zStringToJson.optional(),\n client_metadata: zStringToJson.optional(),\n dcql_query: zStringToJson.optional(),\n transaction_data: zStringToJson.optional(),\n verifier_attestations: zStringToJson.optional(),\n verifier_info: zStringToJson.optional(),\n })\n .loose()\n )\n\nexport type Openid4vpAuthorizationRequest = z.infer<typeof zOpenid4vpAuthorizationRequest>\n","import { z } from 'zod'\nimport type { Openid4vpJarAuthorizationRequest } from '../jar/z-jar-authorization-request'\nimport { type Openid4vpAuthorizationRequest, zOpenid4vpAuthorizationRequest } from './z-authorization-request'\n\nconst zOpenid4vpResponseModeDcApi = z.enum(['dc_api', 'dc_api.jwt', 'w3c_dc_api.jwt', 'w3c_dc_api'])\nexport const zOpenid4vpAuthorizationRequestDcApi = zOpenid4vpAuthorizationRequest\n .pick({\n response_type: true,\n nonce: true,\n presentation_definition: true,\n client_metadata: true,\n transaction_data: true,\n dcql_query: true,\n trust_chain: true,\n state: true,\n verifier_attestations: true,\n verifier_info: true,\n })\n .extend({\n client_id: z.optional(z.string()),\n expected_origins: z.array(z.string()).optional(),\n response_mode: zOpenid4vpResponseModeDcApi,\n\n 
// Not allowed with dc_api, but added to make working with interfaces easier\n client_id_scheme: z.never().optional(),\n scope: z.never().optional(),\n\n // TODO: should we disallow any properties specifically, such as redirect_uri and response_uri?\n })\n\nexport type Openid4vpAuthorizationRequestDcApi = z.infer<typeof zOpenid4vpAuthorizationRequestDcApi>\n\nexport function isOpenid4vpResponseModeDcApi(\n responseMode: unknown\n): responseMode is Openid4vpAuthorizationRequestDcApi['response_mode'] {\n return (\n responseMode !== undefined &&\n zOpenid4vpResponseModeDcApi.options.includes(responseMode as Openid4vpAuthorizationRequestDcApi['response_mode'])\n )\n}\n\nexport function isOpenid4vpAuthorizationRequestDcApi(\n request: Openid4vpAuthorizationRequest | Openid4vpAuthorizationRequestDcApi | Openid4vpJarAuthorizationRequest\n): request is Openid4vpAuthorizationRequestDcApi {\n return isOpenid4vpResponseModeDcApi(request.response_mode)\n}\n","import { z } from 'zod'\nimport type { Openid4vpJarAuthorizationRequest } from '../jar/z-jar-authorization-request'\nimport type { Openid4vpAuthorizationRequest } from './z-authorization-request'\nimport { zOpenid4vpAuthorizationRequestDcApi } from './z-authorization-request-dc-api'\n\n/**\n * Response modes for Interactive Authorization Endpoint (IAE) flow\n * Part of OpenID4VCI 1.1 specification\n */\nconst zOpenid4vpResponseModeIae = z.enum(['iae_post', 'iae_post.jwt'])\n\n/**\n * Authorization Request schema for Interactive Authorization Endpoint (IAE) flow\n *\n * IAE is used in OpenID4VCI when the authorization server needs to interact\n * directly with the wallet (e.g., requesting credential presentation) as part\n * of the authorization process.\n *\n * Key differences from DC API:\n * - Uses iae_post/iae_post.jwt response modes\n * - Uses expected_url instead of expected_origins for signed requests\n * - Response is sent back to the Interactive Authorization Endpoint\n */\nexport const 
zOpenid4vpAuthorizationRequestIae = zOpenid4vpAuthorizationRequestDcApi\n .omit({\n response_mode: true,\n expected_origins: true,\n\n presentation_definition: true,\n })\n .extend({\n response_mode: zOpenid4vpResponseModeIae,\n\n // Required for IAE, no support for PEX\n dcql_query: z.record(z.string(), z.any()),\n\n // OpenID4VCI 1.1 Interactive Authorization Endpoint - expected_url parameter\n // Used in signed requests to prevent replay attacks from malicious verifiers\n expected_url: z.string().optional(),\n\n // expected_url is used instead\n expected_origins: z\n .never(\n \"The 'expected_origins' parameter MUST NOT be present when using Interactive Authorization response mode. \"\n )\n .optional(),\n })\n\nexport type Openid4vpAuthorizationRequestIae = z.infer<typeof zOpenid4vpAuthorizationRequestIae>\n\nexport function isOpenid4vpResponseModeIae(\n responseMode: unknown\n): responseMode is Openid4vpAuthorizationRequestIae['response_mode'] {\n return (\n responseMode !== undefined &&\n zOpenid4vpResponseModeIae.options.includes(responseMode as Openid4vpAuthorizationRequestIae['response_mode'])\n )\n}\n\nexport function isOpenid4vpAuthorizationRequestIae(\n request: Openid4vpAuthorizationRequest | Openid4vpAuthorizationRequestIae | Openid4vpJarAuthorizationRequest\n): request is Openid4vpAuthorizationRequestIae {\n return isOpenid4vpResponseModeIae(request.response_mode)\n}\n","import {\n type CallbackContext,\n type CreateJarAuthorizationRequestOptions,\n createJarAuthorizationRequest,\n} from '@openid4vc/oauth2'\nimport { objectToQueryParams, parseWithErrorHandling, URL, URLSearchParams } from '@openid4vc/utils'\nimport {\n validateOpenid4vpAuthorizationRequestPayload,\n type WalletVerificationOptions,\n} from './validate-authorization-request'\nimport { validateOpenid4vpAuthorizationRequestDcApiPayload } from './validate-authorization-request-dc-api'\nimport { validateOpenid4vpAuthorizationRequestIaePayload } from 
'./validate-authorization-request-iae'\nimport { type Openid4vpAuthorizationRequest, zOpenid4vpAuthorizationRequest } from './z-authorization-request'\nimport {\n isOpenid4vpAuthorizationRequestDcApi,\n type Openid4vpAuthorizationRequestDcApi,\n zOpenid4vpAuthorizationRequestDcApi,\n} from './z-authorization-request-dc-api'\nimport {\n isOpenid4vpAuthorizationRequestIae,\n type Openid4vpAuthorizationRequestIae,\n zOpenid4vpAuthorizationRequestIae,\n} from './z-authorization-request-iae'\n\nexport interface CreateOpenid4vpAuthorizationRequestOptions {\n scheme?: string\n authorizationRequestPayload:\n | Openid4vpAuthorizationRequest\n | Openid4vpAuthorizationRequestDcApi\n | Openid4vpAuthorizationRequestIae\n jar?: Pick<\n CreateJarAuthorizationRequestOptions,\n 'additionalJwtPayload' | 'requestUri' | 'jwtSigner' | 'expiresInSeconds'\n >\n\n wallet?: WalletVerificationOptions\n callbacks: Pick<CallbackContext, 'signJwt' | 'encryptJwe'>\n\n /**\n * Date that should be used as now. If not provided current date will be used.\n */\n now?: Date\n}\n\n/**\n * Creates an OpenID4VP authorization request, optionally with a JWT Secured Authorization Request (JAR)\n * If the request is created after receiving wallet metadata via a POST to the request_uri endpoint, the wallet nonce needs to be provided\n *\n * @param options Configuration options for creating the authorization request\n * @param input.scheme Optional URI scheme to use (defaults to 'openid4vp://')\n * @param input.authorizationRequestPayload The OpenID4VP authorization request parameters\n * @param input.jar Optional JWT Secured Authorization Request (JAR) configuration\n * @param input.jar.requestUri The URI where the JAR will be accessible\n * @param input.jar.jwtSigner Function to sign the JAR JWT\n * @param input.jar.jweEncryptor Optional function to encrypt the JAR JWT\n * @param input.jar.additionalJwtPayload Optional additional claims to include in JAR JWT\n * @param input.wallet Optional wallet-specific 
parameters\n * @param input.wallet.nonce Optional wallet nonce\n * @param input.callbacks Callback functions for JWT operations\n * @returns Object containing the authorization request parameters, URI and optional JAR details\n */\nexport async function createOpenid4vpAuthorizationRequest(options: CreateOpenid4vpAuthorizationRequestOptions) {\n const { jar, scheme = 'openid4vp://', wallet, callbacks } = options\n\n let additionalJwtPayload: Record<string, unknown> | undefined\n\n let authorizationRequestPayload:\n | Openid4vpAuthorizationRequest\n | Openid4vpAuthorizationRequestDcApi\n | Openid4vpAuthorizationRequestIae\n if (isOpenid4vpAuthorizationRequestDcApi(options.authorizationRequestPayload)) {\n authorizationRequestPayload = parseWithErrorHandling(\n zOpenid4vpAuthorizationRequestDcApi,\n options.authorizationRequestPayload,\n 'Invalid authorization request. Could not parse openid4vp dc_api authorization request.'\n )\n\n validateOpenid4vpAuthorizationRequestDcApiPayload({\n params: authorizationRequestPayload,\n isJarRequest: Boolean(jar),\n disableOriginValidation: true,\n })\n } else if (isOpenid4vpAuthorizationRequestIae(options.authorizationRequestPayload)) {\n authorizationRequestPayload = parseWithErrorHandling(\n zOpenid4vpAuthorizationRequestIae,\n options.authorizationRequestPayload,\n 'Invalid authorization request. Could not parse openid4vp iae_post authorization request.'\n )\n\n validateOpenid4vpAuthorizationRequestIaePayload({\n params: authorizationRequestPayload,\n isJarRequest: Boolean(jar),\n disableExpectedUrlValidation: true,\n })\n } else {\n authorizationRequestPayload = parseWithErrorHandling(\n zOpenid4vpAuthorizationRequest,\n options.authorizationRequestPayload,\n 'Invalid authorization request. 
Could not parse openid4vp authorization request.'\n )\n validateOpenid4vpAuthorizationRequestPayload({\n params: authorizationRequestPayload,\n walletVerificationOptions: wallet,\n })\n }\n\n if (jar) {\n additionalJwtPayload = !jar.additionalJwtPayload?.aud\n ? { ...jar.additionalJwtPayload, aud: jar.requestUri }\n : jar.additionalJwtPayload\n\n const jarResult = await createJarAuthorizationRequest({\n ...jar,\n authorizationRequestPayload,\n additionalJwtPayload,\n callbacks,\n })\n\n const url = new URL(scheme)\n url.search = `?${new URLSearchParams([\n ...url.searchParams.entries(),\n ...objectToQueryParams(jarResult.jarAuthorizationRequest).entries(),\n // Add client_id_scheme if defined for backwards compat\n ...(authorizationRequestPayload.client_id_scheme\n ? [['client_id_scheme', authorizationRequestPayload.client_id_scheme]]\n : []),\n ]).toString()}`\n\n return {\n authorizationRequestPayload,\n authorizationRequestObject: jarResult.jarAuthorizationRequest,\n authorizationRequest: url.toString(),\n jar: { ...jar, ...jarResult },\n }\n }\n\n const url = new URL(scheme)\n url.search = `?${new URLSearchParams([\n ...url.searchParams.entries(),\n ...objectToQueryParams(authorizationRequestPayload).entries(),\n ]).toString()}`\n\n return {\n authorizationRequestPayload,\n authorizationRequestObject: authorizationRequestPayload,\n authorizationRequest: url.toString(),\n jar: undefined,\n }\n}\n","import { zJarAuthorizationRequest } from '@openid4vc/oauth2'\nimport { z } from 'zod'\nimport type { Openid4vpAuthorizationRequest } from '../authorization-request/z-authorization-request'\nimport type { Openid4vpAuthorizationRequestDcApi } from '../authorization-request/z-authorization-request-dc-api'\n\nexport const zOpenid4vpJarAuthorizationRequest = zJarAuthorizationRequest.extend({\n request_uri_method: z.optional(z.string()),\n})\nexport type Openid4vpJarAuthorizationRequest = z.infer<typeof zOpenid4vpJarAuthorizationRequest>\n\nexport function 
isJarAuthorizationRequest(\n request: Openid4vpAuthorizationRequest | Openid4vpJarAuthorizationRequest | Openid4vpAuthorizationRequestDcApi\n): request is Openid4vpJarAuthorizationRequest {\n return 'request' in request || 'request_uri' in request\n}\n","import { decodeJwt } from '@openid4vc/oauth2'\nimport { parseWithErrorHandling } from '@openid4vc/utils'\nimport z from 'zod'\nimport {\n isJarAuthorizationRequest,\n type Openid4vpJarAuthorizationRequest,\n zOpenid4vpJarAuthorizationRequest,\n} from '../jar/z-jar-authorization-request'\nimport {\n type Openid4vpAuthorizationRequest,\n zOpenid4vpAuthorizationRequest,\n zOpenid4vpAuthorizationRequestFromUriParams,\n} from './z-authorization-request'\nimport {\n isOpenid4vpAuthorizationRequestDcApi,\n type Openid4vpAuthorizationRequestDcApi,\n zOpenid4vpAuthorizationRequestDcApi,\n} from './z-authorization-request-dc-api'\nimport {\n isOpenid4vpAuthorizationRequestIae,\n type Openid4vpAuthorizationRequestIae,\n zOpenid4vpAuthorizationRequestIae,\n} from './z-authorization-request-iae'\n\nexport interface ParsedJarRequest {\n type: 'jar'\n provided: 'uri' | 'jwt' | 'params'\n params: Openid4vpJarAuthorizationRequest\n}\n\nexport interface ParsedOpenid4vpAuthorizationRequest {\n type: 'openid4vp'\n provided: 'uri' | 'jwt' | 'params'\n params: Openid4vpAuthorizationRequest\n}\n\nexport interface ParsedOpenid4vpDcApiAuthorizationRequest {\n type: 'openid4vp_dc_api'\n provided: 'uri' | 'jwt' | 'params'\n params: Openid4vpAuthorizationRequestDcApi\n}\n\nexport interface ParsedOpenid4vpIaeAuthorizationRequest {\n type: 'openid4vp_iae'\n provided: 'uri' | 'jwt' | 'params'\n params: Openid4vpAuthorizationRequestIae\n}\n\nexport interface ParseOpenid4vpAuthorizationRequestOptions {\n authorizationRequest: string | Record<string, unknown>\n}\n\nexport function parseOpenid4vpAuthorizationRequest(\n options: ParseOpenid4vpAuthorizationRequestOptions\n):\n | ParsedOpenid4vpAuthorizationRequest\n | ParsedJarRequest\n | 
ParsedOpenid4vpDcApiAuthorizationRequest\n | ParsedOpenid4vpIaeAuthorizationRequest {\n const { authorizationRequest } = options\n let provided: 'uri' | 'jwt' | 'params' = 'params'\n\n let params: Record<string, unknown>\n if (typeof authorizationRequest === 'string') {\n // JWT will never contain :\n if (authorizationRequest.includes(':')) {\n params = parseWithErrorHandling(\n zOpenid4vpAuthorizationRequestFromUriParams,\n authorizationRequest,\n 'Unable to parse openid4vp authorization request uri to a valid object'\n )\n provided = 'uri'\n } else {\n const decoded = decodeJwt({ jwt: authorizationRequest })\n params = decoded.payload\n provided = 'jwt'\n }\n } else {\n params = authorizationRequest\n }\n\n const parsedRequest = parseWithErrorHandling(\n z.union([\n zOpenid4vpAuthorizationRequest,\n zOpenid4vpJarAuthorizationRequest,\n zOpenid4vpAuthorizationRequestDcApi,\n zOpenid4vpAuthorizationRequestIae,\n ]),\n params\n )\n\n if (isJarAuthorizationRequest(parsedRequest)) {\n return {\n type: 'jar',\n provided,\n params: parsedRequest,\n }\n }\n\n if (isOpenid4vpAuthorizationRequestDcApi(parsedRequest)) {\n return {\n type: 'openid4vp_dc_api',\n provided,\n params: parsedRequest,\n }\n }\n\n if (isOpenid4vpAuthorizationRequestIae(parsedRequest)) {\n return {\n type: 'openid4vp_iae',\n provided,\n params: parsedRequest,\n }\n }\n\n return {\n type: 'openid4vp',\n provided,\n params: parsedRequest,\n }\n}\n","import { type CallbackContext, HashAlgorithm } from '@openid4vc/oauth2'\nimport { decodeBase64, encodeToBase64Url } from '@openid4vc/utils'\n\nexport async function calculateX509HashClientIdPrefixValue({\n x509Certificate,\n hash,\n}: {\n /**\n * DER encoded x509 certificate. Either encoded as base64 or directly as Uint8Array\n */\n x509Certificate: string | Uint8Array\n\n hash: CallbackContext['hash']\n}) {\n return encodeToBase64Url(\n await hash(\n typeof x509Certificate === 'string' ? 
decodeBase64(x509Certificate) : x509Certificate,\n HashAlgorithm.Sha256\n )\n )\n}\n","import { getGlobalConfig } from '@openid4vc/utils'\nimport { z } from 'zod'\n\nexport const zClientIdPrefix = z.enum([\n 'pre-registered',\n 'redirect_uri',\n 'verifier_attestation',\n\n 'https', // pre draft 26\n 'openid_federation', // from draft 26\n\n 'did', // pre draft 26\n 'decentralized_identifier', // from draft 26\n\n 'x509_san_uri', // pre-draft 25\n 'x509_hash', // from draft 25\n\n 'x509_san_dns',\n\n 'origin', // from draft 25\n 'web-origin', // pre-draft 25\n])\n\nexport const zUniformClientIdPrefix = zClientIdPrefix.exclude(['did', 'https', 'web-origin'])\n\nexport type ClientIdPrefix = z.infer<typeof zClientIdPrefix>\nexport type UniformClientIdPrefix = z.infer<typeof zUniformClientIdPrefix>\n\nexport const zClientIdToClientIdPrefixAndIdentifier = z.union(\n [\n z\n .string({ message: 'client_id MUST be a string' })\n .includes(':')\n .transform((clientId) => {\n const colonIndex = clientId.indexOf(':')\n const clientIdPrefix = clientId.slice(0, colonIndex)\n const clientIdIdentifier = clientId.slice(colonIndex + 1)\n\n // If we allow http, we parse it as https\n if (clientIdPrefix === 'http' && getGlobalConfig().allowInsecureUrls) {\n return ['https', clientId]\n }\n\n if (clientIdPrefix === 'did' || clientIdPrefix === 'http' || clientIdPrefix === 'https') {\n return [clientIdPrefix, clientId]\n }\n\n return [clientIdPrefix, clientIdIdentifier]\n })\n .pipe(z.tuple([zClientIdPrefix.exclude(['pre-registered']), z.string()])),\n z\n .string()\n .refine((clientId) => clientId.includes(':') === false)\n .transform((clientId) => ['pre-registered', clientId] as const),\n ],\n {\n message: `client_id must either start with a known prefix followed by ':' or contain no ':'. Known prefixes are ${zClientIdPrefix.exclude(['pre-registered']).options.join(', ')}`,\n }\n)\n\nexport const zClientIdPrefixToUniform = zClientIdPrefix.transform((prefix) =>\n prefix === 'did'\n ? 
'decentralized_identifier'\n : prefix === 'https'\n ? 'openid_federation'\n : prefix === 'web-origin'\n ? 'origin'\n : prefix\n)\n\nexport const zLegacyClientIdScheme = z.enum([\n 'pre-registered',\n 'redirect_uri',\n 'entity_id',\n 'did',\n 'verifier_attestation',\n 'x509_san_dns',\n 'x509_san_uri',\n])\n\nexport type LegacyClientIdScheme = z.infer<typeof zLegacyClientIdScheme>\n\nexport const zLegacyClientIdSchemeToClientIdPrefix = zLegacyClientIdScheme\n .optional()\n .default('pre-registered')\n .transform((clientIdScheme) =>\n clientIdScheme === 'entity_id'\n ? 'openid_federation'\n : clientIdScheme === 'did'\n ? 'decentralized_identifier'\n : clientIdScheme\n )\n","import { type CallbackContext, Oauth2ErrorCodes, Oauth2ServerErrorResponseError } from '@openid4vc/oauth2'\nimport { URL, zHttpsUrl } from '@openid4vc/utils'\nimport type { Openid4vpAuthorizationRequest } from '../authorization-request/z-authorization-request'\nimport {\n isOpenid4vpAuthorizationRequestDcApi,\n isOpenid4vpResponseModeDcApi,\n type Openid4vpAuthorizationRequestDcApi,\n} from '../authorization-request/z-authorization-request-dc-api'\nimport {\n isOpenid4vpAuthorizationRequestIae,\n isOpenid4vpResponseModeIae,\n type Openid4vpAuthorizationRequestIae,\n} from '../authorization-request/z-authorization-request-iae'\nimport type { VerifiedJarRequest } from '../jar/handle-jar-request/verify-jar-request'\nimport type { ClientMetadata } from '../models/z-client-metadata'\nimport type { Openid4vpVersionNumber } from '../version'\nimport { calculateX509HashClientIdPrefixValue } from './x509-hash'\nimport {\n type ClientIdPrefix,\n type LegacyClientIdScheme,\n type UniformClientIdPrefix,\n zClientIdPrefix,\n zClientIdPrefixToUniform,\n zClientIdToClientIdPrefixAndIdentifier,\n zLegacyClientIdSchemeToClientIdPrefix,\n} from './z-client-id-prefix'\n\ntype ParsedClientIdentifierBase = {\n /**\n * The effective client identifier, and can be used to create and validate the session binding in e.g. 
the `aud`\n * of the SD-JWT KB-JWT.\n */\n effective: string\n\n /**\n * The identifier part of the client id. E.g. `did:example:123` for `decentralized_identifier:did:example:123`\n */\n identifier: string\n\n /**\n * These are the original raw unvalidated values for the client id. Be cautious with using these.\n */\n original: {\n /**\n * This is the actual `client_id` parameter. May be undefined in case of unsigned\n * DC API request.\n */\n clientId?: string\n\n /**\n * This is the legacy `client_id_scheme` parameter\n */\n clientIdScheme?: LegacyClientIdScheme\n }\n}\n\n/**\n * Result of parsing a client identifier\n */\nexport type ParsedClientIdentifier = (\n | {\n prefix: 'redirect_uri'\n redirectUri: string\n clientMetadata?: ClientMetadata\n }\n | {\n prefix: 'openid_federation'\n trustChain?: unknown\n clientMetadata?: never // clientMetadata must be obtained from the entity statement\n }\n | {\n prefix: 'decentralized_identifier'\n didUrl: string\n clientMetadata?: ClientMetadata\n }\n | {\n prefix: 'x509_san_uri' | 'x509_san_dns' | 'x509_hash'\n clientMetadata?: ClientMetadata\n x5c: string[]\n }\n | {\n prefix: 'verifier_attestation' | 'pre-registered' | 'origin'\n clientMetadata?: ClientMetadata\n }\n) &\n ParsedClientIdentifierBase\n\nexport interface GetOpenid4vpClientIdOptions {\n /**\n * The client_id. 
Could be undefined in case of DC API\n */\n clientId?: string\n\n /**\n * Legacy client id scheme from the authorization request payload\n */\n legacyClientIdScheme?: unknown\n\n responseMode: unknown\n origin?: string\n\n /**\n * The version of OpenID4VP used.\n *\n * Currently it is only used for:\n * - determining whether effective client id is `origin:` or `web-origin:` when DC API is used.\n *\n * When no version is provided, it is assumed version 1.0 (100) is used.\n */\n version?: Openid4vpVersionNumber\n}\n\n/**\n * Get the client id for an authorization request based on the response_mode, client_id, client_id_scheme and origin values.\n *\n * It will return the client id prefix as used in OpenID4VP v1, and optionally provide the legacyClientId if the\n * client id was provided with a client_id_scheme\n */\nexport function getOpenid4vpClientId(options: GetOpenid4vpClientIdOptions): {\n /**\n * The identifier part of the client id. E.g. `did:example:123`, or `https://federation.com`\n */\n clientIdIdentifier: string\n\n /**\n * The client id prefix according to the latest version of OpenID4VP. Older prefixes are\n * transformed into a singular value. Do not use this for checking the actual client id prefix\n * used, but can be used to understand which method is used.\n *\n * E.g. `did` will be put as `decentralized_identifier`\n */\n clientIdPrefix: UniformClientIdPrefix\n\n /**\n * The effective client id prefix, is the client id prefix that was used in the actual request.\n *\n * E.g. `did` will remain as `did`\n */\n effectiveClientIdPrefix: ClientIdPrefix | LegacyClientIdScheme\n\n /**\n * The effective client id is the client id that should be used for validation. E.g. if you're comparing\n * the `aud` claim in a SD-JWT KB-JWT, this is the value where you should match against.\n */\n effectiveClientId: string\n\n /**\n * These are the original raw unvalidated values for the client id\n */\n original: {\n /**\n * This is the actual `client_id` parameter. 
May be undefined in case of unsigned\n * DC API request.\n */\n clientId?: string\n\n /**\n * This is the legacy `client_id_scheme` parameter\n */\n clientIdScheme?: LegacyClientIdScheme\n }\n} {\n const original = {\n clientId: options.clientId,\n }\n\n const version = options.version ?? 101\n\n // Handle DC API\n if (isOpenid4vpResponseModeDcApi(options.responseMode)) {\n if (!options.clientId) {\n if (!options.origin) {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidRequest,\n error_description:\n \"Failed to parse client identifier. 'origin' is required for requests without a client_id and response_mode 'dc_api' and 'dc_api.jwt'\",\n })\n }\n\n return {\n clientIdPrefix: 'origin',\n effectiveClientIdPrefix: 'origin',\n clientIdIdentifier: options.origin,\n effectiveClientId: version >= 25 ? `origin:${options.origin}` : `web-origin:${options.origin}`,\n original,\n }\n }\n\n const parsedClientIdPrefixAndIdentifier = zClientIdToClientIdPrefixAndIdentifier.safeParse(options.clientId)\n if (!parsedClientIdPrefixAndIdentifier.success) {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidRequest,\n error_description: `Failed to parse client identifier. Unsupported client_id '${options.clientId}'.`,\n })\n }\n\n const [clientIdScheme, clientIdIdentifier] = parsedClientIdPrefixAndIdentifier.data\n const uniformClientIdScheme = zClientIdPrefixToUniform.safeParse(clientIdScheme)\n if (!uniformClientIdScheme.success) {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidRequest,\n error_description: `Failed to parse client identifier. Unsupported client_id '${options.clientId}'.`,\n })\n }\n\n return {\n effectiveClientId: options.clientId,\n effectiveClientIdPrefix: clientIdScheme,\n original,\n\n clientIdPrefix: uniformClientIdScheme.data,\n clientIdIdentifier,\n }\n }\n\n // FIXME: it could be there's no client_id and IAE is used. 
For now we don't allow this\n // See https://github.com/openid/OpenID4VCI/issues/701\n\n // If no DC API, client_id is required\n if (!options.clientId) {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidRequest,\n error_description: `Failed to parse client identifier. Missing required client_id parameter for response_mode '${options.responseMode}'.`,\n })\n }\n\n // Handle legacy client id scheme (not allowed for IAE)\n if (options.legacyClientIdScheme && !isOpenid4vpResponseModeIae(options.responseMode)) {\n const parsedClientIdPrefix = zLegacyClientIdSchemeToClientIdPrefix.safeParse(options.legacyClientIdScheme)\n if (!parsedClientIdPrefix.success) {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidRequest,\n error_description: `Failed to parse client identifier. Unsupported client_id_scheme value '${options.legacyClientIdScheme}'.`,\n })\n }\n\n const clientIdPrefix = parsedClientIdPrefix.data\n\n return {\n effectiveClientId: options.clientId,\n clientIdIdentifier: options.clientId,\n clientIdPrefix,\n effectiveClientIdPrefix: (options.legacyClientIdScheme ?? 'pre-registered') as LegacyClientIdScheme,\n original: {\n ...original,\n clientIdScheme: options.legacyClientIdScheme as LegacyClientIdScheme | undefined,\n },\n }\n }\n\n const parsedClientIdPrefixAndIdentifier = zClientIdToClientIdPrefixAndIdentifier.safeParse(options.clientId)\n if (!parsedClientIdPrefixAndIdentifier.success) {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidRequest,\n error_description: `Failed to parse client identifier. 
Unsupported client_id '${options.clientId}'.`,\n })\n }\n\n const [clientIdScheme, clientIdIdentifier] = parsedClientIdPrefixAndIdentifier.data\n const uniformClientIdScheme = zClientIdPrefixToUniform.safeParse(clientIdScheme)\n if (!uniformClientIdScheme.success) {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidRequest,\n error_description: `Failed to parse client identifier. Unsupported client_id '${options.clientId}'.`,\n })\n }\n\n // Fall back to modern client id. We don't validate it yet, we just want to get the\n // modern client id\n return {\n effectiveClientId: options.clientId,\n clientIdPrefix: uniformClientIdScheme.data,\n effectiveClientIdPrefix: clientIdScheme,\n clientIdIdentifier,\n original,\n }\n}\n\n/**\n * Configuration options for the parser\n */\nexport interface ValidateOpenid4vpClientIdParserConfig {\n supportedSchemes?: UniformClientIdPrefix[]\n}\n\nexport interface ValidateOpenid4vpClientIdOptions {\n authorizationRequestPayload:\n | Openid4vpAuthorizationRequest\n | Openid4vpAuthorizationRequestDcApi\n | Openid4vpAuthorizationRequestIae\n jar?: VerifiedJarRequest\n origin?: string\n callbacks: Pick<CallbackContext, 'getX509CertificateMetadata' | 'hash'>\n\n version: Openid4vpVersionNumber\n}\n\n/**\n * Parse and validate a client identifier\n */\nexport async function validateOpenid4vpClientId(\n options: ValidateOpenid4vpClientIdOptions,\n parserConfig?: ValidateOpenid4vpClientIdParserConfig\n): Promise<ParsedClientIdentifier> {\n const { authorizationRequestPayload, jar, origin } = options\n\n // By default require signatures for these schemes\n const parserConfigWithDefaults = {\n supportedSchemes: parserConfig?.supportedSchemes || Object.values(zClientIdPrefix.options),\n }\n\n const { clientIdIdentifier, clientIdPrefix, effectiveClientId, original } = getOpenid4vpClientId({\n clientId: authorizationRequestPayload.client_id,\n legacyClientIdScheme: authorizationRequestPayload.client_id_scheme,\n 
responseMode: authorizationRequestPayload.response_mode,\n origin,\n })\n\n if (!parserConfigWithDefaults.supportedSchemes.includes(clientIdPrefix)) {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidRequest,\n error_description: `Unsupported client identifier prefix. ${clientIdPrefix} is not supported.`,\n })\n }\n\n if (clientIdPrefix === 'pre-registered') {\n return {\n prefix: 'pre-registered',\n identifier: clientIdIdentifier,\n effective: effectiveClientId,\n original,\n }\n }\n\n if (clientIdPrefix === 'openid_federation') {\n if (!zHttpsUrl.safeParse(clientIdIdentifier).success) {\n throw new Oauth2ServerErrorResponseError(\n {\n error: Oauth2ErrorCodes.InvalidRequest,\n error_description: 'Invalid client identifier. Client identifier must start with https://',\n },\n {\n internalMessage: `Insecure http:// urls can be enabled by setting the 'allowInsecureUrls' option using setGlobalConfig`,\n }\n )\n }\n\n if (!jar) {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidRequest,\n error_description: 'Using client identifier prefix \"https\" requires a signed JAR request.',\n })\n }\n\n if (jar.signer.method !== 'federation') {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidRequest,\n error_description:\n 'Something went wrong. 
The JWT signer method is not federation but the client identifier prefix is https.',\n })\n }\n\n return {\n prefix: 'openid_federation',\n identifier: clientIdIdentifier,\n effective: effectiveClientId,\n original,\n trustChain: authorizationRequestPayload.trust_chain,\n }\n }\n\n if (clientIdPrefix === 'redirect_uri') {\n if (jar) {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidRequest,\n error_description: 'Using client identifier prefix \"redirect_uri\" the request MUST NOT be signed.',\n })\n }\n\n if (\n isOpenid4vpAuthorizationRequestDcApi(authorizationRequestPayload) ||\n isOpenid4vpAuthorizationRequestIae(authorizationRequestPayload)\n ) {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidRequest,\n error_description: `The client identifier prefix 'redirect_uri' is not supported when using the ${authorizationRequestPayload.response_mode} response mode.`,\n })\n }\n\n if (authorizationRequestPayload.redirect_uri && authorizationRequestPayload.redirect_uri !== clientIdIdentifier) {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidClient,\n error_description: `When the client identifier prefix is 'redirect_uri', the client id identifier MUST match the redirect_uri.`,\n })\n }\n\n if (authorizationRequestPayload.response_uri && authorizationRequestPayload.response_uri !== clientIdIdentifier) {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidClient,\n error_description: `When the client identifier prefix is 'redirect_uri', the client id identifier MUST match the response_uri.`,\n })\n }\n\n return {\n prefix: clientIdPrefix,\n identifier: clientIdIdentifier,\n effective: effectiveClientId,\n original,\n clientMetadata: authorizationRequestPayload.client_metadata,\n redirectUri: (authorizationRequestPayload.redirect_uri ?? 
authorizationRequestPayload.response_uri) as string,\n }\n }\n\n if (clientIdPrefix === 'decentralized_identifier') {\n if (!jar) {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidRequest,\n error_description: 'Using client identifier prefix \"decentralized_identifier\" requires a signed JAR request.',\n })\n }\n\n if (jar.signer.method !== 'did') {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidRequest,\n error_description:\n 'Something went wrong. The JWT signer method is not did but the client identifier prefix is did.',\n })\n }\n\n if (!clientIdIdentifier.startsWith('did:')) {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidRequest,\n error_description: \"Invalid client identifier. Client id identifier must start with 'did:'\",\n })\n }\n\n const [did] = jar.signer.didUrl.split('#')\n if (clientIdIdentifier !== did) {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidRequest,\n error_description: `With client identifier prefix '${clientIdPrefix}' the JAR request must be signed by the same DID as the client identifier.`,\n })\n }\n\n return {\n prefix: 'decentralized_identifier',\n identifier: clientIdIdentifier,\n effective: effectiveClientId,\n original,\n clientMetadata: authorizationRequestPayload.client_metadata,\n didUrl: jar.signer.didUrl,\n }\n }\n\n if (clientIdPrefix === 'x509_san_dns' || clientIdPrefix === 'x509_san_uri' || clientIdPrefix === 'x509_hash') {\n if (!jar) {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidRequest,\n error_description: `Using client identifier prefix '${clientIdPrefix}' requires a signed JAR request.`,\n })\n }\n\n if (jar.signer.method !== 'x5c') {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidRequest,\n error_description: `Something went wrong. 
The JWT signer method is not x5c but the client identifier prefix is '${clientIdPrefix}'`,\n })\n }\n\n if (!options.callbacks.getX509CertificateMetadata) {\n throw new Oauth2ServerErrorResponseError(\n {\n error: Oauth2ErrorCodes.ServerError,\n },\n {\n internalMessage: `Missing required 'getX509CertificateMetadata' callback for verification of '${clientIdPrefix}' client id prefix`,\n }\n )\n }\n\n if (clientIdPrefix === 'x509_san_dns') {\n const { sanDnsNames } = options.callbacks.getX509CertificateMetadata(jar.signer.x5c[0])\n if (!sanDnsNames.includes(clientIdIdentifier)) {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidRequest,\n error_description: `Invalid client identifier. One of the leaf certificates san dns names [${sanDnsNames.join(', ')}] must match the client identifier '${clientIdIdentifier}'. `,\n })\n }\n\n if (\n !isOpenid4vpAuthorizationRequestDcApi(authorizationRequestPayload) &&\n !isOpenid4vpAuthorizationRequestIae(authorizationRequestPayload)\n ) {\n const uri = authorizationRequestPayload.redirect_uri ?? authorizationRequestPayload.response_uri\n if (!uri || new URL(uri).hostname !== clientIdIdentifier) {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidRequest,\n error_description:\n 'Invalid client identifier. The fully qualified domain name of the redirect_uri value MUST match the Client Identifier without the prefix x509_san_dns.',\n })\n }\n }\n } else if (clientIdPrefix === 'x509_san_uri') {\n const { sanUriNames } = options.callbacks.getX509CertificateMetadata(jar.signer.x5c[0])\n if (!sanUriNames.includes(clientIdIdentifier)) {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidRequest,\n error_description: `Invalid client identifier. 
One of the leaf certificates san uri names [${sanUriNames.join(', ')}] must match the client identifier '${clientIdIdentifier}'.`,\n })\n }\n\n if (\n !isOpenid4vpAuthorizationRequestDcApi(authorizationRequestPayload) &&\n !isOpenid4vpAuthorizationRequestIae(authorizationRequestPayload)\n ) {\n const uri = authorizationRequestPayload.redirect_uri || authorizationRequestPayload.response_uri\n if (!uri || uri !== clientIdIdentifier) {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidRequest,\n error_description:\n 'The redirect_uri value MUST match the Client Identifier without the prefix x509_san_uri',\n })\n }\n }\n } else if (clientIdPrefix === 'x509_hash') {\n const x509Hash = await calculateX509HashClientIdPrefixValue({\n hash: options.callbacks.hash,\n x509Certificate: jar.signer.x5c[0],\n })\n\n if (x509Hash !== clientIdIdentifier) {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidRequest,\n error_description: `Invalid client identifier. 
Expected the base64url encoded sha-256 hash of the leaf x5c certificate ('${x509Hash}') to match the client identifier '${clientIdIdentifier}'.`,\n })\n }\n }\n\n return {\n prefix: clientIdPrefix,\n identifier: clientIdIdentifier,\n effective: effectiveClientId,\n original,\n x5c: jar.signer.x5c,\n clientMetadata: authorizationRequestPayload.client_metadata,\n }\n }\n\n if (clientIdPrefix === 'origin') {\n if (!isOpenid4vpAuthorizationRequestDcApi(authorizationRequestPayload)) {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidRequest,\n error_description: `The client identifier prefix 'origin' is only supported when using a DC API response mode.`,\n })\n }\n\n return {\n prefix: clientIdPrefix,\n identifier: clientIdIdentifier,\n effective: effectiveClientId,\n original,\n clientMetadata: authorizationRequestPayload.client_metadata,\n }\n }\n\n if (clientIdPrefix === 'verifier_attestation') {\n if (!jar) {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidRequest,\n error_description: 'Using client identifier prefix \"verifier_attestation\" requires a signed JAR request.',\n })\n }\n }\n\n return {\n prefix: clientIdPrefix,\n clientMetadata: authorizationRequestPayload.client_metadata,\n identifier: clientIdIdentifier,\n effective: effectiveClientId,\n original,\n }\n}\n","import { Oauth2ErrorCodes, Oauth2ServerErrorResponseError } from '@openid4vc/oauth2'\nimport { ContentType, createZodFetcher, type Fetch } from '@openid4vc/utils'\nimport { type ClientMetadata, zClientMetadata } from './models/z-client-metadata'\n\nexport async function fetchClientMetadata(options: {\n clientMetadataUri: string\n fetch?: Fetch\n}): Promise<ClientMetadata> {\n const { fetch, clientMetadataUri } = options\n const fetcher = createZodFetcher(fetch)\n\n const { result, response } = await fetcher(zClientMetadata, ContentType.Json, clientMetadataUri, {\n method: 'GET',\n headers: {\n Accept: ContentType.Json,\n },\n })\n\n if 
(!response.ok) {\n throw new Oauth2ServerErrorResponseError({\n error_description: `Fetching client metadata from '${clientMetadataUri}' failed with status code '${response.status}'.`,\n error: Oauth2ErrorCodes.InvalidRequestUri,\n })\n }\n\n if (!result || !result.success) {\n throw new Oauth2ServerErrorResponseError({\n error_description: `Parsing client metadata from '${clientMetadataUri}' failed.`,\n error: Oauth2ErrorCodes.InvalidRequestObject,\n })\n }\n\n return result.data\n}\n","import { Oauth2ErrorCodes, Oauth2ServerErrorResponseError } from '@openid4vc/oauth2'\nimport type { Openid4vpAuthorizationRequest } from './authorization-request/z-authorization-request'\nimport {\n isOpenid4vpAuthorizationRequestDcApi,\n type Openid4vpAuthorizationRequestDcApi,\n} from './authorization-request/z-authorization-request-dc-api'\nimport {\n isOpenid4vpAuthorizationRequestIae,\n type Openid4vpAuthorizationRequestIae,\n} from './authorization-request/z-authorization-request-iae'\nimport { zClientIdPrefix } from './client-identifier-prefix/z-client-id-prefix'\n\n/**\n * The Openid4vpVersionNumber\n *\n * 100 means 1.0 final\n * 101 means 1.1 draft 1\n * 110 will mean 1.1 final\n * all others are pre-1.0 draft versions\n */\nexport type Openid4vpVersionNumber = 18 | 19 | 20 | 21 | 22 | 23 | 24 | 25 | 26 | 27 | 28 | 100 | 101\n\nexport function parseAuthorizationRequestVersion(\n request: Openid4vpAuthorizationRequest | Openid4vpAuthorizationRequestDcApi | Openid4vpAuthorizationRequestIae\n): Openid4vpVersionNumber {\n const requirements: ['<' | '>=', Openid4vpVersionNumber][] = []\n\n // 1.1 draft\n if (isOpenid4vpAuthorizationRequestIae(request)) {\n requirements.push(['>=', 101])\n }\n\n // 29\n if (request.verifier_info) {\n requirements.push(['>=', 100])\n }\n if (request.verifier_attestations) {\n requirements.push(['<', 100])\n }\n\n // 28\n if (\n request.client_metadata?.vp_formats_supported?.mso_mdoc?.deviceauth_alg_values ||\n 
request.client_metadata?.vp_formats_supported?.mso_mdoc?.issuerauth_alg_values\n ) {\n requirements.push(['>=', 28])\n }\n\n if (\n request.client_metadata?.vp_formats_supported?.mso_mdoc?.issuer_signed_alg_values ||\n request.client_metadata?.vp_formats_supported?.mso_mdoc?.device_signed_alg_values\n ) {\n requirements.push(['<', 28])\n }\n\n // 27\n\n if (request.client_metadata?.vp_formats_supported) {\n requirements.push(['>=', 27])\n }\n if (request.client_metadata?.vp_formats) {\n requirements.push(['<', 27])\n }\n\n // 26\n if (\n request.client_id?.startsWith('openid_federation:') ||\n request.client_id?.startsWith('decentralized_identifier:')\n ) {\n requirements.push(['>=', 26])\n }\n\n if (request.client_id?.startsWith('did:')) {\n requirements.push(['<', 26])\n }\n\n if (request.presentation_definition || request.presentation_definition_uri) {\n requirements.push(['<', 26])\n }\n\n if (request.verifier_attestations) {\n requirements.push(['>=', 26])\n }\n\n // 25\n if (request.client_id?.startsWith('x509_san_uri:')) {\n requirements.push(['<', 25])\n }\n\n if (request.client_id?.startsWith('x509_hash:')) {\n requirements.push(['>=', 25])\n }\n\n if (request.client_id?.startsWith('web-origin:')) {\n requirements.push(['<', 25])\n }\n\n if (request.client_id?.startsWith('origin:')) {\n requirements.push(['>=', 25])\n }\n\n // 23\n if (\n isOpenid4vpAuthorizationRequestDcApi(request) &&\n (request.response_mode === 'w3c_dc_api' || request.response_mode === 'w3c_dc_api.jwt')\n ) {\n requirements.push(['<', 23])\n requirements.push(['>=', 21])\n }\n\n if (\n isOpenid4vpAuthorizationRequestDcApi(request) &&\n (request.response_mode === 'dc_api' || request.response_mode === 'dc_api.jwt')\n ) {\n requirements.push(['>=', 23])\n }\n\n if (isOpenid4vpAuthorizationRequestDcApi(request) && (request.transaction_data || request.dcql_query)) {\n requirements.push(['>=', 23])\n }\n\n // 22\n\n if (request.transaction_data) {\n requirements.push(['>=', 22])\n }\n\n if 
(request.client_id_scheme) {\n requirements.push(['<', 22])\n }\n\n // what happens if we don't have a client_id_scheme?\n\n // if the client_id is prefixed with a scheme, we know for sure that the version is >= 22\n // if it is not prefixed we don't know anything since it can default in all versions to pre-registered\n if (request.client_id) {\n const colonIndex = request.client_id.indexOf(':')\n const schemePart = request.client_id.substring(0, colonIndex)\n const parsedScheme = zClientIdPrefix.safeParse(schemePart)\n\n // we know this for sure\n if (parsedScheme.success && parsedScheme.data !== 'did' && parsedScheme.data !== 'https') {\n requirements.push(['>=', 22])\n }\n }\n\n // 21\n\n // only possible with dc_api which is available in 21\n if (!request.client_id) {\n requirements.push(['>=', 21])\n }\n\n // NOTE: DCQL was added in 22, but we've used it with draft 21 before, so it's\n // not 100% correct, but prevents interop issues\n if (request.dcql_query) {\n requirements.push(['>=', 21])\n }\n\n if (request.client_metadata_uri) {\n requirements.push(['<', 21])\n }\n\n if (isOpenid4vpAuthorizationRequestDcApi(request)) {\n requirements.push(['>=', 21])\n }\n\n if (request.request_uri_method || request.wallet_nonce) {\n requirements.push(['>=', 21])\n }\n\n // 20\n\n if (request.client_id_scheme === 'verifier_attestation') {\n requirements.push(['>=', 20])\n }\n\n // 19\n\n if (request.client_id_scheme === 'x509_san_dns' || request.client_id_scheme === 'x509_san_uri') {\n requirements.push(['>=', 19])\n }\n\n // The minimum version which satisfies all requirements\n const lessThanVersions = requirements.filter(([operator]) => operator === '<').map(([_, version]) => version)\n\n const greaterThanVersions = requirements.filter(([operator]) => operator === '>=').map(([_, version]) => version)\n\n // Find the minimum version that satisfies all \"less than\" constraints\n const highestPossibleVersion =\n lessThanVersions.length > 0\n ? 
(Math.max(Math.min(...lessThanVersions) - 1, 18) as Openid4vpVersionNumber)\n : (101 as const) // Default to highest version\n\n // Find the maximum version that satisfies all \"greater than or equal to\" constraints\n const lowestRequiredVersion =\n greaterThanVersions.length > 0 ? (Math.max(...greaterThanVersions) as Openid4vpVersionNumber) : (18 as const) // Default to lowest version\n\n // The acceptable range is [lowestRequiredVersion, highestPossibleVersion]\n // We return the lowest possible version that satisfies all constraints\n if (lowestRequiredVersion > highestPossibleVersion) {\n // No valid version exists that satisfies all constraints\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidRequest,\n error_description: `Could not infer openid4vp version from the openid4vp request payload. Based on specification requirements, lowest required version is ${lowestRequiredVersion} and highest possible version is ${highestPossibleVersion}`,\n })\n }\n\n return highestPossibleVersion\n}\n","import { Oauth2ErrorCodes, Oauth2ServerErrorResponseError } from '@openid4vc/oauth2'\nimport { ContentType, createFetcher, type Fetch, objectToQueryParams } from '@openid4vc/utils'\nimport type { ClientIdPrefix } from '../../client-identifier-prefix/z-client-id-prefix'\nimport type { WalletMetadata } from '../../models/z-wallet-metadata'\n\n/**\n * Fetch a request object and parse the response.\n * If you want to fetch the request object without providing wallet_metadata or wallet_nonce as defined in jar you can use the `fetchJarRequestObject` function.\n *\n * Returns validated request object if successful response\n * Throws error otherwise\n *\n * @throws {ValidationError} if successful response but validation of response failed\n * @throws {InvalidFetchResponseError} if no successful or 404 response\n * @throws {Error} if parsing json from response fails\n */\nexport async function fetchJarRequestObject(options: {\n requestUri: string\n 
clientIdPrefix?: ClientIdPrefix\n method: 'get' | 'post'\n wallet: {\n metadata?: WalletMetadata\n nonce?: string\n }\n fetch?: Fetch\n}): Promise<string> {\n const { requestUri, clientIdPrefix, method, wallet, fetch } = options\n\n let requestBody = wallet.metadata ? { wallet_metadata: wallet.metadata, wallet_nonce: wallet.nonce } : undefined\n if (requestBody?.wallet_metadata?.request_object_signing_alg_values_supported && clientIdPrefix === 'redirect_uri') {\n // This value indicates that the Client Identifier (without the prefix redirect_uri:) is the Verifier's Redirect URI (or Response URI when Response Mode direct_post is used). The Authorization Request MUST NOT be signed.\n const { request_object_signing_alg_values_supported, ...rest } = requestBody.wallet_metadata\n requestBody = { ...requestBody, wallet_metadata: { ...rest } }\n }\n\n const response = await createFetcher(fetch)(requestUri, {\n method,\n body: method === 'post' ? objectToQueryParams(wallet.metadata ?? {}) : undefined,\n headers: {\n Accept: `${ContentType.OAuthAuthorizationRequestJwt}, ${ContentType.Jwt};q=0.9, text/plain`,\n 'Content-Type': ContentType.XWwwFormUrlencoded,\n },\n }).catch(() => {\n throw new Oauth2ServerErrorResponseError({\n error_description: `Fetching request_object from request_uri '${requestUri}' failed`,\n error: Oauth2ErrorCodes.InvalidRequestUri,\n })\n })\n\n if (!response.ok) {\n throw new Oauth2ServerErrorResponseError({\n error_description: `Fetching request_object from request_uri '${requestUri}' failed with status code '${response.status}'.`,\n error: Oauth2ErrorCodes.InvalidRequestUri,\n })\n }\n\n return await response.text()\n}\n","import {\n type CallbackContext,\n type DecodeJwtResult,\n decodeJwt,\n type JarRequestObjectPayload,\n type Jwk,\n type JwtSigner,\n type JwtSignerWithJwk,\n jwtSignerFromJwt,\n Oauth2Error,\n Oauth2ErrorCodes,\n Oauth2ServerErrorResponseError,\n signedAuthorizationRequestJwtHeaderTyp,\n validateJarRequestParams,\n verifyJwt,\n 
zCompactJwe,\n zCompactJwt,\n zJarRequestObjectPayload,\n} from '@openid4vc/oauth2'\nimport { isOpenid4vpResponseModeDcApi } from '../../authorization-request/z-authorization-request-dc-api'\nimport { isOpenid4vpResponseModeIae } from '../../authorization-request/z-authorization-request-iae'\nimport { getOpenid4vpClientId } from '../../client-identifier-prefix/parse-client-identifier-prefix'\nimport {\n type ClientIdPrefix,\n type UniformClientIdPrefix,\n zClientIdPrefix,\n} from '../../client-identifier-prefix/z-client-id-prefix'\nimport type { WalletMetadata } from '../../models/z-wallet-metadata'\nimport { parseAuthorizationRequestVersion } from '../../version'\nimport { fetchJarRequestObject } from '../jar-request-object/fetch-jar-request-object'\nimport type { Openid4vpJarAuthorizationRequest } from '../z-jar-authorization-request'\n\nexport interface VerifyJarRequestOptions {\n jarRequestParams: Openid4vpJarAuthorizationRequest\n\n /**\n * Whether to allow the JAR request to contain a remote\n * `request_uri` parameter that should be fetched.\n *\n * If set to false and the JAR request contains a\n * `request_uri` parameter the method will throw an error\n *\n * @default true\n */\n allowRequestUri?: boolean\n\n callbacks: Pick<CallbackContext, 'verifyJwt' | 'decryptJwe' | 'fetch'>\n wallet?: {\n metadata?: WalletMetadata\n nonce?: string\n }\n}\n\nexport interface VerifiedJarRequest {\n authorizationRequestPayload: JarRequestObjectPayload\n sendBy: 'value' | 'reference'\n decryptionJwk?: Jwk\n signer: JwtSignerWithJwk\n jwt: DecodeJwtResult<undefined, typeof zJarRequestObjectPayload>\n}\n\n/**\n * Verifies a JAR (JWT Secured Authorization Request) request by validating, decrypting, and verifying signatures.\n *\n * @param options - The input parameters\n * @param options.jarRequestParams - The JAR authorization request parameters\n * @param options.callbacks - Context containing the relevant Jose crypto operations\n * @returns The verified authorization 
request parameters and metadata\n */\nexport async function verifyJarRequest(options: VerifyJarRequestOptions): Promise<VerifiedJarRequest> {\n const { callbacks, wallet = {} } = options\n\n const jarRequestParams = {\n ...options.jarRequestParams,\n ...validateJarRequestParams(options),\n } as Openid4vpJarAuthorizationRequest & ReturnType<typeof validateJarRequestParams>\n\n const sendBy = jarRequestParams.request ? 'value' : 'reference'\n\n // We can't know the client id prefix here if draft was before client_id_scheme became prefix\n const clientIdPrefix: ClientIdPrefix | undefined = jarRequestParams.client_id\n ? zClientIdPrefix.safeParse(jarRequestParams.client_id.split(':')[0]).data\n : 'origin'\n\n const method = jarRequestParams.request_uri_method ?? 'get'\n if (method !== 'get' && method !== 'post') {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidRequestUriMethod,\n error_description: `Invalid request_uri_method. Must be 'get' or 'post'.`,\n })\n }\n\n const requestObject =\n jarRequestParams.request ??\n (await fetchJarRequestObject({\n requestUri: jarRequestParams.request_uri,\n clientIdPrefix,\n method,\n wallet,\n fetch: callbacks.fetch,\n }))\n\n const requestObjectIsEncrypted = zCompactJwe.safeParse(requestObject).success\n const { decryptionJwk, payload: decryptedRequestObject } = requestObjectIsEncrypted\n ? 
await decryptJarRequest({ jwe: requestObject, callbacks })\n : { payload: requestObject, decryptionJwk: undefined }\n\n const requestIsSigned = zCompactJwt.safeParse(decryptedRequestObject).success\n if (!requestIsSigned) {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidRequestObject,\n error_description: 'JAR request object is not a valid JWT.',\n })\n }\n\n const { authorizationRequestPayload, signer, jwt } = await verifyJarRequestObject({\n decryptedRequestObject,\n callbacks,\n })\n if (!authorizationRequestPayload.client_id) {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidRequestObject,\n error_description: 'Jar Request Object is missing the required \"client_id\" field.',\n })\n }\n\n // Expect the client_id from the jar request to match the payload, but only if we're not using DC API / IAE\n if (\n !isOpenid4vpResponseModeDcApi(authorizationRequestPayload.response_mode) &&\n !isOpenid4vpResponseModeIae(authorizationRequestPayload.response_mode) &&\n jarRequestParams.client_id !== authorizationRequestPayload.client_id\n ) {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidRequest,\n error_description: 'client_id does not match the request object client_id.',\n })\n }\n if (\n jarRequestParams.client_id_scheme &&\n jarRequestParams.client_id_scheme !== authorizationRequestPayload.client_id_scheme\n ) {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidRequest,\n error_description: 'client_id_scheme does not match the request object client_id_scheme.',\n })\n }\n\n return {\n sendBy,\n jwt,\n authorizationRequestPayload,\n signer,\n decryptionJwk,\n }\n}\n\nasync function decryptJarRequest(options: { jwe: string; callbacks: Pick<CallbackContext, 'decryptJwe'> }) {\n const { jwe, callbacks } = options\n\n const { header } = decodeJwt({ jwt: jwe })\n if (!header.kid) {\n throw new Oauth2ServerErrorResponseError({\n error: 
Oauth2ErrorCodes.InvalidRequestObject,\n error_description: 'Jar JWE is missing the protected header field \"kid\".',\n })\n }\n\n const decryptionResult = await callbacks.decryptJwe(jwe)\n if (!decryptionResult.decrypted) {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidRequestObject,\n error_description: 'Failed to decrypt jar request object.',\n })\n }\n\n return decryptionResult\n}\n\nasync function verifyJarRequestObject(options: {\n decryptedRequestObject: string\n callbacks: Pick<CallbackContext, 'verifyJwt'>\n}) {\n const { decryptedRequestObject, callbacks } = options\n\n const jwt = decodeJwt({ jwt: decryptedRequestObject, payloadSchema: zJarRequestObjectPayload })\n\n let jwtSigner: JwtSigner\n\n const { clientIdPrefix } = getOpenid4vpClientId({\n responseMode: jwt.payload.response_mode,\n clientId: jwt.payload.client_id,\n legacyClientIdScheme: jwt.payload.client_id_scheme,\n })\n\n // Allowed signer methods for each of the client id schemes\n const clientIdToSignerMethod: Record<UniformClientIdPrefix, JwtSigner['method'][]> = {\n decentralized_identifier: ['did'],\n\n 'pre-registered': ['custom', 'did', 'jwk'],\n origin: [], // no signing allowed\n redirect_uri: [], // no signing allowed\n\n // Not 100% sure which one are allowed?\n verifier_attestation: ['did', 'federation', 'jwk', 'x5c', 'custom'],\n\n x509_san_dns: ['x5c'],\n x509_san_uri: ['x5c'],\n x509_hash: ['x5c'],\n\n // Handled separately\n openid_federation: [],\n }\n\n // The logic to determine the signer for a JWT is different for signed authorization request and federation\n if (clientIdPrefix === 'openid_federation') {\n if (!jwt.header.kid) {\n throw new Oauth2Error(\n `When OpenID Federation is used for signed authorization request, the 'kid' parameter is required.`\n )\n }\n\n jwtSigner = {\n method: 'federation',\n alg: jwt.header.alg,\n trustChain: jwt.payload.trust_chain,\n kid: jwt.header.kid,\n }\n } else {\n jwtSigner = jwtSignerFromJwt({ ...jwt, 
allowedSignerMethods: clientIdToSignerMethod[clientIdPrefix] })\n }\n\n const { signer } = await verifyJwt({\n verifyJwtCallback: callbacks.verifyJwt,\n compact: decryptedRequestObject,\n header: jwt.header,\n payload: jwt.payload,\n signer: jwtSigner,\n })\n\n // biome-ignore lint/suspicious/noExplicitAny: no explanation\n const version = parseAuthorizationRequestVersion(jwt.payload as any)\n if (jwt.header.typ !== signedAuthorizationRequestJwtHeaderTyp && version >= 24) {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidRequestObject,\n error_description: `Invalid Jar Request Object typ header. Expected \"oauth-authz-req+jwt\", received \"${jwt.header.typ}\".`,\n })\n }\n\n return {\n signer,\n jwt,\n authorizationRequestPayload: jwt.payload,\n }\n}\n","import { z } from 'zod'\n\nexport const zTransactionEntry = z\n .object({\n type: z.string(),\n credential_ids: z.tuple([z.string()], z.string()),\n\n // SD-JWT VC specific\n transaction_data_hashes_alg: z.tuple([z.string()], z.string()).optional(),\n })\n .loose()\nexport type TransactionDataEntry = z.infer<typeof zTransactionEntry>\n\nexport const zTransactionData = z.array(zTransactionEntry)\nexport type TransactionData = z.infer<typeof zTransactionData>\n","import { Oauth2ErrorCodes, Oauth2ServerErrorResponseError } from '@openid4vc/oauth2'\nimport { decodeBase64, encodeToUtf8String, parseIfJson } from '@openid4vc/utils'\nimport { type TransactionDataEntry, zTransactionData } from './z-transaction-data'\n\nexport interface ParseTransactionDataOptions {\n transactionData: string[]\n}\n\nexport interface ParsedTransactionDataEntry {\n transactionData: TransactionDataEntry\n transactionDataIndex: number\n encoded: string\n}\n\nexport function parseTransactionData(options: ParseTransactionDataOptions): ParsedTransactionDataEntry[] {\n const { transactionData } = options\n\n const decoded = transactionData.map((tdEntry) => parseIfJson(encodeToUtf8String(decodeBase64(tdEntry))))\n\n 
const parsedResult = zTransactionData.safeParse(decoded)\n if (!parsedResult.success) {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidTransactionData,\n error_description: 'Failed to parse transaction data.',\n })\n }\n\n return parsedResult.data.map((decoded, index) => ({\n transactionData: decoded,\n encoded: transactionData[index],\n transactionDataIndex: index,\n }))\n}\n","import { type CallbackContext, Oauth2Error, Oauth2ErrorCodes, Oauth2ServerErrorResponseError } from '@openid4vc/oauth2'\nimport { parseWithErrorHandling } from '@openid4vc/utils'\nimport z from 'zod'\nimport {\n type ParsedClientIdentifier,\n validateOpenid4vpClientId,\n} from '../client-identifier-prefix/parse-client-identifier-prefix'\nimport { fetchClientMetadata } from '../fetch-client-metadata'\nimport { type VerifiedJarRequest, verifyJarRequest } from '../jar/handle-jar-request/verify-jar-request'\nimport {\n isJarAuthorizationRequest,\n type Openid4vpJarAuthorizationRequest,\n zOpenid4vpJarAuthorizationRequest,\n} from '../jar/z-jar-authorization-request'\nimport type { PexPresentationDefinition } from '../models/z-pex'\nimport { type ParsedTransactionDataEntry, parseTransactionData } from '../transaction-data/parse-transaction-data'\nimport { type Openid4vpVersionNumber, parseAuthorizationRequestVersion } from '../version'\nimport {\n validateOpenid4vpAuthorizationRequestPayload,\n type WalletVerificationOptions,\n} from './validate-authorization-request'\nimport { validateOpenid4vpAuthorizationRequestDcApiPayload } from './validate-authorization-request-dc-api'\nimport { validateOpenid4vpAuthorizationRequestIaePayload } from './validate-authorization-request-iae'\nimport { type Openid4vpAuthorizationRequest, zOpenid4vpAuthorizationRequest } from './z-authorization-request'\nimport {\n isOpenid4vpAuthorizationRequestDcApi,\n type Openid4vpAuthorizationRequestDcApi,\n zOpenid4vpAuthorizationRequestDcApi,\n} from 
'./z-authorization-request-dc-api'\nimport {\n isOpenid4vpAuthorizationRequestIae,\n type Openid4vpAuthorizationRequestIae,\n zOpenid4vpAuthorizationRequestIae,\n} from './z-authorization-request-iae'\n\nexport interface ResolveOpenid4vpAuthorizationRequestOptions {\n authorizationRequestPayload:\n | Openid4vpAuthorizationRequest\n | Openid4vpAuthorizationRequestDcApi\n | Openid4vpAuthorizationRequestIae\n | Openid4vpJarAuthorizationRequest\n wallet?: WalletVerificationOptions\n\n /**\n * The response mode that is expected for the resolved presentation request.\n */\n responseMode: ExpectedResponseMode\n\n callbacks: Pick<CallbackContext, 'verifyJwt' | 'decryptJwe' | 'getX509CertificateMetadata' | 'fetch' | 'hash'>\n}\n\nexport type ResolvedOpenid4vpAuthorizationRequest = {\n transactionData?: ParsedTransactionDataEntry[]\n authorizationRequestPayload:\n | Openid4vpAuthorizationRequest\n | Openid4vpAuthorizationRequestDcApi\n | Openid4vpAuthorizationRequestIae\n jar: VerifiedJarRequest | undefined\n client: ParsedClientIdentifier\n pex?: {\n presentation_definition?: PexPresentationDefinition\n presentation_definition_uri?: string\n }\n dcql?: { query: unknown } | undefined\n\n /**\n * The highest possible version number based on (draft)-version checks done on the request.\n *\n * 100 means 1.0 final, all other numbers are draft versions.\n */\n version: Openid4vpVersionNumber\n}\n\nexport async function resolveOpenid4vpAuthorizationRequest(\n options: ResolveOpenid4vpAuthorizationRequestOptions\n): Promise<ResolvedOpenid4vpAuthorizationRequest> {\n const { wallet, callbacks } = options\n\n let authorizationRequestPayload:\n | Openid4vpAuthorizationRequest\n | ((Openid4vpAuthorizationRequestDcApi | Openid4vpAuthorizationRequestIae) & {\n presentation_definition_uri?: never\n })\n\n const parsed = parseWithErrorHandling(\n z.union([\n zOpenid4vpAuthorizationRequestDcApi,\n zOpenid4vpAuthorizationRequestIae,\n zOpenid4vpAuthorizationRequest,\n 
zOpenid4vpJarAuthorizationRequest,\n ]),\n options.authorizationRequestPayload,\n 'Invalid authorization request. Could not parse openid4vp authorization request as openid4vp or jar auth request.'\n )\n\n let jar: VerifiedJarRequest | undefined\n if (isJarAuthorizationRequest(parsed)) {\n jar = await verifyJarRequest({\n jarRequestParams: parsed,\n callbacks,\n wallet,\n // For IAE/DC API only request is allowed\n allowRequestUri: options.responseMode.type === 'direct_post',\n })\n\n const parsedJarAuthorizationRequestPayload = parseWithErrorHandling(\n z.union([zOpenid4vpAuthorizationRequestDcApi, zOpenid4vpAuthorizationRequestIae, zOpenid4vpAuthorizationRequest]),\n jar.authorizationRequestPayload,\n 'Invalid authorization request. Could not parse jar request payload as openid4vp auth request.'\n )\n\n authorizationRequestPayload = validateOpenId4vpAuthorizationRequestPayload({\n authorizationRequestPayload: parsedJarAuthorizationRequestPayload,\n wallet,\n jar: true,\n responseMode: options.responseMode,\n })\n } else {\n authorizationRequestPayload = validateOpenId4vpAuthorizationRequestPayload({\n authorizationRequestPayload: parsed,\n wallet,\n jar: false,\n\n responseMode: options.responseMode,\n })\n }\n\n const version = parseAuthorizationRequestVersion(authorizationRequestPayload)\n let clientMetadata = authorizationRequestPayload.client_metadata\n if (\n !isOpenid4vpAuthorizationRequestDcApi(authorizationRequestPayload) &&\n !isOpenid4vpAuthorizationRequestIae(authorizationRequestPayload) &&\n !clientMetadata &&\n authorizationRequestPayload.client_metadata_uri\n ) {\n clientMetadata = await fetchClientMetadata({ clientMetadataUri: authorizationRequestPayload.client_metadata_uri })\n }\n\n const clientMeta = await validateOpenid4vpClientId({\n authorizationRequestPayload: {\n ...authorizationRequestPayload,\n client_metadata: clientMetadata,\n },\n jar,\n\n callbacks,\n origin: options.responseMode.type === 'dc_api' ? 
options.responseMode.expectedOrigin : undefined,\n version,\n })\n\n let pex: ResolvedOpenid4vpAuthorizationRequest['pex'] | undefined\n let dcql: ResolvedOpenid4vpAuthorizationRequest['dcql'] | undefined\n\n if (authorizationRequestPayload.presentation_definition || authorizationRequestPayload.presentation_definition_uri) {\n if (authorizationRequestPayload.presentation_definition_uri) {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidRequest,\n error_description: 'Cannot fetch presentation definition from URI. Not supported.',\n })\n }\n\n pex = {\n presentation_definition: authorizationRequestPayload.presentation_definition,\n presentation_definition_uri: authorizationRequestPayload.presentation_definition_uri,\n }\n }\n\n if (authorizationRequestPayload.dcql_query) {\n dcql = { query: authorizationRequestPayload.dcql_query }\n }\n\n const transactionData = authorizationRequestPayload.transaction_data\n ? parseTransactionData({ transactionData: authorizationRequestPayload.transaction_data })\n : undefined\n\n return {\n transactionData,\n authorizationRequestPayload,\n jar,\n client: clientMeta,\n pex,\n dcql,\n version,\n }\n}\n\ntype ExpectedResponseMode =\n | {\n /**\n * Enforces the response is `iae` or `iae_post`, meaning the presentation\n * is created as part of an issuance session.\n */\n type: 'iae'\n\n /**\n * The expectedUrl for the IAE session. Must always be provided, but will\n * only be verified if the OpenID4VP request is signed (and thus MUST contain `expected_url`)\n */\n expectedUrl: string\n }\n | {\n /**\n * Enforces the response is `dc_api` or `dc_api.jwt` (including legacy support for `w3c_dc_api` and `w3c_dc_api.jwt`),\n * meaning the presentation will be shared using the Digital Credentials API.\n */\n type: 'dc_api'\n\n /**\n * The expected origin for the DC API session. 
Must always be provided, but will\n * only be verified if the OpenID4VP request is signed (and thus MUST contain `expected_origins`)\n */\n expectedOrigin: string\n }\n | {\n /**\n * Enforces the response is `direct_post` or `direct_post.jwt`\n */\n type: 'direct_post'\n }\n\nfunction validateOpenId4vpAuthorizationRequestPayload(options: {\n authorizationRequestPayload:\n | Openid4vpAuthorizationRequest\n | Openid4vpAuthorizationRequestDcApi\n | Openid4vpAuthorizationRequestIae\n wallet?: WalletVerificationOptions\n jar: boolean\n\n responseMode: ExpectedResponseMode\n}) {\n const { authorizationRequestPayload, wallet, jar, responseMode } = options\n\n if (isOpenid4vpAuthorizationRequestDcApi(authorizationRequestPayload)) {\n if (responseMode.type !== 'dc_api') {\n throw new Oauth2Error(\n `Authorization request uses response mode ${authorizationRequestPayload.response_mode}, but expected to use a response mode in the ${responseMode.type} category.`\n )\n }\n\n validateOpenid4vpAuthorizationRequestDcApiPayload({\n params: authorizationRequestPayload,\n isJarRequest: jar,\n origin: responseMode.expectedOrigin,\n })\n\n return authorizationRequestPayload\n }\n\n if (isOpenid4vpAuthorizationRequestIae(authorizationRequestPayload)) {\n if (responseMode.type !== 'iae') {\n throw new Oauth2Error(\n `Authorization request uses response mode ${authorizationRequestPayload.response_mode}, but expected to use a response mode in the ${responseMode.type} category.`\n )\n }\n\n validateOpenid4vpAuthorizationRequestIaePayload({\n params: authorizationRequestPayload,\n isJarRequest: jar,\n expectedUrl: responseMode.expectedUrl,\n })\n\n return authorizationRequestPayload\n }\n\n if (responseMode.type !== 'direct_post') {\n throw new Oauth2Error(\n `Authorization request uses response mode ${authorizationRequestPayload.response_mode}, but expected to use a response mode in the ${responseMode.type} category.`\n )\n }\n\n validateOpenid4vpAuthorizationRequestPayload({\n params: 
authorizationRequestPayload,\n walletVerificationOptions: wallet,\n })\n return authorizationRequestPayload\n}\n","/**\n * Get the time in seconds since epoch for a date.\n * If date is not provided the current time will be used.\n */\nexport function dateToSeconds(date?: Date) {\n const milliseconds = date?.getTime() ?? Date.now()\n\n return Math.floor(milliseconds / 1000)\n}\n\nexport function addSecondsToDate(date: Date, seconds: number) {\n return new Date(date.getTime() + seconds * 1000)\n}\n","import {\n type CallbackContext,\n type JweEncryptor,\n type JwtSigner,\n jwtHeaderFromJwtSigner,\n Oauth2Error,\n} from '@openid4vc/oauth2'\nimport type {\n JarmAuthorizationResponse,\n JarmAuthorizationResponseEncryptedOnly,\n} from './jarm-authorization-response/z-jarm-authorization-response'\n\nexport interface CreateJarmAuthorizationResponseOptions {\n jarmAuthorizationResponse: JarmAuthorizationResponse | JarmAuthorizationResponseEncryptedOnly\n jwtSigner?: JwtSigner\n jweEncryptor?: JweEncryptor\n callbacks: Pick<CallbackContext, 'signJwt' | 'encryptJwe'>\n}\n\nexport async function createJarmAuthorizationResponse(options: CreateJarmAuthorizationResponseOptions) {\n const { jarmAuthorizationResponse, jweEncryptor, jwtSigner, callbacks } = options\n if (!jwtSigner && jweEncryptor) {\n const { jwe } = await callbacks.encryptJwe(jweEncryptor, JSON.stringify(jarmAuthorizationResponse))\n return { jarmAuthorizationResponseJwt: jwe }\n }\n\n if (jwtSigner && !jweEncryptor) {\n const signed = await callbacks.signJwt(jwtSigner, {\n header: jwtHeaderFromJwtSigner(jwtSigner),\n payload: jarmAuthorizationResponse,\n })\n return { jarmAuthorizationResponseJwt: signed.jwt }\n }\n\n if (!jwtSigner || !jweEncryptor) {\n throw new Oauth2Error('JWT signer and/or encryptor are required to create a JARM auth response.')\n }\n const signed = await callbacks.signJwt(jwtSigner, {\n header: jwtHeaderFromJwtSigner(jwtSigner),\n payload: jarmAuthorizationResponse,\n })\n\n const 
encrypted = await callbacks.encryptJwe(jweEncryptor, signed.jwt)\n\n return { jarmAuthorizationResponseJwt: encrypted.jwe }\n}\n","import type { JwkSet } from '@openid4vc/oauth2'\n\nexport function extractEncryptionJwkFromJwks(\n jwks: JwkSet,\n {\n kid,\n supportedAlgValues,\n }: {\n kid?: string\n supportedAlgValues?: string[]\n }\n) {\n if (kid) {\n return jwks.keys.find((jwk) => jwk.kid === kid)\n }\n\n let algFiltered = jwks.keys.filter((key) => key.alg && supportedAlgValues?.includes(key.alg))\n if (algFiltered.length === 0) algFiltered = jwks.keys\n\n let encFiltered = algFiltered.filter((key) => key.use === 'enc')\n if (!encFiltered) encFiltered = algFiltered.filter((key) => key.use !== 'sig')\n\n return encFiltered.length > 0 ? encFiltered[0] : jwks.keys[0]\n}\n","import { z } from 'zod'\n\nexport const jarmResponseMode = [\n 'jwt',\n 'query.jwt',\n 'fragment.jwt',\n 'form_post.jwt',\n 'direct_post.jwt',\n 'dc_api.jwt',\n] as const\nexport const zJarmResponseMode = z.enum(jarmResponseMode)\n\nexport type JarmResponseMode = (typeof jarmResponseMode)[number]\n\nexport const isJarmResponseMode = (responseMode: string): responseMode is JarmResponseMode => {\n return jarmResponseMode.includes(responseMode as JarmResponseMode)\n}\n","import { Oauth2Error } from '@openid4vc/oauth2'\nimport type { JarmServerMetadata } from './z-jarm-authorization-server-metadata'\nimport { type JarmClientMetadata, zJarmClientMetadataParsed } from './z-jarm-client-metadata'\n\ninterface AssertValueSupported<T> {\n supported: T[]\n actual: T\n errorMessage: string\n}\n\nexport function assertValueSupported<T>(options: AssertValueSupported<T>): T {\n const { errorMessage, supported, actual } = options\n const intersection = supported.find((value) => value === actual)\n\n if (!intersection) {\n throw new Oauth2Error(errorMessage)\n }\n\n return intersection\n}\n\nexport function jarmAssertMetadataSupported(options: {\n clientMetadata: JarmClientMetadata\n serverMetadata: 
JarmServerMetadata\n}) {\n const { clientMetadata, serverMetadata } = options\n const parsedClientMetadata = zJarmClientMetadataParsed.parse(clientMetadata)\n\n if (parsedClientMetadata.type === 'sign_encrypt' || parsedClientMetadata.type === 'encrypt') {\n if (serverMetadata.authorization_encryption_alg_values_supported) {\n assertValueSupported({\n supported: serverMetadata.authorization_encryption_alg_values_supported,\n actual: parsedClientMetadata.client_metadata.authorization_encrypted_response_alg,\n errorMessage: 'Invalid authorization_encryption_alg',\n })\n }\n\n if (serverMetadata.authorization_encryption_enc_values_supported) {\n assertValueSupported({\n supported: serverMetadata.authorization_encryption_enc_values_supported,\n actual: parsedClientMetadata.client_metadata.authorization_encrypted_response_enc,\n errorMessage: 'Invalid authorization_encryption_enc',\n })\n }\n }\n\n if (\n serverMetadata.authorization_signing_alg_values_supported &&\n (parsedClientMetadata.type === 'sign' || parsedClientMetadata.type === 'sign_encrypt')\n ) {\n assertValueSupported({\n supported: serverMetadata.authorization_signing_alg_values_supported,\n actual: parsedClientMetadata.client_metadata.authorization_signed_response_alg,\n errorMessage: 'Invalid authorization_signed_response_alg',\n })\n }\n\n return parsedClientMetadata\n}\n","import {\n type CallbackContext,\n fetchJwks,\n type Jwk,\n type JwkSet,\n type JwtSigner,\n Oauth2Error,\n Oauth2ErrorCodes,\n Oauth2ServerErrorResponseError,\n} from '@openid4vc/oauth2'\nimport { dateToSeconds, encodeToBase64Url } from '@openid4vc/utils'\nimport { addSecondsToDate } from '../../../utils/src/date'\nimport type { Openid4vpAuthorizationRequest } from '../authorization-request/z-authorization-request'\nimport type { Openid4vpAuthorizationRequestDcApi } from '../authorization-request/z-authorization-request-dc-api'\nimport { getOpenid4vpClientId } from '../client-identifier-prefix/parse-client-identifier-prefix'\nimport 
{ createJarmAuthorizationResponse } from '../jarm/jarm-authorization-response-create'\nimport { extractEncryptionJwkFromJwks } from '../jarm/jarm-extract-jwks'\nimport { isJarmResponseMode } from '../jarm/jarm-response-mode'\nimport { assertValueSupported, jarmAssertMetadataSupported } from '../jarm/metadata/jarm-assert-metadata-supported'\nimport type { JarmServerMetadata } from '../jarm/metadata/z-jarm-authorization-server-metadata'\nimport type { ClientMetadata } from '../models/z-client-metadata'\nimport type { Openid4vpAuthorizationResponse } from './z-authorization-response'\n\nexport interface CreateOpenid4vpAuthorizationResponseOptions {\n authorizationRequestPayload: Openid4vpAuthorizationRequest | Openid4vpAuthorizationRequestDcApi\n\n /**\n * Optional client metadata to use for sending the authorization response. In case of e.g. OpenID Federation\n * the client metadata needs to be resolved and verified externally.\n */\n clientMetadata?: ClientMetadata\n\n /**\n * The origin of the reuqest, required when creating a response for the Digital Credentials API.\n */\n origin?: string\n\n authorizationResponsePayload: Openid4vpAuthorizationResponse & { state?: never }\n jarm?: {\n jwtSigner?: JwtSigner\n encryption?: {\n nonce: string\n\n /**\n * The JWK that should be used for encryption of the JARM response.\n *\n * If not defined, the Jwk will be determined based on the client_metadata.\n */\n jwk?: Jwk\n }\n serverMetadata: JarmServerMetadata\n authorizationServer?: string // The issuer URL of the authorization server that created the response\n audience?: string // The client_id of the client the response is intended for\n expiresInSeconds?: number // The expiration time of the JWT. 
A maximum JWT lifetime of 10 minutes is RECOMMENDED.\n }\n callbacks: Pick<CallbackContext, 'signJwt' | 'encryptJwe' | 'fetch'>\n}\n\nexport interface CreateOpenid4vpAuthorizationResponseResult {\n authorizationResponsePayload: Openid4vpAuthorizationResponse\n jarm?: {\n responseJwt: string\n /**\n * The JWK used to encrypt the JARM response. Only defined if the response is encrypted.\n */\n encryptionJwk?: Jwk\n }\n}\n\nexport async function createOpenid4vpAuthorizationResponse(\n options: CreateOpenid4vpAuthorizationResponseOptions\n): Promise<CreateOpenid4vpAuthorizationResponseResult> {\n const { authorizationRequestPayload, jarm, callbacks, origin } = options\n\n const authorizationResponsePayload = {\n ...options.authorizationResponsePayload,\n state: authorizationRequestPayload.state,\n } satisfies Openid4vpAuthorizationResponse\n\n const { clientIdPrefix } = getOpenid4vpClientId({\n responseMode: authorizationRequestPayload.response_mode,\n clientId: authorizationRequestPayload.client_id,\n legacyClientIdScheme: authorizationRequestPayload.client_id_scheme,\n origin,\n })\n\n if (\n authorizationRequestPayload.response_mode &&\n isJarmResponseMode(authorizationRequestPayload.response_mode) &&\n !jarm\n ) {\n throw new Oauth2Error(\n `Missing jarm options for creating Jarm response with response mode '${authorizationRequestPayload.response_mode}'`\n )\n }\n\n if (!jarm) {\n return {\n authorizationResponsePayload,\n }\n }\n\n // When using OpenID Federation, we must not rely on the client metadata from the request\n if (clientIdPrefix === 'openid_federation' && !options.clientMetadata) {\n throw new Oauth2Error(\n \"When OpenID Federation is used as the client id prefix (https/openid_federation), passing externally fetched and verified 'clientMetadata' to the 'createOpenid4vpAuthorizationResponse' is required.\"\n )\n }\n\n const clientMetadata = options.clientMetadata ?? 
authorizationRequestPayload.client_metadata\n if (!clientMetadata) {\n throw new Oauth2Error('Missing client metadata in the request params to assert Jarm metadata support.')\n }\n\n let jwks: JwkSet\n\n if (clientMetadata.jwks) {\n jwks = clientMetadata.jwks\n } else if (clientMetadata.jwks_uri) {\n jwks = await fetchJwks(clientMetadata.jwks_uri, options.callbacks.fetch)\n } else {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidRequest,\n error_description: `Missing 'jwks' or 'jwks_uri' in client metadata. Cannot extract encryption JWK.`,\n })\n }\n\n if (\n clientMetadata.authorization_encrypted_response_alg ||\n clientMetadata.authorization_encrypted_response_enc ||\n clientMetadata.authorization_signed_response_alg\n ) {\n jarmAssertMetadataSupported({\n clientMetadata: clientMetadata,\n serverMetadata: jarm.serverMetadata,\n })\n }\n\n const encJwk =\n // User-provided JWK takes precedence\n jarm?.encryption?.jwk ??\n extractEncryptionJwkFromJwks(jwks, {\n supportedAlgValues:\n jarm.serverMetadata.authorization_encryption_alg_values_supported ??\n (clientMetadata.authorization_encrypted_response_alg\n ? [clientMetadata.authorization_encrypted_response_alg]\n : undefined),\n })\n\n if (!encJwk) {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidRequest,\n error_description:\n 'No encryption JWK provided and could not extract encryption JWK from client metadata. Failed to create JARM response.',\n })\n }\n\n let enc: string\n if (clientMetadata.encrypted_response_enc_values_supported) {\n // Take first supported, or otherwise the first value\n enc =\n jarm.serverMetadata.authorization_encryption_enc_values_supported.find((enc) =>\n clientMetadata.encrypted_response_enc_values_supported?.includes(enc)\n ) ?? clientMetadata.encrypted_response_enc_values_supported[0]\n } else {\n // Use old value, or otherwise fallback to default\n enc = clientMetadata.authorization_encrypted_response_enc ?? 
'A128GCM'\n }\n\n assertValueSupported({\n actual: enc,\n supported: jarm.serverMetadata.authorization_encryption_enc_values_supported,\n errorMessage: `Invalid 'enc' value ${enc}. Supported values are ${jarm.serverMetadata.authorization_encryption_enc_values_supported.join(', ')}`,\n })\n\n const alg = encJwk.alg ?? clientMetadata.authorization_encrypted_response_alg ?? 'ECDH-ES'\n assertValueSupported({\n actual: alg,\n supported: jarm.serverMetadata.authorization_encryption_alg_values_supported,\n errorMessage: `Invalid 'alg' value ${alg}. Supported values are ${jarm.serverMetadata.authorization_encryption_alg_values_supported.join(', ')}`,\n })\n\n // TODO: we can remove this once support for pre-1.0 versions have been removed\n // TODO: we should keep the JARM implementation and move it to oauth2 package\n // When the response is NOT only encrypted, the JWT payload needs to include the iss, aud and exp.\n let additionalJwtPayload: Record<string, string | number> | undefined\n if (jarm?.jwtSigner) {\n if (!jarm.authorizationServer) {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidRequest,\n error_description: 'Missing required iss in JARM configuration for creating OpenID4VP authorization response.',\n })\n }\n\n if (!jarm.audience) {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidRequest,\n error_description: 'Missing required aud in JARM configuration for creating OpenID4VP authorization response.',\n })\n }\n\n additionalJwtPayload = {\n iss: jarm.authorizationServer,\n aud: jarm.audience,\n exp: jarm.expiresInSeconds ?? 
dateToSeconds(addSecondsToDate(new Date(), 60 * 10)), // default: 10 minutes\n }\n }\n\n const jarmResponsePayload = {\n ...authorizationResponsePayload,\n ...additionalJwtPayload,\n } satisfies Openid4vpAuthorizationResponse\n\n const result = await createJarmAuthorizationResponse({\n jarmAuthorizationResponse: jarmResponsePayload,\n jwtSigner: jarm?.jwtSigner,\n jweEncryptor: jarm?.encryption\n ? {\n method: 'jwk',\n publicJwk: encJwk,\n apu: jarm.encryption.nonce ? encodeToBase64Url(jarm.encryption.nonce) : undefined,\n apv: encodeToBase64Url(authorizationRequestPayload.nonce),\n alg,\n enc,\n }\n : undefined,\n callbacks: {\n signJwt: callbacks.signJwt,\n encryptJwe: callbacks.encryptJwe,\n },\n })\n\n return {\n authorizationResponsePayload: jarmResponsePayload,\n jarm: { responseJwt: result.jarmAuthorizationResponseJwt, encryptionJwk: encJwk },\n }\n}\n","import { z } from 'zod'\n\nexport const zPexPresentationDefinition = z.record(z.string(), z.any())\nexport const zPexPresentationSubmission = z.record(z.string(), z.any())\n\nexport type PexPresentationDefinition = z.infer<typeof zPexPresentationDefinition>\nexport type PexPresentationSubmission = z.infer<typeof zPexPresentationSubmission>\n","import { z } from 'zod'\n\nconst zVpTokenPresentationEntry = z.union([z.string(), z.record(z.string(), z.any())], {\n message: 'vp_token presentation entry must be string or object',\n})\nexport type VpTokenPresentationEntry = z.infer<typeof zVpTokenPresentationEntry>\n\nexport const zVpTokenPex = z.union(\n [\n zVpTokenPresentationEntry,\n z.tuple([zVpTokenPresentationEntry], zVpTokenPresentationEntry, 'Must have at least entry in vp_token array'),\n ],\n {\n message: 'pex vp_token must be a string, object or non-empty array of strings and objects',\n }\n)\nexport type VpTokenPex = z.infer<typeof zVpTokenPex>\n\nexport const zVpTokenDcql = z.record(\n z.string(),\n z.union([z.tuple([zVpTokenPresentationEntry], zVpTokenPresentationEntry), zVpTokenPresentationEntry]),\n 
{\n message:\n 'dcql vp_token must be an object with keys referencing the dcql credential query id, and values a non-empty array of strings and objects, or string, or object',\n }\n)\nexport type VpTokenDcql = z.infer<typeof zVpTokenDcql>\n\nexport const zVpToken = zVpTokenDcql.or(zVpTokenPex)\nexport type VpToken = z.infer<typeof zVpToken>\n","import { zStringToJson } from '@openid4vc/utils'\nimport { z } from 'zod'\nimport { zPexPresentationSubmission } from '../models/z-pex'\nimport { zVpToken } from '../vp-token/z-vp-token'\n\nexport const zOpenid4vpAuthorizationResponse = z\n .object({\n state: z.string().optional(),\n id_token: z.string().optional(),\n vp_token: zVpToken,\n presentation_submission: zPexPresentationSubmission.or(zStringToJson).optional(),\n refresh_token: z.string().optional(),\n token_type: z.string().optional(),\n access_token: z.string().optional(),\n expires_in: z.coerce.number().optional(),\n })\n .loose()\nexport type Openid4vpAuthorizationResponse = z.infer<typeof zOpenid4vpAuthorizationResponse>\n","import { parseWithErrorHandling } from '@openid4vc/utils'\nimport { zOpenid4vpAuthorizationResponse } from './z-authorization-response'\n\nexport function parseOpenid4VpAuthorizationResponsePayload(payload: Record<string, unknown>) {\n return parseWithErrorHandling(\n zOpenid4vpAuthorizationResponse,\n payload,\n 'Failed to parse openid4vp authorization response.'\n )\n}\n","import { zJwtHeader, zJwtPayload } from '@openid4vc/oauth2'\nimport { z } from 'zod'\n\nexport const zJarmHeader = z.object({ ...zJwtHeader.shape, apu: z.string().optional(), apv: z.string().optional() })\nexport type JarmHeader = z.infer<typeof zJarmHeader>\n\nexport const zJarmAuthorizationResponse = z\n .object({\n /**\n * iss: The issuer URL of the authorization server that created the response\n * aud: The client_id of the client the response is intended for\n * exp: The expiration time of the JWT. 
A maximum JWT lifetime of 10 minutes is RECOMMENDED.\n */\n ...zJwtPayload.shape,\n ...zJwtPayload.pick({ iss: true, aud: true, exp: true }).required().shape,\n state: z.optional(z.string()),\n })\n .loose()\n\nexport type JarmAuthorizationResponse = z.infer<typeof zJarmAuthorizationResponse>\n\nexport const zJarmAuthorizationResponseEncryptedOnly = z\n .object({\n ...zJwtPayload.shape,\n state: z.optional(z.string()),\n })\n .loose()\nexport type JarmAuthorizationResponseEncryptedOnly = z.infer<typeof zJarmAuthorizationResponseEncryptedOnly>\n","import { Oauth2Error } from '@openid4vc/oauth2'\nimport { dateToSeconds } from '@openid4vc/utils'\nimport {\n type JarmAuthorizationResponse,\n type JarmAuthorizationResponseEncryptedOnly,\n zJarmAuthorizationResponse,\n} from './z-jarm-authorization-response'\n\nexport const jarmAuthorizationResponseValidate = (options: {\n expectedClientId: string\n authorizationResponse: JarmAuthorizationResponse | JarmAuthorizationResponseEncryptedOnly\n}) => {\n const { expectedClientId, authorizationResponse } = options\n\n // The traditional Jarm Validation Methods do not account for the encrypted response.\n if (!zJarmAuthorizationResponse.safeParse(authorizationResponse).success) {\n return\n }\n\n // 3. The client obtains the aud element from the JWT and checks whether it matches the client id the client used to identify itself in the corresponding authorization request. If the check fails, the client MUST abort processing and refuse the response.\n if (\n (Array.isArray(authorizationResponse.aud) && !authorizationResponse.aud.includes(expectedClientId)) ||\n (typeof authorizationResponse.aud === 'string' && authorizationResponse.aud !== expectedClientId)\n ) {\n throw new Oauth2Error(\n `Invalid 'aud' claim in JARM authorization response. Expected '${\n expectedClientId\n }' received '${JSON.stringify(authorizationResponse.aud)}'.`\n )\n }\n\n // 4. The client checks the JWT's exp element to determine if the JWT is still valid. 
If the check fails, the client MUST abort processing and refuse the response.\n // 120 seconds clock skew\n if (authorizationResponse.exp !== undefined && authorizationResponse.exp < dateToSeconds()) {\n throw new Oauth2Error('JARM auth response is expired.')\n }\n}\n","import {\n type CallbackContext,\n decodeJwt,\n decodeJwtHeader,\n type Jwk,\n jwtSignerFromJwt,\n Oauth2Error,\n zCompactJwe,\n zCompactJwt,\n zJwtHeader,\n} from '@openid4vc/oauth2'\nimport { stringToJsonWithErrorHandling } from '@openid4vc/utils'\nimport z from 'zod'\nimport type { Openid4vpAuthorizationRequest } from '../../authorization-request/z-authorization-request'\nimport type { Openid4vpAuthorizationRequestDcApi } from '../../authorization-request/z-authorization-request-dc-api'\nimport { extractEncryptionJwkFromJwks } from '../jarm-extract-jwks'\nimport { jarmAuthorizationResponseValidate } from './jarm-validate-authorization-response'\nimport {\n type JarmAuthorizationResponse,\n type JarmAuthorizationResponseEncryptedOnly,\n zJarmAuthorizationResponse,\n zJarmAuthorizationResponseEncryptedOnly,\n} from './z-jarm-authorization-response'\n\nexport enum JarmMode {\n Signed = 'Signed',\n Encrypted = 'Encrypted',\n SignedEncrypted = 'SignedEncrypted',\n}\n\n/**\n * The client decrypts the JWT using the default key for the respective issuer or,\n * if applicable, determined by the kid JWT header parameter.\n * The key might be a private key, where the corresponding public key is registered\n * with the expected issuer of the response (\"use\":\"enc\" via the client's metadata jwks or jwks_uri)\n * or a key derived from its client secret (see Section 2.2).\n */\nconst decryptJarmAuthorizationResponseJwt = async (options: {\n jarmAuthorizationResponseJwt: string\n callbacks: Pick<CallbackContext, 'decryptJwe'>\n authorizationRequestPayload: Openid4vpAuthorizationRequest | Openid4vpAuthorizationRequestDcApi\n}) => {\n const { jarmAuthorizationResponseJwt, callbacks, authorizationRequestPayload 
} = options\n\n let encryptionJwk: Jwk | undefined\n const { header } = decodeJwtHeader({\n jwt: jarmAuthorizationResponseJwt,\n })\n\n // NOTE: previously we required `kid` to be present in the JARM header, but not all implementations seem to\n // add this, so we removed the check. Starting from draft 26 it's required again, so we can add the check again when\n // removing support for drafts <26\n if (authorizationRequestPayload.client_metadata?.jwks) {\n // If there's no kid, we try to extract the JWK from the request, if we are not successful\n // (because e.g. the request used client_metadata_uri) the decryptJwe callback has to handle this edge case\n // See https://github.com/openid/OpenID4VP/issues/441\n encryptionJwk = extractEncryptionJwkFromJwks(authorizationRequestPayload.client_metadata.jwks, {\n // Kid always take precedence\n kid: header.kid,\n\n // This value was removed in draft 26, but if it's still provided, we can use it to determine the key to use\n supportedAlgValues: authorizationRequestPayload.client_metadata.authorization_encrypted_response_alg\n ? [authorizationRequestPayload.client_metadata.authorization_encrypted_response_alg]\n : undefined,\n })\n }\n\n const result = await callbacks.decryptJwe(jarmAuthorizationResponseJwt, { jwk: encryptionJwk })\n if (!result.decrypted) {\n throw new Oauth2Error('Failed to decrypt jarm auth response.')\n }\n\n return {\n decryptionJwk: result.decryptionJwk,\n payload: result.payload,\n }\n}\n\nexport interface VerifyJarmAuthorizationResponseOptions {\n jarmAuthorizationResponseJwt: string\n\n authorizationRequestPayload: Openid4vpAuthorizationRequest | Openid4vpAuthorizationRequestDcApi\n\n /**\n * The client id of the authorization request. 
This should be the effective client id,\n * meaning that if no client_id was present in the authorization request and DC API is used\n * it should be `web-origin:<origin>` (until draft 24) or `origin:<origin>` (from draft 25)\n */\n expectedClientId: string\n\n callbacks: Pick<CallbackContext, 'decryptJwe' | 'verifyJwt'>\n}\n\nexport type VerifiedJarmAuthorizationResponse = Awaited<ReturnType<typeof verifyJarmAuthorizationResponse>>\n\n/**\n * Validate a JARM direct_post.jwt compliant authentication response\n * * The decryption key should be resolvable using the the protected header's 'kid' field\n * * The signature verification jwk should be resolvable using the jws protected header's 'kid' field and the payload's 'iss' field.\n */\nexport async function verifyJarmAuthorizationResponse(options: VerifyJarmAuthorizationResponseOptions) {\n const { jarmAuthorizationResponseJwt, callbacks, expectedClientId, authorizationRequestPayload } = options\n\n const requestDataIsEncrypted = zCompactJwe.safeParse(jarmAuthorizationResponseJwt).success\n const decryptedRequestData = requestDataIsEncrypted\n ? 
await decryptJarmAuthorizationResponseJwt({\n jarmAuthorizationResponseJwt,\n callbacks,\n authorizationRequestPayload,\n })\n : { payload: jarmAuthorizationResponseJwt, decryptionJwk: undefined }\n\n const responseIsSigned = zCompactJwt.safeParse(decryptedRequestData.payload).success\n if (!requestDataIsEncrypted && !responseIsSigned) {\n throw new Oauth2Error('Jarm Auth Response must be either encrypted, signed, or signed and encrypted.')\n }\n\n let jarmAuthorizationResponse: JarmAuthorizationResponse | JarmAuthorizationResponseEncryptedOnly\n\n if (responseIsSigned) {\n const { header: jwsProtectedHeader, payload: jwsPayload } = decodeJwt({\n jwt: decryptedRequestData.payload,\n headerSchema: z.object({ ...zJwtHeader.shape, kid: z.string() }),\n })\n\n const response = zJarmAuthorizationResponse.parse(jwsPayload)\n const jwtSigner = jwtSignerFromJwt({ header: jwsProtectedHeader, payload: jwsPayload })\n\n const verificationResult = await options.callbacks.verifyJwt(jwtSigner, {\n compact: decryptedRequestData.payload,\n header: jwsProtectedHeader,\n payload: jwsPayload,\n })\n\n if (!verificationResult.verified) {\n throw new Oauth2Error('Jarm Auth Response is not valid.')\n }\n\n jarmAuthorizationResponse = response\n } else {\n const jsonRequestData = stringToJsonWithErrorHandling(\n decryptedRequestData.payload,\n 'Unable to parse decrypted JARM JWE body to JSON'\n )\n jarmAuthorizationResponse = zJarmAuthorizationResponseEncryptedOnly.parse(jsonRequestData)\n }\n\n jarmAuthorizationResponseValidate({\n expectedClientId,\n authorizationResponse: jarmAuthorizationResponse,\n })\n const type: JarmMode =\n requestDataIsEncrypted && responseIsSigned\n ? JarmMode.SignedEncrypted\n : requestDataIsEncrypted\n ? 
JarmMode.Encrypted\n : JarmMode.Signed\n\n const issuer = jarmAuthorizationResponse.iss\n return {\n jarmAuthorizationResponse,\n type,\n issuer,\n decryptionJwk: decryptedRequestData.decryptionJwk,\n }\n}\n","import { parseIfJson, parseWithErrorHandling } from '@openid4vc/utils'\nimport { type VpTokenPresentationEntry, zVpTokenDcql, zVpTokenPex } from './z-vp-token'\n\nexport function parsePexVpToken(vpToken: unknown): [VpTokenPresentationEntry, ...VpTokenPresentationEntry[]] {\n const parsedVpToken = parseWithErrorHandling(\n zVpTokenPex,\n parseIfJson(vpToken),\n 'Could not parse presentation exchange vp_token. Expected a string or an array of strings'\n )\n\n return Array.isArray(parsedVpToken)\n ? (parsedVpToken as [VpTokenPresentationEntry, ...VpTokenPresentationEntry[]])\n : [parsedVpToken]\n}\n\nexport function parseDcqlVpToken(\n vpToken: unknown\n): Record<string, [VpTokenPresentationEntry, ...VpTokenPresentationEntry[]]> {\n const parsedVpToken = parseWithErrorHandling(\n zVpTokenDcql,\n parseIfJson(vpToken),\n 'Could not parse dcql vp_token. Expected an object where the values are encoded presentations'\n )\n\n return Object.fromEntries(\n Object.entries(parsedVpToken).map(([queryId, presentations]) => [\n queryId,\n Array.isArray(presentations)\n ? 
(presentations as [VpTokenPresentationEntry, ...VpTokenPresentationEntry[]])\n : [presentations],\n ])\n )\n}\n","import { Oauth2Error } from '@openid4vc/oauth2'\nimport type { Openid4vpAuthorizationRequest } from '../authorization-request/z-authorization-request'\nimport type { Openid4vpAuthorizationRequestDcApi } from '../authorization-request/z-authorization-request-dc-api'\nimport type { Openid4vpAuthorizationRequestIae } from '../authorization-request/z-authorization-request-iae'\nimport { parseDcqlVpToken, parsePexVpToken } from '../vp-token/parse-vp-token'\nimport type { ValidateOpenid4VpAuthorizationResponseResult } from './validate-authorization-response-result'\nimport type { Openid4vpAuthorizationResponse } from './z-authorization-response'\n\nexport interface ValidateOpenid4vpAuthorizationResponseOptions {\n authorizationRequestPayload:\n | Openid4vpAuthorizationRequest\n | Openid4vpAuthorizationRequestDcApi\n | Openid4vpAuthorizationRequestIae\n authorizationResponsePayload: Openid4vpAuthorizationResponse\n}\n\n/**\n * The following steps need to be performed outside of this library\n * - verifying the presentations\n * - validating the presentations against the presentation definition\n * - checking the revocation status of the presentations\n * - checking the nonce of the presentations matches the nonce of the request (for mdoc's)\n */\nexport function validateOpenid4vpAuthorizationResponsePayload(\n options: ValidateOpenid4vpAuthorizationResponseOptions\n): ValidateOpenid4VpAuthorizationResponseResult {\n const { authorizationRequestPayload, authorizationResponsePayload } = options\n\n if (authorizationRequestPayload.state && authorizationRequestPayload.state !== authorizationResponsePayload.state) {\n throw new Oauth2Error('OpenId4Vp Authorization Response state mismatch.')\n }\n\n // TODO: implement id_token handling\n if (authorizationResponsePayload.id_token) {\n throw new Oauth2Error('OpenId4Vp Authorization Response id_token is not 
supported.')\n }\n\n if (authorizationResponsePayload.presentation_submission) {\n if (!authorizationRequestPayload.presentation_definition) {\n throw new Oauth2Error('OpenId4Vp Authorization Request is missing the required presentation_definition.')\n }\n\n return {\n type: 'pex',\n pex: authorizationRequestPayload.scope\n ? {\n scope: authorizationRequestPayload.scope,\n presentationSubmission: authorizationResponsePayload.presentation_submission,\n presentations: parsePexVpToken(authorizationResponsePayload.vp_token),\n }\n : {\n presentationDefinition: authorizationRequestPayload.presentation_definition,\n presentationSubmission: authorizationResponsePayload.presentation_submission,\n presentations: parsePexVpToken(authorizationResponsePayload.vp_token),\n },\n }\n }\n\n if (authorizationRequestPayload.dcql_query) {\n const presentations = parseDcqlVpToken(authorizationResponsePayload.vp_token)\n\n return {\n type: 'dcql',\n dcql: authorizationRequestPayload.scope\n ? {\n scope: authorizationRequestPayload.scope,\n presentations,\n }\n : {\n query: authorizationRequestPayload.dcql_query,\n presentations,\n },\n }\n }\n\n throw new Oauth2Error(\n 'Invalid OpenId4Vp Authorization Response. 
Response neither contains a presentation_submission nor request contains a dcql_query.'\n )\n}\n","import { type CallbackContext, decodeJwtHeader, Oauth2Error, zCompactJwe, zCompactJwt } from '@openid4vc/oauth2'\nimport { parseWithErrorHandling } from '@openid4vc/utils'\nimport z from 'zod'\nimport type { Openid4vpAuthorizationRequest } from '../authorization-request/z-authorization-request'\nimport type { Openid4vpAuthorizationRequestDcApi } from '../authorization-request/z-authorization-request-dc-api'\nimport { verifyJarmAuthorizationResponse } from '../jarm/jarm-authorization-response/verify-jarm-authorization-response'\nimport { zJarmHeader } from '../jarm/jarm-authorization-response/z-jarm-authorization-response'\nimport { isJarmResponseMode } from '../jarm/jarm-response-mode'\nimport type { ParsedOpenid4vpAuthorizationResponse } from './parse-authorization-response'\nimport { parseOpenid4VpAuthorizationResponsePayload } from './parse-authorization-response-payload'\nimport { validateOpenid4vpAuthorizationResponsePayload } from './validate-authorization-response'\n\nexport interface ParseJarmAuthorizationResponseOptions {\n jarmResponseJwt: string\n authorizationRequestPayload: Openid4vpAuthorizationRequest | Openid4vpAuthorizationRequestDcApi\n callbacks: Pick<CallbackContext, 'decryptJwe' | 'verifyJwt'>\n\n expectedClientId: string\n}\n\nexport async function parseJarmAuthorizationResponse(\n options: ParseJarmAuthorizationResponseOptions\n): Promise<ParsedOpenid4vpAuthorizationResponse> {\n const { jarmResponseJwt, callbacks, authorizationRequestPayload, expectedClientId } = options\n\n const jarmAuthorizationResponseJwt = parseWithErrorHandling(\n z.union([zCompactJwt, zCompactJwe]),\n jarmResponseJwt,\n 'Invalid jarm authorization response jwt.'\n )\n\n const verifiedJarmResponse = await verifyJarmAuthorizationResponse({\n jarmAuthorizationResponseJwt,\n callbacks,\n expectedClientId,\n authorizationRequestPayload,\n })\n\n const { header: jarmHeader } = 
decodeJwtHeader({\n jwt: jarmAuthorizationResponseJwt,\n headerSchema: zJarmHeader,\n })\n\n const authorizationResponsePayload = parseOpenid4VpAuthorizationResponsePayload(\n verifiedJarmResponse.jarmAuthorizationResponse\n )\n const validateOpenId4vpResponse = validateOpenid4vpAuthorizationResponsePayload({\n authorizationRequestPayload: authorizationRequestPayload,\n authorizationResponsePayload: authorizationResponsePayload,\n })\n\n if (!authorizationRequestPayload.response_mode || !isJarmResponseMode(authorizationRequestPayload.response_mode)) {\n throw new Oauth2Error(\n `Invalid response mode for jarm response. Response mode: '${authorizationRequestPayload.response_mode ?? 'fragment'}'`\n )\n }\n\n return {\n ...validateOpenId4vpResponse,\n jarm: { ...verifiedJarmResponse, jarmHeader },\n\n expectedNonce: authorizationRequestPayload.nonce,\n authorizationResponsePayload,\n }\n}\n","import { type CallbackContext, Oauth2ServerErrorResponseError } from '@openid4vc/oauth2'\nimport type { Openid4vpAuthorizationRequest } from '../authorization-request/z-authorization-request'\nimport type { Openid4vpAuthorizationRequestDcApi } from '../authorization-request/z-authorization-request-dc-api'\nimport { getOpenid4vpClientId } from '../client-identifier-prefix/parse-client-identifier-prefix'\nimport type { VerifiedJarmAuthorizationResponse } from '../jarm/jarm-authorization-response/verify-jarm-authorization-response'\nimport type { JarmHeader } from '../jarm/jarm-authorization-response/z-jarm-authorization-response'\nimport { isJarmResponseMode } from '../jarm/jarm-response-mode'\nimport { parseOpenid4VpAuthorizationResponsePayload } from './parse-authorization-response-payload'\nimport { parseJarmAuthorizationResponse } from './parse-jarm-authorization-response'\nimport { validateOpenid4vpAuthorizationResponsePayload } from './validate-authorization-response'\nimport type { ValidateOpenid4VpAuthorizationResponseResult } from 
'./validate-authorization-response-result'\nimport type { Openid4vpAuthorizationResponse } from './z-authorization-response'\n\nexport interface ParseOpenid4vpAuthorizationResponseOptions {\n /**\n * The authorization response as received from the wallet, and can optionally still be encrypted.\n */\n authorizationResponse: Record<string, unknown>\n\n authorizationRequestPayload: Openid4vpAuthorizationRequest | Openid4vpAuthorizationRequestDcApi\n callbacks: Pick<CallbackContext, 'decryptJwe' | 'verifyJwt'>\n\n origin?: string\n}\n\nexport type ParsedOpenid4vpAuthorizationResponse = ValidateOpenid4VpAuthorizationResponseResult & {\n authorizationResponsePayload: Openid4vpAuthorizationResponse\n expectedNonce: string\n jarm?: VerifiedJarmAuthorizationResponse & {\n jarmHeader: JarmHeader\n }\n}\n\nexport async function parseOpenid4vpAuthorizationResponse(\n options: ParseOpenid4vpAuthorizationResponseOptions\n): Promise<ParsedOpenid4vpAuthorizationResponse> {\n const { authorizationResponse, callbacks, authorizationRequestPayload, origin } = options\n\n const expectedClientId = getOpenid4vpClientId({\n origin,\n responseMode: authorizationRequestPayload.response_mode,\n clientId: authorizationRequestPayload.client_id,\n legacyClientIdScheme: authorizationRequestPayload.client_id_scheme,\n })\n if (authorizationResponse.response) {\n return parseJarmAuthorizationResponse({\n jarmResponseJwt: authorizationResponse.response as string,\n callbacks,\n authorizationRequestPayload,\n expectedClientId: expectedClientId.effectiveClientId,\n })\n }\n\n const authorizationResponsePayload = parseOpenid4VpAuthorizationResponsePayload(authorizationResponse)\n\n const validatedOpenId4vpResponse = validateOpenid4vpAuthorizationResponsePayload({\n authorizationRequestPayload: authorizationRequestPayload,\n authorizationResponsePayload: authorizationResponsePayload,\n })\n\n if (authorizationRequestPayload.response_mode && isJarmResponseMode(authorizationRequestPayload.response_mode)) 
{\n throw new Oauth2ServerErrorResponseError(\n {\n error: 'invalid_request',\n error_description: 'Invalid response mode for openid4vp response. Expected jarm response.',\n },\n {\n status: 400,\n }\n )\n }\n\n return {\n ...validatedOpenId4vpResponse,\n expectedNonce: authorizationRequestPayload.nonce,\n\n authorizationResponsePayload,\n jarm: undefined,\n }\n}\n","import { type CallbackContext, Oauth2Error } from '@openid4vc/oauth2'\nimport { ContentType, createFetcher, URL } from '@openid4vc/utils'\n\ninterface JarmAuthorizationResponseSendOptions {\n authorizationRequestPayload: {\n response_uri?: string\n redirect_uri?: string\n }\n jarmAuthorizationResponseJwt: string\n callbacks: Pick<CallbackContext, 'fetch'>\n}\n\nexport const jarmAuthorizationResponseSend = (options: JarmAuthorizationResponseSendOptions) => {\n const { authorizationRequestPayload, jarmAuthorizationResponseJwt, callbacks } = options\n\n const responseEndpoint = authorizationRequestPayload.response_uri ?? authorizationRequestPayload.redirect_uri\n if (!responseEndpoint) {\n throw new Oauth2Error(`Either 'response_uri' or 'redirect_uri' MUST be present in the authorization request`)\n }\n\n const responseEndpointUrl = new URL(responseEndpoint)\n return handleDirectPostJwt(responseEndpointUrl, jarmAuthorizationResponseJwt, callbacks)\n}\n\nasync function handleDirectPostJwt(\n responseEndpoint: URL,\n responseJwt: string,\n callbacks: Pick<CallbackContext, 'fetch'>\n) {\n const response = await createFetcher(callbacks.fetch)(responseEndpoint, {\n method: 'POST',\n headers: { 'Content-Type': ContentType.XWwwFormUrlencoded },\n body: `response=${responseJwt}`,\n })\n\n return {\n responseMode: 'direct_post.jwt',\n response,\n } as const\n}\n","import { type CallbackContext, Oauth2Error } from '@openid4vc/oauth2'\nimport { ContentType, createFetcher, objectToQueryParams } from '@openid4vc/utils'\nimport type { Openid4vpAuthorizationRequest } from 
'../authorization-request/z-authorization-request'\nimport { jarmAuthorizationResponseSend } from '../jarm/jarm-authorization-response-send'\nimport type { Openid4vpAuthorizationResponse } from './z-authorization-response'\n\nexport interface SubmitOpenid4vpAuthorizationResponseOptions {\n authorizationRequestPayload: Pick<Openid4vpAuthorizationRequest, 'response_uri'>\n authorizationResponsePayload: Openid4vpAuthorizationResponse\n jarm?: { responseJwt: string }\n callbacks: Pick<CallbackContext, 'fetch'>\n}\n\nexport async function submitOpenid4vpAuthorizationResponse(options: SubmitOpenid4vpAuthorizationResponseOptions) {\n const { authorizationRequestPayload, authorizationResponsePayload, jarm, callbacks } = options\n const url = authorizationRequestPayload.response_uri\n\n if (jarm) {\n return jarmAuthorizationResponseSend({\n authorizationRequestPayload,\n jarmAuthorizationResponseJwt: jarm.responseJwt,\n callbacks,\n })\n }\n\n if (!url) {\n throw new Oauth2Error(\n 'Failed to submit OpenId4Vp Authorization Response. 
No redirect_uri or response_uri provided.'\n )\n }\n\n const fetch = createFetcher(callbacks.fetch)\n const encodedResponse = objectToQueryParams(authorizationResponsePayload)\n const submissionResponse = await fetch(url, {\n method: 'POST',\n body: encodedResponse.toString(),\n headers: {\n 'Content-Type': ContentType.XWwwFormUrlencoded,\n },\n })\n\n return {\n responseMode: 'direct_post',\n response: submissionResponse,\n }\n}\n","import { z } from 'zod'\nexport const zCredentialFormat = z.enum(['jwt_vc_json', 'ldp_vc', 'mso_mdoc', 'dc+sd-jwt', 'vc+sd-jwt'])\nexport type CredentialFormat = z.infer<typeof zCredentialFormat>\n","import { z } from 'zod'\nexport const zProofFormat = z.enum(['jwt_vp_json', 'ldc_vp', 'ac_vp', 'dc+sd-jwt', 'vc+sd-jwt', 'mso_mdoc'])\nexport type ProofFormat = z.infer<typeof zProofFormat>\n","import { z } from 'zod'\nimport { zClientIdPrefix, zUniformClientIdPrefix } from '../client-identifier-prefix/z-client-id-prefix'\nimport { zLegacyVpFormats, zVpFormatsSupported } from './z-vp-formats-supported'\n\nexport const zWalletMetadata = z.object({\n presentation_definition_uri_supported: z.optional(z.boolean()),\n\n // Up until draft 26 the legacy format was used\n vp_formats_supported: z.optional(zVpFormatsSupported.or(zLegacyVpFormats)),\n\n client_id_schemes_supported: z.optional(\n // client_id_schemes_supported was from before decentralized_identifier and openid_federation were defined\n z.array(zClientIdPrefix.exclude(['decentralized_identifier', 'openid_federation']))\n ),\n\n client_id_prefixes_supported: z.optional(z.array(zUniformClientIdPrefix)),\n\n request_object_signing_alg_values_supported: z.optional(z.array(z.string())),\n authorization_encryption_alg_values_supported: z.optional(z.array(z.string())),\n authorization_encryption_enc_values_supported: z.optional(z.array(z.string())),\n})\n\nexport type WalletMetadata = z.infer<typeof zWalletMetadata>\n","import type { CallbackContext } from '@openid4vc/oauth2'\nimport type { 
ParseOpenid4vpAuthorizationRequestOptions } from './authorization-request/parse-authorization-request-params'\nimport { parseOpenid4vpAuthorizationRequest } from './authorization-request/parse-authorization-request-params'\nimport {\n type ResolveOpenid4vpAuthorizationRequestOptions,\n resolveOpenid4vpAuthorizationRequest,\n} from './authorization-request/resolve-authorization-request'\nimport {\n type CreateOpenid4vpAuthorizationResponseOptions,\n createOpenid4vpAuthorizationResponse,\n} from './authorization-response/create-authorization-response'\nimport {\n type SubmitOpenid4vpAuthorizationResponseOptions,\n submitOpenid4vpAuthorizationResponse,\n} from './authorization-response/submit-authorization-response'\n\nexport interface Openid4vpClientOptions {\n /**\n * Callbacks required for the openid4vp client\n */\n callbacks: Omit<CallbackContext, 'generateRandom' | 'clientAuthentication'>\n}\n\nexport class Openid4vpClient {\n public constructor(private options: Openid4vpClientOptions) {}\n\n public parseOpenid4vpAuthorizationRequest(options: ParseOpenid4vpAuthorizationRequestOptions) {\n return parseOpenid4vpAuthorizationRequest(options)\n }\n\n public async resolveOpenId4vpAuthorizationRequest(\n options: Omit<ResolveOpenid4vpAuthorizationRequestOptions, 'callbacks'>\n ) {\n return resolveOpenid4vpAuthorizationRequest({ ...options, callbacks: this.options.callbacks })\n }\n\n public async createOpenid4vpAuthorizationResponse(\n options: Omit<CreateOpenid4vpAuthorizationResponseOptions, 'callbacks'>\n ) {\n return createOpenid4vpAuthorizationResponse({ ...options, callbacks: this.options.callbacks })\n }\n\n public async submitOpenid4vpAuthorizationResponse(\n options: Omit<SubmitOpenid4vpAuthorizationResponseOptions, 'callbacks'>\n ) {\n return submitOpenid4vpAuthorizationResponse({ ...options, callbacks: this.options.callbacks })\n }\n}\n","import {\n type CallbackContext,\n HashAlgorithm,\n Oauth2ErrorCodes,\n Oauth2ServerErrorResponseError,\n} from 
'@openid4vc/oauth2'\nimport { decodeUtf8String, encodeToBase64Url, type NonEmptyArray } from '@openid4vc/utils'\nimport { type ParsedTransactionDataEntry, parseTransactionData } from './parse-transaction-data'\n\nexport interface TransactionDataHashesCredentials {\n /**\n * credentialId is the pex input descriptor id\n * or dcql credential query id.\n *\n * The values must be an array of transaction data hashes\n */\n [credentialId: string]:\n | NonEmptyArray<{\n /**\n * The hashes of the transaction data\n */\n transaction_data_hashes: string[]\n\n /**\n * The transaction data hash alg. If not provided\n * in the presentation, the default value of sha256\n * is used.\n */\n transaction_data_hashes_alg?: string\n }>\n | undefined\n}\n\nexport interface VerifyTransactionDataOptions {\n transactionData: string[]\n credentials: TransactionDataHashesCredentials\n callbacks: Pick<CallbackContext, 'hash'>\n}\n\nexport async function verifyTransactionData(\n options: VerifyTransactionDataOptions\n): Promise<VerifiedTransactionDataEntry[]> {\n const parsedTransactionData = parseTransactionData({\n transactionData: options.transactionData,\n })\n\n const matchedEntries: Array<VerifiedTransactionDataEntry> = []\n for (const parsedEntry of parsedTransactionData) {\n const matchedEntry = await verifyTransactionDataEntry({\n entry: parsedEntry,\n callbacks: options.callbacks,\n credentials: options.credentials,\n })\n\n matchedEntries.push(matchedEntry)\n }\n\n return matchedEntries\n}\n\nexport interface VerifiedTransactionDataEntry {\n transactionDataEntry: ParsedTransactionDataEntry\n credentialId: string\n\n presentations: NonEmptyArray<{\n presentationIndex: number\n hash: string\n hashAlg: HashAlgorithm\n credentialHashIndex: number\n }>\n}\n\nasync function verifyTransactionDataEntry({\n entry,\n credentials,\n callbacks,\n}: {\n entry: ParsedTransactionDataEntry\n credentials: TransactionDataHashesCredentials\n callbacks: Pick<CallbackContext, 'hash'>\n}): 
Promise<VerifiedTransactionDataEntry> {\n const allowedAlgs = entry.transactionData.transaction_data_hashes_alg ?? ['sha-256']\n const supportedAlgs: HashAlgorithm[] = allowedAlgs.filter((alg): alg is HashAlgorithm =>\n Object.values(HashAlgorithm).includes(alg as HashAlgorithm)\n )\n\n const hashes: { [key in HashAlgorithm]?: string } = {}\n for (const alg of supportedAlgs) {\n hashes[alg] = encodeToBase64Url(await callbacks.hash(decodeUtf8String(entry.encoded), alg))\n }\n\n for (const credentialId of entry.transactionData.credential_ids) {\n const transactionDataHashesCredentials = credentials[credentialId]\n if (!transactionDataHashesCredentials) continue\n\n const presentations: VerifiedTransactionDataEntry['presentations'][number][] = []\n\n for (const transactionDataHashesCredential of transactionDataHashesCredentials) {\n const alg = transactionDataHashesCredential.transaction_data_hashes_alg ?? 'sha-256'\n const hash = hashes[alg as HashAlgorithm]\n const presentationIndex = transactionDataHashesCredentials.indexOf(transactionDataHashesCredential)\n\n if (!allowedAlgs.includes(alg)) {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidTransactionData,\n error_description: `Transaction data entry with index ${entry.transactionDataIndex} for presentation ${credentialId} with index ${presentationIndex} is hashed using alg '${alg}'. However transaction data only allows alg values ${allowedAlgs.join(', ')}.`,\n })\n }\n\n if (!hash) {\n // This is an error of this library.\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidTransactionData,\n error_description: `Transaction data entry with index ${entry.transactionDataIndex} for presentation ${credentialId} with index ${presentationIndex} is hashed using unsupported alg '${alg}'. This library only supports verification of transaction data hashes using alg values ${Object.values(HashAlgorithm).join(', ')}. 
Either verify the hashes outside of this library, or limit the allowed alg values to the ones supported by this library.`,\n })\n }\n\n const credentialHashIndex = transactionDataHashesCredential.transaction_data_hashes.indexOf(hash)\n\n if (credentialHashIndex === -1) {\n // No matches were found\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidTransactionData,\n error_description: `Transaction data entry with index ${entry.transactionDataIndex} for presentation ${credentialId} with index ${presentationIndex} does not have a matching hash in the transaction_data_hashes`,\n })\n }\n\n presentations.push({\n credentialHashIndex,\n hash,\n hashAlg: alg as HashAlgorithm,\n presentationIndex,\n })\n }\n\n return {\n transactionDataEntry: entry,\n credentialId,\n presentations: presentations as VerifiedTransactionDataEntry['presentations'],\n }\n }\n\n // No matches were found\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidTransactionData,\n error_description: `Transaction data entry with index ${entry.transactionDataIndex} does not have a matching hash in any of the submitted credentials`,\n })\n}\n","import type { CallbackContext } from '@openid4vc/oauth2'\nimport {\n type CreateOpenid4vpAuthorizationRequestOptions,\n createOpenid4vpAuthorizationRequest,\n} from './authorization-request/create-authorization-request'\nimport {\n type ParseOpenid4vpAuthorizationRequestOptions,\n parseOpenid4vpAuthorizationRequest,\n} from './authorization-request/parse-authorization-request-params'\nimport {\n type ParseOpenid4vpAuthorizationResponseOptions,\n parseOpenid4vpAuthorizationResponse,\n} from './authorization-response/parse-authorization-response'\nimport {\n type ValidateOpenid4vpAuthorizationResponseOptions,\n validateOpenid4vpAuthorizationResponsePayload,\n} from './authorization-response/validate-authorization-response'\nimport type { ParseTransactionDataOptions } from 
'./transaction-data/parse-transaction-data'\nimport { parseTransactionData } from './transaction-data/parse-transaction-data'\nimport { type VerifyTransactionDataOptions, verifyTransactionData } from './transaction-data/verify-transaction-data'\nimport { parseDcqlVpToken, parsePexVpToken } from './vp-token/parse-vp-token'\n\nexport interface Openid4vpVerifierOptions {\n /**\n * Callbacks required for the openid4vp verifier\n */\n callbacks: Omit<CallbackContext, 'generateRandom' | 'clientAuthentication'>\n}\n\nexport class Openid4vpVerifier {\n public constructor(private options: Openid4vpVerifierOptions) {}\n\n public async createOpenId4vpAuthorizationRequest(\n options: Omit<CreateOpenid4vpAuthorizationRequestOptions, 'callbacks'>\n ) {\n return createOpenid4vpAuthorizationRequest({ ...options, callbacks: this.options.callbacks })\n }\n\n public parseOpenid4vpAuthorizationRequestPayload(options: ParseOpenid4vpAuthorizationRequestOptions) {\n return parseOpenid4vpAuthorizationRequest(options)\n }\n\n public parseOpenid4vpAuthorizationResponse(options: ParseOpenid4vpAuthorizationResponseOptions) {\n return parseOpenid4vpAuthorizationResponse(options)\n }\n\n public validateOpenid4vpAuthorizationResponsePayload(options: ValidateOpenid4vpAuthorizationResponseOptions) {\n return validateOpenid4vpAuthorizationResponsePayload(options)\n }\n\n public parsePexVpToken(vpToken: unknown) {\n return parsePexVpToken(vpToken)\n }\n\n public parseDcqlVpToken(vpToken: unknown) {\n return parseDcqlVpToken(vpToken)\n }\n\n public parseTransactionData(options: ParseTransactionDataOptions) {\n return parseTransactionData(options)\n }\n\n /**\n * Verify transaction data against submitted credentials.\n *\n * NOTE: this expects transaction data based authorization based on hashes. This is the method defined\n * for SD-JWT VC, but for mDOCs it's much more generic. 
If you're using transaction data with mDOCs based\n * on hashes, you can extract the values from the DeviceResponse, otherwise you must verify the transaction data\n * manually.\n */\n public verifyTransactionData(options: Omit<VerifyTransactionDataOptions, 'callbacks'>) {\n return verifyTransactionData({\n ...options,\n callbacks: this.options.callbacks,\n })\n }\n}\n"],"mappings":";;;;;;;;AAkBA,MAAa,gDACX,YACG;CACH,MAAM,EAAE,QAAQ,8BAA8B;AAE9C,KAAI,CAAC,OAAO,gBAAgB,CAAC,OAAO,aAClC,OAAM,IAAI,+BAA+B;EACvC,OAAO,iBAAiB;EACxB,mBAAmB;EACpB,CAAC;AAGJ,KAAI,OAAO,gBAAgB,CAAC,CAAC,eAAe,kBAAkB,CAAC,MAAM,SAAS,SAAS,OAAO,cAAc,CAC1G,OAAM,IAAI,+BAA+B;EACvC,OAAO,iBAAiB;EACxB,mBAAmB,sHAAsH,OAAO;EACjJ,CAAC;AAGJ,KACE;EAAC,OAAO;EAA6B,OAAO;EAAyB,OAAO;EAAY,OAAO;EAAM,CAAC,OACpG,QACD,CAAC,SAAS,EAEX,OAAM,IAAI,+BAA+B;EACvC,OAAO,iBAAiB;EACxB,mBACE;EACH,CAAC;AAGJ,KAAI,OAAO,sBAAsB,CAAC,OAAO,YACvC,OAAM,IAAI,+BAA+B;EACvC,OAAO,iBAAiB;EACxB,mBACE;EACH,CAAC;AAGJ,KAAI,OAAO,sBAAsB,CAAC,CAAC,OAAO,OAAO,CAAC,SAAS,OAAO,mBAAmB,CACnF,OAAM,IAAI,+BAA+B;EACvC,OAAO,iBAAiB;EACxB,mBAAmB,wEAAwE,OAAO;EACnG,CAAC;AAGJ,KAAI,OAAO,eAAe,CAAC,UAAU,UAAU,OAAO,UAAU,CAAC,QAC/D,OAAM,IAAI,+BAA+B;EACvC,OAAO,iBAAiB;EACxB,mBACE;EACH,CAAC;AAGJ,KAAI,2BAA2B,iBAAiB,CAAC,OAAO,aACtD,OAAM,IAAI,+BAA+B;EACvC,OAAO,iBAAiB;EACxB,mBACE;EACH,CAAC;AAGJ,KAAI,2BAA2B,kBAAkB,OAAO,aACtD,OAAM,IAAI,+BAA+B;EACvC,OAAO,iBAAiB;EACxB,mBACE;EACH,CAAC;AAGJ,KAAI,OAAO,UAAU,WAAW,cAAc,IAAI,OAAO,UAAU,WAAW,UAAU,CACtF,OAAM,IAAI,+BAA+B;EACvC,OAAO,iBAAiB;EACxB,mBAAmB,oEAAoE,OAAO,UAAU,MAAM,IAAI,CAAC,GAAG,sDAAsD,OAAO;EACpL,CAAC;;;;;;;;AC/EN,MAAa,qDACX,YACG;CACH,MAAM,EAAE,QAAQ,cAAc,yBAAyB,WAAW;AAElE,KAAI,gBAAgB,CAAC,OAAO,iBAC1B,OAAM,IAAI,+BAA+B;EACvC,OAAO,iBAAiB;EACxB,mBAAmB;EACpB,CAAC;AAGJ,KAAI,CAAC,OAAO,yBAAyB,OAAO,WAAW,CAAC,OAAO,QAAQ,CAAC,WAAW,EACjF,OAAM,IAAI,+BAA+B;EACvC,OAAO,iBAAiB;EACxB,mBACE;EACH,CAAC;AAGJ,KAAI,OAAO,oBAAoB,CAAC,yBAAyB;AACvD,MAAI,CAAC,OACH,OAAM,IAAI,+BAA+B;GACvC,OAAO,iBAAiB;GACxB,mBAAmB;GACpB,CAAC;AAGJ,MAAI,CAAC,OAAO,iBAAiB,SAAS,OAAO,CAC3C,OAAM,IAAI
,+BAA+B;GACvC,OAAO,iBAAiB;GACxB,mBAAmB,mGAAmG,OAAO,iBAAiB,KAAK,KAAK;GACzJ,CAAC;;;;;;;;;;;;;;;;;ACtBR,MAAa,mDACX,YACG;CACH,MAAM,EAAE,QAAQ,cAAc,aAAa,iCAAiC;AAG5E,KAAI,gBAAgB,CAAC,OAAO,aAC1B,OAAM,IAAI,+BAA+B;EACvC,OAAO,iBAAiB;EACxB,mBAAmB;EACpB,CAAC;AAGJ,KAAI,CAAC,OAAO,WACV,OAAM,IAAI,+BAA+B;EACvC,OAAO,iBAAiB;EACxB,mBAAmB;EACpB,CAAC;AAGJ,KAAI,OAAO,gBAAgB,CAAC,8BAA8B;AACxD,MAAI,CAAC,YACH,OAAM,IAAI,+BAA+B;GACvC,OAAO,iBAAiB;GACxB,mBAAmB;GACpB,CAAC;AAGJ,MAAI,OAAO,iBAAiB,YAC1B,OAAM,IAAI,+BAA+B;GACvC,OAAO,iBAAiB;GACxB,mBAAmB;GACpB,CAAC;;;;;;ACnDR,MAAa,8BAA8B,EAAE,OAAO;CAClD,mCAAmC;CAEnC,sCAAsC,EAAE,SAAS,EAAE,OAAO,CAAC;CAC3D,sCAAsC,EAAE,SAAS,EAAE,OAAO,CAAC;CAC5D,CAAC;AAGF,MAAa,iCAAiC,EAAE,OAAO;CACrD,mCAAmC,EAAE,SAAS,EAAE,OAAO,CAAC;CACxD,sCAAsC,EAAE,QAAQ;CAEhD,sCAAsC,EAAE,SAAS,EAAE,QAAQ,CAAC;CAC7D,CAAC;AAGF,MAAa,iCAAiC,EAAE,OAAO;CACrD,mCAAmC,4BAA4B,MAAM;CACrE,sCAAsC,+BAA+B,MAAM;CAC3E,sCAAsC,+BAA+B,MAAM;CAC5E,CAAC;;;;AAMF,MAAa,sBAAsB,EAAE,OAAO;CAC1C,mCAAmC,EAAE,SAAS,4BAA4B,MAAM,kCAAkC;CAClH,sCAAsC,EAAE,SACtC,+BAA+B,MAAM,qCACtC;CACD,sCAAsC,EAAE,SACtC,+BAA+B,MAAM,qCACtC;CACF,CAAC;AAGF,MAAa,4BAA4B,oBAAoB,WAAW,oBAAoB;CAC1F,MAAM,mBAAmB,uBACvB,EAAE,MAAM;EAAC;EAAgC;EAA6B;EAA+B,CAAC,EACtG,iBACA,gCACD;CAED,MAAM,cAAc,+BAA+B,UAAU,iBAAiB;AAC9E,KAAI,YAAY,QACd,QAAO;EACL,MAAM;EACN,iBAAiB;GACf,GAAG,YAAY;GACf,sCAAsC,gBAAgB;GACvD;EACF;CAGH,MAAM,cAAc,+BAA+B,UAAU,iBAAiB;AAC9E,KAAI,YAAY,QACd,QAAO;EACL,MAAM;EACN,iBAAiB;GACf,GAAG,YAAY;GACf,sCAAsC,iBAAiB;GACxD;EACF;CAIH,MAAM,WAAW,4BAA4B,UAAU,iBAAiB;AACxE,KAAI,SAAS,QACX,QAAO;EACL,MAAM;EACN,iBAAiB;GACf,GAAG,SAAS;GACZ,mCAAmC,iBAAiB;GACrD;EACF;AAGH,OAAM,IAAI,YAAY,iDAAiD;EACvE;;;;ACjFF,MAAa,sBAAsB,EAEhC,OAAO;CACN,aAAa,EAAE,SACb,EACG,OAAO;EACN,qBAAqB,EAAE,SAAS,EAAE,MAAM,CAAC,EAAE,QAAQ,CAAC,EAAE,EAAE,QAAQ,CAAC,CAAC;EAClE,qBAAqB,EAAE,SAAS,EAAE,MAAM,CAAC,EAAE,QAAQ,CAAC,EAAE,EAAE,QAAQ,CAAC,CAAC;EACnE,CAAC,CACD,OAAO,CACX;CACD,aAAa,EAAE,SACb,EACG,OAAO,EACN,YAAY,EAAE,SAAS,EAAE,MAAM,CAAC,EAAE,QAAQ,CAAC,EAAE,EAAE,QAAQ,CAAC,CAAC,EAC1D,CAAC,CACD,OAAO,CACX;CACD,QAAQ,EAA
E,SACR,EACG,OAAO;EACN,mBAAmB,EAAE,SAAS,EAAE,MAAM,CAAC,EAAE,QAAQ,CAAC,EAAE,EAAE,QAAQ,CAAC,CAAC;EAChE,oBAAoB,EAAE,SAAS,EAAE,MAAM,CAAC,EAAE,QAAQ,CAAC,EAAE,EAAE,QAAQ,CAAC,CAAC;EAClE,CAAC,CACD,OAAO,CACX;CACD,UAAU,EAAE,SACV,EACG,OAAO;EAEN,0BAA0B,EAAE,SAAS,EAAE,MAAM,CAAC,EAAE,QAAQ,CAAC,EAAE,EAAE,QAAQ,CAAC,CAAC;EACvE,0BAA0B,EAAE,SAAS,EAAE,MAAM,CAAC,EAAE,QAAQ,CAAC,EAAE,EAAE,QAAQ,CAAC,CAAC;EAGvE,uBAAuB,EAAE,SAAS,EAAE,MAAM,CAAC,EAAE,QAAQ,CAAC,EAAE,EAAE,QAAQ,CAAC,CAAC;EACpE,uBAAuB,EAAE,SAAS,EAAE,MAAM,CAAC,EAAE,QAAQ,CAAC,EAAE,EAAE,QAAQ,CAAC,CAAC;EACrE,CAAC,CACD,OAAO,CACX;CACF,CAAC,CACD,OAAO,CAEP,SAAS,EAAE,OAAO,EAAE,CAAC,CAAC,OAAO,CAAC;AAIjC,MAAa,mBAAmB,EAAE,OAChC,EAAE,QAAQ,EACV,EACG,OAAO,EACN,sBAAsB,EAAE,SAAS,EAAE,MAAM,EAAE,QAAQ,CAAC,CAAC,EACtD,CAAC,CACD,OAAO,CACX;;;;AC/CD,MAAa,kBAAkB,EAC5B,OAAO;CAEN,UAAU,EAAE,KAAK,CAAC,UAAU;CAC5B,MAAM,EAAE,SAAS,QAAQ;CAGzB,YAAY,EAAE,SAAS,iBAAiB;CAGxC,sBAAsB,EAAE,SAAS,oBAAoB;CAGrD,yCAAyC,EAAE,SAAS,EAAE,MAAM,EAAE,QAAQ,CAAC,CAAC;CAExE,GAAG,oBAAoB;CAEvB,UAAU,UAAU,GAAG,SAAS,CAAC,UAAU;CAC3C,aAAa,EAAE,QAAQ,CAAC,UAAU;CACnC,CAAC,CACD,OAAO;;;;AC1BV,MAAM,uBAAuBA,IAAE,OAAO;CACpC,QAAQA,IAAE,QAAQ;CAClB,MAAMA,IAAE,OAAOA,IAAE,QAAQ,EAAEA,IAAE,SAAS,CAAC,CAAC,GAAGA,IAAE,QAAQ,CAAC;CACtD,gBAAgBA,IAAE,MAAMA,IAAE,QAAQ,CAAC,CAAC,UAAU;CAC/C,CAAC;AAEF,MAAa,wBAAwBA,IAAE,MAAM,qBAAqB;;;;ACHlE,MAAa,iCAAiC,EAC3C,OAAO;CACN,eAAe,EAAE,QAAQ,WAAW;CACpC,WAAW,EAAE,QAAQ;CACrB,cAAc,UAAU,UAAU;CAClC,cAAc,UAAU,UAAU;CAClC,aAAa,UAAU,UAAU;CACjC,oBAAoB,EAAE,SAAS,EAAE,QAAQ,CAAC;CAC1C,eAAe,EAAE,KAAK,CAAC,eAAe,kBAAkB,CAAC,CAAC,UAAU;CACpE,OAAO,EAAE,QAAQ;CACjB,cAAc,EAAE,QAAQ,CAAC,UAAU;CACnC,OAAO,EAAE,QAAQ,CAAC,UAAU;CAC5B,yBAAyB,EACtB,OAAO,EAAE,QAAQ,EAAE,EAAE,KAAK,CAAC,CAE3B,GAAG,cAAc,CACjB,UAAU;CACb,6BAA6B,UAAU,UAAU;CACjD,YAAY,EACT,OAAO,EAAE,QAAQ,EAAE,EAAE,KAAK,CAAC,CAE3B,GAAG,cAAc,CACjB,UAAU;CACb,iBAAiB,gBAAgB,UAAU;CAC3C,qBAAqB,UAAU,UAAU;CACzC,OAAO,EAAE,QAAQ,CAAC,UAAU;CAC5B,kBAAkB,EAAE,MAAM,EAAE,WAAW,CAAC,CAAC,UAAU;CACnD,aAAa,EAAE,MAAM,CAAC,EAAE,QAAQ,CAAC,EAAE,EAAE,QAAQ,CAAC,CAAC,UAAU;CACzD,kBAA
kB,EACf,KAAK;EACJ;EACA;EACA;EACA;EACA;EACA;EACA;EACA;EACD,CAAC,CACD,UAAU;CACb,uBAAuB,sBAAsB,UAAU;CACvD,eAAe,sBAAsB,UAAU;CAChD,CAAC,CACD,OAAO;AAGV,MAAa,8CAA8C,EACxD,KAAK,CACL,WAAW,QAAiB,OAAO,YAAY,IAAI,IAAI,IAAI,CAAC,aAAa,CAAC,CAC1E,KACC,EACG,OAAO;CACN,yBAAyB,cAAc,UAAU;CACjD,iBAAiB,cAAc,UAAU;CACzC,YAAY,cAAc,UAAU;CACpC,kBAAkB,cAAc,UAAU;CAC1C,uBAAuB,cAAc,UAAU;CAC/C,eAAe,cAAc,UAAU;CACxC,CAAC,CACD,OAAO,CACX;;;;AC7DH,MAAM,8BAA8B,EAAE,KAAK;CAAC;CAAU;CAAc;CAAkB;CAAa,CAAC;AACpG,MAAa,sCAAsC,+BAChD,KAAK;CACJ,eAAe;CACf,OAAO;CACP,yBAAyB;CACzB,iBAAiB;CACjB,kBAAkB;CAClB,YAAY;CACZ,aAAa;CACb,OAAO;CACP,uBAAuB;CACvB,eAAe;CAChB,CAAC,CACD,OAAO;CACN,WAAW,EAAE,SAAS,EAAE,QAAQ,CAAC;CACjC,kBAAkB,EAAE,MAAM,EAAE,QAAQ,CAAC,CAAC,UAAU;CAChD,eAAe;CAGf,kBAAkB,EAAE,OAAO,CAAC,UAAU;CACtC,OAAO,EAAE,OAAO,CAAC,UAAU;CAG5B,CAAC;AAIJ,SAAgB,6BACd,cACqE;AACrE,QACE,iBAAiB,UACjB,4BAA4B,QAAQ,SAAS,aAAoE;;AAIrH,SAAgB,qCACd,SAC+C;AAC/C,QAAO,6BAA6B,QAAQ,cAAc;;;;;;;;;ACnC5D,MAAM,4BAA4B,EAAE,KAAK,CAAC,YAAY,eAAe,CAAC;;;;;;;;;;;;;AActE,MAAa,oCAAoC,oCAC9C,KAAK;CACJ,eAAe;CACf,kBAAkB;CAElB,yBAAyB;CAC1B,CAAC,CACD,OAAO;CACN,eAAe;CAGf,YAAY,EAAE,OAAO,EAAE,QAAQ,EAAE,EAAE,KAAK,CAAC;CAIzC,cAAc,EAAE,QAAQ,CAAC,UAAU;CAGnC,kBAAkB,EACf,MACC,4GACD,CACA,UAAU;CACd,CAAC;AAIJ,SAAgB,2BACd,cACmE;AACnE,QACE,iBAAiB,UACjB,0BAA0B,QAAQ,SAAS,aAAkE;;AAIjH,SAAgB,mCACd,SAC6C;AAC7C,QAAO,2BAA2B,QAAQ,cAAc;;;;;;;;;;;;;;;;;;;;;;ACD1D,eAAsB,oCAAoC,SAAqD;CAC7G,MAAM,EAAE,KAAK,SAAS,gBAAgB,QAAQ,cAAc;CAE5D,IAAI;CAEJ,IAAI;AAIJ,KAAI,qCAAqC,QAAQ,4BAA4B,EAAE;AAC7E,gCAA8B,uBAC5B,qCACA,QAAQ,6BACR,yFACD;AAED,oDAAkD;GAChD,QAAQ;GACR,cAAc,QAAQ,IAAI;GAC1B,yBAAyB;GAC1B,CAAC;YACO,mCAAmC,QAAQ,4BAA4B,EAAE;AAClF,gCAA8B,uBAC5B,mCACA,QAAQ,6BACR,2FACD;AAED,kDAAgD;GAC9C,QAAQ;GACR,cAAc,QAAQ,IAAI;GAC1B,8BAA8B;GAC/B,CAAC;QACG;AACL,gCAA8B,uBAC5B,gCACA,QAAQ,6BACR,kFACD;AACD,+CAA6C;GAC3C,QAAQ;GACR,2BAA2B;GAC5B,CAAC;;AAGJ,KAAI,KAAK;AACP,yBAAuB,CAAC,IAAI,sBAAsB,MAC9C;GAAE,GAAG,IAAI;GAAsB,KAAK,IAAI;GAAY,GACpD,IAAI;EAER,MAAM,YAAY,MAAM,8BAA8B;GACpD,GAAG;GACH;GACA;GACA;GACD,CAAC;EAEF,MAAMC,QAA
M,IAAI,IAAI,OAAO;AAC3B,QAAI,SAAS,IAAI,IAAI,gBAAgB;GACnC,GAAGA,MAAI,aAAa,SAAS;GAC7B,GAAG,oBAAoB,UAAU,wBAAwB,CAAC,SAAS;GAEnE,GAAI,4BAA4B,mBAC5B,CAAC,CAAC,oBAAoB,4BAA4B,iBAAiB,CAAC,GACpE,EAAE;GACP,CAAC,CAAC,UAAU;AAEb,SAAO;GACL;GACA,4BAA4B,UAAU;GACtC,sBAAsBA,MAAI,UAAU;GACpC,KAAK;IAAE,GAAG;IAAK,GAAG;IAAW;GAC9B;;CAGH,MAAM,MAAM,IAAI,IAAI,OAAO;AAC3B,KAAI,SAAS,IAAI,IAAI,gBAAgB,CACnC,GAAG,IAAI,aAAa,SAAS,EAC7B,GAAG,oBAAoB,4BAA4B,CAAC,SAAS,CAC9D,CAAC,CAAC,UAAU;AAEb,QAAO;EACL;EACA,4BAA4B;EAC5B,sBAAsB,IAAI,UAAU;EACpC,KAAK;EACN;;;;;AC9IH,MAAa,oCAAoC,yBAAyB,OAAO,EAC/E,oBAAoB,EAAE,SAAS,EAAE,QAAQ,CAAC,EAC3C,CAAC;AAGF,SAAgB,0BACd,SAC6C;AAC7C,QAAO,aAAa,WAAW,iBAAiB;;;;;ACuClD,SAAgB,mCACd,SAKyC;CACzC,MAAM,EAAE,yBAAyB;CACjC,IAAI,WAAqC;CAEzC,IAAI;AACJ,KAAI,OAAO,yBAAyB,SAElC,KAAI,qBAAqB,SAAS,IAAI,EAAE;AACtC,WAAS,uBACP,6CACA,sBACA,wEACD;AACD,aAAW;QACN;AAEL,WADgB,UAAU,EAAE,KAAK,sBAAsB,CAAC,CACvC;AACjB,aAAW;;KAGb,UAAS;CAGX,MAAM,gBAAgB,uBACpBC,IAAE,MAAM;EACN;EACA;EACA;EACA;EACD,CAAC,EACF,OACD;AAED,KAAI,0BAA0B,cAAc,CAC1C,QAAO;EACL,MAAM;EACN;EACA,QAAQ;EACT;AAGH,KAAI,qCAAqC,cAAc,CACrD,QAAO;EACL,MAAM;EACN;EACA,QAAQ;EACT;AAGH,KAAI,mCAAmC,cAAc,CACnD,QAAO;EACL,MAAM;EACN;EACA,QAAQ;EACT;AAGH,QAAO;EACL,MAAM;EACN;EACA,QAAQ;EACT;;;;;ACpHH,eAAsB,qCAAqC,EACzD,iBACA,QAQC;AACD,QAAO,kBACL,MAAM,KACJ,OAAO,oBAAoB,WAAW,aAAa,gBAAgB,GAAG,iBACtE,cAAc,OACf,CACF;;;;;AChBH,MAAa,kBAAkB,EAAE,KAAK;CACpC;CACA;CACA;CAEA;CACA;CAEA;CACA;CAEA;CACA;CAEA;CAEA;CACA;CACD,CAAC;AAEF,MAAa,yBAAyB,gBAAgB,QAAQ;CAAC;CAAO;CAAS;CAAa,CAAC;AAK7F,MAAa,yCAAyC,EAAE,MACtD,CACE,EACG,OAAO,EAAE,SAAS,8BAA8B,CAAC,CACjD,SAAS,IAAI,CACb,WAAW,aAAa;CACvB,MAAM,aAAa,SAAS,QAAQ,IAAI;CACxC,MAAM,iBAAiB,SAAS,MAAM,GAAG,WAAW;CACpD,MAAM,qBAAqB,SAAS,MAAM,aAAa,EAAE;AAGzD,KAAI,mBAAmB,UAAU,iBAAiB,CAAC,kBACjD,QAAO,CAAC,SAAS,SAAS;AAG5B,KAAI,mBAAmB,SAAS,mBAAmB,UAAU,mBAAmB,QAC9E,QAAO,CAAC,gBAAgB,SAAS;AAGnC,QAAO,CAAC,gBAAgB,mBAAmB;EAC3C,CACD,KAAK,EAAE,MAAM,CAAC,gBAAgB,QAAQ,CAAC,iBAAiB,CAAC,EAAE,EAAE,QAAQ,CAAC,CAAC,CAAC,EAC3E,EACG,QAAQ,CACR,QAAQ,aAAa,SAAS,SAAS,IAAI,KAAK,MAAM,C
ACtD,WAAW,aAAa,CAAC,kBAAkB,SAAS,CAAU,CAClE,EACD,EACE,SAAS,yGAAyG,gBAAgB,QAAQ,CAAC,iBAAiB,CAAC,CAAC,QAAQ,KAAK,KAAK,IACjL,CACF;AAED,MAAa,2BAA2B,gBAAgB,WAAW,WACjE,WAAW,QACP,6BACA,WAAW,UACT,sBACA,WAAW,eACT,WACA,OACT;AAED,MAAa,wBAAwB,EAAE,KAAK;CAC1C;CACA;CACA;CACA;CACA;CACA;CACA;CACD,CAAC;AAIF,MAAa,wCAAwC,sBAClD,UAAU,CACV,QAAQ,iBAAiB,CACzB,WAAW,mBACV,mBAAmB,cACf,sBACA,mBAAmB,QACjB,6BACA,eACP;;;;;;;;;;AC2BH,SAAgB,qBAAqB,SA2CnC;CACA,MAAM,WAAW,EACf,UAAU,QAAQ,UACnB;CAED,MAAM,UAAU,QAAQ,WAAW;AAGnC,KAAI,6BAA6B,QAAQ,aAAa,EAAE;AACtD,MAAI,CAAC,QAAQ,UAAU;AACrB,OAAI,CAAC,QAAQ,OACX,OAAM,IAAI,+BAA+B;IACvC,OAAO,iBAAiB;IACxB,mBACE;IACH,CAAC;AAGJ,UAAO;IACL,gBAAgB;IAChB,yBAAyB;IACzB,oBAAoB,QAAQ;IAC5B,mBAAmB,WAAW,KAAK,UAAU,QAAQ,WAAW,cAAc,QAAQ;IACtF;IACD;;EAGH,MAAMC,sCAAoC,uCAAuC,UAAU,QAAQ,SAAS;AAC5G,MAAI,CAACA,oCAAkC,QACrC,OAAM,IAAI,+BAA+B;GACvC,OAAO,iBAAiB;GACxB,mBAAmB,6DAA6D,QAAQ,SAAS;GAClG,CAAC;EAGJ,MAAM,CAACC,kBAAgBC,wBAAsBF,oCAAkC;EAC/E,MAAMG,0BAAwB,yBAAyB,UAAUF,iBAAe;AAChF,MAAI,CAACE,wBAAsB,QACzB,OAAM,IAAI,+BAA+B;GACvC,OAAO,iBAAiB;GACxB,mBAAmB,6DAA6D,QAAQ,SAAS;GAClG,CAAC;AAGJ,SAAO;GACL,mBAAmB,QAAQ;GAC3B,yBAAyBF;GACzB;GAEA,gBAAgBE,wBAAsB;GACtC;GACD;;AAOH,KAAI,CAAC,QAAQ,SACX,OAAM,IAAI,+BAA+B;EACvC,OAAO,iBAAiB;EACxB,mBAAmB,8FAA8F,QAAQ,aAAa;EACvI,CAAC;AAIJ,KAAI,QAAQ,wBAAwB,CAAC,2BAA2B,QAAQ,aAAa,EAAE;EACrF,MAAM,uBAAuB,sCAAsC,UAAU,QAAQ,qBAAqB;AAC1G,MAAI,CAAC,qBAAqB,QACxB,OAAM,IAAI,+BAA+B;GACvC,OAAO,iBAAiB;GACxB,mBAAmB,0EAA0E,QAAQ,qBAAqB;GAC3H,CAAC;EAGJ,MAAM,iBAAiB,qBAAqB;AAE5C,SAAO;GACL,mBAAmB,QAAQ;GAC3B,oBAAoB,QAAQ;GAC5B;GACA,yBAA0B,QAAQ,wBAAwB;GAC1D,UAAU;IACR,GAAG;IACH,gBAAgB,QAAQ;IACzB;GACF;;CAGH,MAAM,oCAAoC,uCAAuC,UAAU,QAAQ,SAAS;AAC5G,KAAI,CAAC,kCAAkC,QACrC,OAAM,IAAI,+BAA+B;EACvC,OAAO,iBAAiB;EACxB,mBAAmB,6DAA6D,QAAQ,SAAS;EAClG,CAAC;CAGJ,MAAM,CAAC,gBAAgB,sBAAsB,kCAAkC;CAC/E,MAAM,wBAAwB,yBAAyB,UAAU,eAAe;AAChF,KAAI,CAAC,sBAAsB,QACzB,OAAM,IAAI,+BAA+B;EACvC,OAAO,iBAAiB;EACxB,mBAAmB,6DAA6D,QAAQ,SAAS;EAClG,CAAC;AAKJ,QAAO;EACL,mBAAmB,QAAQ;EAC3B,gBAAgB,sBAAsB;EACtC,yBAAyB;EACzB;EACA;EACD;;;;;AA
yBH,eAAsB,0BACpB,SACA,cACiC;CACjC,MAAM,EAAE,6BAA6B,KAAK,WAAW;CAGrD,MAAM,2BAA2B,EAC/B,kBAAkB,cAAc,oBAAoB,OAAO,OAAO,gBAAgB,QAAQ,EAC3F;CAED,MAAM,EAAE,oBAAoB,gBAAgB,mBAAmB,aAAa,qBAAqB;EAC/F,UAAU,4BAA4B;EACtC,sBAAsB,4BAA4B;EAClD,cAAc,4BAA4B;EAC1C;EACD,CAAC;AAEF,KAAI,CAAC,yBAAyB,iBAAiB,SAAS,eAAe,CACrE,OAAM,IAAI,+BAA+B;EACvC,OAAO,iBAAiB;EACxB,mBAAmB,yCAAyC,eAAe;EAC5E,CAAC;AAGJ,KAAI,mBAAmB,iBACrB,QAAO;EACL,QAAQ;EACR,YAAY;EACZ,WAAW;EACX;EACD;AAGH,KAAI,mBAAmB,qBAAqB;AAC1C,MAAI,CAAC,UAAU,UAAU,mBAAmB,CAAC,QAC3C,OAAM,IAAI,+BACR;GACE,OAAO,iBAAiB;GACxB,mBAAmB;GACpB,EACD,EACE,iBAAiB,wGAClB,CACF;AAGH,MAAI,CAAC,IACH,OAAM,IAAI,+BAA+B;GACvC,OAAO,iBAAiB;GACxB,mBAAmB;GACpB,CAAC;AAGJ,MAAI,IAAI,OAAO,WAAW,aACxB,OAAM,IAAI,+BAA+B;GACvC,OAAO,iBAAiB;GACxB,mBACE;GACH,CAAC;AAGJ,SAAO;GACL,QAAQ;GACR,YAAY;GACZ,WAAW;GACX;GACA,YAAY,4BAA4B;GACzC;;AAGH,KAAI,mBAAmB,gBAAgB;AACrC,MAAI,IACF,OAAM,IAAI,+BAA+B;GACvC,OAAO,iBAAiB;GACxB,mBAAmB;GACpB,CAAC;AAGJ,MACE,qCAAqC,4BAA4B,IACjE,mCAAmC,4BAA4B,CAE/D,OAAM,IAAI,+BAA+B;GACvC,OAAO,iBAAiB;GACxB,mBAAmB,+EAA+E,4BAA4B,cAAc;GAC7I,CAAC;AAGJ,MAAI,4BAA4B,gBAAgB,4BAA4B,iBAAiB,mBAC3F,OAAM,IAAI,+BAA+B;GACvC,OAAO,iBAAiB;GACxB,mBAAmB;GACpB,CAAC;AAGJ,MAAI,4BAA4B,gBAAgB,4BAA4B,iBAAiB,mBAC3F,OAAM,IAAI,+BAA+B;GACvC,OAAO,iBAAiB;GACxB,mBAAmB;GACpB,CAAC;AAGJ,SAAO;GACL,QAAQ;GACR,YAAY;GACZ,WAAW;GACX;GACA,gBAAgB,4BAA4B;GAC5C,aAAc,4BAA4B,gBAAgB,4BAA4B;GACvF;;AAGH,KAAI,mBAAmB,4BAA4B;AACjD,MAAI,CAAC,IACH,OAAM,IAAI,+BAA+B;GACvC,OAAO,iBAAiB;GACxB,mBAAmB;GACpB,CAAC;AAGJ,MAAI,IAAI,OAAO,WAAW,MACxB,OAAM,IAAI,+BAA+B;GACvC,OAAO,iBAAiB;GACxB,mBACE;GACH,CAAC;AAGJ,MAAI,CAAC,mBAAmB,WAAW,OAAO,CACxC,OAAM,IAAI,+BAA+B;GACvC,OAAO,iBAAiB;GACxB,mBAAmB;GACpB,CAAC;EAGJ,MAAM,CAAC,OAAO,IAAI,OAAO,OAAO,MAAM,IAAI;AAC1C,MAAI,uBAAuB,IACzB,OAAM,IAAI,+BAA+B;GACvC,OAAO,iBAAiB;GACxB,mBAAmB,kCAAkC,eAAe;GACrE,CAAC;AAGJ,SAAO;GACL,QAAQ;GACR,YAAY;GACZ,WAAW;GACX;GACA,gBAAgB,4BAA4B;GAC5C,QAAQ,IAAI,OAAO;GACpB;;AAGH,KAAI,mBAAmB,kBAAkB,mBAAmB,kBAAkB,mBAAmB,aAAa;AAC5G,MAAI,CAAC,IACH,OAAM,IAAI,+BAA+B;GACvC,OAAO,iBAAiB;GACxB,mBAAmB,
mCAAmC,eAAe;GACtE,CAAC;AAGJ,MAAI,IAAI,OAAO,WAAW,MACxB,OAAM,IAAI,+BAA+B;GACvC,OAAO,iBAAiB;GACxB,mBAAmB,+FAA+F,eAAe;GAClI,CAAC;AAGJ,MAAI,CAAC,QAAQ,UAAU,2BACrB,OAAM,IAAI,+BACR,EACE,OAAO,iBAAiB,aACzB,EACD,EACE,iBAAiB,+EAA+E,eAAe,qBAChH,CACF;AAGH,MAAI,mBAAmB,gBAAgB;GACrC,MAAM,EAAE,gBAAgB,QAAQ,UAAU,2BAA2B,IAAI,OAAO,IAAI,GAAG;AACvF,OAAI,CAAC,YAAY,SAAS,mBAAmB,CAC3C,OAAM,IAAI,+BAA+B;IACvC,OAAO,iBAAiB;IACxB,mBAAmB,0EAA0E,YAAY,KAAK,KAAK,CAAC,sCAAsC,mBAAmB;IAC9K,CAAC;AAGJ,OACE,CAAC,qCAAqC,4BAA4B,IAClE,CAAC,mCAAmC,4BAA4B,EAChE;IACA,MAAM,MAAM,4BAA4B,gBAAgB,4BAA4B;AACpF,QAAI,CAAC,OAAO,IAAI,IAAI,IAAI,CAAC,aAAa,mBACpC,OAAM,IAAI,+BAA+B;KACvC,OAAO,iBAAiB;KACxB,mBACE;KACH,CAAC;;aAGG,mBAAmB,gBAAgB;GAC5C,MAAM,EAAE,gBAAgB,QAAQ,UAAU,2BAA2B,IAAI,OAAO,IAAI,GAAG;AACvF,OAAI,CAAC,YAAY,SAAS,mBAAmB,CAC3C,OAAM,IAAI,+BAA+B;IACvC,OAAO,iBAAiB;IACxB,mBAAmB,0EAA0E,YAAY,KAAK,KAAK,CAAC,sCAAsC,mBAAmB;IAC9K,CAAC;AAGJ,OACE,CAAC,qCAAqC,4BAA4B,IAClE,CAAC,mCAAmC,4BAA4B,EAChE;IACA,MAAM,MAAM,4BAA4B,gBAAgB,4BAA4B;AACpF,QAAI,CAAC,OAAO,QAAQ,mBAClB,OAAM,IAAI,+BAA+B;KACvC,OAAO,iBAAiB;KACxB,mBACE;KACH,CAAC;;aAGG,mBAAmB,aAAa;GACzC,MAAM,WAAW,MAAM,qCAAqC;IAC1D,MAAM,QAAQ,UAAU;IACxB,iBAAiB,IAAI,OAAO,IAAI;IACjC,CAAC;AAEF,OAAI,aAAa,mBACf,OAAM,IAAI,+BAA+B;IACvC,OAAO,iBAAiB;IACxB,mBAAmB,wGAAwG,SAAS,qCAAqC,mBAAmB;IAC7L,CAAC;;AAIN,SAAO;GACL,QAAQ;GACR,YAAY;GACZ,WAAW;GACX;GACA,KAAK,IAAI,OAAO;GAChB,gBAAgB,4BAA4B;GAC7C;;AAGH,KAAI,mBAAmB,UAAU;AAC/B,MAAI,CAAC,qCAAqC,4BAA4B,CACpE,OAAM,IAAI,+BAA+B;GACvC,OAAO,iBAAiB;GACxB,mBAAmB;GACpB,CAAC;AAGJ,SAAO;GACL,QAAQ;GACR,YAAY;GACZ,WAAW;GACX;GACA,gBAAgB,4BAA4B;GAC7C;;AAGH,KAAI,mBAAmB,wBACrB;MAAI,CAAC,IACH,OAAM,IAAI,+BAA+B;GACvC,OAAO,iBAAiB;GACxB,mBAAmB;GACpB,CAAC;;AAIN,QAAO;EACL,QAAQ;EACR,gBAAgB,4BAA4B;EAC5C,YAAY;EACZ,WAAW;EACX;EACD;;;;;AChkBH,eAAsB,oBAAoB,SAGd;CAC1B,MAAM,EAAE,OAAO,sBAAsB;CAGrC,MAAM,EAAE,QAAQ,aAAa,MAFb,iBAAiB,MAAM,CAEI,iBAAiB,YAAY,MAAM,mBAAmB;EAC/F,QAAQ;EACR,SAAS,EACP,QAAQ,YAAY,MACrB;EACF,CAAC;AAEF,KAAI,CAAC,SAAS,GACZ,OAAM,IAAI,+BAA+B;EACvC,mBAAmB,kCAAkC,kBAAkB,6BAA6B,SAAS,OAAO;
EACpH,OAAO,iBAAiB;EACzB,CAAC;AAGJ,KAAI,CAAC,UAAU,CAAC,OAAO,QACrB,OAAM,IAAI,+BAA+B;EACvC,mBAAmB,iCAAiC,kBAAkB;EACtE,OAAO,iBAAiB;EACzB,CAAC;AAGJ,QAAO,OAAO;;;;;ACVhB,SAAgB,iCACd,SACwB;CACxB,MAAM,eAAuD,EAAE;AAG/D,KAAI,mCAAmC,QAAQ,CAC7C,cAAa,KAAK,CAAC,MAAM,IAAI,CAAC;AAIhC,KAAI,QAAQ,cACV,cAAa,KAAK,CAAC,MAAM,IAAI,CAAC;AAEhC,KAAI,QAAQ,sBACV,cAAa,KAAK,CAAC,KAAK,IAAI,CAAC;AAI/B,KACE,QAAQ,iBAAiB,sBAAsB,UAAU,yBACzD,QAAQ,iBAAiB,sBAAsB,UAAU,sBAEzD,cAAa,KAAK,CAAC,MAAM,GAAG,CAAC;AAG/B,KACE,QAAQ,iBAAiB,sBAAsB,UAAU,4BACzD,QAAQ,iBAAiB,sBAAsB,UAAU,yBAEzD,cAAa,KAAK,CAAC,KAAK,GAAG,CAAC;AAK9B,KAAI,QAAQ,iBAAiB,qBAC3B,cAAa,KAAK,CAAC,MAAM,GAAG,CAAC;AAE/B,KAAI,QAAQ,iBAAiB,WAC3B,cAAa,KAAK,CAAC,KAAK,GAAG,CAAC;AAI9B,KACE,QAAQ,WAAW,WAAW,qBAAqB,IACnD,QAAQ,WAAW,WAAW,4BAA4B,CAE1D,cAAa,KAAK,CAAC,MAAM,GAAG,CAAC;AAG/B,KAAI,QAAQ,WAAW,WAAW,OAAO,CACvC,cAAa,KAAK,CAAC,KAAK,GAAG,CAAC;AAG9B,KAAI,QAAQ,2BAA2B,QAAQ,4BAC7C,cAAa,KAAK,CAAC,KAAK,GAAG,CAAC;AAG9B,KAAI,QAAQ,sBACV,cAAa,KAAK,CAAC,MAAM,GAAG,CAAC;AAI/B,KAAI,QAAQ,WAAW,WAAW,gBAAgB,CAChD,cAAa,KAAK,CAAC,KAAK,GAAG,CAAC;AAG9B,KAAI,QAAQ,WAAW,WAAW,aAAa,CAC7C,cAAa,KAAK,CAAC,MAAM,GAAG,CAAC;AAG/B,KAAI,QAAQ,WAAW,WAAW,cAAc,CAC9C,cAAa,KAAK,CAAC,KAAK,GAAG,CAAC;AAG9B,KAAI,QAAQ,WAAW,WAAW,UAAU,CAC1C,cAAa,KAAK,CAAC,MAAM,GAAG,CAAC;AAI/B,KACE,qCAAqC,QAAQ,KAC5C,QAAQ,kBAAkB,gBAAgB,QAAQ,kBAAkB,mBACrE;AACA,eAAa,KAAK,CAAC,KAAK,GAAG,CAAC;AAC5B,eAAa,KAAK,CAAC,MAAM,GAAG,CAAC;;AAG/B,KACE,qCAAqC,QAAQ,KAC5C,QAAQ,kBAAkB,YAAY,QAAQ,kBAAkB,cAEjE,cAAa,KAAK,CAAC,MAAM,GAAG,CAAC;AAG/B,KAAI,qCAAqC,QAAQ,KAAK,QAAQ,oBAAoB,QAAQ,YACxF,cAAa,KAAK,CAAC,MAAM,GAAG,CAAC;AAK/B,KAAI,QAAQ,iBACV,cAAa,KAAK,CAAC,MAAM,GAAG,CAAC;AAG/B,KAAI,QAAQ,iBACV,cAAa,KAAK,CAAC,KAAK,GAAG,CAAC;AAO9B,KAAI,QAAQ,WAAW;EACrB,MAAM,aAAa,QAAQ,UAAU,QAAQ,IAAI;EACjD,MAAM,aAAa,QAAQ,UAAU,UAAU,GAAG,WAAW;EAC7D,MAAM,eAAe,gBAAgB,UAAU,WAAW;AAG1D,MAAI,aAAa,WAAW,aAAa,SAAS,SAAS,aAAa,SAAS,QAC/E,cAAa,KAAK,CAAC,MAAM,GAAG,CAAC;;AAOjC,KAAI,CAAC,QAAQ,UACX,cAAa,KAAK,CAAC,MAAM,GAAG,CAAC;AAK/B,KAAI,QAAQ,WACV,cAAa,KAAK,CAAC,MAAM,GAAG,CAAC;AAG/B,KAAI,QAAQ,oBAC
V,cAAa,KAAK,CAAC,KAAK,GAAG,CAAC;AAG9B,KAAI,qCAAqC,QAAQ,CAC/C,cAAa,KAAK,CAAC,MAAM,GAAG,CAAC;AAG/B,KAAI,QAAQ,sBAAsB,QAAQ,aACxC,cAAa,KAAK,CAAC,MAAM,GAAG,CAAC;AAK/B,KAAI,QAAQ,qBAAqB,uBAC/B,cAAa,KAAK,CAAC,MAAM,GAAG,CAAC;AAK/B,KAAI,QAAQ,qBAAqB,kBAAkB,QAAQ,qBAAqB,eAC9E,cAAa,KAAK,CAAC,MAAM,GAAG,CAAC;CAI/B,MAAM,mBAAmB,aAAa,QAAQ,CAAC,cAAc,aAAa,IAAI,CAAC,KAAK,CAAC,GAAG,aAAa,QAAQ;CAE7G,MAAM,sBAAsB,aAAa,QAAQ,CAAC,cAAc,aAAa,KAAK,CAAC,KAAK,CAAC,GAAG,aAAa,QAAQ;CAGjH,MAAM,yBACJ,iBAAiB,SAAS,IACrB,KAAK,IAAI,KAAK,IAAI,GAAG,iBAAiB,GAAG,GAAG,GAAG,GAC/C;CAGP,MAAM,wBACJ,oBAAoB,SAAS,IAAK,KAAK,IAAI,GAAG,oBAAoB,GAA+B;AAInG,KAAI,wBAAwB,uBAE1B,OAAM,IAAI,+BAA+B;EACvC,OAAO,iBAAiB;EACxB,mBAAmB,yIAAyI,sBAAsB,mCAAmC;EACtN,CAAC;AAGJ,QAAO;;;;;;;;;;;;;;;;AChMT,eAAsB,sBAAsB,SASxB;CAClB,MAAM,EAAE,YAAY,gBAAgB,QAAQ,QAAQ,UAAU;CAE9D,IAAI,cAAc,OAAO,WAAW;EAAE,iBAAiB,OAAO;EAAU,cAAc,OAAO;EAAO,GAAG;AACvG,KAAI,aAAa,iBAAiB,+CAA+C,mBAAmB,gBAAgB;EAElH,MAAM,EAAE,6CAA6C,GAAG,SAAS,YAAY;AAC7E,gBAAc;GAAE,GAAG;GAAa,iBAAiB,EAAE,GAAG,MAAM;GAAE;;CAGhE,MAAM,WAAW,MAAM,cAAc,MAAM,CAAC,YAAY;EACtD;EACA,MAAM,WAAW,SAAS,oBAAoB,OAAO,YAAY,EAAE,CAAC,GAAG;EACvE,SAAS;GACP,QAAQ,GAAG,YAAY,6BAA6B,IAAI,YAAY,IAAI;GACxE,gBAAgB,YAAY;GAC7B;EACF,CAAC,CAAC,YAAY;AACb,QAAM,IAAI,+BAA+B;GACvC,mBAAmB,6CAA6C,WAAW;GAC3E,OAAO,iBAAiB;GACzB,CAAC;GACF;AAEF,KAAI,CAAC,SAAS,GACZ,OAAM,IAAI,+BAA+B;EACvC,mBAAmB,6CAA6C,WAAW,6BAA6B,SAAS,OAAO;EACxH,OAAO,iBAAiB;EACzB,CAAC;AAGJ,QAAO,MAAM,SAAS,MAAM;;;;;;;;;;;;;ACa9B,eAAsB,iBAAiB,SAA+D;CACpG,MAAM,EAAE,WAAW,SAAS,EAAE,KAAK;CAEnC,MAAM,mBAAmB;EACvB,GAAG,QAAQ;EACX,GAAG,yBAAyB,QAAQ;EACrC;CAED,MAAM,SAAS,iBAAiB,UAAU,UAAU;CAGpD,MAAM,iBAA6C,iBAAiB,YAChE,gBAAgB,UAAU,iBAAiB,UAAU,MAAM,IAAI,CAAC,GAAG,CAAC,OACpE;CAEJ,MAAM,SAAS,iBAAiB,sBAAsB;AACtD,KAAI,WAAW,SAAS,WAAW,OACjC,OAAM,IAAI,+BAA+B;EACvC,OAAO,iBAAiB;EACxB,mBAAmB;EACpB,CAAC;CAGJ,MAAM,gBACJ,iBAAiB,WAChB,MAAM,sBAAsB;EAC3B,YAAY,iBAAiB;EAC7B;EACA;EACA;EACA,OAAO,UAAU;EAClB,CAAC;CAGJ,MAAM,EAAE,eAAe,SAAS,2BADC,YAAY,UAAU,cAAc,CAAC,UAElE,MAAM,kBAAkB;EAAE,KAAK;EAAe;EAAW,CAAC,GAC1D;EAAE,SAAS;
EAAe,eAAe;EAAW;AAGxD,KAAI,CADoB,YAAY,UAAU,uBAAuB,CAAC,QAEpE,OAAM,IAAI,+BAA+B;EACvC,OAAO,iBAAiB;EACxB,mBAAmB;EACpB,CAAC;CAGJ,MAAM,EAAE,6BAA6B,QAAQ,QAAQ,MAAM,uBAAuB;EAChF;EACA;EACD,CAAC;AACF,KAAI,CAAC,4BAA4B,UAC/B,OAAM,IAAI,+BAA+B;EACvC,OAAO,iBAAiB;EACxB,mBAAmB;EACpB,CAAC;AAIJ,KACE,CAAC,6BAA6B,4BAA4B,cAAc,IACxE,CAAC,2BAA2B,4BAA4B,cAAc,IACtE,iBAAiB,cAAc,4BAA4B,UAE3D,OAAM,IAAI,+BAA+B;EACvC,OAAO,iBAAiB;EACxB,mBAAmB;EACpB,CAAC;AAEJ,KACE,iBAAiB,oBACjB,iBAAiB,qBAAqB,4BAA4B,iBAElE,OAAM,IAAI,+BAA+B;EACvC,OAAO,iBAAiB;EACxB,mBAAmB;EACpB,CAAC;AAGJ,QAAO;EACL;EACA;EACA;EACA;EACA;EACD;;AAGH,eAAe,kBAAkB,SAA0E;CACzG,MAAM,EAAE,KAAK,cAAc;CAE3B,MAAM,EAAE,WAAW,UAAU,EAAE,KAAK,KAAK,CAAC;AAC1C,KAAI,CAAC,OAAO,IACV,OAAM,IAAI,+BAA+B;EACvC,OAAO,iBAAiB;EACxB,mBAAmB;EACpB,CAAC;CAGJ,MAAM,mBAAmB,MAAM,UAAU,WAAW,IAAI;AACxD,KAAI,CAAC,iBAAiB,UACpB,OAAM,IAAI,+BAA+B;EACvC,OAAO,iBAAiB;EACxB,mBAAmB;EACpB,CAAC;AAGJ,QAAO;;AAGT,eAAe,uBAAuB,SAGnC;CACD,MAAM,EAAE,wBAAwB,cAAc;CAE9C,MAAM,MAAM,UAAU;EAAE,KAAK;EAAwB,eAAe;EAA0B,CAAC;CAE/F,IAAI;CAEJ,MAAM,EAAE,mBAAmB,qBAAqB;EAC9C,cAAc,IAAI,QAAQ;EAC1B,UAAU,IAAI,QAAQ;EACtB,sBAAsB,IAAI,QAAQ;EACnC,CAAC;CAGF,MAAM,yBAA+E;EACnF,0BAA0B,CAAC,MAAM;EAEjC,kBAAkB;GAAC;GAAU;GAAO;GAAM;EAC1C,QAAQ,EAAE;EACV,cAAc,EAAE;EAGhB,sBAAsB;GAAC;GAAO;GAAc;GAAO;GAAO;GAAS;EAEnE,cAAc,CAAC,MAAM;EACrB,cAAc,CAAC,MAAM;EACrB,WAAW,CAAC,MAAM;EAGlB,mBAAmB,EAAE;EACtB;AAGD,KAAI,mBAAmB,qBAAqB;AAC1C,MAAI,CAAC,IAAI,OAAO,IACd,OAAM,IAAI,YACR,oGACD;AAGH,cAAY;GACV,QAAQ;GACR,KAAK,IAAI,OAAO;GAChB,YAAY,IAAI,QAAQ;GACxB,KAAK,IAAI,OAAO;GACjB;OAED,aAAY,iBAAiB;EAAE,GAAG;EAAK,sBAAsB,uBAAuB;EAAiB,CAAC;CAGxG,MAAM,EAAE,WAAW,MAAM,UAAU;EACjC,mBAAmB,UAAU;EAC7B,SAAS;EACT,QAAQ,IAAI;EACZ,SAAS,IAAI;EACb,QAAQ;EACT,CAAC;CAGF,MAAM,UAAU,iCAAiC,IAAI,QAAe;AACpE,KAAI,IAAI,OAAO,QAAQ,0CAA0C,WAAW,GAC1E,OAAM,IAAI,+BAA+B;EACvC,OAAO,iBAAiB;EACxB,mBAAmB,oFAAoF,IAAI,OAAO,IAAI;EACvH,CAAC;AAGJ,QAAO;EACL;EACA;EACA,6BAA6B,IAAI;EAClC;;;;;AC1PH,MAAa,oBAAoB,EAC9B,OAAO;CACN,MAAM,EAAE,QAAQ;CAChB,gBAAgB,EAAE,MAAM,CAAC,EAAE,QAAQ,CAAC,EAAE,EAAE,QAAQ,CAAC;CAGjD,6
BAA6B,EAAE,MAAM,CAAC,EAAE,QAAQ,CAAC,EAAE,EAAE,QAAQ,CAAC,CAAC,UAAU;CAC1E,CAAC,CACD,OAAO;AAGV,MAAa,mBAAmB,EAAE,MAAM,kBAAkB;;;;ACC1D,SAAgB,qBAAqB,SAAoE;CACvG,MAAM,EAAE,oBAAoB;CAE5B,MAAM,UAAU,gBAAgB,KAAK,YAAY,YAAY,mBAAmB,aAAa,QAAQ,CAAC,CAAC,CAAC;CAExG,MAAM,eAAe,iBAAiB,UAAU,QAAQ;AACxD,KAAI,CAAC,aAAa,QAChB,OAAM,IAAI,+BAA+B;EACvC,OAAO,iBAAiB;EACxB,mBAAmB;EACpB,CAAC;AAGJ,QAAO,aAAa,KAAK,KAAK,WAAS,WAAW;EAChD,iBAAiBC;EACjB,SAAS,gBAAgB;EACzB,sBAAsB;EACvB,EAAE;;;;;AC0CL,eAAsB,qCACpB,SACgD;CAChD,MAAM,EAAE,QAAQ,cAAc;CAE9B,IAAI;CAMJ,MAAM,SAAS,uBACbC,IAAE,MAAM;EACN;EACA;EACA;EACA;EACD,CAAC,EACF,QAAQ,6BACR,mHACD;CAED,IAAI;AACJ,KAAI,0BAA0B,OAAO,EAAE;AACrC,QAAM,MAAM,iBAAiB;GAC3B,kBAAkB;GAClB;GACA;GAEA,iBAAiB,QAAQ,aAAa,SAAS;GAChD,CAAC;AAQF,gCAA8B,6CAA6C;GACzE,6BAP2C,uBAC3CA,IAAE,MAAM;IAAC;IAAqC;IAAmC;IAA+B,CAAC,EACjH,IAAI,6BACJ,gGACD;GAIC;GACA,KAAK;GACL,cAAc,QAAQ;GACvB,CAAC;OAEF,+BAA8B,6CAA6C;EACzE,6BAA6B;EAC7B;EACA,KAAK;EAEL,cAAc,QAAQ;EACvB,CAAC;CAGJ,MAAM,UAAU,iCAAiC,4BAA4B;CAC7E,IAAI,iBAAiB,4BAA4B;AACjD,KACE,CAAC,qCAAqC,4BAA4B,IAClE,CAAC,mCAAmC,4BAA4B,IAChE,CAAC,kBACD,4BAA4B,oBAE5B,kBAAiB,MAAM,oBAAoB,EAAE,mBAAmB,4BAA4B,qBAAqB,CAAC;CAGpH,MAAM,aAAa,MAAM,0BAA0B;EACjD,6BAA6B;GAC3B,GAAG;GACH,iBAAiB;GAClB;EACD;EAEA;EACA,QAAQ,QAAQ,aAAa,SAAS,WAAW,QAAQ,aAAa,iBAAiB;EACvF;EACD,CAAC;CAEF,IAAI;CACJ,IAAI;AAEJ,KAAI,4BAA4B,2BAA2B,4BAA4B,6BAA6B;AAClH,MAAI,4BAA4B,4BAC9B,OAAM,IAAI,+BAA+B;GACvC,OAAO,iBAAiB;GACxB,mBAAmB;GACpB,CAAC;AAGJ,QAAM;GACJ,yBAAyB,4BAA4B;GACrD,6BAA6B,4BAA4B;GAC1D;;AAGH,KAAI,4BAA4B,WAC9B,QAAO,EAAE,OAAO,4BAA4B,YAAY;AAO1D,QAAO;EACL,iBALsB,4BAA4B,mBAChD,qBAAqB,EAAE,iBAAiB,4BAA4B,kBAAkB,CAAC,GACvF;EAIF;EACA;EACA,QAAQ;EACR;EACA;EACA;EACD;;AAqCH,SAAS,6CAA6C,SASnD;CACD,MAAM,EAAE,6BAA6B,QAAQ,KAAK,iBAAiB;AAEnE,KAAI,qCAAqC,4BAA4B,EAAE;AACrE,MAAI,aAAa,SAAS,SACxB,OAAM,IAAI,YACR,4CAA4C,4BAA4B,cAAc,+CAA+C,aAAa,KAAK,YACxJ;AAGH,oDAAkD;GAChD,QAAQ;GACR,cAAc;GACd,QAAQ,aAAa;GACtB,CAAC;AAEF,SAAO;;AAGT,KAAI,mCAAmC,4BAA4B,EAAE;AACnE,MAAI,aAAa,SAAS,MACxB,OAAM,IAAI,YACR,4CAA4C,4BAA4B,cAAc,+CAA+C,aAAa,KAAK,YAC
xJ;AAGH,kDAAgD;GAC9C,QAAQ;GACR,cAAc;GACd,aAAa,aAAa;GAC3B,CAAC;AAEF,SAAO;;AAGT,KAAI,aAAa,SAAS,cACxB,OAAM,IAAI,YACR,4CAA4C,4BAA4B,cAAc,+CAA+C,aAAa,KAAK,YACxJ;AAGH,8CAA6C;EAC3C,QAAQ;EACR,2BAA2B;EAC5B,CAAC;AACF,QAAO;;;;;ACxQT,SAAgB,iBAAiB,MAAY,SAAiB;AAC5D,QAAO,IAAI,KAAK,KAAK,SAAS,GAAG,UAAU,IAAK;;;;;ACQlD,eAAsB,gCAAgC,SAAiD;CACrG,MAAM,EAAE,2BAA2B,cAAc,WAAW,cAAc;AAC1E,KAAI,CAAC,aAAa,cAAc;EAC9B,MAAM,EAAE,QAAQ,MAAM,UAAU,WAAW,cAAc,KAAK,UAAU,0BAA0B,CAAC;AACnG,SAAO,EAAE,8BAA8B,KAAK;;AAG9C,KAAI,aAAa,CAAC,aAKhB,QAAO,EAAE,+BAJM,MAAM,UAAU,QAAQ,WAAW;EAChD,QAAQ,uBAAuB,UAAU;EACzC,SAAS;EACV,CAAC,EAC4C,KAAK;AAGrD,KAAI,CAAC,aAAa,CAAC,aACjB,OAAM,IAAI,YAAY,2EAA2E;CAEnG,MAAM,SAAS,MAAM,UAAU,QAAQ,WAAW;EAChD,QAAQ,uBAAuB,UAAU;EACzC,SAAS;EACV,CAAC;AAIF,QAAO,EAAE,+BAFS,MAAM,UAAU,WAAW,cAAc,OAAO,IAAI,EAErB,KAAK;;;;;AC1CxD,SAAgB,6BACd,MACA,EACE,KACA,sBAKF;AACA,KAAI,IACF,QAAO,KAAK,KAAK,MAAM,QAAQ,IAAI,QAAQ,IAAI;CAGjD,IAAI,cAAc,KAAK,KAAK,QAAQ,QAAQ,IAAI,OAAO,oBAAoB,SAAS,IAAI,IAAI,CAAC;AAC7F,KAAI,YAAY,WAAW,EAAG,eAAc,KAAK;CAEjD,IAAI,cAAc,YAAY,QAAQ,QAAQ,IAAI,QAAQ,MAAM;AAChE,KAAI,CAAC,YAAa,eAAc,YAAY,QAAQ,QAAQ,IAAI,QAAQ,MAAM;AAE9E,QAAO,YAAY,SAAS,IAAI,YAAY,KAAK,KAAK,KAAK;;;;;ACpB7D,MAAa,mBAAmB;CAC9B;CACA;CACA;CACA;CACA;CACA;CACD;AACD,MAAa,oBAAoB,EAAE,KAAK,iBAAiB;AAIzD,MAAa,sBAAsB,iBAA2D;AAC5F,QAAO,iBAAiB,SAAS,aAAiC;;;;;ACLpE,SAAgB,qBAAwB,SAAqC;CAC3E,MAAM,EAAE,cAAc,WAAW,WAAW;CAC5C,MAAM,eAAe,UAAU,MAAM,UAAU,UAAU,OAAO;AAEhE,KAAI,CAAC,aACH,OAAM,IAAI,YAAY,aAAa;AAGrC,QAAO;;AAGT,SAAgB,4BAA4B,SAGzC;CACD,MAAM,EAAE,gBAAgB,mBAAmB;CAC3C,MAAM,uBAAuB,0BAA0B,MAAM,eAAe;AAE5E,KAAI,qBAAqB,SAAS,kBAAkB,qBAAqB,SAAS,WAAW;AAC3F,MAAI,eAAe,8CACjB,sBAAqB;GACnB,WAAW,eAAe;GAC1B,QAAQ,qBAAqB,gBAAgB;GAC7C,cAAc;GACf,CAAC;AAGJ,MAAI,eAAe,8CACjB,sBAAqB;GACnB,WAAW,eAAe;GAC1B,QAAQ,qBAAqB,gBAAgB;GAC7C,cAAc;GACf,CAAC;;AAIN,KACE,eAAe,+CACd,qBAAqB,SAAS,UAAU,qBAAqB,SAAS,gBAEvE,sBAAqB;EACnB,WAAW,eAAe;EAC1B,QAAQ,qBAAqB,gBAAgB;EAC7C,cAAc;EACf,CAAC;AAGJ,QAAO;;;;;ACYT,eAAsB,qCACpB,SACqD;CACrD,MAAM,EAAE,6BAA6B,MAAM,WAAW,WAAW;CAEjE,MAAM,+BAA+B;EACnC,GAAG,QA
AQ;EACX,OAAO,4BAA4B;EACpC;CAED,MAAM,EAAE,mBAAmB,qBAAqB;EAC9C,cAAc,4BAA4B;EAC1C,UAAU,4BAA4B;EACtC,sBAAsB,4BAA4B;EAClD;EACD,CAAC;AAEF,KACE,4BAA4B,iBAC5B,mBAAmB,4BAA4B,cAAc,IAC7D,CAAC,KAED,OAAM,IAAI,YACR,uEAAuE,4BAA4B,cAAc,GAClH;AAGH,KAAI,CAAC,KACH,QAAO,EACL,8BACD;AAIH,KAAI,mBAAmB,uBAAuB,CAAC,QAAQ,eACrD,OAAM,IAAI,YACR,wMACD;CAGH,MAAM,iBAAiB,QAAQ,kBAAkB,4BAA4B;AAC7E,KAAI,CAAC,eACH,OAAM,IAAI,YAAY,iFAAiF;CAGzG,IAAI;AAEJ,KAAI,eAAe,KACjB,QAAO,eAAe;UACb,eAAe,SACxB,QAAO,MAAM,UAAU,eAAe,UAAU,QAAQ,UAAU,MAAM;KAExE,OAAM,IAAI,+BAA+B;EACvC,OAAO,iBAAiB;EACxB,mBAAmB;EACpB,CAAC;AAGJ,KACE,eAAe,wCACf,eAAe,wCACf,eAAe,kCAEf,6BAA4B;EACV;EAChB,gBAAgB,KAAK;EACtB,CAAC;CAGJ,MAAM,SAEJ,MAAM,YAAY,OAClB,6BAA6B,MAAM,EACjC,oBACE,KAAK,eAAe,kDACnB,eAAe,uCACZ,CAAC,eAAe,qCAAqC,GACrD,SACP,CAAC;AAEJ,KAAI,CAAC,OACH,OAAM,IAAI,+BAA+B;EACvC,OAAO,iBAAiB;EACxB,mBACE;EACH,CAAC;CAGJ,IAAI;AACJ,KAAI,eAAe,wCAEjB,OACE,KAAK,eAAe,8CAA8C,MAAM,UACtE,eAAe,yCAAyC,SAASC,MAAI,CACtE,IAAI,eAAe,wCAAwC;KAG9D,OAAM,eAAe,wCAAwC;AAG/D,sBAAqB;EACnB,QAAQ;EACR,WAAW,KAAK,eAAe;EAC/B,cAAc,uBAAuB,IAAI,yBAAyB,KAAK,eAAe,8CAA8C,KAAK,KAAK;EAC/I,CAAC;CAEF,MAAM,MAAM,OAAO,OAAO,eAAe,wCAAwC;AACjF,sBAAqB;EACnB,QAAQ;EACR,WAAW,KAAK,eAAe;EAC/B,cAAc,uBAAuB,IAAI,yBAAyB,KAAK,eAAe,8CAA8C,KAAK,KAAK;EAC/I,CAAC;CAKF,IAAI;AACJ,KAAI,MAAM,WAAW;AACnB,MAAI,CAAC,KAAK,oBACR,OAAM,IAAI,+BAA+B;GACvC,OAAO,iBAAiB;GACxB,mBAAmB;GACpB,CAAC;AAGJ,MAAI,CAAC,KAAK,SACR,OAAM,IAAI,+BAA+B;GACvC,OAAO,iBAAiB;GACxB,mBAAmB;GACpB,CAAC;AAGJ,yBAAuB;GACrB,KAAK,KAAK;GACV,KAAK,KAAK;GACV,KAAK,KAAK,oBAAoB,cAAc,iCAAiB,IAAI,MAAM,EAAE,IAAQ,CAAC;GACnF;;CAGH,MAAM,sBAAsB;EAC1B,GAAG;EACH,GAAG;EACJ;AAqBD,QAAO;EACL,8BAA8B;EAC9B,MAAM;GAAE,cArBK,MAAM,gCAAgC;IACnD,2BAA2B;IAC3B,WAAW,MAAM;IACjB,cAAc,MAAM,aAChB;KACE,QAAQ;KACR,WAAW;KACX,KAAK,KAAK,WAAW,QAAQ,kBAAkB,KAAK,WAAW,MAAM,GAAG;KACxE,KAAK,kBAAkB,4BAA4B,MAAM;KACzD;KACA;KACD,GACD;IACJ,WAAW;KACT,SAAS,UAAU;KACnB,YAAY,UAAU;KACvB;IACF,CAAC,EAI4B;GAA8B,eAAe;GAAQ;EAClF;;;;;ACzOH,MAAa,6BAA6B,EAAE,OAAO,EAAE,QAAQ,EAAE,EAAE,KAAK,CAAC;AACvE,MAAa,6BAA6B,EAAE,OAAO,EAAE,
QAAQ,EAAE,EAAE,KAAK,CAAC;;;;ACDvE,MAAM,4BAA4B,EAAE,MAAM,CAAC,EAAE,QAAQ,EAAE,EAAE,OAAO,EAAE,QAAQ,EAAE,EAAE,KAAK,CAAC,CAAC,EAAE,EACrF,SAAS,wDACV,CAAC;AAGF,MAAa,cAAc,EAAE,MAC3B,CACE,2BACA,EAAE,MAAM,CAAC,0BAA0B,EAAE,2BAA2B,6CAA6C,CAC9G,EACD,EACE,SAAS,mFACV,CACF;AAGD,MAAa,eAAe,EAAE,OAC5B,EAAE,QAAQ,EACV,EAAE,MAAM,CAAC,EAAE,MAAM,CAAC,0BAA0B,EAAE,0BAA0B,EAAE,0BAA0B,CAAC,EACrG,EACE,SACE,iKACH,CACF;AAGD,MAAa,WAAW,aAAa,GAAG,YAAY;;;;ACvBpD,MAAa,kCAAkC,EAC5C,OAAO;CACN,OAAO,EAAE,QAAQ,CAAC,UAAU;CAC5B,UAAU,EAAE,QAAQ,CAAC,UAAU;CAC/B,UAAU;CACV,yBAAyB,2BAA2B,GAAG,cAAc,CAAC,UAAU;CAChF,eAAe,EAAE,QAAQ,CAAC,UAAU;CACpC,YAAY,EAAE,QAAQ,CAAC,UAAU;CACjC,cAAc,EAAE,QAAQ,CAAC,UAAU;CACnC,YAAY,EAAE,OAAO,QAAQ,CAAC,UAAU;CACzC,CAAC,CACD,OAAO;;;;ACbV,SAAgB,2CAA2C,SAAkC;AAC3F,QAAO,uBACL,iCACA,SACA,oDACD;;;;;ACLH,MAAa,cAAc,EAAE,OAAO;CAAE,GAAG,WAAW;CAAO,KAAK,EAAE,QAAQ,CAAC,UAAU;CAAE,KAAK,EAAE,QAAQ,CAAC,UAAU;CAAE,CAAC;AAGpH,MAAa,6BAA6B,EACvC,OAAO;CAMN,GAAG,YAAY;CACf,GAAG,YAAY,KAAK;EAAE,KAAK;EAAM,KAAK;EAAM,KAAK;EAAM,CAAC,CAAC,UAAU,CAAC;CACpE,OAAO,EAAE,SAAS,EAAE,QAAQ,CAAC;CAC9B,CAAC,CACD,OAAO;AAIV,MAAa,0CAA0C,EACpD,OAAO;CACN,GAAG,YAAY;CACf,OAAO,EAAE,SAAS,EAAE,QAAQ,CAAC;CAC9B,CAAC,CACD,OAAO;;;;AClBV,MAAa,qCAAqC,YAG5C;CACJ,MAAM,EAAE,kBAAkB,0BAA0B;AAGpD,KAAI,CAAC,2BAA2B,UAAU,sBAAsB,CAAC,QAC/D;AAIF,KACG,MAAM,QAAQ,sBAAsB,IAAI,IAAI,CAAC,sBAAsB,IAAI,SAAS,iBAAiB,IACjG,OAAO,sBAAsB,QAAQ,YAAY,sBAAsB,QAAQ,iBAEhF,OAAM,IAAI,YACR,iEACE,iBACD,cAAc,KAAK,UAAU,sBAAsB,IAAI,CAAC,IAC1D;AAKH,KAAI,sBAAsB,QAAQ,UAAa,sBAAsB,MAAM,eAAe,CACxF,OAAM,IAAI,YAAY,iCAAiC;;;;;ACV3D,IAAY,gDAAL;AACL;AACA;AACA;;;;;;;;;;AAUF,MAAM,sCAAsC,OAAO,YAI7C;CACJ,MAAM,EAAE,8BAA8B,WAAW,gCAAgC;CAEjF,IAAI;CACJ,MAAM,EAAE,WAAW,gBAAgB,EACjC,KAAK,8BACN,CAAC;AAKF,KAAI,4BAA4B,iBAAiB,KAI/C,iBAAgB,6BAA6B,4BAA4B,gBAAgB,MAAM;EAE7F,KAAK,OAAO;EAGZ,oBAAoB,4BAA4B,gBAAgB,uCAC5D,CAAC,4BAA4B,gBAAgB,qCAAqC,GAClF;EACL,CAAC;CAGJ,MAAM,SAAS,MAAM,UAAU,WAAW,8BAA8B,EAAE,KAAK,eAAe,CAAC;AAC/F,KAAI,CAAC,OAAO,UACV,OAAM,IAAI,YAAY,wCAAwC;AAGhE,QAAO;EACL,eAAe,OAAO;EACtB,SAAS,OAAO;EACjB;;;;;;;AA
yBH,eAAsB,gCAAgC,SAAiD;CACrG,MAAM,EAAE,8BAA8B,WAAW,kBAAkB,gCAAgC;CAEnG,MAAM,yBAAyB,YAAY,UAAU,6BAA6B,CAAC;CACnF,MAAM,uBAAuB,yBACzB,MAAM,oCAAoC;EACxC;EACA;EACA;EACD,CAAC,GACF;EAAE,SAAS;EAA8B,eAAe;EAAW;CAEvE,MAAM,mBAAmB,YAAY,UAAU,qBAAqB,QAAQ,CAAC;AAC7E,KAAI,CAAC,0BAA0B,CAAC,iBAC9B,OAAM,IAAI,YAAY,gFAAgF;CAGxG,IAAI;AAEJ,KAAI,kBAAkB;EACpB,MAAM,EAAE,QAAQ,oBAAoB,SAAS,eAAe,UAAU;GACpE,KAAK,qBAAqB;GAC1B,cAAcC,IAAE,OAAO;IAAE,GAAG,WAAW;IAAO,KAAKA,IAAE,QAAQ;IAAE,CAAC;GACjE,CAAC;EAEF,MAAM,WAAW,2BAA2B,MAAM,WAAW;EAC7D,MAAM,YAAY,iBAAiB;GAAE,QAAQ;GAAoB,SAAS;GAAY,CAAC;AAQvF,MAAI,EANuB,MAAM,QAAQ,UAAU,UAAU,WAAW;GACtE,SAAS,qBAAqB;GAC9B,QAAQ;GACR,SAAS;GACV,CAAC,EAEsB,SACtB,OAAM,IAAI,YAAY,mCAAmC;AAG3D,8BAA4B;QACvB;EACL,MAAM,kBAAkB,8BACtB,qBAAqB,SACrB,kDACD;AACD,8BAA4B,wCAAwC,MAAM,gBAAgB;;AAG5F,mCAAkC;EAChC;EACA,uBAAuB;EACxB,CAAC;CACF,MAAM,OACJ,0BAA0B,mBACtB,SAAS,kBACT,yBACE,SAAS,YACT,SAAS;CAEjB,MAAM,SAAS,0BAA0B;AACzC,QAAO;EACL;EACA;EACA;EACA,eAAe,qBAAqB;EACrC;;;;;ACjKH,SAAgB,gBAAgB,SAA6E;CAC3G,MAAM,gBAAgB,uBACpB,aACA,YAAY,QAAQ,EACpB,2FACD;AAED,QAAO,MAAM,QAAQ,cAAc,GAC9B,gBACD,CAAC,cAAc;;AAGrB,SAAgB,iBACd,SAC2E;CAC3E,MAAM,gBAAgB,uBACpB,cACA,YAAY,QAAQ,EACpB,+FACD;AAED,QAAO,OAAO,YACZ,OAAO,QAAQ,cAAc,CAAC,KAAK,CAAC,SAAS,mBAAmB,CAC9D,SACA,MAAM,QAAQ,cAAc,GACvB,gBACD,CAAC,cAAc,CACpB,CAAC,CACH;;;;;;;;;;;;ACRH,SAAgB,8CACd,SAC8C;CAC9C,MAAM,EAAE,6BAA6B,iCAAiC;AAEtE,KAAI,4BAA4B,SAAS,4BAA4B,UAAU,6BAA6B,MAC1G,OAAM,IAAI,YAAY,mDAAmD;AAI3E,KAAI,6BAA6B,SAC/B,OAAM,IAAI,YAAY,8DAA8D;AAGtF,KAAI,6BAA6B,yBAAyB;AACxD,MAAI,CAAC,4BAA4B,wBAC/B,OAAM,IAAI,YAAY,mFAAmF;AAG3G,SAAO;GACL,MAAM;GACN,KAAK,4BAA4B,QAC7B;IACE,OAAO,4BAA4B;IACnC,wBAAwB,6BAA6B;IACrD,eAAe,gBAAgB,6BAA6B,SAAS;IACtE,GACD;IACE,wBAAwB,4BAA4B;IACpD,wBAAwB,6BAA6B;IACrD,eAAe,gBAAgB,6BAA6B,SAAS;IACtE;GACN;;AAGH,KAAI,4BAA4B,YAAY;EAC1C,MAAM,gBAAgB,iBAAiB,6BAA6B,SAAS;AAE7E,SAAO;GACL,MAAM;GACN,MAAM,4BAA4B,QAC9B;IACE,OAAO,4BAA4B;IACnC;IACD,GACD;IACE,OAAO,4BAA4B;IACnC;IACD;GACN;;AAGH,OAAM,IAAI,YACR,mIACD;;;;;ACzDH,eAAsB,+BACpB,SAC+C;CAC/C,MAAM,EAAE,iBAAiB,WAAW,6BAA6B,
qBAAqB;CAEtF,MAAM,+BAA+B,uBACnCC,IAAE,MAAM,CAAC,aAAa,YAAY,CAAC,EACnC,iBACA,2CACD;CAED,MAAM,uBAAuB,MAAM,gCAAgC;EACjE;EACA;EACA;EACA;EACD,CAAC;CAEF,MAAM,EAAE,QAAQ,eAAe,gBAAgB;EAC7C,KAAK;EACL,cAAc;EACf,CAAC;CAEF,MAAM,+BAA+B,2CACnC,qBAAqB,0BACtB;CACD,MAAM,4BAA4B,8CAA8C;EACjD;EACC;EAC/B,CAAC;AAEF,KAAI,CAAC,4BAA4B,iBAAiB,CAAC,mBAAmB,4BAA4B,cAAc,CAC9G,OAAM,IAAI,YACR,4DAA4D,4BAA4B,iBAAiB,WAAW,GACrH;AAGH,QAAO;EACL,GAAG;EACH,MAAM;GAAE,GAAG;GAAsB;GAAY;EAE7C,eAAe,4BAA4B;EAC3C;EACD;;;;;AC9BH,eAAsB,oCACpB,SAC+C;CAC/C,MAAM,EAAE,uBAAuB,WAAW,6BAA6B,WAAW;CAElF,MAAM,mBAAmB,qBAAqB;EAC5C;EACA,cAAc,4BAA4B;EAC1C,UAAU,4BAA4B;EACtC,sBAAsB,4BAA4B;EACnD,CAAC;AACF,KAAI,sBAAsB,SACxB,QAAO,+BAA+B;EACpC,iBAAiB,sBAAsB;EACvC;EACA;EACA,kBAAkB,iBAAiB;EACpC,CAAC;CAGJ,MAAM,+BAA+B,2CAA2C,sBAAsB;CAEtG,MAAM,6BAA6B,8CAA8C;EAClD;EACC;EAC/B,CAAC;AAEF,KAAI,4BAA4B,iBAAiB,mBAAmB,4BAA4B,cAAc,CAC5G,OAAM,IAAI,+BACR;EACE,OAAO;EACP,mBAAmB;EACpB,EACD,EACE,QAAQ,KACT,CACF;AAGH,QAAO;EACL,GAAG;EACH,eAAe,4BAA4B;EAE3C;EACA,MAAM;EACP;;;;;AClEH,MAAa,iCAAiC,YAAkD;CAC9F,MAAM,EAAE,6BAA6B,8BAA8B,cAAc;CAEjF,MAAM,mBAAmB,4BAA4B,gBAAgB,4BAA4B;AACjG,KAAI,CAAC,iBACH,OAAM,IAAI,YAAY,wFAAwF;AAIhH,QAAO,oBADqB,IAAI,IAAI,iBAAiB,EACL,8BAA8B,UAAU;;AAG1F,eAAe,oBACb,kBACA,aACA,WACA;AAOA,QAAO;EACL,cAAc;EACd,UARe,MAAM,cAAc,UAAU,MAAM,CAAC,kBAAkB;GACtE,QAAQ;GACR,SAAS,EAAE,gBAAgB,YAAY,oBAAoB;GAC3D,MAAM,YAAY;GACnB,CAAC;EAKD;;;;;ACzBH,eAAsB,qCAAqC,SAAsD;CAC/G,MAAM,EAAE,6BAA6B,8BAA8B,MAAM,cAAc;CACvF,MAAM,MAAM,4BAA4B;AAExC,KAAI,KACF,QAAO,8BAA8B;EACnC;EACA,8BAA8B,KAAK;EACnC;EACD,CAAC;AAGJ,KAAI,CAAC,IACH,OAAM,IAAI,YACR,+FACD;AAaH,QAAO;EACL,cAAc;EACd,UAVyB,MAFb,cAAc,UAAU,MAAM,CAEL,KAAK;GAC1C,QAAQ;GACR,MAHsB,oBAAoB,6BAA6B,CAGjD,UAAU;GAChC,SAAS,EACP,gBAAgB,YAAY,oBAC7B;GACF,CAAC;EAKD;;;;;AC3CH,MAAa,oBAAoB,EAAE,KAAK;CAAC;CAAe;CAAU;CAAY;CAAa;CAAY,CAAC;;;;ACAxG,MAAa,eAAe,EAAE,KAAK;CAAC;CAAe;CAAU;CAAS;CAAa;CAAa;CAAW,CAAC;;;;ACG5G,MAAa,kBAAkB,EAAE,OAAO;CACtC,uCAAuC,EAAE,SAAS,EAAE,SAAS,CAAC;CAG9D,sBAAsB,EAAE,SAAS,oBAAoB,GAAG,iBAAiB,CAAC;CAE1E,6BAA6B,EAAE,SAE7B,EAAE,
MAAM,gBAAgB,QAAQ,CAAC,4BAA4B,oBAAoB,CAAC,CAAC,CACpF;CAED,8BAA8B,EAAE,SAAS,EAAE,MAAM,uBAAuB,CAAC;CAEzE,6CAA6C,EAAE,SAAS,EAAE,MAAM,EAAE,QAAQ,CAAC,CAAC;CAC5E,+CAA+C,EAAE,SAAS,EAAE,MAAM,EAAE,QAAQ,CAAC,CAAC;CAC9E,+CAA+C,EAAE,SAAS,EAAE,MAAM,EAAE,QAAQ,CAAC,CAAC;CAC/E,CAAC;;;;ACGF,IAAa,kBAAb,MAA6B;CAC3B,AAAO,YAAY,AAAQ,SAAiC;EAAjC;;CAE3B,AAAO,mCAAmC,SAAoD;AAC5F,SAAO,mCAAmC,QAAQ;;CAGpD,MAAa,qCACX,SACA;AACA,SAAO,qCAAqC;GAAE,GAAG;GAAS,WAAW,KAAK,QAAQ;GAAW,CAAC;;CAGhG,MAAa,qCACX,SACA;AACA,SAAO,qCAAqC;GAAE,GAAG;GAAS,WAAW,KAAK,QAAQ;GAAW,CAAC;;CAGhG,MAAa,qCACX,SACA;AACA,SAAO,qCAAqC;GAAE,GAAG;GAAS,WAAW,KAAK,QAAQ;GAAW,CAAC;;;;;;ACNlG,eAAsB,sBACpB,SACyC;CACzC,MAAM,wBAAwB,qBAAqB,EACjD,iBAAiB,QAAQ,iBAC1B,CAAC;CAEF,MAAM,iBAAsD,EAAE;AAC9D,MAAK,MAAM,eAAe,uBAAuB;EAC/C,MAAM,eAAe,MAAM,2BAA2B;GACpD,OAAO;GACP,WAAW,QAAQ;GACnB,aAAa,QAAQ;GACtB,CAAC;AAEF,iBAAe,KAAK,aAAa;;AAGnC,QAAO;;AAeT,eAAe,2BAA2B,EACxC,OACA,aACA,aAKwC;CACxC,MAAM,cAAc,MAAM,gBAAgB,+BAA+B,CAAC,UAAU;CACpF,MAAM,gBAAiC,YAAY,QAAQ,QACzD,OAAO,OAAO,cAAc,CAAC,SAAS,IAAqB,CAC5D;CAED,MAAM,SAA8C,EAAE;AACtD,MAAK,MAAM,OAAO,cAChB,QAAO,OAAO,kBAAkB,MAAM,UAAU,KAAK,iBAAiB,MAAM,QAAQ,EAAE,IAAI,CAAC;AAG7F,MAAK,MAAM,gBAAgB,MAAM,gBAAgB,gBAAgB;EAC/D,MAAM,mCAAmC,YAAY;AACrD,MAAI,CAAC,iCAAkC;EAEvC,MAAM,gBAAyE,EAAE;AAEjF,OAAK,MAAM,mCAAmC,kCAAkC;GAC9E,MAAM,MAAM,gCAAgC,+BAA+B;GAC3E,MAAM,OAAO,OAAO;GACpB,MAAM,oBAAoB,iCAAiC,QAAQ,gCAAgC;AAEnG,OAAI,CAAC,YAAY,SAAS,IAAI,CAC5B,OAAM,IAAI,+BAA+B;IACvC,OAAO,iBAAiB;IACxB,mBAAmB,qCAAqC,MAAM,qBAAqB,oBAAoB,aAAa,cAAc,kBAAkB,wBAAwB,IAAI,qDAAqD,YAAY,KAAK,KAAK,CAAC;IAC7P,CAAC;AAGJ,OAAI,CAAC,KAEH,OAAM,IAAI,+BAA+B;IACvC,OAAO,iBAAiB;IACxB,mBAAmB,qCAAqC,MAAM,qBAAqB,oBAAoB,aAAa,cAAc,kBAAkB,oCAAoC,IAAI,yFAAyF,OAAO,OAAO,cAAc,CAAC,KAAK,KAAK,CAAC;IAC9T,CAAC;GAGJ,MAAM,sBAAsB,gCAAgC,wBAAwB,QAAQ,KAAK;AAEjG,OAAI,wBAAwB,GAE1B,OAAM,IAAI,+BAA+B;IACvC,OAAO,iBAAiB;IACxB,mBAAmB,qCAAqC,MAAM,qBAAqB,oBAAoB,aAAa,cAAc,kBAAkB;IACrJ,CAAC;AAGJ,iBAAc,KAAK;IACjB;IACA;IACA,SAAS;IACT;IACD,CAAC;;AAGJ,SAAO;GACL,sBAAsB;GACtB;GACe;GAChB;;AAIH,OAAM,IAAI,+BAA+B;EACvC,
OAAO,iBAAiB;EACxB,mBAAmB,qCAAqC,MAAM,qBAAqB;EACpF,CAAC;;;;;ACrHJ,IAAa,oBAAb,MAA+B;CAC7B,AAAO,YAAY,AAAQ,SAAmC;EAAnC;;CAE3B,MAAa,oCACX,SACA;AACA,SAAO,oCAAoC;GAAE,GAAG;GAAS,WAAW,KAAK,QAAQ;GAAW,CAAC;;CAG/F,AAAO,0CAA0C,SAAoD;AACnG,SAAO,mCAAmC,QAAQ;;CAGpD,AAAO,oCAAoC,SAAqD;AAC9F,SAAO,oCAAoC,QAAQ;;CAGrD,AAAO,8CAA8C,SAAwD;AAC3G,SAAO,8CAA8C,QAAQ;;CAG/D,AAAO,gBAAgB,SAAkB;AACvC,SAAO,gBAAgB,QAAQ;;CAGjC,AAAO,iBAAiB,SAAkB;AACxC,SAAO,iBAAiB,QAAQ;;CAGlC,AAAO,qBAAqB,SAAsC;AAChE,SAAO,qBAAqB,QAAQ;;;;;;;;;;CAWtC,AAAO,sBAAsB,SAA0D;AACrF,SAAO,sBAAsB;GAC3B,GAAG;GACH,WAAW,KAAK,QAAQ;GACzB,CAAC"}
|