@openleash/core 0.0.3 → 0.2.0

package/dist/engine.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"engine.js","sourceRoot":"","sources":["../src/engine.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAuBA,4BAiHC;AAxID,oDAAsC;AAWtC,uDAAsD;AACtD,mDAA+C;AAC/C,qDAAuD;AACvD,qDAAiE;AASjE,SAAgB,QAAQ,CACtB,MAAqB,EACrB,MAAc,EACd,OASC;IAED,MAAM,UAAU,GAAG,IAAA,mCAAiB,EAAC,MAAM,CAAC,CAAC;IAC7C,MAAM,UAAU,GAAG,MAAM,CAAC,UAAU,EAAE,CAAC;IACvC,MAAM,MAAM,GAAgB,EAAE,CAAC;IAE/B,IAAI,WAAW,GAAsB,IAAI,CAAC;IAE1C,KAAK,MAAM,IAAI,IAAI,MAAM,CAAC,KAAK,EAAE,CAAC;QAChC,MAAM,YAAY,GAAG,WAAW,CAAC,MAAM,CAAC,WAAW,EAAE,IAAI,CAAC,MAAM,CAAC,CAAC;QAClE,IAAI,SAAS,GAAmB,IAAI,CAAC;QACrC,IAAI,gBAAgB,GAAmB,IAAI,CAAC;QAC5C,IAAI,UAAU,GAAG,KAAK,CAAC;QAEvB,IAAI,YAAY,EAAE,CAAC;YACjB,2BAA2B;YAC3B,IAAI,IAAI,CAAC,IAAI,EAAE,CAAC;gBACd,SAAS,GAAG,IAAA,4BAAY,EAAC,IAAI,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC;YAC9C,CAAC;iBAAM,CAAC;gBACN,SAAS,GAAG,IAAI,CAAC;YACnB,CAAC;YAED,IAAI,SAAS,EAAE,CAAC;gBACd,uBAAuB;gBACvB,IAAI,IAAI,CAAC,WAAW,EAAE,CAAC;oBACrB,gBAAgB,GAAG,IAAA,oCAAmB,EAAC,IAAI,CAAC,WAAW,EAAE,MAAM,CAAC,CAAC;gBACnE,CAAC;qBAAM,CAAC;oBACN,gBAAgB,GAAG,IAAI,CAAC;gBAC1B,CAAC;gBAED,IAAI,gBAAgB,EAAE,CAAC;oBACrB,UAAU,GAAG,IAAI,CAAC;gBACpB,CAAC;YACH,CAAC;QACH,CAAC;QAED,MAAM,CAAC,IAAI,CAAC;YACV,OAAO,EAAE,IAAI,CAAC,EAAE;YAChB,aAAa,EAAE,YAAY;YAC3B,UAAU,EAAE,YAAY,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,IAAI;YAC3C,iBAAiB,EAAE,YAAY,IAAI,SAAS,CAAC,CAAC,CAAC,gBAAgB,CAAC,CAAC,CAAC,IAAI;YACtE,WAAW,EAAE,UAAU;SACxB,CAAC,CAAC;QAEH,IAAI,UAAU,IAAI,CAAC,WAAW,EAAE,CAAC;YAC/B,WAAW,GAAG,IAAI,CAAC;YACnB,wCAAwC;QAC1C,CAAC;IACH,CAAC;IAED,yBAAyB;IACzB,IAAI,MAAsB,CAAC;IAC3B,IAAI,WAAW,GAAiB,EAAE,CAAC;IACnC,IAAI,MAAc,CAAC;IAEnB,IAAI,WAAW,EAAE,CAAC;QAChB,IAAI,WAAW,CAAC,MAAM,KAAK,MAAM,EAAE,CAAC;YAClC,MAAM,GAAG,MAAM,CAAC;YAChB,MAAM,GAAG,mBAAmB,WAAW,CAAC,EAAE,GAAG,CAAC;QAChD,CAAC;aAAM,CAAC;YACN,MAAM,QAAQ,GAAG,IAAA,8CAA6B,EAC5C,WAAW,CAAC,WAAW,EACvB,WAAW,CAAC,YAAY,EACxB,MAAM,CACP,CAAC;YACF,MAAM,GAAG,QAAQ,CAAC,MAAM,CAAC;YACzB,WAAW,GAAG,QAAQ,CAAC,WAAW,CAAC;YACnC,MAAM,GAAG,MAAM,KAAK,OAAO;gBACzB,CAAC,CAAC,oBAAoB,WAAW,CAAC,EAAE,GAAG;gBACvC,CAAC,CAAC,SAAS,WAAW,CAAC,EAAE,eAAe,MAAM,EAAE,CAAC;QACrD,CAAC;IACH,CAAC;SAAM,CAAC;QACN,cAAc;QACd,MAAM,GAAG,MAAM,CAAC,OAAO,KAAK,OAAO,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC;QACvD,MAAM,GAAG,oCAAoC,MAAM,CAAC,OAAO,EAAE,CAAC;IAChE,CAAC;IAED,8BAA8B;IAC9B,MAAM,YAAY,GAAG,MAAM,CAAC,aAAa,EAAE,aAAa,CAAC;IACzD,MAAM,aAAa,GACjB,CAAC,WAAW,EAAE,KAAK,EAAE,QAAQ,KAAK,IAAI,CAAC;QACvC,CAAC,YAAY,KAAK,MAAM,IAAI,YAAY,KAAK,WAAW,CAAC,CAAC;IAE5D,MAAM,eAAe,GAAG,WAAW,EAAE,KAAK,EAAE,WAAW,IAAI,OAAO,EAAE,eAAe,IAAI,IAAI,CAAC;IAE5F,OAAO;QACL,QAAQ,EAAE;YACR,WAAW,EAAE,UAAU;YACvB,SAAS,EAAE,MAAM,CAAC,SAAS;YAC3B,WAAW,EAAE,UAAU;YACvB,MAAM;YACN,eAAe,EAAE,WAAW,EAAE,EAAE,IAAI,IAAI;YACxC,MAAM;YACN,WAAW,EAAE,IAAI;YACjB,gBAAgB,EAAE,IAAI;YACtB,WAAW;SACZ;QACD,KAAK,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE;QACxB,aAAa;QACb,eAAe;KAChB,CAAC;AACJ,CAAC;AAED,SAAS,WAAW,CAAC,UAAkB,EAAE,OAAe;IACtD,IAAI,OAAO,KAAK,GAAG;QAAE,OAAO,IAAI,CAAC;IACjC,IAAI,OAAO,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;QAC3B,MAAM,MAAM,GAAG,OAAO,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC;QACpC,OAAO,UAAU,KAAK,MAAM,IAAI,UAAU,CAAC,UAAU,CAAC,MAAM,GAAG,GAAG,CAAC,CAAC;IACtE,CAAC;IACD,OAAO,UAAU,KAAK,OAAO,CAAC;AAChC,CAAC"}

package/dist/expression.d.ts

@@ -0,0 +1,3 @@
+import type { PolicyExpr } from './types.js';
+export declare function evaluateExpr(expr: PolicyExpr, data: unknown): boolean;
+//# sourceMappingURL=expression.d.ts.map

package/dist/expression.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"expression.d.ts","sourceRoot":"","sources":["../src/expression.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,UAAU,EAAmB,MAAM,YAAY,CAAC;AAE9D,wBAAgB,YAAY,CAAC,IAAI,EAAE,UAAU,EAAE,IAAI,EAAE,OAAO,GAAG,OAAO,CAcrE"}

package/dist/expression.js

@@ -0,0 +1,60 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.evaluateExpr = evaluateExpr;
+const jsonpath_js_1 = require("./jsonpath.js");
+function evaluateExpr(expr, data) {
+    if ('all' in expr) {
+        return expr.all.every((e) => evaluateExpr(e, data));
+    }
+    if ('any' in expr) {
+        return expr.any.some((e) => evaluateExpr(e, data));
+    }
+    if ('not' in expr) {
+        return !evaluateExpr(expr.not, data);
+    }
+    if ('match' in expr) {
+        return evaluateMatch(expr.match, data);
+    }
+    return false;
+}
+function evaluateMatch(match, data) {
+    const actual = (0, jsonpath_js_1.jsonPathGet)(data, match.path);
+    const { op, value } = match;
+    switch (op) {
+        case 'exists':
+            return actual !== undefined && actual !== null;
+        case 'eq':
+            return actual === value;
+        case 'neq':
+            return actual !== value;
+        case 'in':
+            if (!Array.isArray(value))
+                return false;
+            return value.includes(actual);
+        case 'nin':
+            if (!Array.isArray(value))
+                return false;
+            return !value.includes(actual);
+        case 'lt':
+            return typeof actual === 'number' && typeof value === 'number' && actual < value;
+        case 'lte':
+            return typeof actual === 'number' && typeof value === 'number' && actual <= value;
+        case 'gt':
+            return typeof actual === 'number' && typeof value === 'number' && actual > value;
+        case 'gte':
+            return typeof actual === 'number' && typeof value === 'number' && actual >= value;
+        case 'regex': {
+            if (typeof actual !== 'string' || typeof value !== 'string')
+                return false;
+            try {
+                return new RegExp(value).test(actual);
+            }
+            catch {
+                return false;
+            }
+        }
+        default:
+            return false;
+    }
+}
+//# sourceMappingURL=expression.js.map

package/dist/expression.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"expression.js","sourceRoot":"","sources":["../src/expression.ts"],"names":[],"mappings":";;AAGA,oCAcC;AAjBD,+CAA4C;AAG5C,SAAgB,YAAY,CAAC,IAAgB,EAAE,IAAa;IAC1D,IAAI,KAAK,IAAI,IAAI,EAAE,CAAC;QAClB,OAAO,IAAI,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,YAAY,CAAC,CAAC,EAAE,IAAI,CAAC,CAAC,CAAC;IACtD,CAAC;IACD,IAAI,KAAK,IAAI,IAAI,EAAE,CAAC;QAClB,OAAO,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,YAAY,CAAC,CAAC,EAAE,IAAI,CAAC,CAAC,CAAC;IACrD,CAAC;IACD,IAAI,KAAK,IAAI,IAAI,EAAE,CAAC;QAClB,OAAO,CAAC,YAAY,CAAC,IAAI,CAAC,GAAG,EAAE,IAAI,CAAC,CAAC;IACvC,CAAC;IACD,IAAI,OAAO,IAAI,IAAI,EAAE,CAAC;QACpB,OAAO,aAAa,CAAC,IAAI,CAAC,KAAK,EAAE,IAAI,CAAC,CAAC;IACzC,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC;AAED,SAAS,aAAa,CAAC,KAAsB,EAAE,IAAa;IAC1D,MAAM,MAAM,GAAG,IAAA,yBAAW,EAAC,IAAI,EAAE,KAAK,CAAC,IAAI,CAAC,CAAC;IAC7C,MAAM,EAAE,EAAE,EAAE,KAAK,EAAE,GAAG,KAAK,CAAC;IAE5B,QAAQ,EAAE,EAAE,CAAC;QACX,KAAK,QAAQ;YACX,OAAO,MAAM,KAAK,SAAS,IAAI,MAAM,KAAK,IAAI,CAAC;QACjD,KAAK,IAAI;YACP,OAAO,MAAM,KAAK,KAAK,CAAC;QAC1B,KAAK,KAAK;YACR,OAAO,MAAM,KAAK,KAAK,CAAC;QAC1B,KAAK,IAAI;YACP,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC;gBAAE,OAAO,KAAK,CAAC;YACxC,OAAO,KAAK,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;QAChC,KAAK,KAAK;YACR,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC;gBAAE,OAAO,KAAK,CAAC;YACxC,OAAO,CAAC,KAAK,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;QACjC,KAAK,IAAI;YACP,OAAO,OAAO,MAAM,KAAK,QAAQ,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,MAAM,GAAG,KAAK,CAAC;QACnF,KAAK,KAAK;YACR,OAAO,OAAO,MAAM,KAAK,QAAQ,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,MAAM,IAAI,KAAK,CAAC;QACpF,KAAK,IAAI;YACP,OAAO,OAAO,MAAM,KAAK,QAAQ,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,MAAM,GAAG,KAAK,CAAC;QACnF,KAAK,KAAK;YACR,OAAO,OAAO,MAAM,KAAK,QAAQ,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,MAAM,IAAI,KAAK,CAAC;QACpF,KAAK,OAAO,CAAC,CAAC,CAAC;YACb,IAAI,OAAO,MAAM,KAAK,QAAQ,IAAI,OAAO,KAAK,KAAK,QAAQ;gBAAE,OAAO,KAAK,CAAC;YAC1E,IAAI,CAAC;gBACH,OAAO,IAAI,MAAM,CAAC,KAAK,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;YACxC,CAAC;YAAC,MAAM,CAAC;gBACP,OAAO,KAAK,CAAC;YACf,CAAC;QACH,CAAC;QACD;YACE,OAAO,KAAK,CAAC;IACjB,CAAC;AACH,CAAC"}

package/dist/index.d.ts

@@ -0,0 +1,15 @@
+export * from './types.js';
+export * from './canonicalize.js';
+export * from './jsonpath.js';
+export * from './expression.js';
+export * from './constraints.js';
+export * from './obligations.js';
+export * from './policy-parser.js';
+export * from './engine.js';
+export * from './keys.js';
+export * from './tokens.js';
+export * from './state.js';
+export * from './audit.js';
+export * from './nonce-cache.js';
+export * from './signing.js';
+//# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,cAAc,YAAY,CAAC;AAC3B,cAAc,mBAAmB,CAAC;AAClC,cAAc,eAAe,CAAC;AAC9B,cAAc,iBAAiB,CAAC;AAChC,cAAc,kBAAkB,CAAC;AACjC,cAAc,kBAAkB,CAAC;AACjC,cAAc,oBAAoB,CAAC;AACnC,cAAc,aAAa,CAAC;AAC5B,cAAc,WAAW,CAAC;AAC1B,cAAc,aAAa,CAAC;AAC5B,cAAc,YAAY,CAAC;AAC3B,cAAc,YAAY,CAAC;AAC3B,cAAc,kBAAkB,CAAC;AACjC,cAAc,cAAc,CAAC"}

package/dist/index.js

@@ -0,0 +1,31 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __exportStar = (this && this.__exportStar) || function(m, exports) {
+    for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports, p)) __createBinding(exports, m, p);
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+__exportStar(require("./types.js"), exports);
+__exportStar(require("./canonicalize.js"), exports);
+__exportStar(require("./jsonpath.js"), exports);
+__exportStar(require("./expression.js"), exports);
+__exportStar(require("./constraints.js"), exports);
+__exportStar(require("./obligations.js"), exports);
+__exportStar(require("./policy-parser.js"), exports);
+__exportStar(require("./engine.js"), exports);
+__exportStar(require("./keys.js"), exports);
+__exportStar(require("./tokens.js"), exports);
+__exportStar(require("./state.js"), exports);
+__exportStar(require("./audit.js"), exports);
+__exportStar(require("./nonce-cache.js"), exports);
+__exportStar(require("./signing.js"), exports);
+//# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;AAAA,6CAA2B;AAC3B,oDAAkC;AAClC,gDAA8B;AAC9B,kDAAgC;AAChC,mDAAiC;AACjC,mDAAiC;AACjC,qDAAmC;AACnC,8CAA4B;AAC5B,4CAA0B;AAC1B,8CAA4B;AAC5B,6CAA2B;AAC3B,6CAA2B;AAC3B,mDAAiC;AACjC,+CAA6B"}

package/dist/jsonpath.d.ts

@@ -0,0 +1,8 @@
+/**
+ * Minimal JSONPath accessor.
+ * Supports dot access and array indexes only:
+ *   $.payload.amount_minor
+ *   $.payload.items[0].sku
+ */
+export declare function jsonPathGet(obj: unknown, path: string): unknown;
+//# sourceMappingURL=jsonpath.d.ts.map

package/dist/jsonpath.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"jsonpath.d.ts","sourceRoot":"","sources":["../src/jsonpath.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AACH,wBAAgB,WAAW,CAAC,GAAG,EAAE,OAAO,EAAE,IAAI,EAAE,MAAM,GAAG,OAAO,CAoB/D"}

package/dist/jsonpath.js

@@ -0,0 +1,48 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.jsonPathGet = jsonPathGet;
+/**
+ * Minimal JSONPath accessor.
+ * Supports dot access and array indexes only:
+ *   $.payload.amount_minor
+ *   $.payload.items[0].sku
+ */
+function jsonPathGet(obj, path) {
+    if (!path.startsWith('$.')) {
+        throw new Error(`Invalid JSONPath: must start with "$." — got "${path}"`);
+    }
+    const stripped = path.slice(2); // remove "$."
+    const segments = parseSegments(stripped);
+    let current = obj;
+    for (const seg of segments) {
+        if (current === null || current === undefined)
+            return undefined;
+        if (seg.type === 'key') {
+            if (typeof current !== 'object')
+                return undefined;
+            current = current[seg.value];
+        }
+        else {
+            if (!Array.isArray(current))
+                return undefined;
+            current = current[seg.value];
+        }
+    }
+    return current;
+}
+function parseSegments(path) {
+    const segments = [];
+    const re = /([a-zA-Z_][a-zA-Z0-9_]*)|\[(\d+)\]|\./g;
+    let m;
+    while ((m = re.exec(path)) !== null) {
+        if (m[1] !== undefined) {
+            segments.push({ type: 'key', value: m[1] });
+        }
+        else if (m[2] !== undefined) {
+            segments.push({ type: 'index', value: parseInt(m[2], 10) });
+        }
+        // dots are just separators
+    }
+    return segments;
+}
+//# sourceMappingURL=jsonpath.js.map

package/dist/jsonpath.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"jsonpath.js","sourceRoot":"","sources":["../src/jsonpath.ts"],"names":[],"mappings":";;AAMA,kCAoBC;AA1BD;;;;;GAKG;AACH,SAAgB,WAAW,CAAC,GAAY,EAAE,IAAY;IACpD,IAAI,CAAC,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC,EAAE,CAAC;QAC3B,MAAM,IAAI,KAAK,CAAC,iDAAiD,IAAI,GAAG,CAAC,CAAC;IAC5E,CAAC;IAED,MAAM,QAAQ,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,cAAc;IAC9C,MAAM,QAAQ,GAAG,aAAa,CAAC,QAAQ,CAAC,CAAC;IAEzC,IAAI,OAAO,GAAY,GAAG,CAAC;IAC3B,KAAK,MAAM,GAAG,IAAI,QAAQ,EAAE,CAAC;QAC3B,IAAI,OAAO,KAAK,IAAI,IAAI,OAAO,KAAK,SAAS;YAAE,OAAO,SAAS,CAAC;QAChE,IAAI,GAAG,CAAC,IAAI,KAAK,KAAK,EAAE,CAAC;YACvB,IAAI,OAAO,OAAO,KAAK,QAAQ;gBAAE,OAAO,SAAS,CAAC;YAClD,OAAO,GAAI,OAAmC,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;QAC5D,CAAC;aAAM,CAAC;YACN,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,OAAO,CAAC;gBAAE,OAAO,SAAS,CAAC;YAC9C,OAAO,GAAG,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;QAC/B,CAAC;IACH,CAAC;IACD,OAAO,OAAO,CAAC;AACjB,CAAC;AAMD,SAAS,aAAa,CAAC,IAAY;IACjC,MAAM,QAAQ,GAAc,EAAE,CAAC;IAC/B,MAAM,EAAE,GAAG,wCAAwC,CAAC;IACpD,IAAI,CAAyB,CAAC;IAE9B,OAAO,CAAC,CAAC,GAAG,EAAE,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;QACpC,IAAI,CAAC,CAAC,CAAC,CAAC,KAAK,SAAS,EAAE,CAAC;YACvB,QAAQ,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,KAAK,EAAE,KAAK,EAAE,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC;QAC9C,CAAC;aAAM,IAAI,CAAC,CAAC,CAAC,CAAC,KAAK,SAAS,EAAE,CAAC;YAC9B,QAAQ,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,OAAO,EAAE,KAAK,EAAE,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,EAAE,CAAC,CAAC;QAC9D,CAAC;QACD,2BAA2B;IAC7B,CAAC;IACD,OAAO,QAAQ,CAAC;AAClB,CAAC"}

package/dist/keys.d.ts

@@ -0,0 +1,9 @@
+import * as crypto from 'node:crypto';
+import type { ServerKeyFile } from './types.js';
+export declare function generateSigningKey(): ServerKeyFile;
+export declare function writeKeyFile(dataDir: string, key: ServerKeyFile): void;
+export declare function readKeyFile(dataDir: string, kid: string): ServerKeyFile;
+export declare function getPrivateKeyObject(key: ServerKeyFile): crypto.KeyObject;
+export declare function getPublicKeyObject(key: ServerKeyFile): crypto.KeyObject;
+export declare function getPublicKeyObjectFromB64(publicKeyB64: string): crypto.KeyObject;
+//# sourceMappingURL=keys.d.ts.map

package/dist/keys.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"keys.d.ts","sourceRoot":"","sources":["../src/keys.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,MAAM,MAAM,aAAa,CAAC;AAGtC,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,YAAY,CAAC;AAEhD,wBAAgB,kBAAkB,IAAI,aAAa,CAclD;AAED,wBAAgB,YAAY,CAAC,OAAO,EAAE,MAAM,EAAE,GAAG,EAAE,aAAa,GAAG,IAAI,CAKtE;AAED,wBAAgB,WAAW,CAAC,OAAO,EAAE,MAAM,EAAE,GAAG,EAAE,MAAM,GAAG,aAAa,CAGvE;AAED,wBAAgB,mBAAmB,CAAC,GAAG,EAAE,aAAa,GAAG,MAAM,CAAC,SAAS,CAGxE;AAED,wBAAgB,kBAAkB,CAAC,GAAG,EAAE,aAAa,GAAG,MAAM,CAAC,SAAS,CAGvE;AAED,wBAAgB,yBAAyB,CAAC,YAAY,EAAE,MAAM,GAAG,MAAM,CAAC,SAAS,CAGhF"}

package/dist/keys.js

@@ -0,0 +1,80 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.generateSigningKey = generateSigningKey;
+exports.writeKeyFile = writeKeyFile;
+exports.readKeyFile = readKeyFile;
+exports.getPrivateKeyObject = getPrivateKeyObject;
+exports.getPublicKeyObject = getPublicKeyObject;
+exports.getPublicKeyObjectFromB64 = getPublicKeyObjectFromB64;
+const crypto = __importStar(require("node:crypto"));
+const fs = __importStar(require("node:fs"));
+const path = __importStar(require("node:path"));
+function generateSigningKey() {
+    const kid = crypto.randomUUID();
+    const keypair = crypto.generateKeyPairSync('ed25519');
+    const publicKeyDer = keypair.publicKey.export({ type: 'spki', format: 'der' });
+    const privateKeyDer = keypair.privateKey.export({ type: 'pkcs8', format: 'der' });
+    return {
+        kid,
+        public_key_b64: publicKeyDer.toString('base64'),
+        private_key_b64: privateKeyDer.toString('base64'),
+        created_at: new Date().toISOString(),
+        revoked_at: null,
+    };
+}
+function writeKeyFile(dataDir, key) {
+    const keysDir = path.join(dataDir, 'keys');
+    fs.mkdirSync(keysDir, { recursive: true });
+    const filePath = path.join(keysDir, `${key.kid}.json`);
+    fs.writeFileSync(filePath, JSON.stringify(key, null, 2), 'utf-8');
+}
+function readKeyFile(dataDir, kid) {
+    const filePath = path.join(dataDir, 'keys', `${kid}.json`);
+    return JSON.parse(fs.readFileSync(filePath, 'utf-8'));
+}
+function getPrivateKeyObject(key) {
+    const der = Buffer.from(key.private_key_b64, 'base64');
+    return crypto.createPrivateKey({ key: der, format: 'der', type: 'pkcs8' });
+}
+function getPublicKeyObject(key) {
+    const der = Buffer.from(key.public_key_b64, 'base64');
+    return crypto.createPublicKey({ key: der, format: 'der', type: 'spki' });
+}
+function getPublicKeyObjectFromB64(publicKeyB64) {
+    const der = Buffer.from(publicKeyB64, 'base64');
+    return crypto.createPublicKey({ key: der, format: 'der', type: 'spki' });
+}
+//# sourceMappingURL=keys.js.map

package/dist/keys.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"keys.js","sourceRoot":"","sources":["../src/keys.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAKA,gDAcC;AAED,oCAKC;AAED,kCAGC;AAED,kDAGC;AAED,gDAGC;AAED,8DAGC;AA9CD,oDAAsC;AACtC,4CAA8B;AAC9B,gDAAkC;AAGlC,SAAgB,kBAAkB;IAChC,MAAM,GAAG,GAAG,MAAM,CAAC,UAAU,EAAE,CAAC;IAChC,MAAM,OAAO,GAAG,MAAM,CAAC,mBAAmB,CAAC,SAAS,CAAC,CAAC;IAEtD,MAAM,YAAY,GAAG,OAAO,CAAC,SAAS,CAAC,MAAM,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC,CAAC;IAC/E,MAAM,aAAa,GAAG,OAAO,CAAC,UAAU,CAAC,MAAM,CAAC,EAAE,IAAI,EAAE,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC,CAAC;IAElF,OAAO;QACL,GAAG;QACH,cAAc,EAAE,YAAY,CAAC,QAAQ,CAAC,QAAQ,CAAC;QAC/C,eAAe,EAAE,aAAa,CAAC,QAAQ,CAAC,QAAQ,CAAC;QACjD,UAAU,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;QACpC,UAAU,EAAE,IAAI;KACjB,CAAC;AACJ,CAAC;AAED,SAAgB,YAAY,CAAC,OAAe,EAAE,GAAkB;IAC9D,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;IAC3C,EAAE,CAAC,SAAS,CAAC,OAAO,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IAC3C,MAAM,QAAQ,GAAG,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,GAAG,GAAG,CAAC,GAAG,OAAO,CAAC,CAAC;IACvD,EAAE,CAAC,aAAa,CAAC,QAAQ,EAAE,IAAI,CAAC,SAAS,CAAC,GAAG,EAAE,IAAI,EAAE,CAAC,CAAC,EAAE,OAAO,CAAC,CAAC;AACpE,CAAC;AAED,SAAgB,WAAW,CAAC,OAAe,EAAE,GAAW;IACtD,MAAM,QAAQ,GAAG,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,MAAM,EAAE,GAAG,GAAG,OAAO,CAAC,CAAC;IAC3D,OAAO,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC,YAAY,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC,CAAC;AACxD,CAAC;AAED,SAAgB,mBAAmB,CAAC,GAAkB;IACpD,MAAM,GAAG,GAAG,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,eAAe,EAAE,QAAQ,CAAC,CAAC;IACvD,OAAO,MAAM,CAAC,gBAAgB,CAAC,EAAE,GAAG,EAAE,GAAG,EAAE,MAAM,EAAE,KAAK,EAAE,IAAI,EAAE,OAAO,EAAE,CAAC,CAAC;AAC7E,CAAC;AAED,SAAgB,kBAAkB,CAAC,GAAkB;IACnD,MAAM,GAAG,GAAG,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,cAAc,EAAE,QAAQ,CAAC,CAAC;IACtD,OAAO,MAAM,CAAC,eAAe,CAAC,EAAE,GAAG,EAAE,GAAG,EAAE,MAAM,EAAE,KAAK,EAAE,IAAI,EAAE,MAAM,EAAE,CAAC,CAAC;AAC3E,CAAC;AAED,SAAgB,yBAAyB,CAAC,YAAoB;IAC5D,MAAM,GAAG,GAAG,MAAM,CAAC,IAAI,CAAC,YAAY,EAAE,QAAQ,CAAC,CAAC;IAChD,OAAO,MAAM,CAAC,eAAe,CAAC,EAAE,GAAG,EAAE,GAAG,EAAE,MAAM,EAAE,KAAK,EAAE,IAAI,EAAE,MAAM,EAAE,CAAC,CAAC;AAC3E,CAAC"}

package/dist/nonce-cache.d.ts

@@ -0,0 +1,17 @@
+/**
+ * In-memory TTL nonce cache for replay protection.
+ */
+export declare class NonceCache {
+    private cache;
+    private ttlMs;
+    private cleanupInterval;
+    constructor(ttlSeconds?: number);
+    /**
+     * Check if nonce has been seen. Returns true if nonce is fresh (not seen before).
+     * Returns false if nonce is a replay.
+     */
+    check(agentId: string, nonce: string): boolean;
+    private cleanup;
+    destroy(): void;
+}
+//# sourceMappingURL=nonce-cache.d.ts.map

package/dist/nonce-cache.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"nonce-cache.d.ts","sourceRoot":"","sources":["../src/nonce-cache.ts"],"names":[],"mappings":"AAAA;;GAEG;AACH,qBAAa,UAAU;IACrB,OAAO,CAAC,KAAK,CAA6B;IAC1C,OAAO,CAAC,KAAK,CAAS;IACtB,OAAO,CAAC,eAAe,CAA+C;gBAE1D,UAAU,GAAE,MAAY;IAUpC;;;OAGG;IACH,KAAK,CAAC,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,OAAO;IAe9C,OAAO,CAAC,OAAO;IASf,OAAO,IAAI,IAAI;CAOhB"}

package/dist/nonce-cache.js

@@ -0,0 +1,53 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.NonceCache = void 0;
+/**
+ * In-memory TTL nonce cache for replay protection.
+ */
+class NonceCache {
+    cache = new Map(); // nonce -> expiry timestamp
+    ttlMs;
+    cleanupInterval = null;
+    constructor(ttlSeconds = 600) {
+        this.ttlMs = ttlSeconds * 1000;
+        // Periodic cleanup every 60 seconds
+        this.cleanupInterval = setInterval(() => this.cleanup(), 60_000);
+        // Allow Node to exit even if interval is running
+        if (this.cleanupInterval.unref) {
+            this.cleanupInterval.unref();
+        }
+    }
+    /**
+     * Check if nonce has been seen. Returns true if nonce is fresh (not seen before).
+     * Returns false if nonce is a replay.
+     */
+    check(agentId, nonce) {
+        const key = `${agentId}:${nonce}`;
+        const now = Date.now();
+        // Check if nonce exists and hasn't expired
+        const expiry = this.cache.get(key);
+        if (expiry !== undefined && expiry > now) {
+            return false; // replay
+        }
+        // Store nonce
+        this.cache.set(key, now + this.ttlMs);
+        return true; // fresh
+    }
+    cleanup() {
+        const now = Date.now();
+        for (const [key, expiry] of this.cache) {
+            if (expiry <= now) {
+                this.cache.delete(key);
+            }
+        }
+    }
+    destroy() {
+        if (this.cleanupInterval) {
+            clearInterval(this.cleanupInterval);
+            this.cleanupInterval = null;
+        }
+        this.cache.clear();
+    }
+}
+exports.NonceCache = NonceCache;
+//# sourceMappingURL=nonce-cache.js.map

package/dist/nonce-cache.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"nonce-cache.js","sourceRoot":"","sources":["../src/nonce-cache.ts"],"names":[],"mappings":";;;AAAA;;GAEG;AACH,MAAa,UAAU;IACb,KAAK,GAAG,IAAI,GAAG,EAAkB,CAAC,CAAC,4BAA4B;IAC/D,KAAK,CAAS;IACd,eAAe,GAA0C,IAAI,CAAC;IAEtE,YAAY,aAAqB,GAAG;QAClC,IAAI,CAAC,KAAK,GAAG,UAAU,GAAG,IAAI,CAAC;QAC/B,oCAAoC;QACpC,IAAI,CAAC,eAAe,GAAG,WAAW,CAAC,GAAG,EAAE,CAAC,IAAI,CAAC,OAAO,EAAE,EAAE,MAAM,CAAC,CAAC;QACjE,iDAAiD;QACjD,IAAI,IAAI,CAAC,eAAe,CAAC,KAAK,EAAE,CAAC;YAC/B,IAAI,CAAC,eAAe,CAAC,KAAK,EAAE,CAAC;QAC/B,CAAC;IACH,CAAC;IAED;;;OAGG;IACH,KAAK,CAAC,OAAe,EAAE,KAAa;QAClC,MAAM,GAAG,GAAG,GAAG,OAAO,IAAI,KAAK,EAAE,CAAC;QAClC,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QAEvB,2CAA2C;QAC3C,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;QACnC,IAAI,MAAM,KAAK,SAAS,IAAI,MAAM,GAAG,GAAG,EAAE,CAAC;YACzC,OAAO,KAAK,CAAC,CAAC,SAAS;QACzB,CAAC;QAED,cAAc;QACd,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,GAAG,EAAE,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC;QACtC,OAAO,IAAI,CAAC,CAAC,QAAQ;IACvB,CAAC;IAEO,OAAO;QACb,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QACvB,KAAK,MAAM,CAAC,GAAG,EAAE,MAAM,CAAC,IAAI,IAAI,CAAC,KAAK,EAAE,CAAC;YACvC,IAAI,MAAM,IAAI,GAAG,EAAE,CAAC;gBAClB,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;YACzB,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO;QACL,IAAI,IAAI,CAAC,eAAe,EAAE,CAAC;YACzB,aAAa,CAAC,IAAI,CAAC,eAAe,CAAC,CAAC;YACpC,IAAI,CAAC,eAAe,GAAG,IAAI,CAAC;QAC9B,CAAC;QACD,IAAI,CAAC,KAAK,CAAC,KAAK,EAAE,CAAC;IACrB,CAAC;CACF;AAlDD,gCAkDC"}

package/dist/obligations.d.ts

@@ -0,0 +1,9 @@
+import type { ActionRequest, DecisionResult, Obligation, PolicyObligation, PolicyRequirements } from './types.js';
+/**
+ * Compute obligations from rule obligations + requirements, then derive decision.
+ */
+export declare function computeObligationsAndDecision(ruleObligations: PolicyObligation[] | undefined, requirements: PolicyRequirements | undefined, action: ActionRequest): {
+    result: DecisionResult;
+    obligations: Obligation[];
+};
+//# sourceMappingURL=obligations.d.ts.map

package/dist/obligations.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"obligations.d.ts","sourceRoot":"","sources":["../src/obligations.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EACV,aAAa,EACb,cAAc,EACd,UAAU,EACV,gBAAgB,EAChB,kBAAkB,EACnB,MAAM,YAAY,CAAC;AAQpB;;GAEG;AACH,wBAAgB,6BAA6B,CAC3C,eAAe,EAAE,gBAAgB,EAAE,GAAG,SAAS,EAC/C,YAAY,EAAE,kBAAkB,GAAG,SAAS,EAC5C,MAAM,EAAE,aAAa,GACpB;IAAE,MAAM,EAAE,cAAc,CAAC;IAAC,WAAW,EAAE,UAAU,EAAE,CAAA;CAAE,CA6CvD"}

package/dist/obligations.js

@@ -0,0 +1,89 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.computeObligationsAndDecision = computeObligationsAndDecision;
+const crypto = __importStar(require("node:crypto"));
+const ASSURANCE_ORDER = {
+    LOW: 0,
+    SUBSTANTIAL: 1,
+    HIGH: 2,
+};
+/**
+ * Compute obligations from rule obligations + requirements, then derive decision.
+ */
+function computeObligationsAndDecision(ruleObligations, requirements, action) {
+    const obligations = [];
+    // Collect explicit obligations from rule
+    if (ruleObligations) {
+        for (const ob of ruleObligations) {
+            obligations.push({
+                obligation_id: crypto.randomUUID(),
+                type: ob.type,
+                status: 'PENDING',
+                details_json: ob.params ?? {},
+            });
+        }
+    }
+    // Check requirements -> may add STEP_UP_AUTH obligation
+    if (requirements?.min_assurance_level) {
+        const required = requirements.min_assurance_level;
+        const actual = action.payload.assurance_level || 'LOW';
+        const requiredLevel = ASSURANCE_ORDER[required] ?? 0;
+        const actualLevel = ASSURANCE_ORDER[actual] ?? 0;
+        if (actualLevel < requiredLevel) {
+            obligations.push({
+                obligation_id: crypto.randomUUID(),
+                type: 'STEP_UP_AUTH',
+                status: 'PENDING',
+                details_json: { min_assurance_level: required },
+            });
+        }
+    }
+    // Determine decision from obligations (blocking precedence)
+    const types = new Set(obligations.map((o) => o.type));
+    let result = 'ALLOW';
+    if (types.has('HUMAN_APPROVAL')) {
+        result = 'REQUIRE_APPROVAL';
+    }
+    else if (types.has('STEP_UP_AUTH')) {
+        result = 'REQUIRE_STEP_UP';
+    }
+    else if (types.has('DEPOSIT')) {
+        result = 'REQUIRE_DEPOSIT';
+    }
+    // COUNTERPARTY_ATTESTATION is non-blocking: result stays ALLOW
+    return { result, obligations };
+}
+//# sourceMappingURL=obligations.js.map

package/dist/obligations.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"obligations.js","sourceRoot":"","sources":["../src/obligations.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAkBA,sEAiDC;AAnED,oDAAsC;AAStC,MAAM,eAAe,GAA2B;IAC9C,GAAG,EAAE,CAAC;IACN,WAAW,EAAE,CAAC;IACd,IAAI,EAAE,CAAC;CACR,CAAC;AAEF;;GAEG;AACH,SAAgB,6BAA6B,CAC3C,eAA+C,EAC/C,YAA4C,EAC5C,MAAqB;IAErB,MAAM,WAAW,GAAiB,EAAE,CAAC;IAErC,yCAAyC;IACzC,IAAI,eAAe,EAAE,CAAC;QACpB,KAAK,MAAM,EAAE,IAAI,eAAe,EAAE,CAAC;YACjC,WAAW,CAAC,IAAI,CAAC;gBACf,aAAa,EAAE,MAAM,CAAC,UAAU,EAAE;gBAClC,IAAI,EAAE,EAAE,CAAC,IAA0B;gBACnC,MAAM,EAAE,SAAS;gBACjB,YAAY,EAAE,EAAE,CAAC,MAAM,IAAI,EAAE;aAC9B,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,wDAAwD;IACxD,IAAI,YAAY,EAAE,mBAAmB,EAAE,CAAC;QACtC,MAAM,QAAQ,GAAG,YAAY,CAAC,mBAAmB,CAAC;QAClD,MAAM,MAAM,GAAI,MAAM,CAAC,OAAO,CAAC,eAA0B,IAAI,KAAK,CAAC;QACnE,MAAM,aAAa,GAAG,eAAe,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC;QACrD,MAAM,WAAW,GAAG,eAAe,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;QACjD,IAAI,WAAW,GAAG,aAAa,EAAE,CAAC;YAChC,WAAW,CAAC,IAAI,CAAC;gBACf,aAAa,EAAE,MAAM,CAAC,UAAU,EAAE;gBAClC,IAAI,EAAE,cAAc;gBACpB,MAAM,EAAE,SAAS;gBACjB,YAAY,EAAE,EAAE,mBAAmB,EAAE,QAAQ,EAAE;aAChD,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,4DAA4D;IAC5D,MAAM,KAAK,GAAG,IAAI,GAAG,CAAC,WAAW,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC;IAEtD,IAAI,MAAM,GAAmB,OAAO,CAAC;IACrC,IAAI,KAAK,CAAC,GAAG,CAAC,gBAAgB,CAAC,EAAE,CAAC;QAChC,MAAM,GAAG,kBAAkB,CAAC;IAC9B,CAAC;SAAM,IAAI,KAAK,CAAC,GAAG,CAAC,cAAc,CAAC,EAAE,CAAC;QACrC,MAAM,GAAG,iBAAiB,CAAC;IAC7B,CAAC;SAAM,IAAI,KAAK,CAAC,GAAG,CAAC,SAAS,CAAC,EAAE,CAAC;QAChC,MAAM,GAAG,iBAAiB,CAAC;IAC7B,CAAC;IACD,+DAA+D;IAE/D,OAAO,EAAE,MAAM,EAAE,WAAW,EAAE,CAAC;AACjC,CAAC"}