@pagopa/io-react-native-wallet 0.27.1 → 0.28.1

package/lib/module/credential/presentation/03-get-request-object.js

@@ -1,60 +1,48 @@
-import { v4 as uuidv4 } from "uuid";
-import { decode as decodeJwt, sha256ToBase64, verify } from "@pagopa/io-react-native-jwt";
-import { createDPopToken } from "../../utils/dpop";
-import { NoSuitableKeysFoundInEntityConfiguration } from "./errors";
 import { hasStatusOrThrow } from "../../utils/misc";
-import { RequestObject } from "./types";
+import { RequestObjectWalletCapabilities } from "./types";
 /**
- * Obtain the Request Object for RP authentication
+ * Obtain the Request Object for RP authentication. Both the GET and POST `request_uri_method` are supported.
  * @see https://italia.github.io/eudi-wallet-it-docs/versione-corrente/en/relying-party-solution.html
  *
  * @param requestUri The url for the Relying Party to connect with
- * @param rpConf The Relying Party's configuration
- * @param context.wiaCryptoContext The context to access the key associated with the Wallet Instance Attestation
- * @param context.walletInstanceAttestation The Wallet Instance Attestation token
+ * @param rpConf The Relying Party's configuration * @param context.walletInstanceAttestation The Wallet Instance Attestation token
+ * @param context.walletCapabilities (optional) An object containing the wallet technical capabilities that will be sent with a POST request
  * @param context.appFetch (optional) fetch api implementation. Default: built-in fetch
  * @returns The Request Object that describes the presentation
  */
-export const getRequestObject = async (requestUri, rpConf, _ref) => {
+export const getRequestObject = async (requestUri, _ref) => {
   let {
-    wiaCryptoContext,
     appFetch = fetch,
-    walletInstanceAttestation
+    walletCapabilities
   } = _ref;
-  const signedWalletInstanceDPoP = await createDPopToken({
-    jti: `${uuidv4()}`,
-    htm: "GET",
-    htu: requestUri,
-    ath: await sha256ToBase64(walletInstanceAttestation)
-  }, wiaCryptoContext);
-  const responseEncodedJwt = await appFetch(requestUri, {
-    method: "GET",
-    headers: {
-      Authorization: `DPoP ${walletInstanceAttestation}`,
-      DPoP: signedWalletInstanceDPoP
-    }
-  }).then(hasStatusOrThrow(200)).then(res => res.json()).then(responseJson => responseJson.response);
-  const responseJwt = decodeJwt(responseEncodedJwt);
-
-  // verify token signature according to RP's entity configuration
-  // to ensure the request object is authentic
-  {
-    const pubKey = rpConf.wallet_relying_party.jwks.keys.find(_ref2 => {
-      let {
-        kid
-      } = _ref2;
-      return kid === responseJwt.protectedHeader.kid;
+  if (walletCapabilities) {
+    // Validate external input
+    const {
+      wallet_metadata,
+      wallet_nonce
+    } = RequestObjectWalletCapabilities.parse(walletCapabilities);
+    const formUrlEncodedBody = new URLSearchParams({
+      wallet_metadata: JSON.stringify(wallet_metadata),
+      ...(wallet_nonce && {
+        wallet_nonce
+      })
     });
-    if (!pubKey) {
-      throw new NoSuitableKeysFoundInEntityConfiguration("Request Object signature verification");
-    }
-    await verify(responseEncodedJwt, pubKey);
+    const requestObjectEncodedJwt = await appFetch(requestUri, {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/x-www-form-urlencoded"
+      },
+      body: formUrlEncodedBody.toString()
+    }).then(hasStatusOrThrow(200)).then(res => res.text());
+    return {
+      requestObjectEncodedJwt
+    };
   }
-
-  // Ensure that the request object conforms to the expected specification.
-  const requestObject = RequestObject.parse(responseJwt.payload);
+  const requestObjectEncodedJwt = await appFetch(requestUri, {
+    method: "GET"
+  }).then(hasStatusOrThrow(200)).then(res => res.text());
   return {
-    requestObject
+    requestObjectEncodedJwt
   };
 };
 //# sourceMappingURL=03-get-request-object.js.map

package/lib/module/credential/presentation/03-get-request-object.js.map

@@ -1 +1 @@
-{"version":3,"names":["v4","uuidv4","decode","decodeJwt","sha256ToBase64","verify","createDPopToken","NoSuitableKeysFoundInEntityConfiguration","hasStatusOrThrow","RequestObject","getRequestObject","requestUri","rpConf","_ref","wiaCryptoContext","appFetch","fetch","walletInstanceAttestation","signedWalletInstanceDPoP","jti","htm","htu","ath","responseEncodedJwt","method","headers","Authorization","DPoP","then","res","json","responseJson","response","responseJwt","pubKey","wallet_relying_party","jwks","keys","find","_ref2","kid","protectedHeader","requestObject","parse","payload"],"sourceRoot":"../../../../src","sources":["credential/presentation/03-get-request-object.ts"],"mappings":"AAAA,SAASA,EAAE,IAAIC,MAAM,QAAQ,MAAM;AACnC,SACEC,MAAM,IAAIC,SAAS,EACnBC,cAAc,EACdC,MAAM,QAED,6BAA6B;AAEpC,SAASC,eAAe,QAAQ,kBAAkB;AAClD,SAASC,wCAAwC,QAAQ,UAAU;AAEnE,SAASC,gBAAgB,QAAkB,kBAAkB;AAE7D,SAASC,aAAa,QAAQ,SAAS;AAYvC;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,OAAO,MAAMC,gBAAkC,GAAG,MAAAA,CAChDC,UAAU,EACVC,MAAM,EAAAC,IAAA,KAEH;EAAA,IADH;IAAEC,gBAAgB;IAAEC,QAAQ,GAAGC,KAAK;IAAEC;EAA0B,CAAC,GAAAJ,IAAA;EAEjE,MAAMK,wBAAwB,GAAG,MAAMZ,eAAe,CACpD;IACEa,GAAG,EAAG,GAAElB,MAAM,CAAC,CAAE,EAAC;IAClBmB,GAAG,EAAE,KAAK;IACVC,GAAG,EAAEV,UAAU;IACfW,GAAG,EAAE,MAAMlB,cAAc,CAACa,yBAAyB;EACrD,CAAC,EACDH,gBACF,CAAC;EAED,MAAMS,kBAAkB,GAAG,MAAMR,QAAQ,CAACJ,UAAU,EAAE;IACpDa,MAAM,EAAE,KAAK;IACbC,OAAO,EAAE;MACPC,aAAa,EAAG,QAAOT,yBAA0B,EAAC;MAClDU,IAAI,EAAET;IACR;EACF,CAAC,CAAC,CACCU,IAAI,CAACpB,gBAAgB,CAAC,GAAG,CAAC,CAAC,CAC3BoB,IAAI,CAAEC,GAAG,IAAKA,GAAG,CAACC,IAAI,CAAC,CAAC,CAAC,CACzBF,IAAI,CAAEG,YAAY,IAAKA,YAAY,CAACC,QAAQ,CAAC;EAEhD,MAAMC,WAAW,GAAG9B,SAAS,CAACoB,kBAAkB,CAAC;;EAEjD;EACA;EACA;IACE,MAAMW,MAAM,GAAGtB,MAAM,CAACuB,oBAAoB,CAACC,IAAI,CAACC,IAAI,CAACC,IAAI,CACvDC,KAAA;MAAA,IAAC;QAAEC;MAAI,CAAC,GAAAD,KAAA;MAAA,OAAKC,GAAG,KAAKP,WAAW,CAACQ,eAAe,CAACD,GAAG;IAAA,CACtD,CAAC;IACD,IAAI,CAACN,MAAM,EAAE;MACX,MAAM,IAAI3B,wCAAwC,CAChD,uCACF,CAAC;IACH;IACA,MAAMF,MAAM,CAACkB,kBAAkB,EAAEW,MAAM,CAAC;EAC1C;;EAEA;EACA,MAAMQ,aAAa,GAAGjC,aAAa,CAACkC,KAAK,CAACV,WAAW,CAACW,OAAO,CAAC;EAE9D,OAAO;IACLF;EACF,CAAC;AACH,CAAC"}
+{"version":3,"names":["hasStatusOrThrow","RequestObjectWalletCapabilities","getRequestObject","requestUri","_ref","appFetch","fetch","walletCapabilities","wallet_metadata","wallet_nonce","parse","formUrlEncodedBody","URLSearchParams","JSON","stringify","requestObjectEncodedJwt","method","headers","body","toString","then","res","text"],"sourceRoot":"../../../../src","sources":["credential/presentation/03-get-request-object.ts"],"mappings":"AAAA,SAASA,gBAAgB,QAAkB,kBAAkB;AAE7D,SAASC,+BAA+B,QAAQ,SAAS;AAWzD;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,OAAO,MAAMC,gBAAkC,GAAG,MAAAA,CAChDC,UAAU,EAAAC,IAAA,KAEP;EAAA,IADH;IAAEC,QAAQ,GAAGC,KAAK;IAAEC;EAAmB,CAAC,GAAAH,IAAA;EAExC,IAAIG,kBAAkB,EAAE;IACtB;IACA,MAAM;MAAEC,eAAe;MAAEC;IAAa,CAAC,GACrCR,+BAA+B,CAACS,KAAK,CAACH,kBAAkB,CAAC;IAE3D,MAAMI,kBAAkB,GAAG,IAAIC,eAAe,CAAC;MAC7CJ,eAAe,EAAEK,IAAI,CAACC,SAAS,CAACN,eAAe,CAAC;MAChD,IAAIC,YAAY,IAAI;QAAEA;MAAa,CAAC;IACtC,CAAC,CAAC;IAEF,MAAMM,uBAAuB,GAAG,MAAMV,QAAQ,CAACF,UAAU,EAAE;MACzDa,MAAM,EAAE,MAAM;MACdC,OAAO,EAAE;QACP,cAAc,EAAE;MAClB,CAAC;MACDC,IAAI,EAAEP,kBAAkB,CAACQ,QAAQ,CAAC;IACpC,CAAC,CAAC,CACCC,IAAI,CAACpB,gBAAgB,CAAC,GAAG,CAAC,CAAC,CAC3BoB,IAAI,CAAEC,GAAG,IAAKA,GAAG,CAACC,IAAI,CAAC,CAAC,CAAC;IAE5B,OAAO;MACLP;IACF,CAAC;EACH;EAEA,MAAMA,uBAAuB,GAAG,MAAMV,QAAQ,CAACF,UAAU,EAAE;IACzDa,MAAM,EAAE;EACV,CAAC,CAAC,CACCI,IAAI,CAACpB,gBAAgB,CAAC,GAAG,CAAC,CAAC,CAC3BoB,IAAI,CAAEC,GAAG,IAAKA,GAAG,CAACC,IAAI,CAAC,CAAC,CAAC;EAE5B,OAAO;IACLP;EACF,CAAC;AACH,CAAC"}

package/lib/module/credential/presentation/04-retrieve-rp-jwks.js

@@ -0,0 +1,25 @@
+/**
+ * Defines the signature for a function that retrieves JSON Web Key Sets (JWKS) from a client.
+ *
+ * @template T - The tuple type representing the function arguments.
+ * @param args - The arguments passed to the function.
+ * @returns A promise resolving to an object containing an array of JWKs.
+ */
+
+/**
+ * Retrieves the JSON Web Key Set (JWKS) from a Relying Party's entity configuration.
+ *
+ * @param rpConfig - The configuration object of the Relying Party entity.
+ * @returns An object containing an array of JWKs.
+ * @throws Will throw an error if the configuration is invalid or if JWKS is not found.
+ */
+export const getJwksFromConfig = rpConfig => {
+  const jwks = rpConfig.openid_credential_verifier.jwks;
+  if (!jwks || !Array.isArray(jwks.keys)) {
+    throw new Error("JWKS not found in Relying Party configuration.");
+  }
+  return {
+    keys: jwks.keys
+  };
+};
+//# sourceMappingURL=04-retrieve-rp-jwks.js.map

package/lib/module/credential/presentation/04-retrieve-rp-jwks.js.map

@@ -0,0 +1 @@
+{"version":3,"names":["getJwksFromConfig","rpConfig","jwks","openid_credential_verifier","Array","isArray","keys","Error"],"sourceRoot":"../../../../src","sources":["credential/presentation/04-retrieve-rp-jwks.ts"],"mappings":"AAGA;AACA;AACA;AACA;AACA;AACA;AACA;;AAKA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,OAAO,MAAMA,iBAEZ,GAAIC,QAAQ,IAAK;EAChB,MAAMC,IAAI,GAAGD,QAAQ,CAACE,0BAA0B,CAACD,IAAI;EAErD,IAAI,CAACA,IAAI,IAAI,CAACE,KAAK,CAACC,OAAO,CAACH,IAAI,CAACI,IAAI,CAAC,EAAE;IACtC,MAAM,IAAIC,KAAK,CAAC,gDAAgD,CAAC;EACnE;EAEA,OAAO;IACLD,IAAI,EAAEJ,IAAI,CAACI;EACb,CAAC;AACH,CAAC"}

package/lib/module/credential/presentation/05-verify-request-object.js

@@ -0,0 +1,46 @@
+import { decode as decodeJwt, verify } from "@pagopa/io-react-native-jwt";
+import { UnverifiedEntityError } from "./errors";
+import { RequestObject } from "./types";
+import { getJwksFromConfig } from "./04-retrieve-rp-jwks";
+/**
+ * Function to verify the Request Object's signature and the client ID.
+ * @param requestObjectEncodedJwt The Request Object in JWT format
+ * @param context.clientId The client ID to verify
+ * @param context.jwkKeys The set of keys to verify the signature
+ * @param context.rpConf The Entity Configuration of the Relying Party
+ * @returns The verified Request Object
+ */
+export const verifyRequestObject = async (requestObjectEncodedJwt, _ref) => {
+  let {
+    clientId,
+    rpConf
+  } = _ref;
+  const requestObjectJwt = decodeJwt(requestObjectEncodedJwt);
+  const {
+    keys
+  } = getJwksFromConfig(rpConf.metadata);
+
+  // Verify token signature to ensure the request object is authentic
+  const pubKey = keys === null || keys === void 0 ? void 0 : keys.find(_ref2 => {
+    let {
+      kid
+    } = _ref2;
+    return kid === requestObjectJwt.protectedHeader.kid;
+  });
+  if (!pubKey) {
+    throw new UnverifiedEntityError("Request Object signature verification!");
+  }
+
+  // Standard claims are verified within `verify`
+  await verify(requestObjectEncodedJwt, pubKey, {
+    issuer: clientId
+  });
+  const requestObject = RequestObject.parse(requestObjectJwt.payload);
+  if (!(clientId === requestObject.client_id && clientId === rpConf.sub)) {
+    throw new UnverifiedEntityError("Client ID does not match Request Object or Entity Configuration");
+  }
+  return {
+    requestObject
+  };
+};
+//# sourceMappingURL=05-verify-request-object.js.map

package/lib/module/credential/presentation/05-verify-request-object.js.map

@@ -0,0 +1 @@
+{"version":3,"names":["decode","decodeJwt","verify","UnverifiedEntityError","RequestObject","getJwksFromConfig","verifyRequestObject","requestObjectEncodedJwt","_ref","clientId","rpConf","requestObjectJwt","keys","metadata","pubKey","find","_ref2","kid","protectedHeader","issuer","requestObject","parse","payload","client_id","sub"],"sourceRoot":"../../../../src","sources":["credential/presentation/05-verify-request-object.ts"],"mappings":"AAAA,SAASA,MAAM,IAAIC,SAAS,EAAEC,MAAM,QAAQ,6BAA6B;AAEzE,SAASC,qBAAqB,QAAQ,UAAU;AAChD,SAASC,aAAa,QAAQ,SAAS;AACvC,SAASC,iBAAiB,QAAQ,uBAAuB;AAWzD;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,OAAO,MAAMC,mBAAwC,GAAG,MAAAA,CACtDC,uBAAuB,EAAAC,IAAA,KAEpB;EAAA,IADH;IAAEC,QAAQ;IAAEC;EAAO,CAAC,GAAAF,IAAA;EAEpB,MAAMG,gBAAgB,GAAGV,SAAS,CAACM,uBAAuB,CAAC;EAC3D,MAAM;IAAEK;EAAK,CAAC,GAAGP,iBAAiB,CAACK,MAAM,CAACG,QAAQ,CAAC;;EAEnD;EACA,MAAMC,MAAM,GAAGF,IAAI,aAAJA,IAAI,uBAAJA,IAAI,CAAEG,IAAI,CACvBC,KAAA;IAAA,IAAC;MAAEC;IAAI,CAAC,GAAAD,KAAA;IAAA,OAAKC,GAAG,KAAKN,gBAAgB,CAACO,eAAe,CAACD,GAAG;EAAA,CAC3D,CAAC;EAED,IAAI,CAACH,MAAM,EAAE;IACX,MAAM,IAAIX,qBAAqB,CAAC,wCAAwC,CAAC;EAC3E;;EAEA;EACA,MAAMD,MAAM,CAACK,uBAAuB,EAAEO,MAAM,EAAE;IAAEK,MAAM,EAAEV;EAAS,CAAC,CAAC;EAEnE,MAAMW,aAAa,GAAGhB,aAAa,CAACiB,KAAK,CAACV,gBAAgB,CAACW,OAAO,CAAC;EAEnE,IAAI,EAAEb,QAAQ,KAAKW,aAAa,CAACG,SAAS,IAAId,QAAQ,KAAKC,MAAM,CAACc,GAAG,CAAC,EAAE;IACtE,MAAM,IAAIrB,qBAAqB,CAC7B,iEACF,CAAC;EACH;EAEA,OAAO;IAAEiB;EAAc,CAAC;AAC1B,CAAC"}

package/lib/module/credential/presentation/06-fetch-presentation-definition.js

@@ -0,0 +1,32 @@
+/**
+ * Retrieves a PresentationDefinition based on the given parameters.
+ *
+ * The method attempts the following strategies in order:
+ * 1. Checks if `presentation_definition` is directly available in the request object.
+ * 2. Uses a pre-configured `presentation_definition` from the relying party configuration if the `scope` is present in the request object.
+ *
+ * If none of the above conditions are met, the function throws an error indicating the definition could not be found. Note that `presentation_definition_uri` is not supported in 0.9.x.
+ *
+ * @param {RequestObject} requestObject - The request object containing the presentation definition or references to it.
+ * @param {RelyingPartyEntityConfiguration["payload"]["metadata"]} [rpConf] - Optional relying party configuration.
+ * @returns {Promise<{ presentationDefinition: PresentationDefinition }>} - Resolves with the presentation definition.
+ * @throws {Error} - Throws if the presentation definition cannot be found or fetched.
+ */
+export const fetchPresentDefinition = async (requestObject, rpConf) => {
+  var _rpConf$openid_creden;
+  // Check if `presentation_definition` is directly available in the request object
+  if (requestObject.presentation_definition) {
+    return {
+      presentationDefinition: requestObject.presentation_definition
+    };
+  }
+
+  // Check if `scope` is present in the request object and a pre-configured presentation definition exists
+  if (requestObject.scope && rpConf !== null && rpConf !== void 0 && (_rpConf$openid_creden = rpConf.openid_credential_verifier) !== null && _rpConf$openid_creden !== void 0 && _rpConf$openid_creden.presentation_definition) {
+    return {
+      presentationDefinition: rpConf.openid_credential_verifier.presentation_definition
+    };
+  }
+  throw new Error("Presentation definition not found");
+};
+//# sourceMappingURL=06-fetch-presentation-definition.js.map

package/lib/module/credential/presentation/06-fetch-presentation-definition.js.map

@@ -0,0 +1 @@
+{"version":3,"names":["fetchPresentDefinition","requestObject","rpConf","_rpConf$openid_creden","presentation_definition","presentationDefinition","scope","openid_credential_verifier","Error"],"sourceRoot":"../../../../src","sources":["credential/presentation/06-fetch-presentation-definition.ts"],"mappings":"AAUA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,OAAO,MAAMA,sBAAmD,GAAG,MAAAA,CACjEC,aAAa,EACbC,MAAM,KACH;EAAA,IAAAC,qBAAA;EACH;EACA,IAAIF,aAAa,CAACG,uBAAuB,EAAE;IACzC,OAAO;MACLC,sBAAsB,EAAEJ,aAAa,CAACG;IACxC,CAAC;EACH;;EAEA;EACA,IACEH,aAAa,CAACK,KAAK,IACnBJ,MAAM,aAANA,MAAM,gBAAAC,qBAAA,GAAND,MAAM,CAAEK,0BAA0B,cAAAJ,qBAAA,eAAlCA,qBAAA,CAAoCC,uBAAuB,EAC3D;IACA,OAAO;MACLC,sBAAsB,EACpBH,MAAM,CAACK,0BAA0B,CAACH;IACtC,CAAC;EACH;EAEA,MAAM,IAAII,KAAK,CAAC,mCAAmC,CAAC;AACtD,CAAC"}

package/lib/module/credential/presentation/07-evaluate-dcql-query.js

@@ -0,0 +1,117 @@
+import { DcqlQuery, DcqlError, DcqlCredentialSetError } from "dcql";
+import { isValiError } from "valibot";
+import { decode, prepareVpToken } from "../../sd-jwt";
+import { ValidationFailed } from "../../utils/errors";
+import { createCryptoContextFor } from "../../utils/crypto";
+/**
+ * Convert a credential in JWT format to an object with claims
+ * for correct parsing by the `dcql` library.
+ */
+const mapCredentialToObject = jwt => {
+  const {
+    sdJwt,
+    disclosures
+  } = decode(jwt);
+  const credentialFormat = sdJwt.header.typ;
+
+  // TODO [SIW-2082]: support MDOC credentials
+  if (credentialFormat !== "vc+sd-jwt") {
+    throw new Error(`Unsupported credential format: ${credentialFormat}`);
+  }
+  return {
+    vct: sdJwt.payload.vct,
+    credential_format: credentialFormat,
+    claims: disclosures.reduce((acc, disclosure) => ({
+      ...acc,
+      [disclosure.decoded[1]]: disclosure.decoded
+    }), {})
+  };
+};
+
+/**
+ * Extract only successful matches from the DCQL query result.
+ */
+const getDcqlQueryMatches = result => Object.entries(result.credential_matches).filter(_ref => {
+  let [, match] = _ref;
+  return match.success === true;
+});
+export const evaluateDcqlQuery = (credentialsSdJwt, query) => {
+  const credentials = credentialsSdJwt.map(_ref2 => {
+    let [, credential] = _ref2;
+    return mapCredentialToObject(credential);
+  });
+  try {
+    // Validate the query
+    const parsedQuery = DcqlQuery.parse(query);
+    DcqlQuery.validate(parsedQuery);
+    const queryResult = DcqlQuery.query(parsedQuery, credentials);
+    if (!queryResult.canBeSatisfied) {
+      throw new Error("No credential can satisfy the provided DCQL query");
+    }
+
+    // Build an object vct:credentialJwt to map matched credentials to their JWT
+    const credentialsSdJwtByVct = credentials.reduce((acc, c, i) => ({
+      ...acc,
+      [c.vct]: credentialsSdJwt[i]
+    }), {});
+    return getDcqlQueryMatches(queryResult).map(_ref3 => {
+      var _queryResult$credenti;
+      let [id, match] = _ref3;
+      if (match.output.credential_format !== "vc+sd-jwt") {
+        throw new Error("Unsupported format"); // TODO [SIW-2082]: support MDOC credentials
+      }
+
+      const {
+        vct,
+        claims
+      } = match.output;
+
+      // Find a matching credential set to see whether the credential is optional
+      // If no credential set is found, then the credential is required by default
+      // NOTE: This is an extra, it might not be necessary
+      const credentialSet = (_queryResult$credenti = queryResult.credential_sets) === null || _queryResult$credenti === void 0 ? void 0 : _queryResult$credenti.find(set => {
+        var _set$matching_options;
+        return (_set$matching_options = set.matching_options) === null || _set$matching_options === void 0 ? void 0 : _set$matching_options.flat().includes(vct);
+      });
+      const isOptional = credentialSet ? !credentialSet.required : false;
+      const [keyTag, credential] = credentialsSdJwtByVct[vct];
+      const requiredDisclosures = Object.values(claims);
+      return {
+        id,
+        keyTag,
+        credential,
+        isOptional,
+        requiredDisclosures
+      };
+    });
+  } catch (error) {
+    // Invalid DCQL query structure
+    if (isValiError(error)) {
+      throw new ValidationFailed({
+        message: "Invalid DCQL query",
+        reason: error.issues.map(issue => issue.message).join(", ")
+      });
+    }
+    if (error instanceof DcqlError) {
+      // TODO [SIW-2110]: handle invalid DQCL query or let the error propagate
+    }
+    if (error instanceof DcqlCredentialSetError) {
+      // TODO [SIW-2110]: handle missing credentials or let the error propagate
+    }
+    throw error;
+  }
+};
+export const prepareRemotePresentations = async (credentials, nonce, clientId) => {
+  return Promise.all(credentials.map(async item => {
+    const {
+      vp_token
+    } = await prepareVpToken(nonce, clientId, [item.credential, item.requestedClaims, createCryptoContextFor(item.keyTag)]);
+    return {
+      credentialId: item.id,
+      requestedClaims: item.requestedClaims,
+      vpToken: vp_token,
+      format: "vc+sd-jwt"
+    };
+  }));
+};
+//# sourceMappingURL=07-evaluate-dcql-query.js.map

package/lib/module/credential/presentation/07-evaluate-dcql-query.js.map

@@ -0,0 +1 @@
+{"version":3,"names":["DcqlQuery","DcqlError","DcqlCredentialSetError","isValiError","decode","prepareVpToken","ValidationFailed","createCryptoContextFor","mapCredentialToObject","jwt","sdJwt","disclosures","credentialFormat","header","typ","Error","vct","payload","credential_format","claims","reduce","acc","disclosure","decoded","getDcqlQueryMatches","result","Object","entries","credential_matches","filter","_ref","match","success","evaluateDcqlQuery","credentialsSdJwt","query","credentials","map","_ref2","credential","parsedQuery","parse","validate","queryResult","canBeSatisfied","credentialsSdJwtByVct","c","i","_ref3","_queryResult$credenti","id","output","credentialSet","credential_sets","find","set","_set$matching_options","matching_options","flat","includes","isOptional","required","keyTag","requiredDisclosures","values","error","message","reason","issues","issue","join","prepareRemotePresentations","nonce","clientId","Promise","all","item","vp_token","requestedClaims","credentialId","vpToken","format"],"sourceRoot":"../../../../src","sources":["credential/presentation/07-evaluate-dcql-query.ts"],"mappings":"AAAA,SACEA,SAAS,EACTC,SAAS,EACTC,sBAAsB,QAEjB,MAAM;AACb,SAASC,WAAW,QAAQ,SAAS;AACrC,SAASC,MAAM,EAAEC,cAAc,QAAQ,cAAc;AAErD,SAASC,gBAAgB,QAAQ,oBAAoB;AACrD,SAASC,sBAAsB,QAAQ,oBAAoB;AA8B3D;AACA;AACA;AACA;AACA,MAAMC,qBAAqB,GAAIC,GAAW,IAAK;EAC7C,MAAM;IAAEC,KAAK;IAAEC;EAAY,CAAC,GAAGP,MAAM,CAACK,GAAG,CAAC;EAC1C,MAAMG,gBAAgB,GAAGF,KAAK,CAACG,MAAM,CAACC,GAAG;;EAEzC;EACA,IAAIF,gBAAgB,KAAK,WAAW,EAAE;IACpC,MAAM,IAAIG,KAAK,CAAE,kCAAiCH,gBAAiB,EAAC,CAAC;EACvE;EAEA,OAAO;IACLI,GAAG,EAAEN,KAAK,CAACO,OAAO,CAACD,GAAG;IACtBE,iBAAiB,EAAEN,gBAAgB;IACnCO,MAAM,EAAER,WAAW,CAACS,MAAM,CACxB,CAACC,GAAG,EAAEC,UAAU,MAAM;MACpB,GAAGD,GAAG;MACN,CAACC,UAAU,CAACC,OAAO,CAAC,CAAC,CAAC,GAAGD,UAAU,CAACC;IACtC,CAAC,CAAC,EACF,CAAC,CACH;EACF,CAAC;AACH,CAAC;;AAED;AACA;AACA;AACA,MAAMC,mBAAmB,GAAIC,MAAuB,IAClDC,MAAM,CAACC,OAAO,CAACF,MAAM,CAACG,kBAAkB,CAAC,CAACC,MAAM,CAC9CC,IAAA;EAAA,IAAC,GAAGC,KAAK,CAAC,GAAAD,IAAA;EAAA,OAAKC,KAAK,CAACC,OAAO,KAAK,IAAI;AAAA,CACvC,CAAiC;AAEnC,OAAO,MAAMC,iBAAoC,GAAGA,CAClDC,gBAAgB,EAChBC,KAAK,KACF;EACH,MAAMC,WAAW,GAAGF,gBAAgB,CAACG,GAAG,CAACC,KAAA;IAAA,IAAC,GAAGC,UAAU,CAAC,GAAAD,KAAA;IAAA,OACtD9B,qBAAqB,CAAC+B,UAAU,CAAC;EAAA,CACnC,CAAC;EAED,IAAI;IACF;IACA,MAAMC,WAAW,GAAGxC,SAAS,CAACyC,KAAK,CAACN,KAAK,CAAC;IAC1CnC,SAAS,CAAC0C,QAAQ,CAACF,WAAW,CAAC;IAE/B,MAAMG,WAAW,GAAG3C,SAAS,CAACmC,KAAK,CAACK,WAAW,EAAEJ,WAAW,CAAC;IAE7D,IAAI,CAACO,WAAW,CAACC,cAAc,EAAE;MAC/B,MAAM,IAAI7B,KAAK,CAAC,mDAAmD,CAAC;IACtE;;IAEA;IACA,MAAM8B,qBAAqB,GAAGT,WAAW,CAAChB,MAAM,CAC9C,CAACC,GAAG,EAAEyB,CAAC,EAAEC,CAAC,MAAM;MAAE,GAAG1B,GAAG;MAAE,CAACyB,CAAC,CAAC9B,GAAG,GAAGkB,gBAAgB,CAACa,CAAC;IAAG,CAAC,CAAC,EAC1D,CAAC,CACH,CAAC;IAED,OAAOvB,mBAAmB,CAACmB,WAAW,CAAC,CAACN,GAAG,CAACW,KAAA,IAAiB;MAAA,IAAAC,qBAAA;MAAA,IAAhB,CAACC,EAAE,EAAEnB,KAAK,CAAC,GAAAiB,KAAA;MACtD,IAAIjB,KAAK,CAACoB,MAAM,CAACjC,iBAAiB,KAAK,WAAW,EAAE;QAClD,MAAM,IAAIH,KAAK,CAAC,oBAAoB,CAAC,CAAC,CAAC;MACzC;;MACA,MAAM;QAAEC,GAAG;QAAEG;MAAO,CAAC,GAAGY,KAAK,CAACoB,MAAM;;MAEpC;MACA;MACA;MACA,MAAMC,aAAa,IAAAH,qBAAA,GAAGN,WAAW,CAACU,eAAe,cAAAJ,qBAAA,uBAA3BA,qBAAA,CAA6BK,IAAI,CAAEC,GAAG;QAAA,IAAAC,qBAAA;QAAA,QAAAA,qBAAA,GAC1DD,GAAG,CAACE,gBAAgB,cAAAD,qBAAA,uBAApBA,qBAAA,CAAsBE,IAAI,CAAC,CAAC,CAACC,QAAQ,CAAC3C,GAAG,CAAC;MAAA,CAC5C,CAAC;MACD,MAAM4C,UAAU,GAAGR,aAAa,GAAG,CAACA,aAAa,CAACS,QAAQ,GAAG,KAAK;MAElE,MAAM,CAACC,MAAM,EAAEvB,UAAU,CAAC,GAAGM,qBAAqB,CAAC7B,GAAG,CAAE;MACxD,MAAM+C,mBAAmB,GAAGrC,MAAM,CAACsC,MAAM,CACvC7C,MACF,CAA4B;MAC5B,OAAO;QACL+B,EAAE;QACFY,MAAM;QACNvB,UAAU;QACVqB,UAAU;QACVG;MACF,CAAC;IACH,CAAC,CAAC;EACJ,CAAC,CAAC,OAAOE,KAAK,EAAE;IACd;IACA,IAAI9D,WAAW,CAAC8D,KAAK,CAAC,EAAE;MACtB,MAAM,IAAI3D,gBAAgB,CAAC;QACzB4D,OAAO,EAAE,oBAAoB;QAC7BC,MAAM,EAAEF,KAAK,CAACG,MAAM,CAAC/B,GAAG,CAAEgC,KAAK,IAAKA,KAAK,CAACH,OAAO,CAAC,CAACI,IAAI,CAAC,IAAI;MAC9D,CAAC,CAAC;IACJ;IAEA,IAAIL,KAAK,YAAYhE,SAAS,EAAE;MAC9B;IAAA;IAEF,IAAIgE,KAAK,YAAY/D,sBAAsB,EAAE;MAC3C;IAAA;IAEF,MAAM+D,KAAK;EACb;AACF,CAAC;AAED,OAAO,MAAMM,0BAAsD,GAAG,MAAAA,CACpEnC,WAAW,EACXoC,KAAK,EACLC,QAAQ,KACL;EACH,OAAOC,OAAO,CAACC,GAAG,CAChBvC,WAAW,CAACC,GAAG,CAAC,MAAOuC,IAAI,IAAK;IAC9B,MAAM;MAAEC;IAAS,CAAC,GAAG,MAAMxE,cAAc,CAACmE,KAAK,EAAEC,QAAQ,EAAE,CACzDG,IAAI,CAACrC,UAAU,EACfqC,IAAI,CAACE,eAAe,EACpBvE,sBAAsB,CAACqE,IAAI,CAACd,MAAM,CAAC,CACpC,CAAC;IAEF,OAAO;MACLiB,YAAY,EAAEH,IAAI,CAAC1B,EAAE;MACrB4B,eAAe,EAAEF,IAAI,CAACE,eAAe;MACrCE,OAAO,EAAEH,QAAQ;MACjBI,MAAM,EAAE;IACV,CAAC;EACH,CAAC,CACH,CAAC;AACH,CAAC"}

package/lib/module/credential/presentation/07-evaluate-input-descriptor.js

@@ -0,0 +1,278 @@
+import { decode, prepareVpToken } from "../../sd-jwt";
+import { createCryptoContextFor } from "../../utils/crypto";
+import { JSONPath } from "jsonpath-plus";
+import { CredentialNotFoundError, MissingDataError } from "./errors";
+import Ajv from "ajv";
+const ajv = new Ajv({
+  allErrors: true
+});
+const INDEX_CLAIM_NAME = 1;
+/**
+ * Transforms an array of DisclosureWithEncoded objects into a key-value map.
+ * @param disclosures - An array of DisclosureWithEncoded, each containing a decoded property with [?, claimName, claimValue].
+ * @returns An object mapping claim names to their corresponding values.
+ */
+const mapDisclosuresToObject = disclosures => {
+  return disclosures.reduce((obj, _ref) => {
+    let {
+      decoded
+    } = _ref;
+    const [, claimName, claimValue] = decoded;
+    obj[claimName] = claimValue;
+    return obj;
+  }, {});
+};
+
+/**
+ * Finds a claim within the payload based on provided JSONPath expressions.
+ * @param paths - An array of JSONPath expressions to search for in the payload.
+ * @param payload - The object to search within using JSONPath.
+ * @returns A tuple with the first matched JSONPath and its corresponding value, or [undefined, undefined] if not found.
+ */
+const findMatchedClaim = (paths, payload) => {
+  let matchedPath;
+  let matchedValue;
+  paths.some(singlePath => {
+    try {
+      const result = JSONPath({
+        path: singlePath,
+        json: payload
+      });
+      if (result.length > 0) {
+        matchedPath = singlePath;
+        matchedValue = result[0];
+        return true;
+      }
+    } catch (error) {
+      throw new MissingDataError(`JSONPath for "${singlePath}" does not match the provided payload.`);
+    }
+    return false;
+  });
+  return [matchedPath, matchedValue];
+};
+
+/**
+ * Extracts the claim name from a path that can be in one of the following formats:
+ * 1. $.propertyName
+ * 2. $["propertyName"] or $['propertyName']
+ *
+ * @param path - The path string containing the claim reference.
+ * @returns The extracted claim name if matched; otherwise, throws an exception.
+ */
+const extractClaimName = path => {
+  // Define a regular expression that matches both formats:
+  // 1. $.propertyName
+  // 2. $["propertyName"] or $['propertyName']
+  const regex = /^\$\.(\w+)$|^\$\[(?:'|")(\w+)(?:'|")\]$/;
+  const match = path.match(regex);
+  if (match) {
+    // match[1] corresponds to the first capture group (\w+) after $.
+    // match[2] corresponds to the second capture group (\w+) inside [""] or ['']
+    return match[1] || match[2];
+  }
+
+  // If the input doesn't match any of the expected formats, return null
+
+  throw new Error(`Invalid input format: "${path}". Expected formats are "$.propertyName", "$['propertyName']", or '$["propertyName"]'.`);
+};
+
+/**
+ * Evaluates an InputDescriptor for an SD-JWT-based verifiable credential.
+ *
+ * - Checks each field in the InputDescriptor against the provided `payloadCredential`
+ *   and `disclosures` (selectively disclosed claims).
+ * - Validates whether required fields are present (unless marked optional)
+ *   and match any specified JSONPath.
+ * - If a field includes a JSON Schema filter, validates the claim value against that schema.
+ * - Enforces `limit_disclosure` rules by returning only disclosures, required and optional, matching the specified fields
+ *   if set to "required". Otherwise also return the array unrequestedDisclosures with disclosures which can be passed for a particular use case.
+ * - Throws an error if a required field is invalid or missing.
+ *
+ * @param inputDescriptor - Describes constraints (fields, filters, etc.) that must be satisfied.
+ * @param payloadCredential - The credential payload to check against.
+ * @param disclosures - An array of DisclosureWithEncoded objects representing selective disclosures.
+ * @returns A filtered list of disclosures satisfying the descriptor constraints, or throws an error if not.
+ * @throws Will throw an error if any required constraint fails or if JSONPath lookups are invalid.
+ */
+export const evaluateInputDescriptorForSdJwt4VC = (inputDescriptor, payloadCredential, disclosures) => {
+  var _inputDescriptor$cons;
+  if (!(inputDescriptor !== null && inputDescriptor !== void 0 && (_inputDescriptor$cons = inputDescriptor.constraints) !== null && _inputDescriptor$cons !== void 0 && _inputDescriptor$cons.fields)) {
+    // No validation, all field are optional
+    return {
+      requiredDisclosures: [],
+      optionalDisclosures: [],
+      unrequestedDisclosures: disclosures
+    };
+  }
+  const requiredClaimNames = [];
+  const optionalClaimNames = [];
+
+  // Transform disclosures to find claim using JSONPath
+  const disclosuresAsPayload = mapDisclosuresToObject(disclosures);
+
+  // For each field, we need at least one matching path
+  // If we succeed, we push the matched disclosure in matchedDisclosures and stop checking further paths
+  const allFieldsValid = inputDescriptor.constraints.fields.every(field => {
+    // For Potential profile, selectively disclosed claims will always be built as an individual object property, by using a name-value pair.
+    // Hence that selective claim for array element and recursive disclosures are not supported by Potential for the first iteration of Piloting.
+    // We need to check inside disclosures or inside credential payload. Example path: "$.given_name"
+    let [matchedPath, matchedValue] = findMatchedClaim(field.path, disclosuresAsPayload);
+    if (!matchedPath) {
+      [matchedPath, matchedValue] = findMatchedClaim(field.path, payloadCredential);
+      if (!matchedPath) {
+        // Path could be optional, in this case no need to validate! continue to next field
+        return field === null || field === void 0 ? void 0 : field.optional;
+      }
+    } else {
+      // if match a disclouse we save which is required or optional
+      const claimName = extractClaimName(matchedPath);
+      if (claimName) {
+        (field !== null && field !== void 0 && field.optional ? optionalClaimNames : requiredClaimNames).push(claimName);
+      }
+    }
+
+    // FILTER validation
+    // If this field has a "filter" (JSON Schema), validate the claimValue
+    if (field.filter) {
+      try {
+        const validateSchema = ajv.compile(field.filter);
+        if (!validateSchema(matchedValue)) {
+          throw new MissingDataError(`Claim value "${matchedValue}" for path "${matchedPath}" does not match the provided JSON Schema.`);
+        }
+      } catch (error) {
+        return false;
+      }
+    }
+    // Submission Requirements validation
+    // TODO: [EUDIW-216] Read rule value if “all” o “pick” and validate
+
+    return true;
+  });
+  if (!allFieldsValid) {
+    throw new MissingDataError("Credential validation failed: Required fields are missing or do not match the input descriptor.");
+  }
+
+  // Categorizes disclosures into required and optional based on claim names and disclosure constraints.
+
+  const requiredDisclosures = disclosures.filter(disclosure => requiredClaimNames.includes(disclosure.decoded[INDEX_CLAIM_NAME]));
+  const optionalDisclosures = disclosures.filter(disclosure => optionalClaimNames.includes(disclosure.decoded[INDEX_CLAIM_NAME]));
+  const isNotLimitDisclosure = !(inputDescriptor.constraints.limit_disclosure === "required");
+  const unrequestedDisclosures = isNotLimitDisclosure ? disclosures.filter(disclosure => !optionalClaimNames.includes(disclosure.decoded[INDEX_CLAIM_NAME]) && !requiredClaimNames.includes(disclosure.decoded[INDEX_CLAIM_NAME])) : [];
+  return {
+    requiredDisclosures,
+    optionalDisclosures,
+    unrequestedDisclosures
+  };
+};
+/**
+ * Finds the first credential that satisfies the input descriptor constraints.
+ * @param inputDescriptor The input descriptor to evaluate.
+ * @param decodedSdJwtCredentials An array of decoded SD-JWT credentials.
+ * @returns An object containing the matched evaluation, keyTag, and credential.
+ */
+export const findCredentialSdJwt = (inputDescriptor, decodedSdJwtCredentials) => {
+  for (const {
+    keyTag,
+    credential,
+    sdJwt,
+    disclosures
+  } of decodedSdJwtCredentials) {
+    try {
+      const evaluatedDisclosure = evaluateInputDescriptorForSdJwt4VC(inputDescriptor, sdJwt.payload, disclosures);
+      return {
+        matchedEvaluation: evaluatedDisclosure,
+        matchedKeyTag: keyTag,
+        matchedCredential: credential
+      };
+    } catch {
+      // skip to next credential
+      continue;
+    }
+  }
+  throw new CredentialNotFoundError("None of the vc+sd-jwt credentials satisfy the requirements.");
+};
+
+/**
+ * Evaluates multiple input descriptors against provided SD-JWT and MDOC credentials.
+ *
+ * For each input descriptor, this function:
+ * - Checks the credential format.
+ * - Decodes the credential.
+ * - Evaluates the descriptor using the associated disclosures.
+ *
+ * @param inputDescriptors - An array of input descriptors.
+ * @param credentialsSdJwt - An array of tuples containing keyTag and SD-JWT credential.
+ * @returns An array of objects, each containing the evaluated disclosures,
+ *          the input descriptor, the credential, and the keyTag.
+ * @throws {CredentialNotFoundError} When the credential format is unsupported.
+ */
+export const evaluateInputDescriptors = async (inputDescriptors, credentialsSdJwt) => {
+  // We need decode SD-JWT credentials for evaluation
+  const decodedSdJwtCredentials = (credentialsSdJwt === null || credentialsSdJwt === void 0 ? void 0 : credentialsSdJwt.map(_ref2 => {
+    let [keyTag, credential] = _ref2;
+    const {
+      sdJwt,
+      disclosures
+    } = decode(credential);
+    return {
+      keyTag,
+      credential,
+      sdJwt,
+      disclosures
+    };
+  })) || [];
+  return Promise.all(inputDescriptors.map(async descriptor => {
+    var _descriptor$format;
+    if ((_descriptor$format = descriptor.format) !== null && _descriptor$format !== void 0 && _descriptor$format["vc+sd-jwt"]) {
+      if (!decodedSdJwtCredentials.length) {
+        throw new CredentialNotFoundError("vc+sd-jwt credential is not supported.");
+      }
+      const {
+        matchedEvaluation,
+        matchedKeyTag,
+        matchedCredential
+      } = findCredentialSdJwt(descriptor, decodedSdJwtCredentials);
+      return {
+        evaluatedDisclosure: matchedEvaluation,
+        inputDescriptor: descriptor,
+        credential: matchedCredential,
+        keyTag: matchedKeyTag
+      };
+    }
+    throw new CredentialNotFoundError(`${descriptor.format} format is not supported.`);
+  }));
+};
+
+/**
+ * Prepares remote presentations for a set of credentials based on input descriptors.
+ *
+ * For each credential and its corresponding input descriptor, this function:
+ * - Validates the credential format.
+ * - Generates a verifiable presentation token (vpToken) using the provided nonce and client identifier.
+ *
+ * @param credentialAndDescriptors - An array containing objects with requested claims,
+ *                                   input descriptor, credential, and keyTag.
+ * @param nonce - A unique nonce for the verifiable presentation token.
+ * @param client_id - The client identifier.
+ * @returns A promise that resolves to an array of RemotePresentation objects.
+ * @throws {CredentialNotFoundError} When the credential format is unsupported.
+ */
+export const prepareRemotePresentations = async (credentialAndDescriptors, nonce, client_id) => {
+  return Promise.all(credentialAndDescriptors.map(async item => {
+    var _descriptor$format2;
+    const descriptor = item.inputDescriptor;
+    if ((_descriptor$format2 = descriptor.format) !== null && _descriptor$format2 !== void 0 && _descriptor$format2["vc+sd-jwt"]) {
+      const {
+        vp_token
+      } = await prepareVpToken(nonce, client_id, [item.credential, item.requestedClaims, createCryptoContextFor(item.keyTag)]);
+      return {
+        requestedClaims: item.requestedClaims,
+        inputDescriptor: descriptor,
+        vpToken: vp_token,
+        format: "vc+sd-jwt"
+      };
+    }
+    throw new CredentialNotFoundError(`${descriptor.format} format is not supported.`);
+  }));
+};
+//# sourceMappingURL=07-evaluate-input-descriptor.js.map

package/lib/module/credential/presentation/07-evaluate-input-descriptor.js.map

@@ -0,0 +1 @@
+{"version":3,"names":["decode","prepareVpToken","createCryptoContextFor","JSONPath","CredentialNotFoundError","MissingDataError","Ajv","ajv","allErrors","INDEX_CLAIM_NAME","mapDisclosuresToObject","disclosures","reduce","obj","_ref","decoded","claimName","claimValue","findMatchedClaim","paths","payload","matchedPath","matchedValue","some","singlePath","result","path","json","length","error","extractClaimName","regex","match","Error","evaluateInputDescriptorForSdJwt4VC","inputDescriptor","payloadCredential","_inputDescriptor$cons","constraints","fields","requiredDisclosures","optionalDisclosures","unrequestedDisclosures","requiredClaimNames","optionalClaimNames","disclosuresAsPayload","allFieldsValid","every","field","optional","push","filter","validateSchema","compile","disclosure","includes","isNotLimitDisclosure","limit_disclosure","findCredentialSdJwt","decodedSdJwtCredentials","keyTag","credential","sdJwt","evaluatedDisclosure","matchedEvaluation","matchedKeyTag","matchedCredential","evaluateInputDescriptors","inputDescriptors","credentialsSdJwt","map","_ref2","Promise","all","descriptor","_descriptor$format","format","prepareRemotePresentations","credentialAndDescriptors","nonce","client_id","item","_descriptor$format2","vp_token","requestedClaims","vpToken"],"sourceRoot":"../../../../src","sources":["credential/presentation/07-evaluate-input-descriptor.ts"],"mappings":"AAEA,SAASA,MAAM,EAAEC,cAAc,QAAQ,cAAc;AACrD,SAASC,sBAAsB,QAAQ,oBAAoB;AAC3D,SAASC,QAAQ,QAAQ,eAAe;AACxC,SAASC,uBAAuB,EAAEC,gBAAgB,QAAQ,UAAU;AACpE,OAAOC,GAAG,MAAM,KAAK;AAErB,MAAMC,GAAG,GAAG,IAAID,GAAG,CAAC;EAAEE,SAAS,EAAE;AAAK,CAAC,CAAC;AACxC,MAAMC,gBAAgB,GAAG,CAAC;AAqC1B;AACA;AACA;AACA;AACA;AACA,MAAMC,sBAAsB,GAC1BC,WAAoC,IACR;EAC5B,OAAOA,WAAW,CAACC,MAAM,CACvB,CAACC,GAAG,EAAAC,IAAA,KAAkB;IAAA,IAAhB;MAAEC;IAAQ,CAAC,GAAAD,IAAA;IACf,MAAM,GAAGE,SAAS,EAAEC,UAAU,CAAC,GAAGF,OAAO;IACzCF,GAAG,CAACG,SAAS,CAAC,GAAGC,UAAU;IAC3B,OAAOJ,GAAG;EACZ,CAAC,EACD,CAAC,CACH,CAAC;AACH,CAAC;;AAED;AACA;AACA;AACA;AACA;AACA;AACA,MAAMK,gBAAgB,GAAGA,CACvBC,KAAe,EACfC,OAAY,KACW;EACvB,IAAIC,WAAW;EACf,IAAIC,YAAY;EAChBH,KAAK,CAACI,IAAI,CAAEC,UAAU,IAAK;IACzB,IAAI;MACF,MAAMC,MAAM,GAAGtB,QAAQ,CAAC;QAAEuB,IAAI,EAAEF,UAAU;QAAEG,IAAI,EAAEP;MAAQ,CAAC,CAAC;MAC5D,IAAIK,MAAM,CAACG,MAAM,GAAG,CAAC,EAAE;QACrBP,WAAW,GAAGG,UAAU;QACxBF,YAAY,GAAGG,MAAM,CAAC,CAAC,CAAC;QACxB,OAAO,IAAI;MACb;IACF,CAAC,CAAC,OAAOI,KAAK,EAAE;MACd,MAAM,IAAIxB,gBAAgB,CACvB,iBAAgBmB,UAAW,wCAC9B,CAAC;IACH;IACA,OAAO,KAAK;EACd,CAAC,CAAC;EAEF,OAAO,CAACH,WAAW,EAAEC,YAAY,CAAC;AACpC,CAAC;;AAED;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,MAAMQ,gBAAgB,GAAIJ,IAAY,IAAyB;EAC7D;EACA;EACA;EACA,MAAMK,KAAK,GAAG,yCAAyC;EAEvD,MAAMC,KAAK,GAAGN,IAAI,CAACM,KAAK,CAACD,KAAK,CAAC;EAC/B,IAAIC,KAAK,EAAE;IACT;IACA;IACA,OAAOA,KAAK,CAAC,CAAC,CAAC,IAAIA,KAAK,CAAC,CAAC,CAAC;EAC7B;;EAEA;;EAEA,MAAM,IAAIC,KAAK,CACZ,0BAAyBP,IAAK,wFACjC,CAAC;AACH,CAAC;;AAED;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,OAAO,MAAMQ,kCAAmE,GAC9EA,CAACC,eAAe,EAAEC,iBAAiB,EAAEzB,WAAW,KAAK;EAAA,IAAA0B,qBAAA;EACnD,IAAI,EAACF,eAAe,aAAfA,eAAe,gBAAAE,qBAAA,GAAfF,eAAe,CAAEG,WAAW,cAAAD,qBAAA,eAA5BA,qBAAA,CAA8BE,MAAM,GAAE;IACzC;IACA,OAAO;MACLC,mBAAmB,EAAE,EAAE;MACvBC,mBAAmB,EAAE,EAAE;MACvBC,sBAAsB,EAAE/B;IAC1B,CAAC;EACH;EACA,MAAMgC,kBAA4B,GAAG,EAAE;EACvC,MAAMC,kBAA4B,GAAG,EAAE;;EAEvC;EACA,MAAMC,oBAAoB,GAAGnC,sBAAsB,CAACC,WAAW,CAAC;;EAEhE;EACA;EACA,MAAMmC,cAAc,GAAGX,eAAe,CAACG,WAAW,CAACC,MAAM,CAACQ,KAAK,CAAEC,KAAK,IAAK;IACzE;IACA;IACA;IACA,IAAI,CAAC3B,WAAW,EAAEC,YAAY,CAAC,GAAGJ,gBAAgB,CAChD8B,KAAK,CAACtB,IAAI,EACVmB,oBACF,CAAC;IAED,IAAI,CAACxB,WAAW,EAAE;MAChB,CAACA,WAAW,EAAEC,YAAY,CAAC,GAAGJ,gBAAgB,CAC5C8B,KAAK,CAACtB,IAAI,EACVU,iBACF,CAAC;MAED,IAAI,CAACf,WAAW,EAAE;QAChB;QACA,OAAO2B,KAAK,aAALA,KAAK,uBAALA,KAAK,CAAEC,QAAQ;MACxB;IACF,CAAC,MAAM;MACL;MACA,MAAMjC,SAAS,GAAGc,gBAAgB,CAACT,WAAW,CAAC;MAC/C,IAAIL,SAAS,EAAE;QACb,CAACgC,KAAK,aAALA,KAAK,eAALA,KAAK,CAAEC,QAAQ,GAAGL,kBAAkB,GAAGD,kBAAkB,EAAEO,IAAI,CAC9DlC,SACF,CAAC;MACH;IACF;;IAEA;IACA;IACA,IAAIgC,KAAK,CAACG,MAAM,EAAE;MAChB,IAAI;QACF,MAAMC,cAAc,GAAG7C,GAAG,CAAC8C,OAAO,CAACL,KAAK,CAACG,MAAM,CAAC;QAChD,IAAI,CAACC,cAAc,CAAC9B,YAAY,CAAC,EAAE;UACjC,MAAM,IAAIjB,gBAAgB,CACvB,gBAAeiB,YAAa,eAAcD,WAAY,4CACzD,CAAC;QACH;MACF,CAAC,CAAC,OAAOQ,KAAK,EAAE;QACd,OAAO,KAAK;MACd;IACF;IACA;IACA;;IAEA,OAAO,IAAI;EACb,CAAC,CAAC;EAEF,IAAI,CAACiB,cAAc,EAAE;IACnB,MAAM,IAAIzC,gBAAgB,CACxB,iGACF,CAAC;EACH;;EAEA;;EAEA,MAAMmC,mBAAmB,GAAG7B,WAAW,CAACwC,MAAM,CAAEG,UAAU,IACxDX,kBAAkB,CAACY,QAAQ,CAACD,UAAU,CAACvC,OAAO,CAACN,gBAAgB,CAAC,CAClE,CAAC;EAED,MAAMgC,mBAAmB,GAAG9B,WAAW,CAACwC,MAAM,CAAEG,UAAU,IACxDV,kBAAkB,CAACW,QAAQ,CAACD,UAAU,CAACvC,OAAO,CAACN,gBAAgB,CAAC,CAClE,CAAC;EAED,MAAM+C,oBAAoB,GAAG,EAC3BrB,eAAe,CAACG,WAAW,CAACmB,gBAAgB,KAAK,UAAU,CAC5D;EAED,MAAMf,sBAAsB,GAAGc,oBAAoB,GAC/C7C,WAAW,CAACwC,MAAM,CACfG,UAAU,IACT,CAACV,kBAAkB,CAACW,QAAQ,CAC1BD,UAAU,CAACvC,OAAO,CAACN,gBAAgB,CACrC,CAAC,IACD,CAACkC,kBAAkB,CAACY,QAAQ,CAACD,UAAU,CAACvC,OAAO,CAACN,gBAAgB,CAAC,CACrE,CAAC,GACD,EAAE;EAEN,OAAO;IACL+B,mBAAmB;IACnBC,mBAAmB;IACnBC;EACF,CAAC;AACH,CAAC;AASH;AACA;AACA;AACA;AACA;AACA;AACA,OAAO,MAAMgB,mBAAmB,GAAGA,CACjCvB,eAAgC,EAChCwB,uBAAiD,KAK9C;EACH,KAAK,MAAM;IACTC,MAAM;IACNC,UAAU;IACVC,KAAK;IACLnD;EACF,CAAC,IAAIgD,uBAAuB,EAAE;IAC5B,IAAI;MACF,MAAMI,mBAAmB,GAAG7B,kCAAkC,CAC5DC,eAAe,EACf2B,KAAK,CAAC1C,OAAO,EACbT,WACF,CAAC;MAED,OAAO;QACLqD,iBAAiB,EAAED,mBAAmB;QACtCE,aAAa,EAAEL,MAAM;QACrBM,iBAAiB,EAAEL;MACrB,CAAC;IACH,CAAC,CAAC,MAAM;MACN;MACA;IACF;EACF;EAEA,MAAM,IAAIzD,uBAAuB,CAC/B,6DACF,CAAC;AACH,CAAC;;AAED;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,OAAO,MAAM+D,wBAAkD,GAAG,MAAAA,CAChEC,gBAAgB,EAChBC,gBAAgB,KACb;EACH;EACA,MAAMV,uBAAuB,GAC3B,CAAAU,gBAAgB,aAAhBA,gBAAgB,uBAAhBA,gBAAgB,CAAEC,GAAG,CAACC,KAAA,IAA0B;IAAA,IAAzB,CAACX,MAAM,EAAEC,UAAU,CAAC,GAAAU,KAAA;IACzC,MAAM;MAAET,KAAK;MAAEnD;IAAY,CAAC,GAAGX,MAAM,CAAC6D,UAAU,CAAC;IACjD,OAAO;MAAED,MAAM;MAAEC,UAAU;MAAEC,KAAK;MAAEnD;IAAY,CAAC;EACnD,CAAC,CAAC,KAAI,EAAE;EAEV,OAAO6D,OAAO,CAACC,GAAG,CAChBL,gBAAgB,CAACE,GAAG,CAAC,MAAOI,UAAU,IAAK;IAAA,IAAAC,kBAAA;IACzC,KAAAA,kBAAA,GAAID,UAAU,CAACE,MAAM,cAAAD,kBAAA,eAAjBA,kBAAA,CAAoB,WAAW,CAAC,EAAE;MACpC,IAAI,CAAChB,uBAAuB,CAAC/B,MAAM,EAAE;QACnC,MAAM,IAAIxB,uBAAuB,CAC/B,wCACF,CAAC;MACH;MAEA,MAAM;QAAE4D,iBAAiB;QAAEC,aAAa;QAAEC;MAAkB,CAAC,GAC3DR,mBAAmB,CAACgB,UAAU,EAAEf,uBAAuB,CAAC;MAE1D,OAAO;QACLI,mBAAmB,EAAEC,iBAAiB;QACtC7B,eAAe,EAAEuC,UAAU;QAC3Bb,UAAU,EAAEK,iBAAiB;QAC7BN,MAAM,EAAEK;MACV,CAAC;IACH;IAEA,MAAM,IAAI7D,uBAAuB,CAC9B,GAAEsE,UAAU,CAACE,MAAO,2BACvB,CAAC;EACH,CAAC,CACH,CAAC;AACH,CAAC;;AAED;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,OAAO,MAAMC,0BAAsD,GAAG,MAAAA,CACpEC,wBAAwB,EACxBC,KAAK,EACLC,SAAS,KACN;EACH,OAAOR,OAAO,CAACC,GAAG,CAChBK,wBAAwB,CAACR,GAAG,CAAC,MAAOW,IAAI,IAAK;IAAA,IAAAC,mBAAA;IAC3C,MAAMR,UAAU,GAAGO,IAAI,CAAC9C,eAAe;IAEvC,KAAA+C,mBAAA,GAAIR,UAAU,CAACE,MAAM,cAAAM,mBAAA,eAAjBA,mBAAA,CAAoB,WAAW,CAAC,EAAE;MACpC,MAAM;QAAEC;MAAS,CAAC,GAAG,MAAMlF,cAAc,CAAC8E,KAAK,EAAEC,SAAS,EAAE,CAC1DC,IAAI,CAACpB,UAAU,EACfoB,IAAI,CAACG,eAAe,EACpBlF,sBAAsB,CAAC+E,IAAI,CAACrB,MAAM,CAAC,CACpC,CAAC;MAEF,OAAO;QACLwB,eAAe,EAAEH,IAAI,CAACG,eAAe;QACrCjD,eAAe,EAAEuC,UAAU;QAC3BW,OAAO,EAAEF,QAAQ;QACjBP,MAAM,EAAE;MACV,CAAC;IACH;IAEA,MAAM,IAAIxE,uBAAuB,CAC9B,GAAEsE,UAAU,CAACE,MAAO,2BACvB,CAAC;EACH,CAAC,CACH,CAAC;AACH,CAAC"}