@parmanasystems/execution 1.0.19 → 1.3.0

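--- a/package/dist/index.d.ts
+++ b/package/dist/index.d.ts
@@ -66,6 +66,7 @@ interface ExecutionContext {
  verifier: any;
  runtime_manifest: any;
  runtime_requirements: any;
+ auditMode?: boolean;
  }
 
  interface ReplayStore {
@@ -83,6 +84,20 @@ interface ExecutionAttestation {
  signature: string;
  runtime_hash: string;
  }
+ /**
+ * Deterministic attestation canonicalization
+ *
+ * Used for:
+ * - attestation signing
+ * - independent verification
+ * - reproducibility proofs
+ */
+ declare function canonicalizeAttestation(attestation: {
+ execution_id: string;
+ decision: any;
+ execution_state: string;
+ runtime_hash: string;
+ }): string;
 
  /**
  * 🔴 CORE EXECUTION (FULLY DETERMINISTIC)
@@ -211,11 +226,12 @@ declare function verifyRuntimeManifest(manifest: RuntimeManifest, signature: str
  * In-process Ed25519 {@link Signer} backed by Node.js `crypto`.
  *
  * Suitable for development and environments where the private key can be
- * securely injected at process start. For hardware-backed or remote signing
+ * securely injected at process start. For hardware-backed or remote signing
  * see {@link AwsKmsSigner}.
  */
  declare class LocalSigner implements Signer {
  private readonly privateKey;
+ private readonly keyObject;
  /**
  * @param privateKey - PEM-encoded Ed25519 private key (PKCS8 format).
  */
@@ -578,7 +594,7 @@ declare function stageVerify(token: ExecutionToken, token_signature: string, ver
  */
  declare function stageExecute(token: ExecutionToken): void;
  /**
- * 🔒 Stage 3 — Signing (NEW MODEL)
+ * 🔒 Stage 3 — Signing (DETERMINISTIC)
  */
  declare function stageSign(payload: {
  execution_id: string;
@@ -589,7 +605,7 @@ declare function stageSign(payload: {
  };
  execution_state: "completed" | "blocked" | "pending_override";
  }, signer: {
- sign: (data: Uint8Array) => Uint8Array;
+ sign: (payload: string) => string;
  }, runtime_hash: string): {
  execution_id: string;
  decision: {
@@ -807,4 +823,4 @@ declare function resolveOverride(executionId: string, replayStore: AsyncReplaySt
  resolved: boolean;
  }>;
 
- export { type AsyncReplayStore, type AsyncSigner, type AuditEntry, type DecisionResult, type DryRunResult, type ExecutionAttestation, type ExecutionContext, type ExecutionToken, FORBIDDEN_GLOBALS, INVARIANT_REGISTRY, type InvariantBoundary, type InvariantEntry, type InvariantId, InvariantViolation, LocalSigner, LocalVerifier, MemoryReplayStore, RedisReplayStore, type ReplayStore, type RuntimeManifest, SEALED_SCOPE_FILES, type Signer, type Verifier, type ViolationReport, canonicalize, evaluateDryRun, evaluatePolicy, executeBatch, executeDecision, executeFromSignals, getRuntimeManifest, governingTime, hashInput, hashRuntime, issueToken, loadPolicy, resolveOverride, runtimeManifestDefinition, signExecutionToken, signRuntimeManifest, stageExecute, stageSign, stageVerify, verifyAuditChain, verifyAuditEntry, verifyExecutionToken, verifyRuntimeManifest, verifyRuntimePolicy, violate };
+ export { type AsyncReplayStore, type AsyncSigner, type AuditEntry, type DecisionResult, type DryRunResult, type ExecutionAttestation, type ExecutionContext, type ExecutionToken, FORBIDDEN_GLOBALS, INVARIANT_REGISTRY, type InvariantBoundary, type InvariantEntry, type InvariantId, InvariantViolation, LocalSigner, LocalVerifier, MemoryReplayStore, RedisReplayStore, type ReplayStore, type RuntimeManifest, SEALED_SCOPE_FILES, type Signer, type Verifier, type ViolationReport, canonicalize, canonicalizeAttestation, evaluateDryRun, evaluatePolicy, executeBatch, executeDecision, executeFromSignals, getRuntimeManifest, governingTime, hashInput, hashRuntime, issueToken, loadPolicy, resolveOverride, runtimeManifestDefinition, signExecutionToken, signRuntimeManifest, stageExecute, stageSign, stageVerify, verifyAuditChain, verifyAuditEntry, verifyExecutionToken, verifyRuntimeManifest, verifyRuntimePolicy, violate };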
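Review bot: The `signer` parameter of `stageSign` changes from `sign: (data: Uint8Array) => Uint8Array` to `sign: (payload: string) => string`, which silently breaks any signer written against the old shape: it would now be handed a string, and its return value appears to be placed in `signature` without encoding in the accompanying index.js change. The inline structural type also restates the signing contract separately from the exported `Signer` interface, which, judging by `LocalSigner implements Signer` and its doc comment, presumably already has this string-in, base64-out shape. I would declare the parameter as `signer: Signer` and document the expectation, e.g. `@param signer - signs the canonical attestation string (UTF-8) and returns a base64 signature`. The `stageSign` declaration continues outside these hunks.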
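--- a/package/dist/index.js
+++ b/package/dist/index.js
@@ -75,48 +75,94 @@ function verifyRuntimePolicy(policyId) {
  }
  }
 
+ // src/execution-attestation.ts
+ function canonicalizeAttestation(attestation) {
+ return JSON.stringify(
+ canonicalize3(
+ attestation
+ )
+ );
+ }
+ function canonicalize3(obj) {
+ if (Array.isArray(obj)) {
+ return obj.map(
+ canonicalize3
+ );
+ }
+ if (obj !== null && typeof obj === "object") {
+ return Object.keys(obj).sort().reduce(
+ (acc, key) => {
+ acc[key] = canonicalize3(
+ obj[key]
+ );
+ return acc;
+ },
+ {}
+ );
+ }
+ return obj;
+ }
+
  // src/pipeline.ts
  function stageVerify(token, token_signature, verifier, runtime_manifest, runtime_requirements) {
  const valid = verifier.verify(
- Buffer.from(canonicalizeForSigning(token)),
- Buffer.from(token_signature, "base64")
+ Buffer.from(
+ canonicalizeForSigning(
+ token
+ )
+ ),
+ Buffer.from(
+ token_signature,
+ "base64"
+ )
  );
  if (!valid) {
- throw new Error("Invalid token signature");
+ throw new Error(
+ "Invalid token signature"
+ );
  }
  if (!runtime_requirements?.supported_runtime_versions || !runtime_requirements.supported_runtime_versions.includes(
  runtime_manifest.runtime_version
  )) {
- throw new Error("Unsupported runtime version");
+ throw new Error(
+ "Unsupported runtime version"
+ );
  }
  for (const cap of runtime_requirements?.required_capabilities || []) {
  if (!runtime_manifest.capabilities.includes(cap)) {
- throw new Error(`Missing required capability: ${cap}`);
+ throw new Error(
+ `Missing required capability: ${cap}`
+ );
  }
  }
  if (!runtime_requirements?.supported_schema_versions || !runtime_requirements.supported_schema_versions.includes(
  token.schema_version
  )) {
- throw new Error("Unsupported schema version");
+ throw new Error(
+ "Unsupported schema version"
+ );
  }
  }
  function stageExecute(token) {
  }
  function stageSign(payload, signer, runtime_hash) {
- const message = Buffer.from(
- JSON.stringify({
- execution_id: payload.execution_id,
- decision: payload.decision,
- execution_state: payload.execution_state,
- runtime_hash
- })
+ const attestation = {
+ execution_id: payload.execution_id,
+ decision: payload.decision,
+ execution_state: payload.execution_state,
+ runtime_hash
+ };
+ const canonical = canonicalizeAttestation(
+ attestation
+ );
+ const signature = signer.sign(
+ canonical
  );
- const signature = signer.sign(message);
  return {
  execution_id: payload.execution_id,
  decision: payload.decision,
  execution_state: payload.execution_state,
- signature: Buffer.from(signature).toString("base64"),
+ signature,
  runtime_hash
  };
  }
@@ -152,7 +198,11 @@ function executeDecision(context, replayStore) {
  runtime_requirements
  );
  const store = replayStore ?? new MemoryReplayStore();
- store.markExecuted(token.execution_id);
+ if (!context.auditMode) {
+ store.markExecuted(
+ token.execution_id
+ );
+ }
  stageExecute(token);
  const decision = token.decision_payload;
  const execution_state = decision.requires_override ? "pending_override" : decision.action === "approve" ? "completed" : "blocked";
@@ -179,9 +229,9 @@ function verifyAuditChain() {
  }
 
  // src/hash-runtime.ts
- import crypto from "crypto";
+ import * as crypto from "crypto";
  import {
- canonicalize as canonicalize3
+ canonicalize as canonicalize4
  } from "@parmanasystems/bundle";
  var runtimeManifestDefinition = {
  runtime_version: "1.0.0",
@@ -199,7 +249,7 @@ function hashRuntime() {
  return crypto.createHash(
  "sha256"
  ).update(
- canonicalize3(
+ canonicalize4(
  runtimeManifestDefinition
  )
  ).digest(
@@ -217,11 +267,11 @@ function getRuntimeManifest() {
 
  // src/sign-runtime-manifest.ts
  import {
- canonicalize as canonicalize4
+ canonicalize as canonicalize5
  } from "@parmanasystems/bundle";
  function signRuntimeManifest(manifest, signer) {
  return signer.sign(
- canonicalize4(manifest)
+ canonicalize5(manifest)
  );
  }
 
@@ -241,6 +291,11 @@ var LocalSigner = class {
  */
  constructor(privateKey) {
  this.privateKey = privateKey;
+ const normalizedKey = privateKey.replace(/\\n/g, "\n").trim();
+ this.keyObject = crypto2.createPrivateKey({
+ key: normalizedKey,
+ format: "pem"
+ });
  }
  /**
  * Signs `payload` (UTF-8) with the Ed25519 private key and returns a
@@ -253,7 +308,7 @@ var LocalSigner = class {
  payload,
  "utf8"
  ),
- this.privateKey
+ this.keyObject
  ).toString(
  "base64"
  );
@@ -261,7 +316,7 @@ var LocalSigner = class {
  };
 
  // src/local-verifier.ts
- import crypto3 from "crypto";
+ import * as crypto3 from "crypto";
  var LocalVerifier = class {
  /**
  * @param publicKey - PEM-encoded Ed25519 public key (SPKI format).
@@ -352,8 +407,8 @@ function evaluatePolicy(policy, signals) {
  }
 
  // src/load-policy.ts
- import fs from "fs";
- import path from "path";
+ import * as fs from "fs";
+ import * as path from "path";
  function loadPolicy(policyId, policyVersion, basePath = process.cwd()) {
  const policyPath = path.resolve(
  basePath,
@@ -737,7 +792,7 @@ var INVARIANT_REGISTRY = {
  };
 
  // src/violation.ts
- import crypto4 from "crypto";
+ import * as crypto4 from "crypto";
  var _seq = 0;
  var InvariantViolation = class extends Error {
  constructor(report) {
@@ -792,7 +847,7 @@ async function executeWithRedis(context, redisStore) {
  }
 
  // src/canonical-json.ts
- function canonicalize5(value) {
+ function canonicalize6(value) {
  return JSON.stringify(sortValue(value));
  }
  function sortValue(value) {
@@ -828,7 +883,7 @@ async function executeFromSignals(input, signer, verifier, replayStore) {
  "[SYS-005] Invalid decision: rule_id required"
  );
  }
- const canonicalSignals = canonicalize5(input.signals);
+ const canonicalSignals = canonicalize6(input.signals);
  const executionId = crypto5.createHash("sha256").update(
  JSON.stringify({
  policyId: input.policyId,
@@ -961,11 +1016,10 @@ var RedisReplayStore = class {
  constructor(url) {
  this.client = new Redis(url);
  }
- // -----------------------------
- // Replay protection
- // -----------------------------
  async hasExecuted(executionId) {
- const res = await this.client.exists(`exec:${executionId}`);
+ const res = await this.client.exists(
+ `exec:${executionId}`
+ );
  return res === 1;
  }
  async markExecuted(executionId) {
@@ -980,14 +1034,14 @@ var RedisReplayStore = class {
  );
  }
  }
- // -----------------------------
- // KV storage (for override)
- // -----------------------------
  async get(key) {
  return this.client.get(key);
  }
  async set(key, value) {
- await this.client.set(key, value);
+ await this.client.set(
+ key,
+ value
+ );
  }
  async del(key) {
  await this.client.del(key);
@@ -1034,7 +1088,8 @@ export {
  MemoryReplayStore,
  RedisReplayStore,
  SEALED_SCOPE_FILES,
- canonicalize5 as canonicalize,
+ canonicalize6 as canonicalize,
+ canonicalizeAttestation,
  evaluateDryRun,
  evaluatePolicy,
  executeBatch,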
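Review bot: In `executeDecision`, the new `if (!context.auditMode)` guard skips `store.markExecuted(token.execution_id)`, yet the lines after it still call `stageExecute(token)` and derive `execution_state`, so an audit-mode call appears to produce the same result as a live execution without the execution id ever being recorded for replay protection. Because `auditMode` is read from the caller-supplied context, anything able to build a context can turn the replay mark off. If the function goes on to sign the result (the rest of its body is outside the hunk), the attestation should be distinguishable from a live one, for example by carrying the mode inside the signed payload, or signing should be skipped in audit mode. At minimum the guard needs a comment such as `// auditMode: replay marking skipped; the result is not an authoritative execution`.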
package/dist/index.js.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"sources":["../src/issue-token.ts","../src/canonical-signing.ts","../src/sign-token.ts","../src/verify-token.ts","../src/verify-runtime.ts","../src/pipeline.ts","../src/memory-replay-store.ts","../src/execute.ts","../src/verify-audit.ts","../src/hash-runtime.ts","../src/runtime-manifest.ts","../src/sign-runtime-manifest.ts","../src/verify-runtime-manifest.ts","../src/local-signer.ts","../src/local-verifier.ts","../src/evaluator.ts","../src/load-policy.ts","../src/validate-signals.ts","../src/dry-run.ts","../src/invariant-registry.ts","../src/violation.ts","../src/sealed-vm.ts","../src/execute-from-signals.ts","../src/execute-with-redis.ts","../src/canonical-json.ts","../src/execute-batch.ts","../src/redis-replay-store.ts","../src/resolve-override.ts"],"sourcesContent":["import type { ExecutionToken } from \"./execution-token\";\n\n/**\n * 🔐 Issue Execution Token (FINAL)\n * Fully deterministic — caller provides execution_id\n */\nexport function issueToken(input: {\n execution_id: string;\n policy_id: string;\n decision_payload: any;\n schema_version: string;\n runtime_version: string;\n}): ExecutionToken {\n\n const {\n execution_id,\n policy_id,\n decision_payload,\n schema_version,\n runtime_version\n } = input;\n\n if (!schema_version) {\n throw new Error(\"Invalid token: schema_version missing\");\n }\n\n if (!runtime_version) {\n throw new Error(\"Invalid token: runtime_version missing\");\n }\n\n const token: ExecutionToken = {\n execution_id,\n policy_id,\n decision_payload,\n schema_version,\n runtime_version\n };\n\n return canonicalize(token);\n}\n\n/**\n * 🔒 Local canonicalization\n */\nfunction canonicalize(obj: any): any {\n if (Array.isArray(obj)) {\n return obj.map(canonicalize);\n }\n\n if (obj !== null && typeof obj === \"object\") {\n return Object.keys(obj)\n .sort()\n .reduce((acc: any, key) => {\n acc[key] = canonicalize(obj[key]);\n return acc;\n }, {});\n }\n\n return obj;\n}","import {\n canonicalize,\n} from 
\"@parmanasystems/bundle\";\n\n/**\n * Returns the canonical JSON string for `value` as used by all signing and\n * verification operations in the execution package. Delegates to the bundle\n * package's `canonicalize` so the representation is consistent across packages.\n */\nexport function canonicalizeForSigning(\n value: unknown\n): string {\n\n return canonicalize(value);\n}\n\n\n\n\n","import {\n canonicalizeForSigning\n} from \"./canonical-signing\";\n\nimport type {\n ExecutionToken,\n} from \"./execution-token\";\n\nimport type {\n Signer,\n} from \"./signer-interface\";\n\n/**\n * Signs the canonical form of `token` with `signer` and returns a\n * base64-encoded Ed25519 signature.\n */\nexport function signExecutionToken(\n token: ExecutionToken,\n signer: Signer\n): string {\n\n const canonical = canonicalizeForSigning(token);\n\n // 🔍 DEBUG (temporary)\nconsole.log(\"SIGN TOKEN:\", canonical);\n\n return signer.sign(canonical);\n}","import {\n canonicalizeForSigning\n} from \"./canonical-signing\";\n\nimport type {\n ExecutionToken,\n} from \"./execution-token\";\n\nimport type {\n Verifier,\n} from \"./verifier-interface\";\n\nexport function verifyExecutionToken(\n token: ExecutionToken,\n signature: string,\n verifier: Verifier\n): boolean {\n\n const canonical = canonicalizeForSigning(token);\n\n // 🔍 DEBUG (temporary)\n console.log(\"VERIFY TOKEN:\", canonical);\n\n return verifier.verify(\n canonical,\n signature\n );\n}","import {\n validatePolicy,\n} from \"@parmanasystems/governance\";\n\n/**\n * Validates that `policyId` passes full bundle and signature verification.\n * Delegates to {@link validatePolicy} and throws if validation fails.\n *\n * @throws When the policy does not exist or any version fails verification.\n */\nexport function verifyRuntimePolicy(\n policyId: string\n): void {\n const valid =\n validatePolicy(\n policyId\n );\n\n if (!valid) {\n throw new Error(\n `Runtime verification failed for policy: ${policyId}`\n );\n 
}\n}\n\n\n\n\n","import { canonicalizeForSigning } from \"./canonical-signing\";\n\nimport type { ExecutionToken } from \"./execution-token\";\n\n/**\n * 🔒 Stage 1 — Verification\n */\nexport function stageVerify(\n token: ExecutionToken,\n token_signature: string,\n verifier: { verify: (data: Uint8Array, sig: Uint8Array) => boolean },\n runtime_manifest: any,\n runtime_requirements: any\n): void {\n\n const valid = verifier.verify(\n Buffer.from(canonicalizeForSigning(token)),\n Buffer.from(token_signature, \"base64\")\n );\n\n if (!valid) {\n throw new Error(\"Invalid token signature\");\n }\n\n if (\n !runtime_requirements?.supported_runtime_versions ||\n !runtime_requirements.supported_runtime_versions.includes(\n runtime_manifest.runtime_version\n )\n ) {\n throw new Error(\"Unsupported runtime version\");\n }\n\n for (const cap of runtime_requirements?.required_capabilities || []) {\n if (!runtime_manifest.capabilities.includes(cap)) {\n throw new Error(`Missing required capability: ${cap}`);\n }\n }\n\n if (\n !runtime_requirements?.supported_schema_versions ||\n !runtime_requirements.supported_schema_versions.includes(\n token.schema_version\n )\n ) {\n throw new Error(\"Unsupported schema version\");\n }\n}\n\n/**\n * 🔒 Stage 2 — Execution (ENFORCEMENT ONLY)\n */\nexport function stageExecute(\n token: ExecutionToken\n): void {\n // No result generation anymore\n // Execution is just enforcing decision\n}\n\n/**\n * 🔒 Stage 3 — Signing (NEW MODEL)\n */\nexport function stageSign(\n payload: {\n execution_id: string;\n decision: {\n action: \"approve\" | \"reject\";\n requires_override: boolean;\n reason?: string;\n };\n execution_state: \"completed\" | \"blocked\" | \"pending_override\";\n },\n signer: { sign: (data: Uint8Array) => Uint8Array },\n runtime_hash: string\n) {\n\n const message = Buffer.from(\n JSON.stringify({\n execution_id: payload.execution_id,\n decision: payload.decision,\n execution_state: payload.execution_state,\n runtime_hash\n })\n 
);\n\n const signature = signer.sign(message);\n\n return {\n execution_id: payload.execution_id,\n decision: payload.decision,\n execution_state: payload.execution_state,\n signature: Buffer.from(signature).toString(\"base64\"),\n runtime_hash\n };\n}","import type { ReplayStore } from \"./replay-store-interface\";\n\n/**\n * 🔒 In-memory replay protection\n */\nexport class MemoryReplayStore implements ReplayStore {\n private store = new Set<string>();\n\n markExecuted(execution_id: string): void {\n if (this.store.has(execution_id)) {\n throw new Error(\"Replay attack detected\");\n }\n\n this.store.add(execution_id);\n }\n}\n","import {\n stageVerify,\n stageExecute,\n stageSign\n} from \"./pipeline\";\n\nimport { MemoryReplayStore } from \"./memory-replay-store\";\n\nimport type { ExecutionContext } from \"./execution-context\";\nimport type { ReplayStore } from \"./replay-store-interface\";\nimport type { ExecutionAttestation } from \"./execution-attestation\";\n\n/**\n * 🔴 CORE EXECUTION (FULLY DETERMINISTIC)\n *\n * Principles:\n * - NO time dependency\n * - replay is enforced\n * - decision is precomputed (token-driven)\n * - execution is enforcement only\n */\nexport function executeDecision(\n context: ExecutionContext,\n replayStore: ReplayStore\n): ExecutionAttestation {\n\n const {\n token,\n token_signature,\n signer,\n verifier,\n runtime_manifest,\n runtime_requirements\n } = context;\n\n // -----------------------------\n // Stage 1 — Verification\n // -----------------------------\n stageVerify(\n token,\n token_signature,\n verifier,\n runtime_manifest,\n runtime_requirements\n );\n\n // -----------------------------\n // Replay protection\n // -----------------------------\n const store = replayStore ?? 
new MemoryReplayStore();\n store.markExecuted(token.execution_id);\n\n // -----------------------------\n // Stage 2 — Execution (side-effect / noop)\n // -----------------------------\n stageExecute(token);\n\n // -----------------------------\n // Derive decision + execution state\n // -----------------------------\n const decision = token.decision_payload;\n\n const execution_state: \"completed\" | \"blocked\" | \"pending_override\" =\n decision.requires_override\n ? \"pending_override\"\n : decision.action === \"approve\"\n ? \"completed\"\n : \"blocked\";\n\n // -----------------------------\n // Stage 3 — Signing (attestation)\n // -----------------------------\n return stageSign(\n {\n execution_id: token.execution_id,\n decision,\n execution_state\n },\n signer,\n runtime_manifest.runtime_hash\n );\n}","import {\n canonicalizeForSigning\n} from \"./canonical-signing\";\n\nimport type {\n Verifier,\n} from \"./verifier-interface\";\n\n/** A single audit log entry with arbitrary governance fields. 
*/\nexport interface AuditEntry {\n [key: string]: unknown;\n}\n\n/**\n * Verifies that `signature` (base64 Ed25519) was produced over the canonical\n * form of `entry` by the authority whose key `verifier` holds.\n */\nexport function verifyAuditEntry(\n entry: AuditEntry,\n signature: string,\n verifier: Verifier\n): boolean {\n\n return verifier.verify(\n canonicalizeForSigning(entry),\n signature\n );\n}\n\n/**\n * Placeholder for full audit-chain integrity verification.\n * A complete implementation would re-hash every JSONL record and validate\n * the `previous_record_hash` linkage.\n *\n * @returns `true` — full chain verification is not yet implemented.\n */\nexport function verifyAuditChain(): boolean {\n return true;\n}\n\n\n\n\n","import crypto from \"crypto\";\n\nimport {\n canonicalize,\n} from \"@parmanasystems/bundle\";\n\n/**\n * The static portion of the runtime manifest (everything except `runtime_hash`).\n * Used both as the canonical source of capability declarations and as the input\n * to {@link hashRuntime}.\n */\nexport const runtimeManifestDefinition = {\n runtime_version:\n \"1.0.0\",\n\n supported_schema_versions: [\n \"1.0.0\",\n ],\n\n capabilities: [\n \"deterministic-evaluation\",\n \"attestation-signing\",\n \"replay-protection\",\n \"bundle-verification\",\n ],\n} as const;\n\n/**\n * Returns the SHA-256 hex digest of the canonicalized {@link runtimeManifestDefinition}.\n * This hash is embedded in every {@link ExecutionResult} as `runtime_hash`,\n * binding the result to a specific version of the runtime.\n */\nexport function hashRuntime(): string {\n return crypto\n .createHash(\n \"sha256\"\n )\n .update(\n canonicalize(\n runtimeManifestDefinition\n )\n )\n .digest(\n \"hex\"\n );\n}\n\n\n\n\n","import {\n hashRuntime,\n runtimeManifestDefinition,\n} from \"./hash-runtime\";\n\n/**\n * Static description of the governance runtime's identity, capabilities, and\n * supported protocol versions.\n *\n * Included in every {@link 
ExecutionResult} so verifiers can confirm the\n * runtime environment without trusting the operator. The `runtime_hash`\n * field is a deterministic SHA-256 commitment over the manifest definition,\n * binding the result to a specific runtime build.\n */\nexport interface RuntimeManifest {\n /** Semantic version of the governance runtime (e.g. `\"1.0.0\"`). */\n runtime_version: string;\n\n /** SHA-256 hex hash of the canonical runtime manifest definition. */\n runtime_hash: string;\n\n /** Schema version strings that this runtime can process. */\n supported_schema_versions: readonly string[];\n\n /** Capability strings advertised by this runtime (e.g. `\"replay-protection\"`). */\n capabilities: readonly string[];\n}\n\n/**\n * Returns the active {@link RuntimeManifest} for the current process,\n * combining the static manifest definition with a freshly computed `runtime_hash`.\n */\nexport function getRuntimeManifest(): RuntimeManifest {\n\n return {\n runtime_hash:\n hashRuntime(),\n ...runtimeManifestDefinition,\n };\n}","import {\n canonicalize,\n} from \"@parmanasystems/bundle\";\n\nimport type {\n RuntimeManifest,\n} from \"./runtime-manifest\";\n\nimport type {\n Signer,\n} from \"./signer-interface\";\n\n/**\n * Signs the canonical form of `manifest` with `signer` and returns a\n * base64-encoded Ed25519 signature. 
Use this to produce a verifiable\n * attestation that a specific runtime version was active at a given time.\n */\nexport function signRuntimeManifest(\n manifest: RuntimeManifest,\n signer: Signer\n): string {\n\n return signer.sign(\n canonicalize(manifest)\n );\n}\n\n\n\n\n","import {\n canonicalizeForSigning\n} from \"./canonical-signing\";\n\nimport type {\n RuntimeManifest,\n} from \"./runtime-manifest\";\n\nimport type {\n Verifier,\n} from \"./verifier-interface\";\n\n/**\n * Verifies that `signature` (base64 Ed25519) was produced over the canonical\n * form of `manifest` by the authority whose key `verifier` holds.\n */\nexport function verifyRuntimeManifest(\n manifest: RuntimeManifest,\n signature: string,\n verifier: Verifier\n): boolean {\n\n return verifier.verify(\n canonicalizeForSigning(manifest),\n signature\n );\n}\n\n\n\n\n","import crypto from \"crypto\";\n\nimport type {\n Signer,\n} from \"./signer-interface\";\n\n/**\n * In-process Ed25519 {@link Signer} backed by Node.js `crypto`.\n *\n * Suitable for development and environments where the private key can be\n * securely injected at process start. 
For hardware-backed or remote signing\n * see {@link AwsKmsSigner}.\n */\nexport class LocalSigner\n implements Signer {\n\n /**\n * @param privateKey - PEM-encoded Ed25519 private key (PKCS8 format).\n */\n constructor(\n private readonly privateKey: string\n ) {}\n\n /**\n * Signs `payload` (UTF-8) with the Ed25519 private key and returns a\n * base64-encoded signature.\n */\n sign(\n payload: string\n ): string {\n\n return crypto\n .sign(\n null,\n\n Buffer.from(\n payload,\n \"utf8\"\n ),\n\n this.privateKey\n )\n\n .toString(\n \"base64\"\n );\n }\n}\n\n\n\n\n","import crypto from \"crypto\";\n\nimport type {\n Verifier,\n} from \"./verifier-interface\";\n\n/**\n * In-process Ed25519 {@link Verifier} backed by Node.js `crypto`.\n *\n * Paired with {@link LocalSigner}; both must use the same Ed25519 key pair.\n */\nexport class LocalVerifier\n implements Verifier {\n\n /**\n * @param publicKey - PEM-encoded Ed25519 public key (SPKI format).\n */\n constructor(\n private readonly publicKey: string\n ) {}\n\n /**\n * Verifies that `signature` (base64 Ed25519) was produced over the UTF-8\n * `payload` by the holder of the corresponding private key.\n */\n verify(\n payload: string,\n signature: string\n ): boolean {\n\n return crypto.verify(\n null,\n\n Buffer.from(\n payload,\n \"utf8\"\n ),\n\n this.publicKey,\n\n Buffer.from(\n signature,\n \"base64\"\n )\n );\n }\n}\n\n\n\n\n","import type { DecisionResult } from \"./execution-result\";\n// -----------------------------\n// Types\n// -----------------------------\ninterface BaseCondition {\n signal: string;\n equals?: unknown;\n greater_than?: number;\n less_than?: number;\n}\n\ninterface AllCondition {\n all: RuleCondition[];\n}\n\ninterface AnyCondition {\n any: RuleCondition[];\n}\n\ntype RuleCondition =\n | BaseCondition\n | AllCondition\n | AnyCondition;\n\ninterface PolicyRule {\n id: string;\n condition: RuleCondition;\n outcome: {\n action: \"approve\" | \"reject\";\n requires_override: boolean;\n 
reason?: string;\n };\n}\n\nexport interface PolicyDocument {\n schemaVersion: string;\n signalsSchema: Record<string, unknown>;\n rules: PolicyRule[];\n}\n\n// -----------------------------\n// Rule evaluation (PURE)\n// -----------------------------\nfunction evaluateCondition(\n condition: RuleCondition,\n signals: Record<string, unknown>\n): boolean {\n\n if (\"all\" in condition) {\n return condition.all.every(c => evaluateCondition(c, signals));\n }\n\n if (\"any\" in condition) {\n return condition.any.some(c => evaluateCondition(c, signals));\n }\n\n const { signal, equals, greater_than, less_than } = condition;\n\n if (!(signal in signals)) {\n throw new Error(`Signal not found: ${signal}`);\n }\n\n const actual = signals[signal];\n\n if (equals !== undefined) {\n if (typeof actual !== typeof equals) {\n throw new Error(`Type mismatch for ${signal}`);\n }\n return actual === equals;\n }\n\n if (greater_than !== undefined) {\n if (typeof actual !== \"number\") {\n throw new Error(`Expected number for ${signal}`);\n }\n return actual > greater_than;\n }\n\n if (less_than !== undefined) {\n if (typeof actual !== \"number\") {\n throw new Error(`Expected number for ${signal}`);\n }\n return actual < less_than;\n }\n\n return false;\n}\n\n// -----------------------------\n// Schema validation\n// -----------------------------\nfunction validateSchemaVersion(policy: PolicyDocument): void {\n const supported = [\"1.0.0\"];\n\n if (!supported.includes(policy.schemaVersion)) {\n throw new Error(\n `Unsupported schema version: ${policy.schemaVersion}`\n );\n }\n}\n\n// -----------------------------\n// MAIN EVALUATOR (DETERMINISTIC)\n// -----------------------------\nexport function evaluatePolicy(\n policy: PolicyDocument,\n signals: Record<string, unknown>\n): DecisionResult {\n\n validateSchemaVersion(policy);\n\n // -----------------------------\n // Evaluate rules in order\n // -----------------------------\n for (const rule of policy.rules) {\n\n const matched 
= evaluateCondition(\n rule.condition,\n signals\n );\n\n if (matched) {\n return {\n status: \"decided\",\n outcome: rule.outcome,\n rule_id: rule.id,\n source: \"rule_match\"\n };\n }\n }\n\n // -----------------------------\n // Fail closed (no match)\n // -----------------------------\n throw new Error(\n \"[SYS-006] No rule matched — policy must cover all cases\"\n );\n}","import fs from \"fs\";\nimport path from \"path\";\n\nimport type { PolicyDocument } from \"./evaluator\";\n\nexport function loadPolicy(\n policyId: string,\n policyVersion: string,\n basePath: string = process.cwd()\n): PolicyDocument {\n\n const policyPath = path.resolve(\n basePath,\n \"policies\",\n policyId,\n policyVersion,\n \"policy.json\"\n );\n\n if (!fs.existsSync(policyPath)) {\n throw new Error(`Policy not found: ${policyPath}`);\n }\n\n const raw = fs.readFileSync(policyPath, \"utf8\");\n\n let parsed: any;\n\n try {\n parsed = JSON.parse(raw);\n } catch {\n throw new Error(\n `Invalid policy: malformed JSON in ${policyPath}`\n );\n }\n\n // -----------------------------\n // Basic validation\n // -----------------------------\n if (!parsed || typeof parsed !== \"object\") {\n throw new Error(\n `Invalid policy: expected object in ${policyPath}`\n );\n }\n\n // -----------------------------\n // STRICT schemaVersion only\n // -----------------------------\n if (!parsed.schemaVersion) {\n throw new Error(\n `Invalid policy: missing schemaVersion (camelCase only) in ${policyPath}`\n );\n }\n\n if (parsed.schema_version) {\n throw new Error(\n `Invalid policy: use schemaVersion, not schema_version in ${policyPath}`\n );\n }\n\n // -----------------------------\n // REQUIRED signalsSchema\n // -----------------------------\n if (!parsed.signalsSchema) {\n throw new Error(\n `Invalid policy: missing signalsSchema in ${policyPath}`\n );\n }\n\n if (parsed.signals_schema) {\n throw new Error(\n `Invalid policy: use signalsSchema, not signals_schema in ${policyPath}`\n );\n }\n\n 
return parsed as PolicyDocument;\n}","type SignalType =\n | \"boolean\"\n | \"integer\"\n | \"string\"\n | \"enum\";\n\ninterface SignalDefinition {\n type: SignalType;\n values?: string[];\n required?: boolean;\n}\n\ninterface PolicySignalsSchema {\n [key: string]: SignalDefinition;\n}\n\nimport type { PolicyDocument } from \"./evaluator\";\n\nexport function validateSignalsStrict(\n signals: Record<string, unknown>,\n policy: PolicyDocument\n): void {\n\n // ✅ FIXED: correct field\n const schema = policy.signalsSchema as PolicySignalsSchema;\n\n if (!schema || typeof schema !== \"object\") {\n throw new Error(\"[VAL-001] Invalid policy: missing signals schema\");\n }\n\n if (!signals || typeof signals !== \"object\") {\n throw new Error(\"[VAL-002] Invalid input: signals must be an object\");\n }\n\n // Reject unknown signals\n for (const key of Object.keys(signals)) {\n if (!Object.prototype.hasOwnProperty.call(schema, key)) {\n throw new Error(`[VAL-003] Unknown signal: ${key}`);\n }\n }\n\n // Validate required + type\n for (const key of Object.keys(schema)) {\n\n const def = schema[key];\n const value = signals[key];\n\n const isRequired = def.required !== false;\n\n if (value === undefined) {\n if (isRequired) {\n throw new Error(`[VAL-004] Missing required signal: ${key}`);\n }\n continue;\n }\n\n if (!def?.type) {\n throw new Error(`[VAL-005] Invalid schema for signal: ${key}`);\n }\n\n switch (def.type) {\n\n case \"boolean\":\n if (typeof value !== \"boolean\") {\n throw new Error(`[VAL-006] ${key} must be boolean`);\n }\n break;\n\n case \"integer\":\n if (typeof value !== \"number\" || !Number.isInteger(value)) {\n throw new Error(`[VAL-007] ${key} must be integer`);\n }\n break;\n\n case \"string\":\n if (typeof value !== \"string\") {\n throw new Error(`[VAL-008] ${key} must be string`);\n }\n break;\n\n case \"enum\":\n if (typeof value !== \"string\") {\n throw new Error(`[VAL-009] ${key} must be enum string`);\n }\n\n if 
(!Array.isArray(def.values) || def.values.length === 0) {\n throw new Error(`[VAL-010] ${key} enum values missing`);\n }\n\n if (!def.values.includes(value)) {\n throw new Error(\n `[VAL-011] Invalid value for ${key}: ${value}`\n );\n }\n break;\n\n default:\n throw new Error(`[VAL-012] Unsupported signal type: ${def.type}`);\n }\n }\n}","import {\n evaluatePolicy,\n} from \"./evaluator\";\n\nimport {\n loadPolicy,\n} from \"./load-policy\";\n\nimport {\n validateSignalsStrict,\n} from \"./validate-signals\";\n\nimport type {\n DecisionResult\n} from \"./execution-result\";\n\n\nexport interface DryRunResult {\n policy_id: string;\n policy_version: string;\n schema_version: string;\n\n decision: DecisionResult; // ✅ FIXED (not string)\n\n rule_trace: string[];\n\n governed: false;\n dry_run: true;\n\n evaluated_at: string;\n}\n\n\nexport function evaluateDryRun(\n policyId: string,\n policyVersion: string,\n signals: Record<string, unknown>,\n governed_time = new Date().toISOString()\n): DryRunResult {\n\n // -----------------------------\n // 1. Load policy\n // -----------------------------\n const policy =\n loadPolicy(policyId, policyVersion);\n\n // -----------------------------\n // 2. Validate signals\n // -----------------------------\n validateSignalsStrict(signals, policy);\n\n // -----------------------------\n // 3. Evaluate policy\n // -----------------------------\n const decision: DecisionResult =\n evaluatePolicy(policy, signals);\n\n // -----------------------------\n // 4. 
Return dry-run result\n // -----------------------------\n return {\n policy_id: policyId,\n policy_version: policyVersion,\n schema_version: \"1.0.0\",\n\n decision, // ✅ structured\n\n rule_trace: [],\n\n governed: false,\n dry_run: true,\n\n evaluated_at: governed_time,\n };\n}","export type InvariantBoundary =\n | \"canonicalize\"\n | \"validate\"\n | \"verify\"\n | \"replay\"\n | \"execute\"\n | \"sign\";\n\nexport interface InvariantEntry {\n readonly id: string;\n readonly description: string;\n readonly boundary: InvariantBoundary | readonly InvariantBoundary[];\n}\n\n/**\n * Single source of truth for all governance invariants.\n *\n * Every invariant_id that appears in ViolationReport, source comments,\n * or test coverage maps MUST have an entry here. The CI gate\n * (scripts/ci-invariant-gate.ts) enforces this at build time.\n */\nexport const INVARIANT_REGISTRY = {\n \"INV-001\": {\n id: \"INV-001\",\n description: \"Canonical serialization produces identical bytes for identical inputs\",\n boundary: \"canonicalize\",\n },\n \"INV-002\": {\n id: \"INV-002\",\n description: \"Input payload must be structurally valid\",\n boundary: \"validate\",\n },\n \"INV-003\": {\n id: \"INV-003\",\n description: \"Execution token signature must be cryptographically valid\",\n boundary: \"verify\",\n },\n \"INV-004\": {\n id: \"INV-004\",\n description: \"Execution time is injected deterministically — no wall-clock reads inside the execution scope\",\n boundary: [\"canonicalize\", \"execute\"] as readonly InvariantBoundary[],\n },\n \"INV-005\": {\n id: \"INV-005\",\n description: \"Runtime version must be in the set of supported runtime versions\",\n boundary: \"verify\",\n },\n \"INV-006\": {\n id: \"INV-006\",\n description: \"Schema version 1.0.0 must be supported by both runtime manifest and requirements\",\n boundary: \"verify\",\n },\n \"INV-007\": {\n id: \"INV-007\",\n description: \"Execution token must not be expired at governed_time\",\n boundary: 
\"verify\",\n },\n \"INV-008\": {\n id: \"INV-008\",\n description: \"The governed field is always in signature scope and equals literal true\",\n boundary: \"sign\",\n },\n \"INV-009\": {\n id: \"INV-009\",\n description: \"Signals hash must be a non-empty string binding execution to specific inputs\",\n boundary: \"validate\",\n },\n \"INV-010\": {\n id: \"INV-010\",\n description: \"Policy ID and policy version must be non-empty strings\",\n boundary: \"validate\",\n },\n \"INV-011\": {\n id: \"INV-011\",\n description: \"All required runtime capabilities must be present in the runtime manifest\",\n boundary: \"verify\",\n },\n \"INV-013\": {\n id: \"INV-013\",\n description: \"Replay protection is always enforced — execution_id is single-use and non-configurable\",\n boundary: \"replay\",\n },\n \"INV-014\": {\n id: \"INV-014\",\n description: \"governed literal true structurally distinguishes ExecutionResult from DryRunResult\",\n boundary: \"execute\",\n },\n \"INV-015\": {\n id: \"INV-015\",\n description: \"Audit record must be written before attestation is issued\",\n boundary: \"execute\",\n },\n \"INV-016\": {\n id: \"INV-016\",\n description: \"Audit records are linearizable via SHA-256 hash chain\",\n boundary: \"execute\",\n },\n \"INV-017\": {\n id: \"INV-017\",\n description: \"Any verification failure causes fail-closed execution — no partial results\",\n boundary: [\"verify\", \"replay\", \"execute\"] as readonly InvariantBoundary[],\n },\n \"INV-020\": {\n id: \"INV-020\",\n description: \"Runtime capability declarations are truthful and non-negotiable\",\n boundary: \"verify\",\n },\n \"INV-022\": {\n id: \"INV-022\",\n description: \"Every policy decision is derivable from the policy document and input signals\",\n boundary: \"execute\",\n },\n \"INV-024\": {\n id: \"INV-024\",\n description: \"Decision values are semantically unambiguous strings\",\n boundary: \"execute\",\n },\n \"INV-025\": {\n id: \"INV-025\",\n description: \"Schema 
version and runtime version are present in every ExecutionResult\",\n boundary: \"execute\",\n },\n \"INV-030\": {\n id: \"INV-030\",\n description: \"Every attestation contains a runtime_hash binding it to a specific runtime version\",\n boundary: \"execute\",\n },\n \"INV-031\": {\n id: \"INV-031\",\n description: \"Runtime manifest declares explicit supported_schema_versions and runtime_version\",\n boundary: \"verify\",\n },\n \"INV-033\": {\n id: \"INV-033\",\n description: \"Governance properties (replay, audit, attestation) are structurally enforced — not configurable\",\n boundary: \"execute\",\n },\n \"INV-034\": {\n id: \"INV-034\",\n description: \"Any verifier holding the correct public key can independently verify an attestation\",\n boundary: \"sign\",\n },\n \"INV-035\": {\n id: \"INV-035\",\n description: \"Verification is reproducible: same attestation + key produces identical outcome\",\n boundary: \"sign\",\n },\n \"INV-037\": {\n id: \"INV-037\",\n description: \"Signatures from different authority keys do not cross-verify — signing domains are isolated\",\n boundary: \"sign\",\n },\n \"INV-038\": {\n id: \"INV-038\",\n description: \"Cross-key verification failures are consistent: wrong-key always returns false\",\n boundary: \"sign\",\n },\n \"INV-040\": {\n id: \"INV-040\",\n description: \"AI output and governance enforcement are strictly separated — no AI field in execution scope\",\n boundary: \"validate\",\n },\n \"INV-041\": {\n id: \"INV-041\",\n description: \"Governance boundary is explicit: runtime manifest must declare runtime_version\",\n boundary: \"verify\",\n },\n \"INV-047\": {\n id: \"INV-047\",\n description: \"Canonical serialization uses explicit UTF-8 encoding\",\n boundary: \"canonicalize\",\n },\n \"INV-048\": {\n id: \"INV-048\",\n description: \"Unicode normalization is stable across canonicalization calls\",\n boundary: \"canonicalize\",\n },\n \"INV-049\": {\n id: \"INV-049\",\n description: \"Canonical JSON sorts 
object keys recursively and preserves array order\",\n boundary: \"canonicalize\",\n },\n \"INV-050\": {\n id: \"INV-050\",\n description: \"Duplicate JSON keys must not appear in governance payloads (gap: documented)\",\n boundary: \"canonicalize\",\n },\n \"INV-051\": {\n id: \"INV-051\",\n description: \"Numeric values canonicalize identically regardless of trailing zeros\",\n boundary: \"canonicalize\",\n },\n \"INV-052\": {\n id: \"INV-052\",\n description: \"Object insertion order does not affect canonical form or content-address hash\",\n boundary: \"canonicalize\",\n },\n \"INV-053\": {\n id: \"INV-053\",\n description: \"Array element order is preserved through canonicalization\",\n boundary: \"canonicalize\",\n },\n \"INV-054\": {\n id: \"INV-054\",\n description: \"JSON type closure: NaN and Infinity serialize to null; undefined fields are omitted\",\n boundary: \"canonicalize\",\n },\n \"INV-057\": {\n id: \"INV-057\",\n description: \"Content-address (SHA-256) is stable for identical content across calls\",\n boundary: \"canonicalize\",\n },\n \"INV-059\": {\n id: \"INV-059\",\n description: \"Replay domain is explicit: every execution_id in the store was consumed by a real execution\",\n boundary: \"replay\",\n },\n \"INV-060\": {\n id: \"INV-060\",\n description: \"Attestation verification is idempotent: same inputs always produce identical results\",\n boundary: \"sign\",\n },\n \"INV-061\": {\n id: \"INV-061\",\n description: \"Runtime capability declarations are immutable after build\",\n boundary: \"verify\",\n },\n \"INV-072\": {\n id: \"INV-072\",\n description: \"Dry-run path produces no side effects: no replay store write, no audit record, no signature\",\n boundary: \"execute\",\n },\n \"INV-073\": {\n id: \"INV-073\",\n description: \"Canonical evaluation source files contain no network calls\",\n boundary: \"execute\",\n },\n \"INV-074\": {\n id: \"INV-074\",\n description: \"Every governed executeDecision call produces exactly one audit 
record\",\n boundary: \"execute\",\n },\n \"INV-075\": {\n id: \"INV-075\",\n description: \"Execution IDs (UUIDv4) are unique per issuance — governance identity is non-reusable\",\n boundary: \"execute\",\n },\n \"INV-077\": {\n id: \"INV-077\",\n description: \"All failure modes are deterministic: same invalid input always produces the same error\",\n boundary: [\"verify\", \"replay\", \"execute\"] as readonly InvariantBoundary[],\n },\n \"INV-078\": {\n id: \"INV-078\",\n description: \"Operational metadata fields must not contaminate deterministic signing scope\",\n boundary: \"validate\",\n },\n \"INV-080\": {\n id: \"INV-080\",\n description: \"Unsupported schema and runtime versions fail explicitly with a descriptive error\",\n boundary: \"verify\",\n },\n \"META-001\": {\n id: \"META-001\",\n description: \"Every governed execution produces a signed, independently verifiable attestation\",\n boundary: \"sign\",\n },\n \"META-004\": {\n id: \"META-004\",\n description: \"Invariant violations always fail closed — no partial results are emitted on violation\",\n boundary: [\"verify\", \"replay\", \"execute\", \"sign\"] as readonly InvariantBoundary[],\n },\n} as const satisfies Record<string, InvariantEntry>;\n\nexport type InvariantId = keyof typeof INVARIANT_REGISTRY;\n","import crypto from \"crypto\";\n\n/**\n * Structured report emitted when a governance invariant is violated.\n *\n * Fields:\n * invariant_id — the invariant from INVARIANT_REGISTRY that was breached\n * boundary — pipeline stage where the violation was detected\n * reason — human-readable explanation of what failed\n * input_hash — SHA-256 of the canonical form of the input that triggered the violation\n * timestamp_seq — monotonically increasing sequence number within the process lifetime\n */\nexport interface ViolationReport {\n readonly invariant_id: string;\n readonly boundary: string;\n readonly reason: string;\n readonly input_hash: string;\n readonly timestamp_seq: 
number;\n}\n\nlet _seq = 0;\n\n/**\n * Thrown by every pipeline stage boundary when a governance invariant is violated.\n *\n * Carries a structured ViolationReport so downstream consumers can distinguish\n * invariant violations from unexpected runtime errors without string parsing.\n */\nexport class InvariantViolation extends Error {\n readonly report: ViolationReport;\n\n constructor(report: ViolationReport) {\n super(`[${report.invariant_id}@${report.boundary}] ${report.reason}`);\n this.name = \"InvariantViolation\";\n this.report = report;\n }\n}\n\n/**\n * Computes the SHA-256 hex digest of `value` for use as `input_hash` in a ViolationReport.\n * Accepts a string (used as-is) or any value (JSON-stringified before hashing).\n */\nexport function hashInput(value: unknown): string {\n const bytes =\n typeof value === \"string\"\n ? value\n : JSON.stringify(value) ?? \"\";\n\n return crypto\n .createHash(\"sha256\")\n .update(bytes, \"utf8\")\n .digest(\"hex\");\n}\n\n/**\n * Constructs and throws an InvariantViolation.\n * Never returns — the return type `never` enforces this at compile time.\n *\n * @param invariant_id - ID from INVARIANT_REGISTRY\n * @param boundary - Pipeline stage name\n * @param reason - Human-readable reason (must contain the legacy message substring for test compat)\n * @param input - The input that triggered the violation (hashed automatically)\n */\nexport function violate(\n invariant_id: string,\n boundary: string,\n reason: string,\n input: unknown\n): never {\n throw new InvariantViolation({\n invariant_id,\n boundary,\n reason,\n input_hash: hashInput(input),\n timestamp_seq: ++_seq,\n });\n}\n","/**\n * Sealed Execution VM — determinism enforcement for the governance execution scope.\n *\n * The execution stage (execute.ts, pipeline.ts) is forbidden from accessing:\n * - Date.now() — non-deterministic wall clock\n * - Math.random() — non-deterministic PRNG\n * - fs / network IO — external state that varies across environments\n 
*\n * Time is injected explicitly via governed_time in ExecutionContext.\n * The CI gate (scripts/ci-invariant-gate.ts) enforces these constraints statically.\n *\n * This module provides:\n * - governingTime() — derives execution time from injected governed_time or falls\n * back to the system clock (only acceptable outside execute.ts)\n * - FORBIDDEN_GLOBALS — the list of globals that must not appear in execution-scope files\n */\n\n/** Globals forbidden inside the sealed execution scope. */\nexport const FORBIDDEN_GLOBALS = [\n \"Date.now\",\n \"Math.random\",\n] as const;\n\n/**\n * Files in the execution package whose source must not reference FORBIDDEN_GLOBALS.\n * Enforced by the CI gate.\n */\nexport const SEALED_SCOPE_FILES = [\n \"packages/execution/src/execute.ts\",\n \"packages/execution/src/pipeline.ts\",\n \"packages/execution/src/canonical-signing.ts\",\n \"packages/bundle/src/canonicalize.ts\",\n \"packages/bundle/src/hash.ts\",\n] as const;\n\n/**\n * Returns the governing time for an execution.\n *\n * When `provided` is a non-empty ISO 8601 string it is returned as-is,\n * preserving determinism. 
When `provided` is absent or empty the current\n * system time is used — this fallback is intentionally limited to\n * non-execution-scope callers (audit.ts, dry-run.ts, tests).\n *\n * MUST NOT be called from execute.ts or pipeline.ts — those files must\n * receive governed_time from their caller and pass it through explicitly.\n */\nexport function governingTime(provided?: string): string {\n if (provided && provided.length > 0) {\n return provided;\n }\n return new Date().toISOString();\n}\n","import * as crypto from \"crypto\";\n\nimport { evaluatePolicy } from \"./evaluator\";\nimport { loadPolicy } from \"./load-policy\";\nimport { validateSignalsStrict } from \"./validate-signals\";\nimport { issueToken } from \"./issue-token\";\nimport { signExecutionToken } from \"./sign-token\";\nimport { getRuntimeManifest } from \"./runtime-manifest\";\nimport { executeWithRedis } from \"./execute-with-redis\";\nimport { canonicalize } from \"./canonical-json\";\n\nimport type { Signer } from \"./signer-interface\";\nimport type { Verifier } from \"./verifier-interface\";\nimport type { AsyncReplayStore } from \"./async-replay-store-interface\";\nimport type { DecisionResult } from \"./execution-result\";\n\nexport async function executeFromSignals(\n input: {\n policyId: string;\n policyVersion: string;\n signals: Record<string, unknown>;\n metadata?: Record<string, unknown>;\n },\n signer: Signer,\n verifier: Verifier,\n replayStore: AsyncReplayStore & {\n get?: (key: string) => Promise<string | null>;\n set?: (key: string, value: string) => Promise<void>;\n del?: (key: string) => Promise<void>;\n }\n) {\n try {\n\n // -----------------------------\n // 1. Load policy\n // -----------------------------\n const policy = loadPolicy(\n input.policyId,\n input.policyVersion\n );\n\n // -----------------------------\n // 2. Validate signals\n // -----------------------------\n validateSignalsStrict(input.signals, policy);\n\n // -----------------------------\n // 3. 
Evaluate policy\n // -----------------------------\n const decision: DecisionResult =\n evaluatePolicy(policy, input.signals);\n\n // -----------------------------\n // 4. Enforce invariants\n // -----------------------------\n if (decision.status !== \"decided\" || !decision.outcome) {\n throw new Error(\n \"[SYS-004] Invalid policy: execution must resolve to decided\"\n );\n }\n\n if (!decision.rule_id) {\n throw new Error(\n \"[SYS-005] Invalid decision: rule_id required\"\n );\n }\n\n // -----------------------------\n // 5. Canonical signals\n // -----------------------------\n const canonicalSignals = canonicalize(input.signals);\n\n // -----------------------------\n // 6. Deterministic execution_id\n // -----------------------------\n const executionId = crypto\n .createHash(\"sha256\")\n .update(\n JSON.stringify({\n policyId: input.policyId,\n policyVersion: input.policyVersion,\n signals: canonicalSignals\n })\n )\n .digest(\"hex\");\n\n // -----------------------------\n // 7. Runtime manifest\n // -----------------------------\n const runtimeManifest = getRuntimeManifest();\n\n // -----------------------------\n // 8. Issue token\n // -----------------------------\n const token = issueToken({\n execution_id: executionId,\n policy_id: input.policyId,\n decision_payload: decision.outcome,\n schema_version: policy.schemaVersion,\n runtime_version: runtimeManifest.runtime_version\n });\n\n const tokenSignature =\n signExecutionToken(token, signer);\n\n // -----------------------------\n // 9. Runtime requirements\n // -----------------------------\n const runtimeRequirements = {\n required_capabilities: [],\n supported_runtime_versions: [\n runtimeManifest.runtime_version\n ],\n supported_schema_versions: [\n policy.schemaVersion\n ]\n };\n\n // -----------------------------\n // 10. 
Resolve execution state\n // -----------------------------\n const action = decision.outcome.action;\n const requiresOverride = decision.outcome.requires_override;\n\n let execution_state: \"completed\" | \"blocked\" | \"pending_override\";\n\n if (requiresOverride) {\n execution_state = \"pending_override\";\n } else {\n execution_state =\n action === \"approve\" ? \"completed\" : \"blocked\";\n }\n\n // -----------------------------\n // 11. Handle pending_override\n // -----------------------------\n if (execution_state === \"pending_override\") {\n\n if (!replayStore.set) {\n throw new Error(\n \"[SYS-020] Store does not support pending execution storage\"\n );\n }\n\n await replayStore.set(\n `pending:${executionId}`,\n JSON.stringify({\n token,\n token_signature: tokenSignature,\n runtime_manifest: runtimeManifest,\n runtime_requirements: runtimeRequirements\n })\n );\n\n return {\n status: \"pending_override\" as const,\n execution_id: executionId,\n decision,\n requires_override: true\n };\n }\n\n // -----------------------------\n // 12. Execute\n // -----------------------------\n let execution;\n\n try {\n execution = await executeWithRedis(\n {\n token,\n token_signature: tokenSignature,\n signer,\n verifier,\n runtime_manifest: runtimeManifest,\n runtime_requirements: runtimeRequirements\n },\n replayStore\n );\n\n } catch (err) {\n\n const message =\n err instanceof Error ? 
err.message : \"Unknown error\";\n\n // ✅ FINAL FIX: replay = idempotent success\n if (message.includes(\"Replay attack detected\")) {\n return {\n status: \"success\" as const,\n execution_id: executionId,\n decision,\n execution_state,\n requires_override: false,\n replay: true\n };\n }\n\n throw err;\n }\n\n // -----------------------------\n // SUCCESS\n // -----------------------------\n return {\n status: \"success\" as const,\n execution_id: executionId,\n decision,\n execution_state,\n requires_override: false,\n signature: execution.signature\n };\n\n } catch (err: unknown) {\n\n return {\n status: \"error\" as const,\n error: err instanceof Error ? err.message : \"Unknown error\"\n };\n }\n}","import type { ExecutionContext } from \"./execution-context\";\nimport type { ExecutionAttestation } from \"./execution-attestation\";\nimport type { AsyncReplayStore } from \"./async-replay-store-interface\";\n\nimport { MemoryReplayStore } from \"./memory-replay-store\";\nimport { executeDecision } from \"./execute\";\n\n/**\n * 🟢 ASYNC ADAPTER\n * Handles Redis, keeps core pure\n */\nexport async function executeWithRedis(\n context: ExecutionContext,\n redisStore: AsyncReplayStore\n): Promise<ExecutionAttestation> {\n\n // Distributed replay protection\n await redisStore.markExecuted(\n context.token.execution_id\n );\n\n // Deterministic execution (sync core)\n const memoryStore = new MemoryReplayStore();\n\n return executeDecision(context, memoryStore);\n}","export function canonicalize(value: any): string {\n return JSON.stringify(sortValue(value));\n}\n\nfunction sortValue(value: any): any {\n if (Array.isArray(value)) {\n return value.map(sortValue);\n }\n\n if (value && typeof value === \"object\") {\n const sorted: Record<string, any> = {};\n\n for (const key of Object.keys(value).sort()) {\n sorted[key] = sortValue(value[key]);\n }\n\n return sorted;\n }\n\n return value;\n}","import {\n executeFromSignals,\n} from \"./execute-from-signals\";\n\nimport 
type {\n Signer,\n} from \"./signer-interface\";\n\nimport type {\n Verifier,\n} from \"./verifier-interface\";\n\nimport type {\n AsyncReplayStore,\n} from \"./async-replay-store-interface\";\n\n\n/**\n * Executes multiple records sequentially.\n *\n * Each record is processed independently.\n * Errors are captured per-record (fail-isolated).\n */\nexport async function executeBatch(\n records: Array<{\n policyId: string;\n policyVersion: string;\n signals: Record<string, unknown>;\n governed_time: string;\n }>,\n signer: Signer,\n verifier: Verifier,\n replayStore: AsyncReplayStore\n) {\n\n const outputs = [];\n\n for (const record of records) {\n\n try {\n\n const output =\n await executeFromSignals(\n record,\n signer,\n verifier,\n replayStore\n );\n\n outputs.push({\n input: record,\n output\n });\n\n } catch (err: unknown) {\n\n outputs.push({\n input: record,\n output: {\n status: \"error\",\n error:\n err instanceof Error\n ? err.message\n : \"Unknown error\"\n }\n });\n\n }\n }\n\n return outputs;\n}","import Redis from \"ioredis\";\nimport type { AsyncReplayStore } from \"./async-replay-store-interface\";\n\nexport class RedisReplayStore implements AsyncReplayStore {\n\n private client: Redis;\n\n constructor(url: string) {\n this.client = new Redis(url);\n }\n\n // -----------------------------\n // Replay protection\n // -----------------------------\n async hasExecuted(executionId: string): Promise<boolean> {\n const res = await this.client.exists(`exec:${executionId}`);\n return res === 1;\n }\n\n async markExecuted(executionId: string): Promise<void> {\n const result = await this.client.set(\n `exec:${executionId}`,\n \"1\",\n \"NX\"\n );\n\n if (result !== \"OK\") {\n throw new Error(\n `[INV-013@replay] Replay detected: execution_id ${executionId} has already been consumed`\n );\n }\n }\n\n // -----------------------------\n // KV storage (for override)\n // -----------------------------\n async get(key: string): Promise<string | null> {\n return 
this.client.get(key);\n }\n\n async set(key: string, value: string): Promise<void> {\n await this.client.set(key, value);\n }\n\n async del(key: string): Promise<void> {\n await this.client.del(key);\n }\n\n async close(): Promise<void> {\n await this.client.quit();\n }\n}","import { executeWithRedis } from \"./execute-with-redis\";\n\nimport type { AsyncReplayStore } from \"./async-replay-store-interface\";\nimport type { Signer } from \"./signer-interface\";\nimport type { Verifier } from \"./verifier-interface\";\n\nexport async function resolveOverride(\n executionId: string,\n replayStore: AsyncReplayStore & {\n get: (key: string) => Promise<string | null>;\n del: (key: string) => Promise<void>;\n },\n signer: Signer,\n verifier: Verifier\n) {\n // -----------------------------\n // 1. Load pending execution\n // -----------------------------\n const raw = await replayStore.get(`pending:${executionId}`);\n\n if (!raw) {\n throw new Error(\n `[SYS-021] No pending execution found for ${executionId}`\n );\n }\n\n const stored = JSON.parse(raw);\n\n // -----------------------------\n // 2. Execute (same token)\n // -----------------------------\n const execution = await executeWithRedis(\n {\n token: stored.token,\n token_signature: stored.token_signature,\n signer,\n verifier,\n runtime_manifest: stored.runtime_manifest,\n runtime_requirements: stored.runtime_requirements\n },\n replayStore\n );\n\n // -----------------------------\n // 3. Remove pending state\n // -----------------------------\n await replayStore.del(`pending:${executionId}`);\n\n // -----------------------------\n // 4. 
Return result\n // -----------------------------\n return {\n status: \"success\" as const,\n execution_id: executionId,\n signature: execution.signature,\n resolved: true\n };\n}"],"mappings":";AAMO,SAAS,WAAW,OAMR;AAEjB,QAAM;AAAA,IACJ;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,EACF,IAAI;AAEJ,MAAI,CAAC,gBAAgB;AACnB,UAAM,IAAI,MAAM,uCAAuC;AAAA,EACzD;AAEA,MAAI,CAAC,iBAAiB;AACpB,UAAM,IAAI,MAAM,wCAAwC;AAAA,EAC1D;AAEA,QAAM,QAAwB;AAAA,IAC5B;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,EACF;AAEA,SAAO,aAAa,KAAK;AAC3B;AAKA,SAAS,aAAa,KAAe;AACnC,MAAI,MAAM,QAAQ,GAAG,GAAG;AACtB,WAAO,IAAI,IAAI,YAAY;AAAA,EAC7B;AAEA,MAAI,QAAQ,QAAQ,OAAO,QAAQ,UAAU;AAC3C,WAAO,OAAO,KAAK,GAAG,EACnB,KAAK,EACL,OAAO,CAAC,KAAU,QAAQ;AACzB,UAAI,GAAG,IAAI,aAAa,IAAI,GAAG,CAAC;AAChC,aAAO;AAAA,IACT,GAAG,CAAC,CAAC;AAAA,EACT;AAEA,SAAO;AACT;;;AC3DA;AAAA,EACE,gBAAAA;AAAA,OACK;AAOA,SAAS,uBACd,OACQ;AAER,SAAOA,cAAa,KAAK;AAC3B;;;ACEO,SAAS,mBACd,OACA,QACQ;AAER,QAAM,YAAY,uBAAuB,KAAK;AAGhD,UAAQ,IAAI,eAAe,SAAS;AAElC,SAAO,OAAO,KAAK,SAAS;AAC9B;;;ACfO,SAAS,qBACd,OACA,WACA,UACS;AAET,QAAM,YAAY,uBAAuB,KAAK;AAG9C,UAAQ,IAAI,iBAAiB,SAAS;AAEtC,SAAO,SAAS;AAAA,IACd;AAAA,IACA;AAAA,EACF;AACF;;;AC3BA;AAAA,EACE;AAAA,OACK;AAQA,SAAS,oBACd,UACM;AACN,QAAM,QACJ;AAAA,IACE;AAAA,EACF;AAEF,MAAI,CAAC,OAAO;AACV,UAAM,IAAI;AAAA,MACR,2CAA2C,QAAQ;AAAA,IACrD;AAAA,EACF;AACF;;;AChBO,SAAS,YACd,OACA,iBACA,UACA,kBACA,sBACM;AAEN,QAAM,QAAQ,SAAS;AAAA,IACrB,OAAO,KAAK,uBAAuB,KAAK,CAAC;AAAA,IACzC,OAAO,KAAK,iBAAiB,QAAQ;AAAA,EACvC;AAEA,MAAI,CAAC,OAAO;AACV,UAAM,IAAI,MAAM,yBAAyB;AAAA,EAC3C;AAEA,MACE,CAAC,sBAAsB,8BACvB,CAAC,qBAAqB,2BAA2B;AAAA,IAC/C,iBAAiB;AAAA,EACnB,GACA;AACA,UAAM,IAAI,MAAM,6BAA6B;AAAA,EAC/C;AAEA,aAAW,OAAO,sBAAsB,yBAAyB,CAAC,GAAG;AACnE,QAAI,CAAC,iBAAiB,aAAa,SAAS,GAAG,GAAG;AAChD,YAAM,IAAI,MAAM,gCAAgC,GAAG,EAAE;AAAA,IACvD;AAAA,EACF;AAEA,MACE,CAAC,sBAAsB,6BACvB,CAAC,qBAAqB,0BAA0B;AAAA,IAC9C,MAAM;AAAA,EACR,GACA;AACA,UAAM,IAAI,MAAM,4BAA4B;AAAA,EAC9C;AACF;AAKO,SAAS,aACd,OACM;AAGR;AAKO,SAAS,UACd,SASA,QACA,cACA;AAEA,QAAM,UAAU,OAAO;AAAA,IACrB,KAAK,UAAU;AAAA,MACb,
cAAc,QAAQ;AAAA,MACtB,UAAU,QAAQ;AAAA,MAClB,iBAAiB,QAAQ;AAAA,MACzB;AAAA,IACF,CAAC;AAAA,EACH;AAEA,QAAM,YAAY,OAAO,KAAK,OAAO;AAErC,SAAO;AAAA,IACL,cAAc,QAAQ;AAAA,IACtB,UAAU,QAAQ;AAAA,IAClB,iBAAiB,QAAQ;AAAA,IACzB,WAAW,OAAO,KAAK,SAAS,EAAE,SAAS,QAAQ;AAAA,IACnD;AAAA,EACF;AACF;;;ACzFO,IAAM,oBAAN,MAA+C;AAAA,EAA/C;AACL,SAAQ,QAAQ,oBAAI,IAAY;AAAA;AAAA,EAEhC,aAAa,cAA4B;AACvC,QAAI,KAAK,MAAM,IAAI,YAAY,GAAG;AAChC,YAAM,IAAI,MAAM,wBAAwB;AAAA,IAC1C;AAEA,SAAK,MAAM,IAAI,YAAY;AAAA,EAC7B;AACF;;;ACMO,SAAS,gBACd,SACA,aACsB;AAEtB,QAAM;AAAA,IACJ;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,EACF,IAAI;AAKJ;AAAA,IACE;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,EACF;AAKA,QAAM,QAAQ,eAAe,IAAI,kBAAkB;AACnD,QAAM,aAAa,MAAM,YAAY;AAKrC,eAAa,KAAK;AAKlB,QAAM,WAAW,MAAM;AAEvB,QAAM,kBACJ,SAAS,oBACL,qBACA,SAAS,WAAW,YAClB,cACA;AAKR,SAAO;AAAA,IACL;AAAA,MACE,cAAc,MAAM;AAAA,MACpB;AAAA,MACA;AAAA,IACF;AAAA,IACA;AAAA,IACA,iBAAiB;AAAA,EACnB;AACF;;;AChEO,SAAS,iBACd,OACA,WACA,UACS;AAET,SAAO,SAAS;AAAA,IACd,uBAAuB,KAAK;AAAA,IAC5B;AAAA,EACF;AACF;AASO,SAAS,mBAA4B;AAC1C,SAAO;AACT;;;ACtCA,OAAO,YAAY;AAEnB;AAAA,EACE,gBAAAC;AAAA,OACK;AAOA,IAAM,4BAA4B;AAAA,EACvC,iBACE;AAAA,EAEF,2BAA2B;AAAA,IACzB;AAAA,EACF;AAAA,EAEA,cAAc;AAAA,IACZ;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,EACF;AACF;AAOO,SAAS,cAAsB;AACpC,SAAO,OACJ;AAAA,IACC;AAAA,EACF,EACC;AAAA,IACCA;AAAA,MACE;AAAA,IACF;AAAA,EACF,EACC;AAAA,IACC;AAAA,EACF;AACJ;;;ACbO,SAAS,qBAAsC;AAEpD,SAAO;AAAA,IACL,cACE,YAAY;AAAA,IACd,GAAG;AAAA,EACL;AACF;;;ACvCA;AAAA,EACE,gBAAAC;AAAA,OACK;AAeA,SAAS,oBACd,UACA,QACQ;AAER,SAAO,OAAO;AAAA,IACZA,cAAa,QAAQ;AAAA,EACvB;AACF;;;ACTO,SAAS,sBACd,UACA,WACA,UACS;AAET,SAAO,SAAS;AAAA,IACd,uBAAuB,QAAQ;AAAA,IAC/B;AAAA,EACF;AACF;;;AC1BA,OAAOC,aAAY;AAaZ,IAAM,cAAN,MACa;AAAA;AAAA;AAAA;AAAA,EAKlB,YACmB,YACjB;AADiB;AAAA,EAChB;AAAA;AAAA;AAAA;AAAA;AAAA,EAMH,KACE,SACQ;AAER,WAAOA,QACJ;AAAA,MACC;AAAA,MAEA,OAAO;AAAA,QACL;AAAA,QACA;AAAA,MACF;AAAA,MAEA,KAAK;AAAA,IACP,EAEC;AAAA,MACC;AAAA,IACF;AAAA,EACJ;AACF;;;AC/CA,OAAOC,aAAY;AAWZ,IAAM,gBAAN,MACe;AAAA;AAAA;AAAA;AAAA,EAKpB,YACmB,WA
CjB;AADiB;AAAA,EAChB;AAAA;AAAA;AAAA;AAAA;AAAA,EAMH,OACE,SACA,WACS;AAET,WAAOA,QAAO;AAAA,MACZ;AAAA,MAEA,OAAO;AAAA,QACL;AAAA,QACA;AAAA,MACF;AAAA,MAEA,KAAK;AAAA,MAEL,OAAO;AAAA,QACL;AAAA,QACA;AAAA,MACF;AAAA,IACF;AAAA,EACF;AACF;;;ACHA,SAAS,kBACP,WACA,SACS;AAET,MAAI,SAAS,WAAW;AACtB,WAAO,UAAU,IAAI,MAAM,OAAK,kBAAkB,GAAG,OAAO,CAAC;AAAA,EAC/D;AAEA,MAAI,SAAS,WAAW;AACtB,WAAO,UAAU,IAAI,KAAK,OAAK,kBAAkB,GAAG,OAAO,CAAC;AAAA,EAC9D;AAEA,QAAM,EAAE,QAAQ,QAAQ,cAAc,UAAU,IAAI;AAEpD,MAAI,EAAE,UAAU,UAAU;AACxB,UAAM,IAAI,MAAM,qBAAqB,MAAM,EAAE;AAAA,EAC/C;AAEA,QAAM,SAAS,QAAQ,MAAM;AAE7B,MAAI,WAAW,QAAW;AACxB,QAAI,OAAO,WAAW,OAAO,QAAQ;AACnC,YAAM,IAAI,MAAM,qBAAqB,MAAM,EAAE;AAAA,IAC/C;AACA,WAAO,WAAW;AAAA,EACpB;AAEA,MAAI,iBAAiB,QAAW;AAC9B,QAAI,OAAO,WAAW,UAAU;AAC9B,YAAM,IAAI,MAAM,uBAAuB,MAAM,EAAE;AAAA,IACjD;AACA,WAAO,SAAS;AAAA,EAClB;AAEA,MAAI,cAAc,QAAW;AAC3B,QAAI,OAAO,WAAW,UAAU;AAC9B,YAAM,IAAI,MAAM,uBAAuB,MAAM,EAAE;AAAA,IACjD;AACA,WAAO,SAAS;AAAA,EAClB;AAEA,SAAO;AACT;AAKA,SAAS,sBAAsB,QAA8B;AAC3D,QAAM,YAAY,CAAC,OAAO;AAE1B,MAAI,CAAC,UAAU,SAAS,OAAO,aAAa,GAAG;AAC7C,UAAM,IAAI;AAAA,MACR,+BAA+B,OAAO,aAAa;AAAA,IACrD;AAAA,EACF;AACF;AAKO,SAAS,eACd,QACA,SACgB;AAEhB,wBAAsB,MAAM;AAK5B,aAAW,QAAQ,OAAO,OAAO;AAE/B,UAAM,UAAU;AAAA,MACd,KAAK;AAAA,MACL;AAAA,IACF;AAEA,QAAI,SAAS;AACX,aAAO;AAAA,QACL,QAAQ;AAAA,QACR,SAAS,KAAK;AAAA,QACd,SAAS,KAAK;AAAA,QACd,QAAQ;AAAA,MACV;AAAA,IACF;AAAA,EACF;AAKA,QAAM,IAAI;AAAA,IACR;AAAA,EACF;AACF;;;ACzIA,OAAO,QAAQ;AACf,OAAO,UAAU;AAIV,SAAS,WACd,UACA,eACA,WAAmB,QAAQ,IAAI,GACf;AAEhB,QAAM,aAAa,KAAK;AAAA,IACtB;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,EACF;AAEA,MAAI,CAAC,GAAG,WAAW,UAAU,GAAG;AAC9B,UAAM,IAAI,MAAM,qBAAqB,UAAU,EAAE;AAAA,EACnD;AAEA,QAAM,MAAM,GAAG,aAAa,YAAY,MAAM;AAE9C,MAAI;AAEJ,MAAI;AACF,aAAS,KAAK,MAAM,GAAG;AAAA,EACzB,QAAQ;AACN,UAAM,IAAI;AAAA,MACR,qCAAqC,UAAU;AAAA,IACjD;AAAA,EACF;AAKA,MAAI,CAAC,UAAU,OAAO,WAAW,UAAU;AACzC,UAAM,IAAI;AAAA,MACR,sCAAsC,UAAU;AAAA,IAClD;AAAA,EACF;AAKA,MAAI,CAAC,OAAO,eAAe;AACzB,UAAM,IAAI;AAAA,MACR,6DAA6D,UAAU;AAAA,IACzE;AAAA,EACF;AAEA,MAAI,OAAO,gBAAgB;AACzB,UAAM,
IAAI;AAAA,MACR,4DAA4D,UAAU;AAAA,IACxE;AAAA,EACF;AAKA,MAAI,CAAC,OAAO,eAAe;AACzB,UAAM,IAAI;AAAA,MACR,4CAA4C,UAAU;AAAA,IACxD;AAAA,EACF;AAEA,MAAI,OAAO,gBAAgB;AACzB,UAAM,IAAI;AAAA,MACR,4DAA4D,UAAU;AAAA,IACxE;AAAA,EACF;AAEA,SAAO;AACT;;;ACzDO,SAAS,sBACd,SACA,QACM;AAGN,QAAM,SAAS,OAAO;AAEtB,MAAI,CAAC,UAAU,OAAO,WAAW,UAAU;AACzC,UAAM,IAAI,MAAM,kDAAkD;AAAA,EACpE;AAEA,MAAI,CAAC,WAAW,OAAO,YAAY,UAAU;AAC3C,UAAM,IAAI,MAAM,oDAAoD;AAAA,EACtE;AAGA,aAAW,OAAO,OAAO,KAAK,OAAO,GAAG;AACtC,QAAI,CAAC,OAAO,UAAU,eAAe,KAAK,QAAQ,GAAG,GAAG;AACtD,YAAM,IAAI,MAAM,6BAA6B,GAAG,EAAE;AAAA,IACpD;AAAA,EACF;AAGA,aAAW,OAAO,OAAO,KAAK,MAAM,GAAG;AAErC,UAAM,MAAM,OAAO,GAAG;AACtB,UAAM,QAAQ,QAAQ,GAAG;AAEzB,UAAM,aAAa,IAAI,aAAa;AAEpC,QAAI,UAAU,QAAW;AACvB,UAAI,YAAY;AACd,cAAM,IAAI,MAAM,sCAAsC,GAAG,EAAE;AAAA,MAC7D;AACA;AAAA,IACF;AAEA,QAAI,CAAC,KAAK,MAAM;AACd,YAAM,IAAI,MAAM,wCAAwC,GAAG,EAAE;AAAA,IAC/D;AAEA,YAAQ,IAAI,MAAM;AAAA,MAEhB,KAAK;AACH,YAAI,OAAO,UAAU,WAAW;AAC9B,gBAAM,IAAI,MAAM,aAAa,GAAG,kBAAkB;AAAA,QACpD;AACA;AAAA,MAEF,KAAK;AACH,YAAI,OAAO,UAAU,YAAY,CAAC,OAAO,UAAU,KAAK,GAAG;AACzD,gBAAM,IAAI,MAAM,aAAa,GAAG,kBAAkB;AAAA,QACpD;AACA;AAAA,MAEF,KAAK;AACH,YAAI,OAAO,UAAU,UAAU;AAC7B,gBAAM,IAAI,MAAM,aAAa,GAAG,iBAAiB;AAAA,QACnD;AACA;AAAA,MAEF,KAAK;AACH,YAAI,OAAO,UAAU,UAAU;AAC7B,gBAAM,IAAI,MAAM,aAAa,GAAG,sBAAsB;AAAA,QACxD;AAEA,YAAI,CAAC,MAAM,QAAQ,IAAI,MAAM,KAAK,IAAI,OAAO,WAAW,GAAG;AACzD,gBAAM,IAAI,MAAM,aAAa,GAAG,sBAAsB;AAAA,QACxD;AAEA,YAAI,CAAC,IAAI,OAAO,SAAS,KAAK,GAAG;AAC/B,gBAAM,IAAI;AAAA,YACR,+BAA+B,GAAG,KAAK,KAAK;AAAA,UAC9C;AAAA,QACF;AACA;AAAA,MAEF;AACE,cAAM,IAAI,MAAM,sCAAsC,IAAI,IAAI,EAAE;AAAA,IACpE;AAAA,EACF;AACF;;;ACnEO,SAAS,eACd,UACA,eACA,SACA,iBAAgB,oBAAI,KAAK,GAAE,YAAY,GACzB;AAKd,QAAM,SACJ,WAAW,UAAU,aAAa;AAKpC,wBAAsB,SAAS,MAAM;AAKrC,QAAM,WACJ,eAAe,QAAQ,OAAO;AAKhC,SAAO;AAAA,IACL,WAAW;AAAA,IACX,gBAAgB;AAAA,IAChB,gBAAgB;AAAA,IAEhB;AAAA;AAAA,IAEA,YAAY,CAAC;AAAA,IAEb,UAAU;AAAA,IACV,SAAS;AAAA,IAET,cAAc;AAAA,EAChB;AACF;;;ACrDO,IAAM,qBAAqB;AAAA,EAChC,WAAW;AAAA,IACT,IAAI;AAAA,IACJ,aAAa;AAAA,IACb,UAAU;AAAA,EACZ;AAAA,EACA,WAAW;AAAA
,IACT,IAAI;AAAA,IACJ,aAAa;AAAA,IACb,UAAU;AAAA,EACZ;AAAA,EACA,WAAW;AAAA,IACT,IAAI;AAAA,IACJ,aAAa;AAAA,IACb,UAAU;AAAA,EACZ;AAAA,EACA,WAAW;AAAA,IACT,IAAI;AAAA,IACJ,aAAa;AAAA,IACb,UAAU,CAAC,gBAAgB,SAAS;AAAA,EACtC;AAAA,EACA,WAAW;AAAA,IACT,IAAI;AAAA,IACJ,aAAa;AAAA,IACb,UAAU;AAAA,EACZ;AAAA,EACA,WAAW;AAAA,IACT,IAAI;AAAA,IACJ,aAAa;AAAA,IACb,UAAU;AAAA,EACZ;AAAA,EACA,WAAW;AAAA,IACT,IAAI;AAAA,IACJ,aAAa;AAAA,IACb,UAAU;AAAA,EACZ;AAAA,EACA,WAAW;AAAA,IACT,IAAI;AAAA,IACJ,aAAa;AAAA,IACb,UAAU;AAAA,EACZ;AAAA,EACA,WAAW;AAAA,IACT,IAAI;AAAA,IACJ,aAAa;AAAA,IACb,UAAU;AAAA,EACZ;AAAA,EACA,WAAW;AAAA,IACT,IAAI;AAAA,IACJ,aAAa;AAAA,IACb,UAAU;AAAA,EACZ;AAAA,EACA,WAAW;AAAA,IACT,IAAI;AAAA,IACJ,aAAa;AAAA,IACb,UAAU;AAAA,EACZ;AAAA,EACA,WAAW;AAAA,IACT,IAAI;AAAA,IACJ,aAAa;AAAA,IACb,UAAU;AAAA,EACZ;AAAA,EACA,WAAW;AAAA,IACT,IAAI;AAAA,IACJ,aAAa;AAAA,IACb,UAAU;AAAA,EACZ;AAAA,EACA,WAAW;AAAA,IACT,IAAI;AAAA,IACJ,aAAa;AAAA,IACb,UAAU;AAAA,EACZ;AAAA,EACA,WAAW;AAAA,IACT,IAAI;AAAA,IACJ,aAAa;AAAA,IACb,UAAU;AAAA,EACZ;AAAA,EACA,WAAW;AAAA,IACT,IAAI;AAAA,IACJ,aAAa;AAAA,IACb,UAAU,CAAC,UAAU,UAAU,SAAS;AAAA,EAC1C;AAAA,EACA,WAAW;AAAA,IACT,IAAI;AAAA,IACJ,aAAa;AAAA,IACb,UAAU;AAAA,EACZ;AAAA,EACA,WAAW;AAAA,IACT,IAAI;AAAA,IACJ,aAAa;AAAA,IACb,UAAU;AAAA,EACZ;AAAA,EACA,WAAW;AAAA,IACT,IAAI;AAAA,IACJ,aAAa;AAAA,IACb,UAAU;AAAA,EACZ;AAAA,EACA,WAAW;AAAA,IACT,IAAI;AAAA,IACJ,aAAa;AAAA,IACb,UAAU;AAAA,EACZ;AAAA,EACA,WAAW;AAAA,IACT,IAAI;AAAA,IACJ,aAAa;AAAA,IACb,UAAU;AAAA,EACZ;AAAA,EACA,WAAW;AAAA,IACT,IAAI;AAAA,IACJ,aAAa;AAAA,IACb,UAAU;AAAA,EACZ;AAAA,EACA,WAAW;AAAA,IACT,IAAI;AAAA,IACJ,aAAa;AAAA,IACb,UAAU;AAAA,EACZ;AAAA,EACA,WAAW;AAAA,IACT,IAAI;AAAA,IACJ,aAAa;AAAA,IACb,UAAU;AAAA,EACZ;AAAA,EACA,WAAW;AAAA,IACT,IAAI;AAAA,IACJ,aAAa;AAAA,IACb,UAAU;AAAA,EACZ;AAAA,EACA,WAAW;AAAA,IACT,IAAI;AAAA,IACJ,aAAa;AAAA,IACb,UAAU;AAAA,EACZ;AAAA,EACA,WAAW;AAAA,IACT,IAAI;AAAA,IACJ,aAAa;AAAA,IACb,UAAU;AAAA,EACZ;AAAA,EACA,WAAW;AAAA,IACT,IAAI;AAAA,IACJ,aAAa;AAAA,IACb,UAAU;AAAA,EACZ;AAAA,EACA,WAAW;AAAA,IACT,IAAI;AAAA,IACJ,aAAa;AAAA,IACb,UAAU;AAAA,EACZ;AAAA,EACA,WAAW;AAAA,
IACT,IAAI;AAAA,IACJ,aAAa;AAAA,IACb,UAAU;AAAA,EACZ;AAAA,EACA,WAAW;AAAA,IACT,IAAI;AAAA,IACJ,aAAa;AAAA,IACb,UAAU;AAAA,EACZ;AAAA,EACA,WAAW;AAAA,IACT,IAAI;AAAA,IACJ,aAAa;AAAA,IACb,UAAU;AAAA,EACZ;AAAA,EACA,WAAW;AAAA,IACT,IAAI;AAAA,IACJ,aAAa;AAAA,IACb,UAAU;AAAA,EACZ;AAAA,EACA,WAAW;AAAA,IACT,IAAI;AAAA,IACJ,aAAa;AAAA,IACb,UAAU;AAAA,EACZ;AAAA,EACA,WAAW;AAAA,IACT,IAAI;AAAA,IACJ,aAAa;AAAA,IACb,UAAU;AAAA,EACZ;AAAA,EACA,WAAW;AAAA,IACT,IAAI;AAAA,IACJ,aAAa;AAAA,IACb,UAAU;AAAA,EACZ;AAAA,EACA,WAAW;AAAA,IACT,IAAI;AAAA,IACJ,aAAa;AAAA,IACb,UAAU;AAAA,EACZ;AAAA,EACA,WAAW;AAAA,IACT,IAAI;AAAA,IACJ,aAAa;AAAA,IACb,UAAU;AAAA,EACZ;AAAA,EACA,WAAW;AAAA,IACT,IAAI;AAAA,IACJ,aAAa;AAAA,IACb,UAAU;AAAA,EACZ;AAAA,EACA,WAAW;AAAA,IACT,IAAI;AAAA,IACJ,aAAa;AAAA,IACb,UAAU;AAAA,EACZ;AAAA,EACA,WAAW;AAAA,IACT,IAAI;AAAA,IACJ,aAAa;AAAA,IACb,UAAU;AAAA,EACZ;AAAA,EACA,WAAW;AAAA,IACT,IAAI;AAAA,IACJ,aAAa;AAAA,IACb,UAAU;AAAA,EACZ;AAAA,EACA,WAAW;AAAA,IACT,IAAI;AAAA,IACJ,aAAa;AAAA,IACb,UAAU;AAAA,EACZ;AAAA,EACA,WAAW;AAAA,IACT,IAAI;AAAA,IACJ,aAAa;AAAA,IACb,UAAU;AAAA,EACZ;AAAA,EACA,WAAW;AAAA,IACT,IAAI;AAAA,IACJ,aAAa;AAAA,IACb,UAAU;AAAA,EACZ;AAAA,EACA,WAAW;AAAA,IACT,IAAI;AAAA,IACJ,aAAa;AAAA,IACb,UAAU,CAAC,UAAU,UAAU,SAAS;AAAA,EAC1C;AAAA,EACA,WAAW;AAAA,IACT,IAAI;AAAA,IACJ,aAAa;AAAA,IACb,UAAU;AAAA,EACZ;AAAA,EACA,WAAW;AAAA,IACT,IAAI;AAAA,IACJ,aAAa;AAAA,IACb,UAAU;AAAA,EACZ;AAAA,EACA,YAAY;AAAA,IACV,IAAI;AAAA,IACJ,aAAa;AAAA,IACb,UAAU;AAAA,EACZ;AAAA,EACA,YAAY;AAAA,IACV,IAAI;AAAA,IACJ,aAAa;AAAA,IACb,UAAU,CAAC,UAAU,UAAU,WAAW,MAAM;AAAA,EAClD;AACF;;;AChRA,OAAOC,aAAY;AAoBnB,IAAI,OAAO;AAQJ,IAAM,qBAAN,cAAiC,MAAM;AAAA,EAG5C,YAAY,QAAyB;AACnC,UAAM,IAAI,OAAO,YAAY,IAAI,OAAO,QAAQ,KAAK,OAAO,MAAM,EAAE;AACpE,SAAK,OAAO;AACZ,SAAK,SAAS;AAAA,EAChB;AACF;AAMO,SAAS,UAAU,OAAwB;AAChD,QAAM,QACJ,OAAO,UAAU,WACb,QACA,KAAK,UAAU,KAAK,KAAK;AAE/B,SAAOA,QACJ,WAAW,QAAQ,EACnB,OAAO,OAAO,MAAM,EACpB,OAAO,KAAK;AACjB;AAWO,SAAS,QACd,cACA,UACA,QACA,OACO;AACP,QAAM,IAAI,mBAAmB;AAAA,IAC3B;AAAA,IACA;AAAA,IACA;AAAA,IACA,YAAY,UAAU,KAAK;AAAA,IAC3B,eAAe,EAAE;AAAA,EACnB,CAAC;AACH;;;A
C1DO,IAAM,oBAAoB;AAAA,EAC/B;AAAA,EACA;AACF;AAMO,IAAM,qBAAqB;AAAA,EAChC;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AACF;AAaO,SAAS,cAAc,UAA2B;AACvD,MAAI,YAAY,SAAS,SAAS,GAAG;AACnC,WAAO;AAAA,EACT;AACA,UAAO,oBAAI,KAAK,GAAE,YAAY;AAChC;;;ACnDA,YAAYC,aAAY;;;ACWxB,eAAsB,iBACpB,SACA,YAC+B;AAG/B,QAAM,WAAW;AAAA,IACf,QAAQ,MAAM;AAAA,EAChB;AAGA,QAAM,cAAc,IAAI,kBAAkB;AAE1C,SAAO,gBAAgB,SAAS,WAAW;AAC7C;;;ACzBO,SAASC,cAAa,OAAoB;AAC/C,SAAO,KAAK,UAAU,UAAU,KAAK,CAAC;AACxC;AAEA,SAAS,UAAU,OAAiB;AAClC,MAAI,MAAM,QAAQ,KAAK,GAAG;AACxB,WAAO,MAAM,IAAI,SAAS;AAAA,EAC5B;AAEA,MAAI,SAAS,OAAO,UAAU,UAAU;AACtC,UAAM,SAA8B,CAAC;AAErC,eAAW,OAAO,OAAO,KAAK,KAAK,EAAE,KAAK,GAAG;AAC3C,aAAO,GAAG,IAAI,UAAU,MAAM,GAAG,CAAC;AAAA,IACpC;AAEA,WAAO;AAAA,EACT;AAEA,SAAO;AACT;;;AFJA,eAAsB,mBACpB,OAMA,QACA,UACA,aAKA;AACA,MAAI;AAKF,UAAM,SAAS;AAAA,MACb,MAAM;AAAA,MACN,MAAM;AAAA,IACR;AAKA,0BAAsB,MAAM,SAAS,MAAM;AAK3C,UAAM,WACJ,eAAe,QAAQ,MAAM,OAAO;AAKtC,QAAI,SAAS,WAAW,aAAa,CAAC,SAAS,SAAS;AACtD,YAAM,IAAI;AAAA,QACR;AAAA,MACF;AAAA,IACF;AAEA,QAAI,CAAC,SAAS,SAAS;AACrB,YAAM,IAAI;AAAA,QACR;AAAA,MACF;AAAA,IACF;AAKA,UAAM,mBAAmBC,cAAa,MAAM,OAAO;AAKnD,UAAM,cACH,mBAAW,QAAQ,EACnB;AAAA,MACC,KAAK,UAAU;AAAA,QACb,UAAU,MAAM;AAAA,QAChB,eAAe,MAAM;AAAA,QACrB,SAAS;AAAA,MACX,CAAC;AAAA,IACH,EACC,OAAO,KAAK;AAKf,UAAM,kBAAkB,mBAAmB;AAK3C,UAAM,QAAQ,WAAW;AAAA,MACvB,cAAc;AAAA,MACd,WAAW,MAAM;AAAA,MACjB,kBAAkB,SAAS;AAAA,MAC3B,gBAAgB,OAAO;AAAA,MACvB,iBAAiB,gBAAgB;AAAA,IACnC,CAAC;AAED,UAAM,iBACJ,mBAAmB,OAAO,MAAM;AAKlC,UAAM,sBAAsB;AAAA,MAC1B,uBAAuB,CAAC;AAAA,MACxB,4BAA4B;AAAA,QAC1B,gBAAgB;AAAA,MAClB;AAAA,MACA,2BAA2B;AAAA,QACzB,OAAO;AAAA,MACT;AAAA,IACF;AAKA,UAAM,SAAS,SAAS,QAAQ;AAChC,UAAM,mBAAmB,SAAS,QAAQ;AAE1C,QAAI;AAEJ,QAAI,kBAAkB;AACpB,wBAAkB;AAAA,IACpB,OAAO;AACL,wBACE,WAAW,YAAY,cAAc;AAAA,IACzC;AAKA,QAAI,oBAAoB,oBAAoB;AAE1C,UAAI,CAAC,YAAY,KAAK;AACpB,cAAM,IAAI;AAAA,UACR;AAAA,QACF;AAAA,MACF;AAEA,YAAM,YAAY;AAAA,QAChB,WAAW,WAAW;AAAA,QACtB,KAAK,UAAU;AAAA,UACb;AAAA,UACA,iBAAiB;AAAA,UACjB,kBAAkB;AAAA,UAClB,sBAAsB;AAAA,QACxB,CAAC;AAAA,MACH;AAEA,aAAO;AAAA,QACL,QAAQ;AAAA,QACR
,cAAc;AAAA,QACd;AAAA,QACA,mBAAmB;AAAA,MACrB;AAAA,IACF;AAKA,QAAI;AAEJ,QAAI;AACF,kBAAY,MAAM;AAAA,QAChB;AAAA,UACE;AAAA,UACA,iBAAiB;AAAA,UACjB;AAAA,UACA;AAAA,UACA,kBAAkB;AAAA,UAClB,sBAAsB;AAAA,QACxB;AAAA,QACA;AAAA,MACF;AAAA,IAEF,SAAS,KAAK;AAEZ,YAAM,UACJ,eAAe,QAAQ,IAAI,UAAU;AAGvC,UAAI,QAAQ,SAAS,wBAAwB,GAAG;AAC9C,eAAO;AAAA,UACL,QAAQ;AAAA,UACR,cAAc;AAAA,UACd;AAAA,UACA;AAAA,UACA,mBAAmB;AAAA,UACnB,QAAQ;AAAA,QACV;AAAA,MACF;AAEA,YAAM;AAAA,IACR;AAKA,WAAO;AAAA,MACL,QAAQ;AAAA,MACR,cAAc;AAAA,MACd;AAAA,MACA;AAAA,MACA,mBAAmB;AAAA,MACnB,WAAW,UAAU;AAAA,IACvB;AAAA,EAEF,SAAS,KAAc;AAErB,WAAO;AAAA,MACL,QAAQ;AAAA,MACR,OAAO,eAAe,QAAQ,IAAI,UAAU;AAAA,IAC9C;AAAA,EACF;AACF;;;AGpMA,eAAsB,aACpB,SAMA,QACA,UACA,aACA;AAEA,QAAM,UAAU,CAAC;AAEjB,aAAW,UAAU,SAAS;AAE5B,QAAI;AAEF,YAAM,SACJ,MAAM;AAAA,QACJ;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,MACF;AAEF,cAAQ,KAAK;AAAA,QACX,OAAO;AAAA,QACP;AAAA,MACF,CAAC;AAAA,IAEH,SAAS,KAAc;AAErB,cAAQ,KAAK;AAAA,QACX,OAAO;AAAA,QACP,QAAQ;AAAA,UACN,QAAQ;AAAA,UACR,OACE,eAAe,QACX,IAAI,UACJ;AAAA,QACR;AAAA,MACF,CAAC;AAAA,IAEH;AAAA,EACF;AAEA,SAAO;AACT;;;ACvEA,OAAO,WAAW;AAGX,IAAM,mBAAN,MAAmD;AAAA,EAIxD,YAAY,KAAa;AACvB,SAAK,SAAS,IAAI,MAAM,GAAG;AAAA,EAC7B;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,YAAY,aAAuC;AACvD,UAAM,MAAM,MAAM,KAAK,OAAO,OAAO,QAAQ,WAAW,EAAE;AAC1D,WAAO,QAAQ;AAAA,EACjB;AAAA,EAEA,MAAM,aAAa,aAAoC;AACrD,UAAM,SAAS,MAAM,KAAK,OAAO;AAAA,MAC/B,QAAQ,WAAW;AAAA,MACnB;AAAA,MACA;AAAA,IACF;AAEA,QAAI,WAAW,MAAM;AACnB,YAAM,IAAI;AAAA,QACR,kDAAkD,WAAW;AAAA,MAC/D;AAAA,IACF;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,IAAI,KAAqC;AAC7C,WAAO,KAAK,OAAO,IAAI,GAAG;AAAA,EAC5B;AAAA,EAEA,MAAM,IAAI,KAAa,OAA8B;AACnD,UAAM,KAAK,OAAO,IAAI,KAAK,KAAK;AAAA,EAClC;AAAA,EAEA,MAAM,IAAI,KAA4B;AACpC,UAAM,KAAK,OAAO,IAAI,GAAG;AAAA,EAC3B;AAAA,EAEA,MAAM,QAAuB;AAC3B,UAAM,KAAK,OAAO,KAAK;AAAA,EACzB;AACF;;;AC7CA,eAAsB,gBACpB,aACA,aAIA,QACA,UACA;AAIA,QAAM,MAAM,MAAM,YAAY,IAAI,WAAW,WAAW,EAAE;AAE1D,MAAI,CAAC,KAAK;AACR,UAAM,IAAI;AAAA,MACR,4CAA4C,WAAW;AAAA,IACzD;AAAA,EACF;AAEA,QAAM,SAAS,KAAK,MAAM,GAAG;AAK7B,QAAM,YAAY,MAAM;AAAA,IACtB;AAAA,MACE,OAAO,
OAAO;AAAA,MACd,iBAAiB,OAAO;AAAA,MACxB;AAAA,MACA;AAAA,MACA,kBAAkB,OAAO;AAAA,MACzB,sBAAsB,OAAO;AAAA,IAC/B;AAAA,IACA;AAAA,EACF;AAKA,QAAM,YAAY,IAAI,WAAW,WAAW,EAAE;AAK9C,SAAO;AAAA,IACL,QAAQ;AAAA,IACR,cAAc;AAAA,IACd,WAAW,UAAU;AAAA,IACrB,UAAU;AAAA,EACZ;AACF;","names":["canonicalize","canonicalize","canonicalize","crypto","crypto","crypto","crypto","canonicalize","canonicalize"]}
1
+ {"version":3,"sources":["../src/issue-token.ts","../src/canonical-signing.ts","../src/sign-token.ts","../src/verify-token.ts","../src/verify-runtime.ts","../src/execution-attestation.ts","../src/pipeline.ts","../src/memory-replay-store.ts","../src/execute.ts","../src/verify-audit.ts","../src/hash-runtime.ts","../src/runtime-manifest.ts","../src/sign-runtime-manifest.ts","../src/verify-runtime-manifest.ts","../src/local-signer.ts","../src/local-verifier.ts","../src/evaluator.ts","../src/load-policy.ts","../src/validate-signals.ts","../src/dry-run.ts","../src/invariant-registry.ts","../src/violation.ts","../src/sealed-vm.ts","../src/execute-from-signals.ts","../src/execute-with-redis.ts","../src/canonical-json.ts","../src/execute-batch.ts","../src/redis-replay-store.ts","../src/resolve-override.ts"],"sourcesContent":["import type { ExecutionToken } from \"./execution-token.js\";\r\n\r\n/**\r\n * 🔐 Issue Execution Token (FINAL)\r\n * Fully deterministic — caller provides execution_id\r\n */\r\nexport function issueToken(input: {\r\n execution_id: string;\r\n policy_id: string;\r\n decision_payload: any;\r\n schema_version: string;\r\n runtime_version: string;\r\n}): ExecutionToken {\r\n\r\n const {\r\n execution_id,\r\n policy_id,\r\n decision_payload,\r\n schema_version,\r\n runtime_version\r\n } = input;\r\n\r\n if (!schema_version) {\r\n throw new Error(\"Invalid token: schema_version missing\");\r\n }\r\n\r\n if (!runtime_version) {\r\n throw new Error(\"Invalid token: runtime_version missing\");\r\n }\r\n\r\n const token: ExecutionToken = {\r\n execution_id,\r\n policy_id,\r\n decision_payload,\r\n schema_version,\r\n runtime_version\r\n };\r\n\r\n return canonicalize(token);\r\n}\r\n\r\n/**\r\n * 🔒 Local canonicalization\r\n */\r\nfunction canonicalize(obj: any): any {\r\n if (Array.isArray(obj)) {\r\n return obj.map(canonicalize);\r\n }\r\n\r\n if (obj !== null && typeof obj === \"object\") {\r\n return Object.keys(obj)\r\n .sort()\r\n .reduce((acc: any, key) 
=> {\r\n acc[key] = canonicalize(obj[key]);\r\n return acc;\r\n }, {});\r\n }\r\n\r\n return obj;\r\n}\r\n","import {\r\n canonicalize,\r\n} from \"@parmanasystems/bundle\";\r\n\r\n/**\r\n * Returns the canonical JSON string for `value` as used by all signing and\r\n * verification operations in the execution package. Delegates to the bundle\r\n * package's `canonicalize` so the representation is consistent across packages.\r\n */\r\nexport function canonicalizeForSigning(\r\n value: unknown\r\n): string {\r\n\r\n return canonicalize(value);\r\n}\r\n\r\n\r\n\r\n\r\n","import {\r\n canonicalizeForSigning\r\n} from \"./canonical-signing.js\";\r\n\r\nimport type {\r\n ExecutionToken,\r\n} from \"./execution-token.js\";\r\n\r\nimport type {\r\n Signer,\r\n} from \"./signer-interface.js\";\r\n\r\n/**\r\n * Signs the canonical form of `token` with `signer` and returns a\r\n * base64-encoded Ed25519 signature.\r\n */\r\nexport function signExecutionToken(\r\n token: ExecutionToken,\r\n signer: Signer\r\n): string {\r\n\r\n const canonical = canonicalizeForSigning(token);\r\n\r\n // 🔍 DEBUG (temporary)\r\nconsole.log(\"SIGN TOKEN:\", canonical);\r\n\r\n return signer.sign(canonical);\r\n}\r\n","import {\r\n canonicalizeForSigning\r\n} from \"./canonical-signing.js\";\r\n\r\nimport type {\r\n ExecutionToken,\r\n} from \"./execution-token.js\";\r\n\r\nimport type {\r\n Verifier,\r\n} from \"./verifier-interface.js\";\r\n\r\nexport function verifyExecutionToken(\r\n token: ExecutionToken,\r\n signature: string,\r\n verifier: Verifier\r\n): boolean {\r\n\r\n const canonical = canonicalizeForSigning(token);\r\n\r\n // 🔍 DEBUG (temporary)\r\n console.log(\"VERIFY TOKEN:\", canonical);\r\n\r\n return verifier.verify(\r\n canonical,\r\n signature\r\n );\r\n}\r\n","import {\r\n validatePolicy,\r\n} from \"@parmanasystems/governance\";\r\n\r\n/**\r\n * Validates that `policyId` passes full bundle and signature verification.\r\n * Delegates to {@link validatePolicy} and throws if 
validation fails.\r\n *\r\n * @throws When the policy does not exist or any version fails verification.\r\n */\r\nexport function verifyRuntimePolicy(\r\n policyId: string\r\n): void {\r\n const valid =\r\n validatePolicy(\r\n policyId\r\n );\r\n\r\n if (!valid) {\r\n throw new Error(\r\n `Runtime verification failed for policy: ${policyId}`\r\n );\r\n }\r\n}\r\n\r\n\r\n\r\n\r\n","export interface ExecutionAttestation {\r\n execution_id: string;\r\n\r\n decision: {\r\n action: \"approve\" | \"reject\";\r\n requires_override: boolean;\r\n reason?: string;\r\n };\r\n\r\n execution_state: \"completed\" | \"blocked\" | \"pending_override\";\r\n\r\n signature: string;\r\n runtime_hash: string;\r\n}\r\n\r\n/**\r\n * Deterministic attestation canonicalization\r\n *\r\n * Used for:\r\n * - attestation signing\r\n * - independent verification\r\n * - reproducibility proofs\r\n */\r\nexport function canonicalizeAttestation(\r\n attestation: {\r\n execution_id: string;\r\n decision: any;\r\n execution_state: string;\r\n runtime_hash: string;\r\n }\r\n): string {\r\n\r\n return JSON.stringify(\r\n canonicalize(\r\n attestation\r\n )\r\n );\r\n}\r\n\r\n/**\r\n * Deterministic recursive canonicalization\r\n */\r\nfunction canonicalize(\r\n obj: any\r\n): any {\r\n\r\n if (Array.isArray(obj)) {\r\n\r\n return obj.map(\r\n canonicalize\r\n );\r\n }\r\n\r\n if (\r\n obj !== null\r\n &&\r\n typeof obj === \"object\"\r\n ) {\r\n\r\n return Object\r\n .keys(obj)\r\n .sort()\r\n .reduce(\r\n (\r\n acc: any,\r\n key\r\n ) => {\r\n\r\n acc[key] =\r\n canonicalize(\r\n obj[key]\r\n );\r\n\r\n return acc;\r\n },\r\n {}\r\n );\r\n }\r\n\r\n return obj;\r\n}\r\n","import { canonicalizeForSigning }\r\n from \"./canonical-signing.js\";\r\n\r\nimport {\r\n canonicalizeAttestation\r\n} from \"./execution-attestation.js\";\r\n\r\nimport type {\r\n ExecutionToken\r\n} from \"./execution-token.js\";\r\n\r\n/**\r\n * 🔒 Stage 1 — Verification\r\n */\r\nexport function stageVerify(\r\n token: 
ExecutionToken,\r\n\r\n token_signature: string,\r\n\r\n verifier: {\r\n verify: (\r\n data: Uint8Array,\r\n sig: Uint8Array\r\n ) => boolean\r\n },\r\n\r\n runtime_manifest: any,\r\n\r\n runtime_requirements: any\r\n): void {\r\n\r\n const valid =\r\n verifier.verify(\r\n\r\n Buffer.from(\r\n canonicalizeForSigning(\r\n token\r\n )\r\n ),\r\n\r\n Buffer.from(\r\n token_signature,\r\n \"base64\"\r\n )\r\n );\r\n\r\n if (!valid) {\r\n\r\n throw new Error(\r\n \"Invalid token signature\"\r\n );\r\n }\r\n\r\n // --------------------------------------------------\r\n // Runtime version validation\r\n // --------------------------------------------------\r\n\r\n if (\r\n !runtime_requirements?.supported_runtime_versions\r\n ||\r\n !runtime_requirements\r\n .supported_runtime_versions\r\n .includes(\r\n runtime_manifest.runtime_version\r\n )\r\n ) {\r\n\r\n throw new Error(\r\n \"Unsupported runtime version\"\r\n );\r\n }\r\n\r\n // --------------------------------------------------\r\n // Capability validation\r\n // --------------------------------------------------\r\n\r\n for (\r\n const cap\r\n of runtime_requirements\r\n ?.required_capabilities\r\n || []\r\n ) {\r\n\r\n if (\r\n !runtime_manifest\r\n .capabilities\r\n .includes(cap)\r\n ) {\r\n\r\n throw new Error(\r\n `Missing required capability: ${cap}`\r\n );\r\n }\r\n }\r\n\r\n // --------------------------------------------------\r\n // Schema version validation\r\n // --------------------------------------------------\r\n\r\n if (\r\n !runtime_requirements?.supported_schema_versions\r\n ||\r\n !runtime_requirements\r\n .supported_schema_versions\r\n .includes(\r\n token.schema_version\r\n )\r\n ) {\r\n\r\n throw new Error(\r\n \"Unsupported schema version\"\r\n );\r\n }\r\n}\r\n\r\n/**\r\n * 🔒 Stage 2 — Execution (ENFORCEMENT ONLY)\r\n */\r\nexport function stageExecute(\r\n token: ExecutionToken\r\n): void {\r\n\r\n // Deterministic enforcement only.\r\n // No decision generation here.\r\n}\r\n\r\n/**\r\n * 
🔒 Stage 3 — Signing (DETERMINISTIC)\r\n */\r\nexport function stageSign(\r\n payload: {\r\n execution_id: string;\r\n\r\n decision: {\r\n action:\r\n \"approve\"\r\n | \"reject\";\r\n\r\n requires_override: boolean;\r\n\r\n reason?: string;\r\n };\r\n\r\n execution_state:\r\n \"completed\"\r\n | \"blocked\"\r\n | \"pending_override\";\r\n },\r\n\r\n signer: {\r\n sign: (\r\n payload: string\r\n ) => string\r\n },\r\n\r\n runtime_hash: string\r\n) {\r\n\r\n // --------------------------------------------------\r\n // Deterministic attestation payload\r\n // --------------------------------------------------\r\n\r\n const attestation = {\r\n\r\n execution_id:\r\n payload.execution_id,\r\n\r\n decision:\r\n payload.decision,\r\n\r\n execution_state:\r\n payload.execution_state,\r\n\r\n runtime_hash\r\n };\r\n\r\n // --------------------------------------------------\r\n // Deterministic canonicalization\r\n // --------------------------------------------------\r\n\r\n const canonical =\r\n canonicalizeAttestation(\r\n attestation\r\n );\r\n\r\n // --------------------------------------------------\r\n // Deterministic signature\r\n // --------------------------------------------------\r\n\r\n const signature =\r\n signer.sign(\r\n canonical\r\n );\r\n\r\n // --------------------------------------------------\r\n // Final attestation\r\n // --------------------------------------------------\r\n\r\n return {\r\n\r\n execution_id:\r\n payload.execution_id,\r\n\r\n decision:\r\n payload.decision,\r\n\r\n execution_state:\r\n payload.execution_state,\r\n\r\n signature,\r\n\r\n runtime_hash\r\n };\r\n}\r\n","import type { ReplayStore } from \"./replay-store-interface.js\";\r\n\r\n/**\r\n * 🔒 In-memory replay protection\r\n */\r\nexport class MemoryReplayStore implements ReplayStore {\r\n private store = new Set<string>();\r\n\r\n markExecuted(execution_id: string): void {\r\n if (this.store.has(execution_id)) {\r\n throw new Error(\"Replay attack detected\");\r\n }\r\n\r\n 
this.store.add(execution_id);\r\n }\r\n}\r\n","import {\r\n stageVerify,\r\n stageExecute,\r\n stageSign\r\n} from \"./pipeline.js\";\r\n\r\nimport { MemoryReplayStore } from \"./memory-replay-store.js\";\r\n\r\nimport type { ExecutionContext } from \"./execution-context.js\";\r\nimport type { ReplayStore } from \"./replay-store-interface.js\";\r\nimport type { ExecutionAttestation } from \"./execution-attestation.js\";\r\n\r\n/**\r\n * 🔴 CORE EXECUTION (FULLY DETERMINISTIC)\r\n *\r\n * Principles:\r\n * - NO time dependency\r\n * - replay is enforced\r\n * - decision is precomputed (token-driven)\r\n * - execution is enforcement only\r\n */\r\nexport function executeDecision(\r\n context: ExecutionContext,\r\n replayStore: ReplayStore\r\n): ExecutionAttestation {\r\n\r\n const {\r\n token,\r\n token_signature,\r\n signer,\r\n verifier,\r\n runtime_manifest,\r\n runtime_requirements\r\n } = context;\r\n\r\n // -----------------------------\r\n // Stage 1 — Verification\r\n // -----------------------------\r\n stageVerify(\r\n token,\r\n token_signature,\r\n verifier,\r\n runtime_manifest,\r\n runtime_requirements\r\n );\r\n\r\n // -----------------------------\r\n // Replay protection\r\n // -----------------------------\r\n const store =\r\n replayStore ??\r\n new MemoryReplayStore();\r\n\r\n if (!context.auditMode) {\r\n\r\n store.markExecuted(\r\n token.execution_id\r\n );\r\n }\r\n\r\n // -----------------------------\r\n // Stage 2 — Execution (side-effect / noop)\r\n // -----------------------------\r\n stageExecute(token);\r\n\r\n // -----------------------------\r\n // Derive decision + execution state\r\n // -----------------------------\r\n const decision =\r\n token.decision_payload;\r\n\r\n const execution_state:\r\n \"completed\" |\r\n \"blocked\" |\r\n \"pending_override\" =\r\n\r\n decision.requires_override\r\n ? \"pending_override\"\r\n : decision.action === \"approve\"\r\n ? 
\"completed\"\r\n : \"blocked\";\r\n\r\n // -----------------------------\r\n // Stage 3 — Signing (attestation)\r\n // -----------------------------\r\n return stageSign(\r\n {\r\n execution_id:\r\n token.execution_id,\r\n\r\n decision,\r\n\r\n execution_state\r\n },\r\n signer,\r\n runtime_manifest.runtime_hash\r\n );\r\n}\r\n","import {\r\n canonicalizeForSigning\r\n} from \"./canonical-signing.js\";\r\n\r\nimport type {\r\n Verifier,\r\n} from \"./verifier-interface.js\";\r\n\r\n/** A single audit log entry with arbitrary governance fields. */\r\nexport interface AuditEntry {\r\n [key: string]: unknown;\r\n}\r\n\r\n/**\r\n * Verifies that `signature` (base64 Ed25519) was produced over the canonical\r\n * form of `entry` by the authority whose key `verifier` holds.\r\n */\r\nexport function verifyAuditEntry(\r\n entry: AuditEntry,\r\n signature: string,\r\n verifier: Verifier\r\n): boolean {\r\n\r\n return verifier.verify(\r\n canonicalizeForSigning(entry),\r\n signature\r\n );\r\n}\r\n\r\n/**\r\n * Placeholder for full audit-chain integrity verification.\r\n * A complete implementation would re-hash every JSONL record and validate\r\n * the `previous_record_hash` linkage.\r\n *\r\n * @returns `true` — full chain verification is not yet implemented.\r\n */\r\nexport function verifyAuditChain(): boolean {\r\n return true;\r\n}\r\n\r\n\r\n\r\n\r\n","import * as crypto from \"node:crypto\";\r\n\r\nimport {\r\n canonicalize,\r\n} from \"@parmanasystems/bundle\";\r\n\r\n/**\r\n * The static portion of the runtime manifest (everything except `runtime_hash`).\r\n * Used both as the canonical source of capability declarations and as the input\r\n * to {@link hashRuntime}.\r\n */\r\nexport const runtimeManifestDefinition = {\r\n runtime_version:\r\n \"1.0.0\",\r\n\r\n supported_schema_versions: [\r\n \"1.0.0\",\r\n ],\r\n\r\n capabilities: [\r\n \"deterministic-evaluation\",\r\n \"attestation-signing\",\r\n \"replay-protection\",\r\n \"bundle-verification\",\r\n ],\r\n} 
as const;\r\n\r\n/**\r\n * Returns the SHA-256 hex digest of the canonicalized {@link runtimeManifestDefinition}.\r\n * This hash is embedded in every {@link ExecutionResult} as `runtime_hash`,\r\n * binding the result to a specific version of the runtime.\r\n */\r\nexport function hashRuntime(): string {\r\n return crypto\r\n .createHash(\r\n \"sha256\"\r\n )\r\n .update(\r\n canonicalize(\r\n runtimeManifestDefinition\r\n )\r\n )\r\n .digest(\r\n \"hex\"\r\n );\r\n}\r\n\r\n\r\n\r\n\r\n","import {\r\n hashRuntime,\r\n runtimeManifestDefinition,\r\n} from \"./hash-runtime.js\";\r\n\r\n/**\r\n * Static description of the governance runtime's identity, capabilities, and\r\n * supported protocol versions.\r\n *\r\n * Included in every {@link ExecutionResult} so verifiers can confirm the\r\n * runtime environment without trusting the operator. The `runtime_hash`\r\n * field is a deterministic SHA-256 commitment over the manifest definition,\r\n * binding the result to a specific runtime build.\r\n */\r\nexport interface RuntimeManifest {\r\n /** Semantic version of the governance runtime (e.g. `\"1.0.0\"`). */\r\n runtime_version: string;\r\n\r\n /** SHA-256 hex hash of the canonical runtime manifest definition. */\r\n runtime_hash: string;\r\n\r\n /** Schema version strings that this runtime can process. */\r\n supported_schema_versions: readonly string[];\r\n\r\n /** Capability strings advertised by this runtime (e.g. `\"replay-protection\"`). 
*/\r\n capabilities: readonly string[];\r\n}\r\n\r\n/**\r\n * Returns the active {@link RuntimeManifest} for the current process,\r\n * combining the static manifest definition with a freshly computed `runtime_hash`.\r\n */\r\nexport function getRuntimeManifest(): RuntimeManifest {\r\n\r\n return {\r\n runtime_hash:\r\n hashRuntime(),\r\n ...runtimeManifestDefinition,\r\n };\r\n}\r\n","import {\r\n canonicalize,\r\n} from \"@parmanasystems/bundle\";\r\n\r\nimport type {\r\n RuntimeManifest,\r\n} from \"./runtime-manifest.js\";\r\n\r\nimport type {\r\n Signer,\r\n} from \"./signer-interface.js\";\r\n\r\n/**\r\n * Signs the canonical form of `manifest` with `signer` and returns a\r\n * base64-encoded Ed25519 signature. Use this to produce a verifiable\r\n * attestation that a specific runtime version was active at a given time.\r\n */\r\nexport function signRuntimeManifest(\r\n manifest: RuntimeManifest,\r\n signer: Signer\r\n): string {\r\n\r\n return signer.sign(\r\n canonicalize(manifest)\r\n );\r\n}\r\n\r\n\r\n\r\n\r\n","import {\r\n canonicalizeForSigning\r\n} from \"./canonical-signing.js\";\r\n\r\nimport type {\r\n RuntimeManifest,\r\n} from \"./runtime-manifest.js\";\r\n\r\nimport type {\r\n Verifier,\r\n} from \"./verifier-interface.js\";\r\n\r\n/**\r\n * Verifies that `signature` (base64 Ed25519) was produced over the canonical\r\n * form of `manifest` by the authority whose key `verifier` holds.\r\n */\r\nexport function verifyRuntimeManifest(\r\n manifest: RuntimeManifest,\r\n signature: string,\r\n verifier: Verifier\r\n): boolean {\r\n\r\n return verifier.verify(\r\n canonicalizeForSigning(manifest),\r\n signature\r\n );\r\n}\r\n\r\n\r\n\r\n\r\n","import crypto from \"node:crypto\";\r\n\r\nimport type {\r\n Signer,\r\n} from \"./signer-interface.js\";\r\n\r\n/**\r\n * In-process Ed25519 {@link Signer} backed by Node.js `crypto`.\r\n *\r\n * Suitable for development and environments where the private key can be\r\n * securely injected at process start. 
For hardware-backed or remote signing\r\n * see {@link AwsKmsSigner}.\r\n */\r\nexport class LocalSigner\r\n implements Signer {\r\n\r\n private readonly keyObject: crypto.KeyObject;\r\n\r\n /**\r\n * @param privateKey - PEM-encoded Ed25519 private key (PKCS8 format).\r\n */\r\n constructor(\r\n private readonly privateKey: string\r\n ) {\r\n\r\n const normalizedKey =\r\n privateKey\r\n .replace(/\\\\n/g, \"\\n\")\r\n .trim();\r\n\r\n this.keyObject =\r\n crypto.createPrivateKey({\r\n key: normalizedKey,\r\n format: \"pem\",\r\n });\r\n }\r\n\r\n /**\r\n * Signs `payload` (UTF-8) with the Ed25519 private key and returns a\r\n * base64-encoded signature.\r\n */\r\n sign(\r\n payload: string\r\n ): string {\r\n\r\n return crypto\r\n .sign(\r\n null,\r\n\r\n Buffer.from(\r\n payload,\r\n \"utf8\"\r\n ),\r\n\r\n this.keyObject\r\n )\r\n\r\n .toString(\r\n \"base64\"\r\n );\r\n }\r\n}\r\n","import * as crypto from \"node:crypto\";\r\n\r\nimport type {\r\n Verifier,\r\n} from \"./verifier-interface.js\";\r\n\r\n/**\r\n * In-process Ed25519 {@link Verifier} backed by Node.js `crypto`.\r\n *\r\n * Paired with {@link LocalSigner}; both must use the same Ed25519 key pair.\r\n */\r\nexport class LocalVerifier\r\n implements Verifier {\r\n\r\n /**\r\n * @param publicKey - PEM-encoded Ed25519 public key (SPKI format).\r\n */\r\n constructor(\r\n private readonly publicKey: string\r\n ) {}\r\n\r\n /**\r\n * Verifies that `signature` (base64 Ed25519) was produced over the UTF-8\r\n * `payload` by the holder of the corresponding private key.\r\n */\r\n verify(\r\n payload: string,\r\n signature: string\r\n ): boolean {\r\n\r\n return crypto.verify(\r\n null,\r\n\r\n Buffer.from(\r\n payload,\r\n \"utf8\"\r\n ),\r\n\r\n this.publicKey,\r\n\r\n Buffer.from(\r\n signature,\r\n \"base64\"\r\n )\r\n );\r\n }\r\n}\r\n\r\n\r\n\r\n\r\n","import type { DecisionResult } from \"./execution-result.js\";\r\n// -----------------------------\r\n// Types\r\n// 
-----------------------------\r\ninterface BaseCondition {\r\n signal: string;\r\n equals?: unknown;\r\n greater_than?: number;\r\n less_than?: number;\r\n}\r\n\r\ninterface AllCondition {\r\n all: RuleCondition[];\r\n}\r\n\r\ninterface AnyCondition {\r\n any: RuleCondition[];\r\n}\r\n\r\ntype RuleCondition =\r\n | BaseCondition\r\n | AllCondition\r\n | AnyCondition;\r\n\r\ninterface PolicyRule {\r\n id: string;\r\n condition: RuleCondition;\r\n outcome: {\r\n action: \"approve\" | \"reject\";\r\n requires_override: boolean;\r\n reason?: string;\r\n };\r\n}\r\n\r\nexport interface PolicyDocument {\r\n schemaVersion: string;\r\n signalsSchema: Record<string, unknown>;\r\n rules: PolicyRule[];\r\n}\r\n\r\n// -----------------------------\r\n// Rule evaluation (PURE)\r\n// -----------------------------\r\nfunction evaluateCondition(\r\n condition: RuleCondition,\r\n signals: Record<string, unknown>\r\n): boolean {\r\n\r\n if (\"all\" in condition) {\r\n return condition.all.every(c => evaluateCondition(c, signals));\r\n }\r\n\r\n if (\"any\" in condition) {\r\n return condition.any.some(c => evaluateCondition(c, signals));\r\n }\r\n\r\n const { signal, equals, greater_than, less_than } = condition;\r\n\r\n if (!(signal in signals)) {\r\n throw new Error(`Signal not found: ${signal}`);\r\n }\r\n\r\n const actual = signals[signal];\r\n\r\n if (equals !== undefined) {\r\n if (typeof actual !== typeof equals) {\r\n throw new Error(`Type mismatch for ${signal}`);\r\n }\r\n return actual === equals;\r\n }\r\n\r\n if (greater_than !== undefined) {\r\n if (typeof actual !== \"number\") {\r\n throw new Error(`Expected number for ${signal}`);\r\n }\r\n return actual > greater_than;\r\n }\r\n\r\n if (less_than !== undefined) {\r\n if (typeof actual !== \"number\") {\r\n throw new Error(`Expected number for ${signal}`);\r\n }\r\n return actual < less_than;\r\n }\r\n\r\n return false;\r\n}\r\n\r\n// -----------------------------\r\n// Schema validation\r\n// 
-----------------------------\r\nfunction validateSchemaVersion(policy: PolicyDocument): void {\r\n const supported = [\"1.0.0\"];\r\n\r\n if (!supported.includes(policy.schemaVersion)) {\r\n throw new Error(\r\n `Unsupported schema version: ${policy.schemaVersion}`\r\n );\r\n }\r\n}\r\n\r\n// -----------------------------\r\n// MAIN EVALUATOR (DETERMINISTIC)\r\n// -----------------------------\r\nexport function evaluatePolicy(\r\n policy: PolicyDocument,\r\n signals: Record<string, unknown>\r\n): DecisionResult {\r\n\r\n validateSchemaVersion(policy);\r\n\r\n // -----------------------------\r\n // Evaluate rules in order\r\n // -----------------------------\r\n for (const rule of policy.rules) {\r\n\r\n const matched = evaluateCondition(\r\n rule.condition,\r\n signals\r\n );\r\n\r\n if (matched) {\r\n return {\r\n status: \"decided\",\r\n outcome: rule.outcome,\r\n rule_id: rule.id,\r\n source: \"rule_match\"\r\n };\r\n }\r\n }\r\n\r\n // -----------------------------\r\n // Fail closed (no match)\r\n // -----------------------------\r\n throw new Error(\r\n \"[SYS-006] No rule matched — policy must cover all cases\"\r\n );\r\n}\r\n","import * as fs from \"node:fs\";\r\nimport * as path from \"node:path\";\r\n\r\nimport type { PolicyDocument } from \"./evaluator.js\";\r\n\r\nexport function loadPolicy(\r\n policyId: string,\r\n policyVersion: string,\r\n basePath: string = process.cwd()\r\n): PolicyDocument {\r\n\r\n const policyPath = path.resolve(\r\n basePath,\r\n \"policies\",\r\n policyId,\r\n policyVersion,\r\n \"policy.json\"\r\n );\r\n\r\n if (!fs.existsSync(policyPath)) {\r\n throw new Error(`Policy not found: ${policyPath}`);\r\n }\r\n\r\n const raw = fs.readFileSync(policyPath, \"utf8\");\r\n\r\n let parsed: any;\r\n\r\n try {\r\n parsed = JSON.parse(raw);\r\n } catch {\r\n throw new Error(\r\n `Invalid policy: malformed JSON in ${policyPath}`\r\n );\r\n }\r\n\r\n // -----------------------------\r\n // Basic validation\r\n // 
-----------------------------\r\n if (!parsed || typeof parsed !== \"object\") {\r\n throw new Error(\r\n `Invalid policy: expected object in ${policyPath}`\r\n );\r\n }\r\n\r\n // -----------------------------\r\n // STRICT schemaVersion only\r\n // -----------------------------\r\n if (!parsed.schemaVersion) {\r\n throw new Error(\r\n `Invalid policy: missing schemaVersion (camelCase only) in ${policyPath}`\r\n );\r\n }\r\n\r\n if (parsed.schema_version) {\r\n throw new Error(\r\n `Invalid policy: use schemaVersion, not schema_version in ${policyPath}`\r\n );\r\n }\r\n\r\n // -----------------------------\r\n // REQUIRED signalsSchema\r\n // -----------------------------\r\n if (!parsed.signalsSchema) {\r\n throw new Error(\r\n `Invalid policy: missing signalsSchema in ${policyPath}`\r\n );\r\n }\r\n\r\n if (parsed.signals_schema) {\r\n throw new Error(\r\n `Invalid policy: use signalsSchema, not signals_schema in ${policyPath}`\r\n );\r\n }\r\n\r\n return parsed as PolicyDocument;\r\n}\r\n","type SignalType =\r\n | \"boolean\"\r\n | \"integer\"\r\n | \"string\"\r\n | \"enum\";\r\n\r\ninterface SignalDefinition {\r\n type: SignalType;\r\n values?: string[];\r\n required?: boolean;\r\n}\r\n\r\ninterface PolicySignalsSchema {\r\n [key: string]: SignalDefinition;\r\n}\r\n\r\nimport type { PolicyDocument } from \"./evaluator.js\";\r\n\r\nexport function validateSignalsStrict(\r\n signals: Record<string, unknown>,\r\n policy: PolicyDocument\r\n): void {\r\n\r\n // ✅ FIXED: correct field\r\n const schema = policy.signalsSchema as PolicySignalsSchema;\r\n\r\n if (!schema || typeof schema !== \"object\") {\r\n throw new Error(\"[VAL-001] Invalid policy: missing signals schema\");\r\n }\r\n\r\n if (!signals || typeof signals !== \"object\") {\r\n throw new Error(\"[VAL-002] Invalid input: signals must be an object\");\r\n }\r\n\r\n // Reject unknown signals\r\n for (const key of Object.keys(signals)) {\r\n if (!Object.prototype.hasOwnProperty.call(schema, key)) {\r\n 
throw new Error(`[VAL-003] Unknown signal: ${key}`);\r\n }\r\n }\r\n\r\n // Validate required + type\r\n for (const key of Object.keys(schema)) {\r\n\r\n const def = schema[key];\r\n const value = signals[key];\r\n\r\n const isRequired = def.required !== false;\r\n\r\n if (value === undefined) {\r\n if (isRequired) {\r\n throw new Error(`[VAL-004] Missing required signal: ${key}`);\r\n }\r\n continue;\r\n }\r\n\r\n if (!def?.type) {\r\n throw new Error(`[VAL-005] Invalid schema for signal: ${key}`);\r\n }\r\n\r\n switch (def.type) {\r\n\r\n case \"boolean\":\r\n if (typeof value !== \"boolean\") {\r\n throw new Error(`[VAL-006] ${key} must be boolean`);\r\n }\r\n break;\r\n\r\n case \"integer\":\r\n if (typeof value !== \"number\" || !Number.isInteger(value)) {\r\n throw new Error(`[VAL-007] ${key} must be integer`);\r\n }\r\n break;\r\n\r\n case \"string\":\r\n if (typeof value !== \"string\") {\r\n throw new Error(`[VAL-008] ${key} must be string`);\r\n }\r\n break;\r\n\r\n case \"enum\":\r\n if (typeof value !== \"string\") {\r\n throw new Error(`[VAL-009] ${key} must be enum string`);\r\n }\r\n\r\n if (!Array.isArray(def.values) || def.values.length === 0) {\r\n throw new Error(`[VAL-010] ${key} enum values missing`);\r\n }\r\n\r\n if (!def.values.includes(value)) {\r\n throw new Error(\r\n `[VAL-011] Invalid value for ${key}: ${value}`\r\n );\r\n }\r\n break;\r\n\r\n default:\r\n throw new Error(`[VAL-012] Unsupported signal type: ${def.type}`);\r\n }\r\n }\r\n}\r\n","import {\r\n evaluatePolicy,\r\n} from \"./evaluator.js\";\r\n\r\nimport {\r\n loadPolicy,\r\n} from \"./load-policy.js\";\r\n\r\nimport {\r\n validateSignalsStrict,\r\n} from \"./validate-signals.js\";\r\n\r\nimport type {\r\n DecisionResult\r\n} from \"./execution-result.js\";\r\n\r\n\r\nexport interface DryRunResult {\r\n policy_id: string;\r\n policy_version: string;\r\n schema_version: string;\r\n\r\n decision: DecisionResult; // ✅ FIXED (not string)\r\n\r\n rule_trace: string[];\r\n\r\n 
governed: false;\r\n dry_run: true;\r\n\r\n evaluated_at: string;\r\n}\r\n\r\n\r\nexport function evaluateDryRun(\r\n policyId: string,\r\n policyVersion: string,\r\n signals: Record<string, unknown>,\r\n governed_time = new Date().toISOString()\r\n): DryRunResult {\r\n\r\n // -----------------------------\r\n // 1. Load policy\r\n // -----------------------------\r\n const policy =\r\n loadPolicy(policyId, policyVersion);\r\n\r\n // -----------------------------\r\n // 2. Validate signals\r\n // -----------------------------\r\n validateSignalsStrict(signals, policy);\r\n\r\n // -----------------------------\r\n // 3. Evaluate policy\r\n // -----------------------------\r\n const decision: DecisionResult =\r\n evaluatePolicy(policy, signals);\r\n\r\n // -----------------------------\r\n // 4. Return dry-run result\r\n // -----------------------------\r\n return {\r\n policy_id: policyId,\r\n policy_version: policyVersion,\r\n schema_version: \"1.0.0\",\r\n\r\n decision, // ✅ structured\r\n\r\n rule_trace: [],\r\n\r\n governed: false,\r\n dry_run: true,\r\n\r\n evaluated_at: governed_time,\r\n };\r\n}\r\n","export type InvariantBoundary =\r\n | \"canonicalize\"\r\n | \"validate\"\r\n | \"verify\"\r\n | \"replay\"\r\n | \"execute\"\r\n | \"sign\";\r\n\r\nexport interface InvariantEntry {\r\n readonly id: string;\r\n readonly description: string;\r\n readonly boundary: InvariantBoundary | readonly InvariantBoundary[];\r\n}\r\n\r\n/**\r\n * Single source of truth for all governance invariants.\r\n *\r\n * Every invariant_id that appears in ViolationReport, source comments,\r\n * or test coverage maps MUST have an entry here. 
The CI gate\r\n * (scripts/ci-invariant-gate.ts) enforces this at build time.\r\n */\r\nexport const INVARIANT_REGISTRY = {\r\n \"INV-001\": {\r\n id: \"INV-001\",\r\n description: \"Canonical serialization produces identical bytes for identical inputs\",\r\n boundary: \"canonicalize\",\r\n },\r\n \"INV-002\": {\r\n id: \"INV-002\",\r\n description: \"Input payload must be structurally valid\",\r\n boundary: \"validate\",\r\n },\r\n \"INV-003\": {\r\n id: \"INV-003\",\r\n description: \"Execution token signature must be cryptographically valid\",\r\n boundary: \"verify\",\r\n },\r\n \"INV-004\": {\r\n id: \"INV-004\",\r\n description: \"Execution time is injected deterministically — no wall-clock reads inside the execution scope\",\r\n boundary: [\"canonicalize\", \"execute\"] as readonly InvariantBoundary[],\r\n },\r\n \"INV-005\": {\r\n id: \"INV-005\",\r\n description: \"Runtime version must be in the set of supported runtime versions\",\r\n boundary: \"verify\",\r\n },\r\n \"INV-006\": {\r\n id: \"INV-006\",\r\n description: \"Schema version 1.0.0 must be supported by both runtime manifest and requirements\",\r\n boundary: \"verify\",\r\n },\r\n \"INV-007\": {\r\n id: \"INV-007\",\r\n description: \"Execution token must not be expired at governed_time\",\r\n boundary: \"verify\",\r\n },\r\n \"INV-008\": {\r\n id: \"INV-008\",\r\n description: \"The governed field is always in signature scope and equals literal true\",\r\n boundary: \"sign\",\r\n },\r\n \"INV-009\": {\r\n id: \"INV-009\",\r\n description: \"Signals hash must be a non-empty string binding execution to specific inputs\",\r\n boundary: \"validate\",\r\n },\r\n \"INV-010\": {\r\n id: \"INV-010\",\r\n description: \"Policy ID and policy version must be non-empty strings\",\r\n boundary: \"validate\",\r\n },\r\n \"INV-011\": {\r\n id: \"INV-011\",\r\n description: \"All required runtime capabilities must be present in the runtime manifest\",\r\n boundary: \"verify\",\r\n },\r\n \"INV-013\": {\r\n id: 
\"INV-013\",\r\n description: \"Replay protection is always enforced — execution_id is single-use and non-configurable\",\r\n boundary: \"replay\",\r\n },\r\n \"INV-014\": {\r\n id: \"INV-014\",\r\n description: \"governed literal true structurally distinguishes ExecutionResult from DryRunResult\",\r\n boundary: \"execute\",\r\n },\r\n \"INV-015\": {\r\n id: \"INV-015\",\r\n description: \"Audit record must be written before attestation is issued\",\r\n boundary: \"execute\",\r\n },\r\n \"INV-016\": {\r\n id: \"INV-016\",\r\n description: \"Audit records are linearizable via SHA-256 hash chain\",\r\n boundary: \"execute\",\r\n },\r\n \"INV-017\": {\r\n id: \"INV-017\",\r\n description: \"Any verification failure causes fail-closed execution — no partial results\",\r\n boundary: [\"verify\", \"replay\", \"execute\"] as readonly InvariantBoundary[],\r\n },\r\n \"INV-020\": {\r\n id: \"INV-020\",\r\n description: \"Runtime capability declarations are truthful and non-negotiable\",\r\n boundary: \"verify\",\r\n },\r\n \"INV-022\": {\r\n id: \"INV-022\",\r\n description: \"Every policy decision is derivable from the policy document and input signals\",\r\n boundary: \"execute\",\r\n },\r\n \"INV-024\": {\r\n id: \"INV-024\",\r\n description: \"Decision values are semantically unambiguous strings\",\r\n boundary: \"execute\",\r\n },\r\n \"INV-025\": {\r\n id: \"INV-025\",\r\n description: \"Schema version and runtime version are present in every ExecutionResult\",\r\n boundary: \"execute\",\r\n },\r\n \"INV-030\": {\r\n id: \"INV-030\",\r\n description: \"Every attestation contains a runtime_hash binding it to a specific runtime version\",\r\n boundary: \"execute\",\r\n },\r\n \"INV-031\": {\r\n id: \"INV-031\",\r\n description: \"Runtime manifest declares explicit supported_schema_versions and runtime_version\",\r\n boundary: \"verify\",\r\n },\r\n \"INV-033\": {\r\n id: \"INV-033\",\r\n description: \"Governance properties (replay, audit, attestation) are structurally 
enforced — not configurable\",\r\n boundary: \"execute\",\r\n },\r\n \"INV-034\": {\r\n id: \"INV-034\",\r\n description: \"Any verifier holding the correct public key can independently verify an attestation\",\r\n boundary: \"sign\",\r\n },\r\n \"INV-035\": {\r\n id: \"INV-035\",\r\n description: \"Verification is reproducible: same attestation + key produces identical outcome\",\r\n boundary: \"sign\",\r\n },\r\n \"INV-037\": {\r\n id: \"INV-037\",\r\n description: \"Signatures from different authority keys do not cross-verify — signing domains are isolated\",\r\n boundary: \"sign\",\r\n },\r\n \"INV-038\": {\r\n id: \"INV-038\",\r\n description: \"Cross-key verification failures are consistent: wrong-key always returns false\",\r\n boundary: \"sign\",\r\n },\r\n \"INV-040\": {\r\n id: \"INV-040\",\r\n description: \"AI output and governance enforcement are strictly separated — no AI field in execution scope\",\r\n boundary: \"validate\",\r\n },\r\n \"INV-041\": {\r\n id: \"INV-041\",\r\n description: \"Governance boundary is explicit: runtime manifest must declare runtime_version\",\r\n boundary: \"verify\",\r\n },\r\n \"INV-047\": {\r\n id: \"INV-047\",\r\n description: \"Canonical serialization uses explicit UTF-8 encoding\",\r\n boundary: \"canonicalize\",\r\n },\r\n \"INV-048\": {\r\n id: \"INV-048\",\r\n description: \"Unicode normalization is stable across canonicalization calls\",\r\n boundary: \"canonicalize\",\r\n },\r\n \"INV-049\": {\r\n id: \"INV-049\",\r\n description: \"Canonical JSON sorts object keys recursively and preserves array order\",\r\n boundary: \"canonicalize\",\r\n },\r\n \"INV-050\": {\r\n id: \"INV-050\",\r\n description: \"Duplicate JSON keys must not appear in governance payloads (gap: documented)\",\r\n boundary: \"canonicalize\",\r\n },\r\n \"INV-051\": {\r\n id: \"INV-051\",\r\n description: \"Numeric values canonicalize identically regardless of trailing zeros\",\r\n boundary: \"canonicalize\",\r\n },\r\n \"INV-052\": {\r\n id: 
\"INV-052\",\r\n description: \"Object insertion order does not affect canonical form or content-address hash\",\r\n boundary: \"canonicalize\",\r\n },\r\n \"INV-053\": {\r\n id: \"INV-053\",\r\n description: \"Array element order is preserved through canonicalization\",\r\n boundary: \"canonicalize\",\r\n },\r\n \"INV-054\": {\r\n id: \"INV-054\",\r\n description: \"JSON type closure: NaN and Infinity serialize to null; undefined fields are omitted\",\r\n boundary: \"canonicalize\",\r\n },\r\n \"INV-057\": {\r\n id: \"INV-057\",\r\n description: \"Content-address (SHA-256) is stable for identical content across calls\",\r\n boundary: \"canonicalize\",\r\n },\r\n \"INV-059\": {\r\n id: \"INV-059\",\r\n description: \"Replay domain is explicit: every execution_id in the store was consumed by a real execution\",\r\n boundary: \"replay\",\r\n },\r\n \"INV-060\": {\r\n id: \"INV-060\",\r\n description: \"Attestation verification is idempotent: same inputs always produce identical results\",\r\n boundary: \"sign\",\r\n },\r\n \"INV-061\": {\r\n id: \"INV-061\",\r\n description: \"Runtime capability declarations are immutable after build\",\r\n boundary: \"verify\",\r\n },\r\n \"INV-072\": {\r\n id: \"INV-072\",\r\n description: \"Dry-run path produces no side effects: no replay store write, no audit record, no signature\",\r\n boundary: \"execute\",\r\n },\r\n \"INV-073\": {\r\n id: \"INV-073\",\r\n description: \"Canonical evaluation source files contain no network calls\",\r\n boundary: \"execute\",\r\n },\r\n \"INV-074\": {\r\n id: \"INV-074\",\r\n description: \"Every governed executeDecision call produces exactly one audit record\",\r\n boundary: \"execute\",\r\n },\r\n \"INV-075\": {\r\n id: \"INV-075\",\r\n description: \"Execution IDs (UUIDv4) are unique per issuance — governance identity is non-reusable\",\r\n boundary: \"execute\",\r\n },\r\n \"INV-077\": {\r\n id: \"INV-077\",\r\n description: \"All failure modes are deterministic: same invalid input always 
produces the same error\",\r\n boundary: [\"verify\", \"replay\", \"execute\"] as readonly InvariantBoundary[],\r\n },\r\n \"INV-078\": {\r\n id: \"INV-078\",\r\n description: \"Operational metadata fields must not contaminate deterministic signing scope\",\r\n boundary: \"validate\",\r\n },\r\n \"INV-080\": {\r\n id: \"INV-080\",\r\n description: \"Unsupported schema and runtime versions fail explicitly with a descriptive error\",\r\n boundary: \"verify\",\r\n },\r\n \"META-001\": {\r\n id: \"META-001\",\r\n description: \"Every governed execution produces a signed, independently verifiable attestation\",\r\n boundary: \"sign\",\r\n },\r\n \"META-004\": {\r\n id: \"META-004\",\r\n description: \"Invariant violations always fail closed — no partial results are emitted on violation\",\r\n boundary: [\"verify\", \"replay\", \"execute\", \"sign\"] as readonly InvariantBoundary[],\r\n },\r\n} as const satisfies Record<string, InvariantEntry>;\r\n\r\nexport type InvariantId = keyof typeof INVARIANT_REGISTRY;\r\n","import * as crypto from \"node:crypto\";\r\n\r\n/**\r\n * Structured report emitted when a governance invariant is violated.\r\n *\r\n * Fields:\r\n * invariant_id — the invariant from INVARIANT_REGISTRY that was breached\r\n * boundary — pipeline stage where the violation was detected\r\n * reason — human-readable explanation of what failed\r\n * input_hash — SHA-256 of the canonical form of the input that triggered the violation\r\n * timestamp_seq — monotonically increasing sequence number within the process lifetime\r\n */\r\nexport interface ViolationReport {\r\n readonly invariant_id: string;\r\n readonly boundary: string;\r\n readonly reason: string;\r\n readonly input_hash: string;\r\n readonly timestamp_seq: number;\r\n}\r\n\r\nlet _seq = 0;\r\n\r\n/**\r\n * Thrown by every pipeline stage boundary when a governance invariant is violated.\r\n *\r\n * Carries a structured ViolationReport so downstream consumers can distinguish\r\n * invariant violations 
from unexpected runtime errors without string parsing.\r\n */\r\nexport class InvariantViolation extends Error {\r\n readonly report: ViolationReport;\r\n\r\n constructor(report: ViolationReport) {\r\n super(`[${report.invariant_id}@${report.boundary}] ${report.reason}`);\r\n this.name = \"InvariantViolation\";\r\n this.report = report;\r\n }\r\n}\r\n\r\n/**\r\n * Computes the SHA-256 hex digest of `value` for use as `input_hash` in a ViolationReport.\r\n * Accepts a string (used as-is) or any value (JSON-stringified before hashing).\r\n */\r\nexport function hashInput(value: unknown): string {\r\n const bytes =\r\n typeof value === \"string\"\r\n ? value\r\n : JSON.stringify(value) ?? \"\";\r\n\r\n return crypto\r\n .createHash(\"sha256\")\r\n .update(bytes, \"utf8\")\r\n .digest(\"hex\");\r\n}\r\n\r\n/**\r\n * Constructs and throws an InvariantViolation.\r\n * Never returns — the return type `never` enforces this at compile time.\r\n *\r\n * @param invariant_id - ID from INVARIANT_REGISTRY\r\n * @param boundary - Pipeline stage name\r\n * @param reason - Human-readable reason (must contain the legacy message substring for test compat)\r\n * @param input - The input that triggered the violation (hashed automatically)\r\n */\r\nexport function violate(\r\n invariant_id: string,\r\n boundary: string,\r\n reason: string,\r\n input: unknown\r\n): never {\r\n throw new InvariantViolation({\r\n invariant_id,\r\n boundary,\r\n reason,\r\n input_hash: hashInput(input),\r\n timestamp_seq: ++_seq,\r\n });\r\n}\r\n","/**\r\n * Sealed Execution VM — determinism enforcement for the governance execution scope.\r\n *\r\n * The execution stage (execute.ts, pipeline.ts) is forbidden from accessing:\r\n * - Date.now() — non-deterministic wall clock\r\n * - Math.random() — non-deterministic PRNG\r\n * - fs / network IO — external state that varies across environments\r\n *\r\n * Time is injected explicitly via governed_time in ExecutionContext.\r\n * The CI gate 
(scripts/ci-invariant-gate.ts) enforces these constraints statically.\r\n *\r\n * This module provides:\r\n * - governingTime() — derives execution time from injected governed_time or falls\r\n * back to the system clock (only acceptable outside execute.ts)\r\n * - FORBIDDEN_GLOBALS — the list of globals that must not appear in execution-scope files\r\n */\r\n\r\n/** Globals forbidden inside the sealed execution scope. */\r\nexport const FORBIDDEN_GLOBALS = [\r\n \"Date.now\",\r\n \"Math.random\",\r\n] as const;\r\n\r\n/**\r\n * Files in the execution package whose source must not reference FORBIDDEN_GLOBALS.\r\n * Enforced by the CI gate.\r\n */\r\nexport const SEALED_SCOPE_FILES = [\r\n \"packages/execution/src/execute.ts\",\r\n \"packages/execution/src/pipeline.ts\",\r\n \"packages/execution/src/canonical-signing.ts\",\r\n \"packages/bundle/src/canonicalize.ts\",\r\n \"packages/bundle/src/hash.ts\",\r\n] as const;\r\n\r\n/**\r\n * Returns the governing time for an execution.\r\n *\r\n * When `provided` is a non-empty ISO 8601 string it is returned as-is,\r\n * preserving determinism. 
When `provided` is absent or empty the current\r\n * system time is used — this fallback is intentionally limited to\r\n * non-execution-scope callers (audit.ts, dry-run.ts, tests).\r\n *\r\n * MUST NOT be called from execute.ts or pipeline.ts — those files must\r\n * receive governed_time from their caller and pass it through explicitly.\r\n */\r\nexport function governingTime(provided?: string): string {\r\n if (provided && provided.length > 0) {\r\n return provided;\r\n }\r\n return new Date().toISOString();\r\n}\r\n","import * as crypto from \"node:crypto\";\r\n\r\nimport { evaluatePolicy } from \"./evaluator.js\";\r\nimport { loadPolicy } from \"./load-policy.js\";\r\nimport { validateSignalsStrict } from \"./validate-signals.js\";\r\nimport { issueToken } from \"./issue-token.js\";\r\nimport { signExecutionToken } from \"./sign-token.js\";\r\nimport { getRuntimeManifest } from \"./runtime-manifest.js\";\r\nimport { executeWithRedis } from \"./execute-with-redis.js\";\r\nimport { canonicalize } from \"./canonical-json.js\";\r\n\r\nimport type { Signer } from \"./signer-interface.js\";\r\nimport type { Verifier } from \"./verifier-interface.js\";\r\nimport type { AsyncReplayStore } from \"./async-replay-store-interface.js\";\r\nimport type { DecisionResult } from \"./execution-result.js\";\r\n\r\nexport async function executeFromSignals(\r\n input: {\r\n policyId: string;\r\n policyVersion: string;\r\n signals: Record<string, unknown>;\r\n metadata?: Record<string, unknown>;\r\n },\r\n signer: Signer,\r\n verifier: Verifier,\r\n replayStore: AsyncReplayStore & {\r\n get?: (key: string) => Promise<string | null>;\r\n set?: (key: string, value: string) => Promise<void>;\r\n del?: (key: string) => Promise<void>;\r\n }\r\n) {\r\n try {\r\n\r\n // -----------------------------\r\n // 1. Load policy\r\n // -----------------------------\r\n const policy = loadPolicy(\r\n input.policyId,\r\n input.policyVersion\r\n );\r\n\r\n // -----------------------------\r\n // 2. 
Validate signals\r\n // -----------------------------\r\n validateSignalsStrict(input.signals, policy);\r\n\r\n // -----------------------------\r\n // 3. Evaluate policy\r\n // -----------------------------\r\n const decision: DecisionResult =\r\n evaluatePolicy(policy, input.signals);\r\n\r\n // -----------------------------\r\n // 4. Enforce invariants\r\n // -----------------------------\r\n if (decision.status !== \"decided\" || !decision.outcome) {\r\n throw new Error(\r\n \"[SYS-004] Invalid policy: execution must resolve to decided\"\r\n );\r\n }\r\n\r\n if (!decision.rule_id) {\r\n throw new Error(\r\n \"[SYS-005] Invalid decision: rule_id required\"\r\n );\r\n }\r\n\r\n // -----------------------------\r\n // 5. Canonical signals\r\n // -----------------------------\r\n const canonicalSignals = canonicalize(input.signals);\r\n\r\n // -----------------------------\r\n // 6. Deterministic execution_id\r\n // -----------------------------\r\n const executionId = crypto\r\n .createHash(\"sha256\")\r\n .update(\r\n JSON.stringify({\r\n policyId: input.policyId,\r\n policyVersion: input.policyVersion,\r\n signals: canonicalSignals\r\n })\r\n )\r\n .digest(\"hex\");\r\n\r\n // -----------------------------\r\n // 7. Runtime manifest\r\n // -----------------------------\r\n const runtimeManifest = getRuntimeManifest();\r\n\r\n // -----------------------------\r\n // 8. Issue token\r\n // -----------------------------\r\n const token = issueToken({\r\n execution_id: executionId,\r\n policy_id: input.policyId,\r\n decision_payload: decision.outcome,\r\n schema_version: policy.schemaVersion,\r\n runtime_version: runtimeManifest.runtime_version\r\n });\r\n\r\n const tokenSignature =\r\n signExecutionToken(token, signer);\r\n\r\n // -----------------------------\r\n // 9. 
Runtime requirements\r\n // -----------------------------\r\n const runtimeRequirements = {\r\n required_capabilities: [],\r\n supported_runtime_versions: [\r\n runtimeManifest.runtime_version\r\n ],\r\n supported_schema_versions: [\r\n policy.schemaVersion\r\n ]\r\n };\r\n\r\n // -----------------------------\r\n // 10. Resolve execution state\r\n // -----------------------------\r\n const action = decision.outcome.action;\r\n const requiresOverride = decision.outcome.requires_override;\r\n\r\n let execution_state: \"completed\" | \"blocked\" | \"pending_override\";\r\n\r\n if (requiresOverride) {\r\n execution_state = \"pending_override\";\r\n } else {\r\n execution_state =\r\n action === \"approve\" ? \"completed\" : \"blocked\";\r\n }\r\n\r\n // -----------------------------\r\n // 11. Handle pending_override\r\n // -----------------------------\r\n if (execution_state === \"pending_override\") {\r\n\r\n if (!replayStore.set) {\r\n throw new Error(\r\n \"[SYS-020] Store does not support pending execution storage\"\r\n );\r\n }\r\n\r\n await replayStore.set(\r\n `pending:${executionId}`,\r\n JSON.stringify({\r\n token,\r\n token_signature: tokenSignature,\r\n runtime_manifest: runtimeManifest,\r\n runtime_requirements: runtimeRequirements\r\n })\r\n );\r\n\r\n return {\r\n status: \"pending_override\" as const,\r\n execution_id: executionId,\r\n decision,\r\n requires_override: true\r\n };\r\n }\r\n\r\n // -----------------------------\r\n // 12. Execute\r\n // -----------------------------\r\n let execution;\r\n\r\n try {\r\n execution = await executeWithRedis(\r\n {\r\n token,\r\n token_signature: tokenSignature,\r\n signer,\r\n verifier,\r\n runtime_manifest: runtimeManifest,\r\n runtime_requirements: runtimeRequirements\r\n },\r\n replayStore\r\n );\r\n\r\n } catch (err) {\r\n\r\n const message =\r\n err instanceof Error ? 
err.message : \"Unknown error\";\r\n\r\n // ✅ FINAL FIX: replay = idempotent success\r\n if (message.includes(\"Replay attack detected\")) {\r\n return {\r\n status: \"success\" as const,\r\n execution_id: executionId,\r\n decision,\r\n execution_state,\r\n requires_override: false,\r\n replay: true\r\n };\r\n }\r\n\r\n throw err;\r\n }\r\n\r\n // -----------------------------\r\n // SUCCESS\r\n // -----------------------------\r\n return {\r\n status: \"success\" as const,\r\n execution_id: executionId,\r\n decision,\r\n execution_state,\r\n requires_override: false,\r\n signature: execution.signature\r\n };\r\n\r\n } catch (err: unknown) {\r\n\r\n return {\r\n status: \"error\" as const,\r\n error: err instanceof Error ? err.message : \"Unknown error\"\r\n };\r\n }\r\n}\r\n","import type { ExecutionContext } from \"./execution-context.js\";\r\nimport type { ExecutionAttestation } from \"./execution-attestation.js\";\r\nimport type { AsyncReplayStore } from \"./async-replay-store-interface.js\";\r\n\r\nimport { MemoryReplayStore } from \"./memory-replay-store.js\";\r\nimport { executeDecision } from \"./execute.js\";\r\n\r\n/**\r\n * 🟢 ASYNC ADAPTER\r\n * Handles Redis, keeps core pure\r\n */\r\nexport async function executeWithRedis(\r\n context: ExecutionContext,\r\n redisStore: AsyncReplayStore\r\n): Promise<ExecutionAttestation> {\r\n\r\n // Distributed replay protection\r\n await redisStore.markExecuted(\r\n context.token.execution_id\r\n );\r\n\r\n // Deterministic execution (sync core)\r\n const memoryStore = new MemoryReplayStore();\r\n\r\n return executeDecision(context, memoryStore);\r\n}\r\n","export function canonicalize(value: any): string {\r\n return JSON.stringify(sortValue(value));\r\n}\r\n\r\nfunction sortValue(value: any): any {\r\n if (Array.isArray(value)) {\r\n return value.map(sortValue);\r\n }\r\n\r\n if (value && typeof value === \"object\") {\r\n const sorted: Record<string, any> = {};\r\n\r\n for (const key of Object.keys(value).sort()) 
{\r\n sorted[key] = sortValue(value[key]);\r\n }\r\n\r\n return sorted;\r\n }\r\n\r\n return value;\r\n}\r\n","import {\r\n executeFromSignals,\r\n} from \"./execute-from-signals.js\";\r\n\r\nimport type {\r\n Signer,\r\n} from \"./signer-interface.js\";\r\n\r\nimport type {\r\n Verifier,\r\n} from \"./verifier-interface.js\";\r\n\r\nimport type {\r\n AsyncReplayStore,\r\n} from \"./async-replay-store-interface.js\";\r\n\r\n\r\n/**\r\n * Executes multiple records sequentially.\r\n *\r\n * Each record is processed independently.\r\n * Errors are captured per-record (fail-isolated).\r\n */\r\nexport async function executeBatch(\r\n records: Array<{\r\n policyId: string;\r\n policyVersion: string;\r\n signals: Record<string, unknown>;\r\n governed_time: string;\r\n }>,\r\n signer: Signer,\r\n verifier: Verifier,\r\n replayStore: AsyncReplayStore\r\n) {\r\n\r\n const outputs = [];\r\n\r\n for (const record of records) {\r\n\r\n try {\r\n\r\n const output =\r\n await executeFromSignals(\r\n record,\r\n signer,\r\n verifier,\r\n replayStore\r\n );\r\n\r\n outputs.push({\r\n input: record,\r\n output\r\n });\r\n\r\n } catch (err: unknown) {\r\n\r\n outputs.push({\r\n input: record,\r\n output: {\r\n status: \"error\",\r\n error:\r\n err instanceof Error\r\n ? 
err.message\r\n : \"Unknown error\"\r\n }\r\n });\r\n\r\n }\r\n }\r\n\r\n return outputs;\r\n}\r\n","import Redis from \"ioredis\";\r\n\r\nimport type {\r\n Redis as RedisClient\r\n} from \"ioredis\";\r\n\r\nimport type {\r\n AsyncReplayStore\r\n} from \"./async-replay-store-interface.js\";\r\n\r\nexport class RedisReplayStore\r\n implements AsyncReplayStore {\r\n\r\n private client: RedisClient;\r\n\r\n constructor(\r\n url: string\r\n ) {\r\n\r\n this.client =\r\n new (Redis as any)(url);\r\n }\r\n\r\n async hasExecuted(\r\n executionId: string\r\n ): Promise<boolean> {\r\n\r\n const res =\r\n await this.client.exists(\r\n `exec:${executionId}`\r\n );\r\n\r\n return res === 1;\r\n }\r\n\r\n async markExecuted(\r\n executionId: string\r\n ): Promise<void> {\r\n\r\n const result =\r\n await this.client.set(\r\n `exec:${executionId}`,\r\n \"1\",\r\n \"NX\"\r\n );\r\n\r\n if (result !== \"OK\") {\r\n\r\n throw new Error(\r\n `[INV-013@replay] Replay detected: execution_id ${executionId} has already been consumed`\r\n );\r\n }\r\n }\r\n\r\n async get(\r\n key: string\r\n ): Promise<string | null> {\r\n\r\n return this.client.get(key);\r\n }\r\n\r\n async set(\r\n key: string,\r\n value: string\r\n ): Promise<void> {\r\n\r\n await this.client.set(\r\n key,\r\n value\r\n );\r\n }\r\n\r\n async del(\r\n key: string\r\n ): Promise<void> {\r\n\r\n await this.client.del(key);\r\n }\r\n\r\n async close(): Promise<void> {\r\n\r\n await this.client.quit();\r\n }\r\n}","import { executeWithRedis } from \"./execute-with-redis.js\";\r\n\r\nimport type { AsyncReplayStore } from \"./async-replay-store-interface.js\";\r\nimport type { Signer } from \"./signer-interface.js\";\r\nimport type { Verifier } from \"./verifier-interface.js\";\r\n\r\nexport async function resolveOverride(\r\n executionId: string,\r\n replayStore: AsyncReplayStore & {\r\n get: (key: string) => Promise<string | null>;\r\n del: (key: string) => Promise<void>;\r\n },\r\n signer: Signer,\r\n verifier: 
Verifier\r\n) {\r\n // -----------------------------\r\n // 1. Load pending execution\r\n // -----------------------------\r\n const raw = await replayStore.get(`pending:${executionId}`);\r\n\r\n if (!raw) {\r\n throw new Error(\r\n `[SYS-021] No pending execution found for ${executionId}`\r\n );\r\n }\r\n\r\n const stored = JSON.parse(raw);\r\n\r\n // -----------------------------\r\n // 2. Execute (same token)\r\n // -----------------------------\r\n const execution = await executeWithRedis(\r\n {\r\n token: stored.token,\r\n token_signature: stored.token_signature,\r\n signer,\r\n verifier,\r\n runtime_manifest: stored.runtime_manifest,\r\n runtime_requirements: stored.runtime_requirements\r\n },\r\n replayStore\r\n );\r\n\r\n // -----------------------------\r\n // 3. Remove pending state\r\n // -----------------------------\r\n await replayStore.del(`pending:${executionId}`);\r\n\r\n // -----------------------------\r\n // 4. Return result\r\n // -----------------------------\r\n return {\r\n status: \"success\" as const,\r\n execution_id: executionId,\r\n signature: execution.signature,\r\n resolved: true\r\n 
};\r\n}\r\n"],"mappings":";AAMO,SAAS,WAAW,OAMR;AAEjB,QAAM;AAAA,IACJ;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,EACF,IAAI;AAEJ,MAAI,CAAC,gBAAgB;AACnB,UAAM,IAAI,MAAM,uCAAuC;AAAA,EACzD;AAEA,MAAI,CAAC,iBAAiB;AACpB,UAAM,IAAI,MAAM,wCAAwC;AAAA,EAC1D;AAEA,QAAM,QAAwB;AAAA,IAC5B;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,EACF;AAEA,SAAO,aAAa,KAAK;AAC3B;AAKA,SAAS,aAAa,KAAe;AACnC,MAAI,MAAM,QAAQ,GAAG,GAAG;AACtB,WAAO,IAAI,IAAI,YAAY;AAAA,EAC7B;AAEA,MAAI,QAAQ,QAAQ,OAAO,QAAQ,UAAU;AAC3C,WAAO,OAAO,KAAK,GAAG,EACnB,KAAK,EACL,OAAO,CAAC,KAAU,QAAQ;AACzB,UAAI,GAAG,IAAI,aAAa,IAAI,GAAG,CAAC;AAChC,aAAO;AAAA,IACT,GAAG,CAAC,CAAC;AAAA,EACT;AAEA,SAAO;AACT;;;AC3DA;AAAA,EACE,gBAAAA;AAAA,OACK;AAOA,SAAS,uBACd,OACQ;AAER,SAAOA,cAAa,KAAK;AAC3B;;;ACEO,SAAS,mBACd,OACA,QACQ;AAER,QAAM,YAAY,uBAAuB,KAAK;AAGhD,UAAQ,IAAI,eAAe,SAAS;AAElC,SAAO,OAAO,KAAK,SAAS;AAC9B;;;ACfO,SAAS,qBACd,OACA,WACA,UACS;AAET,QAAM,YAAY,uBAAuB,KAAK;AAG9C,UAAQ,IAAI,iBAAiB,SAAS;AAEtC,SAAO,SAAS;AAAA,IACd;AAAA,IACA;AAAA,EACF;AACF;;;AC3BA;AAAA,EACE;AAAA,OACK;AAQA,SAAS,oBACd,UACM;AACN,QAAM,QACJ;AAAA,IACE;AAAA,EACF;AAEF,MAAI,CAAC,OAAO;AACV,UAAM,IAAI;AAAA,MACR,2CAA2C,QAAQ;AAAA,IACrD;AAAA,EACF;AACF;;;ACAO,SAAS,wBACd,aAMQ;AAER,SAAO,KAAK;AAAA,IACVC;AAAA,MACE;AAAA,IACF;AAAA,EACF;AACF;AAKA,SAASA,cACP,KACK;AAEL,MAAI,MAAM,QAAQ,GAAG,GAAG;AAEtB,WAAO,IAAI;AAAA,MACTA;AAAA,IACF;AAAA,EACF;AAEA,MACE,QAAQ,QAER,OAAO,QAAQ,UACf;AAEA,WAAO,OACJ,KAAK,GAAG,EACR,KAAK,EACL;AAAA,MACC,CACE,KACA,QACG;AAEH,YAAI,GAAG,IACLA;AAAA,UACE,IAAI,GAAG;AAAA,QACT;AAEF,eAAO;AAAA,MACT;AAAA,MACA,CAAC;AAAA,IACH;AAAA,EACJ;AAEA,SAAO;AACT;;;AClEO,SAAS,YACd,OAEA,iBAEA,UAOA,kBAEA,sBACM;AAEN,QAAM,QACJ,SAAS;AAAA,IAEP,OAAO;AAAA,MACL;AAAA,QACE;AAAA,MACF;AAAA,IACF;AAAA,IAEA,OAAO;AAAA,MACL;AAAA,MACA;AAAA,IACF;AAAA,EACF;AAEF,MAAI,CAAC,OAAO;AAEV,UAAM,IAAI;AAAA,MACR;AAAA,IACF;AAAA,EACF;AAMA,MACE,CAAC,sBAAsB,8BAEvB,CAAC,qBACE,2BACA;AAAA,IACC,iBAAiB;AAAA,EACnB,GACF;AAEA,UAAM,IAAI;AAAA,MACR;AAAA,IACF;AAAA,EACF;AAMA,aACQ,OACH,sBACC,yBACC,CAAC,GACN;AAEA,QACE,CAAC,iBACE,aACA,SAAS,GAAG,GACf;AAEA,YAAM,IAAI;AA
AA,QACR,gCAAgC,GAAG;AAAA,MACrC;AAAA,IACF;AAAA,EACF;AAMA,MACE,CAAC,sBAAsB,6BAEvB,CAAC,qBACE,0BACA;AAAA,IACC,MAAM;AAAA,EACR,GACF;AAEA,UAAM,IAAI;AAAA,MACR;AAAA,IACF;AAAA,EACF;AACF;AAKO,SAAS,aACd,OACM;AAIR;AAKO,SAAS,UACd,SAmBA,QAMA,cACA;AAMA,QAAM,cAAc;AAAA,IAElB,cACE,QAAQ;AAAA,IAEV,UACE,QAAQ;AAAA,IAEV,iBACE,QAAQ;AAAA,IAEV;AAAA,EACF;AAMA,QAAM,YACJ;AAAA,IACE;AAAA,EACF;AAMF,QAAM,YACJ,OAAO;AAAA,IACL;AAAA,EACF;AAMF,SAAO;AAAA,IAEL,cACE,QAAQ;AAAA,IAEV,UACE,QAAQ;AAAA,IAEV,iBACE,QAAQ;AAAA,IAEV;AAAA,IAEA;AAAA,EACF;AACF;;;AChNO,IAAM,oBAAN,MAA+C;AAAA,EAA/C;AACL,SAAQ,QAAQ,oBAAI,IAAY;AAAA;AAAA,EAEhC,aAAa,cAA4B;AACvC,QAAI,KAAK,MAAM,IAAI,YAAY,GAAG;AAChC,YAAM,IAAI,MAAM,wBAAwB;AAAA,IAC1C;AAEA,SAAK,MAAM,IAAI,YAAY;AAAA,EAC7B;AACF;;;ACMO,SAAS,gBACd,SACA,aACsB;AAEtB,QAAM;AAAA,IACJ;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,EACF,IAAI;AAKJ;AAAA,IACE;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,EACF;AAKA,QAAM,QACJ,eACA,IAAI,kBAAkB;AAExB,MAAI,CAAC,QAAQ,WAAW;AAEtB,UAAM;AAAA,MACJ,MAAM;AAAA,IACR;AAAA,EACF;AAKA,eAAa,KAAK;AAKlB,QAAM,WACJ,MAAM;AAER,QAAM,kBAKJ,SAAS,oBACL,qBACA,SAAS,WAAW,YAClB,cACA;AAKR,SAAO;AAAA,IACL;AAAA,MACE,cACE,MAAM;AAAA,MAER;AAAA,MAEA;AAAA,IACF;AAAA,IACA;AAAA,IACA,iBAAiB;AAAA,EACnB;AACF;;;AChFO,SAAS,iBACd,OACA,WACA,UACS;AAET,SAAO,SAAS;AAAA,IACd,uBAAuB,KAAK;AAAA,IAC5B;AAAA,EACF;AACF;AASO,SAAS,mBAA4B;AAC1C,SAAO;AACT;;;ACtCA,YAAY,YAAY;AAExB;AAAA,EACE,gBAAAC;AAAA,OACK;AAOA,IAAM,4BAA4B;AAAA,EACvC,iBACE;AAAA,EAEF,2BAA2B;AAAA,IACzB;AAAA,EACF;AAAA,EAEA,cAAc;AAAA,IACZ;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,EACF;AACF;AAOO,SAAS,cAAsB;AACpC,SACG;AAAA,IACC;AAAA,EACF,EACC;AAAA,IACCA;AAAA,MACE;AAAA,IACF;AAAA,EACF,EACC;AAAA,IACC;AAAA,EACF;AACJ;;;ACbO,SAAS,qBAAsC;AAEpD,SAAO;AAAA,IACL,cACE,YAAY;AAAA,IACd,GAAG;AAAA,EACL;AACF;;;ACvCA;AAAA,EACE,gBAAAC;AAAA,OACK;AAeA,SAAS,oBACd,UACA,QACQ;AAER,SAAO,OAAO;AAAA,IACZA,cAAa,QAAQ;AAAA,EACvB;AACF;;;ACTO,SAAS,sBACd,UACA,WACA,UACS;AAET,SAAO,SAAS;AAAA,IACd,uBAAuB,QAAQ;AAAA,IAC/B;AAAA,EACF;AACF;;;AC1BA,OAAOC,aAAY;AAaZ,IAAM,cAAN,MACa;AAAA;AAAA;AAAA;AAAA,EAO
lB,YACmB,YACjB;AADiB;AAGjB,UAAM,gBACJ,WACG,QAAQ,QAAQ,IAAI,EACpB,KAAK;AAEV,SAAK,YACHA,QAAO,iBAAiB;AAAA,MACtB,KAAK;AAAA,MACL,QAAQ;AAAA,IACV,CAAC;AAAA,EACL;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,KACE,SACQ;AAER,WAAOA,QACJ;AAAA,MACC;AAAA,MAEA,OAAO;AAAA,QACL;AAAA,QACA;AAAA,MACF;AAAA,MAEA,KAAK;AAAA,IACP,EAEC;AAAA,MACC;AAAA,IACF;AAAA,EACJ;AACF;;;AC7DA,YAAYC,aAAY;AAWjB,IAAM,gBAAN,MACe;AAAA;AAAA;AAAA;AAAA,EAKpB,YACmB,WACjB;AADiB;AAAA,EAChB;AAAA;AAAA;AAAA;AAAA;AAAA,EAMH,OACE,SACA,WACS;AAET,WAAc;AAAA,MACZ;AAAA,MAEA,OAAO;AAAA,QACL;AAAA,QACA;AAAA,MACF;AAAA,MAEA,KAAK;AAAA,MAEL,OAAO;AAAA,QACL;AAAA,QACA;AAAA,MACF;AAAA,IACF;AAAA,EACF;AACF;;;ACHA,SAAS,kBACP,WACA,SACS;AAET,MAAI,SAAS,WAAW;AACtB,WAAO,UAAU,IAAI,MAAM,OAAK,kBAAkB,GAAG,OAAO,CAAC;AAAA,EAC/D;AAEA,MAAI,SAAS,WAAW;AACtB,WAAO,UAAU,IAAI,KAAK,OAAK,kBAAkB,GAAG,OAAO,CAAC;AAAA,EAC9D;AAEA,QAAM,EAAE,QAAQ,QAAQ,cAAc,UAAU,IAAI;AAEpD,MAAI,EAAE,UAAU,UAAU;AACxB,UAAM,IAAI,MAAM,qBAAqB,MAAM,EAAE;AAAA,EAC/C;AAEA,QAAM,SAAS,QAAQ,MAAM;AAE7B,MAAI,WAAW,QAAW;AACxB,QAAI,OAAO,WAAW,OAAO,QAAQ;AACnC,YAAM,IAAI,MAAM,qBAAqB,MAAM,EAAE;AAAA,IAC/C;AACA,WAAO,WAAW;AAAA,EACpB;AAEA,MAAI,iBAAiB,QAAW;AAC9B,QAAI,OAAO,WAAW,UAAU;AAC9B,YAAM,IAAI,MAAM,uBAAuB,MAAM,EAAE;AAAA,IACjD;AACA,WAAO,SAAS;AAAA,EAClB;AAEA,MAAI,cAAc,QAAW;AAC3B,QAAI,OAAO,WAAW,UAAU;AAC9B,YAAM,IAAI,MAAM,uBAAuB,MAAM,EAAE;AAAA,IACjD;AACA,WAAO,SAAS;AAAA,EAClB;AAEA,SAAO;AACT;AAKA,SAAS,sBAAsB,QAA8B;AAC3D,QAAM,YAAY,CAAC,OAAO;AAE1B,MAAI,CAAC,UAAU,SAAS,OAAO,aAAa,GAAG;AAC7C,UAAM,IAAI;AAAA,MACR,+BAA+B,OAAO,aAAa;AAAA,IACrD;AAAA,EACF;AACF;AAKO,SAAS,eACd,QACA,SACgB;AAEhB,wBAAsB,MAAM;AAK5B,aAAW,QAAQ,OAAO,OAAO;AAE/B,UAAM,UAAU;AAAA,MACd,KAAK;AAAA,MACL;AAAA,IACF;AAEA,QAAI,SAAS;AACX,aAAO;AAAA,QACL,QAAQ;AAAA,QACR,SAAS,KAAK;AAAA,QACd,SAAS,KAAK;AAAA,QACd,QAAQ;AAAA,MACV;AAAA,IACF;AAAA,EACF;AAKA,QAAM,IAAI;AAAA,IACR;AAAA,EACF;AACF;;;ACzIA,YAAY,QAAQ;AACpB,YAAY,UAAU;AAIf,SAAS,WACd,UACA,eACA,WAAmB,QAAQ,IAAI,GACf;AAEhB,QAAM,aAAkB;AAAA,IACtB;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,EACF;AAEA,MAAI,CAAI,cAAW,UAAU,GAAG;AAC9B,UAAM,IAAI,MAAM,qBAA
qB,UAAU,EAAE;AAAA,EACnD;AAEA,QAAM,MAAS,gBAAa,YAAY,MAAM;AAE9C,MAAI;AAEJ,MAAI;AACF,aAAS,KAAK,MAAM,GAAG;AAAA,EACzB,QAAQ;AACN,UAAM,IAAI;AAAA,MACR,qCAAqC,UAAU;AAAA,IACjD;AAAA,EACF;AAKA,MAAI,CAAC,UAAU,OAAO,WAAW,UAAU;AACzC,UAAM,IAAI;AAAA,MACR,sCAAsC,UAAU;AAAA,IAClD;AAAA,EACF;AAKA,MAAI,CAAC,OAAO,eAAe;AACzB,UAAM,IAAI;AAAA,MACR,6DAA6D,UAAU;AAAA,IACzE;AAAA,EACF;AAEA,MAAI,OAAO,gBAAgB;AACzB,UAAM,IAAI;AAAA,MACR,4DAA4D,UAAU;AAAA,IACxE;AAAA,EACF;AAKA,MAAI,CAAC,OAAO,eAAe;AACzB,UAAM,IAAI;AAAA,MACR,4CAA4C,UAAU;AAAA,IACxD;AAAA,EACF;AAEA,MAAI,OAAO,gBAAgB;AACzB,UAAM,IAAI;AAAA,MACR,4DAA4D,UAAU;AAAA,IACxE;AAAA,EACF;AAEA,SAAO;AACT;;;ACzDO,SAAS,sBACd,SACA,QACM;AAGN,QAAM,SAAS,OAAO;AAEtB,MAAI,CAAC,UAAU,OAAO,WAAW,UAAU;AACzC,UAAM,IAAI,MAAM,kDAAkD;AAAA,EACpE;AAEA,MAAI,CAAC,WAAW,OAAO,YAAY,UAAU;AAC3C,UAAM,IAAI,MAAM,oDAAoD;AAAA,EACtE;AAGA,aAAW,OAAO,OAAO,KAAK,OAAO,GAAG;AACtC,QAAI,CAAC,OAAO,UAAU,eAAe,KAAK,QAAQ,GAAG,GAAG;AACtD,YAAM,IAAI,MAAM,6BAA6B,GAAG,EAAE;AAAA,IACpD;AAAA,EACF;AAGA,aAAW,OAAO,OAAO,KAAK,MAAM,GAAG;AAErC,UAAM,MAAM,OAAO,GAAG;AACtB,UAAM,QAAQ,QAAQ,GAAG;AAEzB,UAAM,aAAa,IAAI,aAAa;AAEpC,QAAI,UAAU,QAAW;AACvB,UAAI,YAAY;AACd,cAAM,IAAI,MAAM,sCAAsC,GAAG,EAAE;AAAA,MAC7D;AACA;AAAA,IACF;AAEA,QAAI,CAAC,KAAK,MAAM;AACd,YAAM,IAAI,MAAM,wCAAwC,GAAG,EAAE;AAAA,IAC/D;AAEA,YAAQ,IAAI,MAAM;AAAA,MAEhB,KAAK;AACH,YAAI,OAAO,UAAU,WAAW;AAC9B,gBAAM,IAAI,MAAM,aAAa,GAAG,kBAAkB;AAAA,QACpD;AACA;AAAA,MAEF,KAAK;AACH,YAAI,OAAO,UAAU,YAAY,CAAC,OAAO,UAAU,KAAK,GAAG;AACzD,gBAAM,IAAI,MAAM,aAAa,GAAG,kBAAkB;AAAA,QACpD;AACA;AAAA,MAEF,KAAK;AACH,YAAI,OAAO,UAAU,UAAU;AAC7B,gBAAM,IAAI,MAAM,aAAa,GAAG,iBAAiB;AAAA,QACnD;AACA;AAAA,MAEF,KAAK;AACH,YAAI,OAAO,UAAU,UAAU;AAC7B,gBAAM,IAAI,MAAM,aAAa,GAAG,sBAAsB;AAAA,QACxD;AAEA,YAAI,CAAC,MAAM,QAAQ,IAAI,MAAM,KAAK,IAAI,OAAO,WAAW,GAAG;AACzD,gBAAM,IAAI,MAAM,aAAa,GAAG,sBAAsB;AAAA,QACxD;AAEA,YAAI,CAAC,IAAI,OAAO,SAAS,KAAK,GAAG;AAC/B,gBAAM,IAAI;AAAA,YACR,+BAA+B,GAAG,KAAK,KAAK;AAAA,UAC9C;AAAA,QACF;AACA;AAAA,MAEF;AACE,cAAM,IAAI,MAAM,sCAAsC,IAAI,IAAI,EAAE;AAAA,IACpE;AAAA,EACF;AACF;;;ACnEO,SAAS,eACd,UACA,eACA,SACA,
iBAAgB,oBAAI,KAAK,GAAE,YAAY,GACzB;AAKd,QAAM,SACJ,WAAW,UAAU,aAAa;AAKpC,wBAAsB,SAAS,MAAM;AAKrC,QAAM,WACJ,eAAe,QAAQ,OAAO;AAKhC,SAAO;AAAA,IACL,WAAW;AAAA,IACX,gBAAgB;AAAA,IAChB,gBAAgB;AAAA,IAEhB;AAAA;AAAA,IAEA,YAAY,CAAC;AAAA,IAEb,UAAU;AAAA,IACV,SAAS;AAAA,IAET,cAAc;AAAA,EAChB;AACF;;;ACrDO,IAAM,qBAAqB;AAAA,EAChC,WAAW;AAAA,IACT,IAAI;AAAA,IACJ,aAAa;AAAA,IACb,UAAU;AAAA,EACZ;AAAA,EACA,WAAW;AAAA,IACT,IAAI;AAAA,IACJ,aAAa;AAAA,IACb,UAAU;AAAA,EACZ;AAAA,EACA,WAAW;AAAA,IACT,IAAI;AAAA,IACJ,aAAa;AAAA,IACb,UAAU;AAAA,EACZ;AAAA,EACA,WAAW;AAAA,IACT,IAAI;AAAA,IACJ,aAAa;AAAA,IACb,UAAU,CAAC,gBAAgB,SAAS;AAAA,EACtC;AAAA,EACA,WAAW;AAAA,IACT,IAAI;AAAA,IACJ,aAAa;AAAA,IACb,UAAU;AAAA,EACZ;AAAA,EACA,WAAW;AAAA,IACT,IAAI;AAAA,IACJ,aAAa;AAAA,IACb,UAAU;AAAA,EACZ;AAAA,EACA,WAAW;AAAA,IACT,IAAI;AAAA,IACJ,aAAa;AAAA,IACb,UAAU;AAAA,EACZ;AAAA,EACA,WAAW;AAAA,IACT,IAAI;AAAA,IACJ,aAAa;AAAA,IACb,UAAU;AAAA,EACZ;AAAA,EACA,WAAW;AAAA,IACT,IAAI;AAAA,IACJ,aAAa;AAAA,IACb,UAAU;AAAA,EACZ;AAAA,EACA,WAAW;AAAA,IACT,IAAI;AAAA,IACJ,aAAa;AAAA,IACb,UAAU;AAAA,EACZ;AAAA,EACA,WAAW;AAAA,IACT,IAAI;AAAA,IACJ,aAAa;AAAA,IACb,UAAU;AAAA,EACZ;AAAA,EACA,WAAW;AAAA,IACT,IAAI;AAAA,IACJ,aAAa;AAAA,IACb,UAAU;AAAA,EACZ;AAAA,EACA,WAAW;AAAA,IACT,IAAI;AAAA,IACJ,aAAa;AAAA,IACb,UAAU;AAAA,EACZ;AAAA,EACA,WAAW;AAAA,IACT,IAAI;AAAA,IACJ,aAAa;AAAA,IACb,UAAU;AAAA,EACZ;AAAA,EACA,WAAW;AAAA,IACT,IAAI;AAAA,IACJ,aAAa;AAAA,IACb,UAAU;AAAA,EACZ;AAAA,EACA,WAAW;AAAA,IACT,IAAI;AAAA,IACJ,aAAa;AAAA,IACb,UAAU,CAAC,UAAU,UAAU,SAAS;AAAA,EAC1C;AAAA,EACA,WAAW;AAAA,IACT,IAAI;AAAA,IACJ,aAAa;AAAA,IACb,UAAU;AAAA,EACZ;AAAA,EACA,WAAW;AAAA,IACT,IAAI;AAAA,IACJ,aAAa;AAAA,IACb,UAAU;AAAA,EACZ;AAAA,EACA,WAAW;AAAA,IACT,IAAI;AAAA,IACJ,aAAa;AAAA,IACb,UAAU;AAAA,EACZ;AAAA,EACA,WAAW;AAAA,IACT,IAAI;AAAA,IACJ,aAAa;AAAA,IACb,UAAU;AAAA,EACZ;AAAA,EACA,WAAW;AAAA,IACT,IAAI;AAAA,IACJ,aAAa;AAAA,IACb,UAAU;AAAA,EACZ;AAAA,EACA,WAAW;AAAA,IACT,IAAI;AAAA,IACJ,aAAa;AAAA,IACb,UAAU;AAAA,EACZ;AAAA,EACA,WAAW;AAAA,IACT,IAAI;AAAA,IACJ,aAAa;AAAA,IACb,UAAU;AAAA,EACZ;AAAA,EACA,WAAW;AAAA,IACT,IAAI;AAAA,IACJ,aAAa;AAAA,IACb
,UAAU;AAAA,EACZ;AAAA,EACA,WAAW;AAAA,IACT,IAAI;AAAA,IACJ,aAAa;AAAA,IACb,UAAU;AAAA,EACZ;AAAA,EACA,WAAW;AAAA,IACT,IAAI;AAAA,IACJ,aAAa;AAAA,IACb,UAAU;AAAA,EACZ;AAAA,EACA,WAAW;AAAA,IACT,IAAI;AAAA,IACJ,aAAa;AAAA,IACb,UAAU;AAAA,EACZ;AAAA,EACA,WAAW;AAAA,IACT,IAAI;AAAA,IACJ,aAAa;AAAA,IACb,UAAU;AAAA,EACZ;AAAA,EACA,WAAW;AAAA,IACT,IAAI;AAAA,IACJ,aAAa;AAAA,IACb,UAAU;AAAA,EACZ;AAAA,EACA,WAAW;AAAA,IACT,IAAI;AAAA,IACJ,aAAa;AAAA,IACb,UAAU;AAAA,EACZ;AAAA,EACA,WAAW;AAAA,IACT,IAAI;AAAA,IACJ,aAAa;AAAA,IACb,UAAU;AAAA,EACZ;AAAA,EACA,WAAW;AAAA,IACT,IAAI;AAAA,IACJ,aAAa;AAAA,IACb,UAAU;AAAA,EACZ;AAAA,EACA,WAAW;AAAA,IACT,IAAI;AAAA,IACJ,aAAa;AAAA,IACb,UAAU;AAAA,EACZ;AAAA,EACA,WAAW;AAAA,IACT,IAAI;AAAA,IACJ,aAAa;AAAA,IACb,UAAU;AAAA,EACZ;AAAA,EACA,WAAW;AAAA,IACT,IAAI;AAAA,IACJ,aAAa;AAAA,IACb,UAAU;AAAA,EACZ;AAAA,EACA,WAAW;AAAA,IACT,IAAI;AAAA,IACJ,aAAa;AAAA,IACb,UAAU;AAAA,EACZ;AAAA,EACA,WAAW;AAAA,IACT,IAAI;AAAA,IACJ,aAAa;AAAA,IACb,UAAU;AAAA,EACZ;AAAA,EACA,WAAW;AAAA,IACT,IAAI;AAAA,IACJ,aAAa;AAAA,IACb,UAAU;AAAA,EACZ;AAAA,EACA,WAAW;AAAA,IACT,IAAI;AAAA,IACJ,aAAa;AAAA,IACb,UAAU;AAAA,EACZ;AAAA,EACA,WAAW;AAAA,IACT,IAAI;AAAA,IACJ,aAAa;AAAA,IACb,UAAU;AAAA,EACZ;AAAA,EACA,WAAW;AAAA,IACT,IAAI;AAAA,IACJ,aAAa;AAAA,IACb,UAAU;AAAA,EACZ;AAAA,EACA,WAAW;AAAA,IACT,IAAI;AAAA,IACJ,aAAa;AAAA,IACb,UAAU;AAAA,EACZ;AAAA,EACA,WAAW;AAAA,IACT,IAAI;AAAA,IACJ,aAAa;AAAA,IACb,UAAU;AAAA,EACZ;AAAA,EACA,WAAW;AAAA,IACT,IAAI;AAAA,IACJ,aAAa;AAAA,IACb,UAAU;AAAA,EACZ;AAAA,EACA,WAAW;AAAA,IACT,IAAI;AAAA,IACJ,aAAa;AAAA,IACb,UAAU;AAAA,EACZ;AAAA,EACA,WAAW;AAAA,IACT,IAAI;AAAA,IACJ,aAAa;AAAA,IACb,UAAU,CAAC,UAAU,UAAU,SAAS;AAAA,EAC1C;AAAA,EACA,WAAW;AAAA,IACT,IAAI;AAAA,IACJ,aAAa;AAAA,IACb,UAAU;AAAA,EACZ;AAAA,EACA,WAAW;AAAA,IACT,IAAI;AAAA,IACJ,aAAa;AAAA,IACb,UAAU;AAAA,EACZ;AAAA,EACA,YAAY;AAAA,IACV,IAAI;AAAA,IACJ,aAAa;AAAA,IACb,UAAU;AAAA,EACZ;AAAA,EACA,YAAY;AAAA,IACV,IAAI;AAAA,IACJ,aAAa;AAAA,IACb,UAAU,CAAC,UAAU,UAAU,WAAW,MAAM;AAAA,EAClD;AACF;;;AChRA,YAAYC,aAAY;AAoBxB,IAAI,OAAO;AAQJ,IAAM,qBAAN,cAAiC,MAAM;AAAA,EAG5C,YAAY,QAAyB;AACnC,UAAM,IAAI,OAAO,YAAY,I
AAI,OAAO,QAAQ,KAAK,OAAO,MAAM,EAAE;AACpE,SAAK,OAAO;AACZ,SAAK,SAAS;AAAA,EAChB;AACF;AAMO,SAAS,UAAU,OAAwB;AAChD,QAAM,QACJ,OAAO,UAAU,WACb,QACA,KAAK,UAAU,KAAK,KAAK;AAE/B,SACG,mBAAW,QAAQ,EACnB,OAAO,OAAO,MAAM,EACpB,OAAO,KAAK;AACjB;AAWO,SAAS,QACd,cACA,UACA,QACA,OACO;AACP,QAAM,IAAI,mBAAmB;AAAA,IAC3B;AAAA,IACA;AAAA,IACA;AAAA,IACA,YAAY,UAAU,KAAK;AAAA,IAC3B,eAAe,EAAE;AAAA,EACnB,CAAC;AACH;;;AC1DO,IAAM,oBAAoB;AAAA,EAC/B;AAAA,EACA;AACF;AAMO,IAAM,qBAAqB;AAAA,EAChC;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AACF;AAaO,SAAS,cAAc,UAA2B;AACvD,MAAI,YAAY,SAAS,SAAS,GAAG;AACnC,WAAO;AAAA,EACT;AACA,UAAO,oBAAI,KAAK,GAAE,YAAY;AAChC;;;ACnDA,YAAYC,aAAY;;;ACWxB,eAAsB,iBACpB,SACA,YAC+B;AAG/B,QAAM,WAAW;AAAA,IACf,QAAQ,MAAM;AAAA,EAChB;AAGA,QAAM,cAAc,IAAI,kBAAkB;AAE1C,SAAO,gBAAgB,SAAS,WAAW;AAC7C;;;ACzBO,SAASC,cAAa,OAAoB;AAC/C,SAAO,KAAK,UAAU,UAAU,KAAK,CAAC;AACxC;AAEA,SAAS,UAAU,OAAiB;AAClC,MAAI,MAAM,QAAQ,KAAK,GAAG;AACxB,WAAO,MAAM,IAAI,SAAS;AAAA,EAC5B;AAEA,MAAI,SAAS,OAAO,UAAU,UAAU;AACtC,UAAM,SAA8B,CAAC;AAErC,eAAW,OAAO,OAAO,KAAK,KAAK,EAAE,KAAK,GAAG;AAC3C,aAAO,GAAG,IAAI,UAAU,MAAM,GAAG,CAAC;AAAA,IACpC;AAEA,WAAO;AAAA,EACT;AAEA,SAAO;AACT;;;AFJA,eAAsB,mBACpB,OAMA,QACA,UACA,aAKA;AACA,MAAI;AAKF,UAAM,SAAS;AAAA,MACb,MAAM;AAAA,MACN,MAAM;AAAA,IACR;AAKA,0BAAsB,MAAM,SAAS,MAAM;AAK3C,UAAM,WACJ,eAAe,QAAQ,MAAM,OAAO;AAKtC,QAAI,SAAS,WAAW,aAAa,CAAC,SAAS,SAAS;AACtD,YAAM,IAAI;AAAA,QACR;AAAA,MACF;AAAA,IACF;AAEA,QAAI,CAAC,SAAS,SAAS;AACrB,YAAM,IAAI;AAAA,QACR;AAAA,MACF;AAAA,IACF;AAKA,UAAM,mBAAmBC,cAAa,MAAM,OAAO;AAKnD,UAAM,cACH,mBAAW,QAAQ,EACnB;AAAA,MACC,KAAK,UAAU;AAAA,QACb,UAAU,MAAM;AAAA,QAChB,eAAe,MAAM;AAAA,QACrB,SAAS;AAAA,MACX,CAAC;AAAA,IACH,EACC,OAAO,KAAK;AAKf,UAAM,kBAAkB,mBAAmB;AAK3C,UAAM,QAAQ,WAAW;AAAA,MACvB,cAAc;AAAA,MACd,WAAW,MAAM;AAAA,MACjB,kBAAkB,SAAS;AAAA,MAC3B,gBAAgB,OAAO;AAAA,MACvB,iBAAiB,gBAAgB;AAAA,IACnC,CAAC;AAED,UAAM,iBACJ,mBAAmB,OAAO,MAAM;AAKlC,UAAM,sBAAsB;AAAA,MAC1B,uBAAuB,CAAC;AAAA,MACxB,4BAA4B;AAAA,QAC1B,gBAAgB;AAAA,MAClB;AAAA,MACA,2BAA2B;AAAA,QACzB,OAAO;AAAA,MACT;AAAA,IACF;AAKA,UAAM,SAAS,SAAS,QAAQ;AAChC,UAAM,mBAAmB
,SAAS,QAAQ;AAE1C,QAAI;AAEJ,QAAI,kBAAkB;AACpB,wBAAkB;AAAA,IACpB,OAAO;AACL,wBACE,WAAW,YAAY,cAAc;AAAA,IACzC;AAKA,QAAI,oBAAoB,oBAAoB;AAE1C,UAAI,CAAC,YAAY,KAAK;AACpB,cAAM,IAAI;AAAA,UACR;AAAA,QACF;AAAA,MACF;AAEA,YAAM,YAAY;AAAA,QAChB,WAAW,WAAW;AAAA,QACtB,KAAK,UAAU;AAAA,UACb;AAAA,UACA,iBAAiB;AAAA,UACjB,kBAAkB;AAAA,UAClB,sBAAsB;AAAA,QACxB,CAAC;AAAA,MACH;AAEA,aAAO;AAAA,QACL,QAAQ;AAAA,QACR,cAAc;AAAA,QACd;AAAA,QACA,mBAAmB;AAAA,MACrB;AAAA,IACF;AAKA,QAAI;AAEJ,QAAI;AACF,kBAAY,MAAM;AAAA,QAChB;AAAA,UACE;AAAA,UACA,iBAAiB;AAAA,UACjB;AAAA,UACA;AAAA,UACA,kBAAkB;AAAA,UAClB,sBAAsB;AAAA,QACxB;AAAA,QACA;AAAA,MACF;AAAA,IAEF,SAAS,KAAK;AAEZ,YAAM,UACJ,eAAe,QAAQ,IAAI,UAAU;AAGvC,UAAI,QAAQ,SAAS,wBAAwB,GAAG;AAC9C,eAAO;AAAA,UACL,QAAQ;AAAA,UACR,cAAc;AAAA,UACd;AAAA,UACA;AAAA,UACA,mBAAmB;AAAA,UACnB,QAAQ;AAAA,QACV;AAAA,MACF;AAEA,YAAM;AAAA,IACR;AAKA,WAAO;AAAA,MACL,QAAQ;AAAA,MACR,cAAc;AAAA,MACd;AAAA,MACA;AAAA,MACA,mBAAmB;AAAA,MACnB,WAAW,UAAU;AAAA,IACvB;AAAA,EAEF,SAAS,KAAc;AAErB,WAAO;AAAA,MACL,QAAQ;AAAA,MACR,OAAO,eAAe,QAAQ,IAAI,UAAU;AAAA,IAC9C;AAAA,EACF;AACF;;;AGpMA,eAAsB,aACpB,SAMA,QACA,UACA,aACA;AAEA,QAAM,UAAU,CAAC;AAEjB,aAAW,UAAU,SAAS;AAE5B,QAAI;AAEF,YAAM,SACJ,MAAM;AAAA,QACJ;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,MACF;AAEF,cAAQ,KAAK;AAAA,QACX,OAAO;AAAA,QACP;AAAA,MACF,CAAC;AAAA,IAEH,SAAS,KAAc;AAErB,cAAQ,KAAK;AAAA,QACX,OAAO;AAAA,QACP,QAAQ;AAAA,UACN,QAAQ;AAAA,UACR,OACE,eAAe,QACX,IAAI,UACJ;AAAA,QACR;AAAA,MACF,CAAC;AAAA,IAEH;AAAA,EACF;AAEA,SAAO;AACT;;;ACvEA,OAAO,WAAW;AAUX,IAAM,mBAAN,MACuB;AAAA,EAI5B,YACE,KACA;AAEA,SAAK,SACH,IAAK,MAAc,GAAG;AAAA,EAC1B;AAAA,EAEA,MAAM,YACJ,aACkB;AAElB,UAAM,MACJ,MAAM,KAAK,OAAO;AAAA,MAChB,QAAQ,WAAW;AAAA,IACrB;AAEF,WAAO,QAAQ;AAAA,EACjB;AAAA,EAEA,MAAM,aACJ,aACe;AAEf,UAAM,SACJ,MAAM,KAAK,OAAO;AAAA,MAChB,QAAQ,WAAW;AAAA,MACnB;AAAA,MACA;AAAA,IACF;AAEF,QAAI,WAAW,MAAM;AAEnB,YAAM,IAAI;AAAA,QACR,kDAAkD,WAAW;AAAA,MAC/D;AAAA,IACF;AAAA,EACF;AAAA,EAEA,MAAM,IACJ,KACwB;AAExB,WAAO,KAAK,OAAO,IAAI,GAAG;AAAA,EAC5B;AAAA,EAEA,MAAM,IACJ,KACA,OACe;AAEf,UAAM,KAAK,OAAO;AAAA,MAChB;AAAA,MACA;AAAA,IACF;AAAA,EACF;A
AAA,EAEA,MAAM,IACJ,KACe;AAEf,UAAM,KAAK,OAAO,IAAI,GAAG;AAAA,EAC3B;AAAA,EAEA,MAAM,QAAuB;AAE3B,UAAM,KAAK,OAAO,KAAK;AAAA,EACzB;AACF;;;AC7EA,eAAsB,gBACpB,aACA,aAIA,QACA,UACA;AAIA,QAAM,MAAM,MAAM,YAAY,IAAI,WAAW,WAAW,EAAE;AAE1D,MAAI,CAAC,KAAK;AACR,UAAM,IAAI;AAAA,MACR,4CAA4C,WAAW;AAAA,IACzD;AAAA,EACF;AAEA,QAAM,SAAS,KAAK,MAAM,GAAG;AAK7B,QAAM,YAAY,MAAM;AAAA,IACtB;AAAA,MACE,OAAO,OAAO;AAAA,MACd,iBAAiB,OAAO;AAAA,MACxB;AAAA,MACA;AAAA,MACA,kBAAkB,OAAO;AAAA,MACzB,sBAAsB,OAAO;AAAA,IAC/B;AAAA,IACA;AAAA,EACF;AAKA,QAAM,YAAY,IAAI,WAAW,WAAW,EAAE;AAK9C,SAAO;AAAA,IACL,QAAQ;AAAA,IACR,cAAc;AAAA,IACd,WAAW,UAAU;AAAA,IACrB,UAAU;AAAA,EACZ;AACF;","names":["canonicalize","canonicalize","canonicalize","canonicalize","crypto","crypto","crypto","crypto","canonicalize","canonicalize"]}
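--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
  {
  "name": "@parmanasystems/execution",
- "version": "1.0.19",
+ "version": "1.3.0",
  "private": false,
  "type": "module",
  "scripts": {
@@ -18,8 +18,8 @@
  ],
  "sideEffects": false,
  "dependencies": {
- "@parmanasystems/bundle": "^1.0.19",
- "@parmanasystems/governance": "^1.0.19",
+ "@parmanasystems/bundle": "^1.3.0",
+ "@parmanasystems/governance": "^1.3.0",
  "ioredis": "^5.10.1",
  "redis": "^5.12.1"
  },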