@parmanasystems/execution 1.22.0 → 1.24.0
- package/dist/index.d.ts +8 -0
- package/dist/index.js +10 -0
- package/dist/index.js.map +1 -1
- package/package.json +3 -3
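--- a/package/dist/index.d.ts
+++ b/package/dist/index.d.ts
@@ -75,6 +75,8 @@ interface ReplayStore {
 
 interface ExecutionAttestation {
 execution_id: string;
+policy_id: string;
+policy_version: string;
 decision: {
 action: "approve" | "reject";
 requires_override: boolean;
@@ -94,6 +96,8 @@ interface ExecutionAttestation {
 */
 declare function canonicalizeAttestation(attestation: {
 execution_id: string;
+policy_id: string;
+policy_version: string;
 decision: any;
 execution_state: string;
 runtime_hash: string;
@@ -598,6 +602,8 @@ declare function stageExecute(token: ExecutionToken): void;
 */
 declare function stageSign(payload: {
 execution_id: string;
+policy_id: string;
+policy_version: string;
 decision: {
 action: "approve" | "reject";
 requires_override: boolean;
@@ -608,6 +614,8 @@ declare function stageSign(payload: {
 sign: (payload: string) => string;
 }, runtime_hash: string): {
 execution_id: string;
+policy_id: string;
+policy_version: string;
 decision: {
 action: "approve" | "reject";
 requires_override: boolean;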
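Review bot: The new `policy_id` and `policy_version` members are declared as required on `ExecutionAttestation` and on the `canonicalizeAttestation` parameter, but nothing documents that they appear to be part of the signed payload or what `policy_version` denotes. Attestations issued by 1.22.0 carry neither field, so a consumer that re-canonicalizes stored attestations needs to know that the signed field set changed between these versions. I would add a TSDoc line on each member, e.g. `/** Policy identifier; included in the signed attestation payload. */` and `/** Version of the policy that produced the decision (not the schema version); included in the signed payload. */`. The interface and both function declarations continue outside the hunks shown.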
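--- a/package/dist/index.js
+++ b/package/dist/index.js
@@ -148,6 +148,8 @@ function stageExecute(token) {
 function stageSign(payload, signer, runtime_hash) {
 const attestation = {
 execution_id: payload.execution_id,
+policy_id: payload.policy_id,
+policy_version: payload.policy_version,
 decision: payload.decision,
 execution_state: payload.execution_state,
 runtime_hash
@@ -160,6 +162,8 @@ function stageSign(payload, signer, runtime_hash) {
 );
 return {
 execution_id: payload.execution_id,
+policy_id: payload.policy_id,
+policy_version: payload.policy_version,
 decision: payload.decision,
 execution_state: payload.execution_state,
 signature,
@@ -209,6 +213,8 @@ function executeDecision(context, replayStore) {
 return stageSign(
 {
 execution_id: token.execution_id,
+policy_id: token.policy_id,
+policy_version: token.schema_version,
 decision,
 execution_state
 },
@@ -945,6 +951,8 @@ async function executeFromSignals(input, signer, verifier, replayStore) {
 );
 const attestation2 = {
 execution_id: executionId,
+policy_id: input.policyId,
+policy_version: input.policyVersion,
 decision: decision.outcome,
 execution_state: "pending_override",
 runtime_hash: runtimeManifest.runtime_hash,
@@ -989,6 +997,8 @@ async function executeFromSignals(input, signer, verifier, replayStore) {
 }
 const attestation = {
 execution_id: executionId,
+policy_id: input.policyId,
+policy_version: input.policyVersion,
 decision: decision.outcome,
 execution_state,
 runtime_hash: runtimeManifest.runtime_hash,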
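Review bot: In the executeDecision hunk the signed payload sets `policy_version: token.schema_version`, so on this path the attestation asserts a policy version that is really the token's schema version, while both executeFromSignals hunks bind `input.policyVersion`. A verifier that relies on the signed `policy_version` to tell which policy revision produced the decision would be misled by attestations from executeDecision. No policy version field on the token is visible in these hunks; if it has none, the token should gain one and this line should read it rather than reuse `schema_version`. Separately, stageSign copies `payload.policy_id` and `payload.policy_version` unchecked, and if canonicalization goes through JSON.stringify an undefined value is silently dropped from the signed bytes, so a guard such as `if (!payload.policy_id || !payload.policy_version) throw new Error("policy binding missing");` before building `attestation` would keep the binding mandatory. All three functions start and end outside their hunks.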
package/dist/index.js.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"sources":["../src/issue-token.ts","../src/canonical-signing.ts","../src/sign-token.ts","../src/verify-token.ts","../src/verify-runtime.ts","../src/execution-attestation.ts","../src/pipeline.ts","../src/memory-replay-store.ts","../src/execute.ts","../src/verify-audit.ts","../src/hash-runtime.ts","../src/runtime-manifest.ts","../src/sign-runtime-manifest.ts","../src/verify-runtime-manifest.ts","../src/local-signer.ts","../src/local-verifier.ts","../src/evaluator.ts","../src/load-policy.ts","../src/validate-signals.ts","../src/dry-run.ts","../src/invariant-registry.ts","../src/violation.ts","../src/sealed-vm.ts","../src/execute-from-signals.ts","../src/execute-with-redis.ts","../src/canonical-json.ts","../src/execute-batch.ts","../src/redis-replay-store.ts","../src/resolve-override.ts"],"sourcesContent":["import type { ExecutionToken } from \"./execution-token.js\";\r\n\r\n/**\r\n * 🔐 Issue Execution Token (FINAL)\r\n * Fully deterministic — caller provides execution_id\r\n */\r\nexport function issueToken(input: {\r\n execution_id: string;\r\n policy_id: string;\r\n decision_payload: any;\r\n schema_version: string;\r\n runtime_version: string;\r\n}): ExecutionToken {\r\n\r\n const {\r\n execution_id,\r\n policy_id,\r\n decision_payload,\r\n schema_version,\r\n runtime_version\r\n } = input;\r\n\r\n if (!schema_version) {\r\n throw new Error(\"Invalid token: schema_version missing\");\r\n }\r\n\r\n if (!runtime_version) {\r\n throw new Error(\"Invalid token: runtime_version missing\");\r\n }\r\n\r\n const token: ExecutionToken = {\r\n execution_id,\r\n policy_id,\r\n decision_payload,\r\n schema_version,\r\n runtime_version\r\n };\r\n\r\n return canonicalize(token);\r\n}\r\n\r\n/**\r\n * 🔒 Local canonicalization\r\n */\r\nfunction canonicalize(obj: any): any {\r\n if (Array.isArray(obj)) {\r\n return obj.map(canonicalize);\r\n }\r\n\r\n if (obj !== null && typeof obj === \"object\") {\r\n return Object.keys(obj)\r\n .sort()\r\n .reduce((acc: any, key) 
=> {\r\n acc[key] = canonicalize(obj[key]);\r\n return acc;\r\n }, {});\r\n }\r\n\r\n return obj;\r\n}\r\n","import {\r\n canonicalize,\r\n} from \"@parmanasystems/bundle\";\r\n\r\n/**\r\n * Returns the canonical JSON string for `value` as used by all signing and\r\n * verification operations in the execution package. Delegates to the bundle\r\n * package's `canonicalize` so the representation is consistent across packages.\r\n */\r\nexport function canonicalizeForSigning(\r\n value: unknown\r\n): string {\r\n\r\n return canonicalize(value);\r\n}\r\n\r\n\r\n\r\n\r\n","import {\r\n canonicalizeForSigning\r\n} from \"./canonical-signing.js\";\r\n\r\nimport type {\r\n ExecutionToken,\r\n} from \"./execution-token.js\";\r\n\r\nimport type {\r\n Signer,\r\n} from \"./signer-interface.js\";\r\n\r\n/**\r\n * Signs the canonical form of `token` with `signer` and returns a\r\n * base64-encoded Ed25519 signature.\r\n */\r\nexport function signExecutionToken(\r\n token: ExecutionToken,\r\n signer: Signer\r\n): string {\r\n\r\n const canonical = canonicalizeForSigning(token);\r\n\r\n // 🔍 DEBUG (temporary)\r\nconsole.log(\"SIGN TOKEN:\", canonical);\r\n\r\n return signer.sign(canonical);\r\n}\r\n","import {\r\n canonicalizeForSigning\r\n} from \"./canonical-signing.js\";\r\n\r\nimport type {\r\n ExecutionToken,\r\n} from \"./execution-token.js\";\r\n\r\nimport type {\r\n Verifier,\r\n} from \"./verifier-interface.js\";\r\n\r\nexport function verifyExecutionToken(\r\n token: ExecutionToken,\r\n signature: string,\r\n verifier: Verifier\r\n): boolean {\r\n\r\n const canonical = canonicalizeForSigning(token);\r\n\r\n // 🔍 DEBUG (temporary)\r\n console.log(\"VERIFY TOKEN:\", canonical);\r\n\r\n return verifier.verify(\r\n canonical,\r\n signature\r\n );\r\n}\r\n","import {\r\n validatePolicy,\r\n} from \"@parmanasystems/governance\";\r\n\r\n/**\r\n * Validates that `policyId` passes full bundle and signature verification.\r\n * Delegates to {@link validatePolicy} and throws if 
validation fails.\r\n *\r\n * @throws When the policy does not exist or any version fails verification.\r\n */\r\nexport function verifyRuntimePolicy(\r\n policyId: string\r\n): void {\r\n const valid =\r\n validatePolicy(\r\n policyId\r\n );\r\n\r\n if (!valid) {\r\n throw new Error(\r\n `Runtime verification failed for policy: ${policyId}`\r\n );\r\n }\r\n}\r\n\r\n\r\n\r\n\r\n","export interface ExecutionAttestation {\r\n execution_id: string;\r\n\r\n decision: {\r\n action: \"approve\" | \"reject\";\r\n requires_override: boolean;\r\n reason?: string;\r\n };\r\n\r\n execution_state: \"completed\" | \"blocked\" | \"pending_override\";\r\n\r\n signature: string;\r\n runtime_hash: string;\r\n}\r\n\r\n/**\r\n * Deterministic attestation canonicalization\r\n *\r\n * Used for:\r\n * - attestation signing\r\n * - independent verification\r\n * - reproducibility proofs\r\n */\r\nexport function canonicalizeAttestation(\r\n attestation: {\r\n execution_id: string;\r\n decision: any;\r\n execution_state: string;\r\n runtime_hash: string;\r\n }\r\n): string {\r\n\r\n return JSON.stringify(\r\n canonicalize(\r\n attestation\r\n )\r\n );\r\n}\r\n\r\n/**\r\n * Deterministic recursive canonicalization\r\n */\r\nfunction canonicalize(\r\n obj: any\r\n): any {\r\n\r\n if (Array.isArray(obj)) {\r\n\r\n return obj.map(\r\n canonicalize\r\n );\r\n }\r\n\r\n if (\r\n obj !== null\r\n &&\r\n typeof obj === \"object\"\r\n ) {\r\n\r\n return Object\r\n .keys(obj)\r\n .sort()\r\n .reduce(\r\n (\r\n acc: any,\r\n key\r\n ) => {\r\n\r\n acc[key] =\r\n canonicalize(\r\n obj[key]\r\n );\r\n\r\n return acc;\r\n },\r\n {}\r\n );\r\n }\r\n\r\n return obj;\r\n}\r\n","import { canonicalizeForSigning }\r\n from \"./canonical-signing.js\";\r\n\r\nimport {\r\n canonicalizeAttestation\r\n} from \"./execution-attestation.js\";\r\n\r\nimport type {\r\n ExecutionToken\r\n} from \"./execution-token.js\";\r\n\r\n/**\r\n * 🔒 Stage 1 — Verification\r\n */\r\nexport function stageVerify(\r\n token: 
ExecutionToken,\r\n\r\n token_signature: string,\r\n\r\n verifier: {\r\n verify: (\r\n data: Uint8Array,\r\n sig: Uint8Array\r\n ) => boolean\r\n },\r\n\r\n runtime_manifest: any,\r\n\r\n runtime_requirements: any\r\n): void {\r\n\r\n const valid =\r\n verifier.verify(\r\n\r\n Buffer.from(\r\n canonicalizeForSigning(\r\n token\r\n )\r\n ),\r\n\r\n Buffer.from(\r\n token_signature,\r\n \"base64\"\r\n )\r\n );\r\n\r\n if (!valid) {\r\n\r\n throw new Error(\r\n \"Invalid token signature\"\r\n );\r\n }\r\n\r\n // --------------------------------------------------\r\n // Runtime version validation\r\n // --------------------------------------------------\r\n\r\n if (\r\n !runtime_requirements?.supported_runtime_versions\r\n ||\r\n !runtime_requirements\r\n .supported_runtime_versions\r\n .includes(\r\n runtime_manifest.runtime_version\r\n )\r\n ) {\r\n\r\n throw new Error(\r\n \"Unsupported runtime version\"\r\n );\r\n }\r\n\r\n // --------------------------------------------------\r\n // Capability validation\r\n // --------------------------------------------------\r\n\r\n for (\r\n const cap\r\n of runtime_requirements\r\n ?.required_capabilities\r\n || []\r\n ) {\r\n\r\n if (\r\n !runtime_manifest\r\n .capabilities\r\n .includes(cap)\r\n ) {\r\n\r\n throw new Error(\r\n `Missing required capability: ${cap}`\r\n );\r\n }\r\n }\r\n\r\n // --------------------------------------------------\r\n // Schema version validation\r\n // --------------------------------------------------\r\n\r\n if (\r\n !runtime_requirements?.supported_schema_versions\r\n ||\r\n !runtime_requirements\r\n .supported_schema_versions\r\n .includes(\r\n token.schema_version\r\n )\r\n ) {\r\n\r\n throw new Error(\r\n \"Unsupported schema version\"\r\n );\r\n }\r\n}\r\n\r\n/**\r\n * 🔒 Stage 2 — Execution (ENFORCEMENT ONLY)\r\n */\r\nexport function stageExecute(\r\n token: ExecutionToken\r\n): void {\r\n\r\n // Deterministic enforcement only.\r\n // No decision generation here.\r\n}\r\n\r\n/**\r\n * 
🔒 Stage 3 — Signing (DETERMINISTIC)\r\n */\r\nexport function stageSign(\r\n payload: {\r\n execution_id: string;\r\n\r\n decision: {\r\n action:\r\n \"approve\"\r\n | \"reject\";\r\n\r\n requires_override: boolean;\r\n\r\n reason?: string;\r\n };\r\n\r\n execution_state:\r\n \"completed\"\r\n | \"blocked\"\r\n | \"pending_override\";\r\n },\r\n\r\n signer: {\r\n sign: (\r\n payload: string\r\n ) => string\r\n },\r\n\r\n runtime_hash: string\r\n) {\r\n\r\n // --------------------------------------------------\r\n // Deterministic attestation payload\r\n // --------------------------------------------------\r\n\r\n const attestation = {\r\n\r\n execution_id:\r\n payload.execution_id,\r\n\r\n decision:\r\n payload.decision,\r\n\r\n execution_state:\r\n payload.execution_state,\r\n\r\n runtime_hash\r\n };\r\n\r\n // --------------------------------------------------\r\n // Deterministic canonicalization\r\n // --------------------------------------------------\r\n\r\n const canonical =\r\n canonicalizeAttestation(\r\n attestation\r\n );\r\n\r\n // --------------------------------------------------\r\n // Deterministic signature\r\n // --------------------------------------------------\r\n\r\n const signature =\r\n signer.sign(\r\n canonical\r\n );\r\n\r\n // --------------------------------------------------\r\n // Final attestation\r\n // --------------------------------------------------\r\n\r\n return {\r\n\r\n execution_id:\r\n payload.execution_id,\r\n\r\n decision:\r\n payload.decision,\r\n\r\n execution_state:\r\n payload.execution_state,\r\n\r\n signature,\r\n\r\n runtime_hash\r\n };\r\n}\r\n","import type { ReplayStore } from \"./replay-store-interface.js\";\r\n\r\n/**\r\n * 🔒 In-memory replay protection\r\n */\r\nexport class MemoryReplayStore implements ReplayStore {\r\n private store = new Set<string>();\r\n\r\n markExecuted(execution_id: string): void {\r\n if (this.store.has(execution_id)) {\r\n throw new Error(\"Replay attack detected\");\r\n }\r\n\r\n 
this.store.add(execution_id);\r\n }\r\n}\r\n","import {\r\n stageVerify,\r\n stageExecute,\r\n stageSign\r\n} from \"./pipeline.js\";\r\n\r\nimport { MemoryReplayStore } from \"./memory-replay-store.js\";\r\n\r\nimport type { ExecutionContext } from \"./execution-context.js\";\r\nimport type { ReplayStore } from \"./replay-store-interface.js\";\r\nimport type { ExecutionAttestation } from \"./execution-attestation.js\";\r\n\r\n/**\r\n * 🔴 CORE EXECUTION (FULLY DETERMINISTIC)\r\n *\r\n * Principles:\r\n * - NO time dependency\r\n * - replay is enforced\r\n * - decision is precomputed (token-driven)\r\n * - execution is enforcement only\r\n */\r\nexport function executeDecision(\r\n context: ExecutionContext,\r\n replayStore: ReplayStore\r\n): ExecutionAttestation {\r\n\r\n const {\r\n token,\r\n token_signature,\r\n signer,\r\n verifier,\r\n runtime_manifest,\r\n runtime_requirements\r\n } = context;\r\n\r\n // -----------------------------\r\n // Stage 1 — Verification\r\n // -----------------------------\r\n stageVerify(\r\n token,\r\n token_signature,\r\n verifier,\r\n runtime_manifest,\r\n runtime_requirements\r\n );\r\n\r\n // -----------------------------\r\n // Replay protection\r\n // -----------------------------\r\n const store =\r\n replayStore ??\r\n new MemoryReplayStore();\r\n\r\n if (!context.auditMode) {\r\n\r\n store.markExecuted(\r\n token.execution_id\r\n );\r\n }\r\n\r\n // -----------------------------\r\n // Stage 2 — Execution (side-effect / noop)\r\n // -----------------------------\r\n stageExecute(token);\r\n\r\n // -----------------------------\r\n // Derive decision + execution state\r\n // -----------------------------\r\n const decision =\r\n token.decision_payload;\r\n\r\n const execution_state:\r\n \"completed\" |\r\n \"blocked\" |\r\n \"pending_override\" =\r\n\r\n decision.requires_override\r\n ? \"pending_override\"\r\n : decision.action === \"approve\"\r\n ? 
\"completed\"\r\n : \"blocked\";\r\n\r\n // -----------------------------\r\n // Stage 3 — Signing (attestation)\r\n // -----------------------------\r\n return stageSign(\r\n {\r\n execution_id:\r\n token.execution_id,\r\n\r\n decision,\r\n\r\n execution_state\r\n },\r\n signer,\r\n runtime_manifest.runtime_hash\r\n );\r\n}\r\n","import {\r\n canonicalizeForSigning\r\n} from \"./canonical-signing.js\";\r\n\r\nimport type {\r\n Verifier,\r\n} from \"./verifier-interface.js\";\r\n\r\n/** A single audit log entry with arbitrary governance fields. */\r\nexport interface AuditEntry {\r\n [key: string]: unknown;\r\n}\r\n\r\n/**\r\n * Verifies that `signature` (base64 Ed25519) was produced over the canonical\r\n * form of `entry` by the authority whose key `verifier` holds.\r\n */\r\nexport function verifyAuditEntry(\r\n entry: AuditEntry,\r\n signature: string,\r\n verifier: Verifier\r\n): boolean {\r\n\r\n return verifier.verify(\r\n canonicalizeForSigning(entry),\r\n signature\r\n );\r\n}\r\n\r\n/**\r\n * Placeholder for full audit-chain integrity verification.\r\n * A complete implementation would re-hash every JSONL record and validate\r\n * the `previous_record_hash` linkage.\r\n *\r\n * @returns `true` — full chain verification is not yet implemented.\r\n */\r\nexport function verifyAuditChain(): boolean {\r\n return true;\r\n}\r\n\r\n\r\n\r\n\r\n","import * as crypto from \"node:crypto\";\r\n\r\nimport {\r\n canonicalize,\r\n} from \"@parmanasystems/bundle\";\r\n\r\n/**\r\n * The static portion of the runtime manifest (everything except `runtime_hash`).\r\n * Used both as the canonical source of capability declarations and as the input\r\n * to {@link hashRuntime}.\r\n */\r\nexport const runtimeManifestDefinition = {\r\n runtime_version:\r\n \"1.0.0\",\r\n\r\n supported_schema_versions: [\r\n \"1.0.0\",\r\n ],\r\n\r\n capabilities: [\r\n \"deterministic-evaluation\",\r\n \"attestation-signing\",\r\n \"replay-protection\",\r\n \"bundle-verification\",\r\n ],\r\n} 
as const;\r\n\r\n/**\r\n * Returns the SHA-256 hex digest of the canonicalized {@link runtimeManifestDefinition}.\r\n * This hash is embedded in every {@link ExecutionResult} as `runtime_hash`,\r\n * binding the result to a specific version of the runtime.\r\n */\r\nexport function hashRuntime(): string {\r\n return crypto\r\n .createHash(\r\n \"sha256\"\r\n )\r\n .update(\r\n canonicalize(\r\n runtimeManifestDefinition\r\n )\r\n )\r\n .digest(\r\n \"hex\"\r\n );\r\n}\r\n\r\n\r\n\r\n\r\n","import {\r\n hashRuntime,\r\n runtimeManifestDefinition,\r\n} from \"./hash-runtime.js\";\r\n\r\n/**\r\n * Static description of the governance runtime's identity, capabilities, and\r\n * supported protocol versions.\r\n *\r\n * Included in every {@link ExecutionResult} so verifiers can confirm the\r\n * runtime environment without trusting the operator. The `runtime_hash`\r\n * field is a deterministic SHA-256 commitment over the manifest definition,\r\n * binding the result to a specific runtime build.\r\n */\r\nexport interface RuntimeManifest {\r\n /** Semantic version of the governance runtime (e.g. `\"1.0.0\"`). */\r\n runtime_version: string;\r\n\r\n /** SHA-256 hex hash of the canonical runtime manifest definition. */\r\n runtime_hash: string;\r\n\r\n /** Schema version strings that this runtime can process. */\r\n supported_schema_versions: readonly string[];\r\n\r\n /** Capability strings advertised by this runtime (e.g. `\"replay-protection\"`). 
*/\r\n capabilities: readonly string[];\r\n}\r\n\r\n/**\r\n * Returns the active {@link RuntimeManifest} for the current process,\r\n * combining the static manifest definition with a freshly computed `runtime_hash`.\r\n */\r\nexport function getRuntimeManifest(): RuntimeManifest {\r\n\r\n return {\r\n runtime_hash:\r\n hashRuntime(),\r\n ...runtimeManifestDefinition,\r\n };\r\n}\r\n","import {\r\n canonicalize,\r\n} from \"@parmanasystems/bundle\";\r\n\r\nimport type {\r\n RuntimeManifest,\r\n} from \"./runtime-manifest.js\";\r\n\r\nimport type {\r\n Signer,\r\n} from \"./signer-interface.js\";\r\n\r\n/**\r\n * Signs the canonical form of `manifest` with `signer` and returns a\r\n * base64-encoded Ed25519 signature. Use this to produce a verifiable\r\n * attestation that a specific runtime version was active at a given time.\r\n */\r\nexport function signRuntimeManifest(\r\n manifest: RuntimeManifest,\r\n signer: Signer\r\n): string {\r\n\r\n return signer.sign(\r\n canonicalize(manifest)\r\n );\r\n}\r\n\r\n\r\n\r\n\r\n","import {\r\n canonicalizeForSigning\r\n} from \"./canonical-signing.js\";\r\n\r\nimport type {\r\n RuntimeManifest,\r\n} from \"./runtime-manifest.js\";\r\n\r\nimport type {\r\n Verifier,\r\n} from \"./verifier-interface.js\";\r\n\r\n/**\r\n * Verifies that `signature` (base64 Ed25519) was produced over the canonical\r\n * form of `manifest` by the authority whose key `verifier` holds.\r\n */\r\nexport function verifyRuntimeManifest(\r\n manifest: RuntimeManifest,\r\n signature: string,\r\n verifier: Verifier\r\n): boolean {\r\n\r\n return verifier.verify(\r\n canonicalizeForSigning(manifest),\r\n signature\r\n );\r\n}\r\n\r\n\r\n\r\n\r\n","import crypto from \"node:crypto\";\r\n\r\nimport type {\r\n Signer,\r\n} from \"./signer-interface.js\";\r\n\r\n/**\r\n * In-process Ed25519 {@link Signer} backed by Node.js `crypto`.\r\n *\r\n * Suitable for development and environments where the private key can be\r\n * securely injected at process start. 
For hardware-backed or remote signing\r\n * see {@link AwsKmsSigner}.\r\n */\r\nexport class LocalSigner\r\n implements Signer {\r\n\r\n private readonly keyObject: crypto.KeyObject;\r\n\r\n /**\r\n * @param privateKey - PEM-encoded Ed25519 private key (PKCS8 format).\r\n */\r\n constructor(\r\n private readonly privateKey: string\r\n ) {\r\n\r\n const normalizedKey =\r\n privateKey\r\n .replace(/\\\\n/g, \"\\n\")\r\n .trim();\r\n\r\n this.keyObject =\r\n crypto.createPrivateKey({\r\n key: normalizedKey,\r\n format: \"pem\",\r\n });\r\n }\r\n\r\n /**\r\n * Signs `payload` (UTF-8) with the Ed25519 private key and returns a\r\n * base64-encoded signature.\r\n */\r\n sign(\r\n payload: string\r\n ): string {\r\n\r\n return crypto\r\n .sign(\r\n null,\r\n\r\n Buffer.from(\r\n payload,\r\n \"utf8\"\r\n ),\r\n\r\n this.keyObject\r\n )\r\n\r\n .toString(\r\n \"base64\"\r\n );\r\n }\r\n}\r\n","import * as crypto from \"node:crypto\";\r\n\r\nimport type {\r\n Verifier,\r\n} from \"./verifier-interface.js\";\r\n\r\n/**\r\n * In-process Ed25519 {@link Verifier} backed by Node.js `crypto`.\r\n *\r\n * Paired with {@link LocalSigner}; both must use the same Ed25519 key pair.\r\n */\r\nexport class LocalVerifier\r\n implements Verifier {\r\n\r\n /**\r\n * @param publicKey - PEM-encoded Ed25519 public key (SPKI format).\r\n */\r\n constructor(\r\n private readonly publicKey: string\r\n ) {}\r\n\r\n /**\r\n * Verifies that `signature` (base64 Ed25519) was produced over the UTF-8\r\n * `payload` by the holder of the corresponding private key.\r\n */\r\n verify(\r\n payload: string,\r\n signature: string\r\n ): boolean {\r\n\r\n return crypto.verify(\r\n null,\r\n\r\n Buffer.from(\r\n payload,\r\n \"utf8\"\r\n ),\r\n\r\n this.publicKey,\r\n\r\n Buffer.from(\r\n signature,\r\n \"base64\"\r\n )\r\n );\r\n }\r\n}\r\n\r\n\r\n\r\n\r\n","import type { DecisionResult } from \"./execution-result.js\";\r\n// -----------------------------\r\n// Types\r\n// 
-----------------------------\r\ninterface BaseCondition {\r\n signal: string;\r\n equals?: unknown;\r\n greater_than?: number;\r\n less_than?: number;\r\n}\r\n\r\ninterface AllCondition {\r\n all: RuleCondition[];\r\n}\r\n\r\ninterface AnyCondition {\r\n any: RuleCondition[];\r\n}\r\n\r\ntype RuleCondition =\r\n | BaseCondition\r\n | AllCondition\r\n | AnyCondition;\r\n\r\ninterface PolicyRule {\r\n id: string;\r\n condition: RuleCondition;\r\n outcome: {\r\n action: \"approve\" | \"reject\";\r\n requires_override: boolean;\r\n reason?: string;\r\n };\r\n}\r\n\r\nexport interface PolicyDocument {\r\n schemaVersion: string;\r\n signalsSchema: Record<string, unknown>;\r\n rules: PolicyRule[];\r\n}\r\n\r\n// -----------------------------\r\n// Rule evaluation (PURE)\r\n// -----------------------------\r\nfunction evaluateCondition(\r\n condition: RuleCondition,\r\n signals: Record<string, unknown>\r\n): boolean {\r\n\r\n if (\"all\" in condition) {\r\n return condition.all.every(c => evaluateCondition(c, signals));\r\n }\r\n\r\n if (\"any\" in condition) {\r\n return condition.any.some(c => evaluateCondition(c, signals));\r\n }\r\n\r\n const { signal, equals, greater_than, less_than } = condition;\r\n\r\n if (!(signal in signals)) {\r\n throw new Error(`Signal not found: ${signal}`);\r\n }\r\n\r\n const actual = signals[signal];\r\n\r\n if (equals !== undefined) {\r\n if (typeof actual !== typeof equals) {\r\n throw new Error(`Type mismatch for ${signal}`);\r\n }\r\n return actual === equals;\r\n }\r\n\r\n if (greater_than !== undefined) {\r\n if (typeof actual !== \"number\") {\r\n throw new Error(`Expected number for ${signal}`);\r\n }\r\n return actual > greater_than;\r\n }\r\n\r\n if (less_than !== undefined) {\r\n if (typeof actual !== \"number\") {\r\n throw new Error(`Expected number for ${signal}`);\r\n }\r\n return actual < less_than;\r\n }\r\n\r\n return false;\r\n}\r\n\r\n// -----------------------------\r\n// Schema validation\r\n// 
-----------------------------\r\nfunction validateSchemaVersion(policy: PolicyDocument): void {\r\n const supported = [\"1.0.0\"];\r\n\r\n if (!supported.includes(policy.schemaVersion)) {\r\n throw new Error(\r\n `Unsupported schema version: ${policy.schemaVersion}`\r\n );\r\n }\r\n}\r\n\r\n// -----------------------------\r\n// MAIN EVALUATOR (DETERMINISTIC)\r\n// -----------------------------\r\nexport function evaluatePolicy(\r\n policy: PolicyDocument,\r\n signals: Record<string, unknown>\r\n): DecisionResult {\r\n\r\n validateSchemaVersion(policy);\r\n\r\n // -----------------------------\r\n // Evaluate rules in order\r\n // -----------------------------\r\n for (const rule of policy.rules) {\r\n\r\n const matched = evaluateCondition(\r\n rule.condition,\r\n signals\r\n );\r\n\r\n if (matched) {\r\n return {\r\n status: \"decided\",\r\n outcome: rule.outcome,\r\n rule_id: rule.id,\r\n source: \"rule_match\"\r\n };\r\n }\r\n }\r\n\r\n // -----------------------------\r\n // Fail closed (no match)\r\n // -----------------------------\r\n throw new Error(\r\n \"[SYS-006] No rule matched — policy must cover all cases\"\r\n );\r\n}\r\n","import * as fs from \"node:fs\";\r\nimport * as path from \"node:path\";\r\n\r\nimport type { PolicyDocument } from \"./evaluator.js\";\r\n\r\nexport function loadPolicy(\r\n policyId: string,\r\n policyVersion: string,\r\n basePath: string = process.cwd()\r\n): PolicyDocument {\r\n\r\n const policyPath = path.resolve(\r\n basePath,\r\n \"policies\",\r\n policyId,\r\n policyVersion,\r\n \"policy.json\"\r\n );\r\n\r\n if (!fs.existsSync(policyPath)) {\r\n throw new Error(`Policy not found: ${policyPath}`);\r\n }\r\n\r\n const raw = fs.readFileSync(policyPath, \"utf8\");\r\n\r\n let parsed: any;\r\n\r\n try {\r\n parsed = JSON.parse(raw);\r\n } catch {\r\n throw new Error(\r\n `Invalid policy: malformed JSON in ${policyPath}`\r\n );\r\n }\r\n\r\n // -----------------------------\r\n // Basic validation\r\n // 
-----------------------------\r\n if (!parsed || typeof parsed !== \"object\") {\r\n throw new Error(\r\n `Invalid policy: expected object in ${policyPath}`\r\n );\r\n }\r\n\r\n // -----------------------------\r\n // STRICT schemaVersion only\r\n // -----------------------------\r\n if (!parsed.schemaVersion) {\r\n throw new Error(\r\n `Invalid policy: missing schemaVersion (camelCase only) in ${policyPath}`\r\n );\r\n }\r\n\r\n if (parsed.schema_version) {\r\n throw new Error(\r\n `Invalid policy: use schemaVersion, not schema_version in ${policyPath}`\r\n );\r\n }\r\n\r\n // -----------------------------\r\n // REQUIRED signalsSchema\r\n // -----------------------------\r\n if (!parsed.signalsSchema) {\r\n throw new Error(\r\n `Invalid policy: missing signalsSchema in ${policyPath}`\r\n );\r\n }\r\n\r\n if (parsed.signals_schema) {\r\n throw new Error(\r\n `Invalid policy: use signalsSchema, not signals_schema in ${policyPath}`\r\n );\r\n }\r\n\r\n return parsed as PolicyDocument;\r\n}\r\n","type SignalType =\r\n | \"boolean\"\r\n | \"integer\"\r\n | \"string\"\r\n | \"enum\";\r\n\r\ninterface SignalDefinition {\r\n type: SignalType;\r\n values?: string[];\r\n required?: boolean;\r\n}\r\n\r\ninterface PolicySignalsSchema {\r\n [key: string]: SignalDefinition;\r\n}\r\n\r\nimport type { PolicyDocument } from \"./evaluator.js\";\r\n\r\nexport function validateSignalsStrict(\r\n signals: Record<string, unknown>,\r\n policy: PolicyDocument\r\n): void {\r\n\r\n // ✅ FIXED: correct field\r\n const schema = policy.signalsSchema as PolicySignalsSchema;\r\n\r\n if (!schema || typeof schema !== \"object\") {\r\n throw new Error(\"[VAL-001] Invalid policy: missing signals schema\");\r\n }\r\n\r\n if (!signals || typeof signals !== \"object\") {\r\n throw new Error(\"[VAL-002] Invalid input: signals must be an object\");\r\n }\r\n\r\n // Reject unknown signals\r\n for (const key of Object.keys(signals)) {\r\n if (!Object.prototype.hasOwnProperty.call(schema, key)) {\r\n 
throw new Error(`[VAL-003] Unknown signal: ${key}`);\r\n }\r\n }\r\n\r\n // Validate required + type\r\n for (const key of Object.keys(schema)) {\r\n\r\n const def = schema[key];\r\n const value = signals[key];\r\n\r\n const isRequired = def.required !== false;\r\n\r\n if (value === undefined) {\r\n if (isRequired) {\r\n throw new Error(`[VAL-004] Missing required signal: ${key}`);\r\n }\r\n continue;\r\n }\r\n\r\n if (!def?.type) {\r\n throw new Error(`[VAL-005] Invalid schema for signal: ${key}`);\r\n }\r\n\r\n switch (def.type) {\r\n\r\n case \"boolean\":\r\n if (typeof value !== \"boolean\") {\r\n throw new Error(`[VAL-006] ${key} must be boolean`);\r\n }\r\n break;\r\n\r\n case \"integer\":\r\n if (typeof value !== \"number\" || !Number.isInteger(value)) {\r\n throw new Error(`[VAL-007] ${key} must be integer`);\r\n }\r\n break;\r\n\r\n case \"string\":\r\n if (typeof value !== \"string\") {\r\n throw new Error(`[VAL-008] ${key} must be string`);\r\n }\r\n break;\r\n\r\n case \"enum\":\r\n if (typeof value !== \"string\") {\r\n throw new Error(`[VAL-009] ${key} must be enum string`);\r\n }\r\n\r\n if (!Array.isArray(def.values) || def.values.length === 0) {\r\n throw new Error(`[VAL-010] ${key} enum values missing`);\r\n }\r\n\r\n if (!def.values.includes(value)) {\r\n throw new Error(\r\n `[VAL-011] Invalid value for ${key}: ${value}`\r\n );\r\n }\r\n break;\r\n\r\n default:\r\n throw new Error(`[VAL-012] Unsupported signal type: ${def.type}`);\r\n }\r\n }\r\n}\r\n","import {\r\n evaluatePolicy,\r\n} from \"./evaluator.js\";\r\n\r\nimport {\r\n loadPolicy,\r\n} from \"./load-policy.js\";\r\n\r\nimport {\r\n validateSignalsStrict,\r\n} from \"./validate-signals.js\";\r\n\r\nimport type {\r\n DecisionResult\r\n} from \"./execution-result.js\";\r\n\r\n\r\nexport interface DryRunResult {\r\n policy_id: string;\r\n policy_version: string;\r\n schema_version: string;\r\n\r\n decision: DecisionResult; // ✅ FIXED (not string)\r\n\r\n rule_trace: string[];\r\n\r\n 
governed: false;\r\n dry_run: true;\r\n\r\n evaluated_at: string;\r\n}\r\n\r\n\r\nexport function evaluateDryRun(\r\n policyId: string,\r\n policyVersion: string,\r\n signals: Record<string, unknown>,\r\n governed_time = new Date().toISOString()\r\n): DryRunResult {\r\n\r\n // -----------------------------\r\n // 1. Load policy\r\n // -----------------------------\r\n const policy =\r\n loadPolicy(policyId, policyVersion);\r\n\r\n // -----------------------------\r\n // 2. Validate signals\r\n // -----------------------------\r\n validateSignalsStrict(signals, policy);\r\n\r\n // -----------------------------\r\n // 3. Evaluate policy\r\n // -----------------------------\r\n const decision: DecisionResult =\r\n evaluatePolicy(policy, signals);\r\n\r\n // -----------------------------\r\n // 4. Return dry-run result\r\n // -----------------------------\r\n return {\r\n policy_id: policyId,\r\n policy_version: policyVersion,\r\n schema_version: \"1.0.0\",\r\n\r\n decision, // ✅ structured\r\n\r\n rule_trace: [],\r\n\r\n governed: false,\r\n dry_run: true,\r\n\r\n evaluated_at: governed_time,\r\n };\r\n}\r\n","export type InvariantBoundary =\r\n | \"canonicalize\"\r\n | \"validate\"\r\n | \"verify\"\r\n | \"replay\"\r\n | \"execute\"\r\n | \"sign\";\r\n\r\nexport interface InvariantEntry {\r\n readonly id: string;\r\n readonly description: string;\r\n readonly boundary: InvariantBoundary | readonly InvariantBoundary[];\r\n}\r\n\r\n/**\r\n * Single source of truth for all governance invariants.\r\n *\r\n * Every invariant_id that appears in ViolationReport, source comments,\r\n * or test coverage maps MUST have an entry here. 
The CI gate\r\n * (scripts/ci-invariant-gate.ts) enforces this at build time.\r\n */\r\nexport const INVARIANT_REGISTRY = {\r\n \"INV-001\": {\r\n id: \"INV-001\",\r\n description: \"Canonical serialization produces identical bytes for identical inputs\",\r\n boundary: \"canonicalize\",\r\n },\r\n \"INV-002\": {\r\n id: \"INV-002\",\r\n description: \"Input payload must be structurally valid\",\r\n boundary: \"validate\",\r\n },\r\n \"INV-003\": {\r\n id: \"INV-003\",\r\n description: \"Execution token signature must be cryptographically valid\",\r\n boundary: \"verify\",\r\n },\r\n \"INV-004\": {\r\n id: \"INV-004\",\r\n description: \"Execution time is injected deterministically — no wall-clock reads inside the execution scope\",\r\n boundary: [\"canonicalize\", \"execute\"] as readonly InvariantBoundary[],\r\n },\r\n \"INV-005\": {\r\n id: \"INV-005\",\r\n description: \"Runtime version must be in the set of supported runtime versions\",\r\n boundary: \"verify\",\r\n },\r\n \"INV-006\": {\r\n id: \"INV-006\",\r\n description: \"Schema version 1.0.0 must be supported by both runtime manifest and requirements\",\r\n boundary: \"verify\",\r\n },\r\n \"INV-007\": {\r\n id: \"INV-007\",\r\n description: \"Execution token must not be expired at governed_time\",\r\n boundary: \"verify\",\r\n },\r\n \"INV-008\": {\r\n id: \"INV-008\",\r\n description: \"The governed field is always in signature scope and equals literal true\",\r\n boundary: \"sign\",\r\n },\r\n \"INV-009\": {\r\n id: \"INV-009\",\r\n description: \"Signals hash must be a non-empty string binding execution to specific inputs\",\r\n boundary: \"validate\",\r\n },\r\n \"INV-010\": {\r\n id: \"INV-010\",\r\n description: \"Policy ID and policy version must be non-empty strings\",\r\n boundary: \"validate\",\r\n },\r\n \"INV-011\": {\r\n id: \"INV-011\",\r\n description: \"All required runtime capabilities must be present in the runtime manifest\",\r\n boundary: \"verify\",\r\n },\r\n \"INV-013\": {\r\n id: 
\"INV-013\",\r\n description: \"Replay protection is always enforced — execution_id is single-use and non-configurable\",\r\n boundary: \"replay\",\r\n },\r\n \"INV-014\": {\r\n id: \"INV-014\",\r\n description: \"governed literal true structurally distinguishes ExecutionResult from DryRunResult\",\r\n boundary: \"execute\",\r\n },\r\n \"INV-015\": {\r\n id: \"INV-015\",\r\n description: \"Audit record must be written before attestation is issued\",\r\n boundary: \"execute\",\r\n },\r\n \"INV-016\": {\r\n id: \"INV-016\",\r\n description: \"Audit records are linearizable via SHA-256 hash chain\",\r\n boundary: \"execute\",\r\n },\r\n \"INV-017\": {\r\n id: \"INV-017\",\r\n description: \"Any verification failure causes fail-closed execution — no partial results\",\r\n boundary: [\"verify\", \"replay\", \"execute\"] as readonly InvariantBoundary[],\r\n },\r\n \"INV-020\": {\r\n id: \"INV-020\",\r\n description: \"Runtime capability declarations are truthful and non-negotiable\",\r\n boundary: \"verify\",\r\n },\r\n \"INV-022\": {\r\n id: \"INV-022\",\r\n description: \"Every policy decision is derivable from the policy document and input signals\",\r\n boundary: \"execute\",\r\n },\r\n \"INV-024\": {\r\n id: \"INV-024\",\r\n description: \"Decision values are semantically unambiguous strings\",\r\n boundary: \"execute\",\r\n },\r\n \"INV-025\": {\r\n id: \"INV-025\",\r\n description: \"Schema version and runtime version are present in every ExecutionResult\",\r\n boundary: \"execute\",\r\n },\r\n \"INV-030\": {\r\n id: \"INV-030\",\r\n description: \"Every attestation contains a runtime_hash binding it to a specific runtime version\",\r\n boundary: \"execute\",\r\n },\r\n \"INV-031\": {\r\n id: \"INV-031\",\r\n description: \"Runtime manifest declares explicit supported_schema_versions and runtime_version\",\r\n boundary: \"verify\",\r\n },\r\n \"INV-033\": {\r\n id: \"INV-033\",\r\n description: \"Governance properties (replay, audit, attestation) are structurally 
enforced — not configurable\",\r\n boundary: \"execute\",\r\n },\r\n \"INV-034\": {\r\n id: \"INV-034\",\r\n description: \"Any verifier holding the correct public key can independently verify an attestation\",\r\n boundary: \"sign\",\r\n },\r\n \"INV-035\": {\r\n id: \"INV-035\",\r\n description: \"Verification is reproducible: same attestation + key produces identical outcome\",\r\n boundary: \"sign\",\r\n },\r\n \"INV-037\": {\r\n id: \"INV-037\",\r\n description: \"Signatures from different authority keys do not cross-verify — signing domains are isolated\",\r\n boundary: \"sign\",\r\n },\r\n \"INV-038\": {\r\n id: \"INV-038\",\r\n description: \"Cross-key verification failures are consistent: wrong-key always returns false\",\r\n boundary: \"sign\",\r\n },\r\n \"INV-040\": {\r\n id: \"INV-040\",\r\n description: \"AI output and governance enforcement are strictly separated — no AI field in execution scope\",\r\n boundary: \"validate\",\r\n },\r\n \"INV-041\": {\r\n id: \"INV-041\",\r\n description: \"Governance boundary is explicit: runtime manifest must declare runtime_version\",\r\n boundary: \"verify\",\r\n },\r\n \"INV-047\": {\r\n id: \"INV-047\",\r\n description: \"Canonical serialization uses explicit UTF-8 encoding\",\r\n boundary: \"canonicalize\",\r\n },\r\n \"INV-048\": {\r\n id: \"INV-048\",\r\n description: \"Unicode normalization is stable across canonicalization calls\",\r\n boundary: \"canonicalize\",\r\n },\r\n \"INV-049\": {\r\n id: \"INV-049\",\r\n description: \"Canonical JSON sorts object keys recursively and preserves array order\",\r\n boundary: \"canonicalize\",\r\n },\r\n \"INV-050\": {\r\n id: \"INV-050\",\r\n description: \"Duplicate JSON keys must not appear in governance payloads (gap: documented)\",\r\n boundary: \"canonicalize\",\r\n },\r\n \"INV-051\": {\r\n id: \"INV-051\",\r\n description: \"Numeric values canonicalize identically regardless of trailing zeros\",\r\n boundary: \"canonicalize\",\r\n },\r\n \"INV-052\": {\r\n id: 
\"INV-052\",\r\n description: \"Object insertion order does not affect canonical form or content-address hash\",\r\n boundary: \"canonicalize\",\r\n },\r\n \"INV-053\": {\r\n id: \"INV-053\",\r\n description: \"Array element order is preserved through canonicalization\",\r\n boundary: \"canonicalize\",\r\n },\r\n \"INV-054\": {\r\n id: \"INV-054\",\r\n description: \"JSON type closure: NaN and Infinity serialize to null; undefined fields are omitted\",\r\n boundary: \"canonicalize\",\r\n },\r\n \"INV-057\": {\r\n id: \"INV-057\",\r\n description: \"Content-address (SHA-256) is stable for identical content across calls\",\r\n boundary: \"canonicalize\",\r\n },\r\n \"INV-059\": {\r\n id: \"INV-059\",\r\n description: \"Replay domain is explicit: every execution_id in the store was consumed by a real execution\",\r\n boundary: \"replay\",\r\n },\r\n \"INV-060\": {\r\n id: \"INV-060\",\r\n description: \"Attestation verification is idempotent: same inputs always produce identical results\",\r\n boundary: \"sign\",\r\n },\r\n \"INV-061\": {\r\n id: \"INV-061\",\r\n description: \"Runtime capability declarations are immutable after build\",\r\n boundary: \"verify\",\r\n },\r\n \"INV-072\": {\r\n id: \"INV-072\",\r\n description: \"Dry-run path produces no side effects: no replay store write, no audit record, no signature\",\r\n boundary: \"execute\",\r\n },\r\n \"INV-073\": {\r\n id: \"INV-073\",\r\n description: \"Canonical evaluation source files contain no network calls\",\r\n boundary: \"execute\",\r\n },\r\n \"INV-074\": {\r\n id: \"INV-074\",\r\n description: \"Every governed executeDecision call produces exactly one audit record\",\r\n boundary: \"execute\",\r\n },\r\n \"INV-075\": {\r\n id: \"INV-075\",\r\n description: \"Execution IDs (UUIDv4) are unique per issuance — governance identity is non-reusable\",\r\n boundary: \"execute\",\r\n },\r\n \"INV-077\": {\r\n id: \"INV-077\",\r\n description: \"All failure modes are deterministic: same invalid input always 
produces the same error\",\r\n boundary: [\"verify\", \"replay\", \"execute\"] as readonly InvariantBoundary[],\r\n },\r\n \"INV-078\": {\r\n id: \"INV-078\",\r\n description: \"Operational metadata fields must not contaminate deterministic signing scope\",\r\n boundary: \"validate\",\r\n },\r\n \"INV-080\": {\r\n id: \"INV-080\",\r\n description: \"Unsupported schema and runtime versions fail explicitly with a descriptive error\",\r\n boundary: \"verify\",\r\n },\r\n \"META-001\": {\r\n id: \"META-001\",\r\n description: \"Every governed execution produces a signed, independently verifiable attestation\",\r\n boundary: \"sign\",\r\n },\r\n \"META-004\": {\r\n id: \"META-004\",\r\n description: \"Invariant violations always fail closed — no partial results are emitted on violation\",\r\n boundary: [\"verify\", \"replay\", \"execute\", \"sign\"] as readonly InvariantBoundary[],\r\n },\r\n} as const satisfies Record<string, InvariantEntry>;\r\n\r\nexport type InvariantId = keyof typeof INVARIANT_REGISTRY;\r\n","import * as crypto from \"node:crypto\";\r\n\r\n/**\r\n * Structured report emitted when a governance invariant is violated.\r\n *\r\n * Fields:\r\n * invariant_id — the invariant from INVARIANT_REGISTRY that was breached\r\n * boundary — pipeline stage where the violation was detected\r\n * reason — human-readable explanation of what failed\r\n * input_hash — SHA-256 of the canonical form of the input that triggered the violation\r\n * timestamp_seq — monotonically increasing sequence number within the process lifetime\r\n */\r\nexport interface ViolationReport {\r\n readonly invariant_id: string;\r\n readonly boundary: string;\r\n readonly reason: string;\r\n readonly input_hash: string;\r\n readonly timestamp_seq: number;\r\n}\r\n\r\nlet _seq = 0;\r\n\r\n/**\r\n * Thrown by every pipeline stage boundary when a governance invariant is violated.\r\n *\r\n * Carries a structured ViolationReport so downstream consumers can distinguish\r\n * invariant violations 
from unexpected runtime errors without string parsing.\r\n */\r\nexport class InvariantViolation extends Error {\r\n readonly report: ViolationReport;\r\n\r\n constructor(report: ViolationReport) {\r\n super(`[${report.invariant_id}@${report.boundary}] ${report.reason}`);\r\n this.name = \"InvariantViolation\";\r\n this.report = report;\r\n }\r\n}\r\n\r\n/**\r\n * Computes the SHA-256 hex digest of `value` for use as `input_hash` in a ViolationReport.\r\n * Accepts a string (used as-is) or any value (JSON-stringified before hashing).\r\n */\r\nexport function hashInput(value: unknown): string {\r\n const bytes =\r\n typeof value === \"string\"\r\n ? value\r\n : JSON.stringify(value) ?? \"\";\r\n\r\n return crypto\r\n .createHash(\"sha256\")\r\n .update(bytes, \"utf8\")\r\n .digest(\"hex\");\r\n}\r\n\r\n/**\r\n * Constructs and throws an InvariantViolation.\r\n * Never returns — the return type `never` enforces this at compile time.\r\n *\r\n * @param invariant_id - ID from INVARIANT_REGISTRY\r\n * @param boundary - Pipeline stage name\r\n * @param reason - Human-readable reason (must contain the legacy message substring for test compat)\r\n * @param input - The input that triggered the violation (hashed automatically)\r\n */\r\nexport function violate(\r\n invariant_id: string,\r\n boundary: string,\r\n reason: string,\r\n input: unknown\r\n): never {\r\n throw new InvariantViolation({\r\n invariant_id,\r\n boundary,\r\n reason,\r\n input_hash: hashInput(input),\r\n timestamp_seq: ++_seq,\r\n });\r\n}\r\n","/**\r\n * Sealed Execution VM — determinism enforcement for the governance execution scope.\r\n *\r\n * The execution stage (execute.ts, pipeline.ts) is forbidden from accessing:\r\n * - Date.now() — non-deterministic wall clock\r\n * - Math.random() — non-deterministic PRNG\r\n * - fs / network IO — external state that varies across environments\r\n *\r\n * Time is injected explicitly via governed_time in ExecutionContext.\r\n * The CI gate 
(scripts/ci-invariant-gate.ts) enforces these constraints statically.\r\n *\r\n * This module provides:\r\n * - governingTime() — derives execution time from injected governed_time or falls\r\n * back to the system clock (only acceptable outside execute.ts)\r\n * - FORBIDDEN_GLOBALS — the list of globals that must not appear in execution-scope files\r\n */\r\n\r\n/** Globals forbidden inside the sealed execution scope. */\r\nexport const FORBIDDEN_GLOBALS = [\r\n \"Date.now\",\r\n \"Math.random\",\r\n] as const;\r\n\r\n/**\r\n * Files in the execution package whose source must not reference FORBIDDEN_GLOBALS.\r\n * Enforced by the CI gate.\r\n */\r\nexport const SEALED_SCOPE_FILES = [\r\n \"packages/execution/src/execute.ts\",\r\n \"packages/execution/src/pipeline.ts\",\r\n \"packages/execution/src/canonical-signing.ts\",\r\n \"packages/bundle/src/canonicalize.ts\",\r\n \"packages/bundle/src/hash.ts\",\r\n] as const;\r\n\r\n/**\r\n * Returns the governing time for an execution.\r\n *\r\n * When `provided` is a non-empty ISO 8601 string it is returned as-is,\r\n * preserving determinism. 
When `provided` is absent or empty the current\r\n * system time is used — this fallback is intentionally limited to\r\n * non-execution-scope callers (audit.ts, dry-run.ts, tests).\r\n *\r\n * MUST NOT be called from execute.ts or pipeline.ts — those files must\r\n * receive governed_time from their caller and pass it through explicitly.\r\n */\r\nexport function governingTime(provided?: string): string {\r\n if (provided && provided.length > 0) {\r\n return provided;\r\n }\r\n return new Date().toISOString();\r\n}\r\n","import type {\r\n ExecutionAttestation\r\n} from \"./execution-attestation.js\";\r\n\r\nimport * as crypto from \"node:crypto\";\r\n\r\nimport { evaluatePolicy } from \"./evaluator.js\";\r\nimport { loadPolicy } from \"./load-policy.js\";\r\nimport { validateSignalsStrict } from \"./validate-signals.js\";\r\nimport { issueToken } from \"./issue-token.js\";\r\nimport { signExecutionToken } from \"./sign-token.js\";\r\nimport { getRuntimeManifest } from \"./runtime-manifest.js\";\r\nimport { executeWithRedis } from \"./execute-with-redis.js\";\r\nimport { canonicalize } from \"./canonical-json.js\";\r\n\r\nimport type { Signer } from \"./signer-interface.js\";\r\nimport type { Verifier } from \"./verifier-interface.js\";\r\nimport type { AsyncReplayStore } from \"./async-replay-store-interface.js\";\r\nimport type { DecisionResult } from \"./execution-result.js\";\r\n\r\nexport async function executeFromSignals(\r\n input: {\r\n policyId: string;\r\n policyVersion: string;\r\n signals: Record<string, unknown>;\r\n metadata?: Record<string, unknown>;\r\n },\r\n signer: Signer,\r\n verifier: Verifier,\r\n replayStore: AsyncReplayStore & {\r\n get?: (key: string) => Promise<string | null>;\r\n set?: (key: string, value: string) => Promise<void>;\r\n del?: (key: string) => Promise<void>;\r\n }\r\n) {\r\n try {\r\n\r\n // -----------------------------\r\n // 1. 
Load policy\r\n // -----------------------------\r\n const policy = loadPolicy(\r\n input.policyId,\r\n input.policyVersion\r\n );\r\n\r\n // -----------------------------\r\n // 2. Validate signals\r\n // -----------------------------\r\n validateSignalsStrict(\r\n input.signals,\r\n policy\r\n );\r\n\r\n // -----------------------------\r\n // 3. Evaluate policy\r\n // -----------------------------\r\n const decision: DecisionResult =\r\n evaluatePolicy(\r\n policy,\r\n input.signals\r\n );\r\n\r\n // -----------------------------\r\n // 4. Enforce invariants\r\n // -----------------------------\r\n if (\r\n decision.status !== \"decided\" ||\r\n !decision.outcome\r\n ) {\r\n\r\n throw new Error(\r\n \"[SYS-004] Invalid policy: execution must resolve to decided\"\r\n );\r\n }\r\n\r\n if (!decision.rule_id) {\r\n\r\n throw new Error(\r\n \"[SYS-005] Invalid decision: rule_id required\"\r\n );\r\n }\r\n\r\n // -----------------------------\r\n // 5. Canonical signals\r\n // -----------------------------\r\n const canonicalSignals =\r\n canonicalize(\r\n input.signals\r\n );\r\n\r\n // -----------------------------\r\n // 6. Deterministic execution_id\r\n // -----------------------------\r\n const executionId = crypto\r\n .createHash(\"sha256\")\r\n .update(\r\n JSON.stringify({\r\n policyId:\r\n input.policyId,\r\n\r\n policyVersion:\r\n input.policyVersion,\r\n\r\n signals:\r\n canonicalSignals\r\n })\r\n )\r\n .digest(\"hex\");\r\n\r\n // -----------------------------\r\n // 7. Runtime manifest\r\n // -----------------------------\r\n const runtimeManifest =\r\n getRuntimeManifest();\r\n\r\n // -----------------------------\r\n // 8. 
Issue token\r\n // -----------------------------\r\n const token = issueToken({\r\n\r\n execution_id:\r\n executionId,\r\n\r\n policy_id:\r\n input.policyId,\r\n\r\n decision_payload:\r\n decision.outcome,\r\n\r\n schema_version:\r\n policy.schemaVersion,\r\n\r\n runtime_version:\r\n runtimeManifest.runtime_version\r\n });\r\n\r\n const tokenSignature =\r\n signExecutionToken(\r\n token,\r\n signer\r\n );\r\n\r\n // -----------------------------\r\n // 9. Runtime requirements\r\n // -----------------------------\r\n const runtimeRequirements = {\r\n\r\n required_capabilities: [],\r\n\r\n supported_runtime_versions: [\r\n runtimeManifest.runtime_version\r\n ],\r\n\r\n supported_schema_versions: [\r\n policy.schemaVersion\r\n ]\r\n };\r\n\r\n // -----------------------------\r\n // 10. Resolve execution state\r\n // -----------------------------\r\n const action =\r\n decision.outcome.action;\r\n\r\n const requiresOverride =\r\n decision.outcome.requires_override;\r\n\r\n let execution_state:\r\n \"completed\" |\r\n \"blocked\" |\r\n \"pending_override\";\r\n\r\n if (requiresOverride) {\r\n\r\n execution_state =\r\n \"pending_override\";\r\n\r\n } else {\r\n\r\n execution_state =\r\n action === \"approve\"\r\n ? \"completed\"\r\n : \"blocked\";\r\n }\r\n\r\n // -----------------------------\r\n // 11. 
Handle pending_override\r\n // -----------------------------\r\n if (\r\n execution_state ===\r\n \"pending_override\"\r\n ) {\r\n\r\n if (!replayStore.set) {\r\n\r\n throw new Error(\r\n \"[SYS-020] Store does not support pending execution storage\"\r\n );\r\n }\r\n\r\n await replayStore.set(\r\n `pending:${executionId}`,\r\n\r\n JSON.stringify({\r\n\r\n token,\r\n\r\n token_signature:\r\n tokenSignature,\r\n\r\n runtime_manifest:\r\n runtimeManifest,\r\n\r\n runtime_requirements:\r\n runtimeRequirements\r\n })\r\n );\r\n\r\n const attestation:\r\n ExecutionAttestation = {\r\n\r\n execution_id:\r\n executionId,\r\n\r\n decision:\r\n decision.outcome,\r\n\r\n execution_state:\r\n \"pending_override\",\r\n\r\n runtime_hash:\r\n runtimeManifest.runtime_hash,\r\n\r\n signature:\r\n tokenSignature\r\n };\r\n\r\n return {\r\n\r\n status:\r\n \"pending_override\" as const,\r\n\r\n execution_id:\r\n executionId,\r\n\r\n decision,\r\n\r\n requires_override:\r\n true,\r\n\r\n attestation\r\n };\r\n }\r\n\r\n // -----------------------------\r\n // 12. Execute\r\n // -----------------------------\r\n let execution;\r\n\r\n try {\r\n\r\n execution =\r\n await executeWithRedis(\r\n {\r\n token,\r\n\r\n token_signature:\r\n tokenSignature,\r\n\r\n signer,\r\n\r\n verifier,\r\n\r\n runtime_manifest:\r\n runtimeManifest,\r\n\r\n runtime_requirements:\r\n runtimeRequirements\r\n },\r\n\r\n replayStore\r\n );\r\n\r\n } catch (err) {\r\n\r\n const message =\r\n err instanceof Error\r\n ? 
err.message\r\n : \"Unknown error\";\r\n\r\n // -----------------------------\r\n // Replay = idempotent success\r\n // -----------------------------\r\n if (\r\n message.includes(\r\n \"Replay attack detected\"\r\n )\r\n ) {\r\n\r\n return {\r\n\r\n status:\r\n \"success\" as const,\r\n\r\n execution_id:\r\n executionId,\r\n\r\n decision,\r\n\r\n execution_state,\r\n\r\n requires_override:\r\n false,\r\n\r\n replay:\r\n true\r\n };\r\n }\r\n\r\n throw err;\r\n }\r\n\r\n // -----------------------------\r\n // Success attestation\r\n // -----------------------------\r\n const attestation:\r\n ExecutionAttestation = {\r\n\r\n execution_id:\r\n executionId,\r\n\r\n decision:\r\n decision.outcome,\r\n\r\n execution_state,\r\n\r\n runtime_hash:\r\n runtimeManifest.runtime_hash,\r\n\r\n signature:\r\n execution.signature\r\n };\r\n\r\n // -----------------------------\r\n // SUCCESS\r\n // -----------------------------\r\n return {\r\n\r\n status:\r\n \"success\" as const,\r\n\r\n execution_id:\r\n executionId,\r\n\r\n decision,\r\n\r\n execution_state,\r\n\r\n requires_override:\r\n false,\r\n\r\n signature:\r\n execution.signature,\r\n\r\n attestation\r\n };\r\n\r\n } catch (err: unknown) {\r\n\r\n return {\r\n\r\n status:\r\n \"error\" as const,\r\n\r\n error:\r\n err instanceof Error\r\n ? 
err.message\r\n : \"Unknown error\"\r\n };\r\n }\r\n}","import type { ExecutionContext } from \"./execution-context.js\";\r\nimport type { ExecutionAttestation } from \"./execution-attestation.js\";\r\nimport type { AsyncReplayStore } from \"./async-replay-store-interface.js\";\r\n\r\nimport { MemoryReplayStore } from \"./memory-replay-store.js\";\r\nimport { executeDecision } from \"./execute.js\";\r\n\r\n/**\r\n * 🟢 ASYNC ADAPTER\r\n * Handles Redis, keeps core pure\r\n */\r\nexport async function executeWithRedis(\r\n context: ExecutionContext,\r\n redisStore: AsyncReplayStore\r\n): Promise<ExecutionAttestation> {\r\n\r\n // Distributed replay protection\r\n await redisStore.markExecuted(\r\n context.token.execution_id\r\n );\r\n\r\n // Deterministic execution (sync core)\r\n const memoryStore = new MemoryReplayStore();\r\n\r\n return executeDecision(context, memoryStore);\r\n}\r\n","export function canonicalize(value: any): string {\r\n return JSON.stringify(sortValue(value));\r\n}\r\n\r\nfunction sortValue(value: any): any {\r\n if (Array.isArray(value)) {\r\n return value.map(sortValue);\r\n }\r\n\r\n if (value && typeof value === \"object\") {\r\n const sorted: Record<string, any> = {};\r\n\r\n for (const key of Object.keys(value).sort()) {\r\n sorted[key] = sortValue(value[key]);\r\n }\r\n\r\n return sorted;\r\n }\r\n\r\n return value;\r\n}\r\n","import {\r\n executeFromSignals,\r\n} from \"./execute-from-signals.js\";\r\n\r\nimport type {\r\n Signer,\r\n} from \"./signer-interface.js\";\r\n\r\nimport type {\r\n Verifier,\r\n} from \"./verifier-interface.js\";\r\n\r\nimport type {\r\n AsyncReplayStore,\r\n} from \"./async-replay-store-interface.js\";\r\n\r\n\r\n/**\r\n * Executes multiple records sequentially.\r\n *\r\n * Each record is processed independently.\r\n * Errors are captured per-record (fail-isolated).\r\n */\r\nexport async function executeBatch(\r\n records: Array<{\r\n policyId: string;\r\n policyVersion: string;\r\n signals: Record<string, 
unknown>;\r\n governed_time: string;\r\n }>,\r\n signer: Signer,\r\n verifier: Verifier,\r\n replayStore: AsyncReplayStore\r\n) {\r\n\r\n const outputs = [];\r\n\r\n for (const record of records) {\r\n\r\n try {\r\n\r\n const output =\r\n await executeFromSignals(\r\n record,\r\n signer,\r\n verifier,\r\n replayStore\r\n );\r\n\r\n outputs.push({\r\n input: record,\r\n output\r\n });\r\n\r\n } catch (err: unknown) {\r\n\r\n outputs.push({\r\n input: record,\r\n output: {\r\n status: \"error\",\r\n error:\r\n err instanceof Error\r\n ? err.message\r\n : \"Unknown error\"\r\n }\r\n });\r\n\r\n }\r\n }\r\n\r\n return outputs;\r\n}\r\n","import Redis from \"ioredis\";\r\n\r\nimport type {\r\n Redis as RedisClient\r\n} from \"ioredis\";\r\n\r\nimport type {\r\n AsyncReplayStore\r\n} from \"./async-replay-store-interface.js\";\r\n\r\nexport class RedisReplayStore\r\n implements AsyncReplayStore {\r\n\r\n private client: RedisClient;\r\n\r\n constructor(\r\n url: string\r\n ) {\r\n\r\n this.client =\r\n new (Redis as any)(url);\r\n }\r\n\r\n async hasExecuted(\r\n executionId: string\r\n ): Promise<boolean> {\r\n\r\n const res =\r\n await this.client.exists(\r\n `exec:${executionId}`\r\n );\r\n\r\n return res === 1;\r\n }\r\n\r\n async markExecuted(\r\n executionId: string\r\n ): Promise<void> {\r\n\r\n const result =\r\n await this.client.set(\r\n `exec:${executionId}`,\r\n \"1\",\r\n \"NX\"\r\n );\r\n\r\n if (result !== \"OK\") {\r\n\r\n throw new Error(\r\n `[INV-013@replay] Replay detected: execution_id ${executionId} has already been consumed`\r\n );\r\n }\r\n }\r\n\r\n async get(\r\n key: string\r\n ): Promise<string | null> {\r\n\r\n return this.client.get(key);\r\n }\r\n\r\n async set(\r\n key: string,\r\n value: string\r\n ): Promise<void> {\r\n\r\n await this.client.set(\r\n key,\r\n value\r\n );\r\n }\r\n\r\n async del(\r\n key: string\r\n ): Promise<void> {\r\n\r\n await this.client.del(key);\r\n }\r\n\r\n async close(): Promise<void> {\r\n\r\n await 
this.client.quit();\r\n }\r\n}","import { executeWithRedis } from \"./execute-with-redis.js\";\r\n\r\nimport type { AsyncReplayStore } from \"./async-replay-store-interface.js\";\r\nimport type { Signer } from \"./signer-interface.js\";\r\nimport type { Verifier } from \"./verifier-interface.js\";\r\n\r\nexport async function resolveOverride(\r\n executionId: string,\r\n replayStore: AsyncReplayStore & {\r\n get: (key: string) => Promise<string | null>;\r\n del: (key: string) => Promise<void>;\r\n },\r\n signer: Signer,\r\n verifier: Verifier\r\n) {\r\n // -----------------------------\r\n // 1. Load pending execution\r\n // -----------------------------\r\n const raw = await replayStore.get(`pending:${executionId}`);\r\n\r\n if (!raw) {\r\n throw new Error(\r\n `[SYS-021] No pending execution found for ${executionId}`\r\n );\r\n }\r\n\r\n const stored = JSON.parse(raw);\r\n\r\n // -----------------------------\r\n // 2. Execute (same token)\r\n // -----------------------------\r\n const execution = await executeWithRedis(\r\n {\r\n token: stored.token,\r\n token_signature: stored.token_signature,\r\n signer,\r\n verifier,\r\n runtime_manifest: stored.runtime_manifest,\r\n runtime_requirements: stored.runtime_requirements\r\n },\r\n replayStore\r\n );\r\n\r\n // -----------------------------\r\n // 3. Remove pending state\r\n // -----------------------------\r\n await replayStore.del(`pending:${executionId}`);\r\n\r\n // -----------------------------\r\n // 4. 
Return result\r\n // -----------------------------\r\n return {\r\n status: \"success\" as const,\r\n execution_id: executionId,\r\n signature: execution.signature,\r\n resolved: true\r\n };\r\n}\r\n"],"mappings":";AAMO,SAAS,WAAW,OAMR;AAEjB,QAAM;AAAA,IACJ;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,EACF,IAAI;AAEJ,MAAI,CAAC,gBAAgB;AACnB,UAAM,IAAI,MAAM,uCAAuC;AAAA,EACzD;AAEA,MAAI,CAAC,iBAAiB;AACpB,UAAM,IAAI,MAAM,wCAAwC;AAAA,EAC1D;AAEA,QAAM,QAAwB;AAAA,IAC5B;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,EACF;AAEA,SAAO,aAAa,KAAK;AAC3B;AAKA,SAAS,aAAa,KAAe;AACnC,MAAI,MAAM,QAAQ,GAAG,GAAG;AACtB,WAAO,IAAI,IAAI,YAAY;AAAA,EAC7B;AAEA,MAAI,QAAQ,QAAQ,OAAO,QAAQ,UAAU;AAC3C,WAAO,OAAO,KAAK,GAAG,EACnB,KAAK,EACL,OAAO,CAAC,KAAU,QAAQ;AACzB,UAAI,GAAG,IAAI,aAAa,IAAI,GAAG,CAAC;AAChC,aAAO;AAAA,IACT,GAAG,CAAC,CAAC;AAAA,EACT;AAEA,SAAO;AACT;;;AC3DA;AAAA,EACE,gBAAAA;AAAA,OACK;AAOA,SAAS,uBACd,OACQ;AAER,SAAOA,cAAa,KAAK;AAC3B;;;ACEO,SAAS,mBACd,OACA,QACQ;AAER,QAAM,YAAY,uBAAuB,KAAK;AAGhD,UAAQ,IAAI,eAAe,SAAS;AAElC,SAAO,OAAO,KAAK,SAAS;AAC9B;;;ACfO,SAAS,qBACd,OACA,WACA,UACS;AAET,QAAM,YAAY,uBAAuB,KAAK;AAG9C,UAAQ,IAAI,iBAAiB,SAAS;AAEtC,SAAO,SAAS;AAAA,IACd;AAAA,IACA;AAAA,EACF;AACF;;;AC3BA;AAAA,EACE;AAAA,OACK;AAQA,SAAS,oBACd,UACM;AACN,QAAM,QACJ;AAAA,IACE;AAAA,EACF;AAEF,MAAI,CAAC,OAAO;AACV,UAAM,IAAI;AAAA,MACR,2CAA2C,QAAQ;AAAA,IACrD;AAAA,EACF;AACF;;;ACAO,SAAS,wBACd,aAMQ;AAER,SAAO,KAAK;AAAA,IACVC;AAAA,MACE;AAAA,IACF;AAAA,EACF;AACF;AAKA,SAASA,cACP,KACK;AAEL,MAAI,MAAM,QAAQ,GAAG,GAAG;AAEtB,WAAO,IAAI;AAAA,MACTA;AAAA,IACF;AAAA,EACF;AAEA,MACE,QAAQ,QAER,OAAO,QAAQ,UACf;AAEA,WAAO,OACJ,KAAK,GAAG,EACR,KAAK,EACL;AAAA,MACC,CACE,KACA,QACG;AAEH,YAAI,GAAG,IACLA;AAAA,UACE,IAAI,GAAG;AAAA,QACT;AAEF,eAAO;AAAA,MACT;AAAA,MACA,CAAC;AAAA,IACH;AAAA,EACJ;AAEA,SAAO;AACT;;;AClEO,SAAS,YACd,OAEA,iBAEA,UAOA,kBAEA,sBACM;AAEN,QAAM,QACJ,SAAS;AAAA,IAEP,OAAO;AAAA,MACL;AAAA,QACE;AAAA,MACF;AAAA,IACF;AAAA,IAEA,OAAO;AAAA,MACL;AAAA,MACA;AAAA,IACF;AAAA,EACF;AAEF,MAAI,CAAC,OAAO;AAEV,UAAM,IAAI;AAAA,MACR;AAAA,IACF;AAAA,EACF;AAMA,MACE,CAAC,sBAAsB,8BAEvB,CA
AC,qBACE,2BACA;AAAA,IACC,iBAAiB;AAAA,EACnB,GACF;AAEA,UAAM,IAAI;AAAA,MACR;AAAA,IACF;AAAA,EACF;AAMA,aACQ,OACH,sBACC,yBACC,CAAC,GACN;AAEA,QACE,CAAC,iBACE,aACA,SAAS,GAAG,GACf;AAEA,YAAM,IAAI;AAAA,QACR,gCAAgC,GAAG;AAAA,MACrC;AAAA,IACF;AAAA,EACF;AAMA,MACE,CAAC,sBAAsB,6BAEvB,CAAC,qBACE,0BACA;AAAA,IACC,MAAM;AAAA,EACR,GACF;AAEA,UAAM,IAAI;AAAA,MACR;AAAA,IACF;AAAA,EACF;AACF;AAKO,SAAS,aACd,OACM;AAIR;AAKO,SAAS,UACd,SAmBA,QAMA,cACA;AAMA,QAAM,cAAc;AAAA,IAElB,cACE,QAAQ;AAAA,IAEV,UACE,QAAQ;AAAA,IAEV,iBACE,QAAQ;AAAA,IAEV;AAAA,EACF;AAMA,QAAM,YACJ;AAAA,IACE;AAAA,EACF;AAMF,QAAM,YACJ,OAAO;AAAA,IACL;AAAA,EACF;AAMF,SAAO;AAAA,IAEL,cACE,QAAQ;AAAA,IAEV,UACE,QAAQ;AAAA,IAEV,iBACE,QAAQ;AAAA,IAEV;AAAA,IAEA;AAAA,EACF;AACF;;;AChNO,IAAM,oBAAN,MAA+C;AAAA,EAA/C;AACL,SAAQ,QAAQ,oBAAI,IAAY;AAAA;AAAA,EAEhC,aAAa,cAA4B;AACvC,QAAI,KAAK,MAAM,IAAI,YAAY,GAAG;AAChC,YAAM,IAAI,MAAM,wBAAwB;AAAA,IAC1C;AAEA,SAAK,MAAM,IAAI,YAAY;AAAA,EAC7B;AACF;;;ACMO,SAAS,gBACd,SACA,aACsB;AAEtB,QAAM;AAAA,IACJ;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,EACF,IAAI;AAKJ;AAAA,IACE;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,EACF;AAKA,QAAM,QACJ,eACA,IAAI,kBAAkB;AAExB,MAAI,CAAC,QAAQ,WAAW;AAEtB,UAAM;AAAA,MACJ,MAAM;AAAA,IACR;AAAA,EACF;AAKA,eAAa,KAAK;AAKlB,QAAM,WACJ,MAAM;AAER,QAAM,kBAKJ,SAAS,oBACL,qBACA,SAAS,WAAW,YAClB,cACA;AAKR,SAAO;AAAA,IACL;AAAA,MACE,cACE,MAAM;AAAA,MAER;AAAA,MAEA;AAAA,IACF;AAAA,IACA;AAAA,IACA,iBAAiB;AAAA,EACnB;AACF;;;AChFO,SAAS,iBACd,OACA,WACA,UACS;AAET,SAAO,SAAS;AAAA,IACd,uBAAuB,KAAK;AAAA,IAC5B;AAAA,EACF;AACF;AASO,SAAS,mBAA4B;AAC1C,SAAO;AACT;;;ACtCA,YAAY,YAAY;AAExB;AAAA,EACE,gBAAAC;AAAA,OACK;AAOA,IAAM,4BAA4B;AAAA,EACvC,iBACE;AAAA,EAEF,2BAA2B;AAAA,IACzB;AAAA,EACF;AAAA,EAEA,cAAc;AAAA,IACZ;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,EACF;AACF;AAOO,SAAS,cAAsB;AACpC,SACG;AAAA,IACC;AAAA,EACF,EACC;AAAA,IACCA;AAAA,MACE;AAAA,IACF;AAAA,EACF,EACC;AAAA,IACC;AAAA,EACF;AACJ;;;ACbO,SAAS,qBAAsC;AAEpD,SAAO;AAAA,IACL,cACE,YAAY;AAAA,IACd,GAAG;AAAA,EACL;AACF;;;ACvCA;AAAA,EACE,gBAAAC;AAAA,OACK;AAeA,SAAS,oBACd,UACA,QACQ;AAER,SAAO,OAAO;AAAA,IA
CZA,cAAa,QAAQ;AAAA,EACvB;AACF;;;ACTO,SAAS,sBACd,UACA,WACA,UACS;AAET,SAAO,SAAS;AAAA,IACd,uBAAuB,QAAQ;AAAA,IAC/B;AAAA,EACF;AACF;;;AC1BA,OAAOC,aAAY;AAaZ,IAAM,cAAN,MACa;AAAA;AAAA;AAAA;AAAA,EAOlB,YACmB,YACjB;AADiB;AAGjB,UAAM,gBACJ,WACG,QAAQ,QAAQ,IAAI,EACpB,KAAK;AAEV,SAAK,YACHA,QAAO,iBAAiB;AAAA,MACtB,KAAK;AAAA,MACL,QAAQ;AAAA,IACV,CAAC;AAAA,EACL;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,KACE,SACQ;AAER,WAAOA,QACJ;AAAA,MACC;AAAA,MAEA,OAAO;AAAA,QACL;AAAA,QACA;AAAA,MACF;AAAA,MAEA,KAAK;AAAA,IACP,EAEC;AAAA,MACC;AAAA,IACF;AAAA,EACJ;AACF;;;AC7DA,YAAYC,aAAY;AAWjB,IAAM,gBAAN,MACe;AAAA;AAAA;AAAA;AAAA,EAKpB,YACmB,WACjB;AADiB;AAAA,EAChB;AAAA;AAAA;AAAA;AAAA;AAAA,EAMH,OACE,SACA,WACS;AAET,WAAc;AAAA,MACZ;AAAA,MAEA,OAAO;AAAA,QACL;AAAA,QACA;AAAA,MACF;AAAA,MAEA,KAAK;AAAA,MAEL,OAAO;AAAA,QACL;AAAA,QACA;AAAA,MACF;AAAA,IACF;AAAA,EACF;AACF;;;ACHA,SAAS,kBACP,WACA,SACS;AAET,MAAI,SAAS,WAAW;AACtB,WAAO,UAAU,IAAI,MAAM,OAAK,kBAAkB,GAAG,OAAO,CAAC;AAAA,EAC/D;AAEA,MAAI,SAAS,WAAW;AACtB,WAAO,UAAU,IAAI,KAAK,OAAK,kBAAkB,GAAG,OAAO,CAAC;AAAA,EAC9D;AAEA,QAAM,EAAE,QAAQ,QAAQ,cAAc,UAAU,IAAI;AAEpD,MAAI,EAAE,UAAU,UAAU;AACxB,UAAM,IAAI,MAAM,qBAAqB,MAAM,EAAE;AAAA,EAC/C;AAEA,QAAM,SAAS,QAAQ,MAAM;AAE7B,MAAI,WAAW,QAAW;AACxB,QAAI,OAAO,WAAW,OAAO,QAAQ;AACnC,YAAM,IAAI,MAAM,qBAAqB,MAAM,EAAE;AAAA,IAC/C;AACA,WAAO,WAAW;AAAA,EACpB;AAEA,MAAI,iBAAiB,QAAW;AAC9B,QAAI,OAAO,WAAW,UAAU;AAC9B,YAAM,IAAI,MAAM,uBAAuB,MAAM,EAAE;AAAA,IACjD;AACA,WAAO,SAAS;AAAA,EAClB;AAEA,MAAI,cAAc,QAAW;AAC3B,QAAI,OAAO,WAAW,UAAU;AAC9B,YAAM,IAAI,MAAM,uBAAuB,MAAM,EAAE;AAAA,IACjD;AACA,WAAO,SAAS;AAAA,EAClB;AAEA,SAAO;AACT;AAKA,SAAS,sBAAsB,QAA8B;AAC3D,QAAM,YAAY,CAAC,OAAO;AAE1B,MAAI,CAAC,UAAU,SAAS,OAAO,aAAa,GAAG;AAC7C,UAAM,IAAI;AAAA,MACR,+BAA+B,OAAO,aAAa;AAAA,IACrD;AAAA,EACF;AACF;AAKO,SAAS,eACd,QACA,SACgB;AAEhB,wBAAsB,MAAM;AAK5B,aAAW,QAAQ,OAAO,OAAO;AAE/B,UAAM,UAAU;AAAA,MACd,KAAK;AAAA,MACL;AAAA,IACF;AAEA,QAAI,SAAS;AACX,aAAO;AAAA,QACL,QAAQ;AAAA,QACR,SAAS,KAAK;AAAA,QACd,SAAS,KAAK;AAAA,QACd,QAAQ;AAAA,MACV;AAAA,IACF;AAAA,EACF;AAKA,QAAM,IAAI;AAAA,IACR;AAAA,EACF;AACF;;;ACzIA,YAAY,QAAQ;AACpB,Y
AAY,UAAU;AAIf,SAAS,WACd,UACA,eACA,WAAmB,QAAQ,IAAI,GACf;AAEhB,QAAM,aAAkB;AAAA,IACtB;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,EACF;AAEA,MAAI,CAAI,cAAW,UAAU,GAAG;AAC9B,UAAM,IAAI,MAAM,qBAAqB,UAAU,EAAE;AAAA,EACnD;AAEA,QAAM,MAAS,gBAAa,YAAY,MAAM;AAE9C,MAAI;AAEJ,MAAI;AACF,aAAS,KAAK,MAAM,GAAG;AAAA,EACzB,QAAQ;AACN,UAAM,IAAI;AAAA,MACR,qCAAqC,UAAU;AAAA,IACjD;AAAA,EACF;AAKA,MAAI,CAAC,UAAU,OAAO,WAAW,UAAU;AACzC,UAAM,IAAI;AAAA,MACR,sCAAsC,UAAU;AAAA,IAClD;AAAA,EACF;AAKA,MAAI,CAAC,OAAO,eAAe;AACzB,UAAM,IAAI;AAAA,MACR,6DAA6D,UAAU;AAAA,IACzE;AAAA,EACF;AAEA,MAAI,OAAO,gBAAgB;AACzB,UAAM,IAAI;AAAA,MACR,4DAA4D,UAAU;AAAA,IACxE;AAAA,EACF;AAKA,MAAI,CAAC,OAAO,eAAe;AACzB,UAAM,IAAI;AAAA,MACR,4CAA4C,UAAU;AAAA,IACxD;AAAA,EACF;AAEA,MAAI,OAAO,gBAAgB;AACzB,UAAM,IAAI;AAAA,MACR,4DAA4D,UAAU;AAAA,IACxE;AAAA,EACF;AAEA,SAAO;AACT;;;ACzDO,SAAS,sBACd,SACA,QACM;AAGN,QAAM,SAAS,OAAO;AAEtB,MAAI,CAAC,UAAU,OAAO,WAAW,UAAU;AACzC,UAAM,IAAI,MAAM,kDAAkD;AAAA,EACpE;AAEA,MAAI,CAAC,WAAW,OAAO,YAAY,UAAU;AAC3C,UAAM,IAAI,MAAM,oDAAoD;AAAA,EACtE;AAGA,aAAW,OAAO,OAAO,KAAK,OAAO,GAAG;AACtC,QAAI,CAAC,OAAO,UAAU,eAAe,KAAK,QAAQ,GAAG,GAAG;AACtD,YAAM,IAAI,MAAM,6BAA6B,GAAG,EAAE;AAAA,IACpD;AAAA,EACF;AAGA,aAAW,OAAO,OAAO,KAAK,MAAM,GAAG;AAErC,UAAM,MAAM,OAAO,GAAG;AACtB,UAAM,QAAQ,QAAQ,GAAG;AAEzB,UAAM,aAAa,IAAI,aAAa;AAEpC,QAAI,UAAU,QAAW;AACvB,UAAI,YAAY;AACd,cAAM,IAAI,MAAM,sCAAsC,GAAG,EAAE;AAAA,MAC7D;AACA;AAAA,IACF;AAEA,QAAI,CAAC,KAAK,MAAM;AACd,YAAM,IAAI,MAAM,wCAAwC,GAAG,EAAE;AAAA,IAC/D;AAEA,YAAQ,IAAI,MAAM;AAAA,MAEhB,KAAK;AACH,YAAI,OAAO,UAAU,WAAW;AAC9B,gBAAM,IAAI,MAAM,aAAa,GAAG,kBAAkB;AAAA,QACpD;AACA;AAAA,MAEF,KAAK;AACH,YAAI,OAAO,UAAU,YAAY,CAAC,OAAO,UAAU,KAAK,GAAG;AACzD,gBAAM,IAAI,MAAM,aAAa,GAAG,kBAAkB;AAAA,QACpD;AACA;AAAA,MAEF,KAAK;AACH,YAAI,OAAO,UAAU,UAAU;AAC7B,gBAAM,IAAI,MAAM,aAAa,GAAG,iBAAiB;AAAA,QACnD;AACA;AAAA,MAEF,KAAK;AACH,YAAI,OAAO,UAAU,UAAU;AAC7B,gBAAM,IAAI,MAAM,aAAa,GAAG,sBAAsB;AAAA,QACxD;AAEA,YAAI,CAAC,MAAM,QAAQ,IAAI,MAAM,KAAK,IAAI,OAAO,WAAW,GAAG;AACzD,gBAAM,IAAI,MAAM,aAAa,GAAG,sBAAsB;AAAA,QACxD;AAEA,YAAI,CAAC,IAAI,OAAO,SAAS,KAAK,GAA
G;AAC/B,gBAAM,IAAI;AAAA,YACR,+BAA+B,GAAG,KAAK,KAAK;AAAA,UAC9C;AAAA,QACF;AACA;AAAA,MAEF;AACE,cAAM,IAAI,MAAM,sCAAsC,IAAI,IAAI,EAAE;AAAA,IACpE;AAAA,EACF;AACF;;;ACnEO,SAAS,eACd,UACA,eACA,SACA,iBAAgB,oBAAI,KAAK,GAAE,YAAY,GACzB;AAKd,QAAM,SACJ,WAAW,UAAU,aAAa;AAKpC,wBAAsB,SAAS,MAAM;AAKrC,QAAM,WACJ,eAAe,QAAQ,OAAO;AAKhC,SAAO;AAAA,IACL,WAAW;AAAA,IACX,gBAAgB;AAAA,IAChB,gBAAgB;AAAA,IAEhB;AAAA;AAAA,IAEA,YAAY,CAAC;AAAA,IAEb,UAAU;AAAA,IACV,SAAS;AAAA,IAET,cAAc;AAAA,EAChB;AACF;;;ACrDO,IAAM,qBAAqB;AAAA,EAChC,WAAW;AAAA,IACT,IAAI;AAAA,IACJ,aAAa;AAAA,IACb,UAAU;AAAA,EACZ;AAAA,EACA,WAAW;AAAA,IACT,IAAI;AAAA,IACJ,aAAa;AAAA,IACb,UAAU;AAAA,EACZ;AAAA,EACA,WAAW;AAAA,IACT,IAAI;AAAA,IACJ,aAAa;AAAA,IACb,UAAU;AAAA,EACZ;AAAA,EACA,WAAW;AAAA,IACT,IAAI;AAAA,IACJ,aAAa;AAAA,IACb,UAAU,CAAC,gBAAgB,SAAS;AAAA,EACtC;AAAA,EACA,WAAW;AAAA,IACT,IAAI;AAAA,IACJ,aAAa;AAAA,IACb,UAAU;AAAA,EACZ;AAAA,EACA,WAAW;AAAA,IACT,IAAI;AAAA,IACJ,aAAa;AAAA,IACb,UAAU;AAAA,EACZ;AAAA,EACA,WAAW;AAAA,IACT,IAAI;AAAA,IACJ,aAAa;AAAA,IACb,UAAU;AAAA,EACZ;AAAA,EACA,WAAW;AAAA,IACT,IAAI;AAAA,IACJ,aAAa;AAAA,IACb,UAAU;AAAA,EACZ;AAAA,EACA,WAAW;AAAA,IACT,IAAI;AAAA,IACJ,aAAa;AAAA,IACb,UAAU;AAAA,EACZ;AAAA,EACA,WAAW;AAAA,IACT,IAAI;AAAA,IACJ,aAAa;AAAA,IACb,UAAU;AAAA,EACZ;AAAA,EACA,WAAW;AAAA,IACT,IAAI;AAAA,IACJ,aAAa;AAAA,IACb,UAAU;AAAA,EACZ;AAAA,EACA,WAAW;AAAA,IACT,IAAI;AAAA,IACJ,aAAa;AAAA,IACb,UAAU;AAAA,EACZ;AAAA,EACA,WAAW;AAAA,IACT,IAAI;AAAA,IACJ,aAAa;AAAA,IACb,UAAU;AAAA,EACZ;AAAA,EACA,WAAW;AAAA,IACT,IAAI;AAAA,IACJ,aAAa;AAAA,IACb,UAAU;AAAA,EACZ;AAAA,EACA,WAAW;AAAA,IACT,IAAI;AAAA,IACJ,aAAa;AAAA,IACb,UAAU;AAAA,EACZ;AAAA,EACA,WAAW;AAAA,IACT,IAAI;AAAA,IACJ,aAAa;AAAA,IACb,UAAU,CAAC,UAAU,UAAU,SAAS;AAAA,EAC1C;AAAA,EACA,WAAW;AAAA,IACT,IAAI;AAAA,IACJ,aAAa;AAAA,IACb,UAAU;AAAA,EACZ;AAAA,EACA,WAAW;AAAA,IACT,IAAI;AAAA,IACJ,aAAa;AAAA,IACb,UAAU;AAAA,EACZ;AAAA,EACA,WAAW;AAAA,IACT,IAAI;AAAA,IACJ,aAAa;AAAA,IACb,UAAU;AAAA,EACZ;AAAA,EACA,WAAW;AAAA,IACT,IAAI;AAAA,IACJ,aAAa;AAAA,IACb,UAAU;AAAA,EACZ;AAAA,EACA,WAAW;AAAA,IACT,IAAI;AAAA,IACJ,aAAa;AAAA,IACb,UAAU;AAAA,EACZ;AAAA,E
ACA,WAAW;AAAA,IACT,IAAI;AAAA,IACJ,aAAa;AAAA,IACb,UAAU;AAAA,EACZ;AAAA,EACA,WAAW;AAAA,IACT,IAAI;AAAA,IACJ,aAAa;AAAA,IACb,UAAU;AAAA,EACZ;AAAA,EACA,WAAW;AAAA,IACT,IAAI;AAAA,IACJ,aAAa;AAAA,IACb,UAAU;AAAA,EACZ;AAAA,EACA,WAAW;AAAA,IACT,IAAI;AAAA,IACJ,aAAa;AAAA,IACb,UAAU;AAAA,EACZ;AAAA,EACA,WAAW;AAAA,IACT,IAAI;AAAA,IACJ,aAAa;AAAA,IACb,UAAU;AAAA,EACZ;AAAA,EACA,WAAW;AAAA,IACT,IAAI;AAAA,IACJ,aAAa;AAAA,IACb,UAAU;AAAA,EACZ;AAAA,EACA,WAAW;AAAA,IACT,IAAI;AAAA,IACJ,aAAa;AAAA,IACb,UAAU;AAAA,EACZ;AAAA,EACA,WAAW;AAAA,IACT,IAAI;AAAA,IACJ,aAAa;AAAA,IACb,UAAU;AAAA,EACZ;AAAA,EACA,WAAW;AAAA,IACT,IAAI;AAAA,IACJ,aAAa;AAAA,IACb,UAAU;AAAA,EACZ;AAAA,EACA,WAAW;AAAA,IACT,IAAI;AAAA,IACJ,aAAa;AAAA,IACb,UAAU;AAAA,EACZ;AAAA,EACA,WAAW;AAAA,IACT,IAAI;AAAA,IACJ,aAAa;AAAA,IACb,UAAU;AAAA,EACZ;AAAA,EACA,WAAW;AAAA,IACT,IAAI;AAAA,IACJ,aAAa;AAAA,IACb,UAAU;AAAA,EACZ;AAAA,EACA,WAAW;AAAA,IACT,IAAI;AAAA,IACJ,aAAa;AAAA,IACb,UAAU;AAAA,EACZ;AAAA,EACA,WAAW;AAAA,IACT,IAAI;AAAA,IACJ,aAAa;AAAA,IACb,UAAU;AAAA,EACZ;AAAA,EACA,WAAW;AAAA,IACT,IAAI;AAAA,IACJ,aAAa;AAAA,IACb,UAAU;AAAA,EACZ;AAAA,EACA,WAAW;AAAA,IACT,IAAI;AAAA,IACJ,aAAa;AAAA,IACb,UAAU;AAAA,EACZ;AAAA,EACA,WAAW;AAAA,IACT,IAAI;AAAA,IACJ,aAAa;AAAA,IACb,UAAU;AAAA,EACZ;AAAA,EACA,WAAW;AAAA,IACT,IAAI;AAAA,IACJ,aAAa;AAAA,IACb,UAAU;AAAA,EACZ;AAAA,EACA,WAAW;AAAA,IACT,IAAI;AAAA,IACJ,aAAa;AAAA,IACb,UAAU;AAAA,EACZ;AAAA,EACA,WAAW;AAAA,IACT,IAAI;AAAA,IACJ,aAAa;AAAA,IACb,UAAU;AAAA,EACZ;AAAA,EACA,WAAW;AAAA,IACT,IAAI;AAAA,IACJ,aAAa;AAAA,IACb,UAAU;AAAA,EACZ;AAAA,EACA,WAAW;AAAA,IACT,IAAI;AAAA,IACJ,aAAa;AAAA,IACb,UAAU;AAAA,EACZ;AAAA,EACA,WAAW;AAAA,IACT,IAAI;AAAA,IACJ,aAAa;AAAA,IACb,UAAU;AAAA,EACZ;AAAA,EACA,WAAW;AAAA,IACT,IAAI;AAAA,IACJ,aAAa;AAAA,IACb,UAAU;AAAA,EACZ;AAAA,EACA,WAAW;AAAA,IACT,IAAI;AAAA,IACJ,aAAa;AAAA,IACb,UAAU,CAAC,UAAU,UAAU,SAAS;AAAA,EAC1C;AAAA,EACA,WAAW;AAAA,IACT,IAAI;AAAA,IACJ,aAAa;AAAA,IACb,UAAU;AAAA,EACZ;AAAA,EACA,WAAW;AAAA,IACT,IAAI;AAAA,IACJ,aAAa;AAAA,IACb,UAAU;AAAA,EACZ;AAAA,EACA,YAAY;AAAA,IACV,IAAI;AAAA,IACJ,aAAa;AAAA,IACb,UAAU;AAAA,EACZ;AAAA,EACA,YAAY;AAAA,IACV,
IAAI;AAAA,IACJ,aAAa;AAAA,IACb,UAAU,CAAC,UAAU,UAAU,WAAW,MAAM;AAAA,EAClD;AACF;;;AChRA,YAAYC,aAAY;AAoBxB,IAAI,OAAO;AAQJ,IAAM,qBAAN,cAAiC,MAAM;AAAA,EAG5C,YAAY,QAAyB;AACnC,UAAM,IAAI,OAAO,YAAY,IAAI,OAAO,QAAQ,KAAK,OAAO,MAAM,EAAE;AACpE,SAAK,OAAO;AACZ,SAAK,SAAS;AAAA,EAChB;AACF;AAMO,SAAS,UAAU,OAAwB;AAChD,QAAM,QACJ,OAAO,UAAU,WACb,QACA,KAAK,UAAU,KAAK,KAAK;AAE/B,SACG,mBAAW,QAAQ,EACnB,OAAO,OAAO,MAAM,EACpB,OAAO,KAAK;AACjB;AAWO,SAAS,QACd,cACA,UACA,QACA,OACO;AACP,QAAM,IAAI,mBAAmB;AAAA,IAC3B;AAAA,IACA;AAAA,IACA;AAAA,IACA,YAAY,UAAU,KAAK;AAAA,IAC3B,eAAe,EAAE;AAAA,EACnB,CAAC;AACH;;;AC1DO,IAAM,oBAAoB;AAAA,EAC/B;AAAA,EACA;AACF;AAMO,IAAM,qBAAqB;AAAA,EAChC;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AACF;AAaO,SAAS,cAAc,UAA2B;AACvD,MAAI,YAAY,SAAS,SAAS,GAAG;AACnC,WAAO;AAAA,EACT;AACA,UAAO,oBAAI,KAAK,GAAE,YAAY;AAChC;;;AC/CA,YAAYC,aAAY;;;ACOxB,eAAsB,iBACpB,SACA,YAC+B;AAG/B,QAAM,WAAW;AAAA,IACf,QAAQ,MAAM;AAAA,EAChB;AAGA,QAAM,cAAc,IAAI,kBAAkB;AAE1C,SAAO,gBAAgB,SAAS,WAAW;AAC7C;;;ACzBO,SAASC,cAAa,OAAoB;AAC/C,SAAO,KAAK,UAAU,UAAU,KAAK,CAAC;AACxC;AAEA,SAAS,UAAU,OAAiB;AAClC,MAAI,MAAM,QAAQ,KAAK,GAAG;AACxB,WAAO,MAAM,IAAI,SAAS;AAAA,EAC5B;AAEA,MAAI,SAAS,OAAO,UAAU,UAAU;AACtC,UAAM,SAA8B,CAAC;AAErC,eAAW,OAAO,OAAO,KAAK,KAAK,EAAE,KAAK,GAAG;AAC3C,aAAO,GAAG,IAAI,UAAU,MAAM,GAAG,CAAC;AAAA,IACpC;AAEA,WAAO;AAAA,EACT;AAEA,SAAO;AACT;;;AFAA,eAAsB,mBACpB,OAMA,QACA,UACA,aAKA;AACA,MAAI;AAKF,UAAM,SAAS;AAAA,MACb,MAAM;AAAA,MACN,MAAM;AAAA,IACR;AAKA;AAAA,MACE,MAAM;AAAA,MACN;AAAA,IACF;AAKA,UAAM,WACJ;AAAA,MACE;AAAA,MACA,MAAM;AAAA,IACR;AAKF,QACE,SAAS,WAAW,aACpB,CAAC,SAAS,SACV;AAEA,YAAM,IAAI;AAAA,QACR;AAAA,MACF;AAAA,IACF;AAEA,QAAI,CAAC,SAAS,SAAS;AAErB,YAAM,IAAI;AAAA,QACR;AAAA,MACF;AAAA,IACF;AAKA,UAAM,mBACJC;AAAA,MACE,MAAM;AAAA,IACR;AAKF,UAAM,cACH,mBAAW,QAAQ,EACnB;AAAA,MACC,KAAK,UAAU;AAAA,QACb,UACE,MAAM;AAAA,QAER,eACE,MAAM;AAAA,QAER,SACE;AAAA,MACJ,CAAC;AAAA,IACH,EACC,OAAO,KAAK;AAKf,UAAM,kBACJ,mBAAmB;AAKrB,UAAM,QAAQ,WAAW;AAAA,MAEvB,cACE;AAAA,MAEF,WACE,MAAM;AAAA,MAER,kBACE,SAAS;AAAA,MAEX,gBACE,OAAO;AAAA,MAET,iBACE,gBAAgB;AAAA,IACpB,CAAC;AAE
D,UAAM,iBACJ;AAAA,MACE;AAAA,MACA;AAAA,IACF;AAKF,UAAM,sBAAsB;AAAA,MAE1B,uBAAuB,CAAC;AAAA,MAExB,4BAA4B;AAAA,QAC1B,gBAAgB;AAAA,MAClB;AAAA,MAEA,2BAA2B;AAAA,QACzB,OAAO;AAAA,MACT;AAAA,IACF;AAKA,UAAM,SACJ,SAAS,QAAQ;AAEnB,UAAM,mBACJ,SAAS,QAAQ;AAEnB,QAAI;AAKJ,QAAI,kBAAkB;AAEpB,wBACE;AAAA,IAEJ,OAAO;AAEL,wBACE,WAAW,YACP,cACA;AAAA,IACR;AAKA,QACE,oBACA,oBACA;AAEA,UAAI,CAAC,YAAY,KAAK;AAEpB,cAAM,IAAI;AAAA,UACR;AAAA,QACF;AAAA,MACF;AAEA,YAAM,YAAY;AAAA,QAChB,WAAW,WAAW;AAAA,QAEtB,KAAK,UAAU;AAAA,UAEb;AAAA,UAEA,iBACE;AAAA,UAEF,kBACE;AAAA,UAEF,sBACE;AAAA,QACJ,CAAC;AAAA,MACH;AAEA,YAAMC,eACmB;AAAA,QAEvB,cACE;AAAA,QAEF,UACE,SAAS;AAAA,QAEX,iBACE;AAAA,QAEF,cACE,gBAAgB;AAAA,QAElB,WACE;AAAA,MACJ;AAEA,aAAO;AAAA,QAEL,QACE;AAAA,QAEF,cACE;AAAA,QAEF;AAAA,QAEA,mBACE;AAAA,QAEF,aAAAA;AAAA,MACF;AAAA,IACF;AAKA,QAAI;AAEJ,QAAI;AAEF,kBACE,MAAM;AAAA,QACJ;AAAA,UACE;AAAA,UAEA,iBACE;AAAA,UAEF;AAAA,UAEA;AAAA,UAEA,kBACE;AAAA,UAEF,sBACE;AAAA,QACJ;AAAA,QAEA;AAAA,MACF;AAAA,IAEJ,SAAS,KAAK;AAEZ,YAAM,UACJ,eAAe,QACX,IAAI,UACJ;AAKN,UACE,QAAQ;AAAA,QACN;AAAA,MACF,GACA;AAEA,eAAO;AAAA,UAEL,QACE;AAAA,UAEF,cACE;AAAA,UAEF;AAAA,UAEA;AAAA,UAEA,mBACE;AAAA,UAEF,QACE;AAAA,QACJ;AAAA,MACF;AAEA,YAAM;AAAA,IACR;AAKA,UAAM,cACmB;AAAA,MAEvB,cACE;AAAA,MAEF,UACE,SAAS;AAAA,MAEX;AAAA,MAEA,cACE,gBAAgB;AAAA,MAElB,WACE,UAAU;AAAA,IACd;AAKA,WAAO;AAAA,MAEL,QACE;AAAA,MAEF,cACE;AAAA,MAEF;AAAA,MAEA;AAAA,MAEA,mBACE;AAAA,MAEF,WACE,UAAU;AAAA,MAEZ;AAAA,IACF;AAAA,EAEF,SAAS,KAAc;AAErB,WAAO;AAAA,MAEL,QACE;AAAA,MAEF,OACE,eAAe,QACX,IAAI,UACJ;AAAA,IACR;AAAA,EACF;AACF;;;AGrWA,eAAsB,aACpB,SAMA,QACA,UACA,aACA;AAEA,QAAM,UAAU,CAAC;AAEjB,aAAW,UAAU,SAAS;AAE5B,QAAI;AAEF,YAAM,SACJ,MAAM;AAAA,QACJ;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,MACF;AAEF,cAAQ,KAAK;AAAA,QACX,OAAO;AAAA,QACP;AAAA,MACF,CAAC;AAAA,IAEH,SAAS,KAAc;AAErB,cAAQ,KAAK;AAAA,QACX,OAAO;AAAA,QACP,QAAQ;AAAA,UACN,QAAQ;AAAA,UACR,OACE,eAAe,QACX,IAAI,UACJ;AAAA,QACR;AAAA,MACF,CAAC;AAAA,IAEH;AAAA,EACF;AAEA,SAAO;AACT;;;ACvEA,OAAO,WAAW;AAUX,IAAM,mBAAN,MACuB;AAAA,EAI5B,YACE,KACA;AAEA,SAAK,SACH,IAAK,MAAc,GAAG;AAAA,EAC1B;AAAA,EAEA,
MAAM,YACJ,aACkB;AAElB,UAAM,MACJ,MAAM,KAAK,OAAO;AAAA,MAChB,QAAQ,WAAW;AAAA,IACrB;AAEF,WAAO,QAAQ;AAAA,EACjB;AAAA,EAEA,MAAM,aACJ,aACe;AAEf,UAAM,SACJ,MAAM,KAAK,OAAO;AAAA,MAChB,QAAQ,WAAW;AAAA,MACnB;AAAA,MACA;AAAA,IACF;AAEF,QAAI,WAAW,MAAM;AAEnB,YAAM,IAAI;AAAA,QACR,kDAAkD,WAAW;AAAA,MAC/D;AAAA,IACF;AAAA,EACF;AAAA,EAEA,MAAM,IACJ,KACwB;AAExB,WAAO,KAAK,OAAO,IAAI,GAAG;AAAA,EAC5B;AAAA,EAEA,MAAM,IACJ,KACA,OACe;AAEf,UAAM,KAAK,OAAO;AAAA,MAChB;AAAA,MACA;AAAA,IACF;AAAA,EACF;AAAA,EAEA,MAAM,IACJ,KACe;AAEf,UAAM,KAAK,OAAO,IAAI,GAAG;AAAA,EAC3B;AAAA,EAEA,MAAM,QAAuB;AAE3B,UAAM,KAAK,OAAO,KAAK;AAAA,EACzB;AACF;;;AC7EA,eAAsB,gBACpB,aACA,aAIA,QACA,UACA;AAIA,QAAM,MAAM,MAAM,YAAY,IAAI,WAAW,WAAW,EAAE;AAE1D,MAAI,CAAC,KAAK;AACR,UAAM,IAAI;AAAA,MACR,4CAA4C,WAAW;AAAA,IACzD;AAAA,EACF;AAEA,QAAM,SAAS,KAAK,MAAM,GAAG;AAK7B,QAAM,YAAY,MAAM;AAAA,IACtB;AAAA,MACE,OAAO,OAAO;AAAA,MACd,iBAAiB,OAAO;AAAA,MACxB;AAAA,MACA;AAAA,MACA,kBAAkB,OAAO;AAAA,MACzB,sBAAsB,OAAO;AAAA,IAC/B;AAAA,IACA;AAAA,EACF;AAKA,QAAM,YAAY,IAAI,WAAW,WAAW,EAAE;AAK9C,SAAO;AAAA,IACL,QAAQ;AAAA,IACR,cAAc;AAAA,IACd,WAAW,UAAU;AAAA,IACrB,UAAU;AAAA,EACZ;AACF;","names":["canonicalize","canonicalize","canonicalize","canonicalize","crypto","crypto","crypto","crypto","canonicalize","canonicalize","attestation"]}
|
|
1
|
+
{"version":3,"sources":["../src/issue-token.ts","../src/canonical-signing.ts","../src/sign-token.ts","../src/verify-token.ts","../src/verify-runtime.ts","../src/execution-attestation.ts","../src/pipeline.ts","../src/memory-replay-store.ts","../src/execute.ts","../src/verify-audit.ts","../src/hash-runtime.ts","../src/runtime-manifest.ts","../src/sign-runtime-manifest.ts","../src/verify-runtime-manifest.ts","../src/local-signer.ts","../src/local-verifier.ts","../src/evaluator.ts","../src/load-policy.ts","../src/validate-signals.ts","../src/dry-run.ts","../src/invariant-registry.ts","../src/violation.ts","../src/sealed-vm.ts","../src/execute-from-signals.ts","../src/execute-with-redis.ts","../src/canonical-json.ts","../src/execute-batch.ts","../src/redis-replay-store.ts","../src/resolve-override.ts"],"sourcesContent":["import type { ExecutionToken } from \"./execution-token.js\";\r\n\r\n/**\r\n * 🔐 Issue Execution Token (FINAL)\r\n * Fully deterministic — caller provides execution_id\r\n */\r\nexport function issueToken(input: {\r\n execution_id: string;\r\n policy_id: string;\r\n decision_payload: any;\r\n schema_version: string;\r\n runtime_version: string;\r\n}): ExecutionToken {\r\n\r\n const {\r\n execution_id,\r\n policy_id,\r\n decision_payload,\r\n schema_version,\r\n runtime_version\r\n } = input;\r\n\r\n if (!schema_version) {\r\n throw new Error(\"Invalid token: schema_version missing\");\r\n }\r\n\r\n if (!runtime_version) {\r\n throw new Error(\"Invalid token: runtime_version missing\");\r\n }\r\n\r\n const token: ExecutionToken = {\r\n execution_id,\r\n policy_id,\r\n decision_payload,\r\n schema_version,\r\n runtime_version\r\n };\r\n\r\n return canonicalize(token);\r\n}\r\n\r\n/**\r\n * 🔒 Local canonicalization\r\n */\r\nfunction canonicalize(obj: any): any {\r\n if (Array.isArray(obj)) {\r\n return obj.map(canonicalize);\r\n }\r\n\r\n if (obj !== null && typeof obj === \"object\") {\r\n return Object.keys(obj)\r\n .sort()\r\n .reduce((acc: any, key) 
=> {\r\n acc[key] = canonicalize(obj[key]);\r\n return acc;\r\n }, {});\r\n }\r\n\r\n return obj;\r\n}\r\n","import {\r\n canonicalize,\r\n} from \"@parmanasystems/bundle\";\r\n\r\n/**\r\n * Returns the canonical JSON string for `value` as used by all signing and\r\n * verification operations in the execution package. Delegates to the bundle\r\n * package's `canonicalize` so the representation is consistent across packages.\r\n */\r\nexport function canonicalizeForSigning(\r\n value: unknown\r\n): string {\r\n\r\n return canonicalize(value);\r\n}\r\n\r\n\r\n\r\n\r\n","import {\r\n canonicalizeForSigning\r\n} from \"./canonical-signing.js\";\r\n\r\nimport type {\r\n ExecutionToken,\r\n} from \"./execution-token.js\";\r\n\r\nimport type {\r\n Signer,\r\n} from \"./signer-interface.js\";\r\n\r\n/**\r\n * Signs the canonical form of `token` with `signer` and returns a\r\n * base64-encoded Ed25519 signature.\r\n */\r\nexport function signExecutionToken(\r\n token: ExecutionToken,\r\n signer: Signer\r\n): string {\r\n\r\n const canonical = canonicalizeForSigning(token);\r\n\r\n // 🔍 DEBUG (temporary)\r\nconsole.log(\"SIGN TOKEN:\", canonical);\r\n\r\n return signer.sign(canonical);\r\n}\r\n","import {\r\n canonicalizeForSigning\r\n} from \"./canonical-signing.js\";\r\n\r\nimport type {\r\n ExecutionToken,\r\n} from \"./execution-token.js\";\r\n\r\nimport type {\r\n Verifier,\r\n} from \"./verifier-interface.js\";\r\n\r\nexport function verifyExecutionToken(\r\n token: ExecutionToken,\r\n signature: string,\r\n verifier: Verifier\r\n): boolean {\r\n\r\n const canonical = canonicalizeForSigning(token);\r\n\r\n // 🔍 DEBUG (temporary)\r\n console.log(\"VERIFY TOKEN:\", canonical);\r\n\r\n return verifier.verify(\r\n canonical,\r\n signature\r\n );\r\n}\r\n","import {\r\n validatePolicy,\r\n} from \"@parmanasystems/governance\";\r\n\r\n/**\r\n * Validates that `policyId` passes full bundle and signature verification.\r\n * Delegates to {@link validatePolicy} and throws if 
validation fails.\r\n *\r\n * @throws When the policy does not exist or any version fails verification.\r\n */\r\nexport function verifyRuntimePolicy(\r\n policyId: string\r\n): void {\r\n const valid =\r\n validatePolicy(\r\n policyId\r\n );\r\n\r\n if (!valid) {\r\n throw new Error(\r\n `Runtime verification failed for policy: ${policyId}`\r\n );\r\n }\r\n}\r\n\r\n\r\n\r\n\r\n","export interface ExecutionAttestation {\r\n\r\n execution_id: string;\r\n\r\n policy_id: string;\r\n\r\n policy_version: string;\r\n\r\n decision: {\r\n action: \"approve\" | \"reject\";\r\n requires_override: boolean;\r\n reason?: string;\r\n };\r\n\r\n execution_state:\r\n \"completed\" |\r\n \"blocked\" |\r\n \"pending_override\";\r\n\r\n signature: string;\r\n\r\n runtime_hash: string;\r\n}\r\n\r\n/**\r\n * Deterministic attestation canonicalization\r\n *\r\n * Used for:\r\n * - attestation signing\r\n * - independent verification\r\n * - reproducibility proofs\r\n */\r\nexport function canonicalizeAttestation(\r\n attestation: {\r\n execution_id: string;\r\n policy_id: string;\r\n policy_version: string;\r\n decision: any;\r\n execution_state: string;\r\n runtime_hash: string;\r\n }\r\n): string {\r\n\r\n return JSON.stringify(\r\n canonicalize(\r\n attestation\r\n )\r\n );\r\n}\r\n\r\n/**\r\n * Deterministic recursive canonicalization\r\n */\r\nfunction canonicalize(\r\n obj: any\r\n): any {\r\n\r\n if (Array.isArray(obj)) {\r\n\r\n return obj.map(\r\n canonicalize\r\n );\r\n }\r\n\r\n if (\r\n obj !== null\r\n &&\r\n typeof obj === \"object\"\r\n ) {\r\n\r\n return Object\r\n .keys(obj)\r\n .sort()\r\n .reduce(\r\n (\r\n acc: any,\r\n key\r\n ) => {\r\n\r\n acc[key] =\r\n canonicalize(\r\n obj[key]\r\n );\r\n\r\n return acc;\r\n },\r\n {}\r\n );\r\n }\r\n\r\n return obj;\r\n}","import { canonicalizeForSigning }\r\n from \"./canonical-signing.js\";\r\n\r\nimport {\r\n canonicalizeAttestation\r\n} from \"./execution-attestation.js\";\r\n\r\nimport type {\r\n ExecutionToken\r\n} from 
\"./execution-token.js\";\r\n\r\n/**\r\n * 🔒 Stage 1 — Verification\r\n */\r\nexport function stageVerify(\r\n token: ExecutionToken,\r\n\r\n token_signature: string,\r\n\r\n verifier: {\r\n verify: (\r\n data: Uint8Array,\r\n sig: Uint8Array\r\n ) => boolean\r\n },\r\n\r\n runtime_manifest: any,\r\n\r\n runtime_requirements: any\r\n): void {\r\n\r\n const valid =\r\n verifier.verify(\r\n\r\n Buffer.from(\r\n canonicalizeForSigning(\r\n token\r\n )\r\n ),\r\n\r\n Buffer.from(\r\n token_signature,\r\n \"base64\"\r\n )\r\n );\r\n\r\n if (!valid) {\r\n\r\n throw new Error(\r\n \"Invalid token signature\"\r\n );\r\n }\r\n\r\n // --------------------------------------------------\r\n // Runtime version validation\r\n // --------------------------------------------------\r\n\r\n if (\r\n !runtime_requirements?.supported_runtime_versions\r\n ||\r\n !runtime_requirements\r\n .supported_runtime_versions\r\n .includes(\r\n runtime_manifest.runtime_version\r\n )\r\n ) {\r\n\r\n throw new Error(\r\n \"Unsupported runtime version\"\r\n );\r\n }\r\n\r\n // --------------------------------------------------\r\n // Capability validation\r\n // --------------------------------------------------\r\n\r\n for (\r\n const cap\r\n of runtime_requirements\r\n ?.required_capabilities\r\n || []\r\n ) {\r\n\r\n if (\r\n !runtime_manifest\r\n .capabilities\r\n .includes(cap)\r\n ) {\r\n\r\n throw new Error(\r\n `Missing required capability: ${cap}`\r\n );\r\n }\r\n }\r\n\r\n // --------------------------------------------------\r\n // Schema version validation\r\n // --------------------------------------------------\r\n\r\n if (\r\n !runtime_requirements?.supported_schema_versions\r\n ||\r\n !runtime_requirements\r\n .supported_schema_versions\r\n .includes(\r\n token.schema_version\r\n )\r\n ) {\r\n\r\n throw new Error(\r\n \"Unsupported schema version\"\r\n );\r\n }\r\n}\r\n\r\n/**\r\n * 🔒 Stage 2 — Execution (ENFORCEMENT ONLY)\r\n */\r\nexport function stageExecute(\r\n token: 
ExecutionToken\r\n): void {\r\n\r\n // Deterministic enforcement only.\r\n // No decision generation here.\r\n}\r\n\r\n/**\r\n * 🔒 Stage 3 — Signing (DETERMINISTIC)\r\n */\r\nexport function stageSign(\r\n payload: {\r\n execution_id: string;\r\n\r\n policy_id: string;\r\n\r\n policy_version: string;\r\n\r\n decision: {\r\n action:\r\n \"approve\"\r\n | \"reject\";\r\n\r\n requires_override: boolean;\r\n\r\n reason?: string;\r\n };\r\n\r\n execution_state:\r\n \"completed\"\r\n | \"blocked\"\r\n | \"pending_override\";\r\n },\r\n\r\n signer: {\r\n sign: (\r\n payload: string\r\n ) => string\r\n },\r\n\r\n runtime_hash: string\r\n) {\r\n\r\n // --------------------------------------------------\r\n // Deterministic attestation payload\r\n // --------------------------------------------------\r\n\r\n const attestation = {\r\n\r\n execution_id:\r\n payload.execution_id,\r\n\r\n policy_id:\r\n payload.policy_id,\r\n\r\n policy_version:\r\n payload.policy_version,\r\n\r\n decision:\r\n payload.decision,\r\n\r\n execution_state:\r\n payload.execution_state,\r\n\r\n runtime_hash\r\n };\r\n\r\n // --------------------------------------------------\r\n // Deterministic canonicalization\r\n // --------------------------------------------------\r\n\r\n const canonical =\r\n canonicalizeAttestation(\r\n attestation\r\n );\r\n\r\n // --------------------------------------------------\r\n // Deterministic signature\r\n // --------------------------------------------------\r\n\r\n const signature =\r\n signer.sign(\r\n canonical\r\n );\r\n\r\n // --------------------------------------------------\r\n // Final attestation\r\n // --------------------------------------------------\r\n\r\n return {\r\n\r\n execution_id:\r\n payload.execution_id,\r\n\r\n policy_id:\r\n payload.policy_id,\r\n\r\n policy_version:\r\n payload.policy_version,\r\n\r\n decision:\r\n payload.decision,\r\n\r\n execution_state:\r\n payload.execution_state,\r\n\r\n signature,\r\n\r\n runtime_hash\r\n 
};\r\n}","import type { ReplayStore } from \"./replay-store-interface.js\";\r\n\r\n/**\r\n * 🔒 In-memory replay protection\r\n */\r\nexport class MemoryReplayStore implements ReplayStore {\r\n private store = new Set<string>();\r\n\r\n markExecuted(execution_id: string): void {\r\n if (this.store.has(execution_id)) {\r\n throw new Error(\"Replay attack detected\");\r\n }\r\n\r\n this.store.add(execution_id);\r\n }\r\n}\r\n","import {\r\n stageVerify,\r\n stageExecute,\r\n stageSign\r\n} from \"./pipeline.js\";\r\n\r\nimport { MemoryReplayStore } from \"./memory-replay-store.js\";\r\n\r\nimport type { ExecutionContext } from \"./execution-context.js\";\r\nimport type { ReplayStore } from \"./replay-store-interface.js\";\r\nimport type { ExecutionAttestation } from \"./execution-attestation.js\";\r\n\r\n/**\r\n * 🔴 CORE EXECUTION (FULLY DETERMINISTIC)\r\n *\r\n * Principles:\r\n * - NO time dependency\r\n * - replay is enforced\r\n * - decision is precomputed (token-driven)\r\n * - execution is enforcement only\r\n */\r\nexport function executeDecision(\r\n context: ExecutionContext,\r\n replayStore: ReplayStore\r\n): ExecutionAttestation {\r\n\r\n const {\r\n token,\r\n token_signature,\r\n signer,\r\n verifier,\r\n runtime_manifest,\r\n runtime_requirements\r\n } = context;\r\n\r\n // -----------------------------\r\n // Stage 1 — Verification\r\n // -----------------------------\r\n stageVerify(\r\n token,\r\n token_signature,\r\n verifier,\r\n runtime_manifest,\r\n runtime_requirements\r\n );\r\n\r\n // -----------------------------\r\n // Replay protection\r\n // -----------------------------\r\n const store =\r\n replayStore ??\r\n new MemoryReplayStore();\r\n\r\n if (!context.auditMode) {\r\n\r\n store.markExecuted(\r\n token.execution_id\r\n );\r\n }\r\n\r\n // -----------------------------\r\n // Stage 2 — Execution (side-effect / noop)\r\n // -----------------------------\r\n stageExecute(token);\r\n\r\n // -----------------------------\r\n // Derive 
decision + execution state\r\n // -----------------------------\r\n const decision =\r\n token.decision_payload;\r\n\r\n const execution_state:\r\n \"completed\" |\r\n \"blocked\" |\r\n \"pending_override\" =\r\n\r\n decision.requires_override\r\n ? \"pending_override\"\r\n : decision.action === \"approve\"\r\n ? \"completed\"\r\n : \"blocked\";\r\n\r\n // -----------------------------\r\n // Stage 3 — Signing (attestation)\r\n // -----------------------------\r\n return stageSign(\r\n {\r\n execution_id:\r\n token.execution_id,\r\n\r\n policy_id:\r\n token.policy_id,\r\n\r\n policy_version:\r\n token.schema_version,\r\n\r\n decision,\r\n\r\n execution_state\r\n },\r\n signer,\r\n runtime_manifest.runtime_hash\r\n );\r\n}","import {\r\n canonicalizeForSigning\r\n} from \"./canonical-signing.js\";\r\n\r\nimport type {\r\n Verifier,\r\n} from \"./verifier-interface.js\";\r\n\r\n/** A single audit log entry with arbitrary governance fields. */\r\nexport interface AuditEntry {\r\n [key: string]: unknown;\r\n}\r\n\r\n/**\r\n * Verifies that `signature` (base64 Ed25519) was produced over the canonical\r\n * form of `entry` by the authority whose key `verifier` holds.\r\n */\r\nexport function verifyAuditEntry(\r\n entry: AuditEntry,\r\n signature: string,\r\n verifier: Verifier\r\n): boolean {\r\n\r\n return verifier.verify(\r\n canonicalizeForSigning(entry),\r\n signature\r\n );\r\n}\r\n\r\n/**\r\n * Placeholder for full audit-chain integrity verification.\r\n * A complete implementation would re-hash every JSONL record and validate\r\n * the `previous_record_hash` linkage.\r\n *\r\n * @returns `true` — full chain verification is not yet implemented.\r\n */\r\nexport function verifyAuditChain(): boolean {\r\n return true;\r\n}\r\n\r\n\r\n\r\n\r\n","import * as crypto from \"node:crypto\";\r\n\r\nimport {\r\n canonicalize,\r\n} from \"@parmanasystems/bundle\";\r\n\r\n/**\r\n * The static portion of the runtime manifest (everything except `runtime_hash`).\r\n * Used both 
as the canonical source of capability declarations and as the input\r\n * to {@link hashRuntime}.\r\n */\r\nexport const runtimeManifestDefinition = {\r\n runtime_version:\r\n \"1.0.0\",\r\n\r\n supported_schema_versions: [\r\n \"1.0.0\",\r\n ],\r\n\r\n capabilities: [\r\n \"deterministic-evaluation\",\r\n \"attestation-signing\",\r\n \"replay-protection\",\r\n \"bundle-verification\",\r\n ],\r\n} as const;\r\n\r\n/**\r\n * Returns the SHA-256 hex digest of the canonicalized {@link runtimeManifestDefinition}.\r\n * This hash is embedded in every {@link ExecutionResult} as `runtime_hash`,\r\n * binding the result to a specific version of the runtime.\r\n */\r\nexport function hashRuntime(): string {\r\n return crypto\r\n .createHash(\r\n \"sha256\"\r\n )\r\n .update(\r\n canonicalize(\r\n runtimeManifestDefinition\r\n )\r\n )\r\n .digest(\r\n \"hex\"\r\n );\r\n}\r\n\r\n\r\n\r\n\r\n","import {\r\n hashRuntime,\r\n runtimeManifestDefinition,\r\n} from \"./hash-runtime.js\";\r\n\r\n/**\r\n * Static description of the governance runtime's identity, capabilities, and\r\n * supported protocol versions.\r\n *\r\n * Included in every {@link ExecutionResult} so verifiers can confirm the\r\n * runtime environment without trusting the operator. The `runtime_hash`\r\n * field is a deterministic SHA-256 commitment over the manifest definition,\r\n * binding the result to a specific runtime build.\r\n */\r\nexport interface RuntimeManifest {\r\n /** Semantic version of the governance runtime (e.g. `\"1.0.0\"`). */\r\n runtime_version: string;\r\n\r\n /** SHA-256 hex hash of the canonical runtime manifest definition. */\r\n runtime_hash: string;\r\n\r\n /** Schema version strings that this runtime can process. */\r\n supported_schema_versions: readonly string[];\r\n\r\n /** Capability strings advertised by this runtime (e.g. `\"replay-protection\"`). 
*/\r\n capabilities: readonly string[];\r\n}\r\n\r\n/**\r\n * Returns the active {@link RuntimeManifest} for the current process,\r\n * combining the static manifest definition with a freshly computed `runtime_hash`.\r\n */\r\nexport function getRuntimeManifest(): RuntimeManifest {\r\n\r\n return {\r\n runtime_hash:\r\n hashRuntime(),\r\n ...runtimeManifestDefinition,\r\n };\r\n}\r\n","import {\r\n canonicalize,\r\n} from \"@parmanasystems/bundle\";\r\n\r\nimport type {\r\n RuntimeManifest,\r\n} from \"./runtime-manifest.js\";\r\n\r\nimport type {\r\n Signer,\r\n} from \"./signer-interface.js\";\r\n\r\n/**\r\n * Signs the canonical form of `manifest` with `signer` and returns a\r\n * base64-encoded Ed25519 signature. Use this to produce a verifiable\r\n * attestation that a specific runtime version was active at a given time.\r\n */\r\nexport function signRuntimeManifest(\r\n manifest: RuntimeManifest,\r\n signer: Signer\r\n): string {\r\n\r\n return signer.sign(\r\n canonicalize(manifest)\r\n );\r\n}\r\n\r\n\r\n\r\n\r\n","import {\r\n canonicalizeForSigning\r\n} from \"./canonical-signing.js\";\r\n\r\nimport type {\r\n RuntimeManifest,\r\n} from \"./runtime-manifest.js\";\r\n\r\nimport type {\r\n Verifier,\r\n} from \"./verifier-interface.js\";\r\n\r\n/**\r\n * Verifies that `signature` (base64 Ed25519) was produced over the canonical\r\n * form of `manifest` by the authority whose key `verifier` holds.\r\n */\r\nexport function verifyRuntimeManifest(\r\n manifest: RuntimeManifest,\r\n signature: string,\r\n verifier: Verifier\r\n): boolean {\r\n\r\n return verifier.verify(\r\n canonicalizeForSigning(manifest),\r\n signature\r\n );\r\n}\r\n\r\n\r\n\r\n\r\n","import crypto from \"node:crypto\";\r\n\r\nimport type {\r\n Signer,\r\n} from \"./signer-interface.js\";\r\n\r\n/**\r\n * In-process Ed25519 {@link Signer} backed by Node.js `crypto`.\r\n *\r\n * Suitable for development and environments where the private key can be\r\n * securely injected at process start. 
For hardware-backed or remote signing\r\n * see {@link AwsKmsSigner}.\r\n */\r\nexport class LocalSigner\r\n implements Signer {\r\n\r\n private readonly keyObject: crypto.KeyObject;\r\n\r\n /**\r\n * @param privateKey - PEM-encoded Ed25519 private key (PKCS8 format).\r\n */\r\n constructor(\r\n private readonly privateKey: string\r\n ) {\r\n\r\n const normalizedKey =\r\n privateKey\r\n .replace(/\\\\n/g, \"\\n\")\r\n .trim();\r\n\r\n this.keyObject =\r\n crypto.createPrivateKey({\r\n key: normalizedKey,\r\n format: \"pem\",\r\n });\r\n }\r\n\r\n /**\r\n * Signs `payload` (UTF-8) with the Ed25519 private key and returns a\r\n * base64-encoded signature.\r\n */\r\n sign(\r\n payload: string\r\n ): string {\r\n\r\n return crypto\r\n .sign(\r\n null,\r\n\r\n Buffer.from(\r\n payload,\r\n \"utf8\"\r\n ),\r\n\r\n this.keyObject\r\n )\r\n\r\n .toString(\r\n \"base64\"\r\n );\r\n }\r\n}\r\n","import * as crypto from \"node:crypto\";\r\n\r\nimport type {\r\n Verifier,\r\n} from \"./verifier-interface.js\";\r\n\r\n/**\r\n * In-process Ed25519 {@link Verifier} backed by Node.js `crypto`.\r\n *\r\n * Paired with {@link LocalSigner}; both must use the same Ed25519 key pair.\r\n */\r\nexport class LocalVerifier\r\n implements Verifier {\r\n\r\n /**\r\n * @param publicKey - PEM-encoded Ed25519 public key (SPKI format).\r\n */\r\n constructor(\r\n private readonly publicKey: string\r\n ) {}\r\n\r\n /**\r\n * Verifies that `signature` (base64 Ed25519) was produced over the UTF-8\r\n * `payload` by the holder of the corresponding private key.\r\n */\r\n verify(\r\n payload: string,\r\n signature: string\r\n ): boolean {\r\n\r\n return crypto.verify(\r\n null,\r\n\r\n Buffer.from(\r\n payload,\r\n \"utf8\"\r\n ),\r\n\r\n this.publicKey,\r\n\r\n Buffer.from(\r\n signature,\r\n \"base64\"\r\n )\r\n );\r\n }\r\n}\r\n\r\n\r\n\r\n\r\n","import type { DecisionResult } from \"./execution-result.js\";\r\n// -----------------------------\r\n// Types\r\n// 
-----------------------------\r\ninterface BaseCondition {\r\n signal: string;\r\n equals?: unknown;\r\n greater_than?: number;\r\n less_than?: number;\r\n}\r\n\r\ninterface AllCondition {\r\n all: RuleCondition[];\r\n}\r\n\r\ninterface AnyCondition {\r\n any: RuleCondition[];\r\n}\r\n\r\ntype RuleCondition =\r\n | BaseCondition\r\n | AllCondition\r\n | AnyCondition;\r\n\r\ninterface PolicyRule {\r\n id: string;\r\n condition: RuleCondition;\r\n outcome: {\r\n action: \"approve\" | \"reject\";\r\n requires_override: boolean;\r\n reason?: string;\r\n };\r\n}\r\n\r\nexport interface PolicyDocument {\r\n schemaVersion: string;\r\n signalsSchema: Record<string, unknown>;\r\n rules: PolicyRule[];\r\n}\r\n\r\n// -----------------------------\r\n// Rule evaluation (PURE)\r\n// -----------------------------\r\nfunction evaluateCondition(\r\n condition: RuleCondition,\r\n signals: Record<string, unknown>\r\n): boolean {\r\n\r\n if (\"all\" in condition) {\r\n return condition.all.every(c => evaluateCondition(c, signals));\r\n }\r\n\r\n if (\"any\" in condition) {\r\n return condition.any.some(c => evaluateCondition(c, signals));\r\n }\r\n\r\n const { signal, equals, greater_than, less_than } = condition;\r\n\r\n if (!(signal in signals)) {\r\n throw new Error(`Signal not found: ${signal}`);\r\n }\r\n\r\n const actual = signals[signal];\r\n\r\n if (equals !== undefined) {\r\n if (typeof actual !== typeof equals) {\r\n throw new Error(`Type mismatch for ${signal}`);\r\n }\r\n return actual === equals;\r\n }\r\n\r\n if (greater_than !== undefined) {\r\n if (typeof actual !== \"number\") {\r\n throw new Error(`Expected number for ${signal}`);\r\n }\r\n return actual > greater_than;\r\n }\r\n\r\n if (less_than !== undefined) {\r\n if (typeof actual !== \"number\") {\r\n throw new Error(`Expected number for ${signal}`);\r\n }\r\n return actual < less_than;\r\n }\r\n\r\n return false;\r\n}\r\n\r\n// -----------------------------\r\n// Schema validation\r\n// 
-----------------------------\r\nfunction validateSchemaVersion(policy: PolicyDocument): void {\r\n const supported = [\"1.0.0\"];\r\n\r\n if (!supported.includes(policy.schemaVersion)) {\r\n throw new Error(\r\n `Unsupported schema version: ${policy.schemaVersion}`\r\n );\r\n }\r\n}\r\n\r\n// -----------------------------\r\n// MAIN EVALUATOR (DETERMINISTIC)\r\n// -----------------------------\r\nexport function evaluatePolicy(\r\n policy: PolicyDocument,\r\n signals: Record<string, unknown>\r\n): DecisionResult {\r\n\r\n validateSchemaVersion(policy);\r\n\r\n // -----------------------------\r\n // Evaluate rules in order\r\n // -----------------------------\r\n for (const rule of policy.rules) {\r\n\r\n const matched = evaluateCondition(\r\n rule.condition,\r\n signals\r\n );\r\n\r\n if (matched) {\r\n return {\r\n status: \"decided\",\r\n outcome: rule.outcome,\r\n rule_id: rule.id,\r\n source: \"rule_match\"\r\n };\r\n }\r\n }\r\n\r\n // -----------------------------\r\n // Fail closed (no match)\r\n // -----------------------------\r\n throw new Error(\r\n \"[SYS-006] No rule matched — policy must cover all cases\"\r\n );\r\n}\r\n","import * as fs from \"node:fs\";\r\nimport * as path from \"node:path\";\r\n\r\nimport type { PolicyDocument } from \"./evaluator.js\";\r\n\r\nexport function loadPolicy(\r\n policyId: string,\r\n policyVersion: string,\r\n basePath: string = process.cwd()\r\n): PolicyDocument {\r\n\r\n const policyPath = path.resolve(\r\n basePath,\r\n \"policies\",\r\n policyId,\r\n policyVersion,\r\n \"policy.json\"\r\n );\r\n\r\n if (!fs.existsSync(policyPath)) {\r\n throw new Error(`Policy not found: ${policyPath}`);\r\n }\r\n\r\n const raw = fs.readFileSync(policyPath, \"utf8\");\r\n\r\n let parsed: any;\r\n\r\n try {\r\n parsed = JSON.parse(raw);\r\n } catch {\r\n throw new Error(\r\n `Invalid policy: malformed JSON in ${policyPath}`\r\n );\r\n }\r\n\r\n // -----------------------------\r\n // Basic validation\r\n // 
-----------------------------\r\n if (!parsed || typeof parsed !== \"object\") {\r\n throw new Error(\r\n `Invalid policy: expected object in ${policyPath}`\r\n );\r\n }\r\n\r\n // -----------------------------\r\n // STRICT schemaVersion only\r\n // -----------------------------\r\n if (!parsed.schemaVersion) {\r\n throw new Error(\r\n `Invalid policy: missing schemaVersion (camelCase only) in ${policyPath}`\r\n );\r\n }\r\n\r\n if (parsed.schema_version) {\r\n throw new Error(\r\n `Invalid policy: use schemaVersion, not schema_version in ${policyPath}`\r\n );\r\n }\r\n\r\n // -----------------------------\r\n // REQUIRED signalsSchema\r\n // -----------------------------\r\n if (!parsed.signalsSchema) {\r\n throw new Error(\r\n `Invalid policy: missing signalsSchema in ${policyPath}`\r\n );\r\n }\r\n\r\n if (parsed.signals_schema) {\r\n throw new Error(\r\n `Invalid policy: use signalsSchema, not signals_schema in ${policyPath}`\r\n );\r\n }\r\n\r\n return parsed as PolicyDocument;\r\n}\r\n","type SignalType =\r\n | \"boolean\"\r\n | \"integer\"\r\n | \"string\"\r\n | \"enum\";\r\n\r\ninterface SignalDefinition {\r\n type: SignalType;\r\n values?: string[];\r\n required?: boolean;\r\n}\r\n\r\ninterface PolicySignalsSchema {\r\n [key: string]: SignalDefinition;\r\n}\r\n\r\nimport type { PolicyDocument } from \"./evaluator.js\";\r\n\r\nexport function validateSignalsStrict(\r\n signals: Record<string, unknown>,\r\n policy: PolicyDocument\r\n): void {\r\n\r\n // ✅ FIXED: correct field\r\n const schema = policy.signalsSchema as PolicySignalsSchema;\r\n\r\n if (!schema || typeof schema !== \"object\") {\r\n throw new Error(\"[VAL-001] Invalid policy: missing signals schema\");\r\n }\r\n\r\n if (!signals || typeof signals !== \"object\") {\r\n throw new Error(\"[VAL-002] Invalid input: signals must be an object\");\r\n }\r\n\r\n // Reject unknown signals\r\n for (const key of Object.keys(signals)) {\r\n if (!Object.prototype.hasOwnProperty.call(schema, key)) {\r\n 
throw new Error(`[VAL-003] Unknown signal: ${key}`);\r\n }\r\n }\r\n\r\n // Validate required + type\r\n for (const key of Object.keys(schema)) {\r\n\r\n const def = schema[key];\r\n const value = signals[key];\r\n\r\n const isRequired = def.required !== false;\r\n\r\n if (value === undefined) {\r\n if (isRequired) {\r\n throw new Error(`[VAL-004] Missing required signal: ${key}`);\r\n }\r\n continue;\r\n }\r\n\r\n if (!def?.type) {\r\n throw new Error(`[VAL-005] Invalid schema for signal: ${key}`);\r\n }\r\n\r\n switch (def.type) {\r\n\r\n case \"boolean\":\r\n if (typeof value !== \"boolean\") {\r\n throw new Error(`[VAL-006] ${key} must be boolean`);\r\n }\r\n break;\r\n\r\n case \"integer\":\r\n if (typeof value !== \"number\" || !Number.isInteger(value)) {\r\n throw new Error(`[VAL-007] ${key} must be integer`);\r\n }\r\n break;\r\n\r\n case \"string\":\r\n if (typeof value !== \"string\") {\r\n throw new Error(`[VAL-008] ${key} must be string`);\r\n }\r\n break;\r\n\r\n case \"enum\":\r\n if (typeof value !== \"string\") {\r\n throw new Error(`[VAL-009] ${key} must be enum string`);\r\n }\r\n\r\n if (!Array.isArray(def.values) || def.values.length === 0) {\r\n throw new Error(`[VAL-010] ${key} enum values missing`);\r\n }\r\n\r\n if (!def.values.includes(value)) {\r\n throw new Error(\r\n `[VAL-011] Invalid value for ${key}: ${value}`\r\n );\r\n }\r\n break;\r\n\r\n default:\r\n throw new Error(`[VAL-012] Unsupported signal type: ${def.type}`);\r\n }\r\n }\r\n}\r\n","import {\r\n evaluatePolicy,\r\n} from \"./evaluator.js\";\r\n\r\nimport {\r\n loadPolicy,\r\n} from \"./load-policy.js\";\r\n\r\nimport {\r\n validateSignalsStrict,\r\n} from \"./validate-signals.js\";\r\n\r\nimport type {\r\n DecisionResult\r\n} from \"./execution-result.js\";\r\n\r\n\r\nexport interface DryRunResult {\r\n policy_id: string;\r\n policy_version: string;\r\n schema_version: string;\r\n\r\n decision: DecisionResult; // ✅ FIXED (not string)\r\n\r\n rule_trace: string[];\r\n\r\n 
governed: false;\r\n dry_run: true;\r\n\r\n evaluated_at: string;\r\n}\r\n\r\n\r\nexport function evaluateDryRun(\r\n policyId: string,\r\n policyVersion: string,\r\n signals: Record<string, unknown>,\r\n governed_time = new Date().toISOString()\r\n): DryRunResult {\r\n\r\n // -----------------------------\r\n // 1. Load policy\r\n // -----------------------------\r\n const policy =\r\n loadPolicy(policyId, policyVersion);\r\n\r\n // -----------------------------\r\n // 2. Validate signals\r\n // -----------------------------\r\n validateSignalsStrict(signals, policy);\r\n\r\n // -----------------------------\r\n // 3. Evaluate policy\r\n // -----------------------------\r\n const decision: DecisionResult =\r\n evaluatePolicy(policy, signals);\r\n\r\n // -----------------------------\r\n // 4. Return dry-run result\r\n // -----------------------------\r\n return {\r\n policy_id: policyId,\r\n policy_version: policyVersion,\r\n schema_version: \"1.0.0\",\r\n\r\n decision, // ✅ structured\r\n\r\n rule_trace: [],\r\n\r\n governed: false,\r\n dry_run: true,\r\n\r\n evaluated_at: governed_time,\r\n };\r\n}\r\n","export type InvariantBoundary =\r\n | \"canonicalize\"\r\n | \"validate\"\r\n | \"verify\"\r\n | \"replay\"\r\n | \"execute\"\r\n | \"sign\";\r\n\r\nexport interface InvariantEntry {\r\n readonly id: string;\r\n readonly description: string;\r\n readonly boundary: InvariantBoundary | readonly InvariantBoundary[];\r\n}\r\n\r\n/**\r\n * Single source of truth for all governance invariants.\r\n *\r\n * Every invariant_id that appears in ViolationReport, source comments,\r\n * or test coverage maps MUST have an entry here. 
The CI gate\r\n * (scripts/ci-invariant-gate.ts) enforces this at build time.\r\n */\r\nexport const INVARIANT_REGISTRY = {\r\n \"INV-001\": {\r\n id: \"INV-001\",\r\n description: \"Canonical serialization produces identical bytes for identical inputs\",\r\n boundary: \"canonicalize\",\r\n },\r\n \"INV-002\": {\r\n id: \"INV-002\",\r\n description: \"Input payload must be structurally valid\",\r\n boundary: \"validate\",\r\n },\r\n \"INV-003\": {\r\n id: \"INV-003\",\r\n description: \"Execution token signature must be cryptographically valid\",\r\n boundary: \"verify\",\r\n },\r\n \"INV-004\": {\r\n id: \"INV-004\",\r\n description: \"Execution time is injected deterministically — no wall-clock reads inside the execution scope\",\r\n boundary: [\"canonicalize\", \"execute\"] as readonly InvariantBoundary[],\r\n },\r\n \"INV-005\": {\r\n id: \"INV-005\",\r\n description: \"Runtime version must be in the set of supported runtime versions\",\r\n boundary: \"verify\",\r\n },\r\n \"INV-006\": {\r\n id: \"INV-006\",\r\n description: \"Schema version 1.0.0 must be supported by both runtime manifest and requirements\",\r\n boundary: \"verify\",\r\n },\r\n \"INV-007\": {\r\n id: \"INV-007\",\r\n description: \"Execution token must not be expired at governed_time\",\r\n boundary: \"verify\",\r\n },\r\n \"INV-008\": {\r\n id: \"INV-008\",\r\n description: \"The governed field is always in signature scope and equals literal true\",\r\n boundary: \"sign\",\r\n },\r\n \"INV-009\": {\r\n id: \"INV-009\",\r\n description: \"Signals hash must be a non-empty string binding execution to specific inputs\",\r\n boundary: \"validate\",\r\n },\r\n \"INV-010\": {\r\n id: \"INV-010\",\r\n description: \"Policy ID and policy version must be non-empty strings\",\r\n boundary: \"validate\",\r\n },\r\n \"INV-011\": {\r\n id: \"INV-011\",\r\n description: \"All required runtime capabilities must be present in the runtime manifest\",\r\n boundary: \"verify\",\r\n },\r\n \"INV-013\": {\r\n id: 
\"INV-013\",\r\n description: \"Replay protection is always enforced — execution_id is single-use and non-configurable\",\r\n boundary: \"replay\",\r\n },\r\n \"INV-014\": {\r\n id: \"INV-014\",\r\n description: \"governed literal true structurally distinguishes ExecutionResult from DryRunResult\",\r\n boundary: \"execute\",\r\n },\r\n \"INV-015\": {\r\n id: \"INV-015\",\r\n description: \"Audit record must be written before attestation is issued\",\r\n boundary: \"execute\",\r\n },\r\n \"INV-016\": {\r\n id: \"INV-016\",\r\n description: \"Audit records are linearizable via SHA-256 hash chain\",\r\n boundary: \"execute\",\r\n },\r\n \"INV-017\": {\r\n id: \"INV-017\",\r\n description: \"Any verification failure causes fail-closed execution — no partial results\",\r\n boundary: [\"verify\", \"replay\", \"execute\"] as readonly InvariantBoundary[],\r\n },\r\n \"INV-020\": {\r\n id: \"INV-020\",\r\n description: \"Runtime capability declarations are truthful and non-negotiable\",\r\n boundary: \"verify\",\r\n },\r\n \"INV-022\": {\r\n id: \"INV-022\",\r\n description: \"Every policy decision is derivable from the policy document and input signals\",\r\n boundary: \"execute\",\r\n },\r\n \"INV-024\": {\r\n id: \"INV-024\",\r\n description: \"Decision values are semantically unambiguous strings\",\r\n boundary: \"execute\",\r\n },\r\n \"INV-025\": {\r\n id: \"INV-025\",\r\n description: \"Schema version and runtime version are present in every ExecutionResult\",\r\n boundary: \"execute\",\r\n },\r\n \"INV-030\": {\r\n id: \"INV-030\",\r\n description: \"Every attestation contains a runtime_hash binding it to a specific runtime version\",\r\n boundary: \"execute\",\r\n },\r\n \"INV-031\": {\r\n id: \"INV-031\",\r\n description: \"Runtime manifest declares explicit supported_schema_versions and runtime_version\",\r\n boundary: \"verify\",\r\n },\r\n \"INV-033\": {\r\n id: \"INV-033\",\r\n description: \"Governance properties (replay, audit, attestation) are structurally 
enforced — not configurable\",\r\n boundary: \"execute\",\r\n },\r\n \"INV-034\": {\r\n id: \"INV-034\",\r\n description: \"Any verifier holding the correct public key can independently verify an attestation\",\r\n boundary: \"sign\",\r\n },\r\n \"INV-035\": {\r\n id: \"INV-035\",\r\n description: \"Verification is reproducible: same attestation + key produces identical outcome\",\r\n boundary: \"sign\",\r\n },\r\n \"INV-037\": {\r\n id: \"INV-037\",\r\n description: \"Signatures from different authority keys do not cross-verify — signing domains are isolated\",\r\n boundary: \"sign\",\r\n },\r\n \"INV-038\": {\r\n id: \"INV-038\",\r\n description: \"Cross-key verification failures are consistent: wrong-key always returns false\",\r\n boundary: \"sign\",\r\n },\r\n \"INV-040\": {\r\n id: \"INV-040\",\r\n description: \"AI output and governance enforcement are strictly separated — no AI field in execution scope\",\r\n boundary: \"validate\",\r\n },\r\n \"INV-041\": {\r\n id: \"INV-041\",\r\n description: \"Governance boundary is explicit: runtime manifest must declare runtime_version\",\r\n boundary: \"verify\",\r\n },\r\n \"INV-047\": {\r\n id: \"INV-047\",\r\n description: \"Canonical serialization uses explicit UTF-8 encoding\",\r\n boundary: \"canonicalize\",\r\n },\r\n \"INV-048\": {\r\n id: \"INV-048\",\r\n description: \"Unicode normalization is stable across canonicalization calls\",\r\n boundary: \"canonicalize\",\r\n },\r\n \"INV-049\": {\r\n id: \"INV-049\",\r\n description: \"Canonical JSON sorts object keys recursively and preserves array order\",\r\n boundary: \"canonicalize\",\r\n },\r\n \"INV-050\": {\r\n id: \"INV-050\",\r\n description: \"Duplicate JSON keys must not appear in governance payloads (gap: documented)\",\r\n boundary: \"canonicalize\",\r\n },\r\n \"INV-051\": {\r\n id: \"INV-051\",\r\n description: \"Numeric values canonicalize identically regardless of trailing zeros\",\r\n boundary: \"canonicalize\",\r\n },\r\n \"INV-052\": {\r\n id: 
\"INV-052\",\r\n description: \"Object insertion order does not affect canonical form or content-address hash\",\r\n boundary: \"canonicalize\",\r\n },\r\n \"INV-053\": {\r\n id: \"INV-053\",\r\n description: \"Array element order is preserved through canonicalization\",\r\n boundary: \"canonicalize\",\r\n },\r\n \"INV-054\": {\r\n id: \"INV-054\",\r\n description: \"JSON type closure: NaN and Infinity serialize to null; undefined fields are omitted\",\r\n boundary: \"canonicalize\",\r\n },\r\n \"INV-057\": {\r\n id: \"INV-057\",\r\n description: \"Content-address (SHA-256) is stable for identical content across calls\",\r\n boundary: \"canonicalize\",\r\n },\r\n \"INV-059\": {\r\n id: \"INV-059\",\r\n description: \"Replay domain is explicit: every execution_id in the store was consumed by a real execution\",\r\n boundary: \"replay\",\r\n },\r\n \"INV-060\": {\r\n id: \"INV-060\",\r\n description: \"Attestation verification is idempotent: same inputs always produce identical results\",\r\n boundary: \"sign\",\r\n },\r\n \"INV-061\": {\r\n id: \"INV-061\",\r\n description: \"Runtime capability declarations are immutable after build\",\r\n boundary: \"verify\",\r\n },\r\n \"INV-072\": {\r\n id: \"INV-072\",\r\n description: \"Dry-run path produces no side effects: no replay store write, no audit record, no signature\",\r\n boundary: \"execute\",\r\n },\r\n \"INV-073\": {\r\n id: \"INV-073\",\r\n description: \"Canonical evaluation source files contain no network calls\",\r\n boundary: \"execute\",\r\n },\r\n \"INV-074\": {\r\n id: \"INV-074\",\r\n description: \"Every governed executeDecision call produces exactly one audit record\",\r\n boundary: \"execute\",\r\n },\r\n \"INV-075\": {\r\n id: \"INV-075\",\r\n description: \"Execution IDs (UUIDv4) are unique per issuance — governance identity is non-reusable\",\r\n boundary: \"execute\",\r\n },\r\n \"INV-077\": {\r\n id: \"INV-077\",\r\n description: \"All failure modes are deterministic: same invalid input always 
produces the same error\",\r\n boundary: [\"verify\", \"replay\", \"execute\"] as readonly InvariantBoundary[],\r\n },\r\n \"INV-078\": {\r\n id: \"INV-078\",\r\n description: \"Operational metadata fields must not contaminate deterministic signing scope\",\r\n boundary: \"validate\",\r\n },\r\n \"INV-080\": {\r\n id: \"INV-080\",\r\n description: \"Unsupported schema and runtime versions fail explicitly with a descriptive error\",\r\n boundary: \"verify\",\r\n },\r\n \"META-001\": {\r\n id: \"META-001\",\r\n description: \"Every governed execution produces a signed, independently verifiable attestation\",\r\n boundary: \"sign\",\r\n },\r\n \"META-004\": {\r\n id: \"META-004\",\r\n description: \"Invariant violations always fail closed — no partial results are emitted on violation\",\r\n boundary: [\"verify\", \"replay\", \"execute\", \"sign\"] as readonly InvariantBoundary[],\r\n },\r\n} as const satisfies Record<string, InvariantEntry>;\r\n\r\nexport type InvariantId = keyof typeof INVARIANT_REGISTRY;\r\n","import * as crypto from \"node:crypto\";\r\n\r\n/**\r\n * Structured report emitted when a governance invariant is violated.\r\n *\r\n * Fields:\r\n * invariant_id — the invariant from INVARIANT_REGISTRY that was breached\r\n * boundary — pipeline stage where the violation was detected\r\n * reason — human-readable explanation of what failed\r\n * input_hash — SHA-256 of the canonical form of the input that triggered the violation\r\n * timestamp_seq — monotonically increasing sequence number within the process lifetime\r\n */\r\nexport interface ViolationReport {\r\n readonly invariant_id: string;\r\n readonly boundary: string;\r\n readonly reason: string;\r\n readonly input_hash: string;\r\n readonly timestamp_seq: number;\r\n}\r\n\r\nlet _seq = 0;\r\n\r\n/**\r\n * Thrown by every pipeline stage boundary when a governance invariant is violated.\r\n *\r\n * Carries a structured ViolationReport so downstream consumers can distinguish\r\n * invariant violations 
from unexpected runtime errors without string parsing.\r\n */\r\nexport class InvariantViolation extends Error {\r\n readonly report: ViolationReport;\r\n\r\n constructor(report: ViolationReport) {\r\n super(`[${report.invariant_id}@${report.boundary}] ${report.reason}`);\r\n this.name = \"InvariantViolation\";\r\n this.report = report;\r\n }\r\n}\r\n\r\n/**\r\n * Computes the SHA-256 hex digest of `value` for use as `input_hash` in a ViolationReport.\r\n * Accepts a string (used as-is) or any value (JSON-stringified before hashing).\r\n */\r\nexport function hashInput(value: unknown): string {\r\n const bytes =\r\n typeof value === \"string\"\r\n ? value\r\n : JSON.stringify(value) ?? \"\";\r\n\r\n return crypto\r\n .createHash(\"sha256\")\r\n .update(bytes, \"utf8\")\r\n .digest(\"hex\");\r\n}\r\n\r\n/**\r\n * Constructs and throws an InvariantViolation.\r\n * Never returns — the return type `never` enforces this at compile time.\r\n *\r\n * @param invariant_id - ID from INVARIANT_REGISTRY\r\n * @param boundary - Pipeline stage name\r\n * @param reason - Human-readable reason (must contain the legacy message substring for test compat)\r\n * @param input - The input that triggered the violation (hashed automatically)\r\n */\r\nexport function violate(\r\n invariant_id: string,\r\n boundary: string,\r\n reason: string,\r\n input: unknown\r\n): never {\r\n throw new InvariantViolation({\r\n invariant_id,\r\n boundary,\r\n reason,\r\n input_hash: hashInput(input),\r\n timestamp_seq: ++_seq,\r\n });\r\n}\r\n","/**\r\n * Sealed Execution VM — determinism enforcement for the governance execution scope.\r\n *\r\n * The execution stage (execute.ts, pipeline.ts) is forbidden from accessing:\r\n * - Date.now() — non-deterministic wall clock\r\n * - Math.random() — non-deterministic PRNG\r\n * - fs / network IO — external state that varies across environments\r\n *\r\n * Time is injected explicitly via governed_time in ExecutionContext.\r\n * The CI gate 
(scripts/ci-invariant-gate.ts) enforces these constraints statically.\r\n *\r\n * This module provides:\r\n * - governingTime() — derives execution time from injected governed_time or falls\r\n * back to the system clock (only acceptable outside execute.ts)\r\n * - FORBIDDEN_GLOBALS — the list of globals that must not appear in execution-scope files\r\n */\r\n\r\n/** Globals forbidden inside the sealed execution scope. */\r\nexport const FORBIDDEN_GLOBALS = [\r\n \"Date.now\",\r\n \"Math.random\",\r\n] as const;\r\n\r\n/**\r\n * Files in the execution package whose source must not reference FORBIDDEN_GLOBALS.\r\n * Enforced by the CI gate.\r\n */\r\nexport const SEALED_SCOPE_FILES = [\r\n \"packages/execution/src/execute.ts\",\r\n \"packages/execution/src/pipeline.ts\",\r\n \"packages/execution/src/canonical-signing.ts\",\r\n \"packages/bundle/src/canonicalize.ts\",\r\n \"packages/bundle/src/hash.ts\",\r\n] as const;\r\n\r\n/**\r\n * Returns the governing time for an execution.\r\n *\r\n * When `provided` is a non-empty ISO 8601 string it is returned as-is,\r\n * preserving determinism. 
When `provided` is absent or empty the current\r\n * system time is used — this fallback is intentionally limited to\r\n * non-execution-scope callers (audit.ts, dry-run.ts, tests).\r\n *\r\n * MUST NOT be called from execute.ts or pipeline.ts — those files must\r\n * receive governed_time from their caller and pass it through explicitly.\r\n */\r\nexport function governingTime(provided?: string): string {\r\n if (provided && provided.length > 0) {\r\n return provided;\r\n }\r\n return new Date().toISOString();\r\n}\r\n","import type {\r\n ExecutionAttestation\r\n} from \"./execution-attestation.js\";\r\n\r\nimport * as crypto from \"node:crypto\";\r\n\r\nimport { evaluatePolicy } from \"./evaluator.js\";\r\nimport { loadPolicy } from \"./load-policy.js\";\r\nimport { validateSignalsStrict } from \"./validate-signals.js\";\r\nimport { issueToken } from \"./issue-token.js\";\r\nimport { signExecutionToken } from \"./sign-token.js\";\r\nimport { getRuntimeManifest } from \"./runtime-manifest.js\";\r\nimport { executeWithRedis } from \"./execute-with-redis.js\";\r\nimport { canonicalize } from \"./canonical-json.js\";\r\n\r\nimport type { Signer } from \"./signer-interface.js\";\r\nimport type { Verifier } from \"./verifier-interface.js\";\r\nimport type { AsyncReplayStore } from \"./async-replay-store-interface.js\";\r\nimport type { DecisionResult } from \"./execution-result.js\";\r\n\r\nexport async function executeFromSignals(\r\n input: {\r\n policyId: string;\r\n policyVersion: string;\r\n signals: Record<string, unknown>;\r\n metadata?: Record<string, unknown>;\r\n },\r\n signer: Signer,\r\n verifier: Verifier,\r\n replayStore: AsyncReplayStore & {\r\n get?: (key: string) => Promise<string | null>;\r\n set?: (key: string, value: string) => Promise<void>;\r\n del?: (key: string) => Promise<void>;\r\n }\r\n) {\r\n try {\r\n\r\n // -----------------------------\r\n // 1. 
Load policy\r\n // -----------------------------\r\n const policy = loadPolicy(\r\n input.policyId,\r\n input.policyVersion\r\n );\r\n\r\n // -----------------------------\r\n // 2. Validate signals\r\n // -----------------------------\r\n validateSignalsStrict(\r\n input.signals,\r\n policy\r\n );\r\n\r\n // -----------------------------\r\n // 3. Evaluate policy\r\n // -----------------------------\r\n const decision: DecisionResult =\r\n evaluatePolicy(\r\n policy,\r\n input.signals\r\n );\r\n\r\n // -----------------------------\r\n // 4. Enforce invariants\r\n // -----------------------------\r\n if (\r\n decision.status !== \"decided\" ||\r\n !decision.outcome\r\n ) {\r\n\r\n throw new Error(\r\n \"[SYS-004] Invalid policy: execution must resolve to decided\"\r\n );\r\n }\r\n\r\n if (!decision.rule_id) {\r\n\r\n throw new Error(\r\n \"[SYS-005] Invalid decision: rule_id required\"\r\n );\r\n }\r\n\r\n // -----------------------------\r\n // 5. Canonical signals\r\n // -----------------------------\r\n const canonicalSignals =\r\n canonicalize(\r\n input.signals\r\n );\r\n\r\n // -----------------------------\r\n // 6. Deterministic execution_id\r\n // -----------------------------\r\n const executionId = crypto\r\n .createHash(\"sha256\")\r\n .update(\r\n JSON.stringify({\r\n policyId:\r\n input.policyId,\r\n\r\n policyVersion:\r\n input.policyVersion,\r\n\r\n signals:\r\n canonicalSignals\r\n })\r\n )\r\n .digest(\"hex\");\r\n\r\n // -----------------------------\r\n // 7. Runtime manifest\r\n // -----------------------------\r\n const runtimeManifest =\r\n getRuntimeManifest();\r\n\r\n // -----------------------------\r\n // 8. 
Issue token\r\n // -----------------------------\r\n const token = issueToken({\r\n\r\n execution_id:\r\n executionId,\r\n\r\n policy_id:\r\n input.policyId,\r\n\r\n decision_payload:\r\n decision.outcome,\r\n\r\n schema_version:\r\n policy.schemaVersion,\r\n\r\n runtime_version:\r\n runtimeManifest.runtime_version\r\n });\r\n\r\n const tokenSignature =\r\n signExecutionToken(\r\n token,\r\n signer\r\n );\r\n\r\n // -----------------------------\r\n // 9. Runtime requirements\r\n // -----------------------------\r\n const runtimeRequirements = {\r\n\r\n required_capabilities: [],\r\n\r\n supported_runtime_versions: [\r\n runtimeManifest.runtime_version\r\n ],\r\n\r\n supported_schema_versions: [\r\n policy.schemaVersion\r\n ]\r\n };\r\n\r\n // -----------------------------\r\n // 10. Resolve execution state\r\n // -----------------------------\r\n const action =\r\n decision.outcome.action;\r\n\r\n const requiresOverride =\r\n decision.outcome.requires_override;\r\n\r\n let execution_state:\r\n \"completed\" |\r\n \"blocked\" |\r\n \"pending_override\";\r\n\r\n if (requiresOverride) {\r\n\r\n execution_state =\r\n \"pending_override\";\r\n\r\n } else {\r\n\r\n execution_state =\r\n action === \"approve\"\r\n ? \"completed\"\r\n : \"blocked\";\r\n }\r\n\r\n // -----------------------------\r\n // 11. 
Handle pending_override\r\n // -----------------------------\r\n if (\r\n execution_state ===\r\n \"pending_override\"\r\n ) {\r\n\r\n if (!replayStore.set) {\r\n\r\n throw new Error(\r\n \"[SYS-020] Store does not support pending execution storage\"\r\n );\r\n }\r\n\r\n await replayStore.set(\r\n `pending:${executionId}`,\r\n\r\n JSON.stringify({\r\n\r\n token,\r\n\r\n token_signature:\r\n tokenSignature,\r\n\r\n runtime_manifest:\r\n runtimeManifest,\r\n\r\n runtime_requirements:\r\n runtimeRequirements\r\n })\r\n );\r\n\r\n const attestation:\r\n ExecutionAttestation = {\r\n\r\n execution_id:\r\n executionId,\r\n\r\n policy_id:\r\n input.policyId,\r\n\r\n policy_version:\r\n input.policyVersion,\r\n\r\n decision:\r\n decision.outcome,\r\n\r\n execution_state:\r\n \"pending_override\",\r\n\r\n runtime_hash:\r\n runtimeManifest.runtime_hash,\r\n\r\n signature:\r\n tokenSignature\r\n };\r\n\r\n return {\r\n\r\n status:\r\n \"pending_override\" as const,\r\n\r\n execution_id:\r\n executionId,\r\n\r\n decision,\r\n\r\n requires_override:\r\n true,\r\n\r\n attestation\r\n };\r\n }\r\n\r\n // -----------------------------\r\n // 12. Execute\r\n // -----------------------------\r\n let execution;\r\n\r\n try {\r\n\r\n execution =\r\n await executeWithRedis(\r\n {\r\n token,\r\n\r\n token_signature:\r\n tokenSignature,\r\n\r\n signer,\r\n\r\n verifier,\r\n\r\n runtime_manifest:\r\n runtimeManifest,\r\n\r\n runtime_requirements:\r\n runtimeRequirements\r\n },\r\n\r\n replayStore\r\n );\r\n\r\n } catch (err) {\r\n\r\n const message =\r\n err instanceof Error\r\n ? 
err.message\r\n : \"Unknown error\";\r\n\r\n // -----------------------------\r\n // Replay = idempotent success\r\n // -----------------------------\r\n if (\r\n message.includes(\r\n \"Replay attack detected\"\r\n )\r\n ) {\r\n\r\n return {\r\n\r\n status:\r\n \"success\" as const,\r\n\r\n execution_id:\r\n executionId,\r\n\r\n decision,\r\n\r\n execution_state,\r\n\r\n requires_override:\r\n false,\r\n\r\n replay:\r\n true\r\n };\r\n }\r\n\r\n throw err;\r\n }\r\n\r\n // -----------------------------\r\n // Success attestation\r\n // -----------------------------\r\n const attestation:\r\n ExecutionAttestation = {\r\n\r\n execution_id:\r\n executionId,\r\n policy_id:\r\n input.policyId,\r\n\r\n policy_version:\r\n input.policyVersion,\r\n\r\n decision:\r\n decision.outcome,\r\n\r\n execution_state,\r\n\r\n runtime_hash:\r\n runtimeManifest.runtime_hash,\r\n\r\n signature:\r\n execution.signature\r\n };\r\n\r\n // -----------------------------\r\n // SUCCESS\r\n // -----------------------------\r\n return {\r\n\r\n status:\r\n \"success\" as const,\r\n\r\n execution_id:\r\n executionId,\r\n\r\n decision,\r\n\r\n execution_state,\r\n\r\n requires_override:\r\n false,\r\n\r\n signature:\r\n execution.signature,\r\n\r\n attestation\r\n };\r\n\r\n } catch (err: unknown) {\r\n\r\n return {\r\n\r\n status:\r\n \"error\" as const,\r\n\r\n error:\r\n err instanceof Error\r\n ? 
err.message\r\n : \"Unknown error\"\r\n };\r\n }\r\n}","import type { ExecutionContext } from \"./execution-context.js\";\r\nimport type { ExecutionAttestation } from \"./execution-attestation.js\";\r\nimport type { AsyncReplayStore } from \"./async-replay-store-interface.js\";\r\n\r\nimport { MemoryReplayStore } from \"./memory-replay-store.js\";\r\nimport { executeDecision } from \"./execute.js\";\r\n\r\n/**\r\n * 🟢 ASYNC ADAPTER\r\n * Handles Redis, keeps core pure\r\n */\r\nexport async function executeWithRedis(\r\n context: ExecutionContext,\r\n redisStore: AsyncReplayStore\r\n): Promise<ExecutionAttestation> {\r\n\r\n // Distributed replay protection\r\n await redisStore.markExecuted(\r\n context.token.execution_id\r\n );\r\n\r\n // Deterministic execution (sync core)\r\n const memoryStore = new MemoryReplayStore();\r\n\r\n return executeDecision(context, memoryStore);\r\n}\r\n","export function canonicalize(value: any): string {\r\n return JSON.stringify(sortValue(value));\r\n}\r\n\r\nfunction sortValue(value: any): any {\r\n if (Array.isArray(value)) {\r\n return value.map(sortValue);\r\n }\r\n\r\n if (value && typeof value === \"object\") {\r\n const sorted: Record<string, any> = {};\r\n\r\n for (const key of Object.keys(value).sort()) {\r\n sorted[key] = sortValue(value[key]);\r\n }\r\n\r\n return sorted;\r\n }\r\n\r\n return value;\r\n}\r\n","import {\r\n executeFromSignals,\r\n} from \"./execute-from-signals.js\";\r\n\r\nimport type {\r\n Signer,\r\n} from \"./signer-interface.js\";\r\n\r\nimport type {\r\n Verifier,\r\n} from \"./verifier-interface.js\";\r\n\r\nimport type {\r\n AsyncReplayStore,\r\n} from \"./async-replay-store-interface.js\";\r\n\r\n\r\n/**\r\n * Executes multiple records sequentially.\r\n *\r\n * Each record is processed independently.\r\n * Errors are captured per-record (fail-isolated).\r\n */\r\nexport async function executeBatch(\r\n records: Array<{\r\n policyId: string;\r\n policyVersion: string;\r\n signals: Record<string, 
unknown>;\r\n governed_time: string;\r\n }>,\r\n signer: Signer,\r\n verifier: Verifier,\r\n replayStore: AsyncReplayStore\r\n) {\r\n\r\n const outputs = [];\r\n\r\n for (const record of records) {\r\n\r\n try {\r\n\r\n const output =\r\n await executeFromSignals(\r\n record,\r\n signer,\r\n verifier,\r\n replayStore\r\n );\r\n\r\n outputs.push({\r\n input: record,\r\n output\r\n });\r\n\r\n } catch (err: unknown) {\r\n\r\n outputs.push({\r\n input: record,\r\n output: {\r\n status: \"error\",\r\n error:\r\n err instanceof Error\r\n ? err.message\r\n : \"Unknown error\"\r\n }\r\n });\r\n\r\n }\r\n }\r\n\r\n return outputs;\r\n}\r\n","import Redis from \"ioredis\";\r\n\r\nimport type {\r\n Redis as RedisClient\r\n} from \"ioredis\";\r\n\r\nimport type {\r\n AsyncReplayStore\r\n} from \"./async-replay-store-interface.js\";\r\n\r\nexport class RedisReplayStore\r\n implements AsyncReplayStore {\r\n\r\n private client: RedisClient;\r\n\r\n constructor(\r\n url: string\r\n ) {\r\n\r\n this.client =\r\n new (Redis as any)(url);\r\n }\r\n\r\n async hasExecuted(\r\n executionId: string\r\n ): Promise<boolean> {\r\n\r\n const res =\r\n await this.client.exists(\r\n `exec:${executionId}`\r\n );\r\n\r\n return res === 1;\r\n }\r\n\r\n async markExecuted(\r\n executionId: string\r\n ): Promise<void> {\r\n\r\n const result =\r\n await this.client.set(\r\n `exec:${executionId}`,\r\n \"1\",\r\n \"NX\"\r\n );\r\n\r\n if (result !== \"OK\") {\r\n\r\n throw new Error(\r\n `[INV-013@replay] Replay detected: execution_id ${executionId} has already been consumed`\r\n );\r\n }\r\n }\r\n\r\n async get(\r\n key: string\r\n ): Promise<string | null> {\r\n\r\n return this.client.get(key);\r\n }\r\n\r\n async set(\r\n key: string,\r\n value: string\r\n ): Promise<void> {\r\n\r\n await this.client.set(\r\n key,\r\n value\r\n );\r\n }\r\n\r\n async del(\r\n key: string\r\n ): Promise<void> {\r\n\r\n await this.client.del(key);\r\n }\r\n\r\n async close(): Promise<void> {\r\n\r\n await 
this.client.quit();\r\n }\r\n}","import { executeWithRedis } from \"./execute-with-redis.js\";\r\n\r\nimport type { AsyncReplayStore } from \"./async-replay-store-interface.js\";\r\nimport type { Signer } from \"./signer-interface.js\";\r\nimport type { Verifier } from \"./verifier-interface.js\";\r\n\r\nexport async function resolveOverride(\r\n executionId: string,\r\n replayStore: AsyncReplayStore & {\r\n get: (key: string) => Promise<string | null>;\r\n del: (key: string) => Promise<void>;\r\n },\r\n signer: Signer,\r\n verifier: Verifier\r\n) {\r\n // -----------------------------\r\n // 1. Load pending execution\r\n // -----------------------------\r\n const raw = await replayStore.get(`pending:${executionId}`);\r\n\r\n if (!raw) {\r\n throw new Error(\r\n `[SYS-021] No pending execution found for ${executionId}`\r\n );\r\n }\r\n\r\n const stored = JSON.parse(raw);\r\n\r\n // -----------------------------\r\n // 2. Execute (same token)\r\n // -----------------------------\r\n const execution = await executeWithRedis(\r\n {\r\n token: stored.token,\r\n token_signature: stored.token_signature,\r\n signer,\r\n verifier,\r\n runtime_manifest: stored.runtime_manifest,\r\n runtime_requirements: stored.runtime_requirements\r\n },\r\n replayStore\r\n );\r\n\r\n // -----------------------------\r\n // 3. Remove pending state\r\n // -----------------------------\r\n await replayStore.del(`pending:${executionId}`);\r\n\r\n // -----------------------------\r\n // 4. 
Return result\r\n // -----------------------------\r\n return {\r\n status: \"success\" as const,\r\n execution_id: executionId,\r\n signature: execution.signature,\r\n resolved: true\r\n };\r\n}\r\n"],"mappings":";AAMO,SAAS,WAAW,OAMR;AAEjB,QAAM;AAAA,IACJ;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,EACF,IAAI;AAEJ,MAAI,CAAC,gBAAgB;AACnB,UAAM,IAAI,MAAM,uCAAuC;AAAA,EACzD;AAEA,MAAI,CAAC,iBAAiB;AACpB,UAAM,IAAI,MAAM,wCAAwC;AAAA,EAC1D;AAEA,QAAM,QAAwB;AAAA,IAC5B;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,EACF;AAEA,SAAO,aAAa,KAAK;AAC3B;AAKA,SAAS,aAAa,KAAe;AACnC,MAAI,MAAM,QAAQ,GAAG,GAAG;AACtB,WAAO,IAAI,IAAI,YAAY;AAAA,EAC7B;AAEA,MAAI,QAAQ,QAAQ,OAAO,QAAQ,UAAU;AAC3C,WAAO,OAAO,KAAK,GAAG,EACnB,KAAK,EACL,OAAO,CAAC,KAAU,QAAQ;AACzB,UAAI,GAAG,IAAI,aAAa,IAAI,GAAG,CAAC;AAChC,aAAO;AAAA,IACT,GAAG,CAAC,CAAC;AAAA,EACT;AAEA,SAAO;AACT;;;AC3DA;AAAA,EACE,gBAAAA;AAAA,OACK;AAOA,SAAS,uBACd,OACQ;AAER,SAAOA,cAAa,KAAK;AAC3B;;;ACEO,SAAS,mBACd,OACA,QACQ;AAER,QAAM,YAAY,uBAAuB,KAAK;AAGhD,UAAQ,IAAI,eAAe,SAAS;AAElC,SAAO,OAAO,KAAK,SAAS;AAC9B;;;ACfO,SAAS,qBACd,OACA,WACA,UACS;AAET,QAAM,YAAY,uBAAuB,KAAK;AAG9C,UAAQ,IAAI,iBAAiB,SAAS;AAEtC,SAAO,SAAS;AAAA,IACd;AAAA,IACA;AAAA,EACF;AACF;;;AC3BA;AAAA,EACE;AAAA,OACK;AAQA,SAAS,oBACd,UACM;AACN,QAAM,QACJ;AAAA,IACE;AAAA,EACF;AAEF,MAAI,CAAC,OAAO;AACV,UAAM,IAAI;AAAA,MACR,2CAA2C,QAAQ;AAAA,IACrD;AAAA,EACF;AACF;;;ACSO,SAAS,wBACd,aAQQ;AAER,SAAO,KAAK;AAAA,IACVC;AAAA,MACE;AAAA,IACF;AAAA,EACF;AACF;AAKA,SAASA,cACP,KACK;AAEL,MAAI,MAAM,QAAQ,GAAG,GAAG;AAEtB,WAAO,IAAI;AAAA,MACTA;AAAA,IACF;AAAA,EACF;AAEA,MACE,QAAQ,QAER,OAAO,QAAQ,UACf;AAEA,WAAO,OACJ,KAAK,GAAG,EACR,KAAK,EACL;AAAA,MACC,CACE,KACA,QACG;AAEH,YAAI,GAAG,IACLA;AAAA,UACE,IAAI,GAAG;AAAA,QACT;AAEF,eAAO;AAAA,MACT;AAAA,MACA,CAAC;AAAA,IACH;AAAA,EACJ;AAEA,SAAO;AACT;;;AC7EO,SAAS,YACd,OAEA,iBAEA,UAOA,kBAEA,sBACM;AAEN,QAAM,QACJ,SAAS;AAAA,IAEP,OAAO;AAAA,MACL;AAAA,QACE;AAAA,MACF;AAAA,IACF;AAAA,IAEA,OAAO;AAAA,MACL;AAAA,MACA;AAAA,IACF;AAAA,EACF;AAEF,MAAI,CAAC,OAAO;AAEV,UAAM,IAAI;AAAA,MACR;AAAA,IACF;AAAA,EACF;AAMA,MACE,CAAC,sBAAsB,8BAEvB,CA
AC,qBACE,2BACA;AAAA,IACC,iBAAiB;AAAA,EACnB,GACF;AAEA,UAAM,IAAI;AAAA,MACR;AAAA,IACF;AAAA,EACF;AAMA,aACQ,OACH,sBACC,yBACC,CAAC,GACN;AAEA,QACE,CAAC,iBACE,aACA,SAAS,GAAG,GACf;AAEA,YAAM,IAAI;AAAA,QACR,gCAAgC,GAAG;AAAA,MACrC;AAAA,IACF;AAAA,EACF;AAMA,MACE,CAAC,sBAAsB,6BAEvB,CAAC,qBACE,0BACA;AAAA,IACC,MAAM;AAAA,EACR,GACF;AAEA,UAAM,IAAI;AAAA,MACR;AAAA,IACF;AAAA,EACF;AACF;AAKO,SAAS,aACd,OACM;AAIR;AAKO,SAAS,UACd,SAuBA,QAMA,cACA;AAMA,QAAM,cAAc;AAAA,IAElB,cACE,QAAQ;AAAA,IAEV,WACE,QAAQ;AAAA,IAEV,gBACE,QAAQ;AAAA,IAEV,UACE,QAAQ;AAAA,IAEV,iBACE,QAAQ;AAAA,IAEV;AAAA,EACF;AAMA,QAAM,YACJ;AAAA,IACE;AAAA,EACF;AAMF,QAAM,YACJ,OAAO;AAAA,IACL;AAAA,EACF;AAMF,SAAO;AAAA,IAEL,cACE,QAAQ;AAAA,IAEV,WACE,QAAQ;AAAA,IAEV,gBACE,QAAQ;AAAA,IAEV,UACE,QAAQ;AAAA,IAEV,iBACE,QAAQ;AAAA,IAEV;AAAA,IAEA;AAAA,EACF;AACF;;;AChOO,IAAM,oBAAN,MAA+C;AAAA,EAA/C;AACL,SAAQ,QAAQ,oBAAI,IAAY;AAAA;AAAA,EAEhC,aAAa,cAA4B;AACvC,QAAI,KAAK,MAAM,IAAI,YAAY,GAAG;AAChC,YAAM,IAAI,MAAM,wBAAwB;AAAA,IAC1C;AAEA,SAAK,MAAM,IAAI,YAAY;AAAA,EAC7B;AACF;;;ACMO,SAAS,gBACd,SACA,aACsB;AAEtB,QAAM;AAAA,IACJ;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,EACF,IAAI;AAKJ;AAAA,IACE;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,EACF;AAKA,QAAM,QACJ,eACA,IAAI,kBAAkB;AAExB,MAAI,CAAC,QAAQ,WAAW;AAEtB,UAAM;AAAA,MACJ,MAAM;AAAA,IACR;AAAA,EACF;AAKA,eAAa,KAAK;AAKlB,QAAM,WACJ,MAAM;AAER,QAAM,kBAKJ,SAAS,oBACL,qBACA,SAAS,WAAW,YAClB,cACA;AAKR,SAAO;AAAA,IACL;AAAA,MACE,cACE,MAAM;AAAA,MAER,WACE,MAAM;AAAA,MAER,gBACE,MAAM;AAAA,MAER;AAAA,MAEA;AAAA,IACF;AAAA,IACA;AAAA,IACA,iBAAiB;AAAA,EACnB;AACF;;;ACtFO,SAAS,iBACd,OACA,WACA,UACS;AAET,SAAO,SAAS;AAAA,IACd,uBAAuB,KAAK;AAAA,IAC5B;AAAA,EACF;AACF;AASO,SAAS,mBAA4B;AAC1C,SAAO;AACT;;;ACtCA,YAAY,YAAY;AAExB;AAAA,EACE,gBAAAC;AAAA,OACK;AAOA,IAAM,4BAA4B;AAAA,EACvC,iBACE;AAAA,EAEF,2BAA2B;AAAA,IACzB;AAAA,EACF;AAAA,EAEA,cAAc;AAAA,IACZ;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,EACF;AACF;AAOO,SAAS,cAAsB;AACpC,SACG;AAAA,IACC;AAAA,EACF,EACC;AAAA,IACCA;AAAA,MACE;AAAA,IACF;AAAA,EACF,EACC;AAAA,IACC;AAAA,EACF;AACJ;;;ACbO,SAAS,qBAAsC;AAEpD,SAAO;AAAA,IACL,
cACE,YAAY;AAAA,IACd,GAAG;AAAA,EACL;AACF;;;ACvCA;AAAA,EACE,gBAAAC;AAAA,OACK;AAeA,SAAS,oBACd,UACA,QACQ;AAER,SAAO,OAAO;AAAA,IACZA,cAAa,QAAQ;AAAA,EACvB;AACF;;;ACTO,SAAS,sBACd,UACA,WACA,UACS;AAET,SAAO,SAAS;AAAA,IACd,uBAAuB,QAAQ;AAAA,IAC/B;AAAA,EACF;AACF;;;AC1BA,OAAOC,aAAY;AAaZ,IAAM,cAAN,MACa;AAAA;AAAA;AAAA;AAAA,EAOlB,YACmB,YACjB;AADiB;AAGjB,UAAM,gBACJ,WACG,QAAQ,QAAQ,IAAI,EACpB,KAAK;AAEV,SAAK,YACHA,QAAO,iBAAiB;AAAA,MACtB,KAAK;AAAA,MACL,QAAQ;AAAA,IACV,CAAC;AAAA,EACL;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,KACE,SACQ;AAER,WAAOA,QACJ;AAAA,MACC;AAAA,MAEA,OAAO;AAAA,QACL;AAAA,QACA;AAAA,MACF;AAAA,MAEA,KAAK;AAAA,IACP,EAEC;AAAA,MACC;AAAA,IACF;AAAA,EACJ;AACF;;;AC7DA,YAAYC,aAAY;AAWjB,IAAM,gBAAN,MACe;AAAA;AAAA;AAAA;AAAA,EAKpB,YACmB,WACjB;AADiB;AAAA,EAChB;AAAA;AAAA;AAAA;AAAA;AAAA,EAMH,OACE,SACA,WACS;AAET,WAAc;AAAA,MACZ;AAAA,MAEA,OAAO;AAAA,QACL;AAAA,QACA;AAAA,MACF;AAAA,MAEA,KAAK;AAAA,MAEL,OAAO;AAAA,QACL;AAAA,QACA;AAAA,MACF;AAAA,IACF;AAAA,EACF;AACF;;;ACHA,SAAS,kBACP,WACA,SACS;AAET,MAAI,SAAS,WAAW;AACtB,WAAO,UAAU,IAAI,MAAM,OAAK,kBAAkB,GAAG,OAAO,CAAC;AAAA,EAC/D;AAEA,MAAI,SAAS,WAAW;AACtB,WAAO,UAAU,IAAI,KAAK,OAAK,kBAAkB,GAAG,OAAO,CAAC;AAAA,EAC9D;AAEA,QAAM,EAAE,QAAQ,QAAQ,cAAc,UAAU,IAAI;AAEpD,MAAI,EAAE,UAAU,UAAU;AACxB,UAAM,IAAI,MAAM,qBAAqB,MAAM,EAAE;AAAA,EAC/C;AAEA,QAAM,SAAS,QAAQ,MAAM;AAE7B,MAAI,WAAW,QAAW;AACxB,QAAI,OAAO,WAAW,OAAO,QAAQ;AACnC,YAAM,IAAI,MAAM,qBAAqB,MAAM,EAAE;AAAA,IAC/C;AACA,WAAO,WAAW;AAAA,EACpB;AAEA,MAAI,iBAAiB,QAAW;AAC9B,QAAI,OAAO,WAAW,UAAU;AAC9B,YAAM,IAAI,MAAM,uBAAuB,MAAM,EAAE;AAAA,IACjD;AACA,WAAO,SAAS;AAAA,EAClB;AAEA,MAAI,cAAc,QAAW;AAC3B,QAAI,OAAO,WAAW,UAAU;AAC9B,YAAM,IAAI,MAAM,uBAAuB,MAAM,EAAE;AAAA,IACjD;AACA,WAAO,SAAS;AAAA,EAClB;AAEA,SAAO;AACT;AAKA,SAAS,sBAAsB,QAA8B;AAC3D,QAAM,YAAY,CAAC,OAAO;AAE1B,MAAI,CAAC,UAAU,SAAS,OAAO,aAAa,GAAG;AAC7C,UAAM,IAAI;AAAA,MACR,+BAA+B,OAAO,aAAa;AAAA,IACrD;AAAA,EACF;AACF;AAKO,SAAS,eACd,QACA,SACgB;AAEhB,wBAAsB,MAAM;AAK5B,aAAW,QAAQ,OAAO,OAAO;AAE/B,UAAM,UAAU;AAAA,MACd,KAAK;AAAA,MACL;AAAA,IACF;AAEA,QAAI,SAAS;AACX,aAAO;AAAA,QACL,QAAQ;AAAA,QACR,SAAS,KAAK;AAAA,QA
Cd,SAAS,KAAK;AAAA,QACd,QAAQ;AAAA,MACV;AAAA,IACF;AAAA,EACF;AAKA,QAAM,IAAI;AAAA,IACR;AAAA,EACF;AACF;;;ACzIA,YAAY,QAAQ;AACpB,YAAY,UAAU;AAIf,SAAS,WACd,UACA,eACA,WAAmB,QAAQ,IAAI,GACf;AAEhB,QAAM,aAAkB;AAAA,IACtB;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,EACF;AAEA,MAAI,CAAI,cAAW,UAAU,GAAG;AAC9B,UAAM,IAAI,MAAM,qBAAqB,UAAU,EAAE;AAAA,EACnD;AAEA,QAAM,MAAS,gBAAa,YAAY,MAAM;AAE9C,MAAI;AAEJ,MAAI;AACF,aAAS,KAAK,MAAM,GAAG;AAAA,EACzB,QAAQ;AACN,UAAM,IAAI;AAAA,MACR,qCAAqC,UAAU;AAAA,IACjD;AAAA,EACF;AAKA,MAAI,CAAC,UAAU,OAAO,WAAW,UAAU;AACzC,UAAM,IAAI;AAAA,MACR,sCAAsC,UAAU;AAAA,IAClD;AAAA,EACF;AAKA,MAAI,CAAC,OAAO,eAAe;AACzB,UAAM,IAAI;AAAA,MACR,6DAA6D,UAAU;AAAA,IACzE;AAAA,EACF;AAEA,MAAI,OAAO,gBAAgB;AACzB,UAAM,IAAI;AAAA,MACR,4DAA4D,UAAU;AAAA,IACxE;AAAA,EACF;AAKA,MAAI,CAAC,OAAO,eAAe;AACzB,UAAM,IAAI;AAAA,MACR,4CAA4C,UAAU;AAAA,IACxD;AAAA,EACF;AAEA,MAAI,OAAO,gBAAgB;AACzB,UAAM,IAAI;AAAA,MACR,4DAA4D,UAAU;AAAA,IACxE;AAAA,EACF;AAEA,SAAO;AACT;;;ACzDO,SAAS,sBACd,SACA,QACM;AAGN,QAAM,SAAS,OAAO;AAEtB,MAAI,CAAC,UAAU,OAAO,WAAW,UAAU;AACzC,UAAM,IAAI,MAAM,kDAAkD;AAAA,EACpE;AAEA,MAAI,CAAC,WAAW,OAAO,YAAY,UAAU;AAC3C,UAAM,IAAI,MAAM,oDAAoD;AAAA,EACtE;AAGA,aAAW,OAAO,OAAO,KAAK,OAAO,GAAG;AACtC,QAAI,CAAC,OAAO,UAAU,eAAe,KAAK,QAAQ,GAAG,GAAG;AACtD,YAAM,IAAI,MAAM,6BAA6B,GAAG,EAAE;AAAA,IACpD;AAAA,EACF;AAGA,aAAW,OAAO,OAAO,KAAK,MAAM,GAAG;AAErC,UAAM,MAAM,OAAO,GAAG;AACtB,UAAM,QAAQ,QAAQ,GAAG;AAEzB,UAAM,aAAa,IAAI,aAAa;AAEpC,QAAI,UAAU,QAAW;AACvB,UAAI,YAAY;AACd,cAAM,IAAI,MAAM,sCAAsC,GAAG,EAAE;AAAA,MAC7D;AACA;AAAA,IACF;AAEA,QAAI,CAAC,KAAK,MAAM;AACd,YAAM,IAAI,MAAM,wCAAwC,GAAG,EAAE;AAAA,IAC/D;AAEA,YAAQ,IAAI,MAAM;AAAA,MAEhB,KAAK;AACH,YAAI,OAAO,UAAU,WAAW;AAC9B,gBAAM,IAAI,MAAM,aAAa,GAAG,kBAAkB;AAAA,QACpD;AACA;AAAA,MAEF,KAAK;AACH,YAAI,OAAO,UAAU,YAAY,CAAC,OAAO,UAAU,KAAK,GAAG;AACzD,gBAAM,IAAI,MAAM,aAAa,GAAG,kBAAkB;AAAA,QACpD;AACA;AAAA,MAEF,KAAK;AACH,YAAI,OAAO,UAAU,UAAU;AAC7B,gBAAM,IAAI,MAAM,aAAa,GAAG,iBAAiB;AAAA,QACnD;AACA;AAAA,MAEF,KAAK;AACH,YAAI,OAAO,UAAU,UAAU;AAC7B,gBAAM,IAAI,MAAM,aAAa,GAAG,sBAAsB;AAAA,QACxD;AAEA,YAAI,CAAC,MAAM,QAAQ,
IAAI,MAAM,KAAK,IAAI,OAAO,WAAW,GAAG;AACzD,gBAAM,IAAI,MAAM,aAAa,GAAG,sBAAsB;AAAA,QACxD;AAEA,YAAI,CAAC,IAAI,OAAO,SAAS,KAAK,GAAG;AAC/B,gBAAM,IAAI;AAAA,YACR,+BAA+B,GAAG,KAAK,KAAK;AAAA,UAC9C;AAAA,QACF;AACA;AAAA,MAEF;AACE,cAAM,IAAI,MAAM,sCAAsC,IAAI,IAAI,EAAE;AAAA,IACpE;AAAA,EACF;AACF;;;ACnEO,SAAS,eACd,UACA,eACA,SACA,iBAAgB,oBAAI,KAAK,GAAE,YAAY,GACzB;AAKd,QAAM,SACJ,WAAW,UAAU,aAAa;AAKpC,wBAAsB,SAAS,MAAM;AAKrC,QAAM,WACJ,eAAe,QAAQ,OAAO;AAKhC,SAAO;AAAA,IACL,WAAW;AAAA,IACX,gBAAgB;AAAA,IAChB,gBAAgB;AAAA,IAEhB;AAAA;AAAA,IAEA,YAAY,CAAC;AAAA,IAEb,UAAU;AAAA,IACV,SAAS;AAAA,IAET,cAAc;AAAA,EAChB;AACF;;;ACrDO,IAAM,qBAAqB;AAAA,EAChC,WAAW;AAAA,IACT,IAAI;AAAA,IACJ,aAAa;AAAA,IACb,UAAU;AAAA,EACZ;AAAA,EACA,WAAW;AAAA,IACT,IAAI;AAAA,IACJ,aAAa;AAAA,IACb,UAAU;AAAA,EACZ;AAAA,EACA,WAAW;AAAA,IACT,IAAI;AAAA,IACJ,aAAa;AAAA,IACb,UAAU;AAAA,EACZ;AAAA,EACA,WAAW;AAAA,IACT,IAAI;AAAA,IACJ,aAAa;AAAA,IACb,UAAU,CAAC,gBAAgB,SAAS;AAAA,EACtC;AAAA,EACA,WAAW;AAAA,IACT,IAAI;AAAA,IACJ,aAAa;AAAA,IACb,UAAU;AAAA,EACZ;AAAA,EACA,WAAW;AAAA,IACT,IAAI;AAAA,IACJ,aAAa;AAAA,IACb,UAAU;AAAA,EACZ;AAAA,EACA,WAAW;AAAA,IACT,IAAI;AAAA,IACJ,aAAa;AAAA,IACb,UAAU;AAAA,EACZ;AAAA,EACA,WAAW;AAAA,IACT,IAAI;AAAA,IACJ,aAAa;AAAA,IACb,UAAU;AAAA,EACZ;AAAA,EACA,WAAW;AAAA,IACT,IAAI;AAAA,IACJ,aAAa;AAAA,IACb,UAAU;AAAA,EACZ;AAAA,EACA,WAAW;AAAA,IACT,IAAI;AAAA,IACJ,aAAa;AAAA,IACb,UAAU;AAAA,EACZ;AAAA,EACA,WAAW;AAAA,IACT,IAAI;AAAA,IACJ,aAAa;AAAA,IACb,UAAU;AAAA,EACZ;AAAA,EACA,WAAW;AAAA,IACT,IAAI;AAAA,IACJ,aAAa;AAAA,IACb,UAAU;AAAA,EACZ;AAAA,EACA,WAAW;AAAA,IACT,IAAI;AAAA,IACJ,aAAa;AAAA,IACb,UAAU;AAAA,EACZ;AAAA,EACA,WAAW;AAAA,IACT,IAAI;AAAA,IACJ,aAAa;AAAA,IACb,UAAU;AAAA,EACZ;AAAA,EACA,WAAW;AAAA,IACT,IAAI;AAAA,IACJ,aAAa;AAAA,IACb,UAAU;AAAA,EACZ;AAAA,EACA,WAAW;AAAA,IACT,IAAI;AAAA,IACJ,aAAa;AAAA,IACb,UAAU,CAAC,UAAU,UAAU,SAAS;AAAA,EAC1C;AAAA,EACA,WAAW;AAAA,IACT,IAAI;AAAA,IACJ,aAAa;AAAA,IACb,UAAU;AAAA,EACZ;AAAA,EACA,WAAW;AAAA,IACT,IAAI;AAAA,IACJ,aAAa;AAAA,IACb,UAAU;AAAA,EACZ;AAAA,EACA,WAAW;AAAA,IACT,IAAI;AAAA,IACJ,aAAa;AAAA,IACb,UAAU;AAAA,EACZ;AAAA,EACA,WAAW;AAAA,IAC
T,IAAI;AAAA,IACJ,aAAa;AAAA,IACb,UAAU;AAAA,EACZ;AAAA,EACA,WAAW;AAAA,IACT,IAAI;AAAA,IACJ,aAAa;AAAA,IACb,UAAU;AAAA,EACZ;AAAA,EACA,WAAW;AAAA,IACT,IAAI;AAAA,IACJ,aAAa;AAAA,IACb,UAAU;AAAA,EACZ;AAAA,EACA,WAAW;AAAA,IACT,IAAI;AAAA,IACJ,aAAa;AAAA,IACb,UAAU;AAAA,EACZ;AAAA,EACA,WAAW;AAAA,IACT,IAAI;AAAA,IACJ,aAAa;AAAA,IACb,UAAU;AAAA,EACZ;AAAA,EACA,WAAW;AAAA,IACT,IAAI;AAAA,IACJ,aAAa;AAAA,IACb,UAAU;AAAA,EACZ;AAAA,EACA,WAAW;AAAA,IACT,IAAI;AAAA,IACJ,aAAa;AAAA,IACb,UAAU;AAAA,EACZ;AAAA,EACA,WAAW;AAAA,IACT,IAAI;AAAA,IACJ,aAAa;AAAA,IACb,UAAU;AAAA,EACZ;AAAA,EACA,WAAW;AAAA,IACT,IAAI;AAAA,IACJ,aAAa;AAAA,IACb,UAAU;AAAA,EACZ;AAAA,EACA,WAAW;AAAA,IACT,IAAI;AAAA,IACJ,aAAa;AAAA,IACb,UAAU;AAAA,EACZ;AAAA,EACA,WAAW;AAAA,IACT,IAAI;AAAA,IACJ,aAAa;AAAA,IACb,UAAU;AAAA,EACZ;AAAA,EACA,WAAW;AAAA,IACT,IAAI;AAAA,IACJ,aAAa;AAAA,IACb,UAAU;AAAA,EACZ;AAAA,EACA,WAAW;AAAA,IACT,IAAI;AAAA,IACJ,aAAa;AAAA,IACb,UAAU;AAAA,EACZ;AAAA,EACA,WAAW;AAAA,IACT,IAAI;AAAA,IACJ,aAAa;AAAA,IACb,UAAU;AAAA,EACZ;AAAA,EACA,WAAW;AAAA,IACT,IAAI;AAAA,IACJ,aAAa;AAAA,IACb,UAAU;AAAA,EACZ;AAAA,EACA,WAAW;AAAA,IACT,IAAI;AAAA,IACJ,aAAa;AAAA,IACb,UAAU;AAAA,EACZ;AAAA,EACA,WAAW;AAAA,IACT,IAAI;AAAA,IACJ,aAAa;AAAA,IACb,UAAU;AAAA,EACZ;AAAA,EACA,WAAW;AAAA,IACT,IAAI;AAAA,IACJ,aAAa;AAAA,IACb,UAAU;AAAA,EACZ;AAAA,EACA,WAAW;AAAA,IACT,IAAI;AAAA,IACJ,aAAa;AAAA,IACb,UAAU;AAAA,EACZ;AAAA,EACA,WAAW;AAAA,IACT,IAAI;AAAA,IACJ,aAAa;AAAA,IACb,UAAU;AAAA,EACZ;AAAA,EACA,WAAW;AAAA,IACT,IAAI;AAAA,IACJ,aAAa;AAAA,IACb,UAAU;AAAA,EACZ;AAAA,EACA,WAAW;AAAA,IACT,IAAI;AAAA,IACJ,aAAa;AAAA,IACb,UAAU;AAAA,EACZ;AAAA,EACA,WAAW;AAAA,IACT,IAAI;AAAA,IACJ,aAAa;AAAA,IACb,UAAU;AAAA,EACZ;AAAA,EACA,WAAW;AAAA,IACT,IAAI;AAAA,IACJ,aAAa;AAAA,IACb,UAAU;AAAA,EACZ;AAAA,EACA,WAAW;AAAA,IACT,IAAI;AAAA,IACJ,aAAa;AAAA,IACb,UAAU;AAAA,EACZ;AAAA,EACA,WAAW;AAAA,IACT,IAAI;AAAA,IACJ,aAAa;AAAA,IACb,UAAU;AAAA,EACZ;AAAA,EACA,WAAW;AAAA,IACT,IAAI;AAAA,IACJ,aAAa;AAAA,IACb,UAAU,CAAC,UAAU,UAAU,SAAS;AAAA,EAC1C;AAAA,EACA,WAAW;AAAA,IACT,IAAI;AAAA,IACJ,aAAa;AAAA,IACb,UAAU;AAAA,EACZ;AAAA,EACA,WAAW;AAAA,IACT,IAAI;AAAA,IACJ,aA
Aa;AAAA,IACb,UAAU;AAAA,EACZ;AAAA,EACA,YAAY;AAAA,IACV,IAAI;AAAA,IACJ,aAAa;AAAA,IACb,UAAU;AAAA,EACZ;AAAA,EACA,YAAY;AAAA,IACV,IAAI;AAAA,IACJ,aAAa;AAAA,IACb,UAAU,CAAC,UAAU,UAAU,WAAW,MAAM;AAAA,EAClD;AACF;;;AChRA,YAAYC,aAAY;AAoBxB,IAAI,OAAO;AAQJ,IAAM,qBAAN,cAAiC,MAAM;AAAA,EAG5C,YAAY,QAAyB;AACnC,UAAM,IAAI,OAAO,YAAY,IAAI,OAAO,QAAQ,KAAK,OAAO,MAAM,EAAE;AACpE,SAAK,OAAO;AACZ,SAAK,SAAS;AAAA,EAChB;AACF;AAMO,SAAS,UAAU,OAAwB;AAChD,QAAM,QACJ,OAAO,UAAU,WACb,QACA,KAAK,UAAU,KAAK,KAAK;AAE/B,SACG,mBAAW,QAAQ,EACnB,OAAO,OAAO,MAAM,EACpB,OAAO,KAAK;AACjB;AAWO,SAAS,QACd,cACA,UACA,QACA,OACO;AACP,QAAM,IAAI,mBAAmB;AAAA,IAC3B;AAAA,IACA;AAAA,IACA;AAAA,IACA,YAAY,UAAU,KAAK;AAAA,IAC3B,eAAe,EAAE;AAAA,EACnB,CAAC;AACH;;;AC1DO,IAAM,oBAAoB;AAAA,EAC/B;AAAA,EACA;AACF;AAMO,IAAM,qBAAqB;AAAA,EAChC;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AACF;AAaO,SAAS,cAAc,UAA2B;AACvD,MAAI,YAAY,SAAS,SAAS,GAAG;AACnC,WAAO;AAAA,EACT;AACA,UAAO,oBAAI,KAAK,GAAE,YAAY;AAChC;;;AC/CA,YAAYC,aAAY;;;ACOxB,eAAsB,iBACpB,SACA,YAC+B;AAG/B,QAAM,WAAW;AAAA,IACf,QAAQ,MAAM;AAAA,EAChB;AAGA,QAAM,cAAc,IAAI,kBAAkB;AAE1C,SAAO,gBAAgB,SAAS,WAAW;AAC7C;;;ACzBO,SAASC,cAAa,OAAoB;AAC/C,SAAO,KAAK,UAAU,UAAU,KAAK,CAAC;AACxC;AAEA,SAAS,UAAU,OAAiB;AAClC,MAAI,MAAM,QAAQ,KAAK,GAAG;AACxB,WAAO,MAAM,IAAI,SAAS;AAAA,EAC5B;AAEA,MAAI,SAAS,OAAO,UAAU,UAAU;AACtC,UAAM,SAA8B,CAAC;AAErC,eAAW,OAAO,OAAO,KAAK,KAAK,EAAE,KAAK,GAAG;AAC3C,aAAO,GAAG,IAAI,UAAU,MAAM,GAAG,CAAC;AAAA,IACpC;AAEA,WAAO;AAAA,EACT;AAEA,SAAO;AACT;;;AFAA,eAAsB,mBACpB,OAMA,QACA,UACA,aAKA;AACA,MAAI;AAKF,UAAM,SAAS;AAAA,MACb,MAAM;AAAA,MACN,MAAM;AAAA,IACR;AAKA;AAAA,MACE,MAAM;AAAA,MACN;AAAA,IACF;AAKA,UAAM,WACJ;AAAA,MACE;AAAA,MACA,MAAM;AAAA,IACR;AAKF,QACE,SAAS,WAAW,aACpB,CAAC,SAAS,SACV;AAEA,YAAM,IAAI;AAAA,QACR;AAAA,MACF;AAAA,IACF;AAEA,QAAI,CAAC,SAAS,SAAS;AAErB,YAAM,IAAI;AAAA,QACR;AAAA,MACF;AAAA,IACF;AAKA,UAAM,mBACJC;AAAA,MACE,MAAM;AAAA,IACR;AAKF,UAAM,cACH,mBAAW,QAAQ,EACnB;AAAA,MACC,KAAK,UAAU;AAAA,QACb,UACE,MAAM;AAAA,QAER,eACE,MAAM;AAAA,QAER,SACE;AAAA,MACJ,CAAC;AAAA,IACH,EACC,OAAO,KAAK;AAKf,UAAM,kBACJ,mBAAmB;AAKrB,UAAM,QAAQ,WA
AW;AAAA,MAEvB,cACE;AAAA,MAEF,WACE,MAAM;AAAA,MAER,kBACE,SAAS;AAAA,MAEX,gBACE,OAAO;AAAA,MAET,iBACE,gBAAgB;AAAA,IACpB,CAAC;AAED,UAAM,iBACJ;AAAA,MACE;AAAA,MACA;AAAA,IACF;AAKF,UAAM,sBAAsB;AAAA,MAE1B,uBAAuB,CAAC;AAAA,MAExB,4BAA4B;AAAA,QAC1B,gBAAgB;AAAA,MAClB;AAAA,MAEA,2BAA2B;AAAA,QACzB,OAAO;AAAA,MACT;AAAA,IACF;AAKA,UAAM,SACJ,SAAS,QAAQ;AAEnB,UAAM,mBACJ,SAAS,QAAQ;AAEnB,QAAI;AAKJ,QAAI,kBAAkB;AAEpB,wBACE;AAAA,IAEJ,OAAO;AAEL,wBACE,WAAW,YACP,cACA;AAAA,IACR;AAKA,QACE,oBACA,oBACA;AAEA,UAAI,CAAC,YAAY,KAAK;AAEpB,cAAM,IAAI;AAAA,UACR;AAAA,QACF;AAAA,MACF;AAEA,YAAM,YAAY;AAAA,QAChB,WAAW,WAAW;AAAA,QAEtB,KAAK,UAAU;AAAA,UAEb;AAAA,UAEA,iBACE;AAAA,UAEF,kBACE;AAAA,UAEF,sBACE;AAAA,QACJ,CAAC;AAAA,MACH;AAEA,YAAMC,eACmB;AAAA,QAEvB,cACE;AAAA,QAEH,WACH,MAAM;AAAA,QAER,gBACE,MAAM;AAAA,QAEF,UACE,SAAS;AAAA,QAEX,iBACE;AAAA,QAEF,cACE,gBAAgB;AAAA,QAElB,WACE;AAAA,MACJ;AAEA,aAAO;AAAA,QAEL,QACE;AAAA,QAEF,cACE;AAAA,QAEF;AAAA,QAEA,mBACE;AAAA,QAEF,aAAAA;AAAA,MACF;AAAA,IACF;AAKA,QAAI;AAEJ,QAAI;AAEF,kBACE,MAAM;AAAA,QACJ;AAAA,UACE;AAAA,UAEA,iBACE;AAAA,UAEF;AAAA,UAEA;AAAA,UAEA,kBACE;AAAA,UAEF,sBACE;AAAA,QACJ;AAAA,QAEA;AAAA,MACF;AAAA,IAEJ,SAAS,KAAK;AAEZ,YAAM,UACJ,eAAe,QACX,IAAI,UACJ;AAKN,UACE,QAAQ;AAAA,QACN;AAAA,MACF,GACA;AAEA,eAAO;AAAA,UAEL,QACE;AAAA,UAEF,cACE;AAAA,UAEF;AAAA,UAEA;AAAA,UAEA,mBACE;AAAA,UAEF,QACE;AAAA,QACJ;AAAA,MACF;AAEA,YAAM;AAAA,IACR;AAKA,UAAM,cACmB;AAAA,MAEvB,cACE;AAAA,MACH,WACD,MAAM;AAAA,MAER,gBACE,MAAM;AAAA,MAEJ,UACE,SAAS;AAAA,MAEX;AAAA,MAEA,cACE,gBAAgB;AAAA,MAElB,WACE,UAAU;AAAA,IACd;AAKA,WAAO;AAAA,MAEL,QACE;AAAA,MAEF,cACE;AAAA,MAEF;AAAA,MAEA;AAAA,MAEA,mBACE;AAAA,MAEF,WACE,UAAU;AAAA,MAEZ;AAAA,IACF;AAAA,EAEF,SAAS,KAAc;AAErB,WAAO;AAAA,MAEL,QACE;AAAA,MAEF,OACE,eAAe,QACX,IAAI,UACJ;AAAA,IACR;AAAA,EACF;AACF;;;AGhXA,eAAsB,aACpB,SAMA,QACA,UACA,aACA;AAEA,QAAM,UAAU,CAAC;AAEjB,aAAW,UAAU,SAAS;AAE5B,QAAI;AAEF,YAAM,SACJ,MAAM;AAAA,QACJ;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,MACF;AAEF,cAAQ,KAAK;AAAA,QACX,OAAO;AAAA,QACP;AAAA,MACF,CAAC;AAAA,IAEH,SAAS,KAAc;AAErB,cAAQ,KAAK;AAAA,QACX,OAAO;AAAA,QACP,QAAQ;AAAA,UACN,QAAQ;AA
AA,UACR,OACE,eAAe,QACX,IAAI,UACJ;AAAA,QACR;AAAA,MACF,CAAC;AAAA,IAEH;AAAA,EACF;AAEA,SAAO;AACT;;;ACvEA,OAAO,WAAW;AAUX,IAAM,mBAAN,MACuB;AAAA,EAI5B,YACE,KACA;AAEA,SAAK,SACH,IAAK,MAAc,GAAG;AAAA,EAC1B;AAAA,EAEA,MAAM,YACJ,aACkB;AAElB,UAAM,MACJ,MAAM,KAAK,OAAO;AAAA,MAChB,QAAQ,WAAW;AAAA,IACrB;AAEF,WAAO,QAAQ;AAAA,EACjB;AAAA,EAEA,MAAM,aACJ,aACe;AAEf,UAAM,SACJ,MAAM,KAAK,OAAO;AAAA,MAChB,QAAQ,WAAW;AAAA,MACnB;AAAA,MACA;AAAA,IACF;AAEF,QAAI,WAAW,MAAM;AAEnB,YAAM,IAAI;AAAA,QACR,kDAAkD,WAAW;AAAA,MAC/D;AAAA,IACF;AAAA,EACF;AAAA,EAEA,MAAM,IACJ,KACwB;AAExB,WAAO,KAAK,OAAO,IAAI,GAAG;AAAA,EAC5B;AAAA,EAEA,MAAM,IACJ,KACA,OACe;AAEf,UAAM,KAAK,OAAO;AAAA,MAChB;AAAA,MACA;AAAA,IACF;AAAA,EACF;AAAA,EAEA,MAAM,IACJ,KACe;AAEf,UAAM,KAAK,OAAO,IAAI,GAAG;AAAA,EAC3B;AAAA,EAEA,MAAM,QAAuB;AAE3B,UAAM,KAAK,OAAO,KAAK;AAAA,EACzB;AACF;;;AC7EA,eAAsB,gBACpB,aACA,aAIA,QACA,UACA;AAIA,QAAM,MAAM,MAAM,YAAY,IAAI,WAAW,WAAW,EAAE;AAE1D,MAAI,CAAC,KAAK;AACR,UAAM,IAAI;AAAA,MACR,4CAA4C,WAAW;AAAA,IACzD;AAAA,EACF;AAEA,QAAM,SAAS,KAAK,MAAM,GAAG;AAK7B,QAAM,YAAY,MAAM;AAAA,IACtB;AAAA,MACE,OAAO,OAAO;AAAA,MACd,iBAAiB,OAAO;AAAA,MACxB;AAAA,MACA;AAAA,MACA,kBAAkB,OAAO;AAAA,MACzB,sBAAsB,OAAO;AAAA,IAC/B;AAAA,IACA;AAAA,EACF;AAKA,QAAM,YAAY,IAAI,WAAW,WAAW,EAAE;AAK9C,SAAO;AAAA,IACL,QAAQ;AAAA,IACR,cAAc;AAAA,IACd,WAAW,UAAU;AAAA,IACrB,UAAU;AAAA,EACZ;AACF;","names":["canonicalize","canonicalize","canonicalize","canonicalize","crypto","crypto","crypto","crypto","canonicalize","canonicalize","attestation"]}
|
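--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
 {
 "name": "@parmanasystems/execution",
-"version": "1.
+"version": "1.24.0",
 "private": false,
 "type": "module",
 "scripts": {
@@ -18,8 +18,8 @@
 ],
 "sideEffects": false,
 "dependencies": {
-"@parmanasystems/bundle": "^1.
-"@parmanasystems/governance": "^1.
+"@parmanasystems/bundle": "^1.24.0",
+"@parmanasystems/governance": "^1.24.0",
 "ioredis": "^5.10.1",
 "redis": "^5.12.1"
 },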