@peac/audit 0.10.9

package/dist/verification-report.js

@@ -0,0 +1,556 @@
+"use strict";
+/**
+ * Verification Report (v0.9.30+)
+ *
+ * Deterministic verification of dispute bundles with JCS-canonicalized reports.
+ * The report_hash enables cross-language parity: TS and Go implementations
+ * must produce identical hashes for the same bundle verification.
+ *
+ * Key design principles:
+ * 1. Real Ed25519 signature verification using @peac/crypto
+ * 2. No timestamps in deterministic output
+ * 3. All arrays sorted by stable keys for reproducibility
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.verifyBundle = verifyBundle;
+exports.serializeReport = serializeReport;
+exports.formatReportText = formatReportText;
+const node_crypto_1 = require("node:crypto");
+const crypto_1 = require("@peac/crypto");
+const dispute_bundle_js_1 = require("./dispute-bundle.js");
+const dispute_bundle_js_2 = require("./dispute-bundle.js");
+const dispute_bundle_types_js_1 = require("./dispute-bundle-types.js");
+/**
+ * Compute SHA-256 hash of data with self-describing format.
+ * Returns `sha256:<64 lowercase hex chars>` format.
+ */
+function sha256Hex(data) {
+    const hash = (0, node_crypto_1.createHash)('sha256');
+    hash.update(data);
+    return `sha256:${hash.digest('hex')}`;
+}
+/** Decode base64url to Buffer */
+function base64urlDecode(str) {
+    const padded = str + '='.repeat((4 - (str.length % 4)) % 4);
+    const base64 = padded.replace(/-/g, '+').replace(/_/g, '/');
+    return Buffer.from(base64, 'base64');
+}
+/** Parse JWS to extract header and payload */
+function parseJws(jws) {
+    const parts = jws.split('.');
+    if (parts.length !== 3) {
+        return null;
+    }
+    try {
+        const headerJson = base64urlDecode(parts[0]).toString('utf8');
+        const payloadJson = base64urlDecode(parts[1]).toString('utf8');
+        return {
+            header: JSON.parse(headerJson),
+            payload: JSON.parse(payloadJson),
+            signature: parts[2],
+        };
+    }
+    catch {
+        return null;
+    }
+}
+/** Create a bundle error */
+function bundleError(code, message, details) {
+    return { code, message, details };
+}
+/**
+ * Strip undefined values from an object recursively.
+ * JCS canonicalization cannot handle undefined values.
+ */
+function stripUndefined(obj) {
+    if (obj === null || obj === undefined) {
+        return obj;
+    }
+    if (Array.isArray(obj)) {
+        return obj.map(stripUndefined);
+    }
+    if (typeof obj === 'object') {
+        const result = {};
+        for (const [key, value] of Object.entries(obj)) {
+            if (value !== undefined) {
+                result[key] = stripUndefined(value);
+            }
+        }
+        return result;
+    }
+    return obj;
+}
+/**
+ * Verify receipt claims (basic validation without cryptographic signature check).
+ *
+ * This validates:
+ * - Required claims are present (jti, iss, iat)
+ * - Timestamps are valid (not expired, not in future)
+ *
+ * Note: Signature verification requires access to the signing key and is
+ * handled separately. This function focuses on claim validation.
+ */
+function verifyReceiptClaims(payload, now) {
+    const errors = [];
+    const nowSec = Math.floor(now.getTime() / 1000);
+    // Required claims
+    if (!payload.jti) {
+        errors.push('E_RECEIPT_MISSING_JTI');
+    }
+    if (!payload.iss) {
+        errors.push('E_RECEIPT_MISSING_ISS');
+    }
+    if (payload.iat === undefined) {
+        errors.push('E_RECEIPT_MISSING_IAT');
+    }
+    else {
+        const iat = typeof payload.iat === 'number' ? payload.iat : NaN;
+        if (isNaN(iat)) {
+            errors.push('E_RECEIPT_INVALID_IAT');
+        }
+        else if (iat > nowSec + 300) {
+            // Allow 5 min clock skew
+            errors.push('E_RECEIPT_NOT_YET_VALID');
+        }
+    }
+    // Check expiry if present
+    if (payload.exp !== undefined) {
+        const exp = typeof payload.exp === 'number' ? payload.exp : NaN;
+        if (isNaN(exp)) {
+            errors.push('E_RECEIPT_INVALID_EXP');
+        }
+        else if (exp < nowSec) {
+            errors.push('E_RECEIPT_EXPIRED');
+        }
+    }
+    return {
+        valid: errors.length === 0,
+        errors,
+    };
+}
+/**
+ * Find the key ID used to sign a receipt.
+ */
+function getReceiptKeyId(header) {
+    return typeof header.kid === 'string' ? header.kid : undefined;
+}
+/**
+ * Convert JWK to raw Ed25519 public key bytes (32 bytes).
+ * Returns null if the JWK is not a valid Ed25519 key.
+ */
+function jwkToPublicKeyBytes(jwk) {
+    if (jwk.kty !== 'OKP' || jwk.crv !== 'Ed25519' || !jwk.x) {
+        return null;
+    }
+    // Decode base64url to bytes
+    const padded = jwk.x + '='.repeat((4 - (jwk.x.length % 4)) % 4);
+    const base64 = padded.replace(/-/g, '+').replace(/_/g, '/');
+    const bytes = Buffer.from(base64, 'base64');
+    if (bytes.length !== 32) {
+        return null;
+    }
+    return new Uint8Array(bytes);
+}
+/**
+ * Find a key by kid in the bundle's JWKS.
+ */
+function findKey(keys, kid) {
+    return keys.find((k) => k.kid === kid);
+}
+/**
+ * Verify a single receipt with real Ed25519 signature verification.
+ *
+ * In offline mode, we use only the keys bundled in the JWKS.
+ * All signature verification is cryptographic - not just key presence.
+ */
+async function verifyReceipt(receiptId, jws, bundleContents, options) {
+    const parsed = parseJws(jws);
+    if (!parsed) {
+        return {
+            receipt_id: receiptId,
+            signature_valid: false,
+            claims_valid: false,
+            errors: ['E_RECEIPT_INVALID_FORMAT'],
+        };
+    }
+    const { header, payload } = parsed;
+    const keyId = getReceiptKeyId(header);
+    const errors = [];
+    // Check key ID presence
+    if (!keyId) {
+        return {
+            receipt_id: receiptId,
+            signature_valid: false,
+            claims_valid: false,
+            errors: ['E_RECEIPT_MISSING_KID'],
+        };
+    }
+    // Find the key in the bundle's JWKS
+    const jwk = findKey(bundleContents.keys.keys, keyId);
+    if (!jwk) {
+        // Key not found - in offline mode this is fatal
+        if (options.offline) {
+            return {
+                receipt_id: receiptId,
+                signature_valid: false,
+                claims_valid: false,
+                key_id: keyId,
+                errors: [dispute_bundle_js_2.BundleErrorCodes.KEY_MISSING],
+            };
+        }
+        // In online mode, we could try to fetch the key, but for now fail
+        return {
+            receipt_id: receiptId,
+            signature_valid: false,
+            claims_valid: false,
+            key_id: keyId,
+            errors: [dispute_bundle_js_2.BundleErrorCodes.KEY_MISSING],
+        };
+    }
+    // Convert JWK to raw public key bytes
+    const publicKeyBytes = jwkToPublicKeyBytes(jwk);
+    if (!publicKeyBytes) {
+        return {
+            receipt_id: receiptId,
+            signature_valid: false,
+            claims_valid: false,
+            key_id: keyId,
+            errors: ['E_RECEIPT_INVALID_KEY_FORMAT'],
+        };
+    }
+    // Perform real Ed25519 signature verification
+    let signatureValid = false;
+    try {
+        const result = await (0, crypto_1.verify)(jws, publicKeyBytes);
+        signatureValid = result.valid;
+        if (!signatureValid) {
+            errors.push('E_RECEIPT_SIGNATURE_INVALID');
+        }
+    }
+    catch (err) {
+        // Handle crypto errors
+        if (err instanceof crypto_1.CryptoError) {
+            errors.push(`E_RECEIPT_CRYPTO_ERROR:${err.code}`);
+        }
+        else {
+            errors.push('E_RECEIPT_SIGNATURE_INVALID');
+        }
+        signatureValid = false;
+    }
+    // Validate claims
+    const claimsResult = verifyReceiptClaims(payload, options.now ?? new Date());
+    errors.push(...claimsResult.errors);
+    return {
+        receipt_id: receiptId,
+        signature_valid: signatureValid,
+        claims_valid: claimsResult.valid,
+        key_id: keyId,
+        errors,
+        claims: signatureValid && claimsResult.valid && errors.length === 0 ? payload : undefined,
+    };
+}
+/**
+ * Build key usage tracking.
+ */
+function buildKeyUsage(results) {
+    const usage = new Map();
+    for (const result of results) {
+        if (result.key_id) {
+            const existing = usage.get(result.key_id) ?? [];
+            existing.push(result.receipt_id);
+            usage.set(result.key_id, existing);
+        }
+    }
+    const entries = [];
+    for (const [kid, receiptIds] of usage) {
+        entries.push({
+            kid,
+            receipts_signed: receiptIds.length,
+            receipt_ids: receiptIds.sort(),
+        });
+    }
+    // Sort by kid for determinism
+    return entries.sort((a, b) => a.kid.localeCompare(b.kid));
+}
+/**
+ * Generate auditor-friendly summary.
+ */
+function generateAuditorSummary(totalReceipts, validCount, invalidCount, results) {
+    const headline = `${validCount}/${totalReceipts} receipts valid`;
+    const issues = [];
+    for (const result of results) {
+        if (!result.signature_valid || !result.claims_valid) {
+            const errorSummary = result.errors.length > 0 ? result.errors.join(', ') : 'validation failed';
+            issues.push(`Receipt ${result.receipt_id}: ${errorSummary}`);
+        }
+    }
+    // Sort issues for determinism
+    issues.sort();
+    let recommendation;
+    if (invalidCount === 0) {
+        recommendation = 'valid';
+    }
+    else if (invalidCount === totalReceipts) {
+        recommendation = 'invalid';
+    }
+    else {
+        recommendation = 'needs_review';
+    }
+    return {
+        headline,
+        issues,
+        recommendation,
+    };
+}
+/**
+ * Verify the bundle.sig if present.
+ * The bundle.sig is a JWS over { content_hash: "..." } signed with a key from the JWKS.
+ */
+async function verifyBundleSignature(bundleContents) {
+    const { bundle_sig, keys, manifest } = bundleContents;
+    // No bundle.sig present
+    if (!bundle_sig) {
+        return { present: false };
+    }
+    // Parse the JWS to get the key ID
+    const parsed = parseJws(bundle_sig);
+    if (!parsed) {
+        return {
+            present: true,
+            valid: false,
+            error: 'E_BUNDLE_SIGNATURE_INVALID_FORMAT',
+        };
+    }
+    const keyId = typeof parsed.header.kid === 'string' ? parsed.header.kid : undefined;
+    if (!keyId) {
+        return {
+            present: true,
+            valid: false,
+            error: 'E_BUNDLE_SIGNATURE_MISSING_KID',
+        };
+    }
+    // Find the key in JWKS
+    const jwk = keys.keys.find((k) => k.kid === keyId);
+    if (!jwk) {
+        return {
+            present: true,
+            valid: false,
+            key_id: keyId,
+            error: dispute_bundle_js_2.BundleErrorCodes.KEY_MISSING,
+        };
+    }
+    // Convert JWK to raw public key bytes
+    const publicKeyBytes = jwkToPublicKeyBytes(jwk);
+    if (!publicKeyBytes) {
+        return {
+            present: true,
+            valid: false,
+            key_id: keyId,
+            error: 'E_BUNDLE_SIGNATURE_INVALID_KEY_FORMAT',
+        };
+    }
+    // Verify the signature
+    try {
+        const result = await (0, crypto_1.verify)(bundle_sig, publicKeyBytes);
+        if (!result.valid) {
+            return {
+                present: true,
+                valid: false,
+                key_id: keyId,
+                error: dispute_bundle_js_2.BundleErrorCodes.SIGNATURE_INVALID,
+            };
+        }
+        // Verify the content_hash in the payload matches the manifest
+        if (result.payload.content_hash !== manifest.content_hash) {
+            return {
+                present: true,
+                valid: false,
+                key_id: keyId,
+                error: 'E_BUNDLE_SIGNATURE_CONTENT_MISMATCH',
+            };
+        }
+        return {
+            present: true,
+            valid: true,
+            key_id: keyId,
+        };
+    }
+    catch (err) {
+        const errorMsg = err instanceof crypto_1.CryptoError
+            ? `E_BUNDLE_SIGNATURE_CRYPTO_ERROR:${err.code}`
+            : dispute_bundle_js_2.BundleErrorCodes.SIGNATURE_INVALID;
+        return {
+            present: true,
+            valid: false,
+            key_id: keyId,
+            error: errorMsg,
+        };
+    }
+}
+/**
+ * Verify all receipts in a dispute bundle and generate a deterministic report.
+ *
+ * @param zipBuffer - Buffer containing the ZIP archive
+ * @param options - Verification options
+ * @returns Promise resolving to a deterministic verification report
+ *
+ * @example
+ * ```typescript
+ * const zipData = fs.readFileSync('dispute-bundle.zip');
+ * const result = await verifyBundle(zipData, { offline: true });
+ *
+ * if (result.ok) {
+ *   console.log('Report hash:', result.value.report_hash);
+ *   console.log('Summary:', result.value.auditor_summary.headline);
+ * }
+ * ```
+ */
+async function verifyBundle(zipBuffer, options) {
+    // Read and parse the bundle
+    const readResult = await (0, dispute_bundle_js_1.readDisputeBundle)(zipBuffer);
+    if (!readResult.ok) {
+        return readResult;
+    }
+    const bundleContents = readResult.value;
+    const { manifest, receipts } = bundleContents;
+    // Verify bundle.sig if present (authenticity)
+    const bundleSignature = await verifyBundleSignature(bundleContents);
+    // Verify each receipt with real Ed25519 signature verification
+    const results = [];
+    for (const receiptEntry of manifest.receipts) {
+        const jws = receipts.get(receiptEntry.receipt_id);
+        if (!jws) {
+            results.push({
+                receipt_id: receiptEntry.receipt_id,
+                signature_valid: false,
+                claims_valid: false,
+                errors: ['E_BUNDLE_RECEIPT_NOT_FOUND'],
+            });
+            continue;
+        }
+        const result = await verifyReceipt(receiptEntry.receipt_id, jws, bundleContents, options);
+        results.push(result);
+    }
+    // Sort results by receipt_id for determinism
+    results.sort((a, b) => a.receipt_id.localeCompare(b.receipt_id));
+    // Count valid/invalid
+    const validCount = results.filter((r) => r.signature_valid && r.claims_valid && r.errors.length === 0).length;
+    const invalidCount = results.length - validCount;
+    // Build key usage
+    const keysUsed = buildKeyUsage(results);
+    // Generate auditor summary
+    const auditorSummary = generateAuditorSummary(results.length, validCount, invalidCount, results);
+    // Build report without report_hash
+    const reportWithoutHash = {
+        version: dispute_bundle_types_js_1.VERIFICATION_REPORT_VERSION,
+        bundle_content_hash: manifest.content_hash,
+        bundle_signature: bundleSignature,
+        summary: {
+            total_receipts: results.length,
+            valid: validCount,
+            invalid: invalidCount,
+        },
+        receipts: results,
+        keys_used: keysUsed,
+        auditor_summary: auditorSummary,
+    };
+    // Compute report_hash = SHA-256 of JCS(report without report_hash)
+    // Strip undefined values first since JCS cannot handle them
+    const cleanedReport = stripUndefined(reportWithoutHash);
+    const reportHash = sha256Hex((0, crypto_1.canonicalize)(cleanedReport));
+    const report = {
+        ...reportWithoutHash,
+        report_hash: reportHash,
+    };
+    return {
+        ok: true,
+        value: report,
+    };
+}
+/**
+ * Serialize a verification report to JSON.
+ *
+ * @param report - Verification report
+ * @param pretty - Pretty print (default: false)
+ * @returns JSON string
+ */
+function serializeReport(report, pretty = false) {
+    if (pretty) {
+        return JSON.stringify(report, null, 2);
+    }
+    return JSON.stringify(report);
+}
+/**
+ * Format verification report as human-readable text.
+ *
+ * @param report - Verification report
+ * @returns Human-readable text summary
+ */
+function formatReportText(report) {
+    const lines = [];
+    lines.push('PEAC Dispute Bundle Verification Report');
+    lines.push('========================================');
+    lines.push('');
+    lines.push(`Bundle content hash: ${report.bundle_content_hash}`);
+    lines.push(`Report hash: ${report.report_hash}`);
+    lines.push('');
+    // Bundle signature status
+    lines.push('Bundle Signature');
+    lines.push('----------------');
+    if (!report.bundle_signature.present) {
+        lines.push('  Status: NOT SIGNED');
+    }
+    else if (report.bundle_signature.valid) {
+        lines.push('  Status: VALID');
+        lines.push(`  Key ID: ${report.bundle_signature.key_id}`);
+    }
+    else {
+        lines.push('  Status: INVALID');
+        if (report.bundle_signature.key_id) {
+            lines.push(`  Key ID: ${report.bundle_signature.key_id}`);
+        }
+        if (report.bundle_signature.error) {
+            lines.push(`  Error: ${report.bundle_signature.error}`);
+        }
+    }
+    lines.push('');
+    lines.push('Summary');
+    lines.push('-------');
+    lines.push(`Total receipts: ${report.summary.total_receipts}`);
+    lines.push(`Valid: ${report.summary.valid}`);
+    lines.push(`Invalid: ${report.summary.invalid}`);
+    lines.push('');
+    lines.push(`Recommendation: ${report.auditor_summary.recommendation.toUpperCase()}`);
+    lines.push(`Headline: ${report.auditor_summary.headline}`);
+    lines.push('');
+    if (report.auditor_summary.issues.length > 0) {
+        lines.push('Issues');
+        lines.push('------');
+        for (const issue of report.auditor_summary.issues) {
+            lines.push(`  - ${issue}`);
+        }
+        lines.push('');
+    }
+    if (report.keys_used.length > 0) {
+        lines.push('Keys Used');
+        lines.push('---------');
+        for (const keyUsage of report.keys_used) {
+            lines.push(`  ${keyUsage.kid}: ${keyUsage.receipts_signed} receipt(s)`);
+        }
+        lines.push('');
+    }
+    lines.push('Receipt Details');
+    lines.push('---------------');
+    for (const receipt of report.receipts) {
+        const status = receipt.signature_valid && receipt.claims_valid ? 'VALID' : 'INVALID';
+        lines.push(`  ${receipt.receipt_id}: ${status}`);
+        if (receipt.key_id) {
+            lines.push(`    Key: ${receipt.key_id}`);
+        }
+        if (receipt.errors.length > 0) {
+            lines.push(`    Errors: ${receipt.errors.join(', ')}`);
+        }
+    }
+    return lines.join('\n');
+}
+//# sourceMappingURL=verification-report.js.map

package/dist/verification-report.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"verification-report.js","sourceRoot":"","sources":["../src/verification-report.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;GAWG;;AAkdH,oCA+EC;AASD,0CAKC;AAQD,4CAuEC;AA5nBD,6CAAyC;AACzC,yCAA8E;AAE9E,2DAAwD;AACxD,2DAAuD;AAavD,uEAAwE;AAExE;;;GAGG;AACH,SAAS,SAAS,CAAC,IAAqB;IACtC,MAAM,IAAI,GAAG,IAAA,wBAAU,EAAC,QAAQ,CAAC,CAAC;IAClC,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;IAClB,OAAO,UAAU,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,EAAE,CAAC;AACxC,CAAC;AAED,iCAAiC;AACjC,SAAS,eAAe,CAAC,GAAW;IAClC,MAAM,MAAM,GAAG,GAAG,GAAG,GAAG,CAAC,MAAM,CAAC,CAAC,CAAC,GAAG,CAAC,GAAG,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;IAC5D,MAAM,MAAM,GAAG,MAAM,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC;IAC5D,OAAO,MAAM,CAAC,IAAI,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC;AACvC,CAAC;AAED,8CAA8C;AAC9C,SAAS,QAAQ,CAAC,GAAW;IAK3B,MAAM,KAAK,GAAG,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IAC7B,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACvB,OAAO,IAAI,CAAC;IACd,CAAC;IAED,IAAI,CAAC;QACH,MAAM,UAAU,GAAG,eAAe,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;QAC9D,MAAM,WAAW,GAAG,eAAe,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;QAC/D,OAAO;YACL,MAAM,EAAE,IAAI,CAAC,KAAK,CAAC,UAAU,CAA4B;YACzD,OAAO,EAAE,IAAI,CAAC,KAAK,CAAC,WAAW,CAA4B;YAC3D,SAAS,EAAE,KAAK,CAAC,CAAC,CAAC;SACpB,CAAC;IACJ,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED,4BAA4B;AAC5B,SAAS,WAAW,CAClB,IAAY,EACZ,OAAe,EACf,OAAiC;IAEjC,OAAO,EAAE,IAAI,EAAE,OAAO,EAAE,OAAO,EAAE,CAAC;AACpC,CAAC;AAED;;;GAGG;AACH,SAAS,cAAc,CAAI,GAAM;IAC/B,IAAI,GAAG,KAAK,IAAI,IAAI,GAAG,KAAK,SAAS,EAAE,CAAC;QACtC,OAAO,GAAG,CAAC;IACb,CAAC;IACD,IAAI,KAAK,CAAC,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC;QACvB,OAAO,GAAG,CAAC,GAAG,CAAC,cAAc,CAAM,CAAC;IACtC,CAAC;IACD,IAAI,OAAO,GAAG,KAAK,QAAQ,EAAE,CAAC;QAC5B,MAAM,MAAM,GAA4B,EAAE,CAAC;QAC3C,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,GAA8B,CAAC,EAAE,CAAC;YAC1E,IAAI,KAAK,KAAK,SAAS,EAAE,CAAC;gBACxB,MAAM,CAAC,GAAG,CAAC,GAAG,cAAc,CAAC,KAAK,CAAC,CAAC;YACtC,CAAC;QACH,CAAC;QACD,OAAO,MAAW,CAAC;IACrB,CAAC;IACD,OAAO,GAAG,CAAC;AACb,CAAC;AAED;;;;;;;;;GASG;AACH,SAAS,mBAAmB,CAC1B,OAAgC,EAChC,GAAS;IAET,MAAM,MAAM,GAAa,EAAE,CAAC;IAC5B,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,OAAO,EAAE,GAAG,IAAI,CAAC,CAAC;IAEhD,kBAAkB;IAClB,IAAI,CAAC,OAAO,CAAC,GAAG,EAAE,CAAC;QACjB,MAAM,CAAC,IAAI,CAAC,uBAAuB,CAAC,CAAC;IACvC,CAAC;IAED,IAAI,CAAC,OAAO,CAAC,GAAG,EAAE,CAAC;QACjB,MAAM,CAAC,IAAI,CAAC,uBAAuB,CAAC,CAAC;IACvC,CAAC;IAED,IAAI,OAAO,CAAC,GAAG,KAAK,SAAS,EAAE,CAAC;QAC9B,MAAM,CAAC,IAAI,CAAC,uBAAuB,CAAC,CAAC;IACvC,CAAC;SAAM,CAAC;QACN,MAAM,GAAG,GAAG,OAAO,OAAO,CAAC,GAAG,KAAK,QAAQ,CAAC,CAAC,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC;QAChE,IAAI,KAAK,CAAC,GAAG,CAAC,EAAE,CAAC;YACf,MAAM,CAAC,IAAI,CAAC,uBAAuB,CAAC,CAAC;QACvC,CAAC;aAAM,IAAI,GAAG,GAAG,MAAM,GAAG,GAAG,EAAE,CAAC;YAC9B,yBAAyB;YACzB,MAAM,CAAC,IAAI,CAAC,yBAAyB,CAAC,CAAC;QACzC,CAAC;IACH,CAAC;IAED,0BAA0B;IAC1B,IAAI,OAAO,CAAC,GAAG,KAAK,SAAS,EAAE,CAAC;QAC9B,MAAM,GAAG,GAAG,OAAO,OAAO,CAAC,GAAG,KAAK,QAAQ,CAAC,CAAC,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC;QAChE,IAAI,KAAK,CAAC,GAAG,CAAC,EAAE,CAAC;YACf,MAAM,CAAC,IAAI,CAAC,uBAAuB,CAAC,CAAC;QACvC,CAAC;aAAM,IAAI,GAAG,GAAG,MAAM,EAAE,CAAC;YACxB,MAAM,CAAC,IAAI,CAAC,mBAAmB,CAAC,CAAC;QACnC,CAAC;IACH,CAAC;IAED,OAAO;QACL,KAAK,EAAE,MAAM,CAAC,MAAM,KAAK,CAAC;QAC1B,MAAM;KACP,CAAC;AACJ,CAAC;AAED;;GAEG;AACH,SAAS,eAAe,CAAC,MAA+B;IACtD,OAAO,OAAO,MAAM,CAAC,GAAG,KAAK,QAAQ,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,SAAS,CAAC;AACjE,CAAC;AAED;;;GAGG;AACH,SAAS,mBAAmB,CAAC,GAAe;IAC1C,IAAI,GAAG,CAAC,GAAG,KAAK,KAAK,IAAI,GAAG,CAAC,GAAG,KAAK,SAAS,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,CAAC;QACzD,OAAO,IAAI,CAAC;IACd,CAAC;IACD,4BAA4B;IAC5B,MAAM,MAAM,GAAG,GAAG,CAAC,CAAC,GAAG,GAAG,CAAC,MAAM,CAAC,CAAC,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;IAChE,MAAM,MAAM,GAAG,MAAM,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC;IAC5D,MAAM,KAAK,GAAG,MAAM,CAAC,IAAI,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC;IAC5C,IAAI,KAAK,CAAC,MAAM,KAAK,EAAE,EAAE,CAAC;QACxB,OAAO,IAAI,CAAC;IACd,CAAC;IACD,OAAO,IAAI,UAAU,CAAC,KAAK,CAAC,CAAC;AAC/B,CAAC;AAED;;GAEG;AACH,SAAS,OAAO,CAAC,IAAkB,EAAE,GAAW;IAC9C,OAAO,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,GAAG,KAAK,GAAG,CAAC,CAAC;AACzC,CAAC;AAED;;;;;GAKG;AACH,KAAK,UAAU,aAAa,CAC1B,SAAiB,EACjB,GAAW,EACX,cAAqC,EACrC,OAA4B;IAE5B,MAAM,MAAM,GAAG,QAAQ,CAAC,GAAG,CAAC,CAAC;IAE7B,IAAI,CAAC,MAAM,EAAE,CAAC;QACZ,OAAO;YACL,UAAU,EAAE,SAAS;YACrB,eAAe,EAAE,KAAK;YACtB,YAAY,EAAE,KAAK;YACnB,MAAM,EAAE,CAAC,0BAA0B,CAAC;SACrC,CAAC;IACJ,CAAC;IAED,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,GAAG,MAAM,CAAC;IACnC,MAAM,KAAK,GAAG,eAAe,CAAC,MAAM,CAAC,CAAC;IACtC,MAAM,MAAM,GAAa,EAAE,CAAC;IAE5B,wBAAwB;IACxB,IAAI,CAAC,KAAK,EAAE,CAAC;QACX,OAAO;YACL,UAAU,EAAE,SAAS;YACrB,eAAe,EAAE,KAAK;YACtB,YAAY,EAAE,KAAK;YACnB,MAAM,EAAE,CAAC,uBAAuB,CAAC;SAClC,CAAC;IACJ,CAAC;IAED,oCAAoC;IACpC,MAAM,GAAG,GAAG,OAAO,CAAC,cAAc,CAAC,IAAI,CAAC,IAAI,EAAE,KAAK,CAAC,CAAC;IACrD,IAAI,CAAC,GAAG,EAAE,CAAC;QACT,gDAAgD;QAChD,IAAI,OAAO,CAAC,OAAO,EAAE,CAAC;YACpB,OAAO;gBACL,UAAU,EAAE,SAAS;gBACrB,eAAe,EAAE,KAAK;gBACtB,YAAY,EAAE,KAAK;gBACnB,MAAM,EAAE,KAAK;gBACb,MAAM,EAAE,CAAC,oCAAgB,CAAC,WAAW,CAAC;aACvC,CAAC;QACJ,CAAC;QACD,kEAAkE;QAClE,OAAO;YACL,UAAU,EAAE,SAAS;YACrB,eAAe,EAAE,KAAK;YACtB,YAAY,EAAE,KAAK;YACnB,MAAM,EAAE,KAAK;YACb,MAAM,EAAE,CAAC,oCAAgB,CAAC,WAAW,CAAC;SACvC,CAAC;IACJ,CAAC;IAED,sCAAsC;IACtC,MAAM,cAAc,GAAG,mBAAmB,CAAC,GAAG,CAAC,CAAC;IAChD,IAAI,CAAC,cAAc,EAAE,CAAC;QACpB,OAAO;YACL,UAAU,EAAE,SAAS;YACrB,eAAe,EAAE,KAAK;YACtB,YAAY,EAAE,KAAK;YACnB,MAAM,EAAE,KAAK;YACb,MAAM,EAAE,CAAC,8BAA8B,CAAC;SACzC,CAAC;IACJ,CAAC;IAED,8CAA8C;IAC9C,IAAI,cAAc,GAAG,KAAK,CAAC;IAC3B,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,MAAM,IAAA,eAAS,EAAC,GAAG,EAAE,cAAc,CAAC,CAAC;QACpD,cAAc,GAAG,MAAM,CAAC,KAAK,CAAC;QAC9B,IAAI,CAAC,cAAc,EAAE,CAAC;YACpB,MAAM,CAAC,IAAI,CAAC,6BAA6B,CAAC,CAAC;QAC7C,CAAC;IACH,CAAC;IAAC,OAAO,GAAY,EAAE,CAAC;QACtB,uBAAuB;QACvB,IAAI,GAAG,YAAY,oBAAW,EAAE,CAAC;YAC/B,MAAM,CAAC,IAAI,CAAC,0BAA0B,GAAG,CAAC,IAAI,EAAE,CAAC,CAAC;QACpD,CAAC;aAAM,CAAC;YACN,MAAM,CAAC,IAAI,CAAC,6BAA6B,CAAC,CAAC;QAC7C,CAAC;QACD,cAAc,GAAG,KAAK,CAAC;IACzB,CAAC;IAED,kBAAkB;IAClB,MAAM,YAAY,GAAG,mBAAmB,CAAC,OAAO,EAAE,OAAO,CAAC,GAAG,IAAI,IAAI,IAAI,EAAE,CAAC,CAAC;IAC7E,MAAM,CAAC,IAAI,CAAC,GAAG,YAAY,CAAC,MAAM,CAAC,CAAC;IAEpC,OAAO;QACL,UAAU,EAAE,SAAS;QACrB,eAAe,EAAE,cAAc;QAC/B,YAAY,EAAE,YAAY,CAAC,KAAK;QAChC,MAAM,EAAE,KAAK;QACb,MAAM;QACN,MAAM,EAAE,cAAc,IAAI,YAAY,CAAC,KAAK,IAAI,MAAM,CAAC,MAAM,KAAK,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,SAAS;KAC1F,CAAC;AACJ,CAAC;AAED;;GAEG;AACH,SAAS,aAAa,CAAC,OAAoC;IACzD,MAAM,KAAK,GAAG,IAAI,GAAG,EAAoB,CAAC;IAE1C,KAAK,MAAM,MAAM,IAAI,OAAO,EAAE,CAAC;QAC7B,IAAI,MAAM,CAAC,MAAM,EAAE,CAAC;YAClB,MAAM,QAAQ,GAAG,KAAK,CAAC,GAAG,CAAC,MAAM,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC;YAChD,QAAQ,CAAC,IAAI,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC;YACjC,KAAK,CAAC,GAAG,CAAC,MAAM,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC;QACrC,CAAC;IACH,CAAC;IAED,MAAM,OAAO,GAAoB,EAAE,CAAC;IACpC,KAAK,MAAM,CAAC,GAAG,EAAE,UAAU,CAAC,IAAI,KAAK,EAAE,CAAC;QACtC,OAAO,CAAC,IAAI,CAAC;YACX,GAAG;YACH,eAAe,EAAE,UAAU,CAAC,MAAM;YAClC,WAAW,EAAE,UAAU,CAAC,IAAI,EAAE;SAC/B,CAAC,CAAC;IACL,CAAC;IAED,8BAA8B;IAC9B,OAAO,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,GAAG,CAAC,aAAa,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;AAC5D,CAAC;AAED;;GAEG;AACH,SAAS,sBAAsB,CAC7B,aAAqB,EACrB,UAAkB,EAClB,YAAoB,EACpB,OAAoC;IAEpC,MAAM,QAAQ,GAAG,GAAG,UAAU,IAAI,aAAa,iBAAiB,CAAC;IAEjE,MAAM,MAAM,GAAa,EAAE,CAAC;IAC5B,KAAK,MAAM,MAAM,IAAI,OAAO,EAAE,CAAC;QAC7B,IAAI,CAAC,MAAM,CAAC,eAAe,IAAI,CAAC,MAAM,CAAC,YAAY,EAAE,CAAC;YACpD,MAAM,YAAY,GAChB,MAAM,CAAC,MAAM,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,mBAAmB,CAAC;YAC5E,MAAM,CAAC,IAAI,CAAC,WAAW,MAAM,CAAC,UAAU,KAAK,YAAY,EAAE,CAAC,CAAC;QAC/D,CAAC;IACH,CAAC;IAED,8BAA8B;IAC9B,MAAM,CAAC,IAAI,EAAE,CAAC;IAEd,IAAI,cAAgD,CAAC;IACrD,IAAI,YAAY,KAAK,CAAC,EAAE,CAAC;QACvB,cAAc,GAAG,OAAO,CAAC;IAC3B,CAAC;SAAM,IAAI,YAAY,KAAK,aAAa,EAAE,CAAC;QAC1C,cAAc,GAAG,SAAS,CAAC;IAC7B,CAAC;SAAM,CAAC;QACN,cAAc,GAAG,cAAc,CAAC;IAClC,CAAC;IAED,OAAO;QACL,QAAQ;QACR,MAAM;QACN,cAAc;KACf,CAAC;AACJ,CAAC;AAED;;;GAGG;AACH,KAAK,UAAU,qBAAqB,CAClC,cAAqC;IAErC,MAAM,EAAE,UAAU,EAAE,IAAI,EAAE,QAAQ,EAAE,GAAG,cAAc,CAAC;IAEtD,wBAAwB;IACxB,IAAI,CAAC,UAAU,EAAE,CAAC;QAChB,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,CAAC;IAC5B,CAAC;IAED,kCAAkC;IAClC,MAAM,MAAM,GAAG,QAAQ,CAAC,UAAU,CAAC,CAAC;IACpC,IAAI,CAAC,MAAM,EAAE,CAAC;QACZ,OAAO;YACL,OAAO,EAAE,IAAI;YACb,KAAK,EAAE,KAAK;YACZ,KAAK,EAAE,mCAAmC;SAC3C,CAAC;IACJ,CAAC;IAED,MAAM,KAAK,GAAG,OAAO,MAAM,CAAC,MAAM,CAAC,GAAG,KAAK,QAAQ,CAAC,CAAC,CAAC,MAAM,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,SAAS,CAAC;IACpF,IAAI,CAAC,KAAK,EAAE,CAAC;QACX,OAAO;YACL,OAAO,EAAE,IAAI;YACb,KAAK,EAAE,KAAK;YACZ,KAAK,EAAE,gCAAgC;SACxC,CAAC;IACJ,CAAC;IAED,uBAAuB;IACvB,MAAM,GAAG,GAAG,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,GAAG,KAAK,KAAK,CAAC,CAAC;IACnD,IAAI,CAAC,GAAG,EAAE,CAAC;QACT,OAAO;YACL,OAAO,EAAE,IAAI;YACb,KAAK,EAAE,KAAK;YACZ,MAAM,EAAE,KAAK;YACb,KAAK,EAAE,oCAAgB,CAAC,WAAW;SACpC,CAAC;IACJ,CAAC;IAED,sCAAsC;IACtC,MAAM,cAAc,GAAG,mBAAmB,CAAC,GAAG,CAAC,CAAC;IAChD,IAAI,CAAC,cAAc,EAAE,CAAC;QACpB,OAAO;YACL,OAAO,EAAE,IAAI;YACb,KAAK,EAAE,KAAK;YACZ,MAAM,EAAE,KAAK;YACb,KAAK,EAAE,uCAAuC;SAC/C,CAAC;IACJ,CAAC;IAED,uBAAuB;IACvB,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,MAAM,IAAA,eAAS,EAA2B,UAAU,EAAE,cAAc,CAAC,CAAC;QAErF,IAAI,CAAC,MAAM,CAAC,KAAK,EAAE,CAAC;YAClB,OAAO;gBACL,OAAO,EAAE,IAAI;gBACb,KAAK,EAAE,KAAK;gBACZ,MAAM,EAAE,KAAK;gBACb,KAAK,EAAE,oCAAgB,CAAC,iBAAiB;aAC1C,CAAC;QACJ,CAAC;QAED,8DAA8D;QAC9D,IAAI,MAAM,CAAC,OAAO,CAAC,YAAY,KAAK,QAAQ,CAAC,YAAY,EAAE,CAAC;YAC1D,OAAO;gBACL,OAAO,EAAE,IAAI;gBACb,KAAK,EAAE,KAAK;gBACZ,MAAM,EAAE,KAAK;gBACb,KAAK,EAAE,qCAAqC;aAC7C,CAAC;QACJ,CAAC;QAED,OAAO;YACL,OAAO,EAAE,IAAI;YACb,KAAK,EAAE,IAAI;YACX,MAAM,EAAE,KAAK;SACd,CAAC;IACJ,CAAC;IAAC,OAAO,GAAY,EAAE,CAAC;QACtB,MAAM,QAAQ,GACZ,GAAG,YAAY,oBAAW;YACxB,CAAC,CAAC,mCAAmC,GAAG,CAAC,IAAI,EAAE;YAC/C,CAAC,CAAC,oCAAgB,CAAC,iBAAiB,CAAC;QAEzC,OAAO;YACL,OAAO,EAAE,IAAI;YACb,KAAK,EAAE,KAAK;YACZ,MAAM,EAAE,KAAK;YACb,KAAK,EAAE,QAAQ;SAChB,CAAC;IACJ,CAAC;AACH,CAAC;AAED;;;;;;;;;;;;;;;;;GAiBG;AACI,KAAK,UAAU,YAAY,CAChC,SAAiB,EACjB,OAA4B;IAE5B,4BAA4B;IAC5B,MAAM,UAAU,GAAG,MAAM,IAAA,qCAAiB,EAAC,SAAS,CAAC,CAAC;IACtD,IAAI,CAAC,UAAU,CAAC,EAAE,EAAE,CAAC;QACnB,OAAO,UAAU,CAAC;IACpB,CAAC;IAED,MAAM,cAAc,GAAG,UAAU,CAAC,KAAK,CAAC;IACxC,MAAM,EAAE,QAAQ,EAAE,QAAQ,EAAE,GAAG,cAAc,CAAC;IAE9C,8CAA8C;IAC9C,MAAM,eAAe,GAAG,MAAM,qBAAqB,CAAC,cAAc,CAAC,CAAC;IAEpE,+DAA+D;IAC/D,MAAM,OAAO,GAAgC,EAAE,CAAC;IAEhD,KAAK,MAAM,YAAY,IAAI,QAAQ,CAAC,QAAQ,EAAE,CAAC;QAC7C,MAAM,GAAG,GAAG,QAAQ,CAAC,GAAG,CAAC,YAAY,CAAC,UAAU,CAAC,CAAC;QAClD,IAAI,CAAC,GAAG,EAAE,CAAC;YACT,OAAO,CAAC,IAAI,CAAC;gBACX,UAAU,EAAE,YAAY,CAAC,UAAU;gBACnC,eAAe,EAAE,KAAK;gBACtB,YAAY,EAAE,KAAK;gBACnB,MAAM,EAAE,CAAC,4BAA4B,CAAC;aACvC,CAAC,CAAC;YACH,SAAS;QACX,CAAC;QAED,MAAM,MAAM,GAAG,MAAM,aAAa,CAAC,YAAY,CAAC,UAAU,EAAE,GAAG,EAAE,cAAc,EAAE,OAAO,CAAC,CAAC;QAC1F,OAAO,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;IACvB,CAAC;IAED,6CAA6C;IAC7C,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,UAAU,CAAC,aAAa,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC;IAEjE,sBAAsB;IACtB,MAAM,UAAU,GAAG,OAAO,CAAC,MAAM,CAC/B,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,eAAe,IAAI,CAAC,CAAC,YAAY,IAAI,CAAC,CAAC,MAAM,CAAC,MAAM,KAAK,CAAC,CACpE,CAAC,MAAM,CAAC;IACT,MAAM,YAAY,GAAG,OAAO,CAAC,MAAM,GAAG,UAAU,CAAC;IAEjD,kBAAkB;IAClB,MAAM,QAAQ,GAAG,aAAa,CAAC,OAAO,CAAC,CAAC;IAExC,2BAA2B;IAC3B,MAAM,cAAc,GAAG,sBAAsB,CAAC,OAAO,CAAC,MAAM,EAAE,UAAU,EAAE,YAAY,EAAE,OAAO,CAAC,CAAC;IAEjG,mCAAmC;IACnC,MAAM,iBAAiB,GAA4C;QACjE,OAAO,EAAE,qDAA2B;QACpC,mBAAmB,EAAE,QAAQ,CAAC,YAAY;QAC1C,gBAAgB,EAAE,eAAe;QACjC,OAAO,EAAE;YACP,cAAc,EAAE,OAAO,CAAC,MAAM;YAC9B,KAAK,EAAE,UAAU;YACjB,OAAO,EAAE,YAAY;SACtB;QACD,QAAQ,EAAE,OAAO;QACjB,SAAS,EAAE,QAAQ;QACnB,eAAe,EAAE,cAAc;KAChC,CAAC;IAEF,mEAAmE;IACnE,4DAA4D;IAC5D,MAAM,aAAa,GAAG,cAAc,CAAC,iBAAiB,CAAC,CAAC;IACxD,MAAM,UAAU,GAAG,SAAS,CAAC,IAAA,qBAAY,EAAC,aAAa,CAAC,CAAC,CAAC;IAE1D,MAAM,MAAM,GAAuB;QACjC,GAAG,iBAAiB;QACpB,WAAW,EAAE,UAAU;KACxB,CAAC;IAEF,OAAO;QACL,EAAE,EAAE,IAAI;QACR,KAAK,EAAE,MAAM;KACd,CAAC;AACJ,CAAC;AAED;;;;;;GAMG;AACH,SAAgB,eAAe,CAAC,MAA0B,EAAE,SAAkB,KAAK;IACjF,IAAI,MAAM,EAAE,CAAC;QACX,OAAO,IAAI,CAAC,SAAS,CAAC,MAAM,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC;IACzC,CAAC;IACD,OAAO,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC;AAChC,CAAC;AAED;;;;;GAKG;AACH,SAAgB,gBAAgB,CAAC,MAA0B;IACzD,MAAM,KAAK,GAAa,EAAE,CAAC;IAE3B,KAAK,CAAC,IAAI,CAAC,yCAAyC,CAAC,CAAC;IACtD,KAAK,CAAC,IAAI,CAAC,0CAA0C,CAAC,CAAC;IACvD,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACf,KAAK,CAAC,IAAI,CAAC,wBAAwB,MAAM,CAAC,mBAAmB,EAAE,CAAC,CAAC;IACjE,KAAK,CAAC,IAAI,CAAC,gBAAgB,MAAM,CAAC,WAAW,EAAE,CAAC,CAAC;IACjD,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IAEf,0BAA0B;IAC1B,KAAK,CAAC,IAAI,CAAC,kBAAkB,CAAC,CAAC;IAC/B,KAAK,CAAC,IAAI,CAAC,kBAAkB,CAAC,CAAC;IAC/B,IAAI,CAAC,MAAM,CAAC,gBAAgB,CAAC,OAAO,EAAE,CAAC;QACrC,KAAK,CAAC,IAAI,CAAC,sBAAsB,CAAC,CAAC;IACrC,CAAC;SAAM,IAAI,MAAM,CAAC,gBAAgB,CAAC,KAAK,EAAE,CAAC;QACzC,KAAK,CAAC,IAAI,CAAC,iBAAiB,CAAC,CAAC;QAC9B,KAAK,CAAC,IAAI,CAAC,aAAa,MAAM,CAAC,gBAAgB,CAAC,MAAM,EAAE,CAAC,CAAC;IAC5D,CAAC;SAAM,CAAC;QACN,KAAK,CAAC,IAAI,CAAC,mBAAmB,CAAC,CAAC;QAChC,IAAI,MAAM,CAAC,gBAAgB,CAAC,MAAM,EAAE,CAAC;YACnC,KAAK,CAAC,IAAI,CAAC,aAAa,MAAM,CAAC,gBAAgB,CAAC,MAAM,EAAE,CAAC,CAAC;QAC5D,CAAC;QACD,IAAI,MAAM,CAAC,gBAAgB,CAAC,KAAK,EAAE,CAAC;YAClC,KAAK,CAAC,IAAI,CAAC,YAAY,MAAM,CAAC,gBAAgB,CAAC,KAAK,EAAE,CAAC,CAAC;QAC1D,CAAC;IACH,CAAC;IACD,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IAEf,KAAK,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;IACtB,KAAK,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;IACtB,KAAK,CAAC,IAAI,CAAC,mBAAmB,MAAM,CAAC,OAAO,CAAC,cAAc,EAAE,CAAC,CAAC;IAC/D,KAAK,CAAC,IAAI,CAAC,UAAU,MAAM,CAAC,OAAO,CAAC,KAAK,EAAE,CAAC,CAAC;IAC7C,KAAK,CAAC,IAAI,CAAC,YAAY,MAAM,CAAC,OAAO,CAAC,OAAO,EAAE,CAAC,CAAC;IACjD,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACf,KAAK,CAAC,IAAI,CAAC,mBAAmB,MAAM,CAAC,eAAe,CAAC,cAAc,CAAC,WAAW,EAAE,EAAE,CAAC,CAAC;IACrF,KAAK,CAAC,IAAI,CAAC,aAAa,MAAM,CAAC,eAAe,CAAC,QAAQ,EAAE,CAAC,CAAC;IAC3D,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IAEf,IAAI,MAAM,CAAC,eAAe,CAAC,MAAM,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC7C,KAAK,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;QACrB,KAAK,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;QACrB,KAAK,MAAM,KAAK,IAAI,MAAM,CAAC,eAAe,CAAC,MAAM,EAAE,CAAC;YAClD,KAAK,CAAC,IAAI,CAAC,OAAO,KAAK,EAAE,CAAC,CAAC;QAC7B,CAAC;QACD,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACjB,CAAC;IAED,IAAI,MAAM,CAAC,SAAS,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAChC,KAAK,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;QACxB,KAAK,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;QACxB,KAAK,MAAM,QAAQ,IAAI,MAAM,CAAC,SAAS,EAAE,CAAC;YACxC,KAAK,CAAC,IAAI,CAAC,KAAK,QAAQ,CAAC,GAAG,KAAK,QAAQ,CAAC,eAAe,aAAa,CAAC,CAAC;QAC1E,CAAC;QACD,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACjB,CAAC;IAED,KAAK,CAAC,IAAI,CAAC,iBAAiB,CAAC,CAAC;IAC9B,KAAK,CAAC,IAAI,CAAC,iBAAiB,CAAC,CAAC;IAC9B,KAAK,MAAM,OAAO,IAAI,MAAM,CAAC,QAAQ,EAAE,CAAC;QACtC,MAAM,MAAM,GAAG,OAAO,CAAC,eAAe,IAAI,OAAO,CAAC,YAAY,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,SAAS,CAAC;QACrF,KAAK,CAAC,IAAI,CAAC,KAAK,OAAO,CAAC,UAAU,KAAK,MAAM,EAAE,CAAC,CAAC;QACjD,IAAI,OAAO,CAAC,MAAM,EAAE,CAAC;YACnB,KAAK,CAAC,IAAI,CAAC,YAAY,OAAO,CAAC,MAAM,EAAE,CAAC,CAAC;QAC3C,CAAC;QACD,IAAI,OAAO,CAAC,MAAM,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YAC9B,KAAK,CAAC,IAAI,CAAC,eAAe,OAAO,CAAC,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QACzD,CAAC;IACH,CAAC;IAED,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AAC1B,CAAC"}

package/dist/workflow-dag.d.ts

@@ -0,0 +1,112 @@
+/**
+ * Workflow DAG Verification (v0.10.1+)
+ *
+ * Verifies the structural integrity of workflow DAGs by checking:
+ * - ID format validity (workflow_id, step_id)
+ * - Unique step IDs
+ * - Consistent workflow IDs
+ * - Parent existence (no dangling references)
+ * - No self-parenting
+ * - Acyclicity (no cycles in the DAG)
+ * - Limits enforcement (node count, parent count, depth, edges)
+ *
+ * Each violation maps to a specific E_WORKFLOW_* error code for structured
+ * error handling and audit trails.
+ */
+import type { WorkflowContext } from '@peac/schema';
+import { ERROR_CODES } from '@peac/kernel';
+/**
+ * DAG verification limits (DoS protection for full DAG analysis)
+ */
+export declare const DAG_LIMITS: {
+    /** Maximum steps in a workflow DAG */
+    readonly maxSteps: 10000;
+    /** Maximum depth (longest path from root) */
+    readonly maxDepth: 100;
+    /** Maximum total edges (sum of all parent references) */
+    readonly maxTotalEdges: 100000;
+};
+/**
+ * Workflow error category for structured violations
+ */
+export type WorkflowErrorCode = typeof ERROR_CODES.E_WORKFLOW_ID_INVALID | typeof ERROR_CODES.E_WORKFLOW_STEP_ID_INVALID | typeof ERROR_CODES.E_WORKFLOW_DAG_INVALID | typeof ERROR_CODES.E_WORKFLOW_CYCLE_DETECTED | typeof ERROR_CODES.E_WORKFLOW_PARENT_NOT_FOUND | typeof ERROR_CODES.E_WORKFLOW_LIMIT_EXCEEDED;
+/**
+ * DAG violation details
+ */
+export interface DagViolation {
+    /** Error code from E_WORKFLOW_* family */
+    code: WorkflowErrorCode;
+    /** Human-readable message */
+    message: string;
+    /** Structured details for debugging/audit */
+    details: {
+        /** Specific reason for the violation */
+        reason: string;
+        /** Step ID involved (if applicable) */
+        step_id?: string;
+        /** Parent step ID involved (if applicable) */
+        parent_step_id?: string;
+        /** Workflow ID involved (if applicable) */
+        workflow_id?: string;
+        /** Limit that was exceeded (if applicable) */
+        limit?: string;
+        /** Current value (if applicable) */
+        value?: number;
+        /** Maximum allowed value (if applicable) */
+        max?: number;
+        /** Cycle path (if applicable) */
+        cycle_path?: string[];
+    };
+}
+/**
+ * Result of DAG verification
+ */
+export interface DagVerificationResult {
+    /** Whether the DAG is valid */
+    valid: boolean;
+    /** List of violations (empty if valid) */
+    violations: DagViolation[];
+    /** DAG statistics (computed during verification) */
+    stats: {
+        /** Number of steps */
+        stepCount: number;
+        /** Number of root steps (no parents) */
+        rootCount: number;
+        /** Maximum depth reached */
+        maxDepth: number;
+        /** Total edge count */
+        totalEdges: number;
+        /** Number of unique workflow IDs (should be 1) */
+        uniqueWorkflowIds: number;
+    };
+}
+/**
+ * Verify a workflow DAG for structural integrity
+ *
+ * @param contexts - Array of WorkflowContext objects representing the DAG
+ * @returns DagVerificationResult with violations and statistics
+ *
+ * @example
+ * ```typescript
+ * import { verifyWorkflowDag } from '@peac/audit';
+ *
+ * const result = verifyWorkflowDag(contexts);
+ * if (!result.valid) {
+ *   for (const v of result.violations) {
+ *     console.error(`${v.code}: ${v.message}`);
+ *   }
+ * }
+ * ```
+ */
+export declare function verifyWorkflowDag(contexts: WorkflowContext[]): DagVerificationResult;
+/**
+ * Extract a specific violation by reason
+ *
+ * Utility for tests and error handling
+ */
+export declare function findViolationByReason(result: DagVerificationResult, reason: string): DagViolation | undefined;
+/**
+ * Check if result has a specific violation code
+ */
+export declare function hasViolationCode(result: DagVerificationResult, code: WorkflowErrorCode): boolean;
+//# sourceMappingURL=workflow-dag.d.ts.map