@peac/protocol 0.10.8 → 0.10.10

package/dist/verifier-types.js

@@ -1,161 +0,0 @@
-"use strict";
-/**
- * PEAC Verifier Types
- *
- * Types for verification policy, trust pinning, and verification reports
- * per VERIFIER-SECURITY-MODEL.md, TRUST-PINNING-POLICY.md, and
- * VERIFICATION-REPORT-FORMAT.md
- *
- * @packageDocumentation
- */
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.NON_DETERMINISTIC_ARTIFACT_KEYS = exports.CHECK_IDS = exports.DEFAULT_NETWORK_SECURITY = exports.DEFAULT_VERIFIER_LIMITS = void 0;
-exports.createDefaultPolicy = createDefaultPolicy;
-exports.createDigest = createDigest;
-exports.createEmptyReport = createEmptyReport;
-exports.ssrfErrorToReasonCode = ssrfErrorToReasonCode;
-exports.reasonCodeToSeverity = reasonCodeToSeverity;
-exports.reasonCodeToErrorCode = reasonCodeToErrorCode;
-const kernel_1 = require("@peac/kernel");
-/**
- * Default verifier limits from VERIFIER-SECURITY-MODEL.md
- */
-exports.DEFAULT_VERIFIER_LIMITS = {
-    max_receipt_bytes: kernel_1.VERIFIER_LIMITS.maxReceiptBytes,
-    max_jwks_bytes: kernel_1.VERIFIER_LIMITS.maxJwksBytes,
-    max_jwks_keys: kernel_1.VERIFIER_LIMITS.maxJwksKeys,
-    max_redirects: kernel_1.VERIFIER_LIMITS.maxRedirects,
-    fetch_timeout_ms: kernel_1.VERIFIER_LIMITS.fetchTimeoutMs,
-    max_extension_bytes: kernel_1.VERIFIER_LIMITS.maxExtensionBytes,
-};
-/**
- * Default network security settings from VERIFIER-SECURITY-MODEL.md
- */
-exports.DEFAULT_NETWORK_SECURITY = {
-    https_only: kernel_1.VERIFIER_NETWORK.httpsOnly,
-    block_private_ips: kernel_1.VERIFIER_NETWORK.blockPrivateIps,
-    allow_redirects: kernel_1.VERIFIER_NETWORK.allowRedirects,
-    allow_cross_origin_redirects: true, // Allow for CDN compatibility
-    dns_failure_behavior: 'block', // Fail-closed by default
-};
-/**
- * Create a default verifier policy
- */
-function createDefaultPolicy(mode) {
-    return {
-        policy_version: kernel_1.VERIFIER_POLICY_VERSION,
-        mode,
-        limits: { ...exports.DEFAULT_VERIFIER_LIMITS },
-        network: { ...exports.DEFAULT_NETWORK_SECURITY },
-    };
-}
-/**
- * Standard check IDs per VERIFIER-SECURITY-MODEL.md (in order)
- */
-exports.CHECK_IDS = [
-    'jws.parse',
-    'limits.receipt_bytes',
-    'jws.protected_header',
-    'claims.schema_unverified',
-    'issuer.trust_policy',
-    'issuer.discovery',
-    'key.resolve',
-    'jws.signature',
-    'claims.time_window',
-    'extensions.limits',
-    'transport.profile_binding',
-];
-/**
- * Keys of artifacts that are non-deterministic (depend on runtime state)
- */
-exports.NON_DETERMINISTIC_ARTIFACT_KEYS = [
-    'issuer_jwks_digest',
-];
-// ---------------------------------------------------------------------------
-// Report Builder Utilities
-// ---------------------------------------------------------------------------
-/**
- * Create a digest object from a hex string
- */
-function createDigest(hexValue) {
-    return {
-        alg: 'sha-256',
-        value: hexValue.toLowerCase(),
-    };
-}
-/**
- * Create an empty verification report structure
- */
-function createEmptyReport(policy) {
-    return {
-        report_version: kernel_1.VERIFICATION_REPORT_VERSION,
-        policy,
-    };
-}
-/**
- * Map SSRF fetch error reason to verification reason code
- */
-function ssrfErrorToReasonCode(ssrfReason, fetchType) {
-    const prefix = fetchType === 'key' ? 'key_fetch' : 'pointer_fetch';
-    switch (ssrfReason) {
-        case 'not_https':
-        case 'private_ip':
-        case 'loopback':
-        case 'link_local':
-        case 'cross_origin_redirect':
-        case 'dns_failure':
-            return `${prefix}_blocked`;
-        case 'timeout':
-            return `${prefix}_timeout`;
-        case 'response_too_large':
-            return fetchType === 'pointer' ? 'pointer_fetch_too_large' : 'jwks_too_large';
-        case 'jwks_too_many_keys':
-            return 'jwks_too_many_keys';
-        case 'too_many_redirects':
-        case 'scheme_downgrade':
-        case 'network_error':
-        case 'invalid_url':
-        default:
-            return `${prefix}_failed`;
-    }
-}
-/**
- * Map reason code to severity
- */
-function reasonCodeToSeverity(reason) {
-    if (reason === 'ok')
-        return 'info';
-    return 'error';
-}
-/**
- * Map reason code to error code
- */
-function reasonCodeToErrorCode(reason) {
-    const mapping = {
-        ok: '',
-        receipt_too_large: 'E_VERIFY_RECEIPT_TOO_LARGE',
-        malformed_receipt: 'E_VERIFY_MALFORMED_RECEIPT',
-        signature_invalid: 'E_VERIFY_SIGNATURE_INVALID',
-        issuer_not_allowed: 'E_VERIFY_ISSUER_NOT_ALLOWED',
-        key_not_found: 'E_VERIFY_KEY_NOT_FOUND',
-        key_fetch_blocked: 'E_VERIFY_KEY_FETCH_BLOCKED',
-        key_fetch_failed: 'E_VERIFY_KEY_FETCH_FAILED',
-        key_fetch_timeout: 'E_VERIFY_KEY_FETCH_TIMEOUT',
-        pointer_fetch_blocked: 'E_VERIFY_POINTER_FETCH_BLOCKED',
-        pointer_fetch_failed: 'E_VERIFY_POINTER_FETCH_FAILED',
-        pointer_fetch_timeout: 'E_VERIFY_POINTER_FETCH_TIMEOUT',
-        pointer_fetch_too_large: 'E_VERIFY_POINTER_FETCH_TOO_LARGE',
-        pointer_digest_mismatch: 'E_VERIFY_POINTER_DIGEST_MISMATCH',
-        jwks_too_large: 'E_VERIFY_JWKS_TOO_LARGE',
-        jwks_too_many_keys: 'E_VERIFY_JWKS_TOO_MANY_KEYS',
-        expired: 'E_VERIFY_EXPIRED',
-        not_yet_valid: 'E_VERIFY_NOT_YET_VALID',
-        audience_mismatch: 'E_VERIFY_AUDIENCE_MISMATCH',
-        schema_invalid: 'E_VERIFY_SCHEMA_INVALID',
-        policy_violation: 'E_VERIFY_POLICY_VIOLATION',
-        extension_too_large: 'E_VERIFY_EXTENSION_TOO_LARGE',
-        invalid_transport: 'E_VERIFY_INVALID_TRANSPORT',
-    };
-    return mapping[reason] || 'E_VERIFY_POLICY_VIOLATION';
-}
-//# sourceMappingURL=verifier-types.js.map

package/dist/verifier-types.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"verifier-types.js","sourceRoot":"","sources":["../src/verifier-types.ts"],"names":[],"mappings":";AAAA;;;;;;;;GAQG;;;AAsKH,kDAOC;AA4QD,oCAKC;AAKD,8CAOC;AAKD,sDA2BC;AAKD,oDAGC;AAKD,sDA2BC;AAhhBD,yCAKsB;AAgFtB;;GAEG;AACU,QAAA,uBAAuB,GAAmB;IACrD,iBAAiB,EAAE,wBAAe,CAAC,eAAe;IAClD,cAAc,EAAE,wBAAe,CAAC,YAAY;IAC5C,aAAa,EAAE,wBAAe,CAAC,WAAW;IAC1C,aAAa,EAAE,wBAAe,CAAC,YAAY;IAC3C,gBAAgB,EAAE,wBAAe,CAAC,cAAc;IAChD,mBAAmB,EAAE,wBAAe,CAAC,iBAAiB;CACvD,CAAC;AA8BF;;GAEG;AACU,QAAA,wBAAwB,GAAoB;IACvD,UAAU,EAAE,yBAAgB,CAAC,SAAS;IACtC,iBAAiB,EAAE,yBAAgB,CAAC,eAAe;IACnD,eAAe,EAAE,yBAAgB,CAAC,cAAc;IAChD,4BAA4B,EAAE,IAAI,EAAE,8BAA8B;IAClE,oBAAoB,EAAE,OAAO,EAAE,yBAAyB;CACzD,CAAC;AA2BF;;GAEG;AACH,SAAgB,mBAAmB,CAAC,IAAsB;IACxD,OAAO;QACL,cAAc,EAAE,gCAAuB;QACvC,IAAI;QACJ,MAAM,EAAE,EAAE,GAAG,+BAAuB,EAAE;QACtC,OAAO,EAAE,EAAE,GAAG,gCAAwB,EAAE;KACzC,CAAC;AACJ,CAAC;AAWD;;GAEG;AACU,QAAA,SAAS,GAAG;IACvB,WAAW;IACX,sBAAsB;IACtB,sBAAsB;IACtB,0BAA0B;IAC1B,qBAAqB;IACrB,kBAAkB;IAClB,aAAa;IACb,eAAe;IACf,oBAAoB;IACpB,mBAAmB;IACnB,2BAA2B;CACnB,CAAC;AA8KX;;GAEG;AACU,QAAA,+BAA+B,GAAoC;IAC9E,oBAAoB;CACrB,CAAC;AAwDF,8EAA8E;AAC9E,2BAA2B;AAC3B,8EAA8E;AAE9E;;GAEG;AACH,SAAgB,YAAY,CAAC,QAAgB;IAC3C,OAAO;QACL,GAAG,EAAE,SAAS;QACd,KAAK,EAAE,QAAQ,CAAC,WAAW,EAAE;KAC9B,CAAC;AACJ,CAAC;AAED;;GAEG;AACH,SAAgB,iBAAiB,CAC/B,MAAsB;IAEtB,OAAO;QACL,cAAc,EAAE,oCAA2B;QAC3C,MAAM;KACP,CAAC;AACJ,CAAC;AAED;;GAEG;AACH,SAAgB,qBAAqB,CACnC,UAAkB,EAClB,SAA4B;IAE5B,MAAM,MAAM,GAAG,SAAS,KAAK,KAAK,CAAC,CAAC,CAAC,WAAW,CAAC,CAAC,CAAC,eAAe,CAAC;IAEnE,QAAQ,UAAU,EAAE,CAAC;QACnB,KAAK,WAAW,CAAC;QACjB,KAAK,YAAY,CAAC;QAClB,KAAK,UAAU,CAAC;QAChB,KAAK,YAAY,CAAC;QAClB,KAAK,uBAAuB,CAAC;QAC7B,KAAK,aAAa;YAChB,OAAO,GAAG,MAAM,UAAwB,CAAC;QAC3C,KAAK,SAAS;YACZ,OAAO,GAAG,MAAM,UAAwB,CAAC;QAC3C,KAAK,oBAAoB;YACvB,OAAO,SAAS,KAAK,SAAS,CAAC,CAAC,CAAC,yBAAyB,CAAC,CAAC,CAAC,gBAAgB,CAAC;QAChF,KAAK,oBAAoB;YACvB,OAAO,oBAAoB,CAAC;QAC9B,KAAK,oBAAoB,CAAC;QAC1B,KAAK,kBAAkB,CAAC;QACxB,KAAK,eAAe,CAAC;QACrB,KAAK,aAAa,CAAC;QACnB;YACE,OAAO,GAAG,MAAM,SAAuB,CAAC;IAC5C,CAAC;AACH,CAAC;AAED;;GAEG;AACH,SAAgB,oBAAoB,CAAC,MAAkB;IACrD,IAAI,MAAM,KAAK,IAAI;QAAE,OAAO,MAAM,CAAC;IACnC,OAAO,OAAO,CAAC;AACjB,CAAC;AAED;;GAEG;AACH,SAAgB,qBAAqB,CAAC,MAAkB;IACtD,MAAM,OAAO,GAA+B;QAC1C,EAAE,EAAE,EAAE;QACN,iBAAiB,EAAE,4BAA4B;QAC/C,iBAAiB,EAAE,4BAA4B;QAC/C,iBAAiB,EAAE,4BAA4B;QAC/C,kBAAkB,EAAE,6BAA6B;QACjD,aAAa,EAAE,wBAAwB;QACvC,iBAAiB,EAAE,4BAA4B;QAC/C,gBAAgB,EAAE,2BAA2B;QAC7C,iBAAiB,EAAE,4BAA4B;QAC/C,qBAAqB,EAAE,gCAAgC;QACvD,oBAAoB,EAAE,+BAA+B;QACrD,qBAAqB,EAAE,gCAAgC;QACvD,uBAAuB,EAAE,kCAAkC;QAC3D,uBAAuB,EAAE,kCAAkC;QAC3D,cAAc,EAAE,yBAAyB;QACzC,kBAAkB,EAAE,6BAA6B;QACjD,OAAO,EAAE,kBAAkB;QAC3B,aAAa,EAAE,wBAAwB;QACvC,iBAAiB,EAAE,4BAA4B;QAC/C,cAAc,EAAE,yBAAyB;QACzC,gBAAgB,EAAE,2BAA2B;QAC7C,mBAAmB,EAAE,8BAA8B;QACnD,iBAAiB,EAAE,4BAA4B;KAChD,CAAC;IACF,OAAO,OAAO,CAAC,MAAM,CAAC,IAAI,2BAA2B,CAAC;AACxD,CAAC"}

package/dist/verify-local.js

@@ -1,189 +0,0 @@
-"use strict";
-/**
- * Local receipt verification with schema validation
- *
- * Use this for verifying receipts when you have the public key locally,
- * without JWKS discovery.
- */
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.verifyLocal = verifyLocal;
-const crypto_1 = require("@peac/crypto");
-const schema_1 = require("@peac/schema");
-/**
- * Structural check for CryptoError
- * More robust than instanceof across module boundaries (ESM/CJS, duplicate packages)
- */
-function isCryptoError(err) {
-    return (err !== null &&
-        typeof err === 'object' &&
-        'name' in err &&
-        err.name === 'CryptoError' &&
-        'code' in err &&
-        typeof err.code === 'string' &&
-        err.code.startsWith('CRYPTO_') &&
-        'message' in err &&
-        typeof err.message === 'string');
-}
-/**
- * Crypto error codes that indicate format/validation issues
- * These are CRYPTO_* internal codes from @peac/crypto, mapped to canonical E_* codes
- */
-const FORMAT_ERROR_CODES = new Set([
-    'CRYPTO_INVALID_JWS_FORMAT',
-    'CRYPTO_INVALID_TYP',
-    'CRYPTO_INVALID_ALG',
-    'CRYPTO_INVALID_KEY_LENGTH',
-]);
-/**
- * Verify a PEAC receipt locally with a known public key
- *
- * This function:
- * 1. Verifies the Ed25519 signature and header (typ, alg)
- * 2. Validates the receipt schema with Zod
- * 3. Checks issuer/audience/subject binding (if options provided)
- * 4. Checks time validity (exp/iat with clock skew tolerance)
- *
- * Use this when you have the issuer's public key and don't need JWKS discovery.
- * For JWKS-based verification, use `verifyReceipt()` instead.
- *
- * @param jws - JWS compact serialization
- * @param publicKey - Ed25519 public key (32 bytes)
- * @param options - Optional verification options (issuer, audience, subject, clock skew)
- * @returns Typed verification result
- *
- * @example
- * ```typescript
- * const result = await verifyLocal(jws, publicKey, {
- *   issuer: 'https://api.example.com',
- *   audience: 'https://client.example.com',
- *   subjectUri: 'https://api.example.com/inference/v1',
- * });
- * if (result.valid) {
- *   console.log('Issuer:', result.claims.iss);
- *   console.log('Amount:', result.claims.amt, result.claims.cur);
- *   console.log('Key ID:', result.kid);
- * } else {
- *   console.error('Verification failed:', result.code, result.message);
- * }
- * ```
- */
-async function verifyLocal(jws, publicKey, options = {}) {
-    const { issuer, audience, subjectUri, rid, requireExp = false, maxClockSkew = 300 } = options;
-    const now = options.now ?? Math.floor(Date.now() / 1000);
-    try {
-        // 1. Verify signature and header (typ, alg validated by @peac/crypto)
-        const result = await (0, crypto_1.verify)(jws, publicKey);
-        if (!result.valid) {
-            return {
-                valid: false,
-                code: 'E_INVALID_SIGNATURE',
-                message: 'Ed25519 signature verification failed',
-            };
-        }
-        // 2. Validate schema
-        const parseResult = schema_1.ReceiptClaimsSchema.safeParse(result.payload);
-        if (!parseResult.success) {
-            const firstIssue = parseResult.error.issues[0];
-            return {
-                valid: false,
-                code: 'E_INVALID_FORMAT',
-                message: `Receipt schema validation failed: ${firstIssue?.message ?? 'unknown error'}`,
-            };
-        }
-        const claims = parseResult.data;
-        // 3. Check issuer binding
-        if (issuer !== undefined && claims.iss !== issuer) {
-            return {
-                valid: false,
-                code: 'E_INVALID_ISSUER',
-                message: `Issuer mismatch: expected "${issuer}", got "${claims.iss}"`,
-            };
-        }
-        // 4. Check audience binding
-        if (audience !== undefined && claims.aud !== audience) {
-            return {
-                valid: false,
-                code: 'E_INVALID_AUDIENCE',
-                message: `Audience mismatch: expected "${audience}", got "${claims.aud}"`,
-            };
-        }
-        // 5. Check subject binding
-        if (subjectUri !== undefined) {
-            const actualSubjectUri = claims.subject?.uri;
-            if (actualSubjectUri !== subjectUri) {
-                return {
-                    valid: false,
-                    code: 'E_INVALID_SUBJECT',
-                    message: `Subject mismatch: expected "${subjectUri}", got "${actualSubjectUri ?? 'undefined'}"`,
-                };
-            }
-        }
-        // 6. Check receipt ID binding
-        if (rid !== undefined && claims.rid !== rid) {
-            return {
-                valid: false,
-                code: 'E_INVALID_RECEIPT_ID',
-                message: `Receipt ID mismatch: expected "${rid}", got "${claims.rid}"`,
-            };
-        }
-        // 7. Check requireExp
-        if (requireExp && claims.exp === undefined) {
-            return {
-                valid: false,
-                code: 'E_MISSING_EXP',
-                message: 'Receipt missing required exp claim',
-            };
-        }
-        // 8. Check not-yet-valid (iat with clock skew)
-        if (claims.iat > now + maxClockSkew) {
-            return {
-                valid: false,
-                code: 'E_NOT_YET_VALID',
-                message: `Receipt not yet valid: issued at ${new Date(claims.iat * 1000).toISOString()}, now is ${new Date(now * 1000).toISOString()}`,
-            };
-        }
-        // 9. Check expiry (with clock skew tolerance)
-        if (claims.exp !== undefined && claims.exp < now - maxClockSkew) {
-            return {
-                valid: false,
-                code: 'E_EXPIRED',
-                message: `Receipt expired at ${new Date(claims.exp * 1000).toISOString()}`,
-            };
-        }
-        return {
-            valid: true,
-            claims,
-            kid: result.header.kid,
-        };
-    }
-    catch (err) {
-        // Handle typed CryptoError from @peac/crypto
-        // Use structural check instead of instanceof for robustness across ESM/CJS boundaries
-        // Map internal CRYPTO_* codes to canonical E_* codes
-        if (isCryptoError(err)) {
-            if (FORMAT_ERROR_CODES.has(err.code)) {
-                return {
-                    valid: false,
-                    code: 'E_INVALID_FORMAT',
-                    message: err.message,
-                };
-            }
-            if (err.code === 'CRYPTO_INVALID_SIGNATURE') {
-                return {
-                    valid: false,
-                    code: 'E_INVALID_SIGNATURE',
-                    message: err.message,
-                };
-            }
-        }
-        // All other errors (JSON parse, unexpected) -> E_INTERNAL
-        // No message parsing - code-based mapping only
-        const message = err instanceof Error ? err.message : String(err);
-        return {
-            valid: false,
-            code: 'E_INTERNAL',
-            message: `Unexpected verification error: ${message}`,
-        };
-    }
-}
-//# sourceMappingURL=verify-local.js.map

package/dist/verify-local.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"verify-local.js","sourceRoot":"","sources":["../src/verify-local.ts"],"names":[],"mappings":";AAAA;;;;;GAKG;;AAyLH,kCAuIC;AA9TD,yCAAmD;AACnD,yCAA2E;AAY3E;;;GAGG;AACH,SAAS,aAAa,CAAC,GAAY;IACjC,OAAO,CACL,GAAG,KAAK,IAAI;QACZ,OAAO,GAAG,KAAK,QAAQ;QACvB,MAAM,IAAI,GAAG;QACb,GAAG,CAAC,IAAI,KAAK,aAAa;QAC1B,MAAM,IAAI,GAAG;QACb,OAAO,GAAG,CAAC,IAAI,KAAK,QAAQ;QAC5B,GAAG,CAAC,IAAI,CAAC,UAAU,CAAC,SAAS,CAAC;QAC9B,SAAS,IAAI,GAAG;QAChB,OAAO,GAAG,CAAC,OAAO,KAAK,QAAQ,CAChC,CAAC;AACJ,CAAC;AA8GD;;;GAGG;AACH,MAAM,kBAAkB,GAAG,IAAI,GAAG,CAAC;IACjC,2BAA2B;IAC3B,oBAAoB;IACpB,oBAAoB;IACpB,2BAA2B;CAC5B,CAAC,CAAC;AAEH;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAgCG;AACI,KAAK,UAAU,WAAW,CAC/B,GAAW,EACX,SAAqB,EACrB,UAA8B,EAAE;IAEhC,MAAM,EAAE,MAAM,EAAE,QAAQ,EAAE,UAAU,EAAE,GAAG,EAAE,UAAU,GAAG,KAAK,EAAE,YAAY,GAAG,GAAG,EAAE,GAAG,OAAO,CAAC;IAC9F,MAAM,GAAG,GAAG,OAAO,CAAC,GAAG,IAAI,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;IAEzD,IAAI,CAAC;QACH,sEAAsE;QACtE,MAAM,MAAM,GAAG,MAAM,IAAA,eAAS,EAAU,GAAG,EAAE,SAAS,CAAC,CAAC;QAExD,IAAI,CAAC,MAAM,CAAC,KAAK,EAAE,CAAC;YAClB,OAAO;gBACL,KAAK,EAAE,KAAK;gBACZ,IAAI,EAAE,qBAAqB;gBAC3B,OAAO,EAAE,uCAAuC;aACjD,CAAC;QACJ,CAAC;QAED,qBAAqB;QACrB,MAAM,WAAW,GAAG,4BAAmB,CAAC,SAAS,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;QAElE,IAAI,CAAC,WAAW,CAAC,OAAO,EAAE,CAAC;YACzB,MAAM,UAAU,GAAG,WAAW,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC;YAC/C,OAAO;gBACL,KAAK,EAAE,KAAK;gBACZ,IAAI,EAAE,kBAAkB;gBACxB,OAAO,EAAE,qCAAqC,UAAU,EAAE,OAAO,IAAI,eAAe,EAAE;aACvF,CAAC;QACJ,CAAC;QAED,MAAM,MAAM,GAAG,WAAW,CAAC,IAAI,CAAC;QAEhC,0BAA0B;QAC1B,IAAI,MAAM,KAAK,SAAS,IAAI,MAAM,CAAC,GAAG,KAAK,MAAM,EAAE,CAAC;YAClD,OAAO;gBACL,KAAK,EAAE,KAAK;gBACZ,IAAI,EAAE,kBAAkB;gBACxB,OAAO,EAAE,8BAA8B,MAAM,WAAW,MAAM,CAAC,GAAG,GAAG;aACtE,CAAC;QACJ,CAAC;QAED,4BAA4B;QAC5B,IAAI,QAAQ,KAAK,SAAS,IAAI,MAAM,CAAC,GAAG,KAAK,QAAQ,EAAE,CAAC;YACtD,OAAO;gBACL,KAAK,EAAE,KAAK;gBACZ,IAAI,EAAE,oBAAoB;gBAC1B,OAAO,EAAE,gCAAgC,QAAQ,WAAW,MAAM,CAAC,GAAG,GAAG;aAC1E,CAAC;QACJ,CAAC;QAED,2BAA2B;QAC3B,IAAI,UAAU,KAAK,SAAS,EAAE,CAAC;YAC7B,MAAM,gBAAgB,GAAG,MAAM,CAAC,OAAO,EAAE,GAAG,CAAC;YAC7C,IAAI,gBAAgB,KAAK,UAAU,EAAE,CAAC;gBACpC,OAAO;oBACL,KAAK,EAAE,KAAK;oBACZ,IAAI,EAAE,mBAAmB;oBACzB,OAAO,EAAE,+BAA+B,UAAU,WAAW,gBAAgB,IAAI,WAAW,GAAG;iBAChG,CAAC;YACJ,CAAC;QACH,CAAC;QAED,8BAA8B;QAC9B,IAAI,GAAG,KAAK,SAAS,IAAI,MAAM,CAAC,GAAG,KAAK,GAAG,EAAE,CAAC;YAC5C,OAAO;gBACL,KAAK,EAAE,KAAK;gBACZ,IAAI,EAAE,sBAAsB;gBAC5B,OAAO,EAAE,kCAAkC,GAAG,WAAW,MAAM,CAAC,GAAG,GAAG;aACvE,CAAC;QACJ,CAAC;QAED,sBAAsB;QACtB,IAAI,UAAU,IAAI,MAAM,CAAC,GAAG,KAAK,SAAS,EAAE,CAAC;YAC3C,OAAO;gBACL,KAAK,EAAE,KAAK;gBACZ,IAAI,EAAE,eAAe;gBACrB,OAAO,EAAE,oCAAoC;aAC9C,CAAC;QACJ,CAAC;QAED,+CAA+C;QAC/C,IAAI,MAAM,CAAC,GAAG,GAAG,GAAG,GAAG,YAAY,EAAE,CAAC;YACpC,OAAO;gBACL,KAAK,EAAE,KAAK;gBACZ,IAAI,EAAE,iBAAiB;gBACvB,OAAO,EAAE,oCAAoC,IAAI,IAAI,CAAC,MAAM,CAAC,GAAG,GAAG,IAAI,CAAC,CAAC,WAAW,EAAE,YAAY,IAAI,IAAI,CAAC,GAAG,GAAG,IAAI,CAAC,CAAC,WAAW,EAAE,EAAE;aACvI,CAAC;QACJ,CAAC;QAED,8CAA8C;QAC9C,IAAI,MAAM,CAAC,GAAG,KAAK,SAAS,IAAI,MAAM,CAAC,GAAG,GAAG,GAAG,GAAG,YAAY,EAAE,CAAC;YAChE,OAAO;gBACL,KAAK,EAAE,KAAK;gBACZ,IAAI,EAAE,WAAW;gBACjB,OAAO,EAAE,sBAAsB,IAAI,IAAI,CAAC,MAAM,CAAC,GAAG,GAAG,IAAI,CAAC,CAAC,WAAW,EAAE,EAAE;aAC3E,CAAC;QACJ,CAAC;QAED,OAAO;YACL,KAAK,EAAE,IAAI;YACX,MAAM;YACN,GAAG,EAAE,MAAM,CAAC,MAAM,CAAC,GAAG;SACvB,CAAC;IACJ,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,6CAA6C;QAC7C,sFAAsF;QACtF,qDAAqD;QACrD,IAAI,aAAa,CAAC,GAAG,CAAC,EAAE,CAAC;YACvB,IAAI,kBAAkB,CAAC,GAAG,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE,CAAC;gBACrC,OAAO;oBACL,KAAK,EAAE,KAAK;oBACZ,IAAI,EAAE,kBAAkB;oBACxB,OAAO,EAAE,GAAG,CAAC,OAAO;iBACrB,CAAC;YACJ,CAAC;YACD,IAAI,GAAG,CAAC,IAAI,KAAK,0BAA0B,EAAE,CAAC;gBAC5C,OAAO;oBACL,KAAK,EAAE,KAAK;oBACZ,IAAI,EAAE,qBAAqB;oBAC3B,OAAO,EAAE,GAAG,CAAC,OAAO;iBACrB,CAAC;YACJ,CAAC;QACH,CAAC;QAED,0DAA0D;QAC1D,+CAA+C;QAC/C,MAAM,OAAO,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;QACjE,OAAO;YACL,KAAK,EAAE,KAAK;YACZ,IAAI,EAAE,YAAY;YAClB,OAAO,EAAE,kCAAkC,OAAO,EAAE;SACrD,CAAC;IACJ,CAAC;AACH,CAAC"}

package/dist/verify.js

@@ -1,202 +0,0 @@
-"use strict";
-/**
- * Receipt verification with JWKS fetching and caching
- */
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.verifyReceipt = verifyReceipt;
-const crypto_1 = require("@peac/crypto");
-const schema_1 = require("@peac/schema");
-const telemetry_1 = require("@peac/telemetry");
-const telemetry_js_1 = require("./telemetry.js");
-/**
- * In-memory JWKS cache
- * Maps issuer URL to { keys, expiresAt }
- */
-const jwksCache = new Map();
-/**
- * Cache TTL (5 minutes)
- */
-const CACHE_TTL_MS = 5 * 60 * 1000;
-/**
- * Fetch JWKS from issuer (SSRF-safe)
- */
-async function fetchJWKS(issuerUrl) {
-    // SSRF protection: only allow https://
-    if (!issuerUrl.startsWith('https://')) {
-        throw new Error('Issuer URL must be https://');
-    }
-    // Construct JWKS URL from discovery
-    const discoveryUrl = `${issuerUrl}/.well-known/peac.txt`;
-    try {
-        const discoveryResp = await fetch(discoveryUrl, {
-            headers: { Accept: 'text/plain' },
-            // Timeout after 5 seconds
-            signal: AbortSignal.timeout(5000),
-        });
-        if (!discoveryResp.ok) {
-            throw new Error(`Discovery fetch failed: ${discoveryResp.status}`);
-        }
-        const discoveryText = await discoveryResp.text();
-        // Parse YAML-like discovery (simple key: value parsing)
-        const jwksLine = discoveryText.split('\n').find((line) => line.startsWith('jwks:'));
-        if (!jwksLine) {
-            throw new Error('No jwks field in discovery');
-        }
-        const jwksUrl = jwksLine.replace('jwks:', '').trim();
-        // SSRF protection: verify JWKS URL is also https://
-        if (!jwksUrl.startsWith('https://')) {
-            throw new Error('JWKS URL must be https://');
-        }
-        // Fetch JWKS
-        const jwksResp = await fetch(jwksUrl, {
-            headers: { Accept: 'application/json' },
-            signal: AbortSignal.timeout(5000),
-        });
-        if (!jwksResp.ok) {
-            throw new Error(`JWKS fetch failed: ${jwksResp.status}`);
-        }
-        const jwks = (await jwksResp.json());
-        return jwks;
-    }
-    catch (err) {
-        throw new Error(`JWKS fetch failed: ${err instanceof Error ? err.message : String(err)}`);
-    }
-}
-/**
- * Get JWKS (from cache or fetch)
- */
-async function getJWKS(issuerUrl) {
-    const now = Date.now();
-    // Check cache
-    const cached = jwksCache.get(issuerUrl);
-    if (cached && cached.expiresAt > now) {
-        return { jwks: cached.keys, fromCache: true };
-    }
-    // Fetch fresh JWKS
-    const jwks = await fetchJWKS(issuerUrl);
-    // Cache it
-    jwksCache.set(issuerUrl, {
-        keys: jwks,
-        expiresAt: now + CACHE_TTL_MS,
-    });
-    return { jwks, fromCache: false };
-}
-/**
- * Convert JWK x coordinate to Ed25519 public key
- */
-function jwkToPublicKey(jwk) {
-    if (jwk.kty !== 'OKP' || jwk.crv !== 'Ed25519') {
-        throw new Error('Only Ed25519 keys (OKP/Ed25519) are supported');
-    }
-    // Decode base64url x coordinate
-    const xBytes = Buffer.from(jwk.x, 'base64url');
-    if (xBytes.length !== 32) {
-        throw new Error('Ed25519 public key must be 32 bytes');
-    }
-    return new Uint8Array(xBytes);
-}
-/**
- * Emit verification telemetry (no-throw guard)
- */
-function emitVerifyTelemetry(receiptJws, valid, reasonCode, issuer, kid, durationMs) {
-    const p = telemetry_1.providerRef.current;
-    if (p) {
-        try {
-            p.onReceiptVerified({
-                receiptHash: (0, telemetry_js_1.hashReceipt)(receiptJws),
-                valid,
-                reasonCode,
-                issuer,
-                kid,
-                durationMs,
-            });
-        }
-        catch {
-            // Telemetry MUST NOT break core flow
-        }
-    }
-}
-/**
- * Verify a PEAC receipt JWS
- *
- * @param optionsOrJws - Verify options or JWS compact serialization (for backwards compatibility)
- * @returns Verification result or failure
- */
-async function verifyReceipt(optionsOrJws) {
-    // Support both old (string) and new (options) signatures for backwards compatibility
-    const receiptJws = typeof optionsOrJws === 'string' ? optionsOrJws : optionsOrJws.receiptJws;
-    const inputSnapshot = typeof optionsOrJws === 'string' ? undefined : optionsOrJws.subject_snapshot;
-    const startTime = performance.now();
-    let jwksFetchTime;
-    try {
-        // Decode JWS to get issuer
-        const { header, payload } = (0, crypto_1.decode)(receiptJws);
-        // Validate claims structure
-        schema_1.ReceiptClaims.parse(payload);
-        // Check expiry
-        if (payload.exp && payload.exp < Math.floor(Date.now() / 1000)) {
-            const durationMs = performance.now() - startTime;
-            emitVerifyTelemetry(receiptJws, false, 'expired', payload.iss, header.kid, durationMs);
-            return {
-                ok: false,
-                reason: 'expired',
-                details: `Receipt expired at ${new Date(payload.exp * 1000).toISOString()}`,
-            };
-        }
-        // Fetch JWKS
-        const jwksFetchStart = performance.now();
-        const { jwks, fromCache } = await getJWKS(payload.iss);
-        if (!fromCache) {
-            jwksFetchTime = performance.now() - jwksFetchStart;
-        }
-        // Find key by kid
-        const jwk = jwks.keys.find((k) => k.kid === header.kid);
-        if (!jwk) {
-            const durationMs = performance.now() - startTime;
-            emitVerifyTelemetry(receiptJws, false, 'unknown_key', payload.iss, header.kid, durationMs);
-            return {
-                ok: false,
-                reason: 'unknown_key',
-                details: `No key found with kid=${header.kid}`,
-            };
-        }
-        // Convert JWK to public key
-        const publicKey = jwkToPublicKey(jwk);
-        // Verify signature
-        const result = await (0, crypto_1.verify)(receiptJws, publicKey);
-        if (!result.valid) {
-            const durationMs = performance.now() - startTime;
-            emitVerifyTelemetry(receiptJws, false, 'invalid_signature', payload.iss, header.kid, durationMs);
-            return {
-                ok: false,
-                reason: 'invalid_signature',
-                details: 'Ed25519 signature verification failed',
-            };
-        }
-        // Validate subject_snapshot if provided (v0.9.17+)
-        // This validates schema and logs advisory PII warning if applicable
-        const validatedSnapshot = (0, schema_1.validateSubjectSnapshot)(inputSnapshot);
-        const verifyTime = performance.now() - startTime;
-        // Emit success telemetry
-        emitVerifyTelemetry(receiptJws, true, undefined, payload.iss, header.kid, verifyTime);
-        return {
-            ok: true,
-            claims: payload,
-            ...(validatedSnapshot && { subject_snapshot: validatedSnapshot }),
-            perf: {
-                verify_ms: verifyTime,
-                ...(jwksFetchTime && { jwks_fetch_ms: jwksFetchTime }),
-            },
-        };
-    }
-    catch (err) {
-        const durationMs = performance.now() - startTime;
-        emitVerifyTelemetry(receiptJws, false, 'verification_error', undefined, undefined, durationMs);
-        return {
-            ok: false,
-            reason: 'verification_error',
-            details: err instanceof Error ? err.message : String(err),
-        };
-    }
-}
-//# sourceMappingURL=verify.js.map

package/dist/verify.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"verify.js","sourceRoot":"","sources":["../src/verify.ts"],"names":[],"mappings":";AAAA;;GAEG;;AAwNH,sCAiGC;AAvTD,yCAA2D;AAC3D,yCAKsB;AACtB,+CAA8C;AAC9C,iDAA6C;AAmB7C;;;GAGG;AACH,MAAM,SAAS,GAAG,IAAI,GAAG,EAA6C,CAAC;AAEvE;;GAEG;AACH,MAAM,YAAY,GAAG,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC;AAoCnC;;GAEG;AACH,KAAK,UAAU,SAAS,CAAC,SAAiB;IACxC,uCAAuC;IACvC,IAAI,CAAC,SAAS,CAAC,UAAU,CAAC,UAAU,CAAC,EAAE,CAAC;QACtC,MAAM,IAAI,KAAK,CAAC,6BAA6B,CAAC,CAAC;IACjD,CAAC;IAED,oCAAoC;IACpC,MAAM,YAAY,GAAG,GAAG,SAAS,uBAAuB,CAAC;IAEzD,IAAI,CAAC;QACH,MAAM,aAAa,GAAG,MAAM,KAAK,CAAC,YAAY,EAAE;YAC9C,OAAO,EAAE,EAAE,MAAM,EAAE,YAAY,EAAE;YACjC,0BAA0B;YAC1B,MAAM,EAAE,WAAW,CAAC,OAAO,CAAC,IAAI,CAAC;SAClC,CAAC,CAAC;QAEH,IAAI,CAAC,aAAa,CAAC,EAAE,EAAE,CAAC;YACtB,MAAM,IAAI,KAAK,CAAC,2BAA2B,aAAa,CAAC,MAAM,EAAE,CAAC,CAAC;QACrE,CAAC;QAED,MAAM,aAAa,GAAG,MAAM,aAAa,CAAC,IAAI,EAAE,CAAC;QAEjD,wDAAwD;QACxD,MAAM,QAAQ,GAAG,aAAa,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,IAAI,CAAC,UAAU,CAAC,OAAO,CAAC,CAAC,CAAC;QACpF,IAAI,CAAC,QAAQ,EAAE,CAAC;YACd,MAAM,IAAI,KAAK,CAAC,4BAA4B,CAAC,CAAC;QAChD,CAAC;QAED,MAAM,OAAO,GAAG,QAAQ,CAAC,OAAO,CAAC,OAAO,EAAE,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC;QAErD,oDAAoD;QACpD,IAAI,CAAC,OAAO,CAAC,UAAU,CAAC,UAAU,CAAC,EAAE,CAAC;YACpC,MAAM,IAAI,KAAK,CAAC,2BAA2B,CAAC,CAAC;QAC/C,CAAC;QAED,aAAa;QACb,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,OAAO,EAAE;YACpC,OAAO,EAAE,EAAE,MAAM,EAAE,kBAAkB,EAAE;YACvC,MAAM,EAAE,WAAW,CAAC,OAAO,CAAC,IAAI,CAAC;SAClC,CAAC,CAAC;QAEH,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;YACjB,MAAM,IAAI,KAAK,CAAC,sBAAsB,QAAQ,CAAC,MAAM,EAAE,CAAC,CAAC;QAC3D,CAAC;QAED,MAAM,IAAI,GAAG,CAAC,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAS,CAAC;QAE7C,OAAO,IAAI,CAAC;IACd,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,IAAI,KAAK,CAAC,sBAAsB,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;IAC5F,CAAC;AACH,CAAC;AAED;;GAEG;AACH,KAAK,UAAU,OAAO,CAAC,SAAiB;IACtC,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;IAEvB,cAAc;IACd,MAAM,MAAM,GAAG,SAAS,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;IACxC,IAAI,MAAM,IAAI,MAAM,CAAC,SAAS,GAAG,GAAG,EAAE,CAAC;QACrC,OAAO,EAAE,IAAI,EAAE,MAAM,CAAC,IAAI,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC;IAChD,CAAC;IAED,mBAAmB;IACnB,MAAM,IAAI,GAAG,MAAM,SAAS,CAAC,SAAS,CAAC,CAAC;IAExC,WAAW;IACX,SAAS,CAAC,GAAG,CAAC,SAAS,EAAE;QACvB,IAAI,EAAE,IAAI;QACV,SAAS,EAAE,GAAG,GAAG,YAAY;KAC9B,CAAC,CAAC;IAEH,OAAO,EAAE,IAAI,EAAE,SAAS,EAAE,KAAK,EAAE,CAAC;AACpC,CAAC;AAED;;GAEG;AACH,SAAS,cAAc,CAAC,GAAQ;IAC9B,IAAI,GAAG,CAAC,GAAG,KAAK,KAAK,IAAI,GAAG,CAAC,GAAG,KAAK,SAAS,EAAE,CAAC;QAC/C,MAAM,IAAI,KAAK,CAAC,+CAA+C,CAAC,CAAC;IACnE,CAAC;IAED,gCAAgC;IAChC,MAAM,MAAM,GAAG,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,WAAW,CAAC,CAAC;IAC/C,IAAI,MAAM,CAAC,MAAM,KAAK,EAAE,EAAE,CAAC;QACzB,MAAM,IAAI,KAAK,CAAC,qCAAqC,CAAC,CAAC;IACzD,CAAC;IAED,OAAO,IAAI,UAAU,CAAC,MAAM,CAAC,CAAC;AAChC,CAAC;AAaD;;GAEG;AACH,SAAS,mBAAmB,CAC1B,UAAkB,EAClB,KAAc,EACd,UAA8B,EAC9B,MAA0B,EAC1B,GAAuB,EACvB,UAAkB;IAElB,MAAM,CAAC,GAAG,uBAAW,CAAC,OAAO,CAAC;IAC9B,IAAI,CAAC,EAAE,CAAC;QACN,IAAI,CAAC;YACH,CAAC,CAAC,iBAAiB,CAAC;gBAClB,WAAW,EAAE,IAAA,0BAAW,EAAC,UAAU,CAAC;gBACpC,KAAK;gBACL,UAAU;gBACV,MAAM;gBACN,GAAG;gBACH,UAAU;aACX,CAAC,CAAC;QACL,CAAC;QAAC,MAAM,CAAC;YACP,qCAAqC;QACvC,CAAC;IACH,CAAC;AACH,CAAC;AAED;;;;;GAKG;AACI,KAAK,UAAU,aAAa,CACjC,YAAoC;IAEpC,qFAAqF;IACrF,MAAM,UAAU,GAAG,OAAO,YAAY,KAAK,QAAQ,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,YAAY,CAAC,UAAU,CAAC;IAC7F,MAAM,aAAa,GACjB,OAAO,YAAY,KAAK,QAAQ,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,YAAY,CAAC,gBAAgB,CAAC;IAC/E,MAAM,SAAS,GAAG,WAAW,CAAC,GAAG,EAAE,CAAC;IACpC,IAAI,aAAiC,CAAC;IAEtC,IAAI,CAAC;QACH,2BAA2B;QAC3B,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,GAAG,IAAA,eAAM,EAAoB,UAAU,CAAC,CAAC;QAElE,4BAA4B;QAC5B,sBAAa,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;QAE7B,eAAe;QACf,IAAI,OAAO,CAAC,GAAG,IAAI,OAAO,CAAC,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,EAAE,CAAC;YAC/D,MAAM,UAAU,GAAG,WAAW,CAAC,GAAG,EAAE,GAAG,SAAS,CAAC;YACjD,mBAAmB,CAAC,UAAU,EAAE,KAAK,EAAE,SAAS,EAAE,OAAO,CAAC,GAAG,EAAE,MAAM,CAAC,GAAG,EAAE,UAAU,CAAC,CAAC;YACvF,OAAO;gBACL,EAAE,EAAE,KAAK;gBACT,MAAM,EAAE,SAAS;gBACjB,OAAO,EAAE,sBAAsB,IAAI,IAAI,CAAC,OAAO,CAAC,GAAG,GAAG,IAAI,CAAC,CAAC,WAAW,EAAE,EAAE;aAC5E,CAAC;QACJ,CAAC;QAED,aAAa;QACb,MAAM,cAAc,GAAG,WAAW,CAAC,GAAG,EAAE,CAAC;QACzC,MAAM,EAAE,IAAI,EAAE,SAAS,EAAE,GAAG,MAAM,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;QACvD,IAAI,CAAC,SAAS,EAAE,CAAC;YACf,aAAa,GAAG,WAAW,CAAC,GAAG,EAAE,GAAG,cAAc,CAAC;QACrD,CAAC;QAED,kBAAkB;QAClB,MAAM,GAAG,GAAG,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,GAAG,KAAK,MAAM,CAAC,GAAG,CAAC,CAAC;QACxD,IAAI,CAAC,GAAG,EAAE,CAAC;YACT,MAAM,UAAU,GAAG,WAAW,CAAC,GAAG,EAAE,GAAG,SAAS,CAAC;YACjD,mBAAmB,CAAC,UAAU,EAAE,KAAK,EAAE,aAAa,EAAE,OAAO,CAAC,GAAG,EAAE,MAAM,CAAC,GAAG,EAAE,UAAU,CAAC,CAAC;YAC3F,OAAO;gBACL,EAAE,EAAE,KAAK;gBACT,MAAM,EAAE,aAAa;gBACrB,OAAO,EAAE,yBAAyB,MAAM,CAAC,GAAG,EAAE;aAC/C,CAAC;QACJ,CAAC;QAED,4BAA4B;QAC5B,MAAM,SAAS,GAAG,cAAc,CAAC,GAAG,CAAC,CAAC;QAEtC,mBAAmB;QACnB,MAAM,MAAM,GAAG,MAAM,IAAA,eAAS,EAAoB,UAAU,EAAE,SAAS,CAAC,CAAC;QAEzE,IAAI,CAAC,MAAM,CAAC,KAAK,EAAE,CAAC;YAClB,MAAM,UAAU,GAAG,WAAW,CAAC,GAAG,EAAE,GAAG,SAAS,CAAC;YACjD,mBAAmB,CACjB,UAAU,EACV,KAAK,EACL,mBAAmB,EACnB,OAAO,CAAC,GAAG,EACX,MAAM,CAAC,GAAG,EACV,UAAU,CACX,CAAC;YACF,OAAO;gBACL,EAAE,EAAE,KAAK;gBACT,MAAM,EAAE,mBAAmB;gBAC3B,OAAO,EAAE,uCAAuC;aACjD,CAAC;QACJ,CAAC;QAED,mDAAmD;QACnD,oEAAoE;QACpE,MAAM,iBAAiB,GAAG,IAAA,gCAAuB,EAAC,aAAa,CAAC,CAAC;QAEjE,MAAM,UAAU,GAAG,WAAW,CAAC,GAAG,EAAE,GAAG,SAAS,CAAC;QAEjD,yBAAyB;QACzB,mBAAmB,CAAC,UAAU,EAAE,IAAI,EAAE,SAAS,EAAE,OAAO,CAAC,GAAG,EAAE,MAAM,CAAC,GAAG,EAAE,UAAU,CAAC,CAAC;QAEtF,OAAO;YACL,EAAE,EAAE,IAAI;YACR,MAAM,EAAE,OAAO;YACf,GAAG,CAAC,iBAAiB,IAAI,EAAE,gBAAgB,EAAE,iBAAiB,EAAE,CAAC;YACjE,IAAI,EAAE;gBACJ,SAAS,EAAE,UAAU;gBACrB,GAAG,CAAC,aAAa,IAAI,EAAE,aAAa,EAAE,aAAa,EAAE,CAAC;aACvD;SACF,CAAC;IACJ,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,UAAU,GAAG,WAAW,CAAC,GAAG,EAAE,GAAG,SAAS,CAAC;QACjD,mBAAmB,CAAC,UAAU,EAAE,KAAK,EAAE,oBAAoB,EAAE,SAAS,EAAE,SAAS,EAAE,UAAU,CAAC,CAAC;QAC/F,OAAO;YACL,EAAE,EAAE,KAAK;YACT,MAAM,EAAE,oBAAoB;YAC5B,OAAO,EAAE,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC;SAC1D,CAAC;IACJ,CAAC;AACH,CAAC"}