npm - @peac/protocol - Versions diffs - 0.10.9 → 0.10.10 - Mend

@peac/protocol 0.10.9 → 0.10.10

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (45) hide show

package/LICENSE +1 -1
package/dist/discovery.d.ts.map +1 -1
package/dist/index.cjs +2694 -0
package/dist/index.cjs.map +1 -0
package/dist/index.mjs +2612 -0
package/dist/index.mjs.map +1 -0
package/dist/verification-report.d.ts.map +1 -1
package/dist/verifier-types.d.ts +42 -2
package/dist/verifier-types.d.ts.map +1 -1
package/dist/verify-local.cjs +164 -0
package/dist/verify-local.cjs.map +1 -0
package/dist/verify-local.d.ts +15 -0
package/dist/verify-local.d.ts.map +1 -1
package/dist/verify-local.mjs +160 -0
package/dist/verify-local.mjs.map +1 -0
package/dist/verify.d.ts.map +1 -1
package/package.json +20 -13
package/dist/crypto-utils.js +0 -21
package/dist/crypto-utils.js.map +0 -1
package/dist/discovery.js +0 -405
package/dist/discovery.js.map +0 -1
package/dist/headers.js +0 -110
package/dist/headers.js.map +0 -1
package/dist/index.js +0 -44
package/dist/index.js.map +0 -1
package/dist/issue.js +0 -198
package/dist/issue.js.map +0 -1
package/dist/pointer-fetch.js +0 -305
package/dist/pointer-fetch.js.map +0 -1
package/dist/ssrf-safe-fetch.js +0 -671
package/dist/ssrf-safe-fetch.js.map +0 -1
package/dist/telemetry.js +0 -43
package/dist/telemetry.js.map +0 -1
package/dist/transport-profiles.js +0 -424
package/dist/transport-profiles.js.map +0 -1
package/dist/verification-report.js +0 -322
package/dist/verification-report.js.map +0 -1
package/dist/verifier-core.js +0 -578
package/dist/verifier-core.js.map +0 -1
package/dist/verifier-types.js +0 -161
package/dist/verifier-types.js.map +0 -1
package/dist/verify-local.js +0 -230
package/dist/verify-local.js.map +0 -1
package/dist/verify.js +0 -213
package/dist/verify.js.map +0 -1

package/dist/verifier-core.js DELETED Viewed

@@ -1,578 +0,0 @@
-"use strict";
-/**
- * PEAC Verifier Core
- *
- * Implements the verification flow per VERIFIER-SECURITY-MODEL.md with:
- * - Ordered checks with short-circuit behavior
- * - Trust pinning (issuer allowlist + RFC 7638 thumbprints)
- * - SSRF-safe network fetches
- * - Deterministic verification reports
- *
- * @packageDocumentation
- */
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.verifyReceiptCore = verifyReceiptCore;
-exports.clearJWKSCache = clearJWKSCache;
-exports.getJWKSCacheSize = getJWKSCacheSize;
-const crypto_1 = require("@peac/crypto");
-const kernel_1 = require("@peac/kernel");
-const schema_1 = require("@peac/schema");
-const ssrf_safe_fetch_js_1 = require("./ssrf-safe-fetch.js");
-const verification_report_js_1 = require("./verification-report.js");
-const verifier_types_js_1 = require("./verifier-types.js");
-/**
- * In-memory JWKS cache (5 minute TTL)
- */
-const jwksCache = new Map();
-const CACHE_TTL_MS = 5 * 60 * 1000;
-// ---------------------------------------------------------------------------
-// Helper Functions
-// ---------------------------------------------------------------------------
-/**
- * Normalize issuer to origin format (https://host[:port])
- */
-function normalizeIssuer(issuer) {
-    try {
-        const url = new URL(issuer);
-        // Include port only if non-standard for HTTPS
-        if (url.port && url.port !== '443') {
-            return `${url.protocol}//${url.hostname}:${url.port}`;
-        }
-        return `${url.protocol}//${url.hostname}`;
-    }
-    catch {
-        return issuer;
-    }
-}
-/**
- * Check if issuer is in the allowlist
- */
-function isIssuerAllowed(issuer, allowlist) {
-    if (!allowlist || allowlist.length === 0) {
-        // No allowlist means all issuers are allowed
-        return true;
-    }
-    const normalized = normalizeIssuer(issuer);
-    return allowlist.some((allowed) => normalizeIssuer(allowed) === normalized);
-}
-/**
- * Find pinned key for issuer and kid
- */
-function findPinnedKey(issuer, kid, pinnedKeys) {
-    if (!pinnedKeys || pinnedKeys.length === 0) {
-        return undefined;
-    }
-    const normalizedIssuer = normalizeIssuer(issuer);
-    return pinnedKeys.find((pk) => normalizeIssuer(pk.issuer) === normalizedIssuer && pk.kid === kid);
-}
-/**
- * Fetch issuer configuration
- */
-async function fetchIssuerConfig(issuerOrigin) {
-    const configUrl = `${issuerOrigin}/.well-known/peac-issuer.json`;
-    const result = await (0, ssrf_safe_fetch_js_1.ssrfSafeFetch)(configUrl, {
-        maxBytes: 65536, // 64 KB
-        headers: { Accept: 'application/json' },
-    });
-    if (!result.ok) {
-        return null;
-    }
-    try {
-        return JSON.parse(result.body);
-    }
-    catch {
-        return null;
-    }
-}
-/**
- * Fetch JWKS from issuer
- */
-async function fetchIssuerJWKS(issuerOrigin) {
-    const now = Date.now();
-    // Check cache
-    const cached = jwksCache.get(issuerOrigin);
-    if (cached && cached.expiresAt > now) {
-        return { jwks: cached.jwks, fromCache: true };
-    }
-    // Fetch issuer config first
-    const config = await fetchIssuerConfig(issuerOrigin);
-    if (!config?.jwks_uri) {
-        // Fallback to well-known JWKS path
-        const fallbackUrl = `${issuerOrigin}/.well-known/jwks.json`;
-        const result = await (0, ssrf_safe_fetch_js_1.fetchJWKSSafe)(fallbackUrl);
-        if (!result.ok) {
-            return { error: result };
-        }
-        try {
-            const jwks = JSON.parse(result.body);
-            jwksCache.set(issuerOrigin, { jwks, expiresAt: now + CACHE_TTL_MS });
-            return { jwks, fromCache: false, rawBytes: result.rawBytes };
-        }
-        catch {
-            return {
-                error: {
-                    ok: false,
-                    reason: 'network_error',
-                    message: 'Invalid JWKS JSON',
-                },
-            };
-        }
-    }
-    // Fetch JWKS from discovered URI
-    const result = await (0, ssrf_safe_fetch_js_1.fetchJWKSSafe)(config.jwks_uri);
-    if (!result.ok) {
-        return { error: result };
-    }
-    try {
-        const jwks = JSON.parse(result.body);
-        // Validate JWKS limits
-        if (jwks.keys.length > kernel_1.VERIFIER_LIMITS.maxJwksKeys) {
-            return {
-                error: {
-                    ok: false,
-                    reason: 'jwks_too_many_keys',
-                    message: `JWKS has too many keys: ${jwks.keys.length} > ${kernel_1.VERIFIER_LIMITS.maxJwksKeys}`,
-                },
-            };
-        }
-        jwksCache.set(issuerOrigin, { jwks, expiresAt: now + CACHE_TTL_MS });
-        return { jwks, fromCache: false, rawBytes: result.rawBytes };
-    }
-    catch {
-        return {
-            error: {
-                ok: false,
-                reason: 'network_error',
-                message: 'Invalid JWKS JSON',
-            },
-        };
-    }
-}
-// ---------------------------------------------------------------------------
-// Main Verification Function
-// ---------------------------------------------------------------------------
-/**
- * Verify a PEAC receipt with full security checks and report emission
- *
- * Implements the verification flow per VERIFIER-SECURITY-MODEL.md:
- * 1. jws.parse - Parse JWS structure
- * 2. limits.receipt_bytes - Check receipt size
- * 3. jws.protected_header - Validate protected header
- * 4. claims.schema_unverified - Pre-signature schema check
- * 5. issuer.trust_policy - Check issuer allowlist/pins
- * 6. issuer.discovery - Fetch JWKS (if network mode)
- * 7. key.resolve - Resolve signing key by kid
- * 8. jws.signature - Verify signature
- * 9. claims.time_window - Check iat/exp
- * 10. extensions.limits - Check extension sizes
- */
-async function verifyReceiptCore(options) {
-    const { receipt, policy = (0, verifier_types_js_1.createDefaultPolicy)('offline_preferred'), referenceTime, includeMeta = false, } = options;
-    // Convert receipt to string if needed
-    const receiptJws = typeof receipt === 'string' ? receipt : new TextDecoder().decode(receipt);
-    const receiptBytes = typeof receipt === 'string' ? new TextEncoder().encode(receipt) : receipt;
-    // Compute receipt digest for report
-    const receiptDigestHex = await (0, crypto_1.sha256Hex)(receiptBytes);
-    // Start building report
-    const builder = (0, verification_report_js_1.createReportBuilder)(policy);
-    builder.setInputWithDigest(receiptDigestHex);
-    // Current time (or reference time for deterministic verification)
-    const nowSeconds = referenceTime ?? Math.floor(Date.now() / 1000);
-    // Track issuer and kid for result
-    let issuer;
-    let kid;
-    let parsedClaims;
-    // ---------------------------------------------------------------------------
-    // Check 1: jws.parse - Parse JWS structure
-    // ---------------------------------------------------------------------------
-    let header;
-    let payload;
-    try {
-        const decoded = (0, crypto_1.decode)(receiptJws);
-        header = decoded.header;
-        payload = decoded.payload;
-        builder.pass('jws.parse');
-    }
-    catch (err) {
-        builder.fail('jws.parse', 'E_VERIFY_MALFORMED_RECEIPT', {
-            error: err instanceof Error ? err.message : String(err),
-        });
-        builder.failure('malformed_receipt');
-        return { valid: false, report: includeMeta ? builder.addTimestamp().build() : builder.build() };
-    }
-    // ---------------------------------------------------------------------------
-    // Check 2: limits.receipt_bytes - Check receipt size
-    // ---------------------------------------------------------------------------
-    if (receiptBytes.length > policy.limits.max_receipt_bytes) {
-        builder.fail('limits.receipt_bytes', 'E_VERIFY_RECEIPT_TOO_LARGE', {
-            size: receiptBytes.length,
-            limit: policy.limits.max_receipt_bytes,
-        });
-        builder.failure('receipt_too_large');
-        return { valid: false, report: includeMeta ? builder.addTimestamp().build() : builder.build() };
-    }
-    builder.pass('limits.receipt_bytes', { size: receiptBytes.length });
-    // ---------------------------------------------------------------------------
-    // Check 3: jws.protected_header - Validate protected header
-    // ---------------------------------------------------------------------------
-    if (header.alg !== 'EdDSA') {
-        builder.fail('jws.protected_header', 'E_VERIFY_MALFORMED_RECEIPT', {
-            expected_alg: 'EdDSA',
-            actual_alg: header.alg,
-        });
-        builder.failure('malformed_receipt');
-        return { valid: false, report: includeMeta ? builder.addTimestamp().build() : builder.build() };
-    }
-    if (header.typ !== kernel_1.WIRE_TYPE) {
-        builder.fail('jws.protected_header', 'E_VERIFY_MALFORMED_RECEIPT', {
-            expected_typ: kernel_1.WIRE_TYPE,
-            actual_typ: header.typ,
-        });
-        builder.failure('malformed_receipt');
-        return { valid: false, report: includeMeta ? builder.addTimestamp().build() : builder.build() };
-    }
-    if (!header.kid) {
-        builder.fail('jws.protected_header', 'E_VERIFY_MALFORMED_RECEIPT', {
-            error: 'Missing kid in protected header',
-        });
-        builder.failure('malformed_receipt');
-        return { valid: false, report: includeMeta ? builder.addTimestamp().build() : builder.build() };
-    }
-    kid = header.kid;
-    builder.pass('jws.protected_header', { alg: header.alg, typ: header.typ, kid: header.kid });
-    // ---------------------------------------------------------------------------
-    // Check 4: claims.schema_unverified - Pre-signature schema check
-    // ---------------------------------------------------------------------------
-    try {
-        schema_1.ReceiptClaims.parse(payload);
-        issuer = payload.iss;
-        builder.pass('claims.schema_unverified');
-    }
-    catch (err) {
-        builder.fail('claims.schema_unverified', 'E_VERIFY_SCHEMA_INVALID', {
-            error: err instanceof Error ? err.message : String(err),
-        });
-        builder.failure('schema_invalid');
-        return { valid: false, report: includeMeta ? builder.addTimestamp().build() : builder.build() };
-    }
-    // ---------------------------------------------------------------------------
-    // Check 5: issuer.trust_policy - Check issuer allowlist/pins
-    // ---------------------------------------------------------------------------
-    const normalizedIssuer = normalizeIssuer(issuer);
-    if (!isIssuerAllowed(issuer, policy.issuer_allowlist)) {
-        builder.fail('issuer.trust_policy', 'E_VERIFY_ISSUER_NOT_ALLOWED', {
-            issuer: normalizedIssuer,
-            allowlist: policy.issuer_allowlist,
-        });
-        builder.failure('issuer_not_allowed', normalizedIssuer, kid);
-        return { valid: false, report: includeMeta ? builder.addTimestamp().build() : builder.build() };
-    }
-    builder.pass('issuer.trust_policy', { issuer: normalizedIssuer });
-    // ---------------------------------------------------------------------------
-    // Check 6: issuer.discovery - Fetch JWKS (if network mode)
-    // Check 7: key.resolve - Resolve signing key by kid
-    // ---------------------------------------------------------------------------
-    let publicKey;
-    let keySource;
-    let keyThumbprint;
-    let jwksRawBytes;
-    // Check for pinned key first
-    const pinnedKey = findPinnedKey(issuer, kid, policy.pinned_keys);
-    if (pinnedKey) {
-        // Use pinned key - skip discovery
-        builder.skip('issuer.discovery', { reason: 'pinned_key_available' });
-        // Check if pinned key has key material for offline verification
-        if (pinnedKey.jwk) {
-            // Full JWK provided - verify thumbprint and use directly
-            const actualThumbprint = await (0, crypto_1.computeJwkThumbprint)(pinnedKey.jwk);
-            if (actualThumbprint !== pinnedKey.jwk_thumbprint_sha256) {
-                builder.fail('key.resolve', 'E_VERIFY_POLICY_VIOLATION', {
-                    error: 'Pinned JWK thumbprint does not match declared thumbprint',
-                    expected: pinnedKey.jwk_thumbprint_sha256,
-                    actual: actualThumbprint,
-                });
-                builder.failure('policy_violation', normalizedIssuer, kid);
-                return {
-                    valid: false,
-                    report: includeMeta ? builder.addTimestamp().build() : builder.build(),
-                };
-            }
-            publicKey = (0, crypto_1.jwkToPublicKeyBytes)(pinnedKey.jwk);
-            keySource = 'pinned_keys';
-            keyThumbprint = actualThumbprint;
-            builder.pass('key.resolve', {
-                source: keySource,
-                kid,
-                thumbprint_verified: true,
-                offline: true,
-            });
-        }
-        else if (pinnedKey.public_key) {
-            // Raw public key bytes provided (base64url, 32 bytes for Ed25519)
-            try {
-                publicKey = (0, crypto_1.base64urlDecode)(pinnedKey.public_key);
-                if (publicKey.length !== 32) {
-                    throw new Error(`Expected 32 bytes, got ${publicKey.length}`);
-                }
-                keySource = 'pinned_keys';
-                // Note: We can't compute thumbprint from raw key bytes alone
-                // The thumbprint is computed from canonical JWK JSON
-                // Use the declared thumbprint from the pinned key entry
-                keyThumbprint = pinnedKey.jwk_thumbprint_sha256;
-                builder.pass('key.resolve', {
-                    source: keySource,
-                    kid,
-                    offline: true,
-                    thumbprint_verified: false,
-                });
-            }
-            catch (err) {
-                builder.fail('key.resolve', 'E_VERIFY_KEY_NOT_FOUND', {
-                    error: `Invalid pinned public_key: ${err instanceof Error ? err.message : String(err)}`,
-                });
-                builder.failure('key_not_found', normalizedIssuer, kid);
-                return {
-                    valid: false,
-                    report: includeMeta ? builder.addTimestamp().build() : builder.build(),
-                };
-            }
-        }
-        else if (policy.mode === 'offline_only') {
-            // Offline mode but pinned key has no key material - fail
-            builder.fail('key.resolve', 'E_VERIFY_KEY_NOT_FOUND', {
-                error: 'Offline mode requires key material (jwk or public_key) in pinned_keys',
-            });
-            builder.failure('key_not_found', normalizedIssuer, kid);
-            return {
-                valid: false,
-                report: includeMeta ? builder.addTimestamp().build() : builder.build(),
-            };
-        }
-        else {
-            // Network mode - fetch JWKS and verify thumbprint
-            const jwksResult = await fetchIssuerJWKS(normalizedIssuer);
-            if ('error' in jwksResult) {
-                const reason = (0, verifier_types_js_1.ssrfErrorToReasonCode)(jwksResult.error.reason, 'key');
-                builder.fail('issuer.discovery', (0, verifier_types_js_1.reasonCodeToErrorCode)(reason), {
-                    error: jwksResult.error.message,
-                    url: jwksResult.error.blockedUrl,
-                });
-                builder.failure(reason, normalizedIssuer, kid);
-                return {
-                    valid: false,
-                    report: includeMeta ? builder.addTimestamp().build() : builder.build(),
-                };
-            }
-            // Store raw bytes for digest computation (only when not from cache)
-            if (jwksResult.rawBytes) {
-                jwksRawBytes = jwksResult.rawBytes;
-            }
-            builder.pass('issuer.discovery', {
-                from_cache: jwksResult.fromCache,
-                keys_count: jwksResult.jwks.keys.length,
-            });
-            // Find the key
-            const jwk = jwksResult.jwks.keys.find((k) => k.kid === kid);
-            if (!jwk) {
-                builder.fail('key.resolve', 'E_VERIFY_KEY_NOT_FOUND', {
-                    kid,
-                    available_kids: jwksResult.jwks.keys.map((k) => k.kid),
-                });
-                builder.failure('key_not_found', normalizedIssuer, kid);
-                return {
-                    valid: false,
-                    report: includeMeta ? builder.addTimestamp().build() : builder.build(),
-                };
-            }
-            // Verify thumbprint matches
-            const actualThumbprint = await (0, crypto_1.computeJwkThumbprint)(jwk);
-            if (actualThumbprint !== pinnedKey.jwk_thumbprint_sha256) {
-                builder.fail('key.resolve', 'E_VERIFY_POLICY_VIOLATION', {
-                    error: 'JWK thumbprint does not match pinned key',
-                    expected: pinnedKey.jwk_thumbprint_sha256,
-                    actual: actualThumbprint,
-                });
-                builder.failure('policy_violation', normalizedIssuer, kid);
-                return {
-                    valid: false,
-                    report: includeMeta ? builder.addTimestamp().build() : builder.build(),
-                };
-            }
-            publicKey = (0, crypto_1.jwkToPublicKeyBytes)(jwk);
-            keySource = 'pinned_keys';
-            keyThumbprint = actualThumbprint;
-            builder.pass('key.resolve', { source: keySource, kid, thumbprint_verified: true });
-        }
-    }
-    else {
-        // No pinned key - need to discover
-        if (policy.mode === 'offline_only') {
-            builder.fail('issuer.discovery', 'E_VERIFY_KEY_NOT_FOUND', {
-                error: 'Offline mode requires pinned keys',
-            });
-            builder.failure('key_not_found', normalizedIssuer, kid);
-            return {
-                valid: false,
-                report: includeMeta ? builder.addTimestamp().build() : builder.build(),
-            };
-        }
-        const jwksResult = await fetchIssuerJWKS(normalizedIssuer);
-        if ('error' in jwksResult) {
-            const reason = (0, verifier_types_js_1.ssrfErrorToReasonCode)(jwksResult.error.reason, 'key');
-            builder.fail('issuer.discovery', (0, verifier_types_js_1.reasonCodeToErrorCode)(reason), {
-                error: jwksResult.error.message,
-                url: jwksResult.error.blockedUrl,
-            });
-            builder.failure(reason, normalizedIssuer, kid);
-            return {
-                valid: false,
-                report: includeMeta ? builder.addTimestamp().build() : builder.build(),
-            };
-        }
-        // Store raw bytes for digest computation (only when not from cache)
-        if (jwksResult.rawBytes) {
-            jwksRawBytes = jwksResult.rawBytes;
-        }
-        builder.pass('issuer.discovery', {
-            from_cache: jwksResult.fromCache,
-            keys_count: jwksResult.jwks.keys.length,
-        });
-        // Find the key
-        const jwk = jwksResult.jwks.keys.find((k) => k.kid === kid);
-        if (!jwk) {
-            builder.fail('key.resolve', 'E_VERIFY_KEY_NOT_FOUND', {
-                kid,
-                available_kids: jwksResult.jwks.keys.map((k) => k.kid),
-            });
-            builder.failure('key_not_found', normalizedIssuer, kid);
-            return {
-                valid: false,
-                report: includeMeta ? builder.addTimestamp().build() : builder.build(),
-            };
-        }
-        publicKey = (0, crypto_1.jwkToPublicKeyBytes)(jwk);
-        keySource = 'jwks_discovery';
-        keyThumbprint = await (0, crypto_1.computeJwkThumbprint)(jwk);
-        builder.pass('key.resolve', { source: keySource, kid, thumbprint: keyThumbprint });
-    }
-    // ---------------------------------------------------------------------------
-    // Check 8: jws.signature - Verify signature
-    // ---------------------------------------------------------------------------
-    try {
-        const result = await (0, crypto_1.verify)(receiptJws, publicKey);
-        if (!result.valid) {
-            builder.fail('jws.signature', 'E_VERIFY_SIGNATURE_INVALID', {
-                error: 'Ed25519 signature verification failed',
-            });
-            builder.failure('signature_invalid', normalizedIssuer, kid);
-            return {
-                valid: false,
-                report: includeMeta ? builder.addTimestamp().build() : builder.build(),
-            };
-        }
-        parsedClaims = result.payload;
-        builder.pass('jws.signature');
-    }
-    catch (err) {
-        builder.fail('jws.signature', 'E_VERIFY_SIGNATURE_INVALID', {
-            error: err instanceof Error ? err.message : String(err),
-        });
-        builder.failure('signature_invalid', normalizedIssuer, kid);
-        return { valid: false, report: includeMeta ? builder.addTimestamp().build() : builder.build() };
-    }
-    // ---------------------------------------------------------------------------
-    // Check 9: claims.time_window - Check iat/exp
-    // ---------------------------------------------------------------------------
-    const iatTolerance = 60; // 60 seconds tolerance for future iat
-    // Check iat (issued at) - required field per schema
-    if (parsedClaims.iat > nowSeconds + iatTolerance) {
-        builder.fail('claims.time_window', 'E_VERIFY_NOT_YET_VALID', {
-            error: 'Receipt issued in the future',
-            iat: parsedClaims.iat,
-            now: nowSeconds,
-            tolerance: iatTolerance,
-        });
-        builder.failure('not_yet_valid', normalizedIssuer, kid);
-        return { valid: false, report: includeMeta ? builder.addTimestamp().build() : builder.build() };
-    }
-    // Check exp (expiration) - no tolerance
-    if (parsedClaims.exp) {
-        if (parsedClaims.exp < nowSeconds) {
-            builder.fail('claims.time_window', 'E_VERIFY_EXPIRED', {
-                error: 'Receipt expired',
-                exp: parsedClaims.exp,
-                now: nowSeconds,
-            });
-            builder.failure('expired', normalizedIssuer, kid);
-            return {
-                valid: false,
-                report: includeMeta ? builder.addTimestamp().build() : builder.build(),
-            };
-        }
-    }
-    builder.pass('claims.time_window', {
-        iat: parsedClaims.iat,
-        exp: parsedClaims.exp,
-        now: nowSeconds,
-    });
-    // ---------------------------------------------------------------------------
-    // Check 10: extensions.limits - Check extension sizes
-    // ---------------------------------------------------------------------------
-    // Check for oversized extensions in ext object
-    if (parsedClaims.ext) {
-        for (const [extKey, extValue] of Object.entries(parsedClaims.ext)) {
-            if (extValue !== undefined) {
-                const extJson = JSON.stringify(extValue);
-                if (extJson.length > policy.limits.max_extension_bytes) {
-                    builder.fail('extensions.limits', 'E_VERIFY_EXTENSION_TOO_LARGE', {
-                        extension: extKey,
-                        size: extJson.length,
-                        limit: policy.limits.max_extension_bytes,
-                    });
-                    builder.failure('extension_too_large', normalizedIssuer, kid);
-                    return {
-                        valid: false,
-                        report: includeMeta ? builder.addTimestamp().build() : builder.build(),
-                    };
-                }
-            }
-        }
-    }
-    builder.pass('extensions.limits');
-    // ---------------------------------------------------------------------------
-    // Success!
-    // ---------------------------------------------------------------------------
-    builder.success(normalizedIssuer, kid);
-    // Add JWKS artifacts for enterprise debuggability
-    // Map internal key source to artifact format
-    const artifactKeySource = keySource === 'pinned_keys' ? 'pinned' : 'jwks_fetch';
-    builder.addArtifact('issuer_key_source', artifactKeySource);
-    if (keyThumbprint) {
-        builder.addArtifact('issuer_key_thumbprint', keyThumbprint);
-    }
-    // Add JWKS digest when fetched (not from cache)
-    // Computed over raw bytes to avoid encoding round-trip issues
-    if (jwksRawBytes) {
-        const jwksDigestHex = await (0, crypto_1.sha256Hex)(jwksRawBytes);
-        builder.addArtifact('issuer_jwks_digest', (0, verifier_types_js_1.createDigest)(jwksDigestHex));
-    }
-    const report = includeMeta ? builder.addTimestamp().build() : builder.build();
-    return {
-        valid: true,
-        report,
-        claims: parsedClaims,
-    };
-}
-/**
- * Clear the JWKS cache
- */
-function clearJWKSCache() {
-    jwksCache.clear();
-}
-/**
- * Get JWKS cache size (for testing)
- */
-function getJWKSCacheSize() {
-    return jwksCache.size;
-}
-//# sourceMappingURL=verifier-core.js.map

package/dist/verifier-core.js.map DELETED Viewed

@@ -1 +0,0 @@

- {"version":3,"file":"verifier-core.js","sourceRoot":"","sources":["../src/verifier-core.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;GAUG;;AA8QH,8CAobC;AAKD,wCAEC;AAKD,4CAEC;AA9sBD,yCAOsB;AACtB,yCAA0D;AAC1D,yCAAgE;AAEhE,6DAAoE;AACpE,qEAA+D;AAE/D,2DAK6B;AAqE7B;;GAEG;AACH,MAAM,SAAS,GAAG,IAAI,GAAG,EAA0B,CAAC;AACpD,MAAM,YAAY,GAAG,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC;AAEnC,8EAA8E;AAC9E,mBAAmB;AACnB,8EAA8E;AAE9E;;GAEG;AACH,SAAS,eAAe,CAAC,MAAc;IACrC,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,MAAM,CAAC,CAAC;QAC5B,8CAA8C;QAC9C,IAAI,GAAG,CAAC,IAAI,IAAI,GAAG,CAAC,IAAI,KAAK,KAAK,EAAE,CAAC;YACnC,OAAO,GAAG,GAAG,CAAC,QAAQ,KAAK,GAAG,CAAC,QAAQ,IAAI,GAAG,CAAC,IAAI,EAAE,CAAC;QACxD,CAAC;QACD,OAAO,GAAG,GAAG,CAAC,QAAQ,KAAK,GAAG,CAAC,QAAQ,EAAE,CAAC;IAC5C,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,MAAM,CAAC;IAChB,CAAC;AACH,CAAC;AAED;;GAEG;AACH,SAAS,eAAe,CAAC,MAAc,EAAE,SAAoB;IAC3D,IAAI,CAAC,SAAS,IAAI,SAAS,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACzC,6CAA6C;QAC7C,OAAO,IAAI,CAAC;IACd,CAAC;IAED,MAAM,UAAU,GAAG,eAAe,CAAC,MAAM,CAAC,CAAC;IAC3C,OAAO,SAAS,CAAC,IAAI,CAAC,CAAC,OAAO,EAAE,EAAE,CAAC,eAAe,CAAC,OAAO,CAAC,KAAK,UAAU,CAAC,CAAC;AAC9E,CAAC;AAED;;GAEG;AACH,SAAS,aAAa,CACpB,MAAc,EACd,GAAW,EACX,UAAwB;IAExB,IAAI,CAAC,UAAU,IAAI,UAAU,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC3C,OAAO,SAAS,CAAC;IACnB,CAAC;IAED,MAAM,gBAAgB,GAAG,eAAe,CAAC,MAAM,CAAC,CAAC;IACjD,OAAO,UAAU,CAAC,IAAI,CAAC,CAAC,EAAE,EAAE,EAAE,CAAC,eAAe,CAAC,EAAE,CAAC,MAAM,CAAC,KAAK,gBAAgB,IAAI,EAAE,CAAC,GAAG,KAAK,GAAG,CAAC,CAAC;AACpG,CAAC;AAED;;GAEG;AACH,KAAK,UAAU,iBAAiB,CAAC,YAAoB;IACnD,MAAM,SAAS,GAAG,GAAG,YAAY,+BAA+B,CAAC;IAEjE,MAAM,MAAM,GAAG,MAAM,IAAA,kCAAa,EAAC,SAAS,EAAE;QAC5C,QAAQ,EAAE,KAAK,EAAE,QAAQ;QACzB,OAAO,EAAE,EAAE,MAAM,EAAE,kBAAkB,EAAE;KACxC,CAAC,CAAC;IAEH,IAAI,CAAC,MAAM,CAAC,EAAE,EAAE,CAAC;QACf,OAAO,IAAI,CAAC;IACd,CAAC;IAED,IAAI,CAAC;QACH,OAAO,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,IAAI,CAAiB,CAAC;IACjD,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAYD;;GAEG;AACH,KAAK,UAAU,eAAe,CAC5B,YAAoB;IAEpB,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;IAEvB,cAAc;IACd,MAAM,MAAM,GAAG,SAAS,CAAC,GAAG,CAAC,YAAY,CAAC,CAAC;IAC3C,IAAI,MAAM,IAAI,MAAM,CAAC,SAAS,GAAG,GAAG,EAAE,CAAC;QACrC,OAAO,EAAE,IAAI,EAAE,MAAM,CAAC,IAAI,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC;IAChD,CAAC;IAED,4BAA4B;IAC5B,MAAM,MAAM,GAAG,MAAM,iBAAiB,CAAC,YAAY,CAAC,CAAC;IACrD,IAAI,CAAC,MAAM,EAAE,QAAQ,EAAE,CAAC;QACtB,mCAAmC;QACnC,MAAM,WAAW,GAAG,GAAG,YAAY,wBAAwB,CAAC;QAC5D,MAAM,MAAM,GAAG,MAAM,IAAA,kCAAa,EAAC,WAAW,CAAC,CAAC;QAEhD,IAAI,CAAC,MAAM,CAAC,EAAE,EAAE,CAAC;YACf,OAAO,EAAE,KAAK,EAAE,MAAM,EAAE,CAAC;QAC3B,CAAC;QAED,IAAI,CAAC;YACH,MAAM,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,IAAI,CAAS,CAAC;YAC7C,SAAS,CAAC,GAAG,CAAC,YAAY,EAAE,EAAE,IAAI,EAAE,SAAS,EAAE,GAAG,GAAG,YAAY,EAAE,CAAC,CAAC;YACrE,OAAO,EAAE,IAAI,EAAE,SAAS,EAAE,KAAK,EAAE,QAAQ,EAAE,MAAM,CAAC,QAAQ,EAAE,CAAC;QAC/D,CAAC;QAAC,MAAM,CAAC;YACP,OAAO;gBACL,KAAK,EAAE;oBACL,EAAE,EAAE,KAAK;oBACT,MAAM,EAAE,eAAe;oBACvB,OAAO,EAAE,mBAAmB;iBACX;aACpB,CAAC;QACJ,CAAC;IACH,CAAC;IAED,iCAAiC;IACjC,MAAM,MAAM,GAAG,MAAM,IAAA,kCAAa,EAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;IAEpD,IAAI,CAAC,MAAM,CAAC,EAAE,EAAE,CAAC;QACf,OAAO,EAAE,KAAK,EAAE,MAAM,EAAE,CAAC;IAC3B,CAAC;IAED,IAAI,CAAC;QACH,MAAM,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,IAAI,CAAS,CAAC;QAE7C,uBAAuB;QACvB,IAAI,IAAI,CAAC,IAAI,CAAC,MAAM,GAAG,wBAAe,CAAC,WAAW,EAAE,CAAC;YACnD,OAAO;gBACL,KAAK,EAAE;oBACL,EAAE,EAAE,KAAK;oBACT,MAAM,EAAE,oBAAoB;oBAC5B,OAAO,EAAE,2BAA2B,IAAI,CAAC,IAAI,CAAC,MAAM,MAAM,wBAAe,CAAC,WAAW,EAAE;iBACtE;aACpB,CAAC;QACJ,CAAC;QAED,SAAS,CAAC,GAAG,CAAC,YAAY,EAAE,EAAE,IAAI,EAAE,SAAS,EAAE,GAAG,GAAG,YAAY,EAAE,CAAC,CAAC;QACrE,OAAO,EAAE,IAAI,EAAE,SAAS,EAAE,KAAK,EAAE,QAAQ,EAAE,MAAM,CAAC,QAAQ,EAAE,CAAC;IAC/D,CAAC;IAAC,MAAM,CAAC;QACP,OAAO;YACL,KAAK,EAAE;gBACL,EAAE,EAAE,KAAK;gBACT,MAAM,EAAE,eAAe;gBACvB,OAAO,EAAE,mBAAmB;aACX;SACpB,CAAC;IACJ,CAAC;AACH,CAAC;AAED,8EAA8E;AAC9E,6BAA6B;AAC7B,8EAA8E;AAE9E;;;;;;;;;;;;;;GAcG;AACI,KAAK,UAAU,iBAAiB,CAAC,OAA0B;IAChE,MAAM,EACJ,OAAO,EACP,MAAM,GAAG,IAAA,uCAAmB,EAAC,mBAAmB,CAAC,EACjD,aAAa,EACb,WAAW,GAAG,KAAK,GACpB,GAAG,OAAO,CAAC;IAEZ,sCAAsC;IACtC,MAAM,UAAU,GAAG,OAAO,OAAO,KAAK,QAAQ,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;IAC7F,MAAM,YAAY,GAAG,OAAO,OAAO,KAAK,QAAQ,CAAC,CAAC,CAAC,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC;IAE/F,oCAAoC;IACpC,MAAM,gBAAgB,GAAG,MAAM,IAAA,kBAAS,EAAC,YAAY,CAAC,CAAC;IAEvD,wBAAwB;IACxB,MAAM,OAAO,GAAG,IAAA,4CAAmB,EAAC,MAAM,CAAC,CAAC;IAC5C,OAAO,CAAC,kBAAkB,CAAC,gBAAgB,CAAC,CAAC;IAE7C,kEAAkE;IAClE,MAAM,UAAU,GAAG,aAAa,IAAI,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;IAElE,kCAAkC;IAClC,IAAI,MAA0B,CAAC;IAC/B,IAAI,GAAuB,CAAC;IAC5B,IAAI,YAA2C,CAAC;IAEhD,8EAA8E;IAC9E,2CAA2C;IAC3C,8EAA8E;IAC9E,IAAI,MAAiD,CAAC;IACtD,IAAI,OAA0B,CAAC;IAE/B,IAAI,CAAC;QACH,MAAM,OAAO,GAAG,IAAA,eAAM,EAAoB,UAAU,CAAC,CAAC;QACtD,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;QACxB,OAAO,GAAG,OAAO,CAAC,OAAO,CAAC;QAC1B,OAAO,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;IAC5B,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,OAAO,CAAC,IAAI,CAAC,WAAW,EAAE,4BAA4B,EAAE;YACtD,KAAK,EAAE,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC;SACxD,CAAC,CAAC;QACH,OAAO,CAAC,OAAO,CAAC,mBAAmB,CAAC,CAAC;QACrC,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,WAAW,CAAC,CAAC,CAAC,OAAO,CAAC,YAAY,EAAE,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC;IAClG,CAAC;IAED,8EAA8E;IAC9E,qDAAqD;IACrD,8EAA8E;IAC9E,IAAI,YAAY,CAAC,MAAM,GAAG,MAAM,CAAC,MAAM,CAAC,iBAAiB,EAAE,CAAC;QAC1D,OAAO,CAAC,IAAI,CAAC,sBAAsB,EAAE,4BAA4B,EAAE;YACjE,IAAI,EAAE,YAAY,CAAC,MAAM;YACzB,KAAK,EAAE,MAAM,CAAC,MAAM,CAAC,iBAAiB;SACvC,CAAC,CAAC;QACH,OAAO,CAAC,OAAO,CAAC,mBAAmB,CAAC,CAAC;QACrC,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,WAAW,CAAC,CAAC,CAAC,OAAO,CAAC,YAAY,EAAE,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC;IAClG,CAAC;IACD,OAAO,CAAC,IAAI,CAAC,sBAAsB,EAAE,EAAE,IAAI,EAAE,YAAY,CAAC,MAAM,EAAE,CAAC,CAAC;IAEpE,8EAA8E;IAC9E,4DAA4D;IAC5D,8EAA8E;IAC9E,IAAI,MAAM,CAAC,GAAG,KAAK,OAAO,EAAE,CAAC;QAC3B,OAAO,CAAC,IAAI,CAAC,sBAAsB,EAAE,4BAA4B,EAAE;YACjE,YAAY,EAAE,OAAO;YACrB,UAAU,EAAE,MAAM,CAAC,GAAG;SACvB,CAAC,CAAC;QACH,OAAO,CAAC,OAAO,CAAC,mBAAmB,CAAC,CAAC;QACrC,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,WAAW,CAAC,CAAC,CAAC,OAAO,CAAC,YAAY,EAAE,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC;IAClG,CAAC;IACD,IAAI,MAAM,CAAC,GAAG,KAAK,kBAAS,EAAE,CAAC;QAC7B,OAAO,CAAC,IAAI,CAAC,sBAAsB,EAAE,4BAA4B,EAAE;YACjE,YAAY,EAAE,kBAAS;YACvB,UAAU,EAAE,MAAM,CAAC,GAAG;SACvB,CAAC,CAAC;QACH,OAAO,CAAC,OAAO,CAAC,mBAAmB,CAAC,CAAC;QACrC,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,WAAW,CAAC,CAAC,CAAC,OAAO,CAAC,YAAY,EAAE,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC;IAClG,CAAC;IACD,IAAI,CAAC,MAAM,CAAC,GAAG,EAAE,CAAC;QAChB,OAAO,CAAC,IAAI,CAAC,sBAAsB,EAAE,4BAA4B,EAAE;YACjE,KAAK,EAAE,iCAAiC;SACzC,CAAC,CAAC;QACH,OAAO,CAAC,OAAO,CAAC,mBAAmB,CAAC,CAAC;QACrC,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,WAAW,CAAC,CAAC,CAAC,OAAO,CAAC,YAAY,EAAE,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC;IAClG,CAAC;IACD,GAAG,GAAG,MAAM,CAAC,GAAG,CAAC;IACjB,OAAO,CAAC,IAAI,CAAC,sBAAsB,EAAE,EAAE,GAAG,EAAE,MAAM,CAAC,GAAG,EAAE,GAAG,EAAE,MAAM,CAAC,GAAG,EAAE,GAAG,EAAE,MAAM,CAAC,GAAG,EAAE,CAAC,CAAC;IAE5F,8EAA8E;IAC9E,iEAAiE;IACjE,8EAA8E;IAC9E,IAAI,CAAC;QACH,sBAAa,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;QAC7B,MAAM,GAAG,OAAO,CAAC,GAAG,CAAC;QACrB,OAAO,CAAC,IAAI,CAAC,0BAA0B,CAAC,CAAC;IAC3C,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,OAAO,CAAC,IAAI,CAAC,0BAA0B,EAAE,yBAAyB,EAAE;YAClE,KAAK,EAAE,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC;SACxD,CAAC,CAAC;QACH,OAAO,CAAC,OAAO,CAAC,gBAAgB,CAAC,CAAC;QAClC,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,WAAW,CAAC,CAAC,CAAC,OAAO,CAAC,YAAY,EAAE,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC;IAClG,CAAC;IAED,8EAA8E;IAC9E,6DAA6D;IAC7D,8EAA8E;IAC9E,MAAM,gBAAgB,GAAG,eAAe,CAAC,MAAO,CAAC,CAAC;IAElD,IAAI,CAAC,eAAe,CAAC,MAAO,EAAE,MAAM,CAAC,gBAAgB,CAAC,EAAE,CAAC;QACvD,OAAO,CAAC,IAAI,CAAC,qBAAqB,EAAE,6BAA6B,EAAE;YACjE,MAAM,EAAE,gBAAgB;YACxB,SAAS,EAAE,MAAM,CAAC,gBAAgB;SACnC,CAAC,CAAC;QACH,OAAO,CAAC,OAAO,CAAC,oBAAoB,EAAE,gBAAgB,EAAE,GAAG,CAAC,CAAC;QAC7D,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,WAAW,CAAC,CAAC,CAAC,OAAO,CAAC,YAAY,EAAE,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC;IAClG,CAAC;IACD,OAAO,CAAC,IAAI,CAAC,qBAAqB,EAAE,EAAE,MAAM,EAAE,gBAAgB,EAAE,CAAC,CAAC;IAElE,8EAA8E;IAC9E,2DAA2D;IAC3D,oDAAoD;IACpD,8EAA8E;IAC9E,IAAI,SAAqB,CAAC;IAC1B,IAAI,SAA2C,CAAC;IAChD,IAAI,aAAiC,CAAC;IACtC,IAAI,YAAoC,CAAC;IAEzC,6BAA6B;IAC7B,MAAM,SAAS,GAAG,aAAa,CAAC,MAAO,EAAE,GAAI,EAAE,MAAM,CAAC,WAAW,CAAC,CAAC;IAEnE,IAAI,SAAS,EAAE,CAAC;QACd,kCAAkC;QAClC,OAAO,CAAC,IAAI,CAAC,kBAAkB,EAAE,EAAE,MAAM,EAAE,sBAAsB,EAAE,CAAC,CAAC;QAErE,gEAAgE;QAChE,IAAI,SAAS,CAAC,GAAG,EAAE,CAAC;YAClB,yDAAyD;YACzD,MAAM,gBAAgB,GAAG,MAAM,IAAA,6BAAoB,EAAC,SAAS,CAAC,GAAG,CAAC,CAAC;YACnE,IAAI,gBAAgB,KAAK,SAAS,CAAC,qBAAqB,EAAE,CAAC;gBACzD,OAAO,CAAC,IAAI,CAAC,aAAa,EAAE,2BAA2B,EAAE;oBACvD,KAAK,EAAE,0DAA0D;oBACjE,QAAQ,EAAE,SAAS,CAAC,qBAAqB;oBACzC,MAAM,EAAE,gBAAgB;iBACzB,CAAC,CAAC;gBACH,OAAO,CAAC,OAAO,CAAC,kBAAkB,EAAE,gBAAgB,EAAE,GAAG,CAAC,CAAC;gBAC3D,OAAO;oBACL,KAAK,EAAE,KAAK;oBACZ,MAAM,EAAE,WAAW,CAAC,CAAC,CAAC,OAAO,CAAC,YAAY,EAAE,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE;iBACvE,CAAC;YACJ,CAAC;YACD,SAAS,GAAG,IAAA,4BAAmB,EAAC,SAAS,CAAC,GAAG,CAAC,CAAC;YAC/C,SAAS,GAAG,aAAa,CAAC;YAC1B,aAAa,GAAG,gBAAgB,CAAC;YACjC,OAAO,CAAC,IAAI,CAAC,aAAa,EAAE;gBAC1B,MAAM,EAAE,SAAS;gBACjB,GAAG;gBACH,mBAAmB,EAAE,IAAI;gBACzB,OAAO,EAAE,IAAI;aACd,CAAC,CAAC;QACL,CAAC;aAAM,IAAI,SAAS,CAAC,UAAU,EAAE,CAAC;YAChC,kEAAkE;YAClE,IAAI,CAAC;gBACH,SAAS,GAAG,IAAA,wBAAe,EAAC,SAAS,CAAC,UAAU,CAAC,CAAC;gBAClD,IAAI,SAAS,CAAC,MAAM,KAAK,EAAE,EAAE,CAAC;oBAC5B,MAAM,IAAI,KAAK,CAAC,0BAA0B,SAAS,CAAC,MAAM,EAAE,CAAC,CAAC;gBAChE,CAAC;gBACD,SAAS,GAAG,aAAa,CAAC;gBAC1B,6DAA6D;gBAC7D,qDAAqD;gBACrD,wDAAwD;gBACxD,aAAa,GAAG,SAAS,CAAC,qBAAqB,CAAC;gBAChD,OAAO,CAAC,IAAI,CAAC,aAAa,EAAE;oBAC1B,MAAM,EAAE,SAAS;oBACjB,GAAG;oBACH,OAAO,EAAE,IAAI;oBACb,mBAAmB,EAAE,KAAK;iBAC3B,CAAC,CAAC;YACL,CAAC;YAAC,OAAO,GAAG,EAAE,CAAC;gBACb,OAAO,CAAC,IAAI,CAAC,aAAa,EAAE,wBAAwB,EAAE;oBACpD,KAAK,EAAE,8BAA8B,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE;iBACxF,CAAC,CAAC;gBACH,OAAO,CAAC,OAAO,CAAC,eAAe,EAAE,gBAAgB,EAAE,GAAG,CAAC,CAAC;gBACxD,OAAO;oBACL,KAAK,EAAE,KAAK;oBACZ,MAAM,EAAE,WAAW,CAAC,CAAC,CAAC,OAAO,CAAC,YAAY,EAAE,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE;iBACvE,CAAC;YACJ,CAAC;QACH,CAAC;aAAM,IAAI,MAAM,CAAC,IAAI,KAAK,cAAc,EAAE,CAAC;YAC1C,yDAAyD;YACzD,OAAO,CAAC,IAAI,CAAC,aAAa,EAAE,wBAAwB,EAAE;gBACpD,KAAK,EAAE,uEAAuE;aAC/E,CAAC,CAAC;YACH,OAAO,CAAC,OAAO,CAAC,eAAe,EAAE,gBAAgB,EAAE,GAAG,CAAC,CAAC;YACxD,OAAO;gBACL,KAAK,EAAE,KAAK;gBACZ,MAAM,EAAE,WAAW,CAAC,CAAC,CAAC,OAAO,CAAC,YAAY,EAAE,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE;aACvE,CAAC;QACJ,CAAC;aAAM,CAAC;YACN,kDAAkD;YAClD,MAAM,UAAU,GAAG,MAAM,eAAe,CAAC,gBAAgB,CAAC,CAAC;YAE3D,IAAI,OAAO,IAAI,UAAU,EAAE,CAAC;gBAC1B,MAAM,MAAM,GAAG,IAAA,yCAAqB,EAAC,UAAU,CAAC,KAAK,CAAC,MAAM,EAAE,KAAK,CAAC,CAAC;gBACrE,OAAO,CAAC,IAAI,CAAC,kBAAkB,EAAE,IAAA,yCAAqB,EAAC,MAAM,CAAC,EAAE;oBAC9D,KAAK,EAAE,UAAU,CAAC,KAAK,CAAC,OAAO;oBAC/B,GAAG,EAAE,UAAU,CAAC,KAAK,CAAC,UAAU;iBACjC,CAAC,CAAC;gBACH,OAAO,CAAC,OAAO,CAAC,MAAM,EAAE,gBAAgB,EAAE,GAAG,CAAC,CAAC;gBAC/C,OAAO;oBACL,KAAK,EAAE,KAAK;oBACZ,MAAM,EAAE,WAAW,CAAC,CAAC,CAAC,OAAO,CAAC,YAAY,EAAE,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE;iBACvE,CAAC;YACJ,CAAC;YAED,oEAAoE;YACpE,IAAI,UAAU,CAAC,QAAQ,EAAE,CAAC;gBACxB,YAAY,GAAG,UAAU,CAAC,QAAQ,CAAC;YACrC,CAAC;YAED,OAAO,CAAC,IAAI,CAAC,kBAAkB,EAAE;gBAC/B,UAAU,EAAE,UAAU,CAAC,SAAS;gBAChC,UAAU,EAAE,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,MAAM;aACxC,CAAC,CAAC;YAEH,eAAe;YACf,MAAM,GAAG,GAAG,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,GAAG,KAAK,GAAG,CAAC,CAAC;YAC5D,IAAI,CAAC,GAAG,EAAE,CAAC;gBACT,OAAO,CAAC,IAAI,CAAC,aAAa,EAAE,wBAAwB,EAAE;oBACpD,GAAG;oBACH,cAAc,EAAE,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,GAAG,CAAC;iBACvD,CAAC,CAAC;gBACH,OAAO,CAAC,OAAO,CAAC,eAAe,EAAE,gBAAgB,EAAE,GAAG,CAAC,CAAC;gBACxD,OAAO;oBACL,KAAK,EAAE,KAAK;oBACZ,MAAM,EAAE,WAAW,CAAC,CAAC,CAAC,OAAO,CAAC,YAAY,EAAE,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE;iBACvE,CAAC;YACJ,CAAC;YAED,4BAA4B;YAC5B,MAAM,gBAAgB,GAAG,MAAM,IAAA,6BAAoB,EAAC,GAAG,CAAC,CAAC;YACzD,IAAI,gBAAgB,KAAK,SAAS,CAAC,qBAAqB,EAAE,CAAC;gBACzD,OAAO,CAAC,IAAI,CAAC,aAAa,EAAE,2BAA2B,EAAE;oBACvD,KAAK,EAAE,0CAA0C;oBACjD,QAAQ,EAAE,SAAS,CAAC,qBAAqB;oBACzC,MAAM,EAAE,gBAAgB;iBACzB,CAAC,CAAC;gBACH,OAAO,CAAC,OAAO,CAAC,kBAAkB,EAAE,gBAAgB,EAAE,GAAG,CAAC,CAAC;gBAC3D,OAAO;oBACL,KAAK,EAAE,KAAK;oBACZ,MAAM,EAAE,WAAW,CAAC,CAAC,CAAC,OAAO,CAAC,YAAY,EAAE,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE;iBACvE,CAAC;YACJ,CAAC;YAED,SAAS,GAAG,IAAA,4BAAmB,EAAC,GAAG,CAAC,CAAC;YACrC,SAAS,GAAG,aAAa,CAAC;YAC1B,aAAa,GAAG,gBAAgB,CAAC;YACjC,OAAO,CAAC,IAAI,CAAC,aAAa,EAAE,EAAE,MAAM,EAAE,SAAS,EAAE,GAAG,EAAE,mBAAmB,EAAE,IAAI,EAAE,CAAC,CAAC;QACrF,CAAC;IACH,CAAC;SAAM,CAAC;QACN,mCAAmC;QACnC,IAAI,MAAM,CAAC,IAAI,KAAK,cAAc,EAAE,CAAC;YACnC,OAAO,CAAC,IAAI,CAAC,kBAAkB,EAAE,wBAAwB,EAAE;gBACzD,KAAK,EAAE,mCAAmC;aAC3C,CAAC,CAAC;YACH,OAAO,CAAC,OAAO,CAAC,eAAe,EAAE,gBAAgB,EAAE,GAAG,CAAC,CAAC;YACxD,OAAO;gBACL,KAAK,EAAE,KAAK;gBACZ,MAAM,EAAE,WAAW,CAAC,CAAC,CAAC,OAAO,CAAC,YAAY,EAAE,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE;aACvE,CAAC;QACJ,CAAC;QAED,MAAM,UAAU,GAAG,MAAM,eAAe,CAAC,gBAAgB,CAAC,CAAC;QAE3D,IAAI,OAAO,IAAI,UAAU,EAAE,CAAC;YAC1B,MAAM,MAAM,GAAG,IAAA,yCAAqB,EAAC,UAAU,CAAC,KAAK,CAAC,MAAM,EAAE,KAAK,CAAC,CAAC;YACrE,OAAO,CAAC,IAAI,CAAC,kBAAkB,EAAE,IAAA,yCAAqB,EAAC,MAAM,CAAC,EAAE;gBAC9D,KAAK,EAAE,UAAU,CAAC,KAAK,CAAC,OAAO;gBAC/B,GAAG,EAAE,UAAU,CAAC,KAAK,CAAC,UAAU;aACjC,CAAC,CAAC;YACH,OAAO,CAAC,OAAO,CAAC,MAAM,EAAE,gBAAgB,EAAE,GAAG,CAAC,CAAC;YAC/C,OAAO;gBACL,KAAK,EAAE,KAAK;gBACZ,MAAM,EAAE,WAAW,CAAC,CAAC,CAAC,OAAO,CAAC,YAAY,EAAE,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE;aACvE,CAAC;QACJ,CAAC;QAED,oEAAoE;QACpE,IAAI,UAAU,CAAC,QAAQ,EAAE,CAAC;YACxB,YAAY,GAAG,UAAU,CAAC,QAAQ,CAAC;QACrC,CAAC;QAED,OAAO,CAAC,IAAI,CAAC,kBAAkB,EAAE;YAC/B,UAAU,EAAE,UAAU,CAAC,SAAS;YAChC,UAAU,EAAE,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,MAAM;SACxC,CAAC,CAAC;QAEH,eAAe;QACf,MAAM,GAAG,GAAG,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,GAAG,KAAK,GAAG,CAAC,CAAC;QAC5D,IAAI,CAAC,GAAG,EAAE,CAAC;YACT,OAAO,CAAC,IAAI,CAAC,aAAa,EAAE,wBAAwB,EAAE;gBACpD,GAAG;gBACH,cAAc,EAAE,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,GAAG,CAAC;aACvD,CAAC,CAAC;YACH,OAAO,CAAC,OAAO,CAAC,eAAe,EAAE,gBAAgB,EAAE,GAAG,CAAC,CAAC;YACxD,OAAO;gBACL,KAAK,EAAE,KAAK;gBACZ,MAAM,EAAE,WAAW,CAAC,CAAC,CAAC,OAAO,CAAC,YAAY,EAAE,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE;aACvE,CAAC;QACJ,CAAC;QAED,SAAS,GAAG,IAAA,4BAAmB,EAAC,GAAG,CAAC,CAAC;QACrC,SAAS,GAAG,gBAAgB,CAAC;QAC7B,aAAa,GAAG,MAAM,IAAA,6BAAoB,EAAC,GAAG,CAAC,CAAC;QAChD,OAAO,CAAC,IAAI,CAAC,aAAa,EAAE,EAAE,MAAM,EAAE,SAAS,EAAE,GAAG,EAAE,UAAU,EAAE,aAAa,EAAE,CAAC,CAAC;IACrF,CAAC;IAED,8EAA8E;IAC9E,4CAA4C;IAC5C,8EAA8E;IAC9E,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,MAAM,IAAA,eAAS,EAAoB,UAAU,EAAE,SAAS,CAAC,CAAC;QAEzE,IAAI,CAAC,MAAM,CAAC,KAAK,EAAE,CAAC;YAClB,OAAO,CAAC,IAAI,CAAC,eAAe,EAAE,4BAA4B,EAAE;gBAC1D,KAAK,EAAE,uCAAuC;aAC/C,CAAC,CAAC;YACH,OAAO,CAAC,OAAO,CAAC,mBAAmB,EAAE,gBAAgB,EAAE,GAAG,CAAC,CAAC;YAC5D,OAAO;gBACL,KAAK,EAAE,KAAK;gBACZ,MAAM,EAAE,WAAW,CAAC,CAAC,CAAC,OAAO,CAAC,YAAY,EAAE,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE;aACvE,CAAC;QACJ,CAAC;QAED,YAAY,GAAG,MAAM,CAAC,OAAO,CAAC;QAC9B,OAAO,CAAC,IAAI,CAAC,eAAe,CAAC,CAAC;IAChC,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,OAAO,CAAC,IAAI,CAAC,eAAe,EAAE,4BAA4B,EAAE;YAC1D,KAAK,EAAE,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC;SACxD,CAAC,CAAC;QACH,OAAO,CAAC,OAAO,CAAC,mBAAmB,EAAE,gBAAgB,EAAE,GAAG,CAAC,CAAC;QAC5D,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,WAAW,CAAC,CAAC,CAAC,OAAO,CAAC,YAAY,EAAE,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC;IAClG,CAAC;IAED,8EAA8E;IAC9E,8CAA8C;IAC9C,8EAA8E;IAC9E,MAAM,YAAY,GAAG,EAAE,CAAC,CAAC,sCAAsC;IAE/D,oDAAoD;IACpD,IAAI,YAAa,CAAC,GAAG,GAAG,UAAU,GAAG,YAAY,EAAE,CAAC;QAClD,OAAO,CAAC,IAAI,CAAC,oBAAoB,EAAE,wBAAwB,EAAE;YAC3D,KAAK,EAAE,8BAA8B;YACrC,GAAG,EAAE,YAAa,CAAC,GAAG;YACtB,GAAG,EAAE,UAAU;YACf,SAAS,EAAE,YAAY;SACxB,CAAC,CAAC;QACH,OAAO,CAAC,OAAO,CAAC,eAAe,EAAE,gBAAgB,EAAE,GAAG,CAAC,CAAC;QACxD,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,WAAW,CAAC,CAAC,CAAC,OAAO,CAAC,YAAY,EAAE,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC;IAClG,CAAC;IAED,wCAAwC;IACxC,IAAI,YAAa,CAAC,GAAG,EAAE,CAAC;QACtB,IAAI,YAAa,CAAC,GAAG,GAAG,UAAU,EAAE,CAAC;YACnC,OAAO,CAAC,IAAI,CAAC,oBAAoB,EAAE,kBAAkB,EAAE;gBACrD,KAAK,EAAE,iBAAiB;gBACxB,GAAG,EAAE,YAAa,CAAC,GAAG;gBACtB,GAAG,EAAE,UAAU;aAChB,CAAC,CAAC;YACH,OAAO,CAAC,OAAO,CAAC,SAAS,EAAE,gBAAgB,EAAE,GAAG,CAAC,CAAC;YAClD,OAAO;gBACL,KAAK,EAAE,KAAK;gBACZ,MAAM,EAAE,WAAW,CAAC,CAAC,CAAC,OAAO,CAAC,YAAY,EAAE,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE;aACvE,CAAC;QACJ,CAAC;IACH,CAAC;IAED,OAAO,CAAC,IAAI,CAAC,oBAAoB,EAAE;QACjC,GAAG,EAAE,YAAa,CAAC,GAAG;QACtB,GAAG,EAAE,YAAa,CAAC,GAAG;QACtB,GAAG,EAAE,UAAU;KAChB,CAAC,CAAC;IAEH,8EAA8E;IAC9E,sDAAsD;IACtD,8EAA8E;IAC9E,+CAA+C;IAC/C,IAAI,YAAa,CAAC,GAAG,EAAE,CAAC;QACtB,KAAK,MAAM,CAAC,MAAM,EAAE,QAAQ,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,YAAa,CAAC,GAAG,CAAC,EAAE,CAAC;YACnE,IAAI,QAAQ,KAAK,SAAS,EAAE,CAAC;gBAC3B,MAAM,OAAO,GAAG,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,CAAC;gBACzC,IAAI,OAAO,CAAC,MAAM,GAAG,MAAM,CAAC,MAAM,CAAC,mBAAmB,EAAE,CAAC;oBACvD,OAAO,CAAC,IAAI,CAAC,mBAAmB,EAAE,8BAA8B,EAAE;wBAChE,SAAS,EAAE,MAAM;wBACjB,IAAI,EAAE,OAAO,CAAC,MAAM;wBACpB,KAAK,EAAE,MAAM,CAAC,MAAM,CAAC,mBAAmB;qBACzC,CAAC,CAAC;oBACH,OAAO,CAAC,OAAO,CAAC,qBAAqB,EAAE,gBAAgB,EAAE,GAAG,CAAC,CAAC;oBAC9D,OAAO;wBACL,KAAK,EAAE,KAAK;wBACZ,MAAM,EAAE,WAAW,CAAC,CAAC,CAAC,OAAO,CAAC,YAAY,EAAE,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE;qBACvE,CAAC;gBACJ,CAAC;YACH,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO,CAAC,IAAI,CAAC,mBAAmB,CAAC,CAAC;IAElC,8EAA8E;IAC9E,WAAW;IACX,8EAA8E;IAC9E,OAAO,CAAC,OAAO,CAAC,gBAAgB,EAAE,GAAI,CAAC,CAAC;IAExC,kDAAkD;IAClD,6CAA6C;IAC7C,MAAM,iBAAiB,GAAG,SAAS,KAAK,aAAa,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,YAAY,CAAC;IAChF,OAAO,CAAC,WAAW,CAAC,mBAAmB,EAAE,iBAAiB,CAAC,CAAC;IAE5D,IAAI,aAAa,EAAE,CAAC;QAClB,OAAO,CAAC,WAAW,CAAC,uBAAuB,EAAE,aAAa,CAAC,CAAC;IAC9D,CAAC;IAED,gDAAgD;IAChD,8DAA8D;IAC9D,IAAI,YAAY,EAAE,CAAC;QACjB,MAAM,aAAa,GAAG,MAAM,IAAA,kBAAS,EAAC,YAAY,CAAC,CAAC;QACpD,OAAO,CAAC,WAAW,CAAC,oBAAoB,EAAE,IAAA,gCAAY,EAAC,aAAa,CAAC,CAAC,CAAC;IACzE,CAAC;IAED,MAAM,MAAM,GAAG,WAAW,CAAC,CAAC,CAAC,OAAO,CAAC,YAAY,EAAE,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,CAAC;IAE9E,OAAO;QACL,KAAK,EAAE,IAAI;QACX,MAAM;QACN,MAAM,EAAE,YAAY;KACrB,CAAC;AACJ,CAAC;AAED;;GAEG;AACH,SAAgB,cAAc;IAC5B,SAAS,CAAC,KAAK,EAAE,CAAC;AACpB,CAAC;AAED;;GAEG;AACH,SAAgB,gBAAgB;IAC9B,OAAO,SAAS,CAAC,IAAI,CAAC;AACxB,CAAC"}