@peac/protocol 0.10.9 → 0.10.11

package/dist/verifier-types.js

@@ -1,161 +0,0 @@
-"use strict";
-/**
- * PEAC Verifier Types
- *
- * Types for verification policy, trust pinning, and verification reports
- * per VERIFIER-SECURITY-MODEL.md, TRUST-PINNING-POLICY.md, and
- * VERIFICATION-REPORT-FORMAT.md
- *
- * @packageDocumentation
- */
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.NON_DETERMINISTIC_ARTIFACT_KEYS = exports.CHECK_IDS = exports.DEFAULT_NETWORK_SECURITY = exports.DEFAULT_VERIFIER_LIMITS = void 0;
-exports.createDefaultPolicy = createDefaultPolicy;
-exports.createDigest = createDigest;
-exports.createEmptyReport = createEmptyReport;
-exports.ssrfErrorToReasonCode = ssrfErrorToReasonCode;
-exports.reasonCodeToSeverity = reasonCodeToSeverity;
-exports.reasonCodeToErrorCode = reasonCodeToErrorCode;
-const kernel_1 = require("@peac/kernel");
-/**
- * Default verifier limits from VERIFIER-SECURITY-MODEL.md
- */
-exports.DEFAULT_VERIFIER_LIMITS = {
-    max_receipt_bytes: kernel_1.VERIFIER_LIMITS.maxReceiptBytes,
-    max_jwks_bytes: kernel_1.VERIFIER_LIMITS.maxJwksBytes,
-    max_jwks_keys: kernel_1.VERIFIER_LIMITS.maxJwksKeys,
-    max_redirects: kernel_1.VERIFIER_LIMITS.maxRedirects,
-    fetch_timeout_ms: kernel_1.VERIFIER_LIMITS.fetchTimeoutMs,
-    max_extension_bytes: kernel_1.VERIFIER_LIMITS.maxExtensionBytes,
-};
-/**
- * Default network security settings from VERIFIER-SECURITY-MODEL.md
- */
-exports.DEFAULT_NETWORK_SECURITY = {
-    https_only: kernel_1.VERIFIER_NETWORK.httpsOnly,
-    block_private_ips: kernel_1.VERIFIER_NETWORK.blockPrivateIps,
-    allow_redirects: kernel_1.VERIFIER_NETWORK.allowRedirects,
-    allow_cross_origin_redirects: true, // Allow for CDN compatibility
-    dns_failure_behavior: 'block', // Fail-closed by default
-};
-/**
- * Create a default verifier policy
- */
-function createDefaultPolicy(mode) {
-    return {
-        policy_version: kernel_1.VERIFIER_POLICY_VERSION,
-        mode,
-        limits: { ...exports.DEFAULT_VERIFIER_LIMITS },
-        network: { ...exports.DEFAULT_NETWORK_SECURITY },
-    };
-}
-/**
- * Standard check IDs per VERIFIER-SECURITY-MODEL.md (in order)
- */
-exports.CHECK_IDS = [
-    'jws.parse',
-    'limits.receipt_bytes',
-    'jws.protected_header',
-    'claims.schema_unverified',
-    'issuer.trust_policy',
-    'issuer.discovery',
-    'key.resolve',
-    'jws.signature',
-    'claims.time_window',
-    'extensions.limits',
-    'transport.profile_binding',
-];
-/**
- * Keys of artifacts that are non-deterministic (depend on runtime state)
- */
-exports.NON_DETERMINISTIC_ARTIFACT_KEYS = [
-    'issuer_jwks_digest',
-];
-// ---------------------------------------------------------------------------
-// Report Builder Utilities
-// ---------------------------------------------------------------------------
-/**
- * Create a digest object from a hex string
- */
-function createDigest(hexValue) {
-    return {
-        alg: 'sha-256',
-        value: hexValue.toLowerCase(),
-    };
-}
-/**
- * Create an empty verification report structure
- */
-function createEmptyReport(policy) {
-    return {
-        report_version: kernel_1.VERIFICATION_REPORT_VERSION,
-        policy,
-    };
-}
-/**
- * Map SSRF fetch error reason to verification reason code
- */
-function ssrfErrorToReasonCode(ssrfReason, fetchType) {
-    const prefix = fetchType === 'key' ? 'key_fetch' : 'pointer_fetch';
-    switch (ssrfReason) {
-        case 'not_https':
-        case 'private_ip':
-        case 'loopback':
-        case 'link_local':
-        case 'cross_origin_redirect':
-        case 'dns_failure':
-            return `${prefix}_blocked`;
-        case 'timeout':
-            return `${prefix}_timeout`;
-        case 'response_too_large':
-            return fetchType === 'pointer' ? 'pointer_fetch_too_large' : 'jwks_too_large';
-        case 'jwks_too_many_keys':
-            return 'jwks_too_many_keys';
-        case 'too_many_redirects':
-        case 'scheme_downgrade':
-        case 'network_error':
-        case 'invalid_url':
-        default:
-            return `${prefix}_failed`;
-    }
-}
-/**
- * Map reason code to severity
- */
-function reasonCodeToSeverity(reason) {
-    if (reason === 'ok')
-        return 'info';
-    return 'error';
-}
-/**
- * Map reason code to error code
- */
-function reasonCodeToErrorCode(reason) {
-    const mapping = {
-        ok: '',
-        receipt_too_large: 'E_VERIFY_RECEIPT_TOO_LARGE',
-        malformed_receipt: 'E_VERIFY_MALFORMED_RECEIPT',
-        signature_invalid: 'E_VERIFY_SIGNATURE_INVALID',
-        issuer_not_allowed: 'E_VERIFY_ISSUER_NOT_ALLOWED',
-        key_not_found: 'E_VERIFY_KEY_NOT_FOUND',
-        key_fetch_blocked: 'E_VERIFY_KEY_FETCH_BLOCKED',
-        key_fetch_failed: 'E_VERIFY_KEY_FETCH_FAILED',
-        key_fetch_timeout: 'E_VERIFY_KEY_FETCH_TIMEOUT',
-        pointer_fetch_blocked: 'E_VERIFY_POINTER_FETCH_BLOCKED',
-        pointer_fetch_failed: 'E_VERIFY_POINTER_FETCH_FAILED',
-        pointer_fetch_timeout: 'E_VERIFY_POINTER_FETCH_TIMEOUT',
-        pointer_fetch_too_large: 'E_VERIFY_POINTER_FETCH_TOO_LARGE',
-        pointer_digest_mismatch: 'E_VERIFY_POINTER_DIGEST_MISMATCH',
-        jwks_too_large: 'E_VERIFY_JWKS_TOO_LARGE',
-        jwks_too_many_keys: 'E_VERIFY_JWKS_TOO_MANY_KEYS',
-        expired: 'E_VERIFY_EXPIRED',
-        not_yet_valid: 'E_VERIFY_NOT_YET_VALID',
-        audience_mismatch: 'E_VERIFY_AUDIENCE_MISMATCH',
-        schema_invalid: 'E_VERIFY_SCHEMA_INVALID',
-        policy_violation: 'E_VERIFY_POLICY_VIOLATION',
-        extension_too_large: 'E_VERIFY_EXTENSION_TOO_LARGE',
-        invalid_transport: 'E_VERIFY_INVALID_TRANSPORT',
-    };
-    return mapping[reason] || 'E_VERIFY_POLICY_VIOLATION';
-}
-//# sourceMappingURL=verifier-types.js.map

package/dist/verifier-types.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"verifier-types.js","sourceRoot":"","sources":["../src/verifier-types.ts"],"names":[],"mappings":";AAAA;;;;;;;;GAQG;;;AAsKH,kDAOC;AA4QD,oCAKC;AAKD,8CAOC;AAKD,sDA2BC;AAKD,oDAGC;AAKD,sDA2BC;AAhhBD,yCAKsB;AAgFtB;;GAEG;AACU,QAAA,uBAAuB,GAAmB;IACrD,iBAAiB,EAAE,wBAAe,CAAC,eAAe;IAClD,cAAc,EAAE,wBAAe,CAAC,YAAY;IAC5C,aAAa,EAAE,wBAAe,CAAC,WAAW;IAC1C,aAAa,EAAE,wBAAe,CAAC,YAAY;IAC3C,gBAAgB,EAAE,wBAAe,CAAC,cAAc;IAChD,mBAAmB,EAAE,wBAAe,CAAC,iBAAiB;CACvD,CAAC;AA8BF;;GAEG;AACU,QAAA,wBAAwB,GAAoB;IACvD,UAAU,EAAE,yBAAgB,CAAC,SAAS;IACtC,iBAAiB,EAAE,yBAAgB,CAAC,eAAe;IACnD,eAAe,EAAE,yBAAgB,CAAC,cAAc;IAChD,4BAA4B,EAAE,IAAI,EAAE,8BAA8B;IAClE,oBAAoB,EAAE,OAAO,EAAE,yBAAyB;CACzD,CAAC;AA2BF;;GAEG;AACH,SAAgB,mBAAmB,CAAC,IAAsB;IACxD,OAAO;QACL,cAAc,EAAE,gCAAuB;QACvC,IAAI;QACJ,MAAM,EAAE,EAAE,GAAG,+BAAuB,EAAE;QACtC,OAAO,EAAE,EAAE,GAAG,gCAAwB,EAAE;KACzC,CAAC;AACJ,CAAC;AAWD;;GAEG;AACU,QAAA,SAAS,GAAG;IACvB,WAAW;IACX,sBAAsB;IACtB,sBAAsB;IACtB,0BAA0B;IAC1B,qBAAqB;IACrB,kBAAkB;IAClB,aAAa;IACb,eAAe;IACf,oBAAoB;IACpB,mBAAmB;IACnB,2BAA2B;CACnB,CAAC;AA8KX;;GAEG;AACU,QAAA,+BAA+B,GAAoC;IAC9E,oBAAoB;CACrB,CAAC;AAwDF,8EAA8E;AAC9E,2BAA2B;AAC3B,8EAA8E;AAE9E;;GAEG;AACH,SAAgB,YAAY,CAAC,QAAgB;IAC3C,OAAO;QACL,GAAG,EAAE,SAAS;QACd,KAAK,EAAE,QAAQ,CAAC,WAAW,EAAE;KAC9B,CAAC;AACJ,CAAC;AAED;;GAEG;AACH,SAAgB,iBAAiB,CAC/B,MAAsB;IAEtB,OAAO;QACL,cAAc,EAAE,oCAA2B;QAC3C,MAAM;KACP,CAAC;AACJ,CAAC;AAED;;GAEG;AACH,SAAgB,qBAAqB,CACnC,UAAkB,EAClB,SAA4B;IAE5B,MAAM,MAAM,GAAG,SAAS,KAAK,KAAK,CAAC,CAAC,CAAC,WAAW,CAAC,CAAC,CAAC,eAAe,CAAC;IAEnE,QAAQ,UAAU,EAAE,CAAC;QACnB,KAAK,WAAW,CAAC;QACjB,KAAK,YAAY,CAAC;QAClB,KAAK,UAAU,CAAC;QAChB,KAAK,YAAY,CAAC;QAClB,KAAK,uBAAuB,CAAC;QAC7B,KAAK,aAAa;YAChB,OAAO,GAAG,MAAM,UAAwB,CAAC;QAC3C,KAAK,SAAS;YACZ,OAAO,GAAG,MAAM,UAAwB,CAAC;QAC3C,KAAK,oBAAoB;YACvB,OAAO,SAAS,KAAK,SAAS,CAAC,CAAC,CAAC,yBAAyB,CAAC,CAAC,CAAC,gBAAgB,CAAC;QAChF,KAAK,oBAAoB;YACvB,OAAO,oBAAoB,CAAC;QAC9B,KAAK,oBAAoB,CAAC;QAC1B,KAAK,kBAAkB,CAAC;QACxB,KAAK,eAAe,CAAC;QACrB,KAAK,aAAa,CAAC;QACnB;YACE,OAAO,GAAG,MAAM,SAAuB,CAAC;IAC5C,CAAC;AACH,CAAC;AAED;;GAEG;AACH,SAAgB,oBAAoB,CAAC,MAAkB;IACrD,IAAI,MAAM,KAAK,IAAI;QAAE,OAAO,MAAM,CAAC;IACnC,OAAO,OAAO,CAAC;AACjB,CAAC;AAED;;GAEG;AACH,SAAgB,qBAAqB,CAAC,MAAkB;IACtD,MAAM,OAAO,GAA+B;QAC1C,EAAE,EAAE,EAAE;QACN,iBAAiB,EAAE,4BAA4B;QAC/C,iBAAiB,EAAE,4BAA4B;QAC/C,iBAAiB,EAAE,4BAA4B;QAC/C,kBAAkB,EAAE,6BAA6B;QACjD,aAAa,EAAE,wBAAwB;QACvC,iBAAiB,EAAE,4BAA4B;QAC/C,gBAAgB,EAAE,2BAA2B;QAC7C,iBAAiB,EAAE,4BAA4B;QAC/C,qBAAqB,EAAE,gCAAgC;QACvD,oBAAoB,EAAE,+BAA+B;QACrD,qBAAqB,EAAE,gCAAgC;QACvD,uBAAuB,EAAE,kCAAkC;QAC3D,uBAAuB,EAAE,kCAAkC;QAC3D,cAAc,EAAE,yBAAyB;QACzC,kBAAkB,EAAE,6BAA6B;QACjD,OAAO,EAAE,kBAAkB;QAC3B,aAAa,EAAE,wBAAwB;QACvC,iBAAiB,EAAE,4BAA4B;QAC/C,cAAc,EAAE,yBAAyB;QACzC,gBAAgB,EAAE,2BAA2B;QAC7C,mBAAmB,EAAE,8BAA8B;QACnD,iBAAiB,EAAE,4BAA4B;KAChD,CAAC;IACF,OAAO,OAAO,CAAC,MAAM,CAAC,IAAI,2BAA2B,CAAC;AACxD,CAAC"}

package/dist/verify-local.js

@@ -1,230 +0,0 @@
-"use strict";
-/**
- * Local receipt verification with schema validation
- *
- * Use this for verifying receipts when you have the public key locally,
- * without JWKS discovery.
- */
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.verifyLocal = verifyLocal;
-exports.isCommerceResult = isCommerceResult;
-exports.isAttestationResult = isAttestationResult;
-const crypto_1 = require("@peac/crypto");
-const schema_1 = require("@peac/schema");
-/**
- * Structural check for CryptoError
- * More robust than instanceof across module boundaries (ESM/CJS, duplicate packages)
- */
-function isCryptoError(err) {
-    return (err !== null &&
-        typeof err === 'object' &&
-        'name' in err &&
-        err.name === 'CryptoError' &&
-        'code' in err &&
-        typeof err.code === 'string' &&
-        err.code.startsWith('CRYPTO_') &&
-        'message' in err &&
-        typeof err.message === 'string');
-}
-/**
- * Crypto error codes that indicate format/validation issues
- * These are CRYPTO_* internal codes from @peac/crypto, mapped to canonical E_* codes
- */
-const FORMAT_ERROR_CODES = new Set([
-    'CRYPTO_INVALID_JWS_FORMAT',
-    'CRYPTO_INVALID_TYP',
-    'CRYPTO_INVALID_ALG',
-    'CRYPTO_INVALID_KEY_LENGTH',
-]);
-/** Max parse issues to include in details (prevents log bloat) */
-const MAX_PARSE_ISSUES = 25;
-/**
- * Sanitize Zod issues into a bounded, stable structure.
- * Avoids exposing raw Zod internals or unbounded arrays in the public API.
- */
-function sanitizeParseIssues(issues) {
-    if (!Array.isArray(issues))
-        return undefined;
-    return issues.slice(0, MAX_PARSE_ISSUES).map((issue) => ({
-        path: Array.isArray(issue?.path) ? issue.path.join('.') : '',
-        message: typeof issue?.message === 'string' ? issue.message : String(issue),
-    }));
-}
-/**
- * Verify a PEAC receipt locally with a known public key
- *
- * This function:
- * 1. Verifies the Ed25519 signature and header (typ, alg)
- * 2. Validates the receipt schema with Zod
- * 3. Checks issuer/audience/subject binding (if options provided)
- * 4. Checks time validity (exp/iat with clock skew tolerance)
- *
- * Use this when you have the issuer's public key and don't need JWKS discovery.
- * For JWKS-based verification, use `verifyReceipt()` instead.
- *
- * @param jws - JWS compact serialization
- * @param publicKey - Ed25519 public key (32 bytes)
- * @param options - Optional verification options (issuer, audience, subject, clock skew)
- * @returns Typed verification result
- *
- * @example
- * ```typescript
- * const result = await verifyLocal(jws, publicKey, {
- *   issuer: 'https://api.example.com',
- *   audience: 'https://client.example.com',
- *   subjectUri: 'https://api.example.com/inference/v1',
- * });
- * if (result.valid) {
- *   console.log('Issuer:', result.claims.iss);
- *   console.log('Amount:', result.claims.amt, result.claims.cur);
- *   console.log('Key ID:', result.kid);
- * } else {
- *   console.error('Verification failed:', result.code, result.message);
- * }
- * ```
- */
-async function verifyLocal(jws, publicKey, options = {}) {
-    const { issuer, audience, subjectUri, rid, requireExp = false, maxClockSkew = 300 } = options;
-    const now = options.now ?? Math.floor(Date.now() / 1000);
-    try {
-        // 1. Verify signature and header (typ, alg validated by @peac/crypto)
-        const result = await (0, crypto_1.verify)(jws, publicKey);
-        if (!result.valid) {
-            return {
-                valid: false,
-                code: 'E_INVALID_SIGNATURE',
-                message: 'Ed25519 signature verification failed',
-            };
-        }
-        // 2. Validate schema (unified parser supports both commerce and attestation)
-        const pr = (0, schema_1.parseReceiptClaims)(result.payload);
-        if (!pr.ok) {
-            return {
-                valid: false,
-                code: 'E_INVALID_FORMAT',
-                message: `Receipt schema validation failed: ${pr.error.message}`,
-                details: { parse_code: pr.error.code, issues: sanitizeParseIssues(pr.error.issues) },
-            };
-        }
-        // Shared binding checks (iss, aud, rid, iat, exp exist on both receipt types)
-        // 3. Check issuer binding
-        if (issuer !== undefined && pr.claims.iss !== issuer) {
-            return {
-                valid: false,
-                code: 'E_INVALID_ISSUER',
-                message: `Issuer mismatch: expected "${issuer}", got "${pr.claims.iss}"`,
-            };
-        }
-        // 4. Check audience binding
-        if (audience !== undefined && pr.claims.aud !== audience) {
-            return {
-                valid: false,
-                code: 'E_INVALID_AUDIENCE',
-                message: `Audience mismatch: expected "${audience}", got "${pr.claims.aud}"`,
-            };
-        }
-        // 5. Check receipt ID binding
-        if (rid !== undefined && pr.claims.rid !== rid) {
-            return {
-                valid: false,
-                code: 'E_INVALID_RECEIPT_ID',
-                message: `Receipt ID mismatch: expected "${rid}", got "${pr.claims.rid}"`,
-            };
-        }
-        // 6. Check requireExp
-        if (requireExp && pr.claims.exp === undefined) {
-            return {
-                valid: false,
-                code: 'E_MISSING_EXP',
-                message: 'Receipt missing required exp claim',
-            };
-        }
-        // 7. Check not-yet-valid (iat with clock skew)
-        if (pr.claims.iat > now + maxClockSkew) {
-            return {
-                valid: false,
-                code: 'E_NOT_YET_VALID',
-                message: `Receipt not yet valid: issued at ${new Date(pr.claims.iat * 1000).toISOString()}, now is ${new Date(now * 1000).toISOString()}`,
-            };
-        }
-        // 8. Check expiry (with clock skew tolerance)
-        if (pr.claims.exp !== undefined && pr.claims.exp < now - maxClockSkew) {
-            return {
-                valid: false,
-                code: 'E_EXPIRED',
-                message: `Receipt expired at ${new Date(pr.claims.exp * 1000).toISOString()}`,
-            };
-        }
-        // 9. Subject binding + typed return (variant-branched, no unsafe casts)
-        if (pr.variant === 'commerce') {
-            const claims = pr.claims;
-            if (subjectUri !== undefined && claims.subject?.uri !== subjectUri) {
-                return {
-                    valid: false,
-                    code: 'E_INVALID_SUBJECT',
-                    message: `Subject mismatch: expected "${subjectUri}", got "${claims.subject?.uri ?? 'undefined'}"`,
-                };
-            }
-            return { valid: true, variant: 'commerce', claims, kid: result.header.kid };
-        }
-        else {
-            const claims = pr.claims;
-            if (subjectUri !== undefined && claims.sub !== subjectUri) {
-                return {
-                    valid: false,
-                    code: 'E_INVALID_SUBJECT',
-                    message: `Subject mismatch: expected "${subjectUri}", got "${claims.sub ?? 'undefined'}"`,
-                };
-            }
-            return { valid: true, variant: 'attestation', claims, kid: result.header.kid };
-        }
-    }
-    catch (err) {
-        // Handle typed CryptoError from @peac/crypto
-        // Use structural check instead of instanceof for robustness across ESM/CJS boundaries
-        // Map internal CRYPTO_* codes to canonical E_* codes
-        if (isCryptoError(err)) {
-            if (FORMAT_ERROR_CODES.has(err.code)) {
-                return {
-                    valid: false,
-                    code: 'E_INVALID_FORMAT',
-                    message: err.message,
-                };
-            }
-            if (err.code === 'CRYPTO_INVALID_SIGNATURE') {
-                return {
-                    valid: false,
-                    code: 'E_INVALID_SIGNATURE',
-                    message: err.message,
-                };
-            }
-        }
-        // All other errors (JSON parse, unexpected) -> E_INTERNAL
-        // No message parsing - code-based mapping only
-        const message = err instanceof Error ? err.message : String(err);
-        return {
-            valid: false,
-            code: 'E_INTERNAL',
-            message: `Unexpected verification error: ${message}`,
-        };
-    }
-}
-/**
- * Type guard: narrows a VerifyLocalResult to a commerce success.
- *
- * Use instead of manual `result.valid && result.variant === 'commerce'` checks
- * to get proper claims narrowing to ReceiptClaimsType.
- */
-function isCommerceResult(r) {
-    return r.valid === true && r.variant === 'commerce';
-}
-/**
- * Type guard: narrows a VerifyLocalResult to an attestation success.
- *
- * Use instead of manual `result.valid && result.variant === 'attestation'` checks
- * to get proper claims narrowing to AttestationReceiptClaims.
- */
-function isAttestationResult(r) {
-    return r.valid === true && r.variant === 'attestation';
-}
-//# sourceMappingURL=verify-local.js.map

package/dist/verify-local.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"verify-local.js","sourceRoot":"","sources":["../src/verify-local.ts"],"names":[],"mappings":";AAAA;;;;;GAKG;;AAoOH,kCA2IC;AAQD,4CAIC;AAQD,kDAIC;AArYD,yCAAmD;AACnD,yCAIsB;AAYtB;;;GAGG;AACH,SAAS,aAAa,CAAC,GAAY;IACjC,OAAO,CACL,GAAG,KAAK,IAAI;QACZ,OAAO,GAAG,KAAK,QAAQ;QACvB,MAAM,IAAI,GAAG;QACb,GAAG,CAAC,IAAI,KAAK,aAAa;QAC1B,MAAM,IAAI,GAAG;QACb,OAAO,GAAG,CAAC,IAAI,KAAK,QAAQ;QAC5B,GAAG,CAAC,IAAI,CAAC,UAAU,CAAC,SAAS,CAAC;QAC9B,SAAS,IAAI,GAAG;QAChB,OAAO,GAAG,CAAC,OAAO,KAAK,QAAQ,CAChC,CAAC;AACJ,CAAC;AAoID;;;GAGG;AACH,MAAM,kBAAkB,GAAG,IAAI,GAAG,CAAC;IACjC,2BAA2B;IAC3B,oBAAoB;IACpB,oBAAoB;IACpB,2BAA2B;CAC5B,CAAC,CAAC;AAEH,kEAAkE;AAClE,MAAM,gBAAgB,GAAG,EAAE,CAAC;AAE5B;;;GAGG;AACH,SAAS,mBAAmB,CAC1B,MAAe;IAEf,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC;QAAE,OAAO,SAAS,CAAC;IAC7C,OAAO,MAAM,CAAC,KAAK,CAAC,CAAC,EAAE,gBAAgB,CAAC,CAAC,GAAG,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;QACvD,IAAI,EAAE,KAAK,CAAC,OAAO,CAAC,KAAK,EAAE,IAAI,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,EAAE;QAC5D,OAAO,EAAE,OAAO,KAAK,EAAE,OAAO,KAAK,QAAQ,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC;KAC5E,CAAC,CAAC,CAAC;AACN,CAAC;AAED;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAgCG;AACI,KAAK,UAAU,WAAW,CAC/B,GAAW,EACX,SAAqB,EACrB,UAA8B,EAAE;IAEhC,MAAM,EAAE,MAAM,EAAE,QAAQ,EAAE,UAAU,EAAE,GAAG,EAAE,UAAU,GAAG,KAAK,EAAE,YAAY,GAAG,GAAG,EAAE,GAAG,OAAO,CAAC;IAC9F,MAAM,GAAG,GAAG,OAAO,CAAC,GAAG,IAAI,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;IAEzD,IAAI,CAAC;QACH,sEAAsE;QACtE,MAAM,MAAM,GAAG,MAAM,IAAA,eAAS,EAAU,GAAG,EAAE,SAAS,CAAC,CAAC;QAExD,IAAI,CAAC,MAAM,CAAC,KAAK,EAAE,CAAC;YAClB,OAAO;gBACL,KAAK,EAAE,KAAK;gBACZ,IAAI,EAAE,qBAAqB;gBAC3B,OAAO,EAAE,uCAAuC;aACjD,CAAC;QACJ,CAAC;QAED,6EAA6E;QAC7E,MAAM,EAAE,GAAG,IAAA,2BAAkB,EAAC,MAAM,CAAC,OAAO,CAAC,CAAC;QAE9C,IAAI,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC;YACX,OAAO;gBACL,KAAK,EAAE,KAAK;gBACZ,IAAI,EAAE,kBAAkB;gBACxB,OAAO,EAAE,qCAAqC,EAAE,CAAC,KAAK,CAAC,OAAO,EAAE;gBAChE,OAAO,EAAE,EAAE,UAAU,EAAE,EAAE,CAAC,KAAK,CAAC,IAAI,EAAE,MAAM,EAAE,mBAAmB,CAAC,EAAE,CAAC,KAAK,CAAC,MAAM,CAAC,EAAE;aACrF,CAAC;QACJ,CAAC;QAED,8EAA8E;QAC9E,0BAA0B;QAC1B,IAAI,MAAM,KAAK,SAAS,IAAI,EAAE,CAAC,MAAM,CAAC,GAAG,KAAK,MAAM,EAAE,CAAC;YACrD,OAAO;gBACL,KAAK,EAAE,KAAK;gBACZ,IAAI,EAAE,kBAAkB;gBACxB,OAAO,EAAE,8BAA8B,MAAM,WAAW,EAAE,CAAC,MAAM,CAAC,GAAG,GAAG;aACzE,CAAC;QACJ,CAAC;QAED,4BAA4B;QAC5B,IAAI,QAAQ,KAAK,SAAS,IAAI,EAAE,CAAC,MAAM,CAAC,GAAG,KAAK,QAAQ,EAAE,CAAC;YACzD,OAAO;gBACL,KAAK,EAAE,KAAK;gBACZ,IAAI,EAAE,oBAAoB;gBAC1B,OAAO,EAAE,gCAAgC,QAAQ,WAAW,EAAE,CAAC,MAAM,CAAC,GAAG,GAAG;aAC7E,CAAC;QACJ,CAAC;QAED,8BAA8B;QAC9B,IAAI,GAAG,KAAK,SAAS,IAAI,EAAE,CAAC,MAAM,CAAC,GAAG,KAAK,GAAG,EAAE,CAAC;YAC/C,OAAO;gBACL,KAAK,EAAE,KAAK;gBACZ,IAAI,EAAE,sBAAsB;gBAC5B,OAAO,EAAE,kCAAkC,GAAG,WAAW,EAAE,CAAC,MAAM,CAAC,GAAG,GAAG;aAC1E,CAAC;QACJ,CAAC;QAED,sBAAsB;QACtB,IAAI,UAAU,IAAI,EAAE,CAAC,MAAM,CAAC,GAAG,KAAK,SAAS,EAAE,CAAC;YAC9C,OAAO;gBACL,KAAK,EAAE,KAAK;gBACZ,IAAI,EAAE,eAAe;gBACrB,OAAO,EAAE,oCAAoC;aAC9C,CAAC;QACJ,CAAC;QAED,+CAA+C;QAC/C,IAAI,EAAE,CAAC,MAAM,CAAC,GAAG,GAAG,GAAG,GAAG,YAAY,EAAE,CAAC;YACvC,OAAO;gBACL,KAAK,EAAE,KAAK;gBACZ,IAAI,EAAE,iBAAiB;gBACvB,OAAO,EAAE,oCAAoC,IAAI,IAAI,CAAC,EAAE,CAAC,MAAM,CAAC,GAAG,GAAG,IAAI,CAAC,CAAC,WAAW,EAAE,YAAY,IAAI,IAAI,CAAC,GAAG,GAAG,IAAI,CAAC,CAAC,WAAW,EAAE,EAAE;aAC1I,CAAC;QACJ,CAAC;QAED,8CAA8C;QAC9C,IAAI,EAAE,CAAC,MAAM,CAAC,GAAG,KAAK,SAAS,IAAI,EAAE,CAAC,MAAM,CAAC,GAAG,GAAG,GAAG,GAAG,YAAY,EAAE,CAAC;YACtE,OAAO;gBACL,KAAK,EAAE,KAAK;gBACZ,IAAI,EAAE,WAAW;gBACjB,OAAO,EAAE,sBAAsB,IAAI,IAAI,CAAC,EAAE,CAAC,MAAM,CAAC,GAAG,GAAG,IAAI,CAAC,CAAC,WAAW,EAAE,EAAE;aAC9E,CAAC;QACJ,CAAC;QAED,wEAAwE;QACxE,IAAI,EAAE,CAAC,OAAO,KAAK,UAAU,EAAE,CAAC;YAC9B,MAAM,MAAM,GAAG,EAAE,CAAC,MAA2B,CAAC;YAC9C,IAAI,UAAU,KAAK,SAAS,IAAI,MAAM,CAAC,OAAO,EAAE,GAAG,KAAK,UAAU,EAAE,CAAC;gBACnE,OAAO;oBACL,KAAK,EAAE,KAAK;oBACZ,IAAI,EAAE,mBAAmB;oBACzB,OAAO,EAAE,+BAA+B,UAAU,WAAW,MAAM,CAAC,OAAO,EAAE,GAAG,IAAI,WAAW,GAAG;iBACnG,CAAC;YACJ,CAAC;YACD,OAAO,EAAE,KAAK,EAAE,IAAI,EAAE,OAAO,EAAE,UAAU,EAAE,MAAM,EAAE,GAAG,EAAE,MAAM,CAAC,MAAM,CAAC,GAAG,EAAE,CAAC;QAC9E,CAAC;aAAM,CAAC;YACN,MAAM,MAAM,GAAG,EAAE,CAAC,MAAkC,CAAC;YACrD,IAAI,UAAU,KAAK,SAAS,IAAI,MAAM,CAAC,GAAG,KAAK,UAAU,EAAE,CAAC;gBAC1D,OAAO;oBACL,KAAK,EAAE,KAAK;oBACZ,IAAI,EAAE,mBAAmB;oBACzB,OAAO,EAAE,+BAA+B,UAAU,WAAW,MAAM,CAAC,GAAG,IAAI,WAAW,GAAG;iBAC1F,CAAC;YACJ,CAAC;YACD,OAAO,EAAE,KAAK,EAAE,IAAI,EAAE,OAAO,EAAE,aAAa,EAAE,MAAM,EAAE,GAAG,EAAE,MAAM,CAAC,MAAM,CAAC,GAAG,EAAE,CAAC;QACjF,CAAC;IACH,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,6CAA6C;QAC7C,sFAAsF;QACtF,qDAAqD;QACrD,IAAI,aAAa,CAAC,GAAG,CAAC,EAAE,CAAC;YACvB,IAAI,kBAAkB,CAAC,GAAG,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE,CAAC;gBACrC,OAAO;oBACL,KAAK,EAAE,KAAK;oBACZ,IAAI,EAAE,kBAAkB;oBACxB,OAAO,EAAE,GAAG,CAAC,OAAO;iBACrB,CAAC;YACJ,CAAC;YACD,IAAI,GAAG,CAAC,IAAI,KAAK,0BAA0B,EAAE,CAAC;gBAC5C,OAAO;oBACL,KAAK,EAAE,KAAK;oBACZ,IAAI,EAAE,qBAAqB;oBAC3B,OAAO,EAAE,GAAG,CAAC,OAAO;iBACrB,CAAC;YACJ,CAAC;QACH,CAAC;QAED,0DAA0D;QAC1D,+CAA+C;QAC/C,MAAM,OAAO,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;QACjE,OAAO;YACL,KAAK,EAAE,KAAK;YACZ,IAAI,EAAE,YAAY;YAClB,OAAO,EAAE,kCAAkC,OAAO,EAAE;SACrD,CAAC;IACJ,CAAC;AACH,CAAC;AAED;;;;;GAKG;AACH,SAAgB,gBAAgB,CAC9B,CAAoB;IAEpB,OAAO,CAAC,CAAC,KAAK,KAAK,IAAI,IAAI,CAAC,CAAC,OAAO,KAAK,UAAU,CAAC;AACtD,CAAC;AAED;;;;;GAKG;AACH,SAAgB,mBAAmB,CACjC,CAAoB;IAEpB,OAAO,CAAC,CAAC,KAAK,KAAK,IAAI,IAAI,CAAC,CAAC,OAAO,KAAK,aAAa,CAAC;AACzD,CAAC"}

package/dist/verify.js

@@ -1,213 +0,0 @@
-"use strict";
-/**
- * Receipt verification with JWKS fetching and caching
- */
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.verifyReceipt = verifyReceipt;
-const crypto_1 = require("@peac/crypto");
-const schema_1 = require("@peac/schema");
-const telemetry_js_1 = require("./telemetry.js");
-/**
- * In-memory JWKS cache
- * Maps issuer URL to { keys, expiresAt }
- */
-const jwksCache = new Map();
-/**
- * Cache TTL (5 minutes)
- */
-const CACHE_TTL_MS = 5 * 60 * 1000;
-/**
- * Fetch JWKS from issuer (SSRF-safe)
- */
-async function fetchJWKS(issuerUrl) {
-    // SSRF protection: only allow https://
-    if (!issuerUrl.startsWith('https://')) {
-        throw new Error('Issuer URL must be https://');
-    }
-    // Construct JWKS URL from discovery
-    const discoveryUrl = `${issuerUrl}/.well-known/peac.txt`;
-    try {
-        const discoveryResp = await fetch(discoveryUrl, {
-            headers: { Accept: 'text/plain' },
-            // Timeout after 5 seconds
-            signal: AbortSignal.timeout(5000),
-        });
-        if (!discoveryResp.ok) {
-            throw new Error(`Discovery fetch failed: ${discoveryResp.status}`);
-        }
-        const discoveryText = await discoveryResp.text();
-        // Parse YAML-like discovery (simple key: value parsing)
-        const jwksLine = discoveryText.split('\n').find((line) => line.startsWith('jwks:'));
-        if (!jwksLine) {
-            throw new Error('No jwks field in discovery');
-        }
-        const jwksUrl = jwksLine.replace('jwks:', '').trim();
-        // SSRF protection: verify JWKS URL is also https://
-        if (!jwksUrl.startsWith('https://')) {
-            throw new Error('JWKS URL must be https://');
-        }
-        // Fetch JWKS
-        const jwksResp = await fetch(jwksUrl, {
-            headers: { Accept: 'application/json' },
-            signal: AbortSignal.timeout(5000),
-        });
-        if (!jwksResp.ok) {
-            throw new Error(`JWKS fetch failed: ${jwksResp.status}`);
-        }
-        const jwks = (await jwksResp.json());
-        return jwks;
-    }
-    catch (err) {
-        throw new Error(`JWKS fetch failed: ${err instanceof Error ? err.message : String(err)}`);
-    }
-}
-/**
- * Get JWKS (from cache or fetch)
- */
-async function getJWKS(issuerUrl) {
-    const now = Date.now();
-    // Check cache
-    const cached = jwksCache.get(issuerUrl);
-    if (cached && cached.expiresAt > now) {
-        return { jwks: cached.keys, fromCache: true };
-    }
-    // Fetch fresh JWKS
-    const jwks = await fetchJWKS(issuerUrl);
-    // Cache it
-    jwksCache.set(issuerUrl, {
-        keys: jwks,
-        expiresAt: now + CACHE_TTL_MS,
-    });
-    return { jwks, fromCache: false };
-}
-/**
- * Convert JWK x coordinate to Ed25519 public key
- */
-function jwkToPublicKey(jwk) {
-    if (jwk.kty !== 'OKP' || jwk.crv !== 'Ed25519') {
-        throw new Error('Only Ed25519 keys (OKP/Ed25519) are supported');
-    }
-    // Decode base64url x coordinate
-    const xBytes = Buffer.from(jwk.x, 'base64url');
-    if (xBytes.length !== 32) {
-        throw new Error('Ed25519 public key must be 32 bytes');
-    }
-    return new Uint8Array(xBytes);
-}
-/**
- * Verify a PEAC receipt JWS
- *
- * @param optionsOrJws - Verify options or JWS compact serialization (for backwards compatibility)
- * @returns Verification result or failure
- */
-async function verifyReceipt(optionsOrJws) {
-    // Support both old (string) and new (options) signatures for backwards compatibility
-    const receiptJws = typeof optionsOrJws === 'string' ? optionsOrJws : optionsOrJws.receiptJws;
-    const inputSnapshot = typeof optionsOrJws === 'string' ? undefined : optionsOrJws.subject_snapshot;
-    const telemetry = typeof optionsOrJws === 'string' ? undefined : optionsOrJws.telemetry;
-    const startTime = performance.now();
-    let jwksFetchTime;
-    try {
-        // Decode JWS to get issuer
-        const { header, payload } = (0, crypto_1.decode)(receiptJws);
-        // Validate claims structure
-        schema_1.ReceiptClaims.parse(payload);
-        // Check expiry
-        if (payload.exp && payload.exp < Math.floor(Date.now() / 1000)) {
-            const durationMs = performance.now() - startTime;
-            (0, telemetry_js_1.fireTelemetryHook)(telemetry?.onReceiptVerified, {
-                receiptHash: (0, telemetry_js_1.hashReceipt)(receiptJws),
-                valid: false,
-                reasonCode: 'expired',
-                issuer: payload.iss,
-                kid: header.kid,
-                durationMs,
-            });
-            return {
-                ok: false,
-                reason: 'expired',
-                details: `Receipt expired at ${new Date(payload.exp * 1000).toISOString()}`,
-            };
-        }
-        // Fetch JWKS
-        const jwksFetchStart = performance.now();
-        const { jwks, fromCache } = await getJWKS(payload.iss);
-        if (!fromCache) {
-            jwksFetchTime = performance.now() - jwksFetchStart;
-        }
-        // Find key by kid
-        const jwk = jwks.keys.find((k) => k.kid === header.kid);
-        if (!jwk) {
-            const durationMs = performance.now() - startTime;
-            (0, telemetry_js_1.fireTelemetryHook)(telemetry?.onReceiptVerified, {
-                receiptHash: (0, telemetry_js_1.hashReceipt)(receiptJws),
-                valid: false,
-                reasonCode: 'unknown_key',
-                issuer: payload.iss,
-                kid: header.kid,
-                durationMs,
-            });
-            return {
-                ok: false,
-                reason: 'unknown_key',
-                details: `No key found with kid=${header.kid}`,
-            };
-        }
-        // Convert JWK to public key
-        const publicKey = jwkToPublicKey(jwk);
-        // Verify signature
-        const result = await (0, crypto_1.verify)(receiptJws, publicKey);
-        if (!result.valid) {
-            const durationMs = performance.now() - startTime;
-            (0, telemetry_js_1.fireTelemetryHook)(telemetry?.onReceiptVerified, {
-                receiptHash: (0, telemetry_js_1.hashReceipt)(receiptJws),
-                valid: false,
-                reasonCode: 'invalid_signature',
-                issuer: payload.iss,
-                kid: header.kid,
-                durationMs,
-            });
-            return {
-                ok: false,
-                reason: 'invalid_signature',
-                details: 'Ed25519 signature verification failed',
-            };
-        }
-        // Validate subject_snapshot if provided (v0.9.17+)
-        // This validates schema and logs advisory PII warning if applicable
-        const validatedSnapshot = (0, schema_1.validateSubjectSnapshot)(inputSnapshot);
-        const verifyTime = performance.now() - startTime;
-        // Emit success telemetry (fire-and-forget, guarded)
-        (0, telemetry_js_1.fireTelemetryHook)(telemetry?.onReceiptVerified, {
-            receiptHash: (0, telemetry_js_1.hashReceipt)(receiptJws),
-            valid: true,
-            issuer: payload.iss,
-            kid: header.kid,
-            durationMs: verifyTime,
-        });
-        return {
-            ok: true,
-            claims: payload,
-            ...(validatedSnapshot && { subject_snapshot: validatedSnapshot }),
-            perf: {
-                verify_ms: verifyTime,
-                ...(jwksFetchTime && { jwks_fetch_ms: jwksFetchTime }),
-            },
-        };
-    }
-    catch (err) {
-        const durationMs = performance.now() - startTime;
-        (0, telemetry_js_1.fireTelemetryHook)(telemetry?.onReceiptVerified, {
-            receiptHash: (0, telemetry_js_1.hashReceipt)(receiptJws),
-            valid: false,
-            reasonCode: 'verification_error',
-            durationMs,
-        });
-        return {
-            ok: false,
-            reason: 'verification_error',
-            details: err instanceof Error ? err.message : String(err),
-        };
-    }
-}
-//# sourceMappingURL=verify.js.map

package/dist/verify.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"verify.js","sourceRoot":"","sources":["../src/verify.ts"],"names":[],"mappings":";AAAA;;GAEG;;AA8LH,sCA2HC;AAvTD,yCAA2D;AAC3D,yCAKsB;AACtB,iDAAoF;AAmBpF;;;GAGG;AACH,MAAM,SAAS,GAAG,IAAI,GAAG,EAA6C,CAAC;AAEvE;;GAEG;AACH,MAAM,YAAY,GAAG,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC;AAoCnC;;GAEG;AACH,KAAK,UAAU,SAAS,CAAC,SAAiB;IACxC,uCAAuC;IACvC,IAAI,CAAC,SAAS,CAAC,UAAU,CAAC,UAAU,CAAC,EAAE,CAAC;QACtC,MAAM,IAAI,KAAK,CAAC,6BAA6B,CAAC,CAAC;IACjD,CAAC;IAED,oCAAoC;IACpC,MAAM,YAAY,GAAG,GAAG,SAAS,uBAAuB,CAAC;IAEzD,IAAI,CAAC;QACH,MAAM,aAAa,GAAG,MAAM,KAAK,CAAC,YAAY,EAAE;YAC9C,OAAO,EAAE,EAAE,MAAM,EAAE,YAAY,EAAE;YACjC,0BAA0B;YAC1B,MAAM,EAAE,WAAW,CAAC,OAAO,CAAC,IAAI,CAAC;SAClC,CAAC,CAAC;QAEH,IAAI,CAAC,aAAa,CAAC,EAAE,EAAE,CAAC;YACtB,MAAM,IAAI,KAAK,CAAC,2BAA2B,aAAa,CAAC,MAAM,EAAE,CAAC,CAAC;QACrE,CAAC;QAED,MAAM,aAAa,GAAG,MAAM,aAAa,CAAC,IAAI,EAAE,CAAC;QAEjD,wDAAwD;QACxD,MAAM,QAAQ,GAAG,aAAa,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,IAAI,CAAC,UAAU,CAAC,OAAO,CAAC,CAAC,CAAC;QACpF,IAAI,CAAC,QAAQ,EAAE,CAAC;YACd,MAAM,IAAI,KAAK,CAAC,4BAA4B,CAAC,CAAC;QAChD,CAAC;QAED,MAAM,OAAO,GAAG,QAAQ,CAAC,OAAO,CAAC,OAAO,EAAE,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC;QAErD,oDAAoD;QACpD,IAAI,CAAC,OAAO,CAAC,UAAU,CAAC,UAAU,CAAC,EAAE,CAAC;YACpC,MAAM,IAAI,KAAK,CAAC,2BAA2B,CAAC,CAAC;QAC/C,CAAC;QAED,aAAa;QACb,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,OAAO,EAAE;YACpC,OAAO,EAAE,EAAE,MAAM,EAAE,kBAAkB,EAAE;YACvC,MAAM,EAAE,WAAW,CAAC,OAAO,CAAC,IAAI,CAAC;SAClC,CAAC,CAAC;QAEH,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;YACjB,MAAM,IAAI,KAAK,CAAC,sBAAsB,QAAQ,CAAC,MAAM,EAAE,CAAC,CAAC;QAC3D,CAAC;QAED,MAAM,IAAI,GAAG,CAAC,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAS,CAAC;QAE7C,OAAO,IAAI,CAAC;IACd,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,IAAI,KAAK,CAAC,sBAAsB,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;IAC5F,CAAC;AACH,CAAC;AAED;;GAEG;AACH,KAAK,UAAU,OAAO,CAAC,SAAiB;IACtC,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;IAEvB,cAAc;IACd,MAAM,MAAM,GAAG,SAAS,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;IACxC,IAAI,MAAM,IAAI,MAAM,CAAC,SAAS,GAAG,GAAG,EAAE,CAAC;QACrC,OAAO,EAAE,IAAI,EAAE,MAAM,CAAC,IAAI,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC;IAChD,CAAC;IAED,mBAAmB;IACnB,MAAM,IAAI,GAAG,MAAM,SAAS,CAAC,SAAS,CAAC,CAAC;IAExC,WAAW;IACX,SAAS,CAAC,GAAG,CAAC,SAAS,EAAE;QACvB,IAAI,EAAE,IAAI;QACV,SAAS,EAAE,GAAG,GAAG,YAAY;KAC9B,CAAC,CAAC;IAEH,OAAO,EAAE,IAAI,EAAE,SAAS,EAAE,KAAK,EAAE,CAAC;AACpC,CAAC;AAED;;GAEG;AACH,SAAS,cAAc,CAAC,GAAQ;IAC9B,IAAI,GAAG,CAAC,GAAG,KAAK,KAAK,IAAI,GAAG,CAAC,GAAG,KAAK,SAAS,EAAE,CAAC;QAC/C,MAAM,IAAI,KAAK,CAAC,+CAA+C,CAAC,CAAC;IACnE,CAAC;IAED,gCAAgC;IAChC,MAAM,MAAM,GAAG,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,WAAW,CAAC,CAAC;IAC/C,IAAI,MAAM,CAAC,MAAM,KAAK,EAAE,EAAE,CAAC;QACzB,MAAM,IAAI,KAAK,CAAC,qCAAqC,CAAC,CAAC;IACzD,CAAC;IAED,OAAO,IAAI,UAAU,CAAC,MAAM,CAAC,CAAC;AAChC,CAAC;AAgBD;;;;;GAKG;AACI,KAAK,UAAU,aAAa,CACjC,YAAoC;IAEpC,qFAAqF;IACrF,MAAM,UAAU,GAAG,OAAO,YAAY,KAAK,QAAQ,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,YAAY,CAAC,UAAU,CAAC;IAC7F,MAAM,aAAa,GACjB,OAAO,YAAY,KAAK,QAAQ,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,YAAY,CAAC,gBAAgB,CAAC;IAC/E,MAAM,SAAS,GAAG,OAAO,YAAY,KAAK,QAAQ,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,YAAY,CAAC,SAAS,CAAC;IACxF,MAAM,SAAS,GAAG,WAAW,CAAC,GAAG,EAAE,CAAC;IACpC,IAAI,aAAiC,CAAC;IAEtC,IAAI,CAAC;QACH,2BAA2B;QAC3B,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,GAAG,IAAA,eAAM,EAAoB,UAAU,CAAC,CAAC;QAElE,4BAA4B;QAC5B,sBAAa,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;QAE7B,eAAe;QACf,IAAI,OAAO,CAAC,GAAG,IAAI,OAAO,CAAC,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,EAAE,CAAC;YAC/D,MAAM,UAAU,GAAG,WAAW,CAAC,GAAG,EAAE,GAAG,SAAS,CAAC;YACjD,IAAA,gCAAiB,EAAC,SAAS,EAAE,iBAAiB,EAAE;gBAC9C,WAAW,EAAE,IAAA,0BAAW,EAAC,UAAU,CAAC;gBACpC,KAAK,EAAE,KAAK;gBACZ,UAAU,EAAE,SAAS;gBACrB,MAAM,EAAE,OAAO,CAAC,GAAG;gBACnB,GAAG,EAAE,MAAM,CAAC,GAAG;gBACf,UAAU;aACX,CAAC,CAAC;YACH,OAAO;gBACL,EAAE,EAAE,KAAK;gBACT,MAAM,EAAE,SAAS;gBACjB,OAAO,EAAE,sBAAsB,IAAI,IAAI,CAAC,OAAO,CAAC,GAAG,GAAG,IAAI,CAAC,CAAC,WAAW,EAAE,EAAE;aAC5E,CAAC;QACJ,CAAC;QAED,aAAa;QACb,MAAM,cAAc,GAAG,WAAW,CAAC,GAAG,EAAE,CAAC;QACzC,MAAM,EAAE,IAAI,EAAE,SAAS,EAAE,GAAG,MAAM,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;QACvD,IAAI,CAAC,SAAS,EAAE,CAAC;YACf,aAAa,GAAG,WAAW,CAAC,GAAG,EAAE,GAAG,cAAc,CAAC;QACrD,CAAC;QAED,kBAAkB;QAClB,MAAM,GAAG,GAAG,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,GAAG,KAAK,MAAM,CAAC,GAAG,CAAC,CAAC;QACxD,IAAI,CAAC,GAAG,EAAE,CAAC;YACT,MAAM,UAAU,GAAG,WAAW,CAAC,GAAG,EAAE,GAAG,SAAS,CAAC;YACjD,IAAA,gCAAiB,EAAC,SAAS,EAAE,iBAAiB,EAAE;gBAC9C,WAAW,EAAE,IAAA,0BAAW,EAAC,UAAU,CAAC;gBACpC,KAAK,EAAE,KAAK;gBACZ,UAAU,EAAE,aAAa;gBACzB,MAAM,EAAE,OAAO,CAAC,GAAG;gBACnB,GAAG,EAAE,MAAM,CAAC,GAAG;gBACf,UAAU;aACX,CAAC,CAAC;YACH,OAAO;gBACL,EAAE,EAAE,KAAK;gBACT,MAAM,EAAE,aAAa;gBACrB,OAAO,EAAE,yBAAyB,MAAM,CAAC,GAAG,EAAE;aAC/C,CAAC;QACJ,CAAC;QAED,4BAA4B;QAC5B,MAAM,SAAS,GAAG,cAAc,CAAC,GAAG,CAAC,CAAC;QAEtC,mBAAmB;QACnB,MAAM,MAAM,GAAG,MAAM,IAAA,eAAS,EAAoB,UAAU,EAAE,SAAS,CAAC,CAAC;QAEzE,IAAI,CAAC,MAAM,CAAC,KAAK,EAAE,CAAC;YAClB,MAAM,UAAU,GAAG,WAAW,CAAC,GAAG,EAAE,GAAG,SAAS,CAAC;YACjD,IAAA,gCAAiB,EAAC,SAAS,EAAE,iBAAiB,EAAE;gBAC9C,WAAW,EAAE,IAAA,0BAAW,EAAC,UAAU,CAAC;gBACpC,KAAK,EAAE,KAAK;gBACZ,UAAU,EAAE,mBAAmB;gBAC/B,MAAM,EAAE,OAAO,CAAC,GAAG;gBACnB,GAAG,EAAE,MAAM,CAAC,GAAG;gBACf,UAAU;aACX,CAAC,CAAC;YACH,OAAO;gBACL,EAAE,EAAE,KAAK;gBACT,MAAM,EAAE,mBAAmB;gBAC3B,OAAO,EAAE,uCAAuC;aACjD,CAAC;QACJ,CAAC;QAED,mDAAmD;QACnD,oEAAoE;QACpE,MAAM,iBAAiB,GAAG,IAAA,gCAAuB,EAAC,aAAa,CAAC,CAAC;QAEjE,MAAM,UAAU,GAAG,WAAW,CAAC,GAAG,EAAE,GAAG,SAAS,CAAC;QAEjD,oDAAoD;QACpD,IAAA,gCAAiB,EAAC,SAAS,EAAE,iBAAiB,EAAE;YAC9C,WAAW,EAAE,IAAA,0BAAW,EAAC,UAAU,CAAC;YACpC,KAAK,EAAE,IAAI;YACX,MAAM,EAAE,OAAO,CAAC,GAAG;YACnB,GAAG,EAAE,MAAM,CAAC,GAAG;YACf,UAAU,EAAE,UAAU;SACvB,CAAC,CAAC;QAEH,OAAO;YACL,EAAE,EAAE,IAAI;YACR,MAAM,EAAE,OAAO;YACf,GAAG,CAAC,iBAAiB,IAAI,EAAE,gBAAgB,EAAE,iBAAiB,EAAE,CAAC;YACjE,IAAI,EAAE;gBACJ,SAAS,EAAE,UAAU;gBACrB,GAAG,CAAC,aAAa,IAAI,EAAE,aAAa,EAAE,aAAa,EAAE,CAAC;aACvD;SACF,CAAC;IACJ,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,UAAU,GAAG,WAAW,CAAC,GAAG,EAAE,GAAG,SAAS,CAAC;QACjD,IAAA,gCAAiB,EAAC,SAAS,EAAE,iBAAiB,EAAE;YAC9C,WAAW,EAAE,IAAA,0BAAW,EAAC,UAAU,CAAC;YACpC,KAAK,EAAE,KAAK;YACZ,UAAU,EAAE,oBAAoB;YAChC,UAAU;SACX,CAAC,CAAC;QACH,OAAO;YACL,EAAE,EAAE,KAAK;YACT,MAAM,EAAE,oBAAoB;YAC5B,OAAO,EAAE,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC;SAC1D,CAAC;IACJ,CAAC;AACH,CAAC"}