@primust/verifier 1.0.0 → 1.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (49) hide show
  1. package/dist/chunk-LTWQK3HT.js +432 -0
  2. package/dist/chunk-NOADQWB6.js +3012 -0
  3. package/dist/cli.d.ts +3 -2
  4. package/dist/cli.js +309 -361
  5. package/dist/index.d.ts +335 -13
  6. package/dist/index.js +1181 -13
  7. package/dist/tsa-chain-7KSQ5LAH.js +235 -0
  8. package/dist/v29-envelope-GFVVA2S6.js +42 -0
  9. package/package.json +7 -8
  10. package/dist/bounded-trace.d.ts +0 -46
  11. package/dist/bounded-trace.d.ts.map +0 -1
  12. package/dist/bounded-trace.js +0 -558
  13. package/dist/bounded-trace.js.map +0 -1
  14. package/dist/cli.d.ts.map +0 -1
  15. package/dist/cli.js.map +0 -1
  16. package/dist/index.d.ts.map +0 -1
  17. package/dist/index.js.map +0 -1
  18. package/dist/key-cache.d.ts +0 -20
  19. package/dist/key-cache.d.ts.map +0 -1
  20. package/dist/key-cache.js +0 -68
  21. package/dist/key-cache.js.map +0 -1
  22. package/dist/scoped.d.ts +0 -35
  23. package/dist/scoped.d.ts.map +0 -1
  24. package/dist/scoped.js +0 -582
  25. package/dist/scoped.js.map +0 -1
  26. package/dist/types.d.ts +0 -60
  27. package/dist/types.d.ts.map +0 -1
  28. package/dist/types.js +0 -5
  29. package/dist/types.js.map +0 -1
  30. package/dist/upstream_resolver.d.ts +0 -60
  31. package/dist/upstream_resolver.d.ts.map +0 -1
  32. package/dist/upstream_resolver.js +0 -126
  33. package/dist/upstream_resolver.js.map +0 -1
  34. package/dist/v29-envelope.d.ts +0 -55
  35. package/dist/v29-envelope.d.ts.map +0 -1
  36. package/dist/v29-envelope.js +0 -450
  37. package/dist/v29-envelope.js.map +0 -1
  38. package/dist/verifier.d.ts +0 -36
  39. package/dist/verifier.d.ts.map +0 -1
  40. package/dist/verifier.js +0 -1235
  41. package/dist/verifier.js.map +0 -1
  42. package/dist/verifier.test.d.ts +0 -2
  43. package/dist/verifier.test.d.ts.map +0 -1
  44. package/dist/verifier.test.js +0 -395
  45. package/dist/verifier.test.js.map +0 -1
  46. package/dist/verify-html-template.d.ts +0 -45
  47. package/dist/verify-html-template.d.ts.map +0 -1
  48. package/dist/verify-html-template.js +0 -182
  49. package/dist/verify-html-template.js.map +0 -1
package/dist/v29-envelope.js DELETED
@@ -1,450 +0,0 @@
1
- /**
2
- * v29 ProofCheck envelope + manifest + runtime-binding conformance.
3
- *
4
- * Mirror of packages/verifier-py/src/primust_verify/v29_envelope.py.
5
- * The Py↔TS parity contract: canonicalJson(x) MUST produce byte-identical
6
- * output for identical inputs across both languages, and every reproduction
7
- * function MUST return the same value.
8
- *
9
- * Per docs/v29-draft/PROOFCHECK_ENVELOPE_SPEC_v0_1.md, AGENT_MANIFEST_SPEC,
10
- * HARNESS_MANIFEST_SPEC, RUNTIME_BINDING_SPEC.
11
- *
12
- * Pure functions only. No DB, no network, no KMS.
13
- */
14
- import { createHash, createPublicKey, verify as cryptoVerify } from "node:crypto";
15
- export const ENVELOPE_VERSION = "v0.1";
16
- export const ALLOWED_KINDS = new Set([
17
- "governance_check",
18
- "outbound_action",
19
- "token_authority_snapshot",
20
- "workspace_observation",
21
- "contention_event",
22
- "scope_claim_lifecycle",
23
- "scope_claim_emitted",
24
- "turn_context",
25
- "tool_execution",
26
- ]);
27
- export const ALLOWED_TRUST_EDGES = new Set(["A2T", "A2M", "A2H", "A2A", "A2S", "A2D"]);
28
- export const PROOF_TIER_HIERARCHY = [
29
- "attestation",
30
- "witnessed",
31
- "execution",
32
- "operator_bound",
33
- "verifiable_inference",
34
- "mathematical",
35
- ];
36
- const TIER_INDEX = Object.fromEntries(PROOF_TIER_HIERARCHY.map((t, i) => [t, i]));
37
- export const v29Pass = () => ({ ok: true, reasonCode: null });
38
- export const v29Fail = (code, detail = "") => ({
39
- ok: false,
40
- reasonCode: code,
41
- detail,
42
- });
43
- // ── Canonical JSON ────────────────────────────────────────────────────
44
- //
45
- // Must byte-identical with verifier-py canonical_json. Python uses
46
- // `json.dumps(value, sort_keys=True, separators=(",", ":"), default=str)`.
47
- // We replicate by:
48
- // - sorting object keys recursively
49
- // - omitting whitespace
50
- // - rendering nullish / Date / Buffer the same way Python's str() does
51
- // for the values that pass through (in practice envelope values are
52
- // primitives + arrays + plain dicts).
53
- function sortValue(v) {
54
- if (v === null || typeof v !== "object")
55
- return v;
56
- if (Array.isArray(v))
57
- return v.map(sortValue);
58
- // Plain object — sort keys.
59
- const out = {};
60
- for (const k of Object.keys(v).sort()) {
61
- out[k] = sortValue(v[k]);
62
- }
63
- return out;
64
- }
65
- export function canonicalJson(value) {
66
- return JSON.stringify(sortValue(value));
67
- }
68
- export function canonicalHash(value) {
69
- return "sha256:" + createHash("sha256").update(canonicalJson(value)).digest("hex");
70
- }
71
- // ── Envelope shape ────────────────────────────────────────────────────
72
- export function validateEnvelopeShape(envelope) {
73
- if (typeof envelope !== "object" || envelope === null) {
74
- return v29Fail("envelope_not_object");
75
- }
76
- const e = envelope;
77
- if (e.envelope_version !== ENVELOPE_VERSION) {
78
- return v29Fail("envelope_version_mismatch", `expected ${ENVELOPE_VERSION}, got ${JSON.stringify(e.envelope_version)}`);
79
- }
80
- for (const k of ["run_header", "records", "aggregations"]) {
81
- if (!(k in e))
82
- return v29Fail("envelope_missing_key", k);
83
- }
84
- const header = e.run_header;
85
- if (typeof header !== "object" || header === null) {
86
- return v29Fail("run_header_not_object");
87
- }
88
- for (const k of ["run_id", "org_id", "opened_at", "target_environment"]) {
89
- if (!(k in header))
90
- return v29Fail("run_header_missing_key", k);
91
- }
92
- const records = e.records;
93
- if (!Array.isArray(records))
94
- return v29Fail("records_not_array");
95
- for (let i = 0; i < records.length; i++) {
96
- const r = records[i];
97
- if (typeof r !== "object" || r === null) {
98
- return v29Fail("record_not_object", `records[${i}]`);
99
- }
100
- if (!ALLOWED_KINDS.has(String(r.kind))) {
101
- return v29Fail("record_kind_unknown", `records[${i}].kind=${JSON.stringify(r.kind)}`);
102
- }
103
- if (r.trust_edge != null && !ALLOWED_TRUST_EDGES.has(String(r.trust_edge))) {
104
- return v29Fail("record_trust_edge_unknown", `records[${i}].trust_edge=${JSON.stringify(r.trust_edge)}`);
105
- }
106
- }
107
- return v29Pass();
108
- }
109
- // ── Aggregation reproduction ──────────────────────────────────────────
110
- export function reproduceAggregations(records) {
111
- const proofMix = {};
112
- for (const t of PROOF_TIER_HIERARCHY)
113
- proofMix[t] = 0;
114
- const trustEdges = {};
115
- let floorIdx = null;
116
- let proven = 0;
117
- let totalWithTier = 0;
118
- for (const r of records) {
119
- const tier = r.tier_computed;
120
- if (typeof tier === "string" && tier in proofMix) {
121
- proofMix[tier] += 1;
122
- totalWithTier += 1;
123
- const idx = TIER_INDEX[tier];
124
- if (floorIdx === null || idx < floorIdx)
125
- floorIdx = idx;
126
- if (idx > 0)
127
- proven += 1;
128
- }
129
- const edge = r.trust_edge;
130
- if (typeof edge === "string" && ALLOWED_TRUST_EDGES.has(edge)) {
131
- const slot = trustEdges[edge] ?? { count: 0, tier_floor: null };
132
- slot.count += 1;
133
- if (typeof tier === "string" && tier in TIER_INDEX) {
134
- if (slot.tier_floor === null || TIER_INDEX[tier] < TIER_INDEX[slot.tier_floor]) {
135
- slot.tier_floor = tier;
136
- }
137
- }
138
- trustEdges[edge] = slot;
139
- }
140
- }
141
- // Round provable_surface to 4 dp, matching Python's round(...,4) which
142
- // banker-rounds — but the inputs we expect are clean fractions, so we
143
- // use the JS-native math here. Cross-language tests pin known values.
144
- const provableSurface = totalWithTier > 0 ? Math.round((proven / totalWithTier) * 10000) / 10000 : 0.0;
145
- return {
146
- trust_edges_observed: trustEdges,
147
- proof_mix: proofMix,
148
- proof_level_floor: floorIdx === null ? null : PROOF_TIER_HIERARCHY[floorIdx],
149
- provable_surface: provableSurface,
150
- provable_surface_breakdown: {
151
- records_with_tier: totalWithTier,
152
- records_proven_above_attestation: proven,
153
- },
154
- };
155
- }
156
- export function validateAggregations(envelope) {
157
- const stated = envelope.aggregations ?? {};
158
- const expected = reproduceAggregations(envelope.records ?? []);
159
- if (canonicalJson(stated) !== canonicalJson(expected)) {
160
- return v29Fail("aggregation_reproduction_mismatch", "stated aggregations differ from per-record reproduction");
161
- }
162
- return v29Pass();
163
- }
164
- // ── Harness tier-ceiling reproduction ─────────────────────────────────
165
- function decodeJsonb(v) {
166
- if (v == null)
167
- return null;
168
- if (typeof v === "string") {
169
- try {
170
- return JSON.parse(v);
171
- }
172
- catch {
173
- return null;
174
- }
175
- }
176
- return v;
177
- }
178
- // F24 — reproduce returns the CEILING TIER (string) on downgrade, or
179
- // null on no-downgrade. Mirror of verifier-py reproduce_tier_ceiling.
180
- export function reproduceTierCeiling(harnessManifest, surface, tierClaimed) {
181
- const ceilings = (decodeJsonb(harnessManifest.surface_tier_ceilings) ?? {});
182
- const ceiling = ceilings[surface];
183
- if (ceiling == null) {
184
- return { effective_tier: tierClaimed, tier_ceiling_applied: null };
185
- }
186
- const claimIdx = TIER_INDEX[tierClaimed] ?? -1;
187
- const ceilIdx = TIER_INDEX[ceiling] ?? -1;
188
- if (claimIdx <= ceilIdx || claimIdx === -1) {
189
- return { effective_tier: tierClaimed, tier_ceiling_applied: null };
190
- }
191
- return { effective_tier: ceiling, tier_ceiling_applied: ceiling };
192
- }
193
- export function validateRecordsAgainstHarness(records, harnessManifest) {
194
- if (!harnessManifest)
195
- return v29Pass();
196
- for (let i = 0; i < records.length; i++) {
197
- const r = records[i];
198
- const tierClaimed = r.tier_claimed;
199
- const surface = r.surface;
200
- let stored = r.tier_ceiling_applied;
201
- if (typeof stored === "string" && stored.length === 0)
202
- stored = null;
203
- if (typeof tierClaimed !== "string" || typeof surface !== "string")
204
- continue;
205
- const reproduced = reproduceTierCeiling(harnessManifest, surface, tierClaimed);
206
- if (reproduced.tier_ceiling_applied !== (stored ?? null)) {
207
- return v29Fail("harness_tier_ceiling_reproduction_mismatch", `records[${i}] surface=${surface} tier_claimed=${tierClaimed}`);
208
- }
209
- }
210
- return v29Pass();
211
- }
212
- // ── Runtime binding hash ──────────────────────────────────────────────
213
- export function validateRuntimeBindingHash(binding) {
214
- const stored = binding.binding_body_canonical_hash;
215
- let body = binding.binding_body_canonical_json;
216
- if (!body || typeof stored !== "string") {
217
- return v29Fail("runtime_binding_missing_body_or_hash");
218
- }
219
- if (typeof body === "string") {
220
- try {
221
- body = JSON.parse(body);
222
- }
223
- catch {
224
- return v29Fail("runtime_binding_body_not_json");
225
- }
226
- }
227
- const reproduced = canonicalHash(body);
228
- if (reproduced !== stored) {
229
- return v29Fail("runtime_binding_hash_reproduction_mismatch", `stored=${stored.slice(0, 24)}… reproduced=${reproduced.slice(0, 24)}…`);
230
- }
231
- return v29Pass();
232
- }
233
- // ── Manifest canonical hash ───────────────────────────────────────────
234
- export function reproduceManifestCanonicalHash(manifest, manifestKind) {
235
- let body;
236
- if (manifestKind === "agent") {
237
- body = {
238
- agent_manifest_id: manifest.agent_manifest_id,
239
- manifest_version: manifest.manifest_version,
240
- org_id: manifest.org_id,
241
- issuer_id: manifest.issuer_id,
242
- agent_name: manifest.agent_name,
243
- agent_kind: manifest.agent_kind,
244
- agent_vendor: manifest.agent_vendor,
245
- capability_grants: decodeJsonb(manifest.capability_grants),
246
- scope_expressions: decodeJsonb(manifest.scope_expressions),
247
- reversibility_overrides: decodeJsonb(manifest.reversibility_overrides) ?? {},
248
- model_profile_id: manifest.model_profile_id ?? null,
249
- agent_behavior_profile_id: manifest.agent_behavior_profile_id ?? null,
250
- applicable_action_profiles: decodeJsonb(manifest.applicable_action_profiles) ?? [],
251
- issued_at: manifest.issued_at,
252
- expires_at: manifest.expires_at,
253
- };
254
- }
255
- else {
256
- body = {
257
- harness_manifest_id: manifest.harness_manifest_id,
258
- manifest_version: manifest.manifest_version,
259
- org_id: manifest.org_id,
260
- issuer_id: manifest.issuer_id,
261
- harness_name: manifest.harness_name,
262
- harness_bundle_version: manifest.harness_bundle_version,
263
- config_hash: manifest.config_hash,
264
- native_config_hashes: decodeJsonb(manifest.native_config_hashes) ?? {},
265
- surface_tier_ceilings: decodeJsonb(manifest.surface_tier_ceilings),
266
- declared_blind_spots: decodeJsonb(manifest.declared_blind_spots) ?? [],
267
- detector_posture: decodeJsonb(manifest.detector_posture) ?? {},
268
- active_check_classes: decodeJsonb(manifest.active_check_classes) ?? [],
269
- issued_at: manifest.issued_at,
270
- expires_at: manifest.expires_at,
271
- };
272
- }
273
- return canonicalHash(body);
274
- }
275
- export function validateManifestCanonicalHash(manifest, manifestKind) {
276
- const stated = manifest.canonical_json_hash;
277
- if (typeof stated !== "string")
278
- return v29Fail("manifest_missing_canonical_hash");
279
- const reproduced = reproduceManifestCanonicalHash(manifest, manifestKind);
280
- if (reproduced !== stated) {
281
- return v29Fail("manifest_canonical_hash_reproduction_mismatch", `${manifestKind}: stored=${stated.slice(0, 24)}… reproduced=${reproduced.slice(0, 24)}…`);
282
- }
283
- return v29Pass();
284
- }
285
- // ── Top-level verify ──────────────────────────────────────────────────
286
- // ── Ed25519 signature validation (F3) ─────────────────────────────────
287
- function canonicalBodyBytes(body) {
288
- return Buffer.from(canonicalJson(body), "utf-8");
289
- }
290
- function decodeBase64Tolerant(s) {
291
- const normalized = s.replace(/-/g, "+").replace(/_/g, "/");
292
- const padded = normalized + "=".repeat((4 - (normalized.length % 4)) % 4);
293
- return Buffer.from(padded, "base64");
294
- }
295
- function verifyEd25519(bodyCanonicalBytes, signatureB64, publicKeyBytes) {
296
- if (!bodyCanonicalBytes.length || !signatureB64 || publicKeyBytes.length !== 32) {
297
- return false;
298
- }
299
- try {
300
- const sigBytes = decodeBase64Tolerant(signatureB64);
301
- // Wrap raw 32-byte ed25519 pubkey in a SubjectPublicKeyInfo via DER.
302
- // Node accepts raw key via createPublicKey({ key, format, type, namedCurve })
303
- // for ed25519 with type='spki' and DER bytes; the simpler path is to
304
- // build SPKI ourselves so we never depend on a higher-level format.
305
- const der = Buffer.concat([
306
- Buffer.from([0x30, 0x2a, 0x30, 0x05, 0x06, 0x03, 0x2b, 0x65, 0x70, 0x03, 0x21, 0x00]),
307
- Buffer.from(publicKeyBytes),
308
- ]);
309
- const keyObj = createPublicKey({ key: der, format: "der", type: "spki" });
310
- return cryptoVerify(null, bodyCanonicalBytes, keyObj, sigBytes);
311
- }
312
- catch {
313
- return false;
314
- }
315
- }
316
- function manifestCanonicalBody(manifest, kind) {
317
- if (kind === "agent") {
318
- return {
319
- agent_manifest_id: manifest.agent_manifest_id ?? null,
320
- manifest_version: manifest.manifest_version ?? null,
321
- org_id: manifest.org_id ?? null,
322
- issuer_id: manifest.issuer_id ?? null,
323
- agent_name: manifest.agent_name ?? null,
324
- agent_kind: manifest.agent_kind ?? null,
325
- agent_vendor: manifest.agent_vendor ?? null,
326
- capability_grants: decodeJsonb(manifest.capability_grants) ?? null,
327
- scope_expressions: decodeJsonb(manifest.scope_expressions) ?? null,
328
- reversibility_overrides: decodeJsonb(manifest.reversibility_overrides) ?? {},
329
- model_profile_id: manifest.model_profile_id ?? null,
330
- agent_behavior_profile_id: manifest.agent_behavior_profile_id ?? null,
331
- applicable_action_profiles: decodeJsonb(manifest.applicable_action_profiles) ?? [],
332
- issued_at: manifest.issued_at ?? null,
333
- expires_at: manifest.expires_at ?? null,
334
- };
335
- }
336
- return {
337
- harness_manifest_id: manifest.harness_manifest_id ?? null,
338
- manifest_version: manifest.manifest_version ?? null,
339
- org_id: manifest.org_id ?? null,
340
- issuer_id: manifest.issuer_id ?? null,
341
- harness_name: manifest.harness_name ?? null,
342
- harness_bundle_version: manifest.harness_bundle_version ?? null,
343
- config_hash: manifest.config_hash ?? null,
344
- native_config_hashes: decodeJsonb(manifest.native_config_hashes) ?? {},
345
- surface_tier_ceilings: decodeJsonb(manifest.surface_tier_ceilings) ?? {},
346
- declared_blind_spots: decodeJsonb(manifest.declared_blind_spots) ?? [],
347
- detector_posture: decodeJsonb(manifest.detector_posture) ?? {},
348
- active_check_classes: decodeJsonb(manifest.active_check_classes) ?? [],
349
- issued_at: manifest.issued_at ?? null,
350
- expires_at: manifest.expires_at ?? null,
351
- };
352
- }
353
- export function validateRuntimeBindingSignature(binding, pubkeyResolver) {
354
- if (!pubkeyResolver)
355
- return v29Pass();
356
- const sig = binding.signature;
357
- const kid = binding.kms_kid;
358
- let body = binding.binding_body_canonical_json;
359
- if (!body || typeof sig !== "string" || typeof kid !== "string") {
360
- return v29Fail("runtime_binding_signature_missing", `body=${!!body} sig=${!!sig} kid=${!!kid}`);
361
- }
362
- if (typeof body === "string") {
363
- try {
364
- body = JSON.parse(body);
365
- }
366
- catch {
367
- return v29Fail("runtime_binding_body_not_json");
368
- }
369
- }
370
- let pubkey;
371
- try {
372
- pubkey = pubkeyResolver(kid);
373
- }
374
- catch (e) {
375
- return v29Fail("runtime_binding_pubkey_unresolvable", `kid=${kid}: ${e}`);
376
- }
377
- if (!verifyEd25519(canonicalBodyBytes(body), sig, pubkey)) {
378
- return v29Fail("runtime_binding_signature_invalid");
379
- }
380
- return v29Pass();
381
- }
382
- export function validateManifestSignature(manifest, manifestKind, pubkeyResolver) {
383
- if (!pubkeyResolver)
384
- return v29Pass();
385
- const sig = manifest.signature;
386
- const kid = manifest.kms_kid;
387
- if (typeof sig !== "string" || typeof kid !== "string") {
388
- return v29Fail(`${manifestKind}_manifest_signature_missing`, `sig=${!!sig} kid=${!!kid}`);
389
- }
390
- let pubkey;
391
- try {
392
- pubkey = pubkeyResolver(kid);
393
- }
394
- catch (e) {
395
- return v29Fail(`${manifestKind}_manifest_pubkey_unresolvable`, `kid=${kid}: ${e}`);
396
- }
397
- const body = manifestCanonicalBody(manifest, manifestKind);
398
- if (!verifyEd25519(canonicalBodyBytes(body), sig, pubkey)) {
399
- return v29Fail(`${manifestKind}_manifest_signature_invalid`);
400
- }
401
- return v29Pass();
402
- }
403
- export function verifyV29(opts) {
404
- if (opts.requireSignatures && !opts.pubkeyResolver) {
405
- return v29Fail("signature_resolver_required", "requireSignatures=true but no pubkeyResolver was provided");
406
- }
407
- let res = validateEnvelopeShape(opts.envelope);
408
- if (!res.ok)
409
- return res;
410
- res = validateAggregations(opts.envelope);
411
- if (!res.ok)
412
- return res;
413
- // F2 — pull bound manifests from envelope.run_header so an offline
414
- // verifier reconstructs ceiling/sig context without DB access.
415
- const rh = opts.envelope.run_header ?? {};
416
- const bound = rh.bound_manifests ?? {};
417
- const harnessBlock = opts.harnessManifest ?? bound.harness;
418
- const agentBlock = opts.agentManifest ?? bound.agent;
419
- const resolver = opts.pubkeyResolver ?? null;
420
- res = validateRecordsAgainstHarness(opts.envelope.records ?? [], harnessBlock ?? null);
421
- if (!res.ok)
422
- return res;
423
- if (opts.runtimeBinding) {
424
- res = validateRuntimeBindingHash(opts.runtimeBinding);
425
- if (!res.ok)
426
- return res;
427
- // F3
428
- res = validateRuntimeBindingSignature(opts.runtimeBinding, resolver);
429
- if (!res.ok)
430
- return res;
431
- }
432
- if (agentBlock) {
433
- res = validateManifestCanonicalHash(agentBlock, "agent");
434
- if (!res.ok)
435
- return res;
436
- res = validateManifestSignature(agentBlock, "agent", resolver);
437
- if (!res.ok)
438
- return res;
439
- }
440
- if (harnessBlock) {
441
- res = validateManifestCanonicalHash(harnessBlock, "harness");
442
- if (!res.ok)
443
- return res;
444
- res = validateManifestSignature(harnessBlock, "harness", resolver);
445
- if (!res.ok)
446
- return res;
447
- }
448
- return v29Pass();
449
- }
450
- //# sourceMappingURL=v29-envelope.js.map
package/dist/v29-envelope.js.map DELETED
@@ -1 +0,0 @@
1
- {"version":3,"file":"v29-envelope.js","sourceRoot":"","sources":["../src/v29-envelope.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAEH,OAAO,EAAE,UAAU,EAAE,eAAe,EAAE,MAAM,IAAI,YAAY,EAAE,MAAM,aAAa,CAAC;AASlF,MAAM,CAAC,MAAM,gBAAgB,GAAG,MAAM,CAAC;AAEvC,MAAM,CAAC,MAAM,aAAa,GAAG,IAAI,GAAG,CAAC;IACnC,kBAAkB;IAClB,iBAAiB;IACjB,0BAA0B;IAC1B,uBAAuB;IACvB,kBAAkB;IAClB,uBAAuB;IACvB,qBAAqB;IACrB,cAAc;IACd,gBAAgB;CACjB,CAAC,CAAC;AAEH,MAAM,CAAC,MAAM,mBAAmB,GAAG,IAAI,GAAG,CAAC,CAAC,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,CAAC,CAAC,CAAC;AAEvF,MAAM,CAAC,MAAM,oBAAoB,GAAG;IAClC,aAAa;IACb,WAAW;IACX,WAAW;IACX,gBAAgB;IAChB,sBAAsB;IACtB,cAAc;CACN,CAAC;AAIX,MAAM,UAAU,GAA2B,MAAM,CAAC,WAAW,CAC3D,oBAAoB,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAC3C,CAAC;AAQF,MAAM,CAAC,MAAM,OAAO,GAAG,GAAoB,EAAE,CAAC,CAAC,EAAE,EAAE,EAAE,IAAI,EAAE,UAAU,EAAE,IAAI,EAAE,CAAC,CAAC;AAC/E,MAAM,CAAC,MAAM,OAAO,GAAG,CAAC,IAAY,EAAE,MAAM,GAAG,EAAE,EAAmB,EAAE,CAAC,CAAC;IACtE,EAAE,EAAE,KAAK;IACT,UAAU,EAAE,IAAI;IAChB,MAAM;CACP,CAAC,CAAC;AAEH,yEAAyE;AACzE,EAAE;AACF,mEAAmE;AACnE,2EAA2E;AAC3E,mBAAmB;AACnB,sCAAsC;AACtC,0BAA0B;AAC1B,yEAAyE;AACzE,wEAAwE;AACxE,0CAA0C;AAE1C,SAAS,SAAS,CAAC,CAAU;IAC3B,IAAI,CAAC,KAAK,IAAI,IAAI,OAAO,CAAC,KAAK,QAAQ;QAAE,OAAO,CAAC,CAAC;IAClD,IAAI,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC;QAAE,OAAO,CAAC,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;IAC9C,4BAA4B;IAC5B,MAAM,GAAG,GAA4B,EAAE,CAAC;IACxC,KAAK,MAAM,CAAC,IAAI,MAAM,CAAC,IAAI,CAAC,CAA4B,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC;QACjE,GAAG,CAAC,CAAC,CAAC,GAAG,SAAS,CAAE,CAA6B,CAAC,CAAC,CAAC,CAAC,CAAC;IACxD,CAAC;IACD,OAAO,GAAG,CAAC;AACb,CAAC;AAED,MAAM,UAAU,aAAa,CAAC,KAAc;IAC1C,OAAO,IAAI,CAAC,SAAS,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC,CAAC;AAC1C,CAAC;AAED,MAAM,UAAU,aAAa,CAAC,KAAc;IAC1C,OAAO,SAAS,GAAG,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,aAAa,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;AACrF,CAAC;AAED,yEAAyE;AAEzE,MAAM,UAAU,qBAAqB,CAAC,QAAiB;IACrD,IAAI,OAAO,QAAQ,KAAK,QAAQ,IAAI,QAAQ,KAAK,IAAI,EAAE,CAAC;QACtD,OAAO,OAAO,CAAC,qBAAqB,CAAC,CAAC;IACxC,CAAC;IACD,MAAM,CAAC,GAAG,QAAmC,CAAC;IAC9C,IAAI,CAAC,CAAC,gBAAgB,KAAK,gBAAgB,EAAE,CAAC;QAC5C,OAAO,OAAO,CACZ,2BAA2B,EAC3B,YAAY,gBAAgB,SAAS,IAAI,CAAC,SAAS,CAAC,CAAC,CAAC,gBAAgB,CAAC,EAAE,CAC1E,CAAC;IACJ,CAAC;IACD,KAAK,MAAM,CAAC,IAAI,CAAC,YAAY,EAAE,SAAS,EAAE,cAAc,CAAC,EAAE,CAAC;QAC1D,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC;YAAE,OAAO,OAAO,CAAC,sBAAsB,EAAE,CAAC,CAAC,CAAC;IAC3D,CAAC;IACD,MAAM,MAAM,GAAG,CAAC,CAAC,UAA4C,CAAC;IAC9D,IAAI,OAAO,MAAM,KAAK,QAAQ,IAAI,MAAM,KAAK,IAAI,EAAE,CAAC;QAClD,OAAO,OAAO,CAAC,uBAAuB,CAAC,CAAC;IAC1C,CAAC;IACD,KAAK,MAAM,CAAC,IAAI,CAAC,QAAQ,EAAE,QAAQ,EAAE,WAAW,EAAE,oBAAoB,CAAC,EAAE,CAAC;QACxE,IAAI,CAAC,CAAC,CAAC,IAAI,MAAM,CAAC;YAAE,OAAO,OAAO,CAAC,wBAAwB,EAAE,CAAC,CAAC,CAAC;IAClE,CAAC;IACD,MAAM,OAAO,GAAG,CAAC,CAAC,OAAO,CAAC;IAC1B,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,OAAO,CAAC;QAAE,OAAO,OAAO,CAAC,mBAAmB,CAAC,CAAC;IACjE,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,OAAO,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QACxC,MAAM,CAAC,GAAG,OAAO,CAAC,CAAC,CAAmC,CAAC;QACvD,IAAI,OAAO,CAAC,KAAK,QAAQ,IAAI,CAAC,KAAK,IAAI,EAAE,CAAC;YACxC,OAAO,OAAO,CAAC,mBAAmB,EAAE,WAAW,CAAC,GAAG,CAAC,CAAC;QACvD,CAAC;QACD,IAAI,CAAC,aAAa,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,EAAE,CAAC;YACvC,OAAO,OAAO,CAAC,qBAAqB,EAAE,WAAW,CAAC,UAAU,IAAI,CAAC,SAAS,CAAC,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QACxF,CAAC;QACD,IAAI,CAAC,CAAC,UAAU,IAAI,IAAI,IAAI,CAAC,mBAAmB,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC,EAAE,CAAC;YAC3E,OAAO,OAAO,CACZ,2BAA2B,EAC3B,WAAW,CAAC,gBAAgB,IAAI,CAAC,SAAS,CAAC,CAAC,CAAC,UAAU,CAAC,EAAE,CAC3D,CAAC;QACJ,CAAC;IACH,CAAC;IACD,OAAO,OAAO,EAAE,CAAC;AACnB,CAAC;AAED,yEAAyE;AAEzE,MAAM,UAAU,qBAAqB,CACnC,OAAuC;IAEvC,MAAM,QAAQ,GAA2B,EAAE,CAAC;IAC5C,KAAK,MAAM,CAAC,IAAI,oBAAoB;QAAE,QAAQ,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC;IACtD,MAAM,UAAU,GAAiE,EAAE,CAAC;IACpF,IAAI,QAAQ,GAAkB,IAAI,CAAC;IACnC,IAAI,MAAM,GAAG,CAAC,CAAC;IACf,IAAI,aAAa,GAAG,CAAC,CAAC;IAEtB,KAAK,MAAM,CAAC,IAAI,OAAO,EAAE,CAAC;QACxB,MAAM,IAAI,GAAG,CAAC,CAAC,aAAa,CAAC;QAC7B,IAAI,OAAO,IAAI,KAAK,QAAQ,IAAI,IAAI,IAAI,QAAQ,EAAE,CAAC;YACjD,QAAQ,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YACpB,aAAa,IAAI,CAAC,CAAC;YACnB,MAAM,GAAG,GAAG,UAAU,CAAC,IAAI,CAAC,CAAC;YAC7B,IAAI,QAAQ,KAAK,IAAI,IAAI,GAAG,GAAG,QAAQ;gBAAE,QAAQ,GAAG,GAAG,CAAC;YACxD,IAAI,GAAG,GAAG,CAAC;gBAAE,MAAM,IAAI,CAAC,CAAC;QAC3B,CAAC;QACD,MAAM,IAAI,GAAG,CAAC,CAAC,UAAU,CAAC;QAC1B,IAAI,OAAO,IAAI,KAAK,QAAQ,IAAI,mBAAmB,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE,CAAC;YAC9D,MAAM,IAAI,GAAG,UAAU,CAAC,IAAI,CAAC,IAAI,EAAE,KAAK,EAAE,CAAC,EAAE,UAAU,EAAE,IAAI,EAAE,CAAC;YAChE,IAAI,CAAC,KAAK,IAAI,CAAC,CAAC;YAChB,IAAI,OAAO,IAAI,KAAK,QAAQ,IAAI,IAAI,IAAI,UAAU,EAAE,CAAC;gBACnD,IAAI,IAAI,CAAC,UAAU,KAAK,IAAI,IAAI,UAAU,CAAC,IAAI,CAAC,GAAG,UAAU,CAAC,IAAI,CAAC,UAAU,CAAC,EAAE,CAAC;oBAC/E,IAAI,CAAC,UAAU,GAAG,IAAI,CAAC;gBACzB,CAAC;YACH,CAAC;YACD,UAAU,CAAC,IAAI,CAAC,GAAG,IAAI,CAAC;QAC1B,CAAC;IACH,CAAC;IAED,uEAAuE;IACvE,sEAAsE;IACtE,sEAAsE;IACtE,MAAM,eAAe,GACnB,aAAa,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,MAAM,GAAG,aAAa,CAAC,GAAG,KAAK,CAAC,GAAG,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC;IAEjF,OAAO;QACL,oBAAoB,EAAE,UAAU;QAChC,SAAS,EAAE,QAAQ;QACnB,iBAAiB,EAAE,QAAQ,KAAK,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,oBAAoB,CAAC,QAAQ,CAAC;QAC5E,gBAAgB,EAAE,eAAe;QACjC,0BAA0B,EAAE;YAC1B,iBAAiB,EAAE,aAAa;YAChC,gCAAgC,EAAE,MAAM;SACzC;KACF,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,oBAAoB,CAAC,QAAiC;IACpE,MAAM,MAAM,GAAI,QAAQ,CAAC,YAAwC,IAAI,EAAE,CAAC;IACxE,MAAM,QAAQ,GAAG,qBAAqB,CACnC,QAAQ,CAAC,OAA0C,IAAI,EAAE,CAC3D,CAAC;IACF,IAAI,aAAa,CAAC,MAAM,CAAC,KAAK,aAAa,CAAC,QAAQ,CAAC,EAAE,CAAC;QACtD,OAAO,OAAO,CACZ,mCAAmC,EACnC,yDAAyD,CAC1D,CAAC;IACJ,CAAC;IACD,OAAO,OAAO,EAAE,CAAC;AACnB,CAAC;AAED,yEAAyE;AAEzE,SAAS,WAAW,CAAC,CAAU;IAC7B,IAAI,CAAC,IAAI,IAAI;QAAE,OAAO,IAAI,CAAC;IAC3B,IAAI,OAAO,CAAC,KAAK,QAAQ,EAAE,CAAC;QAC1B,IAAI,CAAC;YACH,OAAO,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;QACvB,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,IAAI,CAAC;QACd,CAAC;IACH,CAAC;IACD,OAAO,CAAC,CAAC;AACX,CAAC;AAED,qEAAqE;AACrE,sEAAsE;AACtE,MAAM,UAAU,oBAAoB,CAClC,eAAwC,EACxC,OAAe,EACf,WAAmB;IAEnB,MAAM,QAAQ,GAAG,CAAC,WAAW,CAAC,eAAe,CAAC,qBAAqB,CAAC,IAAI,EAAE,CAGzE,CAAC;IACF,MAAM,OAAO,GAAG,QAAQ,CAAC,OAAO,CAAC,CAAC;IAClC,IAAI,OAAO,IAAI,IAAI,EAAE,CAAC;QACpB,OAAO,EAAE,cAAc,EAAE,WAAW,EAAE,oBAAoB,EAAE,IAAI,EAAE,CAAC;IACrE,CAAC;IACD,MAAM,QAAQ,GAAG,UAAU,CAAC,WAAW,CAAC,IAAI,CAAC,CAAC,CAAC;IAC/C,MAAM,OAAO,GAAG,UAAU,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC;IAC1C,IAAI,QAAQ,IAAI,OAAO,IAAI,QAAQ,KAAK,CAAC,CAAC,EAAE,CAAC;QAC3C,OAAO,EAAE,cAAc,EAAE,WAAW,EAAE,oBAAoB,EAAE,IAAI,EAAE,CAAC;IACrE,CAAC;IACD,OAAO,EAAE,cAAc,EAAE,OAAO,EAAE,oBAAoB,EAAE,OAAO,EAAE,CAAC;AACpE,CAAC;AAED,MAAM,UAAU,6BAA6B,CAC3C,OAAuC,EACvC,eAA+C;IAE/C,IAAI,CAAC,eAAe;QAAE,OAAO,OAAO,EAAE,CAAC;IACvC,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,OAAO,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QACxC,MAAM,CAAC,GAAG,OAAO,CAAC,CAAC,CAAC,CAAC;QACrB,MAAM,WAAW,GAAG,CAAC,CAAC,YAAY,CAAC;QACnC,MAAM,OAAO,GAAG,CAAC,CAAC,OAAO,CAAC;QAC1B,IAAI,MAAM,GAAG,CAAC,CAAC,oBAAoB,CAAC;QACpC,IAAI,OAAO,MAAM,KAAK,QAAQ,IAAI,MAAM,CAAC,MAAM,KAAK,CAAC;YAAE,MAAM,GAAG,IAAI,CAAC;QACrE,IAAI,OAAO,WAAW,KAAK,QAAQ,IAAI,OAAO,OAAO,KAAK,QAAQ;YAAE,SAAS;QAC7E,MAAM,UAAU,GAAG,oBAAoB,CAAC,eAAe,EAAE,OAAO,EAAE,WAAW,CAAC,CAAC;QAC/E,IAAI,UAAU,CAAC,oBAAoB,KAAK,CAAC,MAAM,IAAI,IAAI,CAAC,EAAE,CAAC;YACzD,OAAO,OAAO,CACZ,4CAA4C,EAC5C,WAAW,CAAC,aAAa,OAAO,iBAAiB,WAAW,EAAE,CAC/D,CAAC;QACJ,CAAC;IACH,CAAC;IACD,OAAO,OAAO,EAAE,CAAC;AACnB,CAAC;AAED,yEAAyE;AAEzE,MAAM,UAAU,0BAA0B,CACxC,OAAgC;IAEhC,MAAM,MAAM,GAAG,OAAO,CAAC,2BAA2B,CAAC;IACnD,IAAI,IAAI,GAAG,OAAO,CAAC,2BAA2B,CAAC;IAC/C,IAAI,CAAC,IAAI,IAAI,OAAO,MAAM,KAAK,QAAQ,EAAE,CAAC;QACxC,OAAO,OAAO,CAAC,sCAAsC,CAAC,CAAC;IACzD,CAAC;IACD,IAAI,OAAO,IAAI,KAAK,QAAQ,EAAE,CAAC;QAC7B,IAAI,CAAC;YACH,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;QAC1B,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,OAAO,CAAC,+BAA+B,CAAC,CAAC;QAClD,CAAC;IACH,CAAC;IACD,MAAM,UAAU,GAAG,aAAa,CAAC,IAAI,CAAC,CAAC;IACvC,IAAI,UAAU,KAAK,MAAM,EAAE,CAAC;QAC1B,OAAO,OAAO,CACZ,4CAA4C,EAC5C,UAAU,MAAM,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,gBAAgB,UAAU,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,GAAG,CACxE,CAAC;IACJ,CAAC;IACD,OAAO,OAAO,EAAE,CAAC;AACnB,CAAC;AAED,yEAAyE;AAEzE,MAAM,UAAU,8BAA8B,CAC5C,QAAiC,EACjC,YAAiC;IAEjC,IAAI,IAA6B,CAAC;IAClC,IAAI,YAAY,KAAK,OAAO,EAAE,CAAC;QAC7B,IAAI,GAAG;YACL,iBAAiB,EAAE,QAAQ,CAAC,iBAAiB;YAC7C,gBAAgB,EAAE,QAAQ,CAAC,gBAAgB;YAC3C,MAAM,EAAE,QAAQ,CAAC,MAAM;YACvB,SAAS,EAAE,QAAQ,CAAC,SAAS;YAC7B,UAAU,EAAE,QAAQ,CAAC,UAAU;YAC/B,UAAU,EAAE,QAAQ,CAAC,UAAU;YAC/B,YAAY,EAAE,QAAQ,CAAC,YAAY;YACnC,iBAAiB,EAAE,WAAW,CAAC,QAAQ,CAAC,iBAAiB,CAAC;YAC1D,iBAAiB,EAAE,WAAW,CAAC,QAAQ,CAAC,iBAAiB,CAAC;YAC1D,uBAAuB,EAAE,WAAW,CAAC,QAAQ,CAAC,uBAAuB,CAAC,IAAI,EAAE;YAC5E,gBAAgB,EAAE,QAAQ,CAAC,gBAAgB,IAAI,IAAI;YACnD,yBAAyB,EAAE,QAAQ,CAAC,yBAAyB,IAAI,IAAI;YACrE,0BAA0B,EAAE,WAAW,CAAC,QAAQ,CAAC,0BAA0B,CAAC,IAAI,EAAE;YAClF,SAAS,EAAE,QAAQ,CAAC,SAAS;YAC7B,UAAU,EAAE,QAAQ,CAAC,UAAU;SAChC,CAAC;IACJ,CAAC;SAAM,CAAC;QACN,IAAI,GAAG;YACL,mBAAmB,EAAE,QAAQ,CAAC,mBAAmB;YACjD,gBAAgB,EAAE,QAAQ,CAAC,gBAAgB;YAC3C,MAAM,EAAE,QAAQ,CAAC,MAAM;YACvB,SAAS,EAAE,QAAQ,CAAC,SAAS;YAC7B,YAAY,EAAE,QAAQ,CAAC,YAAY;YACnC,sBAAsB,EAAE,QAAQ,CAAC,sBAAsB;YACvD,WAAW,EAAE,QAAQ,CAAC,WAAW;YACjC,oBAAoB,EAAE,WAAW,CAAC,QAAQ,CAAC,oBAAoB,CAAC,IAAI,EAAE;YACtE,qBAAqB,EAAE,WAAW,CAAC,QAAQ,CAAC,qBAAqB,CAAC;YAClE,oBAAoB,EAAE,WAAW,CAAC,QAAQ,CAAC,oBAAoB,CAAC,IAAI,EAAE;YACtE,gBAAgB,EAAE,WAAW,CAAC,QAAQ,CAAC,gBAAgB,CAAC,IAAI,EAAE;YAC9D,oBAAoB,EAAE,WAAW,CAAC,QAAQ,CAAC,oBAAoB,CAAC,IAAI,EAAE;YACtE,SAAS,EAAE,QAAQ,CAAC,SAAS;YAC7B,UAAU,EAAE,QAAQ,CAAC,UAAU;SAChC,CAAC;IACJ,CAAC;IACD,OAAO,aAAa,CAAC,IAAI,CAAC,CAAC;AAC7B,CAAC;AAED,MAAM,UAAU,6BAA6B,CAC3C,QAAiC,EACjC,YAAiC;IAEjC,MAAM,MAAM,GAAG,QAAQ,CAAC,mBAAmB,CAAC;IAC5C,IAAI,OAAO,MAAM,KAAK,QAAQ;QAAE,OAAO,OAAO,CAAC,iCAAiC,CAAC,CAAC;IAClF,MAAM,UAAU,GAAG,8BAA8B,CAAC,QAAQ,EAAE,YAAY,CAAC,CAAC;IAC1E,IAAI,UAAU,KAAK,MAAM,EAAE,CAAC;QAC1B,OAAO,OAAO,CACZ,+CAA+C,EAC/C,GAAG,YAAY,YAAY,MAAM,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,gBAAgB,UAAU,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,GAAG,CACzF,CAAC;IACJ,CAAC;IACD,OAAO,OAAO,EAAE,CAAC;AACnB,CAAC;AAED,yEAAyE;AAEzE,yEAAyE;AAEzE,SAAS,kBAAkB,CAAC,IAA6B;IACvD,OAAO,MAAM,CAAC,IAAI,CAAC,aAAa,CAAC,IAAI,CAAC,EAAE,OAAO,CAAC,CAAC;AACnD,CAAC;AAED,SAAS,oBAAoB,CAAC,CAAS;IACrC,MAAM,UAAU,GAAG,CAAC,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC;IAC3D,MAAM,MAAM,GAAG,UAAU,GAAG,GAAG,CAAC,MAAM,CAAC,CAAC,CAAC,GAAG,CAAC,UAAU,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;IAC1E,OAAO,MAAM,CAAC,IAAI,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC;AACvC,CAAC;AAED,SAAS,aAAa,CACpB,kBAA0B,EAC1B,YAAoB,EACpB,cAA0B;IAE1B,IAAI,CAAC,kBAAkB,CAAC,MAAM,IAAI,CAAC,YAAY,IAAI,cAAc,CAAC,MAAM,KAAK,EAAE,EAAE,CAAC;QAChF,OAAO,KAAK,CAAC;IACf,CAAC;IACD,IAAI,CAAC;QACH,MAAM,QAAQ,GAAG,oBAAoB,CAAC,YAAY,CAAC,CAAC;QACpD,qEAAqE;QACrE,8EAA8E;QAC9E,qEAAqE;QACrE,oEAAoE;QACpE,MAAM,GAAG,GAAG,MAAM,CAAC,MAAM,CAAC;YACxB,MAAM,CAAC,IAAI,CAAC,CAAC,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,CAAC,CAAC;YACrF,MAAM,CAAC,IAAI,CAAC,cAAc,CAAC;SAC5B,CAAC,CAAC;QACH,MAAM,MAAM,GAAG,eAAe,CAAC,EAAE,GAAG,EAAE,GAAG,EAAE,MAAM,EAAE,KAAK,EAAE,IAAI,EAAE,MAAM,EAAE,CAAC,CAAC;QAC1E,OAAO,YAAY,CAAC,IAAI,EAAE,kBAAkB,EAAE,MAAM,EAAE,QAAQ,CAAC,CAAC;IAClE,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAC;IACf,CAAC;AACH,CAAC;AAED,SAAS,qBAAqB,CAC5B,QAAiC,EACjC,IAAyB;IAEzB,IAAI,IAAI,KAAK,OAAO,EAAE,CAAC;QACrB,OAAO;YACL,iBAAiB,EAAE,QAAQ,CAAC,iBAAiB,IAAI,IAAI;YACrD,gBAAgB,EAAE,QAAQ,CAAC,gBAAgB,IAAI,IAAI;YACnD,MAAM,EAAE,QAAQ,CAAC,MAAM,IAAI,IAAI;YAC/B,SAAS,EAAE,QAAQ,CAAC,SAAS,IAAI,IAAI;YACrC,UAAU,EAAE,QAAQ,CAAC,UAAU,IAAI,IAAI;YACvC,UAAU,EAAE,QAAQ,CAAC,UAAU,IAAI,IAAI;YACvC,YAAY,EAAE,QAAQ,CAAC,YAAY,IAAI,IAAI;YAC3C,iBAAiB,EAAE,WAAW,CAAC,QAAQ,CAAC,iBAAiB,CAAC,IAAI,IAAI;YAClE,iBAAiB,EAAE,WAAW,CAAC,QAAQ,CAAC,iBAAiB,CAAC,IAAI,IAAI;YAClE,uBAAuB,EAAE,WAAW,CAAC,QAAQ,CAAC,uBAAuB,CAAC,IAAI,EAAE;YAC5E,gBAAgB,EAAE,QAAQ,CAAC,gBAAgB,IAAI,IAAI;YACnD,yBAAyB,EAAE,QAAQ,CAAC,yBAAyB,IAAI,IAAI;YACrE,0BAA0B,EAAE,WAAW,CAAC,QAAQ,CAAC,0BAA0B,CAAC,IAAI,EAAE;YAClF,SAAS,EAAE,QAAQ,CAAC,SAAS,IAAI,IAAI;YACrC,UAAU,EAAE,QAAQ,CAAC,UAAU,IAAI,IAAI;SACxC,CAAC;IACJ,CAAC;IACD,OAAO;QACL,mBAAmB,EAAE,QAAQ,CAAC,mBAAmB,IAAI,IAAI;QACzD,gBAAgB,EAAE,QAAQ,CAAC,gBAAgB,IAAI,IAAI;QACnD,MAAM,EAAE,QAAQ,CAAC,MAAM,IAAI,IAAI;QAC/B,SAAS,EAAE,QAAQ,CAAC,SAAS,IAAI,IAAI;QACrC,YAAY,EAAE,QAAQ,CAAC,YAAY,IAAI,IAAI;QAC3C,sBAAsB,EAAE,QAAQ,CAAC,sBAAsB,IAAI,IAAI;QAC/D,WAAW,EAAE,QAAQ,CAAC,WAAW,IAAI,IAAI;QACzC,oBAAoB,EAAE,WAAW,CAAC,QAAQ,CAAC,oBAAoB,CAAC,IAAI,EAAE;QACtE,qBAAqB,EAAE,WAAW,CAAC,QAAQ,CAAC,qBAAqB,CAAC,IAAI,EAAE;QACxE,oBAAoB,EAAE,WAAW,CAAC,QAAQ,CAAC,oBAAoB,CAAC,IAAI,EAAE;QACtE,gBAAgB,EAAE,WAAW,CAAC,QAAQ,CAAC,gBAAgB,CAAC,IAAI,EAAE;QAC9D,oBAAoB,EAAE,WAAW,CAAC,QAAQ,CAAC,oBAAoB,CAAC,IAAI,EAAE;QACtE,SAAS,EAAE,QAAQ,CAAC,SAAS,IAAI,IAAI;QACrC,UAAU,EAAE,QAAQ,CAAC,UAAU,IAAI,IAAI;KACxC,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,+BAA+B,CAC7C,OAAgC,EAChC,cAAqC;IAErC,IAAI,CAAC,cAAc;QAAE,OAAO,OAAO,EAAE,CAAC;IACtC,MAAM,GAAG,GAAG,OAAO,CAAC,SAAS,CAAC;IAC9B,MAAM,GAAG,GAAG,OAAO,CAAC,OAAO,CAAC;IAC5B,IAAI,IAAI,GAAG,OAAO,CAAC,2BAA2B,CAAC;IAC/C,IAAI,CAAC,IAAI,IAAI,OAAO,GAAG,KAAK,QAAQ,IAAI,OAAO,GAAG,KAAK,QAAQ,EAAE,CAAC;QAChE,OAAO,OAAO,CACZ,mCAAmC,EACnC,QAAQ,CAAC,CAAC,IAAI,QAAQ,CAAC,CAAC,GAAG,QAAQ,CAAC,CAAC,GAAG,EAAE,CAC3C,CAAC;IACJ,CAAC;IACD,IAAI,OAAO,IAAI,KAAK,QAAQ,EAAE,CAAC;QAC7B,IAAI,CAAC;YACH,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;QAC1B,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,OAAO,CAAC,+BAA+B,CAAC,CAAC;QAClD,CAAC;IACH,CAAC;IACD,IAAI,MAAkB,CAAC;IACvB,IAAI,CAAC;QACH,MAAM,GAAG,cAAc,CAAC,GAAG,CAAC,CAAC;IAC/B,CAAC;IAAC,OAAO,CAAC,EAAE,CAAC;QACX,OAAO,OAAO,CAAC,qCAAqC,EAAE,OAAO,GAAG,KAAK,CAAC,EAAE,CAAC,CAAC;IAC5E,CAAC;IACD,IAAI,CAAC,aAAa,CAAC,kBAAkB,CAAC,IAA+B,CAAC,EAAE,GAAG,EAAE,MAAM,CAAC,EAAE,CAAC;QACrF,OAAO,OAAO,CAAC,mCAAmC,CAAC,CAAC;IACtD,CAAC;IACD,OAAO,OAAO,EAAE,CAAC;AACnB,CAAC;AAED,MAAM,UAAU,yBAAyB,CACvC,QAAiC,EACjC,YAAiC,EACjC,cAAqC;IAErC,IAAI,CAAC,cAAc;QAAE,OAAO,OAAO,EAAE,CAAC;IACtC,MAAM,GAAG,GAAG,QAAQ,CAAC,SAAS,CAAC;IAC/B,MAAM,GAAG,GAAG,QAAQ,CAAC,OAAO,CAAC;IAC7B,IAAI,OAAO,GAAG,KAAK,QAAQ,IAAI,OAAO,GAAG,KAAK,QAAQ,EAAE,CAAC;QACvD,OAAO,OAAO,CACZ,GAAG,YAAY,6BAA6B,EAC5C,OAAO,CAAC,CAAC,GAAG,QAAQ,CAAC,CAAC,GAAG,EAAE,CAC5B,CAAC;IACJ,CAAC;IACD,IAAI,MAAkB,CAAC;IACvB,IAAI,CAAC;QACH,MAAM,GAAG,cAAc,CAAC,GAAG,CAAC,CAAC;IAC/B,CAAC;IAAC,OAAO,CAAC,EAAE,CAAC;QACX,OAAO,OAAO,CAAC,GAAG,YAAY,+BAA+B,EAAE,OAAO,GAAG,KAAK,CAAC,EAAE,CAAC,CAAC;IACrF,CAAC;IACD,MAAM,IAAI,GAAG,qBAAqB,CAAC,QAAQ,EAAE,YAAY,CAAC,CAAC;IAC3D,IAAI,CAAC,aAAa,CAAC,kBAAkB,CAAC,IAAI,CAAC,EAAE,GAAG,EAAE,MAAM,CAAC,EAAE,CAAC;QAC1D,OAAO,OAAO,CAAC,GAAG,YAAY,6BAA6B,CAAC,CAAC;IAC/D,CAAC;IACD,OAAO,OAAO,EAAE,CAAC;AACnB,CAAC;AAED,MAAM,UAAU,SAAS,CAAC,IAOzB;IACC,IAAI,IAAI,CAAC,iBAAiB,IAAI,CAAC,IAAI,CAAC,cAAc,EAAE,CAAC;QACnD,OAAO,OAAO,CACZ,6BAA6B,EAC7B,2DAA2D,CAC5D,CAAC;IACJ,CAAC;IACD,IAAI,GAAG,GAAG,qBAAqB,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;IAC/C,IAAI,CAAC,GAAG,CAAC,EAAE;QAAE,OAAO,GAAG,CAAC;IACxB,GAAG,GAAG,oBAAoB,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;IAC1C,IAAI,CAAC,GAAG,CAAC,EAAE;QAAE,OAAO,GAAG,CAAC;IAExB,mEAAmE;IACnE,+DAA+D;IAC/D,MAAM,EAAE,GAAI,IAAI,CAAC,QAAQ,CAAC,UAAsC,IAAI,EAAE,CAAC;IACvE,MAAM,KAAK,GAAI,EAAE,CAAC,eAA2C,IAAI,EAAE,CAAC;IACpE,MAAM,YAAY,GAChB,IAAI,CAAC,eAAe,IAAK,KAAK,CAAC,OAAmC,CAAC;IACrE,MAAM,UAAU,GAAG,IAAI,CAAC,aAAa,IAAK,KAAK,CAAC,KAAiC,CAAC;IAClF,MAAM,QAAQ,GAAG,IAAI,CAAC,cAAc,IAAI,IAAI,CAAC;IAE7C,GAAG,GAAG,6BAA6B,CAChC,IAAI,CAAC,QAAQ,CAAC,OAA0C,IAAI,EAAE,EAC/D,YAAY,IAAI,IAAI,CACrB,CAAC;IACF,IAAI,CAAC,GAAG,CAAC,EAAE;QAAE,OAAO,GAAG,CAAC;IACxB,IAAI,IAAI,CAAC,cAAc,EAAE,CAAC;QACxB,GAAG,GAAG,0BAA0B,CAAC,IAAI,CAAC,cAAc,CAAC,CAAC;QACtD,IAAI,CAAC,GAAG,CAAC,EAAE;YAAE,OAAO,GAAG,CAAC;QACxB,KAAK;QACL,GAAG,GAAG,+BAA+B,CAAC,IAAI,CAAC,cAAc,EAAE,QAAQ,CAAC,CAAC;QACrE,IAAI,CAAC,GAAG,CAAC,EAAE;YAAE,OAAO,GAAG,CAAC;IAC1B,CAAC;IACD,IAAI,UAAU,EAAE,CAAC;QACf,GAAG,GAAG,6BAA6B,CAAC,UAAU,EAAE,OAAO,CAAC,CAAC;QACzD,IAAI,CAAC,GAAG,CAAC,EAAE;YAAE,OAAO,GAAG,CAAC;QACxB,GAAG,GAAG,yBAAyB,CAAC,UAAU,EAAE,OAAO,EAAE,QAAQ,CAAC,CAAC;QAC/D,IAAI,CAAC,GAAG,CAAC,EAAE;YAAE,OAAO,GAAG,CAAC;IAC1B,CAAC;IACD,IAAI,YAAY,EAAE,CAAC;QACjB,GAAG,GAAG,6BAA6B,CAAC,YAAY,EAAE,SAAS,CAAC,CAAC;QAC7D,IAAI,CAAC,GAAG,CAAC,EAAE;YAAE,OAAO,GAAG,CAAC;QACxB,GAAG,GAAG,yBAAyB,CAAC,YAAY,EAAE,SAAS,EAAE,QAAQ,CAAC,CAAC;QACnE,IAAI,CAAC,GAAG,CAAC,EAAE;YAAE,OAAO,GAAG,CAAC;IAC1B,CAAC;IACD,OAAO,OAAO,EAAE,CAAC;AACnB,CAAC"}
package/dist/verifier.d.ts DELETED
@@ -1,36 +0,0 @@
1
- /**
2
- * primust-verify — Offline VPEC artifact verifier.
3
- *
4
- * ZERO runtime dependencies on Primust infrastructure after initial
5
- * public key fetch. Must verify a VPEC produced today in 10 years.
6
- *
7
- * Verification steps (in order):
8
- * 1. Schema validation
9
- * 2. SHA-256 integrity + Ed25519 signature (combined)
10
- * 3. Kid resolution
11
- * 4. Signer status check (Rekor — stubbed in v1)
12
- * 5. RFC 3161 timestamp verification (stubbed in v1)
13
- * 6. Proof level integrity
14
- * 7. Manifest hash audit
15
- * 8. ZK proof verification (stubbed in v1)
16
- * 9. test_mode check
17
- */
18
- import type { VerifyOptions, VerificationResult, UpstreamRootResolver } from './types.js';
19
- /**
20
- * Verify a VPEC artifact.
21
- *
22
- * @param artifact - Parsed artifact JSON (Record<string, unknown>)
23
- * @param options - Verification options
24
- * @param upstreamRootResolver - Optional synchronous resolver returning
25
- * the PARENT VPEC's `commitment_root_poseidon2` for a given upstream
26
- * VPEC envelope ID. When provided, governance_upstream_vpec_inclusion
27
- * proofs are anchored to `Poseidon2(lineage_commitment(child_run_id,
28
- * upstream_vpec_ids), parentRoot)` — the same reduction
29
- * `PolicySnapshotService.openRun` performs at issuance. When omitted,
30
- * the verifier falls back to anchoring against the artifact's own
31
- * `commitment_root_poseidon2` (legacy behavior — preserves backward
32
- * compat for callers that lack upstream-store context).
33
- * @returns VerificationResult with errors/warnings
34
- */
35
- export declare function verify(artifact: Record<string, unknown>, options?: VerifyOptions, upstreamRootResolver?: UpstreamRootResolver): Promise<VerificationResult>;
36
- //# sourceMappingURL=verifier.d.ts.map
package/dist/verifier.d.ts.map DELETED
@@ -1 +0,0 @@
1
- {"version":3,"file":"verifier.d.ts","sourceRoot":"","sources":["../src/verifier.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;GAgBG;AAcH,OAAO,KAAK,EACV,aAAa,EACb,kBAAkB,EAElB,oBAAoB,EACrB,MAAM,YAAY,CAAC;AA0EpB;;;;;;;;;;;;;;;GAeG;AACH,wBAAsB,MAAM,CAC1B,QAAQ,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EACjC,OAAO,GAAE,aAAkB,EAC3B,oBAAoB,CAAC,EAAE,oBAAoB,GAC1C,OAAO,CAAC,kBAAkB,CAAC,CA6X7B"}