@primust/verifier 1.0.0

package/dist/cli.js

@@ -0,0 +1,391 @@
+#!/usr/bin/env node
+/**
+ * primust-verify CLI
+ *
+ * Usage:
+ *   primust-verify vpec_<id>.json
+ *   primust-verify vpec_<id>.json --production
+ *   primust-verify vpec_<id>.json --trust-root ./my-pubkey.pem
+ *   primust-verify vpec_<id>.json --skip-network
+ *   primust-verify vpec_<id>.json --json
+ *
+ * Exit codes:
+ *   0 = valid (production)
+ *   1 = invalid / tampered
+ *   2 = valid but sandbox-only (or system error)
+ */
+import { readFileSync } from 'node:fs';
+import { parseArgs } from 'node:util';
+import { verify } from './verifier.js';
+import { createUpstreamRootResolver } from './upstream_resolver.js';
+const PROOF_LEVEL_DISPLAY = {
+    mathematical: 'mathematical',
+    verifiable_inference: 'verifiable_inference',
+    operator_bound: 'operator_bound',
+    execution: 'execution',
+    witnessed: 'witnessed',
+    attestation: 'attestation',
+};
+function formatProofLevel(level) {
+    return PROOF_LEVEL_DISPLAY[level] ?? level;
+}
+function formatDistribution(dist) {
+    const levels = ['mathematical', 'verifiable_inference', 'operator_bound', 'execution', 'witnessed', 'attestation'];
+    return levels
+        .filter((l) => typeof dist[l] === 'number' && dist[l] > 0)
+        .map((l) => `${formatProofLevel(l)}: ${dist[l]}`)
+        .join('  ');
+}
+function formatGapsSummary(gaps) {
+    if (gaps.length === 0)
+        return '0';
+    const counts = {};
+    for (const g of gaps) {
+        counts[g.severity] = (counts[g.severity] ?? 0) + 1;
+    }
+    const parts = Object.entries(counts).map(([sev, n]) => `${n} ${sev}`);
+    return `${gaps.length} (${parts.join(', ')})`;
+}
+function formatTimestamp(result) {
+    let ts = result.signed_at;
+    if (result.timestamp_anchor_valid === true) {
+        ts += ' (RFC 3161 \u2713)';
+    }
+    return ts;
+}
+/* ── V23-2: --format human — relying-party readable certificate ── */
+function formatHumanCertificate(artifact, result) {
+    const sig = result.valid ? 'VALID \u2713' : 'INVALID \u2717';
+    const env = artifact.environment === 'sandbox'
+        ? 'SANDBOX \u2014 not audit-acceptable'
+        : 'PRODUCTION';
+    const lines = [];
+    lines.push(`GOVERNANCE CREDENTIAL${' '.repeat(28)}${sig}`);
+    lines.push('\u2500'.repeat(56));
+    lines.push('');
+    lines.push(`Credential ID:    ${result.vpec_id}`);
+    lines.push(`System:           ${result.workflow_id}`);
+    lines.push(`Environment:      ${env}`);
+    const started = artifact.started_at ?? '';
+    const closed = artifact.closed_at ?? '';
+    if (started || closed) {
+        lines.push(`Run:              ${started} \u2192 ${closed}`);
+    }
+    lines.push('');
+    lines.push('SIGNATURE');
+    lines.push(`  Status:         ${sig}`);
+    lines.push(`  Signed by:      Primust, Inc.`);
+    lines.push(`  Timestamp:      ${result.timestamp_anchor_valid ? 'DigiCert RFC 3161' : 'unsigned'}`);
+    lines.push(`  Issued:         ${result.signed_at}`);
+    lines.push('');
+    lines.push('GOVERNANCE PROOF');
+    const ps = artifact.provable_surface;
+    lines.push(`  Provable surface: ${ps != null ? `${(ps * 100).toFixed(1)}%` : '\u2014'}`);
+    const records = artifact.records ?? [];
+    lines.push(`  Checks run:     ${records.length}`);
+    lines.push(`  Open gaps:      ${result.gaps.length}`);
+    // Action coverage (v23)
+    const ac = artifact.action_coverage;
+    if (ac) {
+        lines.push('');
+        lines.push('ACTION COVERAGE');
+        const total = ac.total_actions;
+        const gov = ac.governed_actions;
+        const ungov = ac.ungoverned_actions;
+        const cov = ac.coverage_pct ?? 0;
+        lines.push(`  Actions taken:  ${total}`);
+        lines.push(`  Governed:       ${gov}  (${(cov * 100).toFixed(1)}%)`);
+        lines.push(`  Ungoverned:     ${ungov}  (${((1 - cov) * 100).toFixed(1)}%)`);
+        // Rich mode — per-action detail
+        const ungovList = ac.ungoverned;
+        if (ungovList && ungovList.length > 0) {
+            lines.push('');
+            const cu = ac.consequential_ungoverned ?? {};
+            const cuIndices = cu.sequence_indices ?? [];
+            for (const u of ungovList) {
+                const idx = u.sequence_index ?? '?';
+                const atype = u.action_type ?? 'unknown';
+                const tname = u.tool_name;
+                let label = `  #${idx}   ${atype}`;
+                if (tname)
+                    label += `: ${tname}`;
+                label += cuIndices.includes(idx)
+                    ? '     \u26A0 consequential \u2014 no check ran'
+                    : '     \u2014 no check ran';
+                lines.push(label);
+            }
+        }
+        // Strict mode — indices only
+        const ungovIndices = ac.ungoverned_sequence_indices;
+        if (ungovIndices && ungovIndices.length > 0 && !ungovList) {
+            lines.push('');
+            lines.push(`  Ungoverned at indices: ${JSON.stringify(ungovIndices)}`);
+            const cuCount = ac.consequential_ungoverned_count;
+            if (cuCount)
+                lines.push(`  ${cuCount} consequential`);
+            lines.push('');
+            lines.push('  Per-action detail available via:');
+            lines.push('    primust verify-activity vpec.json activity_export.json');
+        }
+    }
+    // Check summaries with evidence_metadata (rich mode)
+    const metadataMode = artifact.metadata_mode;
+    if (records.length > 0 && metadataMode === 'rich') {
+        lines.push('');
+        lines.push('GOVERNANCE CHECKS');
+        const shown = records.slice(0, 10);
+        for (const r of shown) {
+            let checkId = r.manifest_id ?? r.check_id ?? 'unknown';
+            if (checkId.includes('@'))
+                checkId = checkId.split('@')[0];
+            const checkResult = r.check_result ?? 'unknown';
+            const em = r.evidence_metadata;
+            let line = `  ${checkId}: ${checkResult}`;
+            if (em) {
+                const details = [];
+                if ('entity_count' in em)
+                    details.push(`${em.entity_count} entities`);
+                if ('risk_score' in em)
+                    details.push(`risk ${em.risk_score}`);
+                if ('action_taken' in em)
+                    details.push(em.action_taken);
+                if (details.length > 0)
+                    line += `  (${details.join(', ')})`;
+            }
+            lines.push(line);
+        }
+        if (records.length > 10) {
+            lines.push(`  ... and ${records.length - 10} more checks`);
+        }
+    }
+    lines.push('');
+    lines.push('WHAT THIS PROVES');
+    lines.push('  Governance checks ran on the actions listed in this credential');
+    lines.push('  at the stated proof levels. This credential was issued at the');
+    lines.push('  time of the governed run and has not been altered since.');
+    lines.push('');
+    lines.push('WHAT THIS DOES NOT PROVE');
+    lines.push('  That the checks run constitute sufficient evidence for any');
+    lines.push('  specific regulatory requirement. That determination belongs');
+    lines.push('  to the customer, their compliance function, and their auditors.');
+    lines.push('');
+    lines.push('VERIFY INDEPENDENTLY');
+    lines.push(`  verify.primust.com/${result.vpec_id}`);
+    lines.push(`  primust verify ${result.vpec_id}.json`);
+    lines.push('\u2500'.repeat(56));
+    return lines.join('\n');
+}
+function printHumanResult(result) {
+    const dist = result.proof_distribution;
+    const cov = result.coverage;
+    if (result.valid) {
+        console.log(`\n  \u2713 VPEC ${result.vpec_id} \u2014 VALID`);
+    }
+    else {
+        console.log(`\n  \u2717 VPEC ${result.vpec_id} \u2014 INVALID`);
+        for (const err of result.errors) {
+            console.log(`    Error: ${err}`);
+        }
+    }
+    const distStr = formatDistribution(dist);
+    if (distStr) {
+        console.log(`    Distribution:  ${distStr}`);
+    }
+    console.log(`    Workflow:      ${result.workflow_id}`);
+    console.log(`    Org:           ${result.org_id}`);
+    console.log(`    Signed:        ${formatTimestamp(result)}`);
+    console.log(`    Signer:        ${result.signer_id} / kid: ${result.kid}`);
+    console.log(`    Rekor:         ${result.rekor_status}`);
+    if (cov && typeof cov.policy_coverage_pct === 'number') {
+        let covStr = `${cov.policy_coverage_pct}% policy`;
+        if (typeof cov.instrumentation_surface_pct === 'number') {
+            covStr += ` | ${cov.instrumentation_surface_pct}% instrumentation surface`;
+        }
+        console.log(`    Coverage:      ${covStr}`);
+    }
+    console.log(`    Gaps:          ${formatGapsSummary(result.gaps)}`);
+    if (result.process_context_hash) {
+        console.log(`    Process hash:  ${result.process_context_hash}`);
+    }
+    console.log(`    Test mode:     ${result.test_mode}`);
+    if (result.test_mode && result.valid) {
+        console.log(`    \u26A0 TEST CREDENTIAL \u2014 not for production use`);
+    }
+    if (result.warnings.length > 0) {
+        for (const w of result.warnings) {
+            console.log(`    Warning: ${w}`);
+        }
+    }
+    console.log('');
+}
+export async function main(args) {
+    let parsed;
+    try {
+        parsed = parseArgs({
+            args: args ?? process.argv.slice(2),
+            options: {
+                production: { type: 'boolean', default: false },
+                'skip-network': { type: 'boolean', default: false },
+                'trust-root': { type: 'string' },
+                json: { type: 'boolean', default: false },
+                format: { type: 'string' },
+                human: { type: 'boolean', default: false },
+                help: { type: 'boolean', short: 'h', default: false },
+                // Follow-6 #79: parent-root upstream-VPEC anchor check. When the
+                // local SqliteStore (or an envelope file) contains the parent
+                // VPEC's commitment_root, the verifier upgrades the legacy
+                // "unanchored" warning to a cryptographic equality check.
+                'upstream-db': { type: 'string' },
+                'upstream-envelope': { type: 'string', multiple: true },
+            },
+            allowPositionals: true,
+        });
+    }
+    catch (err) {
+        console.error(`Error: ${err.message}`);
+        return 2;
+    }
+    if (parsed.values.help || parsed.positionals.length === 0) {
+        console.log('Usage: primust-verify [format] <artifact.json> [options]');
+        console.log('');
+        console.log('Formats: vpec, pack, w3c-vc, dsse, scitt, receipt, all');
+        console.log('If format omitted, auto-detects from file contents.');
+        console.log('');
+        console.log('Options:');
+        console.log('  --production      Require production environment');
+        console.log('  --skip-network    Skip online checks');
+        console.log('  --trust-root      Custom public key path');
+        console.log('  --json            Output as JSON');
+        console.log('  --format human    Human-readable certificate for non-technical relying parties');
+        console.log('  --human           Shorthand for --format human');
+        console.log('  --upstream-db <path>          SqliteStore with cached parent VPEC roots');
+        console.log('                                (defaults to PRIMUST_RUNTIME_DB_PATH or');
+        console.log('                                 ~/.primust/runtime.db when present).');
+        console.log('  --upstream-envelope <path>    JSON envelope file mapping');
+        console.log('                                upstream_vpec_id → commitment_root_poseidon2');
+        console.log('                                (repeatable; merged with --upstream-db).');
+        return parsed.values.help ? 0 : 2;
+    }
+    // Support subcommand: primust verify vpec artifact.json
+    const FORMATS = new Set(['vpec', 'pack', 'w3c-vc', 'dsse', 'scitt', 'receipt', 'all']);
+    let format = null;
+    let filePath;
+    if (parsed.positionals.length >= 2 && FORMATS.has(parsed.positionals[0])) {
+        format = parsed.positionals[0];
+        filePath = parsed.positionals[1];
+    }
+    else {
+        filePath = parsed.positionals[0];
+    }
+    const jsonOutput = parsed.values.json ?? false;
+    const humanCert = parsed.values.human || parsed.values.format === 'human';
+    // Read artifact file
+    let rawJson;
+    try {
+        rawJson = readFileSync(filePath, 'utf-8');
+    }
+    catch {
+        const msg = `Error: file not found: ${filePath}`;
+        if (jsonOutput) {
+            console.error(msg);
+        }
+        else {
+            console.error(msg);
+        }
+        return 2;
+    }
+    let artifact;
+    try {
+        artifact = JSON.parse(rawJson);
+    }
+    catch {
+        const msg = `Error: invalid JSON in ${filePath}`;
+        if (jsonOutput) {
+            console.error(msg);
+        }
+        else {
+            console.error(msg);
+        }
+        return 2;
+    }
+    // ── Follow-6 #79: build upstream-root resolver ──
+    // The CLI wires the parent-VPEC anchor check whenever the caller
+    // passes --upstream-db (or --upstream-envelope). When neither flag
+    // is supplied we leave the resolver undefined so legacy callers
+    // keep the existing "unanchored" warning behavior — strict backward
+    // compat for tests / scripts that don't know about the flag.
+    let resolver;
+    const dbPath = parsed.values['upstream-db'];
+    const envelopePaths = parsed.values['upstream-envelope'] ?? [];
+    if (dbPath || envelopePaths.length > 0) {
+        const envelopes = new Map();
+        for (const ep of envelopePaths) {
+            try {
+                const env = JSON.parse(readFileSync(ep, 'utf-8'));
+                // Two accepted shapes:
+                //  - { vpec_id: 'vpec_xxx', commitment_root_poseidon2: 'poseidon2:…' }
+                //  - { '<vpec_id>': '<root>', ... } (flat map)
+                if (typeof env.vpec_id === 'string' && typeof env.commitment_root_poseidon2 === 'string') {
+                    envelopes.set(env.vpec_id, env.commitment_root_poseidon2);
+                }
+                else {
+                    for (const [k, v] of Object.entries(env)) {
+                        if (typeof v === 'string')
+                            envelopes.set(k, v);
+                    }
+                }
+            }
+            catch (err) {
+                const msg = `Error: cannot read upstream envelope ${ep}: ${err.message}`;
+                console.error(msg);
+                return 2;
+            }
+        }
+        resolver = createUpstreamRootResolver({
+            dbPath,
+            envelopes: envelopes.size > 0 ? envelopes : undefined,
+        });
+    }
+    // Run verification
+    let result;
+    try {
+        result = await verify(artifact, {
+            production: parsed.values.production,
+            skip_network: parsed.values['skip-network'],
+            trust_root: parsed.values['trust-root'],
+        }, resolver);
+    }
+    catch (err) {
+        const msg = `Error: verification failed: ${err.message}`;
+        if (jsonOutput) {
+            console.error(msg);
+        }
+        else {
+            console.error(msg);
+        }
+        return 2;
+    }
+    // Output
+    if (jsonOutput) {
+        console.log(JSON.stringify(result, null, 2));
+    }
+    else if (humanCert) {
+        console.log(formatHumanCertificate(artifact, result));
+    }
+    else {
+        printHumanResult(result);
+    }
+    if (result.valid && artifact.environment === 'sandbox') {
+        console.log('\nSANDBOX — not audit-acceptable.');
+        console.log('Change key to pk_live_xxx for production.\n');
+        return 2;
+    }
+    return result.valid ? 0 : 1;
+}
+// Run if invoked directly
+const isDirectRun = process.argv[1] && (process.argv[1].endsWith('/cli.js') ||
+    process.argv[1].endsWith('/cli.ts'));
+if (isDirectRun) {
+    main().then((code) => process.exit(code));
+}
+//# sourceMappingURL=cli.js.map

package/dist/cli.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"cli.js","sourceRoot":"","sources":["../src/cli.ts"],"names":[],"mappings":";AAEA;;;;;;;;;;;;;;GAcG;AAEH,OAAO,EAAE,YAAY,EAAE,MAAM,SAAS,CAAC;AACvC,OAAO,EAAE,SAAS,EAAE,MAAM,WAAW,CAAC;AACtC,OAAO,EAAE,MAAM,EAAE,MAAM,eAAe,CAAC;AAEvC,OAAO,EAAE,0BAA0B,EAAE,MAAM,wBAAwB,CAAC;AAEpE,MAAM,mBAAmB,GAA2B;IAClD,YAAY,EAAE,cAAc;IAC5B,oBAAoB,EAAE,sBAAsB;IAC5C,cAAc,EAAE,gBAAgB;IAChC,SAAS,EAAE,WAAW;IACtB,SAAS,EAAE,WAAW;IACtB,WAAW,EAAE,aAAa;CAC3B,CAAC;AAEF,SAAS,gBAAgB,CAAC,KAAa;IACrC,OAAO,mBAAmB,CAAC,KAAK,CAAC,IAAI,KAAK,CAAC;AAC7C,CAAC;AAED,SAAS,kBAAkB,CAAC,IAA6B;IACvD,MAAM,MAAM,GAAG,CAAC,cAAc,EAAE,sBAAsB,EAAE,gBAAgB,EAAE,WAAW,EAAE,WAAW,EAAE,aAAa,CAAC,CAAC;IACnH,OAAO,MAAM;SACV,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,OAAO,IAAI,CAAC,CAAC,CAAC,KAAK,QAAQ,IAAK,IAAI,CAAC,CAAC,CAAY,GAAG,CAAC,CAAC;SACrE,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,GAAG,gBAAgB,CAAC,CAAC,CAAC,KAAK,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC;SAChD,IAAI,CAAC,IAAI,CAAC,CAAC;AAChB,CAAC;AAED,SAAS,iBAAiB,CAAC,IAAiC;IAC1D,IAAI,IAAI,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,GAAG,CAAC;IAClC,MAAM,MAAM,GAA2B,EAAE,CAAC;IAC1C,KAAK,MAAM,CAAC,IAAI,IAAI,EAAE,CAAC;QACrB,MAAM,CAAC,CAAC,CAAC,QAAQ,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC;IACrD,CAAC;IACD,MAAM,KAAK,GAAG,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,GAAG,EAAE,CAAC,CAAC,EAAE,EAAE,CAAC,GAAG,CAAC,IAAI,GAAG,EAAE,CAAC,CAAC;IACtE,OAAO,GAAG,IAAI,CAAC,MAAM,KAAK,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC;AAChD,CAAC;AAED,SAAS,eAAe,CAAC,MAA0B;IACjD,IAAI,EAAE,GAAG,MAAM,CAAC,SAAS,CAAC;IAC1B,IAAI,MAAM,CAAC,sBAAsB,KAAK,IAAI,EAAE,CAAC;QAC3C,EAAE,IAAI,oBAAoB,CAAC;IAC7B,CAAC;IACD,OAAO,EAAE,CAAC;AACZ,CAAC;AAED,sEAAsE;AAEtE,SAAS,sBAAsB,CAAC,QAAiC,EAAE,MAA0B;IAC3F,MAAM,GAAG,GAAG,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,cAAc,CAAC,CAAC,CAAC,gBAAgB,CAAC;IAC7D,MAAM,GAAG,GAAG,QAAQ,CAAC,WAAW,KAAK,SAAS;QAC5C,CAAC,CAAC,qCAAqC;QACvC,CAAC,CAAC,YAAY,CAAC;IAEjB,MAAM,KAAK,GAAa,EAAE,CAAC;IAC3B,KAAK,CAAC,IAAI,CAAC,wBAAwB,GAAG,CAAC,MAAM,CAAC,EAAE,CAAC,GAAG,GAAG,EAAE,CAAC,CAAC;IAC3D,KAAK,CAAC,IAAI,CAAC,QAAQ,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC,CAAC;IAChC,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACf,KAAK,CAAC,IAAI,CAAC,qBAAqB,MAAM,CAAC,OAAO,EAAE,CAAC,CAAC;IAClD,KAAK,CAAC,IAAI,CAAC,qBAAqB,MAAM,CAAC,WAAW,EAAE,CAAC,CAAC;IACtD,KAAK,CAAC,IAAI,CAAC,qBAAqB,GAAG,EAAE,CAAC,CAAC;IAEvC,MAAM,OAAO,GAAI,QAAQ,CAAC,UAAqB,IAAI,EAAE,CAAC;IACtD,MAAM,MAAM,GAAI,QAAQ,CAAC,SAAoB,IAAI,EAAE,CAAC;IACpD,IAAI,OAAO,IAAI,MAAM,EAAE,CAAC;QACtB,KAAK,CAAC,IAAI,CAAC,qBAAqB,OAAO,WAAW,MAAM,EAAE,CAAC,CAAC;IAC9D,CAAC;IACD,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IAEf,KAAK,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;IACxB,KAAK,CAAC,IAAI,CAAC,qBAAqB,GAAG,EAAE,CAAC,CAAC;IACvC,KAAK,CAAC,IAAI,CAAC,iCAAiC,CAAC,CAAC;IAC9C,KAAK,CAAC,IAAI,CAAC,qBAAqB,MAAM,CAAC,sBAAsB,CAAC,CAAC,CAAC,mBAAmB,CAAC,CAAC,CAAC,UAAU,EAAE,CAAC,CAAC;IACpG,KAAK,CAAC,IAAI,CAAC,qBAAqB,MAAM,CAAC,SAAS,EAAE,CAAC,CAAC;IACpD,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IAEf,KAAK,CAAC,IAAI,CAAC,kBAAkB,CAAC,CAAC;IAC/B,MAAM,EAAE,GAAI,QAAQ,CAAC,gBAA8C,CAAC;IACpE,KAAK,CAAC,IAAI,CAAC,uBAAuB,EAAE,IAAI,IAAI,CAAC,CAAC,CAAC,GAAG,CAAC,EAAE,GAAG,GAAG,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,QAAQ,EAAE,CAAC,CAAC;IACzF,MAAM,OAAO,GAAI,QAAQ,CAAC,OAA0C,IAAI,EAAE,CAAC;IAC3E,KAAK,CAAC,IAAI,CAAC,qBAAqB,OAAO,CAAC,MAAM,EAAE,CAAC,CAAC;IAClD,KAAK,CAAC,IAAI,CAAC,qBAAqB,MAAM,CAAC,IAAI,CAAC,MAAM,EAAE,CAAC,CAAC;IAEtD,wBAAwB;IACxB,MAAM,EAAE,GAAG,QAAQ,CAAC,eAA6D,CAAC;IAClF,IAAI,EAAE,EAAE,CAAC;QACP,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QACf,KAAK,CAAC,IAAI,CAAC,iBAAiB,CAAC,CAAC;QAC9B,MAAM,KAAK,GAAG,EAAE,CAAC,aAAuB,CAAC;QACzC,MAAM,GAAG,GAAG,EAAE,CAAC,gBAA0B,CAAC;QAC1C,MAAM,KAAK,GAAG,EAAE,CAAC,kBAA4B,CAAC;QAC9C,MAAM,GAAG,GAAI,EAAE,CAAC,YAAuB,IAAI,CAAC,CAAC;QAC7C,KAAK,CAAC,IAAI,CAAC,qBAAqB,KAAK,EAAE,CAAC,CAAC;QACzC,KAAK,CAAC,IAAI,CAAC,qBAAqB,GAAG,MAAM,CAAC,GAAG,GAAG,GAAG,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC;QACrE,KAAK,CAAC,IAAI,CAAC,qBAAqB,KAAK,MAAM,CAAC,CAAC,CAAC,GAAG,GAAG,CAAC,GAAG,GAAG,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC;QAE7E,gCAAgC;QAChC,MAAM,SAAS,GAAG,EAAE,CAAC,UAAwD,CAAC;QAC9E,IAAI,SAAS,IAAI,SAAS,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACtC,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;YACf,MAAM,EAAE,GAAI,EAAE,CAAC,wBAAoD,IAAI,EAAE,CAAC;YAC1E,MAAM,SAAS,GAAI,EAAE,CAAC,gBAA6B,IAAI,EAAE,CAAC;YAC1D,KAAK,MAAM,CAAC,IAAI,SAAS,EAAE,CAAC;gBAC1B,MAAM,GAAG,GAAG,CAAC,CAAC,cAAc,IAAI,GAAG,CAAC;gBACpC,MAAM,KAAK,GAAG,CAAC,CAAC,WAAW,IAAI,SAAS,CAAC;gBACzC,MAAM,KAAK,GAAG,CAAC,CAAC,SAA+B,CAAC;gBAChD,IAAI,KAAK,GAAG,MAAM,GAAG,MAAM,KAAK,EAAE,CAAC;gBACnC,IAAI,KAAK;oBAAE,KAAK,IAAI,KAAK,KAAK,EAAE,CAAC;gBACjC,KAAK,IAAI,SAAS,CAAC,QAAQ,CAAC,GAAa,CAAC;oBACxC,CAAC,CAAC,+CAA+C;oBACjD,CAAC,CAAC,0BAA0B,CAAC;gBAC/B,KAAK,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;YACpB,CAAC;QACH,CAAC;QAED,6BAA6B;QAC7B,MAAM,YAAY,GAAG,EAAE,CAAC,2BAAmD,CAAC;QAC5E,IAAI,YAAY,IAAI,YAAY,CAAC,MAAM,GAAG,CAAC,IAAI,CAAC,SAAS,EAAE,CAAC;YAC1D,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;YACf,KAAK,CAAC,IAAI,CAAC,4BAA4B,IAAI,CAAC,SAAS,CAAC,YAAY,CAAC,EAAE,CAAC,CAAC;YACvE,MAAM,OAAO,GAAG,EAAE,CAAC,8BAAoD,CAAC;YACxE,IAAI,OAAO;gBAAE,KAAK,CAAC,IAAI,CAAC,KAAK,OAAO,gBAAgB,CAAC,CAAC;YACtD,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;YACf,KAAK,CAAC,IAAI,CAAC,oCAAoC,CAAC,CAAC;YACjD,KAAK,CAAC,IAAI,CAAC,4DAA4D,CAAC,CAAC;QAC3E,CAAC;IACH,CAAC;IAED,qDAAqD;IACrD,MAAM,YAAY,GAAG,QAAQ,CAAC,aAAmC,CAAC;IAClE,IAAI,OAAO,CAAC,MAAM,GAAG,CAAC,IAAI,YAAY,KAAK,MAAM,EAAE,CAAC;QAClD,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QACf,KAAK,CAAC,IAAI,CAAC,mBAAmB,CAAC,CAAC;QAChC,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;QACnC,KAAK,MAAM,CAAC,IAAI,KAAK,EAAE,CAAC;YACtB,IAAI,OAAO,GAAI,CAAC,CAAC,WAAsB,IAAK,CAAC,CAAC,QAAmB,IAAI,SAAS,CAAC;YAC/E,IAAI,OAAO,CAAC,QAAQ,CAAC,GAAG,CAAC;gBAAE,OAAO,GAAG,OAAO,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;YAC3D,MAAM,WAAW,GAAG,CAAC,CAAC,YAAY,IAAI,SAAS,CAAC;YAChD,MAAM,EAAE,GAAG,CAAC,CAAC,iBAAwD,CAAC;YAEtE,IAAI,IAAI,GAAG,KAAK,OAAO,KAAK,WAAW,EAAE,CAAC;YAC1C,IAAI,EAAE,EAAE,CAAC;gBACP,MAAM,OAAO,GAAa,EAAE,CAAC;gBAC7B,IAAI,cAAc,IAAI,EAAE;oBAAE,OAAO,CAAC,IAAI,CAAC,GAAG,EAAE,CAAC,YAAY,WAAW,CAAC,CAAC;gBACtE,IAAI,YAAY,IAAI,EAAE;oBAAE,OAAO,CAAC,IAAI,CAAC,QAAQ,EAAE,CAAC,UAAU,EAAE,CAAC,CAAC;gBAC9D,IAAI,cAAc,IAAI,EAAE;oBAAE,OAAO,CAAC,IAAI,CAAC,EAAE,CAAC,YAAsB,CAAC,CAAC;gBAClE,IAAI,OAAO,CAAC,MAAM,GAAG,CAAC;oBAAE,IAAI,IAAI,MAAM,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC;YAC9D,CAAC;YACD,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACnB,CAAC;QACD,IAAI,OAAO,CAAC,MAAM,GAAG,EAAE,EAAE,CAAC;YACxB,KAAK,CAAC,IAAI,CAAC,aAAa,OAAO,CAAC,MAAM,GAAG,EAAE,cAAc,CAAC,CAAC;QAC7D,CAAC;IACH,CAAC;IAED,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACf,KAAK,CAAC,IAAI,CAAC,kBAAkB,CAAC,CAAC;IAC/B,KAAK,CAAC,IAAI,CAAC,kEAAkE,CAAC,CAAC;IAC/E,KAAK,CAAC,IAAI,CAAC,iEAAiE,CAAC,CAAC;IAC9E,KAAK,CAAC,IAAI,CAAC,4DAA4D,CAAC,CAAC;IACzE,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACf,KAAK,CAAC,IAAI,CAAC,0BAA0B,CAAC,CAAC;IACvC,KAAK,CAAC,IAAI,CAAC,8DAA8D,CAAC,CAAC;IAC3E,KAAK,CAAC,IAAI,CAAC,+DAA+D,CAAC,CAAC;IAC5E,KAAK,CAAC,IAAI,CAAC,mEAAmE,CAAC,CAAC;IAChF,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACf,KAAK,CAAC,IAAI,CAAC,sBAAsB,CAAC,CAAC;IACnC,KAAK,CAAC,IAAI,CAAC,wBAAwB,MAAM,CAAC,OAAO,EAAE,CAAC,CAAC;IACrD,KAAK,CAAC,IAAI,CAAC,oBAAoB,MAAM,CAAC,OAAO,OAAO,CAAC,CAAC;IACtD,KAAK,CAAC,IAAI,CAAC,QAAQ,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC,CAAC;IAEhC,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AAC1B,CAAC;AAED,SAAS,gBAAgB,CAAC,MAA0B;IAClD,MAAM,IAAI,GAAG,MAAM,CAAC,kBAA6C,CAAC;IAClE,MAAM,GAAG,GAAG,MAAM,CAAC,QAAmC,CAAC;IAEvD,IAAI,MAAM,CAAC,KAAK,EAAE,CAAC;QACjB,OAAO,CAAC,GAAG,CAAC,mBAAmB,MAAM,CAAC,OAAO,eAAe,CAAC,CAAC;IAChE,CAAC;SAAM,CAAC;QACN,OAAO,CAAC,GAAG,CAAC,mBAAmB,MAAM,CAAC,OAAO,iBAAiB,CAAC,CAAC;QAChE,KAAK,MAAM,GAAG,IAAI,MAAM,CAAC,MAAM,EAAE,CAAC;YAChC,OAAO,CAAC,GAAG,CAAC,cAAc,GAAG,EAAE,CAAC,CAAC;QACnC,CAAC;IACH,CAAC;IAED,MAAM,OAAO,GAAG,kBAAkB,CAAC,IAAI,CAAC,CAAC;IACzC,IAAI,OAAO,EAAE,CAAC;QACZ,OAAO,CAAC,GAAG,CAAC,sBAAsB,OAAO,EAAE,CAAC,CAAC;IAC/C,CAAC;IAED,OAAO,CAAC,GAAG,CAAC,sBAAsB,MAAM,CAAC,WAAW,EAAE,CAAC,CAAC;IACxD,OAAO,CAAC,GAAG,CAAC,sBAAsB,MAAM,CAAC,MAAM,EAAE,CAAC,CAAC;IACnD,OAAO,CAAC,GAAG,CAAC,sBAAsB,eAAe,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC;IAC7D,OAAO,CAAC,GAAG,CAAC,sBAAsB,MAAM,CAAC,SAAS,WAAW,MAAM,CAAC,GAAG,EAAE,CAAC,CAAC;IAC3E,OAAO,CAAC,GAAG,CAAC,sBAAsB,MAAM,CAAC,YAAY,EAAE,CAAC,CAAC;IAEzD,IAAI,GAAG,IAAI,OAAO,GAAG,CAAC,mBAAmB,KAAK,QAAQ,EAAE,CAAC;QACvD,IAAI,MAAM,GAAG,GAAG,GAAG,CAAC,mBAAmB,UAAU,CAAC;QAClD,IAAI,OAAO,GAAG,CAAC,2BAA2B,KAAK,QAAQ,EAAE,CAAC;YACxD,MAAM,IAAI,MAAM,GAAG,CAAC,2BAA2B,2BAA2B,CAAC;QAC7E,CAAC;QACD,OAAO,CAAC,GAAG,CAAC,sBAAsB,MAAM,EAAE,CAAC,CAAC;IAC9C,CAAC;IAED,OAAO,CAAC,GAAG,CAAC,sBAAsB,iBAAiB,CAAC,MAAM,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IAEpE,IAAI,MAAM,CAAC,oBAAoB,EAAE,CAAC;QAChC,OAAO,CAAC,GAAG,CAAC,sBAAsB,MAAM,CAAC,oBAAoB,EAAE,CAAC,CAAC;IACnE,CAAC;IAED,OAAO,CAAC,GAAG,CAAC,sBAAsB,MAAM,CAAC,SAAS,EAAE,CAAC,CAAC;IAEtD,IAAI,MAAM,CAAC,SAAS,IAAI,MAAM,CAAC,KAAK,EAAE,CAAC;QACrC,OAAO,CAAC,GAAG,CAAC,0DAA0D,CAAC,CAAC;IAC1E,CAAC;IAED,IAAI,MAAM,CAAC,QAAQ,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC/B,KAAK,MAAM,CAAC,IAAI,MAAM,CAAC,QAAQ,EAAE,CAAC;YAChC,OAAO,CAAC,GAAG,CAAC,gBAAgB,CAAC,EAAE,CAAC,CAAC;QACnC,CAAC;IACH,CAAC;IAED,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;AAClB,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,IAAI,CAAC,IAAe;IACxC,IAAI,MAAM,CAAC;IACX,IAAI,CAAC;QACH,MAAM,GAAG,SAAS,CAAC;YACjB,IAAI,EAAE,IAAI,IAAI,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC;YACnC,OAAO,EAAE;gBACP,UAAU,EAAE,EAAE,IAAI,EAAE,SAAS,EAAE,OAAO,EAAE,KAAK,EAAE;gBAC/C,cAAc,EAAE,EAAE,IAAI,EAAE,SAAS,EAAE,OAAO,EAAE,KAAK,EAAE;gBACnD,YAAY,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE;gBAChC,IAAI,EAAE,EAAE,IAAI,EAAE,SAAS,EAAE,OAAO,EAAE,KAAK,EAAE;gBACzC,MAAM,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE;gBAC1B,KAAK,EAAE,EAAE,IAAI,EAAE,SAAS,EAAE,OAAO,EAAE,KAAK,EAAE;gBAC1C,IAAI,EAAE,EAAE,IAAI,EAAE,SAAS,EAAE,KAAK,EAAE,GAAG,EAAE,OAAO,EAAE,KAAK,EAAE;gBACrD,iEAAiE;gBACjE,8DAA8D;gBAC9D,2DAA2D;gBAC3D,0DAA0D;gBAC1D,aAAa,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE;gBACjC,mBAAmB,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE,QAAQ,EAAE,IAAI,EAAE;aACxD;YACD,gBAAgB,EAAE,IAAI;SACvB,CAAC,CAAC;IACL,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,OAAO,CAAC,KAAK,CAAC,UAAW,GAAa,CAAC,OAAO,EAAE,CAAC,CAAC;QAClD,OAAO,CAAC,CAAC;IACX,CAAC;IAED,IAAI,MAAM,CAAC,MAAM,CAAC,IAAI,IAAI,MAAM,CAAC,WAAW,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC1D,OAAO,CAAC,GAAG,CAAC,0DAA0D,CAAC,CAAC;QACxE,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;QAChB,OAAO,CAAC,GAAG,CAAC,wDAAwD,CAAC,CAAC;QACtE,OAAO,CAAC,GAAG,CAAC,qDAAqD,CAAC,CAAC;QACnE,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;QAChB,OAAO,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC;QACxB,OAAO,CAAC,GAAG,CAAC,oDAAoD,CAAC,CAAC;QAClE,OAAO,CAAC,GAAG,CAAC,wCAAwC,CAAC,CAAC;QACtD,OAAO,CAAC,GAAG,CAAC,4CAA4C,CAAC,CAAC;QAC1D,OAAO,CAAC,GAAG,CAAC,oCAAoC,CAAC,CAAC;QAClD,OAAO,CAAC,GAAG,CAAC,kFAAkF,CAAC,CAAC;QAChG,OAAO,CAAC,GAAG,CAAC,kDAAkD,CAAC,CAAC;QAChE,OAAO,CAAC,GAAG,CAAC,2EAA2E,CAAC,CAAC;QACzF,OAAO,CAAC,GAAG,CAAC,yEAAyE,CAAC,CAAC;QACvF,OAAO,CAAC,GAAG,CAAC,uEAAuE,CAAC,CAAC;QACrF,OAAO,CAAC,GAAG,CAAC,4DAA4D,CAAC,CAAC;QAC1E,OAAO,CAAC,GAAG,CAAC,8EAA8E,CAAC,CAAC;QAC5F,OAAO,CAAC,GAAG,CAAC,0EAA0E,CAAC,CAAC;QACxF,OAAO,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;IACpC,CAAC;IAED,wDAAwD;IACxD,MAAM,OAAO,GAAG,IAAI,GAAG,CAAC,CAAC,MAAM,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,EAAE,OAAO,EAAE,SAAS,EAAE,KAAK,CAAC,CAAC,CAAC;IACvF,IAAI,MAAM,GAAkB,IAAI,CAAC;IACjC,IAAI,QAAgB,CAAC;IACrB,IAAI,MAAM,CAAC,WAAW,CAAC,MAAM,IAAI,CAAC,IAAI,OAAO,CAAC,GAAG,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;QACzE,MAAM,GAAG,MAAM,CAAC,WAAW,CAAC,CAAC,CAAC,CAAC;QAC/B,QAAQ,GAAG,MAAM,CAAC,WAAW,CAAC,CAAC,CAAC,CAAC;IACnC,CAAC;SAAM,CAAC;QACN,QAAQ,GAAG,MAAM,CAAC,WAAW,CAAC,CAAC,CAAC,CAAC;IACnC,CAAC;IACD,MAAM,UAAU,GAAG,MAAM,CAAC,MAAM,CAAC,IAAI,IAAI,KAAK,CAAC;IAC/C,MAAM,SAAS,GAAG,MAAM,CAAC,MAAM,CAAC,KAAK,IAAI,MAAM,CAAC,MAAM,CAAC,MAAM,KAAK,OAAO,CAAC;IAE1E,qBAAqB;IACrB,IAAI,OAAe,CAAC;IACpB,IAAI,CAAC;QACH,OAAO,GAAG,YAAY,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;IAC5C,CAAC;IAAC,MAAM,CAAC;QACP,MAAM,GAAG,GAAG,0BAA0B,QAAQ,EAAE,CAAC;QACjD,IAAI,UAAU,EAAE,CAAC;YACf,OAAO,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QACrB,CAAC;aAAM,CAAC;YACN,OAAO,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QACrB,CAAC;QACD,OAAO,CAAC,CAAC;IACX,CAAC;IAED,IAAI,QAAiC,CAAC;IACtC,IAAI,CAAC;QACH,QAAQ,GAAG,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;IACjC,CAAC;IAAC,MAAM,CAAC;QACP,MAAM,GAAG,GAAG,0BAA0B,QAAQ,EAAE,CAAC;QACjD,IAAI,UAAU,EAAE,CAAC;YACf,OAAO,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QACrB,CAAC;aAAM,CAAC;YACN,OAAO,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QACrB,CAAC;QACD,OAAO,CAAC,CAAC;IACX,CAAC;IAED,mDAAmD;IACnD,iEAAiE;IACjE,mEAAmE;IACnE,gEAAgE;IAChE,oEAAoE;IACpE,6DAA6D;IAC7D,IAAI,QAA0C,CAAC;IAC/C,MAAM,MAAM,GAAG,MAAM,CAAC,MAAM,CAAC,aAAa,CAAuB,CAAC;IAClE,MAAM,aAAa,GAAI,MAAM,CAAC,MAAM,CAAC,mBAAmB,CAA0B,IAAI,EAAE,CAAC;IACzF,IAAI,MAAM,IAAI,aAAa,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACvC,MAAM,SAAS,GAAG,IAAI,GAAG,EAAkB,CAAC;QAC5C,KAAK,MAAM,EAAE,IAAI,aAAa,EAAE,CAAC;YAC/B,IAAI,CAAC;gBACH,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,YAAY,CAAC,EAAE,EAAE,OAAO,CAAC,CAA4B,CAAC;gBAC7E,uBAAuB;gBACvB,uEAAuE;gBACvE,+CAA+C;gBAC/C,IAAI,OAAO,GAAG,CAAC,OAAO,KAAK,QAAQ,IAAI,OAAO,GAAG,CAAC,yBAAyB,KAAK,QAAQ,EAAE,CAAC;oBACzF,SAAS,CAAC,GAAG,CAAC,GAAG,CAAC,OAAO,EAAE,GAAG,CAAC,yBAAyB,CAAC,CAAC;gBAC5D,CAAC;qBAAM,CAAC;oBACN,KAAK,MAAM,CAAC,CAAC,EAAE,CAAC,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC;wBACzC,IAAI,OAAO,CAAC,KAAK,QAAQ;4BAAE,SAAS,CAAC,GAAG,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC;oBACjD,CAAC;gBACH,CAAC;YACH,CAAC;YAAC,OAAO,GAAG,EAAE,CAAC;gBACb,MAAM,GAAG,GAAG,wCAAwC,EAAE,KAAM,GAAa,CAAC,OAAO,EAAE,CAAC;gBACpF,OAAO,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;gBACnB,OAAO,CAAC,CAAC;YACX,CAAC;QACH,CAAC;QACD,QAAQ,GAAG,0BAA0B,CAAC;YACpC,MAAM;YACN,SAAS,EAAE,SAAS,CAAC,IAAI,GAAG,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,SAAS;SACtD,CAAC,CAAC;IACL,CAAC;IAED,mBAAmB;IACnB,IAAI,MAA0B,CAAC;IAC/B,IAAI,CAAC;QACH,MAAM,GAAG,MAAM,MAAM,CACnB,QAAQ,EACR;YACE,UAAU,EAAE,MAAM,CAAC,MAAM,CAAC,UAAU;YACpC,YAAY,EAAE,MAAM,CAAC,MAAM,CAAC,cAAc,CAAC;YAC3C,UAAU,EAAE,MAAM,CAAC,MAAM,CAAC,YAAY,CAAC;SACxC,EACD,QAAQ,CACT,CAAC;IACJ,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,GAAG,GAAG,+BAAgC,GAAa,CAAC,OAAO,EAAE,CAAC;QACpE,IAAI,UAAU,EAAE,CAAC;YACf,OAAO,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QACrB,CAAC;aAAM,CAAC;YACN,OAAO,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QACrB,CAAC;QACD,OAAO,CAAC,CAAC;IACX,CAAC;IAED,SAAS;IACT,IAAI,UAAU,EAAE,CAAC;QACf,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,MAAM,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC;IAC/C,CAAC;SAAM,IAAI,SAAS,EAAE,CAAC;QACrB,OAAO,CAAC,GAAG,CAAC,sBAAsB,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC,CAAC;IACxD,CAAC;SAAM,CAAC;QACN,gBAAgB,CAAC,MAAM,CAAC,CAAC;IAC3B,CAAC;IAED,IAAI,MAAM,CAAC,KAAK,IAAI,QAAQ,CAAC,WAAW,KAAK,SAAS,EAAE,CAAC;QACvD,OAAO,CAAC,GAAG,CAAC,mCAAmC,CAAC,CAAC;QACjD,OAAO,CAAC,GAAG,CAAC,6CAA6C,CAAC,CAAC;QAC3D,OAAO,CAAC,CAAC;IACX,CAAC;IAED,OAAO,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;AAC9B,CAAC;AAED,0BAA0B;AAC1B,MAAM,WAAW,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,CACrC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,SAAS,CAAC;IACnC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,SAAS,CAAC,CACpC,CAAC;AAEF,IAAI,WAAW,EAAE,CAAC;IAChB,IAAI,EAAE,CAAC,IAAI,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC;AAC5C,CAAC"}

package/dist/index.d.ts

@@ -0,0 +1,13 @@
+export { verify } from './verifier';
+export type { UpstreamRootResolver, VerifyOptions, VerificationResult, RekorStatus, } from './types';
+export { generateVerifyHtml } from './verify-html-template';
+export { seedKeyCache } from './key-cache';
+export { REASONS, buildMerkleRoot, canonicalJson, canonicalJsonString, canonicalNumber, verifyBoundedTrace, } from './bounded-trace';
+export type { BoundedTraceResult, ReasonCode } from './bounded-trace';
+export { SCOPED_REASONS, verifyScopedCertificates, } from './scoped';
+export type { ScopedCertificatesResult, ScopedReason } from './scoped';
+export { createUpstreamRootResolver, closeResolver, } from './upstream_resolver';
+export type { UpstreamResolverOptions } from './upstream_resolver';
+export { ENVELOPE_VERSION, ALLOWED_KINDS, ALLOWED_TRUST_EDGES, PROOF_TIER_HIERARCHY, canonicalJson as canonicalJsonV29, canonicalHash as canonicalHashV29, validateEnvelopeShape, reproduceAggregations, validateAggregations, reproduceTierCeiling, validateRecordsAgainstHarness, validateRuntimeBindingHash, reproduceManifestCanonicalHash, validateManifestCanonicalHash, verifyV29, } from './v29-envelope';
+export type { V29VerifyResult, ProofTier } from './v29-envelope';
+//# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,EAAE,MAAM,YAAY,CAAC;AACpC,YAAY,EACV,oBAAoB,EACpB,aAAa,EACb,kBAAkB,EAClB,WAAW,GACZ,MAAM,SAAS,CAAC;AACjB,OAAO,EAAE,kBAAkB,EAAE,MAAM,wBAAwB,CAAC;AAC5D,OAAO,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAC3C,OAAO,EACL,OAAO,EACP,eAAe,EACf,aAAa,EACb,mBAAmB,EACnB,eAAe,EACf,kBAAkB,GACnB,MAAM,iBAAiB,CAAC;AACzB,YAAY,EAAE,kBAAkB,EAAE,UAAU,EAAE,MAAM,iBAAiB,CAAC;AACtE,OAAO,EACL,cAAc,EACd,wBAAwB,GACzB,MAAM,UAAU,CAAC;AAClB,YAAY,EAAE,wBAAwB,EAAE,YAAY,EAAE,MAAM,UAAU,CAAC;AAKvE,OAAO,EACL,0BAA0B,EAC1B,aAAa,GACd,MAAM,qBAAqB,CAAC;AAC7B,YAAY,EAAE,uBAAuB,EAAE,MAAM,qBAAqB,CAAC;AAInE,OAAO,EACL,gBAAgB,EAChB,aAAa,EACb,mBAAmB,EACnB,oBAAoB,EACpB,aAAa,IAAI,gBAAgB,EACjC,aAAa,IAAI,gBAAgB,EACjC,qBAAqB,EACrB,qBAAqB,EACrB,oBAAoB,EACpB,oBAAoB,EACpB,6BAA6B,EAC7B,0BAA0B,EAC1B,8BAA8B,EAC9B,6BAA6B,EAC7B,SAAS,GACV,MAAM,gBAAgB,CAAC;AACxB,YAAY,EAAE,eAAe,EAAE,SAAS,EAAE,MAAM,gBAAgB,CAAC"}

package/dist/index.js

@@ -0,0 +1,13 @@
+export { verify } from './verifier';
+export { generateVerifyHtml } from './verify-html-template';
+export { seedKeyCache } from './key-cache';
+export { REASONS, buildMerkleRoot, canonicalJson, canonicalJsonString, canonicalNumber, verifyBoundedTrace, } from './bounded-trace';
+export { SCOPED_REASONS, verifyScopedCertificates, } from './scoped';
+// Cross-org upstream-VPEC resolver (Follow-7)
+// UpstreamRootResolver type is canonical from ./types (Follow-6); we
+// only re-export the resolver factory + its options here.
+export { createUpstreamRootResolver, closeResolver, } from './upstream_resolver';
+// v29 Layer 1 — ProofCheck envelope + manifest + runtime-binding
+// conformance. Mirror of packages/verifier-py/.../v29_envelope.py.
+export { ENVELOPE_VERSION, ALLOWED_KINDS, ALLOWED_TRUST_EDGES, PROOF_TIER_HIERARCHY, canonicalJson as canonicalJsonV29, canonicalHash as canonicalHashV29, validateEnvelopeShape, reproduceAggregations, validateAggregations, reproduceTierCeiling, validateRecordsAgainstHarness, validateRuntimeBindingHash, reproduceManifestCanonicalHash, validateManifestCanonicalHash, verifyV29, } from './v29-envelope';
+//# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,EAAE,MAAM,YAAY,CAAC;AAOpC,OAAO,EAAE,kBAAkB,EAAE,MAAM,wBAAwB,CAAC;AAC5D,OAAO,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAC3C,OAAO,EACL,OAAO,EACP,eAAe,EACf,aAAa,EACb,mBAAmB,EACnB,eAAe,EACf,kBAAkB,GACnB,MAAM,iBAAiB,CAAC;AAEzB,OAAO,EACL,cAAc,EACd,wBAAwB,GACzB,MAAM,UAAU,CAAC;AAGlB,8CAA8C;AAC9C,qEAAqE;AACrE,0DAA0D;AAC1D,OAAO,EACL,0BAA0B,EAC1B,aAAa,GACd,MAAM,qBAAqB,CAAC;AAG7B,iEAAiE;AACjE,mEAAmE;AACnE,OAAO,EACL,gBAAgB,EAChB,aAAa,EACb,mBAAmB,EACnB,oBAAoB,EACpB,aAAa,IAAI,gBAAgB,EACjC,aAAa,IAAI,gBAAgB,EACjC,qBAAqB,EACrB,qBAAqB,EACrB,oBAAoB,EACpB,oBAAoB,EACpB,6BAA6B,EAC7B,0BAA0B,EAC1B,8BAA8B,EAC9B,6BAA6B,EAC7B,SAAS,GACV,MAAM,gBAAgB,CAAC"}

package/dist/key-cache.d.ts

@@ -0,0 +1,20 @@
+/**
+ * Public key cache for VPEC signature verification.
+ *
+ * Fetches public keys from trust anchor URLs and caches by key ID.
+ * Supports pinned trust roots for offline/air-gapped verification.
+ */
+/**
+ * Resolve a public key by key ID.
+ *
+ * @param kid - Key identifier from VPEC signature field
+ * @param publicKeyUrl - URL to fetch the PEM/base64url key
+ * @param trustRoot - Optional local PEM file path or content for offline mode
+ */
+/**
+ * Pre-seed the in-memory key cache. Used by evidence-pack assembler
+ * to inject the signer's public key before verification runs.
+ */
+export declare function seedKeyCache(kid: string, publicKey: string): void;
+export declare function getKey(kid: string, publicKeyUrl: string, trustRoot?: string): Promise<string>;
+//# sourceMappingURL=key-cache.d.ts.map

package/dist/key-cache.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"key-cache.d.ts","sourceRoot":"","sources":["../src/key-cache.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAOH;;;;;;GAMG;AACH;;;GAGG;AACH,wBAAgB,YAAY,CAAC,GAAG,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,GAAG,IAAI,CAEjE;AAED,wBAAsB,MAAM,CAC1B,GAAG,EAAE,MAAM,EACX,YAAY,EAAE,MAAM,EACpB,SAAS,CAAC,EAAE,MAAM,GACjB,OAAO,CAAC,MAAM,CAAC,CAgDjB"}

package/dist/key-cache.js

@@ -0,0 +1,68 @@
+/**
+ * Public key cache for VPEC signature verification.
+ *
+ * Fetches public keys from trust anchor URLs and caches by key ID.
+ * Supports pinned trust roots for offline/air-gapped verification.
+ */
+import { readFileSync, existsSync } from 'node:fs';
+// In-memory cache: kid → base64url public key
+const cache = new Map();
+/**
+ * Resolve a public key by key ID.
+ *
+ * @param kid - Key identifier from VPEC signature field
+ * @param publicKeyUrl - URL to fetch the PEM/base64url key
+ * @param trustRoot - Optional local PEM file path or content for offline mode
+ */
+/**
+ * Pre-seed the in-memory key cache. Used by evidence-pack assembler
+ * to inject the signer's public key before verification runs.
+ */
+export function seedKeyCache(kid, publicKey) {
+    cache.set(kid, publicKey);
+}
+export async function getKey(kid, publicKeyUrl, trustRoot) {
+    // Pinned trust root — zero network calls
+    if (trustRoot) {
+        // If it looks like a file path, read it
+        if (existsSync(trustRoot)) {
+            return readFileSync(trustRoot, 'utf-8').trim();
+        }
+        // Otherwise treat as inline key content
+        return trustRoot.trim();
+    }
+    // Check cache
+    const cached = cache.get(kid);
+    if (cached)
+        return cached;
+    // Fetch from URL with retries
+    if (!publicKeyUrl) {
+        throw new Error(`No public_key_url for kid=${kid}`);
+    }
+    let lastError = null;
+    for (let attempt = 0; attempt < 3; attempt++) {
+        try {
+            const resp = await fetch(publicKeyUrl, {
+                headers: { Accept: 'application/x-pem-file' },
+                signal: AbortSignal.timeout(10_000),
+            });
+            if (!resp.ok) {
+                throw new Error(`HTTP ${resp.status}`);
+            }
+            const pem = (await resp.text()).trim();
+            if (!pem) {
+                throw new Error('Empty response');
+            }
+            cache.set(kid, pem);
+            return pem;
+        }
+        catch (e) {
+            lastError = e instanceof Error ? e : new Error(String(e));
+            if (attempt < 2) {
+                await new Promise(r => setTimeout(r, 500 * (attempt + 1)));
+            }
+        }
+    }
+    throw new Error(`Failed to fetch key from ${publicKeyUrl} after 3 attempts: ${lastError?.message}`);
+}
+//# sourceMappingURL=key-cache.js.map

package/dist/key-cache.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"key-cache.js","sourceRoot":"","sources":["../src/key-cache.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,EAAE,YAAY,EAAE,UAAU,EAAE,MAAM,SAAS,CAAC;AAEnD,8CAA8C;AAC9C,MAAM,KAAK,GAAG,IAAI,GAAG,EAAkB,CAAC;AAExC;;;;;;GAMG;AACH;;;GAGG;AACH,MAAM,UAAU,YAAY,CAAC,GAAW,EAAE,SAAiB;IACzD,KAAK,CAAC,GAAG,CAAC,GAAG,EAAE,SAAS,CAAC,CAAC;AAC5B,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,MAAM,CAC1B,GAAW,EACX,YAAoB,EACpB,SAAkB;IAElB,yCAAyC;IACzC,IAAI,SAAS,EAAE,CAAC;QACd,wCAAwC;QACxC,IAAI,UAAU,CAAC,SAAS,CAAC,EAAE,CAAC;YAC1B,OAAO,YAAY,CAAC,SAAS,EAAE,OAAO,CAAC,CAAC,IAAI,EAAE,CAAC;QACjD,CAAC;QACD,wCAAwC;QACxC,OAAO,SAAS,CAAC,IAAI,EAAE,CAAC;IAC1B,CAAC;IAED,cAAc;IACd,MAAM,MAAM,GAAG,KAAK,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;IAC9B,IAAI,MAAM;QAAE,OAAO,MAAM,CAAC;IAE1B,8BAA8B;IAC9B,IAAI,CAAC,YAAY,EAAE,CAAC;QAClB,MAAM,IAAI,KAAK,CAAC,6BAA6B,GAAG,EAAE,CAAC,CAAC;IACtD,CAAC;IAED,IAAI,SAAS,GAAiB,IAAI,CAAC;IACnC,KAAK,IAAI,OAAO,GAAG,CAAC,EAAE,OAAO,GAAG,CAAC,EAAE,OAAO,EAAE,EAAE,CAAC;QAC7C,IAAI,CAAC;YACH,MAAM,IAAI,GAAG,MAAM,KAAK,CAAC,YAAY,EAAE;gBACrC,OAAO,EAAE,EAAE,MAAM,EAAE,wBAAwB,EAAE;gBAC7C,MAAM,EAAE,WAAW,CAAC,OAAO,CAAC,MAAM,CAAC;aACpC,CAAC,CAAC;YAEH,IAAI,CAAC,IAAI,CAAC,EAAE,EAAE,CAAC;gBACb,MAAM,IAAI,KAAK,CAAC,QAAQ,IAAI,CAAC,MAAM,EAAE,CAAC,CAAC;YACzC,CAAC;YAED,MAAM,GAAG,GAAG,CAAC,MAAM,IAAI,CAAC,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC;YACvC,IAAI,CAAC,GAAG,EAAE,CAAC;gBACT,MAAM,IAAI,KAAK,CAAC,gBAAgB,CAAC,CAAC;YACpC,CAAC;YAED,KAAK,CAAC,GAAG,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC;YACpB,OAAO,GAAG,CAAC;QACb,CAAC;QAAC,OAAO,CAAC,EAAE,CAAC;YACX,SAAS,GAAG,CAAC,YAAY,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,CAAC;YAC1D,IAAI,OAAO,GAAG,CAAC,EAAE,CAAC;gBAChB,MAAM,IAAI,OAAO,CAAC,CAAC,CAAC,EAAE,CAAC,UAAU,CAAC,CAAC,EAAE,GAAG,GAAG,CAAC,OAAO,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;YAC7D,CAAC;QACH,CAAC;IACH,CAAC;IAED,MAAM,IAAI,KAAK,CAAC,4BAA4B,YAAY,sBAAsB,SAAS,EAAE,OAAO,EAAE,CAAC,CAAC;AACtG,CAAC"}

package/dist/scoped.d.ts

@@ -0,0 +1,35 @@
+/**
+ * Reference TypeScript verifier for the `scoped_certificates` VPEC section.
+ *
+ * Ported from verifier-py/src/primust_verify/scoped.py. Validates the
+ * top-level `scoped_certificates` array + matching
+ * `scoped_certificates_commitment` emitted by the SDK's
+ * `primust.scoped.bundle` module (SCOPED_CERT_SPEC_v27 §14).
+ *
+ * Trust-chain scope:
+ *   1. Every entry carries a known `certificate_type` discriminator.
+ *   2. Every entry has the required structural fields for its type.
+ *   3. The array is in canonical order: lexicographic by
+ *      (certificate_type, canonical_sha256(payload)).
+ *   4. The declared commitment byte-matches the recomputed Merkle root
+ *      over the ordered canonical-JSON leaves. Empty bundle uses the
+ *      well-known `sha256(canonical({scoped_certificates: []}))`.
+ *
+ * SI-3 (VPEC verifiability): this module's output MUST agree with the
+ * Python reference (`primust_verify.scoped`) byte-for-byte across the
+ * shared fixture corpus at
+ * packages/verifier-py/tests/fixtures/scoped_v1/. The conformance runner
+ * in scripts/scoped_conformance.py gates that in CI.
+ */
+import { buildMerkleRoot, canonicalJson, canonicalJsonString } from "./bounded-trace";
+export declare const SCOPED_REASONS: readonly ["ok", "missing_section", "malformed_section", "missing_commitment", "malformed_commitment", "missing_discriminator", "unknown_certificate_type", "schema_validation_failed", "ordering_violation", "commitment_mismatch"];
+export type ScopedReason = (typeof SCOPED_REASONS)[number];
+export interface ScopedCertificatesResult {
+    valid: boolean;
+    reason: ScopedReason;
+    entry_count: number;
+    details: Record<string, unknown>;
+}
+export declare function verifyScopedCertificates(vpecLike: Record<string, unknown>): ScopedCertificatesResult;
+export { canonicalJson, canonicalJsonString, buildMerkleRoot };
+//# sourceMappingURL=scoped.d.ts.map

package/dist/scoped.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"scoped.d.ts","sourceRoot":"","sources":["../src/scoped.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;GAsBG;AAIH,OAAO,EACL,eAAe,EACf,aAAa,EACb,mBAAmB,EACpB,MAAM,iBAAiB,CAAC;AAmazB,eAAO,MAAM,cAAc,qOAWjB,CAAC;AAEX,MAAM,MAAM,YAAY,GAAG,CAAC,OAAO,cAAc,CAAC,CAAC,MAAM,CAAC,CAAC;AAE3D,MAAM,WAAW,wBAAwB;IACvC,KAAK,EAAE,OAAO,CAAC;IACf,MAAM,EAAE,YAAY,CAAC;IACrB,WAAW,EAAE,MAAM,CAAC;IACpB,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CAClC;AA+DD,wBAAgB,wBAAwB,CACtC,QAAQ,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAChC,wBAAwB,CA8F1B;AAGD,OAAO,EAAE,aAAa,EAAE,mBAAmB,EAAE,eAAe,EAAE,CAAC"}