@primust/verifier 1.0.0

package/dist/v29-envelope.js

@@ -0,0 +1,450 @@
+/**
+ * v29 ProofCheck envelope + manifest + runtime-binding conformance.
+ *
+ * Mirror of packages/verifier-py/src/primust_verify/v29_envelope.py.
+ * The Py↔TS parity contract: canonicalJson(x) MUST produce byte-identical
+ * output for identical inputs across both languages, and every reproduction
+ * function MUST return the same value.
+ *
+ * Per docs/v29-draft/PROOFCHECK_ENVELOPE_SPEC_v0_1.md, AGENT_MANIFEST_SPEC,
+ * HARNESS_MANIFEST_SPEC, RUNTIME_BINDING_SPEC.
+ *
+ * Pure functions only. No DB, no network, no KMS.
+ */
+import { createHash, createPublicKey, verify as cryptoVerify } from "node:crypto";
+export const ENVELOPE_VERSION = "v0.1";
+export const ALLOWED_KINDS = new Set([
+    "governance_check",
+    "outbound_action",
+    "token_authority_snapshot",
+    "workspace_observation",
+    "contention_event",
+    "scope_claim_lifecycle",
+    "scope_claim_emitted",
+    "turn_context",
+    "tool_execution",
+]);
+export const ALLOWED_TRUST_EDGES = new Set(["A2T", "A2M", "A2H", "A2A", "A2S", "A2D"]);
+export const PROOF_TIER_HIERARCHY = [
+    "attestation",
+    "witnessed",
+    "execution",
+    "operator_bound",
+    "verifiable_inference",
+    "mathematical",
+];
+const TIER_INDEX = Object.fromEntries(PROOF_TIER_HIERARCHY.map((t, i) => [t, i]));
+export const v29Pass = () => ({ ok: true, reasonCode: null });
+export const v29Fail = (code, detail = "") => ({
+    ok: false,
+    reasonCode: code,
+    detail,
+});
+// ── Canonical JSON ────────────────────────────────────────────────────
+//
+// Must byte-identical with verifier-py canonical_json. Python uses
+// `json.dumps(value, sort_keys=True, separators=(",", ":"), default=str)`.
+// We replicate by:
+//   - sorting object keys recursively
+//   - omitting whitespace
+//   - rendering nullish / Date / Buffer the same way Python's str() does
+//     for the values that pass through (in practice envelope values are
+//     primitives + arrays + plain dicts).
+function sortValue(v) {
+    if (v === null || typeof v !== "object")
+        return v;
+    if (Array.isArray(v))
+        return v.map(sortValue);
+    // Plain object — sort keys.
+    const out = {};
+    for (const k of Object.keys(v).sort()) {
+        out[k] = sortValue(v[k]);
+    }
+    return out;
+}
+export function canonicalJson(value) {
+    return JSON.stringify(sortValue(value));
+}
+export function canonicalHash(value) {
+    return "sha256:" + createHash("sha256").update(canonicalJson(value)).digest("hex");
+}
+// ── Envelope shape ────────────────────────────────────────────────────
+export function validateEnvelopeShape(envelope) {
+    if (typeof envelope !== "object" || envelope === null) {
+        return v29Fail("envelope_not_object");
+    }
+    const e = envelope;
+    if (e.envelope_version !== ENVELOPE_VERSION) {
+        return v29Fail("envelope_version_mismatch", `expected ${ENVELOPE_VERSION}, got ${JSON.stringify(e.envelope_version)}`);
+    }
+    for (const k of ["run_header", "records", "aggregations"]) {
+        if (!(k in e))
+            return v29Fail("envelope_missing_key", k);
+    }
+    const header = e.run_header;
+    if (typeof header !== "object" || header === null) {
+        return v29Fail("run_header_not_object");
+    }
+    for (const k of ["run_id", "org_id", "opened_at", "target_environment"]) {
+        if (!(k in header))
+            return v29Fail("run_header_missing_key", k);
+    }
+    const records = e.records;
+    if (!Array.isArray(records))
+        return v29Fail("records_not_array");
+    for (let i = 0; i < records.length; i++) {
+        const r = records[i];
+        if (typeof r !== "object" || r === null) {
+            return v29Fail("record_not_object", `records[${i}]`);
+        }
+        if (!ALLOWED_KINDS.has(String(r.kind))) {
+            return v29Fail("record_kind_unknown", `records[${i}].kind=${JSON.stringify(r.kind)}`);
+        }
+        if (r.trust_edge != null && !ALLOWED_TRUST_EDGES.has(String(r.trust_edge))) {
+            return v29Fail("record_trust_edge_unknown", `records[${i}].trust_edge=${JSON.stringify(r.trust_edge)}`);
+        }
+    }
+    return v29Pass();
+}
+// ── Aggregation reproduction ──────────────────────────────────────────
+export function reproduceAggregations(records) {
+    const proofMix = {};
+    for (const t of PROOF_TIER_HIERARCHY)
+        proofMix[t] = 0;
+    const trustEdges = {};
+    let floorIdx = null;
+    let proven = 0;
+    let totalWithTier = 0;
+    for (const r of records) {
+        const tier = r.tier_computed;
+        if (typeof tier === "string" && tier in proofMix) {
+            proofMix[tier] += 1;
+            totalWithTier += 1;
+            const idx = TIER_INDEX[tier];
+            if (floorIdx === null || idx < floorIdx)
+                floorIdx = idx;
+            if (idx > 0)
+                proven += 1;
+        }
+        const edge = r.trust_edge;
+        if (typeof edge === "string" && ALLOWED_TRUST_EDGES.has(edge)) {
+            const slot = trustEdges[edge] ?? { count: 0, tier_floor: null };
+            slot.count += 1;
+            if (typeof tier === "string" && tier in TIER_INDEX) {
+                if (slot.tier_floor === null || TIER_INDEX[tier] < TIER_INDEX[slot.tier_floor]) {
+                    slot.tier_floor = tier;
+                }
+            }
+            trustEdges[edge] = slot;
+        }
+    }
+    // Round provable_surface to 4 dp, matching Python's round(...,4) which
+    // banker-rounds — but the inputs we expect are clean fractions, so we
+    // use the JS-native math here. Cross-language tests pin known values.
+    const provableSurface = totalWithTier > 0 ? Math.round((proven / totalWithTier) * 10000) / 10000 : 0.0;
+    return {
+        trust_edges_observed: trustEdges,
+        proof_mix: proofMix,
+        proof_level_floor: floorIdx === null ? null : PROOF_TIER_HIERARCHY[floorIdx],
+        provable_surface: provableSurface,
+        provable_surface_breakdown: {
+            records_with_tier: totalWithTier,
+            records_proven_above_attestation: proven,
+        },
+    };
+}
+export function validateAggregations(envelope) {
+    const stated = envelope.aggregations ?? {};
+    const expected = reproduceAggregations(envelope.records ?? []);
+    if (canonicalJson(stated) !== canonicalJson(expected)) {
+        return v29Fail("aggregation_reproduction_mismatch", "stated aggregations differ from per-record reproduction");
+    }
+    return v29Pass();
+}
+// ── Harness tier-ceiling reproduction ─────────────────────────────────
+function decodeJsonb(v) {
+    if (v == null)
+        return null;
+    if (typeof v === "string") {
+        try {
+            return JSON.parse(v);
+        }
+        catch {
+            return null;
+        }
+    }
+    return v;
+}
+// F24 — reproduce returns the CEILING TIER (string) on downgrade, or
+// null on no-downgrade. Mirror of verifier-py reproduce_tier_ceiling.
+export function reproduceTierCeiling(harnessManifest, surface, tierClaimed) {
+    const ceilings = (decodeJsonb(harnessManifest.surface_tier_ceilings) ?? {});
+    const ceiling = ceilings[surface];
+    if (ceiling == null) {
+        return { effective_tier: tierClaimed, tier_ceiling_applied: null };
+    }
+    const claimIdx = TIER_INDEX[tierClaimed] ?? -1;
+    const ceilIdx = TIER_INDEX[ceiling] ?? -1;
+    if (claimIdx <= ceilIdx || claimIdx === -1) {
+        return { effective_tier: tierClaimed, tier_ceiling_applied: null };
+    }
+    return { effective_tier: ceiling, tier_ceiling_applied: ceiling };
+}
+export function validateRecordsAgainstHarness(records, harnessManifest) {
+    if (!harnessManifest)
+        return v29Pass();
+    for (let i = 0; i < records.length; i++) {
+        const r = records[i];
+        const tierClaimed = r.tier_claimed;
+        const surface = r.surface;
+        let stored = r.tier_ceiling_applied;
+        if (typeof stored === "string" && stored.length === 0)
+            stored = null;
+        if (typeof tierClaimed !== "string" || typeof surface !== "string")
+            continue;
+        const reproduced = reproduceTierCeiling(harnessManifest, surface, tierClaimed);
+        if (reproduced.tier_ceiling_applied !== (stored ?? null)) {
+            return v29Fail("harness_tier_ceiling_reproduction_mismatch", `records[${i}] surface=${surface} tier_claimed=${tierClaimed}`);
+        }
+    }
+    return v29Pass();
+}
+// ── Runtime binding hash ──────────────────────────────────────────────
+export function validateRuntimeBindingHash(binding) {
+    const stored = binding.binding_body_canonical_hash;
+    let body = binding.binding_body_canonical_json;
+    if (!body || typeof stored !== "string") {
+        return v29Fail("runtime_binding_missing_body_or_hash");
+    }
+    if (typeof body === "string") {
+        try {
+            body = JSON.parse(body);
+        }
+        catch {
+            return v29Fail("runtime_binding_body_not_json");
+        }
+    }
+    const reproduced = canonicalHash(body);
+    if (reproduced !== stored) {
+        return v29Fail("runtime_binding_hash_reproduction_mismatch", `stored=${stored.slice(0, 24)}… reproduced=${reproduced.slice(0, 24)}…`);
+    }
+    return v29Pass();
+}
+// ── Manifest canonical hash ───────────────────────────────────────────
+export function reproduceManifestCanonicalHash(manifest, manifestKind) {
+    let body;
+    if (manifestKind === "agent") {
+        body = {
+            agent_manifest_id: manifest.agent_manifest_id,
+            manifest_version: manifest.manifest_version,
+            org_id: manifest.org_id,
+            issuer_id: manifest.issuer_id,
+            agent_name: manifest.agent_name,
+            agent_kind: manifest.agent_kind,
+            agent_vendor: manifest.agent_vendor,
+            capability_grants: decodeJsonb(manifest.capability_grants),
+            scope_expressions: decodeJsonb(manifest.scope_expressions),
+            reversibility_overrides: decodeJsonb(manifest.reversibility_overrides) ?? {},
+            model_profile_id: manifest.model_profile_id ?? null,
+            agent_behavior_profile_id: manifest.agent_behavior_profile_id ?? null,
+            applicable_action_profiles: decodeJsonb(manifest.applicable_action_profiles) ?? [],
+            issued_at: manifest.issued_at,
+            expires_at: manifest.expires_at,
+        };
+    }
+    else {
+        body = {
+            harness_manifest_id: manifest.harness_manifest_id,
+            manifest_version: manifest.manifest_version,
+            org_id: manifest.org_id,
+            issuer_id: manifest.issuer_id,
+            harness_name: manifest.harness_name,
+            harness_bundle_version: manifest.harness_bundle_version,
+            config_hash: manifest.config_hash,
+            native_config_hashes: decodeJsonb(manifest.native_config_hashes) ?? {},
+            surface_tier_ceilings: decodeJsonb(manifest.surface_tier_ceilings),
+            declared_blind_spots: decodeJsonb(manifest.declared_blind_spots) ?? [],
+            detector_posture: decodeJsonb(manifest.detector_posture) ?? {},
+            active_check_classes: decodeJsonb(manifest.active_check_classes) ?? [],
+            issued_at: manifest.issued_at,
+            expires_at: manifest.expires_at,
+        };
+    }
+    return canonicalHash(body);
+}
+export function validateManifestCanonicalHash(manifest, manifestKind) {
+    const stated = manifest.canonical_json_hash;
+    if (typeof stated !== "string")
+        return v29Fail("manifest_missing_canonical_hash");
+    const reproduced = reproduceManifestCanonicalHash(manifest, manifestKind);
+    if (reproduced !== stated) {
+        return v29Fail("manifest_canonical_hash_reproduction_mismatch", `${manifestKind}: stored=${stated.slice(0, 24)}… reproduced=${reproduced.slice(0, 24)}…`);
+    }
+    return v29Pass();
+}
+// ── Top-level verify ──────────────────────────────────────────────────
+// ── Ed25519 signature validation (F3) ─────────────────────────────────
+function canonicalBodyBytes(body) {
+    return Buffer.from(canonicalJson(body), "utf-8");
+}
+function decodeBase64Tolerant(s) {
+    const normalized = s.replace(/-/g, "+").replace(/_/g, "/");
+    const padded = normalized + "=".repeat((4 - (normalized.length % 4)) % 4);
+    return Buffer.from(padded, "base64");
+}
+function verifyEd25519(bodyCanonicalBytes, signatureB64, publicKeyBytes) {
+    if (!bodyCanonicalBytes.length || !signatureB64 || publicKeyBytes.length !== 32) {
+        return false;
+    }
+    try {
+        const sigBytes = decodeBase64Tolerant(signatureB64);
+        // Wrap raw 32-byte ed25519 pubkey in a SubjectPublicKeyInfo via DER.
+        // Node accepts raw key via createPublicKey({ key, format, type, namedCurve })
+        // for ed25519 with type='spki' and DER bytes; the simpler path is to
+        // build SPKI ourselves so we never depend on a higher-level format.
+        const der = Buffer.concat([
+            Buffer.from([0x30, 0x2a, 0x30, 0x05, 0x06, 0x03, 0x2b, 0x65, 0x70, 0x03, 0x21, 0x00]),
+            Buffer.from(publicKeyBytes),
+        ]);
+        const keyObj = createPublicKey({ key: der, format: "der", type: "spki" });
+        return cryptoVerify(null, bodyCanonicalBytes, keyObj, sigBytes);
+    }
+    catch {
+        return false;
+    }
+}
+function manifestCanonicalBody(manifest, kind) {
+    if (kind === "agent") {
+        return {
+            agent_manifest_id: manifest.agent_manifest_id ?? null,
+            manifest_version: manifest.manifest_version ?? null,
+            org_id: manifest.org_id ?? null,
+            issuer_id: manifest.issuer_id ?? null,
+            agent_name: manifest.agent_name ?? null,
+            agent_kind: manifest.agent_kind ?? null,
+            agent_vendor: manifest.agent_vendor ?? null,
+            capability_grants: decodeJsonb(manifest.capability_grants) ?? null,
+            scope_expressions: decodeJsonb(manifest.scope_expressions) ?? null,
+            reversibility_overrides: decodeJsonb(manifest.reversibility_overrides) ?? {},
+            model_profile_id: manifest.model_profile_id ?? null,
+            agent_behavior_profile_id: manifest.agent_behavior_profile_id ?? null,
+            applicable_action_profiles: decodeJsonb(manifest.applicable_action_profiles) ?? [],
+            issued_at: manifest.issued_at ?? null,
+            expires_at: manifest.expires_at ?? null,
+        };
+    }
+    return {
+        harness_manifest_id: manifest.harness_manifest_id ?? null,
+        manifest_version: manifest.manifest_version ?? null,
+        org_id: manifest.org_id ?? null,
+        issuer_id: manifest.issuer_id ?? null,
+        harness_name: manifest.harness_name ?? null,
+        harness_bundle_version: manifest.harness_bundle_version ?? null,
+        config_hash: manifest.config_hash ?? null,
+        native_config_hashes: decodeJsonb(manifest.native_config_hashes) ?? {},
+        surface_tier_ceilings: decodeJsonb(manifest.surface_tier_ceilings) ?? {},
+        declared_blind_spots: decodeJsonb(manifest.declared_blind_spots) ?? [],
+        detector_posture: decodeJsonb(manifest.detector_posture) ?? {},
+        active_check_classes: decodeJsonb(manifest.active_check_classes) ?? [],
+        issued_at: manifest.issued_at ?? null,
+        expires_at: manifest.expires_at ?? null,
+    };
+}
+export function validateRuntimeBindingSignature(binding, pubkeyResolver) {
+    if (!pubkeyResolver)
+        return v29Pass();
+    const sig = binding.signature;
+    const kid = binding.kms_kid;
+    let body = binding.binding_body_canonical_json;
+    if (!body || typeof sig !== "string" || typeof kid !== "string") {
+        return v29Fail("runtime_binding_signature_missing", `body=${!!body} sig=${!!sig} kid=${!!kid}`);
+    }
+    if (typeof body === "string") {
+        try {
+            body = JSON.parse(body);
+        }
+        catch {
+            return v29Fail("runtime_binding_body_not_json");
+        }
+    }
+    let pubkey;
+    try {
+        pubkey = pubkeyResolver(kid);
+    }
+    catch (e) {
+        return v29Fail("runtime_binding_pubkey_unresolvable", `kid=${kid}: ${e}`);
+    }
+    if (!verifyEd25519(canonicalBodyBytes(body), sig, pubkey)) {
+        return v29Fail("runtime_binding_signature_invalid");
+    }
+    return v29Pass();
+}
+export function validateManifestSignature(manifest, manifestKind, pubkeyResolver) {
+    if (!pubkeyResolver)
+        return v29Pass();
+    const sig = manifest.signature;
+    const kid = manifest.kms_kid;
+    if (typeof sig !== "string" || typeof kid !== "string") {
+        return v29Fail(`${manifestKind}_manifest_signature_missing`, `sig=${!!sig} kid=${!!kid}`);
+    }
+    let pubkey;
+    try {
+        pubkey = pubkeyResolver(kid);
+    }
+    catch (e) {
+        return v29Fail(`${manifestKind}_manifest_pubkey_unresolvable`, `kid=${kid}: ${e}`);
+    }
+    const body = manifestCanonicalBody(manifest, manifestKind);
+    if (!verifyEd25519(canonicalBodyBytes(body), sig, pubkey)) {
+        return v29Fail(`${manifestKind}_manifest_signature_invalid`);
+    }
+    return v29Pass();
+}
+export function verifyV29(opts) {
+    if (opts.requireSignatures && !opts.pubkeyResolver) {
+        return v29Fail("signature_resolver_required", "requireSignatures=true but no pubkeyResolver was provided");
+    }
+    let res = validateEnvelopeShape(opts.envelope);
+    if (!res.ok)
+        return res;
+    res = validateAggregations(opts.envelope);
+    if (!res.ok)
+        return res;
+    // F2 — pull bound manifests from envelope.run_header so an offline
+    // verifier reconstructs ceiling/sig context without DB access.
+    const rh = opts.envelope.run_header ?? {};
+    const bound = rh.bound_manifests ?? {};
+    const harnessBlock = opts.harnessManifest ?? bound.harness;
+    const agentBlock = opts.agentManifest ?? bound.agent;
+    const resolver = opts.pubkeyResolver ?? null;
+    res = validateRecordsAgainstHarness(opts.envelope.records ?? [], harnessBlock ?? null);
+    if (!res.ok)
+        return res;
+    if (opts.runtimeBinding) {
+        res = validateRuntimeBindingHash(opts.runtimeBinding);
+        if (!res.ok)
+            return res;
+        // F3
+        res = validateRuntimeBindingSignature(opts.runtimeBinding, resolver);
+        if (!res.ok)
+            return res;
+    }
+    if (agentBlock) {
+        res = validateManifestCanonicalHash(agentBlock, "agent");
+        if (!res.ok)
+            return res;
+        res = validateManifestSignature(agentBlock, "agent", resolver);
+        if (!res.ok)
+            return res;
+    }
+    if (harnessBlock) {
+        res = validateManifestCanonicalHash(harnessBlock, "harness");
+        if (!res.ok)
+            return res;
+        res = validateManifestSignature(harnessBlock, "harness", resolver);
+        if (!res.ok)
+            return res;
+    }
+    return v29Pass();
+}
+//# sourceMappingURL=v29-envelope.js.map

package/dist/v29-envelope.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"v29-envelope.js","sourceRoot":"","sources":["../src/v29-envelope.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAEH,OAAO,EAAE,UAAU,EAAE,eAAe,EAAE,MAAM,IAAI,YAAY,EAAE,MAAM,aAAa,CAAC;AASlF,MAAM,CAAC,MAAM,gBAAgB,GAAG,MAAM,CAAC;AAEvC,MAAM,CAAC,MAAM,aAAa,GAAG,IAAI,GAAG,CAAC;IACnC,kBAAkB;IAClB,iBAAiB;IACjB,0BAA0B;IAC1B,uBAAuB;IACvB,kBAAkB;IAClB,uBAAuB;IACvB,qBAAqB;IACrB,cAAc;IACd,gBAAgB;CACjB,CAAC,CAAC;AAEH,MAAM,CAAC,MAAM,mBAAmB,GAAG,IAAI,GAAG,CAAC,CAAC,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,CAAC,CAAC,CAAC;AAEvF,MAAM,CAAC,MAAM,oBAAoB,GAAG;IAClC,aAAa;IACb,WAAW;IACX,WAAW;IACX,gBAAgB;IAChB,sBAAsB;IACtB,cAAc;CACN,CAAC;AAIX,MAAM,UAAU,GAA2B,MAAM,CAAC,WAAW,CAC3D,oBAAoB,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAC3C,CAAC;AAQF,MAAM,CAAC,MAAM,OAAO,GAAG,GAAoB,EAAE,CAAC,CAAC,EAAE,EAAE,EAAE,IAAI,EAAE,UAAU,EAAE,IAAI,EAAE,CAAC,CAAC;AAC/E,MAAM,CAAC,MAAM,OAAO,GAAG,CAAC,IAAY,EAAE,MAAM,GAAG,EAAE,EAAmB,EAAE,CAAC,CAAC;IACtE,EAAE,EAAE,KAAK;IACT,UAAU,EAAE,IAAI;IAChB,MAAM;CACP,CAAC,CAAC;AAEH,yEAAyE;AACzE,EAAE;AACF,mEAAmE;AACnE,2EAA2E;AAC3E,mBAAmB;AACnB,sCAAsC;AACtC,0BAA0B;AAC1B,yEAAyE;AACzE,wEAAwE;AACxE,0CAA0C;AAE1C,SAAS,SAAS,CAAC,CAAU;IAC3B,IAAI,CAAC,KAAK,IAAI,IAAI,OAAO,CAAC,KAAK,QAAQ;QAAE,OAAO,CAAC,CAAC;IAClD,IAAI,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC;QAAE,OAAO,CAAC,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;IAC9C,4BAA4B;IAC5B,MAAM,GAAG,GAA4B,EAAE,CAAC;IACxC,KAAK,MAAM,CAAC,IAAI,MAAM,CAAC,IAAI,CAAC,CAA4B,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC;QACjE,GAAG,CAAC,CAAC,CAAC,GAAG,SAAS,CAAE,CAA6B,CAAC,CAAC,CAAC,CAAC,CAAC;IACxD,CAAC;IACD,OAAO,GAAG,CAAC;AACb,CAAC;AAED,MAAM,UAAU,aAAa,CAAC,KAAc;IAC1C,OAAO,IAAI,CAAC,SAAS,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC,CAAC;AAC1C,CAAC;AAED,MAAM,UAAU,aAAa,CAAC,KAAc;IAC1C,OAAO,SAAS,GAAG,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,aAAa,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;AACrF,CAAC;AAED,yEAAyE;AAEzE,MAAM,UAAU,qBAAqB,CAAC,QAAiB;IACrD,IAAI,OAAO,QAAQ,KAAK,QAAQ,IAAI,QAAQ,KAAK,IAAI,EAAE,CAAC;QACtD,OAAO,OAAO,CAAC,qBAAqB,CAAC,CAAC;IACxC,CAAC;IACD,MAAM,CAAC,GAAG,QAAmC,CAAC;IAC9C,IAAI,CAAC,CAAC,gBAAgB,KAAK,gBAAgB,EAAE,CAAC;QAC5C,OAAO,OAAO,CACZ,2BAA2B,EAC3B,YAAY,gBAAgB,SAAS,IAAI,CAAC,SAAS,CAAC,CAAC,CAAC,gBAAgB,CAAC,EAAE,CAC1E,CAAC;IACJ,CAAC;IACD,KAAK,MAAM,CAAC,IAAI,CAAC,YAAY,EAAE,SAAS,EAAE,cAAc,CAAC,EAAE,CAAC;QAC1D,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC;YAAE,OAAO,OAAO,CAAC,sBAAsB,EAAE,CAAC,CAAC,CAAC;IAC3D,CAAC;IACD,MAAM,MAAM,GAAG,CAAC,CAAC,UAA4C,CAAC;IAC9D,IAAI,OAAO,MAAM,KAAK,QAAQ,IAAI,MAAM,KAAK,IAAI,EAAE,CAAC;QAClD,OAAO,OAAO,CAAC,uBAAuB,CAAC,CAAC;IAC1C,CAAC;IACD,KAAK,MAAM,CAAC,IAAI,CAAC,QAAQ,EAAE,QAAQ,EAAE,WAAW,EAAE,oBAAoB,CAAC,EAAE,CAAC;QACxE,IAAI,CAAC,CAAC,CAAC,IAAI,MAAM,CAAC;YAAE,OAAO,OAAO,CAAC,wBAAwB,EAAE,CAAC,CAAC,CAAC;IAClE,CAAC;IACD,MAAM,OAAO,GAAG,CAAC,CAAC,OAAO,CAAC;IAC1B,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,OAAO,CAAC;QAAE,OAAO,OAAO,CAAC,mBAAmB,CAAC,CAAC;IACjE,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,OAAO,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QACxC,MAAM,CAAC,GAAG,OAAO,CAAC,CAAC,CAAmC,CAAC;QACvD,IAAI,OAAO,CAAC,KAAK,QAAQ,IAAI,CAAC,KAAK,IAAI,EAAE,CAAC;YACxC,OAAO,OAAO,CAAC,mBAAmB,EAAE,WAAW,CAAC,GAAG,CAAC,CAAC;QACvD,CAAC;QACD,IAAI,CAAC,aAAa,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,EAAE,CAAC;YACvC,OAAO,OAAO,CAAC,qBAAqB,EAAE,WAAW,CAAC,UAAU,IAAI,CAAC,SAAS,CAAC,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QACxF,CAAC;QACD,IAAI,CAAC,CAAC,UAAU,IAAI,IAAI,IAAI,CAAC,mBAAmB,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC,EAAE,CAAC;YAC3E,OAAO,OAAO,CACZ,2BAA2B,EAC3B,WAAW,CAAC,gBAAgB,IAAI,CAAC,SAAS,CAAC,CAAC,CAAC,UAAU,CAAC,EAAE,CAC3D,CAAC;QACJ,CAAC;IACH,CAAC;IACD,OAAO,OAAO,EAAE,CAAC;AACnB,CAAC;AAED,yEAAyE;AAEzE,MAAM,UAAU,qBAAqB,CACnC,OAAuC;IAEvC,MAAM,QAAQ,GAA2B,EAAE,CAAC;IAC5C,KAAK,MAAM,CAAC,IAAI,oBAAoB;QAAE,QAAQ,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC;IACtD,MAAM,UAAU,GAAiE,EAAE,CAAC;IACpF,IAAI,QAAQ,GAAkB,IAAI,CAAC;IACnC,IAAI,MAAM,GAAG,CAAC,CAAC;IACf,IAAI,aAAa,GAAG,CAAC,CAAC;IAEtB,KAAK,MAAM,CAAC,IAAI,OAAO,EAAE,CAAC;QACxB,MAAM,IAAI,GAAG,CAAC,CAAC,aAAa,CAAC;QAC7B,IAAI,OAAO,IAAI,KAAK,QAAQ,IAAI,IAAI,IAAI,QAAQ,EAAE,CAAC;YACjD,QAAQ,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YACpB,aAAa,IAAI,CAAC,CAAC;YACnB,MAAM,GAAG,GAAG,UAAU,CAAC,IAAI,CAAC,CAAC;YAC7B,IAAI,QAAQ,KAAK,IAAI,IAAI,GAAG,GAAG,QAAQ;gBAAE,QAAQ,GAAG,GAAG,CAAC;YACxD,IAAI,GAAG,GAAG,CAAC;gBAAE,MAAM,IAAI,CAAC,CAAC;QAC3B,CAAC;QACD,MAAM,IAAI,GAAG,CAAC,CAAC,UAAU,CAAC;QAC1B,IAAI,OAAO,IAAI,KAAK,QAAQ,IAAI,mBAAmB,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE,CAAC;YAC9D,MAAM,IAAI,GAAG,UAAU,CAAC,IAAI,CAAC,IAAI,EAAE,KAAK,EAAE,CAAC,EAAE,UAAU,EAAE,IAAI,EAAE,CAAC;YAChE,IAAI,CAAC,KAAK,IAAI,CAAC,CAAC;YAChB,IAAI,OAAO,IAAI,KAAK,QAAQ,IAAI,IAAI,IAAI,UAAU,EAAE,CAAC;gBACnD,IAAI,IAAI,CAAC,UAAU,KAAK,IAAI,IAAI,UAAU,CAAC,IAAI,CAAC,GAAG,UAAU,CAAC,IAAI,CAAC,UAAU,CAAC,EAAE,CAAC;oBAC/E,IAAI,CAAC,UAAU,GAAG,IAAI,CAAC;gBACzB,CAAC;YACH,CAAC;YACD,UAAU,CAAC,IAAI,CAAC,GAAG,IAAI,CAAC;QAC1B,CAAC;IACH,CAAC;IAED,uEAAuE;IACvE,sEAAsE;IACtE,sEAAsE;IACtE,MAAM,eAAe,GACnB,aAAa,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,MAAM,GAAG,aAAa,CAAC,GAAG,KAAK,CAAC,GAAG,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC;IAEjF,OAAO;QACL,oBAAoB,EAAE,UAAU;QAChC,SAAS,EAAE,QAAQ;QACnB,iBAAiB,EAAE,QAAQ,KAAK,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,oBAAoB,CAAC,QAAQ,CAAC;QAC5E,gBAAgB,EAAE,eAAe;QACjC,0BAA0B,EAAE;YAC1B,iBAAiB,EAAE,aAAa;YAChC,gCAAgC,EAAE,MAAM;SACzC;KACF,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,oBAAoB,CAAC,QAAiC;IACpE,MAAM,MAAM,GAAI,QAAQ,CAAC,YAAwC,IAAI,EAAE,CAAC;IACxE,MAAM,QAAQ,GAAG,qBAAqB,CACnC,QAAQ,CAAC,OAA0C,IAAI,EAAE,CAC3D,CAAC;IACF,IAAI,aAAa,CAAC,MAAM,CAAC,KAAK,aAAa,CAAC,QAAQ,CAAC,EAAE,CAAC;QACtD,OAAO,OAAO,CACZ,mCAAmC,EACnC,yDAAyD,CAC1D,CAAC;IACJ,CAAC;IACD,OAAO,OAAO,EAAE,CAAC;AACnB,CAAC;AAED,yEAAyE;AAEzE,SAAS,WAAW,CAAC,CAAU;IAC7B,IAAI,CAAC,IAAI,IAAI;QAAE,OAAO,IAAI,CAAC;IAC3B,IAAI,OAAO,CAAC,KAAK,QAAQ,EAAE,CAAC;QAC1B,IAAI,CAAC;YACH,OAAO,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;QACvB,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,IAAI,CAAC;QACd,CAAC;IACH,CAAC;IACD,OAAO,CAAC,CAAC;AACX,CAAC;AAED,qEAAqE;AACrE,sEAAsE;AACtE,MAAM,UAAU,oBAAoB,CAClC,eAAwC,EACxC,OAAe,EACf,WAAmB;IAEnB,MAAM,QAAQ,GAAG,CAAC,WAAW,CAAC,eAAe,CAAC,qBAAqB,CAAC,IAAI,EAAE,CAGzE,CAAC;IACF,MAAM,OAAO,GAAG,QAAQ,CAAC,OAAO,CAAC,CAAC;IAClC,IAAI,OAAO,IAAI,IAAI,EAAE,CAAC;QACpB,OAAO,EAAE,cAAc,EAAE,WAAW,EAAE,oBAAoB,EAAE,IAAI,EAAE,CAAC;IACrE,CAAC;IACD,MAAM,QAAQ,GAAG,UAAU,CAAC,WAAW,CAAC,IAAI,CAAC,CAAC,CAAC;IAC/C,MAAM,OAAO,GAAG,UAAU,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC;IAC1C,IAAI,QAAQ,IAAI,OAAO,IAAI,QAAQ,KAAK,CAAC,CAAC,EAAE,CAAC;QAC3C,OAAO,EAAE,cAAc,EAAE,WAAW,EAAE,oBAAoB,EAAE,IAAI,EAAE,CAAC;IACrE,CAAC;IACD,OAAO,EAAE,cAAc,EAAE,OAAO,EAAE,oBAAoB,EAAE,OAAO,EAAE,CAAC;AACpE,CAAC;AAED,MAAM,UAAU,6BAA6B,CAC3C,OAAuC,EACvC,eAA+C;IAE/C,IAAI,CAAC,eAAe;QAAE,OAAO,OAAO,EAAE,CAAC;IACvC,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,OAAO,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QACxC,MAAM,CAAC,GAAG,OAAO,CAAC,CAAC,CAAC,CAAC;QACrB,MAAM,WAAW,GAAG,CAAC,CAAC,YAAY,CAAC;QACnC,MAAM,OAAO,GAAG,CAAC,CAAC,OAAO,CAAC;QAC1B,IAAI,MAAM,GAAG,CAAC,CAAC,oBAAoB,CAAC;QACpC,IAAI,OAAO,MAAM,KAAK,QAAQ,IAAI,MAAM,CAAC,MAAM,KAAK,CAAC;YAAE,MAAM,GAAG,IAAI,CAAC;QACrE,IAAI,OAAO,WAAW,KAAK,QAAQ,IAAI,OAAO,OAAO,KAAK,QAAQ;YAAE,SAAS;QAC7E,MAAM,UAAU,GAAG,oBAAoB,CAAC,eAAe,EAAE,OAAO,EAAE,WAAW,CAAC,CAAC;QAC/E,IAAI,UAAU,CAAC,oBAAoB,KAAK,CAAC,MAAM,IAAI,IAAI,CAAC,EAAE,CAAC;YACzD,OAAO,OAAO,CACZ,4CAA4C,EAC5C,WAAW,CAAC,aAAa,OAAO,iBAAiB,WAAW,EAAE,CAC/D,CAAC;QACJ,CAAC;IACH,CAAC;IACD,OAAO,OAAO,EAAE,CAAC;AACnB,CAAC;AAED,yEAAyE;AAEzE,MAAM,UAAU,0BAA0B,CACxC,OAAgC;IAEhC,MAAM,MAAM,GAAG,OAAO,CAAC,2BAA2B,CAAC;IACnD,IAAI,IAAI,GAAG,OAAO,CAAC,2BAA2B,CAAC;IAC/C,IAAI,CAAC,IAAI,IAAI,OAAO,MAAM,KAAK,QAAQ,EAAE,CAAC;QACxC,OAAO,OAAO,CAAC,sCAAsC,CAAC,CAAC;IACzD,CAAC;IACD,IAAI,OAAO,IAAI,KAAK,QAAQ,EAAE,CAAC;QAC7B,IAAI,CAAC;YACH,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;QAC1B,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,OAAO,CAAC,+BAA+B,CAAC,CAAC;QAClD,CAAC;IACH,CAAC;IACD,MAAM,UAAU,GAAG,aAAa,CAAC,IAAI,CAAC,CAAC;IACvC,IAAI,UAAU,KAAK,MAAM,EAAE,CAAC;QAC1B,OAAO,OAAO,CACZ,4CAA4C,EAC5C,UAAU,MAAM,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,gBAAgB,UAAU,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,GAAG,CACxE,CAAC;IACJ,CAAC;IACD,OAAO,OAAO,EAAE,CAAC;AACnB,CAAC;AAED,yEAAyE;AAEzE,MAAM,UAAU,8BAA8B,CAC5C,QAAiC,EACjC,YAAiC;IAEjC,IAAI,IAA6B,CAAC;IAClC,IAAI,YAAY,KAAK,OAAO,EAAE,CAAC;QAC7B,IAAI,GAAG;YACL,iBAAiB,EAAE,QAAQ,CAAC,iBAAiB;YAC7C,gBAAgB,EAAE,QAAQ,CAAC,gBAAgB;YAC3C,MAAM,EAAE,QAAQ,CAAC,MAAM;YACvB,SAAS,EAAE,QAAQ,CAAC,SAAS;YAC7B,UAAU,EAAE,QAAQ,CAAC,UAAU;YAC/B,UAAU,EAAE,QAAQ,CAAC,UAAU;YAC/B,YAAY,EAAE,QAAQ,CAAC,YAAY;YACnC,iBAAiB,EAAE,WAAW,CAAC,QAAQ,CAAC,iBAAiB,CAAC;YAC1D,iBAAiB,EAAE,WAAW,CAAC,QAAQ,CAAC,iBAAiB,CAAC;YAC1D,uBAAuB,EAAE,WAAW,CAAC,QAAQ,CAAC,uBAAuB,CAAC,IAAI,EAAE;YAC5E,gBAAgB,EAAE,QAAQ,CAAC,gBAAgB,IAAI,IAAI;YACnD,yBAAyB,EAAE,QAAQ,CAAC,yBAAyB,IAAI,IAAI;YACrE,0BAA0B,EAAE,WAAW,CAAC,QAAQ,CAAC,0BAA0B,CAAC,IAAI,EAAE;YAClF,SAAS,EAAE,QAAQ,CAAC,SAAS;YAC7B,UAAU,EAAE,QAAQ,CAAC,UAAU;SAChC,CAAC;IACJ,CAAC;SAAM,CAAC;QACN,IAAI,GAAG;YACL,mBAAmB,EAAE,QAAQ,CAAC,mBAAmB;YACjD,gBAAgB,EAAE,QAAQ,CAAC,gBAAgB;YAC3C,MAAM,EAAE,QAAQ,CAAC,MAAM;YACvB,SAAS,EAAE,QAAQ,CAAC,SAAS;YAC7B,YAAY,EAAE,QAAQ,CAAC,YAAY;YACnC,sBAAsB,EAAE,QAAQ,CAAC,sBAAsB;YACvD,WAAW,EAAE,QAAQ,CAAC,WAAW;YACjC,oBAAoB,EAAE,WAAW,CAAC,QAAQ,CAAC,oBAAoB,CAAC,IAAI,EAAE;YACtE,qBAAqB,EAAE,WAAW,CAAC,QAAQ,CAAC,qBAAqB,CAAC;YAClE,oBAAoB,EAAE,WAAW,CAAC,QAAQ,CAAC,oBAAoB,CAAC,IAAI,EAAE;YACtE,gBAAgB,EAAE,WAAW,CAAC,QAAQ,CAAC,gBAAgB,CAAC,IAAI,EAAE;YAC9D,oBAAoB,EAAE,WAAW,CAAC,QAAQ,CAAC,oBAAoB,CAAC,IAAI,EAAE;YACtE,SAAS,EAAE,QAAQ,CAAC,SAAS;YAC7B,UAAU,EAAE,QAAQ,CAAC,UAAU;SAChC,CAAC;IACJ,CAAC;IACD,OAAO,aAAa,CAAC,IAAI,CAAC,CAAC;AAC7B,CAAC;AAED,MAAM,UAAU,6BAA6B,CAC3C,QAAiC,EACjC,YAAiC;IAEjC,MAAM,MAAM,GAAG,QAAQ,CAAC,mBAAmB,CAAC;IAC5C,IAAI,OAAO,MAAM,KAAK,QAAQ;QAAE,OAAO,OAAO,CAAC,iCAAiC,CAAC,CAAC;IAClF,MAAM,UAAU,GAAG,8BAA8B,CAAC,QAAQ,EAAE,YAAY,CAAC,CAAC;IAC1E,IAAI,UAAU,KAAK,MAAM,EAAE,CAAC;QAC1B,OAAO,OAAO,CACZ,+CAA+C,EAC/C,GAAG,YAAY,YAAY,MAAM,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,gBAAgB,UAAU,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,GAAG,CACzF,CAAC;IACJ,CAAC;IACD,OAAO,OAAO,EAAE,CAAC;AACnB,CAAC;AAED,yEAAyE;AAEzE,yEAAyE;AAEzE,SAAS,kBAAkB,CAAC,IAA6B;IACvD,OAAO,MAAM,CAAC,IAAI,CAAC,aAAa,CAAC,IAAI,CAAC,EAAE,OAAO,CAAC,CAAC;AACnD,CAAC;AAED,SAAS,oBAAoB,CAAC,CAAS;IACrC,MAAM,UAAU,GAAG,CAAC,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC;IAC3D,MAAM,MAAM,GAAG,UAAU,GAAG,GAAG,CAAC,MAAM,CAAC,CAAC,CAAC,GAAG,CAAC,UAAU,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;IAC1E,OAAO,MAAM,CAAC,IAAI,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC;AACvC,CAAC;AAED,SAAS,aAAa,CACpB,kBAA0B,EAC1B,YAAoB,EACpB,cAA0B;IAE1B,IAAI,CAAC,kBAAkB,CAAC,MAAM,IAAI,CAAC,YAAY,IAAI,cAAc,CAAC,MAAM,KAAK,EAAE,EAAE,CAAC;QAChF,OAAO,KAAK,CAAC;IACf,CAAC;IACD,IAAI,CAAC;QACH,MAAM,QAAQ,GAAG,oBAAoB,CAAC,YAAY,CAAC,CAAC;QACpD,qEAAqE;QACrE,8EAA8E;QAC9E,qEAAqE;QACrE,oEAAoE;QACpE,MAAM,GAAG,GAAG,MAAM,CAAC,MAAM,CAAC;YACxB,MAAM,CAAC,IAAI,CAAC,CAAC,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,CAAC,CAAC;YACrF,MAAM,CAAC,IAAI,CAAC,cAAc,CAAC;SAC5B,CAAC,CAAC;QACH,MAAM,MAAM,GAAG,eAAe,CAAC,EAAE,GAAG,EAAE,GAAG,EAAE,MAAM,EAAE,KAAK,EAAE,IAAI,EAAE,MAAM,EAAE,CAAC,CAAC;QAC1E,OAAO,YAAY,CAAC,IAAI,EAAE,kBAAkB,EAAE,MAAM,EAAE,QAAQ,CAAC,CAAC;IAClE,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAC;IACf,CAAC;AACH,CAAC;AAED,SAAS,qBAAqB,CAC5B,QAAiC,EACjC,IAAyB;IAEzB,IAAI,IAAI,KAAK,OAAO,EAAE,CAAC;QACrB,OAAO;YACL,iBAAiB,EAAE,QAAQ,CAAC,iBAAiB,IAAI,IAAI;YACrD,gBAAgB,EAAE,QAAQ,CAAC,gBAAgB,IAAI,IAAI;YACnD,MAAM,EAAE,QAAQ,CAAC,MAAM,IAAI,IAAI;YAC/B,SAAS,EAAE,QAAQ,CAAC,SAAS,IAAI,IAAI;YACrC,UAAU,EAAE,QAAQ,CAAC,UAAU,IAAI,IAAI;YACvC,UAAU,EAAE,QAAQ,CAAC,UAAU,IAAI,IAAI;YACvC,YAAY,EAAE,QAAQ,CAAC,YAAY,IAAI,IAAI;YAC3C,iBAAiB,EAAE,WAAW,CAAC,QAAQ,CAAC,iBAAiB,CAAC,IAAI,IAAI;YAClE,iBAAiB,EAAE,WAAW,CAAC,QAAQ,CAAC,iBAAiB,CAAC,IAAI,IAAI;YAClE,uBAAuB,EAAE,WAAW,CAAC,QAAQ,CAAC,uBAAuB,CAAC,IAAI,EAAE;YAC5E,gBAAgB,EAAE,QAAQ,CAAC,gBAAgB,IAAI,IAAI;YACnD,yBAAyB,EAAE,QAAQ,CAAC,yBAAyB,IAAI,IAAI;YACrE,0BAA0B,EAAE,WAAW,CAAC,QAAQ,CAAC,0BAA0B,CAAC,IAAI,EAAE;YAClF,SAAS,EAAE,QAAQ,CAAC,SAAS,IAAI,IAAI;YACrC,UAAU,EAAE,QAAQ,CAAC,UAAU,IAAI,IAAI;SACxC,CAAC;IACJ,CAAC;IACD,OAAO;QACL,mBAAmB,EAAE,QAAQ,CAAC,mBAAmB,IAAI,IAAI;QACzD,gBAAgB,EAAE,QAAQ,CAAC,gBAAgB,IAAI,IAAI;QACnD,MAAM,EAAE,QAAQ,CAAC,MAAM,IAAI,IAAI;QAC/B,SAAS,EAAE,QAAQ,CAAC,SAAS,IAAI,IAAI;QACrC,YAAY,EAAE,QAAQ,CAAC,YAAY,IAAI,IAAI;QAC3C,sBAAsB,EAAE,QAAQ,CAAC,sBAAsB,IAAI,IAAI;QAC/D,WAAW,EAAE,QAAQ,CAAC,WAAW,IAAI,IAAI;QACzC,oBAAoB,EAAE,WAAW,CAAC,QAAQ,CAAC,oBAAoB,CAAC,IAAI,EAAE;QACtE,qBAAqB,EAAE,WAAW,CAAC,QAAQ,CAAC,qBAAqB,CAAC,IAAI,EAAE;QACxE,oBAAoB,EAAE,WAAW,CAAC,QAAQ,CAAC,oBAAoB,CAAC,IAAI,EAAE;QACtE,gBAAgB,EAAE,WAAW,CAAC,QAAQ,CAAC,gBAAgB,CAAC,IAAI,EAAE;QAC9D,oBAAoB,EAAE,WAAW,CAAC,QAAQ,CAAC,oBAAoB,CAAC,IAAI,EAAE;QACtE,SAAS,EAAE,QAAQ,CAAC,SAAS,IAAI,IAAI;QACrC,UAAU,EAAE,QAAQ,CAAC,UAAU,IAAI,IAAI;KACxC,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,+BAA+B,CAC7C,OAAgC,EAChC,cAAqC;IAErC,IAAI,CAAC,cAAc;QAAE,OAAO,OAAO,EAAE,CAAC;IACtC,MAAM,GAAG,GAAG,OAAO,CAAC,SAAS,CAAC;IAC9B,MAAM,GAAG,GAAG,OAAO,CAAC,OAAO,CAAC;IAC5B,IAAI,IAAI,GAAG,OAAO,CAAC,2BAA2B,CAAC;IAC/C,IAAI,CAAC,IAAI,IAAI,OAAO,GAAG,KAAK,QAAQ,IAAI,OAAO,GAAG,KAAK,QAAQ,EAAE,CAAC;QAChE,OAAO,OAAO,CACZ,mCAAmC,EACnC,QAAQ,CAAC,CAAC,IAAI,QAAQ,CAAC,CAAC,GAAG,QAAQ,CAAC,CAAC,GAAG,EAAE,CAC3C,CAAC;IACJ,CAAC;IACD,IAAI,OAAO,IAAI,KAAK,QAAQ,EAAE,CAAC;QAC7B,IAAI,CAAC;YACH,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;QAC1B,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,OAAO,CAAC,+BAA+B,CAAC,CAAC;QAClD,CAAC;IACH,CAAC;IACD,IAAI,MAAkB,CAAC;IACvB,IAAI,CAAC;QACH,MAAM,GAAG,cAAc,CAAC,GAAG,CAAC,CAAC;IAC/B,CAAC;IAAC,OAAO,CAAC,EAAE,CAAC;QACX,OAAO,OAAO,CAAC,qCAAqC,EAAE,OAAO,GAAG,KAAK,CAAC,EAAE,CAAC,CAAC;IAC5E,CAAC;IACD,IAAI,CAAC,aAAa,CAAC,kBAAkB,CAAC,IAA+B,CAAC,EAAE,GAAG,EAAE,MAAM,CAAC,EAAE,CAAC;QACrF,OAAO,OAAO,CAAC,mCAAmC,CAAC,CAAC;IACtD,CAAC;IACD,OAAO,OAAO,EAAE,CAAC;AACnB,CAAC;AAED,MAAM,UAAU,yBAAyB,CACvC,QAAiC,EACjC,YAAiC,EACjC,cAAqC;IAErC,IAAI,CAAC,cAAc;QAAE,OAAO,OAAO,EAAE,CAAC;IACtC,MAAM,GAAG,GAAG,QAAQ,CAAC,SAAS,CAAC;IAC/B,MAAM,GAAG,GAAG,QAAQ,CAAC,OAAO,CAAC;IAC7B,IAAI,OAAO,GAAG,KAAK,QAAQ,IAAI,OAAO,GAAG,KAAK,QAAQ,EAAE,CAAC;QACvD,OAAO,OAAO,CACZ,GAAG,YAAY,6BAA6B,EAC5C,OAAO,CAAC,CAAC,GAAG,QAAQ,CAAC,CAAC,GAAG,EAAE,CAC5B,CAAC;IACJ,CAAC;IACD,IAAI,MAAkB,CAAC;IACvB,IAAI,CAAC;QACH,MAAM,GAAG,cAAc,CAAC,GAAG,CAAC,CAAC;IAC/B,CAAC;IAAC,OAAO,CAAC,EAAE,CAAC;QACX,OAAO,OAAO,CAAC,GAAG,YAAY,+BAA+B,EAAE,OAAO,GAAG,KAAK,CAAC,EAAE,CAAC,CAAC;IACrF,CAAC;IACD,MAAM,IAAI,GAAG,qBAAqB,CAAC,QAAQ,EAAE,YAAY,CAAC,CAAC;IAC3D,IAAI,CAAC,aAAa,CAAC,kBAAkB,CAAC,IAAI,CAAC,EAAE,GAAG,EAAE,MAAM,CAAC,EAAE,CAAC;QAC1D,OAAO,OAAO,CAAC,GAAG,YAAY,6BAA6B,CAAC,CAAC;IAC/D,CAAC;IACD,OAAO,OAAO,EAAE,CAAC;AACnB,CAAC;AAED,MAAM,UAAU,SAAS,CAAC,IAOzB;IACC,IAAI,IAAI,CAAC,iBAAiB,IAAI,CAAC,IAAI,CAAC,cAAc,EAAE,CAAC;QACnD,OAAO,OAAO,CACZ,6BAA6B,EAC7B,2DAA2D,CAC5D,CAAC;IACJ,CAAC;IACD,IAAI,GAAG,GAAG,qBAAqB,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;IAC/C,IAAI,CAAC,GAAG,CAAC,EAAE;QAAE,OAAO,GAAG,CAAC;IACxB,GAAG,GAAG,oBAAoB,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;IAC1C,IAAI,CAAC,GAAG,CAAC,EAAE;QAAE,OAAO,GAAG,CAAC;IAExB,mEAAmE;IACnE,+DAA+D;IAC/D,MAAM,EAAE,GAAI,IAAI,CAAC,QAAQ,CAAC,UAAsC,IAAI,EAAE,CAAC;IACvE,MAAM,KAAK,GAAI,EAAE,CAAC,eAA2C,IAAI,EAAE,CAAC;IACpE,MAAM,YAAY,GAChB,IAAI,CAAC,eAAe,IAAK,KAAK,CAAC,OAAmC,CAAC;IACrE,MAAM,UAAU,GAAG,IAAI,CAAC,aAAa,IAAK,KAAK,CAAC,KAAiC,CAAC;IAClF,MAAM,QAAQ,GAAG,IAAI,CAAC,cAAc,IAAI,IAAI,CAAC;IAE7C,GAAG,GAAG,6BAA6B,CAChC,IAAI,CAAC,QAAQ,CAAC,OAA0C,IAAI,EAAE,EAC/D,YAAY,IAAI,IAAI,CACrB,CAAC;IACF,IAAI,CAAC,GAAG,CAAC,EAAE;QAAE,OAAO,GAAG,CAAC;IACxB,IAAI,IAAI,CAAC,cAAc,EAAE,CAAC;QACxB,GAAG,GAAG,0BAA0B,CAAC,IAAI,CAAC,cAAc,CAAC,CAAC;QACtD,IAAI,CAAC,GAAG,CAAC,EAAE;YAAE,OAAO,GAAG,CAAC;QACxB,KAAK;QACL,GAAG,GAAG,+BAA+B,CAAC,IAAI,CAAC,cAAc,EAAE,QAAQ,CAAC,CAAC;QACrE,IAAI,CAAC,GAAG,CAAC,EAAE;YAAE,OAAO,GAAG,CAAC;IAC1B,CAAC;IACD,IAAI,UAAU,EAAE,CAAC;QACf,GAAG,GAAG,6BAA6B,CAAC,UAAU,EAAE,OAAO,CAAC,CAAC;QACzD,IAAI,CAAC,GAAG,CAAC,EAAE;YAAE,OAAO,GAAG,CAAC;QACxB,GAAG,GAAG,yBAAyB,CAAC,UAAU,EAAE,OAAO,EAAE,QAAQ,CAAC,CAAC;QAC/D,IAAI,CAAC,GAAG,CAAC,EAAE;YAAE,OAAO,GAAG,CAAC;IAC1B,CAAC;IACD,IAAI,YAAY,EAAE,CAAC;QACjB,GAAG,GAAG,6BAA6B,CAAC,YAAY,EAAE,SAAS,CAAC,CAAC;QAC7D,IAAI,CAAC,GAAG,CAAC,EAAE;YAAE,OAAO,GAAG,CAAC;QACxB,GAAG,GAAG,yBAAyB,CAAC,YAAY,EAAE,SAAS,EAAE,QAAQ,CAAC,CAAC;QACnE,IAAI,CAAC,GAAG,CAAC,EAAE;YAAE,OAAO,GAAG,CAAC;IAC1B,CAAC;IACD,OAAO,OAAO,EAAE,CAAC;AACnB,CAAC"}

package/dist/verifier.d.ts

@@ -0,0 +1,36 @@
+/**
+ * primust-verify — Offline VPEC artifact verifier.
+ *
+ * ZERO runtime dependencies on Primust infrastructure after initial
+ * public key fetch. Must verify a VPEC produced today in 10 years.
+ *
+ * Verification steps (in order):
+ * 1. Schema validation
+ * 2. SHA-256 integrity + Ed25519 signature (combined)
+ * 3. Kid resolution
+ * 4. Signer status check (Rekor — stubbed in v1)
+ * 5. RFC 3161 timestamp verification (stubbed in v1)
+ * 6. Proof level integrity
+ * 7. Manifest hash audit
+ * 8. ZK proof verification (stubbed in v1)
+ * 9. test_mode check
+ */
+import type { VerifyOptions, VerificationResult, UpstreamRootResolver } from './types.js';
+/**
+ * Verify a VPEC artifact.
+ *
+ * @param artifact               - Parsed artifact JSON (Record<string, unknown>)
+ * @param options                - Verification options
+ * @param upstreamRootResolver   - Optional synchronous resolver returning
+ *   the PARENT VPEC's `commitment_root_poseidon2` for a given upstream
+ *   VPEC envelope ID. When provided, governance_upstream_vpec_inclusion
+ *   proofs are anchored to `Poseidon2(lineage_commitment(child_run_id,
+ *   upstream_vpec_ids), parentRoot)` — the same reduction
+ *   `PolicySnapshotService.openRun` performs at issuance. When omitted,
+ *   the verifier falls back to anchoring against the artifact's own
+ *   `commitment_root_poseidon2` (legacy behavior — preserves backward
+ *   compat for callers that lack upstream-store context).
+ * @returns VerificationResult with errors/warnings
+ */
+export declare function verify(artifact: Record<string, unknown>, options?: VerifyOptions, upstreamRootResolver?: UpstreamRootResolver): Promise<VerificationResult>;
+//# sourceMappingURL=verifier.d.ts.map

package/dist/verifier.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"verifier.d.ts","sourceRoot":"","sources":["../src/verifier.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;GAgBG;AAcH,OAAO,KAAK,EACV,aAAa,EACb,kBAAkB,EAElB,oBAAoB,EACrB,MAAM,YAAY,CAAC;AA0EpB;;;;;;;;;;;;;;;GAeG;AACH,wBAAsB,MAAM,CAC1B,QAAQ,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EACjC,OAAO,GAAE,aAAkB,EAC3B,oBAAoB,CAAC,EAAE,oBAAoB,GAC1C,OAAO,CAAC,kBAAkB,CAAC,CA6X7B"}