@qlever-llc/trellis 0.5.1 → 0.6.0

package/README.md

@@ -3,7 +3,21 @@
 JavaScript Trellis client runtime. Provides contract-driven client helpers and runtime error types.
 
 ```typescript
-const client = contract.createClient(nc, auth, opts);
+import { defineContract } from "@qlever-llc/trellis";
+import { auth } from "@qlever-llc/trellis/sdk/auth";
+
+const app = defineContract({
+  id: "example.app@v1",
+  displayName: "Example App",
+  description: "Example Trellis browser client.",
+  kind: "app",
+  uses: {
+    auth: auth.useDefaults(),
+  },
+});
+
+const client = app.createClient(nc, authSession, opts);
+const me = await client.requestOrThrow("Auth.Me", {});
 ```
 
-Server connection helpers live in `@qlever-llc/trellis-server` to keep this package browser-safe.
+Server connection helpers live in `@qlever-llc/trellis/server*` to keep the root package browser-safe.

package/esm/_dnt.polyfills.d.ts

@@ -4,4 +4,15 @@ declare global {
     }
 }
 export {};
+declare global {
+    interface Object {
+        /**
+         * Determines whether an object has a property with the specified name.
+         * @param o An object.
+         * @param v A property name.
+         */
+        hasOwn(o: object, v: PropertyKey): boolean;
+    }
+}
+export {};
 //# sourceMappingURL=_dnt.polyfills.d.ts.map

package/esm/_dnt.polyfills.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"_dnt.polyfills.d.ts","sourceRoot":"","sources":["../src/_dnt.polyfills.ts"],"names":[],"mappings":"AAAA,OAAO,CAAC,MAAM,CAAC;IACb,UAAU,KAAK;QACb,KAAK,CAAC,EAAE,OAAO,CAAC;KACjB;CACF;AAED,OAAO,EAAE,CAAC"}
+{"version":3,"file":"_dnt.polyfills.d.ts","sourceRoot":"","sources":["../src/_dnt.polyfills.ts"],"names":[],"mappings":"AAAA,OAAO,CAAC,MAAM,CAAC;IACb,UAAU,KAAK;QACb,KAAK,CAAC,EAAE,OAAO,CAAC;KACjB;CACF;AAED,OAAO,EAAE,CAAC;AAgBV,OAAO,CAAC,MAAM,CAAC;IACb,UAAU,MAAM;QACd;;;;WAIG;QACH,MAAM,CAAC,CAAC,EAAE,MAAM,EAAE,CAAC,EAAE,WAAW,GAAG,OAAO,CAAC;KAC5C;CACF;AAED,OAAO,EAAE,CAAC"}

package/esm/_dnt.polyfills.js

@@ -1 +1,15 @@
+// https://github.com/tc39/proposal-accessible-object-hasownproperty/blob/main/polyfill.js
+if (!Object.hasOwn) {
+    Object.defineProperty(Object, "hasOwn", {
+        value: function (object, property) {
+            if (object == null) {
+                throw new TypeError("Cannot convert undefined or null to object");
+            }
+            return Object.prototype.hasOwnProperty.call(Object(object), property);
+        },
+        configurable: true,
+        enumerable: false,
+        writable: true,
+    });
+}
 export {};

package/esm/_dnt.shims.d.ts

@@ -0,0 +1,6 @@
+import { Deno } from "@deno/shim-deno";
+export { Deno } from "@deno/shim-deno";
+export declare const dntGlobalThis: Omit<typeof globalThis, "Deno"> & {
+    Deno: typeof Deno;
+};
+//# sourceMappingURL=_dnt.shims.d.ts.map

package/esm/_dnt.shims.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"_dnt.shims.d.ts","sourceRoot":"","sources":["../src/_dnt.shims.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,IAAI,EAAE,MAAM,iBAAiB,CAAC;AACvC,OAAO,EAAE,IAAI,EAAE,MAAM,iBAAiB,CAAC;AAKvC,eAAO,MAAM,aAAa;;CAA2C,CAAC"}

package/esm/_dnt.shims.js

@@ -0,0 +1,61 @@
+import { Deno } from "@deno/shim-deno";
+export { Deno } from "@deno/shim-deno";
+const dntGlobals = {
+    Deno,
+};
+export const dntGlobalThis = createMergeProxy(globalThis, dntGlobals);
+function createMergeProxy(baseObj, extObj) {
+    return new Proxy(baseObj, {
+        get(_target, prop, _receiver) {
+            if (prop in extObj) {
+                return extObj[prop];
+            }
+            else {
+                return baseObj[prop];
+            }
+        },
+        set(_target, prop, value) {
+            if (prop in extObj) {
+                delete extObj[prop];
+            }
+            baseObj[prop] = value;
+            return true;
+        },
+        deleteProperty(_target, prop) {
+            let success = false;
+            if (prop in extObj) {
+                delete extObj[prop];
+                success = true;
+            }
+            if (prop in baseObj) {
+                delete baseObj[prop];
+                success = true;
+            }
+            return success;
+        },
+        ownKeys(_target) {
+            const baseKeys = Reflect.ownKeys(baseObj);
+            const extKeys = Reflect.ownKeys(extObj);
+            const extKeysSet = new Set(extKeys);
+            return [...baseKeys.filter((k) => !extKeysSet.has(k)), ...extKeys];
+        },
+        defineProperty(_target, prop, desc) {
+            if (prop in extObj) {
+                delete extObj[prop];
+            }
+            Reflect.defineProperty(baseObj, prop, desc);
+            return true;
+        },
+        getOwnPropertyDescriptor(_target, prop) {
+            if (prop in extObj) {
+                return Reflect.getOwnPropertyDescriptor(extObj, prop);
+            }
+            else {
+                return Reflect.getOwnPropertyDescriptor(baseObj, prop);
+            }
+        },
+        has(_target, prop) {
+            return prop in extObj || prop in baseObj;
+        },
+    });
+}

package/esm/auth/browser/login.d.ts

@@ -0,0 +1,27 @@
+import { type BindResponse, type BindSuccessResponse } from "../schemas.js";
+import type { SessionKeyHandle } from "./session.js";
+export type { BindResponse, BindSuccessResponse, ContractApproval, SentinelCreds, } from "../schemas.js";
+export type AuthConfig = {
+    authUrl: string;
+};
+export declare function buildLoginUrl(config: AuthConfig, provider: string | undefined, redirectTo: string, handle: SessionKeyHandle, contract: Record<string, unknown>, context?: unknown): Promise<string>;
+export declare function buildLoginUrl(args: {
+    authUrl: string;
+    provider?: string;
+    redirectTo: string;
+    handle: SessionKeyHandle;
+    contract: Record<string, unknown>;
+    context?: unknown;
+}): Promise<string>;
+export declare function buildLoginUrl(args: {
+    config: AuthConfig;
+    provider?: string;
+    redirectTo: string;
+    handle: SessionKeyHandle;
+    contract: Record<string, unknown>;
+    context?: unknown;
+}): Promise<string>;
+export declare function isBindSuccessResponse(response: BindResponse): response is BindSuccessResponse;
+export declare function bindFlow(config: AuthConfig, handle: SessionKeyHandle, flowId: string): Promise<BindResponse>;
+export declare function bindSession(config: AuthConfig, handle: SessionKeyHandle, authToken: string): Promise<BindResponse>;
+//# sourceMappingURL=login.d.ts.map

package/esm/auth/browser/login.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"login.d.ts","sourceRoot":"","sources":["../../../src/auth/browser/login.ts"],"names":[],"mappings":"AAEA,OAAO,EACL,KAAK,YAAY,EAEjB,KAAK,mBAAmB,EAEzB,MAAM,eAAe,CAAC;AACvB,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,cAAc,CAAC;AAGrD,YAAY,EACV,YAAY,EACZ,mBAAmB,EACnB,gBAAgB,EAChB,aAAa,GACd,MAAM,eAAe,CAAC;AAEvB,MAAM,MAAM,UAAU,GAAG;IACvB,OAAO,EAAE,MAAM,CAAC;CACjB,CAAC;AA4BF,wBAAsB,aAAa,CACjC,MAAM,EAAE,UAAU,EAClB,QAAQ,EAAE,MAAM,GAAG,SAAS,EAC5B,UAAU,EAAE,MAAM,EAClB,MAAM,EAAE,gBAAgB,EACxB,QAAQ,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EACjC,OAAO,CAAC,EAAE,OAAO,GAChB,OAAO,CAAC,MAAM,CAAC,CAAC;AACnB,wBAAsB,aAAa,CACjC,IAAI,EAAE;IACJ,OAAO,EAAE,MAAM,CAAC;IAChB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,UAAU,EAAE,MAAM,CAAC;IACnB,MAAM,EAAE,gBAAgB,CAAC;IACzB,QAAQ,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAClC,OAAO,CAAC,EAAE,OAAO,CAAC;CACnB,GACA,OAAO,CAAC,MAAM,CAAC,CAAC;AACnB,wBAAsB,aAAa,CACjC,IAAI,EAAE;IACJ,MAAM,EAAE,UAAU,CAAC;IACnB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,UAAU,EAAE,MAAM,CAAC;IACnB,MAAM,EAAE,gBAAgB,CAAC;IACzB,QAAQ,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAClC,OAAO,CAAC,EAAE,OAAO,CAAC;CACnB,GACA,OAAO,CAAC,MAAM,CAAC,CAAC;AAwEnB,wBAAgB,qBAAqB,CAAC,QAAQ,EAAE,YAAY,GAAG,QAAQ,IAAI,mBAAmB,CAE7F;AAED,wBAAsB,QAAQ,CAC5B,MAAM,EAAE,UAAU,EAClB,MAAM,EAAE,gBAAgB,EACxB,MAAM,EAAE,MAAM,GACb,OAAO,CAAC,YAAY,CAAC,CAmBvB;AAED,wBAAsB,WAAW,CAC/B,MAAM,EAAE,UAAU,EAClB,MAAM,EAAE,gBAAgB,EACxB,SAAS,EAAE,MAAM,GAChB,OAAO,CAAC,YAAY,CAAC,CAoBvB"}

package/esm/auth/browser/login.js

@@ -0,0 +1,94 @@
+import { canonicalizeJsonValue } from "../utils.js";
+import { Value } from "typebox/value";
+import { BindResponseSchema, } from "../schemas.js";
+import { bindFlowSig, bindSig, getPublicSessionKey, oauthInitSig } from "./session.js";
+function encodeJsonForQuery(value) {
+    const json = canonicalizeJsonValue(value);
+    const bytes = new TextEncoder().encode(json);
+    let binary = "";
+    for (const byte of bytes)
+        binary += String.fromCharCode(byte);
+    return btoa(binary).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/g, "");
+}
+export async function buildLoginUrl(argsOrConfig, provider, redirectTo, handle, contract, context) {
+    const resolved = isNestedBuildLoginUrlArgs(argsOrConfig)
+        ? argsOrConfig
+        : isFlatBuildLoginUrlArgs(argsOrConfig)
+            ? {
+                config: { authUrl: argsOrConfig.authUrl },
+                provider: argsOrConfig.provider,
+                redirectTo: argsOrConfig.redirectTo,
+                handle: argsOrConfig.handle,
+                contract: argsOrConfig.contract,
+                context: argsOrConfig.context,
+            }
+            : buildLoginUrlArgsFromPositional(argsOrConfig, provider, redirectTo, handle, contract, context);
+    const sessionKey = getPublicSessionKey(resolved.handle);
+    const sig = await oauthInitSig(resolved.handle, resolved.redirectTo, resolved.context);
+    const url = new URL(`${resolved.config.authUrl}/auth/login`);
+    url.searchParams.set("redirectTo", resolved.redirectTo);
+    url.searchParams.set("sessionKey", sessionKey);
+    url.searchParams.set("sig", sig);
+    url.searchParams.set("contract", encodeJsonForQuery(resolved.contract));
+    if (resolved.provider) {
+        url.searchParams.set("provider", resolved.provider);
+    }
+    if (resolved.context !== undefined) {
+        url.searchParams.set("context", encodeJsonForQuery(resolved.context));
+    }
+    return url.href;
+}
+function buildLoginUrlArgsFromPositional(config, provider, redirectTo, handle, contract, context) {
+    if (redirectTo === undefined || handle === undefined || contract === undefined) {
+        throw new TypeError("buildLoginUrl requires redirectTo, handle, and contract");
+    }
+    return {
+        config,
+        provider,
+        redirectTo,
+        handle,
+        contract,
+        context,
+    };
+}
+function isNestedBuildLoginUrlArgs(value) {
+    return "config" in value;
+}
+function isFlatBuildLoginUrlArgs(value) {
+    return "authUrl" in value && "redirectTo" in value && "handle" in value && "contract" in value;
+}
+export function isBindSuccessResponse(response) {
+    return response.status === "bound";
+}
+export async function bindFlow(config, handle, flowId) {
+    const sessionKey = getPublicSessionKey(handle);
+    const sig = await bindFlowSig(handle, flowId);
+    const response = await fetch(`${config.authUrl}/auth/flow/${encodeURIComponent(flowId)}/bind`, {
+        method: "POST",
+        headers: { "Content-Type": "application/json" },
+        body: JSON.stringify({ sessionKey, sig }),
+    });
+    if (!response.ok) {
+        const text = await response.text();
+        throw new Error(`Bind failed: ${response.status} ${text}`);
+    }
+    return Value.Parse(BindResponseSchema, await response.json());
+}
+export async function bindSession(config, handle, authToken) {
+    const sessionKey = getPublicSessionKey(handle);
+    const sig = await bindSig(handle, authToken);
+    const response = await fetch(`${config.authUrl}/auth/bind`, {
+        method: "POST",
+        headers: { "Content-Type": "application/json" },
+        body: JSON.stringify({
+            authToken,
+            sessionKey,
+            sig,
+        }),
+    });
+    if (!response.ok) {
+        const text = await response.text();
+        throw new Error(`Bind failed: ${response.status} ${text}`);
+    }
+    return Value.Parse(BindResponseSchema, await response.json());
+}

package/esm/auth/browser/portal.d.ts

@@ -0,0 +1,11 @@
+import { type PortalFlowState } from "../protocol.js";
+import type { ApprovalDecision } from "../schemas.js";
+import type { AuthConfig } from "./login.js";
+export type { PortalFlowState } from "../protocol.js";
+export type { ApprovalDecision } from "../schemas.js";
+export declare function portalFlowIdFromUrl(url: URL): string | null;
+export declare function fetchPortalFlowState(config: AuthConfig, flowId: string): Promise<PortalFlowState>;
+export declare function portalProviderLoginUrl(config: AuthConfig, providerId: string, flowId: string): string;
+export declare function submitPortalApproval(config: AuthConfig, flowId: string, decision: ApprovalDecision): Promise<PortalFlowState>;
+export declare function portalRedirectLocation(state: PortalFlowState | null): string | null;
+//# sourceMappingURL=portal.d.ts.map

package/esm/auth/browser/portal.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"portal.d.ts","sourceRoot":"","sources":["../../../src/auth/browser/portal.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,KAAK,eAAe,EAAyB,MAAM,gBAAgB,CAAC;AAC7E,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,eAAe,CAAC;AACtD,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,YAAY,CAAC;AAG7C,YAAY,EAAE,eAAe,EAAE,MAAM,gBAAgB,CAAC;AACtD,YAAY,EAAE,gBAAgB,EAAE,MAAM,eAAe,CAAC;AAMtD,wBAAgB,mBAAmB,CAAC,GAAG,EAAE,GAAG,GAAG,MAAM,GAAG,IAAI,CAE3D;AAED,wBAAsB,oBAAoB,CACxC,MAAM,EAAE,UAAU,EAClB,MAAM,EAAE,MAAM,GACb,OAAO,CAAC,eAAe,CAAC,CAO1B;AAED,wBAAgB,sBAAsB,CACpC,MAAM,EAAE,UAAU,EAClB,UAAU,EAAE,MAAM,EAClB,MAAM,EAAE,MAAM,GACb,MAAM,CAGR;AAED,wBAAsB,oBAAoB,CACxC,MAAM,EAAE,UAAU,EAClB,MAAM,EAAE,MAAM,EACd,QAAQ,EAAE,gBAAgB,GACzB,OAAO,CAAC,eAAe,CAAC,CAe1B;AAED,wBAAgB,sBAAsB,CAAC,KAAK,EAAE,eAAe,GAAG,IAAI,GAAG,MAAM,GAAG,IAAI,CAEnF"}

package/esm/auth/browser/portal.js

@@ -0,0 +1,33 @@
+import { PortalFlowStateSchema } from "../protocol.js";
+import { Value } from "typebox/value";
+function authBaseUrl(config) {
+    return config.authUrl.replace(/\/$/, "");
+}
+export function portalFlowIdFromUrl(url) {
+    return url.searchParams.get("flowId");
+}
+export async function fetchPortalFlowState(config, flowId) {
+    const response = await fetch(`${authBaseUrl(config)}/auth/flow/${encodeURIComponent(flowId)}`);
+    if (!response.ok) {
+        throw new Error(`Failed to load portal flow (${response.status})`);
+    }
+    return Value.Parse(PortalFlowStateSchema, await response.json());
+}
+export function portalProviderLoginUrl(config, providerId, flowId) {
+    const base = `${authBaseUrl(config)}/auth/login/${encodeURIComponent(providerId)}`;
+    return `${base}?flowId=${encodeURIComponent(flowId)}`;
+}
+export async function submitPortalApproval(config, flowId, decision) {
+    const response = await fetch(`${authBaseUrl(config)}/auth/flow/${encodeURIComponent(flowId)}/approval`, {
+        method: "POST",
+        headers: { "content-type": "application/json" },
+        body: JSON.stringify({ decision }),
+    });
+    if (!response.ok) {
+        throw new Error(`Approval request failed (${response.status})`);
+    }
+    return Value.Parse(PortalFlowStateSchema, await response.json());
+}
+export function portalRedirectLocation(state) {
+    return state?.status === "redirect" ? state.location : null;
+}

package/esm/auth/browser/session.d.ts

@@ -0,0 +1,19 @@
+export type SessionKeyHandle = {
+    privateKey: CryptoKey;
+    publicKey: CryptoKey;
+    publicKeyRaw: Uint8Array;
+    sessionKey: string;
+};
+export declare function generateSessionKey(): Promise<SessionKeyHandle>;
+export declare function loadSessionKey(): Promise<SessionKeyHandle | null>;
+export declare function getOrCreateSessionKey(): Promise<SessionKeyHandle>;
+export declare function signBytes(handle: SessionKeyHandle, data: Uint8Array): Promise<Uint8Array>;
+export declare function getPublicSessionKey(handle: SessionKeyHandle): string;
+export declare function oauthInitSig(handle: SessionKeyHandle, redirectTo: string, context?: unknown): Promise<string>;
+export declare function bindSig(handle: SessionKeyHandle, authToken: string): Promise<string>;
+export declare function bindFlowSig(handle: SessionKeyHandle, flowId: string): Promise<string>;
+export declare function natsConnectSigForBindingToken(handle: SessionKeyHandle, bindingToken: string): Promise<string>;
+export declare function createRpcProof(handle: SessionKeyHandle, subject: string, payload: Uint8Array): Promise<string>;
+export declare function clearSessionKey(): Promise<void>;
+export declare function hasSessionKey(): Promise<boolean>;
+//# sourceMappingURL=session.d.ts.map

package/esm/auth/browser/session.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"session.d.ts","sourceRoot":"","sources":["../../../src/auth/browser/session.ts"],"names":[],"mappings":"AAIA,MAAM,MAAM,gBAAgB,GAAG;IAC7B,UAAU,EAAE,SAAS,CAAC;IACtB,SAAS,EAAE,SAAS,CAAC;IACrB,YAAY,EAAE,UAAU,CAAC;IACzB,UAAU,EAAE,MAAM,CAAC;CACpB,CAAC;AAEF,wBAAsB,kBAAkB,IAAI,OAAO,CAAC,gBAAgB,CAAC,CAapE;AAED,wBAAsB,cAAc,IAAI,OAAO,CAAC,gBAAgB,GAAG,IAAI,CAAC,CASvE;AAED,wBAAsB,qBAAqB,IAAI,OAAO,CAAC,gBAAgB,CAAC,CAIvE;AAED,wBAAsB,SAAS,CAAC,MAAM,EAAE,gBAAgB,EAAE,IAAI,EAAE,UAAU,GAAG,OAAO,CAAC,UAAU,CAAC,CAO/F;AAED,wBAAgB,mBAAmB,CAAC,MAAM,EAAE,gBAAgB,GAAG,MAAM,CAEpE;AAED,wBAAsB,YAAY,CAChC,MAAM,EAAE,gBAAgB,EACxB,UAAU,EAAE,MAAM,EAClB,OAAO,CAAC,EAAE,OAAO,GAChB,OAAO,CAAC,MAAM,CAAC,CAKjB;AAED,wBAAsB,OAAO,CAAC,MAAM,EAAE,gBAAgB,EAAE,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAI1F;AAED,wBAAsB,WAAW,CAAC,MAAM,EAAE,gBAAgB,EAAE,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAI3F;AAED,wBAAsB,6BAA6B,CACjD,MAAM,EAAE,gBAAgB,EACxB,YAAY,EAAE,MAAM,GACnB,OAAO,CAAC,MAAM,CAAC,CAIjB;AAED,wBAAsB,cAAc,CAClC,MAAM,EAAE,gBAAgB,EACxB,OAAO,EAAE,MAAM,EACf,OAAO,EAAE,UAAU,GAClB,OAAO,CAAC,MAAM,CAAC,CAGjB;AAED,wBAAsB,eAAe,IAAI,OAAO,CAAC,IAAI,CAAC,CAErD;AAED,wBAAsB,aAAa,IAAI,OAAO,CAAC,OAAO,CAAC,CAEtD"}

package/esm/auth/browser/session.js

@@ -0,0 +1,65 @@
+import { base64urlEncode, canonicalizeJsonValue, sha256, toArrayBuffer, utf8 } from "../utils.js";
+import { createProof } from "../proof.js";
+import { deleteKeyPair, hasKeyPair, loadKeyPair, storeKeyPair } from "./storage.js";
+export async function generateSessionKey() {
+    const keyPair = await crypto.subtle.generateKey({ name: "Ed25519" }, false, ["sign", "verify"]);
+    const publicKeyRaw = new Uint8Array(await crypto.subtle.exportKey("raw", keyPair.publicKey));
+    const sessionKey = base64urlEncode(publicKeyRaw);
+    await storeKeyPair(keyPair, publicKeyRaw);
+    return { privateKey: keyPair.privateKey, publicKey: keyPair.publicKey, publicKeyRaw, sessionKey };
+}
+export async function loadSessionKey() {
+    const stored = await loadKeyPair();
+    if (!stored)
+        return null;
+    return {
+        privateKey: stored.privateKey,
+        publicKey: stored.publicKey,
+        publicKeyRaw: stored.publicKeyRaw,
+        sessionKey: base64urlEncode(stored.publicKeyRaw),
+    };
+}
+export async function getOrCreateSessionKey() {
+    const existing = await loadSessionKey();
+    if (existing)
+        return existing;
+    return await generateSessionKey();
+}
+export async function signBytes(handle, data) {
+    const sig = await crypto.subtle.sign({ name: "Ed25519" }, handle.privateKey, toArrayBuffer(data));
+    return new Uint8Array(sig);
+}
+export function getPublicSessionKey(handle) {
+    return handle.sessionKey;
+}
+export async function oauthInitSig(handle, redirectTo, context) {
+    const canonicalContext = canonicalizeJsonValue(context ?? null);
+    const digest = await sha256(utf8(`oauth-init:${redirectTo}:${canonicalContext}`));
+    const sig = await signBytes(handle, digest);
+    return base64urlEncode(sig);
+}
+export async function bindSig(handle, authToken) {
+    const digest = await sha256(utf8(`bind:${authToken}`));
+    const sig = await signBytes(handle, digest);
+    return base64urlEncode(sig);
+}
+export async function bindFlowSig(handle, flowId) {
+    const digest = await sha256(utf8(`bind-flow:${flowId}`));
+    const sig = await signBytes(handle, digest);
+    return base64urlEncode(sig);
+}
+export async function natsConnectSigForBindingToken(handle, bindingToken) {
+    const digest = await sha256(utf8(`nats-connect:${bindingToken}`));
+    const sig = await signBytes(handle, digest);
+    return base64urlEncode(sig);
+}
+export async function createRpcProof(handle, subject, payload) {
+    const payloadHash = await sha256(payload);
+    return await createProof(handle.privateKey, { sessionKey: handle.sessionKey, subject, payloadHash });
+}
+export async function clearSessionKey() {
+    await deleteKeyPair();
+}
+export async function hasSessionKey() {
+    return await hasKeyPair();
+}

package/esm/auth/browser/storage.d.ts

@@ -0,0 +1,12 @@
+export type StoredKeyPair = {
+    id: string;
+    privateKey: CryptoKey;
+    publicKey: CryptoKey;
+    publicKeyRaw: Uint8Array;
+    createdAt: number;
+};
+export declare function storeKeyPair(keyPair: CryptoKeyPair, publicKeyRaw: Uint8Array): Promise<void>;
+export declare function loadKeyPair(): Promise<StoredKeyPair | null>;
+export declare function deleteKeyPair(): Promise<void>;
+export declare function hasKeyPair(): Promise<boolean>;
+//# sourceMappingURL=storage.d.ts.map

package/esm/auth/browser/storage.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"storage.d.ts","sourceRoot":"","sources":["../../../src/auth/browser/storage.ts"],"names":[],"mappings":"AAqBA,MAAM,MAAM,aAAa,GAAG;IAC1B,EAAE,EAAE,MAAM,CAAC;IACX,UAAU,EAAE,SAAS,CAAC;IACtB,SAAS,EAAE,SAAS,CAAC;IACrB,YAAY,EAAE,UAAU,CAAC;IACzB,SAAS,EAAE,MAAM,CAAC;CACnB,CAAC;AAEF,wBAAsB,YAAY,CAAC,OAAO,EAAE,aAAa,EAAE,YAAY,EAAE,UAAU,GAAG,OAAO,CAAC,IAAI,CAAC,CAoBlG;AAED,wBAAsB,WAAW,IAAI,OAAO,CAAC,aAAa,GAAG,IAAI,CAAC,CAYjE;AAED,wBAAsB,aAAa,IAAI,OAAO,CAAC,IAAI,CAAC,CAYnD;AAED,wBAAsB,UAAU,IAAI,OAAO,CAAC,OAAO,CAAC,CAGnD"}

package/esm/auth/browser/storage.js

@@ -0,0 +1,61 @@
+const DB_NAME = "trellis-auth";
+const DB_VERSION = 1;
+const STORE_NAME = "keys";
+const KEY_ID = "trellis-session-key";
+function openDB() {
+    return new Promise((resolve, reject) => {
+        const request = indexedDB.open(DB_NAME, DB_VERSION);
+        request.onerror = () => reject(request.error);
+        request.onsuccess = () => resolve(request.result);
+        request.onupgradeneeded = () => {
+            const db = request.result;
+            if (!db.objectStoreNames.contains(STORE_NAME)) {
+                db.createObjectStore(STORE_NAME, { keyPath: "id" });
+            }
+        };
+    });
+}
+export async function storeKeyPair(keyPair, publicKeyRaw) {
+    const db = await openDB();
+    return new Promise((resolve, reject) => {
+        const tx = db.transaction(STORE_NAME, "readwrite");
+        const store = tx.objectStore(STORE_NAME);
+        const record = {
+            id: KEY_ID,
+            privateKey: keyPair.privateKey,
+            publicKey: keyPair.publicKey,
+            publicKeyRaw,
+            createdAt: Date.now(),
+        };
+        const request = store.put(record);
+        request.onerror = () => reject(request.error);
+        request.onsuccess = () => resolve();
+        tx.oncomplete = () => db.close();
+    });
+}
+export async function loadKeyPair() {
+    const db = await openDB();
+    return new Promise((resolve, reject) => {
+        const tx = db.transaction(STORE_NAME, "readonly");
+        const store = tx.objectStore(STORE_NAME);
+        const request = store.get(KEY_ID);
+        request.onerror = () => reject(request.error);
+        request.onsuccess = () => resolve(request.result ?? null);
+        tx.oncomplete = () => db.close();
+    });
+}
+export async function deleteKeyPair() {
+    const db = await openDB();
+    return new Promise((resolve, reject) => {
+        const tx = db.transaction(STORE_NAME, "readwrite");
+        const store = tx.objectStore(STORE_NAME);
+        const request = store.delete(KEY_ID);
+        request.onerror = () => reject(request.error);
+        request.onsuccess = () => resolve();
+        tx.oncomplete = () => db.close();
+    });
+}
+export async function hasKeyPair() {
+    const keyPair = await loadKeyPair();
+    return keyPair !== null;
+}

package/esm/auth/browser.d.ts

@@ -0,0 +1,13 @@
+/**
+ * @module
+ * Browser-based authentication utilities for session-key based authentication.
+ * Uses WebCrypto API and IndexedDB for secure key storage.
+ */
+export { type AuthConfig, type BindResponse, type BindSuccessResponse, bindFlow, bindSession, buildLoginUrl, isBindSuccessResponse, type SentinelCreds, } from "./browser/login.js";
+export { fetchPortalFlowState, portalFlowIdFromUrl, portalProviderLoginUrl, portalRedirectLocation, submitPortalApproval, type ApprovalDecision, type PortalFlowState as BrowserPortalFlowState, } from "./browser/portal.js";
+export { bindFlowSig, clearSessionKey, createRpcProof, generateSessionKey, getOrCreateSessionKey, getPublicSessionKey, hasSessionKey, loadSessionKey, natsConnectSigForBindingToken, type SessionKeyHandle, signBytes, } from "./browser/session.js";
+export { deleteKeyPair, hasKeyPair } from "./browser/storage.js";
+export { type BindResponse as BindResponseData, BindResponseSchema, type BindSuccessResponse as BindSuccessResponseData, BindSuccessResponseSchema, type ContractApproval as ContractApprovalData, ContractApprovalSchema, type NatsAuthTokenV1 as NatsAuthTokenV1Data, NatsAuthTokenV1Schema, type ApprovalDecision as ApprovalDecisionData, ApprovalDecisionSchema, type SentinelCreds as SentinelCredsData, SentinelCredsSchema, } from "./schemas.js";
+export type { NatsAuthTokenV1 } from "./types.js";
+export { base64urlDecode, base64urlEncode, sha256, toArrayBuffer, utf8, } from "./utils.js";
+//# sourceMappingURL=browser.d.ts.map

package/esm/auth/browser.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"browser.d.ts","sourceRoot":"","sources":["../../src/auth/browser.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAGH,OAAO,EACL,KAAK,UAAU,EACf,KAAK,YAAY,EACjB,KAAK,mBAAmB,EACxB,QAAQ,EACR,WAAW,EACX,aAAa,EACb,qBAAqB,EACrB,KAAK,aAAa,GACnB,MAAM,oBAAoB,CAAC;AAC5B,OAAO,EACL,oBAAoB,EACpB,mBAAmB,EACnB,sBAAsB,EACtB,sBAAsB,EACtB,oBAAoB,EACpB,KAAK,gBAAgB,EACrB,KAAK,eAAe,IAAI,sBAAsB,GAC/C,MAAM,qBAAqB,CAAC;AAC7B,OAAO,EACL,WAAW,EACX,eAAe,EACf,cAAc,EACd,kBAAkB,EAClB,qBAAqB,EACrB,mBAAmB,EACnB,aAAa,EACb,cAAc,EACd,6BAA6B,EAC7B,KAAK,gBAAgB,EACrB,SAAS,GACV,MAAM,sBAAsB,CAAC;AAC9B,OAAO,EAAE,aAAa,EAAE,UAAU,EAAE,MAAM,sBAAsB,CAAC;AACjE,OAAO,EACL,KAAK,YAAY,IAAI,gBAAgB,EACrC,kBAAkB,EAClB,KAAK,mBAAmB,IAAI,uBAAuB,EACnD,yBAAyB,EACzB,KAAK,gBAAgB,IAAI,oBAAoB,EAC7C,sBAAsB,EACtB,KAAK,eAAe,IAAI,mBAAmB,EAC3C,qBAAqB,EACrB,KAAK,gBAAgB,IAAI,oBAAoB,EAC7C,sBAAsB,EACtB,KAAK,aAAa,IAAI,iBAAiB,EACvC,mBAAmB,GACpB,MAAM,cAAc,CAAC;AAEtB,YAAY,EAAE,eAAe,EAAE,MAAM,YAAY,CAAC;AAClD,OAAO,EACL,eAAe,EACf,eAAe,EACf,MAAM,EACN,aAAa,EACb,IAAI,GACL,MAAM,YAAY,CAAC"}

package/esm/auth/browser.js

@@ -0,0 +1,11 @@
+/**
+ * @module
+ * Browser-based authentication utilities for session-key based authentication.
+ * Uses WebCrypto API and IndexedDB for secure key storage.
+ */
+export { bindFlow, bindSession, buildLoginUrl, isBindSuccessResponse, } from "./browser/login.js";
+export { fetchPortalFlowState, portalFlowIdFromUrl, portalProviderLoginUrl, portalRedirectLocation, submitPortalApproval, } from "./browser/portal.js";
+export { bindFlowSig, clearSessionKey, createRpcProof, generateSessionKey, getOrCreateSessionKey, getPublicSessionKey, hasSessionKey, loadSessionKey, natsConnectSigForBindingToken, signBytes, } from "./browser/session.js";
+export { deleteKeyPair, hasKeyPair } from "./browser/storage.js";
+export { BindResponseSchema, BindSuccessResponseSchema, ContractApprovalSchema, NatsAuthTokenV1Schema, ApprovalDecisionSchema, SentinelCredsSchema, } from "./schemas.js";
+export { base64urlDecode, base64urlEncode, sha256, toArrayBuffer, utf8, } from "./utils.js";

package/esm/auth/keys.d.ts

@@ -0,0 +1,5 @@
+export declare function pkcs8FromEd25519Seed(seed32: Uint8Array): Uint8Array;
+export declare function importEd25519PrivateKeyFromSeedBase64url(seedBase64url: string): Promise<CryptoKey>;
+export declare function publicKeyBase64urlFromPrivateKey(privateKey: CryptoKey): Promise<string>;
+export declare function importEd25519PublicKeyFromBase64url(publicKeyBase64url: string): Promise<CryptoKey>;
+//# sourceMappingURL=keys.d.ts.map

package/esm/auth/keys.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"keys.d.ts","sourceRoot":"","sources":["../../src/auth/keys.ts"],"names":[],"mappings":"AAqBA,wBAAgB,oBAAoB,CAAC,MAAM,EAAE,UAAU,GAAG,UAAU,CAQnE;AAED,wBAAsB,wCAAwC,CAC5D,aAAa,EAAE,MAAM,GACpB,OAAO,CAAC,SAAS,CAAC,CAapB;AAED,wBAAsB,gCAAgC,CACpD,UAAU,EAAE,SAAS,GACpB,OAAO,CAAC,MAAM,CAAC,CAMjB;AAED,wBAAsB,mCAAmC,CACvD,kBAAkB,EAAE,MAAM,GACzB,OAAO,CAAC,SAAS,CAAC,CAYpB"}

package/esm/auth/keys.js

@@ -0,0 +1,50 @@
+import { base64urlDecode, toArrayBuffer } from "./utils.js";
+const ED25519_PKCS8_PREFIX = Uint8Array.from([
+    0x30,
+    0x2e,
+    0x02,
+    0x01,
+    0x00,
+    0x30,
+    0x05,
+    0x06,
+    0x03,
+    0x2b,
+    0x65,
+    0x70,
+    0x04,
+    0x22,
+    0x04,
+    0x20,
+]);
+export function pkcs8FromEd25519Seed(seed32) {
+    if (seed32.length !== 32) {
+        throw new Error(`Invalid Ed25519 seed length: ${seed32.length} (expected 32)`);
+    }
+    const pkcs8 = new Uint8Array(ED25519_PKCS8_PREFIX.length + seed32.length);
+    pkcs8.set(ED25519_PKCS8_PREFIX, 0);
+    pkcs8.set(seed32, ED25519_PKCS8_PREFIX.length);
+    return pkcs8;
+}
+export async function importEd25519PrivateKeyFromSeedBase64url(seedBase64url) {
+    const seed = base64urlDecode(seedBase64url);
+    if (seed.length !== 32) {
+        throw new Error(`Invalid Ed25519 seed length: ${seed.length} (expected 32)`);
+    }
+    const pkcs8 = pkcs8FromEd25519Seed(seed);
+    return await crypto.subtle.importKey("pkcs8", toArrayBuffer(pkcs8), { name: "Ed25519" }, true, ["sign"]);
+}
+export async function publicKeyBase64urlFromPrivateKey(privateKey) {
+    const jwk = await crypto.subtle.exportKey("jwk", privateKey);
+    if (typeof jwk.x !== "string" || jwk.x.length === 0) {
+        throw new Error("Failed to derive Ed25519 public key (missing JWK.x)");
+    }
+    return jwk.x;
+}
+export async function importEd25519PublicKeyFromBase64url(publicKeyBase64url) {
+    const raw = base64urlDecode(publicKeyBase64url);
+    if (raw.length !== 32) {
+        throw new Error(`Invalid Ed25519 public key length: ${raw.length} (expected 32)`);
+    }
+    return await crypto.subtle.importKey("raw", toArrayBuffer(raw), { name: "Ed25519" }, true, ["verify"]);
+}

package/esm/auth/mod.d.ts

@@ -0,0 +1,18 @@
+/**
+ * @module
+ *
+ * Trellis server-side authentication library for session-key based authentication.
+ *
+ * - Session keys are Ed25519 keys represented as base64url (32-byte raw public key).
+ * - Proofs are Ed25519 signatures over SHA-256(buildProofInput(...)).
+ * - Services load their session key seed from `TRELLIS_SESSION_KEY_SEED`.
+ */
+export { buildWorkloadActivationPayload, buildWorkloadActivationUrl, buildWorkloadWaitProofInput, createWorkloadNatsAuthToken, createWorkloadActivationClient, deriveWorkloadConfirmationCode, deriveWorkloadIdentity, deriveWorkloadQrMac, encodeWorkloadActivationPayload, getWorkloadConnectInfo, parseWorkloadActivationPayload, signWorkloadWaitRequest, verifyWorkloadConfirmationCode, verifyWorkloadWaitSignature, waitForWorkloadActivation, type AuthActivateWorkloadInput, type AuthActivateWorkloadOutput, type AuthListWorkloadActivationsInput, type AuthListWorkloadActivationsOutput, type AuthRevokeWorkloadActivationInput, type AuthRevokeWorkloadActivationResponse, type GetWorkloadConnectInfoInput, type GetWorkloadConnectInfoOutput, type WaitForWorkloadActivationResponse, type WorkloadActivationPayload, type WorkloadActivationTransport, type WorkloadActivationWaitRequest, type WorkloadIdentity, } from "./workload_activation.js";
+export { type AuthConfig, bindFlow, bindSession, buildLoginUrl, clearSessionKey, createRpcProof, fetchPortalFlowState, generateSessionKey, getOrCreateSessionKey, getPublicSessionKey, hasSessionKey, isBindSuccessResponse, loadSessionKey, natsConnectSigForBindingToken, portalFlowIdFromUrl, portalProviderLoginUrl, portalRedirectLocation, type SessionKeyHandle, signBytes, submitPortalApproval, } from "./browser.js";
+export { buildProofInput, createProof, type ProofParams, verifyProof, } from "./proof.js";
+export { ApprovalRecordViewSchema, AuthActivateWorkloadResponseSchema, AuthActivateWorkloadSchema, AuthClearLoginPortalSelectionResponseSchema, AuthClearLoginPortalSelectionSchema, AuthClearWorkloadPortalSelectionResponseSchema, AuthClearWorkloadPortalSelectionSchema, AuthCreatePortalResponseSchema, AuthCreatePortalSchema, AuthCreateWorkloadProfileResponseSchema, AuthCreateWorkloadProfileSchema, type PortalFlowApp, type PortalFlowApproval, type PortalFlowApprovalDeniedState, type PortalFlowApprovalRequiredState, type PortalFlowChooseProviderState, type PortalFlowExpiredState, type PortalFlowInsufficientCapabilitiesState, type PortalFlowProvider, type PortalFlowRedirectState, type PortalFlowState, type PortalFlowUser, AuthDisablePortalResponseSchema, AuthDisablePortalSchema, AuthGetLoginPortalDefaultResponseSchema, AuthGetLoginPortalDefaultSchema, AuthDisableWorkloadInstanceResponseSchema, AuthDisableWorkloadInstanceSchema, AuthDisableWorkloadProfileResponseSchema, AuthDisableWorkloadProfileSchema, AuthGetWorkloadConnectInfoResponseSchema, AuthGetWorkloadConnectInfoSchema, AuthGetWorkloadPortalDefaultResponseSchema, AuthGetWorkloadPortalDefaultSchema, AuthListLoginPortalSelectionsResponseSchema, AuthListLoginPortalSelectionsSchema, AuthListPortalsResponseSchema, AuthListPortalsSchema, AuthListWorkloadPortalSelectionsResponseSchema, AuthListWorkloadPortalSelectionsSchema, AuthListWorkloadActivationReviewsResponseSchema, AuthListWorkloadActivationReviewsSchema, AuthListWorkloadActivationsResponseSchema, AuthListWorkloadActivationsSchema, AuthGetWorkloadActivationStatusResponseSchema, AuthGetWorkloadActivationStatusSchema, AuthListWorkloadInstancesResponseSchema, AuthListWorkloadInstancesSchema, AuthListWorkloadProfilesResponseSchema, AuthListWorkloadProfilesSchema, AuthProvisionWorkloadInstanceResponseSchema, AuthProvisionWorkloadInstanceSchema, AuthDecideWorkloadActivationReviewResponseSchema, AuthDecideWorkloadActivationReviewSchema, AuthWorkloadActivationReviewRequestedEventSchema, AuthRevokeWorkloadActivationResponseSchema, AuthRevokeWorkloadActivationSchema, AuthSetLoginPortalDefaultResponseSchema, AuthSetLoginPortalDefaultSchema, AuthSetLoginPortalSelectionResponseSchema, AuthSetLoginPortalSelectionSchema, AuthSetWorkloadPortalDefaultResponseSchema, AuthSetWorkloadPortalDefaultSchema, AuthSetWorkloadPortalSelectionResponseSchema, AuthSetWorkloadPortalSelectionSchema, AuthGetInstalledContractResponseSchema, AuthGetInstalledContractSchema, AuthInstallServiceResponseSchema, AuthInstallServiceSchema, AuthListApprovalsResponseSchema, AuthListApprovalsSchema, AuthListInstalledContractsResponseSchema, AuthListInstalledContractsSchema, AuthListServicesResponseSchema, AuthListServicesSchema, AuthListUsersResponseSchema, AuthListUsersSchema, AuthMeResponseSchema, AuthMeSchema, type AuthMeResponse, AuthRevokeApprovalResponseSchema, AuthRevokeApprovalSchema, AuthUpdateUserResponseSchema, AuthUpdateUserSchema, AuthUpgradeServiceContractResponseSchema, AuthUpgradeServiceContractSchema, AuthValidateRequestResponseSchema, AuthValidateRequestSchema, type AuthenticatedService, type AuthenticatedUser, type AuthenticatedWorkload, AuthenticatedWorkloadSchema, CallerViewSchema, ContractAnalysisSchema, ContractAnalysisSummarySchema, DigestSchema, InstalledContractDetailSchema, InstalledContractSchema, LoginPortalDefaultSchema, LoginPortalSelectionSchema, OpenObjectSchema, PortalSchema, PortalFlowStateSchema, ServiceViewSchema, UserViewSchema, WaitForWorkloadActivationResponseSchema, WorkloadActivationReviewSchema, WorkloadPortalDefaultSchema, WorkloadPortalSelectionSchema, WorkloadActivationRecordSchema, type WorkloadActivationRecord, WorkloadConnectInfoSchema, WorkloadProfileSchema, WorkloadSchema, } from "./protocol.js";
+export { type ApprovalDecision, ApprovalDecisionSchema, type BindRequest, BindRequestSchema, type BindResponse, BindResponseSchema, type BindSuccessResponse, BindSuccessResponseSchema, type ContractApproval, ContractApprovalSchema, type LoginQuery, LoginQuerySchema, type NatsAuthTokenV1, NatsAuthTokenV1Schema, type SentinelCreds, SentinelCredsSchema, } from "./schemas.js";
+export { createAuth, type NatsConnectOptions, type TrellisAuth, } from "./session_auth.js";
+export { trellisIdFromOriginId } from "./trellis_id.js";
+export { base64urlDecode, base64urlEncode, canonicalizeJsonValue, sha256, toArrayBuffer, utf8, } from "./utils.js";
+//# sourceMappingURL=mod.d.ts.map

package/esm/auth/mod.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"mod.d.ts","sourceRoot":"","sources":["../../src/auth/mod.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,OAAO,EACL,8BAA8B,EAC9B,0BAA0B,EAC1B,2BAA2B,EAC3B,2BAA2B,EAC3B,8BAA8B,EAC9B,8BAA8B,EAC9B,sBAAsB,EACtB,mBAAmB,EACnB,+BAA+B,EAC/B,sBAAsB,EACtB,8BAA8B,EAC9B,uBAAuB,EACvB,8BAA8B,EAC9B,2BAA2B,EAC3B,yBAAyB,EACzB,KAAK,yBAAyB,EAC9B,KAAK,0BAA0B,EAC/B,KAAK,gCAAgC,EACrC,KAAK,iCAAiC,EACtC,KAAK,iCAAiC,EACtC,KAAK,oCAAoC,EACzC,KAAK,2BAA2B,EAChC,KAAK,4BAA4B,EACjC,KAAK,iCAAiC,EACtC,KAAK,yBAAyB,EAC9B,KAAK,2BAA2B,EAChC,KAAK,6BAA6B,EAClC,KAAK,gBAAgB,GACtB,MAAM,0BAA0B,CAAC;AAClC,OAAO,EACL,KAAK,UAAU,EACf,QAAQ,EACR,WAAW,EACX,aAAa,EACb,eAAe,EACf,cAAc,EACd,oBAAoB,EACpB,kBAAkB,EAClB,qBAAqB,EACrB,mBAAmB,EACnB,aAAa,EACb,qBAAqB,EACrB,cAAc,EACd,6BAA6B,EAC7B,mBAAmB,EACnB,sBAAsB,EACtB,sBAAsB,EACtB,KAAK,gBAAgB,EACrB,SAAS,EACT,oBAAoB,GACrB,MAAM,cAAc,CAAC;AACtB,OAAO,EACL,eAAe,EACf,WAAW,EACX,KAAK,WAAW,EAChB,WAAW,GACZ,MAAM,YAAY,CAAC;AACpB,OAAO,EACL,wBAAwB,EACxB,kCAAkC,EAClC,0BAA0B,EAC1B,2CAA2C,EAC3C,mCAAmC,EACnC,8CAA8C,EAC9C,sCAAsC,EACtC,8BAA8B,EAC9B,sBAAsB,EACtB,uCAAuC,EACvC,+BAA+B,EAC/B,KAAK,aAAa,EAClB,KAAK,kBAAkB,EACvB,KAAK,6BAA6B,EAClC,KAAK,+BAA+B,EACpC,KAAK,6BAA6B,EAClC,KAAK,sBAAsB,EAC3B,KAAK,uCAAuC,EAC5C,KAAK,kBAAkB,EACvB,KAAK,uBAAuB,EAC5B,KAAK,eAAe,EACpB,KAAK,cAAc,EACnB,+BAA+B,EAC/B,uBAAuB,EACvB,uCAAuC,EACvC,+BAA+B,EAC/B,yCAAyC,EACzC,iCAAiC,EACjC,wCAAwC,EACxC,gCAAgC,EAChC,wCAAwC,EACxC,gCAAgC,EAChC,0CAA0C,EAC1C,kCAAkC,EAClC,2CAA2C,EAC3C,mCAAmC,EACnC,6BAA6B,EAC7B,qBAAqB,EACpB,8CAA8C,EAC9C,sCAAsC,EACtC,+CAA+C,EAC/C,uCAAuC,EACvC,yCAAyC,EACzC,iCAAiC,EACjC,6CAA6C,EAC7C,qCAAqC,EACrC,uCAAuC,EACvC,+BAA+B,EAC/B,sCAAsC,EACtC,8BAA8B,EAC9B,2CAA2C,EAC3C,mCAAmC,EACpC,gDAAgD,EAChD,wCAAwC,EACxC,gDAAgD,EAChD,0CAA0C,EACzC,kCAAkC,EACnC,uCAAuC,EACvC,+BAA+B,EAC/B,yCAAyC,EACzC,iCAAiC,EACjC,0CAA0C,EAC1C,kCAAkC,EAClC,4CAA4C,EAC5C,oCAAoC,EACpC,sCAAsC,EACtC,8BAA8B,EAC9B,gCAAgC,EAChC,wBAAwB,EACxB,+BAA+B,EAC/B,uBAAuB,EACvB,wCAAwC,EACxC,gCAAgC,EAChC,8BAA8B,EAC9B,sBAAsB,EACtB,2BAA2B,EAC3B,mBAAmB,EACnB,oBAAoB,EACpB,YAAY,EACZ,KAAK,cAAc,EACnB,gCAAgC,EAChC,wBAAwB,EACxB,4BAA4B,EAC5B,oBAAoB,EACpB,wCAAwC,EACxC,gCAAgC,EAChC,iCAAiC,EACjC,yBAAyB,EACzB,KAAK,oBAAoB,EACzB,KAAK,iBAAiB,EACtB,KAAK,qBAAqB,EAC1B,2BAA2B,EAC3B,gBAAgB,EAChB,sBAAsB,EACtB,6BAA6B,EAC7B,YAAY,EACZ,6BAA6B,EAC7B,uBAAuB,EACvB,wBAAwB,EACxB,0BAA0B,EAC1B,gBAAgB,EAChB,YAAY,EACZ,qBAAqB,EACrB,iBAAiB,EACjB,cAAc,EACb,uCAAuC,EACxC,8BAA8B,EAC9B,2BAA2B,EAC3B,6BAA6B,EAC7B,8BAA8B,EAC9B,KAAK,wBAAwB,EAC7B,yBAAyB,EACzB,qBAAqB,EACrB,cAAc,GACf,MAAM,eAAe,CAAC;AACvB,OAAO,EACL,KAAK,gBAAgB,EACrB,sBAAsB,EACtB,KAAK,WAAW,EAChB,iBAAiB,EACjB,KAAK,YAAY,EACjB,kBAAkB,EAClB,KAAK,mBAAmB,EACxB,yBAAyB,EACzB,KAAK,gBAAgB,EACrB,sBAAsB,EACtB,KAAK,UAAU,EACf,gBAAgB,EAChB,KAAK,eAAe,EACpB,qBAAqB,EACrB,KAAK,aAAa,EAClB,mBAAmB,GACpB,MAAM,cAAc,CAAC;AACtB,OAAO,EACL,UAAU,EACV,KAAK,kBAAkB,EACvB,KAAK,WAAW,GACjB,MAAM,mBAAmB,CAAC;AAC3B,OAAO,EAAE,qBAAqB,EAAE,MAAM,iBAAiB,CAAC;AACxD,OAAO,EACL,eAAe,EACf,eAAe,EACf,qBAAqB,EACrB,MAAM,EACN,aAAa,EACb,IAAI,GACL,MAAM,YAAY,CAAC"}