@r4security/sdk 0.0.2 → 0.0.5

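--- a/package/README.md
+++ b/package/README.md
@@ -57,12 +57,18 @@ When both `dev` and `baseUrl` are provided, `baseUrl` wins.
 
 1. Authenticates with an AGENT-scoped API key
 2. Registers the runtime's public key through `POST /api/v1/machine/vault/public-key`
-3. Lists accessible vaults through the machine API
-4. Fetches each vault's wrapped DEK and signed org user-key directory plus transparency proof
-5. Verifies the signed org directory, checks the append-only transparency proof, and continuity-pins the signer in the local trust store
-6. Verifies wrapped-DEK signatures against that authenticated signer set
-7. Unwraps the DEK locally with the agent private key
-8. Verifies signed vault summary/detail checkpoints, then decrypts field ciphertext locally into a flat `SCREAMING_SNAKE_CASE` env map
+3. Becomes eligible for vault-backed access grants after that first registration
+4. Lists accessible vaults through the machine API
+5. Fetches each vault's wrapped DEK and signed org user-key directory plus transparency proof
+6. Verifies the signed org directory, checks the append-only transparency proof, and continuity-pins the signer in the local trust store
+7. Verifies wrapped-DEK signatures against that authenticated signer set
+8. Unwraps the DEK locally with the agent private key
+9. Verifies signed vault summary/detail checkpoints, then decrypts field ciphertext locally into a flat `SCREAMING_SNAKE_CASE` env map
+
+Operationally, the runtime should complete that first public-key registration
+before operators assign security-group, project, or direct vault access to the
+agent. Re-registering the same key is safe, but rotating to a different key is
+currently blocked while vault-backed access still exists.
 
 ## Trust Store
 
@@ -83,13 +89,21 @@ directory returned by the machine API.
 The remaining gap is that the public witness still lives in the same AWS
 account, so this is stronger than API-only TOFU but not yet a fully independent
 external auditor or gossip network.
+Development hosts such as `https://dev.r4.dev` skip the public witness anchor
+and fall back to local trust pins so non-production environments do not depend
+on the public witness bucket.
 By default the SDK stores this beside the private key as `<privateKeyPath>.trust.json`,
 or in `./.r4-trust-store.json` when the private key is passed inline.
 
 ## Development
 
 ```bash
-pnpm run test # Run mocked zero-trust SDK tests
+pnpm run test # Run mocked zero-trust SDK tests from test/
+pnpm run test:pack # Verify npm publish excludes src/ and test/
 pnpm run build # Build with tsup
 pnpm run clean # Remove lib/
 ```
+
+The published SDK is controlled by the `files` allowlist in `package.json`, so
+only `lib/` is shipped. Package-local tests live in `test/` and are validated
+with `npm pack --dry-run` through `pnpm run test:pack`.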
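--- a/package/lib/index.cjs
+++ b/package/lib/index.cjs
@@ -61,7 +61,8 @@ var R4Client = class {
 if (!response.ok) {
 const errorBody = await response.json().catch(() => ({}));
 const errorMessage = typeof errorBody.error?.message === "string" ? errorBody.error.message : `HTTP ${response.status}: ${response.statusText}`;
-throw new Error(`R4 API Error: ${errorMessage}`);
+const errorCode = typeof errorBody.error?.code === "string" ? ` [${errorBody.error.code}]` : "";
+throw new Error(`R4 API Error${errorCode}: ${errorMessage}`);
 }
 if (response.status === 204) {
 return void 0;
@@ -165,7 +166,22 @@ var buildOrgUserKeyDirectoryWitnessPayload = (orgId, head) => [
 ].join(":");
 var buildOrgUserKeyDirectoryWitnessPath = (orgId) => `v1/orgs/${orgId}/user-key-directory-head.json`;
 var buildTransparencyWitnessUrl = (baseUrl, path4) => `${baseUrl.replace(/\/+$/, "")}/${path4.replace(/^\/+/, "")}`;
-var shouldUseDefaultTransparencyWitness = (apiBaseUrl) => /(^https?:\/\/)?([^.]+\.)?r4\.dev(?::\d+)?(\/|$)/i.test(apiBaseUrl.trim());
+function parseHostname(apiBaseUrl) {
+const trimmed = apiBaseUrl.trim();
+if (!trimmed) {
+return null;
+}
+try {
+const normalized = trimmed.includes("://") ? trimmed : `https://${trimmed}`;
+return new URL(normalized).hostname.toLowerCase();
+} catch {
+return null;
+}
+}
+var shouldUseDefaultTransparencyWitness = (apiBaseUrl) => {
+const hostname = parseHostname(apiBaseUrl);
+return hostname === "r4.dev" || hostname === "api.r4.dev";
+};
 
 // src/crypto.ts
 var RSA_OAEP_CONFIG = {
@@ -581,7 +597,9 @@ async function fetchWitnessArtifact(pathName) {
 }
 );
 if (!response.ok) {
-throw new Error(`Failed to fetch public transparency witness artifact (${response.status}).`);
+throw new Error(
+`Failed to fetch public transparency witness artifact (${response.status}). Production first-trust bootstrapping needs access to https://transparency.r4.dev. If this is a dev environment, re-run with --dev or set R4_DEV=1. If this is production, verify outbound access to transparency.r4.dev and retry.`
+);
 }
 return response.json();
 }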
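Review bot: `shouldUseDefaultTransparencyWitness` fails open on bad configuration: `parseHostname` returns `null` for an empty or unparseable `apiBaseUrl`, `null` matches neither name on the `return hostname === "r4.dev" || hostname === "api.r4.dev";` line, and the caller then skips the public witness anchor and bootstraps trust from the API alone (the local-pin TOFU fallback the README describes for dev hosts). A mistyped or malformed `baseUrl` therefore silently weakens first-trust verification instead of surfacing a configuration error, so I would separate "known non-production host" from "could not parse", e.g. `if (parseHostname(apiBaseUrl) === null) throw new Error(`R4 SDK: invalid baseUrl: ${apiBaseUrl}`);` at the call site, and state the intent above the function with `// Only the production API hosts are anchored to the public witness; any other hostname (dev, self-hosted) falls back to local trust pins.` Note the new allowlist also narrows the old regex from any `*.r4.dev` host to exactly `r4.dev`/`api.r4.dev`, which is presumably what makes `dev.r4.dev` skip the witness, and that deliberate change deserves the same comment. Separately, the expanded message in the third hunk hardcodes `https://transparency.r4.dev` while `buildTransparencyWitnessUrl` takes its base as a parameter, so the text may drift from the URL actually fetched; the witness base is not visible here, so this is inferred.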
package/lib/index.cjs.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"sources":["../src/index.ts","../src/client.ts","../src/crypto.ts","../src/transparency.ts","../src/trust-store.ts"],"sourcesContent":["import path from 'node:path'\nimport { R4Client } from './client'\nimport {\n decryptStoredFieldValue,\n derivePublicKey,\n loadPrivateKey,\n unwrapDEKWithPrivateKey,\n verifyVaultItemDetailCheckpoint,\n verifyVaultSummaryCheckpoint,\n verifyWrappedDekSignature,\n} from './crypto'\nimport {\n assertAndPinCheckpointVersion,\n getPublicOrgWitnessHead,\n getSinglePinnedTransparencyHead,\n verifyAndPinVaultUserPublicKeys,\n} from './trust-store'\nimport type {\n ListMachineVaultItemsResponse,\n MachineVaultItemDetailResponse,\n R4Config,\n R4Env,\n VaultItemDetailCheckpoint,\n VaultSummaryCheckpoint,\n} from './types'\n\nexport type { R4Config, R4Env } from './types'\n\nconst R4_DEFAULT_API_BASE_URL = 'https://r4.dev'\nconst R4_DEV_API_BASE_URL = 'https://dev.r4.dev'\n\nfunction toScreamingSnakeCase(input: string): string {\n return input\n .replace(/[^a-zA-Z0-9]/g, '_')\n .replace(/_+/g, '_')\n .replace(/^_|_$/g, '')\n .toUpperCase()\n}\n\nfunction resolveTrustStorePath(config: R4Config): string {\n if (config.trustStorePath) {\n return path.resolve(config.trustStorePath)\n }\n\n if (config.privateKeyPath) {\n return `${path.resolve(config.privateKeyPath)}.trust.json`\n }\n\n return path.resolve(process.cwd(), '.r4-trust-store.json')\n}\n\nfunction resolveApiBaseUrl(config: R4Config): string {\n if (config.baseUrl) {\n return config.baseUrl\n }\n\n return config.dev ? R4_DEV_API_BASE_URL : R4_DEFAULT_API_BASE_URL\n}\n\nfunction buildVaultSummaryCheckpointFromListResponse(\n response: ListMachineVaultItemsResponse,\n version: number,\n): VaultSummaryCheckpoint {\n return {\n vaultId: response.vaultId,\n version,\n name: response.vaultName,\n dataClassification: response.dataClassification ?? null,\n currentDekVersion: response.currentDekVersion ?? 
null,\n items: response.items.map((item) => ({\n id: item.id,\n name: item.name,\n type: item.type ?? null,\n websites: item.websites ?? [],\n groupId: item.groupId ?? null,\n })),\n groups: response.vaultItemGroups.map((group) => ({\n id: group.id,\n name: group.name,\n parentId: group.parentId ?? null,\n })),\n }\n}\n\nfunction buildVaultItemDetailCheckpointFromResponse(\n item: MachineVaultItemDetailResponse,\n version: number,\n): VaultItemDetailCheckpoint {\n return {\n vaultItemId: item.id,\n vaultId: item.vaultId,\n version,\n name: item.name,\n type: item.type ?? null,\n websites: item.websites ?? [],\n groupId: item.groupId ?? null,\n fields: item.fields.map((field, index) => ({\n id: field.id,\n name: field.name,\n type: field.type,\n order: field.order ?? index,\n fieldInstanceIds: field.fieldInstanceIds ?? [],\n assetIds: field.assetIds ?? [],\n })),\n }\n}\n\n/**\n * R4 SDK — zero-trust Node.js SDK for machine agents.\n *\n * The runtime keeps its private key locally, registers only the matching public\n * key with the machine API, verifies wrapped-DEK signatures against a pinned\n * signer directory, unwraps each vault DEK locally, and decrypts env values\n * without trusting the backend to see or transform plaintext.\n */\nexport class R4 {\n private readonly client: R4Client\n private readonly baseUrl: string\n private readonly projectId?: string\n private readonly privateKeyPem: string\n private readonly publicKeyPem: string\n private readonly trustStorePath: string\n private _env: R4Env | null = null\n\n constructor(config: R4Config) {\n if (!config.apiKey) {\n throw new Error('R4 SDK: apiKey is required')\n }\n\n if (!config.privateKey && !config.privateKeyPath) {\n throw new Error(\n 'R4 SDK: privateKey or privateKeyPath is required for zero-trust local decryption.',\n )\n }\n\n const baseUrl = resolveApiBaseUrl(config)\n this.baseUrl = baseUrl\n this.client = new R4Client(config.apiKey, baseUrl)\n this.projectId = config.projectId\n 
this.privateKeyPem = config.privateKey ?? loadPrivateKey(config.privateKeyPath!)\n this.publicKeyPem = derivePublicKey(this.privateKeyPem)\n this.trustStorePath = resolveTrustStorePath(config)\n }\n\n /**\n * Static factory method that creates and initializes an R4 instance.\n */\n static async create(config: R4Config): Promise<R4> {\n const instance = new R4(config)\n await instance.init()\n return instance\n }\n\n /**\n * Initializes the SDK by registering the agent public key (idempotent) and\n * decrypting all accessible vault values locally into a flat env map.\n */\n async init(): Promise<void> {\n this._env = await this.fetchEnv()\n }\n\n /**\n * Returns the locally decrypted env map.\n */\n get env(): R4Env {\n if (!this._env) {\n throw new Error(\n 'R4 SDK: env is not initialized. Call await r4.init() first, or use R4.create() for automatic initialization.',\n )\n }\n return this._env\n }\n\n /**\n * Re-fetches and locally re-decrypts the current vault view.\n */\n async refresh(): Promise<void> {\n this._env = await this.fetchEnv()\n }\n\n /**\n * Registers the local agent public key, loads all accessible vaults, verifies\n * wrapped-DEK signatures against pinned signer keys, unwraps each vault DEK,\n * and builds a flat SCREAMING_SNAKE_CASE env map from decrypted field values.\n */\n private async fetchEnv(): Promise<R4Env> {\n try {\n await this.client.registerAgentPublicKey({\n publicKey: this.publicKeyPem,\n })\n } catch (error) {\n throw new Error(\n `R4 SDK: failed to register the local agent public key. The zero-trust SDK requires an AGENT-scoped API key and a matching local private key. ${\n error instanceof Error ? 
error.message : String(error)\n }`,\n )\n }\n\n const { vaults } = await this.client.listVaults(this.projectId)\n const envEntries = await Promise.all(vaults.map((vault) => this.fetchVaultEnv(vault.id)))\n\n return Object.assign({}, ...envEntries)\n }\n\n /**\n * Fetches a single vault's wrapped DEK, verifies it against the pinned signer\n * directory, unwraps the DEK locally, then decrypts every field value in that\n * vault item-by-item.\n */\n private async fetchVaultEnv(vaultId: string): Promise<R4Env> {\n const pinnedTransparencyHead = getSinglePinnedTransparencyHead(this.trustStorePath)\n const [wrappedKey, itemsResponse, initialPublicKeyDirectory] = await Promise.all([\n this.client.getAgentWrappedKey(vaultId),\n this.client.listVaultItems(vaultId),\n this.client.getVaultUserKeyDirectory(\n vaultId,\n pinnedTransparencyHead\n ? {\n knownTransparencyVersion: pinnedTransparencyHead.version,\n knownTransparencyHash: pinnedTransparencyHead.hash,\n }\n : undefined,\n ),\n ])\n\n let publicKeyDirectory = initialPublicKeyDirectory\n let witnessAnchorHead: { version: number; hash: string } | null = null\n\n if (!pinnedTransparencyHead) {\n const orgId = initialPublicKeyDirectory.directoryCheckpoint?.checkpoint.orgId ?? 
null\n\n if (\n orgId &&\n initialPublicKeyDirectory.directoryCheckpoint &&\n initialPublicKeyDirectory.transparency\n ) {\n witnessAnchorHead = await getPublicOrgWitnessHead(this.baseUrl, orgId)\n\n if (witnessAnchorHead) {\n if (initialPublicKeyDirectory.transparency.head.version < witnessAnchorHead.version) {\n throw new Error(`R4 SDK: public transparency witness head is ahead of the server response for org ${orgId}.`)\n }\n\n if (initialPublicKeyDirectory.transparency.head.version === witnessAnchorHead.version) {\n if (initialPublicKeyDirectory.transparency.head.hash !== witnessAnchorHead.hash) {\n throw new Error(`R4 SDK: public transparency witness head fork detected for org ${orgId}.`)\n }\n } else {\n publicKeyDirectory = await this.client.getVaultUserKeyDirectory(vaultId, {\n knownTransparencyVersion: witnessAnchorHead.version,\n knownTransparencyHash: witnessAnchorHead.hash,\n })\n }\n }\n }\n }\n\n const trustedPublicKeys = await verifyAndPinVaultUserPublicKeys(\n this.trustStorePath,\n publicKeyDirectory,\n witnessAnchorHead,\n )\n\n const signerKey = trustedPublicKeys.find(\n (publicKey) => publicKey.userKeyPairId === wrappedKey.signerUserKeyPairId,\n )\n\n if (!signerKey) {\n throw new Error(\n `R4 SDK: wrapped DEK for vault ${vaultId} was signed by unknown user key ${wrappedKey.signerUserKeyPairId}.`,\n )\n }\n\n const signatureVerified = verifyWrappedDekSignature(\n vaultId,\n wrappedKey.encryptionKeyId,\n wrappedKey.signerUserKeyPairId,\n wrappedKey.dekVersion,\n wrappedKey.wrappedDek,\n wrappedKey.wrappedDekSignature,\n signerKey.publicKey,\n )\n\n if (!signatureVerified) {\n throw new Error(`R4 SDK: wrapped DEK signature verification failed for vault ${vaultId}.`)\n }\n\n const dek = unwrapDEKWithPrivateKey(wrappedKey.wrappedDek, this.privateKeyPem)\n\n if (!itemsResponse.summaryCheckpoint) {\n throw new Error(`R4 SDK: vault ${vaultId} is missing a signed summary checkpoint.`)\n }\n\n const summarySignerKey = trustedPublicKeys.find(\n (publicKey) 
=> publicKey.userKeyPairId === itemsResponse.summaryCheckpoint!.signerUserKeyPairId,\n )\n\n if (!summarySignerKey) {\n throw new Error(\n `R4 SDK: vault ${vaultId} summary checkpoint was signed by unknown user key ${itemsResponse.summaryCheckpoint.signerUserKeyPairId}.`,\n )\n }\n\n const expectedSummaryCheckpoint = buildVaultSummaryCheckpointFromListResponse(\n itemsResponse,\n itemsResponse.summaryCheckpoint.checkpoint.version,\n )\n const summaryVerified = verifyVaultSummaryCheckpoint(\n expectedSummaryCheckpoint,\n itemsResponse.summaryCheckpoint.signature,\n summarySignerKey.publicKey,\n )\n\n if (!summaryVerified) {\n throw new Error(`R4 SDK: vault summary checkpoint verification failed for vault ${vaultId}.`)\n }\n\n assertAndPinCheckpointVersion(\n this.trustStorePath,\n `summary:${vaultId}`,\n expectedSummaryCheckpoint.version,\n )\n\n const itemDetails = await Promise.all(\n itemsResponse.items.map((item) => this.client.getVaultItemDetail(vaultId, item.id)),\n )\n\n const env: R4Env = {}\n\n for (const item of itemDetails) {\n if (!item.detailCheckpoint) {\n throw new Error(`R4 SDK: vault item ${item.id} is missing a signed detail checkpoint.`)\n }\n\n const detailSignerKey = trustedPublicKeys.find(\n (publicKey) => publicKey.userKeyPairId === item.detailCheckpoint!.signerUserKeyPairId,\n )\n\n if (!detailSignerKey) {\n throw new Error(\n `R4 SDK: vault item ${item.id} checkpoint was signed by unknown user key ${item.detailCheckpoint.signerUserKeyPairId}.`,\n )\n }\n\n const expectedDetailCheckpoint = buildVaultItemDetailCheckpointFromResponse(\n item,\n item.detailCheckpoint.checkpoint.version,\n )\n const detailVerified = verifyVaultItemDetailCheckpoint(\n expectedDetailCheckpoint,\n item.detailCheckpoint.signature,\n detailSignerKey.publicKey,\n )\n\n if (!detailVerified) {\n throw new Error(`R4 SDK: vault item checkpoint verification failed for item ${item.id}.`)\n }\n\n assertAndPinCheckpointVersion(\n this.trustStorePath,\n `detail:${item.id}`,\n 
expectedDetailCheckpoint.version,\n )\n\n for (const field of item.fields) {\n if (field.value === null) {\n continue\n }\n\n env[toScreamingSnakeCase(`${item.name}_${field.name}`)] = decryptStoredFieldValue(\n field.value,\n dek,\n )\n }\n }\n\n return env\n }\n}\n\nexport default R4\n","import type {\n ListMachineVaultItemsResponse,\n ListMachineVaultsResponse,\n MachineAgentPublicKeyResponse,\n MachineVaultItemDetailResponse,\n MachineVaultUserKeyDirectoryResponse,\n MachineWrappedKeyResponse,\n RegisterMachinePublicKeyRequest,\n} from './types'\n\ntype ApiErrorBody = {\n error?: {\n message?: unknown\n }\n}\n\n/**\n * Minimal machine-API client used by the zero-trust Node SDK.\n * Agents authenticate with an AGENT-scoped API key, register their local public\n * key, then fetch wrapped vault DEKs and ciphertext for local decryption.\n */\nexport class R4Client {\n private readonly apiKey: string\n private readonly baseUrl: string\n\n constructor(apiKey: string, baseUrl: string) {\n this.apiKey = apiKey\n this.baseUrl = baseUrl.replace(/\\/$/, '')\n }\n\n private buildHeaders(): Record<string, string> {\n return {\n 'X-API-Key': this.apiKey,\n 'Content-Type': 'application/json',\n }\n }\n\n private async request<T>(path: string, init: RequestInit): Promise<T> {\n const response = await fetch(`${this.baseUrl}${path}`, {\n ...init,\n headers: {\n ...this.buildHeaders(),\n ...(init.headers ?? {}),\n },\n })\n\n if (!response.ok) {\n const errorBody = (await response.json().catch(() => ({}))) as ApiErrorBody\n const errorMessage =\n typeof errorBody.error?.message === 'string'\n ? 
errorBody.error.message\n : `HTTP ${response.status}: ${response.statusText}`\n throw new Error(`R4 API Error: ${errorMessage}`)\n }\n\n if (response.status === 204) {\n return undefined as T\n }\n\n return response.json() as Promise<T>\n }\n\n /**\n * Registers or re-confirms the agent runtime's local RSA public key.\n */\n async registerAgentPublicKey(\n body: RegisterMachinePublicKeyRequest,\n ): Promise<MachineAgentPublicKeyResponse> {\n return this.request<MachineAgentPublicKeyResponse>('/api/v1/machine/vault/public-key', {\n method: 'POST',\n body: JSON.stringify(body),\n })\n }\n\n /**\n * Lists all accessible non-hidden vaults. When `projectId` is provided, the\n * backend additionally filters to vaults associated with that project.\n */\n async listVaults(projectId?: string): Promise<ListMachineVaultsResponse> {\n const search = projectId\n ? `?projectId=${encodeURIComponent(projectId)}`\n : ''\n return this.request<ListMachineVaultsResponse>(`/api/v1/machine/vault${search}`, {\n method: 'GET',\n })\n }\n\n /**\n * Retrieves the active wrapped DEK for the authenticated agent on a vault.\n */\n async getAgentWrappedKey(vaultId: string): Promise<MachineWrappedKeyResponse> {\n return this.request<MachineWrappedKeyResponse>(\n `/api/v1/machine/vault/${encodeURIComponent(vaultId)}/wrapped-key`,\n { method: 'GET' },\n )\n }\n\n /**\n * Retrieves the trusted user-key directory for a vault so the runtime can\n * verify wrapped-DEK signatures locally.\n */\n async getVaultUserKeyDirectory(\n vaultId: string,\n params?: {\n knownTransparencyVersion?: number\n knownTransparencyHash?: string\n },\n ): Promise<MachineVaultUserKeyDirectoryResponse> {\n const searchParams = new URLSearchParams()\n if (params?.knownTransparencyVersion !== undefined) {\n searchParams.set('knownTransparencyVersion', String(params.knownTransparencyVersion))\n }\n if (params?.knownTransparencyHash) {\n searchParams.set('knownTransparencyHash', params.knownTransparencyHash)\n }\n const search 
= searchParams.size > 0 ? `?${searchParams.toString()}` : ''\n\n return this.request<MachineVaultUserKeyDirectoryResponse>(\n `/api/v1/machine/vault/${encodeURIComponent(vaultId)}/public-keys${search}`,\n { method: 'GET' },\n )\n }\n\n /**\n * Lists all items in a vault with lightweight metadata.\n */\n async listVaultItems(vaultId: string): Promise<ListMachineVaultItemsResponse> {\n return this.request<ListMachineVaultItemsResponse>(\n `/api/v1/machine/vault/${encodeURIComponent(vaultId)}/items`,\n { method: 'GET' },\n )\n }\n\n /**\n * Retrieves the full field payloads for a vault item.\n */\n async getVaultItemDetail(\n vaultId: string,\n itemId: string,\n ): Promise<MachineVaultItemDetailResponse> {\n return this.request<MachineVaultItemDetailResponse>(\n `/api/v1/machine/vault/${encodeURIComponent(vaultId)}/items/${encodeURIComponent(itemId)}`,\n { method: 'GET' },\n )\n }\n}\n","import crypto from 'node:crypto'\nimport fs from 'node:fs'\nimport path from 'node:path'\nimport {\n buildAgentPublicKeyWitnessPayload,\n buildOrgUserKeyDirectoryWitnessPayload,\n type AgentPublicKeyWitnessArtifact,\n type OrgUserKeyDirectoryWitnessArtifact,\n} from './transparency'\nimport type {\n UserKeyDirectoryCheckpoint,\n UserKeyDirectoryTransparencyEntry,\n UserKeyDirectoryTransparencyHead,\n UserKeyDirectoryTransparencyProof,\n VaultItemDetailCheckpoint,\n VaultSummaryCheckpoint,\n} from './types'\n\nconst RSA_OAEP_CONFIG = {\n padding: crypto.constants.RSA_PKCS1_OAEP_PADDING,\n oaepHash: 'sha256',\n} as const\n\nconst RSA_PSS_SIGN_CONFIG = {\n padding: crypto.constants.RSA_PKCS1_PSS_PADDING,\n saltLength: 32,\n} as const\n\nconst USER_KEY_ROTATION_PREFIX = 'r4-user-key-rotation-v1'\nconst USER_KEY_DIRECTORY_CHECKPOINT_PREFIX = 'r4-user-key-directory-checkpoint-v1'\nconst USER_KEY_DIRECTORY_TRANSPARENCY_ENTRY_PREFIX = 'r4-user-key-directory-transparency-entry-v1'\nconst WRAPPED_DEK_SIGNATURE_PREFIX = 'r4-wrapped-dek-signature-v1'\nconst VAULT_SUMMARY_CHECKPOINT_PREFIX = 
'r4-vault-summary-checkpoint-v1'\nconst VAULT_ITEM_DETAIL_CHECKPOINT_PREFIX = 'r4-vault-item-detail-checkpoint-v1'\n\ntype VaultEnvelope = {\n v: 3\n iv: string\n t: string\n d: string\n}\n\nfunction pemToDer(pem: string, beginLabel: string, endLabel: string): Buffer {\n const derBase64 = pem\n .replace(beginLabel, '')\n .replace(endLabel, '')\n .replace(/\\s/g, '')\n\n return Buffer.from(derBase64, 'base64')\n}\n\nfunction getWrappedDekFingerprint(wrappedDek: string): string {\n return crypto.createHash('sha256').update(Buffer.from(wrappedDek, 'base64')).digest('hex')\n}\n\nfunction getCheckpointFingerprint(prefix: string, canonicalJson: string): string {\n return `${prefix}:${crypto.createHash('sha256').update(canonicalJson, 'utf8').digest('hex')}`\n}\n\n/**\n * Loads a PEM-encoded private key from the provided path.\n */\nexport function loadPrivateKey(privateKeyPath: string): string {\n return fs.readFileSync(path.resolve(privateKeyPath), 'utf8').trim()\n}\n\n/**\n * Derives the matching PEM-encoded public key from a PEM private key.\n */\nexport function derivePublicKey(privateKeyPem: string): string {\n return crypto.createPublicKey(privateKeyPem).export({\n type: 'spki',\n format: 'pem',\n }).toString()\n}\n\n/**\n * Compute a stable SHA-256 fingerprint for a PEM-encoded public key.\n * The fingerprint uses the DER bytes so PEM formatting differences do not matter.\n */\nexport function getPublicKeyFingerprint(publicKeyPem: string): string {\n const derBytes = pemToDer(publicKeyPem, '-----BEGIN PUBLIC KEY-----', '-----END PUBLIC KEY-----')\n return crypto.createHash('sha256').update(derBytes).digest('hex')\n}\n\nfunction buildUserKeyRotationPayload(previousUserKeyPairId: string, newPublicKeyFingerprint: string): string {\n return `${USER_KEY_ROTATION_PREFIX}:${previousUserKeyPairId}:${newPublicKeyFingerprint}`\n}\n\n/**\n * Signs a new key fingerprint with the previous private key to prove continuity.\n */\nexport function signUserKeyRotation(\n 
previousUserKeyPairId: string,\n newPublicKeyPem: string,\n previousPrivateKeyPem: string,\n): string {\n const payload = buildUserKeyRotationPayload(\n previousUserKeyPairId,\n getPublicKeyFingerprint(newPublicKeyPem),\n )\n\n return crypto.sign(\n 'sha256',\n Buffer.from(payload, 'utf8'),\n {\n key: previousPrivateKeyPem,\n ...RSA_PSS_SIGN_CONFIG,\n },\n ).toString('base64')\n}\n\n/**\n * Verifies continuity for a rotated signer key.\n */\nexport function verifyUserKeyRotation(\n previousUserKeyPairId: string,\n newPublicKeyPem: string,\n rotationSignature: string,\n previousPublicKeyPem: string,\n): boolean {\n const payload = buildUserKeyRotationPayload(\n previousUserKeyPairId,\n getPublicKeyFingerprint(newPublicKeyPem),\n )\n\n try {\n return crypto.verify(\n 'sha256',\n Buffer.from(payload, 'utf8'),\n {\n key: previousPublicKeyPem,\n ...RSA_PSS_SIGN_CONFIG,\n },\n Buffer.from(rotationSignature, 'base64'),\n )\n } catch {\n return false\n }\n}\n\nexport function verifyTransparencyWitnessPayload(\n payload: string,\n signature: string,\n publicKeyPem: string,\n): boolean {\n try {\n return crypto.verify(\n 'sha256',\n Buffer.from(payload, 'utf8'),\n {\n key: publicKeyPem,\n ...RSA_PSS_SIGN_CONFIG,\n },\n Buffer.from(signature, 'base64'),\n )\n } catch {\n return false\n }\n}\n\nexport function verifyOrgUserKeyDirectoryWitnessArtifact(\n artifact: OrgUserKeyDirectoryWitnessArtifact,\n publicKeyPem: string,\n): boolean {\n return verifyTransparencyWitnessPayload(\n buildOrgUserKeyDirectoryWitnessPayload(artifact.orgId, artifact.head),\n artifact.signature,\n publicKeyPem,\n )\n}\n\nexport function verifyAgentPublicKeyWitnessArtifact(\n artifact: AgentPublicKeyWitnessArtifact,\n publicKeyPem: string,\n): boolean {\n return verifyTransparencyWitnessPayload(\n buildAgentPublicKeyWitnessPayload(artifact.agentId, artifact.head),\n artifact.signature,\n publicKeyPem,\n )\n}\n\nexport function normalizeUserKeyDirectoryCheckpoint(\n checkpoint: 
UserKeyDirectoryCheckpoint,\n): UserKeyDirectoryCheckpoint {\n return {\n orgId: checkpoint.orgId,\n version: checkpoint.version,\n entries: [...checkpoint.entries]\n .map((entry) => ({\n userKeyPairId: entry.userKeyPairId,\n orgUserId: entry.orgUserId,\n fingerprint: entry.fingerprint,\n previousUserKeyPairId: entry.previousUserKeyPairId ?? null,\n rotationSignature: entry.rotationSignature ?? null,\n }))\n .sort((left, right) => left.userKeyPairId.localeCompare(right.userKeyPairId)),\n }\n}\n\nexport function canonicalizeUserKeyDirectoryCheckpoint(\n checkpoint: UserKeyDirectoryCheckpoint,\n): string {\n return JSON.stringify(normalizeUserKeyDirectoryCheckpoint(checkpoint))\n}\n\nexport function buildUserKeyDirectoryCheckpointPayload(\n checkpoint: UserKeyDirectoryCheckpoint,\n): string {\n return getCheckpointFingerprint(\n USER_KEY_DIRECTORY_CHECKPOINT_PREFIX,\n canonicalizeUserKeyDirectoryCheckpoint(checkpoint),\n )\n}\n\nexport function signUserKeyDirectoryCheckpoint(\n checkpoint: UserKeyDirectoryCheckpoint,\n privateKeyPem: string,\n): string {\n return crypto.sign(\n 'sha256',\n Buffer.from(buildUserKeyDirectoryCheckpointPayload(checkpoint), 'utf8'),\n {\n key: privateKeyPem,\n ...RSA_PSS_SIGN_CONFIG,\n },\n ).toString('base64')\n}\n\nexport function verifyUserKeyDirectoryCheckpoint(\n checkpoint: UserKeyDirectoryCheckpoint,\n signature: string,\n publicKeyPem: string,\n): boolean {\n try {\n return crypto.verify(\n 'sha256',\n Buffer.from(buildUserKeyDirectoryCheckpointPayload(checkpoint), 'utf8'),\n {\n key: publicKeyPem,\n ...RSA_PSS_SIGN_CONFIG,\n },\n Buffer.from(signature, 'base64'),\n )\n } catch {\n return false\n }\n}\n\nexport function buildUserKeyDirectoryTransparencyEntryHash(\n entry: Omit<UserKeyDirectoryTransparencyEntry, 'entryHash'>,\n): string {\n return getCheckpointFingerprint(\n USER_KEY_DIRECTORY_TRANSPARENCY_ENTRY_PREFIX,\n JSON.stringify({\n orgId: entry.orgId,\n version: entry.version,\n directoryCheckpointPayload: 
entry.directoryCheckpointPayload,\n signerUserKeyPairId: entry.signerUserKeyPairId,\n signerOrgUserId: entry.signerOrgUserId,\n signerFingerprint: entry.signerFingerprint,\n signature: entry.signature,\n previousEntryHash: entry.previousEntryHash ?? null,\n }),\n )\n}\n\nexport function buildUserKeyDirectoryTransparencyEntry(params: {\n checkpoint: UserKeyDirectoryCheckpoint\n signerUserKeyPairId: string\n signerOrgUserId: string\n signerPublicKey: string\n signature: string\n previousEntryHash: string | null\n}): UserKeyDirectoryTransparencyEntry {\n const entryWithoutHash = {\n orgId: params.checkpoint.orgId,\n version: params.checkpoint.version,\n directoryCheckpointPayload: buildUserKeyDirectoryCheckpointPayload(params.checkpoint),\n signerUserKeyPairId: params.signerUserKeyPairId,\n signerOrgUserId: params.signerOrgUserId,\n signerFingerprint: getPublicKeyFingerprint(params.signerPublicKey),\n signature: params.signature,\n previousEntryHash: params.previousEntryHash ?? null,\n }\n\n return {\n ...entryWithoutHash,\n entryHash: buildUserKeyDirectoryTransparencyEntryHash(entryWithoutHash),\n }\n}\n\nexport function verifyUserKeyDirectoryTransparencyProof(params: {\n currentEntry: UserKeyDirectoryTransparencyEntry\n proof: UserKeyDirectoryTransparencyProof\n previousHead: UserKeyDirectoryTransparencyHead | null\n}): boolean {\n if (\n params.proof.head.version !== params.currentEntry.version ||\n params.proof.head.hash !== params.currentEntry.entryHash\n ) {\n return false\n }\n\n if (!params.previousHead) {\n if (params.proof.entries.length === 0) {\n return false\n }\n\n for (let index = 0; index < params.proof.entries.length; index++) {\n const entry = params.proof.entries[index]\n if (!entry) {\n return false\n }\n\n const expectedHash = buildUserKeyDirectoryTransparencyEntryHash({\n orgId: entry.orgId,\n version: entry.version,\n directoryCheckpointPayload: entry.directoryCheckpointPayload,\n signerUserKeyPairId: entry.signerUserKeyPairId,\n 
signerOrgUserId: entry.signerOrgUserId,\n signerFingerprint: entry.signerFingerprint,\n signature: entry.signature,\n previousEntryHash: entry.previousEntryHash,\n })\n\n if (expectedHash !== entry.entryHash) {\n return false\n }\n\n if (index === 0) {\n continue\n }\n\n const previousEntry = params.proof.entries[index - 1]\n if (!previousEntry) {\n return false\n }\n\n if (entry.previousEntryHash !== previousEntry.entryHash || entry.version !== previousEntry.version + 1) {\n return false\n }\n }\n\n const lastEntry = params.proof.entries[params.proof.entries.length - 1]\n return lastEntry?.entryHash === params.currentEntry.entryHash && lastEntry.version === params.currentEntry.version\n }\n\n if (params.currentEntry.version < params.previousHead.version) {\n return false\n }\n\n if (params.currentEntry.version === params.previousHead.version) {\n return params.currentEntry.entryHash === params.previousHead.hash && params.proof.entries.length === 0\n }\n\n if (params.proof.entries.length === 0) {\n return false\n }\n\n let previousVersion = params.previousHead.version\n let previousHash = params.previousHead.hash\n\n for (const entry of params.proof.entries) {\n const expectedHash = buildUserKeyDirectoryTransparencyEntryHash({\n orgId: entry.orgId,\n version: entry.version,\n directoryCheckpointPayload: entry.directoryCheckpointPayload,\n signerUserKeyPairId: entry.signerUserKeyPairId,\n signerOrgUserId: entry.signerOrgUserId,\n signerFingerprint: entry.signerFingerprint,\n signature: entry.signature,\n previousEntryHash: entry.previousEntryHash,\n })\n\n if (\n expectedHash !== entry.entryHash ||\n entry.previousEntryHash !== previousHash ||\n entry.version !== previousVersion + 1\n ) {\n return false\n }\n\n previousVersion = entry.version\n previousHash = entry.entryHash\n }\n\n return previousHash === params.currentEntry.entryHash && previousVersion === params.currentEntry.version\n}\n\nfunction buildWrappedDekSignaturePayload(\n vaultId: string,\n 
recipientKeyId: string,\n signerUserKeyPairId: string,\n dekVersion: number,\n wrappedDek: string,\n): string {\n return [\n WRAPPED_DEK_SIGNATURE_PREFIX,\n vaultId,\n recipientKeyId,\n signerUserKeyPairId,\n String(dekVersion),\n getWrappedDekFingerprint(wrappedDek),\n ].join(':')\n}\n\n/**\n * Signs a wrapped-DEK payload with the signer's private key.\n */\nexport function signWrappedDek(\n vaultId: string,\n recipientKeyId: string,\n signerUserKeyPairId: string,\n dekVersion: number,\n wrappedDek: string,\n signerPrivateKeyPem: string,\n): string {\n const payload = buildWrappedDekSignaturePayload(\n vaultId,\n recipientKeyId,\n signerUserKeyPairId,\n dekVersion,\n wrappedDek,\n )\n\n return crypto.sign(\n 'sha256',\n Buffer.from(payload, 'utf8'),\n {\n key: signerPrivateKeyPem,\n ...RSA_PSS_SIGN_CONFIG,\n },\n ).toString('base64')\n}\n\n/**\n * Verifies a wrapped vault DEK signature using the signer's public key.\n */\nexport function verifyWrappedDekSignature(\n vaultId: string,\n recipientKeyId: string,\n signerUserKeyPairId: string,\n dekVersion: number,\n wrappedDek: string,\n wrappedDekSignature: string,\n signerPublicKeyPem: string,\n): boolean {\n const payload = buildWrappedDekSignaturePayload(\n vaultId,\n recipientKeyId,\n signerUserKeyPairId,\n dekVersion,\n wrappedDek,\n )\n\n try {\n return crypto.verify(\n 'sha256',\n Buffer.from(payload, 'utf8'),\n {\n key: signerPublicKeyPem,\n ...RSA_PSS_SIGN_CONFIG,\n },\n Buffer.from(wrappedDekSignature, 'base64'),\n )\n } catch {\n return false\n }\n}\n\nexport function normalizeVaultSummaryCheckpoint(\n checkpoint: VaultSummaryCheckpoint,\n): VaultSummaryCheckpoint {\n return {\n vaultId: checkpoint.vaultId,\n version: checkpoint.version,\n name: checkpoint.name,\n dataClassification: checkpoint.dataClassification ?? null,\n currentDekVersion: checkpoint.currentDekVersion ?? null,\n items: [...checkpoint.items]\n .map((item) => ({\n id: item.id,\n name: item.name,\n type: item.type ?? 
null,\n websites: [...item.websites],\n groupId: item.groupId ?? null,\n }))\n .sort((left, right) => left.id.localeCompare(right.id)),\n groups: [...checkpoint.groups]\n .map((group) => ({\n id: group.id,\n name: group.name,\n parentId: group.parentId ?? null,\n }))\n .sort((left, right) => left.id.localeCompare(right.id)),\n }\n}\n\nexport function canonicalizeVaultSummaryCheckpoint(\n checkpoint: VaultSummaryCheckpoint,\n): string {\n return JSON.stringify(normalizeVaultSummaryCheckpoint(checkpoint))\n}\n\nexport function buildVaultSummaryCheckpointPayload(\n checkpoint: VaultSummaryCheckpoint,\n): string {\n return getCheckpointFingerprint(\n VAULT_SUMMARY_CHECKPOINT_PREFIX,\n canonicalizeVaultSummaryCheckpoint(checkpoint),\n )\n}\n\nexport function verifyVaultSummaryCheckpoint(\n checkpoint: VaultSummaryCheckpoint,\n signature: string,\n publicKeyPem: string,\n): boolean {\n try {\n return crypto.verify(\n 'sha256',\n Buffer.from(buildVaultSummaryCheckpointPayload(checkpoint), 'utf8'),\n {\n key: publicKeyPem,\n ...RSA_PSS_SIGN_CONFIG,\n },\n Buffer.from(signature, 'base64'),\n )\n } catch {\n return false\n }\n}\n\nexport function signVaultSummaryCheckpoint(\n checkpoint: VaultSummaryCheckpoint,\n privateKeyPem: string,\n): string {\n return crypto.sign(\n 'sha256',\n Buffer.from(buildVaultSummaryCheckpointPayload(checkpoint), 'utf8'),\n {\n key: privateKeyPem,\n ...RSA_PSS_SIGN_CONFIG,\n },\n ).toString('base64')\n}\n\nexport function normalizeVaultItemDetailCheckpoint(\n checkpoint: VaultItemDetailCheckpoint,\n): VaultItemDetailCheckpoint {\n return {\n vaultItemId: checkpoint.vaultItemId,\n vaultId: checkpoint.vaultId,\n version: checkpoint.version,\n name: checkpoint.name,\n type: checkpoint.type ?? null,\n websites: [...checkpoint.websites],\n groupId: checkpoint.groupId ?? 
null,\n fields: [...checkpoint.fields]\n .map((field) => ({\n id: field.id,\n name: field.name,\n type: field.type,\n order: field.order,\n fieldInstanceIds: [...field.fieldInstanceIds].sort(),\n assetIds: [...field.assetIds].sort(),\n }))\n .sort((left, right) => left.order - right.order || left.id.localeCompare(right.id)),\n }\n}\n\nexport function canonicalizeVaultItemDetailCheckpoint(\n checkpoint: VaultItemDetailCheckpoint,\n): string {\n return JSON.stringify(normalizeVaultItemDetailCheckpoint(checkpoint))\n}\n\nexport function buildVaultItemDetailCheckpointPayload(\n checkpoint: VaultItemDetailCheckpoint,\n): string {\n return getCheckpointFingerprint(\n VAULT_ITEM_DETAIL_CHECKPOINT_PREFIX,\n canonicalizeVaultItemDetailCheckpoint(checkpoint),\n )\n}\n\nexport function verifyVaultItemDetailCheckpoint(\n checkpoint: VaultItemDetailCheckpoint,\n signature: string,\n publicKeyPem: string,\n): boolean {\n try {\n return crypto.verify(\n 'sha256',\n Buffer.from(buildVaultItemDetailCheckpointPayload(checkpoint), 'utf8'),\n {\n key: publicKeyPem,\n ...RSA_PSS_SIGN_CONFIG,\n },\n Buffer.from(signature, 'base64'),\n )\n } catch {\n return false\n }\n}\n\nexport function signVaultItemDetailCheckpoint(\n checkpoint: VaultItemDetailCheckpoint,\n privateKeyPem: string,\n): string {\n return crypto.sign(\n 'sha256',\n Buffer.from(buildVaultItemDetailCheckpointPayload(checkpoint), 'utf8'),\n {\n key: privateKeyPem,\n ...RSA_PSS_SIGN_CONFIG,\n },\n ).toString('base64')\n}\n\n/**\n * Checks whether a stored field value is a v3 vault envelope.\n */\nexport function isVaultEnvelope(value: string): boolean {\n if (!value.startsWith('{')) {\n return false\n }\n\n try {\n const parsed = JSON.parse(value) as { v?: number }\n return parsed.v === 3\n } catch {\n return false\n }\n}\n\n/**\n * Decrypts a v3 vault envelope with the provided 32-byte AES vault DEK.\n */\nexport function decryptWithVaultDEK(encryptedValue: string, dek: Buffer): string {\n if 
(!isVaultEnvelope(encryptedValue)) {\n throw new Error('Invalid encrypted value: expected v3 vault envelope format')\n }\n\n const envelope = JSON.parse(encryptedValue) as VaultEnvelope\n const decipher = crypto.createDecipheriv('aes-256-gcm', dek, Buffer.from(envelope.iv, 'base64'))\n decipher.setAuthTag(Buffer.from(envelope.t, 'base64'))\n const decrypted = Buffer.concat([\n decipher.update(Buffer.from(envelope.d, 'base64')),\n decipher.final(),\n ])\n return decrypted.toString('utf8')\n}\n\n/**\n * Returns plaintext for a field value. Plain strings are returned as-is, while\n * v3 envelopes are decrypted with the provided vault DEK.\n */\nexport function decryptStoredFieldValue(value: string, dek: Buffer): string {\n return isVaultEnvelope(value) ? decryptWithVaultDEK(value, dek) : value\n}\n\n/**\n * Encrypts a plaintext field value into a v3 vault envelope. Used by tests.\n */\nexport function encryptWithVaultDEK(value: string, dek: Buffer): string {\n const iv = crypto.randomBytes(12)\n const cipher = crypto.createCipheriv('aes-256-gcm', dek, iv)\n const ciphertext = Buffer.concat([cipher.update(value, 'utf8'), cipher.final()])\n const tag = cipher.getAuthTag()\n\n return JSON.stringify({\n v: 3,\n iv: iv.toString('base64'),\n t: tag.toString('base64'),\n d: ciphertext.toString('base64'),\n } satisfies VaultEnvelope)\n}\n\n/**\n * Unwraps a vault DEK using the agent runtime's local private key.\n */\nexport function unwrapDEKWithPrivateKey(wrappedDek: string, privateKeyPem: string): Buffer {\n return crypto.privateDecrypt(\n { key: privateKeyPem, ...RSA_OAEP_CONFIG },\n Buffer.from(wrappedDek, 'base64'),\n )\n}\n","/**\n * Minimal transparency witness helpers vendored into the public Node SDK so the\n * published package does not depend on unpublished internal workspace packages.\n */\n\nconst TRANSPARENCY_WITNESS_PAYLOAD_PREFIX = 'r4-transparency-witness-v1'\n\nexport const DEFAULT_TRANSPARENCY_WITNESS_URL = 'https://transparency.r4.dev'\n\nexport const 
TRANSPARENCY_WITNESS_ROOT_PUBLIC_KEY_PEM = `-----BEGIN PUBLIC KEY-----\nMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA18JhILFiS/BOWR9laubW\ng2vepQy26BXAlnrscZZVQUzBBaCM4hWobpt3Nh77vxP0gqVAJXP1hVhPPwxGQnOF\n4Qg/RK4iEETjMdmh3KMqFX9MeE9tP4cTOGtsgWsedNpu6TvMT+2vu+0ltmr7p4Xv\nH0ID48Q8JLeNksc/RekrsfzQ9DVtXFS7z1FF2VQgzamdJsW9hGMiM7Q+0iXei7PW\n3PsLd1aNtqJ3lIj3t12qFiJiYyKF0hEq0//Abgb9SgDv/WOlRG1Ianf1/fnP2jer\nZYiZSylXqQdun0Db2d0+FDm/znV2AGAmBEXm6qnCogEHu77LoLyCyJOlB9WNtRwh\nKnbzTmE2Mw/43jxvCcR7pE5kik/tdeMvqGFZfg3ozUG9eM0q0TURH6g9b9J4sBnR\ndxz2PbF4cl/AeL4ANPmLz3kUQaDA6wR0veVk5jV+Uqr55TYz/zEbY1rtJbmnc53Q\nihPS6xtSiexrqnOgqm/AVbiRhxjPqfg3/VJM3zR5Blnu02AqVR9kCT0WkyEWRz5X\n6HU8DEocJIPz8UwBMKQ7rnjMPv/Fjpuav/EIad5vOdfxCZkjyTYoQg8vLUyfXvgD\nmBWFgKIN8GTRyM+LjZIgznjN58dZ8ZvsGd14oKnH7WgAh9FVh8ri7gNmsdJeRTn/\n2zDkTlx+FQxAxqFaYV7qCvcCAwEAAQ==\n-----END PUBLIC KEY-----`\n\nexport type TransparencyWitnessHead = {\n version: number\n hash: string\n}\n\nexport type OrgUserKeyDirectoryWitnessArtifact = {\n version: 1\n kind: 'org-user-key-directory'\n orgId: string\n head: TransparencyWitnessHead\n signature: string\n keyId: string\n publishedAt: string\n}\n\nexport type AgentPublicKeyWitnessArtifact = {\n version: 1\n kind: 'agent-public-key'\n agentId: string\n head: TransparencyWitnessHead\n signature: string\n keyId: string\n publishedAt: string\n}\n\nexport const buildOrgUserKeyDirectoryWitnessPayload = (\n orgId: string,\n head: TransparencyWitnessHead,\n): string =>\n [\n TRANSPARENCY_WITNESS_PAYLOAD_PREFIX,\n 'org-user-key-directory',\n orgId,\n String(head.version),\n head.hash,\n ].join(':')\n\nexport const buildAgentPublicKeyWitnessPayload = (\n agentId: string,\n head: TransparencyWitnessHead,\n): string =>\n [\n TRANSPARENCY_WITNESS_PAYLOAD_PREFIX,\n 'agent-public-key',\n agentId,\n String(head.version),\n head.hash,\n ].join(':')\n\nexport const buildOrgUserKeyDirectoryWitnessPath = (orgId: string): string =>\n `v1/orgs/${orgId}/user-key-directory-head.json`\n\nexport const 
buildTransparencyWitnessUrl = (baseUrl: string, path: string): string =>\n `${baseUrl.replace(/\\/+$/, '')}/${path.replace(/^\\/+/, '')}`\n\nexport const shouldUseDefaultTransparencyWitness = (apiBaseUrl: string): boolean =>\n /(^https?:\\/\\/)?([^.]+\\.)?r4\\.dev(?::\\d+)?(\\/|$)/i.test(apiBaseUrl.trim())\n","import fs from 'node:fs'\nimport path from 'node:path'\nimport {\n DEFAULT_TRANSPARENCY_WITNESS_URL,\n TRANSPARENCY_WITNESS_ROOT_PUBLIC_KEY_PEM,\n buildOrgUserKeyDirectoryWitnessPath,\n buildTransparencyWitnessUrl,\n shouldUseDefaultTransparencyWitness,\n type OrgUserKeyDirectoryWitnessArtifact,\n} from './transparency'\nimport {\n buildUserKeyDirectoryTransparencyEntry,\n getPublicKeyFingerprint,\n verifyOrgUserKeyDirectoryWitnessArtifact,\n verifyUserKeyDirectoryCheckpoint,\n verifyUserKeyDirectoryTransparencyProof,\n verifyUserKeyRotation,\n} from './crypto'\nimport type {\n MachineVaultUserKeyDirectoryResponse,\n MachineVaultUserPublicKey,\n} from './types'\n\ntype PublicKeyPinRecord = {\n keyPairId: string\n fingerprint: string\n publicKey: string\n pinnedAt: string\n verifiedAt: string\n}\n\ntype TrustStore = {\n version: 1\n userKeyPins: Record<string, PublicKeyPinRecord>\n checkpointVersionPins: Record<string, number>\n transparencyHeadPins: Record<string, { version: number; hash: string }>\n}\n\nfunction loadTrustStore(trustStorePath: string): TrustStore {\n try {\n const raw = fs.readFileSync(trustStorePath, 'utf8')\n const parsed = JSON.parse(raw) as Partial<TrustStore>\n return {\n version: 1,\n userKeyPins: parsed.userKeyPins ?? {},\n checkpointVersionPins: parsed.checkpointVersionPins ?? {},\n transparencyHeadPins: parsed.transparencyHeadPins ?? 
{},\n }\n } catch {\n return {\n version: 1,\n userKeyPins: {},\n checkpointVersionPins: {},\n transparencyHeadPins: {},\n }\n }\n}\n\nfunction saveTrustStore(trustStorePath: string, store: TrustStore): void {\n fs.mkdirSync(path.dirname(trustStorePath), { recursive: true })\n fs.writeFileSync(trustStorePath, JSON.stringify(store, null, 2) + '\\n', 'utf8')\n}\n\nfunction getPinStorageKey(orgId: string, orgUserId: string): string {\n return `${orgId}:${orgUserId}`\n}\n\nfunction getDirectoryPinStorageKey(orgId: string): string {\n return `org:${orgId}`\n}\n\nasync function fetchWitnessArtifact<T>(pathName: string): Promise<T> {\n const response = await fetch(\n buildTransparencyWitnessUrl(DEFAULT_TRANSPARENCY_WITNESS_URL, pathName),\n {\n cache: 'no-store',\n },\n )\n\n if (!response.ok) {\n throw new Error(`Failed to fetch public transparency witness artifact (${response.status}).`)\n }\n\n return response.json() as Promise<T>\n}\n\nexport function getPinnedTransparencyHead(\n trustStorePath: string,\n orgId: string,\n): { version: number; hash: string } | null {\n const store = loadTrustStore(trustStorePath)\n return store.transparencyHeadPins[getDirectoryPinStorageKey(orgId)] ?? null\n}\n\nexport function getSinglePinnedTransparencyHead(\n trustStorePath: string,\n): { version: number; hash: string } | null {\n const store = loadTrustStore(trustStorePath)\n const heads = Object.values(store.transparencyHeadPins)\n return heads.length === 1 ? heads[0]! 
: null\n}\n\nexport async function getPublicOrgWitnessHead(\n apiBaseUrl: string,\n orgId: string,\n): Promise<{ version: number; hash: string } | null> {\n if (!shouldUseDefaultTransparencyWitness(apiBaseUrl)) {\n return null\n }\n\n const artifact = await fetchWitnessArtifact<OrgUserKeyDirectoryWitnessArtifact>(\n buildOrgUserKeyDirectoryWitnessPath(orgId),\n )\n\n if (\n artifact.kind !== 'org-user-key-directory' ||\n artifact.orgId !== orgId ||\n !verifyOrgUserKeyDirectoryWitnessArtifact(\n artifact,\n TRANSPARENCY_WITNESS_ROOT_PUBLIC_KEY_PEM,\n )\n ) {\n throw new Error(`Public transparency witness verification failed for org ${orgId}.`)\n }\n\n return artifact.head\n}\n\nasync function pinVaultUserPublicKeys(\n trustStorePath: string,\n orgId: string,\n publicKeys: MachineVaultUserPublicKey[],\n): Promise<MachineVaultUserPublicKey[]> {\n const store = loadTrustStore(trustStorePath)\n let changed = false\n\n for (const key of publicKeys) {\n const storageKey = getPinStorageKey(orgId, key.orgUserId)\n const computedFingerprint = getPublicKeyFingerprint(key.publicKey)\n\n if (computedFingerprint !== key.fingerprint) {\n throw new Error(`Server returned a mismatched fingerprint for user ${key.orgUserId}.`)\n }\n\n const existing = store.userKeyPins[storageKey]\n const verifiedAt = new Date().toISOString()\n\n if (!existing) {\n store.userKeyPins[storageKey] = {\n keyPairId: key.userKeyPairId,\n fingerprint: key.fingerprint,\n publicKey: key.publicKey,\n pinnedAt: verifiedAt,\n verifiedAt,\n }\n changed = true\n continue\n }\n\n if (existing.keyPairId === key.userKeyPairId) {\n if (existing.fingerprint !== key.fingerprint || existing.publicKey !== key.publicKey) {\n throw new Error(\n `Pinned public key ${key.userKeyPairId} changed unexpectedly for user ${key.orgUserId}.`,\n )\n }\n\n if (existing.verifiedAt !== verifiedAt) {\n store.userKeyPins[storageKey] = {\n ...existing,\n verifiedAt,\n }\n changed = true\n }\n continue\n }\n\n if (!key.previousUserKeyPairId 
|| key.previousUserKeyPairId !== existing.keyPairId || !key.rotationSignature) {\n throw new Error(`Public key rotation for user ${key.orgUserId} is missing a trusted continuity proof.`)\n }\n\n const rotationVerified = verifyUserKeyRotation(\n existing.keyPairId,\n key.publicKey,\n key.rotationSignature,\n existing.publicKey,\n )\n\n if (!rotationVerified) {\n throw new Error(`Public key rotation for user ${key.orgUserId} failed signature verification.`)\n }\n\n store.userKeyPins[storageKey] = {\n keyPairId: key.userKeyPairId,\n fingerprint: key.fingerprint,\n publicKey: key.publicKey,\n pinnedAt: existing.pinnedAt,\n verifiedAt,\n }\n changed = true\n }\n\n if (changed) {\n saveTrustStore(trustStorePath, store)\n }\n\n return publicKeys\n}\n\nasync function verifySignedUserKeyDirectory(\n trustStorePath: string,\n directory: MachineVaultUserKeyDirectoryResponse,\n anchorHead?: { version: number; hash: string } | null,\n): Promise<string | null> {\n if (!directory.directoryCheckpoint) {\n if (directory.publicKeys.length > 0) {\n throw new Error('Server omitted the user-key directory checkpoint for a non-empty vault signer directory.')\n }\n return null\n }\n\n const { directoryCheckpoint } = directory\n const orgId = directoryCheckpoint.checkpoint.orgId\n\n if (!directoryCheckpoint.signerOrgUserId || !directoryCheckpoint.signerPublicKey) {\n throw new Error('Server returned an incomplete user-key directory signer payload.')\n }\n\n const signerFingerprint = getPublicKeyFingerprint(directoryCheckpoint.signerPublicKey)\n const signerEntry = directoryCheckpoint.checkpoint.entries.find(\n (entry) =>\n entry.userKeyPairId === directoryCheckpoint.signerUserKeyPairId &&\n entry.orgUserId === directoryCheckpoint.signerOrgUserId,\n )\n const signerKey: MachineVaultUserPublicKey = {\n userKeyPairId: directoryCheckpoint.signerUserKeyPairId,\n orgUserId: directoryCheckpoint.signerOrgUserId,\n publicKey: directoryCheckpoint.signerPublicKey,\n fingerprint: signerFingerprint,\n 
previousUserKeyPairId: signerEntry?.previousUserKeyPairId ?? null,\n rotationSignature: signerEntry?.rotationSignature ?? null,\n }\n const storeBeforeVerification = loadTrustStore(trustStorePath)\n\n try {\n await pinVaultUserPublicKeys(trustStorePath, orgId, [signerKey])\n\n const verified = verifyUserKeyDirectoryCheckpoint(\n directoryCheckpoint.checkpoint,\n directoryCheckpoint.signature,\n directoryCheckpoint.signerPublicKey,\n )\n\n if (!verified) {\n throw new Error(`User-key directory signature verification failed for org ${orgId}.`)\n }\n if (!directory.transparency) {\n throw new Error(`Server omitted the user-key directory transparency proof for org ${orgId}.`)\n }\n\n const store = loadTrustStore(trustStorePath)\n const pinnedTransparencyHead = store.transparencyHeadPins[getDirectoryPinStorageKey(orgId)] ?? null\n const trustedPreviousHead = anchorHead ?? pinnedTransparencyHead\n const legacyPinnedVersion = store.checkpointVersionPins[getDirectoryPinStorageKey(orgId)] ?? null\n\n if (!trustedPreviousHead && legacyPinnedVersion !== null && directory.transparency.head.version < legacyPinnedVersion) {\n throw new Error(`User-key transparency head rolled back unexpectedly for org ${orgId}.`)\n }\n\n if (!trustedPreviousHead && directory.transparency.entries.length === 0) {\n throw new Error(`Server omitted the current transparency entry for org ${orgId}.`)\n }\n\n if (directory.transparency.entries.length > 0) {\n const currentProofEntry = directory.transparency.entries[directory.transparency.entries.length - 1]\n if (!currentProofEntry) {\n throw new Error(`Server returned an empty transparency proof for org ${orgId}.`)\n }\n\n const expectedCurrentEntry = buildUserKeyDirectoryTransparencyEntry({\n checkpoint: directoryCheckpoint.checkpoint,\n signerUserKeyPairId: directoryCheckpoint.signerUserKeyPairId,\n signerOrgUserId: directoryCheckpoint.signerOrgUserId,\n signerPublicKey: directoryCheckpoint.signerPublicKey,\n signature: 
directoryCheckpoint.signature,\n previousEntryHash: currentProofEntry.previousEntryHash ?? null,\n })\n\n if (expectedCurrentEntry.entryHash !== currentProofEntry.entryHash) {\n throw new Error(`User-key transparency entry does not match the signed directory for org ${orgId}.`)\n }\n\n if (anchorHead && directory.transparency.head.version === anchorHead.version) {\n if (directory.transparency.head.hash !== anchorHead.hash) {\n throw new Error(`Public transparency witness head fork detected for org ${orgId}.`)\n }\n\n if (\n currentProofEntry.entryHash !== anchorHead.hash ||\n expectedCurrentEntry.entryHash !== anchorHead.hash\n ) {\n throw new Error(`User-key transparency witness anchor mismatch for org ${orgId}.`)\n }\n } else if (\n !verifyUserKeyDirectoryTransparencyProof({\n currentEntry: expectedCurrentEntry,\n proof: directory.transparency,\n previousHead: trustedPreviousHead,\n })\n ) {\n throw new Error(`User-key transparency proof verification failed for org ${orgId}.`)\n }\n } else if (\n anchorHead &&\n directory.transparency.head.version === anchorHead.version\n ) {\n throw new Error(`Server omitted the current transparency entry required to verify org ${orgId} against the public witness.`)\n } else if (\n !trustedPreviousHead ||\n trustedPreviousHead.version !== directory.transparency.head.version ||\n trustedPreviousHead.hash !== directory.transparency.head.hash\n ) {\n throw new Error(`Server returned an incomplete user-key transparency proof for org ${orgId}.`)\n }\n\n assertAndPinTransparencyHead(trustStorePath, orgId, directory.transparency.head)\n\n const checkpointEntries = new Map(\n directoryCheckpoint.checkpoint.entries.map((entry) => [entry.userKeyPairId, entry]),\n )\n\n for (const key of directory.publicKeys) {\n const entry = checkpointEntries.get(key.userKeyPairId)\n\n if (!entry) {\n throw new Error(`User key ${key.userKeyPairId} is missing from the signed org directory.`)\n }\n\n if (\n entry.orgUserId !== key.orgUserId ||\n 
entry.fingerprint !== key.fingerprint ||\n entry.previousUserKeyPairId !== key.previousUserKeyPairId ||\n entry.rotationSignature !== key.rotationSignature\n ) {\n throw new Error(`User key ${key.userKeyPairId} does not match the signed org directory.`)\n }\n }\n\n return orgId\n } catch (error) {\n saveTrustStore(trustStorePath, storeBeforeVerification)\n throw error\n }\n}\n\n/**\n * Verifies the signed org directory first, then advances local per-user pins\n * only for the vault principals covered by that trusted directory.\n */\nexport async function verifyAndPinVaultUserPublicKeys(\n trustStorePath: string,\n directory: MachineVaultUserKeyDirectoryResponse,\n anchorHead?: { version: number; hash: string } | null,\n): Promise<MachineVaultUserPublicKey[]> {\n const orgId = await verifySignedUserKeyDirectory(trustStorePath, directory, anchorHead)\n if (!orgId) {\n return directory.publicKeys\n }\n return pinVaultUserPublicKeys(trustStorePath, orgId, directory.publicKeys)\n}\n\n/**\n * Rejects rollbacked checkpoint versions and persists the newest version so\n * subsequent SDK runs continue to enforce monotonic metadata history.\n */\nexport function assertAndPinCheckpointVersion(\n trustStorePath: string,\n storageKey: string,\n version: number,\n): void {\n const store = loadTrustStore(trustStorePath)\n const pinnedVersion = store.checkpointVersionPins[storageKey]\n\n if (pinnedVersion !== undefined && version < pinnedVersion) {\n throw new Error(`Checkpoint version rolled back unexpectedly for ${storageKey}.`)\n }\n\n if (pinnedVersion === undefined || version > pinnedVersion) {\n store.checkpointVersionPins[storageKey] = version\n saveTrustStore(trustStorePath, store)\n }\n}\n\nfunction assertAndPinTransparencyHead(\n trustStorePath: string,\n orgId: string,\n head: { version: number; hash: string },\n): void {\n const store = loadTrustStore(trustStorePath)\n const storageKey = getDirectoryPinStorageKey(orgId)\n const pinnedHead = 
store.transparencyHeadPins[storageKey]\n\n if (pinnedHead) {\n if (head.version < pinnedHead.version) {\n throw new Error(`User-key transparency head rolled back unexpectedly for org ${orgId}.`)\n }\n\n if (head.version === pinnedHead.version && head.hash !== pinnedHead.hash) {\n throw new Error(`User-key transparency head fork detected for org ${orgId}.`)\n }\n }\n\n if (!pinnedHead || head.version > pinnedHead.version) {\n store.transparencyHeadPins[storageKey] = head\n saveTrustStore(trustStorePath, store)\n }\n\n assertAndPinCheckpointVersion(trustStorePath, storageKey, head.version)\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,IAAAA,oBAAiB;;;ACqBV,IAAM,WAAN,MAAe;AAAA,EACH;AAAA,EACA;AAAA,EAEjB,YAAY,QAAgB,SAAiB;AAC3C,SAAK,SAAS;AACd,SAAK,UAAU,QAAQ,QAAQ,OAAO,EAAE;AAAA,EAC1C;AAAA,EAEQ,eAAuC;AAC7C,WAAO;AAAA,MACL,aAAa,KAAK;AAAA,MAClB,gBAAgB;AAAA,IAClB;AAAA,EACF;AAAA,EAEA,MAAc,QAAWC,OAAc,MAA+B;AACpE,UAAM,WAAW,MAAM,MAAM,GAAG,KAAK,OAAO,GAAGA,KAAI,IAAI;AAAA,MACrD,GAAG;AAAA,MACH,SAAS;AAAA,QACP,GAAG,KAAK,aAAa;AAAA,QACrB,GAAI,KAAK,WAAW,CAAC;AAAA,MACvB;AAAA,IACF,CAAC;AAED,QAAI,CAAC,SAAS,IAAI;AAChB,YAAM,YAAa,MAAM,SAAS,KAAK,EAAE,MAAM,OAAO,CAAC,EAAE;AACzD,YAAM,eACJ,OAAO,UAAU,OAAO,YAAY,WAChC,UAAU,MAAM,UAChB,QAAQ,SAAS,MAAM,KAAK,SAAS,UAAU;AACrD,YAAM,IAAI,MAAM,iBAAiB,YAAY,EAAE;AAAA,IACjD;AAEA,QAAI,SAAS,WAAW,KAAK;AAC3B,aAAO;AAAA,IACT;AAEA,WAAO,SAAS,KAAK;AAAA,EACvB;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,uBACJ,MACwC;AACxC,WAAO,KAAK,QAAuC,oCAAoC;AAAA,MACrF,QAAQ;AAAA,MACR,MAAM,KAAK,UAAU,IAAI;AAAA,IAC3B,CAAC;AAAA,EACH;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,MAAM,WAAW,WAAwD;AACvE,UAAM,SAAS,YACX,cAAc,mBAAmB,SAAS,CAAC,KAC3C;AACJ,WAAO,KAAK,QAAmC,wBAAwB,MAAM,IAAI;AAAA,MAC/E,QAAQ;AAAA,IACV,CAAC;AAAA,EACH;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,mBAAmB,SAAqD;AAC5E,WAAO,KAAK;AAAA,MACV,yBAAyB,mBAAmB,OAAO,CAAC;AAAA,MACpD,EAAE,QAAQ,MAAM;AAAA,IAClB;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,MAAM,yBACJ,SACA,QAI+C;AAC/C,UAAM,eAAe,IAAI,gBAAgB;AACzC,QAAI,QAAQ,6BAA6B,QAAW;AAClD,mBAAa,IAAI,4BAA4B,OAA
O,OAAO,wBAAwB,CAAC;AAAA,IACtF;AACA,QAAI,QAAQ,uBAAuB;AACjC,mBAAa,IAAI,yBAAyB,OAAO,qBAAqB;AAAA,IACxE;AACA,UAAM,SAAS,aAAa,OAAO,IAAI,IAAI,aAAa,SAAS,CAAC,KAAK;AAEvE,WAAO,KAAK;AAAA,MACV,yBAAyB,mBAAmB,OAAO,CAAC,eAAe,MAAM;AAAA,MACzE,EAAE,QAAQ,MAAM;AAAA,IAClB;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,eAAe,SAAyD;AAC5E,WAAO,KAAK;AAAA,MACV,yBAAyB,mBAAmB,OAAO,CAAC;AAAA,MACpD,EAAE,QAAQ,MAAM;AAAA,IAClB;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,mBACJ,SACA,QACyC;AACzC,WAAO,KAAK;AAAA,MACV,yBAAyB,mBAAmB,OAAO,CAAC,UAAU,mBAAmB,MAAM,CAAC;AAAA,MACxF,EAAE,QAAQ,MAAM;AAAA,IAClB;AAAA,EACF;AACF;;;ACjJA,yBAAmB;AACnB,qBAAe;AACf,uBAAiB;;;ACGjB,IAAM,sCAAsC;AAErC,IAAM,mCAAmC;AAEzC,IAAM,2CAA2C;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAwCjD,IAAM,yCAAyC,CACpD,OACA,SAEA;AAAA,EACE;AAAA,EACA;AAAA,EACA;AAAA,EACA,OAAO,KAAK,OAAO;AAAA,EACnB,KAAK;AACP,EAAE,KAAK,GAAG;AAcL,IAAM,sCAAsC,CAAC,UAClD,WAAW,KAAK;AAEX,IAAM,8BAA8B,CAAC,SAAiBC,UAC3D,GAAG,QAAQ,QAAQ,QAAQ,EAAE,CAAC,IAAIA,MAAK,QAAQ,QAAQ,EAAE,CAAC;AAErD,IAAM,sCAAsC,CAAC,eAClD,mDAAmD,KAAK,WAAW,KAAK,CAAC;;;AD9D3E,IAAM,kBAAkB;AAAA,EACtB,SAAS,mBAAAC,QAAO,UAAU;AAAA,EAC1B,UAAU;AACZ;AAEA,IAAM,sBAAsB;AAAA,EAC1B,SAAS,mBAAAA,QAAO,UAAU;AAAA,EAC1B,YAAY;AACd;AAEA,IAAM,2BAA2B;AACjC,IAAM,uCAAuC;AAC7C,IAAM,+CAA+C;AACrD,IAAM,+BAA+B;AACrC,IAAM,kCAAkC;AACxC,IAAM,sCAAsC;AAS5C,SAAS,SAAS,KAAa,YAAoB,UAA0B;AAC3E,QAAM,YAAY,IACf,QAAQ,YAAY,EAAE,EACtB,QAAQ,UAAU,EAAE,EACpB,QAAQ,OAAO,EAAE;AAEpB,SAAO,OAAO,KAAK,WAAW,QAAQ;AACxC;AAEA,SAAS,yBAAyB,YAA4B;AAC5D,SAAO,mBAAAA,QAAO,WAAW,QAAQ,EAAE,OAAO,OAAO,KAAK,YAAY,QAAQ,CAAC,EAAE,OAAO,KAAK;AAC3F;AAEA,SAAS,yBAAyB,QAAgB,eAA+B;AAC/E,SAAO,GAAG,MAAM,IAAI,mBAAAA,QAAO,WAAW,QAAQ,EAAE,OAAO,eAAe,MAAM,EAAE,OAAO,KAAK,CAAC;AAC7F;AAKO,SAAS,eAAe,gBAAgC;AAC7D,SAAO,eAAAC,QAAG,aAAa,iBAAAC,QAAK,QAAQ,cAAc,GAAG,MAAM,EAAE,KAAK;AACpE;AAKO,SAAS,gBAAgB,eAA+B;AAC7D,SAAO,mBAAAF,QAAO,gBAAgB,aAAa,EAAE,OAAO;AAAA,IAClD,MAAM;AAAA,IACN,QAAQ;AAAA,EACV,CAAC,EAAE,SAAS;AACd;AAMO,SAAS,wBAAwB,cAA8B;AACpE,QAAM,WAAW,SAAS,cAAc,8BAA8B,0BAA0B;AAChG,SAAO,mBAAAA,QAAO,WAAW,Q
AAQ,EAAE,OAAO,QAAQ,EAAE,OAAO,KAAK;AAClE;AAEA,SAAS,4BAA4B,uBAA+B,yBAAyC;AAC3G,SAAO,GAAG,wBAAwB,IAAI,qBAAqB,IAAI,uBAAuB;AACxF;AA4BO,SAAS,sBACd,uBACA,iBACA,mBACA,sBACS;AACT,QAAM,UAAU;AAAA,IACd;AAAA,IACA,wBAAwB,eAAe;AAAA,EACzC;AAEA,MAAI;AACF,WAAO,mBAAAG,QAAO;AAAA,MACZ;AAAA,MACA,OAAO,KAAK,SAAS,MAAM;AAAA,MAC3B;AAAA,QACE,KAAK;AAAA,QACL,GAAG;AAAA,MACL;AAAA,MACA,OAAO,KAAK,mBAAmB,QAAQ;AAAA,IACzC;AAAA,EACF,QAAQ;AACN,WAAO;AAAA,EACT;AACF;AAEO,SAAS,iCACd,SACA,WACA,cACS;AACT,MAAI;AACF,WAAO,mBAAAA,QAAO;AAAA,MACZ;AAAA,MACA,OAAO,KAAK,SAAS,MAAM;AAAA,MAC3B;AAAA,QACE,KAAK;AAAA,QACL,GAAG;AAAA,MACL;AAAA,MACA,OAAO,KAAK,WAAW,QAAQ;AAAA,IACjC;AAAA,EACF,QAAQ;AACN,WAAO;AAAA,EACT;AACF;AAEO,SAAS,yCACd,UACA,cACS;AACT,SAAO;AAAA,IACL,uCAAuC,SAAS,OAAO,SAAS,IAAI;AAAA,IACpE,SAAS;AAAA,IACT;AAAA,EACF;AACF;AAaO,SAAS,oCACd,YAC4B;AAC5B,SAAO;AAAA,IACL,OAAO,WAAW;AAAA,IAClB,SAAS,WAAW;AAAA,IACpB,SAAS,CAAC,GAAG,WAAW,OAAO,EAC5B,IAAI,CAAC,WAAW;AAAA,MACf,eAAe,MAAM;AAAA,MACrB,WAAW,MAAM;AAAA,MACjB,aAAa,MAAM;AAAA,MACnB,uBAAuB,MAAM,yBAAyB;AAAA,MACtD,mBAAmB,MAAM,qBAAqB;AAAA,IAChD,EAAE,EACD,KAAK,CAAC,MAAM,UAAU,KAAK,cAAc,cAAc,MAAM,aAAa,CAAC;AAAA,EAChF;AACF;AAEO,SAAS,uCACd,YACQ;AACR,SAAO,KAAK,UAAU,oCAAoC,UAAU,CAAC;AACvE;AAEO,SAAS,uCACd,YACQ;AACR,SAAO;AAAA,IACL;AAAA,IACA,uCAAuC,UAAU;AAAA,EACnD;AACF;AAgBO,SAAS,iCACd,YACA,WACA,cACS;AACT,MAAI;AACF,WAAO,mBAAAC,QAAO;AAAA,MACZ;AAAA,MACA,OAAO,KAAK,uCAAuC,UAAU,GAAG,MAAM;AAAA,MACtE;AAAA,QACE,KAAK;AAAA,QACL,GAAG;AAAA,MACL;AAAA,MACA,OAAO,KAAK,WAAW,QAAQ;AAAA,IACjC;AAAA,EACF,QAAQ;AACN,WAAO;AAAA,EACT;AACF;AAEO,SAAS,2CACd,OACQ;AACR,SAAO;AAAA,IACL;AAAA,IACA,KAAK,UAAU;AAAA,MACb,OAAO,MAAM;AAAA,MACb,SAAS,MAAM;AAAA,MACf,4BAA4B,MAAM;AAAA,MAClC,qBAAqB,MAAM;AAAA,MAC3B,iBAAiB,MAAM;AAAA,MACvB,mBAAmB,MAAM;AAAA,MACzB,WAAW,MAAM;AAAA,MACjB,mBAAmB,MAAM,qBAAqB;AAAA,IAChD,CAAC;AAAA,EACH;AACF;AAEO,SAAS,uCAAuC,QAOjB;AACpC,QAAM,mBAAmB;AAAA,IACvB,OAAO,OAAO,WAAW;AAAA,IACzB,SAAS,OAAO,WAAW;AAAA,IAC3B,4BAA4B,uCAAuC,OAAO,UAAU;AAAA,IACpF,qBAAqB,OAAO;AAAA,IAC5B,iBAAiB,OAAO;AAAA,IACxB,mBAAmB,wBAAwB,OAAO,eAAe;AAAA,IAC
jE,WAAW,OAAO;AAAA,IAClB,mBAAmB,OAAO,qBAAqB;AAAA,EACjD;AAEA,SAAO;AAAA,IACL,GAAG;AAAA,IACH,WAAW,2CAA2C,gBAAgB;AAAA,EACxE;AACF;AAEO,SAAS,wCAAwC,QAI5C;AACV,MACE,OAAO,MAAM,KAAK,YAAY,OAAO,aAAa,WAClD,OAAO,MAAM,KAAK,SAAS,OAAO,aAAa,WAC/C;AACA,WAAO;AAAA,EACT;AAEA,MAAI,CAAC,OAAO,cAAc;AACxB,QAAI,OAAO,MAAM,QAAQ,WAAW,GAAG;AACrC,aAAO;AAAA,IACT;AAEA,aAAS,QAAQ,GAAG,QAAQ,OAAO,MAAM,QAAQ,QAAQ,SAAS;AAChE,YAAM,QAAQ,OAAO,MAAM,QAAQ,KAAK;AACxC,UAAI,CAAC,OAAO;AACV,eAAO;AAAA,MACT;AAEA,YAAM,eAAe,2CAA2C;AAAA,QAC9D,OAAO,MAAM;AAAA,QACb,SAAS,MAAM;AAAA,QACf,4BAA4B,MAAM;AAAA,QAClC,qBAAqB,MAAM;AAAA,QAC3B,iBAAiB,MAAM;AAAA,QACvB,mBAAmB,MAAM;AAAA,QACzB,WAAW,MAAM;AAAA,QACjB,mBAAmB,MAAM;AAAA,MAC3B,CAAC;AAED,UAAI,iBAAiB,MAAM,WAAW;AACpC,eAAO;AAAA,MACT;AAEA,UAAI,UAAU,GAAG;AACf;AAAA,MACF;AAEA,YAAM,gBAAgB,OAAO,MAAM,QAAQ,QAAQ,CAAC;AACpD,UAAI,CAAC,eAAe;AAClB,eAAO;AAAA,MACT;AAEA,UAAI,MAAM,sBAAsB,cAAc,aAAa,MAAM,YAAY,cAAc,UAAU,GAAG;AACtG,eAAO;AAAA,MACT;AAAA,IACF;AAEA,UAAM,YAAY,OAAO,MAAM,QAAQ,OAAO,MAAM,QAAQ,SAAS,CAAC;AACtE,WAAO,WAAW,cAAc,OAAO,aAAa,aAAa,UAAU,YAAY,OAAO,aAAa;AAAA,EAC7G;AAEA,MAAI,OAAO,aAAa,UAAU,OAAO,aAAa,SAAS;AAC7D,WAAO;AAAA,EACT;AAEA,MAAI,OAAO,aAAa,YAAY,OAAO,aAAa,SAAS;AAC/D,WAAO,OAAO,aAAa,cAAc,OAAO,aAAa,QAAQ,OAAO,MAAM,QAAQ,WAAW;AAAA,EACvG;AAEA,MAAI,OAAO,MAAM,QAAQ,WAAW,GAAG;AACrC,WAAO;AAAA,EACT;AAEA,MAAI,kBAAkB,OAAO,aAAa;AAC1C,MAAI,eAAe,OAAO,aAAa;AAEvC,aAAW,SAAS,OAAO,MAAM,SAAS;AACxC,UAAM,eAAe,2CAA2C;AAAA,MAC9D,OAAO,MAAM;AAAA,MACb,SAAS,MAAM;AAAA,MACf,4BAA4B,MAAM;AAAA,MAClC,qBAAqB,MAAM;AAAA,MAC3B,iBAAiB,MAAM;AAAA,MACvB,mBAAmB,MAAM;AAAA,MACzB,WAAW,MAAM;AAAA,MACjB,mBAAmB,MAAM;AAAA,IAC3B,CAAC;AAED,QACE,iBAAiB,MAAM,aACvB,MAAM,sBAAsB,gBAC5B,MAAM,YAAY,kBAAkB,GACpC;AACA,aAAO;AAAA,IACT;AAEA,sBAAkB,MAAM;AACxB,mBAAe,MAAM;AAAA,EACvB;AAEA,SAAO,iBAAiB,OAAO,aAAa,aAAa,oBAAoB,OAAO,aAAa;AACnG;AAEA,SAAS,gCACP,SACA,gBACA,qBACA,YACA,YACQ;AACR,SAAO;AAAA,IACL;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA,OAAO,UAAU;AAAA,IACjB,yBAAyB,UAAU;AAAA,EACrC,EAAE,KAAK,GAAG;AACZ;AAkCO,SAAS,0BACd,SACA,gBACA,qBACA,YACA,YACA,qBACA,oBACS;AACT,QAAM,
UAAU;AAAA,IACd;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,EACF;AAEA,MAAI;AACF,WAAO,mBAAAC,QAAO;AAAA,MACZ;AAAA,MACA,OAAO,KAAK,SAAS,MAAM;AAAA,MAC3B;AAAA,QACE,KAAK;AAAA,QACL,GAAG;AAAA,MACL;AAAA,MACA,OAAO,KAAK,qBAAqB,QAAQ;AAAA,IAC3C;AAAA,EACF,QAAQ;AACN,WAAO;AAAA,EACT;AACF;AAEO,SAAS,gCACd,YACwB;AACxB,SAAO;AAAA,IACL,SAAS,WAAW;AAAA,IACpB,SAAS,WAAW;AAAA,IACpB,MAAM,WAAW;AAAA,IACjB,oBAAoB,WAAW,sBAAsB;AAAA,IACrD,mBAAmB,WAAW,qBAAqB;AAAA,IACnD,OAAO,CAAC,GAAG,WAAW,KAAK,EACxB,IAAI,CAAC,UAAU;AAAA,MACd,IAAI,KAAK;AAAA,MACT,MAAM,KAAK;AAAA,MACX,MAAM,KAAK,QAAQ;AAAA,MACnB,UAAU,CAAC,GAAG,KAAK,QAAQ;AAAA,MAC3B,SAAS,KAAK,WAAW;AAAA,IAC3B,EAAE,EACD,KAAK,CAAC,MAAM,UAAU,KAAK,GAAG,cAAc,MAAM,EAAE,CAAC;AAAA,IACxD,QAAQ,CAAC,GAAG,WAAW,MAAM,EAC1B,IAAI,CAAC,WAAW;AAAA,MACf,IAAI,MAAM;AAAA,MACV,MAAM,MAAM;AAAA,MACZ,UAAU,MAAM,YAAY;AAAA,IAC9B,EAAE,EACD,KAAK,CAAC,MAAM,UAAU,KAAK,GAAG,cAAc,MAAM,EAAE,CAAC;AAAA,EAC1D;AACF;AAEO,SAAS,mCACd,YACQ;AACR,SAAO,KAAK,UAAU,gCAAgC,UAAU,CAAC;AACnE;AAEO,SAAS,mCACd,YACQ;AACR,SAAO;AAAA,IACL;AAAA,IACA,mCAAmC,UAAU;AAAA,EAC/C;AACF;AAEO,SAAS,6BACd,YACA,WACA,cACS;AACT,MAAI;AACF,WAAO,mBAAAA,QAAO;AAAA,MACZ;AAAA,MACA,OAAO,KAAK,mCAAmC,UAAU,GAAG,MAAM;AAAA,MAClE;AAAA,QACE,KAAK;AAAA,QACL,GAAG;AAAA,MACL;AAAA,MACA,OAAO,KAAK,WAAW,QAAQ;AAAA,IACjC;AAAA,EACF,QAAQ;AACN,WAAO;AAAA,EACT;AACF;AAgBO,SAAS,mCACd,YAC2B;AAC3B,SAAO;AAAA,IACL,aAAa,WAAW;AAAA,IACxB,SAAS,WAAW;AAAA,IACpB,SAAS,WAAW;AAAA,IACpB,MAAM,WAAW;AAAA,IACjB,MAAM,WAAW,QAAQ;AAAA,IACzB,UAAU,CAAC,GAAG,WAAW,QAAQ;AAAA,IACjC,SAAS,WAAW,WAAW;AAAA,IAC/B,QAAQ,CAAC,GAAG,WAAW,MAAM,EAC1B,IAAI,CAAC,WAAW;AAAA,MACf,IAAI,MAAM;AAAA,MACV,MAAM,MAAM;AAAA,MACZ,MAAM,MAAM;AAAA,MACZ,OAAO,MAAM;AAAA,MACb,kBAAkB,CAAC,GAAG,MAAM,gBAAgB,EAAE,KAAK;AAAA,MACnD,UAAU,CAAC,GAAG,MAAM,QAAQ,EAAE,KAAK;AAAA,IACrC,EAAE,EACD,KAAK,CAAC,MAAM,UAAU,KAAK,QAAQ,MAAM,SAAS,KAAK,GAAG,cAAc,MAAM,EAAE,CAAC;AAAA,EACtF;AACF;AAEO,SAAS,sCACd,YACQ;AACR,SAAO,KAAK,UAAU,mCAAmC,UAAU,CAAC;AACtE;AAEO,SAAS,sCACd,YACQ;AACR,SAAO;AAAA,IACL;AAAA,IACA,sCAAsC,UAAU;AAAA,EAClD;AACF;AAEO,SAAS,gCACd,YACA,WACA,cACS;AA
CT,MAAI;AACF,WAAO,mBAAAC,QAAO;AAAA,MACZ;AAAA,MACA,OAAO,KAAK,sCAAsC,UAAU,GAAG,MAAM;AAAA,MACrE;AAAA,QACE,KAAK;AAAA,QACL,GAAG;AAAA,MACL;AAAA,MACA,OAAO,KAAK,WAAW,QAAQ;AAAA,IACjC;AAAA,EACF,QAAQ;AACN,WAAO;AAAA,EACT;AACF;AAmBO,SAAS,gBAAgB,OAAwB;AACtD,MAAI,CAAC,MAAM,WAAW,GAAG,GAAG;AAC1B,WAAO;AAAA,EACT;AAEA,MAAI;AACF,UAAM,SAAS,KAAK,MAAM,KAAK;AAC/B,WAAO,OAAO,MAAM;AAAA,EACtB,QAAQ;AACN,WAAO;AAAA,EACT;AACF;AAKO,SAAS,oBAAoB,gBAAwB,KAAqB;AAC/E,MAAI,CAAC,gBAAgB,cAAc,GAAG;AACpC,UAAM,IAAI,MAAM,4DAA4D;AAAA,EAC9E;AAEA,QAAM,WAAW,KAAK,MAAM,cAAc;AAC1C,QAAM,WAAW,mBAAAC,QAAO,iBAAiB,eAAe,KAAK,OAAO,KAAK,SAAS,IAAI,QAAQ,CAAC;AAC/F,WAAS,WAAW,OAAO,KAAK,SAAS,GAAG,QAAQ,CAAC;AACrD,QAAM,YAAY,OAAO,OAAO;AAAA,IAC9B,SAAS,OAAO,OAAO,KAAK,SAAS,GAAG,QAAQ,CAAC;AAAA,IACjD,SAAS,MAAM;AAAA,EACjB,CAAC;AACD,SAAO,UAAU,SAAS,MAAM;AAClC;AAMO,SAAS,wBAAwB,OAAe,KAAqB;AAC1E,SAAO,gBAAgB,KAAK,IAAI,oBAAoB,OAAO,GAAG,IAAI;AACpE;AAsBO,SAAS,wBAAwB,YAAoB,eAA+B;AACzF,SAAO,mBAAAC,QAAO;AAAA,IACZ,EAAE,KAAK,eAAe,GAAG,gBAAgB;AAAA,IACzC,OAAO,KAAK,YAAY,QAAQ;AAAA,EAClC;AACF;;;AEjrBA,IAAAC,kBAAe;AACf,IAAAC,oBAAiB;AAqCjB,SAAS,eAAe,gBAAoC;AAC1D,MAAI;AACF,UAAM,MAAM,gBAAAC,QAAG,aAAa,gBAAgB,MAAM;AAClD,UAAM,SAAS,KAAK,MAAM,GAAG;AAC7B,WAAO;AAAA,MACL,SAAS;AAAA,MACT,aAAa,OAAO,eAAe,CAAC;AAAA,MACpC,uBAAuB,OAAO,yBAAyB,CAAC;AAAA,MACxD,sBAAsB,OAAO,wBAAwB,CAAC;AAAA,IACxD;AAAA,EACF,QAAQ;AACN,WAAO;AAAA,MACL,SAAS;AAAA,MACT,aAAa,CAAC;AAAA,MACd,uBAAuB,CAAC;AAAA,MACxB,sBAAsB,CAAC;AAAA,IACzB;AAAA,EACF;AACF;AAEA,SAAS,eAAe,gBAAwB,OAAyB;AACvE,kBAAAA,QAAG,UAAU,kBAAAC,QAAK,QAAQ,cAAc,GAAG,EAAE,WAAW,KAAK,CAAC;AAC9D,kBAAAD,QAAG,cAAc,gBAAgB,KAAK,UAAU,OAAO,MAAM,CAAC,IAAI,MAAM,MAAM;AAChF;AAEA,SAAS,iBAAiB,OAAe,WAA2B;AAClE,SAAO,GAAG,KAAK,IAAI,SAAS;AAC9B;AAEA,SAAS,0BAA0B,OAAuB;AACxD,SAAO,OAAO,KAAK;AACrB;AAEA,eAAe,qBAAwB,UAA8B;AACnE,QAAM,WAAW,MAAM;AAAA,IACrB,4BAA4B,kCAAkC,QAAQ;AAAA,IACtE;AAAA,MACE,OAAO;AAAA,IACT;AAAA,EACF;AAEA,MAAI,CAAC,SAAS,IAAI;AAChB,UAAM,IAAI,MAAM,yDAAyD,SAAS,MAAM,IAAI;AAAA,EAC9F;AAEA,SAAO,SAAS,KAAK;AACvB;AAUO,SAAS,gCACd,gBAC0C;AAC1C,QAAM,QAAQ,eAAe,cAAc;AAC3
C,QAAM,QAAQ,OAAO,OAAO,MAAM,oBAAoB;AACtD,SAAO,MAAM,WAAW,IAAI,MAAM,CAAC,IAAK;AAC1C;AAEA,eAAsB,wBACpB,YACA,OACmD;AACnD,MAAI,CAAC,oCAAoC,UAAU,GAAG;AACpD,WAAO;AAAA,EACT;AAEA,QAAM,WAAW,MAAM;AAAA,IACrB,oCAAoC,KAAK;AAAA,EAC3C;AAEA,MACE,SAAS,SAAS,4BAClB,SAAS,UAAU,SACnB,CAAC;AAAA,IACC;AAAA,IACA;AAAA,EACF,GACA;AACA,UAAM,IAAI,MAAM,2DAA2D,KAAK,GAAG;AAAA,EACrF;AAEA,SAAO,SAAS;AAClB;AAEA,eAAe,uBACb,gBACA,OACA,YACsC;AACtC,QAAM,QAAQ,eAAe,cAAc;AAC3C,MAAI,UAAU;AAEd,aAAW,OAAO,YAAY;AAC5B,UAAM,aAAa,iBAAiB,OAAO,IAAI,SAAS;AACxD,UAAM,sBAAsB,wBAAwB,IAAI,SAAS;AAEjE,QAAI,wBAAwB,IAAI,aAAa;AAC3C,YAAM,IAAI,MAAM,qDAAqD,IAAI,SAAS,GAAG;AAAA,IACvF;AAEA,UAAM,WAAW,MAAM,YAAY,UAAU;AAC7C,UAAM,cAAa,oBAAI,KAAK,GAAE,YAAY;AAE1C,QAAI,CAAC,UAAU;AACb,YAAM,YAAY,UAAU,IAAI;AAAA,QAC9B,WAAW,IAAI;AAAA,QACf,aAAa,IAAI;AAAA,QACjB,WAAW,IAAI;AAAA,QACf,UAAU;AAAA,QACV;AAAA,MACF;AACA,gBAAU;AACV;AAAA,IACF;AAEA,QAAI,SAAS,cAAc,IAAI,eAAe;AAC5C,UAAI,SAAS,gBAAgB,IAAI,eAAe,SAAS,cAAc,IAAI,WAAW;AACpF,cAAM,IAAI;AAAA,UACR,qBAAqB,IAAI,aAAa,kCAAkC,IAAI,SAAS;AAAA,QACvF;AAAA,MACF;AAEA,UAAI,SAAS,eAAe,YAAY;AACtC,cAAM,YAAY,UAAU,IAAI;AAAA,UAC9B,GAAG;AAAA,UACH;AAAA,QACF;AACA,kBAAU;AAAA,MACZ;AACA;AAAA,IACF;AAEA,QAAI,CAAC,IAAI,yBAAyB,IAAI,0BAA0B,SAAS,aAAa,CAAC,IAAI,mBAAmB;AAC5G,YAAM,IAAI,MAAM,gCAAgC,IAAI,SAAS,yCAAyC;AAAA,IACxG;AAEA,UAAM,mBAAmB;AAAA,MACvB,SAAS;AAAA,MACT,IAAI;AAAA,MACJ,IAAI;AAAA,MACJ,SAAS;AAAA,IACX;AAEA,QAAI,CAAC,kBAAkB;AACrB,YAAM,IAAI,MAAM,gCAAgC,IAAI,SAAS,iCAAiC;AAAA,IAChG;AAEA,UAAM,YAAY,UAAU,IAAI;AAAA,MAC9B,WAAW,IAAI;AAAA,MACf,aAAa,IAAI;AAAA,MACjB,WAAW,IAAI;AAAA,MACf,UAAU,SAAS;AAAA,MACnB;AAAA,IACF;AACA,cAAU;AAAA,EACZ;AAEA,MAAI,SAAS;AACX,mBAAe,gBAAgB,KAAK;AAAA,EACtC;AAEA,SAAO;AACT;AAEA,eAAe,6BACb,gBACA,WACA,YACwB;AACxB,MAAI,CAAC,UAAU,qBAAqB;AAClC,QAAI,UAAU,WAAW,SAAS,GAAG;AACnC,YAAM,IAAI,MAAM,0FAA0F;AAAA,IAC5G;AACA,WAAO;AAAA,EACT;AAEA,QAAM,EAAE,oBAAoB,IAAI;AAChC,QAAM,QAAQ,oBAAoB,WAAW;AAE7C,MAAI,CAAC,oBAAoB,mBAAmB,CAAC,oBAAoB,iBAAiB;AAChF,UAAM,IAAI,MAAM,kEAAkE;AAAA,EACpF;AAEA,QAAM,oBAAoB,wBAAwB,oBAAoB,eAAe;AACrF,QAAM,cAAc,oBAAoB,WAAW
,QAAQ;AAAA,IACzD,CAAC,UACC,MAAM,kBAAkB,oBAAoB,uBAC5C,MAAM,cAAc,oBAAoB;AAAA,EAC5C;AACA,QAAM,YAAuC;AAAA,IAC3C,eAAe,oBAAoB;AAAA,IACnC,WAAW,oBAAoB;AAAA,IAC/B,WAAW,oBAAoB;AAAA,IAC/B,aAAa;AAAA,IACb,uBAAuB,aAAa,yBAAyB;AAAA,IAC7D,mBAAmB,aAAa,qBAAqB;AAAA,EACvD;AACA,QAAM,0BAA0B,eAAe,cAAc;AAE7D,MAAI;AACF,UAAM,uBAAuB,gBAAgB,OAAO,CAAC,SAAS,CAAC;AAE/D,UAAM,WAAW;AAAA,MACf,oBAAoB;AAAA,MACpB,oBAAoB;AAAA,MACpB,oBAAoB;AAAA,IACtB;AAEA,QAAI,CAAC,UAAU;AACb,YAAM,IAAI,MAAM,4DAA4D,KAAK,GAAG;AAAA,IACtF;AACA,QAAI,CAAC,UAAU,cAAc;AAC3B,YAAM,IAAI,MAAM,oEAAoE,KAAK,GAAG;AAAA,IAC9F;AAEA,UAAM,QAAQ,eAAe,cAAc;AAC3C,UAAM,yBAAyB,MAAM,qBAAqB,0BAA0B,KAAK,CAAC,KAAK;AAC/F,UAAM,sBAAsB,cAAc;AAC1C,UAAM,sBAAsB,MAAM,sBAAsB,0BAA0B,KAAK,CAAC,KAAK;AAE7F,QAAI,CAAC,uBAAuB,wBAAwB,QAAQ,UAAU,aAAa,KAAK,UAAU,qBAAqB;AACrH,YAAM,IAAI,MAAM,+DAA+D,KAAK,GAAG;AAAA,IACzF;AAEA,QAAI,CAAC,uBAAuB,UAAU,aAAa,QAAQ,WAAW,GAAG;AACvE,YAAM,IAAI,MAAM,yDAAyD,KAAK,GAAG;AAAA,IACnF;AAEA,QAAI,UAAU,aAAa,QAAQ,SAAS,GAAG;AAC7C,YAAM,oBAAoB,UAAU,aAAa,QAAQ,UAAU,aAAa,QAAQ,SAAS,CAAC;AAClG,UAAI,CAAC,mBAAmB;AACtB,cAAM,IAAI,MAAM,uDAAuD,KAAK,GAAG;AAAA,MACjF;AAEA,YAAM,uBAAuB,uCAAuC;AAAA,QAClE,YAAY,oBAAoB;AAAA,QAChC,qBAAqB,oBAAoB;AAAA,QACzC,iBAAiB,oBAAoB;AAAA,QACrC,iBAAiB,oBAAoB;AAAA,QACrC,WAAW,oBAAoB;AAAA,QAC/B,mBAAmB,kBAAkB,qBAAqB;AAAA,MAC5D,CAAC;AAED,UAAI,qBAAqB,cAAc,kBAAkB,WAAW;AAClE,cAAM,IAAI,MAAM,2EAA2E,KAAK,GAAG;AAAA,MACrG;AAEA,UAAI,cAAc,UAAU,aAAa,KAAK,YAAY,WAAW,SAAS;AAC5E,YAAI,UAAU,aAAa,KAAK,SAAS,WAAW,MAAM;AACxD,gBAAM,IAAI,MAAM,0DAA0D,KAAK,GAAG;AAAA,QACpF;AAEA,YACE,kBAAkB,cAAc,WAAW,QAC3C,qBAAqB,cAAc,WAAW,MAC9C;AACA,gBAAM,IAAI,MAAM,yDAAyD,KAAK,GAAG;AAAA,QACnF;AAAA,MACF,WACE,CAAC,wCAAwC;AAAA,QACvC,cAAc;AAAA,QACd,OAAO,UAAU;AAAA,QACjB,cAAc;AAAA,MAChB,CAAC,GACD;AACA,cAAM,IAAI,MAAM,2DAA2D,KAAK,GAAG;AAAA,MACrF;AAAA,IACF,WACE,cACA,UAAU,aAAa,KAAK,YAAY,WAAW,SACnD;AACA,YAAM,IAAI,MAAM,wEAAwE,KAAK,8BAA8B;AAAA,IAC7H,WACE,CAAC,uBACD,oBAAoB,YAAY,UAAU,aAAa,KAAK,WAC5D,oBAAoB,SAAS,UAAU,aAAa,KAAK,MACzD;AACA,YAAM,IAAI,MAAM,qEAAqE,KAAK,GAAG;AAAA,IAC/F;AAEA,iCAA6B,gBAAgB,OAAO,
UAAU,aAAa,IAAI;AAE/E,UAAM,oBAAoB,IAAI;AAAA,MAC5B,oBAAoB,WAAW,QAAQ,IAAI,CAAC,UAAU,CAAC,MAAM,eAAe,KAAK,CAAC;AAAA,IACpF;AAEA,eAAW,OAAO,UAAU,YAAY;AACtC,YAAM,QAAQ,kBAAkB,IAAI,IAAI,aAAa;AAErD,UAAI,CAAC,OAAO;AACV,cAAM,IAAI,MAAM,YAAY,IAAI,aAAa,4CAA4C;AAAA,MAC3F;AAEA,UACE,MAAM,cAAc,IAAI,aACxB,MAAM,gBAAgB,IAAI,eAC1B,MAAM,0BAA0B,IAAI,yBACpC,MAAM,sBAAsB,IAAI,mBAChC;AACA,cAAM,IAAI,MAAM,YAAY,IAAI,aAAa,2CAA2C;AAAA,MAC1F;AAAA,IACF;AAEA,WAAO;AAAA,EACT,SAAS,OAAO;AACd,mBAAe,gBAAgB,uBAAuB;AACtD,UAAM;AAAA,EACR;AACF;AAMA,eAAsB,gCACpB,gBACA,WACA,YACsC;AACtC,QAAM,QAAQ,MAAM,6BAA6B,gBAAgB,WAAW,UAAU;AACtF,MAAI,CAAC,OAAO;AACV,WAAO,UAAU;AAAA,EACnB;AACA,SAAO,uBAAuB,gBAAgB,OAAO,UAAU,UAAU;AAC3E;AAMO,SAAS,8BACd,gBACA,YACA,SACM;AACN,QAAM,QAAQ,eAAe,cAAc;AAC3C,QAAM,gBAAgB,MAAM,sBAAsB,UAAU;AAE5D,MAAI,kBAAkB,UAAa,UAAU,eAAe;AAC1D,UAAM,IAAI,MAAM,mDAAmD,UAAU,GAAG;AAAA,EAClF;AAEA,MAAI,kBAAkB,UAAa,UAAU,eAAe;AAC1D,UAAM,sBAAsB,UAAU,IAAI;AAC1C,mBAAe,gBAAgB,KAAK;AAAA,EACtC;AACF;AAEA,SAAS,6BACP,gBACA,OACA,MACM;AACN,QAAM,QAAQ,eAAe,cAAc;AAC3C,QAAM,aAAa,0BAA0B,KAAK;AAClD,QAAM,aAAa,MAAM,qBAAqB,UAAU;AAExD,MAAI,YAAY;AACd,QAAI,KAAK,UAAU,WAAW,SAAS;AACrC,YAAM,IAAI,MAAM,+DAA+D,KAAK,GAAG;AAAA,IACzF;AAEA,QAAI,KAAK,YAAY,WAAW,WAAW,KAAK,SAAS,WAAW,MAAM;AACxE,YAAM,IAAI,MAAM,oDAAoD,KAAK,GAAG;AAAA,IAC9E;AAAA,EACF;AAEA,MAAI,CAAC,cAAc,KAAK,UAAU,WAAW,SAAS;AACpD,UAAM,qBAAqB,UAAU,IAAI;AACzC,mBAAe,gBAAgB,KAAK;AAAA,EACtC;AAEA,gCAA8B,gBAAgB,YAAY,KAAK,OAAO;AACxE;;;AJrYA,IAAM,0BAA0B;AAChC,IAAM,sBAAsB;AAE5B,SAAS,qBAAqB,OAAuB;AACnD,SAAO,MACJ,QAAQ,iBAAiB,GAAG,EAC5B,QAAQ,OAAO,GAAG,EAClB,QAAQ,UAAU,EAAE,EACpB,YAAY;AACjB;AAEA,SAAS,sBAAsB,QAA0B;AACvD,MAAI,OAAO,gBAAgB;AACzB,WAAO,kBAAAE,QAAK,QAAQ,OAAO,cAAc;AAAA,EAC3C;AAEA,MAAI,OAAO,gBAAgB;AACzB,WAAO,GAAG,kBAAAA,QAAK,QAAQ,OAAO,cAAc,CAAC;AAAA,EAC/C;AAEA,SAAO,kBAAAA,QAAK,QAAQ,QAAQ,IAAI,GAAG,sBAAsB;AAC3D;AAEA,SAAS,kBAAkB,QAA0B;AACnD,MAAI,OAAO,SAAS;AAClB,WAAO,OAAO;AAAA,EAChB;AAEA,SAAO,OAAO,MAAM,sBAAsB;AAC5C;AAEA,SAAS,4CACP,UACA,SACwB;AACxB,SAAO;AAAA,IACL,SAAS,SAAS;AAAA,IAClB;AAAA,IACA,MAAM,SAAS;AAAA,IACf,o
BAAoB,SAAS,sBAAsB;AAAA,IACnD,mBAAmB,SAAS,qBAAqB;AAAA,IACjD,OAAO,SAAS,MAAM,IAAI,CAAC,UAAU;AAAA,MACnC,IAAI,KAAK;AAAA,MACT,MAAM,KAAK;AAAA,MACX,MAAM,KAAK,QAAQ;AAAA,MACnB,UAAU,KAAK,YAAY,CAAC;AAAA,MAC5B,SAAS,KAAK,WAAW;AAAA,IAC3B,EAAE;AAAA,IACF,QAAQ,SAAS,gBAAgB,IAAI,CAAC,WAAW;AAAA,MAC/C,IAAI,MAAM;AAAA,MACV,MAAM,MAAM;AAAA,MACZ,UAAU,MAAM,YAAY;AAAA,IAC9B,EAAE;AAAA,EACJ;AACF;AAEA,SAAS,2CACP,MACA,SAC2B;AAC3B,SAAO;AAAA,IACL,aAAa,KAAK;AAAA,IAClB,SAAS,KAAK;AAAA,IACd;AAAA,IACA,MAAM,KAAK;AAAA,IACX,MAAM,KAAK,QAAQ;AAAA,IACnB,UAAU,KAAK,YAAY,CAAC;AAAA,IAC5B,SAAS,KAAK,WAAW;AAAA,IACzB,QAAQ,KAAK,OAAO,IAAI,CAAC,OAAO,WAAW;AAAA,MACzC,IAAI,MAAM;AAAA,MACV,MAAM,MAAM;AAAA,MACZ,MAAM,MAAM;AAAA,MACZ,OAAO,MAAM,SAAS;AAAA,MACtB,kBAAkB,MAAM,oBAAoB,CAAC;AAAA,MAC7C,UAAU,MAAM,YAAY,CAAC;AAAA,IAC/B,EAAE;AAAA,EACJ;AACF;AAUO,IAAM,KAAN,MAAM,IAAG;AAAA,EACG;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACT,OAAqB;AAAA,EAE7B,YAAY,QAAkB;AAC5B,QAAI,CAAC,OAAO,QAAQ;AAClB,YAAM,IAAI,MAAM,4BAA4B;AAAA,IAC9C;AAEA,QAAI,CAAC,OAAO,cAAc,CAAC,OAAO,gBAAgB;AAChD,YAAM,IAAI;AAAA,QACR;AAAA,MACF;AAAA,IACF;AAEA,UAAM,UAAU,kBAAkB,MAAM;AACxC,SAAK,UAAU;AACf,SAAK,SAAS,IAAI,SAAS,OAAO,QAAQ,OAAO;AACjD,SAAK,YAAY,OAAO;AACxB,SAAK,gBAAgB,OAAO,cAAc,eAAe,OAAO,cAAe;AAC/E,SAAK,eAAe,gBAAgB,KAAK,aAAa;AACtD,SAAK,iBAAiB,sBAAsB,MAAM;AAAA,EACpD;AAAA;AAAA;AAAA;AAAA,EAKA,aAAa,OAAO,QAA+B;AACjD,UAAM,WAAW,IAAI,IAAG,MAAM;AAC9B,UAAM,SAAS,KAAK;AACpB,WAAO;AAAA,EACT;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,MAAM,OAAsB;AAC1B,SAAK,OAAO,MAAM,KAAK,SAAS;AAAA,EAClC;AAAA;AAAA;AAAA;AAAA,EAKA,IAAI,MAAa;AACf,QAAI,CAAC,KAAK,MAAM;AACd,YAAM,IAAI;AAAA,QACR;AAAA,MACF;AAAA,IACF;AACA,WAAO,KAAK;AAAA,EACd;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,UAAyB;AAC7B,SAAK,OAAO,MAAM,KAAK,SAAS;AAAA,EAClC;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOA,MAAc,WAA2B;AACvC,QAAI;AACF,YAAM,KAAK,OAAO,uBAAuB;AAAA,QACvC,WAAW,KAAK;AAAA,MAClB,CAAC;AAAA,IACH,SAAS,OAAO;AACd,YAAM,IAAI;AAAA,QACR,gJACE,iBAAiB,QAAQ,MAAM,UAAU,OAAO,KAAK,CACvD;AAAA,MACF;AAAA,IACF;AAEA,UAAM,EAAE,OAAO,IAAI,MAAM,KAAK,OAAO,WAAW,KAAK,SAAS;AAC9D,UAAM,aAAa,MAAM,QAAQ,
IAAI,OAAO,IAAI,CAAC,UAAU,KAAK,cAAc,MAAM,EAAE,CAAC,CAAC;AAExF,WAAO,OAAO,OAAO,CAAC,GAAG,GAAG,UAAU;AAAA,EACxC;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOA,MAAc,cAAc,SAAiC;AAC3D,UAAM,yBAAyB,gCAAgC,KAAK,cAAc;AAClF,UAAM,CAAC,YAAY,eAAe,yBAAyB,IAAI,MAAM,QAAQ,IAAI;AAAA,MAC/E,KAAK,OAAO,mBAAmB,OAAO;AAAA,MACtC,KAAK,OAAO,eAAe,OAAO;AAAA,MAClC,KAAK,OAAO;AAAA,QACV;AAAA,QACA,yBACI;AAAA,UACE,0BAA0B,uBAAuB;AAAA,UACjD,uBAAuB,uBAAuB;AAAA,QAChD,IACA;AAAA,MACN;AAAA,IACF,CAAC;AAED,QAAI,qBAAqB;AACzB,QAAI,oBAA8D;AAElE,QAAI,CAAC,wBAAwB;AAC3B,YAAM,QAAQ,0BAA0B,qBAAqB,WAAW,SAAS;AAEjF,UACE,SACA,0BAA0B,uBAC1B,0BAA0B,cAC1B;AACA,4BAAoB,MAAM,wBAAwB,KAAK,SAAS,KAAK;AAErE,YAAI,mBAAmB;AACrB,cAAI,0BAA0B,aAAa,KAAK,UAAU,kBAAkB,SAAS;AACnF,kBAAM,IAAI,MAAM,oFAAoF,KAAK,GAAG;AAAA,UAC9G;AAEA,cAAI,0BAA0B,aAAa,KAAK,YAAY,kBAAkB,SAAS;AACrF,gBAAI,0BAA0B,aAAa,KAAK,SAAS,kBAAkB,MAAM;AAC/E,oBAAM,IAAI,MAAM,kEAAkE,KAAK,GAAG;AAAA,YAC5F;AAAA,UACF,OAAO;AACL,iCAAqB,MAAM,KAAK,OAAO,yBAAyB,SAAS;AAAA,cACvE,0BAA0B,kBAAkB;AAAA,cAC5C,uBAAuB,kBAAkB;AAAA,YAC3C,CAAC;AAAA,UACH;AAAA,QACF;AAAA,MACF;AAAA,IACF;AAEA,UAAM,oBAAoB,MAAM;AAAA,MAC9B,KAAK;AAAA,MACL;AAAA,MACA;AAAA,IACF;AAEA,UAAM,YAAY,kBAAkB;AAAA,MAClC,CAAC,cAAc,UAAU,kBAAkB,WAAW;AAAA,IACxD;AAEA,QAAI,CAAC,WAAW;AACd,YAAM,IAAI;AAAA,QACR,iCAAiC,OAAO,mCAAmC,WAAW,mBAAmB;AAAA,MAC3G;AAAA,IACF;AAEA,UAAM,oBAAoB;AAAA,MACxB;AAAA,MACA,WAAW;AAAA,MACX,WAAW;AAAA,MACX,WAAW;AAAA,MACX,WAAW;AAAA,MACX,WAAW;AAAA,MACX,UAAU;AAAA,IACZ;AAEA,QAAI,CAAC,mBAAmB;AACtB,YAAM,IAAI,MAAM,+DAA+D,OAAO,GAAG;AAAA,IAC3F;AAEA,UAAM,MAAM,wBAAwB,WAAW,YAAY,KAAK,aAAa;AAE7E,QAAI,CAAC,cAAc,mBAAmB;AACpC,YAAM,IAAI,MAAM,iBAAiB,OAAO,0CAA0C;AAAA,IACpF;AAEA,UAAM,mBAAmB,kBAAkB;AAAA,MACzC,CAAC,cAAc,UAAU,kBAAkB,cAAc,kBAAmB;AAAA,IAC9E;AAEA,QAAI,CAAC,kBAAkB;AACrB,YAAM,IAAI;AAAA,QACR,iBAAiB,OAAO,sDAAsD,cAAc,kBAAkB,mBAAmB;AAAA,MACnI;AAAA,IACF;AAEA,UAAM,4BAA4B;AAAA,MAChC;AAAA,MACA,cAAc,kBAAkB,WAAW;AAAA,IAC7C;AACA,UAAM,kBAAkB;AAAA,MACtB;AAAA,MACA,cAAc,kBAAkB;AAAA,MAChC,iBAAiB;AAAA,IACnB;AAEA,QAAI,CAAC,iBAAiB;AACpB,YAAM,IAAI,MAAM,kEAAkE,OAAO,GAAG;AAAA,IAC9F;A
AEA;AAAA,MACE,KAAK;AAAA,MACL,WAAW,OAAO;AAAA,MAClB,0BAA0B;AAAA,IAC5B;AAEA,UAAM,cAAc,MAAM,QAAQ;AAAA,MAChC,cAAc,MAAM,IAAI,CAAC,SAAS,KAAK,OAAO,mBAAmB,SAAS,KAAK,EAAE,CAAC;AAAA,IACpF;AAEA,UAAM,MAAa,CAAC;AAEpB,eAAW,QAAQ,aAAa;AAC9B,UAAI,CAAC,KAAK,kBAAkB;AAC1B,cAAM,IAAI,MAAM,sBAAsB,KAAK,EAAE,yCAAyC;AAAA,MACxF;AAEA,YAAM,kBAAkB,kBAAkB;AAAA,QACxC,CAAC,cAAc,UAAU,kBAAkB,KAAK,iBAAkB;AAAA,MACpE;AAEA,UAAI,CAAC,iBAAiB;AACpB,cAAM,IAAI;AAAA,UACR,sBAAsB,KAAK,EAAE,8CAA8C,KAAK,iBAAiB,mBAAmB;AAAA,QACtH;AAAA,MACF;AAEA,YAAM,2BAA2B;AAAA,QAC/B;AAAA,QACA,KAAK,iBAAiB,WAAW;AAAA,MACnC;AACA,YAAM,iBAAiB;AAAA,QACrB;AAAA,QACA,KAAK,iBAAiB;AAAA,QACtB,gBAAgB;AAAA,MAClB;AAEA,UAAI,CAAC,gBAAgB;AACnB,cAAM,IAAI,MAAM,8DAA8D,KAAK,EAAE,GAAG;AAAA,MAC1F;AAEA;AAAA,QACE,KAAK;AAAA,QACL,UAAU,KAAK,EAAE;AAAA,QACjB,yBAAyB;AAAA,MAC3B;AAEA,iBAAW,SAAS,KAAK,QAAQ;AAC/B,YAAI,MAAM,UAAU,MAAM;AACxB;AAAA,QACF;AAEA,YAAI,qBAAqB,GAAG,KAAK,IAAI,IAAI,MAAM,IAAI,EAAE,CAAC,IAAI;AAAA,UACxD,MAAM;AAAA,UACN;AAAA,QACF;AAAA,MACF;AAAA,IACF;AAEA,WAAO;AAAA,EACT;AACF;AAEA,IAAO,cAAQ;","names":["import_node_path","path","path","crypto","fs","path","crypto","crypto","crypto","crypto","crypto","crypto","import_node_fs","import_node_path","fs","path","path"]}
1
+ {"version":3,"sources":["../src/index.ts","../src/client.ts","../src/crypto.ts","../src/transparency.ts","../src/trust-store.ts"],"sourcesContent":["import path from 'node:path'\nimport { R4Client } from './client'\nimport {\n decryptStoredFieldValue,\n derivePublicKey,\n loadPrivateKey,\n unwrapDEKWithPrivateKey,\n verifyVaultItemDetailCheckpoint,\n verifyVaultSummaryCheckpoint,\n verifyWrappedDekSignature,\n} from './crypto'\nimport {\n assertAndPinCheckpointVersion,\n getPublicOrgWitnessHead,\n getSinglePinnedTransparencyHead,\n verifyAndPinVaultUserPublicKeys,\n} from './trust-store'\nimport type {\n ListMachineVaultItemsResponse,\n MachineVaultItemDetailResponse,\n R4Config,\n R4Env,\n VaultItemDetailCheckpoint,\n VaultSummaryCheckpoint,\n} from './types'\n\nexport type { R4Config, R4Env } from './types'\n\nconst R4_DEFAULT_API_BASE_URL = 'https://r4.dev'\nconst R4_DEV_API_BASE_URL = 'https://dev.r4.dev'\n\nfunction toScreamingSnakeCase(input: string): string {\n return input\n .replace(/[^a-zA-Z0-9]/g, '_')\n .replace(/_+/g, '_')\n .replace(/^_|_$/g, '')\n .toUpperCase()\n}\n\nfunction resolveTrustStorePath(config: R4Config): string {\n if (config.trustStorePath) {\n return path.resolve(config.trustStorePath)\n }\n\n if (config.privateKeyPath) {\n return `${path.resolve(config.privateKeyPath)}.trust.json`\n }\n\n return path.resolve(process.cwd(), '.r4-trust-store.json')\n}\n\nfunction resolveApiBaseUrl(config: R4Config): string {\n if (config.baseUrl) {\n return config.baseUrl\n }\n\n return config.dev ? R4_DEV_API_BASE_URL : R4_DEFAULT_API_BASE_URL\n}\n\nfunction buildVaultSummaryCheckpointFromListResponse(\n response: ListMachineVaultItemsResponse,\n version: number,\n): VaultSummaryCheckpoint {\n return {\n vaultId: response.vaultId,\n version,\n name: response.vaultName,\n dataClassification: response.dataClassification ?? null,\n currentDekVersion: response.currentDekVersion ?? 
null,\n items: response.items.map((item) => ({\n id: item.id,\n name: item.name,\n type: item.type ?? null,\n websites: item.websites ?? [],\n groupId: item.groupId ?? null,\n })),\n groups: response.vaultItemGroups.map((group) => ({\n id: group.id,\n name: group.name,\n parentId: group.parentId ?? null,\n })),\n }\n}\n\nfunction buildVaultItemDetailCheckpointFromResponse(\n item: MachineVaultItemDetailResponse,\n version: number,\n): VaultItemDetailCheckpoint {\n return {\n vaultItemId: item.id,\n vaultId: item.vaultId,\n version,\n name: item.name,\n type: item.type ?? null,\n websites: item.websites ?? [],\n groupId: item.groupId ?? null,\n fields: item.fields.map((field, index) => ({\n id: field.id,\n name: field.name,\n type: field.type,\n order: field.order ?? index,\n fieldInstanceIds: field.fieldInstanceIds ?? [],\n assetIds: field.assetIds ?? [],\n })),\n }\n}\n\n/**\n * R4 SDK — zero-trust Node.js SDK for machine agents.\n *\n * The runtime keeps its private key locally, registers only the matching public\n * key with the machine API, verifies wrapped-DEK signatures against a pinned\n * signer directory, unwraps each vault DEK locally, and decrypts env values\n * without trusting the backend to see or transform plaintext.\n */\nexport class R4 {\n private readonly client: R4Client\n private readonly baseUrl: string\n private readonly projectId?: string\n private readonly privateKeyPem: string\n private readonly publicKeyPem: string\n private readonly trustStorePath: string\n private _env: R4Env | null = null\n\n constructor(config: R4Config) {\n if (!config.apiKey) {\n throw new Error('R4 SDK: apiKey is required')\n }\n\n if (!config.privateKey && !config.privateKeyPath) {\n throw new Error(\n 'R4 SDK: privateKey or privateKeyPath is required for zero-trust local decryption.',\n )\n }\n\n const baseUrl = resolveApiBaseUrl(config)\n this.baseUrl = baseUrl\n this.client = new R4Client(config.apiKey, baseUrl)\n this.projectId = config.projectId\n 
this.privateKeyPem = config.privateKey ?? loadPrivateKey(config.privateKeyPath!)\n this.publicKeyPem = derivePublicKey(this.privateKeyPem)\n this.trustStorePath = resolveTrustStorePath(config)\n }\n\n /**\n * Static factory method that creates and initializes an R4 instance.\n */\n static async create(config: R4Config): Promise<R4> {\n const instance = new R4(config)\n await instance.init()\n return instance\n }\n\n /**\n * Initializes the SDK by registering the agent public key (idempotent) and\n * decrypting all accessible vault values locally into a flat env map.\n */\n async init(): Promise<void> {\n this._env = await this.fetchEnv()\n }\n\n /**\n * Returns the locally decrypted env map.\n */\n get env(): R4Env {\n if (!this._env) {\n throw new Error(\n 'R4 SDK: env is not initialized. Call await r4.init() first, or use R4.create() for automatic initialization.',\n )\n }\n return this._env\n }\n\n /**\n * Re-fetches and locally re-decrypts the current vault view.\n */\n async refresh(): Promise<void> {\n this._env = await this.fetchEnv()\n }\n\n /**\n * Registers the local agent public key, loads all accessible vaults, verifies\n * wrapped-DEK signatures against pinned signer keys, unwraps each vault DEK,\n * and builds a flat SCREAMING_SNAKE_CASE env map from decrypted field values.\n */\n private async fetchEnv(): Promise<R4Env> {\n try {\n await this.client.registerAgentPublicKey({\n publicKey: this.publicKeyPem,\n })\n } catch (error) {\n throw new Error(\n `R4 SDK: failed to register the local agent public key. The zero-trust SDK requires an AGENT-scoped API key and a matching local private key. ${\n error instanceof Error ? 
error.message : String(error)\n }`,\n )\n }\n\n const { vaults } = await this.client.listVaults(this.projectId)\n const envEntries = await Promise.all(vaults.map((vault) => this.fetchVaultEnv(vault.id)))\n\n return Object.assign({}, ...envEntries)\n }\n\n /**\n * Fetches a single vault's wrapped DEK, verifies it against the pinned signer\n * directory, unwraps the DEK locally, then decrypts every field value in that\n * vault item-by-item.\n */\n private async fetchVaultEnv(vaultId: string): Promise<R4Env> {\n const pinnedTransparencyHead = getSinglePinnedTransparencyHead(this.trustStorePath)\n const [wrappedKey, itemsResponse, initialPublicKeyDirectory] = await Promise.all([\n this.client.getAgentWrappedKey(vaultId),\n this.client.listVaultItems(vaultId),\n this.client.getVaultUserKeyDirectory(\n vaultId,\n pinnedTransparencyHead\n ? {\n knownTransparencyVersion: pinnedTransparencyHead.version,\n knownTransparencyHash: pinnedTransparencyHead.hash,\n }\n : undefined,\n ),\n ])\n\n let publicKeyDirectory = initialPublicKeyDirectory\n let witnessAnchorHead: { version: number; hash: string } | null = null\n\n if (!pinnedTransparencyHead) {\n const orgId = initialPublicKeyDirectory.directoryCheckpoint?.checkpoint.orgId ?? 
null\n\n if (\n orgId &&\n initialPublicKeyDirectory.directoryCheckpoint &&\n initialPublicKeyDirectory.transparency\n ) {\n witnessAnchorHead = await getPublicOrgWitnessHead(this.baseUrl, orgId)\n\n if (witnessAnchorHead) {\n if (initialPublicKeyDirectory.transparency.head.version < witnessAnchorHead.version) {\n throw new Error(`R4 SDK: public transparency witness head is ahead of the server response for org ${orgId}.`)\n }\n\n if (initialPublicKeyDirectory.transparency.head.version === witnessAnchorHead.version) {\n if (initialPublicKeyDirectory.transparency.head.hash !== witnessAnchorHead.hash) {\n throw new Error(`R4 SDK: public transparency witness head fork detected for org ${orgId}.`)\n }\n } else {\n publicKeyDirectory = await this.client.getVaultUserKeyDirectory(vaultId, {\n knownTransparencyVersion: witnessAnchorHead.version,\n knownTransparencyHash: witnessAnchorHead.hash,\n })\n }\n }\n }\n }\n\n const trustedPublicKeys = await verifyAndPinVaultUserPublicKeys(\n this.trustStorePath,\n publicKeyDirectory,\n witnessAnchorHead,\n )\n\n const signerKey = trustedPublicKeys.find(\n (publicKey) => publicKey.userKeyPairId === wrappedKey.signerUserKeyPairId,\n )\n\n if (!signerKey) {\n throw new Error(\n `R4 SDK: wrapped DEK for vault ${vaultId} was signed by unknown user key ${wrappedKey.signerUserKeyPairId}.`,\n )\n }\n\n const signatureVerified = verifyWrappedDekSignature(\n vaultId,\n wrappedKey.encryptionKeyId,\n wrappedKey.signerUserKeyPairId,\n wrappedKey.dekVersion,\n wrappedKey.wrappedDek,\n wrappedKey.wrappedDekSignature,\n signerKey.publicKey,\n )\n\n if (!signatureVerified) {\n throw new Error(`R4 SDK: wrapped DEK signature verification failed for vault ${vaultId}.`)\n }\n\n const dek = unwrapDEKWithPrivateKey(wrappedKey.wrappedDek, this.privateKeyPem)\n\n if (!itemsResponse.summaryCheckpoint) {\n throw new Error(`R4 SDK: vault ${vaultId} is missing a signed summary checkpoint.`)\n }\n\n const summarySignerKey = trustedPublicKeys.find(\n (publicKey) 
=> publicKey.userKeyPairId === itemsResponse.summaryCheckpoint!.signerUserKeyPairId,\n )\n\n if (!summarySignerKey) {\n throw new Error(\n `R4 SDK: vault ${vaultId} summary checkpoint was signed by unknown user key ${itemsResponse.summaryCheckpoint.signerUserKeyPairId}.`,\n )\n }\n\n const expectedSummaryCheckpoint = buildVaultSummaryCheckpointFromListResponse(\n itemsResponse,\n itemsResponse.summaryCheckpoint.checkpoint.version,\n )\n const summaryVerified = verifyVaultSummaryCheckpoint(\n expectedSummaryCheckpoint,\n itemsResponse.summaryCheckpoint.signature,\n summarySignerKey.publicKey,\n )\n\n if (!summaryVerified) {\n throw new Error(`R4 SDK: vault summary checkpoint verification failed for vault ${vaultId}.`)\n }\n\n assertAndPinCheckpointVersion(\n this.trustStorePath,\n `summary:${vaultId}`,\n expectedSummaryCheckpoint.version,\n )\n\n const itemDetails = await Promise.all(\n itemsResponse.items.map((item) => this.client.getVaultItemDetail(vaultId, item.id)),\n )\n\n const env: R4Env = {}\n\n for (const item of itemDetails) {\n if (!item.detailCheckpoint) {\n throw new Error(`R4 SDK: vault item ${item.id} is missing a signed detail checkpoint.`)\n }\n\n const detailSignerKey = trustedPublicKeys.find(\n (publicKey) => publicKey.userKeyPairId === item.detailCheckpoint!.signerUserKeyPairId,\n )\n\n if (!detailSignerKey) {\n throw new Error(\n `R4 SDK: vault item ${item.id} checkpoint was signed by unknown user key ${item.detailCheckpoint.signerUserKeyPairId}.`,\n )\n }\n\n const expectedDetailCheckpoint = buildVaultItemDetailCheckpointFromResponse(\n item,\n item.detailCheckpoint.checkpoint.version,\n )\n const detailVerified = verifyVaultItemDetailCheckpoint(\n expectedDetailCheckpoint,\n item.detailCheckpoint.signature,\n detailSignerKey.publicKey,\n )\n\n if (!detailVerified) {\n throw new Error(`R4 SDK: vault item checkpoint verification failed for item ${item.id}.`)\n }\n\n assertAndPinCheckpointVersion(\n this.trustStorePath,\n `detail:${item.id}`,\n 
expectedDetailCheckpoint.version,\n )\n\n for (const field of item.fields) {\n if (field.value === null) {\n continue\n }\n\n env[toScreamingSnakeCase(`${item.name}_${field.name}`)] = decryptStoredFieldValue(\n field.value,\n dek,\n )\n }\n }\n\n return env\n }\n}\n\nexport default R4\n","import type {\n ListMachineVaultItemsResponse,\n ListMachineVaultsResponse,\n MachineAgentPublicKeyResponse,\n MachineVaultItemDetailResponse,\n MachineVaultUserKeyDirectoryResponse,\n MachineWrappedKeyResponse,\n RegisterMachinePublicKeyRequest,\n} from './types'\n\ntype ApiErrorBody = {\n error?: {\n code?: unknown\n message?: unknown\n }\n}\n\n/**\n * Minimal machine-API client used by the zero-trust Node SDK.\n * Agents authenticate with an AGENT-scoped API key, register their local public\n * key, then fetch wrapped vault DEKs and ciphertext for local decryption.\n */\nexport class R4Client {\n private readonly apiKey: string\n private readonly baseUrl: string\n\n constructor(apiKey: string, baseUrl: string) {\n this.apiKey = apiKey\n this.baseUrl = baseUrl.replace(/\\/$/, '')\n }\n\n private buildHeaders(): Record<string, string> {\n return {\n 'X-API-Key': this.apiKey,\n 'Content-Type': 'application/json',\n }\n }\n\n private async request<T>(path: string, init: RequestInit): Promise<T> {\n const response = await fetch(`${this.baseUrl}${path}`, {\n ...init,\n headers: {\n ...this.buildHeaders(),\n ...(init.headers ?? {}),\n },\n })\n\n if (!response.ok) {\n const errorBody = (await response.json().catch(() => ({}))) as ApiErrorBody\n const errorMessage =\n typeof errorBody.error?.message === 'string'\n ? errorBody.error.message\n : `HTTP ${response.status}: ${response.statusText}`\n const errorCode =\n typeof errorBody.error?.code === 'string'\n ? 
` [${errorBody.error.code}]`\n : ''\n throw new Error(`R4 API Error${errorCode}: ${errorMessage}`)\n }\n\n if (response.status === 204) {\n return undefined as T\n }\n\n return response.json() as Promise<T>\n }\n\n /**\n * Registers or re-confirms the agent runtime's local RSA public key.\n */\n async registerAgentPublicKey(\n body: RegisterMachinePublicKeyRequest,\n ): Promise<MachineAgentPublicKeyResponse> {\n return this.request<MachineAgentPublicKeyResponse>('/api/v1/machine/vault/public-key', {\n method: 'POST',\n body: JSON.stringify(body),\n })\n }\n\n /**\n * Lists all accessible non-hidden vaults. When `projectId` is provided, the\n * backend additionally filters to vaults associated with that project.\n */\n async listVaults(projectId?: string): Promise<ListMachineVaultsResponse> {\n const search = projectId\n ? `?projectId=${encodeURIComponent(projectId)}`\n : ''\n return this.request<ListMachineVaultsResponse>(`/api/v1/machine/vault${search}`, {\n method: 'GET',\n })\n }\n\n /**\n * Retrieves the active wrapped DEK for the authenticated agent on a vault.\n */\n async getAgentWrappedKey(vaultId: string): Promise<MachineWrappedKeyResponse> {\n return this.request<MachineWrappedKeyResponse>(\n `/api/v1/machine/vault/${encodeURIComponent(vaultId)}/wrapped-key`,\n { method: 'GET' },\n )\n }\n\n /**\n * Retrieves the trusted user-key directory for a vault so the runtime can\n * verify wrapped-DEK signatures locally.\n */\n async getVaultUserKeyDirectory(\n vaultId: string,\n params?: {\n knownTransparencyVersion?: number\n knownTransparencyHash?: string\n },\n ): Promise<MachineVaultUserKeyDirectoryResponse> {\n const searchParams = new URLSearchParams()\n if (params?.knownTransparencyVersion !== undefined) {\n searchParams.set('knownTransparencyVersion', String(params.knownTransparencyVersion))\n }\n if (params?.knownTransparencyHash) {\n searchParams.set('knownTransparencyHash', params.knownTransparencyHash)\n }\n const search = searchParams.size > 0 ? 
`?${searchParams.toString()}` : ''\n\n return this.request<MachineVaultUserKeyDirectoryResponse>(\n `/api/v1/machine/vault/${encodeURIComponent(vaultId)}/public-keys${search}`,\n { method: 'GET' },\n )\n }\n\n /**\n * Lists all items in a vault with lightweight metadata.\n */\n async listVaultItems(vaultId: string): Promise<ListMachineVaultItemsResponse> {\n return this.request<ListMachineVaultItemsResponse>(\n `/api/v1/machine/vault/${encodeURIComponent(vaultId)}/items`,\n { method: 'GET' },\n )\n }\n\n /**\n * Retrieves the full field payloads for a vault item.\n */\n async getVaultItemDetail(\n vaultId: string,\n itemId: string,\n ): Promise<MachineVaultItemDetailResponse> {\n return this.request<MachineVaultItemDetailResponse>(\n `/api/v1/machine/vault/${encodeURIComponent(vaultId)}/items/${encodeURIComponent(itemId)}`,\n { method: 'GET' },\n )\n }\n}\n","import crypto from 'node:crypto'\nimport fs from 'node:fs'\nimport path from 'node:path'\nimport {\n buildAgentPublicKeyWitnessPayload,\n buildOrgUserKeyDirectoryWitnessPayload,\n type AgentPublicKeyWitnessArtifact,\n type OrgUserKeyDirectoryWitnessArtifact,\n} from './transparency'\nimport type {\n UserKeyDirectoryCheckpoint,\n UserKeyDirectoryTransparencyEntry,\n UserKeyDirectoryTransparencyHead,\n UserKeyDirectoryTransparencyProof,\n VaultItemDetailCheckpoint,\n VaultSummaryCheckpoint,\n} from './types'\n\nconst RSA_OAEP_CONFIG = {\n padding: crypto.constants.RSA_PKCS1_OAEP_PADDING,\n oaepHash: 'sha256',\n} as const\n\nconst RSA_PSS_SIGN_CONFIG = {\n padding: crypto.constants.RSA_PKCS1_PSS_PADDING,\n saltLength: 32,\n} as const\n\nconst USER_KEY_ROTATION_PREFIX = 'r4-user-key-rotation-v1'\nconst USER_KEY_DIRECTORY_CHECKPOINT_PREFIX = 'r4-user-key-directory-checkpoint-v1'\nconst USER_KEY_DIRECTORY_TRANSPARENCY_ENTRY_PREFIX = 'r4-user-key-directory-transparency-entry-v1'\nconst WRAPPED_DEK_SIGNATURE_PREFIX = 'r4-wrapped-dek-signature-v1'\nconst VAULT_SUMMARY_CHECKPOINT_PREFIX = 
'r4-vault-summary-checkpoint-v1'\nconst VAULT_ITEM_DETAIL_CHECKPOINT_PREFIX = 'r4-vault-item-detail-checkpoint-v1'\n\ntype VaultEnvelope = {\n v: 3\n iv: string\n t: string\n d: string\n}\n\nfunction pemToDer(pem: string, beginLabel: string, endLabel: string): Buffer {\n const derBase64 = pem\n .replace(beginLabel, '')\n .replace(endLabel, '')\n .replace(/\\s/g, '')\n\n return Buffer.from(derBase64, 'base64')\n}\n\nfunction getWrappedDekFingerprint(wrappedDek: string): string {\n return crypto.createHash('sha256').update(Buffer.from(wrappedDek, 'base64')).digest('hex')\n}\n\nfunction getCheckpointFingerprint(prefix: string, canonicalJson: string): string {\n return `${prefix}:${crypto.createHash('sha256').update(canonicalJson, 'utf8').digest('hex')}`\n}\n\n/**\n * Loads a PEM-encoded private key from the provided path.\n */\nexport function loadPrivateKey(privateKeyPath: string): string {\n return fs.readFileSync(path.resolve(privateKeyPath), 'utf8').trim()\n}\n\n/**\n * Derives the matching PEM-encoded public key from a PEM private key.\n */\nexport function derivePublicKey(privateKeyPem: string): string {\n return crypto.createPublicKey(privateKeyPem).export({\n type: 'spki',\n format: 'pem',\n }).toString()\n}\n\n/**\n * Compute a stable SHA-256 fingerprint for a PEM-encoded public key.\n * The fingerprint uses the DER bytes so PEM formatting differences do not matter.\n */\nexport function getPublicKeyFingerprint(publicKeyPem: string): string {\n const derBytes = pemToDer(publicKeyPem, '-----BEGIN PUBLIC KEY-----', '-----END PUBLIC KEY-----')\n return crypto.createHash('sha256').update(derBytes).digest('hex')\n}\n\nfunction buildUserKeyRotationPayload(previousUserKeyPairId: string, newPublicKeyFingerprint: string): string {\n return `${USER_KEY_ROTATION_PREFIX}:${previousUserKeyPairId}:${newPublicKeyFingerprint}`\n}\n\n/**\n * Signs a new key fingerprint with the previous private key to prove continuity.\n */\nexport function signUserKeyRotation(\n 
previousUserKeyPairId: string,\n newPublicKeyPem: string,\n previousPrivateKeyPem: string,\n): string {\n const payload = buildUserKeyRotationPayload(\n previousUserKeyPairId,\n getPublicKeyFingerprint(newPublicKeyPem),\n )\n\n return crypto.sign(\n 'sha256',\n Buffer.from(payload, 'utf8'),\n {\n key: previousPrivateKeyPem,\n ...RSA_PSS_SIGN_CONFIG,\n },\n ).toString('base64')\n}\n\n/**\n * Verifies continuity for a rotated signer key.\n */\nexport function verifyUserKeyRotation(\n previousUserKeyPairId: string,\n newPublicKeyPem: string,\n rotationSignature: string,\n previousPublicKeyPem: string,\n): boolean {\n const payload = buildUserKeyRotationPayload(\n previousUserKeyPairId,\n getPublicKeyFingerprint(newPublicKeyPem),\n )\n\n try {\n return crypto.verify(\n 'sha256',\n Buffer.from(payload, 'utf8'),\n {\n key: previousPublicKeyPem,\n ...RSA_PSS_SIGN_CONFIG,\n },\n Buffer.from(rotationSignature, 'base64'),\n )\n } catch {\n return false\n }\n}\n\nexport function verifyTransparencyWitnessPayload(\n payload: string,\n signature: string,\n publicKeyPem: string,\n): boolean {\n try {\n return crypto.verify(\n 'sha256',\n Buffer.from(payload, 'utf8'),\n {\n key: publicKeyPem,\n ...RSA_PSS_SIGN_CONFIG,\n },\n Buffer.from(signature, 'base64'),\n )\n } catch {\n return false\n }\n}\n\nexport function verifyOrgUserKeyDirectoryWitnessArtifact(\n artifact: OrgUserKeyDirectoryWitnessArtifact,\n publicKeyPem: string,\n): boolean {\n return verifyTransparencyWitnessPayload(\n buildOrgUserKeyDirectoryWitnessPayload(artifact.orgId, artifact.head),\n artifact.signature,\n publicKeyPem,\n )\n}\n\nexport function verifyAgentPublicKeyWitnessArtifact(\n artifact: AgentPublicKeyWitnessArtifact,\n publicKeyPem: string,\n): boolean {\n return verifyTransparencyWitnessPayload(\n buildAgentPublicKeyWitnessPayload(artifact.agentId, artifact.head),\n artifact.signature,\n publicKeyPem,\n )\n}\n\nexport function normalizeUserKeyDirectoryCheckpoint(\n checkpoint: 
UserKeyDirectoryCheckpoint,\n): UserKeyDirectoryCheckpoint {\n return {\n orgId: checkpoint.orgId,\n version: checkpoint.version,\n entries: [...checkpoint.entries]\n .map((entry) => ({\n userKeyPairId: entry.userKeyPairId,\n orgUserId: entry.orgUserId,\n fingerprint: entry.fingerprint,\n previousUserKeyPairId: entry.previousUserKeyPairId ?? null,\n rotationSignature: entry.rotationSignature ?? null,\n }))\n .sort((left, right) => left.userKeyPairId.localeCompare(right.userKeyPairId)),\n }\n}\n\nexport function canonicalizeUserKeyDirectoryCheckpoint(\n checkpoint: UserKeyDirectoryCheckpoint,\n): string {\n return JSON.stringify(normalizeUserKeyDirectoryCheckpoint(checkpoint))\n}\n\nexport function buildUserKeyDirectoryCheckpointPayload(\n checkpoint: UserKeyDirectoryCheckpoint,\n): string {\n return getCheckpointFingerprint(\n USER_KEY_DIRECTORY_CHECKPOINT_PREFIX,\n canonicalizeUserKeyDirectoryCheckpoint(checkpoint),\n )\n}\n\nexport function signUserKeyDirectoryCheckpoint(\n checkpoint: UserKeyDirectoryCheckpoint,\n privateKeyPem: string,\n): string {\n return crypto.sign(\n 'sha256',\n Buffer.from(buildUserKeyDirectoryCheckpointPayload(checkpoint), 'utf8'),\n {\n key: privateKeyPem,\n ...RSA_PSS_SIGN_CONFIG,\n },\n ).toString('base64')\n}\n\nexport function verifyUserKeyDirectoryCheckpoint(\n checkpoint: UserKeyDirectoryCheckpoint,\n signature: string,\n publicKeyPem: string,\n): boolean {\n try {\n return crypto.verify(\n 'sha256',\n Buffer.from(buildUserKeyDirectoryCheckpointPayload(checkpoint), 'utf8'),\n {\n key: publicKeyPem,\n ...RSA_PSS_SIGN_CONFIG,\n },\n Buffer.from(signature, 'base64'),\n )\n } catch {\n return false\n }\n}\n\nexport function buildUserKeyDirectoryTransparencyEntryHash(\n entry: Omit<UserKeyDirectoryTransparencyEntry, 'entryHash'>,\n): string {\n return getCheckpointFingerprint(\n USER_KEY_DIRECTORY_TRANSPARENCY_ENTRY_PREFIX,\n JSON.stringify({\n orgId: entry.orgId,\n version: entry.version,\n directoryCheckpointPayload: 
entry.directoryCheckpointPayload,\n signerUserKeyPairId: entry.signerUserKeyPairId,\n signerOrgUserId: entry.signerOrgUserId,\n signerFingerprint: entry.signerFingerprint,\n signature: entry.signature,\n previousEntryHash: entry.previousEntryHash ?? null,\n }),\n )\n}\n\nexport function buildUserKeyDirectoryTransparencyEntry(params: {\n checkpoint: UserKeyDirectoryCheckpoint\n signerUserKeyPairId: string\n signerOrgUserId: string\n signerPublicKey: string\n signature: string\n previousEntryHash: string | null\n}): UserKeyDirectoryTransparencyEntry {\n const entryWithoutHash = {\n orgId: params.checkpoint.orgId,\n version: params.checkpoint.version,\n directoryCheckpointPayload: buildUserKeyDirectoryCheckpointPayload(params.checkpoint),\n signerUserKeyPairId: params.signerUserKeyPairId,\n signerOrgUserId: params.signerOrgUserId,\n signerFingerprint: getPublicKeyFingerprint(params.signerPublicKey),\n signature: params.signature,\n previousEntryHash: params.previousEntryHash ?? null,\n }\n\n return {\n ...entryWithoutHash,\n entryHash: buildUserKeyDirectoryTransparencyEntryHash(entryWithoutHash),\n }\n}\n\nexport function verifyUserKeyDirectoryTransparencyProof(params: {\n currentEntry: UserKeyDirectoryTransparencyEntry\n proof: UserKeyDirectoryTransparencyProof\n previousHead: UserKeyDirectoryTransparencyHead | null\n}): boolean {\n if (\n params.proof.head.version !== params.currentEntry.version ||\n params.proof.head.hash !== params.currentEntry.entryHash\n ) {\n return false\n }\n\n if (!params.previousHead) {\n if (params.proof.entries.length === 0) {\n return false\n }\n\n for (let index = 0; index < params.proof.entries.length; index++) {\n const entry = params.proof.entries[index]\n if (!entry) {\n return false\n }\n\n const expectedHash = buildUserKeyDirectoryTransparencyEntryHash({\n orgId: entry.orgId,\n version: entry.version,\n directoryCheckpointPayload: entry.directoryCheckpointPayload,\n signerUserKeyPairId: entry.signerUserKeyPairId,\n 
signerOrgUserId: entry.signerOrgUserId,\n signerFingerprint: entry.signerFingerprint,\n signature: entry.signature,\n previousEntryHash: entry.previousEntryHash,\n })\n\n if (expectedHash !== entry.entryHash) {\n return false\n }\n\n if (index === 0) {\n continue\n }\n\n const previousEntry = params.proof.entries[index - 1]\n if (!previousEntry) {\n return false\n }\n\n if (entry.previousEntryHash !== previousEntry.entryHash || entry.version !== previousEntry.version + 1) {\n return false\n }\n }\n\n const lastEntry = params.proof.entries[params.proof.entries.length - 1]\n return lastEntry?.entryHash === params.currentEntry.entryHash && lastEntry.version === params.currentEntry.version\n }\n\n if (params.currentEntry.version < params.previousHead.version) {\n return false\n }\n\n if (params.currentEntry.version === params.previousHead.version) {\n return params.currentEntry.entryHash === params.previousHead.hash && params.proof.entries.length === 0\n }\n\n if (params.proof.entries.length === 0) {\n return false\n }\n\n let previousVersion = params.previousHead.version\n let previousHash = params.previousHead.hash\n\n for (const entry of params.proof.entries) {\n const expectedHash = buildUserKeyDirectoryTransparencyEntryHash({\n orgId: entry.orgId,\n version: entry.version,\n directoryCheckpointPayload: entry.directoryCheckpointPayload,\n signerUserKeyPairId: entry.signerUserKeyPairId,\n signerOrgUserId: entry.signerOrgUserId,\n signerFingerprint: entry.signerFingerprint,\n signature: entry.signature,\n previousEntryHash: entry.previousEntryHash,\n })\n\n if (\n expectedHash !== entry.entryHash ||\n entry.previousEntryHash !== previousHash ||\n entry.version !== previousVersion + 1\n ) {\n return false\n }\n\n previousVersion = entry.version\n previousHash = entry.entryHash\n }\n\n return previousHash === params.currentEntry.entryHash && previousVersion === params.currentEntry.version\n}\n\nfunction buildWrappedDekSignaturePayload(\n vaultId: string,\n 
recipientKeyId: string,\n signerUserKeyPairId: string,\n dekVersion: number,\n wrappedDek: string,\n): string {\n return [\n WRAPPED_DEK_SIGNATURE_PREFIX,\n vaultId,\n recipientKeyId,\n signerUserKeyPairId,\n String(dekVersion),\n getWrappedDekFingerprint(wrappedDek),\n ].join(':')\n}\n\n/**\n * Signs a wrapped-DEK payload with the signer's private key.\n */\nexport function signWrappedDek(\n vaultId: string,\n recipientKeyId: string,\n signerUserKeyPairId: string,\n dekVersion: number,\n wrappedDek: string,\n signerPrivateKeyPem: string,\n): string {\n const payload = buildWrappedDekSignaturePayload(\n vaultId,\n recipientKeyId,\n signerUserKeyPairId,\n dekVersion,\n wrappedDek,\n )\n\n return crypto.sign(\n 'sha256',\n Buffer.from(payload, 'utf8'),\n {\n key: signerPrivateKeyPem,\n ...RSA_PSS_SIGN_CONFIG,\n },\n ).toString('base64')\n}\n\n/**\n * Verifies a wrapped vault DEK signature using the signer's public key.\n */\nexport function verifyWrappedDekSignature(\n vaultId: string,\n recipientKeyId: string,\n signerUserKeyPairId: string,\n dekVersion: number,\n wrappedDek: string,\n wrappedDekSignature: string,\n signerPublicKeyPem: string,\n): boolean {\n const payload = buildWrappedDekSignaturePayload(\n vaultId,\n recipientKeyId,\n signerUserKeyPairId,\n dekVersion,\n wrappedDek,\n )\n\n try {\n return crypto.verify(\n 'sha256',\n Buffer.from(payload, 'utf8'),\n {\n key: signerPublicKeyPem,\n ...RSA_PSS_SIGN_CONFIG,\n },\n Buffer.from(wrappedDekSignature, 'base64'),\n )\n } catch {\n return false\n }\n}\n\nexport function normalizeVaultSummaryCheckpoint(\n checkpoint: VaultSummaryCheckpoint,\n): VaultSummaryCheckpoint {\n return {\n vaultId: checkpoint.vaultId,\n version: checkpoint.version,\n name: checkpoint.name,\n dataClassification: checkpoint.dataClassification ?? null,\n currentDekVersion: checkpoint.currentDekVersion ?? null,\n items: [...checkpoint.items]\n .map((item) => ({\n id: item.id,\n name: item.name,\n type: item.type ?? 
null,\n websites: [...item.websites],\n groupId: item.groupId ?? null,\n }))\n .sort((left, right) => left.id.localeCompare(right.id)),\n groups: [...checkpoint.groups]\n .map((group) => ({\n id: group.id,\n name: group.name,\n parentId: group.parentId ?? null,\n }))\n .sort((left, right) => left.id.localeCompare(right.id)),\n }\n}\n\nexport function canonicalizeVaultSummaryCheckpoint(\n checkpoint: VaultSummaryCheckpoint,\n): string {\n return JSON.stringify(normalizeVaultSummaryCheckpoint(checkpoint))\n}\n\nexport function buildVaultSummaryCheckpointPayload(\n checkpoint: VaultSummaryCheckpoint,\n): string {\n return getCheckpointFingerprint(\n VAULT_SUMMARY_CHECKPOINT_PREFIX,\n canonicalizeVaultSummaryCheckpoint(checkpoint),\n )\n}\n\nexport function verifyVaultSummaryCheckpoint(\n checkpoint: VaultSummaryCheckpoint,\n signature: string,\n publicKeyPem: string,\n): boolean {\n try {\n return crypto.verify(\n 'sha256',\n Buffer.from(buildVaultSummaryCheckpointPayload(checkpoint), 'utf8'),\n {\n key: publicKeyPem,\n ...RSA_PSS_SIGN_CONFIG,\n },\n Buffer.from(signature, 'base64'),\n )\n } catch {\n return false\n }\n}\n\nexport function signVaultSummaryCheckpoint(\n checkpoint: VaultSummaryCheckpoint,\n privateKeyPem: string,\n): string {\n return crypto.sign(\n 'sha256',\n Buffer.from(buildVaultSummaryCheckpointPayload(checkpoint), 'utf8'),\n {\n key: privateKeyPem,\n ...RSA_PSS_SIGN_CONFIG,\n },\n ).toString('base64')\n}\n\nexport function normalizeVaultItemDetailCheckpoint(\n checkpoint: VaultItemDetailCheckpoint,\n): VaultItemDetailCheckpoint {\n return {\n vaultItemId: checkpoint.vaultItemId,\n vaultId: checkpoint.vaultId,\n version: checkpoint.version,\n name: checkpoint.name,\n type: checkpoint.type ?? null,\n websites: [...checkpoint.websites],\n groupId: checkpoint.groupId ?? 
null,\n fields: [...checkpoint.fields]\n .map((field) => ({\n id: field.id,\n name: field.name,\n type: field.type,\n order: field.order,\n fieldInstanceIds: [...field.fieldInstanceIds].sort(),\n assetIds: [...field.assetIds].sort(),\n }))\n .sort((left, right) => left.order - right.order || left.id.localeCompare(right.id)),\n }\n}\n\nexport function canonicalizeVaultItemDetailCheckpoint(\n checkpoint: VaultItemDetailCheckpoint,\n): string {\n return JSON.stringify(normalizeVaultItemDetailCheckpoint(checkpoint))\n}\n\nexport function buildVaultItemDetailCheckpointPayload(\n checkpoint: VaultItemDetailCheckpoint,\n): string {\n return getCheckpointFingerprint(\n VAULT_ITEM_DETAIL_CHECKPOINT_PREFIX,\n canonicalizeVaultItemDetailCheckpoint(checkpoint),\n )\n}\n\nexport function verifyVaultItemDetailCheckpoint(\n checkpoint: VaultItemDetailCheckpoint,\n signature: string,\n publicKeyPem: string,\n): boolean {\n try {\n return crypto.verify(\n 'sha256',\n Buffer.from(buildVaultItemDetailCheckpointPayload(checkpoint), 'utf8'),\n {\n key: publicKeyPem,\n ...RSA_PSS_SIGN_CONFIG,\n },\n Buffer.from(signature, 'base64'),\n )\n } catch {\n return false\n }\n}\n\nexport function signVaultItemDetailCheckpoint(\n checkpoint: VaultItemDetailCheckpoint,\n privateKeyPem: string,\n): string {\n return crypto.sign(\n 'sha256',\n Buffer.from(buildVaultItemDetailCheckpointPayload(checkpoint), 'utf8'),\n {\n key: privateKeyPem,\n ...RSA_PSS_SIGN_CONFIG,\n },\n ).toString('base64')\n}\n\n/**\n * Checks whether a stored field value is a v3 vault envelope.\n */\nexport function isVaultEnvelope(value: string): boolean {\n if (!value.startsWith('{')) {\n return false\n }\n\n try {\n const parsed = JSON.parse(value) as { v?: number }\n return parsed.v === 3\n } catch {\n return false\n }\n}\n\n/**\n * Decrypts a v3 vault envelope with the provided 32-byte AES vault DEK.\n */\nexport function decryptWithVaultDEK(encryptedValue: string, dek: Buffer): string {\n if 
(!isVaultEnvelope(encryptedValue)) {\n throw new Error('Invalid encrypted value: expected v3 vault envelope format')\n }\n\n const envelope = JSON.parse(encryptedValue) as VaultEnvelope\n const decipher = crypto.createDecipheriv('aes-256-gcm', dek, Buffer.from(envelope.iv, 'base64'))\n decipher.setAuthTag(Buffer.from(envelope.t, 'base64'))\n const decrypted = Buffer.concat([\n decipher.update(Buffer.from(envelope.d, 'base64')),\n decipher.final(),\n ])\n return decrypted.toString('utf8')\n}\n\n/**\n * Returns plaintext for a field value. Plain strings are returned as-is, while\n * v3 envelopes are decrypted with the provided vault DEK.\n */\nexport function decryptStoredFieldValue(value: string, dek: Buffer): string {\n return isVaultEnvelope(value) ? decryptWithVaultDEK(value, dek) : value\n}\n\n/**\n * Encrypts a plaintext field value into a v3 vault envelope. Used by tests.\n */\nexport function encryptWithVaultDEK(value: string, dek: Buffer): string {\n const iv = crypto.randomBytes(12)\n const cipher = crypto.createCipheriv('aes-256-gcm', dek, iv)\n const ciphertext = Buffer.concat([cipher.update(value, 'utf8'), cipher.final()])\n const tag = cipher.getAuthTag()\n\n return JSON.stringify({\n v: 3,\n iv: iv.toString('base64'),\n t: tag.toString('base64'),\n d: ciphertext.toString('base64'),\n } satisfies VaultEnvelope)\n}\n\n/**\n * Unwraps a vault DEK using the agent runtime's local private key.\n */\nexport function unwrapDEKWithPrivateKey(wrappedDek: string, privateKeyPem: string): Buffer {\n return crypto.privateDecrypt(\n { key: privateKeyPem, ...RSA_OAEP_CONFIG },\n Buffer.from(wrappedDek, 'base64'),\n )\n}\n","/**\n * Minimal transparency witness helpers vendored into the public Node SDK so the\n * published package does not depend on unpublished internal workspace packages.\n */\n\nconst TRANSPARENCY_WITNESS_PAYLOAD_PREFIX = 'r4-transparency-witness-v1'\n\nexport const DEFAULT_TRANSPARENCY_WITNESS_URL = 'https://transparency.r4.dev'\n\nexport const 
TRANSPARENCY_WITNESS_ROOT_PUBLIC_KEY_PEM = `-----BEGIN PUBLIC KEY-----\nMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA18JhILFiS/BOWR9laubW\ng2vepQy26BXAlnrscZZVQUzBBaCM4hWobpt3Nh77vxP0gqVAJXP1hVhPPwxGQnOF\n4Qg/RK4iEETjMdmh3KMqFX9MeE9tP4cTOGtsgWsedNpu6TvMT+2vu+0ltmr7p4Xv\nH0ID48Q8JLeNksc/RekrsfzQ9DVtXFS7z1FF2VQgzamdJsW9hGMiM7Q+0iXei7PW\n3PsLd1aNtqJ3lIj3t12qFiJiYyKF0hEq0//Abgb9SgDv/WOlRG1Ianf1/fnP2jer\nZYiZSylXqQdun0Db2d0+FDm/znV2AGAmBEXm6qnCogEHu77LoLyCyJOlB9WNtRwh\nKnbzTmE2Mw/43jxvCcR7pE5kik/tdeMvqGFZfg3ozUG9eM0q0TURH6g9b9J4sBnR\ndxz2PbF4cl/AeL4ANPmLz3kUQaDA6wR0veVk5jV+Uqr55TYz/zEbY1rtJbmnc53Q\nihPS6xtSiexrqnOgqm/AVbiRhxjPqfg3/VJM3zR5Blnu02AqVR9kCT0WkyEWRz5X\n6HU8DEocJIPz8UwBMKQ7rnjMPv/Fjpuav/EIad5vOdfxCZkjyTYoQg8vLUyfXvgD\nmBWFgKIN8GTRyM+LjZIgznjN58dZ8ZvsGd14oKnH7WgAh9FVh8ri7gNmsdJeRTn/\n2zDkTlx+FQxAxqFaYV7qCvcCAwEAAQ==\n-----END PUBLIC KEY-----`\n\nexport type TransparencyWitnessHead = {\n version: number\n hash: string\n}\n\nexport type OrgUserKeyDirectoryWitnessArtifact = {\n version: 1\n kind: 'org-user-key-directory'\n orgId: string\n head: TransparencyWitnessHead\n signature: string\n keyId: string\n publishedAt: string\n}\n\nexport type AgentPublicKeyWitnessArtifact = {\n version: 1\n kind: 'agent-public-key'\n agentId: string\n head: TransparencyWitnessHead\n signature: string\n keyId: string\n publishedAt: string\n}\n\nexport const buildOrgUserKeyDirectoryWitnessPayload = (\n orgId: string,\n head: TransparencyWitnessHead,\n): string =>\n [\n TRANSPARENCY_WITNESS_PAYLOAD_PREFIX,\n 'org-user-key-directory',\n orgId,\n String(head.version),\n head.hash,\n ].join(':')\n\nexport const buildAgentPublicKeyWitnessPayload = (\n agentId: string,\n head: TransparencyWitnessHead,\n): string =>\n [\n TRANSPARENCY_WITNESS_PAYLOAD_PREFIX,\n 'agent-public-key',\n agentId,\n String(head.version),\n head.hash,\n ].join(':')\n\nexport const buildOrgUserKeyDirectoryWitnessPath = (orgId: string): string =>\n `v1/orgs/${orgId}/user-key-directory-head.json`\n\nexport const 
buildTransparencyWitnessUrl = (baseUrl: string, path: string): string =>\n `${baseUrl.replace(/\\/+$/, '')}/${path.replace(/^\\/+/, '')}`\n\nfunction parseHostname(apiBaseUrl: string): string | null {\n const trimmed = apiBaseUrl.trim()\n if (!trimmed) {\n return null\n }\n\n try {\n const normalized = trimmed.includes('://') ? trimmed : `https://${trimmed}`\n return new URL(normalized).hostname.toLowerCase()\n } catch {\n return null\n }\n}\n\nexport const shouldUseDefaultTransparencyWitness = (apiBaseUrl: string): boolean => {\n const hostname = parseHostname(apiBaseUrl)\n return hostname === 'r4.dev' || hostname === 'api.r4.dev'\n}\n","import fs from 'node:fs'\nimport path from 'node:path'\nimport {\n DEFAULT_TRANSPARENCY_WITNESS_URL,\n TRANSPARENCY_WITNESS_ROOT_PUBLIC_KEY_PEM,\n buildOrgUserKeyDirectoryWitnessPath,\n buildTransparencyWitnessUrl,\n shouldUseDefaultTransparencyWitness,\n type OrgUserKeyDirectoryWitnessArtifact,\n} from './transparency'\nimport {\n buildUserKeyDirectoryTransparencyEntry,\n getPublicKeyFingerprint,\n verifyOrgUserKeyDirectoryWitnessArtifact,\n verifyUserKeyDirectoryCheckpoint,\n verifyUserKeyDirectoryTransparencyProof,\n verifyUserKeyRotation,\n} from './crypto'\nimport type {\n MachineVaultUserKeyDirectoryResponse,\n MachineVaultUserPublicKey,\n} from './types'\n\ntype PublicKeyPinRecord = {\n keyPairId: string\n fingerprint: string\n publicKey: string\n pinnedAt: string\n verifiedAt: string\n}\n\ntype TrustStore = {\n version: 1\n userKeyPins: Record<string, PublicKeyPinRecord>\n checkpointVersionPins: Record<string, number>\n transparencyHeadPins: Record<string, { version: number; hash: string }>\n}\n\nfunction loadTrustStore(trustStorePath: string): TrustStore {\n try {\n const raw = fs.readFileSync(trustStorePath, 'utf8')\n const parsed = JSON.parse(raw) as Partial<TrustStore>\n return {\n version: 1,\n userKeyPins: parsed.userKeyPins ?? {},\n checkpointVersionPins: parsed.checkpointVersionPins ?? 
{},\n transparencyHeadPins: parsed.transparencyHeadPins ?? {},\n }\n } catch {\n return {\n version: 1,\n userKeyPins: {},\n checkpointVersionPins: {},\n transparencyHeadPins: {},\n }\n }\n}\n\nfunction saveTrustStore(trustStorePath: string, store: TrustStore): void {\n fs.mkdirSync(path.dirname(trustStorePath), { recursive: true })\n fs.writeFileSync(trustStorePath, JSON.stringify(store, null, 2) + '\\n', 'utf8')\n}\n\nfunction getPinStorageKey(orgId: string, orgUserId: string): string {\n return `${orgId}:${orgUserId}`\n}\n\nfunction getDirectoryPinStorageKey(orgId: string): string {\n return `org:${orgId}`\n}\n\nasync function fetchWitnessArtifact<T>(pathName: string): Promise<T> {\n const response = await fetch(\n buildTransparencyWitnessUrl(DEFAULT_TRANSPARENCY_WITNESS_URL, pathName),\n {\n cache: 'no-store',\n },\n )\n\n if (!response.ok) {\n throw new Error(\n `Failed to fetch public transparency witness artifact (${response.status}). ` +\n 'Production first-trust bootstrapping needs access to https://transparency.r4.dev. ' +\n 'If this is a dev environment, re-run with --dev or set R4_DEV=1. ' +\n 'If this is production, verify outbound access to transparency.r4.dev and retry.',\n )\n }\n\n return response.json() as Promise<T>\n}\n\nexport function getPinnedTransparencyHead(\n trustStorePath: string,\n orgId: string,\n): { version: number; hash: string } | null {\n const store = loadTrustStore(trustStorePath)\n return store.transparencyHeadPins[getDirectoryPinStorageKey(orgId)] ?? null\n}\n\nexport function getSinglePinnedTransparencyHead(\n trustStorePath: string,\n): { version: number; hash: string } | null {\n const store = loadTrustStore(trustStorePath)\n const heads = Object.values(store.transparencyHeadPins)\n return heads.length === 1 ? heads[0]! 
: null\n}\n\nexport async function getPublicOrgWitnessHead(\n apiBaseUrl: string,\n orgId: string,\n): Promise<{ version: number; hash: string } | null> {\n if (!shouldUseDefaultTransparencyWitness(apiBaseUrl)) {\n return null\n }\n\n const artifact = await fetchWitnessArtifact<OrgUserKeyDirectoryWitnessArtifact>(\n buildOrgUserKeyDirectoryWitnessPath(orgId),\n )\n\n if (\n artifact.kind !== 'org-user-key-directory' ||\n artifact.orgId !== orgId ||\n !verifyOrgUserKeyDirectoryWitnessArtifact(\n artifact,\n TRANSPARENCY_WITNESS_ROOT_PUBLIC_KEY_PEM,\n )\n ) {\n throw new Error(`Public transparency witness verification failed for org ${orgId}.`)\n }\n\n return artifact.head\n}\n\nasync function pinVaultUserPublicKeys(\n trustStorePath: string,\n orgId: string,\n publicKeys: MachineVaultUserPublicKey[],\n): Promise<MachineVaultUserPublicKey[]> {\n const store = loadTrustStore(trustStorePath)\n let changed = false\n\n for (const key of publicKeys) {\n const storageKey = getPinStorageKey(orgId, key.orgUserId)\n const computedFingerprint = getPublicKeyFingerprint(key.publicKey)\n\n if (computedFingerprint !== key.fingerprint) {\n throw new Error(`Server returned a mismatched fingerprint for user ${key.orgUserId}.`)\n }\n\n const existing = store.userKeyPins[storageKey]\n const verifiedAt = new Date().toISOString()\n\n if (!existing) {\n store.userKeyPins[storageKey] = {\n keyPairId: key.userKeyPairId,\n fingerprint: key.fingerprint,\n publicKey: key.publicKey,\n pinnedAt: verifiedAt,\n verifiedAt,\n }\n changed = true\n continue\n }\n\n if (existing.keyPairId === key.userKeyPairId) {\n if (existing.fingerprint !== key.fingerprint || existing.publicKey !== key.publicKey) {\n throw new Error(\n `Pinned public key ${key.userKeyPairId} changed unexpectedly for user ${key.orgUserId}.`,\n )\n }\n\n if (existing.verifiedAt !== verifiedAt) {\n store.userKeyPins[storageKey] = {\n ...existing,\n verifiedAt,\n }\n changed = true\n }\n continue\n }\n\n if (!key.previousUserKeyPairId 
|| key.previousUserKeyPairId !== existing.keyPairId || !key.rotationSignature) {\n throw new Error(`Public key rotation for user ${key.orgUserId} is missing a trusted continuity proof.`)\n }\n\n const rotationVerified = verifyUserKeyRotation(\n existing.keyPairId,\n key.publicKey,\n key.rotationSignature,\n existing.publicKey,\n )\n\n if (!rotationVerified) {\n throw new Error(`Public key rotation for user ${key.orgUserId} failed signature verification.`)\n }\n\n store.userKeyPins[storageKey] = {\n keyPairId: key.userKeyPairId,\n fingerprint: key.fingerprint,\n publicKey: key.publicKey,\n pinnedAt: existing.pinnedAt,\n verifiedAt,\n }\n changed = true\n }\n\n if (changed) {\n saveTrustStore(trustStorePath, store)\n }\n\n return publicKeys\n}\n\nasync function verifySignedUserKeyDirectory(\n trustStorePath: string,\n directory: MachineVaultUserKeyDirectoryResponse,\n anchorHead?: { version: number; hash: string } | null,\n): Promise<string | null> {\n if (!directory.directoryCheckpoint) {\n if (directory.publicKeys.length > 0) {\n throw new Error('Server omitted the user-key directory checkpoint for a non-empty vault signer directory.')\n }\n return null\n }\n\n const { directoryCheckpoint } = directory\n const orgId = directoryCheckpoint.checkpoint.orgId\n\n if (!directoryCheckpoint.signerOrgUserId || !directoryCheckpoint.signerPublicKey) {\n throw new Error('Server returned an incomplete user-key directory signer payload.')\n }\n\n const signerFingerprint = getPublicKeyFingerprint(directoryCheckpoint.signerPublicKey)\n const signerEntry = directoryCheckpoint.checkpoint.entries.find(\n (entry) =>\n entry.userKeyPairId === directoryCheckpoint.signerUserKeyPairId &&\n entry.orgUserId === directoryCheckpoint.signerOrgUserId,\n )\n const signerKey: MachineVaultUserPublicKey = {\n userKeyPairId: directoryCheckpoint.signerUserKeyPairId,\n orgUserId: directoryCheckpoint.signerOrgUserId,\n publicKey: directoryCheckpoint.signerPublicKey,\n fingerprint: signerFingerprint,\n 
previousUserKeyPairId: signerEntry?.previousUserKeyPairId ?? null,\n rotationSignature: signerEntry?.rotationSignature ?? null,\n }\n const storeBeforeVerification = loadTrustStore(trustStorePath)\n\n try {\n await pinVaultUserPublicKeys(trustStorePath, orgId, [signerKey])\n\n const verified = verifyUserKeyDirectoryCheckpoint(\n directoryCheckpoint.checkpoint,\n directoryCheckpoint.signature,\n directoryCheckpoint.signerPublicKey,\n )\n\n if (!verified) {\n throw new Error(`User-key directory signature verification failed for org ${orgId}.`)\n }\n if (!directory.transparency) {\n throw new Error(`Server omitted the user-key directory transparency proof for org ${orgId}.`)\n }\n\n const store = loadTrustStore(trustStorePath)\n const pinnedTransparencyHead = store.transparencyHeadPins[getDirectoryPinStorageKey(orgId)] ?? null\n const trustedPreviousHead = anchorHead ?? pinnedTransparencyHead\n const legacyPinnedVersion = store.checkpointVersionPins[getDirectoryPinStorageKey(orgId)] ?? null\n\n if (!trustedPreviousHead && legacyPinnedVersion !== null && directory.transparency.head.version < legacyPinnedVersion) {\n throw new Error(`User-key transparency head rolled back unexpectedly for org ${orgId}.`)\n }\n\n if (!trustedPreviousHead && directory.transparency.entries.length === 0) {\n throw new Error(`Server omitted the current transparency entry for org ${orgId}.`)\n }\n\n if (directory.transparency.entries.length > 0) {\n const currentProofEntry = directory.transparency.entries[directory.transparency.entries.length - 1]\n if (!currentProofEntry) {\n throw new Error(`Server returned an empty transparency proof for org ${orgId}.`)\n }\n\n const expectedCurrentEntry = buildUserKeyDirectoryTransparencyEntry({\n checkpoint: directoryCheckpoint.checkpoint,\n signerUserKeyPairId: directoryCheckpoint.signerUserKeyPairId,\n signerOrgUserId: directoryCheckpoint.signerOrgUserId,\n signerPublicKey: directoryCheckpoint.signerPublicKey,\n signature: 
directoryCheckpoint.signature,\n previousEntryHash: currentProofEntry.previousEntryHash ?? null,\n })\n\n if (expectedCurrentEntry.entryHash !== currentProofEntry.entryHash) {\n throw new Error(`User-key transparency entry does not match the signed directory for org ${orgId}.`)\n }\n\n if (anchorHead && directory.transparency.head.version === anchorHead.version) {\n if (directory.transparency.head.hash !== anchorHead.hash) {\n throw new Error(`Public transparency witness head fork detected for org ${orgId}.`)\n }\n\n if (\n currentProofEntry.entryHash !== anchorHead.hash ||\n expectedCurrentEntry.entryHash !== anchorHead.hash\n ) {\n throw new Error(`User-key transparency witness anchor mismatch for org ${orgId}.`)\n }\n } else if (\n !verifyUserKeyDirectoryTransparencyProof({\n currentEntry: expectedCurrentEntry,\n proof: directory.transparency,\n previousHead: trustedPreviousHead,\n })\n ) {\n throw new Error(`User-key transparency proof verification failed for org ${orgId}.`)\n }\n } else if (\n anchorHead &&\n directory.transparency.head.version === anchorHead.version\n ) {\n throw new Error(`Server omitted the current transparency entry required to verify org ${orgId} against the public witness.`)\n } else if (\n !trustedPreviousHead ||\n trustedPreviousHead.version !== directory.transparency.head.version ||\n trustedPreviousHead.hash !== directory.transparency.head.hash\n ) {\n throw new Error(`Server returned an incomplete user-key transparency proof for org ${orgId}.`)\n }\n\n assertAndPinTransparencyHead(trustStorePath, orgId, directory.transparency.head)\n\n const checkpointEntries = new Map(\n directoryCheckpoint.checkpoint.entries.map((entry) => [entry.userKeyPairId, entry]),\n )\n\n for (const key of directory.publicKeys) {\n const entry = checkpointEntries.get(key.userKeyPairId)\n\n if (!entry) {\n throw new Error(`User key ${key.userKeyPairId} is missing from the signed org directory.`)\n }\n\n if (\n entry.orgUserId !== key.orgUserId ||\n 
entry.fingerprint !== key.fingerprint ||\n entry.previousUserKeyPairId !== key.previousUserKeyPairId ||\n entry.rotationSignature !== key.rotationSignature\n ) {\n throw new Error(`User key ${key.userKeyPairId} does not match the signed org directory.`)\n }\n }\n\n return orgId\n } catch (error) {\n saveTrustStore(trustStorePath, storeBeforeVerification)\n throw error\n }\n}\n\n/**\n * Verifies the signed org directory first, then advances local per-user pins\n * only for the vault principals covered by that trusted directory.\n */\nexport async function verifyAndPinVaultUserPublicKeys(\n trustStorePath: string,\n directory: MachineVaultUserKeyDirectoryResponse,\n anchorHead?: { version: number; hash: string } | null,\n): Promise<MachineVaultUserPublicKey[]> {\n const orgId = await verifySignedUserKeyDirectory(trustStorePath, directory, anchorHead)\n if (!orgId) {\n return directory.publicKeys\n }\n return pinVaultUserPublicKeys(trustStorePath, orgId, directory.publicKeys)\n}\n\n/**\n * Rejects rollbacked checkpoint versions and persists the newest version so\n * subsequent SDK runs continue to enforce monotonic metadata history.\n */\nexport function assertAndPinCheckpointVersion(\n trustStorePath: string,\n storageKey: string,\n version: number,\n): void {\n const store = loadTrustStore(trustStorePath)\n const pinnedVersion = store.checkpointVersionPins[storageKey]\n\n if (pinnedVersion !== undefined && version < pinnedVersion) {\n throw new Error(`Checkpoint version rolled back unexpectedly for ${storageKey}.`)\n }\n\n if (pinnedVersion === undefined || version > pinnedVersion) {\n store.checkpointVersionPins[storageKey] = version\n saveTrustStore(trustStorePath, store)\n }\n}\n\nfunction assertAndPinTransparencyHead(\n trustStorePath: string,\n orgId: string,\n head: { version: number; hash: string },\n): void {\n const store = loadTrustStore(trustStorePath)\n const storageKey = getDirectoryPinStorageKey(orgId)\n const pinnedHead = 
store.transparencyHeadPins[storageKey]\n\n if (pinnedHead) {\n if (head.version < pinnedHead.version) {\n throw new Error(`User-key transparency head rolled back unexpectedly for org ${orgId}.`)\n }\n\n if (head.version === pinnedHead.version && head.hash !== pinnedHead.hash) {\n throw new Error(`User-key transparency head fork detected for org ${orgId}.`)\n }\n }\n\n if (!pinnedHead || head.version > pinnedHead.version) {\n store.transparencyHeadPins[storageKey] = head\n saveTrustStore(trustStorePath, store)\n }\n\n assertAndPinCheckpointVersion(trustStorePath, storageKey, head.version)\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,IAAAA,oBAAiB;;;ACsBV,IAAM,WAAN,MAAe;AAAA,EACH;AAAA,EACA;AAAA,EAEjB,YAAY,QAAgB,SAAiB;AAC3C,SAAK,SAAS;AACd,SAAK,UAAU,QAAQ,QAAQ,OAAO,EAAE;AAAA,EAC1C;AAAA,EAEQ,eAAuC;AAC7C,WAAO;AAAA,MACL,aAAa,KAAK;AAAA,MAClB,gBAAgB;AAAA,IAClB;AAAA,EACF;AAAA,EAEA,MAAc,QAAWC,OAAc,MAA+B;AACpE,UAAM,WAAW,MAAM,MAAM,GAAG,KAAK,OAAO,GAAGA,KAAI,IAAI;AAAA,MACrD,GAAG;AAAA,MACH,SAAS;AAAA,QACP,GAAG,KAAK,aAAa;AAAA,QACrB,GAAI,KAAK,WAAW,CAAC;AAAA,MACvB;AAAA,IACF,CAAC;AAED,QAAI,CAAC,SAAS,IAAI;AAChB,YAAM,YAAa,MAAM,SAAS,KAAK,EAAE,MAAM,OAAO,CAAC,EAAE;AACzD,YAAM,eACJ,OAAO,UAAU,OAAO,YAAY,WAChC,UAAU,MAAM,UAChB,QAAQ,SAAS,MAAM,KAAK,SAAS,UAAU;AACrD,YAAM,YACJ,OAAO,UAAU,OAAO,SAAS,WAC7B,KAAK,UAAU,MAAM,IAAI,MACzB;AACN,YAAM,IAAI,MAAM,eAAe,SAAS,KAAK,YAAY,EAAE;AAAA,IAC7D;AAEA,QAAI,SAAS,WAAW,KAAK;AAC3B,aAAO;AAAA,IACT;AAEA,WAAO,SAAS,KAAK;AAAA,EACvB;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,uBACJ,MACwC;AACxC,WAAO,KAAK,QAAuC,oCAAoC;AAAA,MACrF,QAAQ;AAAA,MACR,MAAM,KAAK,UAAU,IAAI;AAAA,IAC3B,CAAC;AAAA,EACH;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,MAAM,WAAW,WAAwD;AACvE,UAAM,SAAS,YACX,cAAc,mBAAmB,SAAS,CAAC,KAC3C;AACJ,WAAO,KAAK,QAAmC,wBAAwB,MAAM,IAAI;AAAA,MAC/E,QAAQ;AAAA,IACV,CAAC;AAAA,EACH;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,mBAAmB,SAAqD;AAC5E,WAAO,KAAK;AAAA,MACV,yBAAyB,mBAAmB,OAAO,CAAC;AAAA,MACpD,EAAE,QAAQ,MAAM;AAAA,IAClB;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,MAAM,yBACJ,SACA,QAI+C;AAC/C,UA
AM,eAAe,IAAI,gBAAgB;AACzC,QAAI,QAAQ,6BAA6B,QAAW;AAClD,mBAAa,IAAI,4BAA4B,OAAO,OAAO,wBAAwB,CAAC;AAAA,IACtF;AACA,QAAI,QAAQ,uBAAuB;AACjC,mBAAa,IAAI,yBAAyB,OAAO,qBAAqB;AAAA,IACxE;AACA,UAAM,SAAS,aAAa,OAAO,IAAI,IAAI,aAAa,SAAS,CAAC,KAAK;AAEvE,WAAO,KAAK;AAAA,MACV,yBAAyB,mBAAmB,OAAO,CAAC,eAAe,MAAM;AAAA,MACzE,EAAE,QAAQ,MAAM;AAAA,IAClB;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,eAAe,SAAyD;AAC5E,WAAO,KAAK;AAAA,MACV,yBAAyB,mBAAmB,OAAO,CAAC;AAAA,MACpD,EAAE,QAAQ,MAAM;AAAA,IAClB;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,mBACJ,SACA,QACyC;AACzC,WAAO,KAAK;AAAA,MACV,yBAAyB,mBAAmB,OAAO,CAAC,UAAU,mBAAmB,MAAM,CAAC;AAAA,MACxF,EAAE,QAAQ,MAAM;AAAA,IAClB;AAAA,EACF;AACF;;;ACtJA,yBAAmB;AACnB,qBAAe;AACf,uBAAiB;;;ACGjB,IAAM,sCAAsC;AAErC,IAAM,mCAAmC;AAEzC,IAAM,2CAA2C;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAwCjD,IAAM,yCAAyC,CACpD,OACA,SAEA;AAAA,EACE;AAAA,EACA;AAAA,EACA;AAAA,EACA,OAAO,KAAK,OAAO;AAAA,EACnB,KAAK;AACP,EAAE,KAAK,GAAG;AAcL,IAAM,sCAAsC,CAAC,UAClD,WAAW,KAAK;AAEX,IAAM,8BAA8B,CAAC,SAAiBC,UAC3D,GAAG,QAAQ,QAAQ,QAAQ,EAAE,CAAC,IAAIA,MAAK,QAAQ,QAAQ,EAAE,CAAC;AAE5D,SAAS,cAAc,YAAmC;AACxD,QAAM,UAAU,WAAW,KAAK;AAChC,MAAI,CAAC,SAAS;AACZ,WAAO;AAAA,EACT;AAEA,MAAI;AACF,UAAM,aAAa,QAAQ,SAAS,KAAK,IAAI,UAAU,WAAW,OAAO;AACzE,WAAO,IAAI,IAAI,UAAU,EAAE,SAAS,YAAY;AAAA,EAClD,QAAQ;AACN,WAAO;AAAA,EACT;AACF;AAEO,IAAM,sCAAsC,CAAC,eAAgC;AAClF,QAAM,WAAW,cAAc,UAAU;AACzC,SAAO,aAAa,YAAY,aAAa;AAC/C;;;AD9EA,IAAM,kBAAkB;AAAA,EACtB,SAAS,mBAAAC,QAAO,UAAU;AAAA,EAC1B,UAAU;AACZ;AAEA,IAAM,sBAAsB;AAAA,EAC1B,SAAS,mBAAAA,QAAO,UAAU;AAAA,EAC1B,YAAY;AACd;AAEA,IAAM,2BAA2B;AACjC,IAAM,uCAAuC;AAC7C,IAAM,+CAA+C;AACrD,IAAM,+BAA+B;AACrC,IAAM,kCAAkC;AACxC,IAAM,sCAAsC;AAS5C,SAAS,SAAS,KAAa,YAAoB,UAA0B;AAC3E,QAAM,YAAY,IACf,QAAQ,YAAY,EAAE,EACtB,QAAQ,UAAU,EAAE,EACpB,QAAQ,OAAO,EAAE;AAEpB,SAAO,OAAO,KAAK,WAAW,QAAQ;AACxC;AAEA,SAAS,yBAAyB,YAA4B;AAC5D,SAAO,mBAAAA,QAAO,WAAW,QAAQ,EAAE,OAAO,OAAO,KAAK,YAAY,QAAQ,CAAC,EAAE,OAAO,KAAK;AAC3F;AAEA,SAAS,yBAAyB,QAAgB,eAA+B;AAC/E,SAAO,GAAG,MAAM,IAAI,mBAAAA,QAAO,WAAW,QAAQ,EAAE,OAAO,eAAe,MAAM,EAAE,OAAO
,KAAK,CAAC;AAC7F;AAKO,SAAS,eAAe,gBAAgC;AAC7D,SAAO,eAAAC,QAAG,aAAa,iBAAAC,QAAK,QAAQ,cAAc,GAAG,MAAM,EAAE,KAAK;AACpE;AAKO,SAAS,gBAAgB,eAA+B;AAC7D,SAAO,mBAAAF,QAAO,gBAAgB,aAAa,EAAE,OAAO;AAAA,IAClD,MAAM;AAAA,IACN,QAAQ;AAAA,EACV,CAAC,EAAE,SAAS;AACd;AAMO,SAAS,wBAAwB,cAA8B;AACpE,QAAM,WAAW,SAAS,cAAc,8BAA8B,0BAA0B;AAChG,SAAO,mBAAAA,QAAO,WAAW,QAAQ,EAAE,OAAO,QAAQ,EAAE,OAAO,KAAK;AAClE;AAEA,SAAS,4BAA4B,uBAA+B,yBAAyC;AAC3G,SAAO,GAAG,wBAAwB,IAAI,qBAAqB,IAAI,uBAAuB;AACxF;AA4BO,SAAS,sBACd,uBACA,iBACA,mBACA,sBACS;AACT,QAAM,UAAU;AAAA,IACd;AAAA,IACA,wBAAwB,eAAe;AAAA,EACzC;AAEA,MAAI;AACF,WAAO,mBAAAG,QAAO;AAAA,MACZ;AAAA,MACA,OAAO,KAAK,SAAS,MAAM;AAAA,MAC3B;AAAA,QACE,KAAK;AAAA,QACL,GAAG;AAAA,MACL;AAAA,MACA,OAAO,KAAK,mBAAmB,QAAQ;AAAA,IACzC;AAAA,EACF,QAAQ;AACN,WAAO;AAAA,EACT;AACF;AAEO,SAAS,iCACd,SACA,WACA,cACS;AACT,MAAI;AACF,WAAO,mBAAAA,QAAO;AAAA,MACZ;AAAA,MACA,OAAO,KAAK,SAAS,MAAM;AAAA,MAC3B;AAAA,QACE,KAAK;AAAA,QACL,GAAG;AAAA,MACL;AAAA,MACA,OAAO,KAAK,WAAW,QAAQ;AAAA,IACjC;AAAA,EACF,QAAQ;AACN,WAAO;AAAA,EACT;AACF;AAEO,SAAS,yCACd,UACA,cACS;AACT,SAAO;AAAA,IACL,uCAAuC,SAAS,OAAO,SAAS,IAAI;AAAA,IACpE,SAAS;AAAA,IACT;AAAA,EACF;AACF;AAaO,SAAS,oCACd,YAC4B;AAC5B,SAAO;AAAA,IACL,OAAO,WAAW;AAAA,IAClB,SAAS,WAAW;AAAA,IACpB,SAAS,CAAC,GAAG,WAAW,OAAO,EAC5B,IAAI,CAAC,WAAW;AAAA,MACf,eAAe,MAAM;AAAA,MACrB,WAAW,MAAM;AAAA,MACjB,aAAa,MAAM;AAAA,MACnB,uBAAuB,MAAM,yBAAyB;AAAA,MACtD,mBAAmB,MAAM,qBAAqB;AAAA,IAChD,EAAE,EACD,KAAK,CAAC,MAAM,UAAU,KAAK,cAAc,cAAc,MAAM,aAAa,CAAC;AAAA,EAChF;AACF;AAEO,SAAS,uCACd,YACQ;AACR,SAAO,KAAK,UAAU,oCAAoC,UAAU,CAAC;AACvE;AAEO,SAAS,uCACd,YACQ;AACR,SAAO;AAAA,IACL;AAAA,IACA,uCAAuC,UAAU;AAAA,EACnD;AACF;AAgBO,SAAS,iCACd,YACA,WACA,cACS;AACT,MAAI;AACF,WAAO,mBAAAC,QAAO;AAAA,MACZ;AAAA,MACA,OAAO,KAAK,uCAAuC,UAAU,GAAG,MAAM;AAAA,MACtE;AAAA,QACE,KAAK;AAAA,QACL,GAAG;AAAA,MACL;AAAA,MACA,OAAO,KAAK,WAAW,QAAQ;AAAA,IACjC;AAAA,EACF,QAAQ;AACN,WAAO;AAAA,EACT;AACF;AAEO,SAAS,2CACd,OACQ;AACR,SAAO;AAAA,IACL;AAAA,IACA,KAAK,UAAU;AAAA,MACb,OAAO,MAAM;AAAA,MACb,SAAS,MAAM;AAAA,MACf,4BAA4B,MAAM;AAAA,MAClC,qBAAqB,MAAM;AAAA,MAC3B
,iBAAiB,MAAM;AAAA,MACvB,mBAAmB,MAAM;AAAA,MACzB,WAAW,MAAM;AAAA,MACjB,mBAAmB,MAAM,qBAAqB;AAAA,IAChD,CAAC;AAAA,EACH;AACF;AAEO,SAAS,uCAAuC,QAOjB;AACpC,QAAM,mBAAmB;AAAA,IACvB,OAAO,OAAO,WAAW;AAAA,IACzB,SAAS,OAAO,WAAW;AAAA,IAC3B,4BAA4B,uCAAuC,OAAO,UAAU;AAAA,IACpF,qBAAqB,OAAO;AAAA,IAC5B,iBAAiB,OAAO;AAAA,IACxB,mBAAmB,wBAAwB,OAAO,eAAe;AAAA,IACjE,WAAW,OAAO;AAAA,IAClB,mBAAmB,OAAO,qBAAqB;AAAA,EACjD;AAEA,SAAO;AAAA,IACL,GAAG;AAAA,IACH,WAAW,2CAA2C,gBAAgB;AAAA,EACxE;AACF;AAEO,SAAS,wCAAwC,QAI5C;AACV,MACE,OAAO,MAAM,KAAK,YAAY,OAAO,aAAa,WAClD,OAAO,MAAM,KAAK,SAAS,OAAO,aAAa,WAC/C;AACA,WAAO;AAAA,EACT;AAEA,MAAI,CAAC,OAAO,cAAc;AACxB,QAAI,OAAO,MAAM,QAAQ,WAAW,GAAG;AACrC,aAAO;AAAA,IACT;AAEA,aAAS,QAAQ,GAAG,QAAQ,OAAO,MAAM,QAAQ,QAAQ,SAAS;AAChE,YAAM,QAAQ,OAAO,MAAM,QAAQ,KAAK;AACxC,UAAI,CAAC,OAAO;AACV,eAAO;AAAA,MACT;AAEA,YAAM,eAAe,2CAA2C;AAAA,QAC9D,OAAO,MAAM;AAAA,QACb,SAAS,MAAM;AAAA,QACf,4BAA4B,MAAM;AAAA,QAClC,qBAAqB,MAAM;AAAA,QAC3B,iBAAiB,MAAM;AAAA,QACvB,mBAAmB,MAAM;AAAA,QACzB,WAAW,MAAM;AAAA,QACjB,mBAAmB,MAAM;AAAA,MAC3B,CAAC;AAED,UAAI,iBAAiB,MAAM,WAAW;AACpC,eAAO;AAAA,MACT;AAEA,UAAI,UAAU,GAAG;AACf;AAAA,MACF;AAEA,YAAM,gBAAgB,OAAO,MAAM,QAAQ,QAAQ,CAAC;AACpD,UAAI,CAAC,eAAe;AAClB,eAAO;AAAA,MACT;AAEA,UAAI,MAAM,sBAAsB,cAAc,aAAa,MAAM,YAAY,cAAc,UAAU,GAAG;AACtG,eAAO;AAAA,MACT;AAAA,IACF;AAEA,UAAM,YAAY,OAAO,MAAM,QAAQ,OAAO,MAAM,QAAQ,SAAS,CAAC;AACtE,WAAO,WAAW,cAAc,OAAO,aAAa,aAAa,UAAU,YAAY,OAAO,aAAa;AAAA,EAC7G;AAEA,MAAI,OAAO,aAAa,UAAU,OAAO,aAAa,SAAS;AAC7D,WAAO;AAAA,EACT;AAEA,MAAI,OAAO,aAAa,YAAY,OAAO,aAAa,SAAS;AAC/D,WAAO,OAAO,aAAa,cAAc,OAAO,aAAa,QAAQ,OAAO,MAAM,QAAQ,WAAW;AAAA,EACvG;AAEA,MAAI,OAAO,MAAM,QAAQ,WAAW,GAAG;AACrC,WAAO;AAAA,EACT;AAEA,MAAI,kBAAkB,OAAO,aAAa;AAC1C,MAAI,eAAe,OAAO,aAAa;AAEvC,aAAW,SAAS,OAAO,MAAM,SAAS;AACxC,UAAM,eAAe,2CAA2C;AAAA,MAC9D,OAAO,MAAM;AAAA,MACb,SAAS,MAAM;AAAA,MACf,4BAA4B,MAAM;AAAA,MAClC,qBAAqB,MAAM;AAAA,MAC3B,iBAAiB,MAAM;AAAA,MACvB,mBAAmB,MAAM;AAAA,MACzB,WAAW,MAAM;AAAA,MACjB,mBAAmB,MAAM;AAAA,IAC3B,CAAC;AAED,QACE,iBAAiB,MAAM,aACvB,MAAM,sBAAsB,gBAC5B,MAAM,YAAY,kBAAkB,GACpC;AACA,aAAO;AAAA,IAC
T;AAEA,sBAAkB,MAAM;AACxB,mBAAe,MAAM;AAAA,EACvB;AAEA,SAAO,iBAAiB,OAAO,aAAa,aAAa,oBAAoB,OAAO,aAAa;AACnG;AAEA,SAAS,gCACP,SACA,gBACA,qBACA,YACA,YACQ;AACR,SAAO;AAAA,IACL;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA,OAAO,UAAU;AAAA,IACjB,yBAAyB,UAAU;AAAA,EACrC,EAAE,KAAK,GAAG;AACZ;AAkCO,SAAS,0BACd,SACA,gBACA,qBACA,YACA,YACA,qBACA,oBACS;AACT,QAAM,UAAU;AAAA,IACd;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,EACF;AAEA,MAAI;AACF,WAAO,mBAAAC,QAAO;AAAA,MACZ;AAAA,MACA,OAAO,KAAK,SAAS,MAAM;AAAA,MAC3B;AAAA,QACE,KAAK;AAAA,QACL,GAAG;AAAA,MACL;AAAA,MACA,OAAO,KAAK,qBAAqB,QAAQ;AAAA,IAC3C;AAAA,EACF,QAAQ;AACN,WAAO;AAAA,EACT;AACF;AAEO,SAAS,gCACd,YACwB;AACxB,SAAO;AAAA,IACL,SAAS,WAAW;AAAA,IACpB,SAAS,WAAW;AAAA,IACpB,MAAM,WAAW;AAAA,IACjB,oBAAoB,WAAW,sBAAsB;AAAA,IACrD,mBAAmB,WAAW,qBAAqB;AAAA,IACnD,OAAO,CAAC,GAAG,WAAW,KAAK,EACxB,IAAI,CAAC,UAAU;AAAA,MACd,IAAI,KAAK;AAAA,MACT,MAAM,KAAK;AAAA,MACX,MAAM,KAAK,QAAQ;AAAA,MACnB,UAAU,CAAC,GAAG,KAAK,QAAQ;AAAA,MAC3B,SAAS,KAAK,WAAW;AAAA,IAC3B,EAAE,EACD,KAAK,CAAC,MAAM,UAAU,KAAK,GAAG,cAAc,MAAM,EAAE,CAAC;AAAA,IACxD,QAAQ,CAAC,GAAG,WAAW,MAAM,EAC1B,IAAI,CAAC,WAAW;AAAA,MACf,IAAI,MAAM;AAAA,MACV,MAAM,MAAM;AAAA,MACZ,UAAU,MAAM,YAAY;AAAA,IAC9B,EAAE,EACD,KAAK,CAAC,MAAM,UAAU,KAAK,GAAG,cAAc,MAAM,EAAE,CAAC;AAAA,EAC1D;AACF;AAEO,SAAS,mCACd,YACQ;AACR,SAAO,KAAK,UAAU,gCAAgC,UAAU,CAAC;AACnE;AAEO,SAAS,mCACd,YACQ;AACR,SAAO;AAAA,IACL;AAAA,IACA,mCAAmC,UAAU;AAAA,EAC/C;AACF;AAEO,SAAS,6BACd,YACA,WACA,cACS;AACT,MAAI;AACF,WAAO,mBAAAA,QAAO;AAAA,MACZ;AAAA,MACA,OAAO,KAAK,mCAAmC,UAAU,GAAG,MAAM;AAAA,MAClE;AAAA,QACE,KAAK;AAAA,QACL,GAAG;AAAA,MACL;AAAA,MACA,OAAO,KAAK,WAAW,QAAQ;AAAA,IACjC;AAAA,EACF,QAAQ;AACN,WAAO;AAAA,EACT;AACF;AAgBO,SAAS,mCACd,YAC2B;AAC3B,SAAO;AAAA,IACL,aAAa,WAAW;AAAA,IACxB,SAAS,WAAW;AAAA,IACpB,SAAS,WAAW;AAAA,IACpB,MAAM,WAAW;AAAA,IACjB,MAAM,WAAW,QAAQ;AAAA,IACzB,UAAU,CAAC,GAAG,WAAW,QAAQ;AAAA,IACjC,SAAS,WAAW,WAAW;AAAA,IAC/B,QAAQ,CAAC,GAAG,WAAW,MAAM,EAC1B,IAAI,CAAC,WAAW;AAAA,MACf,IAAI,MAAM;AAAA,MACV,MAAM,MAAM;AAAA,MACZ,MAAM,MAAM;AAAA,MACZ,OAAO,MAAM;AAAA,MACb,kBAAkB,CAAC,GAAG,MAAM,gBAAgB,EAAE
,KAAK;AAAA,MACnD,UAAU,CAAC,GAAG,MAAM,QAAQ,EAAE,KAAK;AAAA,IACrC,EAAE,EACD,KAAK,CAAC,MAAM,UAAU,KAAK,QAAQ,MAAM,SAAS,KAAK,GAAG,cAAc,MAAM,EAAE,CAAC;AAAA,EACtF;AACF;AAEO,SAAS,sCACd,YACQ;AACR,SAAO,KAAK,UAAU,mCAAmC,UAAU,CAAC;AACtE;AAEO,SAAS,sCACd,YACQ;AACR,SAAO;AAAA,IACL;AAAA,IACA,sCAAsC,UAAU;AAAA,EAClD;AACF;AAEO,SAAS,gCACd,YACA,WACA,cACS;AACT,MAAI;AACF,WAAO,mBAAAC,QAAO;AAAA,MACZ;AAAA,MACA,OAAO,KAAK,sCAAsC,UAAU,GAAG,MAAM;AAAA,MACrE;AAAA,QACE,KAAK;AAAA,QACL,GAAG;AAAA,MACL;AAAA,MACA,OAAO,KAAK,WAAW,QAAQ;AAAA,IACjC;AAAA,EACF,QAAQ;AACN,WAAO;AAAA,EACT;AACF;AAmBO,SAAS,gBAAgB,OAAwB;AACtD,MAAI,CAAC,MAAM,WAAW,GAAG,GAAG;AAC1B,WAAO;AAAA,EACT;AAEA,MAAI;AACF,UAAM,SAAS,KAAK,MAAM,KAAK;AAC/B,WAAO,OAAO,MAAM;AAAA,EACtB,QAAQ;AACN,WAAO;AAAA,EACT;AACF;AAKO,SAAS,oBAAoB,gBAAwB,KAAqB;AAC/E,MAAI,CAAC,gBAAgB,cAAc,GAAG;AACpC,UAAM,IAAI,MAAM,4DAA4D;AAAA,EAC9E;AAEA,QAAM,WAAW,KAAK,MAAM,cAAc;AAC1C,QAAM,WAAW,mBAAAC,QAAO,iBAAiB,eAAe,KAAK,OAAO,KAAK,SAAS,IAAI,QAAQ,CAAC;AAC/F,WAAS,WAAW,OAAO,KAAK,SAAS,GAAG,QAAQ,CAAC;AACrD,QAAM,YAAY,OAAO,OAAO;AAAA,IAC9B,SAAS,OAAO,OAAO,KAAK,SAAS,GAAG,QAAQ,CAAC;AAAA,IACjD,SAAS,MAAM;AAAA,EACjB,CAAC;AACD,SAAO,UAAU,SAAS,MAAM;AAClC;AAMO,SAAS,wBAAwB,OAAe,KAAqB;AAC1E,SAAO,gBAAgB,KAAK,IAAI,oBAAoB,OAAO,GAAG,IAAI;AACpE;AAsBO,SAAS,wBAAwB,YAAoB,eAA+B;AACzF,SAAO,mBAAAC,QAAO;AAAA,IACZ,EAAE,KAAK,eAAe,GAAG,gBAAgB;AAAA,IACzC,OAAO,KAAK,YAAY,QAAQ;AAAA,EAClC;AACF;;;AEjrBA,IAAAC,kBAAe;AACf,IAAAC,oBAAiB;AAqCjB,SAAS,eAAe,gBAAoC;AAC1D,MAAI;AACF,UAAM,MAAM,gBAAAC,QAAG,aAAa,gBAAgB,MAAM;AAClD,UAAM,SAAS,KAAK,MAAM,GAAG;AAC7B,WAAO;AAAA,MACL,SAAS;AAAA,MACT,aAAa,OAAO,eAAe,CAAC;AAAA,MACpC,uBAAuB,OAAO,yBAAyB,CAAC;AAAA,MACxD,sBAAsB,OAAO,wBAAwB,CAAC;AAAA,IACxD;AAAA,EACF,QAAQ;AACN,WAAO;AAAA,MACL,SAAS;AAAA,MACT,aAAa,CAAC;AAAA,MACd,uBAAuB,CAAC;AAAA,MACxB,sBAAsB,CAAC;AAAA,IACzB;AAAA,EACF;AACF;AAEA,SAAS,eAAe,gBAAwB,OAAyB;AACvE,kBAAAA,QAAG,UAAU,kBAAAC,QAAK,QAAQ,cAAc,GAAG,EAAE,WAAW,KAAK,CAAC;AAC9D,kBAAAD,QAAG,cAAc,gBAAgB,KAAK,UAAU,OAAO,MAAM,CAAC,IAAI,MAAM,MAAM;AAChF;AAEA,SAAS,iBAAiB,OAAe,WAA2B;AAClE,SAAO,GAAG,KAAK,IAAI,SAAS
;AAC9B;AAEA,SAAS,0BAA0B,OAAuB;AACxD,SAAO,OAAO,KAAK;AACrB;AAEA,eAAe,qBAAwB,UAA8B;AACnE,QAAM,WAAW,MAAM;AAAA,IACrB,4BAA4B,kCAAkC,QAAQ;AAAA,IACtE;AAAA,MACE,OAAO;AAAA,IACT;AAAA,EACF;AAEA,MAAI,CAAC,SAAS,IAAI;AAChB,UAAM,IAAI;AAAA,MACR,yDAAyD,SAAS,MAAM;AAAA,IAI1E;AAAA,EACF;AAEA,SAAO,SAAS,KAAK;AACvB;AAUO,SAAS,gCACd,gBAC0C;AAC1C,QAAM,QAAQ,eAAe,cAAc;AAC3C,QAAM,QAAQ,OAAO,OAAO,MAAM,oBAAoB;AACtD,SAAO,MAAM,WAAW,IAAI,MAAM,CAAC,IAAK;AAC1C;AAEA,eAAsB,wBACpB,YACA,OACmD;AACnD,MAAI,CAAC,oCAAoC,UAAU,GAAG;AACpD,WAAO;AAAA,EACT;AAEA,QAAM,WAAW,MAAM;AAAA,IACrB,oCAAoC,KAAK;AAAA,EAC3C;AAEA,MACE,SAAS,SAAS,4BAClB,SAAS,UAAU,SACnB,CAAC;AAAA,IACC;AAAA,IACA;AAAA,EACF,GACA;AACA,UAAM,IAAI,MAAM,2DAA2D,KAAK,GAAG;AAAA,EACrF;AAEA,SAAO,SAAS;AAClB;AAEA,eAAe,uBACb,gBACA,OACA,YACsC;AACtC,QAAM,QAAQ,eAAe,cAAc;AAC3C,MAAI,UAAU;AAEd,aAAW,OAAO,YAAY;AAC5B,UAAM,aAAa,iBAAiB,OAAO,IAAI,SAAS;AACxD,UAAM,sBAAsB,wBAAwB,IAAI,SAAS;AAEjE,QAAI,wBAAwB,IAAI,aAAa;AAC3C,YAAM,IAAI,MAAM,qDAAqD,IAAI,SAAS,GAAG;AAAA,IACvF;AAEA,UAAM,WAAW,MAAM,YAAY,UAAU;AAC7C,UAAM,cAAa,oBAAI,KAAK,GAAE,YAAY;AAE1C,QAAI,CAAC,UAAU;AACb,YAAM,YAAY,UAAU,IAAI;AAAA,QAC9B,WAAW,IAAI;AAAA,QACf,aAAa,IAAI;AAAA,QACjB,WAAW,IAAI;AAAA,QACf,UAAU;AAAA,QACV;AAAA,MACF;AACA,gBAAU;AACV;AAAA,IACF;AAEA,QAAI,SAAS,cAAc,IAAI,eAAe;AAC5C,UAAI,SAAS,gBAAgB,IAAI,eAAe,SAAS,cAAc,IAAI,WAAW;AACpF,cAAM,IAAI;AAAA,UACR,qBAAqB,IAAI,aAAa,kCAAkC,IAAI,SAAS;AAAA,QACvF;AAAA,MACF;AAEA,UAAI,SAAS,eAAe,YAAY;AACtC,cAAM,YAAY,UAAU,IAAI;AAAA,UAC9B,GAAG;AAAA,UACH;AAAA,QACF;AACA,kBAAU;AAAA,MACZ;AACA;AAAA,IACF;AAEA,QAAI,CAAC,IAAI,yBAAyB,IAAI,0BAA0B,SAAS,aAAa,CAAC,IAAI,mBAAmB;AAC5G,YAAM,IAAI,MAAM,gCAAgC,IAAI,SAAS,yCAAyC;AAAA,IACxG;AAEA,UAAM,mBAAmB;AAAA,MACvB,SAAS;AAAA,MACT,IAAI;AAAA,MACJ,IAAI;AAAA,MACJ,SAAS;AAAA,IACX;AAEA,QAAI,CAAC,kBAAkB;AACrB,YAAM,IAAI,MAAM,gCAAgC,IAAI,SAAS,iCAAiC;AAAA,IAChG;AAEA,UAAM,YAAY,UAAU,IAAI;AAAA,MAC9B,WAAW,IAAI;AAAA,MACf,aAAa,IAAI;AAAA,MACjB,WAAW,IAAI;AAAA,MACf,UAAU,SAAS;AAAA,MACnB;AAAA,IACF;AACA,cAAU;AAAA,EACZ;AAEA,MAAI,SAAS;AACX,mBAAe,gBAAgB,KAAK;AAAA,EACtC;AAEA,SAAO;AACT;AAEA,eAAe,6B
ACb,gBACA,WACA,YACwB;AACxB,MAAI,CAAC,UAAU,qBAAqB;AAClC,QAAI,UAAU,WAAW,SAAS,GAAG;AACnC,YAAM,IAAI,MAAM,0FAA0F;AAAA,IAC5G;AACA,WAAO;AAAA,EACT;AAEA,QAAM,EAAE,oBAAoB,IAAI;AAChC,QAAM,QAAQ,oBAAoB,WAAW;AAE7C,MAAI,CAAC,oBAAoB,mBAAmB,CAAC,oBAAoB,iBAAiB;AAChF,UAAM,IAAI,MAAM,kEAAkE;AAAA,EACpF;AAEA,QAAM,oBAAoB,wBAAwB,oBAAoB,eAAe;AACrF,QAAM,cAAc,oBAAoB,WAAW,QAAQ;AAAA,IACzD,CAAC,UACC,MAAM,kBAAkB,oBAAoB,uBAC5C,MAAM,cAAc,oBAAoB;AAAA,EAC5C;AACA,QAAM,YAAuC;AAAA,IAC3C,eAAe,oBAAoB;AAAA,IACnC,WAAW,oBAAoB;AAAA,IAC/B,WAAW,oBAAoB;AAAA,IAC/B,aAAa;AAAA,IACb,uBAAuB,aAAa,yBAAyB;AAAA,IAC7D,mBAAmB,aAAa,qBAAqB;AAAA,EACvD;AACA,QAAM,0BAA0B,eAAe,cAAc;AAE7D,MAAI;AACF,UAAM,uBAAuB,gBAAgB,OAAO,CAAC,SAAS,CAAC;AAE/D,UAAM,WAAW;AAAA,MACf,oBAAoB;AAAA,MACpB,oBAAoB;AAAA,MACpB,oBAAoB;AAAA,IACtB;AAEA,QAAI,CAAC,UAAU;AACb,YAAM,IAAI,MAAM,4DAA4D,KAAK,GAAG;AAAA,IACtF;AACA,QAAI,CAAC,UAAU,cAAc;AAC3B,YAAM,IAAI,MAAM,oEAAoE,KAAK,GAAG;AAAA,IAC9F;AAEA,UAAM,QAAQ,eAAe,cAAc;AAC3C,UAAM,yBAAyB,MAAM,qBAAqB,0BAA0B,KAAK,CAAC,KAAK;AAC/F,UAAM,sBAAsB,cAAc;AAC1C,UAAM,sBAAsB,MAAM,sBAAsB,0BAA0B,KAAK,CAAC,KAAK;AAE7F,QAAI,CAAC,uBAAuB,wBAAwB,QAAQ,UAAU,aAAa,KAAK,UAAU,qBAAqB;AACrH,YAAM,IAAI,MAAM,+DAA+D,KAAK,GAAG;AAAA,IACzF;AAEA,QAAI,CAAC,uBAAuB,UAAU,aAAa,QAAQ,WAAW,GAAG;AACvE,YAAM,IAAI,MAAM,yDAAyD,KAAK,GAAG;AAAA,IACnF;AAEA,QAAI,UAAU,aAAa,QAAQ,SAAS,GAAG;AAC7C,YAAM,oBAAoB,UAAU,aAAa,QAAQ,UAAU,aAAa,QAAQ,SAAS,CAAC;AAClG,UAAI,CAAC,mBAAmB;AACtB,cAAM,IAAI,MAAM,uDAAuD,KAAK,GAAG;AAAA,MACjF;AAEA,YAAM,uBAAuB,uCAAuC;AAAA,QAClE,YAAY,oBAAoB;AAAA,QAChC,qBAAqB,oBAAoB;AAAA,QACzC,iBAAiB,oBAAoB;AAAA,QACrC,iBAAiB,oBAAoB;AAAA,QACrC,WAAW,oBAAoB;AAAA,QAC/B,mBAAmB,kBAAkB,qBAAqB;AAAA,MAC5D,CAAC;AAED,UAAI,qBAAqB,cAAc,kBAAkB,WAAW;AAClE,cAAM,IAAI,MAAM,2EAA2E,KAAK,GAAG;AAAA,MACrG;AAEA,UAAI,cAAc,UAAU,aAAa,KAAK,YAAY,WAAW,SAAS;AAC5E,YAAI,UAAU,aAAa,KAAK,SAAS,WAAW,MAAM;AACxD,gBAAM,IAAI,MAAM,0DAA0D,KAAK,GAAG;AAAA,QACpF;AAEA,YACE,kBAAkB,cAAc,WAAW,QAC3C,qBAAqB,cAAc,WAAW,MAC9C;AACA,gBAAM,IAAI,MAAM,yDAAyD,KAAK,GAAG;AAAA,QACnF;AAAA,MACF,WACE,CAAC,wCAAwC;AAAA,QACvC,cAAc;AAAA,QACd,OAAO,
UAAU;AAAA,QACjB,cAAc;AAAA,MAChB,CAAC,GACD;AACA,cAAM,IAAI,MAAM,2DAA2D,KAAK,GAAG;AAAA,MACrF;AAAA,IACF,WACE,cACA,UAAU,aAAa,KAAK,YAAY,WAAW,SACnD;AACA,YAAM,IAAI,MAAM,wEAAwE,KAAK,8BAA8B;AAAA,IAC7H,WACE,CAAC,uBACD,oBAAoB,YAAY,UAAU,aAAa,KAAK,WAC5D,oBAAoB,SAAS,UAAU,aAAa,KAAK,MACzD;AACA,YAAM,IAAI,MAAM,qEAAqE,KAAK,GAAG;AAAA,IAC/F;AAEA,iCAA6B,gBAAgB,OAAO,UAAU,aAAa,IAAI;AAE/E,UAAM,oBAAoB,IAAI;AAAA,MAC5B,oBAAoB,WAAW,QAAQ,IAAI,CAAC,UAAU,CAAC,MAAM,eAAe,KAAK,CAAC;AAAA,IACpF;AAEA,eAAW,OAAO,UAAU,YAAY;AACtC,YAAM,QAAQ,kBAAkB,IAAI,IAAI,aAAa;AAErD,UAAI,CAAC,OAAO;AACV,cAAM,IAAI,MAAM,YAAY,IAAI,aAAa,4CAA4C;AAAA,MAC3F;AAEA,UACE,MAAM,cAAc,IAAI,aACxB,MAAM,gBAAgB,IAAI,eAC1B,MAAM,0BAA0B,IAAI,yBACpC,MAAM,sBAAsB,IAAI,mBAChC;AACA,cAAM,IAAI,MAAM,YAAY,IAAI,aAAa,2CAA2C;AAAA,MAC1F;AAAA,IACF;AAEA,WAAO;AAAA,EACT,SAAS,OAAO;AACd,mBAAe,gBAAgB,uBAAuB;AACtD,UAAM;AAAA,EACR;AACF;AAMA,eAAsB,gCACpB,gBACA,WACA,YACsC;AACtC,QAAM,QAAQ,MAAM,6BAA6B,gBAAgB,WAAW,UAAU;AACtF,MAAI,CAAC,OAAO;AACV,WAAO,UAAU;AAAA,EACnB;AACA,SAAO,uBAAuB,gBAAgB,OAAO,UAAU,UAAU;AAC3E;AAMO,SAAS,8BACd,gBACA,YACA,SACM;AACN,QAAM,QAAQ,eAAe,cAAc;AAC3C,QAAM,gBAAgB,MAAM,sBAAsB,UAAU;AAE5D,MAAI,kBAAkB,UAAa,UAAU,eAAe;AAC1D,UAAM,IAAI,MAAM,mDAAmD,UAAU,GAAG;AAAA,EAClF;AAEA,MAAI,kBAAkB,UAAa,UAAU,eAAe;AAC1D,UAAM,sBAAsB,UAAU,IAAI;AAC1C,mBAAe,gBAAgB,KAAK;AAAA,EACtC;AACF;AAEA,SAAS,6BACP,gBACA,OACA,MACM;AACN,QAAM,QAAQ,eAAe,cAAc;AAC3C,QAAM,aAAa,0BAA0B,KAAK;AAClD,QAAM,aAAa,MAAM,qBAAqB,UAAU;AAExD,MAAI,YAAY;AACd,QAAI,KAAK,UAAU,WAAW,SAAS;AACrC,YAAM,IAAI,MAAM,+DAA+D,KAAK,GAAG;AAAA,IACzF;AAEA,QAAI,KAAK,YAAY,WAAW,WAAW,KAAK,SAAS,WAAW,MAAM;AACxE,YAAM,IAAI,MAAM,oDAAoD,KAAK,GAAG;AAAA,IAC9E;AAAA,EACF;AAEA,MAAI,CAAC,cAAc,KAAK,UAAU,WAAW,SAAS;AACpD,UAAM,qBAAqB,UAAU,IAAI;AACzC,mBAAe,gBAAgB,KAAK;AAAA,EACtC;AAEA,gCAA8B,gBAAgB,YAAY,KAAK,OAAO;AACxE;;;AJ1YA,IAAM,0BAA0B;AAChC,IAAM,sBAAsB;AAE5B,SAAS,qBAAqB,OAAuB;AACnD,SAAO,MACJ,QAAQ,iBAAiB,GAAG,EAC5B,QAAQ,OAAO,GAAG,EAClB,QAAQ,UAAU,EAAE,EACpB,YAAY;AACjB;AAEA,SAAS,sBAAsB,QAA0B;AACvD,MAAI,OAAO,gBAAgB;AACzB,WAAO,kBAAAE,QAAK,QAAQ,OAAO,cAAc;AAAA,E
AC3C;AAEA,MAAI,OAAO,gBAAgB;AACzB,WAAO,GAAG,kBAAAA,QAAK,QAAQ,OAAO,cAAc,CAAC;AAAA,EAC/C;AAEA,SAAO,kBAAAA,QAAK,QAAQ,QAAQ,IAAI,GAAG,sBAAsB;AAC3D;AAEA,SAAS,kBAAkB,QAA0B;AACnD,MAAI,OAAO,SAAS;AAClB,WAAO,OAAO;AAAA,EAChB;AAEA,SAAO,OAAO,MAAM,sBAAsB;AAC5C;AAEA,SAAS,4CACP,UACA,SACwB;AACxB,SAAO;AAAA,IACL,SAAS,SAAS;AAAA,IAClB;AAAA,IACA,MAAM,SAAS;AAAA,IACf,oBAAoB,SAAS,sBAAsB;AAAA,IACnD,mBAAmB,SAAS,qBAAqB;AAAA,IACjD,OAAO,SAAS,MAAM,IAAI,CAAC,UAAU;AAAA,MACnC,IAAI,KAAK;AAAA,MACT,MAAM,KAAK;AAAA,MACX,MAAM,KAAK,QAAQ;AAAA,MACnB,UAAU,KAAK,YAAY,CAAC;AAAA,MAC5B,SAAS,KAAK,WAAW;AAAA,IAC3B,EAAE;AAAA,IACF,QAAQ,SAAS,gBAAgB,IAAI,CAAC,WAAW;AAAA,MAC/C,IAAI,MAAM;AAAA,MACV,MAAM,MAAM;AAAA,MACZ,UAAU,MAAM,YAAY;AAAA,IAC9B,EAAE;AAAA,EACJ;AACF;AAEA,SAAS,2CACP,MACA,SAC2B;AAC3B,SAAO;AAAA,IACL,aAAa,KAAK;AAAA,IAClB,SAAS,KAAK;AAAA,IACd;AAAA,IACA,MAAM,KAAK;AAAA,IACX,MAAM,KAAK,QAAQ;AAAA,IACnB,UAAU,KAAK,YAAY,CAAC;AAAA,IAC5B,SAAS,KAAK,WAAW;AAAA,IACzB,QAAQ,KAAK,OAAO,IAAI,CAAC,OAAO,WAAW;AAAA,MACzC,IAAI,MAAM;AAAA,MACV,MAAM,MAAM;AAAA,MACZ,MAAM,MAAM;AAAA,MACZ,OAAO,MAAM,SAAS;AAAA,MACtB,kBAAkB,MAAM,oBAAoB,CAAC;AAAA,MAC7C,UAAU,MAAM,YAAY,CAAC;AAAA,IAC/B,EAAE;AAAA,EACJ;AACF;AAUO,IAAM,KAAN,MAAM,IAAG;AAAA,EACG;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACT,OAAqB;AAAA,EAE7B,YAAY,QAAkB;AAC5B,QAAI,CAAC,OAAO,QAAQ;AAClB,YAAM,IAAI,MAAM,4BAA4B;AAAA,IAC9C;AAEA,QAAI,CAAC,OAAO,cAAc,CAAC,OAAO,gBAAgB;AAChD,YAAM,IAAI;AAAA,QACR;AAAA,MACF;AAAA,IACF;AAEA,UAAM,UAAU,kBAAkB,MAAM;AACxC,SAAK,UAAU;AACf,SAAK,SAAS,IAAI,SAAS,OAAO,QAAQ,OAAO;AACjD,SAAK,YAAY,OAAO;AACxB,SAAK,gBAAgB,OAAO,cAAc,eAAe,OAAO,cAAe;AAC/E,SAAK,eAAe,gBAAgB,KAAK,aAAa;AACtD,SAAK,iBAAiB,sBAAsB,MAAM;AAAA,EACpD;AAAA;AAAA;AAAA;AAAA,EAKA,aAAa,OAAO,QAA+B;AACjD,UAAM,WAAW,IAAI,IAAG,MAAM;AAC9B,UAAM,SAAS,KAAK;AACpB,WAAO;AAAA,EACT;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,MAAM,OAAsB;AAC1B,SAAK,OAAO,MAAM,KAAK,SAAS;AAAA,EAClC;AAAA;AAAA;AAAA;AAAA,EAKA,IAAI,MAAa;AACf,QAAI,CAAC,KAAK,MAAM;AACd,YAAM,IAAI;AAAA,QACR;AAAA,MACF;AAAA,IACF;AACA,WAAO,KAAK;AAAA,EACd;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,UAAyB;AAC7B,SA
AK,OAAO,MAAM,KAAK,SAAS;AAAA,EAClC;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOA,MAAc,WAA2B;AACvC,QAAI;AACF,YAAM,KAAK,OAAO,uBAAuB;AAAA,QACvC,WAAW,KAAK;AAAA,MAClB,CAAC;AAAA,IACH,SAAS,OAAO;AACd,YAAM,IAAI;AAAA,QACR,gJACE,iBAAiB,QAAQ,MAAM,UAAU,OAAO,KAAK,CACvD;AAAA,MACF;AAAA,IACF;AAEA,UAAM,EAAE,OAAO,IAAI,MAAM,KAAK,OAAO,WAAW,KAAK,SAAS;AAC9D,UAAM,aAAa,MAAM,QAAQ,IAAI,OAAO,IAAI,CAAC,UAAU,KAAK,cAAc,MAAM,EAAE,CAAC,CAAC;AAExF,WAAO,OAAO,OAAO,CAAC,GAAG,GAAG,UAAU;AAAA,EACxC;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOA,MAAc,cAAc,SAAiC;AAC3D,UAAM,yBAAyB,gCAAgC,KAAK,cAAc;AAClF,UAAM,CAAC,YAAY,eAAe,yBAAyB,IAAI,MAAM,QAAQ,IAAI;AAAA,MAC/E,KAAK,OAAO,mBAAmB,OAAO;AAAA,MACtC,KAAK,OAAO,eAAe,OAAO;AAAA,MAClC,KAAK,OAAO;AAAA,QACV;AAAA,QACA,yBACI;AAAA,UACE,0BAA0B,uBAAuB;AAAA,UACjD,uBAAuB,uBAAuB;AAAA,QAChD,IACA;AAAA,MACN;AAAA,IACF,CAAC;AAED,QAAI,qBAAqB;AACzB,QAAI,oBAA8D;AAElE,QAAI,CAAC,wBAAwB;AAC3B,YAAM,QAAQ,0BAA0B,qBAAqB,WAAW,SAAS;AAEjF,UACE,SACA,0BAA0B,uBAC1B,0BAA0B,cAC1B;AACA,4BAAoB,MAAM,wBAAwB,KAAK,SAAS,KAAK;AAErE,YAAI,mBAAmB;AACrB,cAAI,0BAA0B,aAAa,KAAK,UAAU,kBAAkB,SAAS;AACnF,kBAAM,IAAI,MAAM,oFAAoF,KAAK,GAAG;AAAA,UAC9G;AAEA,cAAI,0BAA0B,aAAa,KAAK,YAAY,kBAAkB,SAAS;AACrF,gBAAI,0BAA0B,aAAa,KAAK,SAAS,kBAAkB,MAAM;AAC/E,oBAAM,IAAI,MAAM,kEAAkE,KAAK,GAAG;AAAA,YAC5F;AAAA,UACF,OAAO;AACL,iCAAqB,MAAM,KAAK,OAAO,yBAAyB,SAAS;AAAA,cACvE,0BAA0B,kBAAkB;AAAA,cAC5C,uBAAuB,kBAAkB;AAAA,YAC3C,CAAC;AAAA,UACH;AAAA,QACF;AAAA,MACF;AAAA,IACF;AAEA,UAAM,oBAAoB,MAAM;AAAA,MAC9B,KAAK;AAAA,MACL;AAAA,MACA;AAAA,IACF;AAEA,UAAM,YAAY,kBAAkB;AAAA,MAClC,CAAC,cAAc,UAAU,kBAAkB,WAAW;AAAA,IACxD;AAEA,QAAI,CAAC,WAAW;AACd,YAAM,IAAI;AAAA,QACR,iCAAiC,OAAO,mCAAmC,WAAW,mBAAmB;AAAA,MAC3G;AAAA,IACF;AAEA,UAAM,oBAAoB;AAAA,MACxB;AAAA,MACA,WAAW;AAAA,MACX,WAAW;AAAA,MACX,WAAW;AAAA,MACX,WAAW;AAAA,MACX,WAAW;AAAA,MACX,UAAU;AAAA,IACZ;AAEA,QAAI,CAAC,mBAAmB;AACtB,YAAM,IAAI,MAAM,+DAA+D,OAAO,GAAG;AAAA,IAC3F;AAEA,UAAM,MAAM,wBAAwB,WAAW,YAAY,KAAK,aAAa;AAE7E,QAAI,CAAC,cAAc,mBAAmB;AACpC,YAAM,IAAI,MAAM,iBAAiB,OAAO,0CAA0C;AAAA,IACpF;AAEA,UAAM,mBAAmB,kBAAkB;AAAA,MACzC,CAAC,cAAc,UAAU,kBAAkB,cA
Ac,kBAAmB;AAAA,IAC9E;AAEA,QAAI,CAAC,kBAAkB;AACrB,YAAM,IAAI;AAAA,QACR,iBAAiB,OAAO,sDAAsD,cAAc,kBAAkB,mBAAmB;AAAA,MACnI;AAAA,IACF;AAEA,UAAM,4BAA4B;AAAA,MAChC;AAAA,MACA,cAAc,kBAAkB,WAAW;AAAA,IAC7C;AACA,UAAM,kBAAkB;AAAA,MACtB;AAAA,MACA,cAAc,kBAAkB;AAAA,MAChC,iBAAiB;AAAA,IACnB;AAEA,QAAI,CAAC,iBAAiB;AACpB,YAAM,IAAI,MAAM,kEAAkE,OAAO,GAAG;AAAA,IAC9F;AAEA;AAAA,MACE,KAAK;AAAA,MACL,WAAW,OAAO;AAAA,MAClB,0BAA0B;AAAA,IAC5B;AAEA,UAAM,cAAc,MAAM,QAAQ;AAAA,MAChC,cAAc,MAAM,IAAI,CAAC,SAAS,KAAK,OAAO,mBAAmB,SAAS,KAAK,EAAE,CAAC;AAAA,IACpF;AAEA,UAAM,MAAa,CAAC;AAEpB,eAAW,QAAQ,aAAa;AAC9B,UAAI,CAAC,KAAK,kBAAkB;AAC1B,cAAM,IAAI,MAAM,sBAAsB,KAAK,EAAE,yCAAyC;AAAA,MACxF;AAEA,YAAM,kBAAkB,kBAAkB;AAAA,QACxC,CAAC,cAAc,UAAU,kBAAkB,KAAK,iBAAkB;AAAA,MACpE;AAEA,UAAI,CAAC,iBAAiB;AACpB,cAAM,IAAI;AAAA,UACR,sBAAsB,KAAK,EAAE,8CAA8C,KAAK,iBAAiB,mBAAmB;AAAA,QACtH;AAAA,MACF;AAEA,YAAM,2BAA2B;AAAA,QAC/B;AAAA,QACA,KAAK,iBAAiB,WAAW;AAAA,MACnC;AACA,YAAM,iBAAiB;AAAA,QACrB;AAAA,QACA,KAAK,iBAAiB;AAAA,QACtB,gBAAgB;AAAA,MAClB;AAEA,UAAI,CAAC,gBAAgB;AACnB,cAAM,IAAI,MAAM,8DAA8D,KAAK,EAAE,GAAG;AAAA,MAC1F;AAEA;AAAA,QACE,KAAK;AAAA,QACL,UAAU,KAAK,EAAE;AAAA,QACjB,yBAAyB;AAAA,MAC3B;AAEA,iBAAW,SAAS,KAAK,QAAQ;AAC/B,YAAI,MAAM,UAAU,MAAM;AACxB;AAAA,QACF;AAEA,YAAI,qBAAqB,GAAG,KAAK,IAAI,IAAI,MAAM,IAAI,EAAE,CAAC,IAAI;AAAA,UACxD,MAAM;AAAA,UACN;AAAA,QACF;AAAA,MACF;AAAA,IACF;AAEA,WAAO;AAAA,EACT;AACF;AAEA,IAAO,cAAQ;","names":["import_node_path","path","path","crypto","fs","path","crypto","crypto","crypto","crypto","crypto","crypto","import_node_fs","import_node_path","fs","path","path"]}
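--- a/package/lib/index.js
+++ b/package/lib/index.js
@@ -26,7 +26,8 @@ var R4Client = class {
  if (!response.ok) {
  const errorBody = await response.json().catch(() => ({}));
  const errorMessage = typeof errorBody.error?.message === "string" ? errorBody.error.message : `HTTP ${response.status}: ${response.statusText}`;
- throw new Error(`R4 API Error: ${errorMessage}`);
+ const errorCode = typeof errorBody.error?.code === "string" ? ` [${errorBody.error.code}]` : "";
+ throw new Error(`R4 API Error${errorCode}: ${errorMessage}`);
  }
  if (response.status === 204) {
  return void 0;
@@ -130,7 +131,22 @@ var buildOrgUserKeyDirectoryWitnessPayload = (orgId, head) => [
  ].join(":");
  var buildOrgUserKeyDirectoryWitnessPath = (orgId) => `v1/orgs/${orgId}/user-key-directory-head.json`;
  var buildTransparencyWitnessUrl = (baseUrl, path4) => `${baseUrl.replace(/\/+$/, "")}/${path4.replace(/^\/+/, "")}`;
- var shouldUseDefaultTransparencyWitness = (apiBaseUrl) => /(^https?:\/\/)?([^.]+\.)?r4\.dev(?::\d+)?(\/|$)/i.test(apiBaseUrl.trim());
+ function parseHostname(apiBaseUrl) {
+ const trimmed = apiBaseUrl.trim();
+ if (!trimmed) {
+ return null;
+ }
+ try {
+ const normalized = trimmed.includes("://") ? trimmed : `https://${trimmed}`;
+ return new URL(normalized).hostname.toLowerCase();
+ } catch {
+ return null;
+ }
+ }
+ var shouldUseDefaultTransparencyWitness = (apiBaseUrl) => {
+ const hostname = parseHostname(apiBaseUrl);
+ return hostname === "r4.dev" || hostname === "api.r4.dev";
+ };
 
  // src/crypto.ts
  var RSA_OAEP_CONFIG = {
@@ -546,7 +562,9 @@ async function fetchWitnessArtifact(pathName) {
  }
  );
  if (!response.ok) {
- throw new Error(`Failed to fetch public transparency witness artifact (${response.status}).`);
+ throw new Error(
+ `Failed to fetch public transparency witness artifact (${response.status}). Production first-trust bootstrapping needs access to https://transparency.r4.dev. If this is a dev environment, re-run with --dev or set R4_DEV=1. If this is production, verify outbound access to transparency.r4.dev and retry.`
+ );
  }
  return response.json();
  }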
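Review bot: The exact-hostname match in the new `shouldUseDefaultTransparencyWitness` (second hunk) no longer covers `dev.r4.dev`, which the SDK's own `R4_DEV_API_BASE_URL` points at, so dev runs now skip the public witness where the old regex would have used it; if that is intended, say so above the function, e.g. `// Only the production API hosts use the public transparency witness; dev and custom base URLs skip it.` `parseHostname` also deserves a one-line comment stating that a scheme-less value is parsed as https and that empty or unparseable input yields null, which in turn disables the default witness rather than failing. In the third hunk the message hard-codes `https://transparency.r4.dev` while the request above it is presumably built from a base URL defined outside the hunk; interpolating that value into the message keeps the two from drifting. `fetchWitnessArtifact` starts outside that hunk, as does the `R4Client` method in the first.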
package/lib/index.js.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"sources":["../src/index.ts","../src/client.ts","../src/crypto.ts","../src/transparency.ts","../src/trust-store.ts"],"sourcesContent":["import path from 'node:path'\nimport { R4Client } from './client'\nimport {\n decryptStoredFieldValue,\n derivePublicKey,\n loadPrivateKey,\n unwrapDEKWithPrivateKey,\n verifyVaultItemDetailCheckpoint,\n verifyVaultSummaryCheckpoint,\n verifyWrappedDekSignature,\n} from './crypto'\nimport {\n assertAndPinCheckpointVersion,\n getPublicOrgWitnessHead,\n getSinglePinnedTransparencyHead,\n verifyAndPinVaultUserPublicKeys,\n} from './trust-store'\nimport type {\n ListMachineVaultItemsResponse,\n MachineVaultItemDetailResponse,\n R4Config,\n R4Env,\n VaultItemDetailCheckpoint,\n VaultSummaryCheckpoint,\n} from './types'\n\nexport type { R4Config, R4Env } from './types'\n\nconst R4_DEFAULT_API_BASE_URL = 'https://r4.dev'\nconst R4_DEV_API_BASE_URL = 'https://dev.r4.dev'\n\nfunction toScreamingSnakeCase(input: string): string {\n return input\n .replace(/[^a-zA-Z0-9]/g, '_')\n .replace(/_+/g, '_')\n .replace(/^_|_$/g, '')\n .toUpperCase()\n}\n\nfunction resolveTrustStorePath(config: R4Config): string {\n if (config.trustStorePath) {\n return path.resolve(config.trustStorePath)\n }\n\n if (config.privateKeyPath) {\n return `${path.resolve(config.privateKeyPath)}.trust.json`\n }\n\n return path.resolve(process.cwd(), '.r4-trust-store.json')\n}\n\nfunction resolveApiBaseUrl(config: R4Config): string {\n if (config.baseUrl) {\n return config.baseUrl\n }\n\n return config.dev ? R4_DEV_API_BASE_URL : R4_DEFAULT_API_BASE_URL\n}\n\nfunction buildVaultSummaryCheckpointFromListResponse(\n response: ListMachineVaultItemsResponse,\n version: number,\n): VaultSummaryCheckpoint {\n return {\n vaultId: response.vaultId,\n version,\n name: response.vaultName,\n dataClassification: response.dataClassification ?? null,\n currentDekVersion: response.currentDekVersion ?? 
null,\n items: response.items.map((item) => ({\n id: item.id,\n name: item.name,\n type: item.type ?? null,\n websites: item.websites ?? [],\n groupId: item.groupId ?? null,\n })),\n groups: response.vaultItemGroups.map((group) => ({\n id: group.id,\n name: group.name,\n parentId: group.parentId ?? null,\n })),\n }\n}\n\nfunction buildVaultItemDetailCheckpointFromResponse(\n item: MachineVaultItemDetailResponse,\n version: number,\n): VaultItemDetailCheckpoint {\n return {\n vaultItemId: item.id,\n vaultId: item.vaultId,\n version,\n name: item.name,\n type: item.type ?? null,\n websites: item.websites ?? [],\n groupId: item.groupId ?? null,\n fields: item.fields.map((field, index) => ({\n id: field.id,\n name: field.name,\n type: field.type,\n order: field.order ?? index,\n fieldInstanceIds: field.fieldInstanceIds ?? [],\n assetIds: field.assetIds ?? [],\n })),\n }\n}\n\n/**\n * R4 SDK — zero-trust Node.js SDK for machine agents.\n *\n * The runtime keeps its private key locally, registers only the matching public\n * key with the machine API, verifies wrapped-DEK signatures against a pinned\n * signer directory, unwraps each vault DEK locally, and decrypts env values\n * without trusting the backend to see or transform plaintext.\n */\nexport class R4 {\n private readonly client: R4Client\n private readonly baseUrl: string\n private readonly projectId?: string\n private readonly privateKeyPem: string\n private readonly publicKeyPem: string\n private readonly trustStorePath: string\n private _env: R4Env | null = null\n\n constructor(config: R4Config) {\n if (!config.apiKey) {\n throw new Error('R4 SDK: apiKey is required')\n }\n\n if (!config.privateKey && !config.privateKeyPath) {\n throw new Error(\n 'R4 SDK: privateKey or privateKeyPath is required for zero-trust local decryption.',\n )\n }\n\n const baseUrl = resolveApiBaseUrl(config)\n this.baseUrl = baseUrl\n this.client = new R4Client(config.apiKey, baseUrl)\n this.projectId = config.projectId\n 
this.privateKeyPem = config.privateKey ?? loadPrivateKey(config.privateKeyPath!)\n this.publicKeyPem = derivePublicKey(this.privateKeyPem)\n this.trustStorePath = resolveTrustStorePath(config)\n }\n\n /**\n * Static factory method that creates and initializes an R4 instance.\n */\n static async create(config: R4Config): Promise<R4> {\n const instance = new R4(config)\n await instance.init()\n return instance\n }\n\n /**\n * Initializes the SDK by registering the agent public key (idempotent) and\n * decrypting all accessible vault values locally into a flat env map.\n */\n async init(): Promise<void> {\n this._env = await this.fetchEnv()\n }\n\n /**\n * Returns the locally decrypted env map.\n */\n get env(): R4Env {\n if (!this._env) {\n throw new Error(\n 'R4 SDK: env is not initialized. Call await r4.init() first, or use R4.create() for automatic initialization.',\n )\n }\n return this._env\n }\n\n /**\n * Re-fetches and locally re-decrypts the current vault view.\n */\n async refresh(): Promise<void> {\n this._env = await this.fetchEnv()\n }\n\n /**\n * Registers the local agent public key, loads all accessible vaults, verifies\n * wrapped-DEK signatures against pinned signer keys, unwraps each vault DEK,\n * and builds a flat SCREAMING_SNAKE_CASE env map from decrypted field values.\n */\n private async fetchEnv(): Promise<R4Env> {\n try {\n await this.client.registerAgentPublicKey({\n publicKey: this.publicKeyPem,\n })\n } catch (error) {\n throw new Error(\n `R4 SDK: failed to register the local agent public key. The zero-trust SDK requires an AGENT-scoped API key and a matching local private key. ${\n error instanceof Error ? 
error.message : String(error)\n }`,\n )\n }\n\n const { vaults } = await this.client.listVaults(this.projectId)\n const envEntries = await Promise.all(vaults.map((vault) => this.fetchVaultEnv(vault.id)))\n\n return Object.assign({}, ...envEntries)\n }\n\n /**\n * Fetches a single vault's wrapped DEK, verifies it against the pinned signer\n * directory, unwraps the DEK locally, then decrypts every field value in that\n * vault item-by-item.\n */\n private async fetchVaultEnv(vaultId: string): Promise<R4Env> {\n const pinnedTransparencyHead = getSinglePinnedTransparencyHead(this.trustStorePath)\n const [wrappedKey, itemsResponse, initialPublicKeyDirectory] = await Promise.all([\n this.client.getAgentWrappedKey(vaultId),\n this.client.listVaultItems(vaultId),\n this.client.getVaultUserKeyDirectory(\n vaultId,\n pinnedTransparencyHead\n ? {\n knownTransparencyVersion: pinnedTransparencyHead.version,\n knownTransparencyHash: pinnedTransparencyHead.hash,\n }\n : undefined,\n ),\n ])\n\n let publicKeyDirectory = initialPublicKeyDirectory\n let witnessAnchorHead: { version: number; hash: string } | null = null\n\n if (!pinnedTransparencyHead) {\n const orgId = initialPublicKeyDirectory.directoryCheckpoint?.checkpoint.orgId ?? 
null\n\n if (\n orgId &&\n initialPublicKeyDirectory.directoryCheckpoint &&\n initialPublicKeyDirectory.transparency\n ) {\n witnessAnchorHead = await getPublicOrgWitnessHead(this.baseUrl, orgId)\n\n if (witnessAnchorHead) {\n if (initialPublicKeyDirectory.transparency.head.version < witnessAnchorHead.version) {\n throw new Error(`R4 SDK: public transparency witness head is ahead of the server response for org ${orgId}.`)\n }\n\n if (initialPublicKeyDirectory.transparency.head.version === witnessAnchorHead.version) {\n if (initialPublicKeyDirectory.transparency.head.hash !== witnessAnchorHead.hash) {\n throw new Error(`R4 SDK: public transparency witness head fork detected for org ${orgId}.`)\n }\n } else {\n publicKeyDirectory = await this.client.getVaultUserKeyDirectory(vaultId, {\n knownTransparencyVersion: witnessAnchorHead.version,\n knownTransparencyHash: witnessAnchorHead.hash,\n })\n }\n }\n }\n }\n\n const trustedPublicKeys = await verifyAndPinVaultUserPublicKeys(\n this.trustStorePath,\n publicKeyDirectory,\n witnessAnchorHead,\n )\n\n const signerKey = trustedPublicKeys.find(\n (publicKey) => publicKey.userKeyPairId === wrappedKey.signerUserKeyPairId,\n )\n\n if (!signerKey) {\n throw new Error(\n `R4 SDK: wrapped DEK for vault ${vaultId} was signed by unknown user key ${wrappedKey.signerUserKeyPairId}.`,\n )\n }\n\n const signatureVerified = verifyWrappedDekSignature(\n vaultId,\n wrappedKey.encryptionKeyId,\n wrappedKey.signerUserKeyPairId,\n wrappedKey.dekVersion,\n wrappedKey.wrappedDek,\n wrappedKey.wrappedDekSignature,\n signerKey.publicKey,\n )\n\n if (!signatureVerified) {\n throw new Error(`R4 SDK: wrapped DEK signature verification failed for vault ${vaultId}.`)\n }\n\n const dek = unwrapDEKWithPrivateKey(wrappedKey.wrappedDek, this.privateKeyPem)\n\n if (!itemsResponse.summaryCheckpoint) {\n throw new Error(`R4 SDK: vault ${vaultId} is missing a signed summary checkpoint.`)\n }\n\n const summarySignerKey = trustedPublicKeys.find(\n (publicKey) 
=> publicKey.userKeyPairId === itemsResponse.summaryCheckpoint!.signerUserKeyPairId,\n )\n\n if (!summarySignerKey) {\n throw new Error(\n `R4 SDK: vault ${vaultId} summary checkpoint was signed by unknown user key ${itemsResponse.summaryCheckpoint.signerUserKeyPairId}.`,\n )\n }\n\n const expectedSummaryCheckpoint = buildVaultSummaryCheckpointFromListResponse(\n itemsResponse,\n itemsResponse.summaryCheckpoint.checkpoint.version,\n )\n const summaryVerified = verifyVaultSummaryCheckpoint(\n expectedSummaryCheckpoint,\n itemsResponse.summaryCheckpoint.signature,\n summarySignerKey.publicKey,\n )\n\n if (!summaryVerified) {\n throw new Error(`R4 SDK: vault summary checkpoint verification failed for vault ${vaultId}.`)\n }\n\n assertAndPinCheckpointVersion(\n this.trustStorePath,\n `summary:${vaultId}`,\n expectedSummaryCheckpoint.version,\n )\n\n const itemDetails = await Promise.all(\n itemsResponse.items.map((item) => this.client.getVaultItemDetail(vaultId, item.id)),\n )\n\n const env: R4Env = {}\n\n for (const item of itemDetails) {\n if (!item.detailCheckpoint) {\n throw new Error(`R4 SDK: vault item ${item.id} is missing a signed detail checkpoint.`)\n }\n\n const detailSignerKey = trustedPublicKeys.find(\n (publicKey) => publicKey.userKeyPairId === item.detailCheckpoint!.signerUserKeyPairId,\n )\n\n if (!detailSignerKey) {\n throw new Error(\n `R4 SDK: vault item ${item.id} checkpoint was signed by unknown user key ${item.detailCheckpoint.signerUserKeyPairId}.`,\n )\n }\n\n const expectedDetailCheckpoint = buildVaultItemDetailCheckpointFromResponse(\n item,\n item.detailCheckpoint.checkpoint.version,\n )\n const detailVerified = verifyVaultItemDetailCheckpoint(\n expectedDetailCheckpoint,\n item.detailCheckpoint.signature,\n detailSignerKey.publicKey,\n )\n\n if (!detailVerified) {\n throw new Error(`R4 SDK: vault item checkpoint verification failed for item ${item.id}.`)\n }\n\n assertAndPinCheckpointVersion(\n this.trustStorePath,\n `detail:${item.id}`,\n 
expectedDetailCheckpoint.version,\n )\n\n for (const field of item.fields) {\n if (field.value === null) {\n continue\n }\n\n env[toScreamingSnakeCase(`${item.name}_${field.name}`)] = decryptStoredFieldValue(\n field.value,\n dek,\n )\n }\n }\n\n return env\n }\n}\n\nexport default R4\n","import type {\n ListMachineVaultItemsResponse,\n ListMachineVaultsResponse,\n MachineAgentPublicKeyResponse,\n MachineVaultItemDetailResponse,\n MachineVaultUserKeyDirectoryResponse,\n MachineWrappedKeyResponse,\n RegisterMachinePublicKeyRequest,\n} from './types'\n\ntype ApiErrorBody = {\n error?: {\n message?: unknown\n }\n}\n\n/**\n * Minimal machine-API client used by the zero-trust Node SDK.\n * Agents authenticate with an AGENT-scoped API key, register their local public\n * key, then fetch wrapped vault DEKs and ciphertext for local decryption.\n */\nexport class R4Client {\n private readonly apiKey: string\n private readonly baseUrl: string\n\n constructor(apiKey: string, baseUrl: string) {\n this.apiKey = apiKey\n this.baseUrl = baseUrl.replace(/\\/$/, '')\n }\n\n private buildHeaders(): Record<string, string> {\n return {\n 'X-API-Key': this.apiKey,\n 'Content-Type': 'application/json',\n }\n }\n\n private async request<T>(path: string, init: RequestInit): Promise<T> {\n const response = await fetch(`${this.baseUrl}${path}`, {\n ...init,\n headers: {\n ...this.buildHeaders(),\n ...(init.headers ?? {}),\n },\n })\n\n if (!response.ok) {\n const errorBody = (await response.json().catch(() => ({}))) as ApiErrorBody\n const errorMessage =\n typeof errorBody.error?.message === 'string'\n ? 
errorBody.error.message\n : `HTTP ${response.status}: ${response.statusText}`\n throw new Error(`R4 API Error: ${errorMessage}`)\n }\n\n if (response.status === 204) {\n return undefined as T\n }\n\n return response.json() as Promise<T>\n }\n\n /**\n * Registers or re-confirms the agent runtime's local RSA public key.\n */\n async registerAgentPublicKey(\n body: RegisterMachinePublicKeyRequest,\n ): Promise<MachineAgentPublicKeyResponse> {\n return this.request<MachineAgentPublicKeyResponse>('/api/v1/machine/vault/public-key', {\n method: 'POST',\n body: JSON.stringify(body),\n })\n }\n\n /**\n * Lists all accessible non-hidden vaults. When `projectId` is provided, the\n * backend additionally filters to vaults associated with that project.\n */\n async listVaults(projectId?: string): Promise<ListMachineVaultsResponse> {\n const search = projectId\n ? `?projectId=${encodeURIComponent(projectId)}`\n : ''\n return this.request<ListMachineVaultsResponse>(`/api/v1/machine/vault${search}`, {\n method: 'GET',\n })\n }\n\n /**\n * Retrieves the active wrapped DEK for the authenticated agent on a vault.\n */\n async getAgentWrappedKey(vaultId: string): Promise<MachineWrappedKeyResponse> {\n return this.request<MachineWrappedKeyResponse>(\n `/api/v1/machine/vault/${encodeURIComponent(vaultId)}/wrapped-key`,\n { method: 'GET' },\n )\n }\n\n /**\n * Retrieves the trusted user-key directory for a vault so the runtime can\n * verify wrapped-DEK signatures locally.\n */\n async getVaultUserKeyDirectory(\n vaultId: string,\n params?: {\n knownTransparencyVersion?: number\n knownTransparencyHash?: string\n },\n ): Promise<MachineVaultUserKeyDirectoryResponse> {\n const searchParams = new URLSearchParams()\n if (params?.knownTransparencyVersion !== undefined) {\n searchParams.set('knownTransparencyVersion', String(params.knownTransparencyVersion))\n }\n if (params?.knownTransparencyHash) {\n searchParams.set('knownTransparencyHash', params.knownTransparencyHash)\n }\n const search 
= searchParams.size > 0 ? `?${searchParams.toString()}` : ''\n\n return this.request<MachineVaultUserKeyDirectoryResponse>(\n `/api/v1/machine/vault/${encodeURIComponent(vaultId)}/public-keys${search}`,\n { method: 'GET' },\n )\n }\n\n /**\n * Lists all items in a vault with lightweight metadata.\n */\n async listVaultItems(vaultId: string): Promise<ListMachineVaultItemsResponse> {\n return this.request<ListMachineVaultItemsResponse>(\n `/api/v1/machine/vault/${encodeURIComponent(vaultId)}/items`,\n { method: 'GET' },\n )\n }\n\n /**\n * Retrieves the full field payloads for a vault item.\n */\n async getVaultItemDetail(\n vaultId: string,\n itemId: string,\n ): Promise<MachineVaultItemDetailResponse> {\n return this.request<MachineVaultItemDetailResponse>(\n `/api/v1/machine/vault/${encodeURIComponent(vaultId)}/items/${encodeURIComponent(itemId)}`,\n { method: 'GET' },\n )\n }\n}\n","import crypto from 'node:crypto'\nimport fs from 'node:fs'\nimport path from 'node:path'\nimport {\n buildAgentPublicKeyWitnessPayload,\n buildOrgUserKeyDirectoryWitnessPayload,\n type AgentPublicKeyWitnessArtifact,\n type OrgUserKeyDirectoryWitnessArtifact,\n} from './transparency'\nimport type {\n UserKeyDirectoryCheckpoint,\n UserKeyDirectoryTransparencyEntry,\n UserKeyDirectoryTransparencyHead,\n UserKeyDirectoryTransparencyProof,\n VaultItemDetailCheckpoint,\n VaultSummaryCheckpoint,\n} from './types'\n\nconst RSA_OAEP_CONFIG = {\n padding: crypto.constants.RSA_PKCS1_OAEP_PADDING,\n oaepHash: 'sha256',\n} as const\n\nconst RSA_PSS_SIGN_CONFIG = {\n padding: crypto.constants.RSA_PKCS1_PSS_PADDING,\n saltLength: 32,\n} as const\n\nconst USER_KEY_ROTATION_PREFIX = 'r4-user-key-rotation-v1'\nconst USER_KEY_DIRECTORY_CHECKPOINT_PREFIX = 'r4-user-key-directory-checkpoint-v1'\nconst USER_KEY_DIRECTORY_TRANSPARENCY_ENTRY_PREFIX = 'r4-user-key-directory-transparency-entry-v1'\nconst WRAPPED_DEK_SIGNATURE_PREFIX = 'r4-wrapped-dek-signature-v1'\nconst VAULT_SUMMARY_CHECKPOINT_PREFIX = 
'r4-vault-summary-checkpoint-v1'\nconst VAULT_ITEM_DETAIL_CHECKPOINT_PREFIX = 'r4-vault-item-detail-checkpoint-v1'\n\ntype VaultEnvelope = {\n v: 3\n iv: string\n t: string\n d: string\n}\n\nfunction pemToDer(pem: string, beginLabel: string, endLabel: string): Buffer {\n const derBase64 = pem\n .replace(beginLabel, '')\n .replace(endLabel, '')\n .replace(/\\s/g, '')\n\n return Buffer.from(derBase64, 'base64')\n}\n\nfunction getWrappedDekFingerprint(wrappedDek: string): string {\n return crypto.createHash('sha256').update(Buffer.from(wrappedDek, 'base64')).digest('hex')\n}\n\nfunction getCheckpointFingerprint(prefix: string, canonicalJson: string): string {\n return `${prefix}:${crypto.createHash('sha256').update(canonicalJson, 'utf8').digest('hex')}`\n}\n\n/**\n * Loads a PEM-encoded private key from the provided path.\n */\nexport function loadPrivateKey(privateKeyPath: string): string {\n return fs.readFileSync(path.resolve(privateKeyPath), 'utf8').trim()\n}\n\n/**\n * Derives the matching PEM-encoded public key from a PEM private key.\n */\nexport function derivePublicKey(privateKeyPem: string): string {\n return crypto.createPublicKey(privateKeyPem).export({\n type: 'spki',\n format: 'pem',\n }).toString()\n}\n\n/**\n * Compute a stable SHA-256 fingerprint for a PEM-encoded public key.\n * The fingerprint uses the DER bytes so PEM formatting differences do not matter.\n */\nexport function getPublicKeyFingerprint(publicKeyPem: string): string {\n const derBytes = pemToDer(publicKeyPem, '-----BEGIN PUBLIC KEY-----', '-----END PUBLIC KEY-----')\n return crypto.createHash('sha256').update(derBytes).digest('hex')\n}\n\nfunction buildUserKeyRotationPayload(previousUserKeyPairId: string, newPublicKeyFingerprint: string): string {\n return `${USER_KEY_ROTATION_PREFIX}:${previousUserKeyPairId}:${newPublicKeyFingerprint}`\n}\n\n/**\n * Signs a new key fingerprint with the previous private key to prove continuity.\n */\nexport function signUserKeyRotation(\n 
previousUserKeyPairId: string,\n newPublicKeyPem: string,\n previousPrivateKeyPem: string,\n): string {\n const payload = buildUserKeyRotationPayload(\n previousUserKeyPairId,\n getPublicKeyFingerprint(newPublicKeyPem),\n )\n\n return crypto.sign(\n 'sha256',\n Buffer.from(payload, 'utf8'),\n {\n key: previousPrivateKeyPem,\n ...RSA_PSS_SIGN_CONFIG,\n },\n ).toString('base64')\n}\n\n/**\n * Verifies continuity for a rotated signer key.\n */\nexport function verifyUserKeyRotation(\n previousUserKeyPairId: string,\n newPublicKeyPem: string,\n rotationSignature: string,\n previousPublicKeyPem: string,\n): boolean {\n const payload = buildUserKeyRotationPayload(\n previousUserKeyPairId,\n getPublicKeyFingerprint(newPublicKeyPem),\n )\n\n try {\n return crypto.verify(\n 'sha256',\n Buffer.from(payload, 'utf8'),\n {\n key: previousPublicKeyPem,\n ...RSA_PSS_SIGN_CONFIG,\n },\n Buffer.from(rotationSignature, 'base64'),\n )\n } catch {\n return false\n }\n}\n\nexport function verifyTransparencyWitnessPayload(\n payload: string,\n signature: string,\n publicKeyPem: string,\n): boolean {\n try {\n return crypto.verify(\n 'sha256',\n Buffer.from(payload, 'utf8'),\n {\n key: publicKeyPem,\n ...RSA_PSS_SIGN_CONFIG,\n },\n Buffer.from(signature, 'base64'),\n )\n } catch {\n return false\n }\n}\n\nexport function verifyOrgUserKeyDirectoryWitnessArtifact(\n artifact: OrgUserKeyDirectoryWitnessArtifact,\n publicKeyPem: string,\n): boolean {\n return verifyTransparencyWitnessPayload(\n buildOrgUserKeyDirectoryWitnessPayload(artifact.orgId, artifact.head),\n artifact.signature,\n publicKeyPem,\n )\n}\n\nexport function verifyAgentPublicKeyWitnessArtifact(\n artifact: AgentPublicKeyWitnessArtifact,\n publicKeyPem: string,\n): boolean {\n return verifyTransparencyWitnessPayload(\n buildAgentPublicKeyWitnessPayload(artifact.agentId, artifact.head),\n artifact.signature,\n publicKeyPem,\n )\n}\n\nexport function normalizeUserKeyDirectoryCheckpoint(\n checkpoint: 
UserKeyDirectoryCheckpoint,\n): UserKeyDirectoryCheckpoint {\n return {\n orgId: checkpoint.orgId,\n version: checkpoint.version,\n entries: [...checkpoint.entries]\n .map((entry) => ({\n userKeyPairId: entry.userKeyPairId,\n orgUserId: entry.orgUserId,\n fingerprint: entry.fingerprint,\n previousUserKeyPairId: entry.previousUserKeyPairId ?? null,\n rotationSignature: entry.rotationSignature ?? null,\n }))\n .sort((left, right) => left.userKeyPairId.localeCompare(right.userKeyPairId)),\n }\n}\n\nexport function canonicalizeUserKeyDirectoryCheckpoint(\n checkpoint: UserKeyDirectoryCheckpoint,\n): string {\n return JSON.stringify(normalizeUserKeyDirectoryCheckpoint(checkpoint))\n}\n\nexport function buildUserKeyDirectoryCheckpointPayload(\n checkpoint: UserKeyDirectoryCheckpoint,\n): string {\n return getCheckpointFingerprint(\n USER_KEY_DIRECTORY_CHECKPOINT_PREFIX,\n canonicalizeUserKeyDirectoryCheckpoint(checkpoint),\n )\n}\n\nexport function signUserKeyDirectoryCheckpoint(\n checkpoint: UserKeyDirectoryCheckpoint,\n privateKeyPem: string,\n): string {\n return crypto.sign(\n 'sha256',\n Buffer.from(buildUserKeyDirectoryCheckpointPayload(checkpoint), 'utf8'),\n {\n key: privateKeyPem,\n ...RSA_PSS_SIGN_CONFIG,\n },\n ).toString('base64')\n}\n\nexport function verifyUserKeyDirectoryCheckpoint(\n checkpoint: UserKeyDirectoryCheckpoint,\n signature: string,\n publicKeyPem: string,\n): boolean {\n try {\n return crypto.verify(\n 'sha256',\n Buffer.from(buildUserKeyDirectoryCheckpointPayload(checkpoint), 'utf8'),\n {\n key: publicKeyPem,\n ...RSA_PSS_SIGN_CONFIG,\n },\n Buffer.from(signature, 'base64'),\n )\n } catch {\n return false\n }\n}\n\nexport function buildUserKeyDirectoryTransparencyEntryHash(\n entry: Omit<UserKeyDirectoryTransparencyEntry, 'entryHash'>,\n): string {\n return getCheckpointFingerprint(\n USER_KEY_DIRECTORY_TRANSPARENCY_ENTRY_PREFIX,\n JSON.stringify({\n orgId: entry.orgId,\n version: entry.version,\n directoryCheckpointPayload: 
entry.directoryCheckpointPayload,\n signerUserKeyPairId: entry.signerUserKeyPairId,\n signerOrgUserId: entry.signerOrgUserId,\n signerFingerprint: entry.signerFingerprint,\n signature: entry.signature,\n previousEntryHash: entry.previousEntryHash ?? null,\n }),\n )\n}\n\nexport function buildUserKeyDirectoryTransparencyEntry(params: {\n checkpoint: UserKeyDirectoryCheckpoint\n signerUserKeyPairId: string\n signerOrgUserId: string\n signerPublicKey: string\n signature: string\n previousEntryHash: string | null\n}): UserKeyDirectoryTransparencyEntry {\n const entryWithoutHash = {\n orgId: params.checkpoint.orgId,\n version: params.checkpoint.version,\n directoryCheckpointPayload: buildUserKeyDirectoryCheckpointPayload(params.checkpoint),\n signerUserKeyPairId: params.signerUserKeyPairId,\n signerOrgUserId: params.signerOrgUserId,\n signerFingerprint: getPublicKeyFingerprint(params.signerPublicKey),\n signature: params.signature,\n previousEntryHash: params.previousEntryHash ?? null,\n }\n\n return {\n ...entryWithoutHash,\n entryHash: buildUserKeyDirectoryTransparencyEntryHash(entryWithoutHash),\n }\n}\n\nexport function verifyUserKeyDirectoryTransparencyProof(params: {\n currentEntry: UserKeyDirectoryTransparencyEntry\n proof: UserKeyDirectoryTransparencyProof\n previousHead: UserKeyDirectoryTransparencyHead | null\n}): boolean {\n if (\n params.proof.head.version !== params.currentEntry.version ||\n params.proof.head.hash !== params.currentEntry.entryHash\n ) {\n return false\n }\n\n if (!params.previousHead) {\n if (params.proof.entries.length === 0) {\n return false\n }\n\n for (let index = 0; index < params.proof.entries.length; index++) {\n const entry = params.proof.entries[index]\n if (!entry) {\n return false\n }\n\n const expectedHash = buildUserKeyDirectoryTransparencyEntryHash({\n orgId: entry.orgId,\n version: entry.version,\n directoryCheckpointPayload: entry.directoryCheckpointPayload,\n signerUserKeyPairId: entry.signerUserKeyPairId,\n 
signerOrgUserId: entry.signerOrgUserId,\n signerFingerprint: entry.signerFingerprint,\n signature: entry.signature,\n previousEntryHash: entry.previousEntryHash,\n })\n\n if (expectedHash !== entry.entryHash) {\n return false\n }\n\n if (index === 0) {\n continue\n }\n\n const previousEntry = params.proof.entries[index - 1]\n if (!previousEntry) {\n return false\n }\n\n if (entry.previousEntryHash !== previousEntry.entryHash || entry.version !== previousEntry.version + 1) {\n return false\n }\n }\n\n const lastEntry = params.proof.entries[params.proof.entries.length - 1]\n return lastEntry?.entryHash === params.currentEntry.entryHash && lastEntry.version === params.currentEntry.version\n }\n\n if (params.currentEntry.version < params.previousHead.version) {\n return false\n }\n\n if (params.currentEntry.version === params.previousHead.version) {\n return params.currentEntry.entryHash === params.previousHead.hash && params.proof.entries.length === 0\n }\n\n if (params.proof.entries.length === 0) {\n return false\n }\n\n let previousVersion = params.previousHead.version\n let previousHash = params.previousHead.hash\n\n for (const entry of params.proof.entries) {\n const expectedHash = buildUserKeyDirectoryTransparencyEntryHash({\n orgId: entry.orgId,\n version: entry.version,\n directoryCheckpointPayload: entry.directoryCheckpointPayload,\n signerUserKeyPairId: entry.signerUserKeyPairId,\n signerOrgUserId: entry.signerOrgUserId,\n signerFingerprint: entry.signerFingerprint,\n signature: entry.signature,\n previousEntryHash: entry.previousEntryHash,\n })\n\n if (\n expectedHash !== entry.entryHash ||\n entry.previousEntryHash !== previousHash ||\n entry.version !== previousVersion + 1\n ) {\n return false\n }\n\n previousVersion = entry.version\n previousHash = entry.entryHash\n }\n\n return previousHash === params.currentEntry.entryHash && previousVersion === params.currentEntry.version\n}\n\nfunction buildWrappedDekSignaturePayload(\n vaultId: string,\n 
recipientKeyId: string,\n signerUserKeyPairId: string,\n dekVersion: number,\n wrappedDek: string,\n): string {\n return [\n WRAPPED_DEK_SIGNATURE_PREFIX,\n vaultId,\n recipientKeyId,\n signerUserKeyPairId,\n String(dekVersion),\n getWrappedDekFingerprint(wrappedDek),\n ].join(':')\n}\n\n/**\n * Signs a wrapped-DEK payload with the signer's private key.\n */\nexport function signWrappedDek(\n vaultId: string,\n recipientKeyId: string,\n signerUserKeyPairId: string,\n dekVersion: number,\n wrappedDek: string,\n signerPrivateKeyPem: string,\n): string {\n const payload = buildWrappedDekSignaturePayload(\n vaultId,\n recipientKeyId,\n signerUserKeyPairId,\n dekVersion,\n wrappedDek,\n )\n\n return crypto.sign(\n 'sha256',\n Buffer.from(payload, 'utf8'),\n {\n key: signerPrivateKeyPem,\n ...RSA_PSS_SIGN_CONFIG,\n },\n ).toString('base64')\n}\n\n/**\n * Verifies a wrapped vault DEK signature using the signer's public key.\n */\nexport function verifyWrappedDekSignature(\n vaultId: string,\n recipientKeyId: string,\n signerUserKeyPairId: string,\n dekVersion: number,\n wrappedDek: string,\n wrappedDekSignature: string,\n signerPublicKeyPem: string,\n): boolean {\n const payload = buildWrappedDekSignaturePayload(\n vaultId,\n recipientKeyId,\n signerUserKeyPairId,\n dekVersion,\n wrappedDek,\n )\n\n try {\n return crypto.verify(\n 'sha256',\n Buffer.from(payload, 'utf8'),\n {\n key: signerPublicKeyPem,\n ...RSA_PSS_SIGN_CONFIG,\n },\n Buffer.from(wrappedDekSignature, 'base64'),\n )\n } catch {\n return false\n }\n}\n\nexport function normalizeVaultSummaryCheckpoint(\n checkpoint: VaultSummaryCheckpoint,\n): VaultSummaryCheckpoint {\n return {\n vaultId: checkpoint.vaultId,\n version: checkpoint.version,\n name: checkpoint.name,\n dataClassification: checkpoint.dataClassification ?? null,\n currentDekVersion: checkpoint.currentDekVersion ?? null,\n items: [...checkpoint.items]\n .map((item) => ({\n id: item.id,\n name: item.name,\n type: item.type ?? 
null,\n websites: [...item.websites],\n groupId: item.groupId ?? null,\n }))\n .sort((left, right) => left.id.localeCompare(right.id)),\n groups: [...checkpoint.groups]\n .map((group) => ({\n id: group.id,\n name: group.name,\n parentId: group.parentId ?? null,\n }))\n .sort((left, right) => left.id.localeCompare(right.id)),\n }\n}\n\nexport function canonicalizeVaultSummaryCheckpoint(\n checkpoint: VaultSummaryCheckpoint,\n): string {\n return JSON.stringify(normalizeVaultSummaryCheckpoint(checkpoint))\n}\n\nexport function buildVaultSummaryCheckpointPayload(\n checkpoint: VaultSummaryCheckpoint,\n): string {\n return getCheckpointFingerprint(\n VAULT_SUMMARY_CHECKPOINT_PREFIX,\n canonicalizeVaultSummaryCheckpoint(checkpoint),\n )\n}\n\nexport function verifyVaultSummaryCheckpoint(\n checkpoint: VaultSummaryCheckpoint,\n signature: string,\n publicKeyPem: string,\n): boolean {\n try {\n return crypto.verify(\n 'sha256',\n Buffer.from(buildVaultSummaryCheckpointPayload(checkpoint), 'utf8'),\n {\n key: publicKeyPem,\n ...RSA_PSS_SIGN_CONFIG,\n },\n Buffer.from(signature, 'base64'),\n )\n } catch {\n return false\n }\n}\n\nexport function signVaultSummaryCheckpoint(\n checkpoint: VaultSummaryCheckpoint,\n privateKeyPem: string,\n): string {\n return crypto.sign(\n 'sha256',\n Buffer.from(buildVaultSummaryCheckpointPayload(checkpoint), 'utf8'),\n {\n key: privateKeyPem,\n ...RSA_PSS_SIGN_CONFIG,\n },\n ).toString('base64')\n}\n\nexport function normalizeVaultItemDetailCheckpoint(\n checkpoint: VaultItemDetailCheckpoint,\n): VaultItemDetailCheckpoint {\n return {\n vaultItemId: checkpoint.vaultItemId,\n vaultId: checkpoint.vaultId,\n version: checkpoint.version,\n name: checkpoint.name,\n type: checkpoint.type ?? null,\n websites: [...checkpoint.websites],\n groupId: checkpoint.groupId ?? 
null,\n fields: [...checkpoint.fields]\n .map((field) => ({\n id: field.id,\n name: field.name,\n type: field.type,\n order: field.order,\n fieldInstanceIds: [...field.fieldInstanceIds].sort(),\n assetIds: [...field.assetIds].sort(),\n }))\n .sort((left, right) => left.order - right.order || left.id.localeCompare(right.id)),\n }\n}\n\nexport function canonicalizeVaultItemDetailCheckpoint(\n checkpoint: VaultItemDetailCheckpoint,\n): string {\n return JSON.stringify(normalizeVaultItemDetailCheckpoint(checkpoint))\n}\n\nexport function buildVaultItemDetailCheckpointPayload(\n checkpoint: VaultItemDetailCheckpoint,\n): string {\n return getCheckpointFingerprint(\n VAULT_ITEM_DETAIL_CHECKPOINT_PREFIX,\n canonicalizeVaultItemDetailCheckpoint(checkpoint),\n )\n}\n\nexport function verifyVaultItemDetailCheckpoint(\n checkpoint: VaultItemDetailCheckpoint,\n signature: string,\n publicKeyPem: string,\n): boolean {\n try {\n return crypto.verify(\n 'sha256',\n Buffer.from(buildVaultItemDetailCheckpointPayload(checkpoint), 'utf8'),\n {\n key: publicKeyPem,\n ...RSA_PSS_SIGN_CONFIG,\n },\n Buffer.from(signature, 'base64'),\n )\n } catch {\n return false\n }\n}\n\nexport function signVaultItemDetailCheckpoint(\n checkpoint: VaultItemDetailCheckpoint,\n privateKeyPem: string,\n): string {\n return crypto.sign(\n 'sha256',\n Buffer.from(buildVaultItemDetailCheckpointPayload(checkpoint), 'utf8'),\n {\n key: privateKeyPem,\n ...RSA_PSS_SIGN_CONFIG,\n },\n ).toString('base64')\n}\n\n/**\n * Checks whether a stored field value is a v3 vault envelope.\n */\nexport function isVaultEnvelope(value: string): boolean {\n if (!value.startsWith('{')) {\n return false\n }\n\n try {\n const parsed = JSON.parse(value) as { v?: number }\n return parsed.v === 3\n } catch {\n return false\n }\n}\n\n/**\n * Decrypts a v3 vault envelope with the provided 32-byte AES vault DEK.\n */\nexport function decryptWithVaultDEK(encryptedValue: string, dek: Buffer): string {\n if 
(!isVaultEnvelope(encryptedValue)) {\n throw new Error('Invalid encrypted value: expected v3 vault envelope format')\n }\n\n const envelope = JSON.parse(encryptedValue) as VaultEnvelope\n const decipher = crypto.createDecipheriv('aes-256-gcm', dek, Buffer.from(envelope.iv, 'base64'))\n decipher.setAuthTag(Buffer.from(envelope.t, 'base64'))\n const decrypted = Buffer.concat([\n decipher.update(Buffer.from(envelope.d, 'base64')),\n decipher.final(),\n ])\n return decrypted.toString('utf8')\n}\n\n/**\n * Returns plaintext for a field value. Plain strings are returned as-is, while\n * v3 envelopes are decrypted with the provided vault DEK.\n */\nexport function decryptStoredFieldValue(value: string, dek: Buffer): string {\n return isVaultEnvelope(value) ? decryptWithVaultDEK(value, dek) : value\n}\n\n/**\n * Encrypts a plaintext field value into a v3 vault envelope. Used by tests.\n */\nexport function encryptWithVaultDEK(value: string, dek: Buffer): string {\n const iv = crypto.randomBytes(12)\n const cipher = crypto.createCipheriv('aes-256-gcm', dek, iv)\n const ciphertext = Buffer.concat([cipher.update(value, 'utf8'), cipher.final()])\n const tag = cipher.getAuthTag()\n\n return JSON.stringify({\n v: 3,\n iv: iv.toString('base64'),\n t: tag.toString('base64'),\n d: ciphertext.toString('base64'),\n } satisfies VaultEnvelope)\n}\n\n/**\n * Unwraps a vault DEK using the agent runtime's local private key.\n */\nexport function unwrapDEKWithPrivateKey(wrappedDek: string, privateKeyPem: string): Buffer {\n return crypto.privateDecrypt(\n { key: privateKeyPem, ...RSA_OAEP_CONFIG },\n Buffer.from(wrappedDek, 'base64'),\n )\n}\n","/**\n * Minimal transparency witness helpers vendored into the public Node SDK so the\n * published package does not depend on unpublished internal workspace packages.\n */\n\nconst TRANSPARENCY_WITNESS_PAYLOAD_PREFIX = 'r4-transparency-witness-v1'\n\nexport const DEFAULT_TRANSPARENCY_WITNESS_URL = 'https://transparency.r4.dev'\n\nexport const 
TRANSPARENCY_WITNESS_ROOT_PUBLIC_KEY_PEM = `-----BEGIN PUBLIC KEY-----\nMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA18JhILFiS/BOWR9laubW\ng2vepQy26BXAlnrscZZVQUzBBaCM4hWobpt3Nh77vxP0gqVAJXP1hVhPPwxGQnOF\n4Qg/RK4iEETjMdmh3KMqFX9MeE9tP4cTOGtsgWsedNpu6TvMT+2vu+0ltmr7p4Xv\nH0ID48Q8JLeNksc/RekrsfzQ9DVtXFS7z1FF2VQgzamdJsW9hGMiM7Q+0iXei7PW\n3PsLd1aNtqJ3lIj3t12qFiJiYyKF0hEq0//Abgb9SgDv/WOlRG1Ianf1/fnP2jer\nZYiZSylXqQdun0Db2d0+FDm/znV2AGAmBEXm6qnCogEHu77LoLyCyJOlB9WNtRwh\nKnbzTmE2Mw/43jxvCcR7pE5kik/tdeMvqGFZfg3ozUG9eM0q0TURH6g9b9J4sBnR\ndxz2PbF4cl/AeL4ANPmLz3kUQaDA6wR0veVk5jV+Uqr55TYz/zEbY1rtJbmnc53Q\nihPS6xtSiexrqnOgqm/AVbiRhxjPqfg3/VJM3zR5Blnu02AqVR9kCT0WkyEWRz5X\n6HU8DEocJIPz8UwBMKQ7rnjMPv/Fjpuav/EIad5vOdfxCZkjyTYoQg8vLUyfXvgD\nmBWFgKIN8GTRyM+LjZIgznjN58dZ8ZvsGd14oKnH7WgAh9FVh8ri7gNmsdJeRTn/\n2zDkTlx+FQxAxqFaYV7qCvcCAwEAAQ==\n-----END PUBLIC KEY-----`\n\nexport type TransparencyWitnessHead = {\n version: number\n hash: string\n}\n\nexport type OrgUserKeyDirectoryWitnessArtifact = {\n version: 1\n kind: 'org-user-key-directory'\n orgId: string\n head: TransparencyWitnessHead\n signature: string\n keyId: string\n publishedAt: string\n}\n\nexport type AgentPublicKeyWitnessArtifact = {\n version: 1\n kind: 'agent-public-key'\n agentId: string\n head: TransparencyWitnessHead\n signature: string\n keyId: string\n publishedAt: string\n}\n\nexport const buildOrgUserKeyDirectoryWitnessPayload = (\n orgId: string,\n head: TransparencyWitnessHead,\n): string =>\n [\n TRANSPARENCY_WITNESS_PAYLOAD_PREFIX,\n 'org-user-key-directory',\n orgId,\n String(head.version),\n head.hash,\n ].join(':')\n\nexport const buildAgentPublicKeyWitnessPayload = (\n agentId: string,\n head: TransparencyWitnessHead,\n): string =>\n [\n TRANSPARENCY_WITNESS_PAYLOAD_PREFIX,\n 'agent-public-key',\n agentId,\n String(head.version),\n head.hash,\n ].join(':')\n\nexport const buildOrgUserKeyDirectoryWitnessPath = (orgId: string): string =>\n `v1/orgs/${orgId}/user-key-directory-head.json`\n\nexport const 
buildTransparencyWitnessUrl = (baseUrl: string, path: string): string =>\n `${baseUrl.replace(/\\/+$/, '')}/${path.replace(/^\\/+/, '')}`\n\nexport const shouldUseDefaultTransparencyWitness = (apiBaseUrl: string): boolean =>\n /(^https?:\\/\\/)?([^.]+\\.)?r4\\.dev(?::\\d+)?(\\/|$)/i.test(apiBaseUrl.trim())\n","import fs from 'node:fs'\nimport path from 'node:path'\nimport {\n DEFAULT_TRANSPARENCY_WITNESS_URL,\n TRANSPARENCY_WITNESS_ROOT_PUBLIC_KEY_PEM,\n buildOrgUserKeyDirectoryWitnessPath,\n buildTransparencyWitnessUrl,\n shouldUseDefaultTransparencyWitness,\n type OrgUserKeyDirectoryWitnessArtifact,\n} from './transparency'\nimport {\n buildUserKeyDirectoryTransparencyEntry,\n getPublicKeyFingerprint,\n verifyOrgUserKeyDirectoryWitnessArtifact,\n verifyUserKeyDirectoryCheckpoint,\n verifyUserKeyDirectoryTransparencyProof,\n verifyUserKeyRotation,\n} from './crypto'\nimport type {\n MachineVaultUserKeyDirectoryResponse,\n MachineVaultUserPublicKey,\n} from './types'\n\ntype PublicKeyPinRecord = {\n keyPairId: string\n fingerprint: string\n publicKey: string\n pinnedAt: string\n verifiedAt: string\n}\n\ntype TrustStore = {\n version: 1\n userKeyPins: Record<string, PublicKeyPinRecord>\n checkpointVersionPins: Record<string, number>\n transparencyHeadPins: Record<string, { version: number; hash: string }>\n}\n\nfunction loadTrustStore(trustStorePath: string): TrustStore {\n try {\n const raw = fs.readFileSync(trustStorePath, 'utf8')\n const parsed = JSON.parse(raw) as Partial<TrustStore>\n return {\n version: 1,\n userKeyPins: parsed.userKeyPins ?? {},\n checkpointVersionPins: parsed.checkpointVersionPins ?? {},\n transparencyHeadPins: parsed.transparencyHeadPins ?? 
{},\n }\n } catch {\n return {\n version: 1,\n userKeyPins: {},\n checkpointVersionPins: {},\n transparencyHeadPins: {},\n }\n }\n}\n\nfunction saveTrustStore(trustStorePath: string, store: TrustStore): void {\n fs.mkdirSync(path.dirname(trustStorePath), { recursive: true })\n fs.writeFileSync(trustStorePath, JSON.stringify(store, null, 2) + '\\n', 'utf8')\n}\n\nfunction getPinStorageKey(orgId: string, orgUserId: string): string {\n return `${orgId}:${orgUserId}`\n}\n\nfunction getDirectoryPinStorageKey(orgId: string): string {\n return `org:${orgId}`\n}\n\nasync function fetchWitnessArtifact<T>(pathName: string): Promise<T> {\n const response = await fetch(\n buildTransparencyWitnessUrl(DEFAULT_TRANSPARENCY_WITNESS_URL, pathName),\n {\n cache: 'no-store',\n },\n )\n\n if (!response.ok) {\n throw new Error(`Failed to fetch public transparency witness artifact (${response.status}).`)\n }\n\n return response.json() as Promise<T>\n}\n\nexport function getPinnedTransparencyHead(\n trustStorePath: string,\n orgId: string,\n): { version: number; hash: string } | null {\n const store = loadTrustStore(trustStorePath)\n return store.transparencyHeadPins[getDirectoryPinStorageKey(orgId)] ?? null\n}\n\nexport function getSinglePinnedTransparencyHead(\n trustStorePath: string,\n): { version: number; hash: string } | null {\n const store = loadTrustStore(trustStorePath)\n const heads = Object.values(store.transparencyHeadPins)\n return heads.length === 1 ? heads[0]! 
: null\n}\n\nexport async function getPublicOrgWitnessHead(\n apiBaseUrl: string,\n orgId: string,\n): Promise<{ version: number; hash: string } | null> {\n if (!shouldUseDefaultTransparencyWitness(apiBaseUrl)) {\n return null\n }\n\n const artifact = await fetchWitnessArtifact<OrgUserKeyDirectoryWitnessArtifact>(\n buildOrgUserKeyDirectoryWitnessPath(orgId),\n )\n\n if (\n artifact.kind !== 'org-user-key-directory' ||\n artifact.orgId !== orgId ||\n !verifyOrgUserKeyDirectoryWitnessArtifact(\n artifact,\n TRANSPARENCY_WITNESS_ROOT_PUBLIC_KEY_PEM,\n )\n ) {\n throw new Error(`Public transparency witness verification failed for org ${orgId}.`)\n }\n\n return artifact.head\n}\n\nasync function pinVaultUserPublicKeys(\n trustStorePath: string,\n orgId: string,\n publicKeys: MachineVaultUserPublicKey[],\n): Promise<MachineVaultUserPublicKey[]> {\n const store = loadTrustStore(trustStorePath)\n let changed = false\n\n for (const key of publicKeys) {\n const storageKey = getPinStorageKey(orgId, key.orgUserId)\n const computedFingerprint = getPublicKeyFingerprint(key.publicKey)\n\n if (computedFingerprint !== key.fingerprint) {\n throw new Error(`Server returned a mismatched fingerprint for user ${key.orgUserId}.`)\n }\n\n const existing = store.userKeyPins[storageKey]\n const verifiedAt = new Date().toISOString()\n\n if (!existing) {\n store.userKeyPins[storageKey] = {\n keyPairId: key.userKeyPairId,\n fingerprint: key.fingerprint,\n publicKey: key.publicKey,\n pinnedAt: verifiedAt,\n verifiedAt,\n }\n changed = true\n continue\n }\n\n if (existing.keyPairId === key.userKeyPairId) {\n if (existing.fingerprint !== key.fingerprint || existing.publicKey !== key.publicKey) {\n throw new Error(\n `Pinned public key ${key.userKeyPairId} changed unexpectedly for user ${key.orgUserId}.`,\n )\n }\n\n if (existing.verifiedAt !== verifiedAt) {\n store.userKeyPins[storageKey] = {\n ...existing,\n verifiedAt,\n }\n changed = true\n }\n continue\n }\n\n if (!key.previousUserKeyPairId 
|| key.previousUserKeyPairId !== existing.keyPairId || !key.rotationSignature) {\n throw new Error(`Public key rotation for user ${key.orgUserId} is missing a trusted continuity proof.`)\n }\n\n const rotationVerified = verifyUserKeyRotation(\n existing.keyPairId,\n key.publicKey,\n key.rotationSignature,\n existing.publicKey,\n )\n\n if (!rotationVerified) {\n throw new Error(`Public key rotation for user ${key.orgUserId} failed signature verification.`)\n }\n\n store.userKeyPins[storageKey] = {\n keyPairId: key.userKeyPairId,\n fingerprint: key.fingerprint,\n publicKey: key.publicKey,\n pinnedAt: existing.pinnedAt,\n verifiedAt,\n }\n changed = true\n }\n\n if (changed) {\n saveTrustStore(trustStorePath, store)\n }\n\n return publicKeys\n}\n\nasync function verifySignedUserKeyDirectory(\n trustStorePath: string,\n directory: MachineVaultUserKeyDirectoryResponse,\n anchorHead?: { version: number; hash: string } | null,\n): Promise<string | null> {\n if (!directory.directoryCheckpoint) {\n if (directory.publicKeys.length > 0) {\n throw new Error('Server omitted the user-key directory checkpoint for a non-empty vault signer directory.')\n }\n return null\n }\n\n const { directoryCheckpoint } = directory\n const orgId = directoryCheckpoint.checkpoint.orgId\n\n if (!directoryCheckpoint.signerOrgUserId || !directoryCheckpoint.signerPublicKey) {\n throw new Error('Server returned an incomplete user-key directory signer payload.')\n }\n\n const signerFingerprint = getPublicKeyFingerprint(directoryCheckpoint.signerPublicKey)\n const signerEntry = directoryCheckpoint.checkpoint.entries.find(\n (entry) =>\n entry.userKeyPairId === directoryCheckpoint.signerUserKeyPairId &&\n entry.orgUserId === directoryCheckpoint.signerOrgUserId,\n )\n const signerKey: MachineVaultUserPublicKey = {\n userKeyPairId: directoryCheckpoint.signerUserKeyPairId,\n orgUserId: directoryCheckpoint.signerOrgUserId,\n publicKey: directoryCheckpoint.signerPublicKey,\n fingerprint: signerFingerprint,\n 
previousUserKeyPairId: signerEntry?.previousUserKeyPairId ?? null,\n rotationSignature: signerEntry?.rotationSignature ?? null,\n }\n const storeBeforeVerification = loadTrustStore(trustStorePath)\n\n try {\n await pinVaultUserPublicKeys(trustStorePath, orgId, [signerKey])\n\n const verified = verifyUserKeyDirectoryCheckpoint(\n directoryCheckpoint.checkpoint,\n directoryCheckpoint.signature,\n directoryCheckpoint.signerPublicKey,\n )\n\n if (!verified) {\n throw new Error(`User-key directory signature verification failed for org ${orgId}.`)\n }\n if (!directory.transparency) {\n throw new Error(`Server omitted the user-key directory transparency proof for org ${orgId}.`)\n }\n\n const store = loadTrustStore(trustStorePath)\n const pinnedTransparencyHead = store.transparencyHeadPins[getDirectoryPinStorageKey(orgId)] ?? null\n const trustedPreviousHead = anchorHead ?? pinnedTransparencyHead\n const legacyPinnedVersion = store.checkpointVersionPins[getDirectoryPinStorageKey(orgId)] ?? null\n\n if (!trustedPreviousHead && legacyPinnedVersion !== null && directory.transparency.head.version < legacyPinnedVersion) {\n throw new Error(`User-key transparency head rolled back unexpectedly for org ${orgId}.`)\n }\n\n if (!trustedPreviousHead && directory.transparency.entries.length === 0) {\n throw new Error(`Server omitted the current transparency entry for org ${orgId}.`)\n }\n\n if (directory.transparency.entries.length > 0) {\n const currentProofEntry = directory.transparency.entries[directory.transparency.entries.length - 1]\n if (!currentProofEntry) {\n throw new Error(`Server returned an empty transparency proof for org ${orgId}.`)\n }\n\n const expectedCurrentEntry = buildUserKeyDirectoryTransparencyEntry({\n checkpoint: directoryCheckpoint.checkpoint,\n signerUserKeyPairId: directoryCheckpoint.signerUserKeyPairId,\n signerOrgUserId: directoryCheckpoint.signerOrgUserId,\n signerPublicKey: directoryCheckpoint.signerPublicKey,\n signature: 
directoryCheckpoint.signature,\n previousEntryHash: currentProofEntry.previousEntryHash ?? null,\n })\n\n if (expectedCurrentEntry.entryHash !== currentProofEntry.entryHash) {\n throw new Error(`User-key transparency entry does not match the signed directory for org ${orgId}.`)\n }\n\n if (anchorHead && directory.transparency.head.version === anchorHead.version) {\n if (directory.transparency.head.hash !== anchorHead.hash) {\n throw new Error(`Public transparency witness head fork detected for org ${orgId}.`)\n }\n\n if (\n currentProofEntry.entryHash !== anchorHead.hash ||\n expectedCurrentEntry.entryHash !== anchorHead.hash\n ) {\n throw new Error(`User-key transparency witness anchor mismatch for org ${orgId}.`)\n }\n } else if (\n !verifyUserKeyDirectoryTransparencyProof({\n currentEntry: expectedCurrentEntry,\n proof: directory.transparency,\n previousHead: trustedPreviousHead,\n })\n ) {\n throw new Error(`User-key transparency proof verification failed for org ${orgId}.`)\n }\n } else if (\n anchorHead &&\n directory.transparency.head.version === anchorHead.version\n ) {\n throw new Error(`Server omitted the current transparency entry required to verify org ${orgId} against the public witness.`)\n } else if (\n !trustedPreviousHead ||\n trustedPreviousHead.version !== directory.transparency.head.version ||\n trustedPreviousHead.hash !== directory.transparency.head.hash\n ) {\n throw new Error(`Server returned an incomplete user-key transparency proof for org ${orgId}.`)\n }\n\n assertAndPinTransparencyHead(trustStorePath, orgId, directory.transparency.head)\n\n const checkpointEntries = new Map(\n directoryCheckpoint.checkpoint.entries.map((entry) => [entry.userKeyPairId, entry]),\n )\n\n for (const key of directory.publicKeys) {\n const entry = checkpointEntries.get(key.userKeyPairId)\n\n if (!entry) {\n throw new Error(`User key ${key.userKeyPairId} is missing from the signed org directory.`)\n }\n\n if (\n entry.orgUserId !== key.orgUserId ||\n 
entry.fingerprint !== key.fingerprint ||\n entry.previousUserKeyPairId !== key.previousUserKeyPairId ||\n entry.rotationSignature !== key.rotationSignature\n ) {\n throw new Error(`User key ${key.userKeyPairId} does not match the signed org directory.`)\n }\n }\n\n return orgId\n } catch (error) {\n saveTrustStore(trustStorePath, storeBeforeVerification)\n throw error\n }\n}\n\n/**\n * Verifies the signed org directory first, then advances local per-user pins\n * only for the vault principals covered by that trusted directory.\n */\nexport async function verifyAndPinVaultUserPublicKeys(\n trustStorePath: string,\n directory: MachineVaultUserKeyDirectoryResponse,\n anchorHead?: { version: number; hash: string } | null,\n): Promise<MachineVaultUserPublicKey[]> {\n const orgId = await verifySignedUserKeyDirectory(trustStorePath, directory, anchorHead)\n if (!orgId) {\n return directory.publicKeys\n }\n return pinVaultUserPublicKeys(trustStorePath, orgId, directory.publicKeys)\n}\n\n/**\n * Rejects rollbacked checkpoint versions and persists the newest version so\n * subsequent SDK runs continue to enforce monotonic metadata history.\n */\nexport function assertAndPinCheckpointVersion(\n trustStorePath: string,\n storageKey: string,\n version: number,\n): void {\n const store = loadTrustStore(trustStorePath)\n const pinnedVersion = store.checkpointVersionPins[storageKey]\n\n if (pinnedVersion !== undefined && version < pinnedVersion) {\n throw new Error(`Checkpoint version rolled back unexpectedly for ${storageKey}.`)\n }\n\n if (pinnedVersion === undefined || version > pinnedVersion) {\n store.checkpointVersionPins[storageKey] = version\n saveTrustStore(trustStorePath, store)\n }\n}\n\nfunction assertAndPinTransparencyHead(\n trustStorePath: string,\n orgId: string,\n head: { version: number; hash: string },\n): void {\n const store = loadTrustStore(trustStorePath)\n const storageKey = getDirectoryPinStorageKey(orgId)\n const pinnedHead = 
store.transparencyHeadPins[storageKey]\n\n if (pinnedHead) {\n if (head.version < pinnedHead.version) {\n throw new Error(`User-key transparency head rolled back unexpectedly for org ${orgId}.`)\n }\n\n if (head.version === pinnedHead.version && head.hash !== pinnedHead.hash) {\n throw new Error(`User-key transparency head fork detected for org ${orgId}.`)\n }\n }\n\n if (!pinnedHead || head.version > pinnedHead.version) {\n store.transparencyHeadPins[storageKey] = head\n saveTrustStore(trustStorePath, store)\n }\n\n assertAndPinCheckpointVersion(trustStorePath, storageKey, head.version)\n}\n"],"mappings":";AAAA,OAAOA,WAAU;;;ACqBV,IAAM,WAAN,MAAe;AAAA,EACH;AAAA,EACA;AAAA,EAEjB,YAAY,QAAgB,SAAiB;AAC3C,SAAK,SAAS;AACd,SAAK,UAAU,QAAQ,QAAQ,OAAO,EAAE;AAAA,EAC1C;AAAA,EAEQ,eAAuC;AAC7C,WAAO;AAAA,MACL,aAAa,KAAK;AAAA,MAClB,gBAAgB;AAAA,IAClB;AAAA,EACF;AAAA,EAEA,MAAc,QAAWC,OAAc,MAA+B;AACpE,UAAM,WAAW,MAAM,MAAM,GAAG,KAAK,OAAO,GAAGA,KAAI,IAAI;AAAA,MACrD,GAAG;AAAA,MACH,SAAS;AAAA,QACP,GAAG,KAAK,aAAa;AAAA,QACrB,GAAI,KAAK,WAAW,CAAC;AAAA,MACvB;AAAA,IACF,CAAC;AAED,QAAI,CAAC,SAAS,IAAI;AAChB,YAAM,YAAa,MAAM,SAAS,KAAK,EAAE,MAAM,OAAO,CAAC,EAAE;AACzD,YAAM,eACJ,OAAO,UAAU,OAAO,YAAY,WAChC,UAAU,MAAM,UAChB,QAAQ,SAAS,MAAM,KAAK,SAAS,UAAU;AACrD,YAAM,IAAI,MAAM,iBAAiB,YAAY,EAAE;AAAA,IACjD;AAEA,QAAI,SAAS,WAAW,KAAK;AAC3B,aAAO;AAAA,IACT;AAEA,WAAO,SAAS,KAAK;AAAA,EACvB;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,uBACJ,MACwC;AACxC,WAAO,KAAK,QAAuC,oCAAoC;AAAA,MACrF,QAAQ;AAAA,MACR,MAAM,KAAK,UAAU,IAAI;AAAA,IAC3B,CAAC;AAAA,EACH;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,MAAM,WAAW,WAAwD;AACvE,UAAM,SAAS,YACX,cAAc,mBAAmB,SAAS,CAAC,KAC3C;AACJ,WAAO,KAAK,QAAmC,wBAAwB,MAAM,IAAI;AAAA,MAC/E,QAAQ;AAAA,IACV,CAAC;AAAA,EACH;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,mBAAmB,SAAqD;AAC5E,WAAO,KAAK;AAAA,MACV,yBAAyB,mBAAmB,OAAO,CAAC;AAAA,MACpD,EAAE,QAAQ,MAAM;AAAA,IAClB;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,MAAM,yBACJ,SACA,QAI+C;AAC/C,UAAM,eAAe,IAAI,gBAAgB;AACzC,QAAI,QAAQ,6BAA6B,QAAW;AAClD,mBAAa,IAAI,4BAA4B,OAAO,OAAO,wBAAwB,CAAC;AAAA,IACtF;AACA,QAAI,QAAQ,uBAAuB;AACjC,mBA
Aa,IAAI,yBAAyB,OAAO,qBAAqB;AAAA,IACxE;AACA,UAAM,SAAS,aAAa,OAAO,IAAI,IAAI,aAAa,SAAS,CAAC,KAAK;AAEvE,WAAO,KAAK;AAAA,MACV,yBAAyB,mBAAmB,OAAO,CAAC,eAAe,MAAM;AAAA,MACzE,EAAE,QAAQ,MAAM;AAAA,IAClB;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,eAAe,SAAyD;AAC5E,WAAO,KAAK;AAAA,MACV,yBAAyB,mBAAmB,OAAO,CAAC;AAAA,MACpD,EAAE,QAAQ,MAAM;AAAA,IAClB;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,mBACJ,SACA,QACyC;AACzC,WAAO,KAAK;AAAA,MACV,yBAAyB,mBAAmB,OAAO,CAAC,UAAU,mBAAmB,MAAM,CAAC;AAAA,MACxF,EAAE,QAAQ,MAAM;AAAA,IAClB;AAAA,EACF;AACF;;;ACjJA,OAAO,YAAY;AACnB,OAAO,QAAQ;AACf,OAAO,UAAU;;;ACGjB,IAAM,sCAAsC;AAErC,IAAM,mCAAmC;AAEzC,IAAM,2CAA2C;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAwCjD,IAAM,yCAAyC,CACpD,OACA,SAEA;AAAA,EACE;AAAA,EACA;AAAA,EACA;AAAA,EACA,OAAO,KAAK,OAAO;AAAA,EACnB,KAAK;AACP,EAAE,KAAK,GAAG;AAcL,IAAM,sCAAsC,CAAC,UAClD,WAAW,KAAK;AAEX,IAAM,8BAA8B,CAAC,SAAiBC,UAC3D,GAAG,QAAQ,QAAQ,QAAQ,EAAE,CAAC,IAAIA,MAAK,QAAQ,QAAQ,EAAE,CAAC;AAErD,IAAM,sCAAsC,CAAC,eAClD,mDAAmD,KAAK,WAAW,KAAK,CAAC;;;AD9D3E,IAAM,kBAAkB;AAAA,EACtB,SAAS,OAAO,UAAU;AAAA,EAC1B,UAAU;AACZ;AAEA,IAAM,sBAAsB;AAAA,EAC1B,SAAS,OAAO,UAAU;AAAA,EAC1B,YAAY;AACd;AAEA,IAAM,2BAA2B;AACjC,IAAM,uCAAuC;AAC7C,IAAM,+CAA+C;AACrD,IAAM,+BAA+B;AACrC,IAAM,kCAAkC;AACxC,IAAM,sCAAsC;AAS5C,SAAS,SAAS,KAAa,YAAoB,UAA0B;AAC3E,QAAM,YAAY,IACf,QAAQ,YAAY,EAAE,EACtB,QAAQ,UAAU,EAAE,EACpB,QAAQ,OAAO,EAAE;AAEpB,SAAO,OAAO,KAAK,WAAW,QAAQ;AACxC;AAEA,SAAS,yBAAyB,YAA4B;AAC5D,SAAO,OAAO,WAAW,QAAQ,EAAE,OAAO,OAAO,KAAK,YAAY,QAAQ,CAAC,EAAE,OAAO,KAAK;AAC3F;AAEA,SAAS,yBAAyB,QAAgB,eAA+B;AAC/E,SAAO,GAAG,MAAM,IAAI,OAAO,WAAW,QAAQ,EAAE,OAAO,eAAe,MAAM,EAAE,OAAO,KAAK,CAAC;AAC7F;AAKO,SAAS,eAAe,gBAAgC;AAC7D,SAAO,GAAG,aAAa,KAAK,QAAQ,cAAc,GAAG,MAAM,EAAE,KAAK;AACpE;AAKO,SAAS,gBAAgB,eAA+B;AAC7D,SAAO,OAAO,gBAAgB,aAAa,EAAE,OAAO;AAAA,IAClD,MAAM;AAAA,IACN,QAAQ;AAAA,EACV,CAAC,EAAE,SAAS;AACd;AAMO,SAAS,wBAAwB,cAA8B;AACpE,QAAM,WAAW,SAAS,cAAc,8BAA8B,0BAA0B;AAChG,SAAO,OAAO,WAAW,QAAQ,EAAE,OAAO,QAAQ,EAAE,OAAO,KAAK;AAClE;AAEA,SAAS,4BAA4B,uBAA+B,yBAAyC;AAC3G,SAAO,GAAG,wBAAwB,IAAI,qBAAqB,
IAAI,uBAAuB;AACxF;AA4BO,SAAS,sBACd,uBACA,iBACA,mBACA,sBACS;AACT,QAAM,UAAU;AAAA,IACd;AAAA,IACA,wBAAwB,eAAe;AAAA,EACzC;AAEA,MAAI;AACF,WAAO,OAAO;AAAA,MACZ;AAAA,MACA,OAAO,KAAK,SAAS,MAAM;AAAA,MAC3B;AAAA,QACE,KAAK;AAAA,QACL,GAAG;AAAA,MACL;AAAA,MACA,OAAO,KAAK,mBAAmB,QAAQ;AAAA,IACzC;AAAA,EACF,QAAQ;AACN,WAAO;AAAA,EACT;AACF;AAEO,SAAS,iCACd,SACA,WACA,cACS;AACT,MAAI;AACF,WAAO,OAAO;AAAA,MACZ;AAAA,MACA,OAAO,KAAK,SAAS,MAAM;AAAA,MAC3B;AAAA,QACE,KAAK;AAAA,QACL,GAAG;AAAA,MACL;AAAA,MACA,OAAO,KAAK,WAAW,QAAQ;AAAA,IACjC;AAAA,EACF,QAAQ;AACN,WAAO;AAAA,EACT;AACF;AAEO,SAAS,yCACd,UACA,cACS;AACT,SAAO;AAAA,IACL,uCAAuC,SAAS,OAAO,SAAS,IAAI;AAAA,IACpE,SAAS;AAAA,IACT;AAAA,EACF;AACF;AAaO,SAAS,oCACd,YAC4B;AAC5B,SAAO;AAAA,IACL,OAAO,WAAW;AAAA,IAClB,SAAS,WAAW;AAAA,IACpB,SAAS,CAAC,GAAG,WAAW,OAAO,EAC5B,IAAI,CAAC,WAAW;AAAA,MACf,eAAe,MAAM;AAAA,MACrB,WAAW,MAAM;AAAA,MACjB,aAAa,MAAM;AAAA,MACnB,uBAAuB,MAAM,yBAAyB;AAAA,MACtD,mBAAmB,MAAM,qBAAqB;AAAA,IAChD,EAAE,EACD,KAAK,CAAC,MAAM,UAAU,KAAK,cAAc,cAAc,MAAM,aAAa,CAAC;AAAA,EAChF;AACF;AAEO,SAAS,uCACd,YACQ;AACR,SAAO,KAAK,UAAU,oCAAoC,UAAU,CAAC;AACvE;AAEO,SAAS,uCACd,YACQ;AACR,SAAO;AAAA,IACL;AAAA,IACA,uCAAuC,UAAU;AAAA,EACnD;AACF;AAgBO,SAAS,iCACd,YACA,WACA,cACS;AACT,MAAI;AACF,WAAO,OAAO;AAAA,MACZ;AAAA,MACA,OAAO,KAAK,uCAAuC,UAAU,GAAG,MAAM;AAAA,MACtE;AAAA,QACE,KAAK;AAAA,QACL,GAAG;AAAA,MACL;AAAA,MACA,OAAO,KAAK,WAAW,QAAQ;AAAA,IACjC;AAAA,EACF,QAAQ;AACN,WAAO;AAAA,EACT;AACF;AAEO,SAAS,2CACd,OACQ;AACR,SAAO;AAAA,IACL;AAAA,IACA,KAAK,UAAU;AAAA,MACb,OAAO,MAAM;AAAA,MACb,SAAS,MAAM;AAAA,MACf,4BAA4B,MAAM;AAAA,MAClC,qBAAqB,MAAM;AAAA,MAC3B,iBAAiB,MAAM;AAAA,MACvB,mBAAmB,MAAM;AAAA,MACzB,WAAW,MAAM;AAAA,MACjB,mBAAmB,MAAM,qBAAqB;AAAA,IAChD,CAAC;AAAA,EACH;AACF;AAEO,SAAS,uCAAuC,QAOjB;AACpC,QAAM,mBAAmB;AAAA,IACvB,OAAO,OAAO,WAAW;AAAA,IACzB,SAAS,OAAO,WAAW;AAAA,IAC3B,4BAA4B,uCAAuC,OAAO,UAAU;AAAA,IACpF,qBAAqB,OAAO;AAAA,IAC5B,iBAAiB,OAAO;AAAA,IACxB,mBAAmB,wBAAwB,OAAO,eAAe;AAAA,IACjE,WAAW,OAAO;AAAA,IAClB,mBAAmB,OAAO,qBAAqB;AAAA,EACjD;AAEA,SAAO;AAAA,IACL,GAAG;AAAA,IACH,WAAW,2CAA2C,gBAAgB;AAAA,EACxE;AACF;AAE
O,SAAS,wCAAwC,QAI5C;AACV,MACE,OAAO,MAAM,KAAK,YAAY,OAAO,aAAa,WAClD,OAAO,MAAM,KAAK,SAAS,OAAO,aAAa,WAC/C;AACA,WAAO;AAAA,EACT;AAEA,MAAI,CAAC,OAAO,cAAc;AACxB,QAAI,OAAO,MAAM,QAAQ,WAAW,GAAG;AACrC,aAAO;AAAA,IACT;AAEA,aAAS,QAAQ,GAAG,QAAQ,OAAO,MAAM,QAAQ,QAAQ,SAAS;AAChE,YAAM,QAAQ,OAAO,MAAM,QAAQ,KAAK;AACxC,UAAI,CAAC,OAAO;AACV,eAAO;AAAA,MACT;AAEA,YAAM,eAAe,2CAA2C;AAAA,QAC9D,OAAO,MAAM;AAAA,QACb,SAAS,MAAM;AAAA,QACf,4BAA4B,MAAM;AAAA,QAClC,qBAAqB,MAAM;AAAA,QAC3B,iBAAiB,MAAM;AAAA,QACvB,mBAAmB,MAAM;AAAA,QACzB,WAAW,MAAM;AAAA,QACjB,mBAAmB,MAAM;AAAA,MAC3B,CAAC;AAED,UAAI,iBAAiB,MAAM,WAAW;AACpC,eAAO;AAAA,MACT;AAEA,UAAI,UAAU,GAAG;AACf;AAAA,MACF;AAEA,YAAM,gBAAgB,OAAO,MAAM,QAAQ,QAAQ,CAAC;AACpD,UAAI,CAAC,eAAe;AAClB,eAAO;AAAA,MACT;AAEA,UAAI,MAAM,sBAAsB,cAAc,aAAa,MAAM,YAAY,cAAc,UAAU,GAAG;AACtG,eAAO;AAAA,MACT;AAAA,IACF;AAEA,UAAM,YAAY,OAAO,MAAM,QAAQ,OAAO,MAAM,QAAQ,SAAS,CAAC;AACtE,WAAO,WAAW,cAAc,OAAO,aAAa,aAAa,UAAU,YAAY,OAAO,aAAa;AAAA,EAC7G;AAEA,MAAI,OAAO,aAAa,UAAU,OAAO,aAAa,SAAS;AAC7D,WAAO;AAAA,EACT;AAEA,MAAI,OAAO,aAAa,YAAY,OAAO,aAAa,SAAS;AAC/D,WAAO,OAAO,aAAa,cAAc,OAAO,aAAa,QAAQ,OAAO,MAAM,QAAQ,WAAW;AAAA,EACvG;AAEA,MAAI,OAAO,MAAM,QAAQ,WAAW,GAAG;AACrC,WAAO;AAAA,EACT;AAEA,MAAI,kBAAkB,OAAO,aAAa;AAC1C,MAAI,eAAe,OAAO,aAAa;AAEvC,aAAW,SAAS,OAAO,MAAM,SAAS;AACxC,UAAM,eAAe,2CAA2C;AAAA,MAC9D,OAAO,MAAM;AAAA,MACb,SAAS,MAAM;AAAA,MACf,4BAA4B,MAAM;AAAA,MAClC,qBAAqB,MAAM;AAAA,MAC3B,iBAAiB,MAAM;AAAA,MACvB,mBAAmB,MAAM;AAAA,MACzB,WAAW,MAAM;AAAA,MACjB,mBAAmB,MAAM;AAAA,IAC3B,CAAC;AAED,QACE,iBAAiB,MAAM,aACvB,MAAM,sBAAsB,gBAC5B,MAAM,YAAY,kBAAkB,GACpC;AACA,aAAO;AAAA,IACT;AAEA,sBAAkB,MAAM;AACxB,mBAAe,MAAM;AAAA,EACvB;AAEA,SAAO,iBAAiB,OAAO,aAAa,aAAa,oBAAoB,OAAO,aAAa;AACnG;AAEA,SAAS,gCACP,SACA,gBACA,qBACA,YACA,YACQ;AACR,SAAO;AAAA,IACL;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA,OAAO,UAAU;AAAA,IACjB,yBAAyB,UAAU;AAAA,EACrC,EAAE,KAAK,GAAG;AACZ;AAkCO,SAAS,0BACd,SACA,gBACA,qBACA,YACA,YACA,qBACA,oBACS;AACT,QAAM,UAAU;AAAA,IACd;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,EACF;AAEA,MAAI;AACF,WAAO,OAAO;AAAA,MACZ;AAAA,MACA,OAAO,KAAK,SAAS,MA
AM;AAAA,MAC3B;AAAA,QACE,KAAK;AAAA,QACL,GAAG;AAAA,MACL;AAAA,MACA,OAAO,KAAK,qBAAqB,QAAQ;AAAA,IAC3C;AAAA,EACF,QAAQ;AACN,WAAO;AAAA,EACT;AACF;AAEO,SAAS,gCACd,YACwB;AACxB,SAAO;AAAA,IACL,SAAS,WAAW;AAAA,IACpB,SAAS,WAAW;AAAA,IACpB,MAAM,WAAW;AAAA,IACjB,oBAAoB,WAAW,sBAAsB;AAAA,IACrD,mBAAmB,WAAW,qBAAqB;AAAA,IACnD,OAAO,CAAC,GAAG,WAAW,KAAK,EACxB,IAAI,CAAC,UAAU;AAAA,MACd,IAAI,KAAK;AAAA,MACT,MAAM,KAAK;AAAA,MACX,MAAM,KAAK,QAAQ;AAAA,MACnB,UAAU,CAAC,GAAG,KAAK,QAAQ;AAAA,MAC3B,SAAS,KAAK,WAAW;AAAA,IAC3B,EAAE,EACD,KAAK,CAAC,MAAM,UAAU,KAAK,GAAG,cAAc,MAAM,EAAE,CAAC;AAAA,IACxD,QAAQ,CAAC,GAAG,WAAW,MAAM,EAC1B,IAAI,CAAC,WAAW;AAAA,MACf,IAAI,MAAM;AAAA,MACV,MAAM,MAAM;AAAA,MACZ,UAAU,MAAM,YAAY;AAAA,IAC9B,EAAE,EACD,KAAK,CAAC,MAAM,UAAU,KAAK,GAAG,cAAc,MAAM,EAAE,CAAC;AAAA,EAC1D;AACF;AAEO,SAAS,mCACd,YACQ;AACR,SAAO,KAAK,UAAU,gCAAgC,UAAU,CAAC;AACnE;AAEO,SAAS,mCACd,YACQ;AACR,SAAO;AAAA,IACL;AAAA,IACA,mCAAmC,UAAU;AAAA,EAC/C;AACF;AAEO,SAAS,6BACd,YACA,WACA,cACS;AACT,MAAI;AACF,WAAO,OAAO;AAAA,MACZ;AAAA,MACA,OAAO,KAAK,mCAAmC,UAAU,GAAG,MAAM;AAAA,MAClE;AAAA,QACE,KAAK;AAAA,QACL,GAAG;AAAA,MACL;AAAA,MACA,OAAO,KAAK,WAAW,QAAQ;AAAA,IACjC;AAAA,EACF,QAAQ;AACN,WAAO;AAAA,EACT;AACF;AAgBO,SAAS,mCACd,YAC2B;AAC3B,SAAO;AAAA,IACL,aAAa,WAAW;AAAA,IACxB,SAAS,WAAW;AAAA,IACpB,SAAS,WAAW;AAAA,IACpB,MAAM,WAAW;AAAA,IACjB,MAAM,WAAW,QAAQ;AAAA,IACzB,UAAU,CAAC,GAAG,WAAW,QAAQ;AAAA,IACjC,SAAS,WAAW,WAAW;AAAA,IAC/B,QAAQ,CAAC,GAAG,WAAW,MAAM,EAC1B,IAAI,CAAC,WAAW;AAAA,MACf,IAAI,MAAM;AAAA,MACV,MAAM,MAAM;AAAA,MACZ,MAAM,MAAM;AAAA,MACZ,OAAO,MAAM;AAAA,MACb,kBAAkB,CAAC,GAAG,MAAM,gBAAgB,EAAE,KAAK;AAAA,MACnD,UAAU,CAAC,GAAG,MAAM,QAAQ,EAAE,KAAK;AAAA,IACrC,EAAE,EACD,KAAK,CAAC,MAAM,UAAU,KAAK,QAAQ,MAAM,SAAS,KAAK,GAAG,cAAc,MAAM,EAAE,CAAC;AAAA,EACtF;AACF;AAEO,SAAS,sCACd,YACQ;AACR,SAAO,KAAK,UAAU,mCAAmC,UAAU,CAAC;AACtE;AAEO,SAAS,sCACd,YACQ;AACR,SAAO;AAAA,IACL;AAAA,IACA,sCAAsC,UAAU;AAAA,EAClD;AACF;AAEO,SAAS,gCACd,YACA,WACA,cACS;AACT,MAAI;AACF,WAAO,OAAO;AAAA,MACZ;AAAA,MACA,OAAO,KAAK,sCAAsC,UAAU,GAAG,MAAM;AAAA,MACrE;AAAA,QACE,KAAK;AAAA,QACL,GAAG;AAAA,MACL;AAAA,MACA,OAAO,
KAAK,WAAW,QAAQ;AAAA,IACjC;AAAA,EACF,QAAQ;AACN,WAAO;AAAA,EACT;AACF;AAmBO,SAAS,gBAAgB,OAAwB;AACtD,MAAI,CAAC,MAAM,WAAW,GAAG,GAAG;AAC1B,WAAO;AAAA,EACT;AAEA,MAAI;AACF,UAAM,SAAS,KAAK,MAAM,KAAK;AAC/B,WAAO,OAAO,MAAM;AAAA,EACtB,QAAQ;AACN,WAAO;AAAA,EACT;AACF;AAKO,SAAS,oBAAoB,gBAAwB,KAAqB;AAC/E,MAAI,CAAC,gBAAgB,cAAc,GAAG;AACpC,UAAM,IAAI,MAAM,4DAA4D;AAAA,EAC9E;AAEA,QAAM,WAAW,KAAK,MAAM,cAAc;AAC1C,QAAM,WAAW,OAAO,iBAAiB,eAAe,KAAK,OAAO,KAAK,SAAS,IAAI,QAAQ,CAAC;AAC/F,WAAS,WAAW,OAAO,KAAK,SAAS,GAAG,QAAQ,CAAC;AACrD,QAAM,YAAY,OAAO,OAAO;AAAA,IAC9B,SAAS,OAAO,OAAO,KAAK,SAAS,GAAG,QAAQ,CAAC;AAAA,IACjD,SAAS,MAAM;AAAA,EACjB,CAAC;AACD,SAAO,UAAU,SAAS,MAAM;AAClC;AAMO,SAAS,wBAAwB,OAAe,KAAqB;AAC1E,SAAO,gBAAgB,KAAK,IAAI,oBAAoB,OAAO,GAAG,IAAI;AACpE;AAsBO,SAAS,wBAAwB,YAAoB,eAA+B;AACzF,SAAO,OAAO;AAAA,IACZ,EAAE,KAAK,eAAe,GAAG,gBAAgB;AAAA,IACzC,OAAO,KAAK,YAAY,QAAQ;AAAA,EAClC;AACF;;;AEjrBA,OAAOC,SAAQ;AACf,OAAOC,WAAU;AAqCjB,SAAS,eAAe,gBAAoC;AAC1D,MAAI;AACF,UAAM,MAAMC,IAAG,aAAa,gBAAgB,MAAM;AAClD,UAAM,SAAS,KAAK,MAAM,GAAG;AAC7B,WAAO;AAAA,MACL,SAAS;AAAA,MACT,aAAa,OAAO,eAAe,CAAC;AAAA,MACpC,uBAAuB,OAAO,yBAAyB,CAAC;AAAA,MACxD,sBAAsB,OAAO,wBAAwB,CAAC;AAAA,IACxD;AAAA,EACF,QAAQ;AACN,WAAO;AAAA,MACL,SAAS;AAAA,MACT,aAAa,CAAC;AAAA,MACd,uBAAuB,CAAC;AAAA,MACxB,sBAAsB,CAAC;AAAA,IACzB;AAAA,EACF;AACF;AAEA,SAAS,eAAe,gBAAwB,OAAyB;AACvE,EAAAA,IAAG,UAAUC,MAAK,QAAQ,cAAc,GAAG,EAAE,WAAW,KAAK,CAAC;AAC9D,EAAAD,IAAG,cAAc,gBAAgB,KAAK,UAAU,OAAO,MAAM,CAAC,IAAI,MAAM,MAAM;AAChF;AAEA,SAAS,iBAAiB,OAAe,WAA2B;AAClE,SAAO,GAAG,KAAK,IAAI,SAAS;AAC9B;AAEA,SAAS,0BAA0B,OAAuB;AACxD,SAAO,OAAO,KAAK;AACrB;AAEA,eAAe,qBAAwB,UAA8B;AACnE,QAAM,WAAW,MAAM;AAAA,IACrB,4BAA4B,kCAAkC,QAAQ;AAAA,IACtE;AAAA,MACE,OAAO;AAAA,IACT;AAAA,EACF;AAEA,MAAI,CAAC,SAAS,IAAI;AAChB,UAAM,IAAI,MAAM,yDAAyD,SAAS,MAAM,IAAI;AAAA,EAC9F;AAEA,SAAO,SAAS,KAAK;AACvB;AAUO,SAAS,gCACd,gBAC0C;AAC1C,QAAM,QAAQ,eAAe,cAAc;AAC3C,QAAM,QAAQ,OAAO,OAAO,MAAM,oBAAoB;AACtD,SAAO,MAAM,WAAW,IAAI,MAAM,CAAC,IAAK;AAC1C;AAEA,eAAsB,wBACpB,YACA,OACmD;AACnD,MAAI,CAAC,oCAAoC,UAAU,GAAG;AACpD,WAAO;AAAA,EACT;AAEA,QAAM,WAAW,
MAAM;AAAA,IACrB,oCAAoC,KAAK;AAAA,EAC3C;AAEA,MACE,SAAS,SAAS,4BAClB,SAAS,UAAU,SACnB,CAAC;AAAA,IACC;AAAA,IACA;AAAA,EACF,GACA;AACA,UAAM,IAAI,MAAM,2DAA2D,KAAK,GAAG;AAAA,EACrF;AAEA,SAAO,SAAS;AAClB;AAEA,eAAe,uBACb,gBACA,OACA,YACsC;AACtC,QAAM,QAAQ,eAAe,cAAc;AAC3C,MAAI,UAAU;AAEd,aAAW,OAAO,YAAY;AAC5B,UAAM,aAAa,iBAAiB,OAAO,IAAI,SAAS;AACxD,UAAM,sBAAsB,wBAAwB,IAAI,SAAS;AAEjE,QAAI,wBAAwB,IAAI,aAAa;AAC3C,YAAM,IAAI,MAAM,qDAAqD,IAAI,SAAS,GAAG;AAAA,IACvF;AAEA,UAAM,WAAW,MAAM,YAAY,UAAU;AAC7C,UAAM,cAAa,oBAAI,KAAK,GAAE,YAAY;AAE1C,QAAI,CAAC,UAAU;AACb,YAAM,YAAY,UAAU,IAAI;AAAA,QAC9B,WAAW,IAAI;AAAA,QACf,aAAa,IAAI;AAAA,QACjB,WAAW,IAAI;AAAA,QACf,UAAU;AAAA,QACV;AAAA,MACF;AACA,gBAAU;AACV;AAAA,IACF;AAEA,QAAI,SAAS,cAAc,IAAI,eAAe;AAC5C,UAAI,SAAS,gBAAgB,IAAI,eAAe,SAAS,cAAc,IAAI,WAAW;AACpF,cAAM,IAAI;AAAA,UACR,qBAAqB,IAAI,aAAa,kCAAkC,IAAI,SAAS;AAAA,QACvF;AAAA,MACF;AAEA,UAAI,SAAS,eAAe,YAAY;AACtC,cAAM,YAAY,UAAU,IAAI;AAAA,UAC9B,GAAG;AAAA,UACH;AAAA,QACF;AACA,kBAAU;AAAA,MACZ;AACA;AAAA,IACF;AAEA,QAAI,CAAC,IAAI,yBAAyB,IAAI,0BAA0B,SAAS,aAAa,CAAC,IAAI,mBAAmB;AAC5G,YAAM,IAAI,MAAM,gCAAgC,IAAI,SAAS,yCAAyC;AAAA,IACxG;AAEA,UAAM,mBAAmB;AAAA,MACvB,SAAS;AAAA,MACT,IAAI;AAAA,MACJ,IAAI;AAAA,MACJ,SAAS;AAAA,IACX;AAEA,QAAI,CAAC,kBAAkB;AACrB,YAAM,IAAI,MAAM,gCAAgC,IAAI,SAAS,iCAAiC;AAAA,IAChG;AAEA,UAAM,YAAY,UAAU,IAAI;AAAA,MAC9B,WAAW,IAAI;AAAA,MACf,aAAa,IAAI;AAAA,MACjB,WAAW,IAAI;AAAA,MACf,UAAU,SAAS;AAAA,MACnB;AAAA,IACF;AACA,cAAU;AAAA,EACZ;AAEA,MAAI,SAAS;AACX,mBAAe,gBAAgB,KAAK;AAAA,EACtC;AAEA,SAAO;AACT;AAEA,eAAe,6BACb,gBACA,WACA,YACwB;AACxB,MAAI,CAAC,UAAU,qBAAqB;AAClC,QAAI,UAAU,WAAW,SAAS,GAAG;AACnC,YAAM,IAAI,MAAM,0FAA0F;AAAA,IAC5G;AACA,WAAO;AAAA,EACT;AAEA,QAAM,EAAE,oBAAoB,IAAI;AAChC,QAAM,QAAQ,oBAAoB,WAAW;AAE7C,MAAI,CAAC,oBAAoB,mBAAmB,CAAC,oBAAoB,iBAAiB;AAChF,UAAM,IAAI,MAAM,kEAAkE;AAAA,EACpF;AAEA,QAAM,oBAAoB,wBAAwB,oBAAoB,eAAe;AACrF,QAAM,cAAc,oBAAoB,WAAW,QAAQ;AAAA,IACzD,CAAC,UACC,MAAM,kBAAkB,oBAAoB,uBAC5C,MAAM,cAAc,oBAAoB;AAAA,EAC5C;AACA,QAAM,YAAuC;AAAA,IAC3C,eAAe,oBAAoB;AAAA,IACnC,WAAW,oBAAoB;AAAA,IAC/B,WAAW,oBAAoB;AAAA,IAC/B,aA
Aa;AAAA,IACb,uBAAuB,aAAa,yBAAyB;AAAA,IAC7D,mBAAmB,aAAa,qBAAqB;AAAA,EACvD;AACA,QAAM,0BAA0B,eAAe,cAAc;AAE7D,MAAI;AACF,UAAM,uBAAuB,gBAAgB,OAAO,CAAC,SAAS,CAAC;AAE/D,UAAM,WAAW;AAAA,MACf,oBAAoB;AAAA,MACpB,oBAAoB;AAAA,MACpB,oBAAoB;AAAA,IACtB;AAEA,QAAI,CAAC,UAAU;AACb,YAAM,IAAI,MAAM,4DAA4D,KAAK,GAAG;AAAA,IACtF;AACA,QAAI,CAAC,UAAU,cAAc;AAC3B,YAAM,IAAI,MAAM,oEAAoE,KAAK,GAAG;AAAA,IAC9F;AAEA,UAAM,QAAQ,eAAe,cAAc;AAC3C,UAAM,yBAAyB,MAAM,qBAAqB,0BAA0B,KAAK,CAAC,KAAK;AAC/F,UAAM,sBAAsB,cAAc;AAC1C,UAAM,sBAAsB,MAAM,sBAAsB,0BAA0B,KAAK,CAAC,KAAK;AAE7F,QAAI,CAAC,uBAAuB,wBAAwB,QAAQ,UAAU,aAAa,KAAK,UAAU,qBAAqB;AACrH,YAAM,IAAI,MAAM,+DAA+D,KAAK,GAAG;AAAA,IACzF;AAEA,QAAI,CAAC,uBAAuB,UAAU,aAAa,QAAQ,WAAW,GAAG;AACvE,YAAM,IAAI,MAAM,yDAAyD,KAAK,GAAG;AAAA,IACnF;AAEA,QAAI,UAAU,aAAa,QAAQ,SAAS,GAAG;AAC7C,YAAM,oBAAoB,UAAU,aAAa,QAAQ,UAAU,aAAa,QAAQ,SAAS,CAAC;AAClG,UAAI,CAAC,mBAAmB;AACtB,cAAM,IAAI,MAAM,uDAAuD,KAAK,GAAG;AAAA,MACjF;AAEA,YAAM,uBAAuB,uCAAuC;AAAA,QAClE,YAAY,oBAAoB;AAAA,QAChC,qBAAqB,oBAAoB;AAAA,QACzC,iBAAiB,oBAAoB;AAAA,QACrC,iBAAiB,oBAAoB;AAAA,QACrC,WAAW,oBAAoB;AAAA,QAC/B,mBAAmB,kBAAkB,qBAAqB;AAAA,MAC5D,CAAC;AAED,UAAI,qBAAqB,cAAc,kBAAkB,WAAW;AAClE,cAAM,IAAI,MAAM,2EAA2E,KAAK,GAAG;AAAA,MACrG;AAEA,UAAI,cAAc,UAAU,aAAa,KAAK,YAAY,WAAW,SAAS;AAC5E,YAAI,UAAU,aAAa,KAAK,SAAS,WAAW,MAAM;AACxD,gBAAM,IAAI,MAAM,0DAA0D,KAAK,GAAG;AAAA,QACpF;AAEA,YACE,kBAAkB,cAAc,WAAW,QAC3C,qBAAqB,cAAc,WAAW,MAC9C;AACA,gBAAM,IAAI,MAAM,yDAAyD,KAAK,GAAG;AAAA,QACnF;AAAA,MACF,WACE,CAAC,wCAAwC;AAAA,QACvC,cAAc;AAAA,QACd,OAAO,UAAU;AAAA,QACjB,cAAc;AAAA,MAChB,CAAC,GACD;AACA,cAAM,IAAI,MAAM,2DAA2D,KAAK,GAAG;AAAA,MACrF;AAAA,IACF,WACE,cACA,UAAU,aAAa,KAAK,YAAY,WAAW,SACnD;AACA,YAAM,IAAI,MAAM,wEAAwE,KAAK,8BAA8B;AAAA,IAC7H,WACE,CAAC,uBACD,oBAAoB,YAAY,UAAU,aAAa,KAAK,WAC5D,oBAAoB,SAAS,UAAU,aAAa,KAAK,MACzD;AACA,YAAM,IAAI,MAAM,qEAAqE,KAAK,GAAG;AAAA,IAC/F;AAEA,iCAA6B,gBAAgB,OAAO,UAAU,aAAa,IAAI;AAE/E,UAAM,oBAAoB,IAAI;AAAA,MAC5B,oBAAoB,WAAW,QAAQ,IAAI,CAAC,UAAU,CAAC,MAAM,eAAe,KAAK,CAAC;AAAA,IACpF;AAEA,eAAW,OAAO,UAAU,YAAY;AACtC,YAAM,QAAQ,kBAAkB,IAAI,IAAI,aAAa
;AAErD,UAAI,CAAC,OAAO;AACV,cAAM,IAAI,MAAM,YAAY,IAAI,aAAa,4CAA4C;AAAA,MAC3F;AAEA,UACE,MAAM,cAAc,IAAI,aACxB,MAAM,gBAAgB,IAAI,eAC1B,MAAM,0BAA0B,IAAI,yBACpC,MAAM,sBAAsB,IAAI,mBAChC;AACA,cAAM,IAAI,MAAM,YAAY,IAAI,aAAa,2CAA2C;AAAA,MAC1F;AAAA,IACF;AAEA,WAAO;AAAA,EACT,SAAS,OAAO;AACd,mBAAe,gBAAgB,uBAAuB;AACtD,UAAM;AAAA,EACR;AACF;AAMA,eAAsB,gCACpB,gBACA,WACA,YACsC;AACtC,QAAM,QAAQ,MAAM,6BAA6B,gBAAgB,WAAW,UAAU;AACtF,MAAI,CAAC,OAAO;AACV,WAAO,UAAU;AAAA,EACnB;AACA,SAAO,uBAAuB,gBAAgB,OAAO,UAAU,UAAU;AAC3E;AAMO,SAAS,8BACd,gBACA,YACA,SACM;AACN,QAAM,QAAQ,eAAe,cAAc;AAC3C,QAAM,gBAAgB,MAAM,sBAAsB,UAAU;AAE5D,MAAI,kBAAkB,UAAa,UAAU,eAAe;AAC1D,UAAM,IAAI,MAAM,mDAAmD,UAAU,GAAG;AAAA,EAClF;AAEA,MAAI,kBAAkB,UAAa,UAAU,eAAe;AAC1D,UAAM,sBAAsB,UAAU,IAAI;AAC1C,mBAAe,gBAAgB,KAAK;AAAA,EACtC;AACF;AAEA,SAAS,6BACP,gBACA,OACA,MACM;AACN,QAAM,QAAQ,eAAe,cAAc;AAC3C,QAAM,aAAa,0BAA0B,KAAK;AAClD,QAAM,aAAa,MAAM,qBAAqB,UAAU;AAExD,MAAI,YAAY;AACd,QAAI,KAAK,UAAU,WAAW,SAAS;AACrC,YAAM,IAAI,MAAM,+DAA+D,KAAK,GAAG;AAAA,IACzF;AAEA,QAAI,KAAK,YAAY,WAAW,WAAW,KAAK,SAAS,WAAW,MAAM;AACxE,YAAM,IAAI,MAAM,oDAAoD,KAAK,GAAG;AAAA,IAC9E;AAAA,EACF;AAEA,MAAI,CAAC,cAAc,KAAK,UAAU,WAAW,SAAS;AACpD,UAAM,qBAAqB,UAAU,IAAI;AACzC,mBAAe,gBAAgB,KAAK;AAAA,EACtC;AAEA,gCAA8B,gBAAgB,YAAY,KAAK,OAAO;AACxE;;;AJrYA,IAAM,0BAA0B;AAChC,IAAM,sBAAsB;AAE5B,SAAS,qBAAqB,OAAuB;AACnD,SAAO,MACJ,QAAQ,iBAAiB,GAAG,EAC5B,QAAQ,OAAO,GAAG,EAClB,QAAQ,UAAU,EAAE,EACpB,YAAY;AACjB;AAEA,SAAS,sBAAsB,QAA0B;AACvD,MAAI,OAAO,gBAAgB;AACzB,WAAOE,MAAK,QAAQ,OAAO,cAAc;AAAA,EAC3C;AAEA,MAAI,OAAO,gBAAgB;AACzB,WAAO,GAAGA,MAAK,QAAQ,OAAO,cAAc,CAAC;AAAA,EAC/C;AAEA,SAAOA,MAAK,QAAQ,QAAQ,IAAI,GAAG,sBAAsB;AAC3D;AAEA,SAAS,kBAAkB,QAA0B;AACnD,MAAI,OAAO,SAAS;AAClB,WAAO,OAAO;AAAA,EAChB;AAEA,SAAO,OAAO,MAAM,sBAAsB;AAC5C;AAEA,SAAS,4CACP,UACA,SACwB;AACxB,SAAO;AAAA,IACL,SAAS,SAAS;AAAA,IAClB;AAAA,IACA,MAAM,SAAS;AAAA,IACf,oBAAoB,SAAS,sBAAsB;AAAA,IACnD,mBAAmB,SAAS,qBAAqB;AAAA,IACjD,OAAO,SAAS,MAAM,IAAI,CAAC,UAAU;AAAA,MACnC,IAAI,KAAK;AAAA,MACT,MAAM,KAAK;AAAA,MACX,MAAM,KAAK,QAAQ;AAAA,MACnB,UAAU,KAAK,YAAY,CAAC;AAAA,MAC5B,
SAAS,KAAK,WAAW;AAAA,IAC3B,EAAE;AAAA,IACF,QAAQ,SAAS,gBAAgB,IAAI,CAAC,WAAW;AAAA,MAC/C,IAAI,MAAM;AAAA,MACV,MAAM,MAAM;AAAA,MACZ,UAAU,MAAM,YAAY;AAAA,IAC9B,EAAE;AAAA,EACJ;AACF;AAEA,SAAS,2CACP,MACA,SAC2B;AAC3B,SAAO;AAAA,IACL,aAAa,KAAK;AAAA,IAClB,SAAS,KAAK;AAAA,IACd;AAAA,IACA,MAAM,KAAK;AAAA,IACX,MAAM,KAAK,QAAQ;AAAA,IACnB,UAAU,KAAK,YAAY,CAAC;AAAA,IAC5B,SAAS,KAAK,WAAW;AAAA,IACzB,QAAQ,KAAK,OAAO,IAAI,CAAC,OAAO,WAAW;AAAA,MACzC,IAAI,MAAM;AAAA,MACV,MAAM,MAAM;AAAA,MACZ,MAAM,MAAM;AAAA,MACZ,OAAO,MAAM,SAAS;AAAA,MACtB,kBAAkB,MAAM,oBAAoB,CAAC;AAAA,MAC7C,UAAU,MAAM,YAAY,CAAC;AAAA,IAC/B,EAAE;AAAA,EACJ;AACF;AAUO,IAAM,KAAN,MAAM,IAAG;AAAA,EACG;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACT,OAAqB;AAAA,EAE7B,YAAY,QAAkB;AAC5B,QAAI,CAAC,OAAO,QAAQ;AAClB,YAAM,IAAI,MAAM,4BAA4B;AAAA,IAC9C;AAEA,QAAI,CAAC,OAAO,cAAc,CAAC,OAAO,gBAAgB;AAChD,YAAM,IAAI;AAAA,QACR;AAAA,MACF;AAAA,IACF;AAEA,UAAM,UAAU,kBAAkB,MAAM;AACxC,SAAK,UAAU;AACf,SAAK,SAAS,IAAI,SAAS,OAAO,QAAQ,OAAO;AACjD,SAAK,YAAY,OAAO;AACxB,SAAK,gBAAgB,OAAO,cAAc,eAAe,OAAO,cAAe;AAC/E,SAAK,eAAe,gBAAgB,KAAK,aAAa;AACtD,SAAK,iBAAiB,sBAAsB,MAAM;AAAA,EACpD;AAAA;AAAA;AAAA;AAAA,EAKA,aAAa,OAAO,QAA+B;AACjD,UAAM,WAAW,IAAI,IAAG,MAAM;AAC9B,UAAM,SAAS,KAAK;AACpB,WAAO;AAAA,EACT;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,MAAM,OAAsB;AAC1B,SAAK,OAAO,MAAM,KAAK,SAAS;AAAA,EAClC;AAAA;AAAA;AAAA;AAAA,EAKA,IAAI,MAAa;AACf,QAAI,CAAC,KAAK,MAAM;AACd,YAAM,IAAI;AAAA,QACR;AAAA,MACF;AAAA,IACF;AACA,WAAO,KAAK;AAAA,EACd;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,UAAyB;AAC7B,SAAK,OAAO,MAAM,KAAK,SAAS;AAAA,EAClC;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOA,MAAc,WAA2B;AACvC,QAAI;AACF,YAAM,KAAK,OAAO,uBAAuB;AAAA,QACvC,WAAW,KAAK;AAAA,MAClB,CAAC;AAAA,IACH,SAAS,OAAO;AACd,YAAM,IAAI;AAAA,QACR,gJACE,iBAAiB,QAAQ,MAAM,UAAU,OAAO,KAAK,CACvD;AAAA,MACF;AAAA,IACF;AAEA,UAAM,EAAE,OAAO,IAAI,MAAM,KAAK,OAAO,WAAW,KAAK,SAAS;AAC9D,UAAM,aAAa,MAAM,QAAQ,IAAI,OAAO,IAAI,CAAC,UAAU,KAAK,cAAc,MAAM,EAAE,CAAC,CAAC;AAExF,WAAO,OAAO,OAAO,CAAC,GAAG,GAAG,UAAU;AAAA,EACxC;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOA,MAAc,cAAc,SAAiC;AAC3D,UAAM,yBAAyB,gCAAgC,KAAK,cAAc;AACl
F,UAAM,CAAC,YAAY,eAAe,yBAAyB,IAAI,MAAM,QAAQ,IAAI;AAAA,MAC/E,KAAK,OAAO,mBAAmB,OAAO;AAAA,MACtC,KAAK,OAAO,eAAe,OAAO;AAAA,MAClC,KAAK,OAAO;AAAA,QACV;AAAA,QACA,yBACI;AAAA,UACE,0BAA0B,uBAAuB;AAAA,UACjD,uBAAuB,uBAAuB;AAAA,QAChD,IACA;AAAA,MACN;AAAA,IACF,CAAC;AAED,QAAI,qBAAqB;AACzB,QAAI,oBAA8D;AAElE,QAAI,CAAC,wBAAwB;AAC3B,YAAM,QAAQ,0BAA0B,qBAAqB,WAAW,SAAS;AAEjF,UACE,SACA,0BAA0B,uBAC1B,0BAA0B,cAC1B;AACA,4BAAoB,MAAM,wBAAwB,KAAK,SAAS,KAAK;AAErE,YAAI,mBAAmB;AACrB,cAAI,0BAA0B,aAAa,KAAK,UAAU,kBAAkB,SAAS;AACnF,kBAAM,IAAI,MAAM,oFAAoF,KAAK,GAAG;AAAA,UAC9G;AAEA,cAAI,0BAA0B,aAAa,KAAK,YAAY,kBAAkB,SAAS;AACrF,gBAAI,0BAA0B,aAAa,KAAK,SAAS,kBAAkB,MAAM;AAC/E,oBAAM,IAAI,MAAM,kEAAkE,KAAK,GAAG;AAAA,YAC5F;AAAA,UACF,OAAO;AACL,iCAAqB,MAAM,KAAK,OAAO,yBAAyB,SAAS;AAAA,cACvE,0BAA0B,kBAAkB;AAAA,cAC5C,uBAAuB,kBAAkB;AAAA,YAC3C,CAAC;AAAA,UACH;AAAA,QACF;AAAA,MACF;AAAA,IACF;AAEA,UAAM,oBAAoB,MAAM;AAAA,MAC9B,KAAK;AAAA,MACL;AAAA,MACA;AAAA,IACF;AAEA,UAAM,YAAY,kBAAkB;AAAA,MAClC,CAAC,cAAc,UAAU,kBAAkB,WAAW;AAAA,IACxD;AAEA,QAAI,CAAC,WAAW;AACd,YAAM,IAAI;AAAA,QACR,iCAAiC,OAAO,mCAAmC,WAAW,mBAAmB;AAAA,MAC3G;AAAA,IACF;AAEA,UAAM,oBAAoB;AAAA,MACxB;AAAA,MACA,WAAW;AAAA,MACX,WAAW;AAAA,MACX,WAAW;AAAA,MACX,WAAW;AAAA,MACX,WAAW;AAAA,MACX,UAAU;AAAA,IACZ;AAEA,QAAI,CAAC,mBAAmB;AACtB,YAAM,IAAI,MAAM,+DAA+D,OAAO,GAAG;AAAA,IAC3F;AAEA,UAAM,MAAM,wBAAwB,WAAW,YAAY,KAAK,aAAa;AAE7E,QAAI,CAAC,cAAc,mBAAmB;AACpC,YAAM,IAAI,MAAM,iBAAiB,OAAO,0CAA0C;AAAA,IACpF;AAEA,UAAM,mBAAmB,kBAAkB;AAAA,MACzC,CAAC,cAAc,UAAU,kBAAkB,cAAc,kBAAmB;AAAA,IAC9E;AAEA,QAAI,CAAC,kBAAkB;AACrB,YAAM,IAAI;AAAA,QACR,iBAAiB,OAAO,sDAAsD,cAAc,kBAAkB,mBAAmB;AAAA,MACnI;AAAA,IACF;AAEA,UAAM,4BAA4B;AAAA,MAChC;AAAA,MACA,cAAc,kBAAkB,WAAW;AAAA,IAC7C;AACA,UAAM,kBAAkB;AAAA,MACtB;AAAA,MACA,cAAc,kBAAkB;AAAA,MAChC,iBAAiB;AAAA,IACnB;AAEA,QAAI,CAAC,iBAAiB;AACpB,YAAM,IAAI,MAAM,kEAAkE,OAAO,GAAG;AAAA,IAC9F;AAEA;AAAA,MACE,KAAK;AAAA,MACL,WAAW,OAAO;AAAA,MAClB,0BAA0B;AAAA,IAC5B;AAEA,UAAM,cAAc,MAAM,QAAQ;AAAA,MAChC,cAAc,MAAM,IAAI,CAAC,SAAS,KAAK,OAAO,mBAAmB,SAAS,KAAK,EAAE,CAAC;AAAA,IACpF;AAEA,UAAM,MAAa,CAAC;
AAEpB,eAAW,QAAQ,aAAa;AAC9B,UAAI,CAAC,KAAK,kBAAkB;AAC1B,cAAM,IAAI,MAAM,sBAAsB,KAAK,EAAE,yCAAyC;AAAA,MACxF;AAEA,YAAM,kBAAkB,kBAAkB;AAAA,QACxC,CAAC,cAAc,UAAU,kBAAkB,KAAK,iBAAkB;AAAA,MACpE;AAEA,UAAI,CAAC,iBAAiB;AACpB,cAAM,IAAI;AAAA,UACR,sBAAsB,KAAK,EAAE,8CAA8C,KAAK,iBAAiB,mBAAmB;AAAA,QACtH;AAAA,MACF;AAEA,YAAM,2BAA2B;AAAA,QAC/B;AAAA,QACA,KAAK,iBAAiB,WAAW;AAAA,MACnC;AACA,YAAM,iBAAiB;AAAA,QACrB;AAAA,QACA,KAAK,iBAAiB;AAAA,QACtB,gBAAgB;AAAA,MAClB;AAEA,UAAI,CAAC,gBAAgB;AACnB,cAAM,IAAI,MAAM,8DAA8D,KAAK,EAAE,GAAG;AAAA,MAC1F;AAEA;AAAA,QACE,KAAK;AAAA,QACL,UAAU,KAAK,EAAE;AAAA,QACjB,yBAAyB;AAAA,MAC3B;AAEA,iBAAW,SAAS,KAAK,QAAQ;AAC/B,YAAI,MAAM,UAAU,MAAM;AACxB;AAAA,QACF;AAEA,YAAI,qBAAqB,GAAG,KAAK,IAAI,IAAI,MAAM,IAAI,EAAE,CAAC,IAAI;AAAA,UACxD,MAAM;AAAA,UACN;AAAA,QACF;AAAA,MACF;AAAA,IACF;AAEA,WAAO;AAAA,EACT;AACF;AAEA,IAAO,cAAQ;","names":["path","path","path","fs","path","fs","path","path"]}
1
+ {"version":3,"sources":["../src/index.ts","../src/client.ts","../src/crypto.ts","../src/transparency.ts","../src/trust-store.ts"],"sourcesContent":["import path from 'node:path'\nimport { R4Client } from './client'\nimport {\n decryptStoredFieldValue,\n derivePublicKey,\n loadPrivateKey,\n unwrapDEKWithPrivateKey,\n verifyVaultItemDetailCheckpoint,\n verifyVaultSummaryCheckpoint,\n verifyWrappedDekSignature,\n} from './crypto'\nimport {\n assertAndPinCheckpointVersion,\n getPublicOrgWitnessHead,\n getSinglePinnedTransparencyHead,\n verifyAndPinVaultUserPublicKeys,\n} from './trust-store'\nimport type {\n ListMachineVaultItemsResponse,\n MachineVaultItemDetailResponse,\n R4Config,\n R4Env,\n VaultItemDetailCheckpoint,\n VaultSummaryCheckpoint,\n} from './types'\n\nexport type { R4Config, R4Env } from './types'\n\nconst R4_DEFAULT_API_BASE_URL = 'https://r4.dev'\nconst R4_DEV_API_BASE_URL = 'https://dev.r4.dev'\n\nfunction toScreamingSnakeCase(input: string): string {\n return input\n .replace(/[^a-zA-Z0-9]/g, '_')\n .replace(/_+/g, '_')\n .replace(/^_|_$/g, '')\n .toUpperCase()\n}\n\nfunction resolveTrustStorePath(config: R4Config): string {\n if (config.trustStorePath) {\n return path.resolve(config.trustStorePath)\n }\n\n if (config.privateKeyPath) {\n return `${path.resolve(config.privateKeyPath)}.trust.json`\n }\n\n return path.resolve(process.cwd(), '.r4-trust-store.json')\n}\n\nfunction resolveApiBaseUrl(config: R4Config): string {\n if (config.baseUrl) {\n return config.baseUrl\n }\n\n return config.dev ? R4_DEV_API_BASE_URL : R4_DEFAULT_API_BASE_URL\n}\n\nfunction buildVaultSummaryCheckpointFromListResponse(\n response: ListMachineVaultItemsResponse,\n version: number,\n): VaultSummaryCheckpoint {\n return {\n vaultId: response.vaultId,\n version,\n name: response.vaultName,\n dataClassification: response.dataClassification ?? null,\n currentDekVersion: response.currentDekVersion ?? 
null,\n items: response.items.map((item) => ({\n id: item.id,\n name: item.name,\n type: item.type ?? null,\n websites: item.websites ?? [],\n groupId: item.groupId ?? null,\n })),\n groups: response.vaultItemGroups.map((group) => ({\n id: group.id,\n name: group.name,\n parentId: group.parentId ?? null,\n })),\n }\n}\n\nfunction buildVaultItemDetailCheckpointFromResponse(\n item: MachineVaultItemDetailResponse,\n version: number,\n): VaultItemDetailCheckpoint {\n return {\n vaultItemId: item.id,\n vaultId: item.vaultId,\n version,\n name: item.name,\n type: item.type ?? null,\n websites: item.websites ?? [],\n groupId: item.groupId ?? null,\n fields: item.fields.map((field, index) => ({\n id: field.id,\n name: field.name,\n type: field.type,\n order: field.order ?? index,\n fieldInstanceIds: field.fieldInstanceIds ?? [],\n assetIds: field.assetIds ?? [],\n })),\n }\n}\n\n/**\n * R4 SDK — zero-trust Node.js SDK for machine agents.\n *\n * The runtime keeps its private key locally, registers only the matching public\n * key with the machine API, verifies wrapped-DEK signatures against a pinned\n * signer directory, unwraps each vault DEK locally, and decrypts env values\n * without trusting the backend to see or transform plaintext.\n */\nexport class R4 {\n private readonly client: R4Client\n private readonly baseUrl: string\n private readonly projectId?: string\n private readonly privateKeyPem: string\n private readonly publicKeyPem: string\n private readonly trustStorePath: string\n private _env: R4Env | null = null\n\n constructor(config: R4Config) {\n if (!config.apiKey) {\n throw new Error('R4 SDK: apiKey is required')\n }\n\n if (!config.privateKey && !config.privateKeyPath) {\n throw new Error(\n 'R4 SDK: privateKey or privateKeyPath is required for zero-trust local decryption.',\n )\n }\n\n const baseUrl = resolveApiBaseUrl(config)\n this.baseUrl = baseUrl\n this.client = new R4Client(config.apiKey, baseUrl)\n this.projectId = config.projectId\n 
this.privateKeyPem = config.privateKey ?? loadPrivateKey(config.privateKeyPath!)\n this.publicKeyPem = derivePublicKey(this.privateKeyPem)\n this.trustStorePath = resolveTrustStorePath(config)\n }\n\n /**\n * Static factory method that creates and initializes an R4 instance.\n */\n static async create(config: R4Config): Promise<R4> {\n const instance = new R4(config)\n await instance.init()\n return instance\n }\n\n /**\n * Initializes the SDK by registering the agent public key (idempotent) and\n * decrypting all accessible vault values locally into a flat env map.\n */\n async init(): Promise<void> {\n this._env = await this.fetchEnv()\n }\n\n /**\n * Returns the locally decrypted env map.\n */\n get env(): R4Env {\n if (!this._env) {\n throw new Error(\n 'R4 SDK: env is not initialized. Call await r4.init() first, or use R4.create() for automatic initialization.',\n )\n }\n return this._env\n }\n\n /**\n * Re-fetches and locally re-decrypts the current vault view.\n */\n async refresh(): Promise<void> {\n this._env = await this.fetchEnv()\n }\n\n /**\n * Registers the local agent public key, loads all accessible vaults, verifies\n * wrapped-DEK signatures against pinned signer keys, unwraps each vault DEK,\n * and builds a flat SCREAMING_SNAKE_CASE env map from decrypted field values.\n */\n private async fetchEnv(): Promise<R4Env> {\n try {\n await this.client.registerAgentPublicKey({\n publicKey: this.publicKeyPem,\n })\n } catch (error) {\n throw new Error(\n `R4 SDK: failed to register the local agent public key. The zero-trust SDK requires an AGENT-scoped API key and a matching local private key. ${\n error instanceof Error ? 
error.message : String(error)\n }`,\n )\n }\n\n const { vaults } = await this.client.listVaults(this.projectId)\n const envEntries = await Promise.all(vaults.map((vault) => this.fetchVaultEnv(vault.id)))\n\n return Object.assign({}, ...envEntries)\n }\n\n /**\n * Fetches a single vault's wrapped DEK, verifies it against the pinned signer\n * directory, unwraps the DEK locally, then decrypts every field value in that\n * vault item-by-item.\n */\n private async fetchVaultEnv(vaultId: string): Promise<R4Env> {\n const pinnedTransparencyHead = getSinglePinnedTransparencyHead(this.trustStorePath)\n const [wrappedKey, itemsResponse, initialPublicKeyDirectory] = await Promise.all([\n this.client.getAgentWrappedKey(vaultId),\n this.client.listVaultItems(vaultId),\n this.client.getVaultUserKeyDirectory(\n vaultId,\n pinnedTransparencyHead\n ? {\n knownTransparencyVersion: pinnedTransparencyHead.version,\n knownTransparencyHash: pinnedTransparencyHead.hash,\n }\n : undefined,\n ),\n ])\n\n let publicKeyDirectory = initialPublicKeyDirectory\n let witnessAnchorHead: { version: number; hash: string } | null = null\n\n if (!pinnedTransparencyHead) {\n const orgId = initialPublicKeyDirectory.directoryCheckpoint?.checkpoint.orgId ?? 
null\n\n if (\n orgId &&\n initialPublicKeyDirectory.directoryCheckpoint &&\n initialPublicKeyDirectory.transparency\n ) {\n witnessAnchorHead = await getPublicOrgWitnessHead(this.baseUrl, orgId)\n\n if (witnessAnchorHead) {\n if (initialPublicKeyDirectory.transparency.head.version < witnessAnchorHead.version) {\n throw new Error(`R4 SDK: public transparency witness head is ahead of the server response for org ${orgId}.`)\n }\n\n if (initialPublicKeyDirectory.transparency.head.version === witnessAnchorHead.version) {\n if (initialPublicKeyDirectory.transparency.head.hash !== witnessAnchorHead.hash) {\n throw new Error(`R4 SDK: public transparency witness head fork detected for org ${orgId}.`)\n }\n } else {\n publicKeyDirectory = await this.client.getVaultUserKeyDirectory(vaultId, {\n knownTransparencyVersion: witnessAnchorHead.version,\n knownTransparencyHash: witnessAnchorHead.hash,\n })\n }\n }\n }\n }\n\n const trustedPublicKeys = await verifyAndPinVaultUserPublicKeys(\n this.trustStorePath,\n publicKeyDirectory,\n witnessAnchorHead,\n )\n\n const signerKey = trustedPublicKeys.find(\n (publicKey) => publicKey.userKeyPairId === wrappedKey.signerUserKeyPairId,\n )\n\n if (!signerKey) {\n throw new Error(\n `R4 SDK: wrapped DEK for vault ${vaultId} was signed by unknown user key ${wrappedKey.signerUserKeyPairId}.`,\n )\n }\n\n const signatureVerified = verifyWrappedDekSignature(\n vaultId,\n wrappedKey.encryptionKeyId,\n wrappedKey.signerUserKeyPairId,\n wrappedKey.dekVersion,\n wrappedKey.wrappedDek,\n wrappedKey.wrappedDekSignature,\n signerKey.publicKey,\n )\n\n if (!signatureVerified) {\n throw new Error(`R4 SDK: wrapped DEK signature verification failed for vault ${vaultId}.`)\n }\n\n const dek = unwrapDEKWithPrivateKey(wrappedKey.wrappedDek, this.privateKeyPem)\n\n if (!itemsResponse.summaryCheckpoint) {\n throw new Error(`R4 SDK: vault ${vaultId} is missing a signed summary checkpoint.`)\n }\n\n const summarySignerKey = trustedPublicKeys.find(\n (publicKey) 
=> publicKey.userKeyPairId === itemsResponse.summaryCheckpoint!.signerUserKeyPairId,\n )\n\n if (!summarySignerKey) {\n throw new Error(\n `R4 SDK: vault ${vaultId} summary checkpoint was signed by unknown user key ${itemsResponse.summaryCheckpoint.signerUserKeyPairId}.`,\n )\n }\n\n const expectedSummaryCheckpoint = buildVaultSummaryCheckpointFromListResponse(\n itemsResponse,\n itemsResponse.summaryCheckpoint.checkpoint.version,\n )\n const summaryVerified = verifyVaultSummaryCheckpoint(\n expectedSummaryCheckpoint,\n itemsResponse.summaryCheckpoint.signature,\n summarySignerKey.publicKey,\n )\n\n if (!summaryVerified) {\n throw new Error(`R4 SDK: vault summary checkpoint verification failed for vault ${vaultId}.`)\n }\n\n assertAndPinCheckpointVersion(\n this.trustStorePath,\n `summary:${vaultId}`,\n expectedSummaryCheckpoint.version,\n )\n\n const itemDetails = await Promise.all(\n itemsResponse.items.map((item) => this.client.getVaultItemDetail(vaultId, item.id)),\n )\n\n const env: R4Env = {}\n\n for (const item of itemDetails) {\n if (!item.detailCheckpoint) {\n throw new Error(`R4 SDK: vault item ${item.id} is missing a signed detail checkpoint.`)\n }\n\n const detailSignerKey = trustedPublicKeys.find(\n (publicKey) => publicKey.userKeyPairId === item.detailCheckpoint!.signerUserKeyPairId,\n )\n\n if (!detailSignerKey) {\n throw new Error(\n `R4 SDK: vault item ${item.id} checkpoint was signed by unknown user key ${item.detailCheckpoint.signerUserKeyPairId}.`,\n )\n }\n\n const expectedDetailCheckpoint = buildVaultItemDetailCheckpointFromResponse(\n item,\n item.detailCheckpoint.checkpoint.version,\n )\n const detailVerified = verifyVaultItemDetailCheckpoint(\n expectedDetailCheckpoint,\n item.detailCheckpoint.signature,\n detailSignerKey.publicKey,\n )\n\n if (!detailVerified) {\n throw new Error(`R4 SDK: vault item checkpoint verification failed for item ${item.id}.`)\n }\n\n assertAndPinCheckpointVersion(\n this.trustStorePath,\n `detail:${item.id}`,\n 
expectedDetailCheckpoint.version,\n )\n\n for (const field of item.fields) {\n if (field.value === null) {\n continue\n }\n\n env[toScreamingSnakeCase(`${item.name}_${field.name}`)] = decryptStoredFieldValue(\n field.value,\n dek,\n )\n }\n }\n\n return env\n }\n}\n\nexport default R4\n","import type {\n ListMachineVaultItemsResponse,\n ListMachineVaultsResponse,\n MachineAgentPublicKeyResponse,\n MachineVaultItemDetailResponse,\n MachineVaultUserKeyDirectoryResponse,\n MachineWrappedKeyResponse,\n RegisterMachinePublicKeyRequest,\n} from './types'\n\ntype ApiErrorBody = {\n error?: {\n code?: unknown\n message?: unknown\n }\n}\n\n/**\n * Minimal machine-API client used by the zero-trust Node SDK.\n * Agents authenticate with an AGENT-scoped API key, register their local public\n * key, then fetch wrapped vault DEKs and ciphertext for local decryption.\n */\nexport class R4Client {\n private readonly apiKey: string\n private readonly baseUrl: string\n\n constructor(apiKey: string, baseUrl: string) {\n this.apiKey = apiKey\n this.baseUrl = baseUrl.replace(/\\/$/, '')\n }\n\n private buildHeaders(): Record<string, string> {\n return {\n 'X-API-Key': this.apiKey,\n 'Content-Type': 'application/json',\n }\n }\n\n private async request<T>(path: string, init: RequestInit): Promise<T> {\n const response = await fetch(`${this.baseUrl}${path}`, {\n ...init,\n headers: {\n ...this.buildHeaders(),\n ...(init.headers ?? {}),\n },\n })\n\n if (!response.ok) {\n const errorBody = (await response.json().catch(() => ({}))) as ApiErrorBody\n const errorMessage =\n typeof errorBody.error?.message === 'string'\n ? errorBody.error.message\n : `HTTP ${response.status}: ${response.statusText}`\n const errorCode =\n typeof errorBody.error?.code === 'string'\n ? 
` [${errorBody.error.code}]`\n : ''\n throw new Error(`R4 API Error${errorCode}: ${errorMessage}`)\n }\n\n if (response.status === 204) {\n return undefined as T\n }\n\n return response.json() as Promise<T>\n }\n\n /**\n * Registers or re-confirms the agent runtime's local RSA public key.\n */\n async registerAgentPublicKey(\n body: RegisterMachinePublicKeyRequest,\n ): Promise<MachineAgentPublicKeyResponse> {\n return this.request<MachineAgentPublicKeyResponse>('/api/v1/machine/vault/public-key', {\n method: 'POST',\n body: JSON.stringify(body),\n })\n }\n\n /**\n * Lists all accessible non-hidden vaults. When `projectId` is provided, the\n * backend additionally filters to vaults associated with that project.\n */\n async listVaults(projectId?: string): Promise<ListMachineVaultsResponse> {\n const search = projectId\n ? `?projectId=${encodeURIComponent(projectId)}`\n : ''\n return this.request<ListMachineVaultsResponse>(`/api/v1/machine/vault${search}`, {\n method: 'GET',\n })\n }\n\n /**\n * Retrieves the active wrapped DEK for the authenticated agent on a vault.\n */\n async getAgentWrappedKey(vaultId: string): Promise<MachineWrappedKeyResponse> {\n return this.request<MachineWrappedKeyResponse>(\n `/api/v1/machine/vault/${encodeURIComponent(vaultId)}/wrapped-key`,\n { method: 'GET' },\n )\n }\n\n /**\n * Retrieves the trusted user-key directory for a vault so the runtime can\n * verify wrapped-DEK signatures locally.\n */\n async getVaultUserKeyDirectory(\n vaultId: string,\n params?: {\n knownTransparencyVersion?: number\n knownTransparencyHash?: string\n },\n ): Promise<MachineVaultUserKeyDirectoryResponse> {\n const searchParams = new URLSearchParams()\n if (params?.knownTransparencyVersion !== undefined) {\n searchParams.set('knownTransparencyVersion', String(params.knownTransparencyVersion))\n }\n if (params?.knownTransparencyHash) {\n searchParams.set('knownTransparencyHash', params.knownTransparencyHash)\n }\n const search = searchParams.size > 0 ? 
`?${searchParams.toString()}` : ''\n\n return this.request<MachineVaultUserKeyDirectoryResponse>(\n `/api/v1/machine/vault/${encodeURIComponent(vaultId)}/public-keys${search}`,\n { method: 'GET' },\n )\n }\n\n /**\n * Lists all items in a vault with lightweight metadata.\n */\n async listVaultItems(vaultId: string): Promise<ListMachineVaultItemsResponse> {\n return this.request<ListMachineVaultItemsResponse>(\n `/api/v1/machine/vault/${encodeURIComponent(vaultId)}/items`,\n { method: 'GET' },\n )\n }\n\n /**\n * Retrieves the full field payloads for a vault item.\n */\n async getVaultItemDetail(\n vaultId: string,\n itemId: string,\n ): Promise<MachineVaultItemDetailResponse> {\n return this.request<MachineVaultItemDetailResponse>(\n `/api/v1/machine/vault/${encodeURIComponent(vaultId)}/items/${encodeURIComponent(itemId)}`,\n { method: 'GET' },\n )\n }\n}\n","import crypto from 'node:crypto'\nimport fs from 'node:fs'\nimport path from 'node:path'\nimport {\n buildAgentPublicKeyWitnessPayload,\n buildOrgUserKeyDirectoryWitnessPayload,\n type AgentPublicKeyWitnessArtifact,\n type OrgUserKeyDirectoryWitnessArtifact,\n} from './transparency'\nimport type {\n UserKeyDirectoryCheckpoint,\n UserKeyDirectoryTransparencyEntry,\n UserKeyDirectoryTransparencyHead,\n UserKeyDirectoryTransparencyProof,\n VaultItemDetailCheckpoint,\n VaultSummaryCheckpoint,\n} from './types'\n\nconst RSA_OAEP_CONFIG = {\n padding: crypto.constants.RSA_PKCS1_OAEP_PADDING,\n oaepHash: 'sha256',\n} as const\n\nconst RSA_PSS_SIGN_CONFIG = {\n padding: crypto.constants.RSA_PKCS1_PSS_PADDING,\n saltLength: 32,\n} as const\n\nconst USER_KEY_ROTATION_PREFIX = 'r4-user-key-rotation-v1'\nconst USER_KEY_DIRECTORY_CHECKPOINT_PREFIX = 'r4-user-key-directory-checkpoint-v1'\nconst USER_KEY_DIRECTORY_TRANSPARENCY_ENTRY_PREFIX = 'r4-user-key-directory-transparency-entry-v1'\nconst WRAPPED_DEK_SIGNATURE_PREFIX = 'r4-wrapped-dek-signature-v1'\nconst VAULT_SUMMARY_CHECKPOINT_PREFIX = 
'r4-vault-summary-checkpoint-v1'\nconst VAULT_ITEM_DETAIL_CHECKPOINT_PREFIX = 'r4-vault-item-detail-checkpoint-v1'\n\ntype VaultEnvelope = {\n v: 3\n iv: string\n t: string\n d: string\n}\n\nfunction pemToDer(pem: string, beginLabel: string, endLabel: string): Buffer {\n const derBase64 = pem\n .replace(beginLabel, '')\n .replace(endLabel, '')\n .replace(/\\s/g, '')\n\n return Buffer.from(derBase64, 'base64')\n}\n\nfunction getWrappedDekFingerprint(wrappedDek: string): string {\n return crypto.createHash('sha256').update(Buffer.from(wrappedDek, 'base64')).digest('hex')\n}\n\nfunction getCheckpointFingerprint(prefix: string, canonicalJson: string): string {\n return `${prefix}:${crypto.createHash('sha256').update(canonicalJson, 'utf8').digest('hex')}`\n}\n\n/**\n * Loads a PEM-encoded private key from the provided path.\n */\nexport function loadPrivateKey(privateKeyPath: string): string {\n return fs.readFileSync(path.resolve(privateKeyPath), 'utf8').trim()\n}\n\n/**\n * Derives the matching PEM-encoded public key from a PEM private key.\n */\nexport function derivePublicKey(privateKeyPem: string): string {\n return crypto.createPublicKey(privateKeyPem).export({\n type: 'spki',\n format: 'pem',\n }).toString()\n}\n\n/**\n * Compute a stable SHA-256 fingerprint for a PEM-encoded public key.\n * The fingerprint uses the DER bytes so PEM formatting differences do not matter.\n */\nexport function getPublicKeyFingerprint(publicKeyPem: string): string {\n const derBytes = pemToDer(publicKeyPem, '-----BEGIN PUBLIC KEY-----', '-----END PUBLIC KEY-----')\n return crypto.createHash('sha256').update(derBytes).digest('hex')\n}\n\nfunction buildUserKeyRotationPayload(previousUserKeyPairId: string, newPublicKeyFingerprint: string): string {\n return `${USER_KEY_ROTATION_PREFIX}:${previousUserKeyPairId}:${newPublicKeyFingerprint}`\n}\n\n/**\n * Signs a new key fingerprint with the previous private key to prove continuity.\n */\nexport function signUserKeyRotation(\n 
previousUserKeyPairId: string,\n newPublicKeyPem: string,\n previousPrivateKeyPem: string,\n): string {\n const payload = buildUserKeyRotationPayload(\n previousUserKeyPairId,\n getPublicKeyFingerprint(newPublicKeyPem),\n )\n\n return crypto.sign(\n 'sha256',\n Buffer.from(payload, 'utf8'),\n {\n key: previousPrivateKeyPem,\n ...RSA_PSS_SIGN_CONFIG,\n },\n ).toString('base64')\n}\n\n/**\n * Verifies continuity for a rotated signer key.\n */\nexport function verifyUserKeyRotation(\n previousUserKeyPairId: string,\n newPublicKeyPem: string,\n rotationSignature: string,\n previousPublicKeyPem: string,\n): boolean {\n const payload = buildUserKeyRotationPayload(\n previousUserKeyPairId,\n getPublicKeyFingerprint(newPublicKeyPem),\n )\n\n try {\n return crypto.verify(\n 'sha256',\n Buffer.from(payload, 'utf8'),\n {\n key: previousPublicKeyPem,\n ...RSA_PSS_SIGN_CONFIG,\n },\n Buffer.from(rotationSignature, 'base64'),\n )\n } catch {\n return false\n }\n}\n\nexport function verifyTransparencyWitnessPayload(\n payload: string,\n signature: string,\n publicKeyPem: string,\n): boolean {\n try {\n return crypto.verify(\n 'sha256',\n Buffer.from(payload, 'utf8'),\n {\n key: publicKeyPem,\n ...RSA_PSS_SIGN_CONFIG,\n },\n Buffer.from(signature, 'base64'),\n )\n } catch {\n return false\n }\n}\n\nexport function verifyOrgUserKeyDirectoryWitnessArtifact(\n artifact: OrgUserKeyDirectoryWitnessArtifact,\n publicKeyPem: string,\n): boolean {\n return verifyTransparencyWitnessPayload(\n buildOrgUserKeyDirectoryWitnessPayload(artifact.orgId, artifact.head),\n artifact.signature,\n publicKeyPem,\n )\n}\n\nexport function verifyAgentPublicKeyWitnessArtifact(\n artifact: AgentPublicKeyWitnessArtifact,\n publicKeyPem: string,\n): boolean {\n return verifyTransparencyWitnessPayload(\n buildAgentPublicKeyWitnessPayload(artifact.agentId, artifact.head),\n artifact.signature,\n publicKeyPem,\n )\n}\n\nexport function normalizeUserKeyDirectoryCheckpoint(\n checkpoint: 
UserKeyDirectoryCheckpoint,\n): UserKeyDirectoryCheckpoint {\n return {\n orgId: checkpoint.orgId,\n version: checkpoint.version,\n entries: [...checkpoint.entries]\n .map((entry) => ({\n userKeyPairId: entry.userKeyPairId,\n orgUserId: entry.orgUserId,\n fingerprint: entry.fingerprint,\n previousUserKeyPairId: entry.previousUserKeyPairId ?? null,\n rotationSignature: entry.rotationSignature ?? null,\n }))\n .sort((left, right) => left.userKeyPairId.localeCompare(right.userKeyPairId)),\n }\n}\n\nexport function canonicalizeUserKeyDirectoryCheckpoint(\n checkpoint: UserKeyDirectoryCheckpoint,\n): string {\n return JSON.stringify(normalizeUserKeyDirectoryCheckpoint(checkpoint))\n}\n\nexport function buildUserKeyDirectoryCheckpointPayload(\n checkpoint: UserKeyDirectoryCheckpoint,\n): string {\n return getCheckpointFingerprint(\n USER_KEY_DIRECTORY_CHECKPOINT_PREFIX,\n canonicalizeUserKeyDirectoryCheckpoint(checkpoint),\n )\n}\n\nexport function signUserKeyDirectoryCheckpoint(\n checkpoint: UserKeyDirectoryCheckpoint,\n privateKeyPem: string,\n): string {\n return crypto.sign(\n 'sha256',\n Buffer.from(buildUserKeyDirectoryCheckpointPayload(checkpoint), 'utf8'),\n {\n key: privateKeyPem,\n ...RSA_PSS_SIGN_CONFIG,\n },\n ).toString('base64')\n}\n\nexport function verifyUserKeyDirectoryCheckpoint(\n checkpoint: UserKeyDirectoryCheckpoint,\n signature: string,\n publicKeyPem: string,\n): boolean {\n try {\n return crypto.verify(\n 'sha256',\n Buffer.from(buildUserKeyDirectoryCheckpointPayload(checkpoint), 'utf8'),\n {\n key: publicKeyPem,\n ...RSA_PSS_SIGN_CONFIG,\n },\n Buffer.from(signature, 'base64'),\n )\n } catch {\n return false\n }\n}\n\nexport function buildUserKeyDirectoryTransparencyEntryHash(\n entry: Omit<UserKeyDirectoryTransparencyEntry, 'entryHash'>,\n): string {\n return getCheckpointFingerprint(\n USER_KEY_DIRECTORY_TRANSPARENCY_ENTRY_PREFIX,\n JSON.stringify({\n orgId: entry.orgId,\n version: entry.version,\n directoryCheckpointPayload: 
entry.directoryCheckpointPayload,\n signerUserKeyPairId: entry.signerUserKeyPairId,\n signerOrgUserId: entry.signerOrgUserId,\n signerFingerprint: entry.signerFingerprint,\n signature: entry.signature,\n previousEntryHash: entry.previousEntryHash ?? null,\n }),\n )\n}\n\nexport function buildUserKeyDirectoryTransparencyEntry(params: {\n checkpoint: UserKeyDirectoryCheckpoint\n signerUserKeyPairId: string\n signerOrgUserId: string\n signerPublicKey: string\n signature: string\n previousEntryHash: string | null\n}): UserKeyDirectoryTransparencyEntry {\n const entryWithoutHash = {\n orgId: params.checkpoint.orgId,\n version: params.checkpoint.version,\n directoryCheckpointPayload: buildUserKeyDirectoryCheckpointPayload(params.checkpoint),\n signerUserKeyPairId: params.signerUserKeyPairId,\n signerOrgUserId: params.signerOrgUserId,\n signerFingerprint: getPublicKeyFingerprint(params.signerPublicKey),\n signature: params.signature,\n previousEntryHash: params.previousEntryHash ?? null,\n }\n\n return {\n ...entryWithoutHash,\n entryHash: buildUserKeyDirectoryTransparencyEntryHash(entryWithoutHash),\n }\n}\n\nexport function verifyUserKeyDirectoryTransparencyProof(params: {\n currentEntry: UserKeyDirectoryTransparencyEntry\n proof: UserKeyDirectoryTransparencyProof\n previousHead: UserKeyDirectoryTransparencyHead | null\n}): boolean {\n if (\n params.proof.head.version !== params.currentEntry.version ||\n params.proof.head.hash !== params.currentEntry.entryHash\n ) {\n return false\n }\n\n if (!params.previousHead) {\n if (params.proof.entries.length === 0) {\n return false\n }\n\n for (let index = 0; index < params.proof.entries.length; index++) {\n const entry = params.proof.entries[index]\n if (!entry) {\n return false\n }\n\n const expectedHash = buildUserKeyDirectoryTransparencyEntryHash({\n orgId: entry.orgId,\n version: entry.version,\n directoryCheckpointPayload: entry.directoryCheckpointPayload,\n signerUserKeyPairId: entry.signerUserKeyPairId,\n 
signerOrgUserId: entry.signerOrgUserId,\n signerFingerprint: entry.signerFingerprint,\n signature: entry.signature,\n previousEntryHash: entry.previousEntryHash,\n })\n\n if (expectedHash !== entry.entryHash) {\n return false\n }\n\n if (index === 0) {\n continue\n }\n\n const previousEntry = params.proof.entries[index - 1]\n if (!previousEntry) {\n return false\n }\n\n if (entry.previousEntryHash !== previousEntry.entryHash || entry.version !== previousEntry.version + 1) {\n return false\n }\n }\n\n const lastEntry = params.proof.entries[params.proof.entries.length - 1]\n return lastEntry?.entryHash === params.currentEntry.entryHash && lastEntry.version === params.currentEntry.version\n }\n\n if (params.currentEntry.version < params.previousHead.version) {\n return false\n }\n\n if (params.currentEntry.version === params.previousHead.version) {\n return params.currentEntry.entryHash === params.previousHead.hash && params.proof.entries.length === 0\n }\n\n if (params.proof.entries.length === 0) {\n return false\n }\n\n let previousVersion = params.previousHead.version\n let previousHash = params.previousHead.hash\n\n for (const entry of params.proof.entries) {\n const expectedHash = buildUserKeyDirectoryTransparencyEntryHash({\n orgId: entry.orgId,\n version: entry.version,\n directoryCheckpointPayload: entry.directoryCheckpointPayload,\n signerUserKeyPairId: entry.signerUserKeyPairId,\n signerOrgUserId: entry.signerOrgUserId,\n signerFingerprint: entry.signerFingerprint,\n signature: entry.signature,\n previousEntryHash: entry.previousEntryHash,\n })\n\n if (\n expectedHash !== entry.entryHash ||\n entry.previousEntryHash !== previousHash ||\n entry.version !== previousVersion + 1\n ) {\n return false\n }\n\n previousVersion = entry.version\n previousHash = entry.entryHash\n }\n\n return previousHash === params.currentEntry.entryHash && previousVersion === params.currentEntry.version\n}\n\nfunction buildWrappedDekSignaturePayload(\n vaultId: string,\n 
recipientKeyId: string,\n signerUserKeyPairId: string,\n dekVersion: number,\n wrappedDek: string,\n): string {\n return [\n WRAPPED_DEK_SIGNATURE_PREFIX,\n vaultId,\n recipientKeyId,\n signerUserKeyPairId,\n String(dekVersion),\n getWrappedDekFingerprint(wrappedDek),\n ].join(':')\n}\n\n/**\n * Signs a wrapped-DEK payload with the signer's private key.\n */\nexport function signWrappedDek(\n vaultId: string,\n recipientKeyId: string,\n signerUserKeyPairId: string,\n dekVersion: number,\n wrappedDek: string,\n signerPrivateKeyPem: string,\n): string {\n const payload = buildWrappedDekSignaturePayload(\n vaultId,\n recipientKeyId,\n signerUserKeyPairId,\n dekVersion,\n wrappedDek,\n )\n\n return crypto.sign(\n 'sha256',\n Buffer.from(payload, 'utf8'),\n {\n key: signerPrivateKeyPem,\n ...RSA_PSS_SIGN_CONFIG,\n },\n ).toString('base64')\n}\n\n/**\n * Verifies a wrapped vault DEK signature using the signer's public key.\n */\nexport function verifyWrappedDekSignature(\n vaultId: string,\n recipientKeyId: string,\n signerUserKeyPairId: string,\n dekVersion: number,\n wrappedDek: string,\n wrappedDekSignature: string,\n signerPublicKeyPem: string,\n): boolean {\n const payload = buildWrappedDekSignaturePayload(\n vaultId,\n recipientKeyId,\n signerUserKeyPairId,\n dekVersion,\n wrappedDek,\n )\n\n try {\n return crypto.verify(\n 'sha256',\n Buffer.from(payload, 'utf8'),\n {\n key: signerPublicKeyPem,\n ...RSA_PSS_SIGN_CONFIG,\n },\n Buffer.from(wrappedDekSignature, 'base64'),\n )\n } catch {\n return false\n }\n}\n\nexport function normalizeVaultSummaryCheckpoint(\n checkpoint: VaultSummaryCheckpoint,\n): VaultSummaryCheckpoint {\n return {\n vaultId: checkpoint.vaultId,\n version: checkpoint.version,\n name: checkpoint.name,\n dataClassification: checkpoint.dataClassification ?? null,\n currentDekVersion: checkpoint.currentDekVersion ?? null,\n items: [...checkpoint.items]\n .map((item) => ({\n id: item.id,\n name: item.name,\n type: item.type ?? 
null,\n websites: [...item.websites],\n groupId: item.groupId ?? null,\n }))\n .sort((left, right) => left.id.localeCompare(right.id)),\n groups: [...checkpoint.groups]\n .map((group) => ({\n id: group.id,\n name: group.name,\n parentId: group.parentId ?? null,\n }))\n .sort((left, right) => left.id.localeCompare(right.id)),\n }\n}\n\nexport function canonicalizeVaultSummaryCheckpoint(\n checkpoint: VaultSummaryCheckpoint,\n): string {\n return JSON.stringify(normalizeVaultSummaryCheckpoint(checkpoint))\n}\n\nexport function buildVaultSummaryCheckpointPayload(\n checkpoint: VaultSummaryCheckpoint,\n): string {\n return getCheckpointFingerprint(\n VAULT_SUMMARY_CHECKPOINT_PREFIX,\n canonicalizeVaultSummaryCheckpoint(checkpoint),\n )\n}\n\nexport function verifyVaultSummaryCheckpoint(\n checkpoint: VaultSummaryCheckpoint,\n signature: string,\n publicKeyPem: string,\n): boolean {\n try {\n return crypto.verify(\n 'sha256',\n Buffer.from(buildVaultSummaryCheckpointPayload(checkpoint), 'utf8'),\n {\n key: publicKeyPem,\n ...RSA_PSS_SIGN_CONFIG,\n },\n Buffer.from(signature, 'base64'),\n )\n } catch {\n return false\n }\n}\n\nexport function signVaultSummaryCheckpoint(\n checkpoint: VaultSummaryCheckpoint,\n privateKeyPem: string,\n): string {\n return crypto.sign(\n 'sha256',\n Buffer.from(buildVaultSummaryCheckpointPayload(checkpoint), 'utf8'),\n {\n key: privateKeyPem,\n ...RSA_PSS_SIGN_CONFIG,\n },\n ).toString('base64')\n}\n\nexport function normalizeVaultItemDetailCheckpoint(\n checkpoint: VaultItemDetailCheckpoint,\n): VaultItemDetailCheckpoint {\n return {\n vaultItemId: checkpoint.vaultItemId,\n vaultId: checkpoint.vaultId,\n version: checkpoint.version,\n name: checkpoint.name,\n type: checkpoint.type ?? null,\n websites: [...checkpoint.websites],\n groupId: checkpoint.groupId ?? 
null,\n fields: [...checkpoint.fields]\n .map((field) => ({\n id: field.id,\n name: field.name,\n type: field.type,\n order: field.order,\n fieldInstanceIds: [...field.fieldInstanceIds].sort(),\n assetIds: [...field.assetIds].sort(),\n }))\n .sort((left, right) => left.order - right.order || left.id.localeCompare(right.id)),\n }\n}\n\nexport function canonicalizeVaultItemDetailCheckpoint(\n checkpoint: VaultItemDetailCheckpoint,\n): string {\n return JSON.stringify(normalizeVaultItemDetailCheckpoint(checkpoint))\n}\n\nexport function buildVaultItemDetailCheckpointPayload(\n checkpoint: VaultItemDetailCheckpoint,\n): string {\n return getCheckpointFingerprint(\n VAULT_ITEM_DETAIL_CHECKPOINT_PREFIX,\n canonicalizeVaultItemDetailCheckpoint(checkpoint),\n )\n}\n\nexport function verifyVaultItemDetailCheckpoint(\n checkpoint: VaultItemDetailCheckpoint,\n signature: string,\n publicKeyPem: string,\n): boolean {\n try {\n return crypto.verify(\n 'sha256',\n Buffer.from(buildVaultItemDetailCheckpointPayload(checkpoint), 'utf8'),\n {\n key: publicKeyPem,\n ...RSA_PSS_SIGN_CONFIG,\n },\n Buffer.from(signature, 'base64'),\n )\n } catch {\n return false\n }\n}\n\nexport function signVaultItemDetailCheckpoint(\n checkpoint: VaultItemDetailCheckpoint,\n privateKeyPem: string,\n): string {\n return crypto.sign(\n 'sha256',\n Buffer.from(buildVaultItemDetailCheckpointPayload(checkpoint), 'utf8'),\n {\n key: privateKeyPem,\n ...RSA_PSS_SIGN_CONFIG,\n },\n ).toString('base64')\n}\n\n/**\n * Checks whether a stored field value is a v3 vault envelope.\n */\nexport function isVaultEnvelope(value: string): boolean {\n if (!value.startsWith('{')) {\n return false\n }\n\n try {\n const parsed = JSON.parse(value) as { v?: number }\n return parsed.v === 3\n } catch {\n return false\n }\n}\n\n/**\n * Decrypts a v3 vault envelope with the provided 32-byte AES vault DEK.\n */\nexport function decryptWithVaultDEK(encryptedValue: string, dek: Buffer): string {\n if 
(!isVaultEnvelope(encryptedValue)) {\n throw new Error('Invalid encrypted value: expected v3 vault envelope format')\n }\n\n const envelope = JSON.parse(encryptedValue) as VaultEnvelope\n const decipher = crypto.createDecipheriv('aes-256-gcm', dek, Buffer.from(envelope.iv, 'base64'))\n decipher.setAuthTag(Buffer.from(envelope.t, 'base64'))\n const decrypted = Buffer.concat([\n decipher.update(Buffer.from(envelope.d, 'base64')),\n decipher.final(),\n ])\n return decrypted.toString('utf8')\n}\n\n/**\n * Returns plaintext for a field value. Plain strings are returned as-is, while\n * v3 envelopes are decrypted with the provided vault DEK.\n */\nexport function decryptStoredFieldValue(value: string, dek: Buffer): string {\n return isVaultEnvelope(value) ? decryptWithVaultDEK(value, dek) : value\n}\n\n/**\n * Encrypts a plaintext field value into a v3 vault envelope. Used by tests.\n */\nexport function encryptWithVaultDEK(value: string, dek: Buffer): string {\n const iv = crypto.randomBytes(12)\n const cipher = crypto.createCipheriv('aes-256-gcm', dek, iv)\n const ciphertext = Buffer.concat([cipher.update(value, 'utf8'), cipher.final()])\n const tag = cipher.getAuthTag()\n\n return JSON.stringify({\n v: 3,\n iv: iv.toString('base64'),\n t: tag.toString('base64'),\n d: ciphertext.toString('base64'),\n } satisfies VaultEnvelope)\n}\n\n/**\n * Unwraps a vault DEK using the agent runtime's local private key.\n */\nexport function unwrapDEKWithPrivateKey(wrappedDek: string, privateKeyPem: string): Buffer {\n return crypto.privateDecrypt(\n { key: privateKeyPem, ...RSA_OAEP_CONFIG },\n Buffer.from(wrappedDek, 'base64'),\n )\n}\n","/**\n * Minimal transparency witness helpers vendored into the public Node SDK so the\n * published package does not depend on unpublished internal workspace packages.\n */\n\nconst TRANSPARENCY_WITNESS_PAYLOAD_PREFIX = 'r4-transparency-witness-v1'\n\nexport const DEFAULT_TRANSPARENCY_WITNESS_URL = 'https://transparency.r4.dev'\n\nexport const 
TRANSPARENCY_WITNESS_ROOT_PUBLIC_KEY_PEM = `-----BEGIN PUBLIC KEY-----\nMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA18JhILFiS/BOWR9laubW\ng2vepQy26BXAlnrscZZVQUzBBaCM4hWobpt3Nh77vxP0gqVAJXP1hVhPPwxGQnOF\n4Qg/RK4iEETjMdmh3KMqFX9MeE9tP4cTOGtsgWsedNpu6TvMT+2vu+0ltmr7p4Xv\nH0ID48Q8JLeNksc/RekrsfzQ9DVtXFS7z1FF2VQgzamdJsW9hGMiM7Q+0iXei7PW\n3PsLd1aNtqJ3lIj3t12qFiJiYyKF0hEq0//Abgb9SgDv/WOlRG1Ianf1/fnP2jer\nZYiZSylXqQdun0Db2d0+FDm/znV2AGAmBEXm6qnCogEHu77LoLyCyJOlB9WNtRwh\nKnbzTmE2Mw/43jxvCcR7pE5kik/tdeMvqGFZfg3ozUG9eM0q0TURH6g9b9J4sBnR\ndxz2PbF4cl/AeL4ANPmLz3kUQaDA6wR0veVk5jV+Uqr55TYz/zEbY1rtJbmnc53Q\nihPS6xtSiexrqnOgqm/AVbiRhxjPqfg3/VJM3zR5Blnu02AqVR9kCT0WkyEWRz5X\n6HU8DEocJIPz8UwBMKQ7rnjMPv/Fjpuav/EIad5vOdfxCZkjyTYoQg8vLUyfXvgD\nmBWFgKIN8GTRyM+LjZIgznjN58dZ8ZvsGd14oKnH7WgAh9FVh8ri7gNmsdJeRTn/\n2zDkTlx+FQxAxqFaYV7qCvcCAwEAAQ==\n-----END PUBLIC KEY-----`\n\nexport type TransparencyWitnessHead = {\n version: number\n hash: string\n}\n\nexport type OrgUserKeyDirectoryWitnessArtifact = {\n version: 1\n kind: 'org-user-key-directory'\n orgId: string\n head: TransparencyWitnessHead\n signature: string\n keyId: string\n publishedAt: string\n}\n\nexport type AgentPublicKeyWitnessArtifact = {\n version: 1\n kind: 'agent-public-key'\n agentId: string\n head: TransparencyWitnessHead\n signature: string\n keyId: string\n publishedAt: string\n}\n\nexport const buildOrgUserKeyDirectoryWitnessPayload = (\n orgId: string,\n head: TransparencyWitnessHead,\n): string =>\n [\n TRANSPARENCY_WITNESS_PAYLOAD_PREFIX,\n 'org-user-key-directory',\n orgId,\n String(head.version),\n head.hash,\n ].join(':')\n\nexport const buildAgentPublicKeyWitnessPayload = (\n agentId: string,\n head: TransparencyWitnessHead,\n): string =>\n [\n TRANSPARENCY_WITNESS_PAYLOAD_PREFIX,\n 'agent-public-key',\n agentId,\n String(head.version),\n head.hash,\n ].join(':')\n\nexport const buildOrgUserKeyDirectoryWitnessPath = (orgId: string): string =>\n `v1/orgs/${orgId}/user-key-directory-head.json`\n\nexport const 
buildTransparencyWitnessUrl = (baseUrl: string, path: string): string =>\n `${baseUrl.replace(/\\/+$/, '')}/${path.replace(/^\\/+/, '')}`\n\nfunction parseHostname(apiBaseUrl: string): string | null {\n const trimmed = apiBaseUrl.trim()\n if (!trimmed) {\n return null\n }\n\n try {\n const normalized = trimmed.includes('://') ? trimmed : `https://${trimmed}`\n return new URL(normalized).hostname.toLowerCase()\n } catch {\n return null\n }\n}\n\nexport const shouldUseDefaultTransparencyWitness = (apiBaseUrl: string): boolean => {\n const hostname = parseHostname(apiBaseUrl)\n return hostname === 'r4.dev' || hostname === 'api.r4.dev'\n}\n","import fs from 'node:fs'\nimport path from 'node:path'\nimport {\n DEFAULT_TRANSPARENCY_WITNESS_URL,\n TRANSPARENCY_WITNESS_ROOT_PUBLIC_KEY_PEM,\n buildOrgUserKeyDirectoryWitnessPath,\n buildTransparencyWitnessUrl,\n shouldUseDefaultTransparencyWitness,\n type OrgUserKeyDirectoryWitnessArtifact,\n} from './transparency'\nimport {\n buildUserKeyDirectoryTransparencyEntry,\n getPublicKeyFingerprint,\n verifyOrgUserKeyDirectoryWitnessArtifact,\n verifyUserKeyDirectoryCheckpoint,\n verifyUserKeyDirectoryTransparencyProof,\n verifyUserKeyRotation,\n} from './crypto'\nimport type {\n MachineVaultUserKeyDirectoryResponse,\n MachineVaultUserPublicKey,\n} from './types'\n\ntype PublicKeyPinRecord = {\n keyPairId: string\n fingerprint: string\n publicKey: string\n pinnedAt: string\n verifiedAt: string\n}\n\ntype TrustStore = {\n version: 1\n userKeyPins: Record<string, PublicKeyPinRecord>\n checkpointVersionPins: Record<string, number>\n transparencyHeadPins: Record<string, { version: number; hash: string }>\n}\n\nfunction loadTrustStore(trustStorePath: string): TrustStore {\n try {\n const raw = fs.readFileSync(trustStorePath, 'utf8')\n const parsed = JSON.parse(raw) as Partial<TrustStore>\n return {\n version: 1,\n userKeyPins: parsed.userKeyPins ?? {},\n checkpointVersionPins: parsed.checkpointVersionPins ?? 
{},\n transparencyHeadPins: parsed.transparencyHeadPins ?? {},\n }\n } catch {\n return {\n version: 1,\n userKeyPins: {},\n checkpointVersionPins: {},\n transparencyHeadPins: {},\n }\n }\n}\n\nfunction saveTrustStore(trustStorePath: string, store: TrustStore): void {\n fs.mkdirSync(path.dirname(trustStorePath), { recursive: true })\n fs.writeFileSync(trustStorePath, JSON.stringify(store, null, 2) + '\\n', 'utf8')\n}\n\nfunction getPinStorageKey(orgId: string, orgUserId: string): string {\n return `${orgId}:${orgUserId}`\n}\n\nfunction getDirectoryPinStorageKey(orgId: string): string {\n return `org:${orgId}`\n}\n\nasync function fetchWitnessArtifact<T>(pathName: string): Promise<T> {\n const response = await fetch(\n buildTransparencyWitnessUrl(DEFAULT_TRANSPARENCY_WITNESS_URL, pathName),\n {\n cache: 'no-store',\n },\n )\n\n if (!response.ok) {\n throw new Error(\n `Failed to fetch public transparency witness artifact (${response.status}). ` +\n 'Production first-trust bootstrapping needs access to https://transparency.r4.dev. ' +\n 'If this is a dev environment, re-run with --dev or set R4_DEV=1. ' +\n 'If this is production, verify outbound access to transparency.r4.dev and retry.',\n )\n }\n\n return response.json() as Promise<T>\n}\n\nexport function getPinnedTransparencyHead(\n trustStorePath: string,\n orgId: string,\n): { version: number; hash: string } | null {\n const store = loadTrustStore(trustStorePath)\n return store.transparencyHeadPins[getDirectoryPinStorageKey(orgId)] ?? null\n}\n\nexport function getSinglePinnedTransparencyHead(\n trustStorePath: string,\n): { version: number; hash: string } | null {\n const store = loadTrustStore(trustStorePath)\n const heads = Object.values(store.transparencyHeadPins)\n return heads.length === 1 ? heads[0]! 
: null\n}\n\nexport async function getPublicOrgWitnessHead(\n apiBaseUrl: string,\n orgId: string,\n): Promise<{ version: number; hash: string } | null> {\n if (!shouldUseDefaultTransparencyWitness(apiBaseUrl)) {\n return null\n }\n\n const artifact = await fetchWitnessArtifact<OrgUserKeyDirectoryWitnessArtifact>(\n buildOrgUserKeyDirectoryWitnessPath(orgId),\n )\n\n if (\n artifact.kind !== 'org-user-key-directory' ||\n artifact.orgId !== orgId ||\n !verifyOrgUserKeyDirectoryWitnessArtifact(\n artifact,\n TRANSPARENCY_WITNESS_ROOT_PUBLIC_KEY_PEM,\n )\n ) {\n throw new Error(`Public transparency witness verification failed for org ${orgId}.`)\n }\n\n return artifact.head\n}\n\nasync function pinVaultUserPublicKeys(\n trustStorePath: string,\n orgId: string,\n publicKeys: MachineVaultUserPublicKey[],\n): Promise<MachineVaultUserPublicKey[]> {\n const store = loadTrustStore(trustStorePath)\n let changed = false\n\n for (const key of publicKeys) {\n const storageKey = getPinStorageKey(orgId, key.orgUserId)\n const computedFingerprint = getPublicKeyFingerprint(key.publicKey)\n\n if (computedFingerprint !== key.fingerprint) {\n throw new Error(`Server returned a mismatched fingerprint for user ${key.orgUserId}.`)\n }\n\n const existing = store.userKeyPins[storageKey]\n const verifiedAt = new Date().toISOString()\n\n if (!existing) {\n store.userKeyPins[storageKey] = {\n keyPairId: key.userKeyPairId,\n fingerprint: key.fingerprint,\n publicKey: key.publicKey,\n pinnedAt: verifiedAt,\n verifiedAt,\n }\n changed = true\n continue\n }\n\n if (existing.keyPairId === key.userKeyPairId) {\n if (existing.fingerprint !== key.fingerprint || existing.publicKey !== key.publicKey) {\n throw new Error(\n `Pinned public key ${key.userKeyPairId} changed unexpectedly for user ${key.orgUserId}.`,\n )\n }\n\n if (existing.verifiedAt !== verifiedAt) {\n store.userKeyPins[storageKey] = {\n ...existing,\n verifiedAt,\n }\n changed = true\n }\n continue\n }\n\n if (!key.previousUserKeyPairId 
|| key.previousUserKeyPairId !== existing.keyPairId || !key.rotationSignature) {\n throw new Error(`Public key rotation for user ${key.orgUserId} is missing a trusted continuity proof.`)\n }\n\n const rotationVerified = verifyUserKeyRotation(\n existing.keyPairId,\n key.publicKey,\n key.rotationSignature,\n existing.publicKey,\n )\n\n if (!rotationVerified) {\n throw new Error(`Public key rotation for user ${key.orgUserId} failed signature verification.`)\n }\n\n store.userKeyPins[storageKey] = {\n keyPairId: key.userKeyPairId,\n fingerprint: key.fingerprint,\n publicKey: key.publicKey,\n pinnedAt: existing.pinnedAt,\n verifiedAt,\n }\n changed = true\n }\n\n if (changed) {\n saveTrustStore(trustStorePath, store)\n }\n\n return publicKeys\n}\n\nasync function verifySignedUserKeyDirectory(\n trustStorePath: string,\n directory: MachineVaultUserKeyDirectoryResponse,\n anchorHead?: { version: number; hash: string } | null,\n): Promise<string | null> {\n if (!directory.directoryCheckpoint) {\n if (directory.publicKeys.length > 0) {\n throw new Error('Server omitted the user-key directory checkpoint for a non-empty vault signer directory.')\n }\n return null\n }\n\n const { directoryCheckpoint } = directory\n const orgId = directoryCheckpoint.checkpoint.orgId\n\n if (!directoryCheckpoint.signerOrgUserId || !directoryCheckpoint.signerPublicKey) {\n throw new Error('Server returned an incomplete user-key directory signer payload.')\n }\n\n const signerFingerprint = getPublicKeyFingerprint(directoryCheckpoint.signerPublicKey)\n const signerEntry = directoryCheckpoint.checkpoint.entries.find(\n (entry) =>\n entry.userKeyPairId === directoryCheckpoint.signerUserKeyPairId &&\n entry.orgUserId === directoryCheckpoint.signerOrgUserId,\n )\n const signerKey: MachineVaultUserPublicKey = {\n userKeyPairId: directoryCheckpoint.signerUserKeyPairId,\n orgUserId: directoryCheckpoint.signerOrgUserId,\n publicKey: directoryCheckpoint.signerPublicKey,\n fingerprint: signerFingerprint,\n 
previousUserKeyPairId: signerEntry?.previousUserKeyPairId ?? null,\n rotationSignature: signerEntry?.rotationSignature ?? null,\n }\n const storeBeforeVerification = loadTrustStore(trustStorePath)\n\n try {\n await pinVaultUserPublicKeys(trustStorePath, orgId, [signerKey])\n\n const verified = verifyUserKeyDirectoryCheckpoint(\n directoryCheckpoint.checkpoint,\n directoryCheckpoint.signature,\n directoryCheckpoint.signerPublicKey,\n )\n\n if (!verified) {\n throw new Error(`User-key directory signature verification failed for org ${orgId}.`)\n }\n if (!directory.transparency) {\n throw new Error(`Server omitted the user-key directory transparency proof for org ${orgId}.`)\n }\n\n const store = loadTrustStore(trustStorePath)\n const pinnedTransparencyHead = store.transparencyHeadPins[getDirectoryPinStorageKey(orgId)] ?? null\n const trustedPreviousHead = anchorHead ?? pinnedTransparencyHead\n const legacyPinnedVersion = store.checkpointVersionPins[getDirectoryPinStorageKey(orgId)] ?? null\n\n if (!trustedPreviousHead && legacyPinnedVersion !== null && directory.transparency.head.version < legacyPinnedVersion) {\n throw new Error(`User-key transparency head rolled back unexpectedly for org ${orgId}.`)\n }\n\n if (!trustedPreviousHead && directory.transparency.entries.length === 0) {\n throw new Error(`Server omitted the current transparency entry for org ${orgId}.`)\n }\n\n if (directory.transparency.entries.length > 0) {\n const currentProofEntry = directory.transparency.entries[directory.transparency.entries.length - 1]\n if (!currentProofEntry) {\n throw new Error(`Server returned an empty transparency proof for org ${orgId}.`)\n }\n\n const expectedCurrentEntry = buildUserKeyDirectoryTransparencyEntry({\n checkpoint: directoryCheckpoint.checkpoint,\n signerUserKeyPairId: directoryCheckpoint.signerUserKeyPairId,\n signerOrgUserId: directoryCheckpoint.signerOrgUserId,\n signerPublicKey: directoryCheckpoint.signerPublicKey,\n signature: 
directoryCheckpoint.signature,\n previousEntryHash: currentProofEntry.previousEntryHash ?? null,\n })\n\n if (expectedCurrentEntry.entryHash !== currentProofEntry.entryHash) {\n throw new Error(`User-key transparency entry does not match the signed directory for org ${orgId}.`)\n }\n\n if (anchorHead && directory.transparency.head.version === anchorHead.version) {\n if (directory.transparency.head.hash !== anchorHead.hash) {\n throw new Error(`Public transparency witness head fork detected for org ${orgId}.`)\n }\n\n if (\n currentProofEntry.entryHash !== anchorHead.hash ||\n expectedCurrentEntry.entryHash !== anchorHead.hash\n ) {\n throw new Error(`User-key transparency witness anchor mismatch for org ${orgId}.`)\n }\n } else if (\n !verifyUserKeyDirectoryTransparencyProof({\n currentEntry: expectedCurrentEntry,\n proof: directory.transparency,\n previousHead: trustedPreviousHead,\n })\n ) {\n throw new Error(`User-key transparency proof verification failed for org ${orgId}.`)\n }\n } else if (\n anchorHead &&\n directory.transparency.head.version === anchorHead.version\n ) {\n throw new Error(`Server omitted the current transparency entry required to verify org ${orgId} against the public witness.`)\n } else if (\n !trustedPreviousHead ||\n trustedPreviousHead.version !== directory.transparency.head.version ||\n trustedPreviousHead.hash !== directory.transparency.head.hash\n ) {\n throw new Error(`Server returned an incomplete user-key transparency proof for org ${orgId}.`)\n }\n\n assertAndPinTransparencyHead(trustStorePath, orgId, directory.transparency.head)\n\n const checkpointEntries = new Map(\n directoryCheckpoint.checkpoint.entries.map((entry) => [entry.userKeyPairId, entry]),\n )\n\n for (const key of directory.publicKeys) {\n const entry = checkpointEntries.get(key.userKeyPairId)\n\n if (!entry) {\n throw new Error(`User key ${key.userKeyPairId} is missing from the signed org directory.`)\n }\n\n if (\n entry.orgUserId !== key.orgUserId ||\n 
entry.fingerprint !== key.fingerprint ||\n entry.previousUserKeyPairId !== key.previousUserKeyPairId ||\n entry.rotationSignature !== key.rotationSignature\n ) {\n throw new Error(`User key ${key.userKeyPairId} does not match the signed org directory.`)\n }\n }\n\n return orgId\n } catch (error) {\n saveTrustStore(trustStorePath, storeBeforeVerification)\n throw error\n }\n}\n\n/**\n * Verifies the signed org directory first, then advances local per-user pins\n * only for the vault principals covered by that trusted directory.\n */\nexport async function verifyAndPinVaultUserPublicKeys(\n trustStorePath: string,\n directory: MachineVaultUserKeyDirectoryResponse,\n anchorHead?: { version: number; hash: string } | null,\n): Promise<MachineVaultUserPublicKey[]> {\n const orgId = await verifySignedUserKeyDirectory(trustStorePath, directory, anchorHead)\n if (!orgId) {\n return directory.publicKeys\n }\n return pinVaultUserPublicKeys(trustStorePath, orgId, directory.publicKeys)\n}\n\n/**\n * Rejects rollbacked checkpoint versions and persists the newest version so\n * subsequent SDK runs continue to enforce monotonic metadata history.\n */\nexport function assertAndPinCheckpointVersion(\n trustStorePath: string,\n storageKey: string,\n version: number,\n): void {\n const store = loadTrustStore(trustStorePath)\n const pinnedVersion = store.checkpointVersionPins[storageKey]\n\n if (pinnedVersion !== undefined && version < pinnedVersion) {\n throw new Error(`Checkpoint version rolled back unexpectedly for ${storageKey}.`)\n }\n\n if (pinnedVersion === undefined || version > pinnedVersion) {\n store.checkpointVersionPins[storageKey] = version\n saveTrustStore(trustStorePath, store)\n }\n}\n\nfunction assertAndPinTransparencyHead(\n trustStorePath: string,\n orgId: string,\n head: { version: number; hash: string },\n): void {\n const store = loadTrustStore(trustStorePath)\n const storageKey = getDirectoryPinStorageKey(orgId)\n const pinnedHead = 
store.transparencyHeadPins[storageKey]\n\n if (pinnedHead) {\n if (head.version < pinnedHead.version) {\n throw new Error(`User-key transparency head rolled back unexpectedly for org ${orgId}.`)\n }\n\n if (head.version === pinnedHead.version && head.hash !== pinnedHead.hash) {\n throw new Error(`User-key transparency head fork detected for org ${orgId}.`)\n }\n }\n\n if (!pinnedHead || head.version > pinnedHead.version) {\n store.transparencyHeadPins[storageKey] = head\n saveTrustStore(trustStorePath, store)\n }\n\n assertAndPinCheckpointVersion(trustStorePath, storageKey, head.version)\n}\n"],"mappings":";AAAA,OAAOA,WAAU;;;ACsBV,IAAM,WAAN,MAAe;AAAA,EACH;AAAA,EACA;AAAA,EAEjB,YAAY,QAAgB,SAAiB;AAC3C,SAAK,SAAS;AACd,SAAK,UAAU,QAAQ,QAAQ,OAAO,EAAE;AAAA,EAC1C;AAAA,EAEQ,eAAuC;AAC7C,WAAO;AAAA,MACL,aAAa,KAAK;AAAA,MAClB,gBAAgB;AAAA,IAClB;AAAA,EACF;AAAA,EAEA,MAAc,QAAWC,OAAc,MAA+B;AACpE,UAAM,WAAW,MAAM,MAAM,GAAG,KAAK,OAAO,GAAGA,KAAI,IAAI;AAAA,MACrD,GAAG;AAAA,MACH,SAAS;AAAA,QACP,GAAG,KAAK,aAAa;AAAA,QACrB,GAAI,KAAK,WAAW,CAAC;AAAA,MACvB;AAAA,IACF,CAAC;AAED,QAAI,CAAC,SAAS,IAAI;AAChB,YAAM,YAAa,MAAM,SAAS,KAAK,EAAE,MAAM,OAAO,CAAC,EAAE;AACzD,YAAM,eACJ,OAAO,UAAU,OAAO,YAAY,WAChC,UAAU,MAAM,UAChB,QAAQ,SAAS,MAAM,KAAK,SAAS,UAAU;AACrD,YAAM,YACJ,OAAO,UAAU,OAAO,SAAS,WAC7B,KAAK,UAAU,MAAM,IAAI,MACzB;AACN,YAAM,IAAI,MAAM,eAAe,SAAS,KAAK,YAAY,EAAE;AAAA,IAC7D;AAEA,QAAI,SAAS,WAAW,KAAK;AAC3B,aAAO;AAAA,IACT;AAEA,WAAO,SAAS,KAAK;AAAA,EACvB;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,uBACJ,MACwC;AACxC,WAAO,KAAK,QAAuC,oCAAoC;AAAA,MACrF,QAAQ;AAAA,MACR,MAAM,KAAK,UAAU,IAAI;AAAA,IAC3B,CAAC;AAAA,EACH;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,MAAM,WAAW,WAAwD;AACvE,UAAM,SAAS,YACX,cAAc,mBAAmB,SAAS,CAAC,KAC3C;AACJ,WAAO,KAAK,QAAmC,wBAAwB,MAAM,IAAI;AAAA,MAC/E,QAAQ;AAAA,IACV,CAAC;AAAA,EACH;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,mBAAmB,SAAqD;AAC5E,WAAO,KAAK;AAAA,MACV,yBAAyB,mBAAmB,OAAO,CAAC;AAAA,MACpD,EAAE,QAAQ,MAAM;AAAA,IAClB;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,MAAM,yBACJ,SACA,QAI+C;AAC/C,UAAM,eAAe,IAAI,gBAAgB;AACzC,QAAI,QAAQ,6BAA6B,QAAW;AAClD,mBAAa,I
AAI,4BAA4B,OAAO,OAAO,wBAAwB,CAAC;AAAA,IACtF;AACA,QAAI,QAAQ,uBAAuB;AACjC,mBAAa,IAAI,yBAAyB,OAAO,qBAAqB;AAAA,IACxE;AACA,UAAM,SAAS,aAAa,OAAO,IAAI,IAAI,aAAa,SAAS,CAAC,KAAK;AAEvE,WAAO,KAAK;AAAA,MACV,yBAAyB,mBAAmB,OAAO,CAAC,eAAe,MAAM;AAAA,MACzE,EAAE,QAAQ,MAAM;AAAA,IAClB;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,eAAe,SAAyD;AAC5E,WAAO,KAAK;AAAA,MACV,yBAAyB,mBAAmB,OAAO,CAAC;AAAA,MACpD,EAAE,QAAQ,MAAM;AAAA,IAClB;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,mBACJ,SACA,QACyC;AACzC,WAAO,KAAK;AAAA,MACV,yBAAyB,mBAAmB,OAAO,CAAC,UAAU,mBAAmB,MAAM,CAAC;AAAA,MACxF,EAAE,QAAQ,MAAM;AAAA,IAClB;AAAA,EACF;AACF;;;ACtJA,OAAO,YAAY;AACnB,OAAO,QAAQ;AACf,OAAO,UAAU;;;ACGjB,IAAM,sCAAsC;AAErC,IAAM,mCAAmC;AAEzC,IAAM,2CAA2C;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAwCjD,IAAM,yCAAyC,CACpD,OACA,SAEA;AAAA,EACE;AAAA,EACA;AAAA,EACA;AAAA,EACA,OAAO,KAAK,OAAO;AAAA,EACnB,KAAK;AACP,EAAE,KAAK,GAAG;AAcL,IAAM,sCAAsC,CAAC,UAClD,WAAW,KAAK;AAEX,IAAM,8BAA8B,CAAC,SAAiBC,UAC3D,GAAG,QAAQ,QAAQ,QAAQ,EAAE,CAAC,IAAIA,MAAK,QAAQ,QAAQ,EAAE,CAAC;AAE5D,SAAS,cAAc,YAAmC;AACxD,QAAM,UAAU,WAAW,KAAK;AAChC,MAAI,CAAC,SAAS;AACZ,WAAO;AAAA,EACT;AAEA,MAAI;AACF,UAAM,aAAa,QAAQ,SAAS,KAAK,IAAI,UAAU,WAAW,OAAO;AACzE,WAAO,IAAI,IAAI,UAAU,EAAE,SAAS,YAAY;AAAA,EAClD,QAAQ;AACN,WAAO;AAAA,EACT;AACF;AAEO,IAAM,sCAAsC,CAAC,eAAgC;AAClF,QAAM,WAAW,cAAc,UAAU;AACzC,SAAO,aAAa,YAAY,aAAa;AAC/C;;;AD9EA,IAAM,kBAAkB;AAAA,EACtB,SAAS,OAAO,UAAU;AAAA,EAC1B,UAAU;AACZ;AAEA,IAAM,sBAAsB;AAAA,EAC1B,SAAS,OAAO,UAAU;AAAA,EAC1B,YAAY;AACd;AAEA,IAAM,2BAA2B;AACjC,IAAM,uCAAuC;AAC7C,IAAM,+CAA+C;AACrD,IAAM,+BAA+B;AACrC,IAAM,kCAAkC;AACxC,IAAM,sCAAsC;AAS5C,SAAS,SAAS,KAAa,YAAoB,UAA0B;AAC3E,QAAM,YAAY,IACf,QAAQ,YAAY,EAAE,EACtB,QAAQ,UAAU,EAAE,EACpB,QAAQ,OAAO,EAAE;AAEpB,SAAO,OAAO,KAAK,WAAW,QAAQ;AACxC;AAEA,SAAS,yBAAyB,YAA4B;AAC5D,SAAO,OAAO,WAAW,QAAQ,EAAE,OAAO,OAAO,KAAK,YAAY,QAAQ,CAAC,EAAE,OAAO,KAAK;AAC3F;AAEA,SAAS,yBAAyB,QAAgB,eAA+B;AAC/E,SAAO,GAAG,MAAM,IAAI,OAAO,WAAW,QAAQ,EAAE,OAAO,eAAe,MAAM,EAAE,OAAO,KAAK,CAAC;AAC7F;AAKO,SAAS,eAAe,gBAAgC;AAC7D,SAAO,GAAG,aAAa,KAAK,QAAQ,cAAc,GAAG
,MAAM,EAAE,KAAK;AACpE;AAKO,SAAS,gBAAgB,eAA+B;AAC7D,SAAO,OAAO,gBAAgB,aAAa,EAAE,OAAO;AAAA,IAClD,MAAM;AAAA,IACN,QAAQ;AAAA,EACV,CAAC,EAAE,SAAS;AACd;AAMO,SAAS,wBAAwB,cAA8B;AACpE,QAAM,WAAW,SAAS,cAAc,8BAA8B,0BAA0B;AAChG,SAAO,OAAO,WAAW,QAAQ,EAAE,OAAO,QAAQ,EAAE,OAAO,KAAK;AAClE;AAEA,SAAS,4BAA4B,uBAA+B,yBAAyC;AAC3G,SAAO,GAAG,wBAAwB,IAAI,qBAAqB,IAAI,uBAAuB;AACxF;AA4BO,SAAS,sBACd,uBACA,iBACA,mBACA,sBACS;AACT,QAAM,UAAU;AAAA,IACd;AAAA,IACA,wBAAwB,eAAe;AAAA,EACzC;AAEA,MAAI;AACF,WAAO,OAAO;AAAA,MACZ;AAAA,MACA,OAAO,KAAK,SAAS,MAAM;AAAA,MAC3B;AAAA,QACE,KAAK;AAAA,QACL,GAAG;AAAA,MACL;AAAA,MACA,OAAO,KAAK,mBAAmB,QAAQ;AAAA,IACzC;AAAA,EACF,QAAQ;AACN,WAAO;AAAA,EACT;AACF;AAEO,SAAS,iCACd,SACA,WACA,cACS;AACT,MAAI;AACF,WAAO,OAAO;AAAA,MACZ;AAAA,MACA,OAAO,KAAK,SAAS,MAAM;AAAA,MAC3B;AAAA,QACE,KAAK;AAAA,QACL,GAAG;AAAA,MACL;AAAA,MACA,OAAO,KAAK,WAAW,QAAQ;AAAA,IACjC;AAAA,EACF,QAAQ;AACN,WAAO;AAAA,EACT;AACF;AAEO,SAAS,yCACd,UACA,cACS;AACT,SAAO;AAAA,IACL,uCAAuC,SAAS,OAAO,SAAS,IAAI;AAAA,IACpE,SAAS;AAAA,IACT;AAAA,EACF;AACF;AAaO,SAAS,oCACd,YAC4B;AAC5B,SAAO;AAAA,IACL,OAAO,WAAW;AAAA,IAClB,SAAS,WAAW;AAAA,IACpB,SAAS,CAAC,GAAG,WAAW,OAAO,EAC5B,IAAI,CAAC,WAAW;AAAA,MACf,eAAe,MAAM;AAAA,MACrB,WAAW,MAAM;AAAA,MACjB,aAAa,MAAM;AAAA,MACnB,uBAAuB,MAAM,yBAAyB;AAAA,MACtD,mBAAmB,MAAM,qBAAqB;AAAA,IAChD,EAAE,EACD,KAAK,CAAC,MAAM,UAAU,KAAK,cAAc,cAAc,MAAM,aAAa,CAAC;AAAA,EAChF;AACF;AAEO,SAAS,uCACd,YACQ;AACR,SAAO,KAAK,UAAU,oCAAoC,UAAU,CAAC;AACvE;AAEO,SAAS,uCACd,YACQ;AACR,SAAO;AAAA,IACL;AAAA,IACA,uCAAuC,UAAU;AAAA,EACnD;AACF;AAgBO,SAAS,iCACd,YACA,WACA,cACS;AACT,MAAI;AACF,WAAO,OAAO;AAAA,MACZ;AAAA,MACA,OAAO,KAAK,uCAAuC,UAAU,GAAG,MAAM;AAAA,MACtE;AAAA,QACE,KAAK;AAAA,QACL,GAAG;AAAA,MACL;AAAA,MACA,OAAO,KAAK,WAAW,QAAQ;AAAA,IACjC;AAAA,EACF,QAAQ;AACN,WAAO;AAAA,EACT;AACF;AAEO,SAAS,2CACd,OACQ;AACR,SAAO;AAAA,IACL;AAAA,IACA,KAAK,UAAU;AAAA,MACb,OAAO,MAAM;AAAA,MACb,SAAS,MAAM;AAAA,MACf,4BAA4B,MAAM;AAAA,MAClC,qBAAqB,MAAM;AAAA,MAC3B,iBAAiB,MAAM;AAAA,MACvB,mBAAmB,MAAM;AAAA,MACzB,WAAW,MAAM;AAAA,MACjB,mBAAmB,MAAM,qBAAqB;AAAA,IAChD,CAAC;AAAA,EACH;AACF;AAEO,SAAS
,uCAAuC,QAOjB;AACpC,QAAM,mBAAmB;AAAA,IACvB,OAAO,OAAO,WAAW;AAAA,IACzB,SAAS,OAAO,WAAW;AAAA,IAC3B,4BAA4B,uCAAuC,OAAO,UAAU;AAAA,IACpF,qBAAqB,OAAO;AAAA,IAC5B,iBAAiB,OAAO;AAAA,IACxB,mBAAmB,wBAAwB,OAAO,eAAe;AAAA,IACjE,WAAW,OAAO;AAAA,IAClB,mBAAmB,OAAO,qBAAqB;AAAA,EACjD;AAEA,SAAO;AAAA,IACL,GAAG;AAAA,IACH,WAAW,2CAA2C,gBAAgB;AAAA,EACxE;AACF;AAEO,SAAS,wCAAwC,QAI5C;AACV,MACE,OAAO,MAAM,KAAK,YAAY,OAAO,aAAa,WAClD,OAAO,MAAM,KAAK,SAAS,OAAO,aAAa,WAC/C;AACA,WAAO;AAAA,EACT;AAEA,MAAI,CAAC,OAAO,cAAc;AACxB,QAAI,OAAO,MAAM,QAAQ,WAAW,GAAG;AACrC,aAAO;AAAA,IACT;AAEA,aAAS,QAAQ,GAAG,QAAQ,OAAO,MAAM,QAAQ,QAAQ,SAAS;AAChE,YAAM,QAAQ,OAAO,MAAM,QAAQ,KAAK;AACxC,UAAI,CAAC,OAAO;AACV,eAAO;AAAA,MACT;AAEA,YAAM,eAAe,2CAA2C;AAAA,QAC9D,OAAO,MAAM;AAAA,QACb,SAAS,MAAM;AAAA,QACf,4BAA4B,MAAM;AAAA,QAClC,qBAAqB,MAAM;AAAA,QAC3B,iBAAiB,MAAM;AAAA,QACvB,mBAAmB,MAAM;AAAA,QACzB,WAAW,MAAM;AAAA,QACjB,mBAAmB,MAAM;AAAA,MAC3B,CAAC;AAED,UAAI,iBAAiB,MAAM,WAAW;AACpC,eAAO;AAAA,MACT;AAEA,UAAI,UAAU,GAAG;AACf;AAAA,MACF;AAEA,YAAM,gBAAgB,OAAO,MAAM,QAAQ,QAAQ,CAAC;AACpD,UAAI,CAAC,eAAe;AAClB,eAAO;AAAA,MACT;AAEA,UAAI,MAAM,sBAAsB,cAAc,aAAa,MAAM,YAAY,cAAc,UAAU,GAAG;AACtG,eAAO;AAAA,MACT;AAAA,IACF;AAEA,UAAM,YAAY,OAAO,MAAM,QAAQ,OAAO,MAAM,QAAQ,SAAS,CAAC;AACtE,WAAO,WAAW,cAAc,OAAO,aAAa,aAAa,UAAU,YAAY,OAAO,aAAa;AAAA,EAC7G;AAEA,MAAI,OAAO,aAAa,UAAU,OAAO,aAAa,SAAS;AAC7D,WAAO;AAAA,EACT;AAEA,MAAI,OAAO,aAAa,YAAY,OAAO,aAAa,SAAS;AAC/D,WAAO,OAAO,aAAa,cAAc,OAAO,aAAa,QAAQ,OAAO,MAAM,QAAQ,WAAW;AAAA,EACvG;AAEA,MAAI,OAAO,MAAM,QAAQ,WAAW,GAAG;AACrC,WAAO;AAAA,EACT;AAEA,MAAI,kBAAkB,OAAO,aAAa;AAC1C,MAAI,eAAe,OAAO,aAAa;AAEvC,aAAW,SAAS,OAAO,MAAM,SAAS;AACxC,UAAM,eAAe,2CAA2C;AAAA,MAC9D,OAAO,MAAM;AAAA,MACb,SAAS,MAAM;AAAA,MACf,4BAA4B,MAAM;AAAA,MAClC,qBAAqB,MAAM;AAAA,MAC3B,iBAAiB,MAAM;AAAA,MACvB,mBAAmB,MAAM;AAAA,MACzB,WAAW,MAAM;AAAA,MACjB,mBAAmB,MAAM;AAAA,IAC3B,CAAC;AAED,QACE,iBAAiB,MAAM,aACvB,MAAM,sBAAsB,gBAC5B,MAAM,YAAY,kBAAkB,GACpC;AACA,aAAO;AAAA,IACT;AAEA,sBAAkB,MAAM;AACxB,mBAAe,MAAM;AAAA,EACvB;AAEA,SAAO,iBAAiB,OAAO,aAAa,aAAa,oBAAoB,OAAO,aAAa;AACnG;AAEA,SAAS,gCACP,SACA,gBAC
A,qBACA,YACA,YACQ;AACR,SAAO;AAAA,IACL;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA,OAAO,UAAU;AAAA,IACjB,yBAAyB,UAAU;AAAA,EACrC,EAAE,KAAK,GAAG;AACZ;AAkCO,SAAS,0BACd,SACA,gBACA,qBACA,YACA,YACA,qBACA,oBACS;AACT,QAAM,UAAU;AAAA,IACd;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,EACF;AAEA,MAAI;AACF,WAAO,OAAO;AAAA,MACZ;AAAA,MACA,OAAO,KAAK,SAAS,MAAM;AAAA,MAC3B;AAAA,QACE,KAAK;AAAA,QACL,GAAG;AAAA,MACL;AAAA,MACA,OAAO,KAAK,qBAAqB,QAAQ;AAAA,IAC3C;AAAA,EACF,QAAQ;AACN,WAAO;AAAA,EACT;AACF;AAEO,SAAS,gCACd,YACwB;AACxB,SAAO;AAAA,IACL,SAAS,WAAW;AAAA,IACpB,SAAS,WAAW;AAAA,IACpB,MAAM,WAAW;AAAA,IACjB,oBAAoB,WAAW,sBAAsB;AAAA,IACrD,mBAAmB,WAAW,qBAAqB;AAAA,IACnD,OAAO,CAAC,GAAG,WAAW,KAAK,EACxB,IAAI,CAAC,UAAU;AAAA,MACd,IAAI,KAAK;AAAA,MACT,MAAM,KAAK;AAAA,MACX,MAAM,KAAK,QAAQ;AAAA,MACnB,UAAU,CAAC,GAAG,KAAK,QAAQ;AAAA,MAC3B,SAAS,KAAK,WAAW;AAAA,IAC3B,EAAE,EACD,KAAK,CAAC,MAAM,UAAU,KAAK,GAAG,cAAc,MAAM,EAAE,CAAC;AAAA,IACxD,QAAQ,CAAC,GAAG,WAAW,MAAM,EAC1B,IAAI,CAAC,WAAW;AAAA,MACf,IAAI,MAAM;AAAA,MACV,MAAM,MAAM;AAAA,MACZ,UAAU,MAAM,YAAY;AAAA,IAC9B,EAAE,EACD,KAAK,CAAC,MAAM,UAAU,KAAK,GAAG,cAAc,MAAM,EAAE,CAAC;AAAA,EAC1D;AACF;AAEO,SAAS,mCACd,YACQ;AACR,SAAO,KAAK,UAAU,gCAAgC,UAAU,CAAC;AACnE;AAEO,SAAS,mCACd,YACQ;AACR,SAAO;AAAA,IACL;AAAA,IACA,mCAAmC,UAAU;AAAA,EAC/C;AACF;AAEO,SAAS,6BACd,YACA,WACA,cACS;AACT,MAAI;AACF,WAAO,OAAO;AAAA,MACZ;AAAA,MACA,OAAO,KAAK,mCAAmC,UAAU,GAAG,MAAM;AAAA,MAClE;AAAA,QACE,KAAK;AAAA,QACL,GAAG;AAAA,MACL;AAAA,MACA,OAAO,KAAK,WAAW,QAAQ;AAAA,IACjC;AAAA,EACF,QAAQ;AACN,WAAO;AAAA,EACT;AACF;AAgBO,SAAS,mCACd,YAC2B;AAC3B,SAAO;AAAA,IACL,aAAa,WAAW;AAAA,IACxB,SAAS,WAAW;AAAA,IACpB,SAAS,WAAW;AAAA,IACpB,MAAM,WAAW;AAAA,IACjB,MAAM,WAAW,QAAQ;AAAA,IACzB,UAAU,CAAC,GAAG,WAAW,QAAQ;AAAA,IACjC,SAAS,WAAW,WAAW;AAAA,IAC/B,QAAQ,CAAC,GAAG,WAAW,MAAM,EAC1B,IAAI,CAAC,WAAW;AAAA,MACf,IAAI,MAAM;AAAA,MACV,MAAM,MAAM;AAAA,MACZ,MAAM,MAAM;AAAA,MACZ,OAAO,MAAM;AAAA,MACb,kBAAkB,CAAC,GAAG,MAAM,gBAAgB,EAAE,KAAK;AAAA,MACnD,UAAU,CAAC,GAAG,MAAM,QAAQ,EAAE,KAAK;AAAA,IACrC,EAAE,EACD,KAAK,CAAC,MAAM,UAAU,KAAK,QAAQ,MAAM,SAAS,KAAK,GAAG,cAAc,MAAM,EAAE,CAA
C;AAAA,EACtF;AACF;AAEO,SAAS,sCACd,YACQ;AACR,SAAO,KAAK,UAAU,mCAAmC,UAAU,CAAC;AACtE;AAEO,SAAS,sCACd,YACQ;AACR,SAAO;AAAA,IACL;AAAA,IACA,sCAAsC,UAAU;AAAA,EAClD;AACF;AAEO,SAAS,gCACd,YACA,WACA,cACS;AACT,MAAI;AACF,WAAO,OAAO;AAAA,MACZ;AAAA,MACA,OAAO,KAAK,sCAAsC,UAAU,GAAG,MAAM;AAAA,MACrE;AAAA,QACE,KAAK;AAAA,QACL,GAAG;AAAA,MACL;AAAA,MACA,OAAO,KAAK,WAAW,QAAQ;AAAA,IACjC;AAAA,EACF,QAAQ;AACN,WAAO;AAAA,EACT;AACF;AAmBO,SAAS,gBAAgB,OAAwB;AACtD,MAAI,CAAC,MAAM,WAAW,GAAG,GAAG;AAC1B,WAAO;AAAA,EACT;AAEA,MAAI;AACF,UAAM,SAAS,KAAK,MAAM,KAAK;AAC/B,WAAO,OAAO,MAAM;AAAA,EACtB,QAAQ;AACN,WAAO;AAAA,EACT;AACF;AAKO,SAAS,oBAAoB,gBAAwB,KAAqB;AAC/E,MAAI,CAAC,gBAAgB,cAAc,GAAG;AACpC,UAAM,IAAI,MAAM,4DAA4D;AAAA,EAC9E;AAEA,QAAM,WAAW,KAAK,MAAM,cAAc;AAC1C,QAAM,WAAW,OAAO,iBAAiB,eAAe,KAAK,OAAO,KAAK,SAAS,IAAI,QAAQ,CAAC;AAC/F,WAAS,WAAW,OAAO,KAAK,SAAS,GAAG,QAAQ,CAAC;AACrD,QAAM,YAAY,OAAO,OAAO;AAAA,IAC9B,SAAS,OAAO,OAAO,KAAK,SAAS,GAAG,QAAQ,CAAC;AAAA,IACjD,SAAS,MAAM;AAAA,EACjB,CAAC;AACD,SAAO,UAAU,SAAS,MAAM;AAClC;AAMO,SAAS,wBAAwB,OAAe,KAAqB;AAC1E,SAAO,gBAAgB,KAAK,IAAI,oBAAoB,OAAO,GAAG,IAAI;AACpE;AAsBO,SAAS,wBAAwB,YAAoB,eAA+B;AACzF,SAAO,OAAO;AAAA,IACZ,EAAE,KAAK,eAAe,GAAG,gBAAgB;AAAA,IACzC,OAAO,KAAK,YAAY,QAAQ;AAAA,EAClC;AACF;;;AEjrBA,OAAOC,SAAQ;AACf,OAAOC,WAAU;AAqCjB,SAAS,eAAe,gBAAoC;AAC1D,MAAI;AACF,UAAM,MAAMC,IAAG,aAAa,gBAAgB,MAAM;AAClD,UAAM,SAAS,KAAK,MAAM,GAAG;AAC7B,WAAO;AAAA,MACL,SAAS;AAAA,MACT,aAAa,OAAO,eAAe,CAAC;AAAA,MACpC,uBAAuB,OAAO,yBAAyB,CAAC;AAAA,MACxD,sBAAsB,OAAO,wBAAwB,CAAC;AAAA,IACxD;AAAA,EACF,QAAQ;AACN,WAAO;AAAA,MACL,SAAS;AAAA,MACT,aAAa,CAAC;AAAA,MACd,uBAAuB,CAAC;AAAA,MACxB,sBAAsB,CAAC;AAAA,IACzB;AAAA,EACF;AACF;AAEA,SAAS,eAAe,gBAAwB,OAAyB;AACvE,EAAAA,IAAG,UAAUC,MAAK,QAAQ,cAAc,GAAG,EAAE,WAAW,KAAK,CAAC;AAC9D,EAAAD,IAAG,cAAc,gBAAgB,KAAK,UAAU,OAAO,MAAM,CAAC,IAAI,MAAM,MAAM;AAChF;AAEA,SAAS,iBAAiB,OAAe,WAA2B;AAClE,SAAO,GAAG,KAAK,IAAI,SAAS;AAC9B;AAEA,SAAS,0BAA0B,OAAuB;AACxD,SAAO,OAAO,KAAK;AACrB;AAEA,eAAe,qBAAwB,UAA8B;AACnE,QAAM,WAAW,MAAM;AAAA,IACrB,4BAA4B,kCAAkC,QAAQ;AAAA,IACtE;AAAA,MACE,OAAO;AAAA,IACT;AAAA,EACF;AA
EA,MAAI,CAAC,SAAS,IAAI;AAChB,UAAM,IAAI;AAAA,MACR,yDAAyD,SAAS,MAAM;AAAA,IAI1E;AAAA,EACF;AAEA,SAAO,SAAS,KAAK;AACvB;AAUO,SAAS,gCACd,gBAC0C;AAC1C,QAAM,QAAQ,eAAe,cAAc;AAC3C,QAAM,QAAQ,OAAO,OAAO,MAAM,oBAAoB;AACtD,SAAO,MAAM,WAAW,IAAI,MAAM,CAAC,IAAK;AAC1C;AAEA,eAAsB,wBACpB,YACA,OACmD;AACnD,MAAI,CAAC,oCAAoC,UAAU,GAAG;AACpD,WAAO;AAAA,EACT;AAEA,QAAM,WAAW,MAAM;AAAA,IACrB,oCAAoC,KAAK;AAAA,EAC3C;AAEA,MACE,SAAS,SAAS,4BAClB,SAAS,UAAU,SACnB,CAAC;AAAA,IACC;AAAA,IACA;AAAA,EACF,GACA;AACA,UAAM,IAAI,MAAM,2DAA2D,KAAK,GAAG;AAAA,EACrF;AAEA,SAAO,SAAS;AAClB;AAEA,eAAe,uBACb,gBACA,OACA,YACsC;AACtC,QAAM,QAAQ,eAAe,cAAc;AAC3C,MAAI,UAAU;AAEd,aAAW,OAAO,YAAY;AAC5B,UAAM,aAAa,iBAAiB,OAAO,IAAI,SAAS;AACxD,UAAM,sBAAsB,wBAAwB,IAAI,SAAS;AAEjE,QAAI,wBAAwB,IAAI,aAAa;AAC3C,YAAM,IAAI,MAAM,qDAAqD,IAAI,SAAS,GAAG;AAAA,IACvF;AAEA,UAAM,WAAW,MAAM,YAAY,UAAU;AAC7C,UAAM,cAAa,oBAAI,KAAK,GAAE,YAAY;AAE1C,QAAI,CAAC,UAAU;AACb,YAAM,YAAY,UAAU,IAAI;AAAA,QAC9B,WAAW,IAAI;AAAA,QACf,aAAa,IAAI;AAAA,QACjB,WAAW,IAAI;AAAA,QACf,UAAU;AAAA,QACV;AAAA,MACF;AACA,gBAAU;AACV;AAAA,IACF;AAEA,QAAI,SAAS,cAAc,IAAI,eAAe;AAC5C,UAAI,SAAS,gBAAgB,IAAI,eAAe,SAAS,cAAc,IAAI,WAAW;AACpF,cAAM,IAAI;AAAA,UACR,qBAAqB,IAAI,aAAa,kCAAkC,IAAI,SAAS;AAAA,QACvF;AAAA,MACF;AAEA,UAAI,SAAS,eAAe,YAAY;AACtC,cAAM,YAAY,UAAU,IAAI;AAAA,UAC9B,GAAG;AAAA,UACH;AAAA,QACF;AACA,kBAAU;AAAA,MACZ;AACA;AAAA,IACF;AAEA,QAAI,CAAC,IAAI,yBAAyB,IAAI,0BAA0B,SAAS,aAAa,CAAC,IAAI,mBAAmB;AAC5G,YAAM,IAAI,MAAM,gCAAgC,IAAI,SAAS,yCAAyC;AAAA,IACxG;AAEA,UAAM,mBAAmB;AAAA,MACvB,SAAS;AAAA,MACT,IAAI;AAAA,MACJ,IAAI;AAAA,MACJ,SAAS;AAAA,IACX;AAEA,QAAI,CAAC,kBAAkB;AACrB,YAAM,IAAI,MAAM,gCAAgC,IAAI,SAAS,iCAAiC;AAAA,IAChG;AAEA,UAAM,YAAY,UAAU,IAAI;AAAA,MAC9B,WAAW,IAAI;AAAA,MACf,aAAa,IAAI;AAAA,MACjB,WAAW,IAAI;AAAA,MACf,UAAU,SAAS;AAAA,MACnB;AAAA,IACF;AACA,cAAU;AAAA,EACZ;AAEA,MAAI,SAAS;AACX,mBAAe,gBAAgB,KAAK;AAAA,EACtC;AAEA,SAAO;AACT;AAEA,eAAe,6BACb,gBACA,WACA,YACwB;AACxB,MAAI,CAAC,UAAU,qBAAqB;AAClC,QAAI,UAAU,WAAW,SAAS,GAAG;AACnC,YAAM,IAAI,MAAM,0FAA0F;AAAA,IAC5G;AACA,WAAO;AAAA,EACT;AAEA,QAAM,EAAE,oBAAoB,IAAI;AAChC,QAAM,QA
AQ,oBAAoB,WAAW;AAE7C,MAAI,CAAC,oBAAoB,mBAAmB,CAAC,oBAAoB,iBAAiB;AAChF,UAAM,IAAI,MAAM,kEAAkE;AAAA,EACpF;AAEA,QAAM,oBAAoB,wBAAwB,oBAAoB,eAAe;AACrF,QAAM,cAAc,oBAAoB,WAAW,QAAQ;AAAA,IACzD,CAAC,UACC,MAAM,kBAAkB,oBAAoB,uBAC5C,MAAM,cAAc,oBAAoB;AAAA,EAC5C;AACA,QAAM,YAAuC;AAAA,IAC3C,eAAe,oBAAoB;AAAA,IACnC,WAAW,oBAAoB;AAAA,IAC/B,WAAW,oBAAoB;AAAA,IAC/B,aAAa;AAAA,IACb,uBAAuB,aAAa,yBAAyB;AAAA,IAC7D,mBAAmB,aAAa,qBAAqB;AAAA,EACvD;AACA,QAAM,0BAA0B,eAAe,cAAc;AAE7D,MAAI;AACF,UAAM,uBAAuB,gBAAgB,OAAO,CAAC,SAAS,CAAC;AAE/D,UAAM,WAAW;AAAA,MACf,oBAAoB;AAAA,MACpB,oBAAoB;AAAA,MACpB,oBAAoB;AAAA,IACtB;AAEA,QAAI,CAAC,UAAU;AACb,YAAM,IAAI,MAAM,4DAA4D,KAAK,GAAG;AAAA,IACtF;AACA,QAAI,CAAC,UAAU,cAAc;AAC3B,YAAM,IAAI,MAAM,oEAAoE,KAAK,GAAG;AAAA,IAC9F;AAEA,UAAM,QAAQ,eAAe,cAAc;AAC3C,UAAM,yBAAyB,MAAM,qBAAqB,0BAA0B,KAAK,CAAC,KAAK;AAC/F,UAAM,sBAAsB,cAAc;AAC1C,UAAM,sBAAsB,MAAM,sBAAsB,0BAA0B,KAAK,CAAC,KAAK;AAE7F,QAAI,CAAC,uBAAuB,wBAAwB,QAAQ,UAAU,aAAa,KAAK,UAAU,qBAAqB;AACrH,YAAM,IAAI,MAAM,+DAA+D,KAAK,GAAG;AAAA,IACzF;AAEA,QAAI,CAAC,uBAAuB,UAAU,aAAa,QAAQ,WAAW,GAAG;AACvE,YAAM,IAAI,MAAM,yDAAyD,KAAK,GAAG;AAAA,IACnF;AAEA,QAAI,UAAU,aAAa,QAAQ,SAAS,GAAG;AAC7C,YAAM,oBAAoB,UAAU,aAAa,QAAQ,UAAU,aAAa,QAAQ,SAAS,CAAC;AAClG,UAAI,CAAC,mBAAmB;AACtB,cAAM,IAAI,MAAM,uDAAuD,KAAK,GAAG;AAAA,MACjF;AAEA,YAAM,uBAAuB,uCAAuC;AAAA,QAClE,YAAY,oBAAoB;AAAA,QAChC,qBAAqB,oBAAoB;AAAA,QACzC,iBAAiB,oBAAoB;AAAA,QACrC,iBAAiB,oBAAoB;AAAA,QACrC,WAAW,oBAAoB;AAAA,QAC/B,mBAAmB,kBAAkB,qBAAqB;AAAA,MAC5D,CAAC;AAED,UAAI,qBAAqB,cAAc,kBAAkB,WAAW;AAClE,cAAM,IAAI,MAAM,2EAA2E,KAAK,GAAG;AAAA,MACrG;AAEA,UAAI,cAAc,UAAU,aAAa,KAAK,YAAY,WAAW,SAAS;AAC5E,YAAI,UAAU,aAAa,KAAK,SAAS,WAAW,MAAM;AACxD,gBAAM,IAAI,MAAM,0DAA0D,KAAK,GAAG;AAAA,QACpF;AAEA,YACE,kBAAkB,cAAc,WAAW,QAC3C,qBAAqB,cAAc,WAAW,MAC9C;AACA,gBAAM,IAAI,MAAM,yDAAyD,KAAK,GAAG;AAAA,QACnF;AAAA,MACF,WACE,CAAC,wCAAwC;AAAA,QACvC,cAAc;AAAA,QACd,OAAO,UAAU;AAAA,QACjB,cAAc;AAAA,MAChB,CAAC,GACD;AACA,cAAM,IAAI,MAAM,2DAA2D,KAAK,GAAG;AAAA,MACrF;AAAA,IACF,WACE,cACA,UAAU,aAAa,KAAK,YAAY,WAAW,SACnD;AACA,YAAM,IAAI,MAAM,wEAAwE,KAAK,8BAA8B
;AAAA,IAC7H,WACE,CAAC,uBACD,oBAAoB,YAAY,UAAU,aAAa,KAAK,WAC5D,oBAAoB,SAAS,UAAU,aAAa,KAAK,MACzD;AACA,YAAM,IAAI,MAAM,qEAAqE,KAAK,GAAG;AAAA,IAC/F;AAEA,iCAA6B,gBAAgB,OAAO,UAAU,aAAa,IAAI;AAE/E,UAAM,oBAAoB,IAAI;AAAA,MAC5B,oBAAoB,WAAW,QAAQ,IAAI,CAAC,UAAU,CAAC,MAAM,eAAe,KAAK,CAAC;AAAA,IACpF;AAEA,eAAW,OAAO,UAAU,YAAY;AACtC,YAAM,QAAQ,kBAAkB,IAAI,IAAI,aAAa;AAErD,UAAI,CAAC,OAAO;AACV,cAAM,IAAI,MAAM,YAAY,IAAI,aAAa,4CAA4C;AAAA,MAC3F;AAEA,UACE,MAAM,cAAc,IAAI,aACxB,MAAM,gBAAgB,IAAI,eAC1B,MAAM,0BAA0B,IAAI,yBACpC,MAAM,sBAAsB,IAAI,mBAChC;AACA,cAAM,IAAI,MAAM,YAAY,IAAI,aAAa,2CAA2C;AAAA,MAC1F;AAAA,IACF;AAEA,WAAO;AAAA,EACT,SAAS,OAAO;AACd,mBAAe,gBAAgB,uBAAuB;AACtD,UAAM;AAAA,EACR;AACF;AAMA,eAAsB,gCACpB,gBACA,WACA,YACsC;AACtC,QAAM,QAAQ,MAAM,6BAA6B,gBAAgB,WAAW,UAAU;AACtF,MAAI,CAAC,OAAO;AACV,WAAO,UAAU;AAAA,EACnB;AACA,SAAO,uBAAuB,gBAAgB,OAAO,UAAU,UAAU;AAC3E;AAMO,SAAS,8BACd,gBACA,YACA,SACM;AACN,QAAM,QAAQ,eAAe,cAAc;AAC3C,QAAM,gBAAgB,MAAM,sBAAsB,UAAU;AAE5D,MAAI,kBAAkB,UAAa,UAAU,eAAe;AAC1D,UAAM,IAAI,MAAM,mDAAmD,UAAU,GAAG;AAAA,EAClF;AAEA,MAAI,kBAAkB,UAAa,UAAU,eAAe;AAC1D,UAAM,sBAAsB,UAAU,IAAI;AAC1C,mBAAe,gBAAgB,KAAK;AAAA,EACtC;AACF;AAEA,SAAS,6BACP,gBACA,OACA,MACM;AACN,QAAM,QAAQ,eAAe,cAAc;AAC3C,QAAM,aAAa,0BAA0B,KAAK;AAClD,QAAM,aAAa,MAAM,qBAAqB,UAAU;AAExD,MAAI,YAAY;AACd,QAAI,KAAK,UAAU,WAAW,SAAS;AACrC,YAAM,IAAI,MAAM,+DAA+D,KAAK,GAAG;AAAA,IACzF;AAEA,QAAI,KAAK,YAAY,WAAW,WAAW,KAAK,SAAS,WAAW,MAAM;AACxE,YAAM,IAAI,MAAM,oDAAoD,KAAK,GAAG;AAAA,IAC9E;AAAA,EACF;AAEA,MAAI,CAAC,cAAc,KAAK,UAAU,WAAW,SAAS;AACpD,UAAM,qBAAqB,UAAU,IAAI;AACzC,mBAAe,gBAAgB,KAAK;AAAA,EACtC;AAEA,gCAA8B,gBAAgB,YAAY,KAAK,OAAO;AACxE;;;AJ1YA,IAAM,0BAA0B;AAChC,IAAM,sBAAsB;AAE5B,SAAS,qBAAqB,OAAuB;AACnD,SAAO,MACJ,QAAQ,iBAAiB,GAAG,EAC5B,QAAQ,OAAO,GAAG,EAClB,QAAQ,UAAU,EAAE,EACpB,YAAY;AACjB;AAEA,SAAS,sBAAsB,QAA0B;AACvD,MAAI,OAAO,gBAAgB;AACzB,WAAOE,MAAK,QAAQ,OAAO,cAAc;AAAA,EAC3C;AAEA,MAAI,OAAO,gBAAgB;AACzB,WAAO,GAAGA,MAAK,QAAQ,OAAO,cAAc,CAAC;AAAA,EAC/C;AAEA,SAAOA,MAAK,QAAQ,QAAQ,IAAI,GAAG,sBAAsB;AAC3D;AAEA,SAAS,kBAAkB,QAA0B;AACnD,MAAI,OAAO,SAAS;AAClB,WAAO,O
AAO;AAAA,EAChB;AAEA,SAAO,OAAO,MAAM,sBAAsB;AAC5C;AAEA,SAAS,4CACP,UACA,SACwB;AACxB,SAAO;AAAA,IACL,SAAS,SAAS;AAAA,IAClB;AAAA,IACA,MAAM,SAAS;AAAA,IACf,oBAAoB,SAAS,sBAAsB;AAAA,IACnD,mBAAmB,SAAS,qBAAqB;AAAA,IACjD,OAAO,SAAS,MAAM,IAAI,CAAC,UAAU;AAAA,MACnC,IAAI,KAAK;AAAA,MACT,MAAM,KAAK;AAAA,MACX,MAAM,KAAK,QAAQ;AAAA,MACnB,UAAU,KAAK,YAAY,CAAC;AAAA,MAC5B,SAAS,KAAK,WAAW;AAAA,IAC3B,EAAE;AAAA,IACF,QAAQ,SAAS,gBAAgB,IAAI,CAAC,WAAW;AAAA,MAC/C,IAAI,MAAM;AAAA,MACV,MAAM,MAAM;AAAA,MACZ,UAAU,MAAM,YAAY;AAAA,IAC9B,EAAE;AAAA,EACJ;AACF;AAEA,SAAS,2CACP,MACA,SAC2B;AAC3B,SAAO;AAAA,IACL,aAAa,KAAK;AAAA,IAClB,SAAS,KAAK;AAAA,IACd;AAAA,IACA,MAAM,KAAK;AAAA,IACX,MAAM,KAAK,QAAQ;AAAA,IACnB,UAAU,KAAK,YAAY,CAAC;AAAA,IAC5B,SAAS,KAAK,WAAW;AAAA,IACzB,QAAQ,KAAK,OAAO,IAAI,CAAC,OAAO,WAAW;AAAA,MACzC,IAAI,MAAM;AAAA,MACV,MAAM,MAAM;AAAA,MACZ,MAAM,MAAM;AAAA,MACZ,OAAO,MAAM,SAAS;AAAA,MACtB,kBAAkB,MAAM,oBAAoB,CAAC;AAAA,MAC7C,UAAU,MAAM,YAAY,CAAC;AAAA,IAC/B,EAAE;AAAA,EACJ;AACF;AAUO,IAAM,KAAN,MAAM,IAAG;AAAA,EACG;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACT,OAAqB;AAAA,EAE7B,YAAY,QAAkB;AAC5B,QAAI,CAAC,OAAO,QAAQ;AAClB,YAAM,IAAI,MAAM,4BAA4B;AAAA,IAC9C;AAEA,QAAI,CAAC,OAAO,cAAc,CAAC,OAAO,gBAAgB;AAChD,YAAM,IAAI;AAAA,QACR;AAAA,MACF;AAAA,IACF;AAEA,UAAM,UAAU,kBAAkB,MAAM;AACxC,SAAK,UAAU;AACf,SAAK,SAAS,IAAI,SAAS,OAAO,QAAQ,OAAO;AACjD,SAAK,YAAY,OAAO;AACxB,SAAK,gBAAgB,OAAO,cAAc,eAAe,OAAO,cAAe;AAC/E,SAAK,eAAe,gBAAgB,KAAK,aAAa;AACtD,SAAK,iBAAiB,sBAAsB,MAAM;AAAA,EACpD;AAAA;AAAA;AAAA;AAAA,EAKA,aAAa,OAAO,QAA+B;AACjD,UAAM,WAAW,IAAI,IAAG,MAAM;AAC9B,UAAM,SAAS,KAAK;AACpB,WAAO;AAAA,EACT;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,MAAM,OAAsB;AAC1B,SAAK,OAAO,MAAM,KAAK,SAAS;AAAA,EAClC;AAAA;AAAA;AAAA;AAAA,EAKA,IAAI,MAAa;AACf,QAAI,CAAC,KAAK,MAAM;AACd,YAAM,IAAI;AAAA,QACR;AAAA,MACF;AAAA,IACF;AACA,WAAO,KAAK;AAAA,EACd;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,UAAyB;AAC7B,SAAK,OAAO,MAAM,KAAK,SAAS;AAAA,EAClC;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOA,MAAc,WAA2B;AACvC,QAAI;AACF,YAAM,KAAK,OAAO,uBAAuB;AAAA,QACvC,WAAW,KAAK;AAAA,MAClB,CAAC;AAAA,IACH,SAAS,OAAO;AACd,YAAM,IAAI;AAAA,QA
CR,gJACE,iBAAiB,QAAQ,MAAM,UAAU,OAAO,KAAK,CACvD;AAAA,MACF;AAAA,IACF;AAEA,UAAM,EAAE,OAAO,IAAI,MAAM,KAAK,OAAO,WAAW,KAAK,SAAS;AAC9D,UAAM,aAAa,MAAM,QAAQ,IAAI,OAAO,IAAI,CAAC,UAAU,KAAK,cAAc,MAAM,EAAE,CAAC,CAAC;AAExF,WAAO,OAAO,OAAO,CAAC,GAAG,GAAG,UAAU;AAAA,EACxC;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOA,MAAc,cAAc,SAAiC;AAC3D,UAAM,yBAAyB,gCAAgC,KAAK,cAAc;AAClF,UAAM,CAAC,YAAY,eAAe,yBAAyB,IAAI,MAAM,QAAQ,IAAI;AAAA,MAC/E,KAAK,OAAO,mBAAmB,OAAO;AAAA,MACtC,KAAK,OAAO,eAAe,OAAO;AAAA,MAClC,KAAK,OAAO;AAAA,QACV;AAAA,QACA,yBACI;AAAA,UACE,0BAA0B,uBAAuB;AAAA,UACjD,uBAAuB,uBAAuB;AAAA,QAChD,IACA;AAAA,MACN;AAAA,IACF,CAAC;AAED,QAAI,qBAAqB;AACzB,QAAI,oBAA8D;AAElE,QAAI,CAAC,wBAAwB;AAC3B,YAAM,QAAQ,0BAA0B,qBAAqB,WAAW,SAAS;AAEjF,UACE,SACA,0BAA0B,uBAC1B,0BAA0B,cAC1B;AACA,4BAAoB,MAAM,wBAAwB,KAAK,SAAS,KAAK;AAErE,YAAI,mBAAmB;AACrB,cAAI,0BAA0B,aAAa,KAAK,UAAU,kBAAkB,SAAS;AACnF,kBAAM,IAAI,MAAM,oFAAoF,KAAK,GAAG;AAAA,UAC9G;AAEA,cAAI,0BAA0B,aAAa,KAAK,YAAY,kBAAkB,SAAS;AACrF,gBAAI,0BAA0B,aAAa,KAAK,SAAS,kBAAkB,MAAM;AAC/E,oBAAM,IAAI,MAAM,kEAAkE,KAAK,GAAG;AAAA,YAC5F;AAAA,UACF,OAAO;AACL,iCAAqB,MAAM,KAAK,OAAO,yBAAyB,SAAS;AAAA,cACvE,0BAA0B,kBAAkB;AAAA,cAC5C,uBAAuB,kBAAkB;AAAA,YAC3C,CAAC;AAAA,UACH;AAAA,QACF;AAAA,MACF;AAAA,IACF;AAEA,UAAM,oBAAoB,MAAM;AAAA,MAC9B,KAAK;AAAA,MACL;AAAA,MACA;AAAA,IACF;AAEA,UAAM,YAAY,kBAAkB;AAAA,MAClC,CAAC,cAAc,UAAU,kBAAkB,WAAW;AAAA,IACxD;AAEA,QAAI,CAAC,WAAW;AACd,YAAM,IAAI;AAAA,QACR,iCAAiC,OAAO,mCAAmC,WAAW,mBAAmB;AAAA,MAC3G;AAAA,IACF;AAEA,UAAM,oBAAoB;AAAA,MACxB;AAAA,MACA,WAAW;AAAA,MACX,WAAW;AAAA,MACX,WAAW;AAAA,MACX,WAAW;AAAA,MACX,WAAW;AAAA,MACX,UAAU;AAAA,IACZ;AAEA,QAAI,CAAC,mBAAmB;AACtB,YAAM,IAAI,MAAM,+DAA+D,OAAO,GAAG;AAAA,IAC3F;AAEA,UAAM,MAAM,wBAAwB,WAAW,YAAY,KAAK,aAAa;AAE7E,QAAI,CAAC,cAAc,mBAAmB;AACpC,YAAM,IAAI,MAAM,iBAAiB,OAAO,0CAA0C;AAAA,IACpF;AAEA,UAAM,mBAAmB,kBAAkB;AAAA,MACzC,CAAC,cAAc,UAAU,kBAAkB,cAAc,kBAAmB;AAAA,IAC9E;AAEA,QAAI,CAAC,kBAAkB;AACrB,YAAM,IAAI;AAAA,QACR,iBAAiB,OAAO,sDAAsD,cAAc,kBAAkB,mBAAmB;AAAA,MACnI;AAAA,IACF;AAEA,UAAM,4BAA4B;AAAA,MAChC;AAAA,MACA,cAAc,kBAAkB,WAAW;AAAA,IAC7C;AAC
A,UAAM,kBAAkB;AAAA,MACtB;AAAA,MACA,cAAc,kBAAkB;AAAA,MAChC,iBAAiB;AAAA,IACnB;AAEA,QAAI,CAAC,iBAAiB;AACpB,YAAM,IAAI,MAAM,kEAAkE,OAAO,GAAG;AAAA,IAC9F;AAEA;AAAA,MACE,KAAK;AAAA,MACL,WAAW,OAAO;AAAA,MAClB,0BAA0B;AAAA,IAC5B;AAEA,UAAM,cAAc,MAAM,QAAQ;AAAA,MAChC,cAAc,MAAM,IAAI,CAAC,SAAS,KAAK,OAAO,mBAAmB,SAAS,KAAK,EAAE,CAAC;AAAA,IACpF;AAEA,UAAM,MAAa,CAAC;AAEpB,eAAW,QAAQ,aAAa;AAC9B,UAAI,CAAC,KAAK,kBAAkB;AAC1B,cAAM,IAAI,MAAM,sBAAsB,KAAK,EAAE,yCAAyC;AAAA,MACxF;AAEA,YAAM,kBAAkB,kBAAkB;AAAA,QACxC,CAAC,cAAc,UAAU,kBAAkB,KAAK,iBAAkB;AAAA,MACpE;AAEA,UAAI,CAAC,iBAAiB;AACpB,cAAM,IAAI;AAAA,UACR,sBAAsB,KAAK,EAAE,8CAA8C,KAAK,iBAAiB,mBAAmB;AAAA,QACtH;AAAA,MACF;AAEA,YAAM,2BAA2B;AAAA,QAC/B;AAAA,QACA,KAAK,iBAAiB,WAAW;AAAA,MACnC;AACA,YAAM,iBAAiB;AAAA,QACrB;AAAA,QACA,KAAK,iBAAiB;AAAA,QACtB,gBAAgB;AAAA,MAClB;AAEA,UAAI,CAAC,gBAAgB;AACnB,cAAM,IAAI,MAAM,8DAA8D,KAAK,EAAE,GAAG;AAAA,MAC1F;AAEA;AAAA,QACE,KAAK;AAAA,QACL,UAAU,KAAK,EAAE;AAAA,QACjB,yBAAyB;AAAA,MAC3B;AAEA,iBAAW,SAAS,KAAK,QAAQ;AAC/B,YAAI,MAAM,UAAU,MAAM;AACxB;AAAA,QACF;AAEA,YAAI,qBAAqB,GAAG,KAAK,IAAI,IAAI,MAAM,IAAI,EAAE,CAAC,IAAI;AAAA,UACxD,MAAM;AAAA,UACN;AAAA,QACF;AAAA,MACF;AAAA,IACF;AAEA,WAAO;AAAA,EACT;AACF;AAEA,IAAO,cAAQ;","names":["path","path","path","fs","path","fs","path","path"]}
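--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
  {
  "name": "@r4security/sdk",
- "version": "0.0.2",
+ "version": "0.0.5",
  "description": "Official R4 SDK for Node.js — programmatic access to R4 vault secrets",
  "main": "lib/index.cjs",
  "module": "lib/index.js",
@@ -39,6 +39,7 @@
  "scripts": {
  "build": "tsup",
  "clean": "rm -rf lib",
- "test": "tsx --test src/**/*.test.ts"
+ "test": "tsx --test test/**/*.test.ts",
+ "test:pack": "tsx --test test/package.smoke.ts"
  }
  }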
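Review bot: The new `test` script, `"test": "tsx --test test/**/*.test.ts"`, leaves the `**` pattern unquoted, so which files run depends on the invoking shell: the `sh` that npm uses for scripts has no `globstar`, so `**` behaves like a single `*` and test files nested more than one level deep (or directly under `test/`, depending on layout) can be silently skipped. For an SDK that handles vault secrets, a suite that quietly runs a subset of its files is worth guarding against. I would quote the pattern, `"test": "tsx --test 'test/**/*.test.ts'"`, so that the test runner's own glob handling decides rather than the shell, or list the test directories explicitly; whether tsx forwards an unexpanded pattern to Node's test runner is not shown by this diff and should be confirmed against the pinned tsx/Node versions. Note also that `test/package.smoke.ts` does not match `*.test.ts`, so `npm test` never runs the packaging smoke test — presumably intentional given the separate `test:pack` script, but CI should invoke both.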