@ravi-hq/ravi 0.6.3 → 0.7.1

package/dist/utils.d.ts

@@ -3,7 +3,6 @@
  *
  * @module utils
  */
-import type { CryptoManager } from "./crypto.js";
 /**
  * Prepare text for email sending as HTML.
  *
@@ -12,9 +11,4 @@ import type { CryptoManager } from "./crypto.js";
  * and the result is wrapped in a `<div>` element.
  */
 export declare function wrapInHtml(text: string): string;
-/**
- * Try to decrypt a value, returning a fallback on failure.
- * Logs the first decryption failure to help diagnose wrong-PIN issues.
- */
-export declare function tryDecrypt(crypto: CryptoManager, value: string, context: string): Promise<string>;
 //# sourceMappingURL=utils.d.ts.map

package/dist/utils.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"utils.d.ts","sourceRoot":"","sources":["../src/utils.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,aAAa,CAAC;AAEjD;;;;;;GAMG;AACH,wBAAgB,UAAU,CAAC,IAAI,EAAE,MAAM,GAAG,MAAM,CAU/C;AAID;;;GAGG;AACH,wBAAsB,UAAU,CAC9B,MAAM,EAAE,aAAa,EACrB,KAAK,EAAE,MAAM,EACb,OAAO,EAAE,MAAM,GACd,OAAO,CAAC,MAAM,CAAC,CAWjB"}
+{"version":3,"file":"utils.d.ts","sourceRoot":"","sources":["../src/utils.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH;;;;;;GAMG;AACH,wBAAgB,UAAU,CAAC,IAAI,EAAE,MAAM,GAAG,MAAM,CAU/C"}

package/dist/utils.js

@@ -21,22 +21,4 @@ export function wrapInHtml(text) {
         .replace(/\n/g, "<br>");
     return `<div>${escaped}</div>`;
 }
-let decryptionWarningLogged = false;
-/**
- * Try to decrypt a value, returning a fallback on failure.
- * Logs the first decryption failure to help diagnose wrong-PIN issues.
- */
-export async function tryDecrypt(crypto, value, context) {
-    try {
-        return await crypto.decrypt(value);
-    }
-    catch (err) {
-        if (!decryptionWarningLogged) {
-            const detail = err instanceof Error ? err.message : String(err);
-            console.error(`[ravi] Decryption failed (${context}): ${detail}. Wrong PIN?`);
-            decryptionWarningLogged = true;
-        }
-        return "[decryption failed]";
-    }
-}
 //# sourceMappingURL=utils.js.map

package/dist/utils.js.map

@@ -1 +1 @@
-{"version":3,"file":"utils.js","sourceRoot":"","sources":["../src/utils.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAIH;;;;;;GAMG;AACH,MAAM,UAAU,UAAU,CAAC,IAAY;IACrC,IAAI,kBAAkB,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;QAClC,OAAO,IAAI,CAAC;IACd,CAAC;IACD,MAAM,OAAO,GAAG,IAAI;SACjB,OAAO,CAAC,IAAI,EAAE,OAAO,CAAC;SACtB,OAAO,CAAC,IAAI,EAAE,MAAM,CAAC;SACrB,OAAO,CAAC,IAAI,EAAE,MAAM,CAAC;SACrB,OAAO,CAAC,KAAK,EAAE,MAAM,CAAC,CAAC;IAC1B,OAAO,QAAQ,OAAO,QAAQ,CAAC;AACjC,CAAC;AAED,IAAI,uBAAuB,GAAG,KAAK,CAAC;AAEpC;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,UAAU,CAC9B,MAAqB,EACrB,KAAa,EACb,OAAe;IAEf,IAAI,CAAC;QACH,OAAO,MAAM,MAAM,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC;IACrC,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,IAAI,CAAC,uBAAuB,EAAE,CAAC;YAC7B,MAAM,MAAM,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;YAChE,OAAO,CAAC,KAAK,CAAC,6BAA6B,OAAO,MAAM,MAAM,cAAc,CAAC,CAAC;YAC9E,uBAAuB,GAAG,IAAI,CAAC;QACjC,CAAC;QACD,OAAO,qBAAqB,CAAC;IAC/B,CAAC;AACH,CAAC"}
+{"version":3,"file":"utils.js","sourceRoot":"","sources":["../src/utils.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH;;;;;;GAMG;AACH,MAAM,UAAU,UAAU,CAAC,IAAY;IACrC,IAAI,kBAAkB,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;QAClC,OAAO,IAAI,CAAC;IACd,CAAC;IACD,MAAM,OAAO,GAAG,IAAI;SACjB,OAAO,CAAC,IAAI,EAAE,OAAO,CAAC;SACtB,OAAO,CAAC,IAAI,EAAE,MAAM,CAAC;SACrB,OAAO,CAAC,IAAI,EAAE,MAAM,CAAC;SACrB,OAAO,CAAC,KAAK,EAAE,MAAM,CAAC,CAAC;IAC1B,OAAO,QAAQ,OAAO,QAAQ,CAAC;AACjC,CAAC"}

package/openclaw.plugin.json

@@ -6,6 +6,7 @@
     "type": "object",
     "properties": {
       "identityUuid": { "type": "string" },
+      "identityKey": { "type": "string", "description": "Identity API key (ravi_id_...). Set per-agent for multi-agent setups." },
       "externalEmail": {
         "type": "boolean",
         "default": true,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@ravi-hq/ravi",
-  "version": "0.6.3",
+  "version": "0.7.1",
   "description": "OpenClaw plugin for Ravi — identity provider for AI agents. Email channels + full agent toolbox.",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",
@@ -32,10 +32,6 @@
       }
     ]
   },
-  "dependencies": {
-    "hash-wasm": "^4.11.0",
-    "tweetnacl": "^1.0.3"
-  },
   "devDependencies": {
     "@types/node": "^22.0.0",
     "tsx": "^4.21.0",

package/dist/crypto.d.ts

@@ -1,156 +0,0 @@
-/**
- * E2E encryption/decryption module for the OpenClaw plugin.
- *
- * Implements the same key derivation and NaCl SealedBox operations as the Go CLI,
- * ensuring cross-platform compatibility. Ciphertext format: `"e2e::<base64>"`.
- *
- * Key derivation flow:
- *   PIN + salt -> Argon2id -> 32-byte seed -> SHA-512 -> clamp first 32 bytes
- *   -> X25519 scalar base mult -> public key
- *
- * @module crypto
- */
-/** Prefix prepended to every E2E-encrypted field value. */
-export declare const ENCRYPTED_PREFIX = "e2e::";
-/** A NaCl box keypair derived from a PIN and salt. */
-export interface KeyPair {
-    /** 32-byte X25519 public key. */
-    publicKey: Uint8Array;
-    /** 32-byte clamped private key (Curve25519 scalar). */
-    secretKey: Uint8Array;
-}
-/**
- * High-level manager that caches a derived keypair and exposes
- * encrypt/decrypt operations for tool use.
- */
-export interface CryptoManager {
-    /** Decrypt an `"e2e::<base64>"` string. Non-encrypted values pass through unchanged. */
-    decrypt(ciphertext: string): Promise<string>;
-    /** Encrypt plaintext into `"e2e::<base64>"` format. Empty input returns `""`. */
-    encrypt(plaintext: string): Promise<string>;
-    /** Return the public key as a lowercase hex string. */
-    getPublicKeyHex(): string;
-}
-/**
- * Encrypt a message using NaCl SealedBox (anonymous sender).
- *
- * Layout: `ephemeralPK (32) || crypto_box(message, nonce, recipientPK, ephemeralSK)`.
- *
- * @param message   - Plaintext bytes to encrypt.
- * @param recipientPK - Recipient's 32-byte X25519 public key.
- * @returns Sealed ciphertext (32 + message.length + 16 bytes).
- */
-export declare function sealedBoxSeal(message: Uint8Array, recipientPK: Uint8Array): Promise<Uint8Array>;
-/**
- * Decrypt a NaCl SealedBox ciphertext.
- *
- * @param sealed      - The full sealed ciphertext (ephemeralPK || box output).
- * @param recipientPK - Recipient's 32-byte X25519 public key.
- * @param recipientSK - Recipient's 32-byte private key (clamped scalar).
- * @returns Decrypted plaintext bytes, or `null` if decryption fails.
- */
-export declare function sealedBoxOpen(sealed: Uint8Array, recipientPK: Uint8Array, recipientSK: Uint8Array): Promise<Uint8Array | null>;
-/**
- * Derive a NaCl keypair from a PIN and salt, matching the Go CLI exactly.
- *
- * Steps:
- *  1. Argon2id(PIN, salt, time=3, mem=64MB, threads=1, keyLen=32) -> 32-byte seed
- *  2. SHA-512(seed) -> 64-byte hash
- *  3. First 32 bytes of hash with Curve25519 clamping applied
- *  4. X25519 scalar base multiplication -> public key
- *
- * @param pin        - User's encryption PIN (arbitrary string).
- * @param saltBase64 - Base64-encoded 16-byte salt from the server.
- * @returns The derived keypair.
- */
-export declare function deriveKeyPair(pin: string, saltBase64: string): Promise<KeyPair>;
-/**
- * Check whether a field value carries the `"e2e::"` encrypted prefix.
- */
-export declare function isEncrypted(value: string): boolean;
-/**
- * Decrypt an `"e2e::<base64>"` field value.
- *
- * If the value does not carry the encrypted prefix it is returned unchanged.
- * Uses standard base64 (with padding) to match Go's `base64.StdEncoding`.
- *
- * @param value - The field value, possibly prefixed with `"e2e::"`.
- * @param kp    - The recipient keypair.
- * @returns The plaintext string.
- * @throws If base64 decoding or SealedBox decryption fails.
- */
-export declare function decryptField(value: string, kp: KeyPair): Promise<string>;
-/**
- * Encrypt plaintext into `"e2e::<base64>"` format using a SealedBox.
- *
- * Empty plaintext returns an empty string (matching Go CLI behavior).
- *
- * @param plaintext - The string to encrypt.
- * @param publicKey - Recipient's 32-byte X25519 public key.
- * @returns The encrypted field value with `"e2e::"` prefix.
- */
-export declare function encryptField(plaintext: string, publicKey: Uint8Array): Promise<string>;
-/**
- * Verify that a keypair can decrypt the server-stored verifier.
- *
- * The verifier is a base64-encoded SealedBox ciphertext of the literal
- * string `"ravi-e2e-verify"`.
- *
- * @param kp          - The derived keypair to verify.
- * @param verifierB64 - Base64-encoded SealedBox ciphertext from the server.
- * @returns `true` if decryption succeeds and produces the expected plaintext.
- */
-export declare function verify(kp: KeyPair, verifierB64: string): Promise<boolean>;
-/**
- * Create a verifier by encrypting `"ravi-e2e-verify"` with the public key.
- *
- * @param kp - The keypair whose public key will be used to seal the verifier.
- * @returns Base64-encoded SealedBox ciphertext.
- */
-export declare function createVerifier(kp: KeyPair): Promise<string>;
-/**
- * Perform first-time E2E encryption setup.
- *
- * Generates a random 16-byte salt, derives a keypair from the PIN,
- * creates a verifier, and returns all values needed to register
- * with the server. Matches the Go CLI's `initialEncryptionSetup`.
- *
- * @param pin - The user's 6-digit PIN.
- * @returns Object with base64-encoded salt, publicKey, verifier, and recoveryKey.
- */
-export declare function setupEncryption(pin: string): Promise<{
-    salt: string;
-    publicKey: string;
-    verifier: string;
-    recoveryKey: string;
-    keyPair: KeyPair;
-}>;
-/**
- * Create a {@link CryptoManager} that caches a derived keypair.
- *
- * On creation the manager:
- *  1. Derives a keypair from PIN + salt.
- *  2. Verifies the derived public key matches the server's stored public key.
- *  3. Decrypts the server-stored verifier to confirm the PIN is correct.
- *
- * @param pin                  - User's encryption PIN.
- * @param saltBase64           - Base64-encoded 16-byte salt from the server.
- * @param verifierBase64       - Base64-encoded SealedBox ciphertext of `"ravi-e2e-verify"`.
- * @param serverPublicKeyBase64 - Base64-encoded 32-byte public key stored on the server.
- * @returns A ready-to-use CryptoManager.
- * @throws If the derived public key does not match or the verifier decryption fails.
- */
-export declare function createCryptoManager(pin: string, saltBase64: string, verifierBase64: string, serverPublicKeyBase64: string): Promise<CryptoManager>;
-/**
- * Create a {@link CryptoManager} from an already-derived keypair.
- *
- * Used when the keypair is loaded from ~/.ravi/auth.json (stored after
- * initial PIN-based derivation). Skips Argon2id derivation and verification.
- *
- * @param publicKeyBase64 - Base64-encoded 32-byte public key.
- * @param privateKeyBase64 - Base64-encoded 32-byte private key.
- */
-export declare function createCryptoManagerFromKeyPair(publicKeyBase64: string, privateKeyBase64: string): CryptoManager;
-/** Encode bytes to standard base64 with padding. Matches Go's `base64.StdEncoding`. */
-export declare function bytesToBase64(bytes: Uint8Array): string;
-//# sourceMappingURL=crypto.d.ts.map

package/dist/crypto.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"crypto.d.ts","sourceRoot":"","sources":["../src/crypto.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AASH,2DAA2D;AAC3D,eAAO,MAAM,gBAAgB,UAAU,CAAC;AAkBxC,sDAAsD;AACtD,MAAM,WAAW,OAAO;IACtB,iCAAiC;IACjC,SAAS,EAAE,UAAU,CAAC;IACtB,uDAAuD;IACvD,SAAS,EAAE,UAAU,CAAC;CACvB;AAED;;;GAGG;AACH,MAAM,WAAW,aAAa;IAC5B,wFAAwF;IACxF,OAAO,CAAC,UAAU,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC;IAC7C,iFAAiF;IACjF,OAAO,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC;IAC5C,uDAAuD;IACvD,eAAe,IAAI,MAAM,CAAC;CAC3B;AAwBD;;;;;;;;GAQG;AACH,wBAAsB,aAAa,CACjC,OAAO,EAAE,UAAU,EACnB,WAAW,EAAE,UAAU,GACtB,OAAO,CAAC,UAAU,CAAC,CAcrB;AAED;;;;;;;GAOG;AACH,wBAAsB,aAAa,CACjC,MAAM,EAAE,UAAU,EAClB,WAAW,EAAE,UAAU,EACvB,WAAW,EAAE,UAAU,GACtB,OAAO,CAAC,UAAU,GAAG,IAAI,CAAC,CAY5B;AAMD;;;;;;;;;;;;GAYG;AACH,wBAAsB,aAAa,CACjC,GAAG,EAAE,MAAM,EACX,UAAU,EAAE,MAAM,GACjB,OAAO,CAAC,OAAO,CAAC,CA+BlB;AAMD;;GAEG;AACH,wBAAgB,WAAW,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAElD;AAED;;;;;;;;;;GAUG;AACH,wBAAsB,YAAY,CAChC,KAAK,EAAE,MAAM,EACb,EAAE,EAAE,OAAO,GACV,OAAO,CAAC,MAAM,CAAC,CAcjB;AAED;;;;;;;;GAQG;AACH,wBAAsB,YAAY,CAChC,SAAS,EAAE,MAAM,EACjB,SAAS,EAAE,UAAU,GACpB,OAAO,CAAC,MAAM,CAAC,CAQjB;AAMD;;;;;;;;;GASG;AACH,wBAAsB,MAAM,CAC1B,EAAE,EAAE,OAAO,EACX,WAAW,EAAE,MAAM,GAClB,OAAO,CAAC,OAAO,CAAC,CASlB;AAED;;;;;GAKG;AACH,wBAAsB,cAAc,CAAC,EAAE,EAAE,OAAO,GAAG,OAAO,CAAC,MAAM,CAAC,CAIjE;AAMD;;;;;;;;;GASG;AACH,wBAAsB,eAAe,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC;IAC1D,IAAI,EAAE,MAAM,CAAC;IACb,SAAS,EAAE,MAAM,CAAC;IAClB,QAAQ,EAAE,MAAM,CAAC;IACjB,WAAW,EAAE,MAAM,CAAC;IACpB,OAAO,EAAE,OAAO,CAAC;CAClB,CAAC,CAwBD;AAMD;;;;;;;;;;;;;;GAcG;AACH,wBAAsB,mBAAmB,CACvC,GAAG,EAAE,MAAM,EACX,UAAU,EAAE,MAAM,EAClB,cAAc,EAAE,MAAM,EACtB,qBAAqB,EAAE,MAAM,GAC5B,OAAO,CAAC,aAAa,CAAC,CA4BxB;AAED;;;;;;;;GAQG;AACH,wBAAgB,8BAA8B,CAC5C,eAAe,EAAE,MAAM,EACvB,gBAAgB,EAAE,MAAM,GACvB,aAAa,CAsBf;AAkBD,uFAAuF;AACvF,wBAAgB,aAAa,CAAC,KAAK,EAAE,UAAU,GAAG,MAAM,CAEvD"}

package/dist/crypto.js

@@ -1,350 +0,0 @@
-/**
- * E2E encryption/decryption module for the OpenClaw plugin.
- *
- * Implements the same key derivation and NaCl SealedBox operations as the Go CLI,
- * ensuring cross-platform compatibility. Ciphertext format: `"e2e::<base64>"`.
- *
- * Key derivation flow:
- *   PIN + salt -> Argon2id -> 32-byte seed -> SHA-512 -> clamp first 32 bytes
- *   -> X25519 scalar base mult -> public key
- *
- * @module crypto
- */
-import { argon2id, blake2b } from "hash-wasm";
-import nacl from "tweetnacl";
-// ---------------------------------------------------------------------------
-// Constants
-// ---------------------------------------------------------------------------
-/** Prefix prepended to every E2E-encrypted field value. */
-export const ENCRYPTED_PREFIX = "e2e::";
-/** Literal string encrypted inside the verifier ciphertext. */
-const VERIFY_PLAINTEXT = "ravi-e2e-verify";
-/** SealedBox overhead: 32-byte ephemeral public key + 16-byte Poly1305 MAC. */
-const SEALED_BOX_OVERHEAD = 48;
-// Argon2id parameters -- must match the Go CLI and libsodium exactly.
-const ARGON2_TIME = 3;
-const ARGON2_MEMORY = 65536; // 64 MB in KiB
-const ARGON2_THREADS = 1;
-const ARGON2_KEY_LEN = 32;
-// ---------------------------------------------------------------------------
-// SealedBox primitives (NaCl anonymous box using tweetnacl + hash-wasm)
-// ---------------------------------------------------------------------------
-/**
- * Compute the 24-byte nonce for a NaCl SealedBox.
- *
- * The nonce is `BLAKE2b(ephemeralPK || recipientPK)` with a 24-byte digest,
- * matching libsodium's `crypto_box_seal` implementation.
- */
-async function sealedBoxNonce(ephemeralPK, recipientPK) {
-    const input = new Uint8Array(64);
-    input.set(ephemeralPK, 0);
-    input.set(recipientPK, 32);
-    const nonceHex = await blake2b(input, 192); // 192 bits = 24 bytes
-    return hexToBytes(nonceHex);
-}
-/**
- * Encrypt a message using NaCl SealedBox (anonymous sender).
- *
- * Layout: `ephemeralPK (32) || crypto_box(message, nonce, recipientPK, ephemeralSK)`.
- *
- * @param message   - Plaintext bytes to encrypt.
- * @param recipientPK - Recipient's 32-byte X25519 public key.
- * @returns Sealed ciphertext (32 + message.length + 16 bytes).
- */
-export async function sealedBoxSeal(message, recipientPK) {
-    const ephemeral = nacl.box.keyPair();
-    const nonce = await sealedBoxNonce(ephemeral.publicKey, recipientPK);
-    const encrypted = nacl.box(message, nonce, recipientPK, ephemeral.secretKey);
-    if (!encrypted) {
-        throw new Error("nacl.box encryption failed");
-    }
-    // sealed = ephemeralPK || encrypted
-    const sealed = new Uint8Array(32 + encrypted.length);
-    sealed.set(ephemeral.publicKey, 0);
-    sealed.set(encrypted, 32);
-    return sealed;
-}
-/**
- * Decrypt a NaCl SealedBox ciphertext.
- *
- * @param sealed      - The full sealed ciphertext (ephemeralPK || box output).
- * @param recipientPK - Recipient's 32-byte X25519 public key.
- * @param recipientSK - Recipient's 32-byte private key (clamped scalar).
- * @returns Decrypted plaintext bytes, or `null` if decryption fails.
- */
-export async function sealedBoxOpen(sealed, recipientPK, recipientSK) {
-    if (sealed.length < SEALED_BOX_OVERHEAD) {
-        throw new Error(`Ciphertext too short (${sealed.length} bytes, minimum ${SEALED_BOX_OVERHEAD}). Data may be corrupted.`);
-    }
-    const ephemeralPK = sealed.subarray(0, 32);
-    const ciphertext = sealed.subarray(32);
-    const nonce = await sealedBoxNonce(ephemeralPK, recipientPK);
-    return nacl.box.open(ciphertext, nonce, ephemeralPK, recipientSK);
-}
-// ---------------------------------------------------------------------------
-// Key derivation
-// ---------------------------------------------------------------------------
-/**
- * Derive a NaCl keypair from a PIN and salt, matching the Go CLI exactly.
- *
- * Steps:
- *  1. Argon2id(PIN, salt, time=3, mem=64MB, threads=1, keyLen=32) -> 32-byte seed
- *  2. SHA-512(seed) -> 64-byte hash
- *  3. First 32 bytes of hash with Curve25519 clamping applied
- *  4. X25519 scalar base multiplication -> public key
- *
- * @param pin        - User's encryption PIN (arbitrary string).
- * @param saltBase64 - Base64-encoded 16-byte salt from the server.
- * @returns The derived keypair.
- */
-export async function deriveKeyPair(pin, saltBase64) {
-    // 1. Decode salt from base64
-    const salt = base64ToBytes(saltBase64);
-    // 2. Argon2id -> 32-byte seed
-    const seedHex = await argon2id({
-        password: pin,
-        salt,
-        parallelism: ARGON2_THREADS,
-        iterations: ARGON2_TIME,
-        memorySize: ARGON2_MEMORY,
-        hashLength: ARGON2_KEY_LEN,
-        outputType: "hex",
-    });
-    const seed = hexToBytes(seedHex);
-    // 3. SHA-512 of the seed
-    const { createHash } = await import("node:crypto");
-    const hashBuf = createHash("sha512").update(seed).digest();
-    const hash = new Uint8Array(hashBuf.buffer, hashBuf.byteOffset, hashBuf.byteLength);
-    // 4. Curve25519 clamping on the first 32 bytes
-    const privateKey = new Uint8Array(hash.subarray(0, 32));
-    privateKey[0] &= 248;
-    privateKey[31] &= 127;
-    privateKey[31] |= 64;
-    // 5. Scalar base multiplication -> public key
-    const publicKey = nacl.scalarMult.base(privateKey);
-    return { publicKey, secretKey: privateKey };
-}
-// ---------------------------------------------------------------------------
-// Field-level encrypt / decrypt
-// ---------------------------------------------------------------------------
-/**
- * Check whether a field value carries the `"e2e::"` encrypted prefix.
- */
-export function isEncrypted(value) {
-    return value.startsWith(ENCRYPTED_PREFIX);
-}
-/**
- * Decrypt an `"e2e::<base64>"` field value.
- *
- * If the value does not carry the encrypted prefix it is returned unchanged.
- * Uses standard base64 (with padding) to match Go's `base64.StdEncoding`.
- *
- * @param value - The field value, possibly prefixed with `"e2e::"`.
- * @param kp    - The recipient keypair.
- * @returns The plaintext string.
- * @throws If base64 decoding or SealedBox decryption fails.
- */
-export async function decryptField(value, kp) {
-    if (!isEncrypted(value)) {
-        return value;
-    }
-    const b64 = value.slice(ENCRYPTED_PREFIX.length);
-    const sealed = base64ToBytes(b64);
-    const plaintext = await sealedBoxOpen(sealed, kp.publicKey, kp.secretKey);
-    if (!plaintext) {
-        throw new Error("Decryption failed: invalid ciphertext or wrong key");
-    }
-    return new TextDecoder().decode(plaintext);
-}
-/**
- * Encrypt plaintext into `"e2e::<base64>"` format using a SealedBox.
- *
- * Empty plaintext returns an empty string (matching Go CLI behavior).
- *
- * @param plaintext - The string to encrypt.
- * @param publicKey - Recipient's 32-byte X25519 public key.
- * @returns The encrypted field value with `"e2e::"` prefix.
- */
-export async function encryptField(plaintext, publicKey) {
-    if (plaintext === "") {
-        return "";
-    }
-    const message = new TextEncoder().encode(plaintext);
-    const sealed = await sealedBoxSeal(message, publicKey);
-    return ENCRYPTED_PREFIX + bytesToBase64(sealed);
-}
-// ---------------------------------------------------------------------------
-// Verifier
-// ---------------------------------------------------------------------------
-/**
- * Verify that a keypair can decrypt the server-stored verifier.
- *
- * The verifier is a base64-encoded SealedBox ciphertext of the literal
- * string `"ravi-e2e-verify"`.
- *
- * @param kp          - The derived keypair to verify.
- * @param verifierB64 - Base64-encoded SealedBox ciphertext from the server.
- * @returns `true` if decryption succeeds and produces the expected plaintext.
- */
-export async function verify(kp, verifierB64) {
-    try {
-        const ciphertext = base64ToBytes(verifierB64);
-        const plaintext = await sealedBoxOpen(ciphertext, kp.publicKey, kp.secretKey);
-        if (!plaintext)
-            return false;
-        return new TextDecoder().decode(plaintext) === VERIFY_PLAINTEXT;
-    }
-    catch {
-        return false;
-    }
-}
-/**
- * Create a verifier by encrypting `"ravi-e2e-verify"` with the public key.
- *
- * @param kp - The keypair whose public key will be used to seal the verifier.
- * @returns Base64-encoded SealedBox ciphertext.
- */
-export async function createVerifier(kp) {
-    const message = new TextEncoder().encode(VERIFY_PLAINTEXT);
-    const sealed = await sealedBoxSeal(message, kp.publicKey);
-    return bytesToBase64(sealed);
-}
-// ---------------------------------------------------------------------------
-// First-time encryption setup
-// ---------------------------------------------------------------------------
-/**
- * Perform first-time E2E encryption setup.
- *
- * Generates a random 16-byte salt, derives a keypair from the PIN,
- * creates a verifier, and returns all values needed to register
- * with the server. Matches the Go CLI's `initialEncryptionSetup`.
- *
- * @param pin - The user's 6-digit PIN.
- * @returns Object with base64-encoded salt, publicKey, verifier, and recoveryKey.
- */
-export async function setupEncryption(pin) {
-    // Generate random 16-byte salt (same as Go CLI's rand.Read(salt))
-    const salt = new Uint8Array(16);
-    globalThis.crypto.getRandomValues(salt);
-    // Base64-encode the salt (deriveKeyPair expects base64)
-    const saltB64 = bytesToBase64(salt);
-    // Derive keypair from PIN + salt
-    const kp = await deriveKeyPair(pin, saltB64);
-    // Create verifier (encrypted "ravi-e2e-verify")
-    const verifierB64 = await createVerifier(kp);
-    // Base64-encode the public key
-    const publicKeyB64 = bytesToBase64(kp.publicKey);
-    return {
-        salt: saltB64,
-        publicKey: publicKeyB64,
-        verifier: verifierB64,
-        recoveryKey: saltB64, // Same as CLI — recovery key IS the salt
-        keyPair: kp,
-    };
-}
-// ---------------------------------------------------------------------------
-// CryptoManager factory
-// ---------------------------------------------------------------------------
-/**
- * Create a {@link CryptoManager} that caches a derived keypair.
- *
- * On creation the manager:
- *  1. Derives a keypair from PIN + salt.
- *  2. Verifies the derived public key matches the server's stored public key.
- *  3. Decrypts the server-stored verifier to confirm the PIN is correct.
- *
- * @param pin                  - User's encryption PIN.
- * @param saltBase64           - Base64-encoded 16-byte salt from the server.
- * @param verifierBase64       - Base64-encoded SealedBox ciphertext of `"ravi-e2e-verify"`.
- * @param serverPublicKeyBase64 - Base64-encoded 32-byte public key stored on the server.
- * @returns A ready-to-use CryptoManager.
- * @throws If the derived public key does not match or the verifier decryption fails.
- */
-export async function createCryptoManager(pin, saltBase64, verifierBase64, serverPublicKeyBase64) {
-    const keyPair = await deriveKeyPair(pin, saltBase64);
-    // Verify: derived public key must match the server's stored public key
-    const serverPubKey = base64ToBytes(serverPublicKeyBase64);
-    if (!nacl.verify(keyPair.publicKey, serverPubKey)) {
-        throw new Error("Derived public key does not match server record. Wrong PIN?");
-    }
-    // Verify: decrypting the verifier must produce "ravi-e2e-verify"
-    const isValid = await verify(keyPair, verifierBase64);
-    if (!isValid) {
-        throw new Error("Verifier decryption failed. Wrong PIN?");
-    }
-    return {
-        async decrypt(ciphertext) {
-            return decryptField(ciphertext, keyPair);
-        },
-        async encrypt(plaintext) {
-            return encryptField(plaintext, keyPair.publicKey);
-        },
-        getPublicKeyHex() {
-            return bytesToHex(keyPair.publicKey);
-        },
-    };
-}
-/**
- * Create a {@link CryptoManager} from an already-derived keypair.
- *
- * Used when the keypair is loaded from ~/.ravi/auth.json (stored after
- * initial PIN-based derivation). Skips Argon2id derivation and verification.
- *
- * @param publicKeyBase64 - Base64-encoded 32-byte public key.
- * @param privateKeyBase64 - Base64-encoded 32-byte private key.
- */
-export function createCryptoManagerFromKeyPair(publicKeyBase64, privateKeyBase64) {
-    const publicKey = base64ToBytes(publicKeyBase64);
-    const secretKey = base64ToBytes(privateKeyBase64);
-    if (publicKey.length !== 32) {
-        throw new Error(`Invalid public key length: expected 32 bytes, got ${publicKey.length}`);
-    }
-    if (secretKey.length !== 32) {
-        throw new Error(`Invalid private key length: expected 32 bytes, got ${secretKey.length}`);
-    }
-    const keyPair = { publicKey, secretKey };
-    return {
-        async decrypt(ciphertext) {
-            return decryptField(ciphertext, keyPair);
-        },
-        async encrypt(plaintext) {
-            return encryptField(plaintext, keyPair.publicKey);
-        },
-        getPublicKeyHex() {
-            return bytesToHex(keyPair.publicKey);
-        },
-    };
-}
-// ---------------------------------------------------------------------------
-// Encoding helpers
-// ---------------------------------------------------------------------------
-/**
- * Decode a standard base64 string (with padding) to bytes.
- * Matches Go's `base64.StdEncoding`.
- */
-function base64ToBytes(b64) {
-    if (!/^[A-Za-z0-9+/]*={0,2}$/.test(b64)) {
-        throw new Error("Invalid base64 string");
-    }
-    const buf = Buffer.from(b64, "base64");
-    return new Uint8Array(buf.buffer, buf.byteOffset, buf.byteLength);
-}
-/** Encode bytes to standard base64 with padding. Matches Go's `base64.StdEncoding`. */
-export function bytesToBase64(bytes) {
-    return Buffer.from(bytes).toString("base64");
-}
-/** Convert a hex string to a Uint8Array. */
-function hexToBytes(hex) {
-    const bytes = new Uint8Array(hex.length / 2);
-    for (let i = 0; i < hex.length; i += 2) {
-        bytes[i / 2] = parseInt(hex.substring(i, i + 2), 16);
-    }
-    return bytes;
-}
-/** Convert bytes to a lowercase hex string. */
-function bytesToHex(bytes) {
-    return Array.from(bytes)
-        .map((b) => b.toString(16).padStart(2, "0"))
-        .join("");
-}
-//# sourceMappingURL=crypto.js.map

package/dist/crypto.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"crypto.js","sourceRoot":"","sources":["../src/crypto.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAEH,OAAO,EAAE,QAAQ,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AAC9C,OAAO,IAAI,MAAM,WAAW,CAAC;AAE7B,8EAA8E;AAC9E,YAAY;AACZ,8EAA8E;AAE9E,2DAA2D;AAC3D,MAAM,CAAC,MAAM,gBAAgB,GAAG,OAAO,CAAC;AAExC,+DAA+D;AAC/D,MAAM,gBAAgB,GAAG,iBAAiB,CAAC;AAE3C,+EAA+E;AAC/E,MAAM,mBAAmB,GAAG,EAAE,CAAC;AAE/B,sEAAsE;AACtE,MAAM,WAAW,GAAG,CAAC,CAAC;AACtB,MAAM,aAAa,GAAG,KAAK,CAAC,CAAC,eAAe;AAC5C,MAAM,cAAc,GAAG,CAAC,CAAC;AACzB,MAAM,cAAc,GAAG,EAAE,CAAC;AA2B1B,8EAA8E;AAC9E,wEAAwE;AACxE,8EAA8E;AAE9E;;;;;GAKG;AACH,KAAK,UAAU,cAAc,CAC3B,WAAuB,EACvB,WAAuB;IAEvB,MAAM,KAAK,GAAG,IAAI,UAAU,CAAC,EAAE,CAAC,CAAC;IACjC,KAAK,CAAC,GAAG,CAAC,WAAW,EAAE,CAAC,CAAC,CAAC;IAC1B,KAAK,CAAC,GAAG,CAAC,WAAW,EAAE,EAAE,CAAC,CAAC;IAE3B,MAAM,QAAQ,GAAG,MAAM,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC,CAAC,sBAAsB;IAClE,OAAO,UAAU,CAAC,QAAQ,CAAC,CAAC;AAC9B,CAAC;AAED;;;;;;;;GAQG;AACH,MAAM,CAAC,KAAK,UAAU,aAAa,CACjC,OAAmB,EACnB,WAAuB;IAEvB,MAAM,SAAS,GAAG,IAAI,CAAC,GAAG,CAAC,OAAO,EAAE,CAAC;IACrC,MAAM,KAAK,GAAG,MAAM,cAAc,CAAC,SAAS,CAAC,SAAS,EAAE,WAAW,CAAC,CAAC;IAErE,MAAM,SAAS,GAAG,IAAI,CAAC,GAAG,CAAC,OAAO,EAAE,KAAK,EAAE,WAAW,EAAE,SAAS,CAAC,SAAS,CAAC,CAAC;IAC7E,IAAI,CAAC,SAAS,EAAE,CAAC;QACf,MAAM,IAAI,KAAK,CAAC,4BAA4B,CAAC,CAAC;IAChD,CAAC;IAED,oCAAoC;IACpC,MAAM,MAAM,GAAG,IAAI,UAAU,CAAC,EAAE,GAAG,SAAS,CAAC,MAAM,CAAC,CAAC;IACrD,MAAM,CAAC,GAAG,CAAC,SAAS,CAAC,SAAS,EAAE,CAAC,CAAC,CAAC;IACnC,MAAM,CAAC,GAAG,CAAC,SAAS,EAAE,EAAE,CAAC,CAAC;IAC1B,OAAO,MAAM,CAAC;AAChB,CAAC;AAED;;;;;;;GAOG;AACH,MAAM,CAAC,KAAK,UAAU,aAAa,CACjC,MAAkB,EAClB,WAAuB,EACvB,WAAuB;IAEvB,IAAI,MAAM,CAAC,MAAM,GAAG,mBAAmB,EAAE,CAAC;QACxC,MAAM,IAAI,KAAK,CACb,yBAAyB,MAAM,CAAC,MAAM,mBAAmB,mBAAmB,2BAA2B,CACxG,CAAC;IACJ,CAAC;IAED,MAAM,WAAW,GAAG,MAAM,CAAC,QAAQ,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;IAC3C,MAAM,UAAU,GAAG,MAAM,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC;IACvC,MAAM,KAAK,GAAG,MAAM,cAAc,CAAC,WAAW,EAAE,WAAW,CAAC,CAAC;IAE7D,OAAO,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,UAAU,EAAE,KAAK,EAAE,WAAW,EAAE,WAAW,CAAC,CAAC;AACpE,CAAC;AAED,8EAA8E;AAC9E,iBAAiB;AACjB,8EAA8E;AAE9E;;;;;;;;;;;;GAYG;AACH,MAAM,CAAC,KAAK,UAAU,aAAa,CACjC,GAAW,EACX,UAAkB;IAElB,6BAA6B;IAC7B,MAAM,IAAI,GAAG,aAAa,CAAC,UAAU,CAAC,CAAC;IAEvC,8BAA8B;IAC9B,MAAM,OAAO,GAAG,MAAM,QAAQ,CAAC;QAC7B,QAAQ,EAAE,GAAG;QACb,IAAI;QACJ,WAAW,EAAE,cAAc;QAC3B,UAAU,EAAE,WAAW;QACvB,UAAU,EAAE,aAAa;QACzB,UAAU,EAAE,cAAc;QAC1B,UAAU,EAAE,KAAK;KAClB,CAAC,CAAC;IACH,MAAM,IAAI,GAAG,UAAU,CAAC,OAAO,CAAC,CAAC;IAEjC,yBAAyB;IACzB,MAAM,EAAE,UAAU,EAAE,GAAG,MAAM,MAAM,CAAC,aAAa,CAAC,CAAC;IACnD,MAAM,OAAO,GAAG,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,MAAM,EAAE,CAAC;IAC3D,MAAM,IAAI,GAAG,IAAI,UAAU,CAAC,OAAO,CAAC,MAAM,EAAE,OAAO,CAAC,UAAU,EAAE,OAAO,CAAC,UAAU,CAAC,CAAC;IAEpF,+CAA+C;IAC/C,MAAM,UAAU,GAAG,IAAI,UAAU,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC;IACxD,UAAU,CAAC,CAAC,CAAC,IAAI,GAAG,CAAC;IACrB,UAAU,CAAC,EAAE,CAAC,IAAI,GAAG,CAAC;IACtB,UAAU,CAAC,EAAE,CAAC,IAAI,EAAE,CAAC;IAErB,8CAA8C;IAC9C,MAAM,SAAS,GAAG,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;IAEnD,OAAO,EAAE,SAAS,EAAE,SAAS,EAAE,UAAU,EAAE,CAAC;AAC9C,CAAC;AAED,8EAA8E;AAC9E,gCAAgC;AAChC,8EAA8E;AAE9E;;GAEG;AACH,MAAM,UAAU,WAAW,CAAC,KAAa;IACvC,OAAO,KAAK,CAAC,UAAU,CAAC,gBAAgB,CAAC,CAAC;AAC5C,CAAC;AAED;;;;;;;;;;GAUG;AACH,MAAM,CAAC,KAAK,UAAU,YAAY,CAChC,KAAa,EACb,EAAW;IAEX,IAAI,CAAC,WAAW,CAAC,KAAK,CAAC,EAAE,CAAC;QACxB,OAAO,KAAK,CAAC;IACf,CAAC;IAED,MAAM,GAAG,GAAG,KAAK,CAAC,KAAK,CAAC,gBAAgB,CAAC,MAAM,CAAC,CAAC;IACjD,MAAM,MAAM,GAAG,aAAa,CAAC,GAAG,CAAC,CAAC;IAElC,MAAM,SAAS,GAAG,MAAM,aAAa,CAAC,MAAM,EAAE,EAAE,CAAC,SAAS,EAAE,EAAE,CAAC,SAAS,CAAC,CAAC;IAC1E,IAAI,CAAC,SAAS,EAAE,CAAC;QACf,MAAM,IAAI,KAAK,CAAC,oDAAoD,CAAC,CAAC;IACxE,CAAC;IAED,OAAO,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;AAC7C,CAAC;AAED;;;;;;;;GAQG;AACH,MAAM,CAAC,KAAK,UAAU,YAAY,CAChC,SAAiB,EACjB,SAAqB;IAErB,IAAI,SAAS,KAAK,EAAE,EAAE,CAAC;QACrB,OAAO,EAAE,CAAC;IACZ,CAAC;IAED,MAAM,OAAO,GAAG,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;IACpD,MAAM,MAAM,GAAG,MAAM,aAAa,CAAC,OAAO,EAAE,SAAS,CAAC,CAAC;IACvD,OAAO,gBAAgB,GAAG,aAAa,CAAC,MAAM,CAAC,CAAC;AAClD,CAAC;AAED,8EAA8E;AAC9E,WAAW;AACX,8EAA8E;AAE9E;;;;;;;;;GASG;AACH,MAAM,CAAC,KAAK,UAAU,MAAM,CAC1B,EAAW,EACX,WAAmB;IAEnB,IAAI,CAAC;QACH,MAAM,UAAU,GAAG,aAAa,CAAC,WAAW,CAAC,CAAC;QAC9C,MAAM,SAAS,GAAG,MAAM,aAAa,CAAC,UAAU,EAAE,EAAE,CAAC,SAAS,EAAE,EAAE,CAAC,SAAS,CAAC,CAAC;QAC9E,IAAI,CAAC,SAAS;YAAE,OAAO,KAAK,CAAC;QAC7B,OAAO,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,SAAS,CAAC,KAAK,gBAAgB,CAAC;IAClE,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAC;IACf,CAAC;AACH,CAAC;AAED;;;;;GAKG;AACH,MAAM,CAAC,KAAK,UAAU,cAAc,CAAC,EAAW;IAC9C,MAAM,OAAO,GAAG,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,gBAAgB,CAAC,CAAC;IAC3D,MAAM,MAAM,GAAG,MAAM,aAAa,CAAC,OAAO,EAAE,EAAE,CAAC,SAAS,CAAC,CAAC;IAC1D,OAAO,aAAa,CAAC,MAAM,CAAC,CAAC;AAC/B,CAAC;AAED,8EAA8E;AAC9E,8BAA8B;AAC9B,8EAA8E;AAE9E;;;;;;;;;GASG;AACH,MAAM,CAAC,KAAK,UAAU,eAAe,CAAC,GAAW;IAO/C,kEAAkE;IAClE,MAAM,IAAI,GAAG,IAAI,UAAU,CAAC,EAAE,CAAC,CAAC;IAChC,UAAU,CAAC,MAAM,CAAC,eAAe,CAAC,IAAI,CAAC,CAAC;IAExC,wDAAwD;IACxD,MAAM,OAAO,GAAG,aAAa,CAAC,IAAI,CAAC,CAAC;IAEpC,iCAAiC;IACjC,MAAM,EAAE,GAAG,MAAM,aAAa,CAAC,GAAG,EAAE,OAAO,CAAC,CAAC;IAE7C,gDAAgD;IAChD,MAAM,WAAW,GAAG,MAAM,cAAc,CAAC,EAAE,CAAC,CAAC;IAE7C,+BAA+B;IAC/B,MAAM,YAAY,GAAG,aAAa,CAAC,EAAE,CAAC,SAAS,CAAC,CAAC;IAEjD,OAAO;QACL,IAAI,EAAE,OAAO;QACb,SAAS,EAAE,YAAY;QACvB,QAAQ,EAAE,WAAW;QACrB,WAAW,EAAE,OAAO,EAAE,yCAAyC;QAC/D,OAAO,EAAE,EAAE;KACZ,CAAC;AACJ,CAAC;AAED,8EAA8E;AAC9E,wBAAwB;AACxB,8EAA8E;AAE9E;;;;;;;;;;;;;;GAcG;AACH,MAAM,CAAC,KAAK,UAAU,mBAAmB,CACvC,GAAW,EACX,UAAkB,EAClB,cAAsB,EACtB,qBAA6B;IAE7B,MAAM,OAAO,GAAG,MAAM,aAAa,CAAC,GAAG,EAAE,UAAU,CAAC,CAAC;IAErD,uEAAuE;IACvE,MAAM,YAAY,GAAG,aAAa,CAAC,qBAAqB,CAAC,CAAC;IAC1D,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,OAAO,CAAC,SAAS,EAAE,YAAY,CAAC,EAAE,CAAC;QAClD,MAAM,IAAI,KAAK,CAAC,6DAA6D,CAAC,CAAC;IACjF,CAAC;IAED,iEAAiE;IACjE,MAAM,OAAO,GAAG,MAAM,MAAM,CAAC,OAAO,EAAE,cAAc,CAAC,CAAC;IACtD,IAAI,CAAC,OAAO,EAAE,CAAC;QACb,MAAM,IAAI,KAAK,CAAC,wCAAwC,CAAC,CAAC;IAC5D,CAAC;IAED,OAAO;QACL,KAAK,CAAC,OAAO,CAAC,UAAkB;YAC9B,OAAO,YAAY,CAAC,UAAU,EAAE,OAAO,CAAC,CAAC;QAC3C,CAAC;QAED,KAAK,CAAC,OAAO,CAAC,SAAiB;YAC7B,OAAO,YAAY,CAAC,SAAS,EAAE,OAAO,CAAC,SAAS,CAAC,CAAC;QACpD,CAAC;QAED,eAAe;YACb,OAAO,UAAU,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC;QACvC,CAAC;KACF,CAAC;AACJ,CAAC;AAED;;;;;;;;GAQG;AACH,MAAM,UAAU,8BAA8B,CAC5C,eAAuB,EACvB,gBAAwB;IAExB,MAAM,SAAS,GAAG,aAAa,CAAC,eAAe,CAAC,CAAC;IACjD,MAAM,SAAS,GAAG,aAAa,CAAC,gBAAgB,CAAC,CAAC;IAClD,IAAI,SAAS,CAAC,MAAM,KAAK,EAAE,EAAE,CAAC;QAC5B,MAAM,IAAI,KAAK,CAAC,qDAAqD,SAAS,CAAC,MAAM,EAAE,CAAC,CAAC;IAC3F,CAAC;IACD,IAAI,SAAS,CAAC,MAAM,KAAK,EAAE,EAAE,CAAC;QAC5B,MAAM,IAAI,KAAK,CAAC,sDAAsD,SAAS,CAAC,MAAM,EAAE,CAAC,CAAC;IAC5F,CAAC;IACD,MAAM,OAAO,GAAY,EAAE,SAAS,EAAE,SAAS,EAAE,CAAC;IAElD,OAAO;QACL,KAAK,CAAC,OAAO,CAAC,UAAkB;YAC9B,OAAO,YAAY,CAAC,UAAU,EAAE,OAAO,CAAC,CAAC;QAC3C,CAAC;QACD,KAAK,CAAC,OAAO,CAAC,SAAiB;YAC7B,OAAO,YAAY,CAAC,SAAS,EAAE,OAAO,CAAC,SAAS,CAAC,CAAC;QACpD,CAAC;QACD,eAAe;YACb,OAAO,UAAU,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC;QACvC,CAAC;KACF,CAAC;AACJ,CAAC;AAED,8EAA8E;AAC9E,mBAAmB;AACnB,8EAA8E;AAE9E;;;GAGG;AACH,SAAS,aAAa,CAAC,GAAW;IAChC,IAAI,CAAC,wBAAwB,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC;QACxC,MAAM,IAAI,KAAK,CAAC,uBAAuB,CAAC,CAAC;IAC3C,CAAC;IACD,MAAM,GAAG,GAAG,MAAM,CAAC,IAAI,CAAC,GAAG,EAAE,QAAQ,CAAC,CAAC;IACvC,OAAO,IAAI,UAAU,CAAC,GAAG,CAAC,MAAM,EAAE,GAAG,CAAC,UAAU,EAAE,GAAG,CAAC,UAAU,CAAC,CAAC;AACpE,CAAC;AAED,uFAAuF;AACvF,MAAM,UAAU,aAAa,CAAC,KAAiB;IAC7C,OAAO,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;AAC/C,CAAC;AAED,4CAA4C;AAC5C,SAAS,UAAU,CAAC,GAAW;IAC7B,MAAM,KAAK,GAAG,IAAI,UAAU,CAAC,GAAG,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC;IAC7C,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,GAAG,CAAC,MAAM,EAAE,CAAC,IAAI,CAAC,EAAE,CAAC;QACvC,KAAK,CAAC,CAAC,GAAG,CAAC,CAAC,GAAG,QAAQ,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC,EAAE,CAAC,GAAG,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;IACvD,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC;AAED,+CAA+C;AAC/C,SAAS,UAAU,CAAC,KAAiB;IACnC,OAAO,KAAK,CAAC,IAAI,CAAC,KAAK,CAAC;SACrB,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC;SAC3C,IAAI,CAAC,EAAE,CAAC,CAAC;AACd,CAAC"}