@ripwords/myinvois-client 0.3.7 → 0.4.0

package/dist/index15.cjs

@@ -1,193 +1,329 @@
+const require_document = require('./document-B11B5lqd.cjs');
+require('./formatIdValue-i67o4kyD.cjs');
+const crypto = require_document.__toESM(require("crypto"));
 
-//#region src/utils/validation.ts
+//#region src/utils/signature-diagnostics.ts
 /**
-* Validates TIN format based on registration type
+* Analyzes certificate for MyInvois compatibility issues
 */
-const validateTIN = (tin, registrationType) => {
-	const errors = [];
-	if (!tin) {
-		errors.push({
-			field: "tin",
-			code: "TIN_REQUIRED",
-			message: "TIN is required",
-			severity: "error"
+function analyzeCertificateForDiagnostics(certificatePem) {
+	const issues = [];
+	const recommendations = [];
+	try {
+		const cert = new crypto.default.X509Certificate(certificatePem);
+		const certInfo = require_document.extractCertificateInfo(certificatePem);
+		const parseSubjectFields = (dn) => {
+			const fields = {};
+			dn.split("\n").forEach((line) => {
+				const trimmed = line.trim();
+				if (trimmed.includes("=")) {
+					const [key, ...valueParts] = trimmed.split("=");
+					if (key) fields[key.trim()] = valueParts.join("=").trim();
+				}
+			});
+			return fields;
+		};
+		const subjectFields = parseSubjectFields(cert.subject);
+		const organizationIdentifier = subjectFields["organizationIdentifier"] || subjectFields["2.5.4.97"];
+		const serialNumber = subjectFields["serialNumber"];
+		if (!organizationIdentifier) {
+			issues.push("DS311: Certificate missing organizationIdentifier field (TIN)");
+			recommendations.push("CRITICAL: Generate new certificate with organizationIdentifier matching your MyInvois TIN");
+			recommendations.push("Portal Error: \"Signer of invoice doesn't match the submitter of document. TIN doesn't match with the OI.\"");
+		} else if (organizationIdentifier.length < 10) {
+			issues.push("DS311: OrganizationIdentifier (TIN) appears too short - may cause submission rejection");
+			recommendations.push("Verify TIN format matches exactly what is registered in MyInvois");
+		}
+		if (!serialNumber) {
+			issues.push("DS312: Certificate missing serialNumber field (business registration)");
+			recommendations.push("CRITICAL: Generate new certificate with serialNumber matching your business registration");
+			recommendations.push("Portal Error: \"Submitter registration/identity number doesn't match with the certificate SERIALNUMBER.\"");
+		}
+		if (cert.issuer === cert.subject) {
+			issues.push("DS329: Self-signed certificate detected - will fail chain of trust validation");
+			recommendations.push("BLOCKING: Obtain certificate from MyInvois-approved CA:");
+			recommendations.push("• MSC Trustgate Sdn Bhd");
+			recommendations.push("• DigiCert Sdn Bhd");
+			recommendations.push("• Cybersign Asia Sdn Bhd");
+			recommendations.push("Portal Error: \"Certificate is not valid according to the chain of trust validation or has been issued by an untrusted certificate authority.\"");
+		} else {
+			const issuerName = cert.issuer.toLowerCase();
+			const approvedCAs = [
+				"msc trustgate",
+				"digicert",
+				"cybersign"
+			];
+			const isFromApprovedCA = approvedCAs.some((ca) => issuerName.includes(ca));
+			if (!isFromApprovedCA) {
+				issues.push("DS329: Certificate may not be from MyInvois-approved CA");
+				recommendations.push("Verify certificate was issued by an approved CA for MyInvois");
+			}
+		}
+		const rawIssuer = cert.issuer;
+		const normalizedIssuer = certInfo.issuerName;
+		const normalizedIssuerIssues = [
+			{
+				check: normalizedIssuer.includes("\n"),
+				issue: "Normalized issuer still contains newlines"
+			},
+			{
+				check: normalizedIssuer.includes("  "),
+				issue: "Normalized issuer contains double spaces"
+			},
+			{
+				check: /=\s+/.test(normalizedIssuer),
+				issue: "Normalized issuer has spaces after equals"
+			},
+			{
+				check: /\s+=/.test(normalizedIssuer),
+				issue: "Normalized issuer has spaces before equals"
+			},
+			{
+				check: normalizedIssuer.includes("\r"),
+				issue: "Normalized issuer contains carriage returns"
+			}
+		];
+		const hasActualFormatIssues = normalizedIssuerIssues.some(({ check, issue }) => {
+			if (check) {
+				issues.push(`DS326: ${issue} - will cause X509IssuerName mismatch`);
+				return true;
+			}
+			return false;
 		});
-		return errors;
+		const hasRawIssuesButNormalizedOk = rawIssuer.includes("\n") && !normalizedIssuer.includes("\n");
+		if (hasActualFormatIssues) {
+			recommendations.push("CRITICAL: Fix issuer name normalization in signature generation");
+			recommendations.push("Portal Error: \"Certificate X509IssuerName doesn't match the X509IssuerName value provided in the signed properties section.\"");
+			recommendations.push("The normalization function is not properly formatting the issuer name");
+			recommendations.push("Debug: Check document.ts extractCertificateInfo() normalization logic");
+		} else if (hasRawIssuesButNormalizedOk) console.log("ℹ️  Note: Raw certificate issuer has newlines but normalization is handling them correctly");
+		const now = /* @__PURE__ */ new Date();
+		const validFrom = new Date(cert.validFrom);
+		const validTo = new Date(cert.validTo);
+		if (now < validFrom) {
+			issues.push("DS329: Certificate not yet valid (future start date)");
+			recommendations.push("Wait until certificate validity period begins");
+		}
+		if (now > validTo) {
+			issues.push("DS329: Certificate has expired");
+			recommendations.push("BLOCKING: Renew certificate - expired certificates are rejected");
+		}
+		try {
+			if (cert.keyUsage && !cert.keyUsage.includes("digital signature")) {
+				issues.push("DS333: Certificate lacks digitalSignature key usage");
+				recommendations.push("Generate new certificate with digitalSignature key usage enabled");
+			}
+		} catch {
+			console.log("Note: Could not check key usage extensions");
+		}
+		return {
+			organizationIdentifier,
+			serialNumber,
+			issuerName: certInfo.issuerName,
+			subjectName: certInfo.subjectName,
+			issues,
+			recommendations
+		};
+	} catch (error) {
+		issues.push(`Certificate parsing failed: ${error}`);
+		recommendations.push("Verify certificate format and validity");
+		return {
+			issuerName: "",
+			subjectName: "",
+			issues,
+			recommendations
+		};
 	}
-	if (registrationType === "BRN" && !tin.startsWith("C")) errors.push({
-		field: "tin",
-		code: "TIN_FORMAT_INVALID",
-		message: "Company TIN should start with \"C\" for BRN registration",
-		severity: "warning"
-	});
-	if (registrationType === "NRIC" && !tin.startsWith("IG")) errors.push({
-		field: "tin",
-		code: "TIN_FORMAT_INVALID",
-		message: "Individual TIN should start with \"IG\" for NRIC registration",
-		severity: "warning"
-	});
-	if (tin.length > 14) errors.push({
-		field: "tin",
-		code: "TIN_LENGTH_INVALID",
-		message: "TIN cannot exceed 14 characters",
-		severity: "error"
-	});
-	return errors;
-};
+}
 /**
-* Validates contact number format (E.164 standard)
+* Analyzes signature generation for potential issues
 */
-const validateContactNumber = (contactNumber) => {
-	const errors = [];
-	if (!contactNumber || contactNumber === "NA") return errors;
-	const e164Regex = /^\+[1-9]\d{1,14}$/;
-	if (!e164Regex.test(contactNumber)) errors.push({
-		field: "contactNumber",
-		code: "CONTACT_FORMAT_INVALID",
-		message: "Contact number must be in E.164 format (e.g., +60123456789)",
-		severity: "error"
-	});
-	if (contactNumber.length < 8) errors.push({
-		field: "contactNumber",
-		code: "CONTACT_LENGTH_INVALID",
-		message: "Contact number must be at least 8 characters",
-		severity: "error"
-	});
-	return errors;
-};
+function analyzeSignatureForDiagnostics(invoices, certificatePem) {
+	const issues = [];
+	const recommendations = [];
+	try {
+		const documentDigest = require_document.calculateDocumentDigest(invoices);
+		const certificateDigest = require_document.calculateCertificateDigest(certificatePem);
+		const certInfo = require_document.extractCertificateInfo(certificatePem);
+		const signingTime = (/* @__PURE__ */ new Date()).toISOString();
+		const signedProperties = require_document.createSignedProperties(certificateDigest, signingTime, certInfo.issuerName, certInfo.serialNumber);
+		const signedPropertiesDigest = require_document.calculateSignedPropertiesDigest(signedProperties);
+		if (documentDigest.length === 0) {
+			issues.push("DS333: Document digest generation failed");
+			recommendations.push("CRITICAL: Verify document serialization excludes UBLExtensions/Signature");
+			recommendations.push("Portal Error: \"Document signature value is not a valid signature of the document digest using the public key of the certificate provided.\"");
+		}
+		if (certificateDigest.length === 0) {
+			issues.push("DS333: Certificate digest generation failed");
+			recommendations.push("CRITICAL: Verify certificate format and encoding");
+			recommendations.push("Certificate must be properly base64 encoded without headers/footers");
+		}
+		if (signedPropertiesDigest.length === 0) {
+			issues.push("DS333: Signed properties digest generation failed");
+			recommendations.push("CRITICAL: Verify signed properties structure and canonicalization");
+			recommendations.push("Check XML canonicalization (C14N) is applied correctly");
+		}
+		try {
+			const cert = new crypto.default.X509Certificate(certificatePem);
+			const publicKey = cert.publicKey;
+			const keyDetails = publicKey.asymmetricKeyDetails;
+			if (keyDetails) {
+				if (publicKey.asymmetricKeyType === "rsa" && keyDetails.modulusLength && keyDetails.modulusLength < 2048) {
+					issues.push("DS333: RSA key size too small (minimum 2048 bits required)");
+					recommendations.push("CRITICAL: Generate new certificate with RSA 2048+ bits");
+				}
+				const supportedKeyTypes = ["rsa", "ec"];
+				if (!supportedKeyTypes.includes(publicKey.asymmetricKeyType || "")) {
+					issues.push(`DS333: Unsupported key type: ${publicKey.asymmetricKeyType}`);
+					recommendations.push("CRITICAL: Use RSA or EC key types for MyInvois compatibility");
+				}
+			}
+			const certBuffer = Buffer.from(certificatePem.replace(/-----[^-]+-----/g, "").replace(/\s/g, ""), "base64");
+			if (certBuffer.length === 0) {
+				issues.push("DS333: Certificate encoding appears invalid");
+				recommendations.push("CRITICAL: Verify certificate is properly PEM encoded");
+			}
+		} catch (error) {
+			issues.push(`DS333: Certificate validation failed - ${error}`);
+			recommendations.push("CRITICAL: Verify certificate format and structure are valid");
+		}
+		const isValidBase64 = (str) => {
+			try {
+				return Buffer.from(str, "base64").toString("base64") === str;
+			} catch {
+				return false;
+			}
+		};
+		if (documentDigest && !isValidBase64(documentDigest)) {
+			issues.push("DS333: Document digest is not valid base64 format");
+			recommendations.push("Ensure digest is properly base64 encoded");
+		}
+		if (certificateDigest && !isValidBase64(certificateDigest)) {
+			issues.push("DS333: Certificate digest is not valid base64 format");
+			recommendations.push("Ensure certificate digest is properly base64 encoded");
+		}
+		if (signedPropertiesDigest && !isValidBase64(signedPropertiesDigest)) {
+			issues.push("DS333: Signed properties digest is not valid base64 format");
+			recommendations.push("Ensure signed properties digest is properly base64 encoded");
+		}
+		return {
+			documentDigest,
+			certificateDigest,
+			signedPropertiesDigest,
+			issues,
+			recommendations
+		};
+	} catch (error) {
+		issues.push(`Signature analysis failed: ${error}`);
+		recommendations.push("Review signature generation implementation");
+		return {
+			documentDigest: "",
+			certificateDigest: "",
+			signedPropertiesDigest: "",
+			issues,
+			recommendations
+		};
+	}
+}
 /**
-* Validates monetary amounts
+* Comprehensive signature diagnostics
 */
-const validateMonetaryAmount = (amount, fieldName, maxDigits = 18, maxDecimals = 2) => {
-	const errors = [];
-	if (amount < 0) errors.push({
-		field: fieldName,
-		code: "AMOUNT_NEGATIVE",
-		message: `${fieldName} cannot be negative`,
-		severity: "error"
-	});
-	const amountStr = amount.toString();
-	const [integerPart, decimalPart] = amountStr.split(".");
-	if (integerPart && integerPart.length > maxDigits - maxDecimals) errors.push({
-		field: fieldName,
-		code: "AMOUNT_DIGITS_EXCEEDED",
-		message: `${fieldName} exceeds maximum ${maxDigits} digits`,
-		severity: "error"
-	});
-	if (decimalPart && decimalPart.length > maxDecimals) errors.push({
-		field: fieldName,
-		code: "AMOUNT_DECIMALS_EXCEEDED",
-		message: `${fieldName} exceeds maximum ${maxDecimals} decimal places`,
-		severity: "error"
-	});
-	return errors;
-};
+function diagnoseSignatureIssues(invoices, certificatePem) {
+	const certificateAnalysis = analyzeCertificateForDiagnostics(certificatePem);
+	const signatureAnalysis = analyzeSignatureForDiagnostics(invoices, certificatePem);
+	const certificateIssues = certificateAnalysis.issues.length;
+	const signatureIssues = signatureAnalysis.issues.length;
+	return {
+		certificateAnalysis,
+		signatureAnalysis,
+		summary: {
+			totalIssues: certificateIssues + signatureIssues,
+			certificateIssues,
+			signatureIssues
+		}
+	};
+}
 /**
-* Validates line item tax calculation consistency for both fixed rate and percentage taxation
+* Prints diagnostic results in a formatted way
 */
-const validateLineItemTax = (item, index) => {
-	const errors = [];
-	const tolerance = .01;
-	const hasFixedRate = item.taxPerUnitAmount !== void 0 && item.baseUnitMeasure !== void 0;
-	const hasPercentageRate = item.taxRate !== void 0;
-	if (!hasFixedRate && !hasPercentageRate) {
-		errors.push({
-			field: `lineItem[${index}]`,
-			code: "TAX_METHOD_MISSING",
-			message: `Line item ${index + 1} must specify either taxRate (for percentage) or taxPerUnitAmount + baseUnitMeasure (for fixed rate)`,
-			severity: "error"
+function printDiagnostics(result) {
+	console.log("\n🔍 MyInvois Signature Diagnostics Report");
+	console.log("=".repeat(60));
+	console.log("\n📜 CERTIFICATE ANALYSIS");
+	console.log("-".repeat(30));
+	console.log(`  Issuer: ${result.certificateAnalysis.issuerName}`);
+	console.log(`  Subject: ${result.certificateAnalysis.subjectName}`);
+	if (result.certificateAnalysis.organizationIdentifier) console.log(`  Organization ID (TIN): ${result.certificateAnalysis.organizationIdentifier}`);
+	if (result.certificateAnalysis.serialNumber) console.log(`  Serial Number: ${result.certificateAnalysis.serialNumber}`);
+	if (result.certificateAnalysis.issues.length > 0) {
+		console.log("\n  🚨 Certificate Issues:");
+		result.certificateAnalysis.issues.forEach((issue, index) => {
+			console.log(`    ${index + 1}. ${issue}`);
 		});
-		return errors;
 	}
-	if (hasFixedRate && hasPercentageRate) errors.push({
-		field: `lineItem[${index}]`,
-		code: "TAX_METHOD_CONFLICT",
-		message: `Line item ${index + 1} cannot have both percentage and fixed rate tax methods`,
-		severity: "error"
-	});
-	if (hasFixedRate) {
-		if (item.baseUnitMeasureCode === void 0) errors.push({
-			field: `lineItem[${index}].baseUnitMeasureCode`,
-			code: "UNIT_CODE_MISSING",
-			message: `Line item ${index + 1} with fixed rate tax must specify baseUnitMeasureCode`,
-			severity: "error"
+	if (result.certificateAnalysis.recommendations.length > 0) {
+		console.log("\n  💡 Certificate Recommendations:");
+		result.certificateAnalysis.recommendations.forEach((rec, index) => {
+			console.log(`    ${index + 1}. ${rec}`);
 		});
-		const expectedTaxAmount = item.taxPerUnitAmount * item.baseUnitMeasure;
-		if (Math.abs(item.taxAmount - expectedTaxAmount) > tolerance) errors.push({
-			field: `lineItem[${index}].taxAmount`,
-			code: "FIXED_TAX_CALCULATION_MISMATCH",
-			message: `Line item ${index + 1} tax amount (${item.taxAmount}) doesn't match fixed rate calculation (${item.taxPerUnitAmount} × ${item.baseUnitMeasure} = ${expectedTaxAmount})`,
-			severity: "error"
+	}
+	console.log("\n🔐 SIGNATURE ANALYSIS");
+	console.log("-".repeat(30));
+	console.log(`  Document Digest: ${result.signatureAnalysis.documentDigest.substring(0, 32)}...`);
+	console.log(`  Certificate Digest: ${result.signatureAnalysis.certificateDigest.substring(0, 32)}...`);
+	console.log(`  Signed Properties Digest: ${result.signatureAnalysis.signedPropertiesDigest.substring(0, 32)}...`);
+	if (result.signatureAnalysis.issues.length > 0) {
+		console.log("\n  🚨 Signature Issues:");
+		result.signatureAnalysis.issues.forEach((issue, index) => {
+			console.log(`    ${index + 1}. ${issue}`);
 		});
 	}
-	if (hasPercentageRate && !hasFixedRate) {
-		const expectedTaxAmount = item.totalTaxableAmountPerLine * item.taxRate / 100;
-		if (Math.abs(item.taxAmount - expectedTaxAmount) > tolerance) errors.push({
-			field: `lineItem[${index}].taxAmount`,
-			code: "PERCENTAGE_TAX_CALCULATION_MISMATCH",
-			message: `Line item ${index + 1} tax amount (${item.taxAmount}) doesn't match percentage calculation (${item.totalTaxableAmountPerLine} × ${item.taxRate}% = ${expectedTaxAmount})`,
-			severity: "error"
+	if (result.signatureAnalysis.recommendations.length > 0) {
+		console.log("\n  💡 Signature Recommendations:");
+		result.signatureAnalysis.recommendations.forEach((rec, index) => {
+			console.log(`    ${index + 1}. ${rec}`);
 		});
 	}
-	return errors;
-};
-/**
-* Validates tax calculation consistency
-*/
-const validateTaxCalculations = (invoice) => {
-	const errors = [];
-	invoice.invoiceLineItems.forEach((item, index) => {
-		errors.push(...validateLineItemTax(item, index));
-	});
-	const expectedTaxExclusive = invoice.invoiceLineItems.reduce((sum, item) => sum + item.totalTaxableAmountPerLine, 0);
-	const expectedTaxAmount = invoice.invoiceLineItems.reduce((sum, item) => sum + item.taxAmount, 0);
-	const tolerance = .01;
-	if (Math.abs(invoice.legalMonetaryTotal.taxExclusiveAmount - expectedTaxExclusive) > tolerance) errors.push({
-		field: "legalMonetaryTotal.taxExclusiveAmount",
-		code: "TAX_EXCLUSIVE_MISMATCH",
-		message: `Tax exclusive amount (${invoice.legalMonetaryTotal.taxExclusiveAmount}) doesn't match sum of line items (${expectedTaxExclusive})`,
-		severity: "error"
-	});
-	if (Math.abs(invoice.taxTotal.taxAmount - expectedTaxAmount) > tolerance) errors.push({
-		field: "taxTotal.taxAmount",
-		code: "TAX_AMOUNT_MISMATCH",
-		message: `Tax amount (${invoice.taxTotal.taxAmount}) doesn't match sum of line item taxes (${expectedTaxAmount})`,
-		severity: "error"
-	});
-	return errors;
-};
-/**
-* Main validation function for complete invoice
-*/
-const validateInvoice = (invoice) => {
-	const allErrors = [];
-	allErrors.push(...validateTIN(invoice.supplier.tin, invoice.supplier.registrationType));
-	allErrors.push(...validateTIN(invoice.buyer.tin, invoice.buyer.registrationType));
-	allErrors.push(...validateContactNumber(invoice.supplier.contactNumber));
-	allErrors.push(...validateContactNumber(invoice.buyer.contactNumber));
-	allErrors.push(...validateMonetaryAmount(invoice.legalMonetaryTotal.taxExclusiveAmount, "taxExclusiveAmount"));
-	allErrors.push(...validateMonetaryAmount(invoice.legalMonetaryTotal.payableAmount, "payableAmount"));
-	allErrors.push(...validateMonetaryAmount(invoice.taxTotal.taxAmount, "taxAmount"));
-	invoice.invoiceLineItems.forEach((item, index) => {
-		allErrors.push(...validateMonetaryAmount(item.unitPrice, `lineItem[${index}].unitPrice`));
-		allErrors.push(...validateMonetaryAmount(item.taxAmount, `lineItem[${index}].taxAmount`));
-		allErrors.push(...validateMonetaryAmount(item.totalTaxableAmountPerLine, `lineItem[${index}].totalTaxableAmountPerLine`));
-	});
-	allErrors.push(...validateTaxCalculations(invoice));
-	const errors = allErrors.filter((e) => e.severity === "error");
-	const warnings = allErrors.filter((e) => e.severity === "warning");
-	return {
-		isValid: errors.length === 0,
-		errors,
-		warnings
-	};
-};
+	console.log("\n📊 SUMMARY");
+	console.log("-".repeat(30));
+	console.log(`  Total Issues Found: ${result.summary.totalIssues}`);
+	console.log(`  Certificate Issues: ${result.summary.certificateIssues}`);
+	console.log(`  Signature Issues: ${result.summary.signatureIssues}`);
+	if (result.summary.totalIssues === 0) {
+		console.log("\n  ✅ No issues detected in current analysis");
+		console.log("  🎉 Certificate and signature implementation appear valid");
+	} else {
+		console.log("\n  ⚠️  Issues detected - review recommendations above");
+		const hasDS311 = result.certificateAnalysis.issues.some((issue) => issue.includes("DS311"));
+		const hasDS312 = result.certificateAnalysis.issues.some((issue) => issue.includes("DS312"));
+		const hasDS326 = result.certificateAnalysis.issues.some((issue) => issue.includes("DS326"));
+		const hasDS329 = result.certificateAnalysis.issues.some((issue) => issue.includes("DS329"));
+		const hasDS333 = result.signatureAnalysis.issues.some((issue) => issue.includes("DS333"));
+		console.log("\n  🎯 MYINVOIS PORTAL ERROR ANALYSIS:");
+		if (hasDS311) console.log("     ❌ DS311 - TIN mismatch between certificate and submitter");
+		if (hasDS312) console.log("     ❌ DS312 - Registration number mismatch with certificate");
+		if (hasDS326) console.log("     ❌ DS326 - X509IssuerName format inconsistency");
+		if (hasDS329) console.log("     ❌ DS329 - Certificate trust chain validation failure");
+		if (hasDS333) console.log("     ❌ DS333 - Document signature validation failure");
+		if (result.summary.certificateIssues > 0) {
+			console.log("\n  🚨 PRIMARY ACTION REQUIRED:");
+			console.log("     Certificate issues must be resolved first");
+			console.log("     Self-generated certificates cannot pass MyInvois validation");
+		}
+		if (result.summary.signatureIssues > 0) {
+			console.log("\n  ⚙️  SECONDARY ACTION:");
+			console.log("     Review and optimize signature implementation");
+		}
+		console.log("\n  📋 NEXT STEPS:");
+		console.log("     1. Address BLOCKING/CRITICAL issues first");
+		console.log("     2. Test with updated certificate/implementation");
+		console.log("     3. Re-run diagnostics to verify fixes");
+		console.log("     4. Submit test document to MyInvois portal");
+	}
+	console.log("\n" + "=".repeat(60));
+}
 
 //#endregion
-exports.validateContactNumber = validateContactNumber;
-exports.validateInvoice = validateInvoice;
-exports.validateLineItemTax = validateLineItemTax;
-exports.validateMonetaryAmount = validateMonetaryAmount;
-exports.validateTIN = validateTIN;
-exports.validateTaxCalculations = validateTaxCalculations;
+exports.diagnoseSignatureIssues = diagnoseSignatureIssues;
+exports.printDiagnostics = printDiagnostics;
 //# sourceMappingURL=index15.cjs.map

package/dist/index15.cjs.map

@@ -1 +1 @@
-{"version":3,"file":"index15.cjs","names":["tin: string","registrationType?: string","errors: ValidationError[]","contactNumber: string","amount: number","fieldName: string","item: InvoiceLineItem","index: number","invoice: InvoiceV1_1","allErrors: ValidationError[]"],"sources":["../src/utils/validation.ts"],"sourcesContent":["import type { InvoiceV1_1, InvoiceLineItem } from '../types'\n\n/**\n * MyInvois Invoice Validation Utilities\n *\n * Provides comprehensive validation for invoice data before document generation\n * and submission to ensure compliance with MyInvois business rules and format requirements.\n */\n\nexport interface ValidationResult {\n  isValid: boolean\n  errors: ValidationError[]\n  warnings: ValidationWarning[]\n}\n\nexport interface ValidationError {\n  field: string\n  code: string\n  message: string\n  severity: 'error' | 'warning'\n}\n\nexport interface ValidationWarning extends ValidationError {\n  severity: 'warning'\n}\n\n/**\n * Validates TIN format based on registration type\n */\nexport const validateTIN = (\n  tin: string,\n  registrationType?: string,\n): ValidationError[] => {\n  const errors: ValidationError[] = []\n\n  if (!tin) {\n    errors.push({\n      field: 'tin',\n      code: 'TIN_REQUIRED',\n      message: 'TIN is required',\n      severity: 'error',\n    })\n    return errors\n  }\n\n  // TIN format validation based on type\n  if (registrationType === 'BRN' && !tin.startsWith('C')) {\n    errors.push({\n      field: 'tin',\n      code: 'TIN_FORMAT_INVALID',\n      message: 'Company TIN should start with \"C\" for BRN registration',\n      severity: 'warning',\n    })\n  }\n\n  if (registrationType === 'NRIC' && !tin.startsWith('IG')) {\n    errors.push({\n      field: 'tin',\n      code: 'TIN_FORMAT_INVALID',\n      message: 'Individual TIN should start with \"IG\" for NRIC registration',\n      severity: 'warning',\n    })\n  }\n\n  // Length validation\n  if (tin.length > 14) {\n    errors.push({\n      field: 'tin',\n      code: 'TIN_LENGTH_INVALID',\n      message: 'TIN cannot exceed 14 characters',\n      severity: 'error',\n    })\n  }\n\n  return errors\n}\n\n/**\n * Validates contact number format (E.164 standard)\n */\nexport const validateContactNumber = (\n  contactNumber: string,\n): ValidationError[] => {\n  const errors: ValidationError[] = []\n\n  if (!contactNumber || contactNumber === 'NA') {\n    return errors // Allow NA for consolidated e-invoices\n  }\n\n  // E.164 format validation\n  const e164Regex = /^\\+[1-9]\\d{1,14}$/\n  if (!e164Regex.test(contactNumber)) {\n    errors.push({\n      field: 'contactNumber',\n      code: 'CONTACT_FORMAT_INVALID',\n      message: 'Contact number must be in E.164 format (e.g., +60123456789)',\n      severity: 'error',\n    })\n  }\n\n  if (contactNumber.length < 8) {\n    errors.push({\n      field: 'contactNumber',\n      code: 'CONTACT_LENGTH_INVALID',\n      message: 'Contact number must be at least 8 characters',\n      severity: 'error',\n    })\n  }\n\n  return errors\n}\n\n/**\n * Validates monetary amounts\n */\nexport const validateMonetaryAmount = (\n  amount: number,\n  fieldName: string,\n  maxDigits = 18,\n  maxDecimals = 2,\n): ValidationError[] => {\n  const errors: ValidationError[] = []\n\n  if (amount < 0) {\n    errors.push({\n      field: fieldName,\n      code: 'AMOUNT_NEGATIVE',\n      message: `${fieldName} cannot be negative`,\n      severity: 'error',\n    })\n  }\n\n  // Check total digits\n  const amountStr = amount.toString()\n  const [integerPart, decimalPart] = amountStr.split('.')\n\n  if (integerPart && integerPart.length > maxDigits - maxDecimals) {\n    errors.push({\n      field: fieldName,\n      code: 'AMOUNT_DIGITS_EXCEEDED',\n      message: `${fieldName} exceeds maximum ${maxDigits} digits`,\n      severity: 'error',\n    })\n  }\n\n  if (decimalPart && decimalPart.length > maxDecimals) {\n    errors.push({\n      field: fieldName,\n      code: 'AMOUNT_DECIMALS_EXCEEDED',\n      message: `${fieldName} exceeds maximum ${maxDecimals} decimal places`,\n      severity: 'error',\n    })\n  }\n\n  return errors\n}\n\n/**\n * Validates line item tax calculation consistency for both fixed rate and percentage taxation\n */\nexport const validateLineItemTax = (\n  item: InvoiceLineItem,\n  index: number,\n): ValidationError[] => {\n  const errors: ValidationError[] = []\n  const tolerance = 0.01\n\n  // Check if tax calculation method is specified\n  const hasFixedRate =\n    item.taxPerUnitAmount !== undefined && item.baseUnitMeasure !== undefined\n  const hasPercentageRate = item.taxRate !== undefined\n\n  if (!hasFixedRate && !hasPercentageRate) {\n    errors.push({\n      field: `lineItem[${index}]`,\n      code: 'TAX_METHOD_MISSING',\n      message: `Line item ${index + 1} must specify either taxRate (for percentage) or taxPerUnitAmount + baseUnitMeasure (for fixed rate)`,\n      severity: 'error',\n    })\n    return errors\n  }\n\n  if (hasFixedRate && hasPercentageRate) {\n    errors.push({\n      field: `lineItem[${index}]`,\n      code: 'TAX_METHOD_CONFLICT',\n      message: `Line item ${index + 1} cannot have both percentage and fixed rate tax methods`,\n      severity: 'error',\n    })\n  }\n\n  // Validate fixed rate tax calculation\n  if (hasFixedRate) {\n    if (item.baseUnitMeasureCode === undefined) {\n      errors.push({\n        field: `lineItem[${index}].baseUnitMeasureCode`,\n        code: 'UNIT_CODE_MISSING',\n        message: `Line item ${index + 1} with fixed rate tax must specify baseUnitMeasureCode`,\n        severity: 'error',\n      })\n    }\n\n    const expectedTaxAmount = item.taxPerUnitAmount! * item.baseUnitMeasure!\n    if (Math.abs(item.taxAmount - expectedTaxAmount) > tolerance) {\n      errors.push({\n        field: `lineItem[${index}].taxAmount`,\n        code: 'FIXED_TAX_CALCULATION_MISMATCH',\n        message: `Line item ${index + 1} tax amount (${item.taxAmount}) doesn't match fixed rate calculation (${item.taxPerUnitAmount} × ${item.baseUnitMeasure} = ${expectedTaxAmount})`,\n        severity: 'error',\n      })\n    }\n  }\n\n  // Validate percentage tax calculation\n  if (hasPercentageRate && !hasFixedRate) {\n    const expectedTaxAmount =\n      (item.totalTaxableAmountPerLine * item.taxRate!) / 100\n    if (Math.abs(item.taxAmount - expectedTaxAmount) > tolerance) {\n      errors.push({\n        field: `lineItem[${index}].taxAmount`,\n        code: 'PERCENTAGE_TAX_CALCULATION_MISMATCH',\n        message: `Line item ${index + 1} tax amount (${item.taxAmount}) doesn't match percentage calculation (${item.totalTaxableAmountPerLine} × ${item.taxRate}% = ${expectedTaxAmount})`,\n        severity: 'error',\n      })\n    }\n  }\n\n  return errors\n}\n\n/**\n * Validates tax calculation consistency\n */\nexport const validateTaxCalculations = (\n  invoice: InvoiceV1_1,\n): ValidationError[] => {\n  const errors: ValidationError[] = []\n\n  // Validate individual line item tax calculations\n  invoice.invoiceLineItems.forEach((item, index) => {\n    errors.push(...validateLineItemTax(item, index))\n  })\n\n  // Calculate expected totals from line items\n  const expectedTaxExclusive = invoice.invoiceLineItems.reduce(\n    (sum, item) => sum + item.totalTaxableAmountPerLine,\n    0,\n  )\n  const expectedTaxAmount = invoice.invoiceLineItems.reduce(\n    (sum, item) => sum + item.taxAmount,\n    0,\n  )\n\n  // Allow small rounding differences (0.01)\n  const tolerance = 0.01\n\n  if (\n    Math.abs(\n      invoice.legalMonetaryTotal.taxExclusiveAmount - expectedTaxExclusive,\n    ) > tolerance\n  ) {\n    errors.push({\n      field: 'legalMonetaryTotal.taxExclusiveAmount',\n      code: 'TAX_EXCLUSIVE_MISMATCH',\n      message: `Tax exclusive amount (${invoice.legalMonetaryTotal.taxExclusiveAmount}) doesn't match sum of line items (${expectedTaxExclusive})`,\n      severity: 'error',\n    })\n  }\n\n  if (Math.abs(invoice.taxTotal.taxAmount - expectedTaxAmount) > tolerance) {\n    errors.push({\n      field: 'taxTotal.taxAmount',\n      code: 'TAX_AMOUNT_MISMATCH',\n      message: `Tax amount (${invoice.taxTotal.taxAmount}) doesn't match sum of line item taxes (${expectedTaxAmount})`,\n      severity: 'error',\n    })\n  }\n\n  return errors\n}\n\n/**\n * Main validation function for complete invoice\n */\nexport const validateInvoice = (invoice: InvoiceV1_1): ValidationResult => {\n  const allErrors: ValidationError[] = []\n\n  // Core field validations\n  allErrors.push(\n    ...validateTIN(invoice.supplier.tin, invoice.supplier.registrationType),\n  )\n  allErrors.push(\n    ...validateTIN(invoice.buyer.tin, invoice.buyer.registrationType),\n  )\n\n  allErrors.push(...validateContactNumber(invoice.supplier.contactNumber))\n  allErrors.push(...validateContactNumber(invoice.buyer.contactNumber))\n\n  // Monetary validations\n  allErrors.push(\n    ...validateMonetaryAmount(\n      invoice.legalMonetaryTotal.taxExclusiveAmount,\n      'taxExclusiveAmount',\n    ),\n  )\n  allErrors.push(\n    ...validateMonetaryAmount(\n      invoice.legalMonetaryTotal.payableAmount,\n      'payableAmount',\n    ),\n  )\n  allErrors.push(\n    ...validateMonetaryAmount(invoice.taxTotal.taxAmount, 'taxAmount'),\n  )\n\n  // Line item validations\n  invoice.invoiceLineItems.forEach((item, index) => {\n    allErrors.push(\n      ...validateMonetaryAmount(item.unitPrice, `lineItem[${index}].unitPrice`),\n    )\n    allErrors.push(\n      ...validateMonetaryAmount(item.taxAmount, `lineItem[${index}].taxAmount`),\n    )\n    allErrors.push(\n      ...validateMonetaryAmount(\n        item.totalTaxableAmountPerLine,\n        `lineItem[${index}].totalTaxableAmountPerLine`,\n      ),\n    )\n  })\n\n  // Business rule validations\n  allErrors.push(...validateTaxCalculations(invoice))\n\n  // Separate errors and warnings\n  const errors = allErrors.filter(e => e.severity === 'error')\n  const warnings = allErrors.filter(\n    e => e.severity === 'warning',\n  ) as ValidationWarning[]\n\n  return {\n    isValid: errors.length === 0,\n    errors,\n    warnings,\n  }\n}\n"],"mappings":";;;;;AA6BA,MAAa,cAAc,CACzBA,KACAC,qBACsB;CACtB,MAAMC,SAA4B,CAAE;AAEpC,MAAK,KAAK;AACR,SAAO,KAAK;GACV,OAAO;GACP,MAAM;GACN,SAAS;GACT,UAAU;EACX,EAAC;AACF,SAAO;CACR;AAGD,KAAI,qBAAqB,UAAU,IAAI,WAAW,IAAI,CACpD,QAAO,KAAK;EACV,OAAO;EACP,MAAM;EACN,SAAS;EACT,UAAU;CACX,EAAC;AAGJ,KAAI,qBAAqB,WAAW,IAAI,WAAW,KAAK,CACtD,QAAO,KAAK;EACV,OAAO;EACP,MAAM;EACN,SAAS;EACT,UAAU;CACX,EAAC;AAIJ,KAAI,IAAI,SAAS,GACf,QAAO,KAAK;EACV,OAAO;EACP,MAAM;EACN,SAAS;EACT,UAAU;CACX,EAAC;AAGJ,QAAO;AACR;;;;AAKD,MAAa,wBAAwB,CACnCC,kBACsB;CACtB,MAAMD,SAA4B,CAAE;AAEpC,MAAK,iBAAiB,kBAAkB,KACtC,QAAO;CAIT,MAAM,YAAY;AAClB,MAAK,UAAU,KAAK,cAAc,CAChC,QAAO,KAAK;EACV,OAAO;EACP,MAAM;EACN,SAAS;EACT,UAAU;CACX,EAAC;AAGJ,KAAI,cAAc,SAAS,EACzB,QAAO,KAAK;EACV,OAAO;EACP,MAAM;EACN,SAAS;EACT,UAAU;CACX,EAAC;AAGJ,QAAO;AACR;;;;AAKD,MAAa,yBAAyB,CACpCE,QACAC,WACA,YAAY,IACZ,cAAc,MACQ;CACtB,MAAMH,SAA4B,CAAE;AAEpC,KAAI,SAAS,EACX,QAAO,KAAK;EACV,OAAO;EACP,MAAM;EACN,UAAU,EAAE,UAAU;EACtB,UAAU;CACX,EAAC;CAIJ,MAAM,YAAY,OAAO,UAAU;CACnC,MAAM,CAAC,aAAa,YAAY,GAAG,UAAU,MAAM,IAAI;AAEvD,KAAI,eAAe,YAAY,SAAS,YAAY,YAClD,QAAO,KAAK;EACV,OAAO;EACP,MAAM;EACN,UAAU,EAAE,UAAU,mBAAmB,UAAU;EACnD,UAAU;CACX,EAAC;AAGJ,KAAI,eAAe,YAAY,SAAS,YACtC,QAAO,KAAK;EACV,OAAO;EACP,MAAM;EACN,UAAU,EAAE,UAAU,mBAAmB,YAAY;EACrD,UAAU;CACX,EAAC;AAGJ,QAAO;AACR;;;;AAKD,MAAa,sBAAsB,CACjCI,MACAC,UACsB;CACtB,MAAML,SAA4B,CAAE;CACpC,MAAM,YAAY;CAGlB,MAAM,eACJ,KAAK,+BAAkC,KAAK;CAC9C,MAAM,oBAAoB,KAAK;AAE/B,MAAK,iBAAiB,mBAAmB;AACvC,SAAO,KAAK;GACV,QAAQ,WAAW,MAAM;GACzB,MAAM;GACN,UAAU,YAAY,QAAQ,EAAE;GAChC,UAAU;EACX,EAAC;AACF,SAAO;CACR;AAED,KAAI,gBAAgB,kBAClB,QAAO,KAAK;EACV,QAAQ,WAAW,MAAM;EACzB,MAAM;EACN,UAAU,YAAY,QAAQ,EAAE;EAChC,UAAU;CACX,EAAC;AAIJ,KAAI,cAAc;AAChB,MAAI,KAAK,+BACP,QAAO,KAAK;GACV,QAAQ,WAAW,MAAM;GACzB,MAAM;GACN,UAAU,YAAY,QAAQ,EAAE;GAChC,UAAU;EACX,EAAC;EAGJ,MAAM,oBAAoB,KAAK,mBAAoB,KAAK;AACxD,MAAI,KAAK,IAAI,KAAK,YAAY,kBAAkB,GAAG,UACjD,QAAO,KAAK;GACV,QAAQ,WAAW,MAAM;GACzB,MAAM;GACN,UAAU,YAAY,QAAQ,EAAE,eAAe,KAAK,UAAU,0CAA0C,KAAK,iBAAiB,KAAK,KAAK,gBAAgB,KAAK,kBAAkB;GAC/K,UAAU;EACX,EAAC;CAEL;AAGD,KAAI,sBAAsB,cAAc;EACtC,MAAM,oBACH,KAAK,4BAA4B,KAAK,UAAY;AACrD,MAAI,KAAK,IAAI,KAAK,YAAY,kBAAkB,GAAG,UACjD,QAAO,KAAK;GACV,QAAQ,WAAW,MAAM;GACzB,MAAM;GACN,UAAU,YAAY,QAAQ,EAAE,eAAe,KAAK,UAAU,0CAA0C,KAAK,0BAA0B,KAAK,KAAK,QAAQ,MAAM,kBAAkB;GACjL,UAAU;EACX,EAAC;CAEL;AAED,QAAO;AACR;;;;AAKD,MAAa,0BAA0B,CACrCM,YACsB;CACtB,MAAMN,SAA4B,CAAE;AAGpC,SAAQ,iBAAiB,QAAQ,CAAC,MAAM,UAAU;AAChD,SAAO,KAAK,GAAG,oBAAoB,MAAM,MAAM,CAAC;CACjD,EAAC;CAGF,MAAM,uBAAuB,QAAQ,iBAAiB,OACpD,CAAC,KAAK,SAAS,MAAM,KAAK,2BAC1B,EACD;CACD,MAAM,oBAAoB,QAAQ,iBAAiB,OACjD,CAAC,KAAK,SAAS,MAAM,KAAK,WAC1B,EACD;CAGD,MAAM,YAAY;AAElB,KACE,KAAK,IACH,QAAQ,mBAAmB,qBAAqB,qBACjD,GAAG,UAEJ,QAAO,KAAK;EACV,OAAO;EACP,MAAM;EACN,UAAU,wBAAwB,QAAQ,mBAAmB,mBAAmB,qCAAqC,qBAAqB;EAC1I,UAAU;CACX,EAAC;AAGJ,KAAI,KAAK,IAAI,QAAQ,SAAS,YAAY,kBAAkB,GAAG,UAC7D,QAAO,KAAK;EACV,OAAO;EACP,MAAM;EACN,UAAU,cAAc,QAAQ,SAAS,UAAU,0CAA0C,kBAAkB;EAC/G,UAAU;CACX,EAAC;AAGJ,QAAO;AACR;;;;AAKD,MAAa,kBAAkB,CAACM,YAA2C;CACzE,MAAMC,YAA+B,CAAE;AAGvC,WAAU,KACR,GAAG,YAAY,QAAQ,SAAS,KAAK,QAAQ,SAAS,iBAAiB,CACxE;AACD,WAAU,KACR,GAAG,YAAY,QAAQ,MAAM,KAAK,QAAQ,MAAM,iBAAiB,CAClE;AAED,WAAU,KAAK,GAAG,sBAAsB,QAAQ,SAAS,cAAc,CAAC;AACxE,WAAU,KAAK,GAAG,sBAAsB,QAAQ,MAAM,cAAc,CAAC;AAGrE,WAAU,KACR,GAAG,uBACD,QAAQ,mBAAmB,oBAC3B,qBACD,CACF;AACD,WAAU,KACR,GAAG,uBACD,QAAQ,mBAAmB,eAC3B,gBACD,CACF;AACD,WAAU,KACR,GAAG,uBAAuB,QAAQ,SAAS,WAAW,YAAY,CACnE;AAGD,SAAQ,iBAAiB,QAAQ,CAAC,MAAM,UAAU;AAChD,YAAU,KACR,GAAG,uBAAuB,KAAK,YAAY,WAAW,MAAM,aAAa,CAC1E;AACD,YAAU,KACR,GAAG,uBAAuB,KAAK,YAAY,WAAW,MAAM,aAAa,CAC1E;AACD,YAAU,KACR,GAAG,uBACD,KAAK,4BACJ,WAAW,MAAM,6BACnB,CACF;CACF,EAAC;AAGF,WAAU,KAAK,GAAG,wBAAwB,QAAQ,CAAC;CAGnD,MAAM,SAAS,UAAU,OAAO,OAAK,EAAE,aAAa,QAAQ;CAC5D,MAAM,WAAW,UAAU,OACzB,OAAK,EAAE,aAAa,UACrB;AAED,QAAO;EACL,SAAS,OAAO,WAAW;EAC3B;EACA;CACD;AACF"}
+{"version":3,"file":"index15.cjs","names":["certificatePem: string","issues: string[]","recommendations: string[]","dn: string","fields: Record<string, string>","invoices: InvoiceV1_1[]","str: string","result: DiagnosticResult"],"sources":["../src/utils/signature-diagnostics.ts"],"sourcesContent":["import crypto from 'crypto'\nimport type { InvoiceV1_1 } from '../types'\nimport {\n  extractCertificateInfo,\n  calculateDocumentDigest,\n  calculateSignedPropertiesDigest,\n  createSignedProperties,\n  calculateCertificateDigest,\n} from './document'\n\nexport interface CertificateAnalysisResult {\n  organizationIdentifier?: string\n  serialNumber?: string\n  issuerName: string\n  subjectName: string\n  issues: string[]\n  recommendations: string[]\n}\n\nexport interface SignatureAnalysisResult {\n  documentDigest: string\n  certificateDigest: string\n  signedPropertiesDigest: string\n  issues: string[]\n  recommendations: string[]\n}\n\nexport interface DiagnosticResult {\n  certificateAnalysis: CertificateAnalysisResult\n  signatureAnalysis: SignatureAnalysisResult\n  summary: {\n    totalIssues: number\n    certificateIssues: number\n    signatureIssues: number\n  }\n}\n\n/**\n * Analyzes certificate for MyInvois compatibility issues\n */\nfunction analyzeCertificateForDiagnostics(\n  certificatePem: string,\n): CertificateAnalysisResult {\n  const issues: string[] = []\n  const recommendations: string[] = []\n\n  try {\n    const cert = new crypto.X509Certificate(certificatePem)\n    const certInfo = extractCertificateInfo(certificatePem)\n\n    // Parse subject fields for MyInvois analysis\n    const parseSubjectFields = (dn: string) => {\n      const fields: Record<string, string> = {}\n      dn.split('\\n').forEach(line => {\n        const trimmed = line.trim()\n        if (trimmed.includes('=')) {\n          const [key, ...valueParts] = trimmed.split('=')\n          if (key) {\n            fields[key.trim()] = valueParts.join('=').trim()\n          }\n        }\n      })\n      return fields\n    }\n\n    const subjectFields = parseSubjectFields(cert.subject)\n    const organizationIdentifier =\n      subjectFields['organizationIdentifier'] || subjectFields['2.5.4.97']\n    const serialNumber = subjectFields['serialNumber']\n\n    // DS311 - TIN Mismatch Analysis\n    if (!organizationIdentifier) {\n      issues.push(\n        'DS311: Certificate missing organizationIdentifier field (TIN)',\n      )\n      recommendations.push(\n        'CRITICAL: Generate new certificate with organizationIdentifier matching your MyInvois TIN',\n      )\n      recommendations.push(\n        'Portal Error: \"Signer of invoice doesn\\'t match the submitter of document. TIN doesn\\'t match with the OI.\"',\n      )\n    } else {\n      // Additional TIN format validation\n      if (organizationIdentifier.length < 10) {\n        issues.push(\n          'DS311: OrganizationIdentifier (TIN) appears too short - may cause submission rejection',\n        )\n        recommendations.push(\n          'Verify TIN format matches exactly what is registered in MyInvois',\n        )\n      }\n    }\n\n    // DS312 - Registration Number Analysis\n    if (!serialNumber) {\n      issues.push(\n        'DS312: Certificate missing serialNumber field (business registration)',\n      )\n      recommendations.push(\n        'CRITICAL: Generate new certificate with serialNumber matching your business registration',\n      )\n      recommendations.push(\n        'Portal Error: \"Submitter registration/identity number doesn\\'t match with the certificate SERIALNUMBER.\"',\n      )\n    }\n\n    // DS329 - Certificate Trust Analysis\n    if (cert.issuer === cert.subject) {\n      issues.push(\n        'DS329: Self-signed certificate detected - will fail chain of trust validation',\n      )\n      recommendations.push(\n        'BLOCKING: Obtain certificate from MyInvois-approved CA:',\n      )\n      recommendations.push('• MSC Trustgate Sdn Bhd')\n      recommendations.push('• DigiCert Sdn Bhd')\n      recommendations.push('• Cybersign Asia Sdn Bhd')\n      recommendations.push(\n        'Portal Error: \"Certificate is not valid according to the chain of trust validation or has been issued by an untrusted certificate authority.\"',\n      )\n    } else {\n      // Check if issuer looks like a known CA\n      const issuerName = cert.issuer.toLowerCase()\n      const approvedCAs = ['msc trustgate', 'digicert', 'cybersign']\n      const isFromApprovedCA = approvedCAs.some(ca => issuerName.includes(ca))\n\n      if (!isFromApprovedCA) {\n        issues.push('DS329: Certificate may not be from MyInvois-approved CA')\n        recommendations.push(\n          'Verify certificate was issued by an approved CA for MyInvois',\n        )\n      }\n    }\n\n    // DS326 - Issuer Name Format Analysis (Enhanced)\n    const rawIssuer = cert.issuer\n    const normalizedIssuer = certInfo.issuerName\n\n    // Check for issues in the NORMALIZED issuer (these are actual problems)\n    const normalizedIssuerIssues = [\n      {\n        check: normalizedIssuer.includes('\\n'),\n        issue: 'Normalized issuer still contains newlines',\n      },\n      {\n        check: normalizedIssuer.includes('  '),\n        issue: 'Normalized issuer contains double spaces',\n      },\n      {\n        check: /=\\s+/.test(normalizedIssuer),\n        issue: 'Normalized issuer has spaces after equals',\n      },\n      {\n        check: /\\s+=/.test(normalizedIssuer),\n        issue: 'Normalized issuer has spaces before equals',\n      },\n      {\n        check: normalizedIssuer.includes('\\r'),\n        issue: 'Normalized issuer contains carriage returns',\n      },\n    ]\n\n    // Only report actual issues in the normalized version that will cause portal errors\n    const hasActualFormatIssues = normalizedIssuerIssues.some(\n      ({ check, issue }) => {\n        if (check) {\n          issues.push(`DS326: ${issue} - will cause X509IssuerName mismatch`)\n          return true\n        }\n        return false\n      },\n    )\n\n    // Check if raw issuer has issues but normalized version is OK (informational)\n    const hasRawIssuesButNormalizedOk =\n      rawIssuer.includes('\\n') && !normalizedIssuer.includes('\\n')\n\n    if (hasActualFormatIssues) {\n      recommendations.push(\n        'CRITICAL: Fix issuer name normalization in signature generation',\n      )\n      recommendations.push(\n        'Portal Error: \"Certificate X509IssuerName doesn\\'t match the X509IssuerName value provided in the signed properties section.\"',\n      )\n      recommendations.push(\n        'The normalization function is not properly formatting the issuer name',\n      )\n      recommendations.push(\n        'Debug: Check document.ts extractCertificateInfo() normalization logic',\n      )\n    } else if (hasRawIssuesButNormalizedOk) {\n      // This is informational - normalization is working correctly\n      console.log(\n        'ℹ️  Note: Raw certificate issuer has newlines but normalization is handling them correctly',\n      )\n    }\n\n    // Additional certificate validity checks\n    const now = new Date()\n    const validFrom = new Date(cert.validFrom)\n    const validTo = new Date(cert.validTo)\n\n    if (now < validFrom) {\n      issues.push('DS329: Certificate not yet valid (future start date)')\n      recommendations.push('Wait until certificate validity period begins')\n    }\n\n    if (now > validTo) {\n      issues.push('DS329: Certificate has expired')\n      recommendations.push(\n        'BLOCKING: Renew certificate - expired certificates are rejected',\n      )\n    }\n\n    // Check certificate key usage (if available)\n    try {\n      if (cert.keyUsage && !cert.keyUsage.includes('digital signature')) {\n        issues.push('DS333: Certificate lacks digitalSignature key usage')\n        recommendations.push(\n          'Generate new certificate with digitalSignature key usage enabled',\n        )\n      }\n    } catch {\n      // Key usage might not be available in all certificates\n      console.log('Note: Could not check key usage extensions')\n    }\n\n    return {\n      organizationIdentifier,\n      serialNumber,\n      issuerName: certInfo.issuerName,\n      subjectName: certInfo.subjectName,\n      issues,\n      recommendations,\n    }\n  } catch (error) {\n    issues.push(`Certificate parsing failed: ${error}`)\n    recommendations.push('Verify certificate format and validity')\n\n    return {\n      issuerName: '',\n      subjectName: '',\n      issues,\n      recommendations,\n    }\n  }\n}\n\n/**\n * Analyzes signature generation for potential issues\n */\nfunction analyzeSignatureForDiagnostics(\n  invoices: InvoiceV1_1[],\n  certificatePem: string,\n): SignatureAnalysisResult {\n  const issues: string[] = []\n  const recommendations: string[] = []\n\n  try {\n    // Step 1: Document digest\n    const documentDigest = calculateDocumentDigest(invoices)\n\n    // Step 2: Certificate digest\n    const certificateDigest = calculateCertificateDigest(certificatePem)\n\n    // Step 3: Extract certificate info\n    const certInfo = extractCertificateInfo(certificatePem)\n    const signingTime = new Date().toISOString()\n\n    // Step 4: Create signed properties\n    const signedProperties = createSignedProperties(\n      certificateDigest,\n      signingTime,\n      certInfo.issuerName,\n      certInfo.serialNumber,\n    )\n\n    // Step 5: Signed properties digest\n    const signedPropertiesDigest =\n      calculateSignedPropertiesDigest(signedProperties)\n\n    // DS333 - Document Signature Validation\n    if (documentDigest.length === 0) {\n      issues.push('DS333: Document digest generation failed')\n      recommendations.push(\n        'CRITICAL: Verify document serialization excludes UBLExtensions/Signature',\n      )\n      recommendations.push(\n        'Portal Error: \"Document signature value is not a valid signature of the document digest using the public key of the certificate provided.\"',\n      )\n    }\n\n    if (certificateDigest.length === 0) {\n      issues.push('DS333: Certificate digest generation failed')\n      recommendations.push('CRITICAL: Verify certificate format and encoding')\n      recommendations.push(\n        'Certificate must be properly base64 encoded without headers/footers',\n      )\n    }\n\n    if (signedPropertiesDigest.length === 0) {\n      issues.push('DS333: Signed properties digest generation failed')\n      recommendations.push(\n        'CRITICAL: Verify signed properties structure and canonicalization',\n      )\n      recommendations.push(\n        'Check XML canonicalization (C14N) is applied correctly',\n      )\n    }\n\n    // Additional DS333 checks\n    try {\n      const cert = new crypto.X509Certificate(certificatePem)\n\n      // Verify the certificate has the required algorithms for MyInvois\n      const publicKey = cert.publicKey\n      const keyDetails = publicKey.asymmetricKeyDetails\n\n      if (keyDetails) {\n        // Check if key size is adequate for RSA (minimum 2048 bits)\n        if (\n          publicKey.asymmetricKeyType === 'rsa' &&\n          keyDetails.modulusLength &&\n          keyDetails.modulusLength < 2048\n        ) {\n          issues.push(\n            'DS333: RSA key size too small (minimum 2048 bits required)',\n          )\n          recommendations.push(\n            'CRITICAL: Generate new certificate with RSA 2048+ bits',\n          )\n        }\n\n        // Check supported key types\n        const supportedKeyTypes = ['rsa', 'ec']\n        if (!supportedKeyTypes.includes(publicKey.asymmetricKeyType || '')) {\n          issues.push(\n            `DS333: Unsupported key type: ${publicKey.asymmetricKeyType}`,\n          )\n          recommendations.push(\n            'CRITICAL: Use RSA or EC key types for MyInvois compatibility',\n          )\n        }\n      }\n\n      // Test certificate format validity\n      const certBuffer = Buffer.from(\n        certificatePem.replace(/-----[^-]+-----/g, '').replace(/\\s/g, ''),\n        'base64',\n      )\n      if (certBuffer.length === 0) {\n        issues.push('DS333: Certificate encoding appears invalid')\n        recommendations.push(\n          'CRITICAL: Verify certificate is properly PEM encoded',\n        )\n      }\n    } catch (error) {\n      issues.push(`DS333: Certificate validation failed - ${error}`)\n      recommendations.push(\n        'CRITICAL: Verify certificate format and structure are valid',\n      )\n    }\n\n    // Validate digest formats (should be base64)\n    const isValidBase64 = (str: string) => {\n      try {\n        return Buffer.from(str, 'base64').toString('base64') === str\n      } catch {\n        return false\n      }\n    }\n\n    if (documentDigest && !isValidBase64(documentDigest)) {\n      issues.push('DS333: Document digest is not valid base64 format')\n      recommendations.push('Ensure digest is properly base64 encoded')\n    }\n\n    if (certificateDigest && !isValidBase64(certificateDigest)) {\n      issues.push('DS333: Certificate digest is not valid base64 format')\n      recommendations.push(\n        'Ensure certificate digest is properly base64 encoded',\n      )\n    }\n\n    if (signedPropertiesDigest && !isValidBase64(signedPropertiesDigest)) {\n      issues.push('DS333: Signed properties digest is not valid base64 format')\n      recommendations.push(\n        'Ensure signed properties digest is properly base64 encoded',\n      )\n    }\n\n    return {\n      documentDigest,\n      certificateDigest,\n      signedPropertiesDigest,\n      issues,\n      recommendations,\n    }\n  } catch (error) {\n    issues.push(`Signature analysis failed: ${error}`)\n    recommendations.push('Review signature generation implementation')\n\n    return {\n      documentDigest: '',\n      certificateDigest: '',\n      signedPropertiesDigest: '',\n      issues,\n      recommendations,\n    }\n  }\n}\n\n/**\n * Comprehensive signature diagnostics\n */\nexport function diagnoseSignatureIssues(\n  invoices: InvoiceV1_1[],\n  certificatePem: string,\n): DiagnosticResult {\n  const certificateAnalysis = analyzeCertificateForDiagnostics(certificatePem)\n  const signatureAnalysis = analyzeSignatureForDiagnostics(\n    invoices,\n    certificatePem,\n  )\n\n  const certificateIssues = certificateAnalysis.issues.length\n  const signatureIssues = signatureAnalysis.issues.length\n\n  return {\n    certificateAnalysis,\n    signatureAnalysis,\n    summary: {\n      totalIssues: certificateIssues + signatureIssues,\n      certificateIssues,\n      signatureIssues,\n    },\n  }\n}\n\n/**\n * Prints diagnostic results in a formatted way\n */\nexport function printDiagnostics(result: DiagnosticResult): void {\n  console.log('\\n🔍 MyInvois Signature Diagnostics Report')\n  console.log('='.repeat(60))\n\n  // Certificate Analysis\n  console.log('\\n📜 CERTIFICATE ANALYSIS')\n  console.log('-'.repeat(30))\n\n  console.log(`  Issuer: ${result.certificateAnalysis.issuerName}`)\n  console.log(`  Subject: ${result.certificateAnalysis.subjectName}`)\n\n  if (result.certificateAnalysis.organizationIdentifier) {\n    console.log(\n      `  Organization ID (TIN): ${result.certificateAnalysis.organizationIdentifier}`,\n    )\n  }\n\n  if (result.certificateAnalysis.serialNumber) {\n    console.log(`  Serial Number: ${result.certificateAnalysis.serialNumber}`)\n  }\n\n  if (result.certificateAnalysis.issues.length > 0) {\n    console.log('\\n  🚨 Certificate Issues:')\n    result.certificateAnalysis.issues.forEach((issue, index) => {\n      console.log(`    ${index + 1}. ${issue}`)\n    })\n  }\n\n  if (result.certificateAnalysis.recommendations.length > 0) {\n    console.log('\\n  💡 Certificate Recommendations:')\n    result.certificateAnalysis.recommendations.forEach((rec, index) => {\n      console.log(`    ${index + 1}. ${rec}`)\n    })\n  }\n\n  // Signature Analysis\n  console.log('\\n🔐 SIGNATURE ANALYSIS')\n  console.log('-'.repeat(30))\n\n  console.log(\n    `  Document Digest: ${result.signatureAnalysis.documentDigest.substring(0, 32)}...`,\n  )\n  console.log(\n    `  Certificate Digest: ${result.signatureAnalysis.certificateDigest.substring(0, 32)}...`,\n  )\n  console.log(\n    `  Signed Properties Digest: ${result.signatureAnalysis.signedPropertiesDigest.substring(0, 32)}...`,\n  )\n\n  if (result.signatureAnalysis.issues.length > 0) {\n    console.log('\\n  🚨 Signature Issues:')\n    result.signatureAnalysis.issues.forEach((issue, index) => {\n      console.log(`    ${index + 1}. ${issue}`)\n    })\n  }\n\n  if (result.signatureAnalysis.recommendations.length > 0) {\n    console.log('\\n  💡 Signature Recommendations:')\n    result.signatureAnalysis.recommendations.forEach((rec, index) => {\n      console.log(`    ${index + 1}. ${rec}`)\n    })\n  }\n\n  // Summary\n  console.log('\\n📊 SUMMARY')\n  console.log('-'.repeat(30))\n  console.log(`  Total Issues Found: ${result.summary.totalIssues}`)\n  console.log(`  Certificate Issues: ${result.summary.certificateIssues}`)\n  console.log(`  Signature Issues: ${result.summary.signatureIssues}`)\n\n  if (result.summary.totalIssues === 0) {\n    console.log('\\n  ✅ No issues detected in current analysis')\n    console.log('  🎉 Certificate and signature implementation appear valid')\n  } else {\n    console.log('\\n  ⚠️  Issues detected - review recommendations above')\n\n    // Check for specific portal errors\n    const hasDS311 = result.certificateAnalysis.issues.some(issue =>\n      issue.includes('DS311'),\n    )\n    const hasDS312 = result.certificateAnalysis.issues.some(issue =>\n      issue.includes('DS312'),\n    )\n    const hasDS326 = result.certificateAnalysis.issues.some(issue =>\n      issue.includes('DS326'),\n    )\n    const hasDS329 = result.certificateAnalysis.issues.some(issue =>\n      issue.includes('DS329'),\n    )\n    const hasDS333 = result.signatureAnalysis.issues.some(issue =>\n      issue.includes('DS333'),\n    )\n\n    console.log('\\n  🎯 MYINVOIS PORTAL ERROR ANALYSIS:')\n\n    if (hasDS311) {\n      console.log(\n        '     ❌ DS311 - TIN mismatch between certificate and submitter',\n      )\n    }\n\n    if (hasDS312) {\n      console.log(\n        '     ❌ DS312 - Registration number mismatch with certificate',\n      )\n    }\n\n    if (hasDS326) {\n      console.log('     ❌ DS326 - X509IssuerName format inconsistency')\n    }\n\n    if (hasDS329) {\n      console.log('     ❌ DS329 - Certificate trust chain validation failure')\n    }\n\n    if (hasDS333) {\n      console.log('     ❌ DS333 - Document signature validation failure')\n    }\n\n    if (result.summary.certificateIssues > 0) {\n      console.log('\\n  🚨 PRIMARY ACTION REQUIRED:')\n      console.log('     Certificate issues must be resolved first')\n      console.log(\n        '     Self-generated certificates cannot pass MyInvois validation',\n      )\n    }\n\n    if (result.summary.signatureIssues > 0) {\n      console.log('\\n  ⚙️  SECONDARY ACTION:')\n      console.log('     Review and optimize signature implementation')\n    }\n\n    console.log('\\n  📋 NEXT STEPS:')\n    console.log('     1. Address BLOCKING/CRITICAL issues first')\n    console.log('     2. Test with updated certificate/implementation')\n    console.log('     3. Re-run diagnostics to verify fixes')\n    console.log('     4. Submit test document to MyInvois portal')\n  }\n\n  console.log('\\n' + '='.repeat(60))\n}\n"],"mappings":";;;;;;;;AAwCA,SAAS,iCACPA,gBAC2B;CAC3B,MAAMC,SAAmB,CAAE;CAC3B,MAAMC,kBAA4B,CAAE;AAEpC,KAAI;EACF,MAAM,OAAO,IAAI,eAAO,gBAAgB;EACxC,MAAM,WAAW,wCAAuB,eAAe;EAGvD,MAAM,qBAAqB,CAACC,OAAe;GACzC,MAAMC,SAAiC,CAAE;AACzC,MAAG,MAAM,KAAK,CAAC,QAAQ,UAAQ;IAC7B,MAAM,UAAU,KAAK,MAAM;AAC3B,QAAI,QAAQ,SAAS,IAAI,EAAE;KACzB,MAAM,CAAC,KAAK,GAAG,WAAW,GAAG,QAAQ,MAAM,IAAI;AAC/C,SAAI,IACF,QAAO,IAAI,MAAM,IAAI,WAAW,KAAK,IAAI,CAAC,MAAM;IAEnD;GACF,EAAC;AACF,UAAO;EACR;EAED,MAAM,gBAAgB,mBAAmB,KAAK,QAAQ;EACtD,MAAM,yBACJ,cAAc,6BAA6B,cAAc;EAC3D,MAAM,eAAe,cAAc;AAGnC,OAAK,wBAAwB;AAC3B,UAAO,KACL,gEACD;AACD,mBAAgB,KACd,4FACD;AACD,mBAAgB,KACd,8GACD;EACF,WAEK,uBAAuB,SAAS,IAAI;AACtC,UAAO,KACL,yFACD;AACD,mBAAgB,KACd,mEACD;EACF;AAIH,OAAK,cAAc;AACjB,UAAO,KACL,wEACD;AACD,mBAAgB,KACd,2FACD;AACD,mBAAgB,KACd,4GACD;EACF;AAGD,MAAI,KAAK,WAAW,KAAK,SAAS;AAChC,UAAO,KACL,gFACD;AACD,mBAAgB,KACd,0DACD;AACD,mBAAgB,KAAK,0BAA0B;AAC/C,mBAAgB,KAAK,qBAAqB;AAC1C,mBAAgB,KAAK,2BAA2B;AAChD,mBAAgB,KACd,kJACD;EACF,OAAM;GAEL,MAAM,aAAa,KAAK,OAAO,aAAa;GAC5C,MAAM,cAAc;IAAC;IAAiB;IAAY;GAAY;GAC9D,MAAM,mBAAmB,YAAY,KAAK,QAAM,WAAW,SAAS,GAAG,CAAC;AAExE,QAAK,kBAAkB;AACrB,WAAO,KAAK,0DAA0D;AACtE,oBAAgB,KACd,+DACD;GACF;EACF;EAGD,MAAM,YAAY,KAAK;EACvB,MAAM,mBAAmB,SAAS;EAGlC,MAAM,yBAAyB;GAC7B;IACE,OAAO,iBAAiB,SAAS,KAAK;IACtC,OAAO;GACR;GACD;IACE,OAAO,iBAAiB,SAAS,KAAK;IACtC,OAAO;GACR;GACD;IACE,OAAO,OAAO,KAAK,iBAAiB;IACpC,OAAO;GACR;GACD;IACE,OAAO,OAAO,KAAK,iBAAiB;IACpC,OAAO;GACR;GACD;IACE,OAAO,iBAAiB,SAAS,KAAK;IACtC,OAAO;GACR;EACF;EAGD,MAAM,wBAAwB,uBAAuB,KACnD,CAAC,EAAE,OAAO,OAAO,KAAK;AACpB,OAAI,OAAO;AACT,WAAO,MAAM,SAAS,MAAM,uCAAuC;AACnE,WAAO;GACR;AACD,UAAO;EACR,EACF;EAGD,MAAM,8BACJ,UAAU,SAAS,KAAK,KAAK,iBAAiB,SAAS,KAAK;AAE9D,MAAI,uBAAuB;AACzB,mBAAgB,KACd,kEACD;AACD,mBAAgB,KACd,iIACD;AACD,mBAAgB,KACd,wEACD;AACD,mBAAgB,KACd,wEACD;EACF,WAAU,4BAET,SAAQ,IACN,6FACD;EAIH,MAAM,sBAAM,IAAI;EAChB,MAAM,YAAY,IAAI,KAAK,KAAK;EAChC,MAAM,UAAU,IAAI,KAAK,KAAK;AAE9B,MAAI,MAAM,WAAW;AACnB,UAAO,KAAK,uDAAuD;AACnE,mBAAgB,KAAK,gDAAgD;EACtE;AAED,MAAI,MAAM,SAAS;AACjB,UAAO,KAAK,iCAAiC;AAC7C,mBAAgB,KACd,kEACD;EACF;AAGD,MAAI;AACF,OAAI,KAAK,aAAa,KAAK,SAAS,SAAS,oBAAoB,EAAE;AACjE,WAAO,KAAK,sDAAsD;AAClE,oBAAgB,KACd,mEACD;GACF;EACF,QAAO;AAEN,WAAQ,IAAI,6CAA6C;EAC1D;AAED,SAAO;GACL;GACA;GACA,YAAY,SAAS;GACrB,aAAa,SAAS;GACtB;GACA;EACD;CACF,SAAQ,OAAO;AACd,SAAO,MAAM,8BAA8B,MAAM,EAAE;AACnD,kBAAgB,KAAK,yCAAyC;AAE9D,SAAO;GACL,YAAY;GACZ,aAAa;GACb;GACA;EACD;CACF;AACF;;;;AAKD,SAAS,+BACPC,UACAL,gBACyB;CACzB,MAAMC,SAAmB,CAAE;CAC3B,MAAMC,kBAA4B,CAAE;AAEpC,KAAI;EAEF,MAAM,iBAAiB,yCAAwB,SAAS;EAGxD,MAAM,oBAAoB,4CAA2B,eAAe;EAGpE,MAAM,WAAW,wCAAuB,eAAe;EACvD,MAAM,cAAc,qBAAI,QAAO,aAAa;EAG5C,MAAM,mBAAmB,wCACvB,mBACA,aACA,SAAS,YACT,SAAS,aACV;EAGD,MAAM,yBACJ,iDAAgC,iBAAiB;AAGnD,MAAI,eAAe,WAAW,GAAG;AAC/B,UAAO,KAAK,2CAA2C;AACvD,mBAAgB,KACd,2EACD;AACD,mBAAgB,KACd,+IACD;EACF;AAED,MAAI,kBAAkB,WAAW,GAAG;AAClC,UAAO,KAAK,8CAA8C;AAC1D,mBAAgB,KAAK,mDAAmD;AACxE,mBAAgB,KACd,sEACD;EACF;AAED,MAAI,uBAAuB,WAAW,GAAG;AACvC,UAAO,KAAK,oDAAoD;AAChE,mBAAgB,KACd,oEACD;AACD,mBAAgB,KACd,yDACD;EACF;AAGD,MAAI;GACF,MAAM,OAAO,IAAI,eAAO,gBAAgB;GAGxC,MAAM,YAAY,KAAK;GACvB,MAAM,aAAa,UAAU;AAE7B,OAAI,YAAY;AAEd,QACE,UAAU,sBAAsB,SAChC,WAAW,iBACX,WAAW,gBAAgB,MAC3B;AACA,YAAO,KACL,6DACD;AACD,qBAAgB,KACd,yDACD;IACF;IAGD,MAAM,oBAAoB,CAAC,OAAO,IAAK;AACvC,SAAK,kBAAkB,SAAS,UAAU,qBAAqB,GAAG,EAAE;AAClE,YAAO,MACJ,+BAA+B,UAAU,kBAAkB,EAC7D;AACD,qBAAgB,KACd,+DACD;IACF;GACF;GAGD,MAAM,aAAa,OAAO,KACxB,eAAe,QAAQ,oBAAoB,GAAG,CAAC,QAAQ,OAAO,GAAG,EACjE,SACD;AACD,OAAI,WAAW,WAAW,GAAG;AAC3B,WAAO,KAAK,8CAA8C;AAC1D,oBAAgB,KACd,uDACD;GACF;EACF,SAAQ,OAAO;AACd,UAAO,MAAM,yCAAyC,MAAM,EAAE;AAC9D,mBAAgB,KACd,8DACD;EACF;EAGD,MAAM,gBAAgB,CAACI,QAAgB;AACrC,OAAI;AACF,WAAO,OAAO,KAAK,KAAK,SAAS,CAAC,SAAS,SAAS,KAAK;GAC1D,QAAO;AACN,WAAO;GACR;EACF;AAED,MAAI,mBAAmB,cAAc,eAAe,EAAE;AACpD,UAAO,KAAK,oDAAoD;AAChE,mBAAgB,KAAK,2CAA2C;EACjE;AAED,MAAI,sBAAsB,cAAc,kBAAkB,EAAE;AAC1D,UAAO,KAAK,uDAAuD;AACnE,mBAAgB,KACd,uDACD;EACF;AAED,MAAI,2BAA2B,cAAc,uBAAuB,EAAE;AACpE,UAAO,KAAK,6DAA6D;AACzE,mBAAgB,KACd,6DACD;EACF;AAED,SAAO;GACL;GACA;GACA;GACA;GACA;EACD;CACF,SAAQ,OAAO;AACd,SAAO,MAAM,6BAA6B,MAAM,EAAE;AAClD,kBAAgB,KAAK,6CAA6C;AAElE,SAAO;GACL,gBAAgB;GAChB,mBAAmB;GACnB,wBAAwB;GACxB;GACA;EACD;CACF;AACF;;;;AAKD,SAAgB,wBACdD,UACAL,gBACkB;CAClB,MAAM,sBAAsB,iCAAiC,eAAe;CAC5E,MAAM,oBAAoB,+BACxB,UACA,eACD;CAED,MAAM,oBAAoB,oBAAoB,OAAO;CACrD,MAAM,kBAAkB,kBAAkB,OAAO;AAEjD,QAAO;EACL;EACA;EACA,SAAS;GACP,aAAa,oBAAoB;GACjC;GACA;EACD;CACF;AACF;;;;AAKD,SAAgB,iBAAiBO,QAAgC;AAC/D,SAAQ,IAAI,6CAA6C;AACzD,SAAQ,IAAI,IAAI,OAAO,GAAG,CAAC;AAG3B,SAAQ,IAAI,4BAA4B;AACxC,SAAQ,IAAI,IAAI,OAAO,GAAG,CAAC;AAE3B,SAAQ,KAAK,YAAY,OAAO,oBAAoB,WAAW,EAAE;AACjE,SAAQ,KAAK,aAAa,OAAO,oBAAoB,YAAY,EAAE;AAEnE,KAAI,OAAO,oBAAoB,uBAC7B,SAAQ,KACL,2BAA2B,OAAO,oBAAoB,uBAAuB,EAC/E;AAGH,KAAI,OAAO,oBAAoB,aAC7B,SAAQ,KAAK,mBAAmB,OAAO,oBAAoB,aAAa,EAAE;AAG5E,KAAI,OAAO,oBAAoB,OAAO,SAAS,GAAG;AAChD,UAAQ,IAAI,6BAA6B;AACzC,SAAO,oBAAoB,OAAO,QAAQ,CAAC,OAAO,UAAU;AAC1D,WAAQ,KAAK,MAAM,QAAQ,EAAE,IAAI,MAAM,EAAE;EAC1C,EAAC;CACH;AAED,KAAI,OAAO,oBAAoB,gBAAgB,SAAS,GAAG;AACzD,UAAQ,IAAI,sCAAsC;AAClD,SAAO,oBAAoB,gBAAgB,QAAQ,CAAC,KAAK,UAAU;AACjE,WAAQ,KAAK,MAAM,QAAQ,EAAE,IAAI,IAAI,EAAE;EACxC,EAAC;CACH;AAGD,SAAQ,IAAI,0BAA0B;AACtC,SAAQ,IAAI,IAAI,OAAO,GAAG,CAAC;AAE3B,SAAQ,KACL,qBAAqB,OAAO,kBAAkB,eAAe,UAAU,GAAG,GAAG,CAAC,KAChF;AACD,SAAQ,KACL,wBAAwB,OAAO,kBAAkB,kBAAkB,UAAU,GAAG,GAAG,CAAC,KACtF;AACD,SAAQ,KACL,8BAA8B,OAAO,kBAAkB,uBAAuB,UAAU,GAAG,GAAG,CAAC,KACjG;AAED,KAAI,OAAO,kBAAkB,OAAO,SAAS,GAAG;AAC9C,UAAQ,IAAI,2BAA2B;AACvC,SAAO,kBAAkB,OAAO,QAAQ,CAAC,OAAO,UAAU;AACxD,WAAQ,KAAK,MAAM,QAAQ,EAAE,IAAI,MAAM,EAAE;EAC1C,EAAC;CACH;AAED,KAAI,OAAO,kBAAkB,gBAAgB,SAAS,GAAG;AACvD,UAAQ,IAAI,oCAAoC;AAChD,SAAO,kBAAkB,gBAAgB,QAAQ,CAAC,KAAK,UAAU;AAC/D,WAAQ,KAAK,MAAM,QAAQ,EAAE,IAAI,IAAI,EAAE;EACxC,EAAC;CACH;AAGD,SAAQ,IAAI,eAAe;AAC3B,SAAQ,IAAI,IAAI,OAAO,GAAG,CAAC;AAC3B,SAAQ,KAAK,wBAAwB,OAAO,QAAQ,YAAY,EAAE;AAClE,SAAQ,KAAK,wBAAwB,OAAO,QAAQ,kBAAkB,EAAE;AACxE,SAAQ,KAAK,sBAAsB,OAAO,QAAQ,gBAAgB,EAAE;AAEpE,KAAI,OAAO,QAAQ,gBAAgB,GAAG;AACpC,UAAQ,IAAI,+CAA+C;AAC3D,UAAQ,IAAI,6DAA6D;CAC1E,OAAM;AACL,UAAQ,IAAI,yDAAyD;EAGrE,MAAM,WAAW,OAAO,oBAAoB,OAAO,KAAK,WACtD,MAAM,SAAS,QAAQ,CACxB;EACD,MAAM,WAAW,OAAO,oBAAoB,OAAO,KAAK,WACtD,MAAM,SAAS,QAAQ,CACxB;EACD,MAAM,WAAW,OAAO,oBAAoB,OAAO,KAAK,WACtD,MAAM,SAAS,QAAQ,CACxB;EACD,MAAM,WAAW,OAAO,oBAAoB,OAAO,KAAK,WACtD,MAAM,SAAS,QAAQ,CACxB;EACD,MAAM,WAAW,OAAO,kBAAkB,OAAO,KAAK,WACpD,MAAM,SAAS,QAAQ,CACxB;AAED,UAAQ,IAAI,yCAAyC;AAErD,MAAI,SACF,SAAQ,IACN,gEACD;AAGH,MAAI,SACF,SAAQ,IACN,+DACD;AAGH,MAAI,SACF,SAAQ,IAAI,qDAAqD;AAGnE,MAAI,SACF,SAAQ,IAAI,4DAA4D;AAG1E,MAAI,SACF,SAAQ,IAAI,uDAAuD;AAGrE,MAAI,OAAO,QAAQ,oBAAoB,GAAG;AACxC,WAAQ,IAAI,kCAAkC;AAC9C,WAAQ,IAAI,iDAAiD;AAC7D,WAAQ,IACN,mEACD;EACF;AAED,MAAI,OAAO,QAAQ,kBAAkB,GAAG;AACtC,WAAQ,IAAI,4BAA4B;AACxC,WAAQ,IAAI,oDAAoD;EACjE;AAED,UAAQ,IAAI,qBAAqB;AACjC,UAAQ,IAAI,iDAAiD;AAC7D,UAAQ,IAAI,uDAAuD;AACnE,UAAQ,IAAI,6CAA6C;AACzD,UAAQ,IAAI,kDAAkD;CAC/D;AAED,SAAQ,IAAI,OAAO,IAAI,OAAO,GAAG,CAAC;AACnC"}