@sempdev/semp 0.5.2 → 0.5.6

package/dist/keys/sign.d.ts

@@ -41,9 +41,14 @@ export declare function sign(seed: Uint8Array, message: Uint8Array): Uint8Array;
  */
 export declare function verify(publicKey: Uint8Array, signature: Uint8Array, message: Uint8Array): boolean;
 /**
- * Compute the SEMP key fingerprint per `KEY.md` §3 — SHA-256 of
- * the raw 32-byte public key, lowercase-hex encoded. Used as the
+ * Compute the SEMP key fingerprint per `KEY.md` §3 - SHA-256 of
+ * the raw public key bytes, lowercase-hex encoded. Used as the
  * `key_id` field everywhere keys are referenced.
+ *
+ * Accepts public keys of any non-empty length. Ed25519 identity
+ * keys are 32 bytes, X25519 baseline encryption keys are 32 bytes,
+ * Kyber768+X25519 hybrid encryption keys are 1216 bytes, and so on
+ * across the negotiated suite.
  */
 export declare function fingerprint(publicKey: Uint8Array): string;
 //# sourceMappingURL=sign.d.ts.map

package/dist/keys/sign.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"sign.d.ts","sourceRoot":"","sources":["../../src/keys/sign.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;GAiBG;AAKH,kDAAkD;AAClD,eAAO,MAAM,aAAa,KAAK,CAAC;AAChC,mDAAmD;AACnD,eAAO,MAAM,QAAQ,KAAK,CAAC;AAC3B,iDAAiD;AACjD,eAAO,MAAM,aAAa,KAAK,CAAC;AAEhC;;;;GAIG;AACH,wBAAgB,iBAAiB,CAAC,IAAI,EAAE,UAAU,GAAG,UAAU,CAG9D;AAED;;;GAGG;AACH,wBAAgB,IAAI,CAAC,IAAI,EAAE,UAAU,EAAE,OAAO,EAAE,UAAU,GAAG,UAAU,CAGtE;AAED;;;;;GAKG;AACH,wBAAgB,MAAM,CACpB,SAAS,EAAE,UAAU,EACrB,SAAS,EAAE,UAAU,EACrB,OAAO,EAAE,UAAU,GAClB,OAAO,CAST;AAED;;;;GAIG;AACH,wBAAgB,WAAW,CAAC,SAAS,EAAE,UAAU,GAAG,MAAM,CAQzD"}
+{"version":3,"file":"sign.d.ts","sourceRoot":"","sources":["../../src/keys/sign.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;GAiBG;AAKH,kDAAkD;AAClD,eAAO,MAAM,aAAa,KAAK,CAAC;AAChC,mDAAmD;AACnD,eAAO,MAAM,QAAQ,KAAK,CAAC;AAC3B,iDAAiD;AACjD,eAAO,MAAM,aAAa,KAAK,CAAC;AAEhC;;;;GAIG;AACH,wBAAgB,iBAAiB,CAAC,IAAI,EAAE,UAAU,GAAG,UAAU,CAG9D;AAED;;;GAGG;AACH,wBAAgB,IAAI,CAAC,IAAI,EAAE,UAAU,EAAE,OAAO,EAAE,UAAU,GAAG,UAAU,CAGtE;AAED;;;;;GAKG;AACH,wBAAgB,MAAM,CACpB,SAAS,EAAE,UAAU,EACrB,SAAS,EAAE,UAAU,EACrB,OAAO,EAAE,UAAU,GAClB,OAAO,CAST;AAED;;;;;;;;;GASG;AACH,wBAAgB,WAAW,CAAC,SAAS,EAAE,UAAU,GAAG,MAAM,CAUzD"}

package/dist/keys/sign.js

@@ -59,12 +59,19 @@ export function verify(publicKey, signature, message) {
     }
 }
 /**
- * Compute the SEMP key fingerprint per `KEY.md` §3 — SHA-256 of
- * the raw 32-byte public key, lowercase-hex encoded. Used as the
+ * Compute the SEMP key fingerprint per `KEY.md` §3 - SHA-256 of
+ * the raw public key bytes, lowercase-hex encoded. Used as the
  * `key_id` field everywhere keys are referenced.
+ *
+ * Accepts public keys of any non-empty length. Ed25519 identity
+ * keys are 32 bytes, X25519 baseline encryption keys are 32 bytes,
+ * Kyber768+X25519 hybrid encryption keys are 1216 bytes, and so on
+ * across the negotiated suite.
  */
 export function fingerprint(publicKey) {
-    expectLength("publicKey", publicKey, PublicKeySize);
+    if (publicKey.length === 0) {
+        throw new Error("keys: publicKey is empty");
+    }
     const sum = sha256(publicKey);
     let s = "";
     for (let i = 0; i < sum.length; i++) {

package/dist/keys/sign.js.map

@@ -1 +1 @@
-{"version":3,"file":"sign.js","sourceRoot":"","sources":["../../src/keys/sign.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;GAiBG;AAEH,OAAO,EAAE,OAAO,EAAE,MAAM,0BAA0B,CAAC;AACnD,OAAO,EAAE,MAAM,EAAE,MAAM,uBAAuB,CAAC;AAE/C,kDAAkD;AAClD,MAAM,CAAC,MAAM,aAAa,GAAG,EAAE,CAAC;AAChC,mDAAmD;AACnD,MAAM,CAAC,MAAM,QAAQ,GAAG,EAAE,CAAC;AAC3B,iDAAiD;AACjD,MAAM,CAAC,MAAM,aAAa,GAAG,EAAE,CAAC;AAEhC;;;;GAIG;AACH,MAAM,UAAU,iBAAiB,CAAC,IAAgB;IAChD,YAAY,CAAC,MAAM,EAAE,IAAI,EAAE,QAAQ,CAAC,CAAC;IACrC,OAAO,OAAO,CAAC,YAAY,CAAC,IAAI,CAAC,CAAC;AACpC,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,IAAI,CAAC,IAAgB,EAAE,OAAmB;IACxD,YAAY,CAAC,MAAM,EAAE,IAAI,EAAE,QAAQ,CAAC,CAAC;IACrC,OAAO,OAAO,CAAC,IAAI,CAAC,OAAO,EAAE,IAAI,CAAC,CAAC;AACrC,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,MAAM,CACpB,SAAqB,EACrB,SAAqB,EACrB,OAAmB;IAEnB,IAAI,SAAS,CAAC,MAAM,KAAK,aAAa,IAAI,SAAS,CAAC,MAAM,KAAK,aAAa,EAAE,CAAC;QAC7E,OAAO,KAAK,CAAC;IACf,CAAC;IACD,IAAI,CAAC;QACH,OAAO,OAAO,CAAC,MAAM,CAAC,SAAS,EAAE,OAAO,EAAE,SAAS,CAAC,CAAC;IACvD,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAC;IACf,CAAC;AACH,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,WAAW,CAAC,SAAqB;IAC/C,YAAY,CAAC,WAAW,EAAE,SAAS,EAAE,aAAa,CAAC,CAAC;IACpD,MAAM,GAAG,GAAG,MAAM,CAAC,SAAS,CAAC,CAAC;IAC9B,IAAI,CAAC,GAAG,EAAE,CAAC;IACX,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,GAAG,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QACpC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC;IACnD,CAAC;IACD,OAAO,CAAC,CAAC;AACX,CAAC;AAED,SAAS,YAAY,CAAC,IAAY,EAAE,CAAa,EAAE,IAAY;IAC7D,IAAI,CAAC,CAAC,MAAM,KAAK,IAAI,EAAE,CAAC;QACtB,MAAM,IAAI,KAAK,CAAC,SAAS,IAAI,WAAW,CAAC,CAAC,MAAM,UAAU,IAAI,EAAE,CAAC,CAAC;IACpE,CAAC;AACH,CAAC"}
+{"version":3,"file":"sign.js","sourceRoot":"","sources":["../../src/keys/sign.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;GAiBG;AAEH,OAAO,EAAE,OAAO,EAAE,MAAM,0BAA0B,CAAC;AACnD,OAAO,EAAE,MAAM,EAAE,MAAM,uBAAuB,CAAC;AAE/C,kDAAkD;AAClD,MAAM,CAAC,MAAM,aAAa,GAAG,EAAE,CAAC;AAChC,mDAAmD;AACnD,MAAM,CAAC,MAAM,QAAQ,GAAG,EAAE,CAAC;AAC3B,iDAAiD;AACjD,MAAM,CAAC,MAAM,aAAa,GAAG,EAAE,CAAC;AAEhC;;;;GAIG;AACH,MAAM,UAAU,iBAAiB,CAAC,IAAgB;IAChD,YAAY,CAAC,MAAM,EAAE,IAAI,EAAE,QAAQ,CAAC,CAAC;IACrC,OAAO,OAAO,CAAC,YAAY,CAAC,IAAI,CAAC,CAAC;AACpC,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,IAAI,CAAC,IAAgB,EAAE,OAAmB;IACxD,YAAY,CAAC,MAAM,EAAE,IAAI,EAAE,QAAQ,CAAC,CAAC;IACrC,OAAO,OAAO,CAAC,IAAI,CAAC,OAAO,EAAE,IAAI,CAAC,CAAC;AACrC,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,MAAM,CACpB,SAAqB,EACrB,SAAqB,EACrB,OAAmB;IAEnB,IAAI,SAAS,CAAC,MAAM,KAAK,aAAa,IAAI,SAAS,CAAC,MAAM,KAAK,aAAa,EAAE,CAAC;QAC7E,OAAO,KAAK,CAAC;IACf,CAAC;IACD,IAAI,CAAC;QACH,OAAO,OAAO,CAAC,MAAM,CAAC,SAAS,EAAE,OAAO,EAAE,SAAS,CAAC,CAAC;IACvD,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAC;IACf,CAAC;AACH,CAAC;AAED;;;;;;;;;GASG;AACH,MAAM,UAAU,WAAW,CAAC,SAAqB;IAC/C,IAAI,SAAS,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC3B,MAAM,IAAI,KAAK,CAAC,0BAA0B,CAAC,CAAC;IAC9C,CAAC;IACD,MAAM,GAAG,GAAG,MAAM,CAAC,SAAS,CAAC,CAAC;IAC9B,IAAI,CAAC,GAAG,EAAE,CAAC;IACX,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,GAAG,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QACpC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC;IACnD,CAAC;IACD,OAAO,CAAC,CAAC;AACX,CAAC;AAED,SAAS,YAAY,CAAC,IAAY,EAAE,CAAa,EAAE,IAAY;IAC7D,IAAI,CAAC,CAAC,MAAM,KAAK,IAAI,EAAE,CAAC;QACtB,MAAM,IAAI,KAAK,CAAC,SAAS,IAAI,WAAW,CAAC,CAAC,MAAM,UAAU,IAAI,EAAE,CAAC,CAAC;IACpE,CAAC;AACH,CAAC"}

package/dist/keys/signed.d.ts

@@ -1,10 +1,10 @@
 /**
  * Signed-document compose helpers.
  *
- * Every Ed25519-signed SEMP document — closure request, configuration
+ * Every Ed25519-signed SEMP document - closure request, configuration
  * update, user policy, migration record, sender-signature enclosure,
  * delivery receipt, transparency STH, recovery manifest, recovery
- * share, handshake response/accepted/rejected — follows the same
+ * share, handshake response/accepted/rejected - follows the same
  * shape: build the document with the signature value blanked,
  * canonicalize per ENVELOPE.md §4.3, prepend a domain-separation
  * prefix, sign with Ed25519, write the signature back into the
@@ -73,7 +73,7 @@ export interface VerifySignedDocResult {
  * Throws if the document is structurally malformed (path missing,
  * signature not a string, signature not valid base64). A successful
  * parse with a bad signature returns `{ ok: false, canonicalBlanked }`
- * — the canonical bytes are returned so callers can cross-check
+ * - the canonical bytes are returned so callers can cross-check
  * pinned `intermediates.canonical_with_blanked_signature_utf8`.
  */
 export declare function verifySignedDoc(spec: VerifySignedDocSpec): VerifySignedDocResult;

package/dist/keys/signed.js

@@ -1,10 +1,10 @@
 /**
  * Signed-document compose helpers.
  *
- * Every Ed25519-signed SEMP document — closure request, configuration
+ * Every Ed25519-signed SEMP document - closure request, configuration
  * update, user policy, migration record, sender-signature enclosure,
  * delivery receipt, transparency STH, recovery manifest, recovery
- * share, handshake response/accepted/rejected — follows the same
+ * share, handshake response/accepted/rejected - follows the same
  * shape: build the document with the signature value blanked,
  * canonicalize per ENVELOPE.md §4.3, prepend a domain-separation
  * prefix, sign with Ed25519, write the signature back into the
@@ -42,7 +42,7 @@ export function signSignedDoc(spec) {
  * Throws if the document is structurally malformed (path missing,
  * signature not a string, signature not valid base64). A successful
  * parse with a bad signature returns `{ ok: false, canonicalBlanked }`
- * — the canonical bytes are returned so callers can cross-check
+ * - the canonical bytes are returned so callers can cross-check
  * pinned `intermediates.canonical_with_blanked_signature_utf8`.
  */
 export function verifySignedDoc(spec) {

package/dist/keys/store.js

@@ -81,7 +81,7 @@ export class InMemoryKeyStore {
         return this.deviceCerts.get(deviceKeyId) ?? null;
     }
     putDeviceCertificate(cert) {
-        // Stored under the delegated device's public-key fingerprint —
+        // Stored under the delegated device's public-key fingerprint -
         // matches the LookupDeviceCertificate(fp) parameter shape used
         // by the scope-enforcement path. Callers compute the fingerprint
         // from cert.device_public_key.

package/dist/largeattachment/crypto.d.ts

@@ -22,7 +22,7 @@ export declare function deriveAttachmentKey(kEnclosure: Uint8Array, attachmentId
  * AEAD additional-data input bound into each attachment's
  * ciphertext per §3.2: canonical UTF-8 JSON of the item with
  * `ciphertext_hash`, `aead_nonce`, and `extensions` set to empty
- * values (`""`, `""`, `{}` — but `extensions` is dropped by the
+ * values (`""`, `""`, `{}` - but `extensions` is dropped by the
  * canonicalizer when it's the optional `extensions` field).
  *
  * Binding the metadata into AAD prevents an attacker from swapping

package/dist/largeattachment/crypto.js

@@ -37,7 +37,7 @@ export function deriveAttachmentKey(kEnclosure, attachmentId, outputLen) {
  * AEAD additional-data input bound into each attachment's
  * ciphertext per §3.2: canonical UTF-8 JSON of the item with
  * `ciphertext_hash`, `aead_nonce`, and `extensions` set to empty
- * values (`""`, `""`, `{}` — but `extensions` is dropped by the
+ * values (`""`, `""`, `{}` - but `extensions` is dropped by the
  * canonicalizer when it's the optional `extensions` field).
  *
  * Binding the metadata into AAD prevents an attacker from swapping
@@ -112,7 +112,7 @@ export function validateUrl(raw) {
     // URL may still reveal them. We accept IPv6 if it parses as an IP
     // and contains ':'.
     if (looksLikeIPv6(host)) {
-        return; // IPv6 literal — accepted
+        return; // IPv6 literal - accepted
     }
     if (looksLikeIPv4(host)) {
         throw new Error(`largeattachment: url host ${JSON.stringify(host)} is a bare IPv4 literal; FQDN required`);

package/dist/largeattachment/upload.d.ts

@@ -9,7 +9,7 @@ import { type Item } from "./types.js";
 export type AttachmentSuite = "x25519-chacha20-poly1305" | "pq-kyber768-x25519";
 /** Inputs to {@link encryptAttachment}. */
 export interface EncryptAttachmentInput {
-    /** Negotiated session suite — selects the AEAD per §3.2. */
+    /** Negotiated session suite - selects the AEAD per §3.2. */
     suite: AttachmentSuite;
     /** 32-byte K_enclosure from the envelope this item belongs to. */
     kEnclosure: Uint8Array;
@@ -32,7 +32,7 @@ export interface EncryptAttachmentInput {
 export interface EncryptAttachmentResult {
     /** Fully populated item ready to drop into the enclosure. */
     item: Item;
-    /** AEAD ciphertext bytes — uploaded by the caller to `item.url`. */
+    /** AEAD ciphertext bytes - uploaded by the caller to `item.url`. */
     ciphertext: Uint8Array;
 }
 /**
@@ -40,7 +40,7 @@ export interface EncryptAttachmentResult {
  * plaintext, populate the item with `ciphertext_hash` and return
  * the bytes the caller uploads to `item.url`.
  *
- * Does NOT upload anything — the caller PUTs `ciphertext` to `url`.
+ * Does NOT upload anything - the caller PUTs `ciphertext` to `url`.
  */
 export declare function encryptAttachment(input: EncryptAttachmentInput): EncryptAttachmentResult;
 /**

package/dist/largeattachment/upload.js

@@ -12,7 +12,7 @@ import { AEADChaCha20Poly1305, AEADXChaCha20Poly1305, } from "./types.js";
  * plaintext, populate the item with `ciphertext_hash` and return
  * the bytes the caller uploads to `item.url`.
  *
- * Does NOT upload anything — the caller PUTs `ciphertext` to `url`.
+ * Does NOT upload anything - the caller PUTs `ciphertext` to `url`.
  */
 export function encryptAttachment(input) {
     if (input.kEnclosure.length === 0) {

package/dist/migration/index.d.ts

@@ -7,7 +7,7 @@
  *
  * @module
  */
-export { type MigrationMode, type MigrationNotice, type MigrationNoticeRejection, type MigrationRecord, type MigrationSignatureBlock, MaxForwardingWindowMs, MigrationNoticeType, MigrationPrefix, MigrationRecordType, MigrationRecordVersion, MinForwardingWindowMs, RecommendedForwardingWindowMs, SignatureAlgorithmEd25519, } from "./types.js";
+export { type MigrationMode, type MigrationNotice, type MigrationNoticeRejection, type MigrationRecord, type MigrationSignatureBlock, MaxNoticeWindowMs, MigrationPrefix, MigrationRecordType, MigrationRecordVersion, MinNoticeWindowMs, RecommendedNoticeWindowMs, SignatureAlgorithmEd25519, } from "./types.js";
 export { checkMigratedAtBound, prepareSignatures, signNewDomain, signNewIdentity, signOldDomain, signOldIdentity, validateMigrationRecord, verifyMigrationPass, verifyMigrationRecord, } from "./sign.js";
 export { type ComposeMigrationInput, composeMigrationRecord, } from "./migration.js";
 export { type AcceptSubmissionInput, type BuildSubmissionInput, type ThirdPartyHook, type ThirdPartyPolicy, acceptSubmission, applyThirdPartyPolicy, buildSubmission, } from "./orchestrate.js";

package/dist/migration/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/migration/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,OAAO,EACL,KAAK,aAAa,EAClB,KAAK,eAAe,EACpB,KAAK,wBAAwB,EAC7B,KAAK,eAAe,EACpB,KAAK,uBAAuB,EAC5B,qBAAqB,EACrB,mBAAmB,EACnB,eAAe,EACf,mBAAmB,EACnB,sBAAsB,EACtB,qBAAqB,EACrB,6BAA6B,EAC7B,yBAAyB,GAC1B,MAAM,YAAY,CAAC;AAEpB,OAAO,EACL,oBAAoB,EACpB,iBAAiB,EACjB,aAAa,EACb,eAAe,EACf,aAAa,EACb,eAAe,EACf,uBAAuB,EACvB,mBAAmB,EACnB,qBAAqB,GACtB,MAAM,WAAW,CAAC;AAEnB,OAAO,EACL,KAAK,qBAAqB,EAC1B,sBAAsB,GACvB,MAAM,gBAAgB,CAAC;AAExB,OAAO,EACL,KAAK,qBAAqB,EAC1B,KAAK,oBAAoB,EACzB,KAAK,cAAc,EACnB,KAAK,gBAAgB,EACrB,gBAAgB,EAChB,qBAAqB,EACrB,eAAe,GAChB,MAAM,kBAAkB,CAAC;AAE1B,OAAO,EACL,KAAK,eAAe,EACpB,KAAK,kBAAkB,EACvB,uBAAuB,GACxB,MAAM,cAAc,CAAC;AAEtB,OAAO,EACL,KAAK,yBAAyB,EAC9B,oBAAoB,EACpB,2BAA2B,GAC5B,MAAM,aAAa,CAAC;AAErB,OAAO,EACL,KAAK,gBAAgB,EACrB,wBAAwB,GACzB,MAAM,wBAAwB,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/migration/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,OAAO,EACL,KAAK,aAAa,EAClB,KAAK,eAAe,EACpB,KAAK,wBAAwB,EAC7B,KAAK,eAAe,EACpB,KAAK,uBAAuB,EAC5B,iBAAiB,EACjB,eAAe,EACf,mBAAmB,EACnB,sBAAsB,EACtB,iBAAiB,EACjB,yBAAyB,EACzB,yBAAyB,GAC1B,MAAM,YAAY,CAAC;AAEpB,OAAO,EACL,oBAAoB,EACpB,iBAAiB,EACjB,aAAa,EACb,eAAe,EACf,aAAa,EACb,eAAe,EACf,uBAAuB,EACvB,mBAAmB,EACnB,qBAAqB,GACtB,MAAM,WAAW,CAAC;AAEnB,OAAO,EACL,KAAK,qBAAqB,EAC1B,sBAAsB,GACvB,MAAM,gBAAgB,CAAC;AAExB,OAAO,EACL,KAAK,qBAAqB,EAC1B,KAAK,oBAAoB,EACzB,KAAK,cAAc,EACnB,KAAK,gBAAgB,EACrB,gBAAgB,EAChB,qBAAqB,EACrB,eAAe,GAChB,MAAM,kBAAkB,CAAC;AAE1B,OAAO,EACL,KAAK,eAAe,EACpB,KAAK,kBAAkB,EACvB,uBAAuB,GACxB,MAAM,cAAc,CAAC;AAEtB,OAAO,EACL,KAAK,yBAAyB,EAC9B,oBAAoB,EACpB,2BAA2B,GAC5B,MAAM,aAAa,CAAC;AAErB,OAAO,EACL,KAAK,gBAAgB,EACrB,wBAAwB,GACzB,MAAM,wBAAwB,CAAC"}

package/dist/migration/index.js

@@ -7,7 +7,7 @@
  *
  * @module
  */
-export { MaxForwardingWindowMs, MigrationNoticeType, MigrationPrefix, MigrationRecordType, MigrationRecordVersion, MinForwardingWindowMs, RecommendedForwardingWindowMs, SignatureAlgorithmEd25519, } from "./types.js";
+export { MaxNoticeWindowMs, MigrationPrefix, MigrationRecordType, MigrationRecordVersion, MinNoticeWindowMs, RecommendedNoticeWindowMs, SignatureAlgorithmEd25519, } from "./types.js";
 export { checkMigratedAtBound, prepareSignatures, signNewDomain, signNewIdentity, signOldDomain, signOldIdentity, validateMigrationRecord, verifyMigrationPass, verifyMigrationRecord, } from "./sign.js";
 export { composeMigrationRecord, } from "./migration.js";
 export { acceptSubmission, applyThirdPartyPolicy, buildSubmission, } from "./orchestrate.js";

package/dist/migration/index.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/migration/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,OAAO,EAML,qBAAqB,EACrB,mBAAmB,EACnB,eAAe,EACf,mBAAmB,EACnB,sBAAsB,EACtB,qBAAqB,EACrB,6BAA6B,EAC7B,yBAAyB,GAC1B,MAAM,YAAY,CAAC;AAEpB,OAAO,EACL,oBAAoB,EACpB,iBAAiB,EACjB,aAAa,EACb,eAAe,EACf,aAAa,EACb,eAAe,EACf,uBAAuB,EACvB,mBAAmB,EACnB,qBAAqB,GACtB,MAAM,WAAW,CAAC;AAEnB,OAAO,EAEL,sBAAsB,GACvB,MAAM,gBAAgB,CAAC;AAExB,OAAO,EAKL,gBAAgB,EAChB,qBAAqB,EACrB,eAAe,GAChB,MAAM,kBAAkB,CAAC;AAE1B,OAAO,EAGL,uBAAuB,GACxB,MAAM,cAAc,CAAC;AAEtB,OAAO,EAEL,oBAAoB,EACpB,2BAA2B,GAC5B,MAAM,aAAa,CAAC;AAErB,OAAO,EAEL,wBAAwB,GACzB,MAAM,wBAAwB,CAAC"}
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/migration/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,OAAO,EAML,iBAAiB,EACjB,eAAe,EACf,mBAAmB,EACnB,sBAAsB,EACtB,iBAAiB,EACjB,yBAAyB,EACzB,yBAAyB,GAC1B,MAAM,YAAY,CAAC;AAEpB,OAAO,EACL,oBAAoB,EACpB,iBAAiB,EACjB,aAAa,EACb,eAAe,EACf,aAAa,EACb,eAAe,EACf,uBAAuB,EACvB,mBAAmB,EACnB,qBAAqB,GACtB,MAAM,WAAW,CAAC;AAEnB,OAAO,EAEL,sBAAsB,GACvB,MAAM,gBAAgB,CAAC;AAExB,OAAO,EAKL,gBAAgB,EAChB,qBAAqB,EACrB,eAAe,GAChB,MAAM,kBAAkB,CAAC;AAE1B,OAAO,EAGL,uBAAuB,GACxB,MAAM,cAAc,CAAC;AAEtB,OAAO,EAEL,oBAAoB,EACpB,2BAA2B,GAC5B,MAAM,aAAa,CAAC;AAErB,OAAO,EAEL,wBAAwB,GACzB,MAAM,wBAAwB,CAAC"}

package/dist/migration/lockout.d.ts

@@ -2,9 +2,9 @@
  * Local-part lockout registry per MIGRATION.md §6.
  *
  * After a cooperative migration finalizes, the old provider MUST
- * lock out the old local-part for the duration of the forwarding
+ * lock out the old local-part for the duration of the notice
  * window so a different account cannot be reassigned the old
- * address while forwarding is still expected to honor it.
+ * address while the migration notice is still being served.
  *
  * @module
  */

package/dist/migration/lockout.js

@@ -2,9 +2,9 @@
  * Local-part lockout registry per MIGRATION.md §6.
  *
  * After a cooperative migration finalizes, the old provider MUST
- * lock out the old local-part for the duration of the forwarding
+ * lock out the old local-part for the duration of the notice
  * window so a different account cannot be reassigned the old
- * address while forwarding is still expected to honor it.
+ * address while the migration notice is still being served.
  *
  * @module
  */

package/dist/migration/migration.d.ts

@@ -18,11 +18,13 @@ export interface ComposeMigrationInput {
     /** ISO 8601 UTC timestamp the migration was effected. */
     migratedAt: string;
     /**
-     * ISO 8601 UTC timestamp until which the old domain forwards.
-     * REQUIRED when `mode === "cooperative"`. Pass null/undefined in
-     * unilateral mode to omit.
+     * ISO 8601 UTC end of the migration notice window. During this
+     * window the old provider serves migration_notice on rejections
+     * and migration_to on key fetches. REQUIRED when
+     * `mode === "cooperative"`. Pass null/undefined in unilateral
+     * mode to omit.
      */
-    forwardingWindowUntil?: string | null;
+    noticeWindowUntil?: string | null;
     oldAddress: string;
     newAddress: string;
     oldIdentityKeyId: string;

package/dist/migration/migration.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"migration.d.ts","sourceRoot":"","sources":["../../src/migration/migration.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AASH,OAAO,EACL,KAAK,aAAa,EAClB,KAAK,eAAe,EACpB,eAAe,EAGhB,MAAM,YAAY,CAAC;AAEpB,gDAAgD;AAChD,MAAM,WAAW,qBAAqB;IACpC,IAAI,EAAE,aAAa,CAAC;IACpB,qCAAqC;IACrC,QAAQ,EAAE,MAAM,CAAC;IACjB,yDAAyD;IACzD,UAAU,EAAE,MAAM,CAAC;IACnB;;;;OAIG;IACH,qBAAqB,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IACtC,UAAU,EAAE,MAAM,CAAC;IACnB,UAAU,EAAE,MAAM,CAAC;IAEnB,gBAAgB,EAAE,MAAM,CAAC;IACzB,eAAe,EAAE,UAAU,CAAC;IAE5B,gBAAgB,EAAE,MAAM,CAAC;IACzB,8CAA8C;IAC9C,oBAAoB,EAAE,MAAM,CAAC;IAC7B,eAAe,EAAE,UAAU,CAAC;IAE5B,cAAc,EAAE,MAAM,CAAC;IACvB,aAAa,EAAE,UAAU,CAAC;IAE1B,6BAA6B;IAC7B,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,6BAA6B;IAC7B,aAAa,CAAC,EAAE,UAAU,CAAC;IAE3B,UAAU,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CACtC;AAED;;;GAGG;AACH,wBAAgB,sBAAsB,CACpC,KAAK,EAAE,qBAAqB,GAC3B,eAAe,CAgDjB;AAGD,OAAO,EAAE,eAAe,EAAE,CAAC"}
+{"version":3,"file":"migration.d.ts","sourceRoot":"","sources":["../../src/migration/migration.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AASH,OAAO,EACL,KAAK,aAAa,EAClB,KAAK,eAAe,EACpB,eAAe,EAGhB,MAAM,YAAY,CAAC;AAEpB,gDAAgD;AAChD,MAAM,WAAW,qBAAqB;IACpC,IAAI,EAAE,aAAa,CAAC;IACpB,qCAAqC;IACrC,QAAQ,EAAE,MAAM,CAAC;IACjB,yDAAyD;IACzD,UAAU,EAAE,MAAM,CAAC;IACnB;;;;;;OAMG;IACH,iBAAiB,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAClC,UAAU,EAAE,MAAM,CAAC;IACnB,UAAU,EAAE,MAAM,CAAC;IAEnB,gBAAgB,EAAE,MAAM,CAAC;IACzB,eAAe,EAAE,UAAU,CAAC;IAE5B,gBAAgB,EAAE,MAAM,CAAC;IACzB,8CAA8C;IAC9C,oBAAoB,EAAE,MAAM,CAAC;IAC7B,eAAe,EAAE,UAAU,CAAC;IAE5B,cAAc,EAAE,MAAM,CAAC;IACvB,aAAa,EAAE,UAAU,CAAC;IAE1B,6BAA6B;IAC7B,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,6BAA6B;IAC7B,aAAa,CAAC,EAAE,UAAU,CAAC;IAE3B,UAAU,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CACtC;AAED;;;GAGG;AACH,wBAAgB,sBAAsB,CACpC,KAAK,EAAE,qBAAqB,GAC3B,eAAe,CAgDjB;AAGD,OAAO,EAAE,eAAe,EAAE,CAAC"}

package/dist/migration/migration.js

@@ -26,10 +26,10 @@ export function composeMigrationRecord(input) {
         new_identity_key_id: input.newIdentityKeyId,
         new_identity_public_key: input.newIdentityPublicKey,
         migrated_at: input.migratedAt,
-        forwarding_window_until: input.forwardingWindowUntil === undefined ||
-            input.forwardingWindowUntil === ""
+        notice_window_until: input.noticeWindowUntil === undefined ||
+            input.noticeWindowUntil === ""
             ? null
-            : input.forwardingWindowUntil,
+            : input.noticeWindowUntil,
         mode: input.mode,
         old_identity_signature: { algorithm: "", key_id: "", value: "" },
         new_identity_signature: { algorithm: "", key_id: "", value: "" },

package/dist/migration/migration.js.map

@@ -1 +1 @@
-{"version":3,"file":"migration.js","sourceRoot":"","sources":["../../src/migration/migration.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAEH,OAAO,EACL,iBAAiB,EACjB,aAAa,EACb,eAAe,EACf,aAAa,EACb,eAAe,GAChB,MAAM,WAAW,CAAC;AACnB,OAAO,EAGL,eAAe,EACf,mBAAmB,EACnB,sBAAsB,GACvB,MAAM,YAAY,CAAC;AAqCpB;;;GAGG;AACH,MAAM,UAAU,sBAAsB,CACpC,KAA4B;IAE5B,MAAM,CAAC,GAAoB;QACzB,IAAI,EAAE,mBAAmB;QACzB,OAAO,EAAE,sBAAsB;QAC/B,SAAS,EAAE,KAAK,CAAC,QAAQ;QACzB,WAAW,EAAE,KAAK,CAAC,UAAU;QAC7B,WAAW,EAAE,KAAK,CAAC,UAAU;QAC7B,mBAAmB,EAAE,KAAK,CAAC,gBAAgB;QAC3C,mBAAmB,EAAE,KAAK,CAAC,gBAAgB;QAC3C,uBAAuB,EAAE,KAAK,CAAC,oBAAoB;QACnD,WAAW,EAAE,KAAK,CAAC,UAAU;QAC7B,uBAAuB,EACrB,KAAK,CAAC,qBAAqB,KAAK,SAAS;YACzC,KAAK,CAAC,qBAAqB,KAAK,EAAE;YAChC,CAAC,CAAC,IAAI;YACN,CAAC,CAAC,KAAK,CAAC,qBAAqB;QACjC,IAAI,EAAE,KAAK,CAAC,IAAI;QAChB,sBAAsB,EAAE,EAAE,SAAS,EAAE,EAAE,EAAE,MAAM,EAAE,EAAE,EAAE,KAAK,EAAE,EAAE,EAAE;QAChE,sBAAsB,EAAE,EAAE,SAAS,EAAE,EAAE,EAAE,MAAM,EAAE,EAAE,EAAE,KAAK,EAAE,EAAE,EAAE;QAChE,oBAAoB,EAAE,EAAE,SAAS,EAAE,EAAE,EAAE,MAAM,EAAE,EAAE,EAAE,KAAK,EAAE,EAAE,EAAE;QAC9D,oBAAoB,EAAE,IAAI;KAC3B,CAAC;IACF,IAAI,KAAK,CAAC,UAAU,KAAK,SAAS,EAAE,CAAC;QACnC,CAAC,CAAC,UAAU,GAAG,KAAK,CAAC,UAAU,CAAC;IAClC,CAAC;IACD,iBAAiB,CACf,CAAC,EACD,KAAK,CAAC,gBAAgB,EACtB,KAAK,CAAC,gBAAgB,EACtB,KAAK,CAAC,cAAc,EACpB,KAAK,CAAC,cAAc,CACrB,CAAC;IACF,eAAe,CAAC,CAAC,EAAE,KAAK,CAAC,eAAe,EAAE,KAAK,CAAC,gBAAgB,CAAC,CAAC;IAClE,eAAe,CAAC,CAAC,EAAE,KAAK,CAAC,eAAe,EAAE,KAAK,CAAC,gBAAgB,CAAC,CAAC;IAClE,aAAa,CAAC,CAAC,EAAE,KAAK,CAAC,aAAa,EAAE,KAAK,CAAC,cAAc,CAAC,CAAC;IAC5D,IAAI,KAAK,CAAC,IAAI,KAAK,aAAa,EAAE,CAAC;QACjC,IACE,KAAK,CAAC,aAAa,KAAK,SAAS;YACjC,KAAK,CAAC,cAAc,KAAK,SAAS;YAClC,KAAK,CAAC,cAAc,KAAK,EAAE,EAC3B,CAAC;YACD,MAAM,IAAI,KAAK,CACb,qEAAqE,CACtE,CAAC;QACJ,CAAC;QACD,aAAa,CAAC,CAAC,EAAE,KAAK,CAAC,aAAa,EAAE,KAAK,CAAC,cAAc,CAAC,CAAC;IAC9D,CAAC;IACD,OAAO,CAAC,CAAC;AACX,CAAC;AAED,8CAA8C;AAC9C,OAAO,EAAE,eAAe,EAAE,CAAC"}
+{"version":3,"file":"migration.js","sourceRoot":"","sources":["../../src/migration/migration.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAEH,OAAO,EACL,iBAAiB,EACjB,aAAa,EACb,eAAe,EACf,aAAa,EACb,eAAe,GAChB,MAAM,WAAW,CAAC;AACnB,OAAO,EAGL,eAAe,EACf,mBAAmB,EACnB,sBAAsB,GACvB,MAAM,YAAY,CAAC;AAuCpB;;;GAGG;AACH,MAAM,UAAU,sBAAsB,CACpC,KAA4B;IAE5B,MAAM,CAAC,GAAoB;QACzB,IAAI,EAAE,mBAAmB;QACzB,OAAO,EAAE,sBAAsB;QAC/B,SAAS,EAAE,KAAK,CAAC,QAAQ;QACzB,WAAW,EAAE,KAAK,CAAC,UAAU;QAC7B,WAAW,EAAE,KAAK,CAAC,UAAU;QAC7B,mBAAmB,EAAE,KAAK,CAAC,gBAAgB;QAC3C,mBAAmB,EAAE,KAAK,CAAC,gBAAgB;QAC3C,uBAAuB,EAAE,KAAK,CAAC,oBAAoB;QACnD,WAAW,EAAE,KAAK,CAAC,UAAU;QAC7B,mBAAmB,EACjB,KAAK,CAAC,iBAAiB,KAAK,SAAS;YACrC,KAAK,CAAC,iBAAiB,KAAK,EAAE;YAC5B,CAAC,CAAC,IAAI;YACN,CAAC,CAAC,KAAK,CAAC,iBAAiB;QAC7B,IAAI,EAAE,KAAK,CAAC,IAAI;QAChB,sBAAsB,EAAE,EAAE,SAAS,EAAE,EAAE,EAAE,MAAM,EAAE,EAAE,EAAE,KAAK,EAAE,EAAE,EAAE;QAChE,sBAAsB,EAAE,EAAE,SAAS,EAAE,EAAE,EAAE,MAAM,EAAE,EAAE,EAAE,KAAK,EAAE,EAAE,EAAE;QAChE,oBAAoB,EAAE,EAAE,SAAS,EAAE,EAAE,EAAE,MAAM,EAAE,EAAE,EAAE,KAAK,EAAE,EAAE,EAAE;QAC9D,oBAAoB,EAAE,IAAI;KAC3B,CAAC;IACF,IAAI,KAAK,CAAC,UAAU,KAAK,SAAS,EAAE,CAAC;QACnC,CAAC,CAAC,UAAU,GAAG,KAAK,CAAC,UAAU,CAAC;IAClC,CAAC;IACD,iBAAiB,CACf,CAAC,EACD,KAAK,CAAC,gBAAgB,EACtB,KAAK,CAAC,gBAAgB,EACtB,KAAK,CAAC,cAAc,EACpB,KAAK,CAAC,cAAc,CACrB,CAAC;IACF,eAAe,CAAC,CAAC,EAAE,KAAK,CAAC,eAAe,EAAE,KAAK,CAAC,gBAAgB,CAAC,CAAC;IAClE,eAAe,CAAC,CAAC,EAAE,KAAK,CAAC,eAAe,EAAE,KAAK,CAAC,gBAAgB,CAAC,CAAC;IAClE,aAAa,CAAC,CAAC,EAAE,KAAK,CAAC,aAAa,EAAE,KAAK,CAAC,cAAc,CAAC,CAAC;IAC5D,IAAI,KAAK,CAAC,IAAI,KAAK,aAAa,EAAE,CAAC;QACjC,IACE,KAAK,CAAC,aAAa,KAAK,SAAS;YACjC,KAAK,CAAC,cAAc,KAAK,SAAS;YAClC,KAAK,CAAC,cAAc,KAAK,EAAE,EAC3B,CAAC;YACD,MAAM,IAAI,KAAK,CACb,qEAAqE,CACtE,CAAC;QACJ,CAAC;QACD,aAAa,CAAC,CAAC,EAAE,KAAK,CAAC,aAAa,EAAE,KAAK,CAAC,cAAc,CAAC,CAAC;IAC9D,CAAC;IACD,OAAO,CAAC,CAAC;AACX,CAAC;AAED,8CAA8C;AAC9C,OAAO,EAAE,eAAe,EAAE,CAAC"}

package/dist/migration/notice.d.ts

@@ -1,10 +1,16 @@
 /**
- * Migration notice messages per MIGRATION.md §4.
+ * Migration notice body construction per MIGRATION.md §5.3.
  *
- * A `SEMP_MIGRATION_NOTICE` is what a server returns to a sender
- * that attempted to deliver to a migrated address. It carries a
- * pointer to the published migration record (URL + record_id) so
- * the sender's stack can fetch and verify it before redirecting.
+ * The migration notice is a body field attached to a
+ * policy_forbidden envelope rejection that the old provider emits
+ * during the migration notice window. It points the sender at the
+ * recipient's new address and at the published migration record
+ * (URL + record_id) so the sender's stack can fetch and verify the
+ * record before redirecting.
+ *
+ * After the notice window elapses the old provider stops attaching
+ * the notice and handles the old address the same way it handles a
+ * non-existent address.
  *
  * @module
  */
@@ -12,22 +18,28 @@ import { type MigrationNotice, type MigrationNoticeRejection, type MigrationReco
 /** Inputs to {@link buildMigrationNotice}. */
 export interface BuildMigrationNoticeInput {
     record: MigrationRecord;
-    /** URL pattern with `{record_id}` placeholder, e.g. `https://old.example/migration/{record_id}`. */
-    recordUrlPattern: string;
-    /** Optional pre-assigned notice id; auto-generated when omitted. */
-    noticeId?: string;
-    /** Wall-clock; defaults to `() => new Date()`. */
-    nowFn?: () => Date;
-    /** Random source for ULID generation. */
-    rand?: (n: number) => Uint8Array;
+    /**
+     * Optional URL template the operator uses to expose published
+     * records (typically
+     * "https://<old-domain>/.well-known/semp/migration/<record_id>"
+     * per §5.3 example). When the template contains the literal
+     * "<record_id>" placeholder the record's ID is substituted;
+     * otherwise the template is used verbatim. Omit to exclude
+     * migration_record_url from the notice.
+     */
+    recordUrlPattern?: string;
 }
 /**
- * Build a {@link MigrationNotice} that points at the published
- * `record`. The notice is unsigned — the recipient sender verifies
- * the underlying record by fetching `record_url` and running
- * `verifyMigrationRecord`.
+ * Build a {@link MigrationNotice} from a published migration
+ * record. The notice is unsigned; the receiving sender verifies
+ * the underlying record by fetching migration_record_url and
+ * running `verifyMigrationRecord`.
  */
 export declare function buildMigrationNotice(input: BuildMigrationNoticeInput): MigrationNotice;
-/** Construct a rejection wrapper to refuse honoring a notice. */
-export declare function newMigrationNoticeRejection(notice: MigrationNotice, reason: string): MigrationNoticeRejection;
+/**
+ * Wrap a {@link MigrationNotice} in the §5.3 SEMP_ENVELOPE
+ * step=rejected response. The reason is a human-readable
+ * description; the spec example uses "Recipient has migrated."
+ */
+export declare function newMigrationNoticeRejection(notice: MigrationNotice, reason?: string): MigrationNoticeRejection;
 //# sourceMappingURL=notice.d.ts.map

package/dist/migration/notice.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"notice.d.ts","sourceRoot":"","sources":["../../src/migration/notice.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAEH,OAAO,EACL,KAAK,eAAe,EACpB,KAAK,wBAAwB,EAC7B,KAAK,eAAe,EAGrB,MAAM,YAAY,CAAC;AAEpB,8CAA8C;AAC9C,MAAM,WAAW,yBAAyB;IACxC,MAAM,EAAE,eAAe,CAAC;IACxB,oGAAoG;IACpG,gBAAgB,EAAE,MAAM,CAAC;IACzB,oEAAoE;IACpE,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,kDAAkD;IAClD,KAAK,CAAC,EAAE,MAAM,IAAI,CAAC;IACnB,yCAAyC;IACzC,IAAI,CAAC,EAAE,CAAC,CAAC,EAAE,MAAM,KAAK,UAAU,CAAC;CAClC;AAED;;;;;GAKG;AACH,wBAAgB,oBAAoB,CAClC,KAAK,EAAE,yBAAyB,GAC/B,eAAe,CAuBjB;AAED,iEAAiE;AACjE,wBAAgB,2BAA2B,CACzC,MAAM,EAAE,eAAe,EACvB,MAAM,EAAE,MAAM,GACb,wBAAwB,CAE1B"}
+{"version":3,"file":"notice.d.ts","sourceRoot":"","sources":["../../src/migration/notice.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;GAeG;AAEH,OAAO,EACL,KAAK,eAAe,EACpB,KAAK,wBAAwB,EAC7B,KAAK,eAAe,EAErB,MAAM,YAAY,CAAC;AAEpB,8CAA8C;AAC9C,MAAM,WAAW,yBAAyB;IACxC,MAAM,EAAE,eAAe,CAAC;IACxB;;;;;;;;OAQG;IACH,gBAAgB,CAAC,EAAE,MAAM,CAAC;CAC3B;AAED;;;;;GAKG;AACH,wBAAgB,oBAAoB,CAClC,KAAK,EAAE,yBAAyB,GAC/B,eAAe,CAcjB;AAED;;;;GAIG;AACH,wBAAgB,2BAA2B,CACzC,MAAM,EAAE,eAAe,EACvB,MAAM,SAA4B,GACjC,wBAAwB,CAS1B"}

package/dist/migration/notice.js

@@ -1,85 +1,51 @@
 /**
- * Migration notice messages per MIGRATION.md §4.
+ * Migration notice body construction per MIGRATION.md §5.3.
  *
- * A `SEMP_MIGRATION_NOTICE` is what a server returns to a sender
- * that attempted to deliver to a migrated address. It carries a
- * pointer to the published migration record (URL + record_id) so
- * the sender's stack can fetch and verify it before redirecting.
+ * The migration notice is a body field attached to a
+ * policy_forbidden envelope rejection that the old provider emits
+ * during the migration notice window. It points the sender at the
+ * recipient's new address and at the published migration record
+ * (URL + record_id) so the sender's stack can fetch and verify the
+ * record before redirecting.
+ *
+ * After the notice window elapses the old provider stops attaching
+ * the notice and handles the old address the same way it handles a
+ * non-existent address.
  *
  * @module
  */
-import { MigrationNoticeType, MigrationRecordVersion, } from "./types.js";
+import { MigrationRecordVersion, } from "./types.js";
 /**
- * Build a {@link MigrationNotice} that points at the published
- * `record`. The notice is unsigned — the recipient sender verifies
- * the underlying record by fetching `record_url` and running
- * `verifyMigrationRecord`.
+ * Build a {@link MigrationNotice} from a published migration
+ * record. The notice is unsigned; the receiving sender verifies
+ * the underlying record by fetching migration_record_url and
+ * running `verifyMigrationRecord`.
  */
 export function buildMigrationNotice(input) {
-    if (input.recordUrlPattern === "" || !input.recordUrlPattern.includes("{record_id}")) {
-        throw new Error("migration: recordUrlPattern must include {record_id} placeholder");
-    }
-    const recordUrl = input.recordUrlPattern.replace("{record_id}", encodeURIComponent(input.record.record_id));
-    const noticeId = input.noticeId ?? newULID(input.rand);
-    const nowFn = input.nowFn ?? (() => new Date());
-    return {
-        type: MigrationNoticeType,
-        version: MigrationRecordVersion,
-        notice_id: noticeId,
-        record_id: input.record.record_id,
-        record_url: recordUrl,
-        old_address: input.record.old_address,
+    const notice = {
         new_address: input.record.new_address,
-        mode: input.record.mode,
-        issued_at: isoSecond(nowFn()),
+        migration_record_id: input.record.record_id,
     };
-}
-/** Construct a rejection wrapper to refuse honoring a notice. */
-export function newMigrationNoticeRejection(notice, reason) {
-    return { notice, reason };
-}
-// ---------------------------------------------------------------------------
-// Helpers (inlined ULID minter — same as elsewhere in the codebase)
-const ULID_ALPHABET = "0123456789ABCDEFGHJKMNPQRSTVWXYZ";
-function newULID(rand) {
-    const r = rand ?? defaultRand;
-    const bits = new Uint8Array(16);
-    const ms = BigInt(Date.now());
-    bits[0] = Number((ms >> 40n) & 0xffn);
-    bits[1] = Number((ms >> 32n) & 0xffn);
-    bits[2] = Number((ms >> 24n) & 0xffn);
-    bits[3] = Number((ms >> 16n) & 0xffn);
-    bits[4] = Number((ms >> 8n) & 0xffn);
-    bits[5] = Number(ms & 0xffn);
-    const random = r(10);
-    for (let i = 0; i < 10; i++) {
-        bits[6 + i] = random[i] ?? 0;
-    }
-    let u = 0n;
-    for (let i = 0; i < 8; i++) {
-        u = (u << 8n) | BigInt(bits[i] ?? 0);
-    }
-    let u2 = 0n;
-    for (let i = 8; i < 16; i++) {
-        u2 = (u2 << 8n) | BigInt(bits[i] ?? 0);
+    if (input.recordUrlPattern !== undefined && input.recordUrlPattern !== "") {
+        notice.migration_record_url = input.recordUrlPattern.includes("<record_id>")
+            ? input.recordUrlPattern.replaceAll("<record_id>", input.record.record_id)
+            : input.recordUrlPattern;
     }
-    const out = new Array(26);
-    for (let i = 25; i >= 13; i--) {
-        out[i] = ULID_ALPHABET[Number(u2 & 31n)] ?? "0";
-        u2 >>= 5n;
-    }
-    for (let i = 12; i >= 0; i--) {
-        out[i] = ULID_ALPHABET[Number(u & 31n)] ?? "0";
-        u >>= 5n;
-    }
-    return out.join("");
+    return notice;
 }
-function defaultRand(n) {
-    const out = new Uint8Array(n);
-    globalThis.crypto.getRandomValues(out);
-    return out;
-}
-function isoSecond(d) {
-    return d.toISOString().replace(/\.\d{3}Z$/, "Z");
+/**
+ * Wrap a {@link MigrationNotice} in the §5.3 SEMP_ENVELOPE
+ * step=rejected response. The reason is a human-readable
+ * description; the spec example uses "Recipient has migrated."
+ */
+export function newMigrationNoticeRejection(notice, reason = "Recipient has migrated.") {
+    return {
+        type: "SEMP_ENVELOPE",
+        step: "rejected",
+        version: MigrationRecordVersion,
+        reason_code: "policy_forbidden",
+        reason,
+        migration_notice: notice,
+    };
 }
 //# sourceMappingURL=notice.js.map

package/dist/migration/notice.js.map

@@ -1 +1 @@
-{"version":3,"file":"notice.js","sourceRoot":"","sources":["../../src/migration/notice.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAEH,OAAO,EAIL,mBAAmB,EACnB,sBAAsB,GACvB,MAAM,YAAY,CAAC;AAepB;;;;;GAKG;AACH,MAAM,UAAU,oBAAoB,CAClC,KAAgC;IAEhC,IAAI,KAAK,CAAC,gBAAgB,KAAK,EAAE,IAAI,CAAC,KAAK,CAAC,gBAAgB,CAAC,QAAQ,CAAC,aAAa,CAAC,EAAE,CAAC;QACrF,MAAM,IAAI,KAAK,CACb,kEAAkE,CACnE,CAAC;IACJ,CAAC;IACD,MAAM,SAAS,GAAG,KAAK,CAAC,gBAAgB,CAAC,OAAO,CAC9C,aAAa,EACb,kBAAkB,CAAC,KAAK,CAAC,MAAM,CAAC,SAAS,CAAC,CAC3C,CAAC;IACF,MAAM,QAAQ,GAAG,KAAK,CAAC,QAAQ,IAAI,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IACvD,MAAM,KAAK,GAAG,KAAK,CAAC,KAAK,IAAI,CAAC,GAAG,EAAE,CAAC,IAAI,IAAI,EAAE,CAAC,CAAC;IAChD,OAAO;QACL,IAAI,EAAE,mBAAmB;QACzB,OAAO,EAAE,sBAAsB;QAC/B,SAAS,EAAE,QAAQ;QACnB,SAAS,EAAE,KAAK,CAAC,MAAM,CAAC,SAAS;QACjC,UAAU,EAAE,SAAS;QACrB,WAAW,EAAE,KAAK,CAAC,MAAM,CAAC,WAAW;QACrC,WAAW,EAAE,KAAK,CAAC,MAAM,CAAC,WAAW;QACrC,IAAI,EAAE,KAAK,CAAC,MAAM,CAAC,IAAI;QACvB,SAAS,EAAE,SAAS,CAAC,KAAK,EAAE,CAAC;KAC9B,CAAC;AACJ,CAAC;AAED,iEAAiE;AACjE,MAAM,UAAU,2BAA2B,CACzC,MAAuB,EACvB,MAAc;IAEd,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,CAAC;AAC5B,CAAC;AAED,8EAA8E;AAC9E,oEAAoE;AAEpE,MAAM,aAAa,GAAG,kCAAkC,CAAC;AAEzD,SAAS,OAAO,CAAC,IAAgC;IAC/C,MAAM,CAAC,GAAG,IAAI,IAAI,WAAW,CAAC;IAC9B,MAAM,IAAI,GAAG,IAAI,UAAU,CAAC,EAAE,CAAC,CAAC;IAChC,MAAM,EAAE,GAAG,MAAM,CAAC,IAAI,CAAC,GAAG,EAAE,CAAC,CAAC;IAC9B,IAAI,CAAC,CAAC,CAAC,GAAG,MAAM,CAAC,CAAC,EAAE,IAAI,GAAG,CAAC,GAAG,KAAK,CAAC,CAAC;IACtC,IAAI,CAAC,CAAC,CAAC,GAAG,MAAM,CAAC,CAAC,EAAE,IAAI,GAAG,CAAC,GAAG,KAAK,CAAC,CAAC;IACtC,IAAI,CAAC,CAAC,CAAC,GAAG,MAAM,CAAC,CAAC,EAAE,IAAI,GAAG,CAAC,GAAG,KAAK,CAAC,CAAC;IACtC,IAAI,CAAC,CAAC,CAAC,GAAG,MAAM,CAAC,CAAC,EAAE,IAAI,GAAG,CAAC,GAAG,KAAK,CAAC,CAAC;IACtC,IAAI,CAAC,CAAC,CAAC,GAAG,MAAM,CAAC,CAAC,EAAE,IAAI,EAAE,CAAC,GAAG,KAAK,CAAC,CAAC;IACrC,IAAI,CAAC,CAAC,CAAC,GAAG,MAAM,CAAC,EAAE,GAAG,KAAK,CAAC,CAAC;IAC7B,MAAM,MAAM,GAAG,CAAC,CAAC,EAAE,CAAC,CAAC;IACrB,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,EAAE,EAAE,CAAC,EAAE,EAAE,CAAC;QAC5B,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,GAAG,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC;IAC/B,CAAC;IACD,IAAI,CAAC,GAAG,EAAE,CAAC;IACX,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC;QAC3B,CAAC,GAAG,CAAC,CAAC,IAAI,EAAE,CAAC,GAAG,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC;IACvC,CAAC;IACD,IAAI,EAAE,GAAG,EAAE,CAAC;IACZ,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,EAAE,EAAE,CAAC,EAAE,EAAE,CAAC;QAC5B,EAAE,GAAG,CAAC,EAAE,IAAI,EAAE,CAAC,GAAG,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC;IACzC,CAAC;IACD,MAAM,GAAG,GAAG,IAAI,KAAK,CAAS,EAAE,CAAC,CAAC;IAClC,KAAK,IAAI,CAAC,GAAG,EAAE,EAAE,CAAC,IAAI,EAAE,EAAE,CAAC,EAAE,EAAE,CAAC;QAC9B,GAAG,CAAC,CAAC,CAAC,GAAG,aAAa,CAAC,MAAM,CAAC,EAAE,GAAG,GAAG,CAAC,CAAC,IAAI,GAAG,CAAC;QAChD,EAAE,KAAK,EAAE,CAAC;IACZ,CAAC;IACD,KAAK,IAAI,CAAC,GAAG,EAAE,EAAE,CAAC,IAAI,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC;QAC7B,GAAG,CAAC,CAAC,CAAC,GAAG,aAAa,CAAC,MAAM,CAAC,CAAC,GAAG,GAAG,CAAC,CAAC,IAAI,GAAG,CAAC;QAC/C,CAAC,KAAK,EAAE,CAAC;IACX,CAAC;IACD,OAAO,GAAG,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;AACtB,CAAC;AAED,SAAS,WAAW,CAAC,CAAS;IAC5B,MAAM,GAAG,GAAG,IAAI,UAAU,CAAC,CAAC,CAAC,CAAC;IAC9B,UAAU,CAAC,MAAM,CAAC,eAAe,CAAC,GAAG,CAAC,CAAC;IACvC,OAAO,GAAG,CAAC;AACb,CAAC;AAED,SAAS,SAAS,CAAC,CAAO;IACxB,OAAO,CAAC,CAAC,WAAW,EAAE,CAAC,OAAO,CAAC,WAAW,EAAE,GAAG,CAAC,CAAC;AACnD,CAAC"}
+{"version":3,"file":"notice.js","sourceRoot":"","sources":["../../src/migration/notice.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;GAeG;AAEH,OAAO,EAIL,sBAAsB,GACvB,MAAM,YAAY,CAAC;AAiBpB;;;;;GAKG;AACH,MAAM,UAAU,oBAAoB,CAClC,KAAgC;IAEhC,MAAM,MAAM,GAAoB;QAC9B,WAAW,EAAE,KAAK,CAAC,MAAM,CAAC,WAAW;QACrC,mBAAmB,EAAE,KAAK,CAAC,MAAM,CAAC,SAAS;KAC5C,CAAC;IACF,IAAI,KAAK,CAAC,gBAAgB,KAAK,SAAS,IAAI,KAAK,CAAC,gBAAgB,KAAK,EAAE,EAAE,CAAC;QAC1E,MAAM,CAAC,oBAAoB,GAAG,KAAK,CAAC,gBAAgB,CAAC,QAAQ,CAAC,aAAa,CAAC;YAC1E,CAAC,CAAC,KAAK,CAAC,gBAAgB,CAAC,UAAU,CAC/B,aAAa,EACb,KAAK,CAAC,MAAM,CAAC,SAAS,CACvB;YACH,CAAC,CAAC,KAAK,CAAC,gBAAgB,CAAC;IAC7B,CAAC;IACD,OAAO,MAAM,CAAC;AAChB,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,2BAA2B,CACzC,MAAuB,EACvB,MAAM,GAAG,yBAAyB;IAElC,OAAO;QACL,IAAI,EAAE,eAAe;QACrB,IAAI,EAAE,UAAU;QAChB,OAAO,EAAE,sBAAsB;QAC/B,WAAW,EAAE,kBAAkB;QAC/B,MAAM;QACN,gBAAgB,EAAE,MAAM;KACzB,CAAC;AACJ,CAAC"}

package/dist/migration/orchestrate.d.ts

@@ -4,11 +4,11 @@
  *
  * The new provider builds a 3-signature submission record and POSTs
  * it to the old provider's migration endpoint. The old provider
- * verifies the three submitted signatures, applies its forwarding
+ * verifies the three submitted signatures, applies its notice
  * policy, registers the §6 lockout, countersigns, persists, and
  * returns the final 4-signature record.
  *
- * Unilateral mode skips the countersign step — the new provider's
+ * Unilateral mode skips the countersign step - the new provider's
  * 3-signature record is the final published form.
  *
  * @module
@@ -31,8 +31,8 @@ export interface BuildSubmissionInput {
     /** Old provider's domain signing fingerprint (cooperative only). */
     oldDomainKeyId?: string;
     mode: MigrationMode;
-    /** Forwarding window in milliseconds. Cooperative mode only. */
-    forwardingWindowMs?: number;
+    /** Notice window in milliseconds. Cooperative mode only. */
+    noticeWindowMs?: number;
     /** ISO 8601 UTC. */
     migratedAt: string;
     /** Optional pre-assigned record_id; auto-generated when omitted. */
@@ -41,9 +41,9 @@ export interface BuildSubmissionInput {
     rand?: (n: number) => Uint8Array;
 }
 /**
- * Construct and apply the new-provider signatures (passes 1–3). In
+ * Construct and apply the new-provider signatures (passes 1-3). In
  * cooperative mode the returned record's `old_domain_signature`
- * slot is prepared but empty — the new provider POSTs the record
+ * slot is prepared but empty - the new provider POSTs the record
  * to the old provider, who runs {@link acceptSubmission} to verify
  * and countersign.
  */
@@ -66,10 +66,10 @@ export interface AcceptSubmissionInput {
     /** Optional clock-skew tolerance. Defaults to 5 minutes. */
     clockSkewMs?: number;
     /**
-     * Optional forwarding-policy hook. Called BEFORE countersigning.
+     * Optional notice-policy hook. Called BEFORE countersigning.
      * Throw to refuse the submission with a structured reason.
      */
-    forwardingPolicy?: (r: MigrationRecord) => Promise<void> | void;
+    noticePolicy?: (r: MigrationRecord) => Promise<void> | void;
     /** Optional persistence layer. */
     store?: PublicationStore;
     /** Optional lockout registry. */
@@ -77,11 +77,11 @@ export interface AcceptSubmissionInput {
 }
 /**
  * Old-provider side of cooperative migration: verify the 3
- * submitted signatures, apply optional forwarding policy, register
+ * submitted signatures, apply optional notice policy, register
  * the §6 lockout, countersign with `old_domain_priv`, persist via
  * the store, and return the 4-sig record.
  *
- * In unilateral mode this throws — there is no countersignature
+ * In unilateral mode this throws - there is no countersignature
  * step in the unilateral flow.
  */
 export declare function acceptSubmission(input: AcceptSubmissionInput): Promise<MigrationRecord>;

package/dist/migration/orchestrate.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"orchestrate.d.ts","sourceRoot":"","sources":["../../src/migration/orchestrate.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG;AAEH,OAAO,EACL,KAAK,eAAe,EACrB,MAAM,cAAc,CAAC;AACtB,OAAO,EACL,KAAK,gBAAgB,EACtB,MAAM,wBAAwB,CAAC;AAWhC,OAAO,EACL,KAAK,aAAa,EAClB,KAAK,eAAe,EAKrB,MAAM,YAAY,CAAC;AAEpB,yCAAyC;AACzC,MAAM,WAAW,oBAAoB;IACnC,UAAU,EAAE,MAAM,CAAC;IACnB,UAAU,EAAE,MAAM,CAAC;IACnB,gBAAgB,EAAE,MAAM,CAAC;IACzB,gBAAgB,EAAE,MAAM,CAAC;IACzB,8EAA8E;IAC9E,oBAAoB,EAAE,MAAM,CAAC;IAE7B,eAAe,EAAE,UAAU,CAAC;IAC5B,eAAe,EAAE,UAAU,CAAC;IAE5B,cAAc,EAAE,MAAM,CAAC;IACvB,aAAa,EAAE,UAAU,CAAC;IAE1B,oEAAoE;IACpE,cAAc,CAAC,EAAE,MAAM,CAAC;IAExB,IAAI,EAAE,aAAa,CAAC;IAEpB,gEAAgE;IAChE,kBAAkB,CAAC,EAAE,MAAM,CAAC;IAE5B,oBAAoB;IACpB,UAAU,EAAE,MAAM,CAAC;IAEnB,oEAAoE;IACpE,QAAQ,CAAC,EAAE,MAAM,CAAC;IAElB,2CAA2C;IAC3C,IAAI,CAAC,EAAE,CAAC,CAAC,EAAE,MAAM,KAAK,UAAU,CAAC;CAClC;AAED;;;;;;GAMG;AACH,wBAAgB,eAAe,CAC7B,KAAK,EAAE,oBAAoB,GAC1B,eAAe,CAgFjB;AAED,0CAA0C;AAC1C,MAAM,WAAW,qBAAqB;IACpC,wDAAwD;IACxD,MAAM,EAAE,eAAe,CAAC;IAExB,gFAAgF;IAChF,cAAc,EAAE,UAAU,CAAC;IAE3B,0EAA0E;IAC1E,YAAY,EAAE,UAAU,CAAC;IAEzB,iDAAiD;IACjD,aAAa,EAAE,UAAU,CAAC;IAC1B,cAAc,EAAE,MAAM,CAAC;IAEvB,8DAA8D;IAC9D,GAAG,EAAE,IAAI,CAAC;IAEV,2EAA2E;IAC3E,kBAAkB,CAAC,EAAE,IAAI,GAAG,IAAI,CAAC;IAEjC,4DAA4D;IAC5D,WAAW,CAAC,EAAE,MAAM,CAAC;IAErB;;;OAGG;IACH,gBAAgB,CAAC,EAAE,CAAC,CAAC,EAAE,eAAe,KAAK,OAAO,CAAC,IAAI,CAAC,GAAG,IAAI,CAAC;IAEhE,kCAAkC;IAClC,KAAK,CAAC,EAAE,gBAAgB,CAAC;IAEzB,iCAAiC;IACjC,OAAO,CAAC,EAAE,eAAe,CAAC;CAC3B;AAED;;;;;;;;GAQG;AACH,wBAAsB,gBAAgB,CACpC,KAAK,EAAE,qBAAqB,GAC3B,OAAO,CAAC,eAAe,CAAC,CAsD1B;AAED;;;;;GAKG;AACH,MAAM,MAAM,cAAc,GAAG,CAAC,MAAM,EAAE,eAAe,KAAK,OAAO,CAAC,IAAI,CAAC,GAAG,IAAI,CAAC;AAE/E,mFAAmF;AACnF,MAAM,WAAW,gBAAgB;IAC/B,uCAAuC;IACvC,WAAW,CAAC,EAAE,cAAc,CAAC;IAC7B,uEAAuE;IACvE,aAAa,CAAC,EAAE,cAAc,CAAC;IAC/B,iEAAiE;IACjE,YAAY,CAAC,EAAE,cAAc,CAAC;CAC/B;AAED;;;GAGG;AACH,wBAAsB,qBAAqB,CACzC,MAAM,EAAE,eAAe,EACvB,MAAM,EAAE,gBAAgB,GACvB,OAAO,CAAC,IAAI,CAAC,CAef"}
+{"version":3,"file":"orchestrate.d.ts","sourceRoot":"","sources":["../../src/migration/orchestrate.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG;AAEH,OAAO,EACL,KAAK,eAAe,EACrB,MAAM,cAAc,CAAC;AACtB,OAAO,EACL,KAAK,gBAAgB,EACtB,MAAM,wBAAwB,CAAC;AAWhC,OAAO,EACL,KAAK,aAAa,EAClB,KAAK,eAAe,EAKrB,MAAM,YAAY,CAAC;AAEpB,yCAAyC;AACzC,MAAM,WAAW,oBAAoB;IACnC,UAAU,EAAE,MAAM,CAAC;IACnB,UAAU,EAAE,MAAM,CAAC;IACnB,gBAAgB,EAAE,MAAM,CAAC;IACzB,gBAAgB,EAAE,MAAM,CAAC;IACzB,8EAA8E;IAC9E,oBAAoB,EAAE,MAAM,CAAC;IAE7B,eAAe,EAAE,UAAU,CAAC;IAC5B,eAAe,EAAE,UAAU,CAAC;IAE5B,cAAc,EAAE,MAAM,CAAC;IACvB,aAAa,EAAE,UAAU,CAAC;IAE1B,oEAAoE;IACpE,cAAc,CAAC,EAAE,MAAM,CAAC;IAExB,IAAI,EAAE,aAAa,CAAC;IAEpB,4DAA4D;IAC5D,cAAc,CAAC,EAAE,MAAM,CAAC;IAExB,oBAAoB;IACpB,UAAU,EAAE,MAAM,CAAC;IAEnB,oEAAoE;IACpE,QAAQ,CAAC,EAAE,MAAM,CAAC;IAElB,2CAA2C;IAC3C,IAAI,CAAC,EAAE,CAAC,CAAC,EAAE,MAAM,KAAK,UAAU,CAAC;CAClC;AAED;;;;;;GAMG;AACH,wBAAgB,eAAe,CAC7B,KAAK,EAAE,oBAAoB,GAC1B,eAAe,CAgFjB;AAED,0CAA0C;AAC1C,MAAM,WAAW,qBAAqB;IACpC,wDAAwD;IACxD,MAAM,EAAE,eAAe,CAAC;IAExB,gFAAgF;IAChF,cAAc,EAAE,UAAU,CAAC;IAE3B,0EAA0E;IAC1E,YAAY,EAAE,UAAU,CAAC;IAEzB,iDAAiD;IACjD,aAAa,EAAE,UAAU,CAAC;IAC1B,cAAc,EAAE,MAAM,CAAC;IAEvB,8DAA8D;IAC9D,GAAG,EAAE,IAAI,CAAC;IAEV,2EAA2E;IAC3E,kBAAkB,CAAC,EAAE,IAAI,GAAG,IAAI,CAAC;IAEjC,4DAA4D;IAC5D,WAAW,CAAC,EAAE,MAAM,CAAC;IAErB;;;OAGG;IACH,YAAY,CAAC,EAAE,CAAC,CAAC,EAAE,eAAe,KAAK,OAAO,CAAC,IAAI,CAAC,GAAG,IAAI,CAAC;IAE5D,kCAAkC;IAClC,KAAK,CAAC,EAAE,gBAAgB,CAAC;IAEzB,iCAAiC;IACjC,OAAO,CAAC,EAAE,eAAe,CAAC;CAC3B;AAED;;;;;;;;GAQG;AACH,wBAAsB,gBAAgB,CACpC,KAAK,EAAE,qBAAqB,GAC3B,OAAO,CAAC,eAAe,CAAC,CAsD1B;AAED;;;;;GAKG;AACH,MAAM,MAAM,cAAc,GAAG,CAAC,MAAM,EAAE,eAAe,KAAK,OAAO,CAAC,IAAI,CAAC,GAAG,IAAI,CAAC;AAE/E,mFAAmF;AACnF,MAAM,WAAW,gBAAgB;IAC/B,uCAAuC;IACvC,WAAW,CAAC,EAAE,cAAc,CAAC;IAC7B,uEAAuE;IACvE,aAAa,CAAC,EAAE,cAAc,CAAC;IAC/B,iEAAiE;IACjE,YAAY,CAAC,EAAE,cAAc,CAAC;CAC/B;AAED;;;GAGG;AACH,wBAAsB,qBAAqB,CACzC,MAAM,EAAE,eAAe,EACvB,MAAM,EAAE,gBAAgB,GACvB,OAAO,CAAC,IAAI,CAAC,CAef"}