@synthaer/resonance 0.1.0

package/dist/pki.js

@@ -0,0 +1,502 @@
+/**
+ * PKI Certificate Chain Integration for Local MCP
+ *
+ * Trust chain: Hedonistic Root CA -> Synthaer Intermediate CA -> Local MCP Cert -> Agent Certs
+ *
+ * On first launch:
+ *   1. Generate Ed25519 keypair
+ *   2. Create CSR (Certificate Signing Request)
+ *   3. Send CSR to Synthaer Cloud PKI for signing
+ *   4. Receive signed certificate chaining to Synthaer CA
+ *   5. Use this cert to sign all local operations
+ *
+ * Each agent gets its own cert signed by the local cert.
+ * All writes go through cloud for ratification (content signed by agent cert -> local cert -> cloud signing key).
+ */
+import crypto from 'node:crypto';
+import { readFile, writeFile, mkdir, access, constants } from 'node:fs/promises';
+import { join } from 'node:path';
+// ---------------------------------------------------------------------------
+// Constants
+// ---------------------------------------------------------------------------
+const IDENTITY_DIR = 'identity';
+const AGENTS_DIR = 'agents';
+const PRIVATE_KEY_FILE = 'local.key';
+const PUBLIC_KEY_FILE = 'local.pub';
+const CSR_FILE = 'local.csr';
+const CERT_FILE = 'local.crt';
+const MACHINE_ID_FILE = 'machine-id';
+const AGENT_KEY_FILE = 'agent.key';
+const AGENT_PUB_FILE = 'agent.pub';
+const AGENT_CERT_FILE = 'agent.crt';
+const SIGNING_ALGORITHM = 'Ed25519';
+/** Default validity for local MCP certs (used by cloud during signing). */
+export const CERT_VALIDITY_DAYS = 365;
+const AGENT_CERT_VALIDITY_DAYS = 90;
+// ---------------------------------------------------------------------------
+// File helpers
+// ---------------------------------------------------------------------------
+async function fileExists(path) {
+    try {
+        await access(path, constants.F_OK);
+        return true;
+    }
+    catch {
+        return false;
+    }
+}
+async function ensureDir(path) {
+    await mkdir(path, { recursive: true });
+}
+// ---------------------------------------------------------------------------
+// Machine ID
+// ---------------------------------------------------------------------------
+async function getOrCreateMachineId(identityDir) {
+    const machineIdPath = join(identityDir, MACHINE_ID_FILE);
+    if (await fileExists(machineIdPath)) {
+        const existing = await readFile(machineIdPath, 'utf-8');
+        return existing.trim();
+    }
+    const machineId = crypto.randomUUID();
+    await writeFile(machineIdPath, machineId, { mode: 0o600 });
+    return machineId;
+}
+// ---------------------------------------------------------------------------
+// Key generation
+// ---------------------------------------------------------------------------
+function generateEd25519Keypair() {
+    const { privateKey, publicKey } = crypto.generateKeyPairSync('ed25519');
+    return { privateKey, publicKey };
+}
+function exportPrivateKeyPem(key) {
+    return key.export({ type: 'pkcs8', format: 'pem' });
+}
+function exportPublicKeyPem(key) {
+    return key.export({ type: 'spki', format: 'pem' });
+}
+function importPrivateKeyPem(pem) {
+    return crypto.createPrivateKey({ key: pem, format: 'pem', type: 'pkcs8' });
+}
+function importPublicKeyPem(pem) {
+    return crypto.createPublicKey({ key: pem, format: 'pem', type: 'spki' });
+}
+// ---------------------------------------------------------------------------
+// CSR generation
+// ---------------------------------------------------------------------------
+/**
+ * Build a CSR-like structure. Node.js does not have a built-in X.509 CSR
+ * generator, so we produce a JSON-encoded CSR that contains the public key
+ * in SPKI PEM, the machine ID, and a self-signature proving possession of
+ * the private key. The cloud PKI endpoint accepts this format.
+ */
+export function createCSR(machineId, publicKey, privateKey) {
+    const publicKeyPem = exportPublicKeyPem(publicKey);
+    const csrPayload = {
+        version: 1,
+        subject: `CN=local-mcp-${machineId},O=Synthaer User`,
+        machineId,
+        publicKey: publicKeyPem,
+        requestedAt: new Date().toISOString(),
+    };
+    const payloadBytes = Buffer.from(JSON.stringify(csrPayload), 'utf-8');
+    const signature = crypto.sign(null, payloadBytes, privateKey);
+    const csr = {
+        payload: csrPayload,
+        signature: signature.toString('base64'),
+        signatureAlgorithm: SIGNING_ALGORITHM,
+    };
+    return JSON.stringify(csr, null, 2);
+}
+/**
+ * Validate that a CSR is self-consistent: the signature matches the
+ * public key embedded in the payload.
+ */
+export function validateCSR(csrJson) {
+    try {
+        const csr = JSON.parse(csrJson);
+        const publicKey = importPublicKeyPem(csr.payload.publicKey);
+        const payloadBytes = Buffer.from(JSON.stringify(csr.payload), 'utf-8');
+        const signature = Buffer.from(csr.signature, 'base64');
+        return crypto.verify(null, payloadBytes, publicKey, signature);
+    }
+    catch {
+        return false;
+    }
+}
+// ---------------------------------------------------------------------------
+// Certificate helpers
+// ---------------------------------------------------------------------------
+/**
+ * Compute SHA-256 fingerprint of a PEM-encoded certificate or public key.
+ */
+export function computeFingerprint(pem) {
+    return crypto.createHash('sha256').update(pem).digest('hex');
+}
+/**
+ * Build a locally-signed certificate. This produces a JSON-based certificate
+ * structure that can be verified against the signing key. When the cloud PKI
+ * issues real X.509 certs, this format will be superseded, but the interface
+ * remains the same.
+ */
+export function issueCertificate(subject, subjectPublicKey, issuerPrivateKey, issuerSubject, validityDays, extensions) {
+    const now = new Date();
+    const expiresAt = new Date(now.getTime() + validityDays * 24 * 60 * 60 * 1000);
+    const serialNumber = crypto.randomUUID();
+    const subjectPem = exportPublicKeyPem(subjectPublicKey);
+    const certPayload = {
+        version: 1,
+        serialNumber,
+        subject,
+        issuer: issuerSubject,
+        publicKey: subjectPem,
+        validFrom: now.toISOString(),
+        validTo: expiresAt.toISOString(),
+        extensions: extensions ?? {},
+        fingerprint: computeFingerprint(subjectPem),
+    };
+    const payloadBytes = Buffer.from(JSON.stringify(certPayload), 'utf-8');
+    const signature = crypto.sign(null, payloadBytes, issuerPrivateKey);
+    const cert = {
+        payload: certPayload,
+        signature: signature.toString('base64'),
+        signatureAlgorithm: SIGNING_ALGORITHM,
+    };
+    return JSON.stringify(cert, null, 2);
+}
+/**
+ * Parse a certificate and return structured info.
+ */
+export function parseCertificate(certJson) {
+    try {
+        const cert = JSON.parse(certJson);
+        return {
+            subject: cert.payload.subject,
+            issuer: cert.payload.issuer,
+            validFrom: cert.payload.validFrom,
+            validTo: cert.payload.validTo,
+            fingerprint: cert.payload.fingerprint,
+            serialNumber: cert.payload.serialNumber,
+        };
+    }
+    catch {
+        return null;
+    }
+}
+/**
+ * Verify a certificate was signed by the given issuer public key.
+ */
+export function verifyCertificateSignature(certJson, issuerPublicKey) {
+    try {
+        const cert = JSON.parse(certJson);
+        const payloadBytes = Buffer.from(JSON.stringify(cert.payload), 'utf-8');
+        const signature = Buffer.from(cert.signature, 'base64');
+        return crypto.verify(null, payloadBytes, issuerPublicKey, signature);
+    }
+    catch {
+        return false;
+    }
+}
+/**
+ * Check if a certificate is expired.
+ */
+export function isCertificateExpired(certJson) {
+    const info = parseCertificate(certJson);
+    if (!info)
+        return true;
+    return new Date(info.validTo) < new Date();
+}
+// ---------------------------------------------------------------------------
+// Content signing
+// ---------------------------------------------------------------------------
+/**
+ * Sign arbitrary content with a private key. Returns the signature,
+ * fingerprint of the signing cert, algorithm, and timestamp.
+ */
+export function signContent(content, privateKey, fingerprint) {
+    const contentHash = crypto.createHash('sha256').update(content, 'utf-8').digest();
+    const signature = crypto.sign(null, contentHash, privateKey);
+    return {
+        signature: signature.toString('base64'),
+        fingerprint,
+        algorithm: SIGNING_ALGORITHM,
+        timestamp: new Date().toISOString(),
+    };
+}
+/**
+ * Verify a content signature against a public key.
+ */
+export function verifyContentSignature(content, sig, publicKey) {
+    try {
+        const contentHash = crypto.createHash('sha256').update(content, 'utf-8').digest();
+        const signature = Buffer.from(sig.signature, 'base64');
+        return crypto.verify(null, contentHash, publicKey, signature);
+    }
+    catch {
+        return false;
+    }
+}
+// ---------------------------------------------------------------------------
+// Certificate chain verification
+// ---------------------------------------------------------------------------
+/**
+ * Verify a full certificate chain. Each certificate in the chain must be
+ * signed by the next certificate's public key. The last certificate in the
+ * chain is the root/CA and must be self-signed or trusted.
+ *
+ * @param chain - Array of JSON certificate strings, from leaf to root
+ * @returns true if the entire chain is valid
+ */
+export function verifyCertificateChain(chain) {
+    if (chain.length === 0)
+        return false;
+    for (let i = 0; i < chain.length - 1; i++) {
+        const current = chain[i];
+        const issuer = chain[i + 1];
+        if (!current || !issuer)
+            return false;
+        // Extract issuer's public key
+        try {
+            const issuerCert = JSON.parse(issuer);
+            const issuerPublicKey = importPublicKeyPem(issuerCert.payload.publicKey);
+            if (!verifyCertificateSignature(current, issuerPublicKey)) {
+                return false;
+            }
+        }
+        catch {
+            return false;
+        }
+    }
+    return true;
+}
+// ---------------------------------------------------------------------------
+// PKI initialization
+// ---------------------------------------------------------------------------
+/**
+ * Initialize the local PKI identity. On first run, generates a keypair and
+ * CSR. On subsequent runs, loads the existing identity. If a signed
+ * certificate exists and is not expired, uses it. If expired, the caller
+ * should request re-signing.
+ */
+export async function initializePKI(config) {
+    const identityDir = join(config.dataDir, IDENTITY_DIR);
+    await ensureDir(identityDir);
+    const privateKeyPath = join(identityDir, PRIVATE_KEY_FILE);
+    const publicKeyPath = join(identityDir, PUBLIC_KEY_FILE);
+    const csrPath = join(identityDir, CSR_FILE);
+    const certPath = join(identityDir, CERT_FILE);
+    const machineId = await getOrCreateMachineId(identityDir);
+    let privateKey;
+    let publicKey;
+    if (await fileExists(privateKeyPath)) {
+        // Load existing keypair
+        const privateKeyPem = await readFile(privateKeyPath, 'utf-8');
+        const publicKeyPem = await readFile(publicKeyPath, 'utf-8');
+        privateKey = importPrivateKeyPem(privateKeyPem);
+        publicKey = importPublicKeyPem(publicKeyPem);
+    }
+    else {
+        // Generate new keypair
+        const keypair = generateEd25519Keypair();
+        privateKey = keypair.privateKey;
+        publicKey = keypair.publicKey;
+        await writeFile(privateKeyPath, exportPrivateKeyPem(privateKey), { mode: 0o600 });
+        await writeFile(publicKeyPath, exportPublicKeyPem(publicKey), { mode: 0o644 });
+    }
+    // Generate/load CSR
+    let csr;
+    if (await fileExists(csrPath)) {
+        csr = await readFile(csrPath, 'utf-8');
+    }
+    else {
+        csr = createCSR(machineId, publicKey, privateKey);
+        await writeFile(csrPath, csr, { mode: 0o644 });
+    }
+    // Load certificate if it exists
+    let certificate = null;
+    let fingerprint = null;
+    let issuedAt = null;
+    let expiresAt = null;
+    if (await fileExists(certPath)) {
+        certificate = await readFile(certPath, 'utf-8');
+        const info = parseCertificate(certificate);
+        if (info) {
+            fingerprint = info.fingerprint;
+            issuedAt = new Date(info.validFrom);
+            expiresAt = new Date(info.validTo);
+            // If expired, null out the certificate so caller knows to re-request
+            if (isCertificateExpired(certificate)) {
+                certificate = null;
+                fingerprint = null;
+                issuedAt = null;
+                expiresAt = null;
+            }
+        }
+    }
+    return {
+        privateKey,
+        publicKey,
+        certificate,
+        fingerprint,
+        machineId,
+        csr,
+        issuedAt,
+        expiresAt,
+    };
+}
+// ---------------------------------------------------------------------------
+// Cloud certificate signing
+// ---------------------------------------------------------------------------
+/**
+ * Send CSR to the Synthaer Cloud PKI for signing. The cloud validates the
+ * CSR, signs with the Synthaer Intermediate CA, and returns the signed
+ * certificate in JSON format.
+ *
+ * @param csr - The CSR string (JSON format from createCSR)
+ * @param authToken - JWT from Synthaer Auth
+ * @param cloudUrl - Base URL of the cloud PKI (e.g., https://api.synthaer.ai)
+ * @param dataDir - Local data directory for saving the signed cert
+ * @returns The signed certificate as a JSON string
+ */
+export async function requestCertificateSigning(csr, authToken, cloudUrl, dataDir) {
+    const csrParsed = JSON.parse(csr);
+    const machineId = csrParsed.payload.machineId;
+    const response = await fetch(`${cloudUrl}/api/v1/pki/sign-csr`, {
+        method: 'POST',
+        headers: {
+            'Content-Type': 'application/json',
+            'Authorization': `Bearer ${authToken}`,
+        },
+        body: JSON.stringify({ csr, machineId }),
+    });
+    if (!response.ok) {
+        const errorText = await response.text();
+        throw new Error(`Cloud PKI signing failed (${response.status}): ${errorText}`);
+    }
+    const result = await response.json();
+    const certificate = result.certificate;
+    // Save the signed certificate
+    const certPath = join(dataDir, IDENTITY_DIR, CERT_FILE);
+    await ensureDir(join(dataDir, IDENTITY_DIR));
+    await writeFile(certPath, certificate, { mode: 0o644 });
+    return certificate;
+}
+/**
+ * Fetch the Synthaer CA bundle from the cloud PKI endpoint.
+ * This is a public endpoint (no auth required).
+ */
+export async function fetchCABundle(cloudUrl) {
+    const response = await fetch(`${cloudUrl}/api/v1/pki/ca-bundle`);
+    if (!response.ok) {
+        const errorText = await response.text();
+        throw new Error(`Failed to fetch CA bundle (${response.status}): ${errorText}`);
+    }
+    return response.json();
+}
+// ---------------------------------------------------------------------------
+// Agent certificate issuance
+// ---------------------------------------------------------------------------
+/**
+ * Create a certificate for a specific agent, signed by the local MCP's
+ * identity. Each agent gets its own keypair and certificate, stored
+ * under {dataDir}/agents/{agentId}/.
+ */
+export async function createAgentCertificate(agentId, platform, identity, dataDir) {
+    if (!identity.certificate || !identity.fingerprint) {
+        throw new Error('Local identity must have a signed certificate before issuing agent certs');
+    }
+    const agentDir = join(dataDir, AGENTS_DIR, agentId);
+    await ensureDir(agentDir);
+    const agentKeyPath = join(agentDir, AGENT_KEY_FILE);
+    const agentPubPath = join(agentDir, AGENT_PUB_FILE);
+    const agentCertPath = join(agentDir, AGENT_CERT_FILE);
+    let agentPrivateKey;
+    let agentPublicKey;
+    // Load or generate agent keypair
+    if (await fileExists(agentKeyPath)) {
+        const keyPem = await readFile(agentKeyPath, 'utf-8');
+        const pubPem = await readFile(agentPubPath, 'utf-8');
+        agentPrivateKey = importPrivateKeyPem(keyPem);
+        agentPublicKey = importPublicKeyPem(pubPem);
+    }
+    else {
+        const keypair = generateEd25519Keypair();
+        agentPrivateKey = keypair.privateKey;
+        agentPublicKey = keypair.publicKey;
+        await writeFile(agentKeyPath, exportPrivateKeyPem(agentPrivateKey), { mode: 0o600 });
+        await writeFile(agentPubPath, exportPublicKeyPem(agentPublicKey), { mode: 0o644 });
+    }
+    // Extract local identity subject for issuer field
+    const localCertInfo = parseCertificate(identity.certificate);
+    const issuerSubject = localCertInfo?.subject ?? `CN=local-mcp-${identity.machineId},O=Synthaer User`;
+    // Issue agent certificate signed by local identity
+    const agentSubject = `CN=agent-${agentId},O=Synthaer Agent,L=${platform}`;
+    const certificate = issueCertificate(agentSubject, agentPublicKey, identity.privateKey, issuerSubject, AGENT_CERT_VALIDITY_DAYS, { agentId, platform, parentFingerprint: identity.fingerprint });
+    await writeFile(agentCertPath, certificate, { mode: 0o644 });
+    const certInfo = parseCertificate(certificate);
+    return {
+        agentId,
+        platform,
+        privateKey: agentPrivateKey,
+        publicKey: agentPublicKey,
+        certificate,
+        fingerprint: certInfo?.fingerprint ?? computeFingerprint(exportPublicKeyPem(agentPublicKey)),
+        parentFingerprint: identity.fingerprint,
+        issuedAt: certInfo ? new Date(certInfo.validFrom) : new Date(),
+        expiresAt: certInfo ? new Date(certInfo.validTo) : new Date(Date.now() + AGENT_CERT_VALIDITY_DAYS * 24 * 60 * 60 * 1000),
+    };
+}
+/**
+ * Load an existing agent identity from disk.
+ */
+export async function loadAgentIdentity(agentId, dataDir) {
+    const agentDir = join(dataDir, AGENTS_DIR, agentId);
+    const agentKeyPath = join(agentDir, AGENT_KEY_FILE);
+    const agentPubPath = join(agentDir, AGENT_PUB_FILE);
+    const agentCertPath = join(agentDir, AGENT_CERT_FILE);
+    if (!(await fileExists(agentKeyPath)) || !(await fileExists(agentCertPath))) {
+        return null;
+    }
+    const keyPem = await readFile(agentKeyPath, 'utf-8');
+    const pubPem = await readFile(agentPubPath, 'utf-8');
+    const certificate = await readFile(agentCertPath, 'utf-8');
+    const privateKey = importPrivateKeyPem(keyPem);
+    const publicKey = importPublicKeyPem(pubPem);
+    const certInfo = parseCertificate(certificate);
+    if (!certInfo)
+        return null;
+    // Extract agent metadata from cert extensions
+    const certParsed = JSON.parse(certificate);
+    return {
+        agentId: certParsed.payload.extensions.agentId ?? agentId,
+        platform: certParsed.payload.extensions.platform ?? 'unknown',
+        privateKey,
+        publicKey,
+        certificate,
+        fingerprint: certInfo.fingerprint,
+        parentFingerprint: certParsed.payload.extensions.parentFingerprint ?? '',
+        issuedAt: new Date(certInfo.validFrom),
+        expiresAt: new Date(certInfo.validTo),
+    };
+}
+// ---------------------------------------------------------------------------
+// Ratification signing
+// ---------------------------------------------------------------------------
+/**
+ * Build a ratification payload: content signed by agent cert, with the
+ * local identity cert attached for chain verification.
+ */
+export function buildRatificationPayload(content, agentIdentity, localIdentity) {
+    if (!localIdentity.certificate || !localIdentity.fingerprint) {
+        throw new Error('Local identity must have a signed certificate for ratification');
+    }
+    const agentSignature = signContent(content, agentIdentity.privateKey, agentIdentity.fingerprint);
+    const localSignature = signContent(content, localIdentity.privateKey, localIdentity.fingerprint);
+    return {
+        content,
+        agentSignature,
+        localSignature,
+        agentCertificate: agentIdentity.certificate,
+        localCertificate: localIdentity.certificate,
+    };
+}
+//# sourceMappingURL=pki.js.map

package/dist/pki.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"pki.js","sourceRoot":"","sources":["../src/pki.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG;AAEH,OAAO,MAAM,MAAM,aAAa,CAAC;AACjC,OAAO,EAAE,QAAQ,EAAE,SAAS,EAAE,KAAK,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,kBAAkB,CAAC;AACjF,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AAmDjC,8EAA8E;AAC9E,YAAY;AACZ,8EAA8E;AAE9E,MAAM,YAAY,GAAG,UAAU,CAAC;AAChC,MAAM,UAAU,GAAG,QAAQ,CAAC;AAC5B,MAAM,gBAAgB,GAAG,WAAW,CAAC;AACrC,MAAM,eAAe,GAAG,WAAW,CAAC;AACpC,MAAM,QAAQ,GAAG,WAAW,CAAC;AAC7B,MAAM,SAAS,GAAG,WAAW,CAAC;AAC9B,MAAM,eAAe,GAAG,YAAY,CAAC;AACrC,MAAM,cAAc,GAAG,WAAW,CAAC;AACnC,MAAM,cAAc,GAAG,WAAW,CAAC;AACnC,MAAM,eAAe,GAAG,WAAW,CAAC;AAEpC,MAAM,iBAAiB,GAAG,SAAS,CAAC;AACpC,2EAA2E;AAC3E,MAAM,CAAC,MAAM,kBAAkB,GAAG,GAAG,CAAC;AACtC,MAAM,wBAAwB,GAAG,EAAE,CAAC;AAEpC,8EAA8E;AAC9E,eAAe;AACf,8EAA8E;AAE9E,KAAK,UAAU,UAAU,CAAC,IAAY;IACpC,IAAI,CAAC;QACH,MAAM,MAAM,CAAC,IAAI,EAAE,SAAS,CAAC,IAAI,CAAC,CAAC;QACnC,OAAO,IAAI,CAAC;IACd,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAC;IACf,CAAC;AACH,CAAC;AAED,KAAK,UAAU,SAAS,CAAC,IAAY;IACnC,MAAM,KAAK,CAAC,IAAI,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;AACzC,CAAC;AAED,8EAA8E;AAC9E,aAAa;AACb,8EAA8E;AAE9E,KAAK,UAAU,oBAAoB,CAAC,WAAmB;IACrD,MAAM,aAAa,GAAG,IAAI,CAAC,WAAW,EAAE,eAAe,CAAC,CAAC;IACzD,IAAI,MAAM,UAAU,CAAC,aAAa,CAAC,EAAE,CAAC;QACpC,MAAM,QAAQ,GAAG,MAAM,QAAQ,CAAC,aAAa,EAAE,OAAO,CAAC,CAAC;QACxD,OAAO,QAAQ,CAAC,IAAI,EAAE,CAAC;IACzB,CAAC;IACD,MAAM,SAAS,GAAG,MAAM,CAAC,UAAU,EAAE,CAAC;IACtC,MAAM,SAAS,CAAC,aAAa,EAAE,SAAS,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;IAC3D,OAAO,SAAS,CAAC;AACnB,CAAC;AAED,8EAA8E;AAC9E,iBAAiB;AACjB,8EAA8E;AAE9E,SAAS,sBAAsB;IAC7B,MAAM,EAAE,UAAU,EAAE,SAAS,EAAE,GAAG,MAAM,CAAC,mBAAmB,CAAC,SAAS,CAAC,CAAC;IACxE,OAAO,EAAE,UAAU,EAAE,SAAS,EAAE,CAAC;AACnC,CAAC;AAED,SAAS,mBAAmB,CAAC,GAAqB;IAChD,OAAO,GAAG,CAAC,MAAM,CAAC,EAAE,IAAI,EAAE,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE,CAAW,CAAC;AAChE,CAAC;AAED,SAAS,kBAAkB,CAAC,GAAqB;IAC/C,OAAO,GAAG,CAAC,MAAM,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,MAAM,EAAE,KAAK,EAAE,CAAW,CAAC;AAC/D,CAAC;AAED,SAAS,mBAAmB,CAAC,GAAW;IACtC,OAAO,MAAM,CAAC,gBAAgB,CAAC,EAAE,GAAG,EAAE,GAAG,EAAE,MAAM,EAAE,KAAK,EAAE,IAAI,EAAE,OAAO,EAAE,CAAC,CAAC;AAC7E,CAAC;AAED,SAAS,kBAAkB,CAAC,GAAW;IACrC,OAAO,MAAM,CAAC,eAAe,CAAC,EAAE,GAAG,EAAE,GAAG,EAAE,MAAM,EAAE,KAAK,EAAE,IAAI,EAAE,MAAM,EAAE,CAAC,CAAC;AAC3E,CAAC;AAED,8EAA8E;AAC9E,iBAAiB;AACjB,8EAA8E;AAE9E;;;;;GAKG;AACH,MAAM,UAAU,SAAS,CACvB,SAAiB,EACjB,SAA2B,EAC3B,UAA4B;IAE5B,MAAM,YAAY,GAAG,kBAAkB,CAAC,SAAS,CAAC,CAAC;IACnD,MAAM,UAAU,GAAG;QACjB,OAAO,EAAE,CAAC;QACV,OAAO,EAAE,gBAAgB,SAAS,kBAAkB;QACpD,SAAS;QACT,SAAS,EAAE,YAAY;QACvB,WAAW,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;KACtC,CAAC;IAEF,MAAM,YAAY,GAAG,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,UAAU,CAAC,EAAE,OAAO,CAAC,CAAC;IACtE,MAAM,SAAS,GAAG,MAAM,CAAC,IAAI,CAAC,IAAI,EAAE,YAAY,EAAE,UAAU,CAAC,CAAC;IAE9D,MAAM,GAAG,GAAG;QACV,OAAO,EAAE,UAAU;QACnB,SAAS,EAAE,SAAS,CAAC,QAAQ,CAAC,QAAQ,CAAC;QACvC,kBAAkB,EAAE,iBAAiB;KACtC,CAAC;IAEF,OAAO,IAAI,CAAC,SAAS,CAAC,GAAG,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC;AACtC,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,WAAW,CAAC,OAAe;IACzC,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,OAAO,CAI7B,CAAC;QAEF,MAAM,SAAS,GAAG,kBAAkB,CAAC,GAAG,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC;QAC5D,MAAM,YAAY,GAAG,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,OAAO,CAAC,EAAE,OAAO,CAAC,CAAC;QACvE,MAAM,SAAS,GAAG,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,SAAS,EAAE,QAAQ,CAAC,CAAC;QAEvD,OAAO,MAAM,CAAC,MAAM,CAAC,IAAI,EAAE,YAAY,EAAE,SAAS,EAAE,SAAS,CAAC,CAAC;IACjE,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAC;IACf,CAAC;AACH,CAAC;AAED,8EAA8E;AAC9E,sBAAsB;AACtB,8EAA8E;AAE9E;;GAEG;AACH,MAAM,UAAU,kBAAkB,CAAC,GAAW;IAC5C,OAAO,MAAM,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;AAC/D,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,gBAAgB,CAC9B,OAAe,EACf,gBAAkC,EAClC,gBAAkC,EAClC,aAAqB,EACrB,YAAoB,EACpB,UAAoC;IAEpC,MAAM,GAAG,GAAG,IAAI,IAAI,EAAE,CAAC;IACvB,MAAM,SAAS,GAAG,IAAI,IAAI,CAAC,GAAG,CAAC,OAAO,EAAE,GAAG,YAAY,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;IAC/E,MAAM,YAAY,GAAG,MAAM,CAAC,UAAU,EAAE,CAAC;IACzC,MAAM,UAAU,GAAG,kBAAkB,CAAC,gBAAgB,CAAC,CAAC;IAExD,MAAM,WAAW,GAAG;QAClB,OAAO,EAAE,CAAC;QACV,YAAY;QACZ,OAAO;QACP,MAAM,EAAE,aAAa;QACrB,SAAS,EAAE,UAAU;QACrB,SAAS,EAAE,GAAG,CAAC,WAAW,EAAE;QAC5B,OAAO,EAAE,SAAS,CAAC,WAAW,EAAE;QAChC,UAAU,EAAE,UAAU,IAAI,EAAE;QAC5B,WAAW,EAAE,kBAAkB,CAAC,UAAU,CAAC;KAC5C,CAAC;IAEF,MAAM,YAAY,GAAG,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,WAAW,CAAC,EAAE,OAAO,CAAC,CAAC;IACvE,MAAM,SAAS,GAAG,MAAM,CAAC,IAAI,CAAC,IAAI,EAAE,YAAY,EAAE,gBAAgB,CAAC,CAAC;IAEpE,MAAM,IAAI,GAAG;QACX,OAAO,EAAE,WAAW;QACpB,SAAS,EAAE,SAAS,CAAC,QAAQ,CAAC,QAAQ,CAAC;QACvC,kBAAkB,EAAE,iBAAiB;KACtC,CAAC;IAEF,OAAO,IAAI,CAAC,SAAS,CAAC,IAAI,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC;AACvC,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,gBAAgB,CAAC,QAAgB;IAC/C,IAAI,CAAC;QACH,MAAM,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,QAAQ,CAS/B,CAAC;QACF,OAAO;YACL,OAAO,EAAE,IAAI,CAAC,OAAO,CAAC,OAAO;YAC7B,MAAM,EAAE,IAAI,CAAC,OAAO,CAAC,MAAM;YAC3B,SAAS,EAAE,IAAI,CAAC,OAAO,CAAC,SAAS;YACjC,OAAO,EAAE,IAAI,CAAC,OAAO,CAAC,OAAO;YAC7B,WAAW,EAAE,IAAI,CAAC,OAAO,CAAC,WAAW;YACrC,YAAY,EAAE,IAAI,CAAC,OAAO,CAAC,YAAY;SACxC,CAAC;IACJ,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,0BAA0B,CAAC,QAAgB,EAAE,eAAiC;IAC5F,IAAI,CAAC;QACH,MAAM,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,QAAQ,CAG/B,CAAC;QACF,MAAM,YAAY,GAAG,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,OAAO,CAAC,CAAC;QACxE,MAAM,SAAS,GAAG,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,QAAQ,CAAC,CAAC;QACxD,OAAO,MAAM,CAAC,MAAM,CAAC,IAAI,EAAE,YAAY,EAAE,eAAe,EAAE,SAAS,CAAC,CAAC;IACvE,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAC;IACf,CAAC;AACH,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,oBAAoB,CAAC,QAAgB;IACnD,MAAM,IAAI,GAAG,gBAAgB,CAAC,QAAQ,CAAC,CAAC;IACxC,IAAI,CAAC,IAAI;QAAE,OAAO,IAAI,CAAC;IACvB,OAAO,IAAI,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,GAAG,IAAI,IAAI,EAAE,CAAC;AAC7C,CAAC;AAED,8EAA8E;AAC9E,kBAAkB;AAClB,8EAA8E;AAE9E;;;GAGG;AACH,MAAM,UAAU,WAAW,CAAC,OAAe,EAAE,UAA4B,EAAE,WAAmB;IAC5F,MAAM,WAAW,GAAG,MAAM,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC,MAAM,EAAE,CAAC;IAClF,MAAM,SAAS,GAAG,MAAM,CAAC,IAAI,CAAC,IAAI,EAAE,WAAW,EAAE,UAAU,CAAC,CAAC;IAE7D,OAAO;QACL,SAAS,EAAE,SAAS,CAAC,QAAQ,CAAC,QAAQ,CAAC;QACvC,WAAW;QACX,SAAS,EAAE,iBAAiB;QAC5B,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;KACpC,CAAC;AACJ,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,sBAAsB,CAAC,OAAe,EAAE,GAAqB,EAAE,SAA2B;IACxG,IAAI,CAAC;QACH,MAAM,WAAW,GAAG,MAAM,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC,MAAM,EAAE,CAAC;QAClF,MAAM,SAAS,GAAG,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,SAAS,EAAE,QAAQ,CAAC,CAAC;QACvD,OAAO,MAAM,CAAC,MAAM,CAAC,IAAI,EAAE,WAAW,EAAE,SAAS,EAAE,SAAS,CAAC,CAAC;IAChE,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAC;IACf,CAAC;AACH,CAAC;AAED,8EAA8E;AAC9E,iCAAiC;AACjC,8EAA8E;AAE9E;;;;;;;GAOG;AACH,MAAM,UAAU,sBAAsB,CAAC,KAAe;IACpD,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,KAAK,CAAC;IAErC,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC;QAC1C,MAAM,OAAO,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;QACzB,MAAM,MAAM,GAAG,KAAK,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;QAC5B,IAAI,CAAC,OAAO,IAAI,CAAC,MAAM;YAAE,OAAO,KAAK,CAAC;QAEtC,8BAA8B;QAC9B,IAAI,CAAC;YACH,MAAM,UAAU,GAAG,IAAI,CAAC,KAAK,CAAC,MAAM,CAAuC,CAAC;YAC5E,MAAM,eAAe,GAAG,kBAAkB,CAAC,UAAU,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC;YACzE,IAAI,CAAC,0BAA0B,CAAC,OAAO,EAAE,eAAe,CAAC,EAAE,CAAC;gBAC1D,OAAO,KAAK,CAAC;YACf,CAAC;QACH,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,KAAK,CAAC;QACf,CAAC;IACH,CAAC;IAED,OAAO,IAAI,CAAC;AACd,CAAC;AAED,8EAA8E;AAC9E,qBAAqB;AACrB,8EAA8E;AAE9E;;;;;GAKG;AACH,MAAM,CAAC,KAAK,UAAU,aAAa,CAAC,MAAiB;IACnD,MAAM,WAAW,GAAG,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,YAAY,CAAC,CAAC;IACvD,MAAM,SAAS,CAAC,WAAW,CAAC,CAAC;IAE7B,MAAM,cAAc,GAAG,IAAI,CAAC,WAAW,EAAE,gBAAgB,CAAC,CAAC;IAC3D,MAAM,aAAa,GAAG,IAAI,CAAC,WAAW,EAAE,eAAe,CAAC,CAAC;IACzD,MAAM,OAAO,GAAG,IAAI,CAAC,WAAW,EAAE,QAAQ,CAAC,CAAC;IAC5C,MAAM,QAAQ,GAAG,IAAI,CAAC,WAAW,EAAE,SAAS,CAAC,CAAC;IAE9C,MAAM,SAAS,GAAG,MAAM,oBAAoB,CAAC,WAAW,CAAC,CAAC;IAE1D,IAAI,UAA4B,CAAC;IACjC,IAAI,SAA2B,CAAC;IAEhC,IAAI,MAAM,UAAU,CAAC,cAAc,CAAC,EAAE,CAAC;QACrC,wBAAwB;QACxB,MAAM,aAAa,GAAG,MAAM,QAAQ,CAAC,cAAc,EAAE,OAAO,CAAC,CAAC;QAC9D,MAAM,YAAY,GAAG,MAAM,QAAQ,CAAC,aAAa,EAAE,OAAO,CAAC,CAAC;QAC5D,UAAU,GAAG,mBAAmB,CAAC,aAAa,CAAC,CAAC;QAChD,SAAS,GAAG,kBAAkB,CAAC,YAAY,CAAC,CAAC;IAC/C,CAAC;SAAM,CAAC;QACN,uBAAuB;QACvB,MAAM,OAAO,GAAG,sBAAsB,EAAE,CAAC;QACzC,UAAU,GAAG,OAAO,CAAC,UAAU,CAAC;QAChC,SAAS,GAAG,OAAO,CAAC,SAAS,CAAC;QAE9B,MAAM,SAAS,CAAC,cAAc,EAAE,mBAAmB,CAAC,UAAU,CAAC,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;QAClF,MAAM,SAAS,CAAC,aAAa,EAAE,kBAAkB,CAAC,SAAS,CAAC,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;IACjF,CAAC;IAED,oBAAoB;IACpB,IAAI,GAAW,CAAC;IAChB,IAAI,MAAM,UAAU,CAAC,OAAO,CAAC,EAAE,CAAC;QAC9B,GAAG,GAAG,MAAM,QAAQ,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC;IACzC,CAAC;SAAM,CAAC;QACN,GAAG,GAAG,SAAS,CAAC,SAAS,EAAE,SAAS,EAAE,UAAU,CAAC,CAAC;QAClD,MAAM,SAAS,CAAC,OAAO,EAAE,GAAG,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;IACjD,CAAC;IAED,gCAAgC;IAChC,IAAI,WAAW,GAAkB,IAAI,CAAC;IACtC,IAAI,WAAW,GAAkB,IAAI,CAAC;IACtC,IAAI,QAAQ,GAAgB,IAAI,CAAC;IACjC,IAAI,SAAS,GAAgB,IAAI,CAAC;IAElC,IAAI,MAAM,UAAU,CAAC,QAAQ,CAAC,EAAE,CAAC;QAC/B,WAAW,GAAG,MAAM,QAAQ,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;QAChD,MAAM,IAAI,GAAG,gBAAgB,CAAC,WAAW,CAAC,CAAC;QAC3C,IAAI,IAAI,EAAE,CAAC;YACT,WAAW,GAAG,IAAI,CAAC,WAAW,CAAC;YAC/B,QAAQ,GAAG,IAAI,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;YACpC,SAAS,GAAG,IAAI,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;YAEnC,qEAAqE;YACrE,IAAI,oBAAoB,CAAC,WAAW,CAAC,EAAE,CAAC;gBACtC,WAAW,GAAG,IAAI,CAAC;gBACnB,WAAW,GAAG,IAAI,CAAC;gBACnB,QAAQ,GAAG,IAAI,CAAC;gBAChB,SAAS,GAAG,IAAI,CAAC;YACnB,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO;QACL,UAAU;QACV,SAAS;QACT,WAAW;QACX,WAAW;QACX,SAAS;QACT,GAAG;QACH,QAAQ;QACR,SAAS;KACV,CAAC;AACJ,CAAC;AAED,8EAA8E;AAC9E,4BAA4B;AAC5B,8EAA8E;AAE9E;;;;;;;;;;GAUG;AACH,MAAM,CAAC,KAAK,UAAU,yBAAyB,CAC7C,GAAW,EACX,SAAiB,EACjB,QAAgB,EAChB,OAAe;IAEf,MAAM,SAAS,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAuC,CAAC;IACxE,MAAM,SAAS,GAAG,SAAS,CAAC,OAAO,CAAC,SAAS,CAAC;IAE9C,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,GAAG,QAAQ,sBAAsB,EAAE;QAC9D,MAAM,EAAE,MAAM;QACd,OAAO,EAAE;YACP,cAAc,EAAE,kBAAkB;YAClC,eAAe,EAAE,UAAU,SAAS,EAAE;SACvC;QACD,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,GAAG,EAAE,SAAS,EAAE,CAAC;KACzC,CAAC,CAAC;IAEH,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;QACjB,MAAM,SAAS,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC;QACxC,MAAM,IAAI,KAAK,CAAC,6BAA6B,QAAQ,CAAC,MAAM,MAAM,SAAS,EAAE,CAAC,CAAC;IACjF,CAAC;IAED,MAAM,MAAM,GAAG,MAAM,QAAQ,CAAC,IAAI,EAA6B,CAAC;IAChE,MAAM,WAAW,GAAG,MAAM,CAAC,WAAW,CAAC;IAEvC,8BAA8B;IAC9B,MAAM,QAAQ,GAAG,IAAI,CAAC,OAAO,EAAE,YAAY,EAAE,SAAS,CAAC,CAAC;IACxD,MAAM,SAAS,CAAC,IAAI,CAAC,OAAO,EAAE,YAAY,CAAC,CAAC,CAAC;IAC7C,MAAM,SAAS,CAAC,QAAQ,EAAE,WAAW,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;IAExD,OAAO,WAAW,CAAC;AACrB,CAAC;AAED;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,aAAa,CAAC,QAAgB;IAClD,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,GAAG,QAAQ,uBAAuB,CAAC,CAAC;IAEjE,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;QACjB,MAAM,SAAS,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC;QACxC,MAAM,IAAI,KAAK,CAAC,8BAA8B,QAAQ,CAAC,MAAM,MAAM,SAAS,EAAE,CAAC,CAAC;IAClF,CAAC;IAED,OAAO,QAAQ,CAAC,IAAI,EAAyD,CAAC;AAChF,CAAC;AAED,8EAA8E;AAC9E,6BAA6B;AAC7B,8EAA8E;AAE9E;;;;GAIG;AACH,MAAM,CAAC,KAAK,UAAU,sBAAsB,CAC1C,OAAe,EACf,QAAgB,EAChB,QAAuB,EACvB,OAAe;IAEf,IAAI,CAAC,QAAQ,CAAC,WAAW,IAAI,CAAC,QAAQ,CAAC,WAAW,EAAE,CAAC;QACnD,MAAM,IAAI,KAAK,CAAC,0EAA0E,CAAC,CAAC;IAC9F,CAAC;IAED,MAAM,QAAQ,GAAG,IAAI,CAAC,OAAO,EAAE,UAAU,EAAE,OAAO,CAAC,CAAC;IACpD,MAAM,SAAS,CAAC,QAAQ,CAAC,CAAC;IAE1B,MAAM,YAAY,GAAG,IAAI,CAAC,QAAQ,EAAE,cAAc,CAAC,CAAC;IACpD,MAAM,YAAY,GAAG,IAAI,CAAC,QAAQ,EAAE,cAAc,CAAC,CAAC;IACpD,MAAM,aAAa,GAAG,IAAI,CAAC,QAAQ,EAAE,eAAe,CAAC,CAAC;IAEtD,IAAI,eAAiC,CAAC;IACtC,IAAI,cAAgC,CAAC;IAErC,iCAAiC;IACjC,IAAI,MAAM,UAAU,CAAC,YAAY,CAAC,EAAE,CAAC;QACnC,MAAM,MAAM,GAAG,MAAM,QAAQ,CAAC,YAAY,EAAE,OAAO,CAAC,CAAC;QACrD,MAAM,MAAM,GAAG,MAAM,QAAQ,CAAC,YAAY,EAAE,OAAO,CAAC,CAAC;QACrD,eAAe,GAAG,mBAAmB,CAAC,MAAM,CAAC,CAAC;QAC9C,cAAc,GAAG,kBAAkB,CAAC,MAAM,CAAC,CAAC;IAC9C,CAAC;SAAM,CAAC;QACN,MAAM,OAAO,GAAG,sBAAsB,EAAE,CAAC;QACzC,eAAe,GAAG,OAAO,CAAC,UAAU,CAAC;QACrC,cAAc,GAAG,OAAO,CAAC,SAAS,CAAC;QACnC,MAAM,SAAS,CAAC,YAAY,EAAE,mBAAmB,CAAC,eAAe,CAAC,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;QACrF,MAAM,SAAS,CAAC,YAAY,EAAE,kBAAkB,CAAC,cAAc,CAAC,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;IACrF,CAAC;IAED,kDAAkD;IAClD,MAAM,aAAa,GAAG,gBAAgB,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;IAC7D,MAAM,aAAa,GAAG,aAAa,EAAE,OAAO,IAAI,gBAAgB,QAAQ,CAAC,SAAS,kBAAkB,CAAC;IAErG,mDAAmD;IACnD,MAAM,YAAY,GAAG,YAAY,OAAO,uBAAuB,QAAQ,EAAE,CAAC;IAC1E,MAAM,WAAW,GAAG,gBAAgB,CAClC,YAAY,EACZ,cAAc,EACd,QAAQ,CAAC,UAAU,EACnB,aAAa,EACb,wBAAwB,EACxB,EAAE,OAAO,EAAE,QAAQ,EAAE,iBAAiB,EAAE,QAAQ,CAAC,WAAW,EAAE,CAC/D,CAAC;IAEF,MAAM,SAAS,CAAC,aAAa,EAAE,WAAW,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;IAE7D,MAAM,QAAQ,GAAG,gBAAgB,CAAC,WAAW,CAAC,CAAC;IAE/C,OAAO;QACL,OAAO;QACP,QAAQ;QACR,UAAU,EAAE,eAAe;QAC3B,SAAS,EAAE,cAAc;QACzB,WAAW;QACX,WAAW,EAAE,QAAQ,EAAE,WAAW,IAAI,kBAAkB,CAAC,kBAAkB,CAAC,cAAc,CAAC,CAAC;QAC5F,iBAAiB,EAAE,QAAQ,CAAC,WAAW;QACvC,QAAQ,EAAE,QAAQ,CAAC,CAAC,CAAC,IAAI,IAAI,CAAC,QAAQ,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,IAAI,IAAI,EAAE;QAC9D,SAAS,EAAE,QAAQ,CAAC,CAAC,CAAC,IAAI,IAAI,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,IAAI,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,wBAAwB,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC;KACzH,CAAC;AACJ,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,iBAAiB,CACrC,OAAe,EACf,OAAe;IAEf,MAAM,QAAQ,GAAG,IAAI,CAAC,OAAO,EAAE,UAAU,EAAE,OAAO,CAAC,CAAC;IACpD,MAAM,YAAY,GAAG,IAAI,CAAC,QAAQ,EAAE,cAAc,CAAC,CAAC;IACpD,MAAM,YAAY,GAAG,IAAI,CAAC,QAAQ,EAAE,cAAc,CAAC,CAAC;IACpD,MAAM,aAAa,GAAG,IAAI,CAAC,QAAQ,EAAE,eAAe,CAAC,CAAC;IAEtD,IAAI,CAAC,CAAC,MAAM,UAAU,CAAC,YAAY,CAAC,CAAC,IAAI,CAAC,CAAC,MAAM,UAAU,CAAC,aAAa,CAAC,CAAC,EAAE,CAAC;QAC5E,OAAO,IAAI,CAAC;IACd,CAAC;IAED,MAAM,MAAM,GAAG,MAAM,QAAQ,CAAC,YAAY,EAAE,OAAO,CAAC,CAAC;IACrD,MAAM,MAAM,GAAG,MAAM,QAAQ,CAAC,YAAY,EAAE,OAAO,CAAC,CAAC;IACrD,MAAM,WAAW,GAAG,MAAM,QAAQ,CAAC,aAAa,EAAE,OAAO,CAAC,CAAC;IAE3D,MAAM,UAAU,GAAG,mBAAmB,CAAC,MAAM,CAAC,CAAC;IAC/C,MAAM,SAAS,GAAG,kBAAkB,CAAC,MAAM,CAAC,CAAC;IAC7C,MAAM,QAAQ,GAAG,gBAAgB,CAAC,WAAW,CAAC,CAAC;IAE/C,IAAI,CAAC,QAAQ;QAAE,OAAO,IAAI,CAAC;IAE3B,8CAA8C;IAC9C,MAAM,UAAU,GAAG,IAAI,CAAC,KAAK,CAAC,WAAW,CAExC,CAAC;IAEF,OAAO;QACL,OAAO,EAAE,UAAU,CAAC,OAAO,CAAC,UAAU,CAAC,OAAO,IAAI,OAAO;QACzD,QAAQ,EAAE,UAAU,CAAC,OAAO,CAAC,UAAU,CAAC,QAAQ,IAAI,SAAS;QAC7D,UAAU;QACV,SAAS;QACT,WAAW;QACX,WAAW,EAAE,QAAQ,CAAC,WAAW;QACjC,iBAAiB,EAAE,UAAU,CAAC,OAAO,CAAC,UAAU,CAAC,iBAAiB,IAAI,EAAE;QACxE,QAAQ,EAAE,IAAI,IAAI,CAAC,QAAQ,CAAC,SAAS,CAAC;QACtC,SAAS,EAAE,IAAI,IAAI,CAAC,QAAQ,CAAC,OAAO,CAAC;KACtC,CAAC;AACJ,CAAC;AAED,8EAA8E;AAC9E,uBAAuB;AACvB,8EAA8E;AAE9E;;;GAGG;AACH,MAAM,UAAU,wBAAwB,CACtC,OAAe,EACf,aAA4B,EAC5B,aAA4B;IAQ5B,IAAI,CAAC,aAAa,CAAC,WAAW,IAAI,CAAC,aAAa,CAAC,WAAW,EAAE,CAAC;QAC7D,MAAM,IAAI,KAAK,CAAC,gEAAgE,CAAC,CAAC;IACpF,CAAC;IAED,MAAM,cAAc,GAAG,WAAW,CAAC,OAAO,EAAE,aAAa,CAAC,UAAU,EAAE,aAAa,CAAC,WAAW,CAAC,CAAC;IACjG,MAAM,cAAc,GAAG,WAAW,CAAC,OAAO,EAAE,aAAa,CAAC,UAAU,EAAE,aAAa,CAAC,WAAW,CAAC,CAAC;IAEjG,OAAO;QACL,OAAO;QACP,cAAc;QACd,cAAc;QACd,gBAAgB,EAAE,aAAa,CAAC,WAAW;QAC3C,gBAAgB,EAAE,aAAa,CAAC,WAAW;KAC5C,CAAC;AACJ,CAAC"}

package/dist/ratification.d.ts

@@ -0,0 +1,125 @@
+/**
+ * Ratification Flow — wires PKI signing into the DIKW pipeline.
+ *
+ * Flow:
+ *   1. Agent writes knowledge/experience locally (stored immediately)
+ *   2. Content signed by agent cert + local identity cert (dual signatures)
+ *   3. Async message queued to Resonance Cloud with both signatures
+ *   4. Cloud verifies the chain (agent -> local -> Synthaer CA -> Root)
+ *   5. Cloud system-signs with the appropriate CI signer
+ *   6. Cloud stores both signatures on the entry
+ *   7. SSE notification sent back with cloud ratification signature
+ *   8. Local updates its record — entry is now "ratified"
+ */
+import type { PKIConfig, LocalIdentity, AgentIdentity, ContentSignature } from './pki.js';
+export type RatificationStatus = 'pending' | 'submitted' | 'ratified' | 'rejected';
+export interface RatificationPayload {
+    operation: string;
+    contentHash: string;
+    agentSignature: ContentSignature;
+    localSignature: ContentSignature;
+    agentCertificate: string;
+    localCertificate: string;
+    timestamp: string;
+    nonce: string;
+}
+export interface QueueEntry {
+    id: string;
+    payload: RatificationPayload;
+    status: RatificationStatus;
+    recordId: string;
+    recordTable: string;
+    attempts: number;
+    lastAttemptAt: string | null;
+    nextRetryAt: string | null;
+    cloudSignature: ContentSignature | null;
+    createdAt: string;
+    updatedAt: string;
+    errorMessage: string | null;
+}
+export interface RatificationResponse {
+    entryId: string;
+    status: 'ratified' | 'rejected';
+    cloudSignature?: ContentSignature;
+    reason?: string;
+}
+export interface RatificationManagerOptions {
+    config: PKIConfig;
+    localIdentity: LocalIdentity;
+    cloudBaseUrl: string;
+    authToken: string;
+    maxRetries?: number;
+    baseRetryDelayMs?: number;
+}
+export interface SignerMapping {
+    signer: string;
+    layerCode: string;
+}
+/**
+ * Map a Resonance MCP operation name to its designated CI signer.
+ * Returns null for operations that do not require ratification.
+ */
+export declare function mapOperationToSigner(operation: string): SignerMapping | null;
+/**
+ * Build the ratification payload sent to cloud. The content itself is NOT
+ * included — only its SHA-256 hash, plus the dual signatures and certs.
+ */
+export declare function buildRatificationPayload(operation: string, content: string, agentSignature: ContentSignature, localSignature: ContentSignature, agentCertificate: string, localCertificate: string): RatificationPayload;
+export declare class RatificationManager {
+    private queue;
+    private loaded;
+    private readonly config;
+    private readonly localIdentity;
+    private readonly cloudBaseUrl;
+    private readonly authToken;
+    private readonly maxRetries;
+    private readonly baseRetryDelayMs;
+    constructor(options: RatificationManagerOptions);
+    /**
+     * Load persisted queue from disk. Safe to call multiple times.
+     */
+    loadQueue(): Promise<void>;
+    /**
+     * Return a snapshot of the current queue.
+     */
+    getQueue(): ReadonlyArray<QueueEntry>;
+    /**
+     * Get a single queue entry by ID.
+     */
+    getEntry(id: string): QueueEntry | undefined;
+    /**
+     * Sign content with both agent and local identity certs, build the
+     * ratification payload, and add it to the queue for async cloud submission.
+     */
+    signAndQueue(operation: string, content: string, agentIdentity: AgentIdentity, recordId: string, recordTable: string): Promise<string>;
+    /**
+     * Process all pending/retryable queue entries by sending them to cloud.
+     * Returns the number of entries that were submitted.
+     */
+    processQueue(): Promise<{
+        submitted: number;
+        ratified: number;
+        rejected: number;
+        errors: number;
+    }>;
+    /**
+     * Handle a ratification response (e.g., from SSE push or manual poll).
+     * Updates the queue entry and returns whether the entry was found.
+     */
+    handleRatificationResponse(response: RatificationResponse): boolean;
+    /**
+     * Persist current queue state to disk.
+     */
+    persistQueue(): Promise<void>;
+    /**
+     * Get all entries with a given status.
+     */
+    getEntriesByStatus(status: RatificationStatus): QueueEntry[];
+    /**
+     * Remove completed (ratified/rejected) entries older than the given age.
+     */
+    pruneCompleted(maxAgeMs: number): Promise<number>;
+    private applyResponse;
+    private submitToCloud;
+}
+//# sourceMappingURL=ratification.d.ts.map

package/dist/ratification.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"ratification.d.ts","sourceRoot":"","sources":["../src/ratification.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAKH,OAAO,KAAK,EAAE,SAAS,EAAE,aAAa,EAAE,aAAa,EAAE,gBAAgB,EAAE,MAAM,UAAU,CAAC;AAO1F,MAAM,MAAM,kBAAkB,GAAG,SAAS,GAAG,WAAW,GAAG,UAAU,GAAG,UAAU,CAAC;AAEnF,MAAM,WAAW,mBAAmB;IAClC,SAAS,EAAE,MAAM,CAAC;IAClB,WAAW,EAAE,MAAM,CAAC;IACpB,cAAc,EAAE,gBAAgB,CAAC;IACjC,cAAc,EAAE,gBAAgB,CAAC;IACjC,gBAAgB,EAAE,MAAM,CAAC;IACzB,gBAAgB,EAAE,MAAM,CAAC;IACzB,SAAS,EAAE,MAAM,CAAC;IAClB,KAAK,EAAE,MAAM,CAAC;CACf;AAED,MAAM,WAAW,UAAU;IACzB,EAAE,EAAE,MAAM,CAAC;IACX,OAAO,EAAE,mBAAmB,CAAC;IAC7B,MAAM,EAAE,kBAAkB,CAAC;IAC3B,QAAQ,EAAE,MAAM,CAAC;IACjB,WAAW,EAAE,MAAM,CAAC;IACpB,QAAQ,EAAE,MAAM,CAAC;IACjB,aAAa,EAAE,MAAM,GAAG,IAAI,CAAC;IAC7B,WAAW,EAAE,MAAM,GAAG,IAAI,CAAC;IAC3B,cAAc,EAAE,gBAAgB,GAAG,IAAI,CAAC;IACxC,SAAS,EAAE,MAAM,CAAC;IAClB,SAAS,EAAE,MAAM,CAAC;IAClB,YAAY,EAAE,MAAM,GAAG,IAAI,CAAC;CAC7B;AAED,MAAM,WAAW,oBAAoB;IACnC,OAAO,EAAE,MAAM,CAAC;IAChB,MAAM,EAAE,UAAU,GAAG,UAAU,CAAC;IAChC,cAAc,CAAC,EAAE,gBAAgB,CAAC;IAClC,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AAED,MAAM,WAAW,0BAA0B;IACzC,MAAM,EAAE,SAAS,CAAC;IAClB,aAAa,EAAE,aAAa,CAAC;IAC7B,YAAY,EAAE,MAAM,CAAC;IACrB,SAAS,EAAE,MAAM,CAAC;IAClB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,gBAAgB,CAAC,EAAE,MAAM,CAAC;CAC3B;AAMD,MAAM,WAAW,aAAa;IAC5B,MAAM,EAAE,MAAM,CAAC;IACf,SAAS,EAAE,MAAM,CAAC;CACnB;AA0DD;;;GAGG;AACH,wBAAgB,oBAAoB,CAAC,SAAS,EAAE,MAAM,GAAG,aAAa,GAAG,IAAI,CAE5E;AAMD;;;GAGG;AACH,wBAAgB,wBAAwB,CACtC,SAAS,EAAE,MAAM,EACjB,OAAO,EAAE,MAAM,EACf,cAAc,EAAE,gBAAgB,EAChC,cAAc,EAAE,gBAAgB,EAChC,gBAAgB,EAAE,MAAM,EACxB,gBAAgB,EAAE,MAAM,GACvB,mBAAmB,CAYrB;AA4BD,qBAAa,mBAAmB;IAC9B,OAAO,CAAC,KAAK,CAAoB;IACjC,OAAO,CAAC,MAAM,CAAS;IAEvB,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAY;IACnC,OAAO,CAAC,QAAQ,CAAC,aAAa,CAAgB;IAC9C,OAAO,CAAC,QAAQ,CAAC,YAAY,CAAS;IACtC,OAAO,CAAC,QAAQ,CAAC,SAAS,CAAS;IACnC,OAAO,CAAC,QAAQ,CAAC,UAAU,CAAS;IACpC,OAAO,CAAC,QAAQ,CAAC,gBAAgB,CAAS;gBAE9B,OAAO,EAAE,0BAA0B;IAS/C;;OAEG;IACG,SAAS,IAAI,OAAO,CAAC,IAAI,CAAC;IAMhC;;OAEG;IACH,QAAQ,IAAI,aAAa,CAAC,UAAU,CAAC;IAIrC;;OAEG;IACH,QAAQ,CAAC,EAAE,EAAE,MAAM,GAAG,UAAU,GAAG,SAAS;IAI5C;;;OAGG;IACG,YAAY,CAChB,SAAS,EAAE,MAAM,EACjB,OAAO,EAAE,MAAM,EACf,aAAa,EAAE,aAAa,EAC5B,QAAQ,EAAE,MAAM,EAChB,WAAW,EAAE,MAAM,GAClB,OAAO,CAAC,MAAM,CAAC;IAwClB;;;OAGG;IACG,YAAY,IAAI,OAAO,CAAC;QAAE,SAAS,EAAE,MAAM,CAAC;QAAC,QAAQ,EAAE,MAAM,CAAC;QAAC,QAAQ,EAAE,MAAM,CAAC;QAAC,MAAM,EAAE,MAAM,CAAA;KAAE,CAAC;IA2CxG;;;OAGG;IACH,0BAA0B,CAAC,QAAQ,EAAE,oBAAoB,GAAG,OAAO;IAUnE;;OAEG;IACG,YAAY,IAAI,OAAO,CAAC,IAAI,CAAC;IAInC;;OAEG;IACH,kBAAkB,CAAC,MAAM,EAAE,kBAAkB,GAAG,UAAU,EAAE;IAI5D;;OAEG;IACG,cAAc,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;IAgBvD,OAAO,CAAC,aAAa;YAaP,aAAa;CA4B5B"}