@the-ai-company/cbio-node-runtime 0.33.0 → 1.0.0

package/dist/vault-core/index.d.ts

@@ -0,0 +1,6 @@
+export { createVaultCore, DefaultVaultCore } from "./core.js";
+export { VaultCoreError } from "./errors.js";
+export { createDefaultVaultCoreDependencies, type CreateDefaultVaultCoreDependenciesOptions, type DefaultPolicyEngineOptions, DefaultPolicyEngine, HttpDispatchExecutor, InMemoryAgentIdentityRegistry, InMemoryCapabilityRevocationRegistry, InMemoryCustomHttpFlowRegistry, InMemoryRateLimitStore, InMemoryReplayGuard, InMemoryAuditLog, InMemoryOwnerIdentityRegistry, InMemorySecretCustody, InMemorySecretRepository, RandomIdGenerator, SignatureOwnerProofVerifier, type SignatureAgentProofVerifierOptions, SignatureAgentProofVerifier, SystemClock, } from "./defaults.js";
+export { createPersistentVaultCoreDependencies, FileAuditLog as PersistentVaultAuditLog, FileCapabilityRevocationRegistry as PersistentVaultCapabilityRevocationRegistry, FileCustomHttpFlowRegistry as PersistentVaultCustomHttpFlowRegistry, FileRateLimitStore as PersistentVaultRateLimitStore, FileReplayGuard as PersistentVaultReplayGuard, FileSecretCustody as PersistentVaultSecretCustody, FileSecretRepository as PersistentVaultSecretRepository, } from "./persistence.js";
+export type { AgentCapability, AgentIdentityRecord, AgentProof, OwnerAuditRequest, OwnerRegisterAgentIdentityCommand, OwnerRegisterCustomHttpFlowCommand, OwnerRegisterOwnerIdentityCommand, OwnerIdentityRecord, CustomHttpFlowDefinition, OwnerProof, AuditEntry, AuditQuery, DispatchAuthorization, DispatchInstruction, DispatchRequest, DispatchResult, IssuerWriteSecretCommand, OwnerWriteSecretCommand, SecretAlias, SecretId, SecretRecord, SecretVersion, VaultPrincipal, VaultPrincipalKind, VaultTargetBinding, VaultWriteSecretCommand, VaultId, } from "./contracts.js";
+export type { AgentIdentityRegistry, AgentProofVerifier, AuditLog, Clock, IdGenerator, OwnerIdentityRegistry, OwnerProofVerifier, PolicyEngine, RateLimitStore, ReplayGuard, CustomHttpFlowRegistry, SecretRepository, SecretCustody, TrustedExecutor, VaultCore, VaultCoreDependencies, CapabilityRevocationRegistry, } from "./ports.js";

package/dist/vault-core/index.js

@@ -0,0 +1,5 @@
+export { createVaultCore, DefaultVaultCore } from "./core.js";
+export { VaultCoreError } from "./errors.js";
+export { createDefaultVaultCoreDependencies, DefaultPolicyEngine, HttpDispatchExecutor, InMemoryAgentIdentityRegistry, InMemoryCapabilityRevocationRegistry, InMemoryCustomHttpFlowRegistry, InMemoryRateLimitStore, InMemoryReplayGuard, InMemoryAuditLog, InMemoryOwnerIdentityRegistry, InMemorySecretCustody, InMemorySecretRepository, RandomIdGenerator, SignatureOwnerProofVerifier, SignatureAgentProofVerifier, SystemClock, } from "./defaults.js";
+export { createPersistentVaultCoreDependencies, FileAuditLog as PersistentVaultAuditLog, FileCapabilityRevocationRegistry as PersistentVaultCapabilityRevocationRegistry, FileCustomHttpFlowRegistry as PersistentVaultCustomHttpFlowRegistry, FileRateLimitStore as PersistentVaultRateLimitStore, FileReplayGuard as PersistentVaultReplayGuard, FileSecretCustody as PersistentVaultSecretCustody, FileSecretRepository as PersistentVaultSecretRepository, } from "./persistence.js";
+//# sourceMappingURL=index.js.map

package/dist/vault-core/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/vault-core/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,eAAe,EAAE,gBAAgB,EAAE,MAAM,WAAW,CAAC;AAC9D,OAAO,EAAE,cAAc,EAAE,MAAM,aAAa,CAAC;AAC7C,OAAO,EACL,kCAAkC,EAGlC,mBAAmB,EACnB,oBAAoB,EACpB,6BAA6B,EAC7B,oCAAoC,EACpC,8BAA8B,EAC9B,sBAAsB,EACtB,mBAAmB,EACnB,gBAAgB,EAChB,6BAA6B,EAC7B,qBAAqB,EACrB,wBAAwB,EACxB,iBAAiB,EACjB,2BAA2B,EAE3B,2BAA2B,EAC3B,WAAW,GACZ,MAAM,eAAe,CAAC;AACvB,OAAO,EACL,qCAAqC,EACrC,YAAY,IAAI,uBAAuB,EACvC,gCAAgC,IAAI,2CAA2C,EAC/E,0BAA0B,IAAI,qCAAqC,EACnE,kBAAkB,IAAI,6BAA6B,EACnD,eAAe,IAAI,0BAA0B,EAC7C,iBAAiB,IAAI,4BAA4B,EACjD,oBAAoB,IAAI,+BAA+B,GACxD,MAAM,kBAAkB,CAAC"}

package/dist/vault-core/persistence.d.ts

@@ -0,0 +1,87 @@
+import type { IStorageProvider } from "../storage/provider.js";
+import type { AuditEntry, AuditQuery, VaultId, CustomHttpFlowDefinition, SecretAlias, SecretId, SecretRecord } from "./contracts.js";
+import type { AuditLog, CapabilityRevocationRegistry, CustomHttpFlowRegistry, RateLimitStore, ReplayGuard, SecretCustody, SecretRepository } from "./ports.js";
+import { createDefaultVaultCoreDependencies, type CreateDefaultVaultCoreDependenciesOptions } from "./defaults.js";
+import type { DispatchRequest } from "./contracts.js";
+export declare class FileSecretRepository implements SecretRepository {
+    private readonly _storage;
+    private readonly _key;
+    private readonly _lockKey;
+    constructor(_storage: IStorageProvider, _key?: string, _lockKey?: string);
+    private loadState;
+    save(record: SecretRecord): Promise<void>;
+    delete(secretId: SecretId): Promise<void>;
+    getByAlias(alias: SecretAlias): Promise<SecretRecord | null>;
+    getById(secretId: SecretId): Promise<SecretRecord | null>;
+}
+export declare class FileAuditLog implements AuditLog {
+    private readonly _storage;
+    private readonly _key;
+    private readonly _lockKey;
+    constructor(_storage: IStorageProvider, _key?: string, _lockKey?: string);
+    private hash;
+    private verifyEnvelopeChain;
+    private loadEntries;
+    append(entry: AuditEntry): Promise<void>;
+    query(query: AuditQuery): Promise<readonly AuditEntry[]>;
+}
+export declare class FileSecretCustody implements SecretCustody {
+    private readonly _storage;
+    private readonly _custodyKey;
+    private readonly _keyPrefix;
+    constructor(_storage: IStorageProvider, _custodyKey: string, _keyPrefix?: string);
+    private key;
+    store(secretId: SecretId, plaintext: string): Promise<void>;
+    load(secretId: SecretId): Promise<string | null>;
+    delete(secretId: SecretId): Promise<void>;
+}
+export declare class FileReplayGuard implements ReplayGuard {
+    private readonly _storage;
+    private readonly _key;
+    private readonly _lockKey;
+    private readonly _ttlMs;
+    constructor(_storage: IStorageProvider, _key?: string, _lockKey?: string, _ttlMs?: number);
+    assertNotReplayed(request: DispatchRequest): Promise<void>;
+}
+export declare class FileRateLimitStore implements RateLimitStore {
+    private readonly _storage;
+    private readonly _key;
+    private readonly _lockKey;
+    constructor(_storage: IStorageProvider, _key?: string, _lockKey?: string);
+    consume(key: string, maxRequests: number, windowMs: number, nowMs: number): Promise<void>;
+}
+export declare class FileCapabilityRevocationRegistry implements CapabilityRevocationRegistry {
+    private readonly _storage;
+    private readonly _key;
+    private readonly _lockKey;
+    constructor(_storage: IStorageProvider, _key?: string, _lockKey?: string);
+    private compositeKey;
+    get(vaultId: VaultId, agentId: string, capabilityId: string): Promise<number>;
+    revoke(vaultId: VaultId, agentId: string, capabilityId: string): Promise<number>;
+}
+export declare class FileCustomHttpFlowRegistry implements CustomHttpFlowRegistry {
+    private readonly _storage;
+    private readonly _key;
+    private readonly _lockKey;
+    constructor(_storage: IStorageProvider, _key?: string, _lockKey?: string);
+    private loadState;
+    register(flow: CustomHttpFlowDefinition): Promise<void>;
+    get(vaultId: VaultId, flowId: string): Promise<CustomHttpFlowDefinition | null>;
+}
+export declare function createPersistentVaultCoreDependencies(storage: IStorageProvider, options?: CreateDefaultVaultCoreDependenciesOptions): {
+    vaultId: ReturnType<typeof createDefaultVaultCoreDependencies>["vaultId"];
+    secrets: FileSecretRepository;
+    custody: FileSecretCustody;
+    policy: ReturnType<typeof createDefaultVaultCoreDependencies>["policy"];
+    audit: FileAuditLog;
+    executor: ReturnType<typeof createDefaultVaultCoreDependencies>["executor"];
+    agentIdentities: ReturnType<typeof createDefaultVaultCoreDependencies>["agentIdentities"];
+    ownerIdentities: ReturnType<typeof createDefaultVaultCoreDependencies>["ownerIdentities"];
+    proofVerifier: ReturnType<typeof createDefaultVaultCoreDependencies>["proofVerifier"];
+    ownerProofVerifier: ReturnType<typeof createDefaultVaultCoreDependencies>["ownerProofVerifier"];
+    replayGuard: ReplayGuard;
+    capabilityRevocations: CapabilityRevocationRegistry;
+    customFlows: CustomHttpFlowRegistry;
+    clock: ReturnType<typeof createDefaultVaultCoreDependencies>["clock"];
+    ids: ReturnType<typeof createDefaultVaultCoreDependencies>["ids"];
+};

package/dist/vault-core/persistence.js

@@ -0,0 +1,309 @@
+import { sealBlob, unsealBlob } from "../sealed/seal.js";
+import { DefaultPolicyEngine, createDefaultVaultCoreDependencies, } from "./defaults.js";
+import { createHash } from "node:crypto";
+import { VaultCoreError } from "./errors.js";
+function serializeJson(value) {
+    return Buffer.from(JSON.stringify(value, null, 2), "utf8");
+}
+async function readJson(storage, key, fallback) {
+    const payload = await storage.read(key);
+    if (!payload) {
+        return fallback;
+    }
+    return JSON.parse(payload.toString("utf8"));
+}
+async function withStorageLock(storage, key, task) {
+    if (storage.withLock) {
+        return storage.withLock(key, task);
+    }
+    return task();
+}
+export class FileSecretRepository {
+    _storage;
+    _key;
+    _lockKey;
+    constructor(_storage, _key = "vault/secrets.json", _lockKey = "vault/locks/secrets") {
+        this._storage = _storage;
+        this._key = _key;
+        this._lockKey = _lockKey;
+    }
+    async loadState() {
+        return readJson(this._storage, this._key, { records: [] });
+    }
+    async save(record) {
+        await withStorageLock(this._storage, this._lockKey, async () => {
+            const state = await this.loadState();
+            const next = state.records.filter((candidate) => candidate.secretId.value !== record.secretId.value);
+            next.push(record);
+            await this._storage.write(this._key, serializeJson({ records: next }));
+        });
+    }
+    async delete(secretId) {
+        await withStorageLock(this._storage, this._lockKey, async () => {
+            const state = await this.loadState();
+            const next = state.records.filter((candidate) => candidate.secretId.value !== secretId.value);
+            await this._storage.write(this._key, serializeJson({ records: next }));
+        });
+    }
+    async getByAlias(alias) {
+        const state = await this.loadState();
+        return state.records.find((record) => record.alias.value === alias.value) ?? null;
+    }
+    async getById(secretId) {
+        const state = await this.loadState();
+        return state.records.find((record) => record.secretId.value === secretId.value) ?? null;
+    }
+}
+export class FileAuditLog {
+    _storage;
+    _key;
+    _lockKey;
+    constructor(_storage, _key = "vault/audit.jsonl", _lockKey = "vault/locks/audit") {
+        this._storage = _storage;
+        this._key = _key;
+        this._lockKey = _lockKey;
+    }
+    hash(value) {
+        return createHash("sha256").update(value).digest("hex");
+    }
+    verifyEnvelopeChain(lines) {
+        const entries = [];
+        let previousHash = "GENESIS";
+        for (const line of lines) {
+            const parsed = JSON.parse(line);
+            if (!parsed.entry || typeof parsed.prevHash !== "string" || typeof parsed.hash !== "string") {
+                throw new Error("audit chain malformed");
+            }
+            const payload = JSON.stringify({
+                prevHash: parsed.prevHash,
+                entry: parsed.entry,
+            });
+            const expectedHash = this.hash(payload);
+            if (parsed.prevHash !== previousHash || parsed.hash !== expectedHash) {
+                throw new Error("audit chain verification failed");
+            }
+            previousHash = parsed.hash;
+            entries.push(parsed.entry);
+        }
+        return entries;
+    }
+    async loadEntries() {
+        const payload = await this._storage.read(this._key);
+        if (!payload) {
+            return [];
+        }
+        const lines = payload.toString("utf8").split("\n").filter(Boolean);
+        return this.verifyEnvelopeChain(lines);
+    }
+    async append(entry) {
+        await withStorageLock(this._storage, this._lockKey, async () => {
+            const payload = await this._storage.read(this._key);
+            const lines = payload ? payload.toString("utf8").split("\n").filter(Boolean) : [];
+            this.verifyEnvelopeChain(lines);
+            const previousHash = lines.length
+                ? JSON.parse(lines[lines.length - 1]).hash
+                : "GENESIS";
+            const nextEnvelope = {
+                prevHash: previousHash,
+                entry,
+                hash: this.hash(JSON.stringify({ prevHash: previousHash, entry })),
+            };
+            const contents = [...lines, JSON.stringify(nextEnvelope)].join("\n") + "\n";
+            await this._storage.write(this._key, Buffer.from(contents, "utf8"));
+        });
+    }
+    async query(query) {
+        const entries = await this.loadEntries();
+        return entries.filter((entry) => {
+            if (query.actorId && entry.actor.id !== query.actorId)
+                return false;
+            if (query.secretAlias && entry.secretAlias !== query.secretAlias)
+                return false;
+            if (query.requestId && entry.requestId !== query.requestId)
+                return false;
+            if (query.since && entry.occurredAt < query.since)
+                return false;
+            return true;
+        });
+    }
+}
+export class FileSecretCustody {
+    _storage;
+    _custodyKey;
+    _keyPrefix;
+    constructor(_storage, _custodyKey, _keyPrefix = "vault/custody") {
+        this._storage = _storage;
+        this._custodyKey = _custodyKey;
+        this._keyPrefix = _keyPrefix;
+    }
+    key(secretId) {
+        return `${this._keyPrefix}/${secretId.value}.sealed`;
+    }
+    async store(secretId, plaintext) {
+        await withStorageLock(this._storage, `${this.key(secretId)}:lock`, async () => {
+            const sealed = sealBlob({
+                version: "v1.0",
+                secrets: {
+                    material: plaintext,
+                },
+                secretMetadata: {
+                    secretId: secretId.value,
+                },
+            }, this._custodyKey);
+            await this._storage.write(this.key(secretId), Buffer.from(sealed, "utf8"));
+        });
+    }
+    async load(secretId) {
+        const payload = await this._storage.read(this.key(secretId));
+        if (!payload) {
+            return null;
+        }
+        const unsealed = unsealBlob(payload.toString("utf8"), this._custodyKey);
+        return unsealed.secrets.material ?? null;
+    }
+    async delete(secretId) {
+        await withStorageLock(this._storage, `${this.key(secretId)}:lock`, async () => {
+            await this._storage.delete(this.key(secretId));
+        });
+    }
+}
+export class FileReplayGuard {
+    _storage;
+    _key;
+    _lockKey;
+    _ttlMs;
+    constructor(_storage, _key = "vault/security/replay.json", _lockKey = "vault/locks/replay", _ttlMs = 5 * 60 * 1000) {
+        this._storage = _storage;
+        this._key = _key;
+        this._lockKey = _lockKey;
+        this._ttlMs = _ttlMs;
+    }
+    async assertNotReplayed(request) {
+        await withStorageLock(this._storage, this._lockKey, async () => {
+            const now = Date.now();
+            const state = await readJson(this._storage, this._key, { seen: {} });
+            const nextSeen = {};
+            for (const [key, seenAt] of Object.entries(state.seen)) {
+                if (now - seenAt <= this._ttlMs) {
+                    nextSeen[key] = seenAt;
+                }
+            }
+            const replayKey = `${request.agent.id}:${request.requestId}`;
+            if (replayKey in nextSeen) {
+                throw new VaultCoreError("request replay detected", "VAULT_DISPATCH_DENIED");
+            }
+            nextSeen[replayKey] = now;
+            await this._storage.write(this._key, serializeJson({ seen: nextSeen }));
+        });
+    }
+}
+export class FileRateLimitStore {
+    _storage;
+    _key;
+    _lockKey;
+    constructor(_storage, _key = "vault/security/rate-limits.json", _lockKey = "vault/locks/rate-limits") {
+        this._storage = _storage;
+        this._key = _key;
+        this._lockKey = _lockKey;
+    }
+    async consume(key, maxRequests, windowMs, nowMs) {
+        await withStorageLock(this._storage, this._lockKey, async () => {
+            const state = await readJson(this._storage, this._key, { buckets: {} });
+            const nextBuckets = {};
+            for (const [bucketKey, bucket] of Object.entries(state.buckets)) {
+                if (nowMs < bucket.resetAt) {
+                    nextBuckets[bucketKey] = bucket;
+                }
+            }
+            const current = nextBuckets[key];
+            if (!current || nowMs >= current.resetAt) {
+                nextBuckets[key] = {
+                    count: 1,
+                    resetAt: nowMs + windowMs,
+                };
+            }
+            else {
+                if (current.count >= maxRequests) {
+                    throw new VaultCoreError("capability rate limit exceeded", "VAULT_DISPATCH_DENIED");
+                }
+                current.count += 1;
+            }
+            await this._storage.write(this._key, serializeJson({ buckets: nextBuckets }));
+        });
+    }
+}
+export class FileCapabilityRevocationRegistry {
+    _storage;
+    _key;
+    _lockKey;
+    constructor(_storage, _key = "vault/security/revocations.json", _lockKey = "vault/locks/revocations") {
+        this._storage = _storage;
+        this._key = _key;
+        this._lockKey = _lockKey;
+    }
+    compositeKey(vaultId, agentId, capabilityId) {
+        return `${vaultId.value}:${agentId}:${capabilityId}`;
+    }
+    async get(vaultId, agentId, capabilityId) {
+        const state = await readJson(this._storage, this._key, { versions: {} });
+        return state.versions[this.compositeKey(vaultId, agentId, capabilityId)] ?? 0;
+    }
+    async revoke(vaultId, agentId, capabilityId) {
+        return withStorageLock(this._storage, this._lockKey, async () => {
+            const state = await readJson(this._storage, this._key, { versions: {} });
+            const key = this.compositeKey(vaultId, agentId, capabilityId);
+            const next = (state.versions[key] ?? 0) + 1;
+            state.versions[key] = next;
+            await this._storage.write(this._key, serializeJson(state));
+            return next;
+        });
+    }
+}
+export class FileCustomHttpFlowRegistry {
+    _storage;
+    _key;
+    _lockKey;
+    constructor(_storage, _key = "vault/custom-flows.json", _lockKey = "vault/locks/custom-flows") {
+        this._storage = _storage;
+        this._key = _key;
+        this._lockKey = _lockKey;
+    }
+    async loadState() {
+        return readJson(this._storage, this._key, { flows: [] });
+    }
+    async register(flow) {
+        await withStorageLock(this._storage, this._lockKey, async () => {
+            const state = await this.loadState();
+            const next = state.flows.filter((candidate) => candidate.flowId !== flow.flowId);
+            next.push(flow);
+            await this._storage.write(this._key, serializeJson({ flows: next }));
+        });
+    }
+    async get(vaultId, flowId) {
+        const state = await this.loadState();
+        return state.flows.find((flow) => flow.vaultId.value === vaultId.value && flow.flowId === flowId) ?? null;
+    }
+}
+export function createPersistentVaultCoreDependencies(storage, options = {}) {
+    if (!options.custodyKey) {
+        throw new Error("persistent vault dependencies require custodyKey");
+    }
+    const defaults = createDefaultVaultCoreDependencies(options);
+    const capabilityRevocations = new FileCapabilityRevocationRegistry(storage);
+    const customFlows = new FileCustomHttpFlowRegistry(storage);
+    return {
+        ...defaults,
+        secrets: new FileSecretRepository(storage),
+        custody: new FileSecretCustody(storage, options.custodyKey),
+        audit: new FileAuditLog(storage),
+        policy: new DefaultPolicyEngine({
+            ...(options.policy ?? {}),
+            capabilityRevocationRegistry: capabilityRevocations,
+            rateLimitStore: new FileRateLimitStore(storage),
+        }),
+        replayGuard: new FileReplayGuard(storage, "vault/security/replay.json", "vault/locks/replay", options.proofVerifier?.maxSkewMs ?? (5 * 60 * 1000)),
+        capabilityRevocations,
+        customFlows,
+    };
+}
+//# sourceMappingURL=persistence.js.map

package/dist/vault-core/persistence.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"persistence.js","sourceRoot":"","sources":["../../src/vault-core/persistence.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,QAAQ,EAAE,UAAU,EAAE,MAAM,mBAAmB,CAAC;AAmBzD,OAAO,EACL,mBAAmB,EACnB,kCAAkC,GAEnC,MAAM,eAAe,CAAC;AACvB,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AACzC,OAAO,EAAE,cAAc,EAAE,MAAM,aAAa,CAAC;AAuB7C,SAAS,aAAa,CAAC,KAAc;IACnC,OAAO,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC,EAAE,MAAM,CAAC,CAAC;AAC7D,CAAC;AAED,KAAK,UAAU,QAAQ,CAAI,OAAyB,EAAE,GAAW,EAAE,QAAW;IAC5E,MAAM,OAAO,GAAG,MAAM,OAAO,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IACxC,IAAI,CAAC,OAAO,EAAE,CAAC;QACb,OAAO,QAAQ,CAAC;IAClB,CAAC;IACD,OAAO,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAM,CAAC;AACnD,CAAC;AAED,KAAK,UAAU,eAAe,CAAI,OAAyB,EAAE,GAAW,EAAE,IAAsB;IAC9F,IAAI,OAAO,CAAC,QAAQ,EAAE,CAAC;QACrB,OAAO,OAAO,CAAC,QAAQ,CAAC,GAAG,EAAE,IAAI,CAAC,CAAC;IACrC,CAAC;IACD,OAAO,IAAI,EAAE,CAAC;AAChB,CAAC;AAED,MAAM,OAAO,oBAAoB;IAEZ;IACA;IACA;IAHnB,YACmB,QAA0B,EAC1B,OAAO,oBAAoB,EAC3B,WAAW,qBAAqB;QAFhC,aAAQ,GAAR,QAAQ,CAAkB;QAC1B,SAAI,GAAJ,IAAI,CAAuB;QAC3B,aAAQ,GAAR,QAAQ,CAAwB;IAChD,CAAC;IAEI,KAAK,CAAC,SAAS;QACrB,OAAO,QAAQ,CAAC,IAAI,CAAC,QAAQ,EAAE,IAAI,CAAC,IAAI,EAAE,EAAE,OAAO,EAAE,EAAE,EAAE,CAAC,CAAC;IAC7D,CAAC;IAED,KAAK,CAAC,IAAI,CAAC,MAAoB;QAC7B,MAAM,eAAe,CAAC,IAAI,CAAC,QAAQ,EAAE,IAAI,CAAC,QAAQ,EAAE,KAAK,IAAI,EAAE;YAC7D,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,SAAS,EAAE,CAAC;YACrC,MAAM,IAAI,GAAG,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC,SAAS,EAAE,EAAE,CAAC,SAAS,CAAC,QAAQ,CAAC,KAAK,KAAK,MAAM,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;YACrG,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;YAClB,MAAM,IAAI,CAAC,QAAQ,CAAC,KAAK,CAAC,IAAI,CAAC,IAAI,EAAE,aAAa,CAAC,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC;QACzE,CAAC,CAAC,CAAC;IACL,CAAC;IAED,KAAK,CAAC,MAAM,CAAC,QAAkB;QAC7B,MAAM,eAAe,CAAC,IAAI,CAAC,QAAQ,EAAE,IAAI,CAAC,QAAQ,EAAE,KAAK,IAAI,EAAE;YAC7D,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,SAAS,EAAE,CAAC;YACrC,MAAM,IAAI,GAAG,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC,SAAS,EAAE,EAAE,CAAC,SAAS,CAAC,QAAQ,CAAC,KAAK,KAAK,QAAQ,CAAC,KAAK,CAAC,CAAC;YAC9F,MAAM,IAAI,CAAC,QAAQ,CAAC,KAAK,CAAC,IAAI,CAAC,IAAI,EAAE,aAAa,CAAC,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC;QACzE,CAAC,CAAC,CAAC;IACL,CAAC;IAED,KAAK,CAAC,UAAU,CAAC,KAAkB;QACjC,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,SAAS,EAAE,CAAC;QACrC,OAAO,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,MAAM,EAAE,EAAE,CAAC,MAAM,CAAC,KAAK,CAAC,KAAK,KAAK,KAAK,CAAC,KAAK,CAAC,IAAI,IAAI,CAAC;IACpF,CAAC;IAED,KAAK,CAAC,OAAO,CAAC,QAAkB;QAC9B,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,SAAS,EAAE,CAAC;QACrC,OAAO,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,MAAM,EAAE,EAAE,CAAC,MAAM,CAAC,QAAQ,CAAC,KAAK,KAAK,QAAQ,CAAC,KAAK,CAAC,IAAI,IAAI,CAAC;IAC1F,CAAC;CACF;AAED,MAAM,OAAO,YAAY;IAEJ;IACA;IACA;IAHnB,YACmB,QAA0B,EAC1B,OAAO,mBAAmB,EAC1B,WAAW,mBAAmB;QAF9B,aAAQ,GAAR,QAAQ,CAAkB;QAC1B,SAAI,GAAJ,IAAI,CAAsB;QAC1B,aAAQ,GAAR,QAAQ,CAAsB;IAC9C,CAAC;IAEI,IAAI,CAAC,KAAa;QACxB,OAAO,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;IAC1D,CAAC;IAEO,mBAAmB,CAAC,KAAe;QACzC,MAAM,OAAO,GAAiB,EAAE,CAAC;QACjC,IAAI,YAAY,GAAG,SAAS,CAAC;QAC7B,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;YACzB,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAA6D,CAAC;YAC5F,IAAI,CAAC,MAAM,CAAC,KAAK,IAAI,OAAO,MAAM,CAAC,QAAQ,KAAK,QAAQ,IAAI,OAAO,MAAM,CAAC,IAAI,KAAK,QAAQ,EAAE,CAAC;gBAC5F,MAAM,IAAI,KAAK,CAAC,uBAAuB,CAAC,CAAC;YAC3C,CAAC;YACD,MAAM,OAAO,GAAG,IAAI,CAAC,SAAS,CAAC;gBAC7B,QAAQ,EAAE,MAAM,CAAC,QAAQ;gBACzB,KAAK,EAAE,MAAM,CAAC,KAAK;aACpB,CAAC,CAAC;YACH,MAAM,YAAY,GAAG,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;YACxC,IAAI,MAAM,CAAC,QAAQ,KAAK,YAAY,IAAI,MAAM,CAAC,IAAI,KAAK,YAAY,EAAE,CAAC;gBACrE,MAAM,IAAI,KAAK,CAAC,iCAAiC,CAAC,CAAC;YACrD,CAAC;YACD,YAAY,GAAG,MAAM,CAAC,IAAI,CAAC;YAC3B,OAAO,CAAC,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;QAC7B,CAAC;QACD,OAAO,OAAO,CAAC;IACjB,CAAC;IAEO,KAAK,CAAC,WAAW;QACvB,MAAM,OAAO,GAAG,MAAM,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACpD,IAAI,CAAC,OAAO,EAAE,CAAC;YACb,OAAO,EAAE,CAAC;QACZ,CAAC;QACD,MAAM,KAAK,GAAG,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;QACnE,OAAO,IAAI,CAAC,mBAAmB,CAAC,KAAK,CAAC,CAAC;IACzC,CAAC;IAED,KAAK,CAAC,MAAM,CAAC,KAAiB;QAC5B,MAAM,eAAe,CAAC,IAAI,CAAC,QAAQ,EAAE,IAAI,CAAC,QAAQ,EAAE,KAAK,IAAI,EAAE;YAC7D,MAAM,OAAO,GAAG,MAAM,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YACpD,MAAM,KAAK,GAAG,OAAO,CAAC,CAAC,CAAC,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;YAClF,IAAI,CAAC,mBAAmB,CAAC,KAAK,CAAC,CAAC;YAChC,MAAM,YAAY,GAAG,KAAK,CAAC,MAAM;gBAC/B,CAAC,CAAE,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,KAAK,CAAC,MAAM,GAAG,CAAC,CAAC,CAAsB,CAAC,IAAI;gBAChE,CAAC,CAAC,SAAS,CAAC;YACd,MAAM,YAAY,GAAG;gBACnB,QAAQ,EAAE,YAAY;gBACtB,KAAK;gBACL,IAAI,EAAE,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,QAAQ,EAAE,YAAY,EAAE,KAAK,EAAE,CAAC,CAAC;aACnE,CAAC;YACF,MAAM,QAAQ,GAAG,CAAC,GAAG,KAAK,EAAE,IAAI,CAAC,SAAS,CAAC,YAAY,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,IAAI,CAAC;YAC5E,MAAM,IAAI,CAAC,QAAQ,CAAC,KAAK,CAAC,IAAI,CAAC,IAAI,EAAE,MAAM,CAAC,IAAI,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC,CAAC;QACtE,CAAC,CAAC,CAAC;IACL,CAAC;IAED,KAAK,CAAC,KAAK,CAAC,KAAiB;QAC3B,MAAM,OAAO,GAAG,MAAM,IAAI,CAAC,WAAW,EAAE,CAAC;QACzC,OAAO,OAAO,CAAC,MAAM,CAAC,CAAC,KAAK,EAAE,EAAE;YAC9B,IAAI,KAAK,CAAC,OAAO,IAAI,KAAK,CAAC,KAAK,CAAC,EAAE,KAAK,KAAK,CAAC,OAAO;gBAAE,OAAO,KAAK,CAAC;YACpE,IAAI,KAAK,CAAC,WAAW,IAAI,KAAK,CAAC,WAAW,KAAK,KAAK,CAAC,WAAW;gBAAE,OAAO,KAAK,CAAC;YAC/E,IAAI,KAAK,CAAC,SAAS,IAAI,KAAK,CAAC,SAAS,KAAK,KAAK,CAAC,SAAS;gBAAE,OAAO,KAAK,CAAC;YACzE,IAAI,KAAK,CAAC,KAAK,IAAI,KAAK,CAAC,UAAU,GAAG,KAAK,CAAC,KAAK;gBAAE,OAAO,KAAK,CAAC;YAChE,OAAO,IAAI,CAAC;QACd,CAAC,CAAC,CAAC;IACL,CAAC;CACF;AAED,MAAM,OAAO,iBAAiB;IAET;IACA;IACA;IAHnB,YACmB,QAA0B,EAC1B,WAAmB,EACnB,aAAa,eAAe;QAF5B,aAAQ,GAAR,QAAQ,CAAkB;QAC1B,gBAAW,GAAX,WAAW,CAAQ;QACnB,eAAU,GAAV,UAAU,CAAkB;IAC5C,CAAC;IAEI,GAAG,CAAC,QAAkB;QAC5B,OAAO,GAAG,IAAI,CAAC,UAAU,IAAI,QAAQ,CAAC,KAAK,SAAS,CAAC;IACvD,CAAC;IAED,KAAK,CAAC,KAAK,CAAC,QAAkB,EAAE,SAAiB;QAC/C,MAAM,eAAe,CAAC,IAAI,CAAC,QAAQ,EAAE,GAAG,IAAI,CAAC,GAAG,CAAC,QAAQ,CAAC,OAAO,EAAE,KAAK,IAAI,EAAE;YAC5E,MAAM,MAAM,GAAG,QAAQ,CACrB;gBACE,OAAO,EAAE,MAAM;gBACf,OAAO,EAAE;oBACP,QAAQ,EAAE,SAAS;iBACpB;gBACD,cAAc,EAAE;oBACd,QAAQ,EAAE,QAAQ,CAAC,KAAK;iBACzB;aACF,EACD,IAAI,CAAC,WAAW,CACjB,CAAC;YACF,MAAM,IAAI,CAAC,QAAQ,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,QAAQ,CAAC,EAAE,MAAM,CAAC,IAAI,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC,CAAC;QAC7E,CAAC,CAAC,CAAC;IACL,CAAC;IAED,KAAK,CAAC,IAAI,CAAC,QAAkB;QAC3B,MAAM,OAAO,GAAG,MAAM,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC,CAAC;QAC7D,IAAI,CAAC,OAAO,EAAE,CAAC;YACb,OAAO,IAAI,CAAC;QACd,CAAC;QACD,MAAM,QAAQ,GAAG,UAAU,CAAC,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAC,EAAE,IAAI,CAAC,WAAW,CAAC,CAAC;QACxE,OAAO,QAAQ,CAAC,OAAO,CAAC,QAAQ,IAAI,IAAI,CAAC;IAC3C,CAAC;IAED,KAAK,CAAC,MAAM,CAAC,QAAkB;QAC7B,MAAM,eAAe,CAAC,IAAI,CAAC,QAAQ,EAAE,GAAG,IAAI,CAAC,GAAG,CAAC,QAAQ,CAAC,OAAO,EAAE,KAAK,IAAI,EAAE;YAC5E,MAAM,IAAI,CAAC,QAAQ,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC,CAAC;QACjD,CAAC,CAAC,CAAC;IACL,CAAC;CACF;AAED,MAAM,OAAO,eAAe;IAEP;IACA;IACA;IACA;IAJnB,YACmB,QAA0B,EAC1B,OAAO,4BAA4B,EACnC,WAAW,oBAAoB,EAC/B,SAAS,CAAC,GAAG,EAAE,GAAG,IAAI;QAHtB,aAAQ,GAAR,QAAQ,CAAkB;QAC1B,SAAI,GAAJ,IAAI,CAA+B;QACnC,aAAQ,GAAR,QAAQ,CAAuB;QAC/B,WAAM,GAAN,MAAM,CAAgB;IACtC,CAAC;IAEJ,KAAK,CAAC,iBAAiB,CAAC,OAAwB;QAC9C,MAAM,eAAe,CAAC,IAAI,CAAC,QAAQ,EAAE,IAAI,CAAC,QAAQ,EAAE,KAAK,IAAI,EAAE;YAC7D,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;YACvB,MAAM,KAAK,GAAG,MAAM,QAAQ,CAAc,IAAI,CAAC,QAAQ,EAAE,IAAI,CAAC,IAAI,EAAE,EAAE,IAAI,EAAE,EAAE,EAAE,CAAC,CAAC;YAClF,MAAM,QAAQ,GAA2B,EAAE,CAAC;YAC5C,KAAK,MAAM,CAAC,GAAG,EAAE,MAAM,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC;gBACvD,IAAI,GAAG,GAAG,MAAM,IAAI,IAAI,CAAC,MAAM,EAAE,CAAC;oBAChC,QAAQ,CAAC,GAAG,CAAC,GAAG,MAAM,CAAC;gBACzB,CAAC;YACH,CAAC;YACD,MAAM,SAAS,GAAG,GAAG,OAAO,CAAC,KAAK,CAAC,EAAE,IAAI,OAAO,CAAC,SAAS,EAAE,CAAC;YAC7D,IAAI,SAAS,IAAI,QAAQ,EAAE,CAAC;gBAC1B,MAAM,IAAI,cAAc,CAAC,yBAAyB,EAAE,uBAAuB,CAAC,CAAC;YAC/E,CAAC;YACD,QAAQ,CAAC,SAAS,CAAC,GAAG,GAAG,CAAC;YAC1B,MAAM,IAAI,CAAC,QAAQ,CAAC,KAAK,CAAC,IAAI,CAAC,IAAI,EAAE,aAAa,CAAC,EAAE,IAAI,EAAE,QAAQ,EAAE,CAAC,CAAC,CAAC;QAC1E,CAAC,CAAC,CAAC;IACL,CAAC;CACF;AAED,MAAM,OAAO,kBAAkB;IAEV;IACA;IACA;IAHnB,YACmB,QAA0B,EAC1B,OAAO,iCAAiC,EACxC,WAAW,yBAAyB;QAFpC,aAAQ,GAAR,QAAQ,CAAkB;QAC1B,SAAI,GAAJ,IAAI,CAAoC;QACxC,aAAQ,GAAR,QAAQ,CAA4B;IACpD,CAAC;IAEJ,KAAK,CAAC,OAAO,CAAC,GAAW,EAAE,WAAmB,EAAE,QAAgB,EAAE,KAAa;QAC7E,MAAM,eAAe,CAAC,IAAI,CAAC,QAAQ,EAAE,IAAI,CAAC,QAAQ,EAAE,KAAK,IAAI,EAAE;YAC7D,MAAM,KAAK,GAAG,MAAM,QAAQ,CAAiB,IAAI,CAAC,QAAQ,EAAE,IAAI,CAAC,IAAI,EAAE,EAAE,OAAO,EAAE,EAAE,EAAE,CAAC,CAAC;YACxF,MAAM,WAAW,GAAuD,EAAE,CAAC;YAC3E,KAAK,MAAM,CAAC,SAAS,EAAE,MAAM,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,KAAK,CAAC,OAAO,CAAC,EAAE,CAAC;gBAChE,IAAI,KAAK,GAAG,MAAM,CAAC,OAAO,EAAE,CAAC;oBAC3B,WAAW,CAAC,SAAS,CAAC,GAAG,MAAM,CAAC;gBAClC,CAAC;YACH,CAAC;YACD,MAAM,OAAO,GAAG,WAAW,CAAC,GAAG,CAAC,CAAC;YACjC,IAAI,CAAC,OAAO,IAAI,KAAK,IAAI,OAAO,CAAC,OAAO,EAAE,CAAC;gBACzC,WAAW,CAAC,GAAG,CAAC,GAAG;oBACjB,KAAK,EAAE,CAAC;oBACR,OAAO,EAAE,KAAK,GAAG,QAAQ;iBAC1B,CAAC;YACJ,CAAC;iBAAM,CAAC;gBACN,IAAI,OAAO,CAAC,KAAK,IAAI,WAAW,EAAE,CAAC;oBACjC,MAAM,IAAI,cAAc,CAAC,gCAAgC,EAAE,uBAAuB,CAAC,CAAC;gBACtF,CAAC;gBACD,OAAO,CAAC,KAAK,IAAI,CAAC,CAAC;YACrB,CAAC;YACD,MAAM,IAAI,CAAC,QAAQ,CAAC,KAAK,CAAC,IAAI,CAAC,IAAI,EAAE,aAAa,CAAC,EAAE,OAAO,EAAE,WAAW,EAAE,CAAC,CAAC,CAAC;QAChF,CAAC,CAAC,CAAC;IACL,CAAC;CACF;AAED,MAAM,OAAO,gCAAgC;IAExB;IACA;IACA;IAHnB,YACmB,QAA0B,EAC1B,OAAO,iCAAiC,EACxC,WAAW,yBAAyB;QAFpC,aAAQ,GAAR,QAAQ,CAAkB;QAC1B,SAAI,GAAJ,IAAI,CAAoC;QACxC,aAAQ,GAAR,QAAQ,CAA4B;IACpD,CAAC;IAEI,YAAY,CAAC,OAAgB,EAAE,OAAe,EAAE,YAAoB;QAC1E,OAAO,GAAG,OAAO,CAAC,KAAK,IAAI,OAAO,IAAI,YAAY,EAAE,CAAC;IACvD,CAAC;IAED,KAAK,CAAC,GAAG,CAAC,OAAgB,EAAE,OAAe,EAAE,YAAoB;QAC/D,MAAM,KAAK,GAAG,MAAM,QAAQ,CAAkB,IAAI,CAAC,QAAQ,EAAE,IAAI,CAAC,IAAI,EAAE,EAAE,QAAQ,EAAE,EAAE,EAAE,CAAC,CAAC;QAC1F,OAAO,KAAK,CAAC,QAAQ,CAAC,IAAI,CAAC,YAAY,CAAC,OAAO,EAAE,OAAO,EAAE,YAAY,CAAC,CAAC,IAAI,CAAC,CAAC;IAChF,CAAC;IAED,KAAK,CAAC,MAAM,CAAC,OAAgB,EAAE,OAAe,EAAE,YAAoB;QAClE,OAAO,eAAe,CAAC,IAAI,CAAC,QAAQ,EAAE,IAAI,CAAC,QAAQ,EAAE,KAAK,IAAI,EAAE;YAC9D,MAAM,KAAK,GAAG,MAAM,QAAQ,CAAkB,IAAI,CAAC,QAAQ,EAAE,IAAI,CAAC,IAAI,EAAE,EAAE,QAAQ,EAAE,EAAE,EAAE,CAAC,CAAC;YAC1F,MAAM,GAAG,GAAG,IAAI,CAAC,YAAY,CAAC,OAAO,EAAE,OAAO,EAAE,YAAY,CAAC,CAAC;YAC9D,MAAM,IAAI,GAAG,CAAC,KAAK,CAAC,QAAQ,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC;YAC5C,KAAK,CAAC,QAAQ,CAAC,GAAG,CAAC,GAAG,IAAI,CAAC;YAC3B,MAAM,IAAI,CAAC,QAAQ,CAAC,KAAK,CAAC,IAAI,CAAC,IAAI,EAAE,aAAa,CAAC,KAAK,CAAC,CAAC,CAAC;YAC3D,OAAO,IAAI,CAAC;QACd,CAAC,CAAC,CAAC;IACL,CAAC;CACF;AAED,MAAM,OAAO,0BAA0B;IAElB;IACA;IACA;IAHnB,YACmB,QAA0B,EAC1B,OAAO,yBAAyB,EAChC,WAAW,0BAA0B;QAFrC,aAAQ,GAAR,QAAQ,CAAkB;QAC1B,SAAI,GAAJ,IAAI,CAA4B;QAChC,aAAQ,GAAR,QAAQ,CAA6B;IACrD,CAAC;IAEI,KAAK,CAAC,SAAS;QACrB,OAAO,QAAQ,CAAC,IAAI,CAAC,QAAQ,EAAE,IAAI,CAAC,IAAI,EAAE,EAAE,KAAK,EAAE,EAAE,EAAE,CAAC,CAAC;IAC3D,CAAC;IAED,KAAK,CAAC,QAAQ,CAAC,IAA8B;QAC3C,MAAM,eAAe,CAAC,IAAI,CAAC,QAAQ,EAAE,IAAI,CAAC,QAAQ,EAAE,KAAK,IAAI,EAAE;YAC7D,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,SAAS,EAAE,CAAC;YACrC,MAAM,IAAI,GAAG,KAAK,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC,SAAS,EAAE,EAAE,CAAC,SAAS,CAAC,MAAM,KAAK,IAAI,CAAC,MAAM,CAAC,CAAC;YACjF,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YAChB,MAAM,IAAI,CAAC,QAAQ,CAAC,KAAK,CAAC,IAAI,CAAC,IAAI,EAAE,aAAa,CAAC,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC;QACvE,CAAC,CAAC,CAAC;IACL,CAAC;IAED,KAAK,CAAC,GAAG,CAAC,OAAgB,EAAE,MAAc;QACxC,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,SAAS,EAAE,CAAC;QACrC,OAAO,KAAK,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,IAAI,CAAC,OAAO,CAAC,KAAK,KAAK,OAAO,CAAC,KAAK,IAAI,IAAI,CAAC,MAAM,KAAK,MAAM,CAAC,IAAI,IAAI,CAAC;IAC5G,CAAC;CACF;AAED,MAAM,UAAU,qCAAqC,CACnD,OAAyB,EACzB,UAAqD,EAAE;IAkBvD,IAAI,CAAC,OAAO,CAAC,UAAU,EAAE,CAAC;QACxB,MAAM,IAAI,KAAK,CAAC,kDAAkD,CAAC,CAAC;IACtE,CAAC;IACD,MAAM,QAAQ,GAAG,kCAAkC,CAAC,OAAO,CAAC,CAAC;IAC7D,MAAM,qBAAqB,GAAG,IAAI,gCAAgC,CAAC,OAAO,CAAC,CAAC;IAC5E,MAAM,WAAW,GAAG,IAAI,0BAA0B,CAAC,OAAO,CAAC,CAAC;IAC5D,OAAO;QACL,GAAG,QAAQ;QACX,OAAO,EAAE,IAAI,oBAAoB,CAAC,OAAO,CAAC;QAC1C,OAAO,EAAE,IAAI,iBAAiB,CAAC,OAAO,EAAE,OAAO,CAAC,UAAU,CAAC;QAC3D,KAAK,EAAE,IAAI,YAAY,CAAC,OAAO,CAAC;QAChC,MAAM,EAAE,IAAI,mBAAmB,CAAC;YAC9B,GAAG,CAAC,OAAO,CAAC,MAAM,IAAI,EAAE,CAAC;YACzB,4BAA4B,EAAE,qBAAqB;YACnD,cAAc,EAAE,IAAI,kBAAkB,CAAC,OAAO,CAAC;SAChD,CAAC;QACF,WAAW,EAAE,IAAI,eAAe,CAC9B,OAAO,EACP,4BAA4B,EAC5B,oBAAoB,EACpB,OAAO,CAAC,aAAa,EAAE,SAAS,IAAI,CAAC,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CACpD;QACD,qBAAqB;QACrB,WAAW;KACZ,CAAC;AACJ,CAAC"}

package/dist/vault-core/ports.d.ts

@@ -0,0 +1,101 @@
+import type { AuditEntry, AuditQuery, AgentIdentityRecord, OwnerIdentityRecord, OwnerAuditRequest, OwnerRegisterAgentIdentityCommand, OwnerRegisterCustomHttpFlowCommand, OwnerRegisterOwnerIdentityCommand, CustomHttpFlowDefinition, DispatchInstruction, DispatchRequest, DispatchResult, SecretAlias, SecretId, SecretRecord, VaultPrincipal, VaultWriteSecretCommand, VaultId } from "./contracts.js";
+export interface SecretRepository {
+    save(record: SecretRecord): Promise<void>;
+    delete(secretId: SecretId): Promise<void>;
+    getByAlias(alias: SecretAlias): Promise<SecretRecord | null>;
+    getById(secretId: SecretId): Promise<SecretRecord | null>;
+}
+export interface SecretCustody {
+    store(secretId: SecretId, plaintext: string): Promise<void>;
+    load(secretId: SecretId): Promise<string | null>;
+    delete(secretId: SecretId): Promise<void>;
+}
+export interface PolicyEngine {
+    authorizeWrite(command: VaultWriteSecretCommand): Promise<void>;
+    authorizeDispatch(request: DispatchRequest, record?: SecretRecord | null): Promise<void>;
+}
+export interface AuditLog {
+    append(entry: AuditEntry): Promise<void>;
+    query(query: AuditQuery): Promise<readonly AuditEntry[]>;
+}
+export interface TrustedExecutor {
+    dispatch(instruction: DispatchInstruction, secret: {
+        record: SecretRecord;
+        plaintext: string;
+    }): Promise<DispatchResult>;
+}
+export interface Clock {
+    nowIso(): string;
+}
+export interface IdGenerator {
+    newSecretId(): SecretId;
+    newVersion(): {
+        value: string;
+    };
+    newAuditEntryId(): string;
+}
+export interface AgentProofVerifier {
+    verify(request: DispatchRequest): Promise<void>;
+}
+export interface AgentIdentityRegistry {
+    register(identity: AgentIdentityRecord): Promise<void>;
+    get(vaultId: VaultId, agentId: string): Promise<AgentIdentityRecord | null>;
+}
+export interface OwnerIdentityRegistry {
+    register(identity: OwnerIdentityRecord): Promise<void>;
+    get(vaultId: VaultId, ownerId: string): Promise<OwnerIdentityRecord | null>;
+    hasAny(vaultId: VaultId): Promise<boolean>;
+}
+export interface ReplayGuard {
+    assertNotReplayed(request: DispatchRequest): Promise<void>;
+}
+export interface RateLimitStore {
+    consume(key: string, maxRequests: number, windowMs: number, nowMs: number): Promise<void>;
+}
+export interface CapabilityRevocationRegistry {
+    get(vaultId: VaultId, agentId: string, capabilityId: string): Promise<number> | number;
+    revoke(vaultId: VaultId, agentId: string, capabilityId: string): Promise<number> | number;
+}
+export interface OwnerProofVerifier {
+    verifyWrite(command: Extract<VaultWriteSecretCommand, {
+        kind: "owner.write_secret";
+    }>): Promise<void>;
+    verifyAudit(request: OwnerAuditRequest): Promise<void>;
+    verifyRegisterAgentIdentity(command: OwnerRegisterAgentIdentityCommand): Promise<void>;
+    verifyRegisterOwnerIdentity(command: OwnerRegisterOwnerIdentityCommand): Promise<void>;
+    verifyRegisterCustomFlow(command: OwnerRegisterCustomHttpFlowCommand): Promise<void>;
+}
+export interface CustomHttpFlowRegistry {
+    register(flow: CustomHttpFlowDefinition): Promise<void>;
+    get(vaultId: VaultId, flowId: string): Promise<CustomHttpFlowDefinition | null>;
+}
+export interface VaultCoreDependencies {
+    vaultId: VaultId;
+    secrets: SecretRepository;
+    custody: SecretCustody;
+    policy: PolicyEngine;
+    audit: AuditLog;
+    executor: TrustedExecutor;
+    proofVerifier: AgentProofVerifier;
+    agentIdentities: AgentIdentityRegistry;
+    ownerProofVerifier: OwnerProofVerifier;
+    ownerIdentities: OwnerIdentityRegistry;
+    customFlows: CustomHttpFlowRegistry;
+    replayGuard: ReplayGuard;
+    clock: Clock;
+    ids: IdGenerator;
+}
+export interface VaultCore {
+    readonly vaultId: VaultId;
+    writeSecret(command: VaultWriteSecretCommand): Promise<SecretRecord>;
+    authorizeDispatch(request: DispatchRequest): Promise<import("./contracts.js").DispatchAuthorization>;
+    dispatchSecret(request: DispatchRequest): Promise<DispatchResult>;
+    bootstrapOwnerIdentity(identity: OwnerIdentityRecord): Promise<void>;
+    registerAgentIdentity(command: OwnerRegisterAgentIdentityCommand): Promise<void>;
+    registerOwnerIdentity(command: OwnerRegisterOwnerIdentityCommand): Promise<void>;
+    registerCustomFlow(command: OwnerRegisterCustomHttpFlowCommand): Promise<void>;
+    storeCustomFlowSecret(flow: CustomHttpFlowDefinition, alias: string, plaintext: string): Promise<SecretRecord>;
+    getAudit(actor: VaultPrincipal & {
+        kind: "owner";
+    }, query: AuditQuery, request?: Omit<OwnerAuditRequest, "actor" | "query" | "vaultId">): Promise<readonly AuditEntry[]>;
+}

package/dist/vault-core/ports.js

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=ports.js.map

package/dist/vault-core/ports.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"ports.js","sourceRoot":"","sources":["../../src/vault-core/ports.ts"],"names":[],"mappings":""}

package/dist/vault-ingress/defaults.d.ts

@@ -0,0 +1,14 @@
+import type { AgentDispatchTransport } from "../clients/agent/index.js";
+import type { AgentCapability } from "../vault-core/index.js";
+import type { VaultCapabilityResolver, VaultService } from "./index.js";
+export declare class InMemoryVaultCapabilityResolver implements VaultCapabilityResolver {
+    private readonly _capabilities;
+    set(capability: AgentCapability): void;
+    resolve(vaultId: import("../vault-core/index.js").VaultId, agentId: string, capabilityId: string): Promise<AgentCapability>;
+}
+export declare class LocalVaultTransport implements AgentDispatchTransport {
+    private readonly _vault;
+    private readonly _capabilityId;
+    constructor(_vault: VaultService, _capabilityId: string);
+    dispatch(request: import("../vault-core/index.js").DispatchRequest): Promise<import("../vault-core/index.js").DispatchResult>;
+}

package/dist/vault-ingress/defaults.js

@@ -0,0 +1,41 @@
+export class InMemoryVaultCapabilityResolver {
+    _capabilities = new Map();
+    set(capability) {
+        this._capabilities.set(`${capability.vaultId.value}:${capability.agentId}:${capability.capabilityId}`, capability);
+    }
+    async resolve(vaultId, agentId, capabilityId) {
+        const capability = this._capabilities.get(`${vaultId.value}:${agentId}:${capabilityId}`);
+        if (!capability) {
+            throw new Error("VAULT_CAPABILITY_NOT_FOUND");
+        }
+        return capability;
+    }
+}
+export class LocalVaultTransport {
+    _vault;
+    _capabilityId;
+    constructor(_vault, _capabilityId) {
+        this._vault = _vault;
+        this._capabilityId = _capabilityId;
+    }
+    async dispatch(request) {
+        const response = await this._vault.handleAgentDispatch({
+            vaultId: request.vaultId.value,
+            requestId: request.requestId,
+            requestedAt: request.requestedAt,
+            agentId: request.agent.id,
+            capabilityId: this._capabilityId,
+            secretAlias: request.secretAlias,
+            targetUrl: request.targetUrl,
+            method: request.method,
+            headers: request.headers,
+            body: request.body,
+            proof: { signature: request.proof.signature },
+        });
+        if (!response.ok) {
+            throw new Error(`${response.error.code}:${response.error.message}`);
+        }
+        return response.result;
+    }
+}
+//# sourceMappingURL=defaults.js.map

package/dist/vault-ingress/defaults.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"defaults.js","sourceRoot":"","sources":["../../src/vault-ingress/defaults.ts"],"names":[],"mappings":"AAIA,MAAM,OAAO,+BAA+B;IACzB,aAAa,GAAG,IAAI,GAAG,EAA2B,CAAC;IAEpE,GAAG,CAAC,UAA2B;QAC7B,IAAI,CAAC,aAAa,CAAC,GAAG,CAAC,GAAG,UAAU,CAAC,OAAO,CAAC,KAAK,IAAI,UAAU,CAAC,OAAO,IAAI,UAAU,CAAC,YAAY,EAAE,EAAE,UAAU,CAAC,CAAC;IACrH,CAAC;IAED,KAAK,CAAC,OAAO,CACX,OAAiD,EACjD,OAAe,EACf,YAAoB;QAEpB,MAAM,UAAU,GAAG,IAAI,CAAC,aAAa,CAAC,GAAG,CAAC,GAAG,OAAO,CAAC,KAAK,IAAI,OAAO,IAAI,YAAY,EAAE,CAAC,CAAC;QACzF,IAAI,CAAC,UAAU,EAAE,CAAC;YAChB,MAAM,IAAI,KAAK,CAAC,4BAA4B,CAAC,CAAC;QAChD,CAAC;QACD,OAAO,UAAU,CAAC;IACpB,CAAC;CACF;AAED,MAAM,OAAO,mBAAmB;IAEX;IACA;IAFnB,YACmB,MAAoB,EACpB,aAAqB;QADrB,WAAM,GAAN,MAAM,CAAc;QACpB,kBAAa,GAAb,aAAa,CAAQ;IACrC,CAAC;IAEJ,KAAK,CAAC,QAAQ,CACZ,OAAyD;QAEzD,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,MAAM,CAAC,mBAAmB,CAAC;YACrD,OAAO,EAAE,OAAO,CAAC,OAAO,CAAC,KAAK;YAC9B,SAAS,EAAE,OAAO,CAAC,SAAS;YAC5B,WAAW,EAAE,OAAO,CAAC,WAAW;YAChC,OAAO,EAAE,OAAO,CAAC,KAAK,CAAC,EAAE;YACzB,YAAY,EAAE,IAAI,CAAC,aAAa;YAChC,WAAW,EAAE,OAAO,CAAC,WAAW;YAChC,SAAS,EAAE,OAAO,CAAC,SAAS;YAC5B,MAAM,EAAE,OAAO,CAAC,MAAM;YACtB,OAAO,EAAE,OAAO,CAAC,OAAO;YACxB,IAAI,EAAE,OAAO,CAAC,IAAI;YAClB,KAAK,EAAE,EAAE,SAAS,EAAE,OAAO,CAAC,KAAK,CAAC,SAAS,EAAE;SAC9C,CAAC,CAAC;QACH,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;YACjB,MAAM,IAAI,KAAK,CAAC,GAAG,QAAQ,CAAC,KAAK,CAAC,IAAI,IAAI,QAAQ,CAAC,KAAK,CAAC,OAAO,EAAE,CAAC,CAAC;QACtE,CAAC;QACD,OAAO,QAAQ,CAAC,MAAM,CAAC;IACzB,CAAC;CACF"}

package/dist/vault-ingress/flow-factories.d.ts

@@ -0,0 +1,24 @@
+import type { CustomHttpFlowDefinition } from "../vault-core/index.js";
+export interface OwnerHttpFlowBoundary {
+    mode: "acquire_secret" | "send_secret" | "bidirectional_secret";
+    targetUrl: string;
+    method: string;
+    responseVisibility: "passthrough" | "shape_only";
+    responseSecret?: {
+        kind: "json_field";
+        field: string;
+        storeAlias: string;
+    };
+}
+export declare function createOwnerHttpFlowBoundary(boundary: OwnerHttpFlowBoundary): OwnerHttpFlowBoundary;
+export declare function createStandardAcquireBoundary(input: {
+    targetUrl: string;
+    method?: string;
+    responseField: "access_token" | "refresh_token" | "id_token";
+    storeAlias: string;
+}): OwnerHttpFlowBoundary;
+export declare function createStandardDispatchBoundary(input: {
+    targetUrl: string;
+    method: string;
+}): OwnerHttpFlowBoundary;
+export declare function toOwnerHttpFlowBoundary(flow: Pick<CustomHttpFlowDefinition, "mode" | "targetUrl" | "method" | "responseVisibility" | "responseSecret">): OwnerHttpFlowBoundary;