@vess-id/vess 0.2.0-alpha.1

package/dist/gateway/gateway-client.js

@@ -0,0 +1,501 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.AgentdGatewayClient = exports.GatewayNetworkError = void 0;
+const credential_errors_1 = require("../utils/credential-errors");
+/**
+ * Custom error for network-level failures (connection refused, DNS, timeout).
+ * Used by ExecutionEngine to distinguish network issues from code bugs.
+ */
+class GatewayNetworkError extends Error {
+    cause;
+    constructor(message, cause) {
+        super(message);
+        this.cause = cause;
+        this.name = 'GatewayNetworkError';
+    }
+}
+exports.GatewayNetworkError = GatewayNetworkError;
+class AgentdGatewayClient {
+    baseUrl;
+    getSessionToken;
+    onTokenRefreshed;
+    /** Shared promise for deduplicating concurrent token refresh attempts */
+    refreshPromise = null;
+    constructor(baseUrl, getSessionToken, onTokenRefreshed) {
+        this.baseUrl = baseUrl;
+        this.getSessionToken = getSessionToken;
+        this.onTokenRefreshed = onTokenRefreshed;
+    }
+    buildHeaders() {
+        return {
+            'Content-Type': 'application/json',
+            'X-Device-Session-Token': this.getSessionToken(),
+        };
+    }
+    /**
+     * Wrap fetch calls to convert network errors into GatewayNetworkError.
+     */
+    async fetchWithNetworkError(url, init) {
+        try {
+            return await fetch(url, init);
+        }
+        catch (err) {
+            throw new GatewayNetworkError(`Network error calling ${url}: ${err instanceof Error ? err.message : String(err)}`, err);
+        }
+    }
+    /**
+     * Wrap fetch calls with automatic retry on 401 (token expired).
+     * On 401, attempts to refresh the token and retry the original request.
+     * Does NOT apply to refreshToken itself (to avoid infinite loops).
+     */
+    async fetchWithAuthRetry(url, options) {
+        const response = await this.fetchWithNetworkError(url, options);
+        if (response.status === 401 && this.onTokenRefreshed) {
+            try {
+                // Deduplicate concurrent refreshes — only one refresh in flight at a time
+                if (!this.refreshPromise) {
+                    this.refreshPromise = this.refreshToken().finally(() => {
+                        this.refreshPromise = null;
+                    });
+                }
+                const result = await this.refreshPromise;
+                try {
+                    this.onTokenRefreshed(result.deviceSessionToken);
+                }
+                catch {
+                    // onTokenRefreshed failed (e.g. Keychain write error) — continue with retry anyway
+                }
+                // Retry with new token
+                const retryOptions = {
+                    ...options,
+                    headers: {
+                        ...options.headers,
+                        'X-Device-Session-Token': result.deviceSessionToken,
+                    },
+                };
+                return this.fetchWithNetworkError(url, retryOptions);
+            }
+            catch {
+                // Refresh failed — token may be expired beyond recovery
+                process.stderr.write('[vess] Session token refresh failed. Run "vess login" to re-authenticate.\n');
+                return response;
+            }
+        }
+        return response;
+    }
+    /**
+     * Refresh the device session token.
+     * POST /api/v1/device/refresh
+     * NOTE: Uses fetchWithNetworkError (not fetchWithAuthRetry) to avoid infinite loops.
+     */
+    async refreshToken() {
+        const url = `${this.baseUrl}/api/v1/device/refresh`;
+        const response = await this.fetchWithNetworkError(url, {
+            method: 'POST',
+            headers: this.buildHeaders(),
+            signal: AbortSignal.timeout(10000),
+        });
+        if (!response.ok) {
+            throw new Error(`refreshToken failed: ${response.status}`);
+        }
+        const result = await response.json();
+        return result.data;
+    }
+    // ===========================================================================
+    // v1/agentd/ endpoints
+    // ===========================================================================
+    /**
+     * Issue nonce for VP replay prevention.
+     * POST /api/v1/agentd/nonce
+     */
+    async issueNonce(agentDid) {
+        const url = `${this.baseUrl}/api/v1/agentd/nonce`;
+        const response = await this.fetchWithAuthRetry(url, {
+            method: 'POST',
+            headers: this.buildHeaders(),
+            body: JSON.stringify({ agentDid }),
+            signal: AbortSignal.timeout(10000),
+        });
+        if (!response.ok) {
+            throw new Error(`issueNonce failed: ${response.status}`);
+        }
+        const result = await response.json();
+        return result.data;
+    }
+    /**
+     * Auto-issue VC when grant has autoApprove enabled.
+     * POST /api/v1/agentd/vc/auto-issue
+     */
+    async autoIssueVC(params) {
+        const url = `${this.baseUrl}/api/v1/agentd/vc/auto-issue`;
+        const response = await this.fetchWithAuthRetry(url, {
+            method: 'POST',
+            headers: this.buildHeaders(),
+            body: JSON.stringify(params),
+            signal: AbortSignal.timeout(10000),
+        });
+        if (!response.ok) {
+            throw new Error(`autoIssueVC failed: ${response.status}`);
+        }
+        const result = await response.json();
+        const data = result.data;
+        // API returns null when no auto-issue is available
+        if (!data || !data.autoIssued) {
+            return null;
+        }
+        // Guard: autoIssued=true but credential missing (edge case)
+        if (!data.credential) {
+            return null;
+        }
+        // API returns flat format: { credential: "jwt-string", expiresAt: "ISO-string", ... }
+        // Normalize to AutoIssueVCResult: { credential: { jwt, expiresAt (epoch ms) }, ... }
+        const expiresAt = typeof data.expiresAt === 'string'
+            ? Date.parse(data.expiresAt)
+            : (data.credential?.expiresAt ?? data.expiresAt);
+        // Guard: unparseable expiresAt
+        if (typeof expiresAt !== 'number' || Number.isNaN(expiresAt)) {
+            return null;
+        }
+        return {
+            autoIssued: data.autoIssued,
+            credential: {
+                jwt: typeof data.credential === 'string' ? data.credential : data.credential?.jwt,
+                expiresAt,
+            },
+            actions: data.actions ?? [],
+            ...(data.resources?.length ? { resources: data.resources } : {}),
+            ...(data.metadata != null ? { metadata: data.metadata } : {}),
+        };
+    }
+    /**
+     * Find approved requests by subjectDid.
+     * GET /api/v1/agentd/vc/approved?subjectDid=...
+     */
+    async findApprovedRequests(subjectDid) {
+        const url = `${this.baseUrl}/api/v1/agentd/vc/approved?subjectDid=${encodeURIComponent(subjectDid)}`;
+        const response = await this.fetchWithAuthRetry(url, {
+            method: 'GET',
+            headers: this.buildHeaders(),
+            signal: AbortSignal.timeout(10000),
+        });
+        if (!response.ok) {
+            throw new Error(`findApprovedRequests failed: ${response.status}`);
+        }
+        const result = await response.json();
+        // API returns flat format per item: { credential: "jwt-string", vcExpiresAt: "ISO-string", ... }
+        // Normalize each item to ApprovedRequest: { credential: { jwt, expiresAt (epoch ms) } | undefined }
+        return result.data.map((item) => {
+            const resources = item.resources;
+            // If credential is already in nested format, pass through
+            if (item.credential && typeof item.credential === 'object' && 'jwt' in item.credential) {
+                return { id: item.id, actions: item.actions, credential: item.credential, resources };
+            }
+            // Flat format: credential is a raw JWT string, vcExpiresAt is a separate field
+            if (typeof item.credential === 'string' && item.credential) {
+                const expiresAt = typeof item.vcExpiresAt === 'string'
+                    ? Date.parse(item.vcExpiresAt)
+                    : undefined;
+                return {
+                    id: item.id,
+                    actions: item.actions,
+                    credential: {
+                        jwt: item.credential,
+                        expiresAt: (typeof expiresAt === 'number' && !Number.isNaN(expiresAt)) ? expiresAt : 0,
+                    },
+                    resources,
+                };
+            }
+            // No credential (null/undefined)
+            return { id: item.id, actions: item.actions, resources };
+        });
+    }
+    /**
+     * Check VC revocation status by jti.
+     * GET /api/v1/agentd/vc/status/:jti
+     */
+    async checkVCStatus(jti) {
+        const url = `${this.baseUrl}/api/v1/agentd/vc/status/${encodeURIComponent(jti)}`;
+        const response = await this.fetchWithAuthRetry(url, {
+            method: 'GET',
+            headers: this.buildHeaders(),
+            signal: AbortSignal.timeout(10000),
+        });
+        if (!response.ok) {
+            return { valid: false, reason: `VC status check failed: ${response.status}` };
+        }
+        const result = await response.json();
+        return result.data;
+    }
+    /**
+     * VP verify + grant authorization check (gateway_verified_local).
+     * POST /api/v1/agentd/vp/verify-authorize
+     */
+    async verifyAndAuthorize(vpJwt, challenge, domain, action, holderDid) {
+        const url = `${this.baseUrl}/api/v1/agentd/vp/verify-authorize`;
+        const response = await this.fetchWithAuthRetry(url, {
+            method: 'POST',
+            headers: this.buildHeaders(),
+            body: JSON.stringify({ vpJwt, challenge, domain, action, holderDid }),
+            signal: AbortSignal.timeout(10000),
+        });
+        if (!response.ok) {
+            return { authorized: false, reason: `VP verify-authorize failed: ${response.status}` };
+        }
+        const result = await response.json();
+        return result.data;
+    }
+    // ===========================================================================
+    // api/v1/ endpoints (spec Appendix B)
+    // ===========================================================================
+    /**
+     * Register an agent in the API Agent table so it appears in agents.html / timeline.html.
+     * POST /api/v1/agents/create
+     *
+     * Requires X-Project-Id header for ProjectRoleGuard.
+     * Treats 409 Conflict as success (idempotent — agent already exists).
+     */
+    async registerAgent(params) {
+        const url = `${this.baseUrl}/api/v1/agents/create`;
+        const response = await this.fetchWithAuthRetry(url, {
+            method: 'POST',
+            headers: {
+                ...this.buildHeaders(),
+                'X-Project-Id': params.projectId,
+            },
+            body: JSON.stringify({
+                agentDid: params.agentDid,
+                name: params.name,
+                type: params.type,
+                publicKey: params.publicKey,
+                deviceInfo: params.deviceInfo,
+            }),
+            signal: AbortSignal.timeout(10000),
+        });
+        // 409 Conflict = agent already registered — treat as success
+        if (response.status === 409) {
+            return {
+                id: '',
+                did: params.agentDid,
+                name: params.name,
+                type: params.type,
+                status: 'active',
+            };
+        }
+        if (!response.ok) {
+            const body = await response.text().catch(() => '');
+            throw new Error(`registerAgent failed: ${response.status} ${response.statusText} - ${body}`);
+        }
+        const result = await response.json();
+        return result.agent;
+    }
+    /**
+     * Inline Grant + VC issuance (spec §6.2).
+     * POST /api/v1/grant/quick-approve
+     */
+    async quickApprove(params) {
+        const url = `${this.baseUrl}/api/v1/grant/quick-approve`;
+        const response = await this.fetchWithAuthRetry(url, {
+            method: 'POST',
+            headers: this.buildHeaders(),
+            body: JSON.stringify(params),
+            signal: AbortSignal.timeout(10000),
+        });
+        if (!response.ok) {
+            const body = await response.text().catch(() => '');
+            throw new Error(`quickApprove failed: ${response.status} ${response.statusText} - ${body}`);
+        }
+        const result = await response.json();
+        if (!result.success) {
+            throw new Error(`quickApprove failed: ${JSON.stringify(result)}`);
+        }
+        // Enrich resources with provider derived from the first action
+        const data = result.data;
+        const provider = params.actions[0]?.split('.')[0] || '';
+        data.resources = data.grant?.resources?.map((r) => ({ ...r, provider }));
+        return data;
+    }
+    /**
+     * Create an OOB approval request for high-risk actions.
+     * POST /api/v1/agentd/approval/request
+     */
+    async createApprovalRequest(params) {
+        const url = `${this.baseUrl}/api/v1/agentd/approval/request`;
+        const response = await this.fetchWithAuthRetry(url, {
+            method: 'POST',
+            headers: this.buildHeaders(),
+            body: JSON.stringify(params),
+            signal: AbortSignal.timeout(10000),
+        });
+        if (!response.ok) {
+            const text = await response.text().catch(() => '');
+            throw new Error(`createApprovalRequest failed: ${response.status} ${text}`);
+        }
+        const result = await response.json();
+        return result.data;
+    }
+    /**
+     * Poll the status of an OOB approval request.
+     * GET /api/v1/agentd/approval/:requestId/status
+     */
+    async getApprovalStatus(requestId) {
+        const url = `${this.baseUrl}/api/v1/agentd/approval/${encodeURIComponent(requestId)}/status`;
+        const response = await this.fetchWithAuthRetry(url, {
+            method: 'GET',
+            headers: this.buildHeaders(),
+            signal: AbortSignal.timeout(10000),
+        });
+        if (!response.ok) {
+            const text = await response.text().catch(() => '');
+            throw new Error(`getApprovalStatus failed: ${response.status} ${text}`);
+        }
+        const result = await response.json();
+        return result.data;
+    }
+    /**
+     * One-time grant atomic consumption (spec §6.2).
+     * POST /api/v1/grant/consume
+     */
+    async consumeGrant(grantId) {
+        const url = `${this.baseUrl}/api/v1/grant/consume`;
+        const response = await this.fetchWithAuthRetry(url, {
+            method: 'POST',
+            headers: this.buildHeaders(),
+            body: JSON.stringify({ grantId }),
+            signal: AbortSignal.timeout(10000),
+        });
+        if (!response.ok) {
+            return { consumed: false, reason: `consumeGrant failed: ${response.status}` };
+        }
+        const result = await response.json();
+        return result.data;
+    }
+    /**
+     * SaaS tool execution via Gateway (VP in Authorization header).
+     * POST /api/v1/tool/invoke
+     */
+    async invokeTool(params) {
+        const url = `${this.baseUrl}/api/v1/tool/invoke`;
+        const response = await this.fetchWithAuthRetry(url, {
+            method: 'POST',
+            headers: {
+                ...this.buildHeaders(),
+                'Authorization': `Bearer ${params.vpJwt}`,
+                'x-holder-did': params.holderDid,
+                'x-auth-challenge': params.vpChallenge,
+            },
+            body: JSON.stringify({
+                tool: params.action.split('.')[0],
+                action: params.action,
+                params: params.parameters,
+                holderDid: params.holderDid,
+                vpChallenge: params.vpChallenge,
+                vpDomain: params.vpDomain,
+            }),
+            signal: AbortSignal.timeout(30000),
+        });
+        if (!response.ok) {
+            const body = await response.text().catch(() => '');
+            // Parse structured error codes (e.g., RESOURCE_MISMATCH, CREDENTIAL_INVALID)
+            try {
+                const parsed = JSON.parse(body);
+                if (parsed.code === 'RESOURCE_MISMATCH') {
+                    return {
+                        success: false,
+                        error: parsed.message || `invokeTool failed: ${response.status}`,
+                        errorCode: 'RESOURCE_MISMATCH',
+                        allowedResources: parsed.allowedResources,
+                        requestedResource: parsed.requestedResource,
+                    };
+                }
+            }
+            catch { /* not JSON or no code field, fall through */ }
+            // Detect credential-invalid errors (expired VC, invalid VP, etc.)
+            // NOTE: Any 401 from invokeTool is treated as credential-invalid since this endpoint
+            // is always VP-authenticated — non-VC auth failures cannot occur here.
+            const errorMessage = body;
+            const isCredentialInvalid = response.status === 401 ||
+                (0, credential_errors_1.isCredentialInvalidError)(errorMessage);
+            if (isCredentialInvalid) {
+                return {
+                    success: false,
+                    error: errorMessage || `invokeTool failed: ${response.status}`,
+                    errorCode: 'CREDENTIAL_INVALID',
+                };
+            }
+            return { success: false, error: `invokeTool failed: ${response.status} - ${body}` };
+        }
+        const result = await response.json();
+        return result;
+    }
+    /**
+     * Resolve a human-readable resource identifier to its canonical ID.
+     * POST /api/v1/agentd/resource/resolve
+     */
+    async resolveResource(params) {
+        const url = `${this.baseUrl}/api/v1/agentd/resource/resolve`;
+        const response = await this.fetchWithAuthRetry(url, {
+            method: 'POST',
+            headers: this.buildHeaders(),
+            body: JSON.stringify(params),
+            signal: AbortSignal.timeout(10000),
+        });
+        if (!response.ok) {
+            throw new Error(`resolveResource failed: ${response.status}`);
+        }
+        const result = await response.json();
+        return result.data;
+    }
+    // ===========================================================================
+    // Existing endpoints
+    // ===========================================================================
+    /**
+     * Fetch org-level policy for a project (spec §7.6).
+     */
+    async fetchOrgPolicy(projectId) {
+        const url = `${this.baseUrl}/api/v1/grant/policy/${encodeURIComponent(projectId)}`;
+        const response = await this.fetchWithAuthRetry(url, {
+            method: 'GET',
+            headers: this.buildHeaders(),
+            signal: AbortSignal.timeout(10000),
+        });
+        if (!response.ok) {
+            throw new Error(`fetchOrgPolicy failed: ${response.status}`);
+        }
+        const result = await response.json();
+        return result.data;
+    }
+    /**
+     * Verify a VP with the Gateway (spec §7.4 gateway_verified_local).
+     * @deprecated Use verifyAndAuthorize instead for full VP+grant check.
+     */
+    async verifyVP(vpJwt, nonce, domain) {
+        const url = `${this.baseUrl}/api/v1/vp/verify`;
+        const response = await this.fetchWithAuthRetry(url, {
+            method: 'POST',
+            headers: this.buildHeaders(),
+            body: JSON.stringify({ vpJwt, nonce, domain }),
+            signal: AbortSignal.timeout(10000),
+        });
+        if (!response.ok) {
+            return { valid: false, reason: `VP verification failed: ${response.status}` };
+        }
+        return await response.json();
+    }
+    /**
+     * Check if Gateway is reachable.
+     */
+    async isReachable() {
+        try {
+            const response = await fetch(`${this.baseUrl}/health`, {
+                method: 'GET',
+                signal: AbortSignal.timeout(5000),
+            });
+            return response.ok;
+        }
+        catch {
+            return false;
+        }
+    }
+}
+exports.AgentdGatewayClient = AgentdGatewayClient;
+//# sourceMappingURL=gateway-client.js.map

package/dist/gateway/gateway-client.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"gateway-client.js","sourceRoot":"","sources":["../../src/gateway/gateway-client.ts"],"names":[],"mappings":";;;AAAA,kEAAqE;AAwKrE;;;GAGG;AACH,MAAa,mBAAoB,SAAQ,KAAK;IACC;IAA7C,YAAY,OAAe,EAAkB,KAAe;QAC1D,KAAK,CAAC,OAAO,CAAC,CAAA;QAD6B,UAAK,GAAL,KAAK,CAAU;QAE1D,IAAI,CAAC,IAAI,GAAG,qBAAqB,CAAA;IACnC,CAAC;CACF;AALD,kDAKC;AAED,MAAa,mBAAmB;IAKX;IACA;IACA;IANnB,yEAAyE;IACjE,cAAc,GAAsE,IAAI,CAAA;IAEhG,YACmB,OAAe,EACf,eAA6B,EAC7B,gBAA6C;QAF7C,YAAO,GAAP,OAAO,CAAQ;QACf,oBAAe,GAAf,eAAe,CAAc;QAC7B,qBAAgB,GAAhB,gBAAgB,CAA6B;IAC7D,CAAC;IAEI,YAAY;QAClB,OAAO;YACL,cAAc,EAAE,kBAAkB;YAClC,wBAAwB,EAAE,IAAI,CAAC,eAAe,EAAE;SACjD,CAAA;IACH,CAAC;IAED;;OAEG;IACK,KAAK,CAAC,qBAAqB,CAAC,GAAW,EAAE,IAAiB;QAChE,IAAI,CAAC;YACH,OAAO,MAAM,KAAK,CAAC,GAAG,EAAE,IAAI,CAAC,CAAA;QAC/B,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,MAAM,IAAI,mBAAmB,CAC3B,yBAAyB,GAAG,KAAK,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,EACnF,GAAG,CACJ,CAAA;QACH,CAAC;IACH,CAAC;IAED;;;;OAIG;IACK,KAAK,CAAC,kBAAkB,CAAC,GAAW,EAAE,OAAoB;QAChE,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,qBAAqB,CAAC,GAAG,EAAE,OAAO,CAAC,CAAA;QAC/D,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG,IAAI,IAAI,CAAC,gBAAgB,EAAE,CAAC;YACrD,IAAI,CAAC;gBACH,0EAA0E;gBAC1E,IAAI,CAAC,IAAI,CAAC,cAAc,EAAE,CAAC;oBACzB,IAAI,CAAC,cAAc,GAAG,IAAI,CAAC,YAAY,EAAE,CAAC,OAAO,CAAC,GAAG,EAAE;wBACrD,IAAI,CAAC,cAAc,GAAG,IAAI,CAAA;oBAC5B,CAAC,CAAC,CAAA;gBACJ,CAAC;gBACD,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,cAAc,CAAA;gBACxC,IAAI,CAAC;oBACH,IAAI,CAAC,gBAAgB,CAAC,MAAM,CAAC,kBAAkB,CAAC,CAAA;gBAClD,CAAC;gBAAC,MAAM,CAAC;oBACP,mFAAmF;gBACrF,CAAC;gBACD,uBAAuB;gBACvB,MAAM,YAAY,GAAG;oBACnB,GAAG,OAAO;oBACV,OAAO,EAAE;wBACP,GAAG,OAAO,CAAC,OAAiC;wBAC5C,wBAAwB,EAAE,MAAM,CAAC,kBAAkB;qBACpD;iBACF,CAAA;gBACD,OAAO,IAAI,CAAC,qBAAqB,CAAC,GAAG,EAAE,YAAY,CAAC,CAAA;YACtD,CAAC;YAAC,MAAM,CAAC;gBACP,wDAAwD;gBACxD,OAAO,CAAC,MAAM,CAAC,KAAK,CAClB,6EAA6E,CAC9E,CAAA;gBACD,OAAO,QAAQ,CAAA;YACjB,CAAC;QACH,CAAC;QACD,OAAO,QAAQ,CAAA;IACjB,CAAC;IAED;;;;OAIG;IACH,KAAK,CAAC,YAAY;QAChB,MAAM,GAAG,GAAG,GAAG,IAAI,CAAC,OAAO,wBAAwB,CAAA;QACnD,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,qBAAqB,CAAC,GAAG,EAAE;YACrD,MAAM,EAAE,MAAM;YACd,OAAO,EAAE,IAAI,CAAC,YAAY,EAAE;YAC5B,MAAM,EAAE,WAAW,CAAC,OAAO,CAAC,KAAK,CAAC;SACnC,CAAC,CAAA;QACF,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;YACjB,MAAM,IAAI,KAAK,CAAC,wBAAwB,QAAQ,CAAC,MAAM,EAAE,CAAC,CAAA;QAC5D,CAAC;QACD,MAAM,MAAM,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAmF,CAAA;QACrH,OAAO,MAAM,CAAC,IAAI,CAAA;IACpB,CAAC;IAED,8EAA8E;IAC9E,uBAAuB;IACvB,8EAA8E;IAE9E;;;OAGG;IACH,KAAK,CAAC,UAAU,CAAC,QAAgB;QAC/B,MAAM,GAAG,GAAG,GAAG,IAAI,CAAC,OAAO,sBAAsB,CAAA;QACjD,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,kBAAkB,CAAC,GAAG,EAAE;YAClD,MAAM,EAAE,MAAM;YACd,OAAO,EAAE,IAAI,CAAC,YAAY,EAAE;YAC5B,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,QAAQ,EAAE,CAAC;YAClC,MAAM,EAAE,WAAW,CAAC,OAAO,CAAC,KAAK,CAAC;SACnC,CAAC,CAAA;QAEF,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;YACjB,MAAM,IAAI,KAAK,CAAC,sBAAsB,QAAQ,CAAC,MAAM,EAAE,CAAC,CAAA;QAC1D,CAAC;QAED,MAAM,MAAM,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAmD,CAAA;QACrF,OAAO,MAAM,CAAC,IAAI,CAAA;IACpB,CAAC;IAED;;;OAGG;IACH,KAAK,CAAC,WAAW,CAAC,MAAyB;QACzC,MAAM,GAAG,GAAG,GAAG,IAAI,CAAC,OAAO,8BAA8B,CAAA;QACzD,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,kBAAkB,CAAC,GAAG,EAAE;YAClD,MAAM,EAAE,MAAM;YACd,OAAO,EAAE,IAAI,CAAC,YAAY,EAAE;YAC5B,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC;YAC5B,MAAM,EAAE,WAAW,CAAC,OAAO,CAAC,KAAK,CAAC;SACnC,CAAC,CAAA;QAEF,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;YACjB,MAAM,IAAI,KAAK,CAAC,uBAAuB,QAAQ,CAAC,MAAM,EAAE,CAAC,CAAA;QAC3D,CAAC;QAED,MAAM,MAAM,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAqC,CAAA;QACvE,MAAM,IAAI,GAAG,MAAM,CAAC,IAAI,CAAA;QAExB,mDAAmD;QACnD,IAAI,CAAC,IAAI,IAAI,CAAC,IAAI,CAAC,UAAU,EAAE,CAAC;YAC9B,OAAO,IAAI,CAAA;QACb,CAAC;QAED,4DAA4D;QAC5D,IAAI,CAAC,IAAI,CAAC,UAAU,EAAE,CAAC;YACrB,OAAO,IAAI,CAAA;QACb,CAAC;QAED,sFAAsF;QACtF,qFAAqF;QACrF,MAAM,SAAS,GAAG,OAAO,IAAI,CAAC,SAAS,KAAK,QAAQ;YAClD,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,SAAS,CAAC;YAC5B,CAAC,CAAC,CAAC,IAAI,CAAC,UAAU,EAAE,SAAS,IAAI,IAAI,CAAC,SAAS,CAAC,CAAA;QAElD,+BAA+B;QAC/B,IAAI,OAAO,SAAS,KAAK,QAAQ,IAAI,MAAM,CAAC,KAAK,CAAC,SAAS,CAAC,EAAE,CAAC;YAC7D,OAAO,IAAI,CAAA;QACb,CAAC;QAED,OAAO;YACL,UAAU,EAAE,IAAI,CAAC,UAAU;YAC3B,UAAU,EAAE;gBACV,GAAG,EAAE,OAAO,IAAI,CAAC,UAAU,KAAK,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC,CAAC,IAAI,CAAC,UAAU,EAAE,GAAG;gBACjF,SAAS;aACV;YACD,OAAO,EAAE,IAAI,CAAC,OAAO,IAAI,EAAE;YAC3B,GAAG,CAAC,IAAI,CAAC,SAAS,EAAE,MAAM,CAAC,CAAC,CAAC,EAAE,SAAS,EAAE,IAAI,CAAC,SAAS,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;YAChE,GAAG,CAAC,IAAI,CAAC,QAAQ,IAAI,IAAI,CAAC,CAAC,CAAC,EAAE,QAAQ,EAAE,IAAI,CAAC,QAAQ,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;SAC9D,CAAA;IACH,CAAC;IAED;;;OAGG;IACH,KAAK,CAAC,oBAAoB,CAAC,UAAkB;QAC3C,MAAM,GAAG,GAAG,GAAG,IAAI,CAAC,OAAO,yCAAyC,kBAAkB,CAAC,UAAU,CAAC,EAAE,CAAA;QACpG,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,kBAAkB,CAAC,GAAG,EAAE;YAClD,MAAM,EAAE,KAAK;YACb,OAAO,EAAE,IAAI,CAAC,YAAY,EAAE;YAC5B,MAAM,EAAE,WAAW,CAAC,OAAO,CAAC,KAAK,CAAC;SACnC,CAAC,CAAA;QAEF,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;YACjB,MAAM,IAAI,KAAK,CAAC,gCAAgC,QAAQ,CAAC,MAAM,EAAE,CAAC,CAAA;QACpE,CAAC;QAED,MAAM,MAAM,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAuC,CAAA;QAEzE,iGAAiG;QACjG,oGAAoG;QACpG,OAAO,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,IAAS,EAAmB,EAAE;YACpD,MAAM,SAAS,GAAG,IAAI,CAAC,SAAyC,CAAA;YAEhE,0DAA0D;YAC1D,IAAI,IAAI,CAAC,UAAU,IAAI,OAAO,IAAI,CAAC,UAAU,KAAK,QAAQ,IAAI,KAAK,IAAI,IAAI,CAAC,UAAU,EAAE,CAAC;gBACvF,OAAO,EAAE,EAAE,EAAE,IAAI,CAAC,EAAE,EAAE,OAAO,EAAE,IAAI,CAAC,OAAO,EAAE,UAAU,EAAE,IAAI,CAAC,UAAU,EAAE,SAAS,EAAE,CAAA;YACvF,CAAC;YAED,+EAA+E;YAC/E,IAAI,OAAO,IAAI,CAAC,UAAU,KAAK,QAAQ,IAAI,IAAI,CAAC,UAAU,EAAE,CAAC;gBAC3D,MAAM,SAAS,GAAG,OAAO,IAAI,CAAC,WAAW,KAAK,QAAQ;oBACpD,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,WAAW,CAAC;oBAC9B,CAAC,CAAC,SAAS,CAAA;gBACb,OAAO;oBACL,EAAE,EAAE,IAAI,CAAC,EAAE;oBACX,OAAO,EAAE,IAAI,CAAC,OAAO;oBACrB,UAAU,EAAE;wBACV,GAAG,EAAE,IAAI,CAAC,UAAU;wBACpB,SAAS,EAAE,CAAC,OAAO,SAAS,KAAK,QAAQ,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC;qBACvF;oBACD,SAAS;iBACV,CAAA;YACH,CAAC;YAED,iCAAiC;YACjC,OAAO,EAAE,EAAE,EAAE,IAAI,CAAC,EAAE,EAAE,OAAO,EAAE,IAAI,CAAC,OAAO,EAAE,SAAS,EAAE,CAAA;QAC1D,CAAC,CAAC,CAAA;IACJ,CAAC;IAED;;;OAGG;IACH,KAAK,CAAC,aAAa,CAAC,GAAW;QAC7B,MAAM,GAAG,GAAG,GAAG,IAAI,CAAC,OAAO,4BAA4B,kBAAkB,CAAC,GAAG,CAAC,EAAE,CAAA;QAChF,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,kBAAkB,CAAC,GAAG,EAAE;YAClD,MAAM,EAAE,KAAK;YACb,OAAO,EAAE,IAAI,CAAC,YAAY,EAAE;YAC5B,MAAM,EAAE,WAAW,CAAC,OAAO,CAAC,KAAK,CAAC;SACnC,CAAC,CAAA;QAEF,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;YACjB,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,2BAA2B,QAAQ,CAAC,MAAM,EAAE,EAAE,CAAA;QAC/E,CAAC;QAED,MAAM,MAAM,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAqE,CAAA;QACvG,OAAO,MAAM,CAAC,IAAI,CAAA;IACpB,CAAC;IAED;;;OAGG;IACH,KAAK,CAAC,kBAAkB,CACtB,KAAa,EACb,SAAiB,EACjB,MAAc,EACd,MAAc,EACd,SAAiB;QAEjB,MAAM,GAAG,GAAG,GAAG,IAAI,CAAC,OAAO,oCAAoC,CAAA;QAC/D,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,kBAAkB,CAAC,GAAG,EAAE;YAClD,MAAM,EAAE,MAAM;YACd,OAAO,EAAE,IAAI,CAAC,YAAY,EAAE;YAC5B,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,SAAS,EAAE,MAAM,EAAE,MAAM,EAAE,SAAS,EAAE,CAAC;YACrE,MAAM,EAAE,WAAW,CAAC,OAAO,CAAC,KAAK,CAAC;SACnC,CAAC,CAAA;QAEF,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;YACjB,OAAO,EAAE,UAAU,EAAE,KAAK,EAAE,MAAM,EAAE,+BAA+B,QAAQ,CAAC,MAAM,EAAE,EAAE,CAAA;QACxF,CAAC;QAED,MAAM,MAAM,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAuD,CAAA;QACzF,OAAO,MAAM,CAAC,IAAI,CAAA;IACpB,CAAC;IAED,8EAA8E;IAC9E,sCAAsC;IACtC,8EAA8E;IAE9E;;;;;;OAMG;IACH,KAAK,CAAC,aAAa,CAAC,MAA2B;QAC7C,MAAM,GAAG,GAAG,GAAG,IAAI,CAAC,OAAO,uBAAuB,CAAA;QAClD,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,kBAAkB,CAAC,GAAG,EAAE;YAClD,MAAM,EAAE,MAAM;YACd,OAAO,EAAE;gBACP,GAAG,IAAI,CAAC,YAAY,EAAE;gBACtB,cAAc,EAAE,MAAM,CAAC,SAAS;aACjC;YACD,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC;gBACnB,QAAQ,EAAE,MAAM,CAAC,QAAQ;gBACzB,IAAI,EAAE,MAAM,CAAC,IAAI;gBACjB,IAAI,EAAE,MAAM,CAAC,IAAI;gBACjB,SAAS,EAAE,MAAM,CAAC,SAAS;gBAC3B,UAAU,EAAE,MAAM,CAAC,UAAU;aAC9B,CAAC;YACF,MAAM,EAAE,WAAW,CAAC,OAAO,CAAC,KAAK,CAAC;SACnC,CAAC,CAAA;QAEF,6DAA6D;QAC7D,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC;YAC5B,OAAO;gBACL,EAAE,EAAE,EAAE;gBACN,GAAG,EAAE,MAAM,CAAC,QAAQ;gBACpB,IAAI,EAAE,MAAM,CAAC,IAAI;gBACjB,IAAI,EAAE,MAAM,CAAC,IAAI;gBACjB,MAAM,EAAE,QAAQ;aACjB,CAAA;QACH,CAAC;QAED,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;YACjB,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,EAAE,CAAC,CAAA;YAClD,MAAM,IAAI,KAAK,CAAC,yBAAyB,QAAQ,CAAC,MAAM,IAAI,QAAQ,CAAC,UAAU,MAAM,IAAI,EAAE,CAAC,CAAA;QAC9F,CAAC;QAED,MAAM,MAAM,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAsD,CAAA;QACxF,OAAO,MAAM,CAAC,KAAK,CAAA;IACrB,CAAC;IAED;;;OAGG;IACH,KAAK,CAAC,YAAY,CAAC,MAA0B;QAC3C,MAAM,GAAG,GAAG,GAAG,IAAI,CAAC,OAAO,6BAA6B,CAAA;QACxD,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,kBAAkB,CAAC,GAAG,EAAE;YAClD,MAAM,EAAE,MAAM;YACd,OAAO,EAAE,IAAI,CAAC,YAAY,EAAE;YAC5B,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC;YAC5B,MAAM,EAAE,WAAW,CAAC,OAAO,CAAC,KAAK,CAAC;SACnC,CAAC,CAAA;QAEF,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;YACjB,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,EAAE,CAAC,CAAA;YAClD,MAAM,IAAI,KAAK,CAAC,wBAAwB,QAAQ,CAAC,MAAM,IAAI,QAAQ,CAAC,UAAU,MAAM,IAAI,EAAE,CAAC,CAAA;QAC7F,CAAC;QAED,MAAM,MAAM,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAoD,CAAA;QACtF,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC;YACpB,MAAM,IAAI,KAAK,CAAC,wBAAwB,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,EAAE,CAAC,CAAA;QACnE,CAAC;QAED,+DAA+D;QAC/D,MAAM,IAAI,GAAG,MAAM,CAAC,IAAI,CAAA;QACxB,MAAM,QAAQ,GAAG,MAAM,CAAC,OAAO,CAAC,CAAC,CAAC,EAAE,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,CAAA;QACvD,IAAI,CAAC,SAAS,GAAG,IAAI,CAAC,KAAK,EAAE,SAAS,EAAE,GAAG,CAAC,CAAC,CAAM,EAAE,EAAE,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE,QAAQ,EAAE,CAAC,CAAC,CAAA;QAE7E,OAAO,IAAI,CAAA;IACb,CAAC;IAED;;;OAGG;IACH,KAAK,CAAC,qBAAqB,CAAC,MAAmC;QAC7D,MAAM,GAAG,GAAG,GAAG,IAAI,CAAC,OAAO,iCAAiC,CAAA;QAC5D,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,kBAAkB,CAAC,GAAG,EAAE;YAClD,MAAM,EAAE,MAAM;YACd,OAAO,EAAE,IAAI,CAAC,YAAY,EAAE;YAC5B,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC;YAC5B,MAAM,EAAE,WAAW,CAAC,OAAO,CAAC,KAAK,CAAC;SACnC,CAAC,CAAA;QACF,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;YACjB,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,EAAE,CAAC,CAAA;YAClD,MAAM,IAAI,KAAK,CAAC,iCAAiC,QAAQ,CAAC,MAAM,IAAI,IAAI,EAAE,CAAC,CAAA;QAC7E,CAAC;QACD,MAAM,MAAM,GAAG,MAAM,QAAQ,CAAC,IAAI,EAA6D,CAAA;QAC/F,OAAO,MAAM,CAAC,IAAI,CAAA;IACpB,CAAC;IAED;;;OAGG;IACH,KAAK,CAAC,iBAAiB,CAAC,SAAiB;QACvC,MAAM,GAAG,GAAG,GAAG,IAAI,CAAC,OAAO,2BAA2B,kBAAkB,CAAC,SAAS,CAAC,SAAS,CAAA;QAC5F,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,kBAAkB,CAAC,GAAG,EAAE;YAClD,MAAM,EAAE,KAAK;YACb,OAAO,EAAE,IAAI,CAAC,YAAY,EAAE;YAC5B,MAAM,EAAE,WAAW,CAAC,OAAO,CAAC,KAAK,CAAC;SACnC,CAAC,CAAA;QACF,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;YACjB,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,EAAE,CAAC,CAAA;YAClD,MAAM,IAAI,KAAK,CAAC,6BAA6B,QAAQ,CAAC,MAAM,IAAI,IAAI,EAAE,CAAC,CAAA;QACzE,CAAC;QACD,MAAM,MAAM,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAsD,CAAA;QACxF,OAAO,MAAM,CAAC,IAAI,CAAA;IACpB,CAAC;IAED;;;OAGG;IACH,KAAK,CAAC,YAAY,CAAC,OAAe;QAChC,MAAM,GAAG,GAAG,GAAG,IAAI,CAAC,OAAO,uBAAuB,CAAA;QAClD,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,kBAAkB,CAAC,GAAG,EAAE;YAClD,MAAM,EAAE,MAAM;YACd,OAAO,EAAE,IAAI,CAAC,YAAY,EAAE;YAC5B,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,OAAO,EAAE,CAAC;YACjC,MAAM,EAAE,WAAW,CAAC,OAAO,CAAC,KAAK,CAAC;SACnC,CAAC,CAAA;QAEF,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;YACjB,OAAO,EAAE,QAAQ,EAAE,KAAK,EAAE,MAAM,EAAE,wBAAwB,QAAQ,CAAC,MAAM,EAAE,EAAE,CAAA;QAC/E,CAAC;QAED,MAAM,MAAM,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAoD,CAAA;QACtF,OAAO,MAAM,CAAC,IAAI,CAAA;IACpB,CAAC;IAED;;;OAGG;IACH,KAAK,CAAC,UAAU,CAAC,MAAwB;QACvC,MAAM,GAAG,GAAG,GAAG,IAAI,CAAC,OAAO,qBAAqB,CAAA;QAChD,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,kBAAkB,CAAC,GAAG,EAAE;YAClD,MAAM,EAAE,MAAM;YACd,OAAO,EAAE;gBACP,GAAG,IAAI,CAAC,YAAY,EAAE;gBACtB,eAAe,EAAE,UAAU,MAAM,CAAC,KAAK,EAAE;gBACzC,cAAc,EAAE,MAAM,CAAC,SAAS;gBAChC,kBAAkB,EAAE,MAAM,CAAC,WAAW;aACvC;YACD,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC;gBACnB,IAAI,EAAE,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;gBACjC,MAAM,EAAE,MAAM,CAAC,MAAM;gBACrB,MAAM,EAAE,MAAM,CAAC,UAAU;gBACzB,SAAS,EAAE,MAAM,CAAC,SAAS;gBAC3B,WAAW,EAAE,MAAM,CAAC,WAAW;gBAC/B,QAAQ,EAAE,MAAM,CAAC,QAAQ;aAC1B,CAAC;YACF,MAAM,EAAE,WAAW,CAAC,OAAO,CAAC,KAAK,CAAC;SACnC,CAAC,CAAA;QAEF,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;YACjB,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,EAAE,CAAC,CAAA;YAClD,6EAA6E;YAC7E,IAAI,CAAC;gBACH,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAA;gBAC/B,IAAI,MAAM,CAAC,IAAI,KAAK,mBAAmB,EAAE,CAAC;oBACxC,OAAO;wBACL,OAAO,EAAE,KAAK;wBACd,KAAK,EAAE,MAAM,CAAC,OAAO,IAAI,sBAAsB,QAAQ,CAAC,MAAM,EAAE;wBAChE,SAAS,EAAE,mBAAmB;wBAC9B,gBAAgB,EAAE,MAAM,CAAC,gBAAgB;wBACzC,iBAAiB,EAAE,MAAM,CAAC,iBAAiB;qBAC5C,CAAA;gBACH,CAAC;YACH,CAAC;YAAC,MAAM,CAAC,CAAC,6CAA6C,CAAC,CAAC;YAEzD,kEAAkE;YAClE,qFAAqF;YACrF,uEAAuE;YACvE,MAAM,YAAY,GAAG,IAAI,CAAA;YACzB,MAAM,mBAAmB,GACvB,QAAQ,CAAC,MAAM,KAAK,GAAG;gBACvB,IAAA,4CAAwB,EAAC,YAAY,CAAC,CAAA;YAExC,IAAI,mBAAmB,EAAE,CAAC;gBACxB,OAAO;oBACL,OAAO,EAAE,KAAK;oBACd,KAAK,EAAE,YAAY,IAAI,sBAAsB,QAAQ,CAAC,MAAM,EAAE;oBAC9D,SAAS,EAAE,oBAAoB;iBAChC,CAAA;YACH,CAAC;YAED,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,sBAAsB,QAAQ,CAAC,MAAM,MAAM,IAAI,EAAE,EAAE,CAAA;QACrF,CAAC;QAED,MAAM,MAAM,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAsB,CAAA;QACxD,OAAO,MAAM,CAAA;IACf,CAAC;IAED;;;OAGG;IACH,KAAK,CAAC,eAAe,CAAC,MAKrB;QACC,MAAM,GAAG,GAAG,GAAG,IAAI,CAAC,OAAO,iCAAiC,CAAA;QAC5D,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,kBAAkB,CAAC,GAAG,EAAE;YAClD,MAAM,EAAE,MAAM;YACd,OAAO,EAAE,IAAI,CAAC,YAAY,EAAE;YAC5B,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC;YAC5B,MAAM,EAAE,WAAW,CAAC,OAAO,CAAC,KAAK,CAAC;SACnC,CAAC,CAAA;QACF,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;YACjB,MAAM,IAAI,KAAK,CAAC,2BAA2B,QAAQ,CAAC,MAAM,EAAE,CAAC,CAAA;QAC/D,CAAC;QACD,MAAM,MAAM,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAuD,CAAA;QACzF,OAAO,MAAM,CAAC,IAAI,CAAA;IACpB,CAAC;IAED,8EAA8E;IAC9E,qBAAqB;IACrB,8EAA8E;IAE9E;;OAEG;IACH,KAAK,CAAC,cAAc,CAAC,SAAiB;QACpC,MAAM,GAAG,GAAG,GAAG,IAAI,CAAC,OAAO,wBAAwB,kBAAkB,CAAC,SAAS,CAAC,EAAE,CAAA;QAClF,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,kBAAkB,CAAC,GAAG,EAAE;YAClD,MAAM,EAAE,KAAK;YACb,OAAO,EAAE,IAAI,CAAC,YAAY,EAAE;YAC5B,MAAM,EAAE,WAAW,CAAC,OAAO,CAAC,KAAK,CAAC;SACnC,CAAC,CAAA;QAEF,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;YACjB,MAAM,IAAI,KAAK,CAAC,0BAA0B,QAAQ,CAAC,MAAM,EAAE,CAAC,CAAA;QAC9D,CAAC;QAED,MAAM,MAAM,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAqC,CAAA;QACvE,OAAO,MAAM,CAAC,IAAI,CAAA;IACpB,CAAC;IAED;;;OAGG;IACH,KAAK,CAAC,QAAQ,CAAC,KAAa,EAAE,KAAa,EAAE,MAAc;QACzD,MAAM,GAAG,GAAG,GAAG,IAAI,CAAC,OAAO,mBAAmB,CAAA;QAC9C,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,kBAAkB,CAAC,GAAG,EAAE;YAClD,MAAM,EAAE,MAAM;YACd,OAAO,EAAE,IAAI,CAAC,YAAY,EAAE;YAC5B,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,CAAC;YAC9C,MAAM,EAAE,WAAW,CAAC,OAAO,CAAC,KAAK,CAAC;SACnC,CAAC,CAAA;QAEF,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;YACjB,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,2BAA2B,QAAQ,CAAC,MAAM,EAAE,EAAE,CAAA;QAC/E,CAAC;QAED,OAAO,MAAM,QAAQ,CAAC,IAAI,EAAyC,CAAA;IACrE,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,WAAW;QACf,IAAI,CAAC;YACH,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,GAAG,IAAI,CAAC,OAAO,SAAS,EAAE;gBACrD,MAAM,EAAE,KAAK;gBACb,MAAM,EAAE,WAAW,CAAC,OAAO,CAAC,IAAI,CAAC;aAClC,CAAC,CAAA;YACF,OAAO,QAAQ,CAAC,EAAE,CAAA;QACpB,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,KAAK,CAAA;QACd,CAAC;IACH,CAAC;CACF;AAtiBD,kDAsiBC"}

package/dist/identity/agent-identity.d.ts

@@ -0,0 +1,29 @@
+/**
+ * Agent Identity resolver — manages Agent DIDs per project × client (spec §4.2).
+ *
+ * Each (projectId, clientName) pair gets its own Agent DID.
+ * Private keys stored in OS Keychain, metadata in SQLite `keys` table.
+ * Agent DID signs VPs (KB-JWT iss = Agent DID).
+ * Root DID is used ONLY for device enrollment.
+ */
+import Database from 'better-sqlite3';
+import { KeyManager } from './key-manager';
+export interface AgentIdentity {
+    agentDid: string;
+    privateKeyJwk: string;
+    projectId: string;
+    clientName: string;
+}
+export declare class AgentIdentityResolver {
+    private readonly keyManager;
+    private readonly db;
+    private readonly rootDid;
+    constructor(keyManager: KeyManager, db: Database.Database, rootDid: string);
+    /**
+     * Get or create an Agent DID for the given project × client combination.
+     * If one already exists in SQLite (status=active), reuse it.
+     * Otherwise, generate a new Agent DID and store in Keychain + SQLite.
+     */
+    resolveAgentIdentity(projectId: string, clientName: string): Promise<AgentIdentity>;
+}
+//# sourceMappingURL=agent-identity.d.ts.map

package/dist/identity/agent-identity.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"agent-identity.d.ts","sourceRoot":"","sources":["../../src/identity/agent-identity.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AACH,OAAO,QAAQ,MAAM,gBAAgB,CAAA;AAErC,OAAO,EAAE,UAAU,EAAE,MAAM,eAAe,CAAA;AAG1C,MAAM,WAAW,aAAa;IAC5B,QAAQ,EAAE,MAAM,CAAA;IAChB,aAAa,EAAE,MAAM,CAAA;IACrB,SAAS,EAAE,MAAM,CAAA;IACjB,UAAU,EAAE,MAAM,CAAA;CACnB;AAED,qBAAa,qBAAqB;IAE9B,OAAO,CAAC,QAAQ,CAAC,UAAU;IAC3B,OAAO,CAAC,QAAQ,CAAC,EAAE;IACnB,OAAO,CAAC,QAAQ,CAAC,OAAO;gBAFP,UAAU,EAAE,UAAU,EACtB,EAAE,EAAE,QAAQ,CAAC,QAAQ,EACrB,OAAO,EAAE,MAAM;IAGlC;;;;OAIG;IACG,oBAAoB,CACxB,SAAS,EAAE,MAAM,EACjB,UAAU,EAAE,MAAM,GACjB,OAAO,CAAC,aAAa,CAAC;CA2C1B"}

package/dist/identity/agent-identity.js

@@ -0,0 +1,54 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.AgentIdentityResolver = void 0;
+const crypto_1 = require("crypto");
+const key_manager_1 = require("./key-manager");
+const did_manager_1 = require("./did-manager");
+class AgentIdentityResolver {
+    keyManager;
+    db;
+    rootDid;
+    constructor(keyManager, db, rootDid) {
+        this.keyManager = keyManager;
+        this.db = db;
+        this.rootDid = rootDid;
+    }
+    /**
+     * Get or create an Agent DID for the given project × client combination.
+     * If one already exists in SQLite (status=active), reuse it.
+     * Otherwise, generate a new Agent DID and store in Keychain + SQLite.
+     */
+    async resolveAgentIdentity(projectId, clientName) {
+        // Check SQLite for existing agent key
+        const existing = this.db.prepare("SELECT did FROM keys WHERE project_id = ? AND client_name = ? AND key_type = 'agent' AND status = 'active'").get(projectId, clientName);
+        if (existing) {
+            // Load private key from Keychain
+            const privateKeyJwk = this.keyManager.getAgentKey(projectId, clientName);
+            if (privateKeyJwk) {
+                return {
+                    agentDid: existing.did,
+                    privateKeyJwk,
+                    projectId,
+                    clientName,
+                };
+            }
+            // Key missing from Keychain but exists in DB — regenerate
+        }
+        // Generate new Agent DID
+        const { did: agentDid, privateKeyJwk, publicKeyJwk } = await did_manager_1.DIDManager.generateAgentDID();
+        // Store private key in OS Keychain
+        this.keyManager.storeAgentKey(projectId, clientName, privateKeyJwk);
+        // Store metadata in SQLite (no private key material)
+        const id = (0, crypto_1.randomUUID)();
+        const keychainRef = key_manager_1.KeyManager.getKeychainRef('agent', projectId, clientName);
+        this.db.prepare(`
+      INSERT OR REPLACE INTO keys (
+        id, did, key_type, public_key, keychain_ref, storage_type,
+        parent_did, project_id, client_name, status, created_at
+      ) VALUES (?, ?, 'agent', ?, ?, 'keychain', ?, ?, ?, 'active', ?)
+    `).run(id, agentDid, JSON.stringify(publicKeyJwk), keychainRef, this.rootDid, projectId, clientName, Date.now());
+        return { agentDid, privateKeyJwk, projectId, clientName };
+    }
+}
+exports.AgentIdentityResolver = AgentIdentityResolver;
+//# sourceMappingURL=agent-identity.js.map

package/dist/identity/agent-identity.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"agent-identity.js","sourceRoot":"","sources":["../../src/identity/agent-identity.ts"],"names":[],"mappings":";;;AASA,mCAAmC;AACnC,+CAA0C;AAC1C,+CAA0C;AAS1C,MAAa,qBAAqB;IAEb;IACA;IACA;IAHnB,YACmB,UAAsB,EACtB,EAAqB,EACrB,OAAe;QAFf,eAAU,GAAV,UAAU,CAAY;QACtB,OAAE,GAAF,EAAE,CAAmB;QACrB,YAAO,GAAP,OAAO,CAAQ;IAC/B,CAAC;IAEJ;;;;OAIG;IACH,KAAK,CAAC,oBAAoB,CACxB,SAAiB,EACjB,UAAkB;QAElB,sCAAsC;QACtC,MAAM,QAAQ,GAAG,IAAI,CAAC,EAAE,CAAC,OAAO,CAC9B,4GAA4G,CAC7G,CAAC,GAAG,CAAC,SAAS,EAAE,UAAU,CAAgC,CAAA;QAE3D,IAAI,QAAQ,EAAE,CAAC;YACb,iCAAiC;YACjC,MAAM,aAAa,GAAG,IAAI,CAAC,UAAU,CAAC,WAAW,CAAC,SAAS,EAAE,UAAU,CAAC,CAAA;YACxE,IAAI,aAAa,EAAE,CAAC;gBAClB,OAAO;oBACL,QAAQ,EAAE,QAAQ,CAAC,GAAG;oBACtB,aAAa;oBACb,SAAS;oBACT,UAAU;iBACX,CAAA;YACH,CAAC;YACD,0DAA0D;QAC5D,CAAC;QAED,yBAAyB;QACzB,MAAM,EAAE,GAAG,EAAE,QAAQ,EAAE,aAAa,EAAE,YAAY,EAAE,GAClD,MAAM,wBAAU,CAAC,gBAAgB,EAAE,CAAA;QAErC,mCAAmC;QACnC,IAAI,CAAC,UAAU,CAAC,aAAa,CAAC,SAAS,EAAE,UAAU,EAAE,aAAa,CAAC,CAAA;QAEnE,qDAAqD;QACrD,MAAM,EAAE,GAAG,IAAA,mBAAU,GAAE,CAAA;QACvB,MAAM,WAAW,GAAG,wBAAU,CAAC,cAAc,CAAC,OAAO,EAAE,SAAS,EAAE,UAAU,CAAC,CAAA;QAE7E,IAAI,CAAC,EAAE,CAAC,OAAO,CAAC;;;;;KAKf,CAAC,CAAC,GAAG,CACJ,EAAE,EAAE,QAAQ,EAAE,IAAI,CAAC,SAAS,CAAC,YAAY,CAAC,EAAE,WAAW,EACvD,IAAI,CAAC,OAAO,EAAE,SAAS,EAAE,UAAU,EAAE,IAAI,CAAC,GAAG,EAAE,CAChD,CAAA;QAED,OAAO,EAAE,QAAQ,EAAE,aAAa,EAAE,SAAS,EAAE,UAAU,EAAE,CAAA;IAC3D,CAAC;CACF;AA1DD,sDA0DC"}

package/dist/identity/did-manager.d.ts

@@ -0,0 +1,17 @@
+export interface DIDGenerationResult {
+    did: string;
+    privateKeyJwk: string;
+    publicKeyJwk: {
+        kty: string;
+        crv?: string;
+        x?: string;
+        y?: string;
+        alg?: string;
+    };
+}
+export declare class DIDManager {
+    static generateRootDID(): Promise<DIDGenerationResult>;
+    static generateAgentDID(): Promise<DIDGenerationResult>;
+    private static generateDID;
+}
+//# sourceMappingURL=did-manager.d.ts.map

package/dist/identity/did-manager.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"did-manager.d.ts","sourceRoot":"","sources":["../../src/identity/did-manager.ts"],"names":[],"mappings":"AAEA,MAAM,WAAW,mBAAmB;IAClC,GAAG,EAAE,MAAM,CAAA;IACX,aAAa,EAAE,MAAM,CAAA;IACrB,YAAY,EAAE;QACZ,GAAG,EAAE,MAAM,CAAA;QACX,GAAG,CAAC,EAAE,MAAM,CAAA;QACZ,CAAC,CAAC,EAAE,MAAM,CAAA;QACV,CAAC,CAAC,EAAE,MAAM,CAAA;QACV,GAAG,CAAC,EAAE,MAAM,CAAA;KACb,CAAA;CACF;AAED,qBAAa,UAAU;WACR,eAAe,IAAI,OAAO,CAAC,mBAAmB,CAAC;WAI/C,gBAAgB,IAAI,OAAO,CAAC,mBAAmB,CAAC;mBAIxC,WAAW;CAgBjC"}