@viewportai/daemon 0.5.2 → 0.6.0

package/dist/security/epoch-enrollment.js

@@ -0,0 +1,290 @@
+import { transportFetch } from '../cli/network.js';
+import { configDir } from '../core/config.js';
+import { createLocalDeviceEnrollmentKeyMaterial, getActiveLocalUserEpoch, getLocalDeviceEnrollment, upsertLocalDeviceEnrollment, upsertLocalUserEpoch, } from './epoch-store.js';
+import { DEVICE_ENROLLMENT_SCHEMA, signDeviceEnrollmentRequest, signUserEpochDeviceMaterialization, TRUSTED_EDGE_CRYPTO_PROTOCOL_HEADER, TRUSTED_EDGE_CRYPTO_PROTOCOL_VERSION, unwrapJsonFromX25519Envelope, userEpochDeviceMaterializationPayload, wrapJsonForX25519Recipient, } from './epoch-protocol.js';
+export async function requestDeviceEpochEnrollment(options) {
+    const material = createLocalDeviceEnrollmentKeyMaterial({
+        workspaceId: options.target.workspaceId,
+        deviceId: options.deviceId,
+        deviceLabel: options.deviceLabel,
+    });
+    const requestPayload = {
+        schema: DEVICE_ENROLLMENT_SCHEMA,
+        workspaceId: options.target.workspaceId,
+        deviceId: options.deviceId,
+        deviceLabel: options.deviceLabel,
+        encryptionPublicKeyJwk: material.enrollment.encryptionPublicKeyJwk,
+        signingPublicKeyJwk: material.enrollment.signingPublicKeyJwk,
+        nonce: material.enrollment.nonce,
+    };
+    const signedRequest = signDeviceEnrollmentRequest({
+        payload: requestPayload,
+        signingPrivateKeyJwk: material.enrollment.signingPrivateKeyJwk,
+    });
+    const payload = await postJson(options.fetchImpl ?? transportFetch, `${runtimeBaseUrl(options.target)}/crypto/device-enrollments`, {
+        credential: options.target.credential,
+        device_id: options.deviceId,
+        device_label: options.deviceLabel,
+        encryption_public_key_jwk: material.enrollment.encryptionPublicKeyJwk,
+        signing_public_key_jwk: material.enrollment.signingPublicKeyJwk,
+        nonce: material.enrollment.nonce,
+        request_payload: signedRequest.payload,
+        request_signature: signedRequest.signature,
+    }, options.target);
+    const data = enrollmentPayload(payload);
+    return upsertLocalDeviceEnrollment({
+        workspaceId: data.workspace_id,
+        enrollmentId: data.id,
+        userId: String(data.user_id),
+        deviceId: data.device_id,
+        deviceLabel: data.device_label,
+        status: data.status,
+        encryptionPublicKeyJwk: data.encryption_public_key_jwk,
+        encryptionPrivateKeyJwk: material.enrollment.encryptionPrivateKeyJwk,
+        signingPublicKeyJwk: data.signing_public_key_jwk,
+        signingPrivateKeyJwk: material.enrollment.signingPrivateKeyJwk,
+        fingerprint: data.fingerprint,
+        nonce: data.nonce,
+    }, options.home ?? configDir());
+}
+export async function listDeviceEpochEnrollments(options) {
+    const payload = await getJson(options.fetchImpl ?? transportFetch, `${runtimeBaseUrl(options.target)}/crypto/device-enrollments`, options.target);
+    const response = record(payload, 'device enrollments response');
+    const data = response.data;
+    if (!Array.isArray(data)) {
+        throw new Error('Device enrollment response did not include data array.');
+    }
+    return data.map((item) => enrollmentPayload({ data: item }));
+}
+export async function approveDeviceEpochEnrollment(options) {
+    const epoch = await getActiveLocalUserEpoch(options.target.workspaceId, options.home);
+    if (!epoch?.platformEpochId) {
+        throw new Error('Active local user epoch with platform id is required before approving a device.');
+    }
+    const enrollment = await fetchEnrollment(options);
+    const aad = userEpochDeviceGrantAad({ epoch, enrollment });
+    const encryptedPayload = wrapJsonForX25519Recipient({
+        recipientPublicKeyJwk: enrollment.encryption_public_key_jwk,
+        aad,
+        payload: {
+            schema: 'viewport.user_epoch_device_material/v1',
+            workspaceId: epoch.workspaceId,
+            userId: epoch.userId,
+            platformEpochId: epoch.platformEpochId,
+            epoch: epoch.epoch,
+            fingerprint: epoch.fingerprint,
+            encryptionPublicKeyJwk: epoch.encryptionPublicKeyJwk,
+            encryptionPrivateKeyJwk: epoch.encryptionPrivateKeyJwk,
+            signingPublicKeyJwk: epoch.signingPublicKeyJwk,
+            signingPrivateKeyJwk: epoch.signingPrivateKeyJwk,
+            previousEpochFingerprint: epoch.previousEpochFingerprint ?? null,
+        },
+    });
+    const response = await postJson(options.fetchImpl ?? transportFetch, `${runtimeBaseUrl(options.target)}/crypto/device-enrollments/${encodeURIComponent(options.enrollmentId)}/approve`, {
+        credential: options.target.credential,
+        user_crypto_epoch_id: epoch.platformEpochId,
+        aad,
+        encrypted_payload: encryptedPayload,
+    }, options.target);
+    return enrollmentPayload(response);
+}
+export async function acceptDeviceEpochEnrollment(options) {
+    const enrollment = await fetchEnrollment(options);
+    const localEnrollment = await getLocalDeviceEnrollment(options.target.workspaceId, enrollment.id, options.home);
+    if (!localEnrollment) {
+        throw new Error('Local pending device enrollment key material was not found.');
+    }
+    const grant = (enrollment.grants ?? []).find((item) => item.recipient_fingerprint === localEnrollment.fingerprint);
+    if (!grant) {
+        throw new Error('No encrypted user epoch grant is available for this device enrollment.');
+    }
+    const payload = unwrapJsonFromX25519Envelope({
+        recipientPrivateKeyJwk: localEnrollment.encryptionPrivateKeyJwk,
+        envelope: grant.encrypted_payload,
+        aad: grant.aad,
+    });
+    const material = materialPayload(payload);
+    const receipt = signUserEpochDeviceMaterialization({
+        payload: userEpochDeviceMaterializationPayload({
+            workspaceId: material.workspaceId,
+            userId: material.userId,
+            enrollmentId: enrollment.id,
+            grantId: grant.id,
+            userCryptoEpochId: material.platformEpochId,
+            userEpochFingerprint: material.fingerprint,
+            recipientFingerprint: grant.recipient_fingerprint,
+        }),
+        signingPrivateKeyJwk: material.signingPrivateKeyJwk,
+        signedByUserEpochFingerprint: material.fingerprint,
+    });
+    const epoch = await upsertLocalUserEpoch({
+        workspaceId: material.workspaceId,
+        userId: material.userId,
+        platformEpochId: material.platformEpochId,
+        epoch: material.epoch,
+        schema: 'viewport.user_crypto_epoch/v1',
+        status: 'active',
+        encryptionPublicKeyJwk: material.encryptionPublicKeyJwk,
+        encryptionPrivateKeyJwk: material.encryptionPrivateKeyJwk,
+        signingPublicKeyJwk: material.signingPublicKeyJwk,
+        signingPrivateKeyJwk: material.signingPrivateKeyJwk,
+        fingerprint: material.fingerprint,
+        previousEpochFingerprint: material.previousEpochFingerprint,
+    }, options.home ?? configDir());
+    await upsertLocalDeviceEnrollment({
+        ...localEnrollment,
+        status: 'accepted',
+    }, options.home ?? configDir());
+    await postJson(options.fetchImpl ?? transportFetch, `${runtimeBaseUrl(options.target)}/crypto/device-enrollments/${encodeURIComponent(enrollment.id)}/materialized`, {
+        credential: options.target.credential,
+        grant_id: grant.id,
+        receipt,
+    }, options.target);
+    return epoch;
+}
+function userEpochDeviceGrantAad(input) {
+    return {
+        schema: 'viewport.user_epoch_device_grant_aad/v1',
+        workspaceId: input.epoch.workspaceId,
+        userId: input.epoch.userId,
+        platformEpochId: input.epoch.platformEpochId ?? null,
+        epochFingerprint: input.epoch.fingerprint,
+        enrollmentId: input.enrollment.id,
+        recipientFingerprint: input.enrollment.fingerprint,
+    };
+}
+async function fetchEnrollment(options) {
+    const payload = await getJson(options.fetchImpl ?? transportFetch, `${runtimeBaseUrl(options.target)}/crypto/device-enrollments/${encodeURIComponent(options.enrollmentId)}`, options.target);
+    return enrollmentPayload(payload);
+}
+function runtimeBaseUrl(target) {
+    return `${target.serverUrl.replace(/\/+$/, '')}/api/runtime/workspaces/${encodeURIComponent(target.workspaceId)}`;
+}
+async function postJson(fetchImpl, url, body, transportOptions = {}) {
+    const response = await fetchImpl(url, {
+        method: 'POST',
+        headers: trustedEdgeCryptoHeaders({ 'content-type': 'application/json' }),
+        body: JSON.stringify(body),
+        timeoutMs: 5_000,
+        tlsVerify: transportOptions.tlsVerify,
+        caCertPath: transportOptions.caCertPath,
+        tlsPins: transportOptions.tlsPins,
+    });
+    const payload = await response.json().catch(() => null);
+    if (!response.ok)
+        throw new Error(responseError(payload, response));
+    return payload;
+}
+async function getJson(fetchImpl, url, transportOptions) {
+    const requestUrl = new URL(url);
+    requestUrl.searchParams.set('credential', transportOptions.credential);
+    const response = await fetchImpl(requestUrl.toString(), {
+        method: 'GET',
+        headers: trustedEdgeCryptoHeaders(),
+        timeoutMs: 5_000,
+        tlsVerify: transportOptions.tlsVerify,
+        caCertPath: transportOptions.caCertPath,
+        tlsPins: transportOptions.tlsPins,
+    });
+    const payload = await response.json().catch(() => null);
+    if (!response.ok)
+        throw new Error(responseError(payload, response));
+    return payload;
+}
+function trustedEdgeCryptoHeaders(extra = {}) {
+    return {
+        accept: 'application/json',
+        [TRUSTED_EDGE_CRYPTO_PROTOCOL_HEADER]: TRUSTED_EDGE_CRYPTO_PROTOCOL_VERSION,
+        ...extra,
+    };
+}
+function responseError(payload, response) {
+    const message = payload && typeof payload === 'object' && 'message' in payload
+        ? String(payload.message)
+        : `${response.status} ${response.statusText}`;
+    return `Device enrollment sync failed: ${message}`;
+}
+function enrollmentPayload(payload) {
+    const data = objectField(payload, 'data');
+    return {
+        id: stringField(data, 'id'),
+        workspace_id: stringField(data, 'workspace_id'),
+        user_id: numberOrStringField(data, 'user_id'),
+        device_id: stringField(data, 'device_id'),
+        device_label: stringField(data, 'device_label'),
+        encryption_public_key_jwk: objectField(data, 'encryption_public_key_jwk'),
+        signing_public_key_jwk: objectField(data, 'signing_public_key_jwk'),
+        fingerprint: stringField(data, 'fingerprint'),
+        nonce: stringField(data, 'nonce'),
+        status: statusField(data, 'status'),
+        grants: Array.isArray(data.grants) ? data.grants.map((item) => deviceGrantPayload(item)) : [],
+    };
+}
+function deviceGrantPayload(value) {
+    const data = record(value, 'grant');
+    return {
+        id: stringField(data, 'id'),
+        user_crypto_epoch_id: stringField(data, 'user_crypto_epoch_id'),
+        recipient_fingerprint: stringField(data, 'recipient_fingerprint'),
+        aad: objectField(data, 'aad'),
+        encrypted_payload: objectField(data, 'encrypted_payload'),
+    };
+}
+function materialPayload(value) {
+    const data = record(value, 'material');
+    return {
+        workspaceId: stringField(data, 'workspaceId'),
+        userId: stringField(data, 'userId'),
+        platformEpochId: stringField(data, 'platformEpochId'),
+        epoch: numberField(data, 'epoch'),
+        fingerprint: stringField(data, 'fingerprint'),
+        encryptionPublicKeyJwk: objectField(data, 'encryptionPublicKeyJwk'),
+        encryptionPrivateKeyJwk: objectField(data, 'encryptionPrivateKeyJwk'),
+        signingPublicKeyJwk: objectField(data, 'signingPublicKeyJwk'),
+        signingPrivateKeyJwk: objectField(data, 'signingPrivateKeyJwk'),
+        previousEpochFingerprint: typeof data.previousEpochFingerprint === 'string' ? data.previousEpochFingerprint : null,
+    };
+}
+function objectField(value, field) {
+    const data = record(value, 'response');
+    const child = data[field];
+    if (!child || typeof child !== 'object' || Array.isArray(child)) {
+        throw new Error(`Device enrollment response did not include ${field}`);
+    }
+    return child;
+}
+function record(value, label) {
+    if (!value || typeof value !== 'object' || Array.isArray(value)) {
+        throw new Error(`Expected ${label} object.`);
+    }
+    return value;
+}
+function stringField(value, field) {
+    const child = value[field];
+    if (typeof child !== 'string' || child.trim().length === 0) {
+        throw new Error(`Device enrollment response did not include ${field}`);
+    }
+    return child;
+}
+function numberField(value, field) {
+    const child = value[field];
+    if (typeof child !== 'number') {
+        throw new Error(`Device enrollment response did not include numeric ${field}`);
+    }
+    return child;
+}
+function numberOrStringField(value, field) {
+    const child = value[field];
+    if (typeof child !== 'number' && typeof child !== 'string') {
+        throw new Error(`Device enrollment response did not include ${field}`);
+    }
+    return child;
+}
+function statusField(value, field) {
+    const child = stringField(value, field);
+    if (child !== 'pending' && child !== 'approved' && child !== 'accepted' && child !== 'revoked') {
+        throw new Error(`Unsupported device enrollment status: ${child}`);
+    }
+    return child;
+}
+//# sourceMappingURL=epoch-enrollment.js.map

package/dist/security/epoch-enrollment.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"epoch-enrollment.js","sourceRoot":"","sources":["../../src/security/epoch-enrollment.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,cAAc,EAAsB,MAAM,mBAAmB,CAAC;AACvE,OAAO,EAAE,SAAS,EAAE,MAAM,mBAAmB,CAAC;AAC9C,OAAO,EACL,sCAAsC,EACtC,uBAAuB,EACvB,wBAAwB,EACxB,2BAA2B,EAC3B,oBAAoB,GAGrB,MAAM,kBAAkB,CAAC;AAC1B,OAAO,EACL,wBAAwB,EACxB,2BAA2B,EAC3B,kCAAkC,EAClC,mCAAmC,EACnC,oCAAoC,EACpC,4BAA4B,EAC5B,qCAAqC,EACrC,0BAA0B,GAG3B,MAAM,qBAAqB,CAAC;AAyB7B,MAAM,CAAC,KAAK,UAAU,4BAA4B,CAAC,OAMlD;IACC,MAAM,QAAQ,GAAG,sCAAsC,CAAC;QACtD,WAAW,EAAE,OAAO,CAAC,MAAM,CAAC,WAAW;QACvC,QAAQ,EAAE,OAAO,CAAC,QAAQ;QAC1B,WAAW,EAAE,OAAO,CAAC,WAAW;KACjC,CAAC,CAAC;IACH,MAAM,cAAc,GAAG;QACrB,MAAM,EAAE,wBAAwB;QAChC,WAAW,EAAE,OAAO,CAAC,MAAM,CAAC,WAAW;QACvC,QAAQ,EAAE,OAAO,CAAC,QAAQ;QAC1B,WAAW,EAAE,OAAO,CAAC,WAAW;QAChC,sBAAsB,EAAE,QAAQ,CAAC,UAAU,CAAC,sBAAsB;QAClE,mBAAmB,EAAE,QAAQ,CAAC,UAAU,CAAC,mBAAmB;QAC5D,KAAK,EAAE,QAAQ,CAAC,UAAU,CAAC,KAAK;KACxB,CAAC;IACX,MAAM,aAAa,GAAG,2BAA2B,CAAC;QAChD,OAAO,EAAE,cAAc;QACvB,oBAAoB,EAAE,QAAQ,CAAC,UAAU,CAAC,oBAAoB;KAC/D,CAAC,CAAC;IACH,MAAM,OAAO,GAAG,MAAM,QAAQ,CAC5B,OAAO,CAAC,SAAS,IAAI,cAAc,EACnC,GAAG,cAAc,CAAC,OAAO,CAAC,MAAM,CAAC,4BAA4B,EAC7D;QACE,UAAU,EAAE,OAAO,CAAC,MAAM,CAAC,UAAU;QACrC,SAAS,EAAE,OAAO,CAAC,QAAQ;QAC3B,YAAY,EAAE,OAAO,CAAC,WAAW;QACjC,yBAAyB,EAAE,QAAQ,CAAC,UAAU,CAAC,sBAAsB;QACrE,sBAAsB,EAAE,QAAQ,CAAC,UAAU,CAAC,mBAAmB;QAC/D,KAAK,EAAE,QAAQ,CAAC,UAAU,CAAC,KAAK;QAChC,eAAe,EAAE,aAAa,CAAC,OAAO;QACtC,iBAAiB,EAAE,aAAa,CAAC,SAAS;KAC3C,EACD,OAAO,CAAC,MAAM,CACf,CAAC;IACF,MAAM,IAAI,GAAG,iBAAiB,CAAC,OAAO,CAAC,CAAC;IAExC,OAAO,2BAA2B,CAChC;QACE,WAAW,EAAE,IAAI,CAAC,YAAY;QAC9B,YAAY,EAAE,IAAI,CAAC,EAAE;QACrB,MAAM,EAAE,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC;QAC5B,QAAQ,EAAE,IAAI,CAAC,SAAS;QACxB,WAAW,EAAE,IAAI,CAAC,YAAY;QAC9B,MAAM,EAAE,IAAI,CAAC,MAAM;QACnB,sBAAsB,EAAE,IAAI,CAAC,yBAAyB;QACtD,uBAAuB,EAAE,QAAQ,CAAC,UAAU,CAAC,uBAAuB;QACpE,mBAAmB,EAAE,IAAI,CAAC,sBAAsB;QAChD,oBAAoB,EAAE,QAAQ,CAAC,UAAU,CAAC,oBAAoB;QAC9D,WAAW,EAAE,IAAI,CAAC,WAAW;QAC7B,KAAK,EAAE,IAAI,CAAC,KAAK;KAClB,EACD,OAAO,CAAC,IAAI,IAAI,SAAS,EAAE,CAC5B,CAAC;AACJ,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,0BAA0B,CAAC,OAGhD;IACC,MAAM,OAAO,GAAG,MAAM,OAAO,CAC3B,OAAO,CAAC,SAAS,IAAI,cAAc,EACnC,GAAG,cAAc,CAAC,OAAO,CAAC,MAAM,CAAC,4BAA4B,EAC7D,OAAO,CAAC,MAAM,CACf,CAAC;IACF,MAAM,QAAQ,GAAG,MAAM,CAAC,OAAO,EAAE,6BAA6B,CAAC,CAAC;IAChE,MAAM,IAAI,GAAG,QAAQ,CAAC,IAAI,CAAC;IAC3B,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,CAAC;QACzB,MAAM,IAAI,KAAK,CAAC,wDAAwD,CAAC,CAAC;IAC5E,CAAC;IACD,OAAO,IAAI,CAAC,GAAG,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,iBAAiB,CAAC,EAAE,IAAI,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC;AAC/D,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,4BAA4B,CAAC,OAKlD;IACC,MAAM,KAAK,GAAG,MAAM,uBAAuB,CAAC,OAAO,CAAC,MAAM,CAAC,WAAW,EAAE,OAAO,CAAC,IAAI,CAAC,CAAC;IACtF,IAAI,CAAC,KAAK,EAAE,eAAe,EAAE,CAAC;QAC5B,MAAM,IAAI,KAAK,CACb,iFAAiF,CAClF,CAAC;IACJ,CAAC;IACD,MAAM,UAAU,GAAG,MAAM,eAAe,CAAC,OAAO,CAAC,CAAC;IAClD,MAAM,GAAG,GAAG,uBAAuB,CAAC,EAAE,KAAK,EAAE,UAAU,EAAE,CAAC,CAAC;IAC3D,MAAM,gBAAgB,GAAG,0BAA0B,CAAC;QAClD,qBAAqB,EAAE,UAAU,CAAC,yBAAyB;QAC3D,GAAG;QACH,OAAO,EAAE;YACP,MAAM,EAAE,wCAAwC;YAChD,WAAW,EAAE,KAAK,CAAC,WAAW;YAC9B,MAAM,EAAE,KAAK,CAAC,MAAM;YACpB,eAAe,EAAE,KAAK,CAAC,eAAe;YACtC,KAAK,EAAE,KAAK,CAAC,KAAK;YAClB,WAAW,EAAE,KAAK,CAAC,WAAW;YAC9B,sBAAsB,EAAE,KAAK,CAAC,sBAAsB;YACpD,uBAAuB,EAAE,KAAK,CAAC,uBAAuB;YACtD,mBAAmB,EAAE,KAAK,CAAC,mBAAmB;YAC9C,oBAAoB,EAAE,KAAK,CAAC,oBAAoB;YAChD,wBAAwB,EAAE,KAAK,CAAC,wBAAwB,IAAI,IAAI;SACjE;KACF,CAAC,CAAC;IAEH,MAAM,QAAQ,GAAG,MAAM,QAAQ,CAC7B,OAAO,CAAC,SAAS,IAAI,cAAc,EACnC,GAAG,cAAc,CAAC,OAAO,CAAC,MAAM,CAAC,8BAA8B,kBAAkB,CAC/E,OAAO,CAAC,YAAY,CACrB,UAAU,EACX;QACE,UAAU,EAAE,OAAO,CAAC,MAAM,CAAC,UAAU;QACrC,oBAAoB,EAAE,KAAK,CAAC,eAAe;QAC3C,GAAG;QACH,iBAAiB,EAAE,gBAAgB;KACpC,EACD,OAAO,CAAC,MAAM,CACf,CAAC;IACF,OAAO,iBAAiB,CAAC,QAAQ,CAAC,CAAC;AACrC,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,2BAA2B,CAAC,OAKjD;IACC,MAAM,UAAU,GAAG,MAAM,eAAe,CAAC,OAAO,CAAC,CAAC;IAClD,MAAM,eAAe,GAAG,MAAM,wBAAwB,CACpD,OAAO,CAAC,MAAM,CAAC,WAAW,EAC1B,UAAU,CAAC,EAAE,EACb,OAAO,CAAC,IAAI,CACb,CAAC;IACF,IAAI,CAAC,eAAe,EAAE,CAAC;QACrB,MAAM,IAAI,KAAK,CAAC,6DAA6D,CAAC,CAAC;IACjF,CAAC;IACD,MAAM,KAAK,GAAG,CAAC,UAAU,CAAC,MAAM,IAAI,EAAE,CAAC,CAAC,IAAI,CAC1C,CAAC,IAAI,EAAE,EAAE,CAAC,IAAI,CAAC,qBAAqB,KAAK,eAAe,CAAC,WAAW,CACrE,CAAC;IACF,IAAI,CAAC,KAAK,EAAE,CAAC;QACX,MAAM,IAAI,KAAK,CAAC,wEAAwE,CAAC,CAAC;IAC5F,CAAC;IACD,MAAM,OAAO,GAAG,4BAA4B,CAAC;QAC3C,sBAAsB,EAAE,eAAe,CAAC,uBAAuB;QAC/D,QAAQ,EAAE,KAAK,CAAC,iBAAiB;QACjC,GAAG,EAAE,KAAK,CAAC,GAAG;KACf,CAAC,CAAC;IACH,MAAM,QAAQ,GAAG,eAAe,CAAC,OAAO,CAAC,CAAC;IAC1C,MAAM,OAAO,GAAG,kCAAkC,CAAC;QACjD,OAAO,EAAE,qCAAqC,CAAC;YAC7C,WAAW,EAAE,QAAQ,CAAC,WAAW;YACjC,MAAM,EAAE,QAAQ,CAAC,MAAM;YACvB,YAAY,EAAE,UAAU,CAAC,EAAE;YAC3B,OAAO,EAAE,KAAK,CAAC,EAAE;YACjB,iBAAiB,EAAE,QAAQ,CAAC,eAAe;YAC3C,oBAAoB,EAAE,QAAQ,CAAC,WAAW;YAC1C,oBAAoB,EAAE,KAAK,CAAC,qBAAqB;SAClD,CAAC;QACF,oBAAoB,EAAE,QAAQ,CAAC,oBAAoB;QACnD,4BAA4B,EAAE,QAAQ,CAAC,WAAW;KACnD,CAAC,CAAC;IACH,MAAM,KAAK,GAAG,MAAM,oBAAoB,CACtC;QACE,WAAW,EAAE,QAAQ,CAAC,WAAW;QACjC,MAAM,EAAE,QAAQ,CAAC,MAAM;QACvB,eAAe,EAAE,QAAQ,CAAC,eAAe;QACzC,KAAK,EAAE,QAAQ,CAAC,KAAK;QACrB,MAAM,EAAE,+BAA+B;QACvC,MAAM,EAAE,QAAQ;QAChB,sBAAsB,EAAE,QAAQ,CAAC,sBAAsB;QACvD,uBAAuB,EAAE,QAAQ,CAAC,uBAAuB;QACzD,mBAAmB,EAAE,QAAQ,CAAC,mBAAmB;QACjD,oBAAoB,EAAE,QAAQ,CAAC,oBAAoB;QACnD,WAAW,EAAE,QAAQ,CAAC,WAAW;QACjC,wBAAwB,EAAE,QAAQ,CAAC,wBAAwB;KAC5D,EACD,OAAO,CAAC,IAAI,IAAI,SAAS,EAAE,CAC5B,CAAC;IACF,MAAM,2BAA2B,CAC/B;QACE,GAAG,eAAe;QAClB,MAAM,EAAE,UAAU;KACnB,EACD,OAAO,CAAC,IAAI,IAAI,SAAS,EAAE,CAC5B,CAAC;IACF,MAAM,QAAQ,CACZ,OAAO,CAAC,SAAS,IAAI,cAAc,EACnC,GAAG,cAAc,CAAC,OAAO,CAAC,MAAM,CAAC,8BAA8B,kBAAkB,CAC/E,UAAU,CAAC,EAAE,CACd,eAAe,EAChB;QACE,UAAU,EAAE,OAAO,CAAC,MAAM,CAAC,UAAU;QACrC,QAAQ,EAAE,KAAK,CAAC,EAAE;QAClB,OAAO;KACR,EACD,OAAO,CAAC,MAAM,CACf,CAAC;IACF,OAAO,KAAK,CAAC;AACf,CAAC;AAED,SAAS,uBAAuB,CAAC,KAGhC;IACC,OAAO;QACL,MAAM,EAAE,yCAAyC;QACjD,WAAW,EAAE,KAAK,CAAC,KAAK,CAAC,WAAW;QACpC,MAAM,EAAE,KAAK,CAAC,KAAK,CAAC,MAAM;QAC1B,eAAe,EAAE,KAAK,CAAC,KAAK,CAAC,eAAe,IAAI,IAAI;QACpD,gBAAgB,EAAE,KAAK,CAAC,KAAK,CAAC,WAAW;QACzC,YAAY,EAAE,KAAK,CAAC,UAAU,CAAC,EAAE;QACjC,oBAAoB,EAAE,KAAK,CAAC,UAAU,CAAC,WAAW;KACnD,CAAC;AACJ,CAAC;AAED,KAAK,UAAU,eAAe,CAAC,OAI9B;IACC,MAAM,OAAO,GAAG,MAAM,OAAO,CAC3B,OAAO,CAAC,SAAS,IAAI,cAAc,EACnC,GAAG,cAAc,CAAC,OAAO,CAAC,MAAM,CAAC,8BAA8B,kBAAkB,CAC/E,OAAO,CAAC,YAAY,CACrB,EAAE,EACH,OAAO,CAAC,MAAM,CACf,CAAC;IACF,OAAO,iBAAiB,CAAC,OAAO,CAAC,CAAC;AACpC,CAAC;AAED,SAAS,cAAc,CAAC,MAA6B;IACnD,OAAO,GAAG,MAAM,CAAC,SAAS,CAAC,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC,2BAA2B,kBAAkB,CACzF,MAAM,CAAC,WAAW,CACnB,EAAE,CAAC;AACN,CAAC;AAED,KAAK,UAAU,QAAQ,CACrB,SAAgC,EAChC,GAAW,EACX,IAA6B,EAC7B,mBAII,EAAE;IAEN,MAAM,QAAQ,GAAG,MAAM,SAAS,CAAC,GAAG,EAAE;QACpC,MAAM,EAAE,MAAM;QACd,OAAO,EAAE,wBAAwB,CAAC,EAAE,cAAc,EAAE,kBAAkB,EAAE,CAAC;QACzE,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC;QAC1B,SAAS,EAAE,KAAK;QAChB,SAAS,EAAE,gBAAgB,CAAC,SAAS;QACrC,UAAU,EAAE,gBAAgB,CAAC,UAAU;QACvC,OAAO,EAAE,gBAAgB,CAAC,OAAO;KAClC,CAAC,CAAC;IACH,MAAM,OAAO,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,IAAI,CAAC,CAAC;IACxD,IAAI,CAAC,QAAQ,CAAC,EAAE;QAAE,MAAM,IAAI,KAAK,CAAC,aAAa,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC,CAAC;IACpE,OAAO,OAAO,CAAC;AACjB,CAAC;AAED,KAAK,UAAU,OAAO,CACpB,SAAgC,EAChC,GAAW,EACX,gBAAuC;IAEvC,MAAM,UAAU,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,CAAC;IAChC,UAAU,CAAC,YAAY,CAAC,GAAG,CAAC,YAAY,EAAE,gBAAgB,CAAC,UAAU,CAAC,CAAC;IACvE,MAAM,QAAQ,GAAG,MAAM,SAAS,CAAC,UAAU,CAAC,QAAQ,EAAE,EAAE;QACtD,MAAM,EAAE,KAAK;QACb,OAAO,EAAE,wBAAwB,EAAE;QACnC,SAAS,EAAE,KAAK;QAChB,SAAS,EAAE,gBAAgB,CAAC,SAAS;QACrC,UAAU,EAAE,gBAAgB,CAAC,UAAU;QACvC,OAAO,EAAE,gBAAgB,CAAC,OAAO;KAClC,CAAC,CAAC;IACH,MAAM,OAAO,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,IAAI,CAAC,CAAC;IACxD,IAAI,CAAC,QAAQ,CAAC,EAAE;QAAE,MAAM,IAAI,KAAK,CAAC,aAAa,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC,CAAC;IACpE,OAAO,OAAO,CAAC;AACjB,CAAC;AAED,SAAS,wBAAwB,CAAC,QAAgC,EAAE;IAClE,OAAO;QACL,MAAM,EAAE,kBAAkB;QAC1B,CAAC,mCAAmC,CAAC,EAAE,oCAAoC;QAC3E,GAAG,KAAK;KACT,CAAC;AACJ,CAAC;AAED,SAAS,aAAa,CAAC,OAAgB,EAAE,QAAkB;IACzD,MAAM,OAAO,GACX,OAAO,IAAI,OAAO,OAAO,KAAK,QAAQ,IAAI,SAAS,IAAI,OAAO;QAC5D,CAAC,CAAC,MAAM,CAAE,OAAiC,CAAC,OAAO,CAAC;QACpD,CAAC,CAAC,GAAG,QAAQ,CAAC,MAAM,IAAI,QAAQ,CAAC,UAAU,EAAE,CAAC;IAClD,OAAO,kCAAkC,OAAO,EAAE,CAAC;AACrD,CAAC;AAED,SAAS,iBAAiB,CAAC,OAAgB;IACzC,MAAM,IAAI,GAAG,WAAW,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;IAC1C,OAAO;QACL,EAAE,EAAE,WAAW,CAAC,IAAI,EAAE,IAAI,CAAC;QAC3B,YAAY,EAAE,WAAW,CAAC,IAAI,EAAE,cAAc,CAAC;QAC/C,OAAO,EAAE,mBAAmB,CAAC,IAAI,EAAE,SAAS,CAAC;QAC7C,SAAS,EAAE,WAAW,CAAC,IAAI,EAAE,WAAW,CAAC;QACzC,YAAY,EAAE,WAAW,CAAC,IAAI,EAAE,cAAc,CAAC;QAC/C,yBAAyB,EAAE,WAAW,CAAC,IAAI,EAAE,2BAA2B,CAAc;QACtF,sBAAsB,EAAE,WAAW,CAAC,IAAI,EAAE,wBAAwB,CAAc;QAChF,WAAW,EAAE,WAAW,CAAC,IAAI,EAAE,aAAa,CAAC;QAC7C,KAAK,EAAE,WAAW,CAAC,IAAI,EAAE,OAAO,CAAC;QACjC,MAAM,EAAE,WAAW,CAAC,IAAI,EAAE,QAAQ,CAAC;QACnC,MAAM,EAAE,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,kBAAkB,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC,EAAE;KAC9F,CAAC;AACJ,CAAC;AAED,SAAS,kBAAkB,CAAC,KAAc;IACxC,MAAM,IAAI,GAAG,MAAM,CAAC,KAAK,EAAE,OAAO,CAAC,CAAC;IACpC,OAAO;QACL,EAAE,EAAE,WAAW,CAAC,IAAI,EAAE,IAAI,CAAC;QAC3B,oBAAoB,EAAE,WAAW,CAAC,IAAI,EAAE,sBAAsB,CAAC;QAC/D,qBAAqB,EAAE,WAAW,CAAC,IAAI,EAAE,uBAAuB,CAAC;QACjE,GAAG,EAAE,WAAW,CAAC,IAAI,EAAE,KAAK,CAAc;QAC1C,iBAAiB,EAAE,WAAW,CAAC,IAAI,EAAE,mBAAmB,CAAkC;KAC3F,CAAC;AACJ,CAAC;AAED,SAAS,eAAe,CAAC,KAAgB;IAYvC,MAAM,IAAI,GAAG,MAAM,CAAC,KAAK,EAAE,UAAU,CAAC,CAAC;IACvC,OAAO;QACL,WAAW,EAAE,WAAW,CAAC,IAAI,EAAE,aAAa,CAAC;QAC7C,MAAM,EAAE,WAAW,CAAC,IAAI,EAAE,QAAQ,CAAC;QACnC,eAAe,EAAE,WAAW,CAAC,IAAI,EAAE,iBAAiB,CAAC;QACrD,KAAK,EAAE,WAAW,CAAC,IAAI,EAAE,OAAO,CAAC;QACjC,WAAW,EAAE,WAAW,CAAC,IAAI,EAAE,aAAa,CAAC;QAC7C,sBAAsB,EAAE,WAAW,CAAC,IAAI,EAAE,wBAAwB,CAAc;QAChF,uBAAuB,EAAE,WAAW,CAAC,IAAI,EAAE,yBAAyB,CAAc;QAClF,mBAAmB,EAAE,WAAW,CAAC,IAAI,EAAE,qBAAqB,CAAc;QAC1E,oBAAoB,EAAE,WAAW,CAAC,IAAI,EAAE,sBAAsB,CAAc;QAC5E,wBAAwB,EACtB,OAAO,IAAI,CAAC,wBAAwB,KAAK,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,wBAAwB,CAAC,CAAC,CAAC,IAAI;KAC3F,CAAC;AACJ,CAAC;AAED,SAAS,WAAW,CAAC,KAAc,EAAE,KAAa;IAChD,MAAM,IAAI,GAAG,MAAM,CAAC,KAAK,EAAE,UAAU,CAAC,CAAC;IACvC,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC;IAC1B,IAAI,CAAC,KAAK,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC;QAChE,MAAM,IAAI,KAAK,CAAC,8CAA8C,KAAK,EAAE,CAAC,CAAC;IACzE,CAAC;IACD,OAAO,KAAgC,CAAC;AAC1C,CAAC;AAED,SAAS,MAAM,CAAC,KAAc,EAAE,KAAa;IAC3C,IAAI,CAAC,KAAK,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC;QAChE,MAAM,IAAI,KAAK,CAAC,YAAY,KAAK,UAAU,CAAC,CAAC;IAC/C,CAAC;IACD,OAAO,KAAgC,CAAC;AAC1C,CAAC;AAED,SAAS,WAAW,CAAC,KAA8B,EAAE,KAAa;IAChE,MAAM,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC,CAAC;IAC3B,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,KAAK,CAAC,IAAI,EAAE,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC3D,MAAM,IAAI,KAAK,CAAC,8CAA8C,KAAK,EAAE,CAAC,CAAC;IACzE,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC;AAED,SAAS,WAAW,CAAC,KAA8B,EAAE,KAAa;IAChE,MAAM,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC,CAAC;IAC3B,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;QAC9B,MAAM,IAAI,KAAK,CAAC,sDAAsD,KAAK,EAAE,CAAC,CAAC;IACjF,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC;AAED,SAAS,mBAAmB,CAAC,KAA8B,EAAE,KAAa;IACxE,MAAM,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC,CAAC;IAC3B,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;QAC3D,MAAM,IAAI,KAAK,CAAC,8CAA8C,KAAK,EAAE,CAAC,CAAC;IACzE,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC;AAED,SAAS,WAAW,CAClB,KAA8B,EAC9B,KAAa;IAEb,MAAM,KAAK,GAAG,WAAW,CAAC,KAAK,EAAE,KAAK,CAAC,CAAC;IACxC,IAAI,KAAK,KAAK,SAAS,IAAI,KAAK,KAAK,UAAU,IAAI,KAAK,KAAK,UAAU,IAAI,KAAK,KAAK,SAAS,EAAE,CAAC;QAC/F,MAAM,IAAI,KAAK,CAAC,yCAAyC,KAAK,EAAE,CAAC,CAAC;IACpE,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC"}

package/dist/security/epoch-protocol.d.ts

@@ -0,0 +1,181 @@
+export declare const USER_EPOCH_SCHEMA = "viewport.user_crypto_epoch/v1";
+export declare const TEAM_EPOCH_SCHEMA = "viewport.team_crypto_epoch/v1";
+export declare const DEVICE_ENROLLMENT_SCHEMA = "viewport.device_enrollment/v1";
+export declare const RESOURCE_GRANT_SCHEMA = "viewport.resource_key_grant/v1";
+export declare const WRAPPED_KEY_ENVELOPE_SCHEMA = "viewport.wrapped_key_envelope/v1";
+export declare const TRUSTED_EDGE_CRYPTO_PROTOCOL_HEADER = "X-Viewport-Crypto-Protocol";
+export declare const TRUSTED_EDGE_CRYPTO_PROTOCOL_VERSION = "viewport.trusted_edge_crypto/v2";
+export type JsonValue = null | boolean | number | string | JsonValue[] | {
+    [key: string]: JsonValue;
+};
+export interface EpochDescriptor {
+    schema: typeof USER_EPOCH_SCHEMA | typeof TEAM_EPOCH_SCHEMA;
+    workspaceId: string;
+    subjectType: 'user' | 'team';
+    subjectId: string;
+    epoch: number;
+    encryptionPublicKeyJwk: JsonValue;
+    signingPublicKeyJwk: JsonValue;
+    previousEpochFingerprint?: string | null;
+    createdAt: string;
+}
+export interface DeviceEnrollmentRequest {
+    schema: typeof DEVICE_ENROLLMENT_SCHEMA;
+    workspaceId: string;
+    deviceId: string;
+    deviceLabel: string;
+    encryptionPublicKeyJwk: JsonValue;
+    signingPublicKeyJwk: JsonValue;
+    nonce: string;
+}
+export interface SignedDeviceEnrollmentRequest {
+    payload: DeviceEnrollmentRequest;
+    signature: string;
+}
+export interface UserEpochDeviceMaterializationPayload {
+    schema: 'viewport.user_epoch_device_materialization/v1';
+    workspaceId: string;
+    userId: string;
+    enrollmentId: string;
+    grantId: string;
+    userCryptoEpochId: string;
+    userEpochFingerprint: string;
+    recipientFingerprint: string;
+}
+export interface SignedUserEpochDeviceMaterialization {
+    payload: UserEpochDeviceMaterializationPayload;
+    signature: string;
+    signedByUserEpochFingerprint: string;
+}
+export interface TeamEpochMemberMaterializationPayload {
+    schema: 'viewport.team_epoch_member_materialization/v1';
+    workspaceId: string;
+    grantId: string;
+    teamCryptoEpochId: string;
+    teamEpochFingerprint: string;
+    recipientUserCryptoEpochId: string;
+    recipientUserEpochFingerprint: string;
+}
+export interface SignedTeamEpochMemberMaterialization {
+    payload: TeamEpochMemberMaterializationPayload;
+    signature: string;
+    signedByTeamEpochFingerprint: string;
+}
+export interface ContextGrantMaterializationPayload {
+    schema: 'viewport.context_vault_grant_materialization/v1';
+    workspaceId: string;
+    contextResourceId: string;
+    grantEventId: string;
+    recipientName: string;
+    keyEpoch: number | null;
+}
+export interface SignedContextGrantMaterialization {
+    payload: ContextGrantMaterializationPayload;
+    signature: string;
+    signedByEpochFingerprint: string;
+}
+export interface SignedEpochTransition {
+    payload: EpochTransitionPayload;
+    signature: string;
+    signedByEpochFingerprint: string;
+}
+export interface WrappedKeyEnvelope {
+    schema: typeof WRAPPED_KEY_ENVELOPE_SCHEMA;
+    alg: 'x25519-hkdf-sha256-aes-256-gcm';
+    ephemeralPublicKeyJwk: JsonValue;
+    iv: string;
+    ciphertext: string;
+    tag: string;
+    aadDigest: string;
+    createdAt: string;
+}
+export interface EpochTransitionPayload {
+    schema: 'viewport.epoch_transition/v1';
+    workspaceId: string;
+    subjectType: 'user' | 'team';
+    subjectId: string;
+    fromEpoch: number;
+    fromEpochFingerprint: string;
+    toEpoch: number;
+    toEpochFingerprint: string;
+    reason: 'initial' | 'device_enrolled' | 'device_revoked' | 'member_added' | 'member_revoked' | 'manual_rotation' | 'recovery';
+    createdAt: string;
+}
+export declare function canonicalJson(value: unknown): string;
+export declare function sha256Base64Url(value: string | Buffer): string;
+export declare function fingerprintPayload(value: JsonValue): string;
+export declare function epochFingerprint(epoch: EpochDescriptor): string;
+export declare function deviceEnrollmentFingerprint(request: DeviceEnrollmentRequest): string;
+export declare function signDeviceEnrollmentRequest(input: {
+    payload: DeviceEnrollmentRequest;
+    signingPrivateKeyJwk: JsonValue;
+}): SignedDeviceEnrollmentRequest;
+export declare function userEpochDeviceMaterializationPayload(input: {
+    workspaceId: string;
+    userId: string;
+    enrollmentId: string;
+    grantId: string;
+    userCryptoEpochId: string;
+    userEpochFingerprint: string;
+    recipientFingerprint: string;
+}): UserEpochDeviceMaterializationPayload;
+export declare function signUserEpochDeviceMaterialization(input: {
+    payload: UserEpochDeviceMaterializationPayload;
+    signingPrivateKeyJwk: JsonValue;
+    signedByUserEpochFingerprint: string;
+}): SignedUserEpochDeviceMaterialization;
+export declare function teamEpochMemberMaterializationPayload(input: {
+    workspaceId: string;
+    grantId: string;
+    teamCryptoEpochId: string;
+    teamEpochFingerprint: string;
+    recipientUserCryptoEpochId: string;
+    recipientUserEpochFingerprint: string;
+}): TeamEpochMemberMaterializationPayload;
+export declare function signTeamEpochMemberMaterialization(input: {
+    payload: TeamEpochMemberMaterializationPayload;
+    signingPrivateKeyJwk: JsonValue;
+    signedByTeamEpochFingerprint: string;
+}): SignedTeamEpochMemberMaterialization;
+export declare function contextGrantMaterializationPayload(input: {
+    workspaceId: string;
+    contextResourceId: string;
+    grantEventId: string;
+    recipientName: string;
+    keyEpoch: number | null;
+}): ContextGrantMaterializationPayload;
+export declare function signContextGrantMaterialization(input: {
+    payload: ContextGrantMaterializationPayload;
+    signingPrivateKeyJwk: JsonValue;
+    signedByEpochFingerprint: string;
+}): SignedContextGrantMaterialization;
+export declare function epochTransitionPayload(input: {
+    from: EpochDescriptor;
+    to: EpochDescriptor;
+    reason: EpochTransitionPayload['reason'];
+    createdAt: string;
+}): EpochTransitionPayload;
+export declare function signEpochTransition(input: {
+    payload: EpochTransitionPayload;
+    signingPrivateKeyJwk: JsonValue;
+    signedByEpochFingerprint: string;
+}): SignedEpochTransition;
+export declare function verifyEpochTransition(input: {
+    signed: SignedEpochTransition;
+    signingPublicKeyJwk: JsonValue;
+    expectedFromEpochFingerprint: string;
+    expectedToEpochFingerprint: string;
+}): boolean;
+export declare function wrapJsonForX25519Recipient(input: {
+    recipientPublicKeyJwk: JsonValue;
+    payload: JsonValue;
+    aad: JsonValue;
+    createdAt?: string;
+}): WrappedKeyEnvelope;
+export declare function unwrapJsonFromX25519Envelope(input: {
+    recipientPrivateKeyJwk: JsonValue;
+    envelope: WrappedKeyEnvelope;
+    aad: JsonValue;
+}): JsonValue;
+export declare function assertNoPrivateKeyMaterial(value: JsonValue, path?: string): void;
+//# sourceMappingURL=epoch-protocol.d.ts.map

package/dist/security/epoch-protocol.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"epoch-protocol.d.ts","sourceRoot":"","sources":["../../src/security/epoch-protocol.ts"],"names":[],"mappings":"AAEA,eAAO,MAAM,iBAAiB,kCAAkC,CAAC;AACjE,eAAO,MAAM,iBAAiB,kCAAkC,CAAC;AACjE,eAAO,MAAM,wBAAwB,kCAAkC,CAAC;AACxE,eAAO,MAAM,qBAAqB,mCAAmC,CAAC;AACtE,eAAO,MAAM,2BAA2B,qCAAqC,CAAC;AAC9E,eAAO,MAAM,mCAAmC,+BAA+B,CAAC;AAChF,eAAO,MAAM,oCAAoC,oCAAoC,CAAC;AAEtF,MAAM,MAAM,SAAS,GACjB,IAAI,GACJ,OAAO,GACP,MAAM,GACN,MAAM,GACN,SAAS,EAAE,GACX;IAAE,CAAC,GAAG,EAAE,MAAM,GAAG,SAAS,CAAA;CAAE,CAAC;AAEjC,MAAM,WAAW,eAAe;IAC9B,MAAM,EAAE,OAAO,iBAAiB,GAAG,OAAO,iBAAiB,CAAC;IAC5D,WAAW,EAAE,MAAM,CAAC;IACpB,WAAW,EAAE,MAAM,GAAG,MAAM,CAAC;IAC7B,SAAS,EAAE,MAAM,CAAC;IAClB,KAAK,EAAE,MAAM,CAAC;IACd,sBAAsB,EAAE,SAAS,CAAC;IAClC,mBAAmB,EAAE,SAAS,CAAC;IAC/B,wBAAwB,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IACzC,SAAS,EAAE,MAAM,CAAC;CACnB;AAED,MAAM,WAAW,uBAAuB;IACtC,MAAM,EAAE,OAAO,wBAAwB,CAAC;IACxC,WAAW,EAAE,MAAM,CAAC;IACpB,QAAQ,EAAE,MAAM,CAAC;IACjB,WAAW,EAAE,MAAM,CAAC;IACpB,sBAAsB,EAAE,SAAS,CAAC;IAClC,mBAAmB,EAAE,SAAS,CAAC;IAC/B,KAAK,EAAE,MAAM,CAAC;CACf;AAED,MAAM,WAAW,6BAA6B;IAC5C,OAAO,EAAE,uBAAuB,CAAC;IACjC,SAAS,EAAE,MAAM,CAAC;CACnB;AAED,MAAM,WAAW,qCAAqC;IACpD,MAAM,EAAE,+CAA+C,CAAC;IACxD,WAAW,EAAE,MAAM,CAAC;IACpB,MAAM,EAAE,MAAM,CAAC;IACf,YAAY,EAAE,MAAM,CAAC;IACrB,OAAO,EAAE,MAAM,CAAC;IAChB,iBAAiB,EAAE,MAAM,CAAC;IAC1B,oBAAoB,EAAE,MAAM,CAAC;IAC7B,oBAAoB,EAAE,MAAM,CAAC;CAC9B;AAED,MAAM,WAAW,oCAAoC;IACnD,OAAO,EAAE,qCAAqC,CAAC;IAC/C,SAAS,EAAE,MAAM,CAAC;IAClB,4BAA4B,EAAE,MAAM,CAAC;CACtC;AAED,MAAM,WAAW,qCAAqC;IACpD,MAAM,EAAE,+CAA+C,CAAC;IACxD,WAAW,EAAE,MAAM,CAAC;IACpB,OAAO,EAAE,MAAM,CAAC;IAChB,iBAAiB,EAAE,MAAM,CAAC;IAC1B,oBAAoB,EAAE,MAAM,CAAC;IAC7B,0BAA0B,EAAE,MAAM,CAAC;IACnC,6BAA6B,EAAE,MAAM,CAAC;CACvC;AAED,MAAM,WAAW,oCAAoC;IACnD,OAAO,EAAE,qCAAqC,CAAC;IAC/C,SAAS,EAAE,MAAM,CAAC;IAClB,4BAA4B,EAAE,MAAM,CAAC;CACtC;AAED,MAAM,WAAW,kCAAkC;IACjD,MAAM,EAAE,iDAAiD,CAAC;IAC1D,WAAW,EAAE,MAAM,CAAC;IACpB,iBAAiB,EAAE,MAAM,CAAC;IAC1B,YAAY,EAAE,MAAM,CAAC;IACrB,aAAa,EAAE,MAAM,CAAC;IACtB,QAAQ,EAAE,MAAM,GAAG,IAAI,CAAC;CACzB;AAED,MAAM,WAAW,iCAAiC;IAChD,OAAO,EAAE,kCAAkC,CAAC;IAC5C,SAAS,EAAE,MAAM,CAAC;IAClB,wBAAwB,EAAE,MAAM,CAAC;CAClC;AAED,MAAM,WAAW,qBAAqB;IACpC,OAAO,EAAE,sBAAsB,CAAC;IAChC,SAAS,EAAE,MAAM,CAAC;IAClB,wBAAwB,EAAE,MAAM,CAAC;CAClC;AAED,MAAM,WAAW,kBAAkB;IACjC,MAAM,EAAE,OAAO,2BAA2B,CAAC;IAC3C,GAAG,EAAE,gCAAgC,CAAC;IACtC,qBAAqB,EAAE,SAAS,CAAC;IACjC,EAAE,EAAE,MAAM,CAAC;IACX,UAAU,EAAE,MAAM,CAAC;IACnB,GAAG,EAAE,MAAM,CAAC;IACZ,SAAS,EAAE,MAAM,CAAC;IAClB,SAAS,EAAE,MAAM,CAAC;CACnB;AAED,MAAM,WAAW,sBAAsB;IACrC,MAAM,EAAE,8BAA8B,CAAC;IACvC,WAAW,EAAE,MAAM,CAAC;IACpB,WAAW,EAAE,MAAM,GAAG,MAAM,CAAC;IAC7B,SAAS,EAAE,MAAM,CAAC;IAClB,SAAS,EAAE,MAAM,CAAC;IAClB,oBAAoB,EAAE,MAAM,CAAC;IAC7B,OAAO,EAAE,MAAM,CAAC;IAChB,kBAAkB,EAAE,MAAM,CAAC;IAC3B,MAAM,EACF,SAAS,GACT,iBAAiB,GACjB,gBAAgB,GAChB,cAAc,GACd,gBAAgB,GAChB,iBAAiB,GACjB,UAAU,CAAC;IACf,SAAS,EAAE,MAAM,CAAC;CACnB;AAiBD,wBAAgB,aAAa,CAAC,KAAK,EAAE,OAAO,GAAG,MAAM,CAEpD;AAED,wBAAgB,eAAe,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM,GAAG,MAAM,CAE9D;AAED,wBAAgB,kBAAkB,CAAC,KAAK,EAAE,SAAS,GAAG,MAAM,CAE3D;AAED,wBAAgB,gBAAgB,CAAC,KAAK,EAAE,eAAe,GAAG,MAAM,CAW/D;AAED,wBAAgB,2BAA2B,CAAC,OAAO,EAAE,uBAAuB,GAAG,MAAM,CAYpF;AAED,wBAAgB,2BAA2B,CAAC,KAAK,EAAE;IACjD,OAAO,EAAE,uBAAuB,CAAC;IACjC,oBAAoB,EAAE,SAAS,CAAC;CACjC,GAAG,6BAA6B,CAWhC;AAED,wBAAgB,qCAAqC,CAAC,KAAK,EAAE;IAC3D,WAAW,EAAE,MAAM,CAAC;IACpB,MAAM,EAAE,MAAM,CAAC;IACf,YAAY,EAAE,MAAM,CAAC;IACrB,OAAO,EAAE,MAAM,CAAC;IAChB,iBAAiB,EAAE,MAAM,CAAC;IAC1B,oBAAoB,EAAE,MAAM,CAAC;IAC7B,oBAAoB,EAAE,MAAM,CAAC;CAC9B,GAAG,qCAAqC,CAWxC;AAED,wBAAgB,kCAAkC,CAAC,KAAK,EAAE;IACxD,OAAO,EAAE,qCAAqC,CAAC;IAC/C,oBAAoB,EAAE,SAAS,CAAC;IAChC,4BAA4B,EAAE,MAAM,CAAC;CACtC,GAAG,oCAAoC,CAYvC;AAED,wBAAgB,qCAAqC,CAAC,KAAK,EAAE;IAC3D,WAAW,EAAE,MAAM,CAAC;IACpB,OAAO,EAAE,MAAM,CAAC;IAChB,iBAAiB,EAAE,MAAM,CAAC;IAC1B,oBAAoB,EAAE,MAAM,CAAC;IAC7B,0BAA0B,EAAE,MAAM,CAAC;IACnC,6BAA6B,EAAE,MAAM,CAAC;CACvC,GAAG,qCAAqC,CAUxC;AAED,wBAAgB,kCAAkC,CAAC,KAAK,EAAE;IACxD,OAAO,EAAE,qCAAqC,CAAC;IAC/C,oBAAoB,EAAE,SAAS,CAAC;IAChC,4BAA4B,EAAE,MAAM,CAAC;CACtC,GAAG,oCAAoC,CAYvC;AAED,wBAAgB,kCAAkC,CAAC,KAAK,EAAE;IACxD,WAAW,EAAE,MAAM,CAAC;IACpB,iBAAiB,EAAE,MAAM,CAAC;IAC1B,YAAY,EAAE,MAAM,CAAC;IACrB,aAAa,EAAE,MAAM,CAAC;IACtB,QAAQ,EAAE,MAAM,GAAG,IAAI,CAAC;CACzB,GAAG,kCAAkC,CASrC;AAED,wBAAgB,+BAA+B,CAAC,KAAK,EAAE;IACrD,OAAO,EAAE,kCAAkC,CAAC;IAC5C,oBAAoB,EAAE,SAAS,CAAC;IAChC,wBAAwB,EAAE,MAAM,CAAC;CAClC,GAAG,iCAAiC,CAYpC;AAED,wBAAgB,sBAAsB,CAAC,KAAK,EAAE;IAC5C,IAAI,EAAE,eAAe,CAAC;IACtB,EAAE,EAAE,eAAe,CAAC;IACpB,MAAM,EAAE,sBAAsB,CAAC,QAAQ,CAAC,CAAC;IACzC,SAAS,EAAE,MAAM,CAAC;CACnB,GAAG,sBAAsB,CA0BzB;AAED,wBAAgB,mBAAmB,CAAC,KAAK,EAAE;IACzC,OAAO,EAAE,sBAAsB,CAAC;IAChC,oBAAoB,EAAE,SAAS,CAAC;IAChC,wBAAwB,EAAE,MAAM,CAAC;CAClC,GAAG,qBAAqB,CAaxB;AAED,wBAAgB,qBAAqB,CAAC,KAAK,EAAE;IAC3C,MAAM,EAAE,qBAAqB,CAAC;IAC9B,mBAAmB,EAAE,SAAS,CAAC;IAC/B,4BAA4B,EAAE,MAAM,CAAC;IACrC,0BAA0B,EAAE,MAAM,CAAC;CACpC,GAAG,OAAO,CAeV;AAED,wBAAgB,0BAA0B,CAAC,KAAK,EAAE;IAChD,qBAAqB,EAAE,SAAS,CAAC;IACjC,OAAO,EAAE,SAAS,CAAC;IACnB,GAAG,EAAE,SAAS,CAAC;IACf,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB,GAAG,kBAAkB,CA8BrB;AAED,wBAAgB,4BAA4B,CAAC,KAAK,EAAE;IAClD,sBAAsB,EAAE,SAAS,CAAC;IAClC,QAAQ,EAAE,kBAAkB,CAAC;IAC7B,GAAG,EAAE,SAAS,CAAC;CAChB,GAAG,SAAS,CAmCZ;AAED,wBAAgB,0BAA0B,CAAC,KAAK,EAAE,SAAS,EAAE,IAAI,SAAM,GAAG,IAAI,CAa7E"}