@viewportai/daemon 0.5.3 → 0.6.0

package/dist/security/epoch-recovery.js

@@ -0,0 +1,314 @@
+import crypto from 'node:crypto';
+import { transportFetch } from '../cli/network.js';
+import { configDir } from '../core/config.js';
+import { getActiveLocalUserEpoch, upsertLocalUserEpoch, } from './epoch-store.js';
+import { canonicalJson, fingerprintPayload, TRUSTED_EDGE_CRYPTO_PROTOCOL_HEADER, TRUSTED_EDGE_CRYPTO_PROTOCOL_VERSION, } from './epoch-protocol.js';
+import { rotateUserCryptoEpoch } from './epoch-sync.js';
+export const USER_EPOCH_RECOVERY_BACKUP_SCHEMA = 'viewport.user_epoch_recovery_backup/v1';
+const USER_EPOCH_RECOVERY_PAYLOAD_SCHEMA = 'viewport.user_epoch_recovery_payload/v1';
+const USER_EPOCH_RECOVERY_ENVELOPE_SCHEMA = 'viewport.user_epoch_recovery_envelope/v1';
+const RECOVERY_KDF = 'scrypt-sha256/v1';
+export function generateUserEpochRecoveryKey() {
+    return `vprk_${crypto.randomBytes(32).toString('base64url')}`;
+}
+export async function createUserEpochRecoveryBackup(options) {
+    const epoch = await getActiveLocalUserEpoch(options.target.workspaceId, options.home);
+    if (!epoch?.platformEpochId) {
+        throw new Error('Active local user epoch with platform id is required before backup.');
+    }
+    const payload = {
+        schema: USER_EPOCH_RECOVERY_PAYLOAD_SCHEMA,
+        workspaceId: epoch.workspaceId,
+        userId: epoch.userId,
+        userCryptoEpochId: epoch.platformEpochId,
+        userEpochFingerprint: epoch.fingerprint,
+        epoch: {
+            workspaceId: epoch.workspaceId,
+            userId: epoch.userId,
+            platformEpochId: epoch.platformEpochId,
+            epoch: epoch.epoch,
+            schema: epoch.schema,
+            status: 'active',
+            encryptionPublicKeyJwk: epoch.encryptionPublicKeyJwk,
+            encryptionPrivateKeyJwk: epoch.encryptionPrivateKeyJwk,
+            signingPublicKeyJwk: epoch.signingPublicKeyJwk,
+            signingPrivateKeyJwk: epoch.signingPrivateKeyJwk,
+            fingerprint: epoch.fingerprint,
+            previousEpochFingerprint: epoch.previousEpochFingerprint ?? null,
+        },
+    };
+    const kdfParams = recoveryKdfParams();
+    const aad = recoveryAad(payload);
+    const encryptedPayload = encryptRecoveryPayload({
+        recoveryKey: options.recoveryKey,
+        kdfParams,
+        aad,
+        payload,
+    });
+    const response = await postJson(options.fetchImpl ?? transportFetch, `${runtimeBaseUrl(options.target)}/crypto/user-key-backups`, {
+        credential: options.target.credential,
+        schema: USER_EPOCH_RECOVERY_BACKUP_SCHEMA,
+        user_crypto_epoch_id: epoch.platformEpochId,
+        kdf: RECOVERY_KDF,
+        kdf_params: kdfParams,
+        encrypted_payload: encryptedPayload,
+    }, options.target);
+    return userKeyBackupResponse(response);
+}
+export async function restoreUserEpochFromRecoveryBackup(options) {
+    const fetchImpl = options.fetchImpl ?? transportFetch;
+    const backup = userKeyBackupResponse(await getJson(fetchImpl, `${runtimeBaseUrl(options.target)}/crypto/user-key-backups/latest`, options.target));
+    const payload = decryptRecoveryPayload({
+        recoveryKey: options.recoveryKey,
+        kdfParams: backup.kdf_params,
+        envelope: backup.encrypted_payload,
+    });
+    if (payload.workspaceId !== options.target.workspaceId ||
+        payload.userCryptoEpochId !== backup.user_crypto_epoch_id ||
+        payload.userEpochFingerprint !== payload.epoch.fingerprint) {
+        throw new Error('Recovery backup payload does not match the backup metadata.');
+    }
+    const restoredEpoch = await upsertLocalUserEpoch(payload.epoch, options.home ?? configDir());
+    const rotatedEpoch = await rotateUserCryptoEpoch({
+        target: options.target,
+        reason: 'recovery',
+        home: options.home,
+        fetchImpl,
+    });
+    const rotatedBackup = await createUserEpochRecoveryBackup({
+        target: options.target,
+        recoveryKey: options.recoveryKey,
+        home: options.home,
+        fetchImpl,
+    });
+    return { backup, restoredEpoch, rotatedEpoch, rotatedBackup };
+}
+function encryptRecoveryPayload(input) {
+    const iv = crypto.randomBytes(12);
+    const aad = Buffer.from(canonicalJson(input.aad));
+    const cipher = crypto.createCipheriv('aes-256-gcm', deriveRecoveryKey(input.recoveryKey, input.kdfParams), iv);
+    cipher.setAAD(aad);
+    const ciphertext = Buffer.concat([
+        cipher.update(Buffer.from(canonicalJson(input.payload))),
+        cipher.final(),
+    ]);
+    return {
+        schema: USER_EPOCH_RECOVERY_ENVELOPE_SCHEMA,
+        alg: 'aes-256-gcm',
+        aad: input.aad,
+        iv: iv.toString('base64url'),
+        ciphertext: ciphertext.toString('base64url'),
+        tag: cipher.getAuthTag().toString('base64url'),
+        aadDigest: fingerprintPayload(input.aad),
+        createdAt: new Date().toISOString(),
+    };
+}
+function decryptRecoveryPayload(input) {
+    if (input.envelope.schema !== USER_EPOCH_RECOVERY_ENVELOPE_SCHEMA) {
+        throw new Error('Unsupported recovery envelope schema.');
+    }
+    if (input.envelope.alg !== 'aes-256-gcm') {
+        throw new Error('Unsupported recovery envelope algorithm.');
+    }
+    const aad = input.envelope.aad;
+    const decipher = crypto.createDecipheriv('aes-256-gcm', deriveRecoveryKey(input.recoveryKey, input.kdfParams), Buffer.from(input.envelope.iv, 'base64url'));
+    decipher.setAAD(Buffer.from(canonicalJson(aad)));
+    decipher.setAuthTag(Buffer.from(input.envelope.tag, 'base64url'));
+    const plaintext = Buffer.concat([
+        decipher.update(Buffer.from(input.envelope.ciphertext, 'base64url')),
+        decipher.final(),
+    ]);
+    const payload = recoveryBackupPayload(JSON.parse(plaintext.toString('utf8')));
+    const expectedAad = recoveryAad(payload);
+    if (input.envelope.aadDigest !== fingerprintPayload(expectedAad)) {
+        throw new Error('Recovery backup AAD mismatch.');
+    }
+    return payload;
+}
+function recoveryAad(payload) {
+    return {
+        schema: USER_EPOCH_RECOVERY_BACKUP_SCHEMA,
+        workspaceId: payload.workspaceId,
+        userId: payload.userId,
+        userCryptoEpochId: payload.userCryptoEpochId,
+        userEpochFingerprint: payload.userEpochFingerprint,
+    };
+}
+function recoveryKdfParams() {
+    return {
+        salt: crypto.randomBytes(16).toString('base64url'),
+        keyLength: 32,
+        N: 32768,
+        r: 8,
+        p: 1,
+    };
+}
+function deriveRecoveryKey(recoveryKey, params) {
+    return crypto.scryptSync(recoveryKey, Buffer.from(params.salt, 'base64url'), params.keyLength, {
+        N: params.N,
+        r: params.r,
+        p: params.p,
+        maxmem: 128 * 1024 * 1024,
+    });
+}
+function runtimeBaseUrl(target) {
+    return `${target.serverUrl.replace(/\/+$/, '')}/api/runtime/workspaces/${encodeURIComponent(target.workspaceId)}`;
+}
+async function getJson(fetchImpl, url, transportOptions) {
+    const requestUrl = new URL(url);
+    requestUrl.searchParams.set('credential', transportOptions.credential);
+    const response = await fetchImpl(requestUrl.toString(), {
+        method: 'GET',
+        headers: trustedEdgeCryptoHeaders(),
+        timeoutMs: 5_000,
+        tlsVerify: transportOptions.tlsVerify,
+        caCertPath: transportOptions.caCertPath,
+        tlsPins: transportOptions.tlsPins,
+    });
+    const payload = await response.json().catch(() => null);
+    if (!response.ok) {
+        const message = payload && typeof payload === 'object' && 'message' in payload
+            ? String(payload.message)
+            : `${response.status} ${response.statusText}`;
+        throw new Error(`Recovery backup sync failed: ${message}`);
+    }
+    return payload;
+}
+async function postJson(fetchImpl, url, body, transportOptions) {
+    const response = await fetchImpl(url, {
+        method: 'POST',
+        headers: trustedEdgeCryptoHeaders({ 'content-type': 'application/json' }),
+        body: JSON.stringify(body),
+        timeoutMs: 5_000,
+        tlsVerify: transportOptions.tlsVerify,
+        caCertPath: transportOptions.caCertPath,
+        tlsPins: transportOptions.tlsPins,
+    });
+    const payload = await response.json().catch(() => null);
+    if (!response.ok) {
+        const message = payload && typeof payload === 'object' && 'message' in payload
+            ? String(payload.message)
+            : `${response.status} ${response.statusText}`;
+        throw new Error(`Recovery backup sync failed: ${message}`);
+    }
+    return payload;
+}
+function trustedEdgeCryptoHeaders(extra = {}) {
+    return {
+        accept: 'application/json',
+        [TRUSTED_EDGE_CRYPTO_PROTOCOL_HEADER]: TRUSTED_EDGE_CRYPTO_PROTOCOL_VERSION,
+        ...extra,
+    };
+}
+function userKeyBackupResponse(value) {
+    const data = objectField(value, 'data');
+    const schema = stringField(data, 'schema');
+    const kdf = stringField(data, 'kdf');
+    if (schema !== USER_EPOCH_RECOVERY_BACKUP_SCHEMA) {
+        throw new Error(`Unsupported recovery backup schema: ${schema}`);
+    }
+    if (kdf !== RECOVERY_KDF) {
+        throw new Error(`Unsupported recovery backup KDF: ${kdf}`);
+    }
+    return {
+        id: stringField(data, 'id'),
+        workspace_id: stringField(data, 'workspace_id'),
+        user_id: numberOrStringField(data, 'user_id'),
+        user_crypto_epoch_id: stringField(data, 'user_crypto_epoch_id'),
+        schema,
+        status: stringField(data, 'status'),
+        kdf,
+        kdf_params: recoveryKdfParamsResponse(objectField(data, 'kdf_params')),
+        encrypted_payload: recoveryEnvelope(objectField(data, 'encrypted_payload')),
+        created_at: typeof data.created_at === 'string' ? data.created_at : null,
+    };
+}
+function recoveryKdfParamsResponse(value) {
+    return {
+        salt: stringField(value, 'salt'),
+        keyLength: numberField(value, 'keyLength'),
+        N: numberField(value, 'N'),
+        r: numberField(value, 'r'),
+        p: numberField(value, 'p'),
+    };
+}
+function recoveryEnvelope(value) {
+    return {
+        schema: expectLiteral(stringField(value, 'schema'), USER_EPOCH_RECOVERY_ENVELOPE_SCHEMA, 'recovery envelope schema'),
+        alg: expectLiteral(stringField(value, 'alg'), 'aes-256-gcm', 'recovery envelope algorithm'),
+        aad: (value.aad ?? null),
+        iv: stringField(value, 'iv'),
+        ciphertext: stringField(value, 'ciphertext'),
+        tag: stringField(value, 'tag'),
+        aadDigest: stringField(value, 'aadDigest'),
+        createdAt: stringField(value, 'createdAt'),
+    };
+}
+function recoveryBackupPayload(value) {
+    const data = objectValue(value);
+    return {
+        schema: expectLiteral(stringField(data, 'schema'), USER_EPOCH_RECOVERY_PAYLOAD_SCHEMA, 'recovery payload schema'),
+        workspaceId: stringField(data, 'workspaceId'),
+        userId: stringField(data, 'userId'),
+        userCryptoEpochId: stringField(data, 'userCryptoEpochId'),
+        userEpochFingerprint: stringField(data, 'userEpochFingerprint'),
+        epoch: localUserEpochPayload(objectField(data, 'epoch')),
+    };
+}
+function localUserEpochPayload(data) {
+    return {
+        workspaceId: stringField(data, 'workspaceId'),
+        userId: stringField(data, 'userId'),
+        platformEpochId: typeof data.platformEpochId === 'string' ? data.platformEpochId : null,
+        epoch: numberField(data, 'epoch'),
+        schema: 'viewport.user_crypto_epoch/v1',
+        status: 'active',
+        encryptionPublicKeyJwk: objectField(data, 'encryptionPublicKeyJwk'),
+        encryptionPrivateKeyJwk: objectField(data, 'encryptionPrivateKeyJwk'),
+        signingPublicKeyJwk: objectField(data, 'signingPublicKeyJwk'),
+        signingPrivateKeyJwk: objectField(data, 'signingPrivateKeyJwk'),
+        fingerprint: stringField(data, 'fingerprint'),
+        previousEpochFingerprint: typeof data.previousEpochFingerprint === 'string' ? data.previousEpochFingerprint : null,
+    };
+}
+function objectField(value, field) {
+    const object = objectValue(value);
+    const child = object[field];
+    if (!child || typeof child !== 'object' || Array.isArray(child)) {
+        throw new Error(`Recovery backup response did not include ${field}`);
+    }
+    return child;
+}
+function objectValue(value) {
+    if (!value || typeof value !== 'object' || Array.isArray(value)) {
+        throw new Error('Expected recovery backup object.');
+    }
+    return value;
+}
+function stringField(value, field) {
+    const child = value[field];
+    if (typeof child !== 'string' || child.trim().length === 0) {
+        throw new Error(`Recovery backup response did not include ${field}`);
+    }
+    return child;
+}
+function numberField(value, field) {
+    const child = value[field];
+    if (typeof child !== 'number') {
+        throw new Error(`Recovery backup response did not include numeric ${field}`);
+    }
+    return child;
+}
+function numberOrStringField(value, field) {
+    const child = value[field];
+    if (typeof child !== 'number' && typeof child !== 'string') {
+        throw new Error(`Recovery backup response did not include ${field}`);
+    }
+    return child;
+}
+function expectLiteral(value, expected, label) {
+    if (value !== expected)
+        throw new Error(`Unsupported ${label}: ${value}`);
+    return expected;
+}
+//# sourceMappingURL=epoch-recovery.js.map

package/dist/security/epoch-recovery.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"epoch-recovery.js","sourceRoot":"","sources":["../../src/security/epoch-recovery.ts"],"names":[],"mappings":"AAAA,OAAO,MAAM,MAAM,aAAa,CAAC;AACjC,OAAO,EAAE,cAAc,EAAE,MAAM,mBAAmB,CAAC;AACnD,OAAO,EAAE,SAAS,EAAE,MAAM,mBAAmB,CAAC;AAC9C,OAAO,EACL,uBAAuB,EACvB,oBAAoB,GAErB,MAAM,kBAAkB,CAAC;AAC1B,OAAO,EACL,aAAa,EACb,kBAAkB,EAClB,mCAAmC,EACnC,oCAAoC,GAErC,MAAM,qBAAqB,CAAC;AAC7B,OAAO,EAAE,qBAAqB,EAA8B,MAAM,iBAAiB,CAAC;AAEpF,MAAM,CAAC,MAAM,iCAAiC,GAAG,wCAAwC,CAAC;AAC1F,MAAM,kCAAkC,GAAG,yCAAyC,CAAC;AACrF,MAAM,mCAAmC,GAAG,0CAA0C,CAAC;AACvF,MAAM,YAAY,GAAG,kBAAkB,CAAC;AA2CxC,MAAM,UAAU,4BAA4B;IAC1C,OAAO,QAAQ,MAAM,CAAC,WAAW,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC,EAAE,CAAC;AAChE,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,6BAA6B,CAAC,OAKnD;IACC,MAAM,KAAK,GAAG,MAAM,uBAAuB,CAAC,OAAO,CAAC,MAAM,CAAC,WAAW,EAAE,OAAO,CAAC,IAAI,CAAC,CAAC;IACtF,IAAI,CAAC,KAAK,EAAE,eAAe,EAAE,CAAC;QAC5B,MAAM,IAAI,KAAK,CAAC,qEAAqE,CAAC,CAAC;IACzF,CAAC;IAED,MAAM,OAAO,GAA0B;QACrC,MAAM,EAAE,kCAAkC;QAC1C,WAAW,EAAE,KAAK,CAAC,WAAW;QAC9B,MAAM,EAAE,KAAK,CAAC,MAAM;QACpB,iBAAiB,EAAE,KAAK,CAAC,eAAe;QACxC,oBAAoB,EAAE,KAAK,CAAC,WAAW;QACvC,KAAK,EAAE;YACL,WAAW,EAAE,KAAK,CAAC,WAAW;YAC9B,MAAM,EAAE,KAAK,CAAC,MAAM;YACpB,eAAe,EAAE,KAAK,CAAC,eAAe;YACtC,KAAK,EAAE,KAAK,CAAC,KAAK;YAClB,MAAM,EAAE,KAAK,CAAC,MAAM;YACpB,MAAM,EAAE,QAAQ;YAChB,sBAAsB,EAAE,KAAK,CAAC,sBAAsB;YACpD,uBAAuB,EAAE,KAAK,CAAC,uBAAuB;YACtD,mBAAmB,EAAE,KAAK,CAAC,mBAAmB;YAC9C,oBAAoB,EAAE,KAAK,CAAC,oBAAoB;YAChD,WAAW,EAAE,KAAK,CAAC,WAAW;YAC9B,wBAAwB,EAAE,KAAK,CAAC,wBAAwB,IAAI,IAAI;SACjE;KACF,CAAC;IACF,MAAM,SAAS,GAAG,iBAAiB,EAAE,CAAC;IACtC,MAAM,GAAG,GAAG,WAAW,CAAC,OAAO,CAAC,CAAC;IACjC,MAAM,gBAAgB,GAAG,sBAAsB,CAAC;QAC9C,WAAW,EAAE,OAAO,CAAC,WAAW;QAChC,SAAS;QACT,GAAG;QACH,OAAO;KACR,CAAC,CAAC;IACH,MAAM,QAAQ,GAAG,MAAM,QAAQ,CAC7B,OAAO,CAAC,SAAS,IAAI,cAAc,EACnC,GAAG,cAAc,CAAC,OAAO,CAAC,MAAM,CAAC,0BAA0B,EAC3D;QACE,UAAU,EAAE,OAAO,CAAC,MAAM,CAAC,UAAU;QACrC,MAAM,EAAE,iCAAiC;QACzC,oBAAoB,EAAE,KAAK,CAAC,eAAe;QAC3C,GAAG,EAAE,YAAY;QACjB,UAAU,EAAE,SAAS;QACrB,iBAAiB,EAAE,gBAAgB;KACpC,EACD,OAAO,CAAC,MAAM,CACf,CAAC;IAEF,OAAO,qBAAqB,CAAC,QAAQ,CAAC,CAAC;AACzC,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,kCAAkC,CAAC,OAKxD;IAMC,MAAM,SAAS,GAAG,OAAO,CAAC,SAAS,IAAI,cAAc,CAAC;IACtD,MAAM,MAAM,GAAG,qBAAqB,CAClC,MAAM,OAAO,CACX,SAAS,EACT,GAAG,cAAc,CAAC,OAAO,CAAC,MAAM,CAAC,iCAAiC,EAClE,OAAO,CAAC,MAAM,CACf,CACF,CAAC;IACF,MAAM,OAAO,GAAG,sBAAsB,CAAC;QACrC,WAAW,EAAE,OAAO,CAAC,WAAW;QAChC,SAAS,EAAE,MAAM,CAAC,UAAU;QAC5B,QAAQ,EAAE,MAAM,CAAC,iBAAiB;KACnC,CAAC,CAAC;IACH,IACE,OAAO,CAAC,WAAW,KAAK,OAAO,CAAC,MAAM,CAAC,WAAW;QAClD,OAAO,CAAC,iBAAiB,KAAK,MAAM,CAAC,oBAAoB;QACzD,OAAO,CAAC,oBAAoB,KAAK,OAAO,CAAC,KAAK,CAAC,WAAW,EAC1D,CAAC;QACD,MAAM,IAAI,KAAK,CAAC,6DAA6D,CAAC,CAAC;IACjF,CAAC;IAED,MAAM,aAAa,GAAG,MAAM,oBAAoB,CAAC,OAAO,CAAC,KAAK,EAAE,OAAO,CAAC,IAAI,IAAI,SAAS,EAAE,CAAC,CAAC;IAC7F,MAAM,YAAY,GAAG,MAAM,qBAAqB,CAAC;QAC/C,MAAM,EAAE,OAAO,CAAC,MAAM;QACtB,MAAM,EAAE,UAAU;QAClB,IAAI,EAAE,OAAO,CAAC,IAAI;QAClB,SAAS;KACV,CAAC,CAAC;IACH,MAAM,aAAa,GAAG,MAAM,6BAA6B,CAAC;QACxD,MAAM,EAAE,OAAO,CAAC,MAAM;QACtB,WAAW,EAAE,OAAO,CAAC,WAAW;QAChC,IAAI,EAAE,OAAO,CAAC,IAAI;QAClB,SAAS;KACV,CAAC,CAAC;IAEH,OAAO,EAAE,MAAM,EAAE,aAAa,EAAE,YAAY,EAAE,aAAa,EAAE,CAAC;AAChE,CAAC;AAED,SAAS,sBAAsB,CAAC,KAK/B;IACC,MAAM,EAAE,GAAG,MAAM,CAAC,WAAW,CAAC,EAAE,CAAC,CAAC;IAClC,MAAM,GAAG,GAAG,MAAM,CAAC,IAAI,CAAC,aAAa,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC;IAClD,MAAM,MAAM,GAAG,MAAM,CAAC,cAAc,CAClC,aAAa,EACb,iBAAiB,CAAC,KAAK,CAAC,WAAW,EAAE,KAAK,CAAC,SAAS,CAAC,EACrD,EAAE,CACH,CAAC;IACF,MAAM,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;IACnB,MAAM,UAAU,GAAG,MAAM,CAAC,MAAM,CAAC;QAC/B,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,aAAa,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC;QACxD,MAAM,CAAC,KAAK,EAAE;KACf,CAAC,CAAC;IAEH,OAAO;QACL,MAAM,EAAE,mCAAmC;QAC3C,GAAG,EAAE,aAAa;QAClB,GAAG,EAAE,KAAK,CAAC,GAAG;QACd,EAAE,EAAE,EAAE,CAAC,QAAQ,CAAC,WAAW,CAAC;QAC5B,UAAU,EAAE,UAAU,CAAC,QAAQ,CAAC,WAAW,CAAC;QAC5C,GAAG,EAAE,MAAM,CAAC,UAAU,EAAE,CAAC,QAAQ,CAAC,WAAW,CAAC;QAC9C,SAAS,EAAE,kBAAkB,CAAC,KAAK,CAAC,GAAG,CAAC;QACxC,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;KACpC,CAAC;AACJ,CAAC;AAED,SAAS,sBAAsB,CAAC,KAI/B;IACC,IAAI,KAAK,CAAC,QAAQ,CAAC,MAAM,KAAK,mCAAmC,EAAE,CAAC;QAClE,MAAM,IAAI,KAAK,CAAC,uCAAuC,CAAC,CAAC;IAC3D,CAAC;IACD,IAAI,KAAK,CAAC,QAAQ,CAAC,GAAG,KAAK,aAAa,EAAE,CAAC;QACzC,MAAM,IAAI,KAAK,CAAC,0CAA0C,CAAC,CAAC;IAC9D,CAAC;IACD,MAAM,GAAG,GAAG,KAAK,CAAC,QAAQ,CAAC,GAAG,CAAC;IAC/B,MAAM,QAAQ,GAAG,MAAM,CAAC,gBAAgB,CACtC,aAAa,EACb,iBAAiB,CAAC,KAAK,CAAC,WAAW,EAAE,KAAK,CAAC,SAAS,CAAC,EACrD,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC,EAAE,EAAE,WAAW,CAAC,CAC5C,CAAC;IACF,QAAQ,CAAC,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,aAAa,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;IACjD,QAAQ,CAAC,UAAU,CAAC,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC,GAAG,EAAE,WAAW,CAAC,CAAC,CAAC;IAClE,MAAM,SAAS,GAAG,MAAM,CAAC,MAAM,CAAC;QAC9B,QAAQ,CAAC,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC,UAAU,EAAE,WAAW,CAAC,CAAC;QACpE,QAAQ,CAAC,KAAK,EAAE;KACjB,CAAC,CAAC;IACH,MAAM,OAAO,GAAG,qBAAqB,CAAC,IAAI,CAAC,KAAK,CAAC,SAAS,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC;IAC9E,MAAM,WAAW,GAAG,WAAW,CAAC,OAAO,CAAC,CAAC;IACzC,IAAI,KAAK,CAAC,QAAQ,CAAC,SAAS,KAAK,kBAAkB,CAAC,WAAW,CAAC,EAAE,CAAC;QACjE,MAAM,IAAI,KAAK,CAAC,+BAA+B,CAAC,CAAC;IACnD,CAAC;IACD,OAAO,OAAO,CAAC;AACjB,CAAC;AAED,SAAS,WAAW,CAAC,OAA8B;IACjD,OAAO;QACL,MAAM,EAAE,iCAAiC;QACzC,WAAW,EAAE,OAAO,CAAC,WAAW;QAChC,MAAM,EAAE,OAAO,CAAC,MAAM;QACtB,iBAAiB,EAAE,OAAO,CAAC,iBAAiB;QAC5C,oBAAoB,EAAE,OAAO,CAAC,oBAAoB;KACnD,CAAC;AACJ,CAAC;AAED,SAAS,iBAAiB;IACxB,OAAO;QACL,IAAI,EAAE,MAAM,CAAC,WAAW,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC;QAClD,SAAS,EAAE,EAAE;QACb,CAAC,EAAE,KAAK;QACR,CAAC,EAAE,CAAC;QACJ,CAAC,EAAE,CAAC;KACL,CAAC;AACJ,CAAC;AAED,SAAS,iBAAiB,CAAC,WAAmB,EAAE,MAAyB;IACvE,OAAO,MAAM,CAAC,UAAU,CAAC,WAAW,EAAE,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,IAAI,EAAE,WAAW,CAAC,EAAE,MAAM,CAAC,SAAS,EAAE;QAC7F,CAAC,EAAE,MAAM,CAAC,CAAC;QACX,CAAC,EAAE,MAAM,CAAC,CAAC;QACX,CAAC,EAAE,MAAM,CAAC,CAAC;QACX,MAAM,EAAE,GAAG,GAAG,IAAI,GAAG,IAAI;KAC1B,CAAC,CAAC;AACL,CAAC;AAED,SAAS,cAAc,CAAC,MAA6B;IACnD,OAAO,GAAG,MAAM,CAAC,SAAS,CAAC,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC,2BAA2B,kBAAkB,CACzF,MAAM,CAAC,WAAW,CACnB,EAAE,CAAC;AACN,CAAC;AAED,KAAK,UAAU,OAAO,CACpB,SAAgC,EAChC,GAAW,EACX,gBAAuC;IAEvC,MAAM,UAAU,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,CAAC;IAChC,UAAU,CAAC,YAAY,CAAC,GAAG,CAAC,YAAY,EAAE,gBAAgB,CAAC,UAAU,CAAC,CAAC;IACvE,MAAM,QAAQ,GAAG,MAAM,SAAS,CAAC,UAAU,CAAC,QAAQ,EAAE,EAAE;QACtD,MAAM,EAAE,KAAK;QACb,OAAO,EAAE,wBAAwB,EAAE;QACnC,SAAS,EAAE,KAAK;QAChB,SAAS,EAAE,gBAAgB,CAAC,SAAS;QACrC,UAAU,EAAE,gBAAgB,CAAC,UAAU;QACvC,OAAO,EAAE,gBAAgB,CAAC,OAAO;KAClC,CAAC,CAAC;IACH,MAAM,OAAO,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,IAAI,CAAC,CAAC;IACxD,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;QACjB,MAAM,OAAO,GACX,OAAO,IAAI,OAAO,OAAO,KAAK,QAAQ,IAAI,SAAS,IAAI,OAAO;YAC5D,CAAC,CAAC,MAAM,CAAE,OAAiC,CAAC,OAAO,CAAC;YACpD,CAAC,CAAC,GAAG,QAAQ,CAAC,MAAM,IAAI,QAAQ,CAAC,UAAU,EAAE,CAAC;QAClD,MAAM,IAAI,KAAK,CAAC,gCAAgC,OAAO,EAAE,CAAC,CAAC;IAC7D,CAAC;IACD,OAAO,OAAO,CAAC;AACjB,CAAC;AAED,KAAK,UAAU,QAAQ,CACrB,SAAgC,EAChC,GAAW,EACX,IAA6B,EAC7B,gBAAuC;IAEvC,MAAM,QAAQ,GAAG,MAAM,SAAS,CAAC,GAAG,EAAE;QACpC,MAAM,EAAE,MAAM;QACd,OAAO,EAAE,wBAAwB,CAAC,EAAE,cAAc,EAAE,kBAAkB,EAAE,CAAC;QACzE,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC;QAC1B,SAAS,EAAE,KAAK;QAChB,SAAS,EAAE,gBAAgB,CAAC,SAAS;QACrC,UAAU,EAAE,gBAAgB,CAAC,UAAU;QACvC,OAAO,EAAE,gBAAgB,CAAC,OAAO;KAClC,CAAC,CAAC;IACH,MAAM,OAAO,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,IAAI,CAAC,CAAC;IACxD,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;QACjB,MAAM,OAAO,GACX,OAAO,IAAI,OAAO,OAAO,KAAK,QAAQ,IAAI,SAAS,IAAI,OAAO;YAC5D,CAAC,CAAC,MAAM,CAAE,OAAiC,CAAC,OAAO,CAAC;YACpD,CAAC,CAAC,GAAG,QAAQ,CAAC,MAAM,IAAI,QAAQ,CAAC,UAAU,EAAE,CAAC;QAClD,MAAM,IAAI,KAAK,CAAC,gCAAgC,OAAO,EAAE,CAAC,CAAC;IAC7D,CAAC;IACD,OAAO,OAAO,CAAC;AACjB,CAAC;AAED,SAAS,wBAAwB,CAAC,QAAgC,EAAE;IAClE,OAAO;QACL,MAAM,EAAE,kBAAkB;QAC1B,CAAC,mCAAmC,CAAC,EAAE,oCAAoC;QAC3E,GAAG,KAAK;KACT,CAAC;AACJ,CAAC;AAED,SAAS,qBAAqB,CAAC,KAAc;IAC3C,MAAM,IAAI,GAAG,WAAW,CAAC,KAAK,EAAE,MAAM,CAAC,CAAC;IACxC,MAAM,MAAM,GAAG,WAAW,CAAC,IAAI,EAAE,QAAQ,CAAC,CAAC;IAC3C,MAAM,GAAG,GAAG,WAAW,CAAC,IAAI,EAAE,KAAK,CAAC,CAAC;IACrC,IAAI,MAAM,KAAK,iCAAiC,EAAE,CAAC;QACjD,MAAM,IAAI,KAAK,CAAC,uCAAuC,MAAM,EAAE,CAAC,CAAC;IACnE,CAAC;IACD,IAAI,GAAG,KAAK,YAAY,EAAE,CAAC;QACzB,MAAM,IAAI,KAAK,CAAC,oCAAoC,GAAG,EAAE,CAAC,CAAC;IAC7D,CAAC;IACD,OAAO;QACL,EAAE,EAAE,WAAW,CAAC,IAAI,EAAE,IAAI,CAAC;QAC3B,YAAY,EAAE,WAAW,CAAC,IAAI,EAAE,cAAc,CAAC;QAC/C,OAAO,EAAE,mBAAmB,CAAC,IAAI,EAAE,SAAS,CAAC;QAC7C,oBAAoB,EAAE,WAAW,CAAC,IAAI,EAAE,sBAAsB,CAAC;QAC/D,MAAM;QACN,MAAM,EAAE,WAAW,CAAC,IAAI,EAAE,QAAQ,CAAC;QACnC,GAAG;QACH,UAAU,EAAE,yBAAyB,CAAC,WAAW,CAAC,IAAI,EAAE,YAAY,CAAC,CAAC;QACtE,iBAAiB,EAAE,gBAAgB,CAAC,WAAW,CAAC,IAAI,EAAE,mBAAmB,CAAC,CAAC;QAC3E,UAAU,EAAE,OAAO,IAAI,CAAC,UAAU,KAAK,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC,CAAC,IAAI;KACzE,CAAC;AACJ,CAAC;AAED,SAAS,yBAAyB,CAAC,KAA8B;IAC/D,OAAO;QACL,IAAI,EAAE,WAAW,CAAC,KAAK,EAAE,MAAM,CAAC;QAChC,SAAS,EAAE,WAAW,CAAC,KAAK,EAAE,WAAW,CAAC;QAC1C,CAAC,EAAE,WAAW,CAAC,KAAK,EAAE,GAAG,CAAC;QAC1B,CAAC,EAAE,WAAW,CAAC,KAAK,EAAE,GAAG,CAAC;QAC1B,CAAC,EAAE,WAAW,CAAC,KAAK,EAAE,GAAG,CAAC;KAC3B,CAAC;AACJ,CAAC;AAED,SAAS,gBAAgB,CAAC,KAA8B;IACtD,OAAO;QACL,MAAM,EAAE,aAAa,CACnB,WAAW,CAAC,KAAK,EAAE,QAAQ,CAAC,EAC5B,mCAAmC,EACnC,0BAA0B,CAC3B;QACD,GAAG,EAAE,aAAa,CAAC,WAAW,CAAC,KAAK,EAAE,KAAK,CAAC,EAAE,aAAa,EAAE,6BAA6B,CAAC;QAC3F,GAAG,EAAE,CAAC,KAAK,CAAC,GAAG,IAAI,IAAI,CAAc;QACrC,EAAE,EAAE,WAAW,CAAC,KAAK,EAAE,IAAI,CAAC;QAC5B,UAAU,EAAE,WAAW,CAAC,KAAK,EAAE,YAAY,CAAC;QAC5C,GAAG,EAAE,WAAW,CAAC,KAAK,EAAE,KAAK,CAAC;QAC9B,SAAS,EAAE,WAAW,CAAC,KAAK,EAAE,WAAW,CAAC;QAC1C,SAAS,EAAE,WAAW,CAAC,KAAK,EAAE,WAAW,CAAC;KAC3C,CAAC;AACJ,CAAC;AAED,SAAS,qBAAqB,CAAC,KAAc;IAC3C,MAAM,IAAI,GAAG,WAAW,CAAC,KAAK,CAAC,CAAC;IAChC,OAAO;QACL,MAAM,EAAE,aAAa,CACnB,WAAW,CAAC,IAAI,EAAE,QAAQ,CAAC,EAC3B,kCAAkC,EAClC,yBAAyB,CAC1B;QACD,WAAW,EAAE,WAAW,CAAC,IAAI,EAAE,aAAa,CAAC;QAC7C,MAAM,EAAE,WAAW,CAAC,IAAI,EAAE,QAAQ,CAAC;QACnC,iBAAiB,EAAE,WAAW,CAAC,IAAI,EAAE,mBAAmB,CAAC;QACzD,oBAAoB,EAAE,WAAW,CAAC,IAAI,EAAE,sBAAsB,CAAC;QAC/D,KAAK,EAAE,qBAAqB,CAAC,WAAW,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC;KACzD,CAAC;AACJ,CAAC;AAED,SAAS,qBAAqB,CAC5B,IAA6B;IAE7B,OAAO;QACL,WAAW,EAAE,WAAW,CAAC,IAAI,EAAE,aAAa,CAAC;QAC7C,MAAM,EAAE,WAAW,CAAC,IAAI,EAAE,QAAQ,CAAC;QACnC,eAAe,EAAE,OAAO,IAAI,CAAC,eAAe,KAAK,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,eAAe,CAAC,CAAC,CAAC,IAAI;QACvF,KAAK,EAAE,WAAW,CAAC,IAAI,EAAE,OAAO,CAAC;QACjC,MAAM,EAAE,+BAA+B;QACvC,MAAM,EAAE,QAAQ;QAChB,sBAAsB,EAAE,WAAW,CAAC,IAAI,EAAE,wBAAwB,CAAc;QAChF,uBAAuB,EAAE,WAAW,CAAC,IAAI,EAAE,yBAAyB,CAAc;QAClF,mBAAmB,EAAE,WAAW,CAAC,IAAI,EAAE,qBAAqB,CAAc;QAC1E,oBAAoB,EAAE,WAAW,CAAC,IAAI,EAAE,sBAAsB,CAAc;QAC5E,WAAW,EAAE,WAAW,CAAC,IAAI,EAAE,aAAa,CAAC;QAC7C,wBAAwB,EACtB,OAAO,IAAI,CAAC,wBAAwB,KAAK,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,wBAAwB,CAAC,CAAC,CAAC,IAAI;KAC3F,CAAC;AACJ,CAAC;AAED,SAAS,WAAW,CAAC,KAAc,EAAE,KAAa;IAChD,MAAM,MAAM,GAAG,WAAW,CAAC,KAAK,CAAC,CAAC;IAClC,MAAM,KAAK,GAAG,MAAM,CAAC,KAAK,CAAC,CAAC;IAC5B,IAAI,CAAC,KAAK,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC;QAChE,MAAM,IAAI,KAAK,CAAC,4CAA4C,KAAK,EAAE,CAAC,CAAC;IACvE,CAAC;IACD,OAAO,KAAgC,CAAC;AAC1C,CAAC;AAED,SAAS,WAAW,CAAC,KAAc;IACjC,IAAI,CAAC,KAAK,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC;QAChE,MAAM,IAAI,KAAK,CAAC,kCAAkC,CAAC,CAAC;IACtD,CAAC;IACD,OAAO,KAAgC,CAAC;AAC1C,CAAC;AAED,SAAS,WAAW,CAAC,KAA8B,EAAE,KAAa;IAChE,MAAM,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC,CAAC;IAC3B,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,KAAK,CAAC,IAAI,EAAE,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC3D,MAAM,IAAI,KAAK,CAAC,4CAA4C,KAAK,EAAE,CAAC,CAAC;IACvE,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC;AAED,SAAS,WAAW,CAAC,KAA8B,EAAE,KAAa;IAChE,MAAM,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC,CAAC;IAC3B,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;QAC9B,MAAM,IAAI,KAAK,CAAC,oDAAoD,KAAK,EAAE,CAAC,CAAC;IAC/E,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC;AAED,SAAS,mBAAmB,CAAC,KAA8B,EAAE,KAAa;IACxE,MAAM,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC,CAAC;IAC3B,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;QAC3D,MAAM,IAAI,KAAK,CAAC,4CAA4C,KAAK,EAAE,CAAC,CAAC;IACvE,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC;AAED,SAAS,aAAa,CAAyB,KAAa,EAAE,QAAW,EAAE,KAAa;IACtF,IAAI,KAAK,KAAK,QAAQ;QAAE,MAAM,IAAI,KAAK,CAAC,eAAe,KAAK,KAAK,KAAK,EAAE,CAAC,CAAC;IAC1E,OAAO,QAAQ,CAAC;AAClB,CAAC"}

package/dist/security/epoch-store.d.ts

@@ -0,0 +1,111 @@
+import { TEAM_EPOCH_SCHEMA, USER_EPOCH_SCHEMA, type EpochDescriptor, type JsonValue } from './epoch-protocol.js';
+export interface LocalUserCryptoEpoch {
+    workspaceId: string;
+    userId: string;
+    platformEpochId?: string | null;
+    epoch: number;
+    schema: typeof USER_EPOCH_SCHEMA;
+    status: 'active' | 'superseded' | 'revoked';
+    encryptionPublicKeyJwk: JsonValue;
+    encryptionPrivateKeyJwk: JsonValue;
+    signingPublicKeyJwk: JsonValue;
+    signingPrivateKeyJwk: JsonValue;
+    fingerprint: string;
+    previousEpochFingerprint?: string | null;
+    createdAt: string;
+    updatedAt: string;
+}
+export interface LocalTeamCryptoEpoch {
+    workspaceId: string;
+    teamId: string;
+    platformTeamId?: string | null;
+    platformEpochId?: string | null;
+    epoch: number;
+    schema: typeof TEAM_EPOCH_SCHEMA;
+    status: 'active' | 'superseded' | 'revoked';
+    encryptionPublicKeyJwk: JsonValue;
+    encryptionPrivateKeyJwk: JsonValue;
+    signingPublicKeyJwk: JsonValue;
+    signingPrivateKeyJwk: JsonValue;
+    fingerprint: string;
+    previousEpochFingerprint?: string | null;
+    createdAt: string;
+    updatedAt: string;
+}
+export interface LocalDeviceEnrollment {
+    workspaceId: string;
+    enrollmentId?: string | null;
+    userId?: string | null;
+    deviceId: string;
+    deviceLabel: string;
+    status: 'pending' | 'approved' | 'accepted' | 'revoked';
+    encryptionPublicKeyJwk: JsonValue;
+    encryptionPrivateKeyJwk: JsonValue;
+    signingPublicKeyJwk: JsonValue;
+    signingPrivateKeyJwk: JsonValue;
+    fingerprint: string;
+    nonce: string;
+    createdAt: string;
+    updatedAt: string;
+}
+export interface LocalPublicEpochPin {
+    workspaceId: string;
+    subjectType: 'user' | 'team';
+    subjectId: string;
+    platformEpochId: string;
+    epoch: number;
+    schema: typeof USER_EPOCH_SCHEMA | typeof TEAM_EPOCH_SCHEMA;
+    fingerprint: string;
+    encryptionPublicKeyJwk: JsonValue;
+    signingPublicKeyJwk: JsonValue;
+    previousEpochFingerprint?: string | null;
+    continuityPayload?: JsonValue | null;
+    continuitySignature?: string | null;
+    signedByEpochFingerprint?: string | null;
+    createdAt: string;
+    updatedAt: string;
+}
+export declare function getActiveLocalUserEpoch(workspaceId: string, home?: string): Promise<LocalUserCryptoEpoch | null>;
+export declare function getActiveLocalTeamEpoch(workspaceId: string, teamId: string, home?: string): Promise<LocalTeamCryptoEpoch | null>;
+export declare function listActiveLocalTeamEpochs(workspaceId: string, home?: string): Promise<LocalTeamCryptoEpoch[]>;
+export declare function getLocalTeamEpochByPlatformId(workspaceId: string, platformEpochId: string, home?: string): Promise<LocalTeamCryptoEpoch | null>;
+export declare function getLocalUserEpochByPlatformId(workspaceId: string, platformEpochId: string, home?: string): Promise<LocalUserCryptoEpoch | null>;
+export declare function getLocalDeviceEnrollment(workspaceId: string, enrollmentIdOrFingerprint: string, home?: string): Promise<LocalDeviceEnrollment | null>;
+export declare function upsertLocalUserEpoch(input: Omit<LocalUserCryptoEpoch, 'createdAt' | 'updatedAt'>, home?: string): Promise<LocalUserCryptoEpoch>;
+export declare function upsertLocalTeamEpoch(input: Omit<LocalTeamCryptoEpoch, 'createdAt' | 'updatedAt'>, home?: string): Promise<LocalTeamCryptoEpoch>;
+export declare function upsertLocalDeviceEnrollment(input: Omit<LocalDeviceEnrollment, 'createdAt' | 'updatedAt'>, home?: string): Promise<LocalDeviceEnrollment>;
+export declare function getLocalPublicEpochPin(input: {
+    workspaceId: string;
+    subjectType: 'user' | 'team';
+    subjectId: string;
+}, home?: string): Promise<LocalPublicEpochPin | null>;
+export declare function upsertLocalPublicEpochPin(input: Omit<LocalPublicEpochPin, 'createdAt' | 'updatedAt'>, home?: string): Promise<LocalPublicEpochPin>;
+export declare function createLocalUserEpochKeyMaterial(input: {
+    workspaceId: string;
+    userId?: string;
+    epoch?: number;
+    previousEpochFingerprint?: string | null;
+}): {
+    descriptor: EpochDescriptor;
+    encryptionPrivateKeyJwk: JsonValue;
+    signingPrivateKeyJwk: JsonValue;
+};
+export declare function createLocalTeamEpochKeyMaterial(input: {
+    workspaceId: string;
+    teamId: string;
+    epoch?: number;
+    previousEpochFingerprint?: string | null;
+}): {
+    descriptor: EpochDescriptor;
+    encryptionPrivateKeyJwk: JsonValue;
+    signingPrivateKeyJwk: JsonValue;
+};
+export declare function createLocalDeviceEnrollmentKeyMaterial(input: {
+    workspaceId: string;
+    deviceId: string;
+    deviceLabel: string;
+    nonce?: string;
+}): {
+    enrollment: Omit<LocalDeviceEnrollment, 'enrollmentId' | 'userId' | 'fingerprint' | 'status' | 'createdAt' | 'updatedAt'>;
+};
+//# sourceMappingURL=epoch-store.d.ts.map

package/dist/security/epoch-store.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"epoch-store.d.ts","sourceRoot":"","sources":["../../src/security/epoch-store.ts"],"names":[],"mappings":"AAIA,OAAO,EACL,iBAAiB,EACjB,iBAAiB,EACjB,KAAK,eAAe,EACpB,KAAK,SAAS,EACf,MAAM,qBAAqB,CAAC;AAI7B,MAAM,WAAW,oBAAoB;IACnC,WAAW,EAAE,MAAM,CAAC;IACpB,MAAM,EAAE,MAAM,CAAC;IACf,eAAe,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAChC,KAAK,EAAE,MAAM,CAAC;IACd,MAAM,EAAE,OAAO,iBAAiB,CAAC;IACjC,MAAM,EAAE,QAAQ,GAAG,YAAY,GAAG,SAAS,CAAC;IAC5C,sBAAsB,EAAE,SAAS,CAAC;IAClC,uBAAuB,EAAE,SAAS,CAAC;IACnC,mBAAmB,EAAE,SAAS,CAAC;IAC/B,oBAAoB,EAAE,SAAS,CAAC;IAChC,WAAW,EAAE,MAAM,CAAC;IACpB,wBAAwB,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IACzC,SAAS,EAAE,MAAM,CAAC;IAClB,SAAS,EAAE,MAAM,CAAC;CACnB;AAED,MAAM,WAAW,oBAAoB;IACnC,WAAW,EAAE,MAAM,CAAC;IACpB,MAAM,EAAE,MAAM,CAAC;IACf,cAAc,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAC/B,eAAe,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAChC,KAAK,EAAE,MAAM,CAAC;IACd,MAAM,EAAE,OAAO,iBAAiB,CAAC;IACjC,MAAM,EAAE,QAAQ,GAAG,YAAY,GAAG,SAAS,CAAC;IAC5C,sBAAsB,EAAE,SAAS,CAAC;IAClC,uBAAuB,EAAE,SAAS,CAAC;IACnC,mBAAmB,EAAE,SAAS,CAAC;IAC/B,oBAAoB,EAAE,SAAS,CAAC;IAChC,WAAW,EAAE,MAAM,CAAC;IACpB,wBAAwB,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IACzC,SAAS,EAAE,MAAM,CAAC;IAClB,SAAS,EAAE,MAAM,CAAC;CACnB;AAED,MAAM,WAAW,qBAAqB;IACpC,WAAW,EAAE,MAAM,CAAC;IACpB,YAAY,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAC7B,MAAM,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IACvB,QAAQ,EAAE,MAAM,CAAC;IACjB,WAAW,EAAE,MAAM,CAAC;IACpB,MAAM,EAAE,SAAS,GAAG,UAAU,GAAG,UAAU,GAAG,SAAS,CAAC;IACxD,sBAAsB,EAAE,SAAS,CAAC;IAClC,uBAAuB,EAAE,SAAS,CAAC;IACnC,mBAAmB,EAAE,SAAS,CAAC;IAC/B,oBAAoB,EAAE,SAAS,CAAC;IAChC,WAAW,EAAE,MAAM,CAAC;IACpB,KAAK,EAAE,MAAM,CAAC;IACd,SAAS,EAAE,MAAM,CAAC;IAClB,SAAS,EAAE,MAAM,CAAC;CACnB;AAED,MAAM,WAAW,mBAAmB;IAClC,WAAW,EAAE,MAAM,CAAC;IACpB,WAAW,EAAE,MAAM,GAAG,MAAM,CAAC;IAC7B,SAAS,EAAE,MAAM,CAAC;IAClB,eAAe,EAAE,MAAM,CAAC;IACxB,KAAK,EAAE,MAAM,CAAC;IACd,MAAM,EAAE,OAAO,iBAAiB,GAAG,OAAO,iBAAiB,CAAC;IAC5D,WAAW,EAAE,MAAM,CAAC;IACpB,sBAAsB,EAAE,SAAS,CAAC;IAClC,mBAAmB,EAAE,SAAS,CAAC;IAC/B,wBAAwB,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IACzC,iBAAiB,CAAC,EAAE,SAAS,GAAG,IAAI,CAAC;IACrC,mBAAmB,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IACpC,wBAAwB,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IACzC,SAAS,EAAE,MAAM,CAAC;IAClB,SAAS,EAAE,MAAM,CAAC;CACnB;AAUD,wBAAsB,uBAAuB,CAC3C,WAAW,EAAE,MAAM,EACnB,IAAI,SAAc,GACjB,OAAO,CAAC,oBAAoB,GAAG,IAAI,CAAC,CAOtC;AAED,wBAAsB,uBAAuB,CAC3C,WAAW,EAAE,MAAM,EACnB,MAAM,EAAE,MAAM,EACd,IAAI,SAAc,GACjB,OAAO,CAAC,oBAAoB,GAAG,IAAI,CAAC,CAYtC;AAED,wBAAsB,yBAAyB,CAC7C,WAAW,EAAE,MAAM,EACnB,IAAI,SAAc,GACjB,OAAO,CAAC,oBAAoB,EAAE,CAAC,CAKjC;AAED,wBAAsB,6BAA6B,CACjD,WAAW,EAAE,MAAM,EACnB,eAAe,EAAE,MAAM,EACvB,IAAI,SAAc,GACjB,OAAO,CAAC,oBAAoB,GAAG,IAAI,CAAC,CAUtC;AAED,wBAAsB,6BAA6B,CACjD,WAAW,EAAE,MAAM,EACnB,eAAe,EAAE,MAAM,EACvB,IAAI,SAAc,GACjB,OAAO,CAAC,oBAAoB,GAAG,IAAI,CAAC,CAUtC;AAED,wBAAsB,wBAAwB,CAC5C,WAAW,EAAE,MAAM,EACnB,yBAAyB,EAAE,MAAM,EACjC,IAAI,SAAc,GACjB,OAAO,CAAC,qBAAqB,GAAG,IAAI,CAAC,CAUvC;AAED,wBAAsB,oBAAoB,CACxC,KAAK,EAAE,IAAI,CAAC,oBAAoB,EAAE,WAAW,GAAG,WAAW,CAAC,EAC5D,IAAI,SAAc,GACjB,OAAO,CAAC,oBAAoB,CAAC,CAsB/B;AAED,wBAAsB,oBAAoB,CACxC,KAAK,EAAE,IAAI,CAAC,oBAAoB,EAAE,WAAW,GAAG,WAAW,CAAC,EAC5D,IAAI,SAAc,GACjB,OAAO,CAAC,oBAAoB,CAAC,CA0B/B;AAED,wBAAsB,2BAA2B,CAC/C,KAAK,EAAE,IAAI,CAAC,qBAAqB,EAAE,WAAW,GAAG,WAAW,CAAC,EAC7D,IAAI,SAAc,GACjB,OAAO,CAAC,qBAAqB,CAAC,CAmBhC;AAED,wBAAsB,sBAAsB,CAC1C,KAAK,EAAE;IACL,WAAW,EAAE,MAAM,CAAC;IACpB,WAAW,EAAE,MAAM,GAAG,MAAM,CAAC;IAC7B,SAAS,EAAE,MAAM,CAAC;CACnB,EACD,IAAI,SAAc,GACjB,OAAO,CAAC,mBAAmB,GAAG,IAAI,CAAC,CAYrC;AAED,wBAAsB,yBAAyB,CAC7C,KAAK,EAAE,IAAI,CAAC,mBAAmB,EAAE,WAAW,GAAG,WAAW,CAAC,EAC3D,IAAI,SAAc,GACjB,OAAO,CAAC,mBAAmB,CAAC,CAoB9B;AAED,wBAAgB,+BAA+B,CAAC,KAAK,EAAE;IACrD,WAAW,EAAE,MAAM,CAAC;IACpB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,wBAAwB,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;CAC1C,GAAG;IACF,UAAU,EAAE,eAAe,CAAC;IAC5B,uBAAuB,EAAE,SAAS,CAAC;IACnC,oBAAoB,EAAE,SAAS,CAAC;CACjC,CAoBA;AAED,wBAAgB,+BAA+B,CAAC,KAAK,EAAE;IACrD,WAAW,EAAE,MAAM,CAAC;IACpB,MAAM,EAAE,MAAM,CAAC;IACf,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,wBAAwB,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;CAC1C,GAAG;IACF,UAAU,EAAE,eAAe,CAAC;IAC5B,uBAAuB,EAAE,SAAS,CAAC;IACnC,oBAAoB,EAAE,SAAS,CAAC;CACjC,CAoBA;AAED,wBAAgB,sCAAsC,CAAC,KAAK,EAAE;IAC5D,WAAW,EAAE,MAAM,CAAC;IACpB,QAAQ,EAAE,MAAM,CAAC;IACjB,WAAW,EAAE,MAAM,CAAC;IACpB,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB,GAAG;IACF,UAAU,EAAE,IAAI,CACd,qBAAqB,EACrB,cAAc,GAAG,QAAQ,GAAG,aAAa,GAAG,QAAQ,GAAG,WAAW,GAAG,WAAW,CACjF,CAAC;CACH,CAgBA"}