@vorim/verify 0.1.0 → 0.3.0
- package/dist/index.d.ts +52 -3
- package/dist/index.d.ts.map +1 -1
- package/dist/index.js +291 -5
- package/dist/index.js.map +1 -1
- package/dist/types.d.ts +99 -0
- package/dist/types.d.ts.map +1 -1
- package/package.json +3 -2
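--- a/package/dist/index.d.ts
+++ b/package/dist/index.d.ts
@@ -29,6 +29,34 @@ export declare function canonicalPayloadV0(event: {
 output_hash?: string | null;
 result: string;
 }): string;
+/**
+* VAIP v1 canonical bytes for audit-event signing (RFC 8785 JCS).
+*
+* Signs the full event object excluding `signature` (the field being
+* computed) and `canonical_form` (metadata about the recipe). Covers
+* replayable-evidence fields and metadata — anything v0 missed.
+*
+* Must produce byte-identical output to:
+* - @vorim/sdk `canonicalPayloadV1` (TypeScript SDK)
+* - vorim Python SDK `canonical_payload_v1`
+* - @vorim/shared-types `canonicalPayloadV1` (server)
+*
+* Locked by the cross-language parity script in scripts/check-replay-parity.sh.
+*/
+export declare function canonicalPayloadV1(event: BundleEvent): string;
+/**
+* RFC 8785 JSON Canonicalization Scheme, sufficient subset for audit
+* event values. Identical algorithm to the SDK and shared-types
+* implementations; the cross-language parity script enforces it.
+*
+* - Object keys sorted lexicographically (UTF-16 code units).
+* - No whitespace between tokens.
+* - Integer numbers via .toString(); finite non-integer floats per
+* ECMAScript Number.toString shortest-round-trip. Rejects NaN/Infinity.
+* - Strings: JSON-escape per RFC 8259 § 7.
+* - Arrays preserve order. undefined values dropped from objects.
+*/
+export declare function jcsCanonicalise(value: unknown): string;
 /**
 * Verify the SHA-256 manifest over `{ events, agents }`. Returns null if
 * the bundle has no manifest field (older exports). Manifest format is
@@ -40,9 +68,14 @@ export declare function verifyManifest(bundle: AuditBundle): {
 actual: string | null;
 };
 /**
-* Verify a single Ed25519 signature
-*
-*
+* Verify a single Ed25519 signature.
+*
+* Dispatches on the event's `canonical_form` field to pick the right
+* recipe (v0 pipe-joined, or v1 RFC 8785 JCS). Missing/null defaults to
+* v0 for backward-compat with events signed before v1 was registered.
+*
+* `signature` is the `ed25519:<base64>` form the SDK produces; the
+* prefix is stripped before decoding.
 */
 export declare function verifyEventSignature(event: BundleEvent, publicKeyPem: string): {
 ok: boolean;
@@ -64,4 +97,20 @@ export declare function verifyEventSignature(event: BundleEvent, publicKeyPem: s
 * reader can make their own call.
 */
 export declare function verifyBundle(bundle: AuditBundle): VerifyReport;
+/**
+* Verify a single delegation chain token against the bundle's agent
+* public keys. Walks every link, checking signature, parent_link_hash,
+* depth, scope subset, expiry, and delegator-known-to-bundle.
+*
+* Returns a `DelegationChainResult` with a single verdict. The verdict
+* is the FIRST failure found, in this priority order:
+* 1. delegation_unverifiable (no links)
+* 2. delegation_unknown_agent (delegator pubkey missing)
+* 3. delegation_invalid_signature
+* 4. delegation_chain_broken (depth or parent_link_hash mismatch)
+* 5. delegation_scope_exceeded
+* 6. delegation_expired
+* 7. delegation_valid (clean)
+*/
+export declare function verifyDelegationChain(token: import('./types.js').DelegationChainTokenBundleEntry, agentMap: Map<string, import('./types.js').BundleAgent>, now?: Date): import('./types.js').DelegationChainResult;
 //# sourceMappingURL=index.d.ts.map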
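Review bot: The `verifyEventSignature` doc comment covers a missing or null `canonical_form` but says nothing about an unrecognized value, while the `canonicalBytesForEvent` helper published in dist/index.js verifies every value other than `'v1'` with the v0 recipe. The v1 recipe excludes `canonical_form` from the signed bytes, so the field is not itself authenticated, and the comment should state what happens for unknown values, e.g. `Any value other than 'v1' is verified with the v0 recipe.`; rejecting unknown values would be the fail-closed alternative. The `jcsCanonicalise` comment mentions that NaN/Infinity are rejected but not that the function throws, nor that unsupported value types throw as well, which is part of the exported contract and worth one line.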
package/dist/index.d.ts.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAGH,OAAO,KAAK,EACV,WAAW,EAEX,WAAW,EAEX,YAAY,EACb,MAAM,YAAY,CAAC;AAEpB,YAAY,EACV,WAAW,EACX,WAAW,EACX,WAAW,EACX,WAAW,EACX,YAAY,EACZ,YAAY,GACb,MAAM,YAAY,CAAC;AAEpB;;;;;;;;;;;;GAYG;AACH,wBAAgB,kBAAkB,CAAC,KAAK,EAAE;IACxC,UAAU,EAAE,MAAM,CAAC;IACnB,MAAM,EAAE,MAAM,CAAC;IACf,QAAQ,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IACzB,UAAU,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAC3B,WAAW,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAC5B,MAAM,EAAE,MAAM,CAAC;CAChB,GAAG,MAAM,CAST;AAED;;;;GAIG;AACH,wBAAgB,cAAc,CAAC,MAAM,EAAE,WAAW,GAAG;IACnD,EAAE,EAAE,OAAO,GAAG,IAAI,CAAC;IACnB,QAAQ,EAAE,MAAM,GAAG,IAAI,CAAC;IACxB,MAAM,EAAE,MAAM,GAAG,IAAI,CAAC;CACvB,CAKA;AAED
|
|
1
|
+
{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAGH,OAAO,KAAK,EACV,WAAW,EAEX,WAAW,EAEX,YAAY,EACb,MAAM,YAAY,CAAC;AAEpB,YAAY,EACV,WAAW,EACX,WAAW,EACX,WAAW,EACX,WAAW,EACX,YAAY,EACZ,YAAY,GACb,MAAM,YAAY,CAAC;AAEpB;;;;;;;;;;;;GAYG;AACH,wBAAgB,kBAAkB,CAAC,KAAK,EAAE;IACxC,UAAU,EAAE,MAAM,CAAC;IACnB,MAAM,EAAE,MAAM,CAAC;IACf,QAAQ,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IACzB,UAAU,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAC3B,WAAW,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAC5B,MAAM,EAAE,MAAM,CAAC;CAChB,GAAG,MAAM,CAST;AAED;;;;;;;;;;;;;GAaG;AACH,wBAAgB,kBAAkB,CAAC,KAAK,EAAE,WAAW,GAAG,MAAM,CAG7D;AAED;;;;;;;;;;;GAWG;AACH,wBAAgB,eAAe,CAAC,KAAK,EAAE,OAAO,GAAG,MAAM,CA4BtD;AAYD;;;;GAIG;AACH,wBAAgB,cAAc,CAAC,MAAM,EAAE,WAAW,GAAG;IACnD,EAAE,EAAE,OAAO,GAAG,IAAI,CAAC;IACnB,QAAQ,EAAE,MAAM,GAAG,IAAI,CAAC;IACxB,MAAM,EAAE,MAAM,GAAG,IAAI,CAAC;CACvB,CAKA;AAED;;;;;;;;;GASG;AACH,wBAAgB,oBAAoB,CAClC,KAAK,EAAE,WAAW,EAClB,YAAY,EAAE,MAAM,GACnB;IAAE,EAAE,EAAE,OAAO,CAAC;IAAC,MAAM,CAAC,EAAE,MAAM,CAAA;CAAE,CA6BlC;AAYD;;;;;;;;;;;;;;GAcG;AACH,wBAAgB,YAAY,CAAC,MAAM,EAAE,WAAW,GAAG,YAAY,CA4L9D;AASD;;;;;;;;;;;;;;GAcG;AACH,wBAAgB,qBAAqB,CACnC,KAAK,EAAE,OAAO,YAAY,EAAE,+BAA+B,EAC3D,QAAQ,EAAE,GAAG,CAAC,MAAM,EAAE,OAAO,YAAY,EAAE,WAAW,CAAC,EACvD,GAAG,GAAE,IAAiB,GACrB,OAAO,YAAY,EAAE,qBAAqB,CAsF5C"}
|
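--- a/package/dist/index.js
+++ b/package/dist/index.js
@@ -30,6 +30,72 @@ export function canonicalPayloadV0(event) {
 event.result,
 ].join('|');
 }
+/**
+* VAIP v1 canonical bytes for audit-event signing (RFC 8785 JCS).
+*
+* Signs the full event object excluding `signature` (the field being
+* computed) and `canonical_form` (metadata about the recipe). Covers
+* replayable-evidence fields and metadata — anything v0 missed.
+*
+* Must produce byte-identical output to:
+* - @vorim/sdk `canonicalPayloadV1` (TypeScript SDK)
+* - vorim Python SDK `canonical_payload_v1`
+* - @vorim/shared-types `canonicalPayloadV1` (server)
+*
+* Locked by the cross-language parity script in scripts/check-replay-parity.sh.
+*/
+export function canonicalPayloadV1(event) {
+const { signature: _sig, canonical_form: _cf, ...rest } = event;
+return jcsCanonicalise(rest);
+}
+/**
+* RFC 8785 JSON Canonicalization Scheme, sufficient subset for audit
+* event values. Identical algorithm to the SDK and shared-types
+* implementations; the cross-language parity script enforces it.
+*
+* - Object keys sorted lexicographically (UTF-16 code units).
+* - No whitespace between tokens.
+* - Integer numbers via .toString(); finite non-integer floats per
+* ECMAScript Number.toString shortest-round-trip. Rejects NaN/Infinity.
+* - Strings: JSON-escape per RFC 8259 § 7.
+* - Arrays preserve order. undefined values dropped from objects.
+*/
+export function jcsCanonicalise(value) {
+if (value === null)
+return 'null';
+if (value === true)
+return 'true';
+if (value === false)
+return 'false';
+if (typeof value === 'number') {
+if (!Number.isFinite(value)) {
+throw new Error('jcsCanonicalise: NaN and Infinity are not JCS-valid');
+}
+return value.toString();
+}
+if (typeof value === 'string') {
+return JSON.stringify(value);
+}
+if (Array.isArray(value)) {
+return '[' + value.map(jcsCanonicalise).join(',') + ']';
+}
+if (typeof value === 'object') {
+const obj = value;
+const keys = Object.keys(obj).filter(k => obj[k] !== undefined).sort();
+const parts = keys.map(k => JSON.stringify(k) + ':' + jcsCanonicalise(obj[k]));
+return '{' + parts.join(',') + '}';
+}
+throw new Error(`jcsCanonicalise: unsupported value type: ${typeof value}`);
+}
+/**
+* Compute the canonical bytes for an event based on its `canonical_form`
+* field. Missing/null defaults to v0 for backward-compat with events
+* signed before v1 was registered.
+*/
+function canonicalBytesForEvent(event) {
+const form = event.canonical_form ?? 'v0';
+return form === 'v1' ? canonicalPayloadV1(event) : canonicalPayloadV0(event);
+}
 /**
 * Verify the SHA-256 manifest over `{ events, agents }`. Returns null if
 * the bundle has no manifest field (older exports). Manifest format is
@@ -43,9 +109,14 @@ export function verifyManifest(bundle) {
 return { ok: actual === bundle.manifest, expected: bundle.manifest, actual };
 }
 /**
-* Verify a single Ed25519 signature
-*
-*
+* Verify a single Ed25519 signature.
+*
+* Dispatches on the event's `canonical_form` field to pick the right
+* recipe (v0 pipe-joined, or v1 RFC 8785 JCS). Missing/null defaults to
+* v0 for backward-compat with events signed before v1 was registered.
+*
+* `signature` is the `ed25519:<base64>` form the SDK produces; the
+* prefix is stripped before decoding.
 */
 export function verifyEventSignature(event, publicKeyPem) {
 const sig = event.signature;
@@ -71,7 +142,7 @@ export function verifyEventSignature(event, publicKeyPem) {
 reason: `unparseable public key: ${e.message}`,
 };
 }
-const payload = Buffer.from(
+const payload = Buffer.from(canonicalBytesForEvent(event), 'utf-8');
 try {
 return { ok: cryptoVerify(null, payload, pubKey, sigBytes) };
 }
@@ -177,11 +248,87 @@ export function verifyBundle(bundle) {
 };
 for (const r of events)
 counts[r.verdict]++;
+// ── Hash-chained ingest validation ─────────────────────────────────
+//
+// For each agent's chain (events in bundle order), check whether the
+// event's `prev_event_hash` matches SHA-256(canonical bytes of the
+// previous event for the same agent). Empty prev_event_hash on the
+// first event = chain start (intact). Empty after a predecessor =
+// chain_restart (informational). Mismatch = chain_broken (fails ok).
+//
+// anyChained is true if any event in the bundle carries
+// `prev_event_hash` — that's how we know the issuer was using chained
+// ingest. Without any chained events the chain counts are suppressed
+// from the final report.
+const rawEvents = bundle.events ?? [];
+const chainCounts = { intact: 0, restart: 0, broken: 0 };
+const anyChained = rawEvents.some(e => e.prev_event_hash != null);
+const lastBytesHashByAgent = new Map();
+for (let i = 0; i < rawEvents.length; i++) {
+const e = rawEvents[i];
+const agentId = eventAgentId(e);
+if (!agentId)
+continue;
+const prevField = e.prev_event_hash;
+const previousHash = lastBytesHashByAgent.get(agentId);
+if (prevField) {
+if (!previousHash) {
+// Event claims to be chained but we have no predecessor for this
+// agent in the bundle. Likely a partial bundle (sub-range export).
+// Treat as broken: the prev_event_hash references something we
+// can't verify.
+events[i].chain = 'chain_broken';
+events[i].reason = events[i].reason ?? 'prev_event_hash set but no predecessor in bundle';
+chainCounts.broken++;
+}
+else if (prevField === previousHash) {
+events[i].chain = 'chain_intact';
+chainCounts.intact++;
+}
+else {
+events[i].chain = 'chain_broken';
+events[i].reason = events[i].reason ?? `prev_event_hash mismatch (expected ${previousHash}, got ${prevField})`;
+chainCounts.broken++;
+}
+}
+else if (previousHash && anyChained) {
+// Predecessor exists but this event has no prev_event_hash:
+// SDK restart or chainEvents toggled off mid-stream. Only count
+// as a restart when the bundle has chained events at all.
+events[i].chain = 'chain_restart';
+chainCounts.restart++;
+}
+else if (anyChained) {
+// Chain head (no predecessor + no prev_event_hash), within a
+// chained bundle: counted as intact.
+events[i].chain = 'chain_intact';
+chainCounts.intact++;
+}
+// Else: non-chained bundle, no chain verdict on this event.
+// Update the per-agent rolling hash with this event's canonical bytes.
+lastBytesHashByAgent.set(agentId, sha256Hex(canonicalBytesForEvent(e)));
+}
+// ── Delegation chain verification (VAIP -02 § 5) ───────────────────
+const tokens = bundle.delegation_tokens ?? [];
+const delegations = tokens.map(t => verifyDelegationChain(t, agentMap));
+const delegationCounts = { valid: 0, invalid: 0, unverifiable: 0 };
+for (const d of delegations) {
+if (d.verdict === 'delegation_valid')
+delegationCounts.valid++;
+else if (d.verdict === 'delegation_unverifiable')
+delegationCounts.unverifiable++;
+else if (d.verdict === 'delegation_unknown_agent')
+delegationCounts.unverifiable++;
+else
+delegationCounts.invalid++;
+}
 const manifest = verifyManifest(bundle);
 const ok = counts.bad_signature === 0 &&
 counts.malformed_signature === 0 &&
+chainCounts.broken === 0 &&
+delegationCounts.invalid === 0 &&
 manifest.ok !== false;
-
+const base = {
 bundle_version: typeof bundle.bundle_version === 'string' ? bundle.bundle_version : null,
 manifest_ok: manifest.ok,
 manifest_expected: manifest.expected,
@@ -195,5 +342,144 @@ export function verifyBundle(bundle) {
 events,
 ok,
 };
+if (anyChained) {
+base.chain_intact = chainCounts.intact;
+base.chain_restart = chainCounts.restart;
+base.chain_broken = chainCounts.broken;
+}
+if (tokens.length > 0) {
+base.delegations = delegations;
+base.delegation_valid = delegationCounts.valid;
+base.delegation_invalid = delegationCounts.invalid;
+base.delegation_unverifiable = delegationCounts.unverifiable;
+}
+return base;
+}
+/** Synchronous SHA-256 hex digest of a UTF-8 string, prefixed `sha256:`. */
+function sha256Hex(s) {
+return 'sha256:' + createHash('sha256').update(s).digest('hex');
+}
+// ─── Delegation chain verification (VAIP -02 § 5) ─────────────────────────
+/**
+* Verify a single delegation chain token against the bundle's agent
+* public keys. Walks every link, checking signature, parent_link_hash,
+* depth, scope subset, expiry, and delegator-known-to-bundle.
+*
+* Returns a `DelegationChainResult` with a single verdict. The verdict
+* is the FIRST failure found, in this priority order:
+* 1. delegation_unverifiable (no links)
+* 2. delegation_unknown_agent (delegator pubkey missing)
+* 3. delegation_invalid_signature
+* 4. delegation_chain_broken (depth or parent_link_hash mismatch)
+* 5. delegation_scope_exceeded
+* 6. delegation_expired
+* 7. delegation_valid (clean)
+*/
+export function verifyDelegationChain(token, agentMap, now = new Date()) {
+const chainId = token.chain_id;
+const depth = token.links.length;
+if (depth === 0) {
+return {
+chain_id: chainId,
+verdict: 'delegation_unverifiable',
+depth: 0,
+reason: 'no signed links in chain (server-side enforcement only)',
+};
+}
+// Walk links in depth order.
+for (let i = 0; i < token.links.length; i++) {
+const { claims, signature } = token.links[i];
+// Chain identity sanity.
+if (claims.chain_id !== chainId) {
+return {
+chain_id: chainId, depth, verdict: 'delegation_chain_broken',
+reason: `link ${i + 1}'s claims.chain_id (${claims.chain_id}) does not match bundle chain_id (${chainId})`,
+};
+}
+// Depth sanity.
+if (claims.depth !== i + 1) {
+return {
+chain_id: chainId, depth, verdict: 'delegation_chain_broken',
+reason: `link ${i + 1} has claims.depth=${claims.depth}; expected ${i + 1}`,
+};
+}
+// Parent link hash.
+if (i === 0) {
+if (claims.parent_link_hash !== null) {
+return {
+chain_id: chainId, depth, verdict: 'delegation_chain_broken',
+reason: `root link must have parent_link_hash=null; got ${claims.parent_link_hash}`,
+};
+}
+}
+else {
+const parentClaims = token.links[i - 1].claims;
+const expectedParentHash = sha256Hex(jcsCanonicalise(parentClaims));
+if (claims.parent_link_hash !== expectedParentHash) {
+return {
+chain_id: chainId, depth, verdict: 'delegation_chain_broken',
+reason: `link ${i + 1}.parent_link_hash mismatch (expected ${expectedParentHash}, got ${claims.parent_link_hash})`,
+};
+}
+// Scope subset: this link's scopes ⊆ parent's scopes.
+for (const scope of claims.scopes) {
+if (!parentClaims.scopes.includes(scope)) {
+return {
+chain_id: chainId, depth, verdict: 'delegation_scope_exceeded',
+reason: `link ${i + 1} grants scope "${scope}" which parent did not have`,
+};
+}
+}
+}
+// Expiry.
+if (claims.valid_until && new Date(claims.valid_until) < now) {
+return {
+chain_id: chainId, depth, verdict: 'delegation_expired',
+reason: `link ${i + 1} (delegator=${claims.delegator}) expired at ${claims.valid_until}`,
+};
+}
+// Signature.
+const delegatorAgent = agentMap.get(claims.delegator);
+if (!delegatorAgent) {
+return {
+chain_id: chainId, depth, verdict: 'delegation_unknown_agent',
+reason: `delegator ${claims.delegator} not in bundle.agents[]; cannot verify link ${i + 1}`,
+};
+}
+const sigOk = verifyDelegationSignatureWithKey(claims, signature, delegatorAgent.public_key);
+if (!sigOk.ok) {
+return {
+chain_id: chainId, depth, verdict: 'delegation_invalid_signature',
+reason: `link ${i + 1} signature does not verify: ${sigOk.reason}`,
+};
+}
+}
+return { chain_id: chainId, verdict: 'delegation_valid', depth };
+}
+function verifyDelegationSignatureWithKey(claims, signature, publicKeyPem) {
+const stripped = signature.startsWith('ed25519:') ? signature.slice('ed25519:'.length) : signature;
+let sigBytes;
+try {
+sigBytes = Buffer.from(stripped, 'base64');
+}
+catch {
+return { ok: false, reason: 'malformed base64 signature' };
+}
+if (sigBytes.length === 0)
+return { ok: false, reason: 'empty signature' };
+let pubKey;
+try {
+pubKey = createPublicKey(publicKeyPem);
+}
+catch (e) {
+return { ok: false, reason: `unparseable public key: ${e.message}` };
+}
+const payload = Buffer.from(jcsCanonicalise(claims), 'utf-8');
+try {
+return { ok: cryptoVerify(null, payload, pubKey, sigBytes) };
+}
+catch (e) {
+return { ok: false, reason: `verify error: ${e.message}` };
+}
 }
 //# sourceMappingURL=index.js.map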
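Review bot: The expiry test in `verifyDelegationChain`, `new Date(claims.valid_until) < now`, fails open: an unparseable `valid_until` becomes an Invalid Date, the comparison is false, and the link counts as unexpired. Parse once and reject NaN, e.g. `const exp = Date.parse(claims.valid_until);` with `if (claims.valid_until && (Number.isNaN(exp) || exp < now.getTime()))` returning a failing verdict. In the `verifyBundle` hunk, `delegation_unknown_agent` is counted as unverifiable and `ok` only tests `delegationCounts.invalid === 0`, so a token whose delegator is absent from `bundle.agents[]` leaves `ok` true; callers gating on `ok` need to check `delegation_unverifiable` as well, and the doc comment should say so. The loop also evaluates chain_id, depth, parent hash, scope and expiry before the delegator lookup and signature check, which contradicts the priority order in the doc comment and reports verdicts derived from claims that have not been authenticated yet. Nothing in the visible loop ties a link's `delegator` to the party the previous link delegated to; if the claims schema (in types.d.ts, not shown here) carries such a field, it should be compared.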
package/dist/index.js.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,EAAE,UAAU,EAAE,eAAe,EAAE,MAAM,IAAI,YAAY,EAAE,MAAM,aAAa,CAAC;AAkBlF;;;;;;;;;;;;GAYG;AACH,MAAM,UAAU,kBAAkB,CAAC,KAOlC;IACC,OAAO;QACL,KAAK,CAAC,UAAU;QAChB,KAAK,CAAC,MAAM;QACZ,KAAK,CAAC,QAAQ,IAAI,EAAE;QACpB,KAAK,CAAC,UAAU,IAAI,EAAE;QACtB,KAAK,CAAC,WAAW,IAAI,EAAE;QACvB,KAAK,CAAC,MAAM;KACb,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;AACd,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,cAAc,CAAC,MAAmB;IAKhD,IAAI,CAAC,MAAM,CAAC,QAAQ;QAAE,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,CAAC;IACxE,MAAM,IAAI,GAAG,IAAI,CAAC,SAAS,CAAC,EAAE,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,CAAC,CAAC;IAC9E,MAAM,MAAM,GAAG,SAAS,GAAG,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;IAC3E,OAAO,EAAE,EAAE,EAAE,MAAM,KAAK,MAAM,CAAC,QAAQ,EAAE,QAAQ,EAAE,MAAM,CAAC,QAAQ,EAAE,MAAM,EAAE,CAAC;AAC/E,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,oBAAoB,CAClC,KAAkB,EAClB,YAAoB;IAEpB,MAAM,GAAG,GAAG,KAAK,CAAC,SAAS,CAAC;IAC5B,IAAI,CAAC,GAAG;QAAE,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,cAAc,EAAE,CAAC;IAEvD,MAAM,QAAQ,GAAG,GAAG,CAAC,UAAU,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,KAAK,CAAC,UAAU,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC;IACjF,IAAI,QAAgB,CAAC;IACrB,IAAI,CAAC;QACH,QAAQ,GAAG,MAAM,CAAC,IAAI,CAAC,QAAQ,EAAE,QAAQ,CAAC,CAAC;IAC7C,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,4BAA4B,EAAE,CAAC;IAC7D,CAAC;IACD,IAAI,QAAQ,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,iBAAiB,EAAE,CAAC;IAE3E,IAAI,MAAM,CAAC;IACX,IAAI,CAAC;QACH,MAAM,GAAG,eAAe,CAAC,YAAY,CAAC,CAAC;IACzC,CAAC;IAAC,OAAO,CAAC,EAAE,CAAC;QACX,OAAO;YACL,EAAE,EAAE,KAAK;YACT,MAAM,EAAE,2BAA4B,CAAW,CAAC,OAAO,EAAE;SAC1D,CAAC;IACJ,CAAC;IAED,MAAM,OAAO,GAAG,MAAM,CAAC,IAAI,CAAC,kBAAkB,CAAC,KAAK,CAAC,EAAE,OAAO,CAAC,CAAC;IAChE,IAAI,CAAC;QACH,OAAO,EAAE,EAAE,EAAE,YAAY,CAAC,IAAI,EAAE,OAAO,EAAE,MAAM,EAAE,QAAQ,CAAC,EAAE,CAAC;IAC/D,CAAC;IAAC,OAAO,CAAC,EAAE,CAAC;QACX,OAAO,EAAE,EAAE,EAAE,KAAK,
EAAE,MAAM,EAAE,iBAAkB,CAAW,CAAC,OAAO,EAAE,EAAE,CAAC;IACxE,CAAC;AACH,CAAC;AAED,SAAS,YAAY,CAAC,KAAkB;IACtC,mEAAmE;IACnE,oEAAoE;IACpE,OAAO,CACL,CAAC,OAAO,KAAK,CAAC,YAAY,KAAK,QAAQ,IAAI,KAAK,CAAC,YAAY,CAAC;QAC9D,CAAC,OAAO,KAAK,CAAC,QAAQ,KAAK,QAAQ,IAAI,KAAK,CAAC,QAAQ,CAAC;QACtD,IAAI,CACL,CAAC;AACJ,CAAC;AAED;;;;;;;;;;;;;;GAcG;AACH,MAAM,UAAU,YAAY,CAAC,MAAmB;IAC9C,MAAM,QAAQ,GAAG,IAAI,GAAG,CACtB,CAAC,MAAM,CAAC,MAAM,IAAI,EAAE,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,QAAQ,EAAE,CAAC,CAAC,CAAC,CAChD,CAAC;IAEF,MAAM,MAAM,GAAkB,CAAC,MAAM,CAAC,MAAM,IAAI,EAAE,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE;QAC1D,MAAM,OAAO,GAAG,YAAY,CAAC,CAAC,CAAC,CAAC;QAChC,MAAM,MAAM,GAAG,OAAO,CAAC,CAAC,QAAQ,KAAK,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,SAAS,CAAC;QAEvE,IAAI,CAAC,CAAC,CAAC,SAAS,EAAE,CAAC;YACjB,OAAO;gBACL,QAAQ,EAAE,MAAM;gBAChB,QAAQ,EAAE,OAAO;gBACjB,MAAM,EAAE,CAAC,CAAC,MAAM;gBAChB,OAAO,EAAE,UAAU;aACpB,CAAC;QACJ,CAAC;QAED,IAAI,CAAC,OAAO,EAAE,CAAC;YACb,OAAO;gBACL,QAAQ,EAAE,MAAM;gBAChB,QAAQ,EAAE,IAAI;gBACd,MAAM,EAAE,CAAC,CAAC,MAAM;gBAChB,OAAO,EAAE,eAAe;gBACxB,MAAM,EAAE,uBAAuB;aAChC,CAAC;QACJ,CAAC;QAED,MAAM,KAAK,GAAG,QAAQ,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;QACpC,IAAI,CAAC,KAAK,EAAE,CAAC;YACX,OAAO;gBACL,QAAQ,EAAE,MAAM;gBAChB,QAAQ,EAAE,OAAO;gBACjB,MAAM,EAAE,CAAC,CAAC,MAAM;gBAChB,OAAO,EAAE,eAAe;gBACxB,MAAM,EAAE,oCAAoC,OAAO,EAAE;aACtD,CAAC;QACJ,CAAC;QAED,MAAM,CAAC,GAAG,oBAAoB,CAAC,CAAC,EAAE,KAAK,CAAC,UAAU,CAAC,CAAC;QACpD,IAAI,CAAC,CAAC,EAAE,EAAE,CAAC;YACT,OAAO;gBACL,QAAQ,EAAE,MAAM;gBAChB,QAAQ,EAAE,OAAO;gBACjB,MAAM,EAAE,CAAC,CAAC,MAAM;gBAChB,OAAO,EAAE,UAAU;aACpB,CAAC;QACJ,CAAC;QACD,IAAI,CAAC,CAAC,MAAM,IAAI,CAAC,CAAC,MAAM,CAAC,UAAU,CAAC,wBAAwB,CAAC,EAAE,CAAC;YAC9D,OAAO;gBACL,QAAQ,EAAE,MAAM;gBAChB,QAAQ,EAAE,OAAO;gBACjB,MAAM,EAAE,CAAC,CAAC,MAAM;gBAChB,OAAO,EAAE,qBAAqB;gBAC9B,MAAM,EAAE,CAAC,CAAC,MAAM;aACjB,CAAC;QACJ,CAAC;QACD,IAAI,CAAC,CAAC,MAAM,IAAI,CAAC,CAAC,CAAC,MAAM,CAAC,QAAQ,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,MAAM,CAAC,QAAQ,CAAC,cAAc,CAAC,CAAC,EAAE,CAAC;YACnF,OAAO;gBACL,QAAQ,EAAE,MAAM;gBAChB,QAA
Q,EAAE,OAAO;gBACjB,MAAM,EAAE,CAAC,CAAC,MAAM;gBAChB,OAAO,EAAE,qBAAqB;gBAC9B,MAAM,EAAE,CAAC,CAAC,MAAM;aACjB,CAAC;QACJ,CAAC;QACD,OAAO;YACL,QAAQ,EAAE,MAAM;YAChB,QAAQ,EAAE,OAAO;YACjB,MAAM,EAAE,CAAC,CAAC,MAAM;YAChB,OAAO,EAAE,eAAe;YACxB,MAAM,EAAE,CAAC,CAAC,MAAM;SACjB,CAAC;IACJ,CAAC,CAAC,CAAC;IAEH,MAAM,MAAM,GAAG;QACb,QAAQ,EAAE,CAAC;QACX,QAAQ,EAAE,CAAC;QACX,aAAa,EAAE,CAAC;QAChB,aAAa,EAAE,CAAC;QAChB,mBAAmB,EAAE,CAAC;KACvB,CAAC;IACF,KAAK,MAAM,CAAC,IAAI,MAAM;QAAE,MAAM,CAAC,CAAC,CAAC,OAAO,CAAC,EAAE,CAAC;IAE5C,MAAM,QAAQ,GAAG,cAAc,CAAC,MAAM,CAAC,CAAC;IACxC,MAAM,EAAE,GACN,MAAM,CAAC,aAAa,KAAK,CAAC;QAC1B,MAAM,CAAC,mBAAmB,KAAK,CAAC;QAChC,QAAQ,CAAC,EAAE,KAAK,KAAK,CAAC;IAExB,OAAO;QACL,cAAc,EACZ,OAAO,MAAM,CAAC,cAAc,KAAK,QAAQ,CAAC,CAAC,CAAC,MAAM,CAAC,cAAc,CAAC,CAAC,CAAC,IAAI;QAC1E,WAAW,EAAE,QAAQ,CAAC,EAAE;QACxB,iBAAiB,EAAE,QAAQ,CAAC,QAAQ;QACpC,eAAe,EAAE,QAAQ,CAAC,MAAM;QAChC,WAAW,EAAE,MAAM,CAAC,MAAM;QAC1B,QAAQ,EAAE,MAAM,CAAC,QAAQ;QACzB,QAAQ,EAAE,MAAM,CAAC,QAAQ;QACzB,aAAa,EAAE,MAAM,CAAC,aAAa;QACnC,aAAa,EAAE,MAAM,CAAC,aAAa;QACnC,mBAAmB,EAAE,MAAM,CAAC,mBAAmB;QAC/C,MAAM;QACN,EAAE;KACH,CAAC;AACJ,CAAC"}
|
|
1
|
+
{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,EAAE,UAAU,EAAE,eAAe,EAAE,MAAM,IAAI,YAAY,EAAE,MAAM,aAAa,CAAC;AAkBlF;;;;;;;;;;;;GAYG;AACH,MAAM,UAAU,kBAAkB,CAAC,KAOlC;IACC,OAAO;QACL,KAAK,CAAC,UAAU;QAChB,KAAK,CAAC,MAAM;QACZ,KAAK,CAAC,QAAQ,IAAI,EAAE;QACpB,KAAK,CAAC,UAAU,IAAI,EAAE;QACtB,KAAK,CAAC,WAAW,IAAI,EAAE;QACvB,KAAK,CAAC,MAAM;KACb,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;AACd,CAAC;AAED;;;;;;;;;;;;;GAaG;AACH,MAAM,UAAU,kBAAkB,CAAC,KAAkB;IACnD,MAAM,EAAE,SAAS,EAAE,IAAI,EAAE,cAAc,EAAE,GAAG,EAAE,GAAG,IAAI,EAAE,GAAG,KAA8C,CAAC;IACzG,OAAO,eAAe,CAAC,IAAI,CAAC,CAAC;AAC/B,CAAC;AAED;;;;;;;;;;;GAWG;AACH,MAAM,UAAU,eAAe,CAAC,KAAc;IAC5C,IAAI,KAAK,KAAK,IAAI;QAAE,OAAO,MAAM,CAAC;IAClC,IAAI,KAAK,KAAK,IAAI;QAAE,OAAO,MAAM,CAAC;IAClC,IAAI,KAAK,KAAK,KAAK;QAAE,OAAO,OAAO,CAAC;IAEpC,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;QAC9B,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,KAAK,CAAC,EAAE,CAAC;YAC5B,MAAM,IAAI,KAAK,CAAC,qDAAqD,CAAC,CAAC;QACzE,CAAC;QACD,OAAO,KAAK,CAAC,QAAQ,EAAE,CAAC;IAC1B,CAAC;IAED,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;QAC9B,OAAO,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC;IAC/B,CAAC;IAED,IAAI,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC;QACzB,OAAO,GAAG,GAAG,KAAK,CAAC,GAAG,CAAC,eAAe,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,GAAG,GAAG,CAAC;IAC1D,CAAC;IAED,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;QAC9B,MAAM,GAAG,GAAG,KAAgC,CAAC;QAC7C,MAAM,IAAI,GAAG,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,KAAK,SAAS,CAAC,CAAC,IAAI,EAAE,CAAC;QACvE,MAAM,KAAK,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC,CAAC,GAAG,GAAG,GAAG,eAAe,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;QAC/E,OAAO,GAAG,GAAG,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,GAAG,GAAG,CAAC;IACrC,CAAC;IAED,MAAM,IAAI,KAAK,CAAC,4CAA4C,OAAO,KAAK,EAAE,CAAC,CAAC;AAC9E,CAAC;AAED;;;;GAIG;AACH,SAAS,sBAAsB,CAAC,KAAkB;IAChD,MAAM,IAAI,GAAI,KAAa,CAAC,cAAc,IAAI,IAAI,CAAC;IACnD,OAAO,IAAI,KAAK,IAAI,CAAC,CAAC,CAAC,kBAAkB,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,kBAAkB,CAAC,KAAK,CAAC,CAAC;AAC/E,CAAC;AAED;;;;G
AIG;AACH,MAAM,UAAU,cAAc,CAAC,MAAmB;IAKhD,IAAI,CAAC,MAAM,CAAC,QAAQ;QAAE,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,CAAC;IACxE,MAAM,IAAI,GAAG,IAAI,CAAC,SAAS,CAAC,EAAE,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,CAAC,CAAC;IAC9E,MAAM,MAAM,GAAG,SAAS,GAAG,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;IAC3E,OAAO,EAAE,EAAE,EAAE,MAAM,KAAK,MAAM,CAAC,QAAQ,EAAE,QAAQ,EAAE,MAAM,CAAC,QAAQ,EAAE,MAAM,EAAE,CAAC;AAC/E,CAAC;AAED;;;;;;;;;GASG;AACH,MAAM,UAAU,oBAAoB,CAClC,KAAkB,EAClB,YAAoB;IAEpB,MAAM,GAAG,GAAG,KAAK,CAAC,SAAS,CAAC;IAC5B,IAAI,CAAC,GAAG;QAAE,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,cAAc,EAAE,CAAC;IAEvD,MAAM,QAAQ,GAAG,GAAG,CAAC,UAAU,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,KAAK,CAAC,UAAU,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC;IACjF,IAAI,QAAgB,CAAC;IACrB,IAAI,CAAC;QACH,QAAQ,GAAG,MAAM,CAAC,IAAI,CAAC,QAAQ,EAAE,QAAQ,CAAC,CAAC;IAC7C,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,4BAA4B,EAAE,CAAC;IAC7D,CAAC;IACD,IAAI,QAAQ,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,iBAAiB,EAAE,CAAC;IAE3E,IAAI,MAAM,CAAC;IACX,IAAI,CAAC;QACH,MAAM,GAAG,eAAe,CAAC,YAAY,CAAC,CAAC;IACzC,CAAC;IAAC,OAAO,CAAC,EAAE,CAAC;QACX,OAAO;YACL,EAAE,EAAE,KAAK;YACT,MAAM,EAAE,2BAA4B,CAAW,CAAC,OAAO,EAAE;SAC1D,CAAC;IACJ,CAAC;IAED,MAAM,OAAO,GAAG,MAAM,CAAC,IAAI,CAAC,sBAAsB,CAAC,KAAK,CAAC,EAAE,OAAO,CAAC,CAAC;IACpE,IAAI,CAAC;QACH,OAAO,EAAE,EAAE,EAAE,YAAY,CAAC,IAAI,EAAE,OAAO,EAAE,MAAM,EAAE,QAAQ,CAAC,EAAE,CAAC;IAC/D,CAAC;IAAC,OAAO,CAAC,EAAE,CAAC;QACX,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,iBAAkB,CAAW,CAAC,OAAO,EAAE,EAAE,CAAC;IACxE,CAAC;AACH,CAAC;AAED,SAAS,YAAY,CAAC,KAAkB;IACtC,mEAAmE;IACnE,oEAAoE;IACpE,OAAO,CACL,CAAC,OAAO,KAAK,CAAC,YAAY,KAAK,QAAQ,IAAI,KAAK,CAAC,YAAY,CAAC;QAC9D,CAAC,OAAO,KAAK,CAAC,QAAQ,KAAK,QAAQ,IAAI,KAAK,CAAC,QAAQ,CAAC;QACtD,IAAI,CACL,CAAC;AACJ,CAAC;AAED;;;;;;;;;;;;;;GAcG;AACH,MAAM,UAAU,YAAY,CAAC,MAAmB;IAC9C,MAAM,QAAQ,GAAG,IAAI,GAAG,CACtB,CAAC,MAAM,CAAC,MAAM,IAAI,EAAE,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,C
AAC,CAAC,CAAC,CAAC,QAAQ,EAAE,CAAC,CAAC,CAAC,CAChD,CAAC;IAEF,MAAM,MAAM,GAAkB,CAAC,MAAM,CAAC,MAAM,IAAI,EAAE,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE;QAC1D,MAAM,OAAO,GAAG,YAAY,CAAC,CAAC,CAAC,CAAC;QAChC,MAAM,MAAM,GAAG,OAAO,CAAC,CAAC,QAAQ,KAAK,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,SAAS,CAAC;QAEvE,IAAI,CAAC,CAAC,CAAC,SAAS,EAAE,CAAC;YACjB,OAAO;gBACL,QAAQ,EAAE,MAAM;gBAChB,QAAQ,EAAE,OAAO;gBACjB,MAAM,EAAE,CAAC,CAAC,MAAM;gBAChB,OAAO,EAAE,UAAU;aACpB,CAAC;QACJ,CAAC;QAED,IAAI,CAAC,OAAO,EAAE,CAAC;YACb,OAAO;gBACL,QAAQ,EAAE,MAAM;gBAChB,QAAQ,EAAE,IAAI;gBACd,MAAM,EAAE,CAAC,CAAC,MAAM;gBAChB,OAAO,EAAE,eAAe;gBACxB,MAAM,EAAE,uBAAuB;aAChC,CAAC;QACJ,CAAC;QAED,MAAM,KAAK,GAAG,QAAQ,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;QACpC,IAAI,CAAC,KAAK,EAAE,CAAC;YACX,OAAO;gBACL,QAAQ,EAAE,MAAM;gBAChB,QAAQ,EAAE,OAAO;gBACjB,MAAM,EAAE,CAAC,CAAC,MAAM;gBAChB,OAAO,EAAE,eAAe;gBACxB,MAAM,EAAE,oCAAoC,OAAO,EAAE;aACtD,CAAC;QACJ,CAAC;QAED,MAAM,CAAC,GAAG,oBAAoB,CAAC,CAAC,EAAE,KAAK,CAAC,UAAU,CAAC,CAAC;QACpD,IAAI,CAAC,CAAC,EAAE,EAAE,CAAC;YACT,OAAO;gBACL,QAAQ,EAAE,MAAM;gBAChB,QAAQ,EAAE,OAAO;gBACjB,MAAM,EAAE,CAAC,CAAC,MAAM;gBAChB,OAAO,EAAE,UAAU;aACpB,CAAC;QACJ,CAAC;QACD,IAAI,CAAC,CAAC,MAAM,IAAI,CAAC,CAAC,MAAM,CAAC,UAAU,CAAC,wBAAwB,CAAC,EAAE,CAAC;YAC9D,OAAO;gBACL,QAAQ,EAAE,MAAM;gBAChB,QAAQ,EAAE,OAAO;gBACjB,MAAM,EAAE,CAAC,CAAC,MAAM;gBAChB,OAAO,EAAE,qBAAqB;gBAC9B,MAAM,EAAE,CAAC,CAAC,MAAM;aACjB,CAAC;QACJ,CAAC;QACD,IAAI,CAAC,CAAC,MAAM,IAAI,CAAC,CAAC,CAAC,MAAM,CAAC,QAAQ,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,MAAM,CAAC,QAAQ,CAAC,cAAc,CAAC,CAAC,EAAE,CAAC;YACnF,OAAO;gBACL,QAAQ,EAAE,MAAM;gBAChB,QAAQ,EAAE,OAAO;gBACjB,MAAM,EAAE,CAAC,CAAC,MAAM;gBAChB,OAAO,EAAE,qBAAqB;gBAC9B,MAAM,EAAE,CAAC,CAAC,MAAM;aACjB,CAAC;QACJ,CAAC;QACD,OAAO;YACL,QAAQ,EAAE,MAAM;YAChB,QAAQ,EAAE,OAAO;YACjB,MAAM,EAAE,CAAC,CAAC,MAAM;YAChB,OAAO,EAAE,eAAe;YACxB,MAAM,EAAE,CAAC,CAAC,MAAM;SACjB,CAAC;IACJ,CAAC,CAAC,CAAC;IAEH,MAAM,MAAM,GAAG;QACb,QAAQ,EAAE,CAAC;QACX,QAAQ,EAAE,CAAC;QACX,aAAa,EAAE,CAAC;QAChB,aAAa,EAAE,CAAC;QAChB,mBAAmB,EAAE,CAAC;KACvB,CAAC;IACF,KAAK,MAAM,CAAC,IAAI,MAAM;QAAE
,MAAM,CAAC,CAAC,CAAC,OAAO,CAAC,EAAE,CAAC;IAE5C,sEAAsE;IACtE,EAAE;IACF,qEAAqE;IACrE,mEAAmE;IACnE,mEAAmE;IACnE,kEAAkE;IAClE,qEAAqE;IACrE,EAAE;IACF,wDAAwD;IACxD,sEAAsE;IACtE,qEAAqE;IACrE,yBAAyB;IACzB,MAAM,SAAS,GAAG,MAAM,CAAC,MAAM,IAAI,EAAE,CAAC;IACtC,MAAM,WAAW,GAAG,EAAE,MAAM,EAAE,CAAC,EAAE,OAAO,EAAE,CAAC,EAAE,MAAM,EAAE,CAAC,EAAE,CAAC;IACzD,MAAM,UAAU,GAAG,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAE,CAAS,CAAC,eAAe,IAAI,IAAI,CAAC,CAAC;IAC3E,MAAM,oBAAoB,GAAG,IAAI,GAAG,EAAkB,CAAC;IACvD,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,SAAS,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QAC1C,MAAM,CAAC,GAAG,SAAS,CAAC,CAAC,CAAC,CAAC;QACvB,MAAM,OAAO,GAAG,YAAY,CAAC,CAAC,CAAC,CAAC;QAChC,IAAI,CAAC,OAAO;YAAE,SAAS;QACvB,MAAM,SAAS,GAAI,CAAS,CAAC,eAA4C,CAAC;QAC1E,MAAM,YAAY,GAAG,oBAAoB,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;QAEvD,IAAI,SAAS,EAAE,CAAC;YACd,IAAI,CAAC,YAAY,EAAE,CAAC;gBAClB,iEAAiE;gBACjE,mEAAmE;gBACnE,+DAA+D;gBAC/D,gBAAgB;gBAChB,MAAM,CAAC,CAAC,CAAC,CAAC,KAAK,GAAG,cAAc,CAAC;gBACjC,MAAM,CAAC,CAAC,CAAC,CAAC,MAAM,GAAG,MAAM,CAAC,CAAC,CAAC,CAAC,MAAM,IAAI,kDAAkD,CAAC;gBAC1F,WAAW,CAAC,MAAM,EAAE,CAAC;YACvB,CAAC;iBAAM,IAAI,SAAS,KAAK,YAAY,EAAE,CAAC;gBACtC,MAAM,CAAC,CAAC,CAAC,CAAC,KAAK,GAAG,cAAc,CAAC;gBACjC,WAAW,CAAC,MAAM,EAAE,CAAC;YACvB,CAAC;iBAAM,CAAC;gBACN,MAAM,CAAC,CAAC,CAAC,CAAC,KAAK,GAAG,cAAc,CAAC;gBACjC,MAAM,CAAC,CAAC,CAAC,CAAC,MAAM,GAAG,MAAM,CAAC,CAAC,CAAC,CAAC,MAAM,IAAI,sCAAsC,YAAY,SAAS,SAAS,GAAG,CAAC;gBAC/G,WAAW,CAAC,MAAM,EAAE,CAAC;YACvB,CAAC;QACH,CAAC;aAAM,IAAI,YAAY,IAAI,UAAU,EAAE,CAAC;YACtC,4DAA4D;YAC5D,gEAAgE;YAChE,0DAA0D;YAC1D,MAAM,CAAC,CAAC,CAAC,CAAC,KAAK,GAAG,eAAe,CAAC;YAClC,WAAW,CAAC,OAAO,EAAE,CAAC;QACxB,CAAC;aAAM,IAAI,UAAU,EAAE,CAAC;YACtB,6DAA6D;YAC7D,qCAAqC;YACrC,MAAM,CAAC,CAAC,CAAC,CAAC,KAAK,GAAG,cAAc,CAAC;YACjC,WAAW,CAAC,MAAM,EAAE,CAAC;QACvB,CAAC;QACD,4DAA4D;QAE5D,uEAAuE;QACvE,oBAAoB,CAAC,GAAG,CAAC,OAAO,EAAE,SAAS,CAAC,sBAAsB,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;IAC1E,CAAC;IAED,sEAAsE;IACtE,MAAM,MAAM,GAAG,MAAM,CAAC,iBAAiB,IAAI,EAAE,CAAC;IAC9C,MAAM,WAAW,GAAG,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,qBAAqB,CA
AC,CAAC,EAAE,QAAQ,CAAC,CAAC,CAAC;IACxE,MAAM,gBAAgB,GAAG,EAAE,KAAK,EAAE,CAAC,EAAE,OAAO,EAAE,CAAC,EAAE,YAAY,EAAE,CAAC,EAAE,CAAC;IACnE,KAAK,MAAM,CAAC,IAAI,WAAW,EAAE,CAAC;QAC5B,IAAI,CAAC,CAAC,OAAO,KAAK,kBAAkB;YAAE,gBAAgB,CAAC,KAAK,EAAE,CAAC;aAC1D,IAAI,CAAC,CAAC,OAAO,KAAK,yBAAyB;YAAE,gBAAgB,CAAC,YAAY,EAAE,CAAC;aAC7E,IAAI,CAAC,CAAC,OAAO,KAAK,0BAA0B;YAAE,gBAAgB,CAAC,YAAY,EAAE,CAAC;;YAC9E,gBAAgB,CAAC,OAAO,EAAE,CAAC;IAClC,CAAC;IAED,MAAM,QAAQ,GAAG,cAAc,CAAC,MAAM,CAAC,CAAC;IACxC,MAAM,EAAE,GACN,MAAM,CAAC,aAAa,KAAK,CAAC;QAC1B,MAAM,CAAC,mBAAmB,KAAK,CAAC;QAChC,WAAW,CAAC,MAAM,KAAK,CAAC;QACxB,gBAAgB,CAAC,OAAO,KAAK,CAAC;QAC9B,QAAQ,CAAC,EAAE,KAAK,KAAK,CAAC;IAExB,MAAM,IAAI,GAAiB;QACzB,cAAc,EACZ,OAAO,MAAM,CAAC,cAAc,KAAK,QAAQ,CAAC,CAAC,CAAC,MAAM,CAAC,cAAc,CAAC,CAAC,CAAC,IAAI;QAC1E,WAAW,EAAE,QAAQ,CAAC,EAAE;QACxB,iBAAiB,EAAE,QAAQ,CAAC,QAAQ;QACpC,eAAe,EAAE,QAAQ,CAAC,MAAM;QAChC,WAAW,EAAE,MAAM,CAAC,MAAM;QAC1B,QAAQ,EAAE,MAAM,CAAC,QAAQ;QACzB,QAAQ,EAAE,MAAM,CAAC,QAAQ;QACzB,aAAa,EAAE,MAAM,CAAC,aAAa;QACnC,aAAa,EAAE,MAAM,CAAC,aAAa;QACnC,mBAAmB,EAAE,MAAM,CAAC,mBAAmB;QAC/C,MAAM;QACN,EAAE;KACH,CAAC;IACF,IAAI,UAAU,EAAE,CAAC;QACf,IAAI,CAAC,YAAY,GAAG,WAAW,CAAC,MAAM,CAAC;QACvC,IAAI,CAAC,aAAa,GAAG,WAAW,CAAC,OAAO,CAAC;QACzC,IAAI,CAAC,YAAY,GAAG,WAAW,CAAC,MAAM,CAAC;IACzC,CAAC;IACD,IAAI,MAAM,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACtB,IAAI,CAAC,WAAW,GAAG,WAAW,CAAC;QAC/B,IAAI,CAAC,gBAAgB,GAAG,gBAAgB,CAAC,KAAK,CAAC;QAC/C,IAAI,CAAC,kBAAkB,GAAG,gBAAgB,CAAC,OAAO,CAAC;QACnD,IAAI,CAAC,uBAAuB,GAAG,gBAAgB,CAAC,YAAY,CAAC;IAC/D,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED,4EAA4E;AAC5E,SAAS,SAAS,CAAC,CAAS;IAC1B,OAAO,SAAS,GAAG,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;AAClE,CAAC;AAED,6EAA6E;AAE7E;;;;;;;;;;;;;;GAcG;AACH,MAAM,UAAU,qBAAqB,CACnC,KAA2D,EAC3D,QAAuD,EACvD,MAAY,IAAI,IAAI,EAAE;IAEtB,MAAM,OAAO,GAAG,KAAK,CAAC,QAAQ,CAAC;IAC/B,MAAM,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC,MAAM,CAAC;IAEjC,IAAI,KAAK,KAAK,CAAC,EAAE,CAAC;QAChB,OAAO;YACL,QAAQ,EAAE,OAAO;YACjB,OAAO,EAAE,yBAAyB;YAClC,KAAK,EAAE,CAAC;YACR,MAAM,EAAE,yDAA
yD;SAClE,CAAC;IACJ,CAAC;IAED,6BAA6B;IAC7B,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QAC5C,MAAM,EAAE,MAAM,EAAE,SAAS,EAAE,GAAG,KAAK,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;QAE7C,yBAAyB;QACzB,IAAI,MAAM,CAAC,QAAQ,KAAK,OAAO,EAAE,CAAC;YAChC,OAAO;gBACL,QAAQ,EAAE,OAAO,EAAE,KAAK,EAAE,OAAO,EAAE,yBAAyB;gBAC5D,MAAM,EAAE,QAAQ,CAAC,GAAG,CAAC,uBAAuB,MAAM,CAAC,QAAQ,qCAAqC,OAAO,GAAG;aAC3G,CAAC;QACJ,CAAC;QACD,gBAAgB;QAChB,IAAI,MAAM,CAAC,KAAK,KAAK,CAAC,GAAG,CAAC,EAAE,CAAC;YAC3B,OAAO;gBACL,QAAQ,EAAE,OAAO,EAAE,KAAK,EAAE,OAAO,EAAE,yBAAyB;gBAC5D,MAAM,EAAE,QAAQ,CAAC,GAAG,CAAC,qBAAqB,MAAM,CAAC,KAAK,cAAc,CAAC,GAAG,CAAC,EAAE;aAC5E,CAAC;QACJ,CAAC;QAED,oBAAoB;QACpB,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC;YACZ,IAAI,MAAM,CAAC,gBAAgB,KAAK,IAAI,EAAE,CAAC;gBACrC,OAAO;oBACL,QAAQ,EAAE,OAAO,EAAE,KAAK,EAAE,OAAO,EAAE,yBAAyB;oBAC5D,MAAM,EAAE,kDAAkD,MAAM,CAAC,gBAAgB,EAAE;iBACpF,CAAC;YACJ,CAAC;QACH,CAAC;aAAM,CAAC;YACN,MAAM,YAAY,GAAG,KAAK,CAAC,KAAK,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,MAAM,CAAC;YAC/C,MAAM,kBAAkB,GAAG,SAAS,CAAC,eAAe,CAAC,YAAY,CAAC,CAAC,CAAC;YACpE,IAAI,MAAM,CAAC,gBAAgB,KAAK,kBAAkB,EAAE,CAAC;gBACnD,OAAO;oBACL,QAAQ,EAAE,OAAO,EAAE,KAAK,EAAE,OAAO,EAAE,yBAAyB;oBAC5D,MAAM,EAAE,QAAQ,CAAC,GAAG,CAAC,wCAAwC,kBAAkB,SAAS,MAAM,CAAC,gBAAgB,GAAG;iBACnH,CAAC;YACJ,CAAC;YACD,sDAAsD;YACtD,KAAK,MAAM,KAAK,IAAI,MAAM,CAAC,MAAM,EAAE,CAAC;gBAClC,IAAI,CAAC,YAAY,CAAC,MAAM,CAAC,QAAQ,CAAC,KAAK,CAAC,EAAE,CAAC;oBACzC,OAAO;wBACL,QAAQ,EAAE,OAAO,EAAE,KAAK,EAAE,OAAO,EAAE,2BAA2B;wBAC9D,MAAM,EAAE,QAAQ,CAAC,GAAG,CAAC,kBAAkB,KAAK,6BAA6B;qBAC1E,CAAC;gBACJ,CAAC;YACH,CAAC;QACH,CAAC;QAED,UAAU;QACV,IAAI,MAAM,CAAC,WAAW,IAAI,IAAI,IAAI,CAAC,MAAM,CAAC,WAAW,CAAC,GAAG,GAAG,EAAE,CAAC;YAC7D,OAAO;gBACL,QAAQ,EAAE,OAAO,EAAE,KAAK,EAAE,OAAO,EAAE,oBAAoB;gBACvD,MAAM,EAAE,QAAQ,CAAC,GAAG,CAAC,eAAe,MAAM,CAAC,SAAS,gBAAgB,MAAM,CAAC,WAAW,EAAE;aACzF,CAAC;QACJ,CAAC;QAED,aAAa;QACb,MAAM,cAAc,GAAG,QAAQ,CAAC,GAAG,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;QACtD,IAAI,CAAC,cAAc,EAAE,CAAC;YACpB,OAAO;gBACL,QAAQ,EAAE,OAAO,EAAE,KAAK,EAAE,OAAO,EAAE,0BAA0B;gBAC7D
,MAAM,EAAE,aAAa,MAAM,CAAC,SAAS,+CAA+C,CAAC,GAAG,CAAC,EAAE;aAC5F,CAAC;QACJ,CAAC;QACD,MAAM,KAAK,GAAG,gCAAgC,CAAC,MAAM,EAAE,SAAS,EAAE,cAAc,CAAC,UAAU,CAAC,CAAC;QAC7F,IAAI,CAAC,KAAK,CAAC,EAAE,EAAE,CAAC;YACd,OAAO;gBACL,QAAQ,EAAE,OAAO,EAAE,KAAK,EAAE,OAAO,EAAE,8BAA8B;gBACjE,MAAM,EAAE,QAAQ,CAAC,GAAG,CAAC,+BAA+B,KAAK,CAAC,MAAM,EAAE;aACnE,CAAC;QACJ,CAAC;IACH,CAAC;IAED,OAAO,EAAE,QAAQ,EAAE,OAAO,EAAE,OAAO,EAAE,kBAAkB,EAAE,KAAK,EAAE,CAAC;AACnE,CAAC;AAED,SAAS,gCAAgC,CACvC,MAAiD,EACjD,SAAiB,EACjB,YAAoB;IAEpB,MAAM,QAAQ,GAAG,SAAS,CAAC,UAAU,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC,KAAK,CAAC,UAAU,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC;IACnG,IAAI,QAAgB,CAAC;IACrB,IAAI,CAAC;QACH,QAAQ,GAAG,MAAM,CAAC,IAAI,CAAC,QAAQ,EAAE,QAAQ,CAAC,CAAC;IAC7C,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,4BAA4B,EAAE,CAAC;IAC7D,CAAC;IACD,IAAI,QAAQ,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,iBAAiB,EAAE,CAAC;IAC3E,IAAI,MAAM,CAAC;IACX,IAAI,CAAC;QACH,MAAM,GAAG,eAAe,CAAC,YAAY,CAAC,CAAC;IACzC,CAAC;IAAC,OAAO,CAAC,EAAE,CAAC;QACX,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,2BAA4B,CAAW,CAAC,OAAO,EAAE,EAAE,CAAC;IAClF,CAAC;IACD,MAAM,OAAO,GAAG,MAAM,CAAC,IAAI,CAAC,eAAe,CAAC,MAAM,CAAC,EAAE,OAAO,CAAC,CAAC;IAC9D,IAAI,CAAC;QACH,OAAO,EAAE,EAAE,EAAE,YAAY,CAAC,IAAI,EAAE,OAAO,EAAE,MAAM,EAAE,QAAQ,CAAC,EAAE,CAAC;IAC/D,CAAC;IAAC,OAAO,CAAC,EAAE,CAAC;QACX,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,iBAAkB,CAAW,CAAC,OAAO,EAAE,EAAE,CAAC;IACxE,CAAC;AACH,CAAC"}
|
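--- a/package/dist/types.d.ts
+++ b/package/dist/types.d.ts
@@ -11,14 +11,48 @@ export interface AuditBundle {
 manifest?: string;
 events: BundleEvent[];
 agents: BundleAgent[];
+/**
+* Signed delegation chain tokens (VAIP -02 § 5). One entry per
+* unique delegation_chain_id referenced by events in the bundle.
+* A chain with empty `links` is one that was created without a
+* signed link (server-side enforced but not offline-verifiable);
+* the verifier reports such chains as `delegation_unverifiable`.
+*/
+delegation_tokens?: DelegationChainTokenBundleEntry[];
 event_count?: number;
 agent_count?: number;
+delegation_chain_count?: number;
 from?: string;
 to?: string;
 org_id?: string;
 generated_at?: string;
 [key: string]: unknown;
 }
+/** One delegation chain token as embedded in a bundle. */
+export interface DelegationChainTokenBundleEntry {
+v: 0;
+chain_id: string;
+links: DelegationSignedLink[];
+}
+/** A signed link inside a delegation chain token. */
+export interface DelegationSignedLink {
+claims: DelegationLinkClaims;
+signature: string;
+}
+/** Claims structure (VAIP -02 § 5). Mirrors `@vorim/shared-types`. */
+export interface DelegationLinkClaims {
+v: 0;
+type: 'vaip-delegation-link';
+chain_id: string;
+depth: number;
+delegator: string;
+delegate: string;
+scopes: string[];
+max_chain_depth: number;
+valid_from: string;
+valid_until: string | null;
+parent_link_hash: string | null;
+}
 export interface BundleEvent {
 event_id?: string;
 agent_id_str?: string;
@@ -31,6 +65,20 @@ export interface BundleEvent {
 result: string;
 signature?: string | null;
 timestamp?: string;
+model_version?: string | null;
+tool_catalogue_hash?: string | null;
+system_prompt_hash?: string | null;
+prev_event_hash?: string | null;
+/**
+* Which canonical-form recipe the signature was computed over.
+* Missing/null ↔ 'v0' (the pipe-joined six-field form), preserving
+* compatibility with events signed before v1 was registered.
+*/
+canonical_form?: 'v0' | 'v1' | null;
+on_behalf_of?: string | null;
+delegator_agent_id?: string | null;
+delegation_chain_id?: string | null;
+delegation_depth?: number | null;
 [key: string]: unknown;
 }
 export interface BundleAgent {
@@ -41,12 +89,30 @@ export interface BundleAgent {
 name?: string;
 }
 export type EventVerdict = 'verified' | 'unsigned' | 'bad_signature' | 'unknown_agent' | 'malformed_signature';
+/** Per-agent chain validation outcome (independent of signature verdict). */
+export type ChainVerdict = 'chain_intact' | 'chain_restart' | 'chain_broken';
+/** Per-delegation-chain validation outcome (VAIP -02 § 5). */
+export type DelegationChainVerdict = 'delegation_valid' | 'delegation_invalid_signature' | 'delegation_chain_broken' | 'delegation_scope_exceeded' | 'delegation_expired' | 'delegation_unknown_agent' | 'delegation_unverifiable';
+export interface DelegationChainResult {
+chain_id: string;
+verdict: DelegationChainVerdict;
+/** Depth of the chain (number of links). */
+depth: number;
+/** When the verdict is not `delegation_valid`, the human-readable reason. */
+reason?: string;
+}
 export interface EventResult {
 event_id?: string;
 agent_id: string | null;
 action: string;
 verdict: EventVerdict;
 reason?: string;
+/**
+* Chain validation outcome for this event. Only populated when the
+* bundle contains at least one event with a `prev_event_hash` field;
+* otherwise undefined (no chain to validate).
+*/
+chain?: ChainVerdict;
 }
 export interface VerifyReport {
 bundle_version: string | null;
@@ -59,6 +125,39 @@ export interface VerifyReport {
 bad_signature: number;
 unknown_agent: number;
 malformed_signature: number;
+/**
+* Number of events whose `prev_event_hash` matched the predecessor's
+* canonical bytes for the same agent. Includes the head of each chain
+* (no predecessor) when no prev_event_hash is set. Only counted when
+* the bundle contains any chained events.
+*/
+chain_intact?: number;
+/**
+* Number of events that have no `prev_event_hash` but a predecessor
+* exists in the bundle for the same agent. Informational, not a
+* failure: chain restarts happen on SDK process restart.
+*/
+chain_restart?: number;
+/**
+* Number of events whose `prev_event_hash` did NOT match the
+* predecessor's canonical-bytes hash. A non-zero count fails the
+* bundle.
+*/
+chain_broken?: number;
+/**
+* Per-delegation-chain verdicts (one per unique delegation_chain_id
+* referenced by events in the bundle). Suppressed when the bundle
+* has no delegation chains. A `delegation_invalid_signature`,
+* `delegation_chain_broken`, `delegation_scope_exceeded`, or
+* `delegation_expired` verdict on any chain fails the bundle;
+* `delegation_unknown_agent` and `delegation_unverifiable` do not
+* (they are surfaced for the reader to make their own call).
+*/
+delegations?: DelegationChainResult[];
+/** Convenience counts. */
+delegation_valid?: number;
+delegation_invalid?: number;
+delegation_unverifiable?: number;
 events: EventResult[];
 ok: boolean;
 }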
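Review bot: The doc comment on `canonical_form` in `BundleEvent` does not say what the v0 fallback means for the fields added beside it. The comment describes v0 as the pipe-joined six-field form, so on an event whose `canonical_form` is missing, null or `'v0'`, the new `model_version`, `tool_catalogue_hash`, `system_prompt_hash`, `prev_event_hash` and delegation fields appear to sit outside the signed bytes, and a `verified` verdict would not authenticate them. I would add a line to that comment such as `* Under 'v0' only the six v0 fields are signed; fields introduced with v1 are not covered by the signature.` The verifier logic in index.js is not readable from this section, so confirm whether chain and delegation checks treat v0 events differently. The same gap applies to `ok` in `VerifyReport`, which per the `delegations` comment stays true for `delegation_unknown_agent` and `delegation_unverifiable`; a one-line doc on `ok` saying so would keep callers from reading it as proof of delegation.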
package/dist/types.d.ts.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../src/types.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AACH,MAAM,WAAW,WAAW;IAC1B,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,MAAM,EAAE,WAAW,EAAE,CAAC;IACtB,MAAM,EAAE,WAAW,EAAE,CAAC;IACtB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,EAAE,CAAC,EAAE,MAAM,CAAC;IACZ,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC;CACxB;AAED,MAAM,WAAW,WAAW;IAC1B,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,QAAQ,CAAC,EAAE,MAAM,GAAG,MAAM,CAAC;IAC3B,UAAU,EAAE,MAAM,CAAC;IACnB,MAAM,EAAE,MAAM,CAAC;IACf,QAAQ,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IACzB,UAAU,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAC3B,WAAW,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAC5B,MAAM,EAAE,MAAM,CAAC;IACf,SAAS,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAC1B,SAAS,CAAC,EAAE,MAAM,CAAC;
|
|
1
|
+
{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../src/types.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AACH,MAAM,WAAW,WAAW;IAC1B,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,MAAM,EAAE,WAAW,EAAE,CAAC;IACtB,MAAM,EAAE,WAAW,EAAE,CAAC;IACtB;;;;;;OAMG;IACH,iBAAiB,CAAC,EAAE,+BAA+B,EAAE,CAAC;IACtD,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,sBAAsB,CAAC,EAAE,MAAM,CAAC;IAChC,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,EAAE,CAAC,EAAE,MAAM,CAAC;IACZ,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC;CACxB;AAED,0DAA0D;AAC1D,MAAM,WAAW,+BAA+B;IAC9C,CAAC,EAAE,CAAC,CAAC;IACL,QAAQ,EAAE,MAAM,CAAC;IACjB,KAAK,EAAE,oBAAoB,EAAE,CAAC;CAC/B;AAED,qDAAqD;AACrD,MAAM,WAAW,oBAAoB;IACnC,MAAM,EAAE,oBAAoB,CAAC;IAC7B,SAAS,EAAE,MAAM,CAAC;CACnB;AAED,sEAAsE;AACtE,MAAM,WAAW,oBAAoB;IACnC,CAAC,EAAE,CAAC,CAAC;IACL,IAAI,EAAE,sBAAsB,CAAC;IAC7B,QAAQ,EAAE,MAAM,CAAC;IACjB,KAAK,EAAE,MAAM,CAAC;IACd,SAAS,EAAE,MAAM,CAAC;IAClB,QAAQ,EAAE,MAAM,CAAC;IACjB,MAAM,EAAE,MAAM,EAAE,CAAC;IACjB,eAAe,EAAE,MAAM,CAAC;IACxB,UAAU,EAAE,MAAM,CAAC;IACnB,WAAW,EAAE,MAAM,GAAG,IAAI,CAAC;IAC3B,gBAAgB,EAAE,MAAM,GAAG,IAAI,CAAC;CACjC;AAED,MAAM,WAAW,WAAW;IAC1B,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,QAAQ,CAAC,EAAE,MAAM,GAAG,MAAM,CAAC;IAC3B,UAAU,EAAE,MAAM,CAAC;IACnB,MAAM,EAAE,MAAM,CAAC;IACf,QAAQ,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IACzB,UAAU,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAC3B,WAAW,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAC5B,MAAM,EAAE,MAAM,CAAC;IACf,SAAS,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAC1B,SAAS,CAAC,EAAE,MAAM,CAAC;IAEnB,aAAa,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAC9B,mBAAmB,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IACpC,kBAAkB,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IACnC,eAAe,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAChC;;;;OAIG;IACH,cAAc,CAAC,EAAE,IAAI,GAAG,IAAI,GAAG,IAAI,CAAC;IAEpC,YAAY,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAC7B,kBAAkB,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IACnC,mBAAmB,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IACpC,gBAAgB,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IACjC,CAAC,GAAG,EAA
E,MAAM,GAAG,OAAO,CAAC;CACxB;AAED,MAAM,WAAW,WAAW;IAC1B,QAAQ,EAAE,MAAM,CAAC;IACjB,UAAU,EAAE,MAAM,CAAC;IACnB,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,IAAI,CAAC,EAAE,MAAM,CAAC;CACf;AAED,MAAM,MAAM,YAAY,GACpB,UAAU,GACV,UAAU,GACV,eAAe,GACf,eAAe,GACf,qBAAqB,CAAC;AAE1B,6EAA6E;AAC7E,MAAM,MAAM,YAAY,GACpB,cAAc,GACd,eAAe,GACf,cAAc,CAAC;AAEnB,8DAA8D;AAC9D,MAAM,MAAM,sBAAsB,GAC9B,kBAAkB,GAClB,8BAA8B,GAC9B,yBAAyB,GACzB,2BAA2B,GAC3B,oBAAoB,GACpB,0BAA0B,GAC1B,yBAAyB,CAAC;AAE9B,MAAM,WAAW,qBAAqB;IACpC,QAAQ,EAAE,MAAM,CAAC;IACjB,OAAO,EAAE,sBAAsB,CAAC;IAChC,4CAA4C;IAC5C,KAAK,EAAE,MAAM,CAAC;IACd,6EAA6E;IAC7E,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AAED,MAAM,WAAW,WAAW;IAC1B,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,QAAQ,EAAE,MAAM,GAAG,IAAI,CAAC;IACxB,MAAM,EAAE,MAAM,CAAC;IACf,OAAO,EAAE,YAAY,CAAC;IACtB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB;;;;OAIG;IACH,KAAK,CAAC,EAAE,YAAY,CAAC;CACtB;AAED,MAAM,WAAW,YAAY;IAC3B,cAAc,EAAE,MAAM,GAAG,IAAI,CAAC;IAC9B,WAAW,EAAE,OAAO,GAAG,IAAI,CAAC;IAC5B,iBAAiB,EAAE,MAAM,GAAG,IAAI,CAAC;IACjC,eAAe,EAAE,MAAM,GAAG,IAAI,CAAC;IAC/B,WAAW,EAAE,MAAM,CAAC;IACpB,QAAQ,EAAE,MAAM,CAAC;IACjB,QAAQ,EAAE,MAAM,CAAC;IACjB,aAAa,EAAE,MAAM,CAAC;IACtB,aAAa,EAAE,MAAM,CAAC;IACtB,mBAAmB,EAAE,MAAM,CAAC;IAC5B;;;;;OAKG;IACH,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB;;;;OAIG;IACH,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB;;;;OAIG;IACH,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB;;;;;;;;OAQG;IACH,WAAW,CAAC,EAAE,qBAAqB,EAAE,CAAC;IACtC,0BAA0B;IAC1B,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B,kBAAkB,CAAC,EAAE,MAAM,CAAC;IAC5B,uBAAuB,CAAC,EAAE,MAAM,CAAC;IACjC,MAAM,EAAE,WAAW,EAAE,CAAC;IACtB,EAAE,EAAE,OAAO,CAAC;CACb"}
|
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "@vorim/verify",
|
|
3
|
-
"version": "0.
|
|
3
|
+
"version": "0.3.0",
|
|
4
4
|
"description": "Offline verifier for Vorim audit bundles — no network, no Vorim API call, no telemetry.",
|
|
5
5
|
"type": "module",
|
|
6
6
|
"main": "dist/index.js",
|
|
@@ -22,7 +22,8 @@
|
|
|
22
22
|
"scripts": {
|
|
23
23
|
"build": "tsc",
|
|
24
24
|
"test": "vitest run",
|
|
25
|
-
"typecheck": "tsc --noEmit"
|
|
25
|
+
"typecheck": "tsc --noEmit",
|
|
26
|
+
"prepublishOnly": "npm run typecheck && npm run test && npm run build"
|
|
26
27
|
},
|
|
27
28
|
"dependencies": {},
|
|
28
29
|
"devDependencies": {
|