@vurb/core 3.7.13 → 3.8.0

package/dist/handoff/DelegationToken.d.ts

@@ -0,0 +1,58 @@
+import type { HandoffStateStore } from './index.js';
+/**
+ * JWT-inspired claims embedded in the delegation token.
+ *
+ * @property iss         - Issuer URL (usually the gateway origin)
+ * @property sub         - Scope identifier (e.g. `'finance_scope'`)
+ * @property iat         - Issued-at Unix timestamp (seconds)
+ * @property exp         - Expiry Unix timestamp (seconds)
+ * @property tid         - Unique transaction ID for distributed tracing
+ * @property state       - Inline carry-over state (< 2 KB)
+ * @property state_id    - Claim-Check reference when state was externalized
+ * @property traceparent - W3C Trace Context header for distributed tracing
+ */
+export interface DelegationClaims {
+    iss: string;
+    sub: string;
+    iat: number;
+    exp: number;
+    tid: string;
+    state?: Record<string, unknown>;
+    state_id?: string;
+    traceparent?: string;
+}
+/** Thrown by {@link verifyDelegationToken} on invalid or expired tokens. */
+export declare class HandoffAuthError extends Error {
+    readonly code: 'MISSING_DELEGATION_TOKEN' | 'INVALID_DELEGATION_TOKEN' | 'EXPIRED_DELEGATION_TOKEN' | 'INVALID_SIGNATURE';
+    constructor(code: 'MISSING_DELEGATION_TOKEN' | 'INVALID_DELEGATION_TOKEN' | 'EXPIRED_DELEGATION_TOKEN' | 'INVALID_SIGNATURE', message: string);
+}
+/**
+ * Mint a signed HMAC-SHA256 delegation token.
+ *
+ * If `carryOverState` exceeds 2 KB, the state is persisted in `store`
+ * and only the resulting `state_id` UUID is embedded in the token.
+ *
+ * @param scope          - Scope identifier (e.g. `'finance'`)
+ * @param ttlSeconds     - Token lifetime in seconds
+ * @param secret         - HMAC signing secret (minimum 32 chars recommended)
+ * @param issuer         - Issuer identifier (gateway URL or name)
+ * @param carryOverState - Optional semantic context to carry to the upstream
+ * @param store          - Required when `carryOverState` may exceed 2 KB
+ * @param traceparent    - W3C traceparent for distributed tracing
+ * @returns Signed token string: `base64url(claims).base64url(sig)`
+ */
+export declare function mintDelegationToken(scope: string, ttlSeconds: number, secret: string, issuer?: string, carryOverState?: Record<string, unknown>, store?: HandoffStateStore, traceparent?: string): Promise<string>;
+/**
+ * Verify a delegation token and return its claims.
+ *
+ * - Validates HMAC signature (constant-time)
+ * - Validates expiry (`exp`)
+ * - Hydrates `carryOverState` from store when `state_id` is present (Claim-Check retrieval)
+ *
+ * @param raw    - Raw token produced by {@link mintDelegationToken}
+ * @param secret - HMAC signing secret (must match the mint secret)
+ * @param store  - Required if the token may contain a `state_id`
+ * @throws {@link HandoffAuthError} on any validation failure
+ */
+export declare function verifyDelegationToken(raw: string, secret: string, store?: HandoffStateStore): Promise<DelegationClaims>;
+//# sourceMappingURL=DelegationToken.d.ts.map

package/dist/handoff/DelegationToken.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"DelegationToken.d.ts","sourceRoot":"","sources":["../../src/handoff/DelegationToken.ts"],"names":[],"mappings":"AAaA,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,YAAY,CAAC;AAgBpD;;;;;;;;;;;GAWG;AACH,MAAM,WAAW,gBAAgB;IAC7B,GAAG,EAAE,MAAM,CAAC;IACZ,GAAG,EAAE,MAAM,CAAC;IACZ,GAAG,EAAE,MAAM,CAAC;IACZ,GAAG,EAAE,MAAM,CAAC;IACZ,GAAG,EAAE,MAAM,CAAC;IACZ,KAAK,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAChC,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,WAAW,CAAC,EAAE,MAAM,CAAC;CACxB;AAMD,4EAA4E;AAC5E,qBAAa,gBAAiB,SAAQ,KAAK;aAEnB,IAAI,EACd,0BAA0B,GAC1B,0BAA0B,GAC1B,0BAA0B,GAC1B,mBAAmB;gBAJT,IAAI,EACd,0BAA0B,GAC1B,0BAA0B,GAC1B,0BAA0B,GAC1B,mBAAmB,EACzB,OAAO,EAAE,MAAM;CAKtB;AA4CD;;;;;;;;;;;;;;GAcG;AACH,wBAAsB,mBAAmB,CACrC,KAAK,EAAE,MAAM,EACb,UAAU,EAAE,MAAM,EAClB,MAAM,EAAE,MAAM,EACd,MAAM,SAAiB,EACvB,cAAc,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EACxC,KAAK,CAAC,EAAE,iBAAiB,EACzB,WAAW,CAAC,EAAE,MAAM,GACrB,OAAO,CAAC,MAAM,CAAC,CAiCjB;AAED;;;;;;;;;;;GAWG;AACH,wBAAsB,qBAAqB,CACvC,GAAG,EAAE,MAAM,EACX,MAAM,EAAE,MAAM,EACd,KAAK,CAAC,EAAE,iBAAiB,GAC1B,OAAO,CAAC,gBAAgB,CAAC,CA0E3B"}

package/dist/handoff/DelegationToken.js

@@ -0,0 +1,186 @@
+/**
+ * Federated Handoff Protocol — Delegation Token
+ *
+ * HMAC-SHA256 token for zero-trust delegation between gateway and
+ * upstream micro-servers. Uses Node.js native `crypto` — no external deps.
+ *
+ * Claim-Check Pattern: if `carryOverState` exceeds 2 KB, the state is
+ * persisted in a {@link HandoffStateStore} and only the `state_id` UUID
+ * is embedded in the token, keeping HTTP headers within safe limits.
+ *
+ * @module
+ */
+import { createHmac, randomUUID, timingSafeEqual as cryptoTimingSafeEqual } from 'node:crypto';
+// ============================================================================
+// Constants
+// ============================================================================
+/** Maximum bytes allowed inline in the token before Claim-Check kicks in. */
+const CLAIM_CHECK_THRESHOLD_BYTES = 2048;
+/** Separator between the base64url token body and the HMAC signature. */
+const TOKEN_SEP = '.';
+// ============================================================================
+// Errors
+// ============================================================================
+/** Thrown by {@link verifyDelegationToken} on invalid or expired tokens. */
+export class HandoffAuthError extends Error {
+    code;
+    constructor(code, message) {
+        super(message);
+        this.code = code;
+        this.name = 'HandoffAuthError';
+    }
+}
+// ============================================================================
+// Internal helpers
+// ============================================================================
+function encodePayload(claims) {
+    return Buffer.from(JSON.stringify(claims), 'utf8').toString('base64url');
+}
+function decodePayload(encoded) {
+    return JSON.parse(Buffer.from(encoded, 'base64url').toString('utf8'));
+}
+function sign(payload, secret) {
+    return createHmac('sha256', secret).update(payload).digest('base64url');
+}
+function byteLength(obj) {
+    return Buffer.byteLength(JSON.stringify(obj), 'utf8');
+}
+/**
+ * Constant-time string comparison to prevent timing side-channel attacks.
+ *
+ * Uses Node.js native `crypto.timingSafeEqual` instead of a manual loop.
+ * V8's JIT can optimise a manual loop and leak the signature length via timing
+ * when the two strings have different lengths.
+ *
+ * `crypto.timingSafeEqual` requires equal-length Buffers, so we check lengths
+ * first (leaking that the lengths differ, but NOT the expected length).
+ */
+function timingSafeEqual(a, b) {
+    const bufA = Buffer.from(a, 'utf8');
+    const bufB = Buffer.from(b, 'utf8');
+    // Length mismatch exits early — this only leaks "they differ", not which is longer.
+    if (bufA.length !== bufB.length)
+        return false;
+    return cryptoTimingSafeEqual(bufA, bufB);
+}
+// ============================================================================
+// Public API
+// ============================================================================
+/**
+ * Mint a signed HMAC-SHA256 delegation token.
+ *
+ * If `carryOverState` exceeds 2 KB, the state is persisted in `store`
+ * and only the resulting `state_id` UUID is embedded in the token.
+ *
+ * @param scope          - Scope identifier (e.g. `'finance'`)
+ * @param ttlSeconds     - Token lifetime in seconds
+ * @param secret         - HMAC signing secret (minimum 32 chars recommended)
+ * @param issuer         - Issuer identifier (gateway URL or name)
+ * @param carryOverState - Optional semantic context to carry to the upstream
+ * @param store          - Required when `carryOverState` may exceed 2 KB
+ * @param traceparent    - W3C traceparent for distributed tracing
+ * @returns Signed token string: `base64url(claims).base64url(sig)`
+ */
+export async function mintDelegationToken(scope, ttlSeconds, secret, issuer = 'vurb-gateway', carryOverState, store, traceparent) {
+    const now = Math.floor(Date.now() / 1000);
+    const claims = {
+        iss: issuer,
+        sub: scope,
+        iat: now,
+        exp: now + ttlSeconds,
+        tid: randomUUID(),
+    };
+    if (traceparent) {
+        claims.traceparent = traceparent;
+    }
+    if (carryOverState !== undefined) {
+        if (byteLength(carryOverState) > CLAIM_CHECK_THRESHOLD_BYTES) {
+            if (!store) {
+                throw new Error('[vurb/core] carryOverState exceeds 2 KB but no HandoffStateStore was provided. ' +
+                    'Pass a store to SwarmGatewayConfig.stateStore.');
+            }
+            const stateId = randomUUID();
+            await store.set(stateId, carryOverState, ttlSeconds + 60);
+            claims.state_id = stateId;
+        }
+        else {
+            claims.state = carryOverState;
+        }
+    }
+    const payload = encodePayload(claims);
+    const sig = sign(payload, secret);
+    return `${payload}${TOKEN_SEP}${sig}`;
+}
+/**
+ * Verify a delegation token and return its claims.
+ *
+ * - Validates HMAC signature (constant-time)
+ * - Validates expiry (`exp`)
+ * - Hydrates `carryOverState` from store when `state_id` is present (Claim-Check retrieval)
+ *
+ * @param raw    - Raw token produced by {@link mintDelegationToken}
+ * @param secret - HMAC signing secret (must match the mint secret)
+ * @param store  - Required if the token may contain a `state_id`
+ * @throws {@link HandoffAuthError} on any validation failure
+ */
+export async function verifyDelegationToken(raw, secret, store) {
+    const sep = raw.lastIndexOf(TOKEN_SEP);
+    if (sep === -1) {
+        throw new HandoffAuthError('INVALID_DELEGATION_TOKEN', 'Malformed token: missing signature separator.');
+    }
+    const payload = raw.slice(0, sep);
+    const providedSig = raw.slice(sep + 1);
+    const expectedSig = sign(payload, secret);
+    if (!timingSafeEqual(providedSig, expectedSig)) {
+        throw new HandoffAuthError('INVALID_SIGNATURE', 'Delegation token signature is invalid.');
+    }
+    let claims;
+    try {
+        claims = decodePayload(payload);
+    }
+    catch {
+        throw new HandoffAuthError('INVALID_DELEGATION_TOKEN', 'Delegation token payload could not be decoded.');
+    }
+    const now = Math.floor(Date.now() / 1000);
+    if (claims.exp < now) {
+        throw new HandoffAuthError('EXPIRED_DELEGATION_TOKEN', `Delegation token expired at ${new Date(claims.exp * 1000).toISOString()}.`);
+    }
+    // Claim-Check: hydrate state from store
+    if (claims.state_id) {
+        if (!store) {
+            throw new HandoffAuthError('INVALID_DELEGATION_TOKEN', 'Token contains state_id but no HandoffStateStore was provided.');
+        }
+        // Use the two-phase get+delete pattern only when both optional methods exist
+        // on the store. Fall back to the atomic `getAndDelete` for stores that implement
+        // the minimum interface (only `set` + `getAndDelete`).
+        // Without this check, calling `store.get()` on a minimal store would throw
+        // "store.get is not a function" at runtime — a silent crash invisible in TS.
+        let state;
+        if (typeof store.get === 'function' && typeof store.delete === 'function') {
+            // Two-phase: read first, delete only after data is safely in claims.state
+            state = await store.get(claims.state_id);
+            if (state !== undefined) {
+                claims.state = state;
+                await store.delete(claims.state_id);
+            }
+        }
+        else {
+            // Atomic fallback: getAndDelete cannot lose data between read and delete
+            state = await store.getAndDelete(claims.state_id);
+            if (state !== undefined) {
+                claims.state = state;
+            }
+        }
+        // If state_id was present but the store returned nothing, the state has
+        // either expired (TTL elapsed) or was already consumed (replay attempt).
+        // Silently continuing would give the upstream an empty context — the correct
+        // behaviour is to reject the token so the caller gets a clear signal.
+        if (state === undefined) {
+            throw new HandoffAuthError('EXPIRED_DELEGATION_TOKEN', 'Delegation token carry-over state has expired or was already consumed. ' +
+                'Initiate a new handoff.');
+        }
+        delete claims.state_id;
+    }
+    return claims;
+}
+//# sourceMappingURL=DelegationToken.js.map

package/dist/handoff/DelegationToken.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"DelegationToken.js","sourceRoot":"","sources":["../../src/handoff/DelegationToken.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AACH,OAAO,EAAE,UAAU,EAAE,UAAU,EAAE,eAAe,IAAI,qBAAqB,EAAE,MAAM,aAAa,CAAC;AAG/F,+EAA+E;AAC/E,YAAY;AACZ,+EAA+E;AAE/E,6EAA6E;AAC7E,MAAM,2BAA2B,GAAG,IAAI,CAAC;AAEzC,yEAAyE;AACzE,MAAM,SAAS,GAAG,GAAG,CAAC;AA6BtB,+EAA+E;AAC/E,SAAS;AACT,+EAA+E;AAE/E,4EAA4E;AAC5E,MAAM,OAAO,gBAAiB,SAAQ,KAAK;IAEnB;IADpB,YACoB,IAIS,EACzB,OAAe;QAEf,KAAK,CAAC,OAAO,CAAC,CAAC;QAPC,SAAI,GAAJ,IAAI,CAIK;QAIzB,IAAI,CAAC,IAAI,GAAG,kBAAkB,CAAC;IACnC,CAAC;CACJ;AAED,+EAA+E;AAC/E,mBAAmB;AACnB,+EAA+E;AAE/E,SAAS,aAAa,CAAC,MAAwB;IAC3C,OAAO,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,EAAE,MAAM,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;AAC7E,CAAC;AAED,SAAS,aAAa,CAAC,OAAe;IAClC,OAAO,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,IAAI,CAAC,OAAO,EAAE,WAAW,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAqB,CAAC;AAC9F,CAAC;AAED,SAAS,IAAI,CAAC,OAAe,EAAE,MAAc;IACzC,OAAO,UAAU,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC;AAC5E,CAAC;AAED,SAAS,UAAU,CAAC,GAAY;IAC5B,OAAO,MAAM,CAAC,UAAU,CAAC,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,EAAE,MAAM,CAAC,CAAC;AAC1D,CAAC;AAED;;;;;;;;;GASG;AACH,SAAS,eAAe,CAAC,CAAS,EAAE,CAAS;IACzC,MAAM,IAAI,GAAG,MAAM,CAAC,IAAI,CAAC,CAAC,EAAE,MAAM,CAAC,CAAC;IACpC,MAAM,IAAI,GAAG,MAAM,CAAC,IAAI,CAAC,CAAC,EAAE,MAAM,CAAC,CAAC;IACpC,oFAAoF;IACpF,IAAI,IAAI,CAAC,MAAM,KAAK,IAAI,CAAC,MAAM;QAAE,OAAO,KAAK,CAAC;IAC9C,OAAO,qBAAqB,CAAC,IAAI,EAAE,IAAI,CAAC,CAAC;AAC7C,CAAC;AAED,+EAA+E;AAC/E,aAAa;AACb,+EAA+E;AAE/E;;;;;;;;;;;;;;GAcG;AACH,MAAM,CAAC,KAAK,UAAU,mBAAmB,CACrC,KAAa,EACb,UAAkB,EAClB,MAAc,EACd,MAAM,GAAG,cAAc,EACvB,cAAwC,EACxC,KAAyB,EACzB,WAAoB;IAEpB,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;IAC1C,MAAM,MAAM,GAAqB;QAC7B,GAAG,EAAE,MAAM;QACX,GAAG,EAAE,KAAK;QACV,GAAG,EAAE,GAAG;QACR,GAAG,EAAE,GAAG,GAAG,UAAU;QACrB,GAAG,EAAE,UAAU,EAAE;KACpB,CAAC;IAEF,IAAI,WAAW,EAAE,CAAC;QACd,MAAM,CAAC,WAAW,GAAG,WAAW,CAAC;IACrC,CAAC;IAED,IAAI,cAAc,KAAK,SAAS,EAAE,CAAC;QAC/B,IAAI,UAAU,CAAC,cAAc,CAAC,GAAG,2BAA2B,EAAE,CAAC;YAC3D,IAAI,CAAC,KAAK,EAAE,CAAC;gBACT,MAAM,IAAI,KAAK,CACX,iFAAiF;oBACjF,gDAAgD,CACnD,CAAC;YACN,CAAC;YACD,MAAM,OAAO,GAAG,UAAU,EAAE,CAAC;YAC7B,MAAM,KAAK,CAAC,GAAG,CAAC,OAAO,EAAE,cAAc,EAAE,UAAU,GAAG,EAAE,CAAC,CAAC;YAC1D,MAAM,CAAC,QAAQ,GAAG,OAAO,CAAC;QAC9B,CAAC;aAAM,CAAC;YACJ,MAAM,CAAC,KAAK,GAAG,cAAc,CAAC;QAClC,CAAC;IACL,CAAC;IAED,MAAM,OAAO,GAAG,aAAa,CAAC,MAAM,CAAC,CAAC;IACtC,MAAM,GAAG,GAAG,IAAI,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;IAClC,OAAO,GAAG,OAAO,GAAG,SAAS,GAAG,GAAG,EAAE,CAAC;AAC1C,CAAC;AAED;;;;;;;;;;;GAWG;AACH,MAAM,CAAC,KAAK,UAAU,qBAAqB,CACvC,GAAW,EACX,MAAc,EACd,KAAyB;IAEzB,MAAM,GAAG,GAAG,GAAG,CAAC,WAAW,CAAC,SAAS,CAAC,CAAC;IACvC,IAAI,GAAG,KAAK,CAAC,CAAC,EAAE,CAAC;QACb,MAAM,IAAI,gBAAgB,CAAC,0BAA0B,EAAE,+CAA+C,CAAC,CAAC;IAC5G,CAAC;IAED,MAAM,OAAO,GAAG,GAAG,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC;IAClC,MAAM,WAAW,GAAG,GAAG,CAAC,KAAK,CAAC,GAAG,GAAG,CAAC,CAAC,CAAC;IACvC,MAAM,WAAW,GAAG,IAAI,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;IAE1C,IAAI,CAAC,eAAe,CAAC,WAAW,EAAE,WAAW,CAAC,EAAE,CAAC;QAC7C,MAAM,IAAI,gBAAgB,CAAC,mBAAmB,EAAE,wCAAwC,CAAC,CAAC;IAC9F,CAAC;IAED,IAAI,MAAwB,CAAC;IAC7B,IAAI,CAAC;QACD,MAAM,GAAG,aAAa,CAAC,OAAO,CAAC,CAAC;IACpC,CAAC;IAAC,MAAM,CAAC;QACL,MAAM,IAAI,gBAAgB,CAAC,0BAA0B,EAAE,gDAAgD,CAAC,CAAC;IAC7G,CAAC;IAED,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;IAC1C,IAAI,MAAM,CAAC,GAAG,GAAG,GAAG,EAAE,CAAC;QACnB,MAAM,IAAI,gBAAgB,CACtB,0BAA0B,EAC1B,+BAA+B,IAAI,IAAI,CAAC,MAAM,CAAC,GAAG,GAAG,IAAI,CAAC,CAAC,WAAW,EAAE,GAAG,CAC9E,CAAC;IACN,CAAC;IAED,wCAAwC;IACxC,IAAI,MAAM,CAAC,QAAQ,EAAE,CAAC;QAClB,IAAI,CAAC,KAAK,EAAE,CAAC;YACT,MAAM,IAAI,gBAAgB,CACtB,0BAA0B,EAC1B,gEAAgE,CACnE,CAAC;QACN,CAAC;QACD,6EAA6E;QAC7E,iFAAiF;QACjF,uDAAuD;QACvD,2EAA2E;QAC3E,6EAA6E;QAC7E,IAAI,KAA0C,CAAC;QAC/C,IAAI,OAAO,KAAK,CAAC,GAAG,KAAK,UAAU,IAAI,OAAO,KAAK,CAAC,MAAM,KAAK,UAAU,EAAE,CAAC;YACxE,0EAA0E;YAC1E,KAAK,GAAG,MAAM,KAAK,CAAC,GAAG,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;YACzC,IAAI,KAAK,KAAK,SAAS,EAAE,CAAC;gBACtB,MAAM,CAAC,KAAK,GAAG,KAAK,CAAC;gBACrB,MAAM,KAAK,CAAC,MAAM,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;YACxC,CAAC;QACL,CAAC;aAAM,CAAC;YACJ,yEAAyE;YACzE,KAAK,GAAG,MAAM,KAAK,CAAC,YAAY,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;YAClD,IAAI,KAAK,KAAK,SAAS,EAAE,CAAC;gBACtB,MAAM,CAAC,KAAK,GAAG,KAAK,CAAC;YACzB,CAAC;QACL,CAAC;QAED,wEAAwE;QACxE,yEAAyE;QACzE,6EAA6E;QAC7E,sEAAsE;QACtE,IAAI,KAAK,KAAK,SAAS,EAAE,CAAC;YACtB,MAAM,IAAI,gBAAgB,CACtB,0BAA0B,EAC1B,yEAAyE;gBACzE,yBAAyB,CAC5B,CAAC;QACN,CAAC;QAED,OAAO,MAAM,CAAC,QAAQ,CAAC;IAC3B,CAAC;IAED,OAAO,MAAM,CAAC;AAClB,CAAC"}

package/dist/handoff/HandoffStateStore.d.ts

@@ -0,0 +1,52 @@
+/**
+ * Federated Handoff Protocol (FHP) — HandoffStateStore
+ *
+ * Interface e implementação padrão para o padrão Claim-Check.
+ * Extender com adaptadores de plataforma (ex: `@vurb/cloudflare`).
+ *
+ * @module
+ */
+import type { HandoffStateStore } from './index.js';
+/**
+ * In-memory implementation of {@link HandoffStateStore}.
+ *
+ * **Default for Node.js stateful processes.**
+ * Not suitable for edge/serverless where each request runs in a fresh isolate.
+ * For those environments, implement `HandoffStateStore` using your platform's
+ * KV store (e.g. Cloudflare KV via `@vurb/cloudflare`).
+ *
+ * TTL is enforced lazily on `getAndDelete` — no background timers or
+ * memory leaks from expired entries that are never retrieved.
+ *
+ * @example
+ * ```typescript
+ * import { SwarmGateway } from '@vurb/swarm';
+ * import { InMemoryHandoffStateStore } from '@vurb/core';
+ *
+ * const gateway = new SwarmGateway({
+ *     registry: { finance: 'http://finance-agent:8081' },
+ *     delegationSecret: process.env.VURB_DELEGATION_SECRET!,
+ *     stateStore: new InMemoryHandoffStateStore(),
+ * });
+ * ```
+ */
+export declare class InMemoryHandoffStateStore implements HandoffStateStore {
+    private readonly _store;
+    set(stateId: string, state: Record<string, unknown>, ttlSeconds: number): Promise<void>;
+    getAndDelete(stateId: string): Promise<Record<string, unknown> | undefined>;
+    /**
+     * Read without deleting (non-atomic, use for two-phase pattern).
+     * Falls back gracefully if the stateId has expired.
+     *
+     * Expired entries are pruned on access (lazy TTL cleanup),
+     * consistent with `getAndDelete`. Without this, expired entries would accumulate
+     * in the Map indefinitely if `get()` was called but the data was already expired
+     * (e.g. a slow upstream that delayed token verification past the TTL window).
+     */
+    get(stateId: string): Promise<Record<string, unknown> | undefined>;
+    /** delete without reading. No-op if the key does not exist. */
+    delete(stateId: string): Promise<void>;
+    /** Current number of entries in the store (useful for testing). */
+    get size(): number;
+}
+//# sourceMappingURL=HandoffStateStore.d.ts.map

package/dist/handoff/HandoffStateStore.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"HandoffStateStore.d.ts","sourceRoot":"","sources":["../../src/handoff/HandoffStateStore.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AACH,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,YAAY,CAAC;AAOpD;;;;;;;;;;;;;;;;;;;;;;GAsBG;AACH,qBAAa,yBAA0B,YAAW,iBAAiB;IAC/D,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAiC;IAElD,GAAG,CAAC,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAAE,UAAU,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAOvF,YAAY,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,SAAS,CAAC;IAejF;;;;;;;;OAQG;IACG,GAAG,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,SAAS,CAAC;IAUxE,+DAA+D;IACzD,MAAM,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAI5C,mEAAmE;IACnE,IAAI,IAAI,IAAI,MAAM,CAEjB;CACJ"}

package/dist/handoff/HandoffStateStore.js

@@ -0,0 +1,73 @@
+/**
+ * In-memory implementation of {@link HandoffStateStore}.
+ *
+ * **Default for Node.js stateful processes.**
+ * Not suitable for edge/serverless where each request runs in a fresh isolate.
+ * For those environments, implement `HandoffStateStore` using your platform's
+ * KV store (e.g. Cloudflare KV via `@vurb/cloudflare`).
+ *
+ * TTL is enforced lazily on `getAndDelete` — no background timers or
+ * memory leaks from expired entries that are never retrieved.
+ *
+ * @example
+ * ```typescript
+ * import { SwarmGateway } from '@vurb/swarm';
+ * import { InMemoryHandoffStateStore } from '@vurb/core';
+ *
+ * const gateway = new SwarmGateway({
+ *     registry: { finance: 'http://finance-agent:8081' },
+ *     delegationSecret: process.env.VURB_DELEGATION_SECRET!,
+ *     stateStore: new InMemoryHandoffStateStore(),
+ * });
+ * ```
+ */
+export class InMemoryHandoffStateStore {
+    _store = new Map();
+    async set(stateId, state, ttlSeconds) {
+        this._store.set(stateId, {
+            state,
+            expiresAt: Date.now() + ttlSeconds * 1000,
+        });
+    }
+    async getAndDelete(stateId) {
+        const entry = this._store.get(stateId);
+        if (!entry)
+            return undefined;
+        // Check TTL BEFORE deleting: if an entry is expired it was never valid for use,
+        // so we clean it up and return undefined. Lazy cleanup — no background timer needed.
+        if (Date.now() > entry.expiresAt) {
+            this._store.delete(stateId); // lazy TTL cleanup — no background timer
+            return undefined;
+        }
+        this._store.delete(stateId);
+        return entry.state;
+    }
+    /**
+     * Read without deleting (non-atomic, use for two-phase pattern).
+     * Falls back gracefully if the stateId has expired.
+     *
+     * Expired entries are pruned on access (lazy TTL cleanup),
+     * consistent with `getAndDelete`. Without this, expired entries would accumulate
+     * in the Map indefinitely if `get()` was called but the data was already expired
+     * (e.g. a slow upstream that delayed token verification past the TTL window).
+     */
+    async get(stateId) {
+        const entry = this._store.get(stateId);
+        if (!entry)
+            return undefined;
+        if (Date.now() > entry.expiresAt) {
+            this._store.delete(stateId); // lazy TTL cleanup — consistent with getAndDelete
+            return undefined;
+        }
+        return entry.state;
+    }
+    /** delete without reading. No-op if the key does not exist. */
+    async delete(stateId) {
+        this._store.delete(stateId);
+    }
+    /** Current number of entries in the store (useful for testing). */
+    get size() {
+        return this._store.size;
+    }
+}
+//# sourceMappingURL=HandoffStateStore.js.map

package/dist/handoff/HandoffStateStore.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"HandoffStateStore.js","sourceRoot":"","sources":["../../src/handoff/HandoffStateStore.ts"],"names":[],"mappings":"AAeA;;;;;;;;;;;;;;;;;;;;;;GAsBG;AACH,MAAM,OAAO,yBAAyB;IACjB,MAAM,GAAG,IAAI,GAAG,EAAsB,CAAC;IAExD,KAAK,CAAC,GAAG,CAAC,OAAe,EAAE,KAA8B,EAAE,UAAkB;QACzE,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,OAAO,EAAE;YACrB,KAAK;YACL,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,UAAU,GAAG,IAAI;SAC5C,CAAC,CAAC;IACP,CAAC;IAED,KAAK,CAAC,YAAY,CAAC,OAAe;QAC9B,MAAM,KAAK,GAAG,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;QACvC,IAAI,CAAC,KAAK;YAAE,OAAO,SAAS,CAAC;QAE7B,gFAAgF;QAChF,qFAAqF;QACrF,IAAI,IAAI,CAAC,GAAG,EAAE,GAAG,KAAK,CAAC,SAAS,EAAE,CAAC;YAC/B,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,CAAC,yCAAyC;YACtE,OAAO,SAAS,CAAC;QACrB,CAAC;QAED,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;QAC5B,OAAO,KAAK,CAAC,KAAK,CAAC;IACvB,CAAC;IAED;;;;;;;;OAQG;IACH,KAAK,CAAC,GAAG,CAAC,OAAe;QACrB,MAAM,KAAK,GAAG,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;QACvC,IAAI,CAAC,KAAK;YAAE,OAAO,SAAS,CAAC;QAC7B,IAAI,IAAI,CAAC,GAAG,EAAE,GAAG,KAAK,CAAC,SAAS,EAAE,CAAC;YAC/B,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,CAAC,kDAAkD;YAC/E,OAAO,SAAS,CAAC;QACrB,CAAC;QACD,OAAO,KAAK,CAAC,KAAK,CAAC;IACvB,CAAC;IAED,+DAA+D;IAC/D,KAAK,CAAC,MAAM,CAAC,OAAe;QACxB,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;IAChC,CAAC;IAED,mEAAmE;IACnE,IAAI,IAAI;QACJ,OAAO,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC;IAC5B,CAAC;CACJ"}

package/dist/handoff/index.d.ts

@@ -0,0 +1,32 @@
+/**
+ * Federated Handoff Protocol (FHP) — Core Barrel
+ *
+ * Exporta todas as primitivas FHP que pertencem ao `@vurb/core`:
+ *
+ * - **Tipos de dados**: `HandoffPayload`, `HandoffResponse`, `HandoffStateStore`
+ * - **Guards e factories**: `isHandoffResponse`, `handoff`
+ * - **Crypto**: `mintDelegationToken`, `verifyDelegationToken`, `DelegationClaims`, `HandoffAuthError`
+ * - **Store**: `InMemoryHandoffStateStore`
+ * - **Middleware zero-trust**: `requireGatewayClearance`, `GatewayClearanceContext`
+ */
+export type { HandoffPayload, HandoffResponse } from '../core/response.js';
+export { isHandoffResponse, handoff } from '../core/response.js';
+/** @see {@link HandoffStateStore} */
+export type { 
+/**
+ * Pluggable persistence interface for the Claim-Check pattern.
+ *
+ * When `carryOverState` exceeds 2 KB, the SwarmGateway persists
+ * it under a UUID key and embeds only the key inside the HMAC token,
+ * keeping HTTP headers within safe limits (< 8 KB nginx/ALB limit).
+ *
+ * Default implementation: {@link InMemoryHandoffStateStore}.
+ * Platform adapters: implement this interface (e.g. `@vurb/cloudflare`).
+ */
+HandoffStateStore, } from './types.js';
+export { InMemoryHandoffStateStore } from './HandoffStateStore.js';
+export { mintDelegationToken, verifyDelegationToken, HandoffAuthError, } from './DelegationToken.js';
+export type { DelegationClaims } from './DelegationToken.js';
+export { requireGatewayClearance } from './middleware.js';
+export type { GatewayClearanceContext } from './middleware.js';
+//# sourceMappingURL=index.d.ts.map

package/dist/handoff/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/handoff/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAGH,YAAY,EAAE,cAAc,EAAE,eAAe,EAAE,MAAM,qBAAqB,CAAC;AAC3E,OAAO,EAAE,iBAAiB,EAAE,OAAO,EAAE,MAAM,qBAAqB,CAAC;AAGjE,qCAAqC;AACrC,YAAY;AACR;;;;;;;;;GASG;AACH,iBAAiB,GACpB,MAAM,YAAY,CAAC;AAGpB,OAAO,EAAE,yBAAyB,EAAE,MAAM,wBAAwB,CAAC;AAGnE,OAAO,EACH,mBAAmB,EACnB,qBAAqB,EACrB,gBAAgB,GACnB,MAAM,sBAAsB,CAAC;AAC9B,YAAY,EAAE,gBAAgB,EAAE,MAAM,sBAAsB,CAAC;AAG7D,OAAO,EAAE,uBAAuB,EAAE,MAAM,iBAAiB,CAAC;AAC1D,YAAY,EAAE,uBAAuB,EAAE,MAAM,iBAAiB,CAAC"}

package/dist/handoff/index.js

@@ -0,0 +1,19 @@
+/**
+ * Federated Handoff Protocol (FHP) — Core Barrel
+ *
+ * Exporta todas as primitivas FHP que pertencem ao `@vurb/core`:
+ *
+ * - **Tipos de dados**: `HandoffPayload`, `HandoffResponse`, `HandoffStateStore`
+ * - **Guards e factories**: `isHandoffResponse`, `handoff`
+ * - **Crypto**: `mintDelegationToken`, `verifyDelegationToken`, `DelegationClaims`, `HandoffAuthError`
+ * - **Store**: `InMemoryHandoffStateStore`
+ * - **Middleware zero-trust**: `requireGatewayClearance`, `GatewayClearanceContext`
+ */
+export { isHandoffResponse, handoff } from '../core/response.js';
+// ── Store padrão ─────────────────────────────────────────────────────────────
+export { InMemoryHandoffStateStore } from './HandoffStateStore.js';
+// ── Delegation Token (mint/verify, HMAC-SHA256 puro) ─────────────────────────
+export { mintDelegationToken, verifyDelegationToken, HandoffAuthError, } from './DelegationToken.js';
+// ── Middleware zero-trust (para micro-servidores upstream) ───────────────────
+export { requireGatewayClearance } from './middleware.js';
+//# sourceMappingURL=index.js.map

package/dist/handoff/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/handoff/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAIH,OAAO,EAAE,iBAAiB,EAAE,OAAO,EAAE,MAAM,qBAAqB,CAAC;AAkBjE,gFAAgF;AAChF,OAAO,EAAE,yBAAyB,EAAE,MAAM,wBAAwB,CAAC;AAEnE,gFAAgF;AAChF,OAAO,EACH,mBAAmB,EACnB,qBAAqB,EACrB,gBAAgB,GACnB,MAAM,sBAAsB,CAAC;AAG9B,gFAAgF;AAChF,OAAO,EAAE,uBAAuB,EAAE,MAAM,iBAAiB,CAAC"}

package/dist/handoff/middleware.d.ts

@@ -0,0 +1,36 @@
+import type { HandoffStateStore } from './index.js';
+/**
+ * Properties injected into the handler context by `requireGatewayClearance`.
+ *
+ * Merge with your own context type via intersection:
+ * ```typescript
+ * type AppContext = BaseContext & GatewayClearanceContext;
+ * ```
+ */
+export interface GatewayClearanceContext {
+    /** Carry-over state from the gateway (inline or hydrated via Claim-Check). */
+    handoffState: Record<string, unknown>;
+    /** Delegation scope — the `sub` claim of the token (e.g. `'finance'`). */
+    handoffScope: string;
+    /** Transaction ID for distributed tracing (correlates with gateway spans). */
+    handoffTid: string;
+    /** W3C traceparent header, if present in the token. */
+    handoffTraceparent?: string;
+}
+/**
+ * Zero-trust middleware que valida o token de delegação HMAC.
+ *
+ * Lê o header `x-vurb-delegation` do `extra` do pedido MCP,
+ * verifica a assinatura HMAC-SHA256 e o TTL, e injeta
+ * {@link GatewayClearanceContext} no contexto do handler.
+ *
+ * @param secret - Segredo HMAC partilhado entre o gateway e o micro-servidor.
+ *                 Deve corresponder a `SwarmGatewayConfig.delegationSecret`.
+ * @param store  - Store opcional para hidratação do Claim-Check (necessário quando
+ *                 `carryOverState` pode exceder 2 KB).
+ *
+ * @throws {@link HandoffAuthError} — traduzido para erro `FORBIDDEN` pelo framework
+ *         se não for capturado pelo handler.
+ */
+export declare function requireGatewayClearance(secret: string, store?: HandoffStateStore): (ctx: unknown) => Promise<GatewayClearanceContext>;
+//# sourceMappingURL=middleware.d.ts.map

package/dist/handoff/middleware.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"middleware.d.ts","sourceRoot":"","sources":["../../src/handoff/middleware.ts"],"names":[],"mappings":"AA0BA,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,YAAY,CAAC;AAMpD;;;;;;;GAOG;AACH,MAAM,WAAW,uBAAuB;IACpC,8EAA8E;IAC9E,YAAY,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IACtC,0EAA0E;IAC1E,YAAY,EAAE,MAAM,CAAC;IACrB,8EAA8E;IAC9E,UAAU,EAAE,MAAM,CAAC;IACnB,uDAAuD;IACvD,kBAAkB,CAAC,EAAE,MAAM,CAAC;CAC/B;AAMD;;;;;;;;;;;;;;GAcG;AACH,wBAAgB,uBAAuB,CACnC,MAAM,EAAE,MAAM,EACd,KAAK,CAAC,EAAE,iBAAiB,IAGX,KAAK,OAAO,KAAG,OAAO,CAAC,uBAAuB,CAAC,CA6BhE"}

package/dist/handoff/middleware.js

@@ -0,0 +1,118 @@
+/**
+ * Federated Handoff Protocol — Zero-Trust Middleware
+ *
+ * Middleware para micro-servidores upstream.
+ * Rejeita qualquer pedido sem um token de delegação HMAC válido
+ * emitido por um SwarmGateway autorizado.
+ *
+ * @example
+ * ```typescript
+ * import { requireGatewayClearance } from '@vurb/core';
+ *
+ * export const refund = f.tool('finance.refund')
+ *     .use(requireGatewayClearance(process.env.VURB_DELEGATION_SECRET!))
+ *     .withString('invoiceId', 'Invoice ID')
+ *     .handle(async (input, ctx) => {
+ *         // ctx.handoffState       — carry-over state from the gateway
+ *         // ctx.handoffScope       — delegation scope (e.g. 'finance')
+ *         // ctx.handoffTid         — transaction ID for tracing
+ *         // ctx.handoffTraceparent — W3C traceparent, if present
+ *         return success(await stripe.refund(input.invoiceId));
+ *     });
+ * ```
+ *
+ * @module
+ */
+import { verifyDelegationToken, HandoffAuthError } from './DelegationToken.js';
+// ============================================================================
+// Middleware factory
+// ============================================================================
+/**
+ * Zero-trust middleware que valida o token de delegação HMAC.
+ *
+ * Lê o header `x-vurb-delegation` do `extra` do pedido MCP,
+ * verifica a assinatura HMAC-SHA256 e o TTL, e injeta
+ * {@link GatewayClearanceContext} no contexto do handler.
+ *
+ * @param secret - Segredo HMAC partilhado entre o gateway e o micro-servidor.
+ *                 Deve corresponder a `SwarmGatewayConfig.delegationSecret`.
+ * @param store  - Store opcional para hidratação do Claim-Check (necessário quando
+ *                 `carryOverState` pode exceder 2 KB).
+ *
+ * @throws {@link HandoffAuthError} — traduzido para erro `FORBIDDEN` pelo framework
+ *         se não for capturado pelo handler.
+ */
+export function requireGatewayClearance(secret, store) {
+    return async (ctx) => {
+        const raw = extractDelegationHeader(ctx);
+        if (!raw) {
+            throw new HandoffAuthError('MISSING_DELEGATION_TOKEN', 'This tool requires a delegation token from the SwarmGateway. ' +
+                'Direct access without a gateway is not permitted.');
+        }
+        let claims;
+        try {
+            claims = await verifyDelegationToken(raw, secret, store);
+        }
+        catch (err) {
+            if (err instanceof HandoffAuthError)
+                throw err;
+            throw new HandoffAuthError('INVALID_DELEGATION_TOKEN', `Invalid token: ${err.message}`);
+        }
+        return {
+            handoffState: claims.state ?? {},
+            handoffScope: claims.sub,
+            handoffTid: claims.tid,
+            ...(claims.traceparent ? { handoffTraceparent: claims.traceparent } : {}),
+        };
+    };
+}
+// ============================================================================
+// Header extraction — duck-typed, transport-agnostic
+// ============================================================================
+/**
+ * Extract the delegation header value from the MCP handler context.
+ * Header lookup is case-insensitive (HTTP/1.1 RFC 7230 §3.2).
+ *
+ * HTTP proxies (nginx, Cloudflare, AWS ALB) may normalize headers to
+ * Title-Case (`X-Vurb-Delegation`) or strip them. A case-insensitive scan
+ * with `toLowerCase()` ensures the token is found regardless of normalization.
+ */
+function extractDelegationHeader(ctx) {
+    if (!ctx || typeof ctx !== 'object')
+        return undefined;
+    const c = ctx;
+    // MCP SDK extra: extra.requestInfo.headers['x-vurb-delegation']
+    const requestInfo = c['requestInfo'];
+    if (requestInfo && typeof requestInfo === 'object') {
+        const h = requestInfo['headers'];
+        const val = findHeaderCaseInsensitive(h, 'x-vurb-delegation');
+        if (val !== undefined)
+            return val;
+    }
+    // Fallback: ctx.headers (plain HTTP / custom transports)
+    const val = findHeaderCaseInsensitive(c['headers'], 'x-vurb-delegation');
+    if (val !== undefined)
+        return val;
+    return undefined;
+}
+/**
+ * Case-insensitive lookup of `headerName` in a headers map.
+ * Returns the value as a string if found, or `undefined`.
+ */
+function findHeaderCaseInsensitive(headers, headerName) {
+    if (!headers || typeof headers !== 'object')
+        return undefined;
+    const h = headers;
+    const lower = headerName.toLowerCase();
+    // Fast path: exact key (most common — MCP SDK always uses lowercase)
+    if (typeof h[lower] === 'string')
+        return h[lower];
+    // Slow path: scan all keys case-insensitively (proxy-normalized headers)
+    for (const key of Object.keys(h)) {
+        if (key.toLowerCase() === lower && typeof h[key] === 'string') {
+            return h[key];
+        }
+    }
+    return undefined;
+}
+//# sourceMappingURL=middleware.js.map

package/dist/handoff/middleware.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"middleware.js","sourceRoot":"","sources":["../../src/handoff/middleware.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;GAwBG;AACH,OAAO,EAAE,qBAAqB,EAAE,gBAAgB,EAAE,MAAM,sBAAsB,CAAC;AA0B/E,+EAA+E;AAC/E,qBAAqB;AACrB,+EAA+E;AAE/E;;;;;;;;;;;;;;GAcG;AACH,MAAM,UAAU,uBAAuB,CACnC,MAAc,EACd,KAAyB;IAGzB,OAAO,KAAK,EAAE,GAAY,EAAoC,EAAE;QAC5D,MAAM,GAAG,GAAG,uBAAuB,CAAC,GAAG,CAAC,CAAC;QAEzC,IAAI,CAAC,GAAG,EAAE,CAAC;YACP,MAAM,IAAI,gBAAgB,CACtB,0BAA0B,EAC1B,+DAA+D;gBAC/D,mDAAmD,CACtD,CAAC;QACN,CAAC;QAED,IAAI,MAAM,CAAC;QACX,IAAI,CAAC;YACD,MAAM,GAAG,MAAM,qBAAqB,CAAC,GAAG,EAAE,MAAM,EAAE,KAAK,CAAC,CAAC;QAC7D,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACX,IAAI,GAAG,YAAY,gBAAgB;gBAAE,MAAM,GAAG,CAAC;YAC/C,MAAM,IAAI,gBAAgB,CACtB,0BAA0B,EAC1B,kBAAmB,GAAa,CAAC,OAAO,EAAE,CAC7C,CAAC;QACN,CAAC;QAED,OAAO;YACH,YAAY,EAAG,MAAM,CAAC,KAAK,IAAI,EAAE;YACjC,YAAY,EAAG,MAAM,CAAC,GAAG;YACzB,UAAU,EAAK,MAAM,CAAC,GAAG;YACzB,GAAG,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC,CAAC,EAAE,kBAAkB,EAAE,MAAM,CAAC,WAAW,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;SACjD,CAAC;IACjC,CAAC,CAAC;AACN,CAAC;AAED,+EAA+E;AAC/E,qDAAqD;AACrD,+EAA+E;AAE/E;;;;;;;GAOG;AACH,SAAS,uBAAuB,CAAC,GAAY;IACzC,IAAI,CAAC,GAAG,IAAI,OAAO,GAAG,KAAK,QAAQ;QAAE,OAAO,SAAS,CAAC;IACtD,MAAM,CAAC,GAAG,GAA8B,CAAC;IAEzC,gEAAgE;IAChE,MAAM,WAAW,GAAG,CAAC,CAAC,aAAa,CAAC,CAAC;IACrC,IAAI,WAAW,IAAI,OAAO,WAAW,KAAK,QAAQ,EAAE,CAAC;QACjD,MAAM,CAAC,GAAI,WAAuC,CAAC,SAAS,CAAC,CAAC;QAC9D,MAAM,GAAG,GAAG,yBAAyB,CAAC,CAAC,EAAE,mBAAmB,CAAC,CAAC;QAC9D,IAAI,GAAG,KAAK,SAAS;YAAE,OAAO,GAAG,CAAC;IACtC,CAAC;IAED,yDAAyD;IACzD,MAAM,GAAG,GAAG,yBAAyB,CAAC,CAAC,CAAC,SAAS,CAAC,EAAE,mBAAmB,CAAC,CAAC;IACzE,IAAI,GAAG,KAAK,SAAS;QAAE,OAAO,GAAG,CAAC;IAElC,OAAO,SAAS,CAAC;AACrB,CAAC;AAED;;;GAGG;AACH,SAAS,yBAAyB,CAC9B,OAAgB,EAChB,UAAkB;IAElB,IAAI,CAAC,OAAO,IAAI,OAAO,OAAO,KAAK,QAAQ;QAAE,OAAO,SAAS,CAAC;IAC9D,MAAM,CAAC,GAAG,OAAkC,CAAC;IAC7C,MAAM,KAAK,GAAG,UAAU,CAAC,WAAW,EAAE,CAAC;IACvC,qEAAqE;IACrE,IAAI,OAAO,CAAC,CAAC,KAAK,CAAC,KAAK,QAAQ;QAAE,OAAO,CAAC,CAAC,KAAK,CAAW,CAAC;IAC5D,yEAAyE;IACzE,KAAK,MAAM,GAAG,IAAI,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC;QAC/B,IAAI,GAAG,CAAC,WAAW,EAAE,KAAK,KAAK,IAAI,OAAO,CAAC,CAAC,GAAG,CAAC,KAAK,QAAQ,EAAE,CAAC;YAC5D,OAAO,CAAC,CAAC,GAAG,CAAW,CAAC;QAC5B,CAAC;IACL,CAAC;IACD,OAAO,SAAS,CAAC;AACrB,CAAC"}