@waiaas/daemon 2.0.0-rc.1

package/dist/infrastructure/keystore/crypto.d.ts

@@ -0,0 +1,62 @@
+/**
+ * AES-256-GCM encryption/decryption with Argon2id key derivation.
+ *
+ * Design reference: 26-keystore-spec.md sections 2-3.
+ * - Argon2id: m=65536 (64 MiB), t=3, p=4, hashLength=32
+ * - AES-256-GCM: 12-byte IV, 16-byte authTag
+ * - Salt: 16-byte CSPRNG
+ */
+/** KDF parameters matching doc 26 specification. */
+export declare const KDF_PARAMS: {
+    readonly memoryCost: 65536;
+    readonly timeCost: 3;
+    readonly parallelism: 4;
+    readonly hashLength: 32;
+};
+/** Encrypted data structure for keystore JSON serialization. */
+export interface EncryptedData {
+    /** 12-byte AES-GCM nonce */
+    iv: Buffer;
+    /** Encrypted ciphertext (same length as plaintext for GCM stream cipher) */
+    ciphertext: Buffer;
+    /** 16-byte GCM authentication tag */
+    authTag: Buffer;
+    /** 16-byte CSPRNG salt for Argon2id */
+    salt: Buffer;
+    /** KDF parameters for self-describing keystore files */
+    kdfparams: {
+        memoryCost: number;
+        timeCost: number;
+        parallelism: number;
+        hashLength: number;
+    };
+}
+/**
+ * Derive a 32-byte AES-256 key from a password using Argon2id.
+ *
+ * @param password - Master password
+ * @param salt - Optional 16-byte salt. If not provided, generates a new CSPRNG salt.
+ * @returns 32-byte derived key and the salt used
+ */
+export declare function deriveKey(password: string, salt?: Buffer): Promise<{
+    key: Buffer;
+    salt: Buffer;
+}>;
+/**
+ * Encrypt plaintext with AES-256-GCM using an Argon2id-derived key.
+ *
+ * @param plaintext - Data to encrypt (e.g., private key bytes)
+ * @param password - Master password for key derivation
+ * @returns Encrypted data with all parameters needed for decryption
+ */
+export declare function encrypt(plaintext: Buffer, password: string): Promise<EncryptedData>;
+/**
+ * Decrypt AES-256-GCM ciphertext using an Argon2id-derived key.
+ *
+ * @param encrypted - Encrypted data with IV, authTag, salt, and KDF params
+ * @param password - Master password for key derivation
+ * @returns Decrypted plaintext buffer
+ * @throws WAIaaSError with INVALID_MASTER_PASSWORD if authTag verification fails
+ */
+export declare function decrypt(encrypted: EncryptedData, password: string): Promise<Buffer>;
+//# sourceMappingURL=crypto.d.ts.map

package/dist/infrastructure/keystore/crypto.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"crypto.d.ts","sourceRoot":"","sources":["../../../src/infrastructure/keystore/crypto.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAMH,oDAAoD;AACpD,eAAO,MAAM,UAAU;;;;;CAKb,CAAC;AAEX,gEAAgE;AAChE,MAAM,WAAW,aAAa;IAC5B,4BAA4B;IAC5B,EAAE,EAAE,MAAM,CAAC;IACX,4EAA4E;IAC5E,UAAU,EAAE,MAAM,CAAC;IACnB,qCAAqC;IACrC,OAAO,EAAE,MAAM,CAAC;IAChB,uCAAuC;IACvC,IAAI,EAAE,MAAM,CAAC;IACb,wDAAwD;IACxD,SAAS,EAAE;QACT,UAAU,EAAE,MAAM,CAAC;QACnB,QAAQ,EAAE,MAAM,CAAC;QACjB,WAAW,EAAE,MAAM,CAAC;QACpB,UAAU,EAAE,MAAM,CAAC;KACpB,CAAC;CACH;AAED;;;;;;GAMG;AACH,wBAAsB,SAAS,CAC7B,QAAQ,EAAE,MAAM,EAChB,IAAI,CAAC,EAAE,MAAM,GACZ,OAAO,CAAC;IAAE,GAAG,EAAE,MAAM,CAAC;IAAC,IAAI,EAAE,MAAM,CAAA;CAAE,CAAC,CAcxC;AAED;;;;;;GAMG;AACH,wBAAsB,OAAO,CAAC,SAAS,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,aAAa,CAAC,CAkBzF;AAED;;;;;;;GAOG;AACH,wBAAsB,OAAO,CAAC,SAAS,EAAE,aAAa,EAAE,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAiBzF"}

package/dist/infrastructure/keystore/crypto.js

@@ -0,0 +1,89 @@
+/**
+ * AES-256-GCM encryption/decryption with Argon2id key derivation.
+ *
+ * Design reference: 26-keystore-spec.md sections 2-3.
+ * - Argon2id: m=65536 (64 MiB), t=3, p=4, hashLength=32
+ * - AES-256-GCM: 12-byte IV, 16-byte authTag
+ * - Salt: 16-byte CSPRNG
+ */
+import { randomBytes, createCipheriv, createDecipheriv } from 'node:crypto';
+import argon2 from 'argon2';
+import { WAIaaSError } from '@waiaas/core';
+/** KDF parameters matching doc 26 specification. */
+export const KDF_PARAMS = {
+    memoryCost: 65536, // 64 MiB
+    timeCost: 3,
+    parallelism: 4,
+    hashLength: 32,
+};
+/**
+ * Derive a 32-byte AES-256 key from a password using Argon2id.
+ *
+ * @param password - Master password
+ * @param salt - Optional 16-byte salt. If not provided, generates a new CSPRNG salt.
+ * @returns 32-byte derived key and the salt used
+ */
+export async function deriveKey(password, salt) {
+    const actualSalt = salt ?? randomBytes(16);
+    const rawHash = await argon2.hash(password, {
+        type: argon2.argon2id,
+        memoryCost: KDF_PARAMS.memoryCost,
+        timeCost: KDF_PARAMS.timeCost,
+        parallelism: KDF_PARAMS.parallelism,
+        hashLength: KDF_PARAMS.hashLength,
+        salt: actualSalt,
+        raw: true,
+    });
+    return { key: Buffer.from(rawHash), salt: actualSalt };
+}
+/**
+ * Encrypt plaintext with AES-256-GCM using an Argon2id-derived key.
+ *
+ * @param plaintext - Data to encrypt (e.g., private key bytes)
+ * @param password - Master password for key derivation
+ * @returns Encrypted data with all parameters needed for decryption
+ */
+export async function encrypt(plaintext, password) {
+    const iv = randomBytes(12); // GCM 96-bit nonce
+    const { key, salt } = await deriveKey(password);
+    const cipher = createCipheriv('aes-256-gcm', key, iv);
+    const ciphertext = Buffer.concat([cipher.update(plaintext), cipher.final()]);
+    const authTag = cipher.getAuthTag();
+    // Zero the derived key from memory
+    key.fill(0);
+    return {
+        iv,
+        ciphertext,
+        authTag,
+        salt,
+        kdfparams: { ...KDF_PARAMS },
+    };
+}
+/**
+ * Decrypt AES-256-GCM ciphertext using an Argon2id-derived key.
+ *
+ * @param encrypted - Encrypted data with IV, authTag, salt, and KDF params
+ * @param password - Master password for key derivation
+ * @returns Decrypted plaintext buffer
+ * @throws WAIaaSError with INVALID_MASTER_PASSWORD if authTag verification fails
+ */
+export async function decrypt(encrypted, password) {
+    const { key } = await deriveKey(password, encrypted.salt);
+    try {
+        const decipher = createDecipheriv('aes-256-gcm', key, encrypted.iv);
+        decipher.setAuthTag(encrypted.authTag);
+        const plaintext = Buffer.concat([decipher.update(encrypted.ciphertext), decipher.final()]);
+        return plaintext;
+    }
+    catch (error) {
+        throw new WAIaaSError('INVALID_MASTER_PASSWORD', {
+            message: 'Decryption failed: wrong password or corrupted data (GCM authTag mismatch)',
+            cause: error instanceof Error ? error : undefined,
+        });
+    }
+    finally {
+        // Zero the derived key from memory
+        key.fill(0);
+    }
+}
+//# sourceMappingURL=crypto.js.map

package/dist/infrastructure/keystore/crypto.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"crypto.js","sourceRoot":"","sources":["../../../src/infrastructure/keystore/crypto.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,EAAE,WAAW,EAAE,cAAc,EAAE,gBAAgB,EAAE,MAAM,aAAa,CAAC;AAC5E,OAAO,MAAM,MAAM,QAAQ,CAAC;AAC5B,OAAO,EAAE,WAAW,EAAE,MAAM,cAAc,CAAC;AAE3C,oDAAoD;AACpD,MAAM,CAAC,MAAM,UAAU,GAAG;IACxB,UAAU,EAAE,KAAK,EAAE,SAAS;IAC5B,QAAQ,EAAE,CAAC;IACX,WAAW,EAAE,CAAC;IACd,UAAU,EAAE,EAAE;CACN,CAAC;AAqBX;;;;;;GAMG;AACH,MAAM,CAAC,KAAK,UAAU,SAAS,CAC7B,QAAgB,EAChB,IAAa;IAEb,MAAM,UAAU,GAAG,IAAI,IAAI,WAAW,CAAC,EAAE,CAAC,CAAC;IAE3C,MAAM,OAAO,GAAG,MAAM,MAAM,CAAC,IAAI,CAAC,QAAQ,EAAE;QAC1C,IAAI,EAAE,MAAM,CAAC,QAAQ;QACrB,UAAU,EAAE,UAAU,CAAC,UAAU;QACjC,QAAQ,EAAE,UAAU,CAAC,QAAQ;QAC7B,WAAW,EAAE,UAAU,CAAC,WAAW;QACnC,UAAU,EAAE,UAAU,CAAC,UAAU;QACjC,IAAI,EAAE,UAAU;QAChB,GAAG,EAAE,IAAI;KACV,CAAC,CAAC;IAEH,OAAO,EAAE,GAAG,EAAE,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,IAAI,EAAE,UAAU,EAAE,CAAC;AACzD,CAAC;AAED;;;;;;GAMG;AACH,MAAM,CAAC,KAAK,UAAU,OAAO,CAAC,SAAiB,EAAE,QAAgB;IAC/D,MAAM,EAAE,GAAG,WAAW,CAAC,EAAE,CAAC,CAAC,CAAC,mBAAmB;IAC/C,MAAM,EAAE,GAAG,EAAE,IAAI,EAAE,GAAG,MAAM,SAAS,CAAC,QAAQ,CAAC,CAAC;IAEhD,MAAM,MAAM,GAAG,cAAc,CAAC,aAAa,EAAE,GAAG,EAAE,EAAE,CAAC,CAAC;IACtD,MAAM,UAAU,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,MAAM,CAAC,MAAM,CAAC,SAAS,CAAC,EAAE,MAAM,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC;IAC7E,MAAM,OAAO,GAAG,MAAM,CAAC,UAAU,EAAE,CAAC;IAEpC,mCAAmC;IACnC,GAAG,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAEZ,OAAO;QACL,EAAE;QACF,UAAU;QACV,OAAO;QACP,IAAI;QACJ,SAAS,EAAE,EAAE,GAAG,UAAU,EAAE;KAC7B,CAAC;AACJ,CAAC;AAED;;;;;;;GAOG;AACH,MAAM,CAAC,KAAK,UAAU,OAAO,CAAC,SAAwB,EAAE,QAAgB;IACtE,MAAM,EAAE,GAAG,EAAE,GAAG,MAAM,SAAS,CAAC,QAAQ,EAAE,SAAS,CAAC,IAAI,CAAC,CAAC;IAE1D,IAAI,CAAC;QACH,MAAM,QAAQ,GAAG,gBAAgB,CAAC,aAAa,EAAE,GAAG,EAAE,SAAS,CAAC,EAAE,CAAC,CAAC;QACpE,QAAQ,CAAC,UAAU,CAAC,SAAS,CAAC,OAAO,CAAC,CAAC;QACvC,MAAM,SAAS,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,SAAS,CAAC,UAAU,CAAC,EAAE,QAAQ,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC;QAC3F,OAAO,SAAS,CAAC;IACnB,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,MAAM,IAAI,WAAW,CAAC,yBAAyB,EAAE;YAC/C,OAAO,EAAE,4EAA4E;YACrF,KAAK,EAAE,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,SAAS;SAClD,CAAC,CAAC;IACL,CAAC;YAAS,CAAC;QACT,mCAAmC;QACnC,GAAG,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IACd,CAAC;AACH,CAAC"}

package/dist/infrastructure/keystore/index.d.ts

@@ -0,0 +1,4 @@
+export { deriveKey, encrypt, decrypt, KDF_PARAMS, type EncryptedData } from './crypto.js';
+export { allocateGuarded, writeToGuarded, zeroAndRelease, isAvailable } from './memory.js';
+export { LocalKeyStore, type KeystoreFileV1 } from './keystore.js';
+//# sourceMappingURL=index.d.ts.map

package/dist/infrastructure/keystore/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/infrastructure/keystore/index.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,SAAS,EAAE,OAAO,EAAE,OAAO,EAAE,UAAU,EAAE,KAAK,aAAa,EAAE,MAAM,aAAa,CAAC;AAC1F,OAAO,EAAE,eAAe,EAAE,cAAc,EAAE,cAAc,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AAC3F,OAAO,EAAE,aAAa,EAAE,KAAK,cAAc,EAAE,MAAM,eAAe,CAAC"}

package/dist/infrastructure/keystore/index.js

@@ -0,0 +1,5 @@
+// Keystore module - AES-256-GCM encryption with Argon2id KDF and sodium guarded memory
+export { deriveKey, encrypt, decrypt, KDF_PARAMS } from './crypto.js';
+export { allocateGuarded, writeToGuarded, zeroAndRelease, isAvailable } from './memory.js';
+export { LocalKeyStore } from './keystore.js';
+//# sourceMappingURL=index.js.map

package/dist/infrastructure/keystore/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../src/infrastructure/keystore/index.ts"],"names":[],"mappings":"AAAA,uFAAuF;AAEvF,OAAO,EAAE,SAAS,EAAE,OAAO,EAAE,OAAO,EAAE,UAAU,EAAsB,MAAM,aAAa,CAAC;AAC1F,OAAO,EAAE,eAAe,EAAE,cAAc,EAAE,cAAc,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AAC3F,OAAO,EAAE,aAAa,EAAuB,MAAM,eAAe,CAAC"}

package/dist/infrastructure/keystore/keystore.d.ts

@@ -0,0 +1,115 @@
+/**
+ * LocalKeyStore - encrypted keystore with guarded memory.
+ *
+ * Implements ILocalKeyStore from @waiaas/core.
+ * Design reference: 26-keystore-spec.md.
+ *
+ * - Generates Ed25519 key pairs (Solana) using sodium-native
+ * - Generates secp256k1 key pairs (EVM) using crypto.randomBytes + viem
+ * - Encrypts private keys with AES-256-GCM + Argon2id KDF
+ * - Stores as per-wallet JSON keystore files (format v1)
+ * - Protects decrypted keys in sodium guarded memory
+ * - Atomic file writes (write-then-rename pattern)
+ */
+import type { ILocalKeyStore, ChainType } from '@waiaas/core';
+/** Keystore file format v1 JSON structure. */
+export interface KeystoreFileV1 {
+    version: 1;
+    id: string;
+    chain: string;
+    network: string;
+    /** Cryptographic curve. Defaults to 'ed25519' for backward compat with pre-v1.4.1 files. */
+    curve: 'ed25519' | 'secp256k1';
+    publicKey: string;
+    crypto: {
+        cipher: 'aes-256-gcm';
+        cipherparams: {
+            iv: string;
+        };
+        ciphertext: string;
+        authTag: string;
+        kdf: 'argon2id';
+        kdfparams: {
+            salt: string;
+            memoryCost: number;
+            timeCost: number;
+            parallelism: number;
+            hashLength: number;
+        };
+    };
+    metadata: {
+        name: string;
+        createdAt: string;
+        lastUnlockedAt: string | null;
+    };
+}
+/**
+ * Local keystore implementation with AES-256-GCM encryption,
+ * Argon2id KDF, and sodium guarded memory protection.
+ */
+export declare class LocalKeyStore implements ILocalKeyStore {
+    private readonly keystoreDir;
+    /** Map from guarded buffer identity to walletId for tracking */
+    private readonly guardedKeys;
+    constructor(keystoreDir: string);
+    /**
+     * Generate a key pair for the given chain and store encrypted with master password.
+     *
+     * For Solana: generates Ed25519 keypair via sodium crypto_sign_keypair.
+     * The full 64-byte secret key (seed + public) is encrypted.
+     *
+     * For Ethereum (EVM): generates secp256k1 private key via crypto.randomBytes(32).
+     * Derives EIP-55 checksum address using viem privateKeyToAccount.
+     * The 32-byte private key is encrypted.
+     *
+     * @returns publicKey (base58 for Solana, 0x EIP-55 for EVM) and encrypted private key bytes
+     */
+    generateKeyPair(walletId: string, chain: ChainType, network: string, masterPassword: string): Promise<{
+        publicKey: string;
+        encryptedPrivateKey: Uint8Array;
+    }>;
+    /**
+     * Generate an Ed25519 keypair for Solana using sodium-native.
+     */
+    private generateEd25519KeyPair;
+    /**
+     * Generate a secp256k1 keypair for EVM chains.
+     * Uses crypto.randomBytes(32) for CSPRNG entropy and viem for EIP-55 address derivation.
+     */
+    private generateSecp256k1KeyPair;
+    /**
+     * Decrypt private key from keystore file and store in guarded memory.
+     *
+     * @returns Guarded buffer containing the decrypted private key (readonly)
+     */
+    decryptPrivateKey(walletId: string, masterPassword: string): Promise<Uint8Array>;
+    /**
+     * Release a decrypted key from guarded memory (zero-fill).
+     */
+    releaseKey(key: Uint8Array): void;
+    /**
+     * Check if a keystore file exists for the given wallet.
+     */
+    hasKey(walletId: string): Promise<boolean>;
+    /**
+     * Delete keystore file and release any loaded key from memory.
+     */
+    deleteKey(walletId: string): Promise<void>;
+    /**
+     * Lock all keys -- zero and release all guarded buffers.
+     * Called during daemon shutdown.
+     */
+    lockAll(): void;
+    /**
+     * Check if sodium-native guarded memory is available.
+     */
+    get sodiumAvailable(): boolean;
+    private keystorePath;
+    /**
+     * Write keystore file atomically using write-then-rename pattern.
+     * Sets file permission to 0600 (owner read/write only).
+     */
+    private writeKeystoreFile;
+    private readKeystoreFile;
+}
+//# sourceMappingURL=keystore.d.ts.map

package/dist/infrastructure/keystore/keystore.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"keystore.d.ts","sourceRoot":"","sources":["../../../src/infrastructure/keystore/keystore.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAMH,OAAO,KAAK,EAAE,cAAc,EAAE,SAAS,EAAE,MAAM,cAAc,CAAC;AAc9D,8CAA8C;AAC9C,MAAM,WAAW,cAAc;IAC7B,OAAO,EAAE,CAAC,CAAC;IACX,EAAE,EAAE,MAAM,CAAC;IACX,KAAK,EAAE,MAAM,CAAC;IACd,OAAO,EAAE,MAAM,CAAC;IAChB,4FAA4F;IAC5F,KAAK,EAAE,SAAS,GAAG,WAAW,CAAC;IAC/B,SAAS,EAAE,MAAM,CAAC;IAClB,MAAM,EAAE;QACN,MAAM,EAAE,aAAa,CAAC;QACtB,YAAY,EAAE;YAAE,EAAE,EAAE,MAAM,CAAA;SAAE,CAAC;QAC7B,UAAU,EAAE,MAAM,CAAC;QACnB,OAAO,EAAE,MAAM,CAAC;QAChB,GAAG,EAAE,UAAU,CAAC;QAChB,SAAS,EAAE;YACT,IAAI,EAAE,MAAM,CAAC;YACb,UAAU,EAAE,MAAM,CAAC;YACnB,QAAQ,EAAE,MAAM,CAAC;YACjB,WAAW,EAAE,MAAM,CAAC;YACpB,UAAU,EAAE,MAAM,CAAC;SACpB,CAAC;KACH,CAAC;IACF,QAAQ,EAAE;QACR,IAAI,EAAE,MAAM,CAAC;QACb,SAAS,EAAE,MAAM,CAAC;QAClB,cAAc,EAAE,MAAM,GAAG,IAAI,CAAC;KAC/B,CAAC;CACH;AAED;;;GAGG;AACH,qBAAa,aAAc,YAAW,cAAc;IAClD,OAAO,CAAC,QAAQ,CAAC,WAAW,CAAS;IACrC,gEAAgE;IAChE,OAAO,CAAC,QAAQ,CAAC,WAAW,CAAkC;gBAElD,WAAW,EAAE,MAAM;IAI/B;;;;;;;;;;;OAWG;IACG,eAAe,CACnB,QAAQ,EAAE,MAAM,EAChB,KAAK,EAAE,SAAS,EAChB,OAAO,EAAE,MAAM,EACf,cAAc,EAAE,MAAM,GACrB,OAAO,CAAC;QAAE,SAAS,EAAE,MAAM,CAAC;QAAC,mBAAmB,EAAE,UAAU,CAAA;KAAE,CAAC;IAclE;;OAEG;YACW,sBAAsB;IAwDpC;;;OAGG;YACW,wBAAwB;IAwDtC;;;;OAIG;IACG,iBAAiB,CAAC,QAAQ,EAAE,MAAM,EAAE,cAAc,EAAE,MAAM,GAAG,OAAO,CAAC,UAAU,CAAC;IA8BtF;;OAEG;IACH,UAAU,CAAC,GAAG,EAAE,UAAU,GAAG,IAAI;IAiBjC;;OAEG;IACG,MAAM,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;IAShD;;OAEG;IACG,SAAS,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAoBhD;;;OAGG;IACH,OAAO,IAAI,IAAI;IAOf;;OAEG;IACH,IAAI,eAAe,IAAI,OAAO,CAE7B;IAID,OAAO,CAAC,YAAY;IAIpB;;;OAGG;YACW,iBAAiB;YASjB,gBAAgB;CA4B/B"}

package/dist/infrastructure/keystore/keystore.js

@@ -0,0 +1,327 @@
+/**
+ * LocalKeyStore - encrypted keystore with guarded memory.
+ *
+ * Implements ILocalKeyStore from @waiaas/core.
+ * Design reference: 26-keystore-spec.md.
+ *
+ * - Generates Ed25519 key pairs (Solana) using sodium-native
+ * - Generates secp256k1 key pairs (EVM) using crypto.randomBytes + viem
+ * - Encrypts private keys with AES-256-GCM + Argon2id KDF
+ * - Stores as per-wallet JSON keystore files (format v1)
+ * - Protects decrypted keys in sodium guarded memory
+ * - Atomic file writes (write-then-rename pattern)
+ */
+import { randomBytes, randomUUID } from 'node:crypto';
+import { writeFile, readFile, unlink, stat, rename } from 'node:fs/promises';
+import { createRequire } from 'node:module';
+import { join, dirname } from 'node:path';
+import { WAIaaSError } from '@waiaas/core';
+import { privateKeyToAccount } from 'viem/accounts';
+import { encrypt, decrypt, KDF_PARAMS } from './crypto.js';
+import { allocateGuarded, writeToGuarded, zeroAndRelease, isAvailable } from './memory.js';
+const require = createRequire(import.meta.url);
+function loadSodium() {
+    return require('sodium-native');
+}
+/**
+ * Local keystore implementation with AES-256-GCM encryption,
+ * Argon2id KDF, and sodium guarded memory protection.
+ */
+export class LocalKeyStore {
+    keystoreDir;
+    /** Map from guarded buffer identity to walletId for tracking */
+    guardedKeys = new Map();
+    constructor(keystoreDir) {
+        this.keystoreDir = keystoreDir;
+    }
+    /**
+     * Generate a key pair for the given chain and store encrypted with master password.
+     *
+     * For Solana: generates Ed25519 keypair via sodium crypto_sign_keypair.
+     * The full 64-byte secret key (seed + public) is encrypted.
+     *
+     * For Ethereum (EVM): generates secp256k1 private key via crypto.randomBytes(32).
+     * Derives EIP-55 checksum address using viem privateKeyToAccount.
+     * The 32-byte private key is encrypted.
+     *
+     * @returns publicKey (base58 for Solana, 0x EIP-55 for EVM) and encrypted private key bytes
+     */
+    async generateKeyPair(walletId, chain, network, masterPassword) {
+        if (chain === 'ethereum') {
+            return this.generateSecp256k1KeyPair(walletId, network, masterPassword);
+        }
+        if (chain === 'solana') {
+            return this.generateEd25519KeyPair(walletId, network, masterPassword);
+        }
+        throw new WAIaaSError('CHAIN_NOT_SUPPORTED', {
+            message: `Key generation for chain '${chain}' is not supported. Supported: 'solana', 'ethereum'.`,
+        });
+    }
+    /**
+     * Generate an Ed25519 keypair for Solana using sodium-native.
+     */
+    async generateEd25519KeyPair(walletId, network, masterPassword) {
+        const sodium = loadSodium();
+        // Generate Ed25519 keypair using sodium
+        const publicKeyBuf = Buffer.alloc(sodium.crypto_sign_PUBLICKEYBYTES);
+        const secretKeyBuf = Buffer.alloc(sodium.crypto_sign_SECRETKEYBYTES);
+        sodium.crypto_sign_keypair(publicKeyBuf, secretKeyBuf);
+        // Encode public key as base58
+        const publicKey = encodeBase58(publicKeyBuf);
+        // Encrypt the 64-byte secret key
+        const encrypted = await encrypt(secretKeyBuf, masterPassword);
+        // Zero the plaintext secret key immediately
+        sodium.sodium_memzero(secretKeyBuf);
+        // Build keystore file v1
+        const keystoreFile = {
+            version: 1,
+            id: randomUUID(),
+            chain: 'solana',
+            network,
+            curve: 'ed25519',
+            publicKey,
+            crypto: {
+                cipher: 'aes-256-gcm',
+                cipherparams: { iv: encrypted.iv.toString('hex') },
+                ciphertext: encrypted.ciphertext.toString('hex'),
+                authTag: encrypted.authTag.toString('hex'),
+                kdf: 'argon2id',
+                kdfparams: {
+                    salt: encrypted.salt.toString('hex'),
+                    ...KDF_PARAMS,
+                },
+            },
+            metadata: {
+                name: walletId,
+                createdAt: new Date().toISOString(),
+                lastUnlockedAt: null,
+            },
+        };
+        // Write keystore file atomically (write-then-rename)
+        await this.writeKeystoreFile(walletId, keystoreFile);
+        return {
+            publicKey,
+            encryptedPrivateKey: new Uint8Array(encrypted.ciphertext),
+        };
+    }
+    /**
+     * Generate a secp256k1 keypair for EVM chains.
+     * Uses crypto.randomBytes(32) for CSPRNG entropy and viem for EIP-55 address derivation.
+     */
+    async generateSecp256k1KeyPair(walletId, network, masterPassword) {
+        const sodium = loadSodium();
+        // Generate 32-byte random private key via CSPRNG
+        const privateKeyBuf = randomBytes(32);
+        // Derive EIP-55 checksum address using viem
+        const hexKey = `0x${privateKeyBuf.toString('hex')}`;
+        const account = privateKeyToAccount(hexKey);
+        const publicKey = account.address; // EIP-55 checksum address
+        // Encrypt the 32-byte private key
+        const encrypted = await encrypt(privateKeyBuf, masterPassword);
+        // Zero the plaintext private key immediately
+        sodium.sodium_memzero(privateKeyBuf);
+        // Build keystore file v1
+        const keystoreFile = {
+            version: 1,
+            id: randomUUID(),
+            chain: 'ethereum',
+            network,
+            curve: 'secp256k1',
+            publicKey,
+            crypto: {
+                cipher: 'aes-256-gcm',
+                cipherparams: { iv: encrypted.iv.toString('hex') },
+                ciphertext: encrypted.ciphertext.toString('hex'),
+                authTag: encrypted.authTag.toString('hex'),
+                kdf: 'argon2id',
+                kdfparams: {
+                    salt: encrypted.salt.toString('hex'),
+                    ...KDF_PARAMS,
+                },
+            },
+            metadata: {
+                name: walletId,
+                createdAt: new Date().toISOString(),
+                lastUnlockedAt: null,
+            },
+        };
+        // Write keystore file atomically (write-then-rename)
+        await this.writeKeystoreFile(walletId, keystoreFile);
+        return {
+            publicKey,
+            encryptedPrivateKey: new Uint8Array(encrypted.ciphertext),
+        };
+    }
+    /**
+     * Decrypt private key from keystore file and store in guarded memory.
+     *
+     * @returns Guarded buffer containing the decrypted private key (readonly)
+     */
+    async decryptPrivateKey(walletId, masterPassword) {
+        const keystoreFile = await this.readKeystoreFile(walletId);
+        const encrypted = {
+            iv: Buffer.from(keystoreFile.crypto.cipherparams.iv, 'hex'),
+            ciphertext: Buffer.from(keystoreFile.crypto.ciphertext, 'hex'),
+            authTag: Buffer.from(keystoreFile.crypto.authTag, 'hex'),
+            salt: Buffer.from(keystoreFile.crypto.kdfparams.salt, 'hex'),
+            kdfparams: keystoreFile.crypto.kdfparams,
+        };
+        const plaintext = await decrypt(encrypted, masterPassword);
+        // Store in guarded memory
+        const guarded = allocateGuarded(plaintext.length);
+        writeToGuarded(guarded, plaintext);
+        // Zero the plaintext Buffer
+        plaintext.fill(0);
+        // Track the guarded buffer
+        this.guardedKeys.set(guarded, walletId);
+        // Update lastUnlockedAt
+        keystoreFile.metadata.lastUnlockedAt = new Date().toISOString();
+        await this.writeKeystoreFile(walletId, keystoreFile);
+        return new Uint8Array(guarded.buffer, guarded.byteOffset, guarded.byteLength);
+    }
+    /**
+     * Release a decrypted key from guarded memory (zero-fill).
+     */
+    releaseKey(key) {
+        // Find the guarded buffer that backs this Uint8Array
+        for (const [guarded] of this.guardedKeys) {
+            if (guarded.buffer === key.buffer &&
+                guarded.byteOffset === key.byteOffset &&
+                guarded.byteLength === key.byteLength) {
+                zeroAndRelease(guarded);
+                this.guardedKeys.delete(guarded);
+                return;
+            }
+        }
+        // If not found in guardedKeys (e.g., fallback buffer), zero it manually
+        key.fill(0);
+    }
+    /**
+     * Check if a keystore file exists for the given wallet.
+     */
+    async hasKey(walletId) {
+        try {
+            await stat(this.keystorePath(walletId));
+            return true;
+        }
+        catch {
+            return false;
+        }
+    }
+    /**
+     * Delete keystore file and release any loaded key from memory.
+     */
+    async deleteKey(walletId) {
+        // Release from memory if loaded
+        for (const [guarded, id] of this.guardedKeys) {
+            if (id === walletId) {
+                zeroAndRelease(guarded);
+                this.guardedKeys.delete(guarded);
+            }
+        }
+        // Delete file
+        try {
+            await unlink(this.keystorePath(walletId));
+        }
+        catch (error) {
+            // Ignore if file doesn't exist
+            if (error.code !== 'ENOENT') {
+                throw error;
+            }
+        }
+    }
+    /**
+     * Lock all keys -- zero and release all guarded buffers.
+     * Called during daemon shutdown.
+     */
+    lockAll() {
+        for (const [guarded] of this.guardedKeys) {
+            zeroAndRelease(guarded);
+        }
+        this.guardedKeys.clear();
+    }
+    /**
+     * Check if sodium-native guarded memory is available.
+     */
+    get sodiumAvailable() {
+        return isAvailable();
+    }
+    // --- Private helpers ---
+    keystorePath(walletId) {
+        return join(this.keystoreDir, `${walletId}.json`);
+    }
+    /**
+     * Write keystore file atomically using write-then-rename pattern.
+     * Sets file permission to 0600 (owner read/write only).
+     */
+    async writeKeystoreFile(walletId, data) {
+        const targetPath = this.keystorePath(walletId);
+        const tempPath = join(dirname(targetPath), `.${walletId}.json.tmp`);
+        const json = JSON.stringify(data, null, 2);
+        await writeFile(tempPath, json, { encoding: 'utf-8', mode: 0o600 });
+        await rename(tempPath, targetPath);
+    }
+    async readKeystoreFile(walletId) {
+        const filePath = this.keystorePath(walletId);
+        let content;
+        try {
+            content = await readFile(filePath, 'utf-8');
+        }
+        catch (error) {
+            if (error.code === 'ENOENT') {
+                throw new WAIaaSError('WALLET_NOT_FOUND', {
+                    message: `Keystore file not found for wallet '${walletId}'`,
+                });
+            }
+            throw error;
+        }
+        const parsed = JSON.parse(content);
+        if (parsed.version !== 1) {
+            throw new WAIaaSError('KEYSTORE_LOCKED', {
+                message: `Unsupported keystore version: ${String(parsed.version)}`,
+            });
+        }
+        // Backward compat: files created before v1.4.1 lack the curve field
+        if (!parsed.curve) {
+            parsed.curve = 'ed25519';
+        }
+        return parsed;
+    }
+}
+// --- Base58 encoding (Bitcoin alphabet) ---
+const BASE58_ALPHABET = '123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz';
+/**
+ * Encode a Buffer as Base58 string (Solana public key format).
+ */
+function encodeBase58(buf) {
+    // Count leading zeros
+    let zeroes = 0;
+    for (let i = 0; i < buf.length && buf[i] === 0; i++) {
+        zeroes++;
+    }
+    // Convert to base58
+    const size = Math.ceil((buf.length * 138) / 100) + 1;
+    const b58 = new Uint8Array(size);
+    let length = 0;
+    for (let i = zeroes; i < buf.length; i++) {
+        let carry = buf[i];
+        let j = 0;
+        for (let k = size - 1; k >= 0 && (carry !== 0 || j < length); k--, j++) {
+            carry += 256 * (b58[k] ?? 0);
+            b58[k] = carry % 58;
+            carry = Math.floor(carry / 58);
+        }
+        length = j;
+    }
+    // Build string
+    let str = '1'.repeat(zeroes);
+    let leadingZeros = true;
+    for (let i = 0; i < size; i++) {
+        if (leadingZeros && b58[i] === 0)
+            continue;
+        leadingZeros = false;
+        str += BASE58_ALPHABET[b58[i]];
+    }
+    return str || '1';
+}
+//# sourceMappingURL=keystore.js.map

package/dist/infrastructure/keystore/keystore.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"keystore.js","sourceRoot":"","sources":["../../../src/infrastructure/keystore/keystore.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAEH,OAAO,EAAE,WAAW,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AACtD,OAAO,EAAE,SAAS,EAAE,QAAQ,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,EAAE,MAAM,kBAAkB,CAAC;AAC7E,OAAO,EAAE,aAAa,EAAE,MAAM,aAAa,CAAC;AAC5C,OAAO,EAAE,IAAI,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AAE1C,OAAO,EAAE,WAAW,EAAE,MAAM,cAAc,CAAC;AAC3C,OAAO,EAAE,mBAAmB,EAAE,MAAM,eAAe,CAAC;AACpD,OAAO,EAAE,OAAO,EAAE,OAAO,EAAE,UAAU,EAAsB,MAAM,aAAa,CAAC;AAC/E,OAAO,EAAE,eAAe,EAAE,cAAc,EAAE,cAAc,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AAI3F,MAAM,OAAO,GAAG,aAAa,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;AAE/C,SAAS,UAAU;IACjB,OAAO,OAAO,CAAC,eAAe,CAAiB,CAAC;AAClD,CAAC;AAgCD;;;GAGG;AACH,MAAM,OAAO,aAAa;IACP,WAAW,CAAS;IACrC,gEAAgE;IAC/C,WAAW,GAAwB,IAAI,GAAG,EAAE,CAAC;IAE9D,YAAY,WAAmB;QAC7B,IAAI,CAAC,WAAW,GAAG,WAAW,CAAC;IACjC,CAAC;IAED;;;;;;;;;;;OAWG;IACH,KAAK,CAAC,eAAe,CACnB,QAAgB,EAChB,KAAgB,EAChB,OAAe,EACf,cAAsB;QAEtB,IAAI,KAAK,KAAK,UAAU,EAAE,CAAC;YACzB,OAAO,IAAI,CAAC,wBAAwB,CAAC,QAAQ,EAAE,OAAO,EAAE,cAAc,CAAC,CAAC;QAC1E,CAAC;QAED,IAAI,KAAK,KAAK,QAAQ,EAAE,CAAC;YACvB,OAAO,IAAI,CAAC,sBAAsB,CAAC,QAAQ,EAAE,OAAO,EAAE,cAAc,CAAC,CAAC;QACxE,CAAC;QAED,MAAM,IAAI,WAAW,CAAC,qBAAqB,EAAE;YAC3C,OAAO,EAAE,6BAA6B,KAAK,sDAAsD;SAClG,CAAC,CAAC;IACL,CAAC;IAED;;OAEG;IACK,KAAK,CAAC,sBAAsB,CAClC,QAAgB,EAChB,OAAe,EACf,cAAsB;QAEtB,MAAM,MAAM,GAAG,UAAU,EAAE,CAAC;QAE5B,wCAAwC;QACxC,MAAM,YAAY,GAAG,MAAM,CAAC,KAAK,CAAC,MAAM,CAAC,0BAA0B,CAAC,CAAC;QACrE,MAAM,YAAY,GAAG,MAAM,CAAC,KAAK,CAAC,MAAM,CAAC,0BAA0B,CAAC,CAAC;QACrE,MAAM,CAAC,mBAAmB,CAAC,YAAY,EAAE,YAAY,CAAC,CAAC;QAEvD,8BAA8B;QAC9B,MAAM,SAAS,GAAG,YAAY,CAAC,YAAY,CAAC,CAAC;QAE7C,iCAAiC;QACjC,MAAM,SAAS,GAAG,MAAM,OAAO,CAAC,YAAY,EAAE,cAAc,CAAC,CAAC;QAE9D,4CAA4C;QAC5C,MAAM,CAAC,cAAc,CAAC,YAAY,CAAC,CAAC;QAEpC,yBAAyB;QACzB,MAAM,YAAY,GAAmB;YACnC,OAAO,EAAE,CAAC;YACV,EAAE,EAAE,UAAU,EAAE;YAChB,KAAK,EAAE,QAAQ;YACf,OAAO;YACP,KAAK,EAAE,SAAS;YAChB,SAAS;YACT,MAAM,EAAE;gBACN,MAAM,EAAE,aAAa;gBACrB,YAAY,EAAE,EAAE,EAAE,EAAE,SAAS,CAAC,EAAE,CAAC,QAAQ,CAAC,KAAK,CAAC,EAAE;gBAClD,UAAU,EAAE,SAAS,CAAC,UAAU,CAAC,QAAQ,CAAC,KAAK,CAAC;gBAChD,OAAO,EAAE,SAAS,CAAC,OAAO,CAAC,QAAQ,CAAC,KAAK,CAAC;gBAC1C,GAAG,EAAE,UAAU;gBACf,SAAS,EAAE;oBACT,IAAI,EAAE,SAAS,CAAC,IAAI,CAAC,QAAQ,CAAC,KAAK,CAAC;oBACpC,GAAG,UAAU;iBACd;aACF;YACD,QAAQ,EAAE;gBACR,IAAI,EAAE,QAAQ;gBACd,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;gBACnC,cAAc,EAAE,IAAI;aACrB;SACF,CAAC;QAEF,qDAAqD;QACrD,MAAM,IAAI,CAAC,iBAAiB,CAAC,QAAQ,EAAE,YAAY,CAAC,CAAC;QAErD,OAAO;YACL,SAAS;YACT,mBAAmB,EAAE,IAAI,UAAU,CAAC,SAAS,CAAC,UAAU,CAAC;SAC1D,CAAC;IACJ,CAAC;IAED;;;OAGG;IACK,KAAK,CAAC,wBAAwB,CACpC,QAAgB,EAChB,OAAe,EACf,cAAsB;QAEtB,MAAM,MAAM,GAAG,UAAU,EAAE,CAAC;QAE5B,iDAAiD;QACjD,MAAM,aAAa,GAAG,WAAW,CAAC,EAAE,CAAC,CAAC;QAEtC,4CAA4C;QAC5C,MAAM,MAAM,GAAG,KAAK,aAAa,CAAC,QAAQ,CAAC,KAAK,CAAC,EAAmB,CAAC;QACrE,MAAM,OAAO,GAAG,mBAAmB,CAAC,MAAM,CAAC,CAAC;QAC5C,MAAM,SAAS,GAAG,OAAO,CAAC,OAAO,CAAC,CAAC,0BAA0B;QAE7D,kCAAkC;QAClC,MAAM,SAAS,GAAG,MAAM,OAAO,CAAC,aAAa,EAAE,cAAc,CAAC,CAAC;QAE/D,6CAA6C;QAC7C,MAAM,CAAC,cAAc,CAAC,aAAa,CAAC,CAAC;QAErC,yBAAyB;QACzB,MAAM,YAAY,GAAmB;YACnC,OAAO,EAAE,CAAC;YACV,EAAE,EAAE,UAAU,EAAE;YAChB,KAAK,EAAE,UAAU;YACjB,OAAO;YACP,KAAK,EAAE,WAAW;YAClB,SAAS;YACT,MAAM,EAAE;gBACN,MAAM,EAAE,aAAa;gBACrB,YAAY,EAAE,EAAE,EAAE,EAAE,SAAS,CAAC,EAAE,CAAC,QAAQ,CAAC,KAAK,CAAC,EAAE;gBAClD,UAAU,EAAE,SAAS,CAAC,UAAU,CAAC,QAAQ,CAAC,KAAK,CAAC;gBAChD,OAAO,EAAE,SAAS,CAAC,OAAO,CAAC,QAAQ,CAAC,KAAK,CAAC;gBAC1C,GAAG,EAAE,UAAU;gBACf,SAAS,EAAE;oBACT,IAAI,EAAE,SAAS,CAAC,IAAI,CAAC,QAAQ,CAAC,KAAK,CAAC;oBACpC,GAAG,UAAU;iBACd;aACF;YACD,QAAQ,EAAE;gBACR,IAAI,EAAE,QAAQ;gBACd,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;gBACnC,cAAc,EAAE,IAAI;aACrB;SACF,CAAC;QAEF,qDAAqD;QACrD,MAAM,IAAI,CAAC,iBAAiB,CAAC,QAAQ,EAAE,YAAY,CAAC,CAAC;QAErD,OAAO;YACL,SAAS;YACT,mBAAmB,EAAE,IAAI,UAAU,CAAC,SAAS,CAAC,UAAU,CAAC;SAC1D,CAAC;IACJ,CAAC;IAED;;;;OAIG;IACH,KAAK,CAAC,iBAAiB,CAAC,QAAgB,EAAE,cAAsB;QAC9D,MAAM,YAAY,GAAG,MAAM,IAAI,CAAC,gBAAgB,CAAC,QAAQ,CAAC,CAAC;QAE3D,MAAM,SAAS,GAAkB;YAC/B,EAAE,EAAE,MAAM,CAAC,IAAI,CAAC,YAAY,CAAC,MAAM,CAAC,YAAY,CAAC,EAAE,EAAE,KAAK,CAAC;YAC3D,UAAU,EAAE,MAAM,CAAC,IAAI,CAAC,YAAY,CAAC,MAAM,CAAC,UAAU,EAAE,KAAK,CAAC;YAC9D,OAAO,EAAE,MAAM,CAAC,IAAI,CAAC,YAAY,CAAC,MAAM,CAAC,OAAO,EAAE,KAAK,CAAC;YACxD,IAAI,EAAE,MAAM,CAAC,IAAI,CAAC,YAAY,CAAC,MAAM,CAAC,SAAS,CAAC,IAAI,EAAE,KAAK,CAAC;YAC5D,SAAS,EAAE,YAAY,CAAC,MAAM,CAAC,SAAS;SACzC,CAAC;QAEF,MAAM,SAAS,GAAG,MAAM,OAAO,CAAC,SAAS,EAAE,cAAc,CAAC,CAAC;QAE3D,0BAA0B;QAC1B,MAAM,OAAO,GAAG,eAAe,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC;QAClD,cAAc,CAAC,OAAO,EAAE,SAAS,CAAC,CAAC;QAEnC,4BAA4B;QAC5B,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAElB,2BAA2B;QAC3B,IAAI,CAAC,WAAW,CAAC,GAAG,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC;QAExC,wBAAwB;QACxB,YAAY,CAAC,QAAQ,CAAC,cAAc,GAAG,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC;QAChE,MAAM,IAAI,CAAC,iBAAiB,CAAC,QAAQ,EAAE,YAAY,CAAC,CAAC;QAErD,OAAO,IAAI,UAAU,CAAC,OAAO,CAAC,MAAM,EAAE,OAAO,CAAC,UAAU,EAAE,OAAO,CAAC,UAAU,CAAC,CAAC;IAChF,CAAC;IAED;;OAEG;IACH,UAAU,CAAC,GAAe;QACxB,qDAAqD;QACrD,KAAK,MAAM,CAAC,OAAO,CAAC,IAAI,IAAI,CAAC,WAAW,EAAE,CAAC;YACzC,IACE,OAAO,CAAC,MAAM,KAAK,GAAG,CAAC,MAAM;gBAC7B,OAAO,CAAC,UAAU,KAAK,GAAG,CAAC,UAAU;gBACrC,OAAO,CAAC,UAAU,KAAK,GAAG,CAAC,UAAU,EACrC,CAAC;gBACD,cAAc,CAAC,OAAO,CAAC,CAAC;gBACxB,IAAI,CAAC,WAAW,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;gBACjC,OAAO;YACT,CAAC;QACH,CAAC;QACD,wEAAwE;QACxE,GAAG,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IACd,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,MAAM,CAAC,QAAgB;QAC3B,IAAI,CAAC;YACH,MAAM,IAAI,CAAC,IAAI,CAAC,YAAY,CAAC,QAAQ,CAAC,CAAC,CAAC;YACxC,OAAO,IAAI,CAAC;QACd,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,KAAK,CAAC;QACf,CAAC;IACH,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,SAAS,CAAC,QAAgB;QAC9B,gCAAgC;QAChC,KAAK,MAAM,CAAC,OAAO,EAAE,EAAE,CAAC,IAAI,IAAI,CAAC,WAAW,EAAE,CAAC;YAC7C,IAAI,EAAE,KAAK,QAAQ,EAAE,CAAC;gBACpB,cAAc,CAAC,OAAO,CAAC,CAAC;gBACxB,IAAI,CAAC,WAAW,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;YACnC,CAAC;QACH,CAAC;QAED,cAAc;QACd,IAAI,CAAC;YACH,MAAM,MAAM,CAAC,IAAI,CAAC,YAAY,CAAC,QAAQ,CAAC,CAAC,CAAC;QAC5C,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,+BAA+B;YAC/B,IAAK,KAA+B,CAAC,IAAI,KAAK,QAAQ,EAAE,CAAC;gBACvD,MAAM,KAAK,CAAC;YACd,CAAC;QACH,CAAC;IACH,CAAC;IAED;;;OAGG;IACH,OAAO;QACL,KAAK,MAAM,CAAC,OAAO,CAAC,IAAI,IAAI,CAAC,WAAW,EAAE,CAAC;YACzC,cAAc,CAAC,OAAO,CAAC,CAAC;QAC1B,CAAC;QACD,IAAI,CAAC,WAAW,CAAC,KAAK,EAAE,CAAC;IAC3B,CAAC;IAED;;OAEG;IACH,IAAI,eAAe;QACjB,OAAO,WAAW,EAAE,CAAC;IACvB,CAAC;IAED,0BAA0B;IAElB,YAAY,CAAC,QAAgB;QACnC,OAAO,IAAI,CAAC,IAAI,CAAC,WAAW,EAAE,GAAG,QAAQ,OAAO,CAAC,CAAC;IACpD,CAAC;IAED;;;OAGG;IACK,KAAK,CAAC,iBAAiB,CAAC,QAAgB,EAAE,IAAoB;QACpE,MAAM,UAAU,GAAG,IAAI,CAAC,YAAY,CAAC,QAAQ,CAAC,CAAC;QAC/C,MAAM,QAAQ,GAAG,IAAI,CAAC,OAAO,CAAC,UAAU,CAAC,EAAE,IAAI,QAAQ,WAAW,CAAC,CAAC;QAEpE,MAAM,IAAI,GAAG,IAAI,CAAC,SAAS,CAAC,IAAI,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC;QAC3C,MAAM,SAAS,CAAC,QAAQ,EAAE,IAAI,EAAE,EAAE,QAAQ,EAAE,OAAO,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;QACpE,MAAM,MAAM,CAAC,QAAQ,EAAE,UAAU,CAAC,CAAC;IACrC,CAAC;IAEO,KAAK,CAAC,gBAAgB,CAAC,QAAgB;QAC7C,MAAM,QAAQ,GAAG,IAAI,CAAC,YAAY,CAAC,QAAQ,CAAC,CAAC;QAC7C,IAAI,OAAe,CAAC;QACpB,IAAI,CAAC;YACH,OAAO,GAAG,MAAM,QAAQ,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;QAC9C,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,IAAK,KAA+B,CAAC,IAAI,KAAK,QAAQ,EAAE,CAAC;gBACvD,MAAM,IAAI,WAAW,CAAC,kBAAkB,EAAE;oBACxC,OAAO,EAAE,uCAAuC,QAAQ,GAAG;iBAC5D,CAAC,CAAC;YACL,CAAC;YACD,MAAM,KAAK,CAAC;QACd,CAAC;QAED,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,OAAO,CAAmB,CAAC;QACrD,IAAI,MAAM,CAAC,OAAO,KAAK,CAAC,EAAE,CAAC;YACzB,MAAM,IAAI,WAAW,CAAC,iBAAiB,EAAE;gBACvC,OAAO,EAAE,iCAAiC,MAAM,CAAC,MAAM,CAAC,OAAO,CAAC,EAAE;aACnE,CAAC,CAAC;QACL,CAAC;QAED,oEAAoE;QACpE,IAAI,CAAC,MAAM,CAAC,KAAK,EAAE,CAAC;YAClB,MAAM,CAAC,KAAK,GAAG,SAAS,CAAC;QAC3B,CAAC;QAED,OAAO,MAAM,CAAC;IAChB,CAAC;CACF;AAED,6CAA6C;AAE7C,MAAM,eAAe,GAAG,4DAA4D,CAAC;AAErF;;GAEG;AACH,SAAS,YAAY,CAAC,GAAW;IAC/B,sBAAsB;IACtB,IAAI,MAAM,GAAG,CAAC,CAAC;IACf,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,GAAG,CAAC,MAAM,IAAI,GAAG,CAAC,CAAC,CAAC,KAAK,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC;QACpD,MAAM,EAAE,CAAC;IACX,CAAC;IAED,oBAAoB;IACpB,MAAM,IAAI,GAAG,IAAI,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,MAAM,GAAG,GAAG,CAAC,GAAG,GAAG,CAAC,GAAG,CAAC,CAAC;IACrD,MAAM,GAAG,GAAG,IAAI,UAAU,CAAC,IAAI,CAAC,CAAC;IACjC,IAAI,MAAM,GAAG,CAAC,CAAC;IAEf,KAAK,IAAI,CAAC,GAAG,MAAM,EAAE,CAAC,GAAG,GAAG,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QACzC,IAAI,KAAK,GAAG,GAAG,CAAC,CAAC,CAAE,CAAC;QACpB,IAAI,CAAC,GAAG,CAAC,CAAC;QACV,KAAK,IAAI,CAAC,GAAG,IAAI,GAAG,CAAC,EAAE,CAAC,IAAI,CAAC,IAAI,CAAC,KAAK,KAAK,CAAC,IAAI,CAAC,GAAG,MAAM,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,EAAE,EAAE,CAAC;YACvE,KAAK,IAAI,GAAG,GAAG,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC;YAC7B,GAAG,CAAC,CAAC,CAAC,GAAG,KAAK,GAAG,EAAE,CAAC;YACpB,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,KAAK,GAAG,EAAE,CAAC,CAAC;QACjC,CAAC;QACD,MAAM,GAAG,CAAC,CAAC;IACb,CAAC;IAED,eAAe;IACf,IAAI,GAAG,GAAG,GAAG,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;IAC7B,IAAI,YAAY,GAAG,IAAI,CAAC;IACxB,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,IAAI,EAAE,CAAC,EAAE,EAAE,CAAC;QAC9B,IAAI,YAAY,IAAI,GAAG,CAAC,CAAC,CAAC,KAAK,CAAC;YAAE,SAAS;QAC3C,YAAY,GAAG,KAAK,CAAC;QACrB,GAAG,IAAI,eAAe,CAAC,GAAG,CAAC,CAAC,CAAE,CAAC,CAAC;IAClC,CAAC;IAED,OAAO,GAAG,IAAI,GAAG,CAAC;AACpB,CAAC"}