@witnium-tech/witniumchain 0.2.0 → 0.5.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (8) hide show
  1. package/README.md +104 -28
  2. package/dist/index.d.mts +4301 -130
  3. package/dist/index.d.ts +4301 -130
  4. package/dist/index.js +722 -52
  5. package/dist/index.js.map +1 -1
  6. package/dist/index.mjs +715 -49
  7. package/dist/index.mjs.map +1 -1
  8. package/package.json +7 -4
package/dist/index.js.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"sources":["../src/errors.ts","../src/client.ts","../src/admin-client.ts","../src/org-client.ts"],"names":[],"mappings":";;;AAQO,IAAM,uBAAA,GAAN,cAAsC,KAAA,CAAM;AAAA,EACxC,MAAA;AAAA,EACA,UAAA;AAAA,EACA,IAAA;AAAA,EAET,YAAY,IAAA,EAKT;AACD,IAAA,KAAA,CAAM,KAAK,OAAO,CAAA;AAClB,IAAA,IAAA,CAAK,IAAA,GAAO,yBAAA;AACZ,IAAA,IAAA,CAAK,SAAS,IAAA,CAAK,MAAA;AACnB,IAAA,IAAA,CAAK,aAAa,IAAA,CAAK,UAAA;AACvB,IAAA,IAAA,CAAK,IAAA,GAAO,KAAK,IAAA,IAAQ,IAAA;AAAA,EAC3B;AACF;;;AC8LO,IAAM,wBAAN,MAA4B;AAAA,EAChB,OAAA;AAAA,EACA,GAAA;AAAA,EACA,OAAA;AAAA,EACA,SAAA;AAAA;AAAA,EAGR,aAAA;AAAA;AAAA,EAEA,aAAA;AAAA;AAAA,EAEA,IAAA;AAAA;AAAA,EAEA,KAAA;AAAA,EAET,YAAY,MAAA,EAAqC;AAC/C,IAAA,IAAI,CAAC,OAAO,OAAA,EAAS;AACnB,MAAA,MAAM,IAAI,MAAM,4CAA4C,CAAA;AAAA,IAC9D;AACA,IAAA,IAAA,CAAK,GAAA,GAAM,MAAA;AACX,IAAA,IAAA,CAAK,OAAA,GAAU,MAAA,CAAO,OAAA,CAAQ,OAAA,CAAQ,OAAO,EAAE,CAAA;AAC/C,IAAA,IAAA,CAAK,OAAA,GAAU,OAAO,OAAA,IAAW,GAAA;AACjC,IAAA,IAAA,CAAK,SAAA,GAAY,MAAA,CAAO,KAAA,IAAS,UAAA,CAAW,KAAA;AAC5C,IAAA,IAAI,CAAC,KAAK,SAAA,EAAW;AACnB,MAAA,MAAM,IAAI,KAAA;AAAA,QACR;AAAA,OACF;AAAA,IACF;AACA,IAAA,IAAA,CAAK,aAAA,GAAgB,IAAI,aAAA,CAAc,IAAI,CAAA;AAC3C,IAAA,IAAA,CAAK,aAAA,GAAgB,IAAI,aAAA,CAAc,IAAI,CAAA;AAC3C,IAAA,IAAA,CAAK,IAAA,GAAO,IAAI,WAAA,CAAY,IAAI,CAAA;AAChC,IAAA,IAAA,CAAK,KAAA,GAAQ,IAAI,cAAA,CAAe,IAAI,CAAA;AAAA,EACtC;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,EAAA,GAA+B;AAC7B,IAAA,OAAO,KAAK,UAAA,EAAW;AAAA,EACzB;AAAA;AAAA;AAAA;AAAA,EAMA,OAAO,IAAA,EAA8C;AACnD,IAAA,OAAO,IAAA,CAAK,IAAI,MAAA,EAAQ,iBAAA,EAAmB,EAAE,IAAA,EAAM,QAAA,EAAU,MAAM,CAAA;AAAA,EACrE;AAAA,EAEA,YAAY,KAAA,EAA6C;AACvD,IAAA,OAAO,IAAA,CAAK,GAAA,CAAI,KAAA,EAAO,iBAAA,EAAmB;AAAA,MACxC,IAAA,EAAM,QAAA;AAAA,MACN,KAAA,EAAO,EAAE,KAAA;AAAM,KAChB,CAAA;AAAA,EACH;AAAA,EAEA,MAAM,IAAA,EAA4C;AAChD,IAAA,OAAO,IAAA,CAAK,IAAI,MAAA,EAAQ,gBAAA,EAAkB,EAAE,IAAA,EAAM,QAAA,EAAU,MAAM,CAAA;AAAA,EACpE;AAAA,EAEA,MAAA,GAAkC;AAChC,IAAA,OAAO,KAAK,GAAA,CAAI,MAAA,EAAQ,mBAAmB,EAAE,IAAA,EAAM,UAAU,CAAA;AAAA,EAC/D;AAAA,EAEA,eAAe,IAAA,EAA8D;AAC3E,IAAA,OAAO,IAAA,CAAK,IAAI,MAAA,EAAQ,0BAAA,EAA4B,EAAE,IAAA,EAAM,QAAA,EAAU,MAAM,CAAA;AAAA,EAC9E;AAAA,EAEA,cAAc,IAAA,EAA4D;AACxE,IAAA,OAAO,IAAA,CAAK,IAAI,MAAA,EAAQ,yBAAA,EAA2B,EAAE,IAAA,EAAM,QAAA,EAAU,MAAM,CAAA;AAAA,EAC7E;AAAA;AAAA;AAAA;AAAA,EAMA,sBAAsB,IAAA,EAAkD;AACtE,IAAA,OAAO,IAAA,CAAK,GAAA,CAAI,MAAA,EAAQ,sBAAA,EAAwB;AAAA,MAC9C,IAAA,EAAM,eAAA;AAAA,MACN;AAAA,KACD,CAAA;AAAA,EACH;AAAA,EAEA,mBAAA,GAA+C;AAC7C,IAAA,OAAO,KAAK,GAAA,CAAI,KAAA,EAAO,sBAAsB,EAAE,IAAA,EAAM,iBAAiB,CAAA;AAAA,EACxE;AAAA;AAAA;AAAA;AAAA;AAAA,EAQA,QAAA,GAAuC;AACrC,IAAA,OAAO,KAAK,GAAA,CAAI,KAAA,EAAO,eAAe,EAAE,IAAA,EAAM,aAAa,CAAA;AAAA,EAC7D;AAAA,EAEA,cAAc,IAAA,EAAsD;AAClE,IAAA,OAAO,IAAA,CAAK,IAAI,MAAA,EAAQ,mBAAA,EAAqB,EAAE,IAAA,EAAM,WAAA,EAAa,MAAM,CAAA;AAAA,EAC1E;AAAA,EAEA,YAAA,GAA2C;AACzC,IAAA,OAAO,KAAK,GAAA,CAAI,KAAA,EAAO,qBAAqB,EAAE,IAAA,EAAM,aAAa,CAAA;AAAA,EACnE;AAAA;AAAA;AAAA;AAAA,EAMA,mBACE,IAAA,EACqC;AACrC,IAAA,OAAO,IAAA,CAAK,GAAA,CAAI,MAAA,EAAQ,yBAAA,EAA2B;AAAA,MACjD,IAAA,EAAM,YAAA;AAAA,MACN;AAAA,KACD,CAAA;AAAA,EACH;AAAA,EAEA,iBAAA,CACE,IACA,IAAA,EACiC;AACjC,IAAA,OAAO,IAAA,CAAK,GAAA;AAAA,MACV,OAAA;AAAA,MACA,CAAA,wBAAA,EAA2B,kBAAA,CAAmB,EAAE,CAAC,CAAA,aAAA,CAAA;AAAA,MACjD,EAAE,IAAA,EAAM,YAAA,EAAc,IAAA;AAAK,KAC7B;AAAA,EACF;AAAA,EAEA,mBAAmB,EAAA,EAAiD;AAClE,IAAA,OAAO,IAAA,CAAK,GAAA;AAAA,MACV,OAAA;AAAA,MACA,CAAA,wBAAA,EAA2B,kBAAA,CAAmB,EAAE,CAAC,CAAA,OAAA,CAAA;AAAA,MACjD,EAAE,MAAM,YAAA;AAAa,KACvB;AAAA,EACF;AAAA,EAEA,gBAAgB,EAAA,EAA2C;AACzD,IAAA,OAAO,IAAA,CAAK,GAAA;AAAA,MACV,MAAA;AAAA,MACA,CAAA,wBAAA,EAA2B,kBAAA,CAAmB,EAAE,CAAC,CAAA,WAAA,CAAA;AAAA,MACjD,EAAE,MAAM,YAAA;AAAa,KACvB;AAAA,EACF;AAAA,EAEA,gBAAA,CACE,IACA,IAAA,EACgC;AAChC,IAAA,OAAO,IAAA,CAAK,GAAA;AAAA,MACV,MAAA;AAAA,MACA,CAAA,wBAAA,EAA2B,kBAAA,CAAmB,EAAE,CAAC,CAAA,eAAA,CAAA;AAAA,MACjD,EAAE,IAAA,EAAM,YAAA,EAAc,IAAA;AAAK,KAC7B;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAMA,kBAAkB,KAAA,EAGqB;AACrC,IAAA,OAAO,IAAA,CAAK,GAAA,CAAI,KAAA,EAAO,6BAAA,EAA+B;AAAA,MACpD,IAAA,EAAM,WAAA;AAAA,MACN,KAAA,EAAO,SAAS;AAAC,KAClB,CAAA;AAAA,EACH;AAAA,EAEA,oBACE,IAAA,EACuC;AACvC,IAAA,OAAO,IAAA,CAAK,GAAA,CAAI,MAAA,EAAQ,6BAAA,EAA+B;AAAA,MACrD,IAAA,EAAM,WAAA;AAAA,MACN;AAAA,KACD,CAAA;AAAA,EACH;AAAA,EAEA,kBAAA,CACE,IACA,IAAA,EACqC;AACrC,IAAA,OAAO,IAAA,CAAK,GAAA;AAAA,MACV,MAAA;AAAA,MACA,CAAA,4BAAA,EAA+B,kBAAA,CAAmB,EAAE,CAAC,CAAA,OAAA,CAAA;AAAA,MACrD,EAAE,IAAA,EAAM,WAAA,EAAa,IAAA;AAAK,KAC5B;AAAA,EACF;AAAA,EAEA,mBAAmB,EAAA,EAAiD;AAClE,IAAA,OAAO,IAAA,CAAK,GAAA;AAAA,MACV,QAAA;AAAA,MACA,CAAA,4BAAA,EAA+B,kBAAA,CAAmB,EAAE,CAAC,CAAA,CAAA;AAAA,MACrD,EAAE,MAAM,WAAA;AAAY,KACtB;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAMA,IAAA,CAAK,MAAmB,SAAA,EAA2C;AACjE,IAAA,MAAM,OAAA,GAAU,SAAA,GAAY,EAAE,cAAA,EAAgB,WAAU,GAAI,MAAA;AAC5D,IAAA,OAAO,IAAA,CAAK,GAAA,CAAI,MAAA,EAAQ,UAAA,EAAY;AAAA,MAClC,IAAA,EAAM,WAAA;AAAA,MACN,IAAA;AAAA,MACA,GAAI,OAAA,GAAU,EAAE,OAAA,KAAY;AAAC,KAC9B,CAAA;AAAA,EACH;AAAA;AAAA;AAAA;AAAA,EAMA,kBACE,IAAA,EACoC;AACpC,IAAA,OAAO,IAAA,CAAK,GAAA,CAAI,MAAA,EAAQ,yBAAA,EAA2B;AAAA,MACjD,IAAA,EAAM,QAAA;AAAA,MACN;AAAA,KACD,CAAA;AAAA,EACH;AAAA,EAEA,cAAc,IAAA,EAA4D;AACxE,IAAA,OAAO,IAAA,CAAK,IAAI,MAAA,EAAQ,UAAA,EAAY,EAAE,IAAA,EAAM,eAAA,EAAiB,MAAM,CAAA;AAAA,EACrE;AAAA,EAEA,iBACE,IAAA,EACmC;AACnC,IAAA,OAAO,IAAA,CAAK,GAAA,CAAI,MAAA,EAAQ,iBAAA,EAAmB;AAAA,MACzC,IAAA,EAAM,eAAA;AAAA,MACN;AAAA,KACD,CAAA;AAAA,EACH;AAAA,EAEA,cAAc,IAAA,EAA4C;AACxD,IAAA,OAAO,IAAA,CAAK,GAAA,CAAI,MAAA,EAAQ,qBAAA,EAAuB;AAAA,MAC7C,IAAA,EAAM,eAAA;AAAA,MACN;AAAA,KACD,CAAA;AAAA,EACH;AAAA,EAEA,gBAAgB,IAAA,EAAgD;AAC9D,IAAA,OAAO,IAAA,CAAK,GAAA,CAAI,MAAA,EAAQ,uBAAA,EAAyB;AAAA,MAC/C,IAAA,EAAM,eAAA;AAAA,MACN;AAAA,KACD,CAAA;AAAA,EACH;AAAA;AAAA;AAAA;AAAA,EAMA,cAAA,CACE,eAAA,EACA,IAAA,EACA,cAAA,EACiC;AAKjC,IAAA,MAAM,GAAA,GAAM,kBAAkB,UAAA,EAAW;AACzC,IAAA,OAAO,IAAA,CAAK,GAAA;AAAA,MACV,MAAA;AAAA,MACA,CAAA,cAAA,EAAiB,kBAAA,CAAmB,eAAe,CAAC,CAAA,kBAAA,CAAA;AAAA,MACpD,EAAE,MAAM,eAAA,EAAiB,IAAA,EAAM,SAAS,EAAE,iBAAA,EAAmB,KAAI;AAAE,KACrE;AAAA,EACF;AAAA,EAEA,WAAA,CACE,eAAA,EACA,SAAA,EACA,IAAA,EAC8B;AAC9B,IAAA,OAAO,IAAA,CAAK,GAAA;AAAA,MACV,MAAA;AAAA,MACA,iBAAiB,kBAAA,CAAmB,eAAe,CAAC,CAAA,WAAA,EAAc,kBAAA,CAAmB,SAAS,CAAC,CAAA,KAAA,CAAA;AAAA,MAC/F,EAAE,IAAA,EAAM,eAAA,EAAiB,IAAA;AAAK,KAChC;AAAA,EACF;AAAA,EAEA,eAAA,CACE,iBACA,SAAA,EACkC;AAClC,IAAA,OAAO,IAAA,CAAK,GAAA;AAAA,MACV,MAAA;AAAA,MACA,iBAAiB,kBAAA,CAAmB,eAAe,CAAC,CAAA,WAAA,EAAc,kBAAA,CAAmB,SAAS,CAAC,CAAA,SAAA,CAAA;AAAA,MAC/F,EAAE,MAAM,eAAA;AAAgB,KAC1B;AAAA,EACF;AAAA,EAEA,aAAA,CACE,eAAA,EACA,SAAA,EACA,IAAA,EACA,cAAA,EACgC;AAChC,IAAA,MAAM,GAAA,GAAM,kBAAkB,UAAA,EAAW;AACzC,IAAA,OAAO,IAAA,CAAK,GAAA;AAAA,MACV,MAAA;AAAA,MACA,iBAAiB,kBAAA,CAAmB,eAAe,CAAC,CAAA,WAAA,EAAc,kBAAA,CAAmB,SAAS,CAAC,CAAA,OAAA,CAAA;AAAA,MAC/F,EAAE,MAAM,eAAA,EAAiB,IAAA,EAAM,SAAS,EAAE,iBAAA,EAAmB,KAAI;AAAE,KACrE;AAAA,EACF;AAAA,EAEA,UAAA,CACE,iBACA,SAAA,EAC6B;AAC7B,IAAA,OAAO,IAAA,CAAK,GAAA;AAAA,MACV,KAAA;AAAA,MACA,iBAAiB,kBAAA,CAAmB,eAAe,CAAC,CAAA,WAAA,EAAc,kBAAA,CAAmB,SAAS,CAAC,CAAA,CAAA;AAAA,MAC/F,EAAE,MAAM,QAAA;AAAS,KACnB;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAeA,gBAAA,CACE,eAAA,EACA,IAAA,EACA,cAAA,EACmC;AACnC,IAAA,MAAM,GAAA,GAAM,kBAAkB,UAAA,EAAW;AACzC,IAAA,OAAO,IAAA,CAAK,GAAA;AAAA,MACV,MAAA;AAAA,MACA,CAAA,cAAA,EAAiB,kBAAA,CAAmB,eAAe,CAAC,CAAA,kBAAA,CAAA;AAAA,MACpD,EAAE,MAAM,WAAA,EAAa,IAAA,EAAM,SAAS,EAAE,iBAAA,EAAmB,KAAI;AAAE,KACjE;AAAA,EACF;AAAA,EAEA,aAAA,CACE,eAAA,EACA,QAAA,EACA,IAAA,EACoC;AACpC,IAAA,OAAO,IAAA,CAAK,GAAA;AAAA,MACV,MAAA;AAAA,MACA,iBAAiB,kBAAA,CAAmB,eAAe,CAAC,CAAA,WAAA,EAAc,kBAAA,CAAmB,QAAQ,CAAC,CAAA,KAAA,CAAA;AAAA,MAC9F,EAAE,IAAA,EAAM,WAAA,EAAa,IAAA;AAAK,KAC5B;AAAA,EACF;AAAA,EAEA,iBAAA,CACE,iBACA,QAAA,EACoC;AACpC,IAAA,OAAO,IAAA,CAAK,GAAA;AAAA,MACV,MAAA;AAAA,MACA,iBAAiB,kBAAA,CAAmB,eAAe,CAAC,CAAA,WAAA,EAAc,kBAAA,CAAmB,QAAQ,CAAC,CAAA,SAAA,CAAA;AAAA,MAC9F,EAAE,MAAM,WAAA;AAAY,KACtB;AAAA,EACF;AAAA,EAEA,eAAA,CACE,eAAA,EACA,SAAA,EACA,IAAA,EACA,cAAA,EACkC;AAClC,IAAA,MAAM,GAAA,GAAM,kBAAkB,UAAA,EAAW;AACzC,IAAA,OAAO,IAAA,CAAK,GAAA;AAAA,MACV,MAAA;AAAA,MACA,iBAAiB,kBAAA,CAAmB,eAAe,CAAC,CAAA,WAAA,EAAc,kBAAA,CAAmB,SAAS,CAAC,CAAA,OAAA,CAAA;AAAA,MAC/F,EAAE,MAAM,WAAA,EAAa,IAAA,EAAM,SAAS,EAAE,iBAAA,EAAmB,KAAI;AAAE,KACjE;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAMA,UAAA,GAAuC;AACrC,IAAA,OAAO,KAAK,GAAA,CAAI,KAAA,EAAO,eAAe,EAAE,IAAA,EAAM,iBAAiB,CAAA;AAAA,EACjE;AAAA,EAEA,SAAA,GAAqC;AACnC,IAAA,OAAO,KAAK,GAAA,CAAI,KAAA,EAAO,sBAAsB,EAAE,IAAA,EAAM,iBAAiB,CAAA;AAAA,EACxE;AAAA;AAAA;AAAA;AAAA,EAMA,iBAAA,GAAwD;AACtD,IAAA,OAAO,KAAK,GAAA,CAAI,KAAA,EAAO,sBAAsB,EAAE,IAAA,EAAM,iBAAiB,CAAA;AAAA,EACxE;AAAA,EAEA,mBAAmB,GAAA,EAA4B;AAC7C,IAAA,OAAO,KAAK,GAAA,CAAI,QAAA,EAAU,sBAAsB,kBAAA,CAAmB,GAAG,CAAC,CAAA,CAAA,EAAI;AAAA,MACzE,IAAA,EAAM,eAAA;AAAA,MACN,eAAA,EAAiB;AAAA,KAClB,CAAA;AAAA,EACH;AAAA,EAEA,sBAAA,GAAwC;AACtC,IAAA,OAAO,IAAA,CAAK,GAAA,CAAI,QAAA,EAAU,oBAAA,EAAsB;AAAA,MAC9C,IAAA,EAAM,eAAA;AAAA,MACN,eAAA,EAAiB;AAAA,KAClB,CAAA;AAAA,EACH;AAAA;AAAA;AAAA;AAAA,EAMA,UAAA,GAA0C;AACxC,IAAA,OAAO,KAAK,GAAA,CAAI,KAAA,EAAO,gBAAgB,EAAE,IAAA,EAAM,UAAU,CAAA;AAAA,EAC3D;AAAA,EAEA,WAAA,GAA4C;AAC1C,IAAA,OAAO,KAAK,GAAA,CAAI,KAAA,EAAO,iBAAiB,EAAE,IAAA,EAAM,UAAU,CAAA;AAAA,EAC5D;AAAA;AAAA;AAAA;AAAA;AAAA,EAOA,MAAc,GAAA,CACZ,MAAA,EACA,IAAA,EACA,IAAA,EACY;AACZ,IAAA,MAAM,GAAA,GAAM,IAAA,CAAK,QAAA,CAAS,IAAA,EAAM,KAAK,KAAK,CAAA;AAC1C,IAAA,MAAM,OAAA,GAAkC;AAAA,MACtC,MAAA,EAAQ,kBAAA;AAAA,MACR,GAAI,IAAA,CAAK,OAAA,IAAW;AAAC,KACvB;AAEA,IAAA,IAAI,IAAA,CAAK,SAAS,MAAA,EAAW;AAC3B,MAAA,OAAA,CAAQ,cAAc,CAAA,GAAI,kBAAA;AAAA,IAC5B;AAEA,IAAA,MAAM,UAAA,GACJ,KAAK,IAAA,KAAS,MAAA,GAAY,KAAK,SAAA,CAAU,IAAA,CAAK,IAAI,CAAA,GAAI,MAAA;AAExD,IAAA,MAAM,IAAA,CAAK,UAAU,OAAA,EAAS,IAAA,CAAK,MAAM,MAAA,EAAQ,IAAA,EAAM,cAAc,EAAE,CAAA;AAEvE,IAAA,MAAM,UAAA,GAAa,IAAI,eAAA,EAAgB;AACvC,IAAA,MAAM,QAAQ,UAAA,CAAW,MAAM,WAAW,KAAA,EAAM,EAAG,KAAK,OAAO,CAAA;AAE/D,IAAA,IAAI,GAAA;AACJ,IAAA,IAAI;AACF,MAAA,GAAA,GAAM,MAAM,IAAA,CAAK,SAAA,CAAU,GAAA,EAAK;AAAA,QAC9B,MAAA;AAAA,QACA,OAAA;AAAA,QACA,IAAA,EAAM,UAAA;AAAA,QACN,QAAQ,UAAA,CAAW,MAAA;AAAA;AAAA;AAAA,QAGnB,WAAA,EAAa;AAAA,OACd,CAAA;AAAA,IACH,SAAS,GAAA,EAAK;AACZ,MAAA,MAAM,IAAI,uBAAA,CAAwB;AAAA,QAChC,MAAA,EAAQ,CAAA;AAAA,QACR,OAAA,EACE,GAAA,YAAe,KAAA,GACX,CAAA,yBAAA,EAA4B,IAAA,CAAK,OAAO,CAAA,EAAA,EAAK,GAAA,CAAI,OAAO,CAAA,CAAA,GACxD,CAAA,yBAAA,EAA4B,IAAA,CAAK,OAAO,CAAA;AAAA,OAC/C,CAAA;AAAA,IACH,CAAA,SAAE;AACA,MAAA,YAAA,CAAa,KAAK,CAAA;AAAA,IACpB;AAEA,IAAA,IAAI,KAAK,eAAA,EAAiB;AACxB,MAAA,IAAI,CAAC,IAAI,EAAA,EAAI;AACX,QAAA,MAAM,MAAM,IAAA,CAAK,UAAA,CAAW,GAAG,CAAA;AAAA,MACjC;AACA,MAAA,OAAO,MAAA;AAAA,IACT;AAEA,IAAA,MAAM,IAAA,GAAO,MAAM,GAAA,CAAI,IAAA,EAAK;AAC5B,IAAA,IAAI,MAAA,GAAkB,IAAA;AACtB,IAAA,IAAI,IAAA,CAAK,SAAS,CAAA,EAAG;AACnB,MAAA,IAAI;AACF,QAAA,MAAA,GAAS,IAAA,CAAK,MAAM,IAAI,CAAA;AAAA,MAC1B,CAAA,CAAA,MAAQ;AAAA,MAER;AAAA,IACF;AAEA,IAAA,IAAI,CAAC,IAAI,EAAA,EAAI;AACX,MAAA,MAAM,IAAA,CAAK,aAAA,CAAc,GAAA,CAAI,MAAA,EAAQ,QAAQ,IAAI,CAAA;AAAA,IACnD;AAEA,IAAA,OAAO,MAAA;AAAA,EACT;AAAA,EAEQ,QAAA,CACN,MACA,KAAA,EACQ;AACR,IAAA,IAAI,CAAC,KAAA,EAAO,OAAO,GAAG,IAAA,CAAK,OAAO,GAAG,IAAI,CAAA,CAAA;AACzC,IAAA,MAAM,EAAA,GAAK,IAAI,eAAA,EAAgB;AAC/B,IAAA,KAAA,MAAW,CAAC,CAAA,EAAG,CAAC,KAAK,MAAA,CAAO,OAAA,CAAQ,KAAK,CAAA,EAAG;AAC1C,MAAA,IAAI,MAAM,MAAA,EAAW,EAAA,CAAG,IAAI,CAAA,EAAG,MAAA,CAAO,CAAC,CAAC,CAAA;AAAA,IAC1C;AACA,IAAA,MAAM,MAAA,GAAS,GAAG,QAAA,EAAS;AAC3B,IAAA,OAAO,MAAA,GAAS,CAAA,EAAG,IAAA,CAAK,OAAO,CAAA,EAAG,IAAI,CAAA,CAAA,EAAI,MAAM,CAAA,CAAA,GAAK,CAAA,EAAG,IAAA,CAAK,OAAO,GAAG,IAAI,CAAA,CAAA;AAAA,EAC7E;AAAA,EAEA,MAAc,SAAA,CACZ,OAAA,EACA,IAAA,EACA,MAAA,EACA,MACA,UAAA,EACe;AACf,IAAA,QAAQ,IAAA;AAAM,MACZ,KAAK,QAAA;AACH,QAAA;AAAA,MACF,KAAK,eAAA,EAAiB;AACpB,QAAA,IAAI,IAAA,CAAK,IAAI,aAAA,EAAe;AAI1B,UAAA,OAAA,CAAQ,QAAQ,CAAA,GAAI,CAAA,YAAA,EAAe,IAAA,CAAK,IAAI,aAAa,CAAA,CAAA;AAAA,QAC3D;AACA,QAAA;AAAA,MACF;AAAA,MACA,KAAK,WAAA,EAAa;AAChB,QAAA,IAAI,CAAC,IAAA,CAAK,GAAA,CAAI,WAAA,EAAa;AACzB,UAAA,MAAM,IAAI,KAAA;AAAA,YACR,CAAA,uBAAA,EAA0B,MAAM,CAAA,CAAA,EAAI,IAAI,CAAA,yEAAA;AAAA,WAC1C;AAAA,QACF;AACA,QAAA,OAAA,CAAQ,eAAe,CAAA,GAAI,CAAA,OAAA,EAAU,IAAA,CAAK,IAAI,WAAW,CAAA,CAAA;AACzD,QAAA;AAAA,MACF;AAAA,MACA,KAAK,WAAA,EAAa;AAChB,QAAA,IAAI,CAAC,IAAA,CAAK,GAAA,CAAI,SAAA,EAAW;AACvB,UAAA,MAAM,IAAI,KAAA;AAAA,YACR,CAAA,uBAAA,EAA0B,MAAM,CAAA,CAAA,EAAI,IAAI,CAAA,yEAAA;AAAA,WAC1C;AAAA,QACF;AACA,QAAA,OAAA,CAAQ,eAAe,CAAA,GAAI,CAAA,OAAA,EAAU,IAAA,CAAK,IAAI,SAAS,CAAA,CAAA;AACvD,QAAA;AAAA,MACF;AAAA,MACA,KAAK,YAAA,EAAc;AACjB,QAAA,IAAI,CAAC,IAAA,CAAK,GAAA,CAAI,UAAA,EAAY;AACxB,UAAA,MAAM,IAAI,KAAA;AAAA,YACR,CAAA,uBAAA,EAA0B,MAAM,CAAA,CAAA,EAAI,IAAI,CAAA,iEAAA;AAAA,WAC1C;AAAA,QACF;AACA,QAAA,OAAA,CAAQ,eAAe,CAAA,GAAI,CAAA,OAAA,EAAU,IAAA,CAAK,IAAI,UAAU,CAAA,CAAA;AACxD,QAAA;AAAA,MACF;AAAA,MACA,KAAK,eAAA,EAAiB;AACpB,QAAA,IAAI,CAAC,IAAA,CAAK,GAAA,CAAI,aAAA,EAAe;AAC3B,UAAA,MAAM,IAAI,KAAA;AAAA,YACR,CAAA,uBAAA,EAA0B,MAAM,CAAA,CAAA,EAAI,IAAI,CAAA,6EAAA;AAAA,WAC1C;AAAA,QACF;AACA,QAAA,MAAM,SAAA,GAAY,KAAK,KAAA,CAAM,IAAA,CAAK,KAAI,GAAI,GAAI,EAAE,QAAA,EAAS;AACzD,QAAA,MAAM,QAAA,GAAW,MAAM,SAAA,CAAU,UAAU,CAAA;AAI3C,QAAA,MAAM,OAAA,GAAU,OAAA,CAAQ,iBAAiB,CAAA,IAAK,EAAA;AAC9C,QAAA,MAAM,SAAA,GAAY,CAAA,EAAG,MAAA,CAAO,WAAA,EAAa;AAAA,EAAK,IAAI;AAAA,EAAK,SAAS;AAAA,EAAK,OAAO;AAAA,EAAK,QAAQ,CAAA,CAAA;AACzF,QAAA,MAAM,YAAY,MAAM,IAAA,CAAK,GAAA,CAAI,aAAA,CAAc,KAAK,SAAS,CAAA;AAC7D,QAAA,OAAA,CAAQ,eAAe,CAAA,GAAI,IAAA,CAAK,GAAA,CAAI,aAAA,CAAc,YAAA;AAClD,QAAA,OAAA,CAAQ,qBAAqB,CAAA,GAAI,SAAA;AACjC,QAAA,OAAA,CAAQ,qBAAqB,CAAA,GAAI,SAAA;AACjC,QAAA;AAAA,MACF;AAAA;AACF,EACF;AAAA,EAEQ,aAAA,CACN,MAAA,EACA,MAAA,EACA,OAAA,EACyB;AACzB,IAAA,MAAM,IAAA,GAAO,MAAA;AAGb,IAAA,MAAM,OAAA,GAAU,MAAM,OAAA,CAAQ,IAAA,EAAM,OAAO,CAAA,GACvC,IAAA,CAAM,QAAQ,IAAA,CAAK,IAAI,IACvB,OAAO,IAAA,EAAM,YAAY,QAAA,GACvB,IAAA,CAAM,UACN,IAAA,EAAM,KAAA,IAAS,QAAQ,MAAM,CAAA,CAAA;AACnC,IAAA,OAAO,IAAI,uBAAA,CAAwB;AAAA,MACjC,MAAA;AAAA,MACA,OAAA;AAAA,MACA,YAAY,IAAA,EAAM,KAAA;AAAA,MAClB,MAAM,MAAA,IAAU;AAAA,KACjB,CAAA;AAAA,EACH;AAAA,EAEA,MAAc,WAAW,GAAA,EAAiD;AACxE,IAAA,MAAM,IAAA,GAAO,MAAM,GAAA,CAAI,IAAA,EAAK;AAC5B,IAAA,IAAI,MAAA,GAAkB,IAAA;AACtB,IAAA,IAAI,IAAA,CAAK,SAAS,CAAA,EAAG;AACnB,MAAA,IAAI;AACF,QAAA,MAAA,GAAS,IAAA,CAAK,MAAM,IAAI,CAAA;AAAA,MAC1B,CAAA,CAAA,MAAQ;AAAA,MAER;AAAA,IACF;AACA,IAAA,OAAO,IAAA,CAAK,aAAA,CAAc,GAAA,CAAI,MAAA,EAAQ,QAAQ,IAAI,CAAA;AAAA,EACpD;AACF;AAaO,IAAM,gBAAN,MAAoB;AAAA,EACzB,YAA6B,MAAA,EAA+B;AAA/B,IAAA,IAAA,CAAA,MAAA,GAAA,MAAA;AAAA,EAAgC;AAAA,EAAhC,MAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAO7B,UAAU,IAAA,EAAkD;AAC1D,IAAA,OAAO,IAAA,CAAK,MAAA,CAAO,qBAAA,CAAsB,IAAI,CAAA;AAAA,EAC/C;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOA,MAAA,GAAkC;AAChC,IAAA,OAAO,IAAA,CAAK,OAAO,mBAAA,EAAoB;AAAA,EACzC;AAAA;AAAA,EAGA,SAAA,GAAqC;AACnC,IAAA,OAAO,IAAA,CAAK,OAAO,SAAA,EAAU;AAAA,EAC/B;AACF;AAGO,IAAM,gBAAN,MAAoB;AAAA,EACzB,YAA6B,MAAA,EAA+B;AAA/B,IAAA,IAAA,CAAA,MAAA,GAAA,MAAA;AAAA,EAAgC;AAAA,EAAhC,MAAA;AAAA;AAAA,EAG7B,KAAK,KAAA,EAGkC;AACrC,IAAA,OAAO,IAAA,CAAK,MAAA,CAAO,iBAAA,CAAkB,KAAK,CAAA;AAAA,EAC5C;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAmBA,MAAM,UACJ,IAAA,EACsC;AACtC,IAAA,MAAM,IAAA,GAAO,MAAM,IAAA,CAAK,MAAA,CAAO,mBAAA,CAAoB;AAAA,MACjD,iBAAiB,IAAA,CAAK;AAAA,KACvB,CAAA;AACD,IAAA,MAAM,iBAAiB,MAAM,IAAA,CAAK,WAAA,CAAY,IAAA,CAAK,KAAK,aAAa,CAAA;AACrE,IAAA,IAAI,GAAA,GAAM,MAAM,IAAA,CAAK,MAAA,CAAO,mBAAmB,IAAA,CAAK,EAAA,EAAI,EAAE,cAAA,EAAgB,CAAA;AAE1E,IAAA,IAAI,CAAC,IAAI,SAAA,EAAW;AAClB,MAAA,MAAM,QAAA,GAAW,KAAK,cAAA,IAAkB,GAAA;AACxC,MAAA,MAAM,OAAA,GAAU,KAAK,aAAA,IAAiB,GAAA;AACtC,MAAA,MAAM,QAAA,GAAW,IAAA,CAAK,GAAA,EAAI,GAAI,OAAA;AAC9B,MAAA,OAAO,CAAC,GAAA,CAAI,SAAA,IAAa,IAAA,CAAK,GAAA,KAAQ,QAAA,EAAU;AAC9C,QAAA,MAAM,MAAM,QAAQ,CAAA;AACpB,QAAA,GAAA,GAAM,MAAM,IAAA,CAAK,MAAA,CAAO,mBAAmB,IAAA,CAAK,EAAA,EAAI,EAAE,CAAA;AAAA,MACxD;AAAA,IACF;AAEA,IAAA,OAAO;AAAA,MACL,IAAI,IAAA,CAAK,EAAA;AAAA,MACT,WAAW,IAAA,CAAK,SAAA;AAAA,MAChB,iBAAiB,GAAA,CAAI,eAAA;AAAA,MACrB,WAAW,GAAA,CAAI,SAAA;AAAA,MACf,aAAa,GAAA,CAAI;AAAA,KACnB;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQA,OAAO,EAAA,EAAiD;AACtD,IAAA,OAAO,IAAA,CAAK,MAAA,CAAO,kBAAA,CAAmB,EAAE,CAAA;AAAA,EAC1C;AACF;AAUO,IAAM,cAAN,MAAkB;AAAA,EACvB,YAA6B,MAAA,EAA+B;AAA/B,IAAA,IAAA,CAAA,MAAA,GAAA,MAAA;AAAA,EAAgC;AAAA,EAAhC,MAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAO7B,MAAM,IAAA,GAAgD;AACpD,IAAA,MAAM,OAAA,GAAU,MAAM,IAAA,CAAK,MAAA,CAAO,UAAA,EAAW;AAC7C,IAAA,OAAO,OAAA,CAAQ,WAAA;AAAA,EACjB;AAAA,EAEA,IAAI,IAAA,EAA4D;AAC9D,IAAA,OAAO,IAAA,CAAK,MAAA,CAAO,aAAA,CAAc,IAAI,CAAA;AAAA,EACvC;AAAA,EAEA,OAAO,IAAA,EAAkE;AACvE,IAAA,OAAO,IAAA,CAAK,MAAA,CAAO,gBAAA,CAAiB,IAAI,CAAA;AAAA,EAC1C;AACF;AAGO,IAAM,iBAAN,MAAqB;AAAA,EACjB,QAAA;AAAA,EACT,YAAY,MAAA,EAA+B;AACzC,IAAA,IAAA,CAAK,QAAA,GAAW,IAAI,aAAA,CAAc,MAAM,CAAA;AAAA,EAC1C;AACF;AAEO,IAAM,gBAAN,MAAoB;AAAA,EACzB,YAA6B,MAAA,EAA+B;AAA/B,IAAA,IAAA,CAAA,MAAA,GAAA,MAAA;AAAA,EAAgC;AAAA,EAAhC,MAAA;AAAA,EAE7B,IAAA,GAA2C;AACzC,IAAA,OAAO,IAAA,CAAK,OAAO,iBAAA,EAAkB;AAAA,EACvC;AAAA,EAEA,OAAO,GAAA,EAA4B;AACjC,IAAA,OAAO,IAAA,CAAK,MAAA,CAAO,kBAAA,CAAmB,GAAG,CAAA;AAAA,EAC3C;AAAA,EAEA,SAAA,GAA2B;AACzB,IAAA,OAAO,IAAA,CAAK,OAAO,sBAAA,EAAuB;AAAA,EAC5C;AACF;AAEA,SAAS,MAAM,EAAA,EAA2B;AACxC,EAAA,OAAO,IAAI,OAAA,CAAQ,CAAC,YAAY,UAAA,CAAW,OAAA,EAAS,EAAE,CAAC,CAAA;AACzD;AAOA,SAAS,UAAA,GAAqB;AAC5B,EAAA,MAAM,IAAK,UAAA,CAA0D,MAAA;AACrE,EAAA,IAAI,CAAC,GAAG,UAAA,EAAY;AAClB,IAAA,MAAM,IAAI,KAAA;AAAA,MACR;AAAA,KACF;AAAA,EACF;AACA,EAAA,OAAO,EAAE,UAAA,EAAW;AACtB;AAMA,eAAe,UAAU,KAAA,EAAgC;AACvD,EAAA,MAAM,MAAA,GAAU,WAAsD,MAAA,EAClE,MAAA;AACJ,EAAA,IAAI,CAAC,MAAA,EAAQ;AACX,IAAA,MAAM,IAAI,KAAA;AAAA,MACR;AAAA,KACF;AAAA,EACF;AACA,EAAA,MAAM,IAAA,GAAO,IAAI,WAAA,EAAY,CAAE,OAAO,KAAK,CAAA;AAC3C,EAAA,MAAM,MAAA,GAAS,MAAM,MAAA,CAAO,MAAA,CAAO,WAAW,IAAI,CAAA;AAClD,EAAA,MAAM,KAAA,GAAQ,IAAI,UAAA,CAAW,MAAM,CAAA;AACnC,EAAA,IAAI,GAAA,GAAM,EAAA;AACV,EAAA,KAAA,MAAW,CAAA,IAAK,OAAO,GAAA,IAAO,CAAA,CAAE,SAAS,EAAE,CAAA,CAAE,QAAA,CAAS,CAAA,EAAG,GAAG,CAAA;AAC5D,EAAA,OAAO,GAAA;AACT;;;ACr+BO,IAAM,6BAAN,MAAiC;AAAA,EACrB,KAAA;AAAA,EAEjB,YAAY,MAAA,EAA0C;AACpD,IAAA,IAAI,CAAC,OAAO,UAAA,EAAY;AACtB,MAAA,MAAM,IAAI,MAAM,oDAAoD,CAAA;AAAA,IACtE;AACA,IAAA,IAAA,CAAK,KAAA,GAAQ,IAAI,qBAAA,CAAsB;AAAA,MACrC,SAAS,MAAA,CAAO,OAAA;AAAA,MAChB,YAAY,MAAA,CAAO,UAAA;AAAA,MACnB,SAAS,MAAA,CAAO,OAAA;AAAA,MAChB,OAAO,MAAA,CAAO;AAAA,KACf,CAAA;AAAA,EACH;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAUA,mBACE,IAAA,EACqC;AACrC,IAAA,OAAO,IAAA,CAAK,KAAA,CAAM,kBAAA,CAAmB,IAAI,CAAA;AAAA,EAC3C;AAAA;AAAA,EAGA,cAAA,CACE,OACA,WAAA,EACiC;AACjC,IAAA,OAAO,KAAK,KAAA,CAAM,iBAAA,CAAkB,KAAA,EAAO,EAAE,aAAa,CAAA;AAAA,EAC5D;AAAA;AAAA,EAGA,YAAY,KAAA,EAAoD;AAC9D,IAAA,OAAO,IAAA,CAAK,KAAA,CAAM,kBAAA,CAAmB,KAAK,CAAA;AAAA,EAC5C;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOA,aAAa,KAAA,EAA8C;AACzD,IAAA,OAAO,IAAA,CAAK,KAAA,CAAM,eAAA,CAAgB,KAAK,CAAA;AAAA,EACzC;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAUA,aAAA,CACE,KAAA,EACA,KAAA,EACA,IAAA,EACgC;AAChC,IAAA,OAAO,KAAK,KAAA,CAAM,gBAAA,CAAiB,OAAO,EAAE,KAAA,EAAO,MAAM,CAAA;AAAA,EAC3D;AACF;;;ACrEO,IAAM,2BAAN,MAA+B;AAAA,EACnB,KAAA;AAAA;AAAA,EAER,KAAA;AAAA,EAET,YAAY,MAAA,EAAwC;AAClD,IAAA,IAAI,CAAC,OAAO,SAAA,EAAW;AACrB,MAAA,MAAM,IAAI,MAAM,iDAAiD,CAAA;AAAA,IACnE;AACA,IAAA,IAAA,CAAK,KAAA,GAAQ,IAAI,qBAAA,CAAsB;AAAA,MACrC,SAAS,MAAA,CAAO,OAAA;AAAA,MAChB,WAAW,MAAA,CAAO,SAAA;AAAA,MAClB,SAAS,MAAA,CAAO,OAAA;AAAA,MAChB,OAAO,MAAA,CAAO;AAAA,KACf,CAAA;AACD,IAAA,IAAA,CAAK,KAAA,GAAQ,IAAI,QAAA,CAAS,IAAA,CAAK,KAAK,CAAA;AAAA,EACtC;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EASA,EAAA,GAAiC;AAC/B,IAAA,OAAO,IAAA,CAAK,MAAM,QAAA,EAAS;AAAA,EAC7B;AACF;AAGO,IAAM,WAAN,MAAe;AAAA,EACpB,YAA6B,KAAA,EAA8B;AAA9B,IAAA,IAAA,CAAA,KAAA,GAAA,KAAA;AAAA,EAA+B;AAAA,EAA/B,KAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAM7B,OAAO,IAAA,EAAsD;AAC3D,IAAA,OAAO,IAAA,CAAK,KAAA,CAAM,aAAA,CAAc,IAAI,CAAA;AAAA,EACtC;AAAA;AAAA,EAGA,IAAA,GAAmC;AACjC,IAAA,OAAO,IAAA,CAAK,MAAM,YAAA,EAAa;AAAA,EACjC;AACF","file":"index.js","sourcesContent":["/**\n * Error thrown for any non-2xx response from the accounts API.\n *\n * The accounts service emits NestJS-style HttpException bodies — typically\n * `{ statusCode: number; error: string; message: string | string[] }`. Both\n * shapes are forwarded as `body`; the more useful fields are surfaced as\n * top-level properties.\n */\nexport class WitniumAccountsApiError extends Error {\n readonly status: number;\n readonly errorLabel: string | undefined;\n readonly body: unknown;\n\n constructor(args: {\n status: number;\n message: string;\n errorLabel?: string | undefined;\n body?: unknown;\n }) {\n super(args.message);\n this.name = 'WitniumAccountsApiError';\n this.status = args.status;\n this.errorLabel = args.errorLabel;\n this.body = args.body ?? null;\n }\n}\n","/**\n * WitniumAccountsClient — typed HTTP client for the WitniumChain accounts API.\n *\n * This is the v1 \"shell\" client: one low-level method per OpenAPI route.\n * Thread 4 (per docs/PLAN-PHASE-C-HARDEN-SURFACES.md) will layer three\n * higher-level clients on top — `WitniumAccountsClient` (end-user),\n * `WitniumAccountsOrgClient` (org admin), `WitniumAccountsAdminClient`\n * (sysadmin) — with ergonomic helpers for signup, subscriptions,\n * delegated-key provisioning, Stripe Connect onboarding, etc.\n *\n * Auth model — five distinct credentials, each used by a known subset of\n * routes. Configure whichever you'll actually use; methods that need a\n * credential you didn't supply throw at call time.\n *\n * - sessionCookie — `wac_session` value for browser-cookie routes.\n * - accessToken — OAuth Bearer JWT for end-user API.\n * - orgApiKey — `wcorg_live_…` for org admin.\n * - adminToken — sysadmin token.\n * - signedRequest — Ed25519 signer for SDK signed-request routes\n * (witnesses propose/sign/finalize/revoke). The SDK\n * does the canonical-message construction; you supply\n * only the public key + signing callback.\n *\n * Every request/response type is derived from the published OpenAPI spec.\n * A CI drift test in the accounts repo asserts the spec matches what the\n * deployed server serves; another asserts the regenerated SDK types match\n * the committed `src/generated/openapi.ts`.\n */\n\nimport { WitniumAccountsApiError } from './errors';\nimport type {\n // Auth\n SignupRequest,\n SignupResponse,\n VerifyEmailResponse,\n LoginRequest,\n LoginResponse,\n LogoutResponse,\n ForgotPasswordRequest,\n ForgotPasswordResponse,\n ResetPasswordRequest,\n ResetPasswordResponse,\n // Billing\n CheckoutRequest,\n CheckoutResponse,\n PortalResponse,\n // Orgs\n PublicOrgResponse,\n CreateUserRequest,\n CreateUserResponse,\n ListUsersResponse,\n // Admin\n CreateOrganizationRequest,\n CreateOrganizationResponse,\n SetAccountTypeRequest,\n SetAccountTypeResponse,\n VerifyOrganizationResponse,\n RotateApiKeyResponse,\n AdjustCreditsRequest,\n AdjustCreditsResponse,\n // Delegated keys\n ListDelegatedKeysResponse,\n PrepareDelegatedKeyRequest,\n PreparedDelegatedKeyResponse,\n SubmitDelegatedKeyRequest,\n SubmitDelegatedKeyResponse,\n RevokeDelegatedKeyResponse,\n // Sign\n SignRequest,\n SignResponse,\n // Contracts\n ProvisionContractRequest,\n ProvisionContractResponse,\n AddSigningKeyRequest,\n AddSigningKeyResponse,\n RevokeSigningKeyRequest,\n RevokeSigningKeyResponse,\n PauseRequest,\n PauseResponse,\n UnpauseRequest,\n UnpauseResponse,\n // Witnesses (v1 — legacy v3 proxy)\n ProposeWitnessRequest,\n ProposeWitnessResponse,\n SignWitnessRequest,\n SignWitnessResponse,\n FinalizeWitnessResponse,\n RevokeWitnessRequest,\n RevokeWitnessResponse,\n GetWitnessResponse,\n // v5 Witnesses (metered proxy)\n ProposeWitnessV5Request,\n ProposeWitnessV5Response,\n SubmitSignatureV5Request,\n SubmitSignatureV5Response,\n FinalizeWitnessV5Response,\n RevokeWitnessV5Request,\n RevokeWitnessV5Response,\n // Users\n AccountResponse,\n LedgerResponse,\n // OAuth\n ListOauthSessionsResponse,\n // Health\n HealthLiveResponse,\n HealthReadyResponse,\n} from './types';\n\nexport interface SignedRequestSigner {\n /** Ed25519 public key as 64-char hex (no 0x prefix). Sent in X-Witnium-Key. */\n publicKeyHex: string;\n /**\n * Sign the canonical message\n * `<METHOD>\\n<PATH>\\n<TIMESTAMP>\\n<IDEMPOTENCY-KEY>\\n<sha256(body) hex>`\n * (empty string when the Idempotency-Key header is absent) and return\n * the 128-char hex Ed25519 signature. The SDK builds the canonical\n * message; the caller only needs to apply the private key.\n */\n sign: (canonicalMessage: string) => Promise<string>;\n}\n\n/**\n * Owner-Ed25519 signer used by {@link WitniumAccountsClient.delegatedKeys.provision}.\n *\n * Structurally identical to {@link SignedRequestSigner} — both are\n * `{ publicKeyHex, sign(message) }` — but kept as a distinct type so the\n * semantic role (owner key for delegated-key authorisation vs. signed-request\n * headers) is explicit at the call site.\n *\n * The `sign` callback receives the raw `messageToSign` string returned by the\n * server's prepare step (canonical JSON of the addSigningKey intent); the\n * caller's job is to apply their owner private key and return the 128-hex\n * Ed25519 signature.\n */\nexport interface OwnerSigner {\n /** Owner Ed25519 public key as 64-char hex (no 0x prefix). */\n publicKeyHex: string;\n /** Sign the `messageToSign` string and return the 128-char hex signature. */\n sign: (messageToSign: string) => Promise<string>;\n}\n\n/**\n * Arguments to the one-call delegated-key provisioning flow.\n *\n * The SDK orchestrates prepare → owner-sign → submit → poll-until-confirmed.\n * The caller supplies the contract address, an owner signer, and optional\n * polling tuning. Returns the final delegated-key record after the on-chain\n * `addSigningKey` tx confirms (or the polling budget is exhausted).\n */\nexport interface ProvisionDelegatedKeyArgs {\n /** EIP-55 / lowercase contract address the delegated key will be bound to. */\n contractAddress: string;\n /** Owner Ed25519 signer for the addSigningKey intent. */\n ownerSigner: OwnerSigner;\n /**\n * Polling interval in ms between submit re-polls when the first submit\n * didn't confirm within the server's 8 s budget. Default 2000.\n */\n pollIntervalMs?: number;\n /**\n * Total polling budget in ms (including the first submit). Default 60000.\n * On timeout the method returns the last-known status with `confirmed: false`\n * so the caller can decide whether to keep polling or surface the txHash.\n */\n pollTimeoutMs?: number;\n}\n\nexport interface ProvisionDelegatedKeyResult {\n /** Server-assigned delegated-key id (UUID). */\n id: string;\n /** Delegated key's Ed25519 public key, 64 hex (this is what's now on-chain). */\n publicKey: string;\n /** chain-api `addSigningKey` tx hash. */\n transactionHash: string;\n /** `true` if the tx mined within `pollTimeoutMs`. */\n confirmed: boolean;\n /** Block number, populated once `confirmed === true`. */\n blockNumber?: number;\n}\n\nexport interface WitniumAccountsClientConfig {\n /** Base URL, e.g. `https://auth.witniumchain.com`. Trailing slash optional. */\n baseUrl: string;\n /** Session cookie value (the `wac_session` cookie's body, not the full header). */\n sessionCookie?: string;\n /** OAuth 2.1 access token (Bearer JWT). */\n accessToken?: string;\n /** Organisation API key (`wcorg_live_…`). */\n orgApiKey?: string;\n /** System-admin token (`Authorization: Bearer <ADMIN_TOKEN>`). */\n adminToken?: string;\n /** Ed25519 signer for SDK signed-request routes (witness write ops). */\n signedRequest?: SignedRequestSigner;\n /** Per-request timeout in milliseconds. Default 30000. */\n timeout?: number;\n /** Alternate fetch implementation (e.g. for tests). Default `globalThis.fetch`. */\n fetch?: typeof fetch;\n}\n\ntype AuthMode =\n | 'SessionCookie'\n | 'BearerJWT'\n | 'OrgApiKey'\n | 'AdminToken'\n | 'SignedRequest'\n | 'Public';\n\ninterface RequestOpts {\n body?: unknown;\n query?: Record<string, string | number | undefined>;\n headers?: Record<string, string>;\n auth: AuthMode;\n expectNoContent?: boolean;\n}\n\nexport class WitniumAccountsClient {\n private readonly baseUrl: string;\n private readonly cfg: WitniumAccountsClientConfig;\n private readonly timeout: number;\n private readonly fetchImpl: typeof fetch;\n\n /** Subscriptions / billing helpers. See {@link Subscriptions}. */\n readonly subscriptions: Subscriptions;\n /** Delegated-key namespace including the one-call {@link DelegatedKeys.provision} flow. */\n readonly delegatedKeys: DelegatedKeys;\n /** Owner signing-key management (list / add / revoke). */\n readonly keys: SigningKeys;\n /** OAuth session management. Accessed as `client.oauth.sessions.*`. */\n readonly oauth: OauthNamespace;\n\n constructor(config: WitniumAccountsClientConfig) {\n if (!config.baseUrl) {\n throw new Error('WitniumAccountsClient: baseUrl is required');\n }\n this.cfg = config;\n this.baseUrl = config.baseUrl.replace(/\\/$/, '');\n this.timeout = config.timeout ?? 30000;\n this.fetchImpl = config.fetch ?? globalThis.fetch;\n if (!this.fetchImpl) {\n throw new Error(\n 'WitniumAccountsClient: no fetch implementation available. Pass `config.fetch`.',\n );\n }\n this.subscriptions = new Subscriptions(this);\n this.delegatedKeys = new DelegatedKeys(this);\n this.keys = new SigningKeys(this);\n this.oauth = new OauthNamespace(this);\n }\n\n /**\n * Convenience alias for {@link getAccount} — returns the authenticated\n * user's profile, the org they belong to, and their signing keys.\n */\n me(): Promise<AccountResponse> {\n return this.getAccount();\n }\n\n // ────────────────────────────────────────────────────────────────────────\n // Auth (/v1/auth/*)\n // ────────────────────────────────────────────────────────────────────────\n\n signup(body: SignupRequest): Promise<SignupResponse> {\n return this.req('POST', '/v1/auth/signup', { auth: 'Public', body });\n }\n\n verifyEmail(token: string): Promise<VerifyEmailResponse> {\n return this.req('GET', '/v1/auth/verify', {\n auth: 'Public',\n query: { token },\n });\n }\n\n login(body: LoginRequest): Promise<LoginResponse> {\n return this.req('POST', '/v1/auth/login', { auth: 'Public', body });\n }\n\n logout(): Promise<LogoutResponse> {\n return this.req('POST', '/v1/auth/logout', { auth: 'Public' });\n }\n\n forgotPassword(body: ForgotPasswordRequest): Promise<ForgotPasswordResponse> {\n return this.req('POST', '/v1/auth/forgot-password', { auth: 'Public', body });\n }\n\n resetPassword(body: ResetPasswordRequest): Promise<ResetPasswordResponse> {\n return this.req('POST', '/v1/auth/reset-password', { auth: 'Public', body });\n }\n\n // ────────────────────────────────────────────────────────────────────────\n // Billing (/v1/billing/*)\n // ────────────────────────────────────────────────────────────────────────\n\n createCheckoutSession(body: CheckoutRequest): Promise<CheckoutResponse> {\n return this.req('POST', '/v1/billing/checkout', {\n auth: 'SessionCookie',\n body,\n });\n }\n\n createPortalSession(): Promise<PortalResponse> {\n return this.req('GET', '/v1/billing/portal', { auth: 'SessionCookie' });\n }\n\n // Webhook endpoint is intentionally NOT exposed: only Stripe should call it.\n\n // ────────────────────────────────────────────────────────────────────────\n // Orgs (/v1/orgs/me/*)\n // ────────────────────────────────────────────────────────────────────────\n\n getMyOrg(): Promise<PublicOrgResponse> {\n return this.req('GET', '/v1/orgs/me', { auth: 'OrgApiKey' });\n }\n\n createOrgUser(body: CreateUserRequest): Promise<CreateUserResponse> {\n return this.req('POST', '/v1/orgs/me/users', { auth: 'OrgApiKey', body });\n }\n\n listOrgUsers(): Promise<ListUsersResponse> {\n return this.req('GET', '/v1/orgs/me/users', { auth: 'OrgApiKey' });\n }\n\n // ────────────────────────────────────────────────────────────────────────\n // Admin (/v1/admin/organizations/*)\n // ────────────────────────────────────────────────────────────────────────\n\n createOrganization(\n body: CreateOrganizationRequest,\n ): Promise<CreateOrganizationResponse> {\n return this.req('POST', '/v1/admin/organizations', {\n auth: 'AdminToken',\n body,\n });\n }\n\n setOrgAccountType(\n id: string,\n body: SetAccountTypeRequest,\n ): Promise<SetAccountTypeResponse> {\n return this.req(\n 'PATCH',\n `/v1/admin/organizations/${encodeURIComponent(id)}/account-type`,\n { auth: 'AdminToken', body },\n );\n }\n\n verifyOrganization(id: string): Promise<VerifyOrganizationResponse> {\n return this.req(\n 'PATCH',\n `/v1/admin/organizations/${encodeURIComponent(id)}/verify`,\n { auth: 'AdminToken' },\n );\n }\n\n rotateOrgApiKey(id: string): Promise<RotateApiKeyResponse> {\n return this.req(\n 'POST',\n `/v1/admin/organizations/${encodeURIComponent(id)}/rotate-key`,\n { auth: 'AdminToken' },\n );\n }\n\n adjustOrgCredits(\n id: string,\n body: AdjustCreditsRequest,\n ): Promise<AdjustCreditsResponse> {\n return this.req(\n 'POST',\n `/v1/admin/organizations/${encodeURIComponent(id)}/adjust-credits`,\n { auth: 'AdminToken', body },\n );\n }\n\n // ────────────────────────────────────────────────────────────────────────\n // Delegated keys (/v1/users/me/delegated-keys/*)\n // ────────────────────────────────────────────────────────────────────────\n\n listDelegatedKeys(query?: {\n contractAddress?: string;\n active?: 'true' | 'false';\n }): Promise<ListDelegatedKeysResponse> {\n return this.req('GET', '/v1/users/me/delegated-keys', {\n auth: 'BearerJWT',\n query: query ?? {},\n });\n }\n\n prepareDelegatedKey(\n body: PrepareDelegatedKeyRequest,\n ): Promise<PreparedDelegatedKeyResponse> {\n return this.req('POST', '/v1/users/me/delegated-keys', {\n auth: 'BearerJWT',\n body,\n });\n }\n\n submitDelegatedKey(\n id: string,\n body: SubmitDelegatedKeyRequest,\n ): Promise<SubmitDelegatedKeyResponse> {\n return this.req(\n 'POST',\n `/v1/users/me/delegated-keys/${encodeURIComponent(id)}/submit`,\n { auth: 'BearerJWT', body },\n );\n }\n\n revokeDelegatedKey(id: string): Promise<RevokeDelegatedKeyResponse> {\n return this.req(\n 'DELETE',\n `/v1/users/me/delegated-keys/${encodeURIComponent(id)}`,\n { auth: 'BearerJWT' },\n );\n }\n\n // ────────────────────────────────────────────────────────────────────────\n // Sign (/v1/sign)\n // ────────────────────────────────────────────────────────────────────────\n\n sign(body: SignRequest, requestId?: string): Promise<SignResponse> {\n const headers = requestId ? { 'x-request-id': requestId } : undefined;\n return this.req('POST', '/v1/sign', {\n auth: 'BearerJWT',\n body,\n ...(headers ? { headers } : {}),\n });\n }\n\n // ────────────────────────────────────────────────────────────────────────\n // Contracts (/v1/contracts/* + /v1/keys/*)\n // ────────────────────────────────────────────────────────────────────────\n\n provisionContract(\n body: ProvisionContractRequest,\n ): Promise<ProvisionContractResponse> {\n return this.req('POST', '/v1/contracts/provision', {\n auth: 'Public',\n body,\n });\n }\n\n addSigningKey(body: AddSigningKeyRequest): Promise<AddSigningKeyResponse> {\n return this.req('POST', '/v1/keys', { auth: 'SessionCookie', body });\n }\n\n revokeSigningKey(\n body: RevokeSigningKeyRequest,\n ): Promise<RevokeSigningKeyResponse> {\n return this.req('POST', '/v1/keys/revoke', {\n auth: 'SessionCookie',\n body,\n });\n }\n\n pauseContract(body: PauseRequest): Promise<PauseResponse> {\n return this.req('POST', '/v1/contracts/pause', {\n auth: 'SessionCookie',\n body,\n });\n }\n\n unpauseContract(body: UnpauseRequest): Promise<UnpauseResponse> {\n return this.req('POST', '/v1/contracts/unpause', {\n auth: 'SessionCookie',\n body,\n });\n }\n\n // ────────────────────────────────────────────────────────────────────────\n // Witnesses (/v1/contracts/{addr}/witnesses/*)\n // ────────────────────────────────────────────────────────────────────────\n\n proposeWitness(\n contractAddress: string,\n body: ProposeWitnessRequest,\n idempotencyKey?: string,\n ): Promise<ProposeWitnessResponse> {\n // Idempotency-Key is required by the server (it's part of the signed\n // canonical so retries can't replay with a different key). Generate\n // one if the caller didn't supply one — every propose is therefore\n // implicitly idempotent.\n const key = idempotencyKey ?? randomUUID();\n return this.req(\n 'POST',\n `/v1/contracts/${encodeURIComponent(contractAddress)}/witnesses/propose`,\n { auth: 'SignedRequest', body, headers: { 'idempotency-key': key } },\n );\n }\n\n signWitness(\n contractAddress: string,\n witnessId: string,\n body: SignWitnessRequest,\n ): Promise<SignWitnessResponse> {\n return this.req(\n 'POST',\n `/v1/contracts/${encodeURIComponent(contractAddress)}/witnesses/${encodeURIComponent(witnessId)}/sign`,\n { auth: 'SignedRequest', body },\n );\n }\n\n finalizeWitness(\n contractAddress: string,\n witnessId: string,\n ): Promise<FinalizeWitnessResponse> {\n return this.req(\n 'POST',\n `/v1/contracts/${encodeURIComponent(contractAddress)}/witnesses/${encodeURIComponent(witnessId)}/finalize`,\n { auth: 'SignedRequest' },\n );\n }\n\n revokeWitness(\n contractAddress: string,\n witnessId: string,\n body: RevokeWitnessRequest,\n idempotencyKey?: string,\n ): Promise<RevokeWitnessResponse> {\n const key = idempotencyKey ?? randomUUID();\n return this.req(\n 'POST',\n `/v1/contracts/${encodeURIComponent(contractAddress)}/witnesses/${encodeURIComponent(witnessId)}/revoke`,\n { auth: 'SignedRequest', body, headers: { 'idempotency-key': key } },\n );\n }\n\n getWitness(\n contractAddress: string,\n witnessId: string,\n ): Promise<GetWitnessResponse> {\n return this.req(\n 'GET',\n `/v1/contracts/${encodeURIComponent(contractAddress)}/witnesses/${encodeURIComponent(witnessId)}`,\n { auth: 'Public' },\n );\n }\n\n // ────────────────────────────────────────────────────────────────────────\n // v5 Witnesses (/v5/contracts/{addr}/witnesses/*)\n //\n // The v5 write surface is a metered proxy in accounts: every billable\n // call (propose, revoke) reserves a credit; sign/finalize forward to\n // chain-api with the admin token. Auth is OAuth Bearer; the URL\n // contract must match the user's bound contract.\n //\n // The propose/revoke methods auto-generate an Idempotency-Key when the\n // caller doesn't supply one — server side that header is part of the\n // billing identity and is required.\n // ────────────────────────────────────────────────────────────────────────\n\n proposeWitnessV5(\n contractAddress: string,\n body: ProposeWitnessV5Request,\n idempotencyKey?: string,\n ): Promise<ProposeWitnessV5Response> {\n const key = idempotencyKey ?? randomUUID();\n return this.req(\n 'POST',\n `/v5/contracts/${encodeURIComponent(contractAddress)}/witnesses/propose`,\n { auth: 'BearerJWT', body, headers: { 'idempotency-key': key } },\n );\n }\n\n signWitnessV5(\n contractAddress: string,\n intentId: string,\n body: SubmitSignatureV5Request,\n ): Promise<SubmitSignatureV5Response> {\n return this.req(\n 'POST',\n `/v5/contracts/${encodeURIComponent(contractAddress)}/witnesses/${encodeURIComponent(intentId)}/sign`,\n { auth: 'BearerJWT', body },\n );\n }\n\n finalizeWitnessV5(\n contractAddress: string,\n intentId: string,\n ): Promise<FinalizeWitnessV5Response> {\n return this.req(\n 'POST',\n `/v5/contracts/${encodeURIComponent(contractAddress)}/witnesses/${encodeURIComponent(intentId)}/finalize`,\n { auth: 'BearerJWT' },\n );\n }\n\n revokeWitnessV5(\n contractAddress: string,\n witnessId: string,\n body: RevokeWitnessV5Request,\n idempotencyKey?: string,\n ): Promise<RevokeWitnessV5Response> {\n const key = idempotencyKey ?? randomUUID();\n return this.req(\n 'POST',\n `/v5/contracts/${encodeURIComponent(contractAddress)}/witnesses/${encodeURIComponent(witnessId)}/revoke`,\n { auth: 'BearerJWT', body, headers: { 'idempotency-key': key } },\n );\n }\n\n // ────────────────────────────────────────────────────────────────────────\n // Users / account (/v1/account/*)\n // ────────────────────────────────────────────────────────────────────────\n\n getAccount(): Promise<AccountResponse> {\n return this.req('GET', '/v1/account', { auth: 'SessionCookie' });\n }\n\n getLedger(): Promise<LedgerResponse> {\n return this.req('GET', '/v1/account/ledger', { auth: 'SessionCookie' });\n }\n\n // ────────────────────────────────────────────────────────────────────────\n // OAuth sessions (/v1/oauth/sessions*)\n // ────────────────────────────────────────────────────────────────────────\n\n listOauthSessions(): Promise<ListOauthSessionsResponse> {\n return this.req('GET', '/v1/oauth/sessions', { auth: 'SessionCookie' });\n }\n\n revokeOauthSession(jti: string): Promise<void> {\n return this.req('DELETE', `/v1/oauth/sessions/${encodeURIComponent(jti)}`, {\n auth: 'SessionCookie',\n expectNoContent: true,\n });\n }\n\n revokeAllOauthSessions(): Promise<void> {\n return this.req('DELETE', '/v1/oauth/sessions', {\n auth: 'SessionCookie',\n expectNoContent: true,\n });\n }\n\n // ────────────────────────────────────────────────────────────────────────\n // Health (/health/*)\n // ────────────────────────────────────────────────────────────────────────\n\n healthLive(): Promise<HealthLiveResponse> {\n return this.req('GET', '/health/live', { auth: 'Public' });\n }\n\n healthReady(): Promise<HealthReadyResponse> {\n return this.req('GET', '/health/ready', { auth: 'Public' });\n }\n\n // ────────────────────────────────────────────────────────────────────────\n // Internal: fetch wrapper that maps non-2xx → WitniumAccountsApiError\n // and applies the configured credential to the request.\n // ────────────────────────────────────────────────────────────────────────\n\n private async req<T>(\n method: string,\n path: string,\n opts: RequestOpts,\n ): Promise<T> {\n const url = this.buildUrl(path, opts.query);\n const headers: Record<string, string> = {\n accept: 'application/json',\n ...(opts.headers ?? {}),\n };\n\n if (opts.body !== undefined) {\n headers['content-type'] = 'application/json';\n }\n\n const bodyString =\n opts.body !== undefined ? JSON.stringify(opts.body) : undefined;\n\n await this.applyAuth(headers, opts.auth, method, path, bodyString ?? '');\n\n const controller = new AbortController();\n const timer = setTimeout(() => controller.abort(), this.timeout);\n\n let res: Response;\n try {\n res = await this.fetchImpl(url, {\n method,\n headers,\n body: bodyString,\n signal: controller.signal,\n // Send cookies cross-origin when the consumer is a browser using\n // SessionCookie auth via document.cookie.\n credentials: 'include',\n });\n } catch (err) {\n throw new WitniumAccountsApiError({\n status: 0,\n message:\n err instanceof Error\n ? `Network error contacting ${this.baseUrl}: ${err.message}`\n : `Network error contacting ${this.baseUrl}`,\n });\n } finally {\n clearTimeout(timer);\n }\n\n if (opts.expectNoContent) {\n if (!res.ok) {\n throw await this.toApiError(res);\n }\n return undefined as T;\n }\n\n const text = await res.text();\n let parsed: unknown = null;\n if (text.length > 0) {\n try {\n parsed = JSON.parse(text);\n } catch {\n // Non-JSON body. Carry raw text in the error if !ok.\n }\n }\n\n if (!res.ok) {\n throw this.parseApiError(res.status, parsed, text);\n }\n\n return parsed as T;\n }\n\n private buildUrl(\n path: string,\n query: Record<string, string | number | undefined> | undefined,\n ): string {\n if (!query) return `${this.baseUrl}${path}`;\n const qs = new URLSearchParams();\n for (const [k, v] of Object.entries(query)) {\n if (v !== undefined) qs.set(k, String(v));\n }\n const suffix = qs.toString();\n return suffix ? `${this.baseUrl}${path}?${suffix}` : `${this.baseUrl}${path}`;\n }\n\n private async applyAuth(\n headers: Record<string, string>,\n auth: AuthMode,\n method: string,\n path: string,\n bodyString: string,\n ): Promise<void> {\n switch (auth) {\n case 'Public':\n return;\n case 'SessionCookie': {\n if (this.cfg.sessionCookie) {\n // In Node the SDK has to send the cookie itself; in a browser the\n // browser will attach it from document.cookie when credentials:\n // 'include' is set. Set the header anyway — it's safe in both.\n headers['cookie'] = `wac_session=${this.cfg.sessionCookie}`;\n }\n return;\n }\n case 'BearerJWT': {\n if (!this.cfg.accessToken) {\n throw new Error(\n `WitniumAccountsClient: ${method} ${path} requires an OAuth access token. Pass \\`accessToken\\` to the constructor.`,\n );\n }\n headers['authorization'] = `Bearer ${this.cfg.accessToken}`;\n return;\n }\n case 'OrgApiKey': {\n if (!this.cfg.orgApiKey) {\n throw new Error(\n `WitniumAccountsClient: ${method} ${path} requires an organisation API key. Pass \\`orgApiKey\\` to the constructor.`,\n );\n }\n headers['authorization'] = `Bearer ${this.cfg.orgApiKey}`;\n return;\n }\n case 'AdminToken': {\n if (!this.cfg.adminToken) {\n throw new Error(\n `WitniumAccountsClient: ${method} ${path} requires an admin token. Pass \\`adminToken\\` to the constructor.`,\n );\n }\n headers['authorization'] = `Bearer ${this.cfg.adminToken}`;\n return;\n }\n case 'SignedRequest': {\n if (!this.cfg.signedRequest) {\n throw new Error(\n `WitniumAccountsClient: ${method} ${path} requires a signed-request signer. Pass \\`signedRequest\\` to the constructor.`,\n );\n }\n const timestamp = Math.floor(Date.now() / 1000).toString();\n const bodyHash = await sha256Hex(bodyString);\n // Idempotency-Key is part of the signed canonical so a captured\n // signed request can't be replayed with a different key. Empty\n // string when absent; the server uses the same convention.\n const idemKey = headers['idempotency-key'] ?? '';\n const canonical = `${method.toUpperCase()}\\n${path}\\n${timestamp}\\n${idemKey}\\n${bodyHash}`;\n const signature = await this.cfg.signedRequest.sign(canonical);\n headers['x-witnium-key'] = this.cfg.signedRequest.publicKeyHex;\n headers['x-witnium-timestamp'] = timestamp;\n headers['x-witnium-signature'] = signature;\n return;\n }\n }\n }\n\n private parseApiError(\n status: number,\n parsed: unknown,\n rawText: string,\n ): WitniumAccountsApiError {\n const body = parsed as\n | { error?: string; message?: string | string[] }\n | null;\n const message = Array.isArray(body?.message)\n ? body!.message.join('; ')\n : typeof body?.message === 'string'\n ? body!.message\n : body?.error ?? `HTTP ${status}`;\n return new WitniumAccountsApiError({\n status,\n message,\n errorLabel: body?.error,\n body: parsed ?? rawText,\n });\n }\n\n private async toApiError(res: Response): Promise<WitniumAccountsApiError> {\n const text = await res.text();\n let parsed: unknown = null;\n if (text.length > 0) {\n try {\n parsed = JSON.parse(text);\n } catch {\n // ignore — surface raw text\n }\n }\n return this.parseApiError(res.status, parsed, text);\n }\n}\n\n// ============================================================================\n// End-user namespace classes\n// ============================================================================\n//\n// Lightweight facades over the low-level methods on WitniumAccountsClient.\n// They exist to give the end-user surface a discoverable shape\n// (`client.subscriptions.subscribe(...)` rather than the route-shaped\n// `client.createCheckoutSession(...)`) while keeping the low-level methods\n// available as escape hatches.\n\n/** `client.subscriptions.*` — Stripe Checkout + portal + credit ledger. */\nexport class Subscriptions {\n constructor(private readonly client: WitniumAccountsClient) {}\n\n /**\n * Start a Stripe Checkout session for the supplied price. Returns the\n * hosted Checkout URL; redirect the user to it. Stripe's\n * `checkout.session.completed` webhook grants credits on success.\n */\n subscribe(body: CheckoutRequest): Promise<CheckoutResponse> {\n return this.client.createCheckoutSession(body);\n }\n\n /**\n * Open the Stripe Billing Portal for the calling user's org. Returns the\n * hosted portal URL — redirect the user there for subscription /\n * payment-method management.\n */\n manage(): Promise<PortalResponse> {\n return this.client.createPortalSession();\n }\n\n /** Recent credit-ledger entries (most recent 200). */\n getLedger(): Promise<LedgerResponse> {\n return this.client.getLedger();\n }\n}\n\n/** `client.delegatedKeys.*` — list, one-call provision, and revoke. */\nexport class DelegatedKeys {\n constructor(private readonly client: WitniumAccountsClient) {}\n\n /** List the caller's delegated keys, optionally filtered by contract or active flag. */\n list(query?: {\n contractAddress?: string;\n active?: 'true' | 'false';\n }): Promise<ListDelegatedKeysResponse> {\n return this.client.listDelegatedKeys(query);\n }\n\n /**\n * One-call delegated-key provisioning: prepare → owner-sign → submit →\n * poll until the on-chain `addSigningKey` tx confirms (or the polling\n * budget elapses). The server mints the delegated key in Vault; the caller\n * never sees its private key.\n *\n * Failure modes that surface as thrown {@link WitniumAccountsApiError}:\n * - 409 from prepare → an active key already exists for this contract;\n * caller must revoke the existing one first.\n * - 400 from submit → ownerSignature didn't verify against the prepared\n * message (wrong owner key, or the on-chain nonce shifted between\n * prepare and submit and the caller must re-provision).\n *\n * Returns `confirmed: false` (without throwing) when the on-chain tx is\n * still pending after `pollTimeoutMs` — caller can keep polling via\n * {@link list} or chain-api's receipt endpoint.\n */\n async provision(\n args: ProvisionDelegatedKeyArgs,\n ): Promise<ProvisionDelegatedKeyResult> {\n const prep = await this.client.prepareDelegatedKey({\n contractAddress: args.contractAddress,\n });\n const ownerSignature = await args.ownerSigner.sign(prep.messageToSign);\n let res = await this.client.submitDelegatedKey(prep.id, { ownerSignature });\n\n if (!res.confirmed) {\n const interval = args.pollIntervalMs ?? 2000;\n const timeout = args.pollTimeoutMs ?? 60000;\n const deadline = Date.now() + timeout;\n while (!res.confirmed && Date.now() < deadline) {\n await sleep(interval);\n res = await this.client.submitDelegatedKey(prep.id, {});\n }\n }\n\n return {\n id: prep.id,\n publicKey: prep.publicKey,\n transactionHash: res.transactionHash,\n confirmed: res.confirmed,\n blockNumber: res.blockNumber,\n };\n }\n\n /**\n * Locally revoke a delegated key. Wipes the Vault Transit key and sets\n * `revoked_at` on the row. The on-chain trust record persists — the caller\n * must invoke `WitnessRegistryV3.revokeSigningKey` with their owner key to\n * fully un-trust the key on the contract.\n */\n revoke(id: string): Promise<RevokeDelegatedKeyResponse> {\n return this.client.revokeDelegatedKey(id);\n }\n}\n\n/**\n * `client.keys.*` — owner signing-key management (add / revoke + a list\n * helper derived from {@link WitniumAccountsClient.getAccount}).\n *\n * Distinct from {@link DelegatedKeys} — those are Vault-held keys minted by\n * the server for delegated signing. The methods here manage the owner's own\n * signing keys registered against their contract.\n */\nexport class SigningKeys {\n constructor(private readonly client: WitniumAccountsClient) {}\n\n /**\n * The signing keys attached to the calling user's contract. There is no\n * dedicated list endpoint; this method calls {@link\n * WitniumAccountsClient.getAccount} and returns the `signingKeys` slice.\n */\n async list(): Promise<AccountResponse['signingKeys']> {\n const account = await this.client.getAccount();\n return account.signingKeys;\n }\n\n add(body: AddSigningKeyRequest): Promise<AddSigningKeyResponse> {\n return this.client.addSigningKey(body);\n }\n\n revoke(body: RevokeSigningKeyRequest): Promise<RevokeSigningKeyResponse> {\n return this.client.revokeSigningKey(body);\n }\n}\n\n/** `client.oauth.sessions.*` — list and revoke active OAuth sessions. */\nexport class OauthNamespace {\n readonly sessions: OauthSessions;\n constructor(client: WitniumAccountsClient) {\n this.sessions = new OauthSessions(client);\n }\n}\n\nexport class OauthSessions {\n constructor(private readonly client: WitniumAccountsClient) {}\n\n list(): Promise<ListOauthSessionsResponse> {\n return this.client.listOauthSessions();\n }\n\n revoke(jti: string): Promise<void> {\n return this.client.revokeOauthSession(jti);\n }\n\n revokeAll(): Promise<void> {\n return this.client.revokeAllOauthSessions();\n }\n}\n\nfunction sleep(ms: number): Promise<void> {\n return new Promise((resolve) => setTimeout(resolve, ms));\n}\n\n/**\n * RFC 4122 v4 UUID using the platform Crypto API. Available in modern\n * browsers and Node 19+. We surface a helpful error message if absent so\n * the SDK's behavior is debuggable in stripped-down test environments.\n */\nfunction randomUUID(): string {\n const c = (globalThis as { crypto?: { randomUUID?: () => string } }).crypto;\n if (!c?.randomUUID) {\n throw new Error(\n 'WitniumAccountsClient: globalThis.crypto.randomUUID is required (Node 19+ or modern browser). Polyfill for older runtimes.',\n );\n }\n return c.randomUUID();\n}\n\n/**\n * Compute lowercase hex of sha256(input bytes) using SubtleCrypto.\n * Requires a runtime with `crypto.subtle` — modern browsers and Node 18+.\n */\nasync function sha256Hex(input: string): Promise<string> {\n const subtle = (globalThis as { crypto?: { subtle?: SubtleCrypto } }).crypto\n ?.subtle;\n if (!subtle) {\n throw new Error(\n 'WitniumAccountsClient: SubtleCrypto is not available. Polyfill `globalThis.crypto.subtle` for SignedRequest auth.',\n );\n }\n const data = new TextEncoder().encode(input);\n const digest = await subtle.digest('SHA-256', data);\n const bytes = new Uint8Array(digest);\n let out = '';\n for (const b of bytes) out += b.toString(16).padStart(2, '0');\n return out;\n}\n","/**\n * WitniumAccountsAdminClient — system-admin facade over the accounts API.\n *\n * Wraps the five `/v1/admin/organizations/*` routes that mint orgs, flip\n * account types, verify emails, rotate API keys, and apply manual credit\n * adjustments. This is the client our internal admin frontend and ops scripts\n * consume — there is no UI surface here, just typed RPC.\n *\n * Auth is AdminToken (the `BEARER_TOKEN` env value on the server side).\n * Construction throws if `adminToken` is missing; the underlying HTTP client\n * would throw at call time, but failing at construction surfaces config bugs\n * in the wiring step rather than the first request.\n */\nimport { WitniumAccountsClient } from './client';\nimport type {\n CreateOrganizationRequest,\n CreateOrganizationResponse,\n SetAccountTypeResponse,\n VerifyOrganizationResponse,\n RotateApiKeyResponse,\n AdjustCreditsResponse,\n} from './types';\n\nexport interface WitniumAccountsAdminClientConfig {\n /** Base URL, e.g. `https://auth.witniumchain.com`. Trailing slash optional. */\n baseUrl: string;\n /** System-admin token (`Authorization: Bearer <ADMIN_TOKEN>`). */\n adminToken: string;\n /** Per-request timeout in milliseconds. Default 30000. */\n timeout?: number;\n /** Alternate fetch implementation (e.g. for tests). Default `globalThis.fetch`. */\n fetch?: typeof fetch;\n}\n\nexport type AccountType = 'metered' | 'unlimited';\n\nexport class WitniumAccountsAdminClient {\n private readonly inner: WitniumAccountsClient;\n\n constructor(config: WitniumAccountsAdminClientConfig) {\n if (!config.adminToken) {\n throw new Error('WitniumAccountsAdminClient: adminToken is required');\n }\n this.inner = new WitniumAccountsClient({\n baseUrl: config.baseUrl,\n adminToken: config.adminToken,\n timeout: config.timeout,\n fetch: config.fetch,\n });\n }\n\n /**\n * Mint a new organisation. The returned `apiKey` is shown ONCE — the server\n * only retains its SHA-256 hash. Persist it before the response leaves\n * scope; there is no recovery path.\n *\n * @param body Organisation seed: name, email, optional accountType and\n * signup credit grant, optional skip-email-verification flag.\n */\n createOrganization(\n body: CreateOrganizationRequest,\n ): Promise<CreateOrganizationResponse> {\n return this.inner.createOrganization(body);\n }\n\n /** Flip an org between `metered` (Stripe checkout + credit ledger) and `unlimited` (flat-fee). */\n setAccountType(\n orgId: string,\n accountType: AccountType,\n ): Promise<SetAccountTypeResponse> {\n return this.inner.setOrgAccountType(orgId, { accountType });\n }\n\n /** Mark an org's email as verified. Prerequisite for the org to create users. */\n verifyEmail(orgId: string): Promise<VerifyOrganizationResponse> {\n return this.inner.verifyOrganization(orgId);\n }\n\n /**\n * Rotate the org's API key. The previous `wcorg_live_…` is invalidated and\n * the new key is returned ONCE — same one-time-secret semantics as\n * {@link createOrganization}.\n */\n rotateApiKey(orgId: string): Promise<RotateApiKeyResponse> {\n return this.inner.rotateOrgApiKey(orgId);\n }\n\n /**\n * Apply a signed credit delta to an org's ledger. Positive `delta` grants\n * credits (goodwill, migration backfill); negative claws them back.\n * Recorded as `reason: adjustment` with the supplied `note`.\n *\n * Use sparingly — this bypasses Stripe and should be auditable from the\n * `note` alone.\n */\n adjustCredits(\n orgId: string,\n delta: number,\n note?: string,\n ): Promise<AdjustCreditsResponse> {\n return this.inner.adjustOrgCredits(orgId, { delta, note });\n }\n}\n","/**\n * WitniumAccountsOrgClient — org-admin facade over the accounts API.\n *\n * Wraps the three `/v1/orgs/me/*` routes that org admins use to read their\n * own org profile and manage their users. This is the client B2B2C apps and\n * customer-admin dashboards consume — auth is the `wcorg_live_…` API key\n * minted via `WitniumAccountsAdminClient.createOrganization` or returned by\n * a subsequent `rotateApiKey`.\n *\n * The surface is intentionally minimal — the underlying API only exposes\n * profile read + user create + user list. Anything more powerful (provision\n * credits, change account type, verify email) requires the sysadmin\n * `AdminToken` and therefore lives on `WitniumAccountsAdminClient`.\n */\nimport { WitniumAccountsClient } from './client';\nimport type {\n PublicOrgResponse,\n CreateUserRequest,\n CreateUserResponse,\n ListUsersResponse,\n} from './types';\n\nexport interface WitniumAccountsOrgClientConfig {\n /** Base URL, e.g. `https://auth.witniumchain.com`. Trailing slash optional. */\n baseUrl: string;\n /** Organisation API key (`wcorg_live_…`). */\n orgApiKey: string;\n /** Per-request timeout in milliseconds. Default 30000. */\n timeout?: number;\n /** Alternate fetch implementation (e.g. for tests). Default `globalThis.fetch`. */\n fetch?: typeof fetch;\n}\n\nexport class WitniumAccountsOrgClient {\n private readonly inner: WitniumAccountsClient;\n /** User-management namespace — `client.users.create/list`. */\n readonly users: OrgUsers;\n\n constructor(config: WitniumAccountsOrgClientConfig) {\n if (!config.orgApiKey) {\n throw new Error('WitniumAccountsOrgClient: orgApiKey is required');\n }\n this.inner = new WitniumAccountsClient({\n baseUrl: config.baseUrl,\n orgApiKey: config.orgApiKey,\n timeout: config.timeout,\n fetch: config.fetch,\n });\n this.users = new OrgUsers(this.inner);\n }\n\n /**\n * The org's own profile — name, email, account type, cached credit\n * balance (null for `unlimited` accounts), and the `isPersonal` flag.\n *\n * Note: a 401 here usually means the API key was rotated; rotate-key\n * invalidates the previous one.\n */\n me(): Promise<PublicOrgResponse> {\n return this.inner.getMyOrg();\n }\n}\n\n/** `client.users.*` — create + list users in the org. */\nexport class OrgUsers {\n constructor(private readonly inner: WitniumAccountsClient) {}\n\n /**\n * Provision a new user inside the org. Requires the org's email to have\n * been verified (sysadmin gate) — otherwise the server returns 403.\n */\n create(body: CreateUserRequest): Promise<CreateUserResponse> {\n return this.inner.createOrgUser(body);\n }\n\n /** List the org's users. */\n list(): Promise<ListUsersResponse> {\n return this.inner.listOrgUsers();\n }\n}\n"]}
1
+ {"version":3,"sources":["../src/errors.ts","../src/pkce.ts","../src/client.ts","../src/admin-client.ts","../src/org-client.ts"],"names":[],"mappings":";;;AAQO,IAAM,oBAAA,GAAN,cAAmC,KAAA,CAAM;AAAA,EACrC,MAAA;AAAA,EACA,UAAA;AAAA,EACA,IAAA;AAAA,EAET,YAAY,IAAA,EAKT;AACD,IAAA,KAAA,CAAM,KAAK,OAAO,CAAA;AAClB,IAAA,IAAA,CAAK,IAAA,GAAO,sBAAA;AACZ,IAAA,IAAA,CAAK,SAAS,IAAA,CAAK,MAAA;AACnB,IAAA,IAAA,CAAK,aAAa,IAAA,CAAK,UAAA;AACvB,IAAA,IAAA,CAAK,IAAA,GAAO,KAAK,IAAA,IAAQ,IAAA;AAAA,EAC3B;AACF;;;ACCA,IAAM,cAAA,GAAiB,oBAAA;AAQhB,SAAS,sBAAA,GAA8C;AAC5D,EAAA,MAAM,UAAW,UAAA,CAA4C,cAAA;AAC7D,EAAA,IAAI,CAAC,OAAA,EAAS;AACZ,IAAA,MAAM,IAAI,KAAA;AAAA,MACR;AAAA,KAEF;AAAA,EACF;AACA,EAAA,OAAO;AAAA,IACL,GAAA,CAAI,UAAU,QAAA,EAAU;AACtB,MAAA,OAAA,CAAQ,OAAA,CAAQ,cAAA,GAAiB,QAAA,EAAU,QAAQ,CAAA;AAAA,IACrD,CAAA;AAAA,IACA,IAAI,QAAA,EAAU;AACZ,MAAA,OAAO,OAAA,CAAQ,OAAA,CAAQ,cAAA,GAAiB,QAAQ,CAAA;AAAA,IAClD,CAAA;AAAA,IACA,OAAO,QAAA,EAAU;AACf,MAAA,OAAA,CAAQ,UAAA,CAAW,iBAAiB,QAAQ,CAAA;AAAA,IAC9C;AAAA,GACF;AACF;AASO,SAAS,oBAAA,GAA+B;AAC7C,EAAA,MAAM,KAAA,GAAQ,IAAI,UAAA,CAAW,EAAE,CAAA;AAC/B,EAAA,SAAA,EAAU,CAAE,gBAAgB,KAAK,CAAA;AACjC,EAAA,OAAO,gBAAgB,KAAK,CAAA;AAC9B;AAMA,eAAsB,oBAAoB,QAAA,EAAmC;AAC3E,EAAA,MAAM,IAAA,GAAO,IAAI,WAAA,EAAY,CAAE,OAAO,QAAQ,CAAA;AAC9C,EAAA,MAAM,SAAS,MAAM,SAAA,GAAY,MAAA,CAAO,MAAA,CAAO,WAAW,IAAI,CAAA;AAC9D,EAAA,OAAO,eAAA,CAAgB,IAAI,UAAA,CAAW,MAAM,CAAC,CAAA;AAC/C;AAQO,SAAS,aAAA,GAAwB;AACtC,EAAA,MAAM,KAAA,GAAQ,IAAI,UAAA,CAAW,EAAE,CAAA;AAC/B,EAAA,SAAA,EAAU,CAAE,gBAAgB,KAAK,CAAA;AACjC,EAAA,OAAO,gBAAgB,KAAK,CAAA;AAC9B;AAEA,SAAS,gBAAgB,KAAA,EAA2B;AAClD,EAAA,IAAI,MAAA,GAAS,EAAA;AACb,EAAA,KAAA,MAAW,CAAA,IAAK,KAAA,EAAO,MAAA,IAAU,MAAA,CAAO,aAAa,CAAC,CAAA;AACtD,EAAA,MAAM,GAAA,GACJ,OAAO,IAAA,KAAS,UAAA,GACZ,IAAA,CAAK,MAAM,CAAA,GACX,MAAA,CAAO,IAAA,CAAK,MAAA,EAAQ,QAAQ,CAAA,CAAE,SAAS,QAAQ,CAAA;AACrD,EAAA,OAAO,GAAA,CAAI,OAAA,CAAQ,KAAA,EAAO,GAAG,CAAA,CAAE,OAAA,CAAQ,KAAA,EAAO,GAAG,CAAA,CAAE,OAAA,CAAQ,KAAA,EAAO,EAAE,CAAA;AACtE;AAEA,SAAS,SAAA,GAAoB;AAC3B,EAAA,MAAM,IAAK,UAAA,CAAmC,MAAA;AAC9C,EAAA,IAAI,CAAC,CAAA,IAAK,CAAC,EAAE,MAAA,IAAU,CAAC,EAAE,eAAA,EAAiB;AACzC,IAAA,MAAM,IAAI,KAAA;AAAA,MACR;AAAA,KAEF;AAAA,EACF;AACA,EAAA,OAAO,CAAA;AACT;;;AC0PO,IAAM,qBAAN,MAAyB;AAAA,EACb,OAAA;AAAA,EACA,YAAA;AAAA,EACA,GAAA;AAAA,EACA,OAAA;AAAA,EACA,SAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOT,WAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOA,YAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOA,gBAAA,GAAmB,KAAA;AAAA,EACV,aAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAKT,aAAA,uBAAoB,GAAA,EAAqC;AAAA,EAChD,eAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAKT,cAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,eAAA;AAAA;AAAA,EAGC,aAAA;AAAA;AAAA,EAEA,aAAA;AAAA;AAAA,EAEA,IAAA;AAAA;AAAA,EAEA,KAAA;AAAA;AAAA,EAEA,GAAA;AAAA,EAET,YAAY,MAAA,EAAkC;AAC5C,IAAA,IAAI,CAAC,OAAO,OAAA,EAAS;AACnB,MAAA,MAAM,IAAI,MAAM,yCAAyC,CAAA;AAAA,IAC3D;AACA,IAAA,IAAA,CAAK,GAAA,GAAM,MAAA;AACX,IAAA,IAAA,CAAK,OAAA,GAAU,MAAA,CAAO,OAAA,CAAQ,OAAA,CAAQ,OAAO,EAAE,CAAA;AAC/C,IAAA,IAAA,CAAK,YAAA,GAAe,MAAA,CAAO,YAAA,EAAc,OAAA,CAAQ,OAAO,EAAE,CAAA;AAC1D,IAAA,IAAA,CAAK,OAAA,GAAU,OAAO,OAAA,IAAW,GAAA;AACjC,IAAA,IAAA,CAAK,SAAA,GAAY,MAAA,CAAO,KAAA,IAAS,UAAA,CAAW,KAAA;AAC5C,IAAA,IAAI,CAAC,KAAK,SAAA,EAAW;AACnB,MAAA,MAAM,IAAI,KAAA;AAAA,QACR;AAAA,OACF;AAAA,IACF;AACA,IAAA,IAAA,CAAK,cAAc,MAAA,CAAO,WAAA;AAC1B,IAAA,IAAA,CAAK,gBAAgB,MAAA,CAAO,aAAA;AAC5B,IAAA,IAAA,CAAK,kBAAkB,MAAA,CAAO,eAAA;AAC9B,IAAA,IAAA,CAAK,aAAA,GAAgB,IAAI,aAAA,CAAc,IAAI,CAAA;AAC3C,IAAA,IAAA,CAAK,aAAA,GAAgB,IAAI,aAAA,CAAc,IAAI,CAAA;AAC3C,IAAA,IAAA,CAAK,IAAA,GAAO,IAAI,WAAA,CAAY,IAAI,CAAA;AAChC,IAAA,IAAA,CAAK,KAAA,GAAQ,IAAI,cAAA,CAAe,IAAI,CAAA;AACpC,IAAA,IAAA,CAAK,GAAA,GAAM,IAAI,YAAA,CAAa,IAAI,CAAA;AAAA,EAClC;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,EAAA,GAA+B;AAC7B,IAAA,OAAO,KAAK,UAAA,EAAW;AAAA,EACzB;AAAA;AAAA;AAAA;AAAA,EAMA,OAAO,IAAA,EAA8C;AACnD,IAAA,OAAO,IAAA,CAAK,IAAI,MAAA,EAAQ,iBAAA,EAAmB,EAAE,IAAA,EAAM,QAAA,EAAU,MAAM,CAAA;AAAA,EACrE;AAAA,EAEA,YAAY,KAAA,EAA6C;AACvD,IAAA,OAAO,IAAA,CAAK,GAAA,CAAI,KAAA,EAAO,iBAAA,EAAmB;AAAA,MACxC,IAAA,EAAM,QAAA;AAAA,MACN,KAAA,EAAO,EAAE,KAAA;AAAM,KAChB,CAAA;AAAA,EACH;AAAA,EAEA,MAAM,IAAA,EAA4C;AAChD,IAAA,OAAO,IAAA,CAAK,IAAI,MAAA,EAAQ,gBAAA,EAAkB,EAAE,IAAA,EAAM,QAAA,EAAU,MAAM,CAAA;AAAA,EACpE;AAAA,EAEA,MAAA,GAAkC;AAChC,IAAA,OAAO,KAAK,GAAA,CAAI,MAAA,EAAQ,mBAAmB,EAAE,IAAA,EAAM,UAAU,CAAA;AAAA,EAC/D;AAAA,EAEA,eAAe,IAAA,EAA8D;AAC3E,IAAA,OAAO,IAAA,CAAK,IAAI,MAAA,EAAQ,0BAAA,EAA4B,EAAE,IAAA,EAAM,QAAA,EAAU,MAAM,CAAA;AAAA,EAC9E;AAAA,EAEA,cAAc,IAAA,EAA4D;AACxE,IAAA,OAAO,IAAA,CAAK,IAAI,MAAA,EAAQ,yBAAA,EAA2B,EAAE,IAAA,EAAM,QAAA,EAAU,MAAM,CAAA;AAAA,EAC7E;AAAA;AAAA;AAAA;AAAA,EAMA,sBAAsB,IAAA,EAAkD;AACtE,IAAA,OAAO,IAAA,CAAK,GAAA,CAAI,MAAA,EAAQ,sBAAA,EAAwB;AAAA,MAC9C,IAAA,EAAM,eAAA;AAAA,MACN;AAAA,KACD,CAAA;AAAA,EACH;AAAA,EAEA,mBAAA,GAA+C;AAC7C,IAAA,OAAO,KAAK,GAAA,CAAI,KAAA,EAAO,sBAAsB,EAAE,IAAA,EAAM,iBAAiB,CAAA;AAAA,EACxE;AAAA;AAAA;AAAA;AAAA;AAAA,EAQA,QAAA,GAAuC;AACrC,IAAA,OAAO,KAAK,GAAA,CAAI,KAAA,EAAO,eAAe,EAAE,IAAA,EAAM,aAAa,CAAA;AAAA,EAC7D;AAAA,EAEA,cAAc,IAAA,EAAsD;AAClE,IAAA,OAAO,IAAA,CAAK,IAAI,MAAA,EAAQ,mBAAA,EAAqB,EAAE,IAAA,EAAM,WAAA,EAAa,MAAM,CAAA;AAAA,EAC1E;AAAA,EAEA,YAAA,GAA2C;AACzC,IAAA,OAAO,KAAK,GAAA,CAAI,KAAA,EAAO,qBAAqB,EAAE,IAAA,EAAM,aAAa,CAAA;AAAA,EACnE;AAAA;AAAA;AAAA;AAAA,EAMA,mBACE,IAAA,EACqC;AACrC,IAAA,OAAO,IAAA,CAAK,GAAA,CAAI,MAAA,EAAQ,yBAAA,EAA2B;AAAA,MACjD,IAAA,EAAM,YAAA;AAAA,MACN;AAAA,KACD,CAAA;AAAA,EACH;AAAA,EAEA,iBAAA,CACE,IACA,IAAA,EACiC;AACjC,IAAA,OAAO,IAAA,CAAK,GAAA;AAAA,MACV,OAAA;AAAA,MACA,CAAA,wBAAA,EAA2B,kBAAA,CAAmB,EAAE,CAAC,CAAA,aAAA,CAAA;AAAA,MACjD,EAAE,IAAA,EAAM,YAAA,EAAc,IAAA;AAAK,KAC7B;AAAA,EACF;AAAA,EAEA,mBAAmB,EAAA,EAAiD;AAClE,IAAA,OAAO,IAAA,CAAK,GAAA;AAAA,MACV,OAAA;AAAA,MACA,CAAA,wBAAA,EAA2B,kBAAA,CAAmB,EAAE,CAAC,CAAA,OAAA,CAAA;AAAA,MACjD,EAAE,MAAM,YAAA;AAAa,KACvB;AAAA,EACF;AAAA,EAEA,gBAAgB,EAAA,EAA2C;AACzD,IAAA,OAAO,IAAA,CAAK,GAAA;AAAA,MACV,MAAA;AAAA,MACA,CAAA,wBAAA,EAA2B,kBAAA,CAAmB,EAAE,CAAC,CAAA,WAAA,CAAA;AAAA,MACjD,EAAE,MAAM,YAAA;AAAa,KACvB;AAAA,EACF;AAAA,EAEA,gBAAA,CACE,IACA,IAAA,EACgC;AAChC,IAAA,OAAO,IAAA,CAAK,GAAA;AAAA,MACV,MAAA;AAAA,MACA,CAAA,wBAAA,EAA2B,kBAAA,CAAmB,EAAE,CAAC,CAAA,eAAA,CAAA;AAAA,MACjD,EAAE,IAAA,EAAM,YAAA,EAAc,IAAA;AAAK,KAC7B;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAMA,kBAAkB,KAAA,EAGqB;AACrC,IAAA,OAAO,IAAA,CAAK,GAAA,CAAI,KAAA,EAAO,6BAAA,EAA+B;AAAA,MACpD,IAAA,EAAM,WAAA;AAAA,MACN,KAAA,EAAO,SAAS;AAAC,KAClB,CAAA;AAAA,EACH;AAAA,EAEA,oBACE,IAAA,EACuC;AACvC,IAAA,OAAO,IAAA,CAAK,GAAA,CAAI,MAAA,EAAQ,6BAAA,EAA+B;AAAA,MACrD,IAAA,EAAM,WAAA;AAAA,MACN;AAAA,KACD,CAAA;AAAA,EACH;AAAA,EAEA,kBAAA,CACE,IACA,IAAA,EACqC;AACrC,IAAA,OAAO,IAAA,CAAK,GAAA;AAAA,MACV,MAAA;AAAA,MACA,CAAA,4BAAA,EAA+B,kBAAA,CAAmB,EAAE,CAAC,CAAA,OAAA,CAAA;AAAA,MACrD,EAAE,IAAA,EAAM,WAAA,EAAa,IAAA;AAAK,KAC5B;AAAA,EACF;AAAA,EAEA,mBAAmB,EAAA,EAAiD;AAClE,IAAA,OAAO,IAAA,CAAK,GAAA;AAAA,MACV,QAAA;AAAA,MACA,CAAA,4BAAA,EAA+B,kBAAA,CAAmB,EAAE,CAAC,CAAA,CAAA;AAAA,MACrD,EAAE,MAAM,WAAA;AAAY,KACtB;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAMA,IAAA,CAAK,MAAmB,SAAA,EAA2C;AACjE,IAAA,MAAM,OAAA,GAAU,SAAA,GAAY,EAAE,cAAA,EAAgB,WAAU,GAAI,MAAA;AAC5D,IAAA,OAAO,IAAA,CAAK,GAAA,CAAI,MAAA,EAAQ,UAAA,EAAY;AAAA,MAClC,IAAA,EAAM,WAAA;AAAA,MACN,IAAA;AAAA,MACA,GAAI,OAAA,GAAU,EAAE,OAAA,KAAY;AAAC,KAC9B,CAAA;AAAA,EACH;AAAA;AAAA;AAAA;AAAA,EAMA,kBACE,IAAA,EACoC;AACpC,IAAA,OAAO,IAAA,CAAK,GAAA,CAAI,MAAA,EAAQ,yBAAA,EAA2B;AAAA,MACjD,IAAA,EAAM,QAAA;AAAA,MACN;AAAA,KACD,CAAA;AAAA,EACH;AAAA,EAEA,cAAc,IAAA,EAA4D;AACxE,IAAA,OAAO,IAAA,CAAK,IAAI,MAAA,EAAQ,UAAA,EAAY,EAAE,IAAA,EAAM,eAAA,EAAiB,MAAM,CAAA;AAAA,EACrE;AAAA,EAEA,iBACE,IAAA,EACmC;AACnC,IAAA,OAAO,IAAA,CAAK,GAAA,CAAI,MAAA,EAAQ,iBAAA,EAAmB;AAAA,MACzC,IAAA,EAAM,eAAA;AAAA,MACN;AAAA,KACD,CAAA;AAAA,EACH;AAAA,EAEA,cAAc,IAAA,EAA4C;AACxD,IAAA,OAAO,IAAA,CAAK,GAAA,CAAI,MAAA,EAAQ,qBAAA,EAAuB;AAAA,MAC7C,IAAA,EAAM,eAAA;AAAA,MACN;AAAA,KACD,CAAA;AAAA,EACH;AAAA,EAEA,gBAAgB,IAAA,EAAgD;AAC9D,IAAA,OAAO,IAAA,CAAK,GAAA,CAAI,MAAA,EAAQ,uBAAA,EAAyB;AAAA,MAC/C,IAAA,EAAM,eAAA;AAAA,MACN;AAAA,KACD,CAAA;AAAA,EACH;AAAA;AAAA;AAAA;AAAA,EAMA,MAAM,cAAA,CACJ,eAAA,EACA,IAAA,EACA,cAAA,EACiC;AAOjC,IAAA,MAAM,MACJ,cAAA,IACC,MAAM,aAAA,CAAc,YAAA,EAAc,iBAAiB,IAAI,CAAA;AAC1D,IAAA,OAAO,IAAA,CAAK,GAAA;AAAA,MACV,MAAA;AAAA,MACA,CAAA,cAAA,EAAiB,kBAAA,CAAmB,eAAe,CAAC,CAAA,kBAAA,CAAA;AAAA,MACpD,EAAE,MAAM,eAAA,EAAiB,IAAA,EAAM,SAAS,EAAE,iBAAA,EAAmB,KAAI;AAAE,KACrE;AAAA,EACF;AAAA,EAEA,WAAA,CACE,eAAA,EACA,SAAA,EACA,IAAA,EAC8B;AAC9B,IAAA,OAAO,IAAA,CAAK,GAAA;AAAA,MACV,MAAA;AAAA,MACA,iBAAiB,kBAAA,CAAmB,eAAe,CAAC,CAAA,WAAA,EAAc,kBAAA,CAAmB,SAAS,CAAC,CAAA,KAAA,CAAA;AAAA,MAC/F,EAAE,IAAA,EAAM,eAAA,EAAiB,IAAA;AAAK,KAChC;AAAA,EACF;AAAA,EAEA,eAAA,CACE,iBACA,SAAA,EACkC;AAClC,IAAA,OAAO,IAAA,CAAK,GAAA;AAAA,MACV,MAAA;AAAA,MACA,iBAAiB,kBAAA,CAAmB,eAAe,CAAC,CAAA,WAAA,EAAc,kBAAA,CAAmB,SAAS,CAAC,CAAA,SAAA,CAAA;AAAA,MAC/F,EAAE,MAAM,eAAA;AAAgB,KAC1B;AAAA,EACF;AAAA,EAEA,MAAM,aAAA,CACJ,eAAA,EACA,SAAA,EACA,MACA,cAAA,EACgC;AAChC,IAAA,MAAM,GAAA,GACJ,kBACC,MAAM,aAAA,CAAc,aAAa,eAAA,EAAiB,EAAE,SAAA,EAAW,IAAA,EAAM,CAAA;AACxE,IAAA,OAAO,IAAA,CAAK,GAAA;AAAA,MACV,MAAA;AAAA,MACA,iBAAiB,kBAAA,CAAmB,eAAe,CAAC,CAAA,WAAA,EAAc,kBAAA,CAAmB,SAAS,CAAC,CAAA,OAAA,CAAA;AAAA,MAC/F,EAAE,MAAM,eAAA,EAAiB,IAAA,EAAM,SAAS,EAAE,iBAAA,EAAmB,KAAI;AAAE,KACrE;AAAA,EACF;AAAA,EAEA,UAAA,CACE,iBACA,SAAA,EAC6B;AAC7B,IAAA,OAAO,IAAA,CAAK,GAAA;AAAA,MACV,KAAA;AAAA,MACA,iBAAiB,kBAAA,CAAmB,eAAe,CAAC,CAAA,WAAA,EAAc,kBAAA,CAAmB,SAAS,CAAC,CAAA,CAAA;AAAA,MAC/F,EAAE,MAAM,QAAA;AAAS,KACnB;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAkBA,MAAM,gBAAA,CACJ,eAAA,EACA,IAAA,EACA,cAAA,EACmC;AACnC,IAAA,MAAM,MACJ,cAAA,IACC,MAAM,aAAA,CAAc,YAAA,EAAc,iBAAiB,IAAI,CAAA;AAC1D,IAAA,OAAO,IAAA,CAAK,GAAA;AAAA,MACV,MAAA;AAAA,MACA,CAAA,cAAA,EAAiB,kBAAA,CAAmB,eAAe,CAAC,CAAA,kBAAA,CAAA;AAAA,MACpD,EAAE,MAAM,WAAA,EAAa,IAAA,EAAM,SAAS,EAAE,iBAAA,EAAmB,KAAI;AAAE,KACjE;AAAA,EACF;AAAA,EAEA,aAAA,CACE,eAAA,EACA,QAAA,EACA,IAAA,EACoC;AACpC,IAAA,OAAO,IAAA,CAAK,GAAA;AAAA,MACV,MAAA;AAAA,MACA,iBAAiB,kBAAA,CAAmB,eAAe,CAAC,CAAA,WAAA,EAAc,kBAAA,CAAmB,QAAQ,CAAC,CAAA,KAAA,CAAA;AAAA,MAC9F,EAAE,IAAA,EAAM,WAAA,EAAa,IAAA;AAAK,KAC5B;AAAA,EACF;AAAA,EAEA,iBAAA,CACE,iBACA,QAAA,EACoC;AACpC,IAAA,OAAO,IAAA,CAAK,GAAA;AAAA,MACV,MAAA;AAAA,MACA,iBAAiB,kBAAA,CAAmB,eAAe,CAAC,CAAA,WAAA,EAAc,kBAAA,CAAmB,QAAQ,CAAC,CAAA,SAAA,CAAA;AAAA,MAC9F,EAAE,MAAM,WAAA;AAAY,KACtB;AAAA,EACF;AAAA,EAEA,MAAM,eAAA,CACJ,eAAA,EACA,SAAA,EACA,MACA,cAAA,EACkC;AAClC,IAAA,MAAM,GAAA,GACJ,kBACC,MAAM,aAAA,CAAc,aAAa,eAAA,EAAiB,EAAE,SAAA,EAAW,IAAA,EAAM,CAAA;AACxE,IAAA,OAAO,IAAA,CAAK,GAAA;AAAA,MACV,MAAA;AAAA,MACA,iBAAiB,kBAAA,CAAmB,eAAe,CAAC,CAAA,WAAA,EAAc,kBAAA,CAAmB,SAAS,CAAC,CAAA,OAAA,CAAA;AAAA,MAC/F,EAAE,MAAM,WAAA,EAAa,IAAA,EAAM,SAAS,EAAE,iBAAA,EAAmB,KAAI;AAAE,KACjE;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAMA,UAAA,GAAuC;AACrC,IAAA,OAAO,KAAK,GAAA,CAAI,KAAA,EAAO,eAAe,EAAE,IAAA,EAAM,iBAAiB,CAAA;AAAA,EACjE;AAAA,EAEA,SAAA,GAAqC;AACnC,IAAA,OAAO,KAAK,GAAA,CAAI,KAAA,EAAO,sBAAsB,EAAE,IAAA,EAAM,iBAAiB,CAAA;AAAA,EACxE;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAaA,UAAA,GAA0C;AACxC,IAAA,OAAO,IAAA,CAAK,GAAA,CAAI,MAAA,EAAQ,6BAAA,EAA+B;AAAA,MACrD,IAAA,EAAM;AAAA,KACP,CAAA;AAAA,EACH;AAAA,EAEA,YAAY,IAAA,EAAwD;AAClE,IAAA,OAAO,IAAA,CAAK,GAAA,CAAI,MAAA,EAAQ,8BAAA,EAAgC;AAAA,MACtD,IAAA,EAAM,eAAA;AAAA,MACN;AAAA,KACD,CAAA;AAAA,EACH;AAAA,EAEA,WAAA,GAA4C;AAC1C,IAAA,OAAO,IAAA,CAAK,GAAA,CAAI,QAAA,EAAU,sBAAA,EAAwB;AAAA,MAChD,IAAA,EAAM;AAAA,KACP,CAAA;AAAA,EACH;AAAA,EAEA,uBAAA,GAAoE;AAClE,IAAA,OAAO,IAAA,CAAK,GAAA,CAAI,MAAA,EAAQ,2CAAA,EAA6C;AAAA,MACnE,IAAA,EAAM;AAAA,KACP,CAAA;AAAA,EACH;AAAA;AAAA;AAAA;AAAA,EAMA,iBAAA,GAAwD;AACtD,IAAA,OAAO,KAAK,GAAA,CAAI,KAAA,EAAO,sBAAsB,EAAE,IAAA,EAAM,iBAAiB,CAAA;AAAA,EACxE;AAAA,EAEA,mBAAmB,GAAA,EAA4B;AAC7C,IAAA,OAAO,KAAK,GAAA,CAAI,QAAA,EAAU,sBAAsB,kBAAA,CAAmB,GAAG,CAAC,CAAA,CAAA,EAAI;AAAA,MACzE,IAAA,EAAM,eAAA;AAAA,MACN,eAAA,EAAiB;AAAA,KAClB,CAAA;AAAA,EACH;AAAA,EAEA,sBAAA,GAAwC;AACtC,IAAA,OAAO,IAAA,CAAK,GAAA,CAAI,QAAA,EAAU,oBAAA,EAAsB;AAAA,MAC9C,IAAA,EAAM,eAAA;AAAA,MACN,eAAA,EAAiB;AAAA,KAClB,CAAA;AAAA,EACH;AAAA;AAAA;AAAA;AAAA,EAMA,UAAA,GAA0C;AACxC,IAAA,OAAO,KAAK,GAAA,CAAI,KAAA,EAAO,gBAAgB,EAAE,IAAA,EAAM,UAAU,CAAA;AAAA,EAC3D;AAAA,EAEA,WAAA,GAA4C;AAC1C,IAAA,OAAO,KAAK,GAAA,CAAI,KAAA,EAAO,iBAAiB,EAAE,IAAA,EAAM,UAAU,CAAA;AAAA,EAC5D;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAmBA,gBAAgB,eAAA,EAAwD;AACtE,IAAA,OAAO,IAAA,CAAK,GAAA;AAAA,MACV,KAAA;AAAA,MACA,CAAA,cAAA,EAAiB,kBAAA,CAAmB,eAAe,CAAC,CAAA,KAAA,CAAA;AAAA,MACpD,EAAE,IAAA,EAAM,WAAA,EAAa,OAAA,EAAS,OAAA;AAAQ,KACxC;AAAA,EACF;AAAA,EAEA,wBACE,eAAA,EACiC;AACjC,IAAA,OAAO,IAAA,CAAK,GAAA;AAAA,MACV,KAAA;AAAA,MACA,CAAA,cAAA,EAAiB,kBAAA,CAAmB,eAAe,CAAC,CAAA,OAAA,CAAA;AAAA,MACpD,EAAE,IAAA,EAAM,WAAA,EAAa,OAAA,EAAS,OAAA;AAAQ,KACxC;AAAA,EACF;AAAA,EAEA,eAAA,CACE,iBACA,MAAA,EACgC;AAChC,IAAA,OAAO,IAAA,CAAK,GAAA;AAAA,MACV,KAAA;AAAA,MACA,CAAA,cAAA,EAAiB,kBAAA,CAAmB,eAAe,CAAC,CAAA,UAAA,CAAA;AAAA,MACpD,EAAE,IAAA,EAAM,WAAA,EAAa,OAAA,EAAS,OAAA,EAAS,OAAO,MAAA;AAAO,KACvD;AAAA,EACF;AAAA,EAEA,YAAA,CACE,iBACA,SAAA,EACkC;AAClC,IAAA,OAAO,IAAA,CAAK,GAAA;AAAA,MACV,KAAA;AAAA,MACA,iBAAiB,kBAAA,CAAmB,eAAe,CAAC,CAAA,WAAA,EAAc,kBAAA,CAAmB,SAAS,CAAC,CAAA,CAAA;AAAA,MAC/F,EAAE,IAAA,EAAM,WAAA,EAAa,OAAA,EAAS,OAAA;AAAQ,KACxC;AAAA,EACF;AAAA,EAEA,sBAAA,CACE,iBACA,MAAA,EACyC;AACzC,IAAA,OAAO,IAAA,CAAK,GAAA;AAAA,MACV,KAAA;AAAA,MACA,iBAAiB,kBAAA,CAAmB,eAAe,CAAC,CAAA,cAAA,EAAiB,kBAAA,CAAmB,MAAM,CAAC,CAAA,CAAA;AAAA,MAC/F,EAAE,IAAA,EAAM,WAAA,EAAa,OAAA,EAAS,OAAA;AAAQ,KACxC;AAAA,EACF;AAAA,EAEA,eAAe,MAAA,EAAiD;AAC9D,IAAA,OAAO,IAAA,CAAK,GAAA;AAAA,MACV,KAAA;AAAA,MACA,CAAA,iBAAA,EAAoB,kBAAA,CAAmB,MAAM,CAAC,CAAA,CAAA;AAAA,MAC9C,EAAE,IAAA,EAAM,WAAA,EAAa,OAAA,EAAS,OAAA;AAAQ,KACxC;AAAA,EACF;AAAA,EAEA,iBAAiB,OAAA,EAAoD;AACnE,IAAA,OAAO,IAAA,CAAK,GAAA;AAAA,MACV,KAAA;AAAA,MACA,CAAA,YAAA,EAAe,kBAAA,CAAmB,OAAO,CAAC,CAAA,QAAA,CAAA;AAAA,MAC1C,EAAE,IAAA,EAAM,WAAA,EAAa,OAAA,EAAS,OAAA;AAAQ,KACxC;AAAA,EACF;AAAA,EAEA,oBAAA,GAA2D;AACzD,IAAA,OAAO,IAAA,CAAK,GAAA,CAAI,KAAA,EAAO,wBAAA,EAA0B;AAAA,MAC/C,IAAA,EAAM,WAAA;AAAA,MACN,OAAA,EAAS;AAAA,KACV,CAAA;AAAA,EACH;AAAA,EAEA,sBAAsB,MAAA,EAMkB;AACtC,IAAA,OAAO,IAAA,CAAK,GAAA,CAAI,KAAA,EAAO,yBAAA,EAA2B;AAAA,MAChD,IAAA,EAAM,WAAA;AAAA,MACN,OAAA,EAAS,OAAA;AAAA,MACT,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,EACH;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EA8CA,MAAM,gBACJ,IAAA,EACgC;AAChC,IAAA,IAAI,CAAC,KAAK,aAAA,EAAe;AACvB,MAAA,MAAM,IAAI,oBAAA,CAAqB;AAAA,QAC7B,MAAA,EAAQ,CAAA;AAAA,QACR,OAAA,EACE;AAAA,OACH,CAAA;AAAA,IACH;AACA,IAAA,MAAM,SAAA,GAAY,MAAM,IAAA,CAAK,cAAA,EAAe;AAC5C,IAAA,MAAM,KAAA,GAAQ,IAAA,CAAK,KAAA,IAAS,aAAA,EAAc;AAC1C,IAAA,MAAM,WAAW,oBAAA,EAAqB;AACtC,IAAA,MAAM,SAAA,GAAY,MAAM,mBAAA,CAAoB,QAAQ,CAAA;AACpD,IAAA,MAAM,KAAA,GAAA,CAAS,KAAK,KAAA,IAAS,CAAC,UAAU,SAAA,EAAW,OAAO,CAAA,EAAG,IAAA,CAAK,GAAG,CAAA;AAErE,IAAA,MAAM,GAAA,GAAM,IAAI,GAAA,CAAI,SAAA,CAAU,sBAAsB,CAAA;AACpD,IAAA,GAAA,CAAI,YAAA,CAAa,GAAA,CAAI,eAAA,EAAiB,MAAM,CAAA;AAC5C,IAAA,GAAA,CAAI,YAAA,CAAa,GAAA,CAAI,WAAA,EAAa,IAAA,CAAK,aAAa,CAAA;AACpD,IAAA,GAAA,CAAI,YAAA,CAAa,GAAA,CAAI,cAAA,EAAgB,IAAA,CAAK,WAAW,CAAA;AACrD,IAAA,GAAA,CAAI,YAAA,CAAa,GAAA,CAAI,OAAA,EAAS,KAAK,CAAA;AACnC,IAAA,GAAA,CAAI,YAAA,CAAa,GAAA,CAAI,OAAA,EAAS,KAAK,CAAA;AACnC,IAAA,GAAA,CAAI,YAAA,CAAa,GAAA,CAAI,gBAAA,EAAkB,SAAS,CAAA;AAChD,IAAA,GAAA,CAAI,YAAA,CAAa,GAAA,CAAI,uBAAA,EAAyB,MAAM,CAAA;AACpD,IAAA,IAAI,KAAK,MAAA,EAAQ,GAAA,CAAI,aAAa,GAAA,CAAI,QAAA,EAAU,KAAK,MAAM,CAAA;AAE3D,IAAA,IAAA,CAAK,wBAAA,EAAyB,CAAE,GAAA,CAAI,KAAA,EAAO,QAAQ,CAAA;AACnD,IAAA,IAAA,CAAK,cAAc,GAAA,CAAI,KAAA,EAAO,EAAE,WAAA,EAAa,IAAA,CAAK,aAAa,CAAA;AAE/D,IAAA,OAAO,EAAE,gBAAA,EAAkB,GAAA,CAAI,QAAA,IAAY,KAAA,EAAM;AAAA,EACnD;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAoBA,MAAM,mBACJ,WAAA,EAC6B;AAC7B,IAAA,IAAI,CAAC,KAAK,aAAA,EAAe;AACvB,MAAA,MAAM,IAAI,oBAAA,CAAqB;AAAA,QAC7B,MAAA,EAAQ,CAAA;AAAA,QACR,OAAA,EACE;AAAA,OACH,CAAA;AAAA,IACH;AAEA,IAAA,MAAM,MAAM,WAAA,YAAuB,GAAA,GAAM,WAAA,GAAc,IAAI,IAAI,WAAW,CAAA;AAC1E,IAAA,MAAM,IAAA,GAAO,GAAA,CAAI,YAAA,CAAa,GAAA,CAAI,MAAM,CAAA;AACxC,IAAA,MAAM,KAAA,GAAQ,GAAA,CAAI,YAAA,CAAa,GAAA,CAAI,OAAO,CAAA;AAC1C,IAAA,MAAM,KAAA,GAAQ,GAAA,CAAI,YAAA,CAAa,GAAA,CAAI,OAAO,CAAA;AAC1C,IAAA,IAAI,KAAA,EAAO;AACT,MAAA,MAAM,IAAI,oBAAA,CAAqB;AAAA,QAC7B,MAAA,EAAQ,CAAA;AAAA,QACR,SAAS,CAAA,gCAAA,EAAmC,KAAK,CAAA,EAC/C,GAAA,CAAI,aAAa,GAAA,CAAI,mBAAmB,CAAA,GACpC,CAAA,EAAA,EAAK,IAAI,YAAA,CAAa,GAAA,CAAI,mBAAmB,CAAC,MAC9C,EACN,CAAA,CAAA;AAAA,QACA,UAAA,EAAY;AAAA,OACb,CAAA;AAAA,IACH;AACA,IAAA,IAAI,CAAC,IAAA,IAAQ,CAAC,KAAA,EAAO;AACnB,MAAA,MAAM,IAAI,oBAAA,CAAqB;AAAA,QAC7B,MAAA,EAAQ,CAAA;AAAA,QACR,OAAA,EACE;AAAA,OACH,CAAA;AAAA,IACH;AACA,IAAA,MAAM,OAAA,GAAU,KAAK,wBAAA,EAAyB;AAC9C,IAAA,MAAM,QAAA,GAAW,OAAA,CAAQ,GAAA,CAAI,KAAK,CAAA;AAClC,IAAA,IAAI,CAAC,QAAA,EAAU;AACb,MAAA,MAAM,IAAI,oBAAA,CAAqB;AAAA,QAC7B,MAAA,EAAQ,CAAA;AAAA,QACR,OAAA,EACE;AAAA,OACH,CAAA;AAAA,IACH;AACA,IAAA,MAAM,OAAA,GAAU,IAAA,CAAK,aAAA,CAAc,GAAA,CAAI,KAAK,CAAA;AAC5C,IAAA,IAAI,CAAC,OAAA,EAAS;AAIZ,MAAA,OAAA,CAAQ,OAAO,KAAK,CAAA;AACpB,MAAA,MAAM,IAAI,oBAAA,CAAqB;AAAA,QAC7B,MAAA,EAAQ,CAAA;AAAA,QACR,OAAA,EACE;AAAA,OACH,CAAA;AAAA,IACH;AAEA,IAAA,MAAM,SAAA,GAAY,MAAM,IAAA,CAAK,cAAA,EAAe;AAC5C,IAAA,MAAM,IAAA,GAAO,IAAI,eAAA,EAAgB;AACjC,IAAA,IAAA,CAAK,GAAA,CAAI,cAAc,oBAAoB,CAAA;AAC3C,IAAA,IAAA,CAAK,GAAA,CAAI,QAAQ,IAAI,CAAA;AACrB,IAAA,IAAA,CAAK,GAAA,CAAI,cAAA,EAAgB,OAAA,CAAQ,WAAW,CAAA;AAC5C,IAAA,IAAA,CAAK,GAAA,CAAI,WAAA,EAAa,IAAA,CAAK,aAAa,CAAA;AACxC,IAAA,IAAA,CAAK,GAAA,CAAI,iBAAiB,QAAQ,CAAA;AAElC,IAAA,MAAM,SAAS,MAAM,IAAA,CAAK,iBAAA,CAAkB,SAAA,CAAU,gBAAgB,IAAI,CAAA;AAC1E,IAAA,OAAA,CAAQ,OAAO,KAAK,CAAA;AACpB,IAAA,IAAA,CAAK,aAAA,CAAc,OAAO,KAAK,CAAA;AAC/B,IAAA,OAAO,IAAA,CAAK,qBAAqB,MAAM,CAAA;AAAA,EACzC;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAkBA,MAAM,kBAAA,GAAkD;AACtD,IAAA,IAAI,IAAA,CAAK,eAAA,EAAiB,OAAO,IAAA,CAAK,eAAA;AACtC,IAAA,IAAA,CAAK,mBAAmB,YAAY;AAClC,MAAA,IAAI;AACF,QAAA,OAAO,MAAM,KAAK,0BAAA,EAA2B;AAAA,MAC/C,CAAA,SAAE;AACA,QAAA,IAAA,CAAK,eAAA,GAAkB,MAAA;AAAA,MACzB;AAAA,IACF,CAAA,GAAG;AACH,IAAA,OAAO,IAAA,CAAK,eAAA;AAAA,EACd;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAcA,OAAA,GAAgB;AACd,IAAA,IAAA,CAAK,WAAA,GAAc,MAAA;AACnB,IAAA,IAAA,CAAK,YAAA,GAAe,MAAA;AAMpB,IAAA,IAAA,CAAK,gBAAA,GAAmB,KAAA;AACxB,IAAA,IAAA,CAAK,cAAc,KAAA,EAAM;AAAA,EAK3B;AAAA;AAAA;AAAA;AAAA,EAMQ,wBAAA,GAAgD;AACtD,IAAA,IAAI,IAAA,CAAK,eAAA,EAAiB,OAAO,IAAA,CAAK,eAAA;AACtC,IAAA,OAAO,sBAAA,EAAuB;AAAA,EAChC;AAAA,EAEA,MAAc,cAAA,GAA6C;AACzD,IAAA,IAAI,IAAA,CAAK,cAAA,EAAgB,OAAO,IAAA,CAAK,cAAA;AACrC,IAAA,IAAA,CAAK,kBAAkB,YAAY;AACjC,MAAA,MAAM,GAAA,GAAM,CAAA,EAAG,IAAA,CAAK,OAAO,CAAA,iCAAA,CAAA;AAC3B,MAAA,IAAI,GAAA;AACJ,MAAA,IAAI;AACF,QAAA,GAAA,GAAM,MAAM,IAAA,CAAK,SAAA,CAAU,GAAA,EAAK;AAAA,UAC9B,MAAA,EAAQ,KAAA;AAAA,UACR,OAAA,EAAS,EAAE,MAAA,EAAQ,kBAAA;AAAmB,SACvC,CAAA;AAAA,MACH,SAAS,GAAA,EAAK;AACZ,QAAA,IAAA,CAAK,cAAA,GAAiB,MAAA;AACtB,QAAA,MAAM,IAAI,oBAAA,CAAqB;AAAA,UAC7B,MAAA,EAAQ,CAAA;AAAA,UACR,SACE,GAAA,YAAe,KAAA,GACX,CAAA,6BAAA,EAAgC,GAAA,CAAI,OAAO,CAAA,CAAA,GAC3C;AAAA,SACP,CAAA;AAAA,MACH;AACA,MAAA,IAAI,CAAC,IAAI,EAAA,EAAI;AACX,QAAA,IAAA,CAAK,cAAA,GAAiB,MAAA;AACtB,QAAA,MAAM,IAAI,oBAAA,CAAqB;AAAA,UAC7B,QAAQ,GAAA,CAAI,MAAA;AAAA,UACZ,OAAA,EAAS,CAAA,kCAAA,EAAqC,GAAA,CAAI,MAAM,CAAA;AAAA,SACzD,CAAA;AAAA,MACH;AACA,MAAA,MAAM,MAAA,GAAU,MAAM,GAAA,CAAI,IAAA,EAAK;AAC/B,MAAA,IAAI,CAAC,MAAA,CAAO,sBAAA,IAA0B,CAAC,OAAO,cAAA,EAAgB;AAC5D,QAAA,IAAA,CAAK,cAAA,GAAiB,MAAA;AACtB,QAAA,MAAM,IAAI,oBAAA,CAAqB;AAAA,UAC7B,MAAA,EAAQ,CAAA;AAAA,UACR,OAAA,EACE;AAAA,SACH,CAAA;AAAA,MACH;AACA,MAAA,OAAO;AAAA,QACL,wBAAwB,MAAA,CAAO,sBAAA;AAAA,QAC/B,gBAAgB,MAAA,CAAO,cAAA;AAAA,QACvB,MAAA,EAAQ,MAAA,CAAO,MAAA,IAAU,IAAA,CAAK;AAAA,OAChC;AAAA,IACF,CAAA,GAAG;AACH,IAAA,OAAO,IAAA,CAAK,cAAA;AAAA,EACd;AAAA,EAEA,MAAc,iBAAA,CACZ,QAAA,EACA,IAAA,EACwB;AACxB,IAAA,MAAM,UAAA,GAAa,IAAI,eAAA,EAAgB;AACvC,IAAA,MAAM,QAAQ,UAAA,CAAW,MAAM,WAAW,KAAA,EAAM,EAAG,KAAK,OAAO,CAAA;AAC/D,IAAA,IAAI,GAAA;AACJ,IAAA,IAAI;AACF,MAAA,GAAA,GAAM,MAAM,IAAA,CAAK,SAAA,CAAU,QAAA,EAAU;AAAA,QACnC,MAAA,EAAQ,MAAA;AAAA,QACR,OAAA,EAAS;AAAA,UACP,MAAA,EAAQ,kBAAA;AAAA,UACR,cAAA,EAAgB;AAAA,SAClB;AAAA,QACA,IAAA,EAAM,KAAK,QAAA,EAAS;AAAA,QACpB,QAAQ,UAAA,CAAW,MAAA;AAAA;AAAA;AAAA,QAGnB,WAAA,EAAa;AAAA,OACd,CAAA;AAAA,IACH,SAAS,GAAA,EAAK;AACZ,MAAA,MAAM,IAAI,oBAAA,CAAqB;AAAA,QAC7B,MAAA,EAAQ,CAAA;AAAA,QACR,SACE,GAAA,YAAe,KAAA,GACX,CAAA,6BAAA,EAAgC,GAAA,CAAI,OAAO,CAAA,CAAA,GAC3C;AAAA,OACP,CAAA;AAAA,IACH,CAAA,SAAE;AACA,MAAA,YAAA,CAAa,KAAK,CAAA;AAAA,IACpB;AAEA,IAAA,MAAM,IAAA,GAAO,MAAM,GAAA,CAAI,IAAA,EAAK;AAC5B,IAAA,IAAI,MAAA,GAAkB,IAAA;AACtB,IAAA,IAAI,IAAA,CAAK,SAAS,CAAA,EAAG;AACnB,MAAA,IAAI;AACF,QAAA,MAAA,GAAS,IAAA,CAAK,MAAM,IAAI,CAAA;AAAA,MAC1B,CAAA,CAAA,MAAQ;AAAA,MAER;AAAA,IACF;AACA,IAAA,IAAI,CAAC,IAAI,EAAA,EAAI;AACX,MAAA,MAAM,IAAA,CAAK,aAAA,CAAc,GAAA,CAAI,MAAA,EAAQ,QAAQ,IAAI,CAAA;AAAA,IACnD;AACA,IAAA,OAAO,MAAA;AAAA,EACT;AAAA,EAEQ,qBAAqB,MAAA,EAA2C;AACtE,IAAA,IAAI,CAAC,OAAO,YAAA,EAAc;AACxB,MAAA,MAAM,IAAI,oBAAA,CAAqB;AAAA,QAC7B,MAAA,EAAQ,CAAA;AAAA,QACR,OAAA,EAAS;AAAA,OACV,CAAA;AAAA,IACH;AACA,IAAA,IAAA,CAAK,cAAc,MAAA,CAAO,YAAA;AAC1B,IAAA,IAAI,OAAO,aAAA,EAAe;AAGxB,MAAA,IAAA,CAAK,eAAe,MAAA,CAAO,aAAA;AAAA,IAC7B,CAAA,MAAO;AAIL,MAAA,IAAA,CAAK,YAAA,GAAe,MAAA;AACpB,MAAA,IAAA,CAAK,gBAAA,GAAmB,IAAA;AAAA,IAC1B;AAGA,IAAA,MAAM,aAAa,OAAO,MAAA,CAAO,UAAA,KAAe,QAAA,GAAW,OAAO,UAAA,GAAa,IAAA;AAC/E,IAAA,MAAM,YAAY,IAAA,CAAK,KAAA,CAAM,KAAK,GAAA,EAAI,GAAI,GAAI,CAAA,GAAI,UAAA;AAClD,IAAA,OAAO,EAAE,WAAA,EAAa,MAAA,CAAO,YAAA,EAAc,SAAA,EAAU;AAAA,EACvD;AAAA,EAEA,MAAc,0BAAA,GAA0D;AACtE,IAAA,IAAI,CAAC,KAAK,aAAA,EAAe;AACvB,MAAA,MAAM,IAAI,oBAAA,CAAqB;AAAA,QAC7B,MAAA,EAAQ,CAAA;AAAA,QACR,OAAA,EACE;AAAA,OACH,CAAA;AAAA,IACH;AACA,IAAA,IAAI,CAAC,IAAA,CAAK,YAAA,IAAgB,CAAC,KAAK,gBAAA,EAAkB;AAChD,MAAA,MAAM,IAAI,oBAAA,CAAqB;AAAA,QAC7B,MAAA,EAAQ,CAAA;AAAA,QACR,OAAA,EACE;AAAA,OACH,CAAA;AAAA,IACH;AACA,IAAA,MAAM,SAAA,GAAY,MAAM,IAAA,CAAK,cAAA,EAAe;AAC5C,IAAA,MAAM,IAAA,GAAO,IAAI,eAAA,EAAgB;AACjC,IAAA,IAAA,CAAK,GAAA,CAAI,cAAc,eAAe,CAAA;AACtC,IAAA,IAAA,CAAK,GAAA,CAAI,WAAA,EAAa,IAAA,CAAK,aAAa,CAAA;AACxC,IAAA,IAAI,KAAK,YAAA,EAAc;AAGrB,MAAA,IAAA,CAAK,GAAA,CAAI,eAAA,EAAiB,IAAA,CAAK,YAAY,CAAA;AAAA,IAC7C;AAKA,IAAA,IAAI;AACF,MAAA,MAAM,SAAS,MAAM,IAAA,CAAK,iBAAA,CAAkB,SAAA,CAAU,gBAAgB,IAAI,CAAA;AAC1E,MAAA,OAAO,IAAA,CAAK,qBAAqB,MAAM,CAAA;AAAA,IACzC,SAAS,GAAA,EAAK;AAOZ,MAAA,IAAA,CAAK,WAAA,GAAc,MAAA;AACnB,MAAA,IAAA,CAAK,YAAA,GAAe,MAAA;AACpB,MAAA,IAAA,CAAK,gBAAA,GAAmB,KAAA;AACxB,MAAA,MAAM,GAAA;AAAA,IACR;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA,EAOA,MAAc,GAAA,CACZ,MAAA,EACA,IAAA,EACA,IAAA,EACY;AAMZ,IAAA,MAAM,aAAA,GAAgB,IAAA,CAAK,kBAAA,CAAmB,IAAA,EAAM,KAAK,KAAK,CAAA;AAC9D,IAAA,MAAM,IAAA,GAAO,IAAA,CAAK,cAAA,CAAe,IAAA,CAAK,OAAO,CAAA;AAC7C,IAAA,MAAM,GAAA,GAAM,CAAA,EAAG,IAAI,CAAA,EAAG,aAAa,CAAA,CAAA;AACnC,IAAA,MAAM,OAAA,GAAkC;AAAA,MACtC,MAAA,EAAQ,kBAAA;AAAA,MACR,GAAI,IAAA,CAAK,OAAA,IAAW;AAAC,KACvB;AAEA,IAAA,IAAI,IAAA,CAAK,SAAS,MAAA,EAAW;AAC3B,MAAA,OAAA,CAAQ,cAAc,CAAA,GAAI,kBAAA;AAAA,IAC5B;AAEA,IAAA,MAAM,UAAA,GACJ,KAAK,IAAA,KAAS,MAAA,GAAY,KAAK,SAAA,CAAU,IAAA,CAAK,IAAI,CAAA,GAAI,MAAA;AAExD,IAAA,MAAM,IAAA,CAAK,SAAA;AAAA,MACT,OAAA;AAAA,MACA,IAAA,CAAK,IAAA;AAAA,MACL,MAAA;AAAA,MACA,aAAA;AAAA,MACA,UAAA,IAAc;AAAA,KAChB;AAEA,IAAA,MAAM,UAAA,GAAa,IAAI,eAAA,EAAgB;AACvC,IAAA,MAAM,QAAQ,UAAA,CAAW,MAAM,WAAW,KAAA,EAAM,EAAG,KAAK,OAAO,CAAA;AAE/D,IAAA,IAAI,GAAA;AACJ,IAAA,IAAI;AACF,MAAA,GAAA,GAAM,MAAM,IAAA,CAAK,SAAA,CAAU,GAAA,EAAK;AAAA,QAC9B,MAAA;AAAA,QACA,OAAA;AAAA,QACA,IAAA,EAAM,UAAA;AAAA,QACN,QAAQ,UAAA,CAAW,MAAA;AAAA;AAAA;AAAA,QAGnB,WAAA,EAAa;AAAA,OACd,CAAA;AAAA,IACH,SAAS,GAAA,EAAK;AACZ,MAAA,MAAM,IAAI,oBAAA,CAAqB;AAAA,QAC7B,MAAA,EAAQ,CAAA;AAAA,QACR,OAAA,EACE,GAAA,YAAe,KAAA,GACX,CAAA,yBAAA,EAA4B,IAAI,KAAK,GAAA,CAAI,OAAO,CAAA,CAAA,GAChD,CAAA,yBAAA,EAA4B,IAAI,CAAA;AAAA,OACvC,CAAA;AAAA,IACH,CAAA,SAAE;AACA,MAAA,YAAA,CAAa,KAAK,CAAA;AAAA,IACpB;AAEA,IAAA,IAAI,KAAK,eAAA,EAAiB;AACxB,MAAA,IAAI,CAAC,IAAI,EAAA,EAAI;AACX,QAAA,IAAI,MAAM,IAAA,CAAK,qBAAA,CAAsB,GAAA,EAAK,IAAI,CAAA,EAAG;AAC/C,UAAA,OAAO,IAAA,CAAK,IAAO,MAAA,EAAQ,IAAA,EAAM,EAAE,GAAG,IAAA,EAAM,QAAA,EAAU,IAAA,EAAM,CAAA;AAAA,QAC9D;AACA,QAAA,MAAM,MAAM,IAAA,CAAK,UAAA,CAAW,GAAG,CAAA;AAAA,MACjC;AACA,MAAA,OAAO,MAAA;AAAA,IACT;AAEA,IAAA,MAAM,IAAA,GAAO,MAAM,GAAA,CAAI,IAAA,EAAK;AAC5B,IAAA,IAAI,MAAA,GAAkB,IAAA;AACtB,IAAA,IAAI,IAAA,CAAK,SAAS,CAAA,EAAG;AACnB,MAAA,IAAI;AACF,QAAA,MAAA,GAAS,IAAA,CAAK,MAAM,IAAI,CAAA;AAAA,MAC1B,CAAA,CAAA,MAAQ;AAAA,MAER;AAAA,IACF;AAEA,IAAA,IAAI,CAAC,IAAI,EAAA,EAAI;AACX,MAAA,IAAI,MAAM,IAAA,CAAK,2BAAA,CAA4B,IAAI,MAAA,EAAQ,MAAA,EAAQ,IAAI,CAAA,EAAG;AACpE,QAAA,OAAO,IAAA,CAAK,IAAO,MAAA,EAAQ,IAAA,EAAM,EAAE,GAAG,IAAA,EAAM,QAAA,EAAU,IAAA,EAAM,CAAA;AAAA,MAC9D;AACA,MAAA,MAAM,IAAA,CAAK,aAAA,CAAc,GAAA,CAAI,MAAA,EAAQ,QAAQ,IAAI,CAAA;AAAA,IACnD;AAEA,IAAA,OAAO,MAAA;AAAA,EACT;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAmBA,MAAc,qBAAA,CACZ,GAAA,EACA,IAAA,EACkB;AAClB,IAAA,IAAI,IAAA,CAAK,UAAU,OAAO,KAAA;AAC1B,IAAA,IAAI,IAAA,CAAK,IAAA,KAAS,WAAA,EAAa,OAAO,KAAA;AACtC,IAAA,IAAI,GAAA,CAAI,MAAA,KAAW,GAAA,EAAK,OAAO,KAAA;AAC/B,IAAA,IAAI,CAAC,IAAA,CAAK,YAAA,IAAgB,CAAC,IAAA,CAAK,kBAAkB,OAAO,KAAA;AACzD,IAAA,IAAI;AACF,MAAA,MAAM,KAAK,kBAAA,EAAmB;AAC9B,MAAA,OAAO,IAAA;AAAA,IACT,CAAA,CAAA,MAAQ;AACN,MAAA,OAAO,KAAA;AAAA,IACT;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAUA,MAAc,2BAAA,CACZ,MAAA,EACA,MAAA,EACA,IAAA,EACkB;AAClB,IAAA,IAAI,IAAA,CAAK,UAAU,OAAO,KAAA;AAC1B,IAAA,IAAI,IAAA,CAAK,IAAA,KAAS,WAAA,EAAa,OAAO,KAAA;AACtC,IAAA,IAAI,MAAA,KAAW,KAAK,OAAO,KAAA;AAC3B,IAAA,IAAI,CAAC,IAAA,CAAK,YAAA,IAAgB,CAAC,IAAA,CAAK,kBAAkB,OAAO,KAAA;AACzD,IAAA,MAAM,IAAA,GAAO,MAAA;AACb,IAAA,MAAM,QAAQ,OAAO,IAAA,EAAM,KAAA,KAAU,QAAA,GAAW,KAAK,KAAA,GAAQ,MAAA;AAC7D,IAAA,IAAI,KAAA,KAAU,MAAA,IAAa,KAAA,KAAU,eAAA,IAAmB,UAAU,eAAA,EAAiB;AACjF,MAAA,OAAO,KAAA;AAAA,IACT;AACA,IAAA,IAAI;AACF,MAAA,MAAM,KAAK,kBAAA,EAAmB;AAC9B,MAAA,OAAO,IAAA;AAAA,IACT,CAAA,CAAA,MAAQ;AAIN,MAAA,OAAO,KAAA;AAAA,IACT;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQQ,eAAe,OAAA,EAAmD;AACxE,IAAA,IAAI,YAAY,OAAA,EAAS;AACvB,MAAA,IAAI,CAAC,KAAK,YAAA,EAAc;AACtB,QAAA,MAAM,IAAI,oBAAA,CAAqB;AAAA,UAC7B,MAAA,EAAQ,CAAA;AAAA,UACR,OAAA,EACE;AAAA,SACH,CAAA;AAAA,MACH;AACA,MAAA,OAAO,IAAA,CAAK,YAAA;AAAA,IACd;AACA,IAAA,OAAO,IAAA,CAAK,OAAA;AAAA,EACd;AAAA,EAEQ,kBAAA,CACN,MACA,KAAA,EACQ;AACR,IAAA,IAAI,CAAC,OAAO,OAAO,IAAA;AACnB,IAAA,MAAM,EAAA,GAAK,IAAI,eAAA,EAAgB;AAC/B,IAAA,KAAA,MAAW,CAAC,CAAA,EAAG,CAAC,KAAK,MAAA,CAAO,OAAA,CAAQ,KAAK,CAAA,EAAG;AAC1C,MAAA,IAAI,MAAM,MAAA,EAAW,EAAA,CAAG,IAAI,CAAA,EAAG,MAAA,CAAO,CAAC,CAAC,CAAA;AAAA,IAC1C;AACA,IAAA,MAAM,MAAA,GAAS,GAAG,QAAA,EAAS;AAC3B,IAAA,OAAO,MAAA,GAAS,CAAA,EAAG,IAAI,CAAA,CAAA,EAAI,MAAM,CAAA,CAAA,GAAK,IAAA;AAAA,EACxC;AAAA,EAEA,MAAc,SAAA,CACZ,OAAA,EACA,IAAA,EACA,MAAA,EACA,MACA,UAAA,EACe;AACf,IAAA,QAAQ,IAAA;AAAM,MACZ,KAAK,QAAA;AACH,QAAA;AAAA,MACF,KAAK,eAAA,EAAiB;AACpB,QAAA,IAAI,IAAA,CAAK,IAAI,aAAA,EAAe;AAI1B,UAAA,OAAA,CAAQ,QAAQ,CAAA,GAAI,CAAA,YAAA,EAAe,IAAA,CAAK,IAAI,aAAa,CAAA,CAAA;AAAA,QAC3D;AACA,QAAA;AAAA,MACF;AAAA,MACA,KAAK,WAAA,EAAa;AAChB,QAAA,IAAI,CAAC,KAAK,WAAA,EAAa;AACrB,UAAA,MAAM,IAAI,KAAA;AAAA,YACR,CAAA,oBAAA,EAAuB,MAAM,CAAA,CAAA,EAAI,IAAI,CAAA,2IAAA;AAAA,WACvC;AAAA,QACF;AACA,QAAA,OAAA,CAAQ,eAAe,CAAA,GAAI,CAAA,OAAA,EAAU,IAAA,CAAK,WAAW,CAAA,CAAA;AACrD,QAAA;AAAA,MACF;AAAA,MACA,KAAK,WAAA,EAAa;AAChB,QAAA,IAAI,CAAC,IAAA,CAAK,GAAA,CAAI,SAAA,EAAW;AACvB,UAAA,MAAM,IAAI,KAAA;AAAA,YACR,CAAA,oBAAA,EAAuB,MAAM,CAAA,CAAA,EAAI,IAAI,CAAA,yEAAA;AAAA,WACvC;AAAA,QACF;AACA,QAAA,OAAA,CAAQ,eAAe,CAAA,GAAI,CAAA,OAAA,EAAU,IAAA,CAAK,IAAI,SAAS,CAAA,CAAA;AACvD,QAAA;AAAA,MACF;AAAA,MACA,KAAK,YAAA,EAAc;AACjB,QAAA,IAAI,CAAC,IAAA,CAAK,GAAA,CAAI,UAAA,EAAY;AACxB,UAAA,MAAM,IAAI,KAAA;AAAA,YACR,CAAA,oBAAA,EAAuB,MAAM,CAAA,CAAA,EAAI,IAAI,CAAA,iEAAA;AAAA,WACvC;AAAA,QACF;AACA,QAAA,OAAA,CAAQ,eAAe,CAAA,GAAI,CAAA,OAAA,EAAU,IAAA,CAAK,IAAI,UAAU,CAAA,CAAA;AACxD,QAAA;AAAA,MACF;AAAA,MACA,KAAK,eAAA,EAAiB;AACpB,QAAA,IAAI,CAAC,IAAA,CAAK,GAAA,CAAI,aAAA,EAAe;AAC3B,UAAA,MAAM,IAAI,KAAA;AAAA,YACR,CAAA,oBAAA,EAAuB,MAAM,CAAA,CAAA,EAAI,IAAI,CAAA,6EAAA;AAAA,WACvC;AAAA,QACF;AACA,QAAA,MAAM,SAAA,GAAY,KAAK,KAAA,CAAM,IAAA,CAAK,KAAI,GAAI,GAAI,EAAE,QAAA,EAAS;AACzD,QAAA,MAAM,QAAA,GAAW,MAAM,SAAA,CAAU,UAAU,CAAA;AAS3C,QAAA,MAAM,OAAA,GAAU,OAAA,CAAQ,iBAAiB,CAAA,IAAK,EAAA;AAC9C,QAAA,MAAM,SAAA,GAAY,CAAA,EAAG,MAAA,CAAO,WAAA,EAAa;AAAA,EAAK,IAAI;AAAA,EAAK,SAAS;AAAA,EAAK,OAAO;AAAA,EAAK,QAAQ,CAAA,CAAA;AACzF,QAAA,MAAM,YAAY,MAAM,IAAA,CAAK,GAAA,CAAI,aAAA,CAAc,KAAK,SAAS,CAAA;AAC7D,QAAA,OAAA,CAAQ,eAAe,CAAA,GAAI,IAAA,CAAK,GAAA,CAAI,aAAA,CAAc,YAAA;AAClD,QAAA,OAAA,CAAQ,qBAAqB,CAAA,GAAI,SAAA;AACjC,QAAA,OAAA,CAAQ,qBAAqB,CAAA,GAAI,SAAA;AACjC,QAAA;AAAA,MACF;AAAA;AACF,EACF;AAAA,EAEQ,aAAA,CACN,MAAA,EACA,MAAA,EACA,OAAA,EACsB;AACtB,IAAA,MAAM,IAAA,GAAO,MAAA;AAGb,IAAA,MAAM,OAAA,GAAU,MAAM,OAAA,CAAQ,IAAA,EAAM,OAAO,CAAA,GACvC,IAAA,CAAM,QAAQ,IAAA,CAAK,IAAI,IACvB,OAAO,IAAA,EAAM,YAAY,QAAA,GACvB,IAAA,CAAM,UACN,IAAA,EAAM,KAAA,IAAS,QAAQ,MAAM,CAAA,CAAA;AACnC,IAAA,OAAO,IAAI,oBAAA,CAAqB;AAAA,MAC9B,MAAA;AAAA,MACA,OAAA;AAAA,MACA,YAAY,IAAA,EAAM,KAAA;AAAA,MAClB,MAAM,MAAA,IAAU;AAAA,KACjB,CAAA;AAAA,EACH;AAAA,EAEA,MAAc,WAAW,GAAA,EAA8C;AACrE,IAAA,MAAM,IAAA,GAAO,MAAM,GAAA,CAAI,IAAA,EAAK;AAC5B,IAAA,IAAI,MAAA,GAAkB,IAAA;AACtB,IAAA,IAAI,IAAA,CAAK,SAAS,CAAA,EAAG;AACnB,MAAA,IAAI;AACF,QAAA,MAAA,GAAS,IAAA,CAAK,MAAM,IAAI,CAAA;AAAA,MAC1B,CAAA,CAAA,MAAQ;AAAA,MAER;AAAA,IACF;AACA,IAAA,OAAO,IAAA,CAAK,aAAA,CAAc,GAAA,CAAI,MAAA,EAAQ,QAAQ,IAAI,CAAA;AAAA,EACpD;AACF;AAaO,IAAM,gBAAN,MAAoB;AAAA,EACzB,YAA6B,MAAA,EAA4B;AAA5B,IAAA,IAAA,CAAA,MAAA,GAAA,MAAA;AAAA,EAA6B;AAAA,EAA7B,MAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAO7B,UAAU,IAAA,EAAkD;AAC1D,IAAA,OAAO,IAAA,CAAK,MAAA,CAAO,qBAAA,CAAsB,IAAI,CAAA;AAAA,EAC/C;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOA,MAAA,GAAkC;AAChC,IAAA,OAAO,IAAA,CAAK,OAAO,mBAAA,EAAoB;AAAA,EACzC;AAAA;AAAA,EAGA,SAAA,GAAqC;AACnC,IAAA,OAAO,IAAA,CAAK,OAAO,SAAA,EAAU;AAAA,EAC/B;AACF;AAGO,IAAM,gBAAN,MAAoB;AAAA,EACzB,YAA6B,MAAA,EAA4B;AAA5B,IAAA,IAAA,CAAA,MAAA,GAAA,MAAA;AAAA,EAA6B;AAAA,EAA7B,MAAA;AAAA;AAAA,EAG7B,KAAK,KAAA,EAGkC;AACrC,IAAA,OAAO,IAAA,CAAK,MAAA,CAAO,iBAAA,CAAkB,KAAK,CAAA;AAAA,EAC5C;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAmBA,MAAM,UACJ,IAAA,EACsC;AACtC,IAAA,MAAM,IAAA,GAAO,MAAM,IAAA,CAAK,MAAA,CAAO,mBAAA,CAAoB;AAAA,MACjD,iBAAiB,IAAA,CAAK;AAAA,KACvB,CAAA;AACD,IAAA,MAAM,iBAAiB,MAAM,IAAA,CAAK,WAAA,CAAY,IAAA,CAAK,KAAK,aAAa,CAAA;AACrE,IAAA,IAAI,GAAA,GAAM,MAAM,IAAA,CAAK,MAAA,CAAO,mBAAmB,IAAA,CAAK,EAAA,EAAI,EAAE,cAAA,EAAgB,CAAA;AAE1E,IAAA,IAAI,CAAC,IAAI,SAAA,EAAW;AAClB,MAAA,MAAM,QAAA,GAAW,KAAK,cAAA,IAAkB,GAAA;AACxC,MAAA,MAAM,OAAA,GAAU,KAAK,aAAA,IAAiB,GAAA;AACtC,MAAA,MAAM,QAAA,GAAW,IAAA,CAAK,GAAA,EAAI,GAAI,OAAA;AAC9B,MAAA,OAAO,CAAC,GAAA,CAAI,SAAA,IAAa,IAAA,CAAK,GAAA,KAAQ,QAAA,EAAU;AAC9C,QAAA,MAAM,MAAM,QAAQ,CAAA;AACpB,QAAA,GAAA,GAAM,MAAM,IAAA,CAAK,MAAA,CAAO,mBAAmB,IAAA,CAAK,EAAA,EAAI,EAAE,CAAA;AAAA,MACxD;AAAA,IACF;AAEA,IAAA,OAAO;AAAA,MACL,IAAI,IAAA,CAAK,EAAA;AAAA,MACT,WAAW,IAAA,CAAK,SAAA;AAAA,MAChB,iBAAiB,GAAA,CAAI,eAAA;AAAA,MACrB,WAAW,GAAA,CAAI,SAAA;AAAA,MACf,aAAa,GAAA,CAAI;AAAA,KACnB;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQA,OAAO,EAAA,EAAiD;AACtD,IAAA,OAAO,IAAA,CAAK,MAAA,CAAO,kBAAA,CAAmB,EAAE,CAAA;AAAA,EAC1C;AACF;AAUO,IAAM,cAAN,MAAkB;AAAA,EACvB,YAA6B,MAAA,EAA4B;AAA5B,IAAA,IAAA,CAAA,MAAA,GAAA,MAAA;AAAA,EAA6B;AAAA,EAA7B,MAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAO7B,MAAM,IAAA,GAAgD;AACpD,IAAA,MAAM,OAAA,GAAU,MAAM,IAAA,CAAK,MAAA,CAAO,UAAA,EAAW;AAC7C,IAAA,OAAO,OAAA,CAAQ,WAAA;AAAA,EACjB;AAAA,EAEA,IAAI,IAAA,EAA4D;AAC9D,IAAA,OAAO,IAAA,CAAK,MAAA,CAAO,aAAA,CAAc,IAAI,CAAA;AAAA,EACvC;AAAA,EAEA,OAAO,IAAA,EAAkE;AACvE,IAAA,OAAO,IAAA,CAAK,MAAA,CAAO,gBAAA,CAAiB,IAAI,CAAA;AAAA,EAC1C;AACF;AAGO,IAAM,iBAAN,MAAqB;AAAA,EACjB,QAAA;AAAA,EACT,YAAY,MAAA,EAA4B;AACtC,IAAA,IAAA,CAAK,QAAA,GAAW,IAAI,aAAA,CAAc,MAAM,CAAA;AAAA,EAC1C;AACF;AAEO,IAAM,gBAAN,MAAoB;AAAA,EACzB,YAA6B,MAAA,EAA4B;AAA5B,IAAA,IAAA,CAAA,MAAA,GAAA,MAAA;AAAA,EAA6B;AAAA,EAA7B,MAAA;AAAA,EAE7B,IAAA,GAA2C;AACzC,IAAA,OAAO,IAAA,CAAK,OAAO,iBAAA,EAAkB;AAAA,EACvC;AAAA,EAEA,OAAO,GAAA,EAA4B;AACjC,IAAA,OAAO,IAAA,CAAK,MAAA,CAAO,kBAAA,CAAmB,GAAG,CAAA;AAAA,EAC3C;AAAA,EAEA,SAAA,GAA2B;AACzB,IAAA,OAAO,IAAA,CAAK,OAAO,sBAAA,EAAuB;AAAA,EAC5C;AACF;AASO,IAAM,eAAN,MAAmB;AAAA,EACf,IAAA;AAAA,EACA,aAAA;AAAA,EACT,YAAY,MAAA,EAA4B;AACtC,IAAA,IAAA,CAAK,IAAA,GAAO,IAAI,OAAA,CAAQ,MAAM,CAAA;AAC9B,IAAA,IAAA,CAAK,aAAA,GAAgB,IAAI,gBAAA,CAAiB,MAAM,CAAA;AAAA,EAClD;AACF;AAEO,IAAM,UAAN,MAAc;AAAA,EACnB,YAA6B,MAAA,EAA4B;AAA5B,IAAA,IAAA,CAAA,MAAA,GAAA,MAAA;AAAA,EAA6B;AAAA,EAA7B,MAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAS7B,MAAA,GAAsC;AACpC,IAAA,OAAO,IAAA,CAAK,OAAO,UAAA,EAAW;AAAA,EAChC;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQA,QAAQ,IAAA,EAA4C;AAClD,IAAA,OAAO,IAAA,CAAK,MAAA,CAAO,WAAA,CAAY,EAAE,MAAM,CAAA;AAAA,EACzC;AAAA;AAAA,EAGA,OAAA,GAAwC;AACtC,IAAA,OAAO,IAAA,CAAK,OAAO,WAAA,EAAY;AAAA,EACjC;AACF;AAEO,IAAM,mBAAN,MAAuB;AAAA,EAC5B,YAA6B,MAAA,EAA4B;AAA5B,IAAA,IAAA,CAAA,MAAA,GAAA,MAAA;AAAA,EAA6B;AAAA,EAA7B,MAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAM7B,UAAA,GAAuD;AACrD,IAAA,OAAO,IAAA,CAAK,OAAO,uBAAA,EAAwB;AAAA,EAC7C;AACF;AAEA,SAAS,MAAM,EAAA,EAA2B;AACxC,EAAA,OAAO,IAAI,OAAA,CAAQ,CAAC,YAAY,UAAA,CAAW,OAAA,EAAS,EAAE,CAAC,CAAA;AACzD;AAQA,SAAS,gBAAgB,KAAA,EAAwB;AAC/C,EAAA,IAAI,KAAA,KAAU,QAAQ,OAAO,KAAA,KAAU,UAAU,OAAO,IAAA,CAAK,UAAU,KAAK,CAAA;AAC5E,EAAA,IAAI,KAAA,CAAM,OAAA,CAAQ,KAAK,CAAA,EAAG;AACxB,IAAA,OAAO,MAAM,KAAA,CAAM,GAAA,CAAI,eAAe,CAAA,CAAE,IAAA,CAAK,GAAG,CAAA,GAAI,GAAA;AAAA,EACtD;AACA,EAAA,MAAM,GAAA,GAAM,KAAA;AACZ,EAAA,MAAM,IAAA,GAAO,MAAA,CAAO,IAAA,CAAK,GAAG,EAAE,IAAA,EAAK;AACnC,EAAA,OACE,MACA,IAAA,CAAK,GAAA,CAAI,CAAC,CAAA,KAAM,IAAA,CAAK,UAAU,CAAC,CAAA,GAAI,GAAA,GAAM,eAAA,CAAgB,IAAI,CAAC,CAAC,CAAC,CAAA,CAAE,IAAA,CAAK,GAAG,CAAA,GAC3E,GAAA;AAEJ;AAWA,eAAe,aAAA,CACb,SAAA,EACA,eAAA,EACA,IAAA,EACiB;AACjB,EAAA,MAAM,SAAA,GAAY,CAAA,EAAG,SAAS,CAAA,CAAA,EAAI,eAAA,CAAgB,aAAa,CAAA,CAAA,EAAI,eAAA,CAAgB,IAAI,CAAC,CAAA,CAAA;AACxF,EAAA,OAAO,MAAM,UAAU,SAAS,CAAA;AAClC;AAMA,eAAe,UAAU,KAAA,EAAgC;AACvD,EAAA,MAAM,MAAA,GAAU,WAAsD,MAAA,EAClE,MAAA;AACJ,EAAA,IAAI,CAAC,MAAA,EAAQ;AACX,IAAA,MAAM,IAAI,KAAA;AAAA,MACR;AAAA,KACF;AAAA,EACF;AACA,EAAA,MAAM,IAAA,GAAO,IAAI,WAAA,EAAY,CAAE,OAAO,KAAK,CAAA;AAC3C,EAAA,MAAM,MAAA,GAAS,MAAM,MAAA,CAAO,MAAA,CAAO,WAAW,IAAI,CAAA;AAClD,EAAA,MAAM,KAAA,GAAQ,IAAI,UAAA,CAAW,MAAM,CAAA;AACnC,EAAA,IAAI,GAAA,GAAM,EAAA;AACV,EAAA,KAAA,MAAW,CAAA,IAAK,OAAO,GAAA,IAAO,CAAA,CAAE,SAAS,EAAE,CAAA,CAAE,QAAA,CAAS,CAAA,EAAG,GAAG,CAAA;AAC5D,EAAA,OAAO,GAAA;AACT;;;ACp4DO,IAAM,0BAAN,MAA8B;AAAA,EAClB,KAAA;AAAA,EAEjB,YAAY,MAAA,EAAuC;AACjD,IAAA,IAAI,CAAC,OAAO,UAAA,EAAY;AACtB,MAAA,MAAM,IAAI,MAAM,iDAAiD,CAAA;AAAA,IACnE;AACA,IAAA,IAAA,CAAK,KAAA,GAAQ,IAAI,kBAAA,CAAmB;AAAA,MAClC,SAAS,MAAA,CAAO,OAAA;AAAA,MAChB,YAAY,MAAA,CAAO,UAAA;AAAA,MACnB,SAAS,MAAA,CAAO,OAAA;AAAA,MAChB,OAAO,MAAA,CAAO;AAAA,KACf,CAAA;AAAA,EACH;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAUA,mBACE,IAAA,EACqC;AACrC,IAAA,OAAO,IAAA,CAAK,KAAA,CAAM,kBAAA,CAAmB,IAAI,CAAA;AAAA,EAC3C;AAAA;AAAA,EAGA,cAAA,CACE,OACA,WAAA,EACiC;AACjC,IAAA,OAAO,KAAK,KAAA,CAAM,iBAAA,CAAkB,KAAA,EAAO,EAAE,aAAa,CAAA;AAAA,EAC5D;AAAA;AAAA,EAGA,YAAY,KAAA,EAAoD;AAC9D,IAAA,OAAO,IAAA,CAAK,KAAA,CAAM,kBAAA,CAAmB,KAAK,CAAA;AAAA,EAC5C;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOA,aAAa,KAAA,EAA8C;AACzD,IAAA,OAAO,IAAA,CAAK,KAAA,CAAM,eAAA,CAAgB,KAAK,CAAA;AAAA,EACzC;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAUA,aAAA,CACE,KAAA,EACA,KAAA,EACA,IAAA,EACgC;AAChC,IAAA,OAAO,KAAK,KAAA,CAAM,gBAAA,CAAiB,OAAO,EAAE,KAAA,EAAO,MAAM,CAAA;AAAA,EAC3D;AACF;;;ACrEO,IAAM,wBAAN,MAA4B;AAAA,EAChB,KAAA;AAAA;AAAA,EAER,KAAA;AAAA,EAET,YAAY,MAAA,EAAqC;AAC/C,IAAA,IAAI,CAAC,OAAO,SAAA,EAAW;AACrB,MAAA,MAAM,IAAI,MAAM,8CAA8C,CAAA;AAAA,IAChE;AACA,IAAA,IAAA,CAAK,KAAA,GAAQ,IAAI,kBAAA,CAAmB;AAAA,MAClC,SAAS,MAAA,CAAO,OAAA;AAAA,MAChB,WAAW,MAAA,CAAO,SAAA;AAAA,MAClB,SAAS,MAAA,CAAO,OAAA;AAAA,MAChB,OAAO,MAAA,CAAO;AAAA,KACf,CAAA;AACD,IAAA,IAAA,CAAK,KAAA,GAAQ,IAAI,QAAA,CAAS,IAAA,CAAK,KAAK,CAAA;AAAA,EACtC;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EASA,EAAA,GAAiC;AAC/B,IAAA,OAAO,IAAA,CAAK,MAAM,QAAA,EAAS;AAAA,EAC7B;AACF;AAGO,IAAM,WAAN,MAAe;AAAA,EACpB,YAA6B,KAAA,EAA2B;AAA3B,IAAA,IAAA,CAAA,KAAA,GAAA,KAAA;AAAA,EAA4B;AAAA,EAA5B,KAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAM7B,OAAO,IAAA,EAAsD;AAC3D,IAAA,OAAO,IAAA,CAAK,KAAA,CAAM,aAAA,CAAc,IAAI,CAAA;AAAA,EACtC;AAAA;AAAA,EAGA,IAAA,GAAmC;AACjC,IAAA,OAAO,IAAA,CAAK,MAAM,YAAA,EAAa;AAAA,EACjC;AACF","file":"index.js","sourcesContent":["/**\n * Error thrown for any non-2xx response from the accounts API.\n *\n * The accounts service emits NestJS-style HttpException bodies — typically\n * `{ statusCode: number; error: string; message: string | string[] }`. Both\n * shapes are forwarded as `body`; the more useful fields are surfaced as\n * top-level properties.\n */\nexport class WitniumchainApiError extends Error {\n readonly status: number;\n readonly errorLabel: string | undefined;\n readonly body: unknown;\n\n constructor(args: {\n status: number;\n message: string;\n errorLabel?: string | undefined;\n body?: unknown;\n }) {\n super(args.message);\n this.name = 'WitniumchainApiError';\n this.status = args.status;\n this.errorLabel = args.errorLabel;\n this.body = args.body ?? null;\n }\n}\n","/**\n * PKCE (RFC 7636) primitives for the Authorization Code + PKCE OAuth flow.\n *\n * Two functions and one storage interface, all browser-only (the OAuth helpers\n * that consume them only make sense in a browser context — PKCE state has to\n * survive the authorize redirect via sessionStorage or an equivalent).\n *\n * The maths is small: a random verifier, SHA-256 of the verifier base64url-\n * encoded as the challenge, `S256` as the method. The server stores the\n * challenge at /auth time and recomputes it from the verifier at /token time.\n */\n\n/**\n * Storage for the PKCE verifier between `beginOAuthLogin` (which writes) and\n * `completeOAuthLogin` (which reads + clears). Keyed by the OAuth `state`\n * value so concurrent in-flight logins don't collide.\n *\n * Default implementation in {@link defaultVerifierStorage} wraps the browser's\n * `sessionStorage` under namespaced keys. Tests inject a Map-backed mock.\n */\nexport interface PkceVerifierStorage {\n set(stateKey: string, verifier: string): void;\n get(stateKey: string): string | null;\n remove(stateKey: string): void;\n}\n\nconst STORAGE_PREFIX = 'witniumchain.pkce.';\n\n/**\n * Default {@link PkceVerifierStorage} backed by `globalThis.sessionStorage`.\n * Throws at construction time if sessionStorage is unavailable — the SDK\n * shouldn't silently degrade to in-memory storage that loses state across\n * the authorize redirect.\n */\nexport function defaultVerifierStorage(): PkceVerifierStorage {\n const storage = (globalThis as { sessionStorage?: Storage }).sessionStorage;\n if (!storage) {\n throw new Error(\n 'WitniumchainClient: defaultVerifierStorage requires globalThis.sessionStorage. ' +\n 'In a non-browser context, pass `verifierStorage` to the OAuth helpers.',\n );\n }\n return {\n set(stateKey, verifier) {\n storage.setItem(STORAGE_PREFIX + stateKey, verifier);\n },\n get(stateKey) {\n return storage.getItem(STORAGE_PREFIX + stateKey);\n },\n remove(stateKey) {\n storage.removeItem(STORAGE_PREFIX + stateKey);\n },\n };\n}\n\n/**\n * Generate a cryptographically random PKCE code verifier.\n *\n * RFC 7636 requires `code_verifier` to be 43–128 characters of the unreserved\n * URL-safe alphabet `[A-Z][a-z][0-9]-._~`. 64 random bytes → base64url gives\n * 86 characters, comfortably in range and with 512 bits of entropy.\n */\nexport function generateCodeVerifier(): string {\n const bytes = new Uint8Array(64);\n cryptoRef().getRandomValues(bytes);\n return base64UrlEncode(bytes);\n}\n\n/**\n * Derive the PKCE code challenge for `method=S256` from a verifier.\n * Returns the base64url-encoded SHA-256 hash of the verifier bytes.\n */\nexport async function deriveCodeChallenge(verifier: string): Promise<string> {\n const data = new TextEncoder().encode(verifier);\n const digest = await cryptoRef().subtle.digest('SHA-256', data);\n return base64UrlEncode(new Uint8Array(digest));\n}\n\n/**\n * Generate a random state value for CSRF protection on the authorize\n * redirect. 32 bytes → base64url is 43 characters. The SDK uses this as\n * both the OAuth `state` parameter and the storage key for the matching\n * PKCE verifier.\n */\nexport function generateState(): string {\n const bytes = new Uint8Array(32);\n cryptoRef().getRandomValues(bytes);\n return base64UrlEncode(bytes);\n}\n\nfunction base64UrlEncode(bytes: Uint8Array): string {\n let binary = '';\n for (const b of bytes) binary += String.fromCharCode(b);\n const b64 =\n typeof btoa === 'function'\n ? btoa(binary)\n : Buffer.from(binary, 'binary').toString('base64');\n return b64.replace(/\\+/g, '-').replace(/\\//g, '_').replace(/=+$/, '');\n}\n\nfunction cryptoRef(): Crypto {\n const c = (globalThis as { crypto?: Crypto }).crypto;\n if (!c || !c.subtle || !c.getRandomValues) {\n throw new Error(\n 'WitniumchainClient: globalThis.crypto with subtle + getRandomValues is required for PKCE. ' +\n 'Modern browsers and Node 18+ provide this natively.',\n );\n }\n return c;\n}\n","/**\n * WitniumchainClient — typed HTTP client for the WitniumChain API surface.\n *\n * Covers both accounts (identity / billing / OAuth / delegated keys / witness\n * writes via the metered v5 proxy) and chain-api read surfaces (contract\n * info / witness lookup / wallet balance / dashboards). Three convenience\n * clients layer on top — `WitniumchainClient` (end-user),\n * `WitniumchainOrgClient` (org admin), `WitniumchainAdminClient` (sysadmin) —\n * with helpers for signup, subscriptions, and delegated-key provisioning.\n *\n * Stripe surface is intentionally Checkout + Customer Portal ONLY. Witnium is\n * not a marketplace, so there is no Stripe Connect onboarding.\n *\n * Auth model — five distinct credentials, each used by a known subset of\n * routes. Configure whichever you'll actually use; methods that need a\n * credential you didn't supply throw at call time.\n *\n * - sessionCookie — `wac_session` value for browser-cookie routes.\n * - accessToken — OAuth Bearer JWT for end-user API.\n * - orgApiKey — `wcorg_live_…` for org admin.\n * - adminToken — sysadmin token.\n * - signedRequest — Ed25519 signer for SDK signed-request routes\n * (witnesses propose/sign/finalize/revoke). The SDK\n * does the canonical-message construction; you supply\n * only the public key + signing callback.\n *\n * Every request/response type is derived from the published OpenAPI specs of\n * both accounts and chain-api. A CI drift test in each repo asserts the spec\n * matches what the deployed server serves; another asserts the regenerated\n * SDK types match the committed `src/generated/accounts.ts` and\n * `src/generated/chain.ts`.\n */\n\nimport { WitniumchainApiError } from './errors';\nimport {\n defaultVerifierStorage,\n deriveCodeChallenge,\n generateCodeVerifier,\n generateState,\n type PkceVerifierStorage,\n} from './pkce';\nimport type {\n // Auth\n SignupRequest,\n SignupResponse,\n VerifyEmailResponse,\n LoginRequest,\n LoginResponse,\n LogoutResponse,\n ForgotPasswordRequest,\n ForgotPasswordResponse,\n ResetPasswordRequest,\n ResetPasswordResponse,\n // Billing\n CheckoutRequest,\n CheckoutResponse,\n PortalResponse,\n // Orgs\n PublicOrgResponse,\n CreateUserRequest,\n CreateUserResponse,\n ListUsersResponse,\n // Admin\n CreateOrganizationRequest,\n CreateOrganizationResponse,\n SetAccountTypeRequest,\n SetAccountTypeResponse,\n VerifyOrganizationResponse,\n RotateApiKeyResponse,\n AdjustCreditsRequest,\n AdjustCreditsResponse,\n // Delegated keys\n ListDelegatedKeysResponse,\n PrepareDelegatedKeyRequest,\n PreparedDelegatedKeyResponse,\n SubmitDelegatedKeyRequest,\n SubmitDelegatedKeyResponse,\n RevokeDelegatedKeyResponse,\n // Sign\n SignRequest,\n SignResponse,\n // Contracts\n ProvisionContractRequest,\n ProvisionContractResponse,\n AddSigningKeyRequest,\n AddSigningKeyResponse,\n RevokeSigningKeyRequest,\n RevokeSigningKeyResponse,\n PauseRequest,\n PauseResponse,\n UnpauseRequest,\n UnpauseResponse,\n // Witnesses (v1 — legacy v3 proxy)\n ProposeWitnessRequest,\n ProposeWitnessResponse,\n SignWitnessRequest,\n SignWitnessResponse,\n FinalizeWitnessResponse,\n RevokeWitnessRequest,\n RevokeWitnessResponse,\n GetWitnessResponse,\n // MFA (TOTP + recovery codes)\n TotpEnrollResponse,\n TotpConfirmRequest,\n TotpConfirmResponse,\n TotpDisableResponse,\n RecoveryCodesRegenerateResponse,\n // v5 Witnesses (metered proxy)\n ProposeWitnessV5Request,\n ProposeWitnessV5Response,\n SubmitSignatureV5Request,\n SubmitSignatureV5Response,\n FinalizeWitnessV5Response,\n RevokeWitnessV5Request,\n RevokeWitnessV5Response,\n // Users\n AccountResponse,\n LedgerResponse,\n // OAuth\n ListOauthSessionsResponse,\n // Health\n HealthLiveResponse,\n HealthReadyResponse,\n // Chain-api reads\n ContractInfoResponse,\n VerifyContractResponse,\n ListWitnessesResponse,\n GetChainWitnessResponse,\n GetContractTransactionResponse,\n GetTransactionResponse,\n GetWalletBalanceResponse,\n DashboardContractResponse,\n DashboardWitnessesResponse,\n} from './types';\n\nexport interface SignedRequestSigner {\n /** Ed25519 public key as 64-char hex (no 0x prefix). Sent in X-Witnium-Key. */\n publicKeyHex: string;\n /**\n * Sign the canonical message\n * `<METHOD>\\n<PATH>\\n<TIMESTAMP>\\n<IDEMPOTENCY-KEY>\\n<sha256(body) hex>`\n * (empty string when the Idempotency-Key header is absent) and return\n * the 128-char hex Ed25519 signature. The SDK builds the canonical\n * message; the caller only needs to apply the private key.\n */\n sign: (canonicalMessage: string) => Promise<string>;\n}\n\n/**\n * Owner-Ed25519 signer used by {@link WitniumchainClient.delegatedKeys.provision}.\n *\n * Structurally identical to {@link SignedRequestSigner} — both are\n * `{ publicKeyHex, sign(message) }` — but kept as a distinct type so the\n * semantic role (owner key for delegated-key authorisation vs. signed-request\n * headers) is explicit at the call site.\n *\n * The `sign` callback receives the raw `messageToSign` string returned by the\n * server's prepare step (canonical JSON of the addSigningKey intent); the\n * caller's job is to apply their owner private key and return the 128-hex\n * Ed25519 signature.\n */\nexport interface OwnerSigner {\n /** Owner Ed25519 public key as 64-char hex (no 0x prefix). */\n publicKeyHex: string;\n /** Sign the `messageToSign` string and return the 128-char hex signature. */\n sign: (messageToSign: string) => Promise<string>;\n}\n\n/**\n * Arguments to the one-call delegated-key provisioning flow.\n *\n * The SDK orchestrates prepare → owner-sign → submit → poll-until-confirmed.\n * The caller supplies the contract address, an owner signer, and optional\n * polling tuning. Returns the final delegated-key record after the on-chain\n * `addSigningKey` tx confirms (or the polling budget is exhausted).\n */\nexport interface ProvisionDelegatedKeyArgs {\n /** EIP-55 / lowercase contract address the delegated key will be bound to. */\n contractAddress: string;\n /** Owner Ed25519 signer for the addSigningKey intent. */\n ownerSigner: OwnerSigner;\n /**\n * Polling interval in ms between submit re-polls when the first submit\n * didn't confirm within the server's 8 s budget. Default 2000.\n */\n pollIntervalMs?: number;\n /**\n * Total polling budget in ms (including the first submit). Default 60000.\n * On timeout the method returns the last-known status with `confirmed: false`\n * so the caller can decide whether to keep polling or surface the txHash.\n */\n pollTimeoutMs?: number;\n}\n\nexport interface ProvisionDelegatedKeyResult {\n /** Server-assigned delegated-key id (UUID). */\n id: string;\n /** Delegated key's Ed25519 public key, 64 hex (this is what's now on-chain). */\n publicKey: string;\n /** chain-api `addSigningKey` tx hash. */\n transactionHash: string;\n /** `true` if the tx mined within `pollTimeoutMs`. */\n confirmed: boolean;\n /** Block number, populated once `confirmed === true`. */\n blockNumber?: number;\n}\n\nexport interface WitniumchainClientConfig {\n /** Accounts base URL, e.g. `https://auth.witniumchain.com`. Trailing slash optional. */\n baseUrl: string;\n /**\n * Chain-api base URL, e.g. `https://api.witniumchain.com`. Required only if you\n * call chain-api read methods (`getWitness`, `getContractInfo`, etc.). Methods\n * that need it will throw a clear `WitniumchainApiError` at call time if\n * unconfigured. Same `accessToken` is reused — accounts mints OAuth tokens with\n * `aud=https://api.witniumchain.com`, so they're valid against both services.\n */\n chainBaseUrl?: string;\n /** Session cookie value (the `wac_session` cookie's body, not the full header). */\n sessionCookie?: string;\n /**\n * OAuth 2.1 access token (Bearer JWT). The SDK treats this as in-memory\n * mutable state — {@link WitniumchainClient.completeOAuthLogin} and\n * {@link WitniumchainClient.refreshAccessToken} both update it; reads of\n * `BearerJWT`-authed routes pick up the latest value. Pass an initial value\n * if you already have one (e.g. server-side rendering); leave it unset and\n * let `completeOAuthLogin` populate it from the OAuth flow.\n */\n accessToken?: string;\n /**\n * OAuth client id of the registered application using this SDK. Required if\n * you call {@link WitniumchainClient.beginOAuthLogin} OR\n * {@link WitniumchainClient.refreshAccessToken}. Methods that need it will\n * throw a clear `WitniumchainApiError` at call time when unconfigured.\n *\n * Registered via the org-admin OAuth-clients UI (Thread G of Phase AUTH).\n */\n oauthClientId?: string;\n /**\n * Storage adapter for the PKCE verifier between authorize redirect and\n * token exchange. Defaults to a `globalThis.sessionStorage` wrapper —\n * suitable for browser SPAs. Tests inject a Map-backed mock; non-browser\n * callers (Node SSR, native apps with their own storage) supply their own.\n *\n * sessionStorage is the chosen default because it's tab-scoped (resilient\n * to cross-tab interference) and cleared on tab close (no stale verifier\n * persistence). It is NOT localStorage — that would survive tab close and\n * is reachable from any same-origin script, weakening the XSS posture.\n */\n verifierStorage?: PkceVerifierStorage;\n /** Organisation API key (`wcorg_live_…`). */\n orgApiKey?: string;\n /** System-admin token (`Authorization: Bearer <ADMIN_TOKEN>`). */\n adminToken?: string;\n /** Ed25519 signer for SDK signed-request routes (witness write ops). */\n signedRequest?: SignedRequestSigner;\n /** Per-request timeout in milliseconds. Default 30000. */\n timeout?: number;\n /** Alternate fetch implementation (e.g. for tests). Default `globalThis.fetch`. */\n fetch?: typeof fetch;\n}\n\n/**\n * Arguments to {@link WitniumchainClient.beginOAuthLogin}. The OAuth client id\n * is sourced from `WitniumchainClientConfig.oauthClientId` at construction —\n * not repeated here — so the same client can drive multiple authorize calls\n * (e.g. retry on user cancellation) without rethreading the id every time.\n */\nexport interface BeginOAuthLoginArgs {\n /**\n * Where the authorization server should redirect after the user authenticates.\n * Must exactly match one of the redirect URIs registered for the OAuth client.\n * Stored alongside the PKCE verifier so {@link WitniumchainClient.completeOAuthLogin}\n * can rebuild the canonical token-exchange request without the caller having\n * to thread the same URI through twice.\n */\n redirectUri: string;\n /**\n * OAuth scopes to request. Default: `['openid', 'profile', 'email']` — the\n * standard OIDC sign-in trio. Pass a wider list if the caller's tokens need\n * additional scopes (e.g. `witnesses:write`); the authorization server\n * filters out scopes the user isn't allowed to grant.\n */\n scope?: readonly string[];\n /**\n * Custom OAuth `state` value. Default: a freshly-generated 32-byte URL-safe\n * random. Passing a custom value is useful when the caller needs to round-\n * trip application-level context through the redirect (e.g. \"which page was\n * the user on before login\"); the value is otherwise treated as opaque.\n */\n state?: string;\n /**\n * Standard OIDC `prompt` parameter. `'login'` forces the AS to re-prompt for\n * credentials even if the user has a live session; `'none'` asks for silent\n * SSO (returns `login_required` if not possible). Default: unset.\n */\n prompt?: 'login' | 'none';\n}\n\nexport interface BeginOAuthLoginResult {\n /** URL to redirect the user to. The caller does `window.location.assign(...)`. */\n authorizationUrl: string;\n /**\n * The state value bound to this login attempt. Same as the `state` passed\n * in (if any) or a freshly generated one. {@link WitniumchainClient.completeOAuthLogin}\n * validates that the state in the callback URL matches a value it issued.\n */\n state: string;\n}\n\nexport interface OAuthTokenSnapshot {\n /** OAuth Bearer access token. */\n accessToken: string;\n /** Unix seconds at which the access token expires. */\n expiresAt: number;\n}\n\ntype AuthMode =\n | 'SessionCookie'\n | 'BearerJWT'\n | 'OrgApiKey'\n | 'AdminToken'\n | 'SignedRequest'\n | 'Public';\n\ninterface RequestOpts {\n body?: unknown;\n query?: Record<string, string | number | undefined>;\n headers?: Record<string, string>;\n auth: AuthMode;\n expectNoContent?: boolean;\n /**\n * Which service this call targets. Omitted → 'accounts' (the historical\n * default, since the SDK started accounts-only). Set 'chain' on methods that\n * hit chain-api directly — those need `chainBaseUrl` configured.\n */\n service?: 'accounts' | 'chain';\n /**\n * Internal flag: this call is the retry leg of a 401-refresh round trip,\n * don't recurse into a second refresh on another 401. Set only by `req()`\n * itself; never set by call sites.\n */\n _isRetry?: boolean;\n}\n\ninterface DiscoveryDocument {\n authorization_endpoint: string;\n token_endpoint: string;\n issuer: string;\n}\n\ninterface TokenResponse {\n access_token: string;\n refresh_token?: string;\n token_type?: string;\n expires_in?: number;\n scope?: string;\n}\n\nexport class WitniumchainClient {\n private readonly baseUrl: string;\n private readonly chainBaseUrl: string | undefined;\n private readonly cfg: WitniumchainClientConfig;\n private readonly timeout: number;\n private readonly fetchImpl: typeof fetch;\n\n // Mutable OAuth state. Constructor seeds these from the config; the OAuth\n // flow helpers (begin/complete/refresh/signOut) read and rewrite them as\n // the user authenticates and tokens rotate. `applyAuth` reads `accessToken`\n // off this field — never directly off `cfg` — so a token rotated mid-flight\n // (during a 401-retry refresh) is picked up by the very next call.\n private accessToken: string | undefined;\n // Browser SPAs in production receive the refresh token as an HttpOnly cookie\n // (see src/oauth/refresh-cookie.ts on the server), so this field stays\n // `undefined` and the cookie rides via `credentials: 'include'` on every\n // /token call. Non-browser callers (Node SSR, native apps without a cookie\n // jar) get the refresh token in the response body and the SDK stashes it\n // here as a fallback. Either path drives `refreshAccessToken` identically.\n private refreshToken: string | undefined;\n // Sentinel: the most recent token response set an HttpOnly refresh cookie.\n // The SDK can't directly observe an HttpOnly cookie, but the response body\n // tells us indirectly — server strips `refresh_token` when it sets the\n // cookie, so an absent body field on a successful /token response means\n // the cookie path is in use. Used to gate the 401-retry: with a cookie,\n // refresh might work even when the in-memory refresh token is undefined.\n private hasRefreshCookie = false;\n private readonly oauthClientId: string | undefined;\n // The redirect URI the most recent `beginOAuthLogin` issued, alongside the\n // PKCE verifier. `completeOAuthLogin` reads it back so the token-exchange\n // request matches the original /auth request (RFC 6749 §4.1.3 requires\n // redirect_uri at /token to equal the one at /auth). Keyed by state.\n private pendingLogins = new Map<string, { redirectUri: string }>();\n private readonly verifierStorage: PkceVerifierStorage | undefined;\n // Cache of the parsed OIDC discovery document keyed by issuer URL. Saves a\n // round trip on every OAuth call after the first. oidc-provider's discovery\n // doc is static for the life of an issuer; cache is per-client-instance, so\n // it dies with the SDK consumer's lifecycle.\n private discoveryCache: Promise<DiscoveryDocument> | undefined;\n // Single-flight gate for refresh. When a 401 fans out to N concurrent retries\n // (or the consumer calls refreshAccessToken directly while another refresh\n // is mid-flight), all callers await the same in-flight promise — refresh\n // tokens rotate on use (D10), so a second concurrent refresh would race the\n // first and one of them would 401.\n private refreshInFlight: Promise<OAuthTokenSnapshot> | undefined;\n\n /** Subscriptions / billing helpers. See {@link Subscriptions}. */\n readonly subscriptions: Subscriptions;\n /** Delegated-key namespace including the one-call {@link DelegatedKeys.provision} flow. */\n readonly delegatedKeys: DelegatedKeys;\n /** Owner signing-key management (list / add / revoke). */\n readonly keys: SigningKeys;\n /** OAuth session management. Accessed as `client.oauth.sessions.*`. */\n readonly oauth: OauthNamespace;\n /** MFA self-management. Accessed as `client.mfa.totp.*` and `client.mfa.recoveryCodes.*`. */\n readonly mfa: MfaNamespace;\n\n constructor(config: WitniumchainClientConfig) {\n if (!config.baseUrl) {\n throw new Error('WitniumchainClient: baseUrl is required');\n }\n this.cfg = config;\n this.baseUrl = config.baseUrl.replace(/\\/$/, '');\n this.chainBaseUrl = config.chainBaseUrl?.replace(/\\/$/, '');\n this.timeout = config.timeout ?? 30000;\n this.fetchImpl = config.fetch ?? globalThis.fetch;\n if (!this.fetchImpl) {\n throw new Error(\n 'WitniumchainClient: no fetch implementation available. Pass `config.fetch`.',\n );\n }\n this.accessToken = config.accessToken;\n this.oauthClientId = config.oauthClientId;\n this.verifierStorage = config.verifierStorage;\n this.subscriptions = new Subscriptions(this);\n this.delegatedKeys = new DelegatedKeys(this);\n this.keys = new SigningKeys(this);\n this.oauth = new OauthNamespace(this);\n this.mfa = new MfaNamespace(this);\n }\n\n /**\n * Convenience alias for {@link getAccount} — returns the authenticated\n * user's profile, the org they belong to, and their signing keys.\n */\n me(): Promise<AccountResponse> {\n return this.getAccount();\n }\n\n // ────────────────────────────────────────────────────────────────────────\n // Auth (/v1/auth/*)\n // ────────────────────────────────────────────────────────────────────────\n\n signup(body: SignupRequest): Promise<SignupResponse> {\n return this.req('POST', '/v1/auth/signup', { auth: 'Public', body });\n }\n\n verifyEmail(token: string): Promise<VerifyEmailResponse> {\n return this.req('GET', '/v1/auth/verify', {\n auth: 'Public',\n query: { token },\n });\n }\n\n login(body: LoginRequest): Promise<LoginResponse> {\n return this.req('POST', '/v1/auth/login', { auth: 'Public', body });\n }\n\n logout(): Promise<LogoutResponse> {\n return this.req('POST', '/v1/auth/logout', { auth: 'Public' });\n }\n\n forgotPassword(body: ForgotPasswordRequest): Promise<ForgotPasswordResponse> {\n return this.req('POST', '/v1/auth/forgot-password', { auth: 'Public', body });\n }\n\n resetPassword(body: ResetPasswordRequest): Promise<ResetPasswordResponse> {\n return this.req('POST', '/v1/auth/reset-password', { auth: 'Public', body });\n }\n\n // ────────────────────────────────────────────────────────────────────────\n // Billing (/v1/billing/*)\n // ────────────────────────────────────────────────────────────────────────\n\n createCheckoutSession(body: CheckoutRequest): Promise<CheckoutResponse> {\n return this.req('POST', '/v1/billing/checkout', {\n auth: 'SessionCookie',\n body,\n });\n }\n\n createPortalSession(): Promise<PortalResponse> {\n return this.req('GET', '/v1/billing/portal', { auth: 'SessionCookie' });\n }\n\n // Webhook endpoint is intentionally NOT exposed: only Stripe should call it.\n\n // ────────────────────────────────────────────────────────────────────────\n // Orgs (/v1/orgs/me/*)\n // ────────────────────────────────────────────────────────────────────────\n\n getMyOrg(): Promise<PublicOrgResponse> {\n return this.req('GET', '/v1/orgs/me', { auth: 'OrgApiKey' });\n }\n\n createOrgUser(body: CreateUserRequest): Promise<CreateUserResponse> {\n return this.req('POST', '/v1/orgs/me/users', { auth: 'OrgApiKey', body });\n }\n\n listOrgUsers(): Promise<ListUsersResponse> {\n return this.req('GET', '/v1/orgs/me/users', { auth: 'OrgApiKey' });\n }\n\n // ────────────────────────────────────────────────────────────────────────\n // Admin (/v1/admin/organizations/*)\n // ────────────────────────────────────────────────────────────────────────\n\n createOrganization(\n body: CreateOrganizationRequest,\n ): Promise<CreateOrganizationResponse> {\n return this.req('POST', '/v1/admin/organizations', {\n auth: 'AdminToken',\n body,\n });\n }\n\n setOrgAccountType(\n id: string,\n body: SetAccountTypeRequest,\n ): Promise<SetAccountTypeResponse> {\n return this.req(\n 'PATCH',\n `/v1/admin/organizations/${encodeURIComponent(id)}/account-type`,\n { auth: 'AdminToken', body },\n );\n }\n\n verifyOrganization(id: string): Promise<VerifyOrganizationResponse> {\n return this.req(\n 'PATCH',\n `/v1/admin/organizations/${encodeURIComponent(id)}/verify`,\n { auth: 'AdminToken' },\n );\n }\n\n rotateOrgApiKey(id: string): Promise<RotateApiKeyResponse> {\n return this.req(\n 'POST',\n `/v1/admin/organizations/${encodeURIComponent(id)}/rotate-key`,\n { auth: 'AdminToken' },\n );\n }\n\n adjustOrgCredits(\n id: string,\n body: AdjustCreditsRequest,\n ): Promise<AdjustCreditsResponse> {\n return this.req(\n 'POST',\n `/v1/admin/organizations/${encodeURIComponent(id)}/adjust-credits`,\n { auth: 'AdminToken', body },\n );\n }\n\n // ────────────────────────────────────────────────────────────────────────\n // Delegated keys (/v1/users/me/delegated-keys/*)\n // ────────────────────────────────────────────────────────────────────────\n\n listDelegatedKeys(query?: {\n contractAddress?: string;\n active?: 'true' | 'false';\n }): Promise<ListDelegatedKeysResponse> {\n return this.req('GET', '/v1/users/me/delegated-keys', {\n auth: 'BearerJWT',\n query: query ?? {},\n });\n }\n\n prepareDelegatedKey(\n body: PrepareDelegatedKeyRequest,\n ): Promise<PreparedDelegatedKeyResponse> {\n return this.req('POST', '/v1/users/me/delegated-keys', {\n auth: 'BearerJWT',\n body,\n });\n }\n\n submitDelegatedKey(\n id: string,\n body: SubmitDelegatedKeyRequest,\n ): Promise<SubmitDelegatedKeyResponse> {\n return this.req(\n 'POST',\n `/v1/users/me/delegated-keys/${encodeURIComponent(id)}/submit`,\n { auth: 'BearerJWT', body },\n );\n }\n\n revokeDelegatedKey(id: string): Promise<RevokeDelegatedKeyResponse> {\n return this.req(\n 'DELETE',\n `/v1/users/me/delegated-keys/${encodeURIComponent(id)}`,\n { auth: 'BearerJWT' },\n );\n }\n\n // ────────────────────────────────────────────────────────────────────────\n // Sign (/v1/sign)\n // ────────────────────────────────────────────────────────────────────────\n\n sign(body: SignRequest, requestId?: string): Promise<SignResponse> {\n const headers = requestId ? { 'x-request-id': requestId } : undefined;\n return this.req('POST', '/v1/sign', {\n auth: 'BearerJWT',\n body,\n ...(headers ? { headers } : {}),\n });\n }\n\n // ────────────────────────────────────────────────────────────────────────\n // Contracts (/v1/contracts/* + /v1/keys/*)\n // ────────────────────────────────────────────────────────────────────────\n\n provisionContract(\n body: ProvisionContractRequest,\n ): Promise<ProvisionContractResponse> {\n return this.req('POST', '/v1/contracts/provision', {\n auth: 'Public',\n body,\n });\n }\n\n addSigningKey(body: AddSigningKeyRequest): Promise<AddSigningKeyResponse> {\n return this.req('POST', '/v1/keys', { auth: 'SessionCookie', body });\n }\n\n revokeSigningKey(\n body: RevokeSigningKeyRequest,\n ): Promise<RevokeSigningKeyResponse> {\n return this.req('POST', '/v1/keys/revoke', {\n auth: 'SessionCookie',\n body,\n });\n }\n\n pauseContract(body: PauseRequest): Promise<PauseResponse> {\n return this.req('POST', '/v1/contracts/pause', {\n auth: 'SessionCookie',\n body,\n });\n }\n\n unpauseContract(body: UnpauseRequest): Promise<UnpauseResponse> {\n return this.req('POST', '/v1/contracts/unpause', {\n auth: 'SessionCookie',\n body,\n });\n }\n\n // ────────────────────────────────────────────────────────────────────────\n // Witnesses (/v1/contracts/{addr}/witnesses/*)\n // ────────────────────────────────────────────────────────────────────────\n\n async proposeWitness(\n contractAddress: string,\n body: ProposeWitnessRequest,\n idempotencyKey?: string,\n ): Promise<ProposeWitnessResponse> {\n // Idempotency-Key is required by the server. Default to a stable\n // body-derived key so that an application-level retry (same\n // arguments) reuses the same key and hits the server-side\n // idempotency cache instead of reserving a second credit. Callers\n // who want a fresh logical witness with the same body must supply\n // their own key.\n const key =\n idempotencyKey ??\n (await deriveBodyKey('v1:propose', contractAddress, body));\n return this.req(\n 'POST',\n `/v1/contracts/${encodeURIComponent(contractAddress)}/witnesses/propose`,\n { auth: 'SignedRequest', body, headers: { 'idempotency-key': key } },\n );\n }\n\n signWitness(\n contractAddress: string,\n witnessId: string,\n body: SignWitnessRequest,\n ): Promise<SignWitnessResponse> {\n return this.req(\n 'POST',\n `/v1/contracts/${encodeURIComponent(contractAddress)}/witnesses/${encodeURIComponent(witnessId)}/sign`,\n { auth: 'SignedRequest', body },\n );\n }\n\n finalizeWitness(\n contractAddress: string,\n witnessId: string,\n ): Promise<FinalizeWitnessResponse> {\n return this.req(\n 'POST',\n `/v1/contracts/${encodeURIComponent(contractAddress)}/witnesses/${encodeURIComponent(witnessId)}/finalize`,\n { auth: 'SignedRequest' },\n );\n }\n\n async revokeWitness(\n contractAddress: string,\n witnessId: string,\n body: RevokeWitnessRequest,\n idempotencyKey?: string,\n ): Promise<RevokeWitnessResponse> {\n const key =\n idempotencyKey ??\n (await deriveBodyKey('v1:revoke', contractAddress, { witnessId, body }));\n return this.req(\n 'POST',\n `/v1/contracts/${encodeURIComponent(contractAddress)}/witnesses/${encodeURIComponent(witnessId)}/revoke`,\n { auth: 'SignedRequest', body, headers: { 'idempotency-key': key } },\n );\n }\n\n getWitness(\n contractAddress: string,\n witnessId: string,\n ): Promise<GetWitnessResponse> {\n return this.req(\n 'GET',\n `/v1/contracts/${encodeURIComponent(contractAddress)}/witnesses/${encodeURIComponent(witnessId)}`,\n { auth: 'Public' },\n );\n }\n\n // ────────────────────────────────────────────────────────────────────────\n // v5 Witnesses (/v5/contracts/{addr}/witnesses/*)\n //\n // The v5 write surface is a metered proxy in accounts: every billable\n // call (propose, revoke) reserves a credit; sign/finalize forward to\n // chain-api with the admin token. Auth is OAuth Bearer; the URL\n // contract must match the user's bound contract.\n //\n // The propose/revoke methods default Idempotency-Key to a stable hash\n // of the request body so an application-level retry with the same\n // arguments dedupes against the original reservation instead of\n // burning a second credit. Pass an explicit `idempotencyKey` to\n // override (e.g. if you genuinely want two witnesses for the same\n // body).\n // ────────────────────────────────────────────────────────────────────────\n\n async proposeWitnessV5(\n contractAddress: string,\n body: ProposeWitnessV5Request,\n idempotencyKey?: string,\n ): Promise<ProposeWitnessV5Response> {\n const key =\n idempotencyKey ??\n (await deriveBodyKey('v5:propose', contractAddress, body));\n return this.req(\n 'POST',\n `/v5/contracts/${encodeURIComponent(contractAddress)}/witnesses/propose`,\n { auth: 'BearerJWT', body, headers: { 'idempotency-key': key } },\n );\n }\n\n signWitnessV5(\n contractAddress: string,\n intentId: string,\n body: SubmitSignatureV5Request,\n ): Promise<SubmitSignatureV5Response> {\n return this.req(\n 'POST',\n `/v5/contracts/${encodeURIComponent(contractAddress)}/witnesses/${encodeURIComponent(intentId)}/sign`,\n { auth: 'BearerJWT', body },\n );\n }\n\n finalizeWitnessV5(\n contractAddress: string,\n intentId: string,\n ): Promise<FinalizeWitnessV5Response> {\n return this.req(\n 'POST',\n `/v5/contracts/${encodeURIComponent(contractAddress)}/witnesses/${encodeURIComponent(intentId)}/finalize`,\n { auth: 'BearerJWT' },\n );\n }\n\n async revokeWitnessV5(\n contractAddress: string,\n witnessId: string,\n body: RevokeWitnessV5Request,\n idempotencyKey?: string,\n ): Promise<RevokeWitnessV5Response> {\n const key =\n idempotencyKey ??\n (await deriveBodyKey('v5:revoke', contractAddress, { witnessId, body }));\n return this.req(\n 'POST',\n `/v5/contracts/${encodeURIComponent(contractAddress)}/witnesses/${encodeURIComponent(witnessId)}/revoke`,\n { auth: 'BearerJWT', body, headers: { 'idempotency-key': key } },\n );\n }\n\n // ────────────────────────────────────────────────────────────────────────\n // Users / account (/v1/account/*)\n // ────────────────────────────────────────────────────────────────────────\n\n getAccount(): Promise<AccountResponse> {\n return this.req('GET', '/v1/account', { auth: 'SessionCookie' });\n }\n\n getLedger(): Promise<LedgerResponse> {\n return this.req('GET', '/v1/account/ledger', { auth: 'SessionCookie' });\n }\n\n // ────────────────────────────────────────────────────────────────────────\n // MFA (/v1/account/mfa/*)\n //\n // SessionCookie auth (self-management). Returns the same shapes the\n // dashboard renders directly; the SDK is also a viable consumer for any\n // Node-side tooling that needs to programmatically enrol a service account.\n //\n // The MFA challenge step that runs inside the OAuth interaction (Thread E)\n // is NOT here — it's a server-rendered HTML form, not a JSON surface.\n // ────────────────────────────────────────────────────────────────────────\n\n enrollTotp(): Promise<TotpEnrollResponse> {\n return this.req('POST', '/v1/account/mfa/totp/enroll', {\n auth: 'SessionCookie',\n });\n }\n\n confirmTotp(body: TotpConfirmRequest): Promise<TotpConfirmResponse> {\n return this.req('POST', '/v1/account/mfa/totp/confirm', {\n auth: 'SessionCookie',\n body,\n });\n }\n\n disableTotp(): Promise<TotpDisableResponse> {\n return this.req('DELETE', '/v1/account/mfa/totp', {\n auth: 'SessionCookie',\n });\n }\n\n regenerateRecoveryCodes(): Promise<RecoveryCodesRegenerateResponse> {\n return this.req('POST', '/v1/account/mfa/recovery-codes/regenerate', {\n auth: 'SessionCookie',\n });\n }\n\n // ────────────────────────────────────────────────────────────────────────\n // OAuth sessions (/v1/oauth/sessions*)\n // ────────────────────────────────────────────────────────────────────────\n\n listOauthSessions(): Promise<ListOauthSessionsResponse> {\n return this.req('GET', '/v1/oauth/sessions', { auth: 'SessionCookie' });\n }\n\n revokeOauthSession(jti: string): Promise<void> {\n return this.req('DELETE', `/v1/oauth/sessions/${encodeURIComponent(jti)}`, {\n auth: 'SessionCookie',\n expectNoContent: true,\n });\n }\n\n revokeAllOauthSessions(): Promise<void> {\n return this.req('DELETE', '/v1/oauth/sessions', {\n auth: 'SessionCookie',\n expectNoContent: true,\n });\n }\n\n // ────────────────────────────────────────────────────────────────────────\n // Health (/health/*)\n // ────────────────────────────────────────────────────────────────────────\n\n healthLive(): Promise<HealthLiveResponse> {\n return this.req('GET', '/health/live', { auth: 'Public' });\n }\n\n healthReady(): Promise<HealthReadyResponse> {\n return this.req('GET', '/health/ready', { auth: 'Public' });\n }\n\n // ════════════════════════════════════════════════════════════════════════\n // Chain-api reads (called against chainBaseUrl, e.g. api.witniumchain.com)\n //\n // Routing: every method here passes `service: 'chain'` to `req()`. Calls\n // throw at call time if `chainBaseUrl` wasn't configured.\n //\n // Auth: BearerJWT. The accounts-issued OAuth access token already carries\n // `aud=https://api.witniumchain.com`, so the same `accessToken` works\n // unchanged against both services.\n //\n // What's NOT here: chain-api v5 WRITES (propose/sign/finalize/revoke). Those\n // are proxied by accounts (proposeWitnessV5, etc.) so credits get reserved\n // and idempotency is enforced. See docs/PLAN-PHASE-SDK-UNIFIED.md for the\n // routing rules; calling chain-api writes directly would burn credits\n // without billing them.\n // ════════════════════════════════════════════════════════════════════════\n\n getContractInfo(contractAddress: string): Promise<ContractInfoResponse> {\n return this.req(\n 'GET',\n `/v5/contracts/${encodeURIComponent(contractAddress)}/info`,\n { auth: 'BearerJWT', service: 'chain' },\n );\n }\n\n getContractVerification(\n contractAddress: string,\n ): Promise<VerifyContractResponse> {\n return this.req(\n 'GET',\n `/v5/contracts/${encodeURIComponent(contractAddress)}/verify`,\n { auth: 'BearerJWT', service: 'chain' },\n );\n }\n\n listWitnessesV5(\n contractAddress: string,\n params?: { dataId?: string; limit?: number; offset?: number },\n ): Promise<ListWitnessesResponse> {\n return this.req(\n 'GET',\n `/v5/contracts/${encodeURIComponent(contractAddress)}/witnesses`,\n { auth: 'BearerJWT', service: 'chain', query: params },\n );\n }\n\n getWitnessV5(\n contractAddress: string,\n witnessId: string,\n ): Promise<GetChainWitnessResponse> {\n return this.req(\n 'GET',\n `/v5/contracts/${encodeURIComponent(contractAddress)}/witnesses/${encodeURIComponent(witnessId)}`,\n { auth: 'BearerJWT', service: 'chain' },\n );\n }\n\n getContractTransaction(\n contractAddress: string,\n txHash: string,\n ): Promise<GetContractTransactionResponse> {\n return this.req(\n 'GET',\n `/v5/contracts/${encodeURIComponent(contractAddress)}/transactions/${encodeURIComponent(txHash)}`,\n { auth: 'BearerJWT', service: 'chain' },\n );\n }\n\n getTransaction(txHash: string): Promise<GetTransactionResponse> {\n return this.req(\n 'GET',\n `/v5/transactions/${encodeURIComponent(txHash)}`,\n { auth: 'BearerJWT', service: 'chain' },\n );\n }\n\n getWalletBalance(address: string): Promise<GetWalletBalanceResponse> {\n return this.req(\n 'GET',\n `/v5/wallets/${encodeURIComponent(address)}/balance`,\n { auth: 'BearerJWT', service: 'chain' },\n );\n }\n\n getDashboardContract(): Promise<DashboardContractResponse> {\n return this.req('GET', '/v5/dashboard/contract', {\n auth: 'BearerJWT',\n service: 'chain',\n });\n }\n\n getDashboardWitnesses(params?: {\n from?: number;\n to?: number;\n timeLock?: 'locked' | 'none';\n limit?: number;\n offset?: number;\n }): Promise<DashboardWitnessesResponse> {\n return this.req('GET', '/v5/dashboard/witnesses', {\n auth: 'BearerJWT',\n service: 'chain',\n query: params,\n });\n }\n\n // ════════════════════════════════════════════════════════════════════════\n // OAuth 2.1 + PKCE flow helpers (Phase AUTH Thread A)\n //\n // Designed for browser SPAs without a backend (\"Sign in with Witnium\" for a\n // Lovable customer). The flow:\n //\n // 1. App calls `beginOAuthLogin({ redirectUri })`, gets a URL, redirects.\n // 2. User authenticates at auth.witniumchain.com, server redirects back\n // to the app's redirectUri with `?code=…&state=…`.\n // 3. App calls `completeOAuthLogin(window.location.href)`, gets back an\n // access token. The SDK stashes it in memory; subsequent `BearerJWT`\n // calls use it transparently.\n // 4. When a `BearerJWT` call returns 401 (token expired), `req()` calls\n // `refreshAccessToken` once and retries. Caller never sees the 401.\n //\n // Access tokens live in memory only — never localStorage. They die on tab\n // close; the refresh token (held in memory today, planned to migrate to an\n // HttpOnly cookie set by /token server-side) survives long enough for a\n // silent refresh on the next /completeOAuthLogin or 401-retry. Refresh\n // tokens rotate on every use, so a single-flight gate avoids racing two\n // concurrent refreshes against the same token.\n //\n // Endpoint discovery: the SDK fetches /.well-known/openid-configuration\n // from `baseUrl` once and reuses the parsed result. oidc-provider's paths\n // (/auth, /token, /jwks, etc.) are not hard-coded — if accounts ever moves\n // them, only the discovery doc has to be right.\n // ════════════════════════════════════════════════════════════════════════\n\n /**\n * Build the authorization-server URL for the start of an OAuth login flow.\n *\n * Generates a fresh PKCE verifier + challenge, stashes the verifier in the\n * configured {@link PkceVerifierStorage} under the `state` key, and returns\n * the URL the caller should redirect the user to. Side-effects:\n *\n * - sessionStorage gets a PKCE entry under `witniumchain.pkce.<state>`.\n * - The client instance remembers the `redirectUri` for this `state`\n * so {@link completeOAuthLogin} can rebuild the matching token request\n * without the caller threading the URI through twice.\n *\n * The caller is responsible for the redirect itself\n * (`window.location.assign(result.authorizationUrl)`); the SDK doesn't\n * touch `window` directly so SSR + non-browser callers are not broken.\n */\n async beginOAuthLogin(\n args: BeginOAuthLoginArgs,\n ): Promise<BeginOAuthLoginResult> {\n if (!this.oauthClientId) {\n throw new WitniumchainApiError({\n status: 0,\n message:\n 'WitniumchainClient: beginOAuthLogin requires `oauthClientId` to be set on the constructor.',\n });\n }\n const discovery = await this.fetchDiscovery();\n const state = args.state ?? generateState();\n const verifier = generateCodeVerifier();\n const challenge = await deriveCodeChallenge(verifier);\n const scope = (args.scope ?? ['openid', 'profile', 'email']).join(' ');\n\n const url = new URL(discovery.authorization_endpoint);\n url.searchParams.set('response_type', 'code');\n url.searchParams.set('client_id', this.oauthClientId);\n url.searchParams.set('redirect_uri', args.redirectUri);\n url.searchParams.set('scope', scope);\n url.searchParams.set('state', state);\n url.searchParams.set('code_challenge', challenge);\n url.searchParams.set('code_challenge_method', 'S256');\n if (args.prompt) url.searchParams.set('prompt', args.prompt);\n\n this.verifierStorageOrDefault().set(state, verifier);\n this.pendingLogins.set(state, { redirectUri: args.redirectUri });\n\n return { authorizationUrl: url.toString(), state };\n }\n\n /**\n * Exchange an authorization-code callback for an access token.\n *\n * Reads `code` and `state` from the callback URL, validates the state\n * against a stored verifier, exchanges the code at the token endpoint,\n * and stores the access token (and refresh token) in the client's\n * in-memory state. Returns the access token + its expiry for callers\n * who want to display the session or schedule a proactive refresh.\n *\n * Throws (without consuming the verifier) when the callback URL is\n * missing `code` or `state`, or when the state has no matching verifier\n * — the latter happens when the user opens an old/forged callback URL,\n * or when sessionStorage was cleared between authorize and callback.\n *\n * The caller is responsible for stripping `code` and `state` from the\n * browser URL afterwards (`window.history.replaceState`) so a refresh\n * doesn't re-trigger the exchange against an already-consumed code.\n */\n async completeOAuthLogin(\n callbackUrl: string | URL,\n ): Promise<OAuthTokenSnapshot> {\n if (!this.oauthClientId) {\n throw new WitniumchainApiError({\n status: 0,\n message:\n 'WitniumchainClient: completeOAuthLogin requires `oauthClientId` to be set on the constructor.',\n });\n }\n\n const url = callbackUrl instanceof URL ? callbackUrl : new URL(callbackUrl);\n const code = url.searchParams.get('code');\n const state = url.searchParams.get('state');\n const error = url.searchParams.get('error');\n if (error) {\n throw new WitniumchainApiError({\n status: 0,\n message: `OAuth authorize returned error: ${error}${\n url.searchParams.get('error_description')\n ? ` (${url.searchParams.get('error_description')})`\n : ''\n }`,\n errorLabel: error,\n });\n }\n if (!code || !state) {\n throw new WitniumchainApiError({\n status: 0,\n message:\n 'WitniumchainClient: callbackUrl missing required `code` and/or `state` parameters.',\n });\n }\n const storage = this.verifierStorageOrDefault();\n const verifier = storage.get(state);\n if (!verifier) {\n throw new WitniumchainApiError({\n status: 0,\n message:\n 'WitniumchainClient: no PKCE verifier stored for this `state`. The login flow either was not started in this tab, was already completed, or the sessionStorage entry was cleared.',\n });\n }\n const pending = this.pendingLogins.get(state);\n if (!pending) {\n // The verifier survived but the redirectUri did not — happens if the\n // caller serialised across page loads. Without redirectUri the token\n // request can't be rebuilt. Surface clearly rather than guess.\n storage.remove(state);\n throw new WitniumchainApiError({\n status: 0,\n message:\n 'WitniumchainClient: PKCE verifier exists but the redirectUri for this `state` was not found in client memory (the client instance was replaced between beginOAuthLogin and completeOAuthLogin).',\n });\n }\n\n const discovery = await this.fetchDiscovery();\n const form = new URLSearchParams();\n form.set('grant_type', 'authorization_code');\n form.set('code', code);\n form.set('redirect_uri', pending.redirectUri);\n form.set('client_id', this.oauthClientId);\n form.set('code_verifier', verifier);\n\n const tokens = await this.postTokenEndpoint(discovery.token_endpoint, form);\n storage.remove(state);\n this.pendingLogins.delete(state);\n return this.persistTokenResponse(tokens);\n }\n\n /**\n * Refresh the access token. Sends `grant_type=refresh_token` to the token\n * endpoint with the in-memory refresh token, and updates `accessToken`\n * (and the rotated refresh token) on success.\n *\n * Concurrent callers — including the 401-retry interceptor inside `req()`\n * fanning out N parallel calls — share a single in-flight refresh promise:\n * refresh tokens rotate on use, so issuing two concurrent refreshes would\n * race and one would 401 with `invalid_grant`.\n *\n * Throws `WitniumchainApiError` if the refresh token is missing (the SDK\n * was constructed without one and `completeOAuthLogin` was never called)\n * or if the AS rejects the refresh (token revoked / expired). On rejection\n * the in-memory tokens are cleared so subsequent BearerJWT calls fail fast\n * instead of retrying with a now-invalid token.\n */\n async refreshAccessToken(): Promise<OAuthTokenSnapshot> {\n if (this.refreshInFlight) return this.refreshInFlight;\n this.refreshInFlight = (async () => {\n try {\n return await this.refreshAccessTokenInternal();\n } finally {\n this.refreshInFlight = undefined;\n }\n })();\n return this.refreshInFlight;\n }\n\n /**\n * End the OAuth session.\n *\n * Clears the in-memory access + refresh tokens. Best-effort revocation of\n * the server-side session would require a server endpoint that accepts a\n * Bearer-token-authenticated DELETE (today's `/v1/oauth/sessions` requires\n * the first-party `wac_session` cookie, see oauth-sessions.controller.ts).\n * That endpoint will arrive with Phase AUTH Thread E; until then,\n * `signOut` clears local state only and the access token's natural TTL\n * (currently 60 min) bounds residual risk if the refresh token is also\n * dropped — which it is, here.\n */\n signOut(): void {\n this.accessToken = undefined;\n this.refreshToken = undefined;\n // Local hint only: the actual HttpOnly cookie lives in the browser and\n // can't be cleared from JS. It expires server-side at its TTL or when\n // a future refresh consumes it. A Bearer-authenticated revocation\n // endpoint that clears the cookie via Set-Cookie Max-Age=0 ships with\n // Thread E; until then, signOut is local-only.\n this.hasRefreshCookie = false;\n this.pendingLogins.clear();\n // Verifier-storage cleanup: any half-completed login is now invalid.\n // We can't enumerate sessionStorage by prefix here without forcing the\n // PkceVerifierStorage interface to be enumerable — let the entries\n // age out (callers can clear sessionStorage themselves on full logout).\n }\n\n // ────────────────────────────────────────────────────────────────────────\n // Internal: OAuth flow helpers\n // ────────────────────────────────────────────────────────────────────────\n\n private verifierStorageOrDefault(): PkceVerifierStorage {\n if (this.verifierStorage) return this.verifierStorage;\n return defaultVerifierStorage();\n }\n\n private async fetchDiscovery(): Promise<DiscoveryDocument> {\n if (this.discoveryCache) return this.discoveryCache;\n this.discoveryCache = (async () => {\n const url = `${this.baseUrl}/.well-known/openid-configuration`;\n let res: Response;\n try {\n res = await this.fetchImpl(url, {\n method: 'GET',\n headers: { accept: 'application/json' },\n });\n } catch (err) {\n this.discoveryCache = undefined;\n throw new WitniumchainApiError({\n status: 0,\n message:\n err instanceof Error\n ? `OIDC discovery fetch failed: ${err.message}`\n : 'OIDC discovery fetch failed',\n });\n }\n if (!res.ok) {\n this.discoveryCache = undefined;\n throw new WitniumchainApiError({\n status: res.status,\n message: `OIDC discovery fetch failed: HTTP ${res.status}`,\n });\n }\n const parsed = (await res.json()) as Partial<DiscoveryDocument>;\n if (!parsed.authorization_endpoint || !parsed.token_endpoint) {\n this.discoveryCache = undefined;\n throw new WitniumchainApiError({\n status: 0,\n message:\n 'OIDC discovery doc is missing `authorization_endpoint` or `token_endpoint`.',\n });\n }\n return {\n authorization_endpoint: parsed.authorization_endpoint,\n token_endpoint: parsed.token_endpoint,\n issuer: parsed.issuer ?? this.baseUrl,\n };\n })();\n return this.discoveryCache;\n }\n\n private async postTokenEndpoint(\n endpoint: string,\n form: URLSearchParams,\n ): Promise<TokenResponse> {\n const controller = new AbortController();\n const timer = setTimeout(() => controller.abort(), this.timeout);\n let res: Response;\n try {\n res = await this.fetchImpl(endpoint, {\n method: 'POST',\n headers: {\n accept: 'application/json',\n 'content-type': 'application/x-www-form-urlencoded',\n },\n body: form.toString(),\n signal: controller.signal,\n // Sends the HttpOnly refresh-token cookie when the server starts\n // setting it (planned server-side change); a no-op until then.\n credentials: 'include',\n });\n } catch (err) {\n throw new WitniumchainApiError({\n status: 0,\n message:\n err instanceof Error\n ? `Token endpoint fetch failed: ${err.message}`\n : 'Token endpoint fetch failed',\n });\n } finally {\n clearTimeout(timer);\n }\n\n const text = await res.text();\n let parsed: unknown = null;\n if (text.length > 0) {\n try {\n parsed = JSON.parse(text);\n } catch {\n // Non-JSON body — surface raw text in the error.\n }\n }\n if (!res.ok) {\n throw this.parseApiError(res.status, parsed, text);\n }\n return parsed as TokenResponse;\n }\n\n private persistTokenResponse(tokens: TokenResponse): OAuthTokenSnapshot {\n if (!tokens.access_token) {\n throw new WitniumchainApiError({\n status: 0,\n message: 'Token endpoint response missing `access_token`.',\n });\n }\n this.accessToken = tokens.access_token;\n if (tokens.refresh_token) {\n // Server returned the refresh token in-band (non-browser / dev / cookie\n // path opted out). Stash it for the next refresh call.\n this.refreshToken = tokens.refresh_token;\n } else {\n // No body refresh_token on a successful /token response means the\n // server emitted it as an HttpOnly Set-Cookie. From here on, refresh\n // is driven by `credentials: 'include'` carrying the cookie back.\n this.refreshToken = undefined;\n this.hasRefreshCookie = true;\n }\n // `expires_in` is the canonical TTL (seconds from now); turn it into an\n // absolute expiry to make caller-side proactive-refresh logic trivial.\n const ttlSeconds = typeof tokens.expires_in === 'number' ? tokens.expires_in : 3600;\n const expiresAt = Math.floor(Date.now() / 1000) + ttlSeconds;\n return { accessToken: tokens.access_token, expiresAt };\n }\n\n private async refreshAccessTokenInternal(): Promise<OAuthTokenSnapshot> {\n if (!this.oauthClientId) {\n throw new WitniumchainApiError({\n status: 0,\n message:\n 'WitniumchainClient: refreshAccessToken requires `oauthClientId` to be set on the constructor.',\n });\n }\n if (!this.refreshToken && !this.hasRefreshCookie) {\n throw new WitniumchainApiError({\n status: 0,\n message:\n 'WitniumchainClient: no refresh credential available. Call `completeOAuthLogin` first — the server delivers the refresh token either in the response body (Node) or as an HttpOnly cookie (browser).',\n });\n }\n const discovery = await this.fetchDiscovery();\n const form = new URLSearchParams();\n form.set('grant_type', 'refresh_token');\n form.set('client_id', this.oauthClientId);\n if (this.refreshToken) {\n // In-band refresh token wins over the cookie when both are available\n // (matches server-side precedence in mountRefreshCookieMiddleware).\n form.set('refresh_token', this.refreshToken);\n }\n // When the in-band token is absent, the HttpOnly cookie rides via\n // `credentials: 'include'` inside `postTokenEndpoint` and the server-side\n // refresh-cookie middleware reinjects it as the form field oidc-provider\n // expects.\n try {\n const tokens = await this.postTokenEndpoint(discovery.token_endpoint, form);\n return this.persistTokenResponse(tokens);\n } catch (err) {\n // AS rejected the refresh — token was revoked, expired, or rotated and\n // we sent the stale one. Clear local state so the next BearerJWT call\n // fails with a clean \"no access token\" error rather than re-triggering\n // a refresh that will keep failing. The HttpOnly cookie (if any) stays\n // until it expires server-side — the SDK can't clear it and the server\n // hasn't yet shipped a Bearer-authenticated revocation endpoint.\n this.accessToken = undefined;\n this.refreshToken = undefined;\n this.hasRefreshCookie = false;\n throw err;\n }\n }\n\n // ────────────────────────────────────────────────────────────────────────\n // Internal: fetch wrapper that maps non-2xx → WitniumchainApiError\n // and applies the configured credential to the request.\n // ────────────────────────────────────────────────────────────────────────\n\n private async req<T>(\n method: string,\n path: string,\n opts: RequestOpts,\n ): Promise<T> {\n // pathWithQuery is what gets baked into the URL and what\n // SignedRequest auth signs. Query params are part of the signed\n // canonical so a captured signed request can't be replayed with a\n // tampered query — must match what SignedRequestGuard reads from\n // req.url server-side.\n const pathWithQuery = this.buildPathWithQuery(path, opts.query);\n const base = this.resolveBaseUrl(opts.service);\n const url = `${base}${pathWithQuery}`;\n const headers: Record<string, string> = {\n accept: 'application/json',\n ...(opts.headers ?? {}),\n };\n\n if (opts.body !== undefined) {\n headers['content-type'] = 'application/json';\n }\n\n const bodyString =\n opts.body !== undefined ? JSON.stringify(opts.body) : undefined;\n\n await this.applyAuth(\n headers,\n opts.auth,\n method,\n pathWithQuery,\n bodyString ?? '',\n );\n\n const controller = new AbortController();\n const timer = setTimeout(() => controller.abort(), this.timeout);\n\n let res: Response;\n try {\n res = await this.fetchImpl(url, {\n method,\n headers,\n body: bodyString,\n signal: controller.signal,\n // Send cookies cross-origin when the consumer is a browser using\n // SessionCookie auth via document.cookie.\n credentials: 'include',\n });\n } catch (err) {\n throw new WitniumchainApiError({\n status: 0,\n message:\n err instanceof Error\n ? `Network error contacting ${base}: ${err.message}`\n : `Network error contacting ${base}`,\n });\n } finally {\n clearTimeout(timer);\n }\n\n if (opts.expectNoContent) {\n if (!res.ok) {\n if (await this.shouldRefreshAndRetry(res, opts)) {\n return this.req<T>(method, path, { ...opts, _isRetry: true });\n }\n throw await this.toApiError(res);\n }\n return undefined as T;\n }\n\n const text = await res.text();\n let parsed: unknown = null;\n if (text.length > 0) {\n try {\n parsed = JSON.parse(text);\n } catch {\n // Non-JSON body. Carry raw text in the error if !ok.\n }\n }\n\n if (!res.ok) {\n if (await this.shouldRefreshAndRetryParsed(res.status, parsed, opts)) {\n return this.req<T>(method, path, { ...opts, _isRetry: true });\n }\n throw this.parseApiError(res.status, parsed, text);\n }\n\n return parsed as T;\n }\n\n /**\n * Decide whether a non-2xx response on a `BearerJWT` route should trigger\n * a refresh + single retry. Returns false (no retry) when:\n *\n * - this call IS the retry — never recurse,\n * - the auth mode isn't BearerJWT — refresh only helps Bearer tokens,\n * - the status isn't 401 — refresh doesn't unstick 403/404/500/etc,\n * - we don't have a refresh token in memory — nothing to refresh with,\n * - the response body doesn't look like an expired-token signal.\n *\n * On a positive answer, the method ALSO performs the refresh in-line:\n * the caller just gets back `true` and replays the original request,\n * which picks up the freshly-rotated `accessToken` via `applyAuth`.\n * Refresh failures are swallowed here (the caller falls through to the\n * regular error path); `refreshAccessTokenInternal` already cleared the\n * in-memory tokens so the retry won't have anything to send.\n */\n private async shouldRefreshAndRetry(\n res: Response,\n opts: RequestOpts,\n ): Promise<boolean> {\n if (opts._isRetry) return false;\n if (opts.auth !== 'BearerJWT') return false;\n if (res.status !== 401) return false;\n if (!this.refreshToken && !this.hasRefreshCookie) return false;\n try {\n await this.refreshAccessToken();\n return true;\n } catch {\n return false;\n }\n }\n\n /**\n * Same decision as `shouldRefreshAndRetry` but for the JSON-parsed path,\n * where we have the body. Adds one extra gate: only retry when the parsed\n * body looks like a \"token expired\" signal (`error: 'token_expired'` per\n * the AUTH plan, or `error: 'invalid_token'` per RFC 6750 §3.1). A 401\n * with any other `error` label is a real authn/authz failure that refresh\n * won't fix — surface it instead of burning a refresh token.\n */\n private async shouldRefreshAndRetryParsed(\n status: number,\n parsed: unknown,\n opts: RequestOpts,\n ): Promise<boolean> {\n if (opts._isRetry) return false;\n if (opts.auth !== 'BearerJWT') return false;\n if (status !== 401) return false;\n if (!this.refreshToken && !this.hasRefreshCookie) return false;\n const body = parsed as { error?: unknown } | null | undefined;\n const label = typeof body?.error === 'string' ? body.error : undefined;\n if (label !== undefined && label !== 'token_expired' && label !== 'invalid_token') {\n return false;\n }\n try {\n await this.refreshAccessToken();\n return true;\n } catch {\n // Refresh rejected: `refreshAccessTokenInternal` already cleared the\n // in-memory tokens. Fall through to the regular error path so the\n // caller sees the original 401 and can redirect to login.\n return false;\n }\n }\n\n /**\n * Resolve which base URL to call. Default is accounts (`baseUrl`). When a\n * method opts into 'chain', `chainBaseUrl` must be configured — throw at call\n * time with a clear message rather than fall back silently to accounts (no\n * defaults: a wrong base URL is a real bug and would mask itself as a 404).\n */\n private resolveBaseUrl(service: 'accounts' | 'chain' | undefined): string {\n if (service === 'chain') {\n if (!this.chainBaseUrl) {\n throw new WitniumchainApiError({\n status: 0,\n message:\n 'WitniumchainClient: chain-api method called without `chainBaseUrl` configured. Pass `chainBaseUrl: \"https://api.witniumchain.com\"` (or your environment\\'s chain-api URL) to the client constructor.',\n });\n }\n return this.chainBaseUrl;\n }\n return this.baseUrl;\n }\n\n private buildPathWithQuery(\n path: string,\n query: Record<string, string | number | undefined> | undefined,\n ): string {\n if (!query) return path;\n const qs = new URLSearchParams();\n for (const [k, v] of Object.entries(query)) {\n if (v !== undefined) qs.set(k, String(v));\n }\n const suffix = qs.toString();\n return suffix ? `${path}?${suffix}` : path;\n }\n\n private async applyAuth(\n headers: Record<string, string>,\n auth: AuthMode,\n method: string,\n path: string,\n bodyString: string,\n ): Promise<void> {\n switch (auth) {\n case 'Public':\n return;\n case 'SessionCookie': {\n if (this.cfg.sessionCookie) {\n // In Node the SDK has to send the cookie itself; in a browser the\n // browser will attach it from document.cookie when credentials:\n // 'include' is set. Set the header anyway — it's safe in both.\n headers['cookie'] = `wac_session=${this.cfg.sessionCookie}`;\n }\n return;\n }\n case 'BearerJWT': {\n if (!this.accessToken) {\n throw new Error(\n `WitniumchainClient: ${method} ${path} requires an OAuth access token. Pass \\`accessToken\\` to the constructor, or call \\`beginOAuthLogin\\`/\\`completeOAuthLogin\\` to obtain one.`,\n );\n }\n headers['authorization'] = `Bearer ${this.accessToken}`;\n return;\n }\n case 'OrgApiKey': {\n if (!this.cfg.orgApiKey) {\n throw new Error(\n `WitniumchainClient: ${method} ${path} requires an organisation API key. Pass \\`orgApiKey\\` to the constructor.`,\n );\n }\n headers['authorization'] = `Bearer ${this.cfg.orgApiKey}`;\n return;\n }\n case 'AdminToken': {\n if (!this.cfg.adminToken) {\n throw new Error(\n `WitniumchainClient: ${method} ${path} requires an admin token. Pass \\`adminToken\\` to the constructor.`,\n );\n }\n headers['authorization'] = `Bearer ${this.cfg.adminToken}`;\n return;\n }\n case 'SignedRequest': {\n if (!this.cfg.signedRequest) {\n throw new Error(\n `WitniumchainClient: ${method} ${path} requires a signed-request signer. Pass \\`signedRequest\\` to the constructor.`,\n );\n }\n const timestamp = Math.floor(Date.now() / 1000).toString();\n const bodyHash = await sha256Hex(bodyString);\n // Idempotency-Key is part of the signed canonical so a captured\n // signed request can't be replayed with a different key. Empty\n // string when absent; the server uses the same convention.\n //\n // `path` here is the path-with-query suffix (built by\n // buildPathWithQuery in req()), so the signature binds the\n // query string too — matches what SignedRequestGuard reads\n // from req.url server-side.\n const idemKey = headers['idempotency-key'] ?? '';\n const canonical = `${method.toUpperCase()}\\n${path}\\n${timestamp}\\n${idemKey}\\n${bodyHash}`;\n const signature = await this.cfg.signedRequest.sign(canonical);\n headers['x-witnium-key'] = this.cfg.signedRequest.publicKeyHex;\n headers['x-witnium-timestamp'] = timestamp;\n headers['x-witnium-signature'] = signature;\n return;\n }\n }\n }\n\n private parseApiError(\n status: number,\n parsed: unknown,\n rawText: string,\n ): WitniumchainApiError {\n const body = parsed as\n | { error?: string; message?: string | string[] }\n | null;\n const message = Array.isArray(body?.message)\n ? body!.message.join('; ')\n : typeof body?.message === 'string'\n ? body!.message\n : body?.error ?? `HTTP ${status}`;\n return new WitniumchainApiError({\n status,\n message,\n errorLabel: body?.error,\n body: parsed ?? rawText,\n });\n }\n\n private async toApiError(res: Response): Promise<WitniumchainApiError> {\n const text = await res.text();\n let parsed: unknown = null;\n if (text.length > 0) {\n try {\n parsed = JSON.parse(text);\n } catch {\n // ignore — surface raw text\n }\n }\n return this.parseApiError(res.status, parsed, text);\n }\n}\n\n// ============================================================================\n// End-user namespace classes\n// ============================================================================\n//\n// Lightweight facades over the low-level methods on WitniumchainClient.\n// They exist to give the end-user surface a discoverable shape\n// (`client.subscriptions.subscribe(...)` rather than the route-shaped\n// `client.createCheckoutSession(...)`) while keeping the low-level methods\n// available as escape hatches.\n\n/** `client.subscriptions.*` — Stripe Checkout + portal + credit ledger. */\nexport class Subscriptions {\n constructor(private readonly client: WitniumchainClient) {}\n\n /**\n * Start a Stripe Checkout session for the supplied price. Returns the\n * hosted Checkout URL; redirect the user to it. Stripe's\n * `checkout.session.completed` webhook grants credits on success.\n */\n subscribe(body: CheckoutRequest): Promise<CheckoutResponse> {\n return this.client.createCheckoutSession(body);\n }\n\n /**\n * Open the Stripe Billing Portal for the calling user's org. Returns the\n * hosted portal URL — redirect the user there for subscription /\n * payment-method management.\n */\n manage(): Promise<PortalResponse> {\n return this.client.createPortalSession();\n }\n\n /** Recent credit-ledger entries (most recent 200). */\n getLedger(): Promise<LedgerResponse> {\n return this.client.getLedger();\n }\n}\n\n/** `client.delegatedKeys.*` — list, one-call provision, and revoke. */\nexport class DelegatedKeys {\n constructor(private readonly client: WitniumchainClient) {}\n\n /** List the caller's delegated keys, optionally filtered by contract or active flag. */\n list(query?: {\n contractAddress?: string;\n active?: 'true' | 'false';\n }): Promise<ListDelegatedKeysResponse> {\n return this.client.listDelegatedKeys(query);\n }\n\n /**\n * One-call delegated-key provisioning: prepare → owner-sign → submit →\n * poll until the on-chain `addSigningKey` tx confirms (or the polling\n * budget elapses). The server mints the delegated key in Vault; the caller\n * never sees its private key.\n *\n * Failure modes that surface as thrown {@link WitniumchainApiError}:\n * - 409 from prepare → an active key already exists for this contract;\n * caller must revoke the existing one first.\n * - 400 from submit → ownerSignature didn't verify against the prepared\n * message (wrong owner key, or the on-chain nonce shifted between\n * prepare and submit and the caller must re-provision).\n *\n * Returns `confirmed: false` (without throwing) when the on-chain tx is\n * still pending after `pollTimeoutMs` — caller can keep polling via\n * {@link list} or chain-api's receipt endpoint.\n */\n async provision(\n args: ProvisionDelegatedKeyArgs,\n ): Promise<ProvisionDelegatedKeyResult> {\n const prep = await this.client.prepareDelegatedKey({\n contractAddress: args.contractAddress,\n });\n const ownerSignature = await args.ownerSigner.sign(prep.messageToSign);\n let res = await this.client.submitDelegatedKey(prep.id, { ownerSignature });\n\n if (!res.confirmed) {\n const interval = args.pollIntervalMs ?? 2000;\n const timeout = args.pollTimeoutMs ?? 60000;\n const deadline = Date.now() + timeout;\n while (!res.confirmed && Date.now() < deadline) {\n await sleep(interval);\n res = await this.client.submitDelegatedKey(prep.id, {});\n }\n }\n\n return {\n id: prep.id,\n publicKey: prep.publicKey,\n transactionHash: res.transactionHash,\n confirmed: res.confirmed,\n blockNumber: res.blockNumber,\n };\n }\n\n /**\n * Locally revoke a delegated key. Wipes the Vault Transit key and sets\n * `revoked_at` on the row. The on-chain trust record persists — the caller\n * must invoke `WitnessRegistryV3.revokeSigningKey` with their owner key to\n * fully un-trust the key on the contract.\n */\n revoke(id: string): Promise<RevokeDelegatedKeyResponse> {\n return this.client.revokeDelegatedKey(id);\n }\n}\n\n/**\n * `client.keys.*` — owner signing-key management (add / revoke + a list\n * helper derived from {@link WitniumchainClient.getAccount}).\n *\n * Distinct from {@link DelegatedKeys} — those are Vault-held keys minted by\n * the server for delegated signing. The methods here manage the owner's own\n * signing keys registered against their contract.\n */\nexport class SigningKeys {\n constructor(private readonly client: WitniumchainClient) {}\n\n /**\n * The signing keys attached to the calling user's contract. There is no\n * dedicated list endpoint; this method calls {@link\n * WitniumchainClient.getAccount} and returns the `signingKeys` slice.\n */\n async list(): Promise<AccountResponse['signingKeys']> {\n const account = await this.client.getAccount();\n return account.signingKeys;\n }\n\n add(body: AddSigningKeyRequest): Promise<AddSigningKeyResponse> {\n return this.client.addSigningKey(body);\n }\n\n revoke(body: RevokeSigningKeyRequest): Promise<RevokeSigningKeyResponse> {\n return this.client.revokeSigningKey(body);\n }\n}\n\n/** `client.oauth.sessions.*` — list and revoke active OAuth sessions. */\nexport class OauthNamespace {\n readonly sessions: OauthSessions;\n constructor(client: WitniumchainClient) {\n this.sessions = new OauthSessions(client);\n }\n}\n\nexport class OauthSessions {\n constructor(private readonly client: WitniumchainClient) {}\n\n list(): Promise<ListOauthSessionsResponse> {\n return this.client.listOauthSessions();\n }\n\n revoke(jti: string): Promise<void> {\n return this.client.revokeOauthSession(jti);\n }\n\n revokeAll(): Promise<void> {\n return this.client.revokeAllOauthSessions();\n }\n}\n\n/**\n * `client.mfa.*` — TOTP and recovery-code self-management for the\n * authenticated user. The split into `mfa.totp.*` and `mfa.recoveryCodes.*`\n * mirrors the server-side controller structure and matches the AUTH plan's\n * D8 SDK surface (`client.mfa.totp.enroll/confirm/disable` +\n * `client.mfa.recoveryCodes.regenerate`).\n */\nexport class MfaNamespace {\n readonly totp: MfaTotp;\n readonly recoveryCodes: MfaRecoveryCodes;\n constructor(client: WitniumchainClient) {\n this.totp = new MfaTotp(client);\n this.recoveryCodes = new MfaRecoveryCodes(client);\n }\n}\n\nexport class MfaTotp {\n constructor(private readonly client: WitniumchainClient) {}\n\n /**\n * Start enrolment. Returns the secret + otpauth URL — render the URL as a\n * QR code in your dashboard (any QR library will do; the SDK doesn't bundle\n * one). The enrolment is NOT yet a usable second factor: call\n * {@link confirm} with the first 6-digit code from the authenticator app\n * to activate it AND receive the recovery codes.\n */\n enroll(): Promise<TotpEnrollResponse> {\n return this.client.enrollTotp();\n }\n\n /**\n * Confirm enrolment with the first user-supplied code. Returns the 10\n * single-use recovery codes — show them to the user ONCE; the server never\n * returns them again. Throws `WitniumchainApiError` with status 400 when\n * the code is invalid or the enrolment is already confirmed.\n */\n confirm(code: string): Promise<TotpConfirmResponse> {\n return this.client.confirmTotp({ code });\n }\n\n /** Disable TOTP, wiping both the secret and all recovery codes. */\n disable(): Promise<TotpDisableResponse> {\n return this.client.disableTotp();\n }\n}\n\nexport class MfaRecoveryCodes {\n constructor(private readonly client: WitniumchainClient) {}\n\n /**\n * Issue a fresh set of 10 recovery codes, invalidating the prior ones.\n * Same as `confirm` — codes are returned ONCE and never readable again.\n */\n regenerate(): Promise<RecoveryCodesRegenerateResponse> {\n return this.client.regenerateRecoveryCodes();\n }\n}\n\nfunction sleep(ms: number): Promise<void> {\n return new Promise((resolve) => setTimeout(resolve, ms));\n}\n\n/**\n * Stable canonical JSON: keys sorted at every object level, no\n * whitespace, deterministic ordering. Two callers serialising the same\n * logical body produce the same string regardless of how their objects\n * happened to iterate.\n */\nfunction stableStringify(value: unknown): string {\n if (value === null || typeof value !== 'object') return JSON.stringify(value);\n if (Array.isArray(value)) {\n return '[' + value.map(stableStringify).join(',') + ']';\n }\n const obj = value as Record<string, unknown>;\n const keys = Object.keys(obj).sort();\n return (\n '{' +\n keys.map((k) => JSON.stringify(k) + ':' + stableStringify(obj[k])).join(',') +\n '}'\n );\n}\n\n/**\n * Derive a stable idempotency key from the namespace + URL contract +\n * canonicalised request body. Same arguments → same key, so an\n * application-level retry with identical inputs hits the server-side\n * idempotency cache instead of minting a fresh reservation.\n *\n * Callers who genuinely want a fresh logical witness for an identical\n * body must pass an explicit `idempotencyKey` to override this.\n */\nasync function deriveBodyKey(\n namespace: string,\n contractAddress: string,\n body: unknown,\n): Promise<string> {\n const canonical = `${namespace}|${contractAddress.toLowerCase()}|${stableStringify(body)}`;\n return await sha256Hex(canonical);\n}\n\n/**\n * Compute lowercase hex of sha256(input bytes) using SubtleCrypto.\n * Requires a runtime with `crypto.subtle` — modern browsers and Node 18+.\n */\nasync function sha256Hex(input: string): Promise<string> {\n const subtle = (globalThis as { crypto?: { subtle?: SubtleCrypto } }).crypto\n ?.subtle;\n if (!subtle) {\n throw new Error(\n 'WitniumchainClient: SubtleCrypto is not available. Polyfill `globalThis.crypto.subtle` for SignedRequest auth.',\n );\n }\n const data = new TextEncoder().encode(input);\n const digest = await subtle.digest('SHA-256', data);\n const bytes = new Uint8Array(digest);\n let out = '';\n for (const b of bytes) out += b.toString(16).padStart(2, '0');\n return out;\n}\n","/**\n * WitniumchainAdminClient — system-admin facade over the accounts API.\n *\n * Wraps the five `/v1/admin/organizations/*` routes that mint orgs, flip\n * account types, verify emails, rotate API keys, and apply manual credit\n * adjustments. This is the client our internal admin frontend and ops scripts\n * consume — there is no UI surface here, just typed RPC.\n *\n * Auth is AdminToken (the `BEARER_TOKEN` env value on the server side).\n * Construction throws if `adminToken` is missing; the underlying HTTP client\n * would throw at call time, but failing at construction surfaces config bugs\n * in the wiring step rather than the first request.\n */\nimport { WitniumchainClient } from './client';\nimport type {\n CreateOrganizationRequest,\n CreateOrganizationResponse,\n SetAccountTypeResponse,\n VerifyOrganizationResponse,\n RotateApiKeyResponse,\n AdjustCreditsResponse,\n} from './types';\n\nexport interface WitniumchainAdminClientConfig {\n /** Base URL, e.g. `https://auth.witniumchain.com`. Trailing slash optional. */\n baseUrl: string;\n /** System-admin token (`Authorization: Bearer <ADMIN_TOKEN>`). */\n adminToken: string;\n /** Per-request timeout in milliseconds. Default 30000. */\n timeout?: number;\n /** Alternate fetch implementation (e.g. for tests). Default `globalThis.fetch`. */\n fetch?: typeof fetch;\n}\n\nexport type AccountType = 'metered' | 'unlimited';\n\nexport class WitniumchainAdminClient {\n private readonly inner: WitniumchainClient;\n\n constructor(config: WitniumchainAdminClientConfig) {\n if (!config.adminToken) {\n throw new Error('WitniumchainAdminClient: adminToken is required');\n }\n this.inner = new WitniumchainClient({\n baseUrl: config.baseUrl,\n adminToken: config.adminToken,\n timeout: config.timeout,\n fetch: config.fetch,\n });\n }\n\n /**\n * Mint a new organisation. The returned `apiKey` is shown ONCE — the server\n * only retains its SHA-256 hash. Persist it before the response leaves\n * scope; there is no recovery path.\n *\n * @param body Organisation seed: name, email, optional accountType and\n * signup credit grant, optional skip-email-verification flag.\n */\n createOrganization(\n body: CreateOrganizationRequest,\n ): Promise<CreateOrganizationResponse> {\n return this.inner.createOrganization(body);\n }\n\n /** Flip an org between `metered` (Stripe checkout + credit ledger) and `unlimited` (flat-fee). */\n setAccountType(\n orgId: string,\n accountType: AccountType,\n ): Promise<SetAccountTypeResponse> {\n return this.inner.setOrgAccountType(orgId, { accountType });\n }\n\n /** Mark an org's email as verified. Prerequisite for the org to create users. */\n verifyEmail(orgId: string): Promise<VerifyOrganizationResponse> {\n return this.inner.verifyOrganization(orgId);\n }\n\n /**\n * Rotate the org's API key. The previous `wcorg_live_…` is invalidated and\n * the new key is returned ONCE — same one-time-secret semantics as\n * {@link createOrganization}.\n */\n rotateApiKey(orgId: string): Promise<RotateApiKeyResponse> {\n return this.inner.rotateOrgApiKey(orgId);\n }\n\n /**\n * Apply a signed credit delta to an org's ledger. Positive `delta` grants\n * credits (goodwill, migration backfill); negative claws them back.\n * Recorded as `reason: adjustment` with the supplied `note`.\n *\n * Use sparingly — this bypasses Stripe and should be auditable from the\n * `note` alone.\n */\n adjustCredits(\n orgId: string,\n delta: number,\n note?: string,\n ): Promise<AdjustCreditsResponse> {\n return this.inner.adjustOrgCredits(orgId, { delta, note });\n }\n}\n","/**\n * WitniumchainOrgClient — org-admin facade over the accounts API.\n *\n * Wraps the three `/v1/orgs/me/*` routes that org admins use to read their\n * own org profile and manage their users. This is the client B2B2C apps and\n * customer-admin dashboards consume — auth is the `wcorg_live_…` API key\n * minted via `WitniumchainAdminClient.createOrganization` or returned by\n * a subsequent `rotateApiKey`.\n *\n * The surface is intentionally minimal — the underlying API only exposes\n * profile read + user create + user list. Anything more powerful (provision\n * credits, change account type, verify email) requires the sysadmin\n * `AdminToken` and therefore lives on `WitniumchainAdminClient`.\n */\nimport { WitniumchainClient } from './client';\nimport type {\n PublicOrgResponse,\n CreateUserRequest,\n CreateUserResponse,\n ListUsersResponse,\n} from './types';\n\nexport interface WitniumchainOrgClientConfig {\n /** Base URL, e.g. `https://auth.witniumchain.com`. Trailing slash optional. */\n baseUrl: string;\n /** Organisation API key (`wcorg_live_…`). */\n orgApiKey: string;\n /** Per-request timeout in milliseconds. Default 30000. */\n timeout?: number;\n /** Alternate fetch implementation (e.g. for tests). Default `globalThis.fetch`. */\n fetch?: typeof fetch;\n}\n\nexport class WitniumchainOrgClient {\n private readonly inner: WitniumchainClient;\n /** User-management namespace — `client.users.create/list`. */\n readonly users: OrgUsers;\n\n constructor(config: WitniumchainOrgClientConfig) {\n if (!config.orgApiKey) {\n throw new Error('WitniumchainOrgClient: orgApiKey is required');\n }\n this.inner = new WitniumchainClient({\n baseUrl: config.baseUrl,\n orgApiKey: config.orgApiKey,\n timeout: config.timeout,\n fetch: config.fetch,\n });\n this.users = new OrgUsers(this.inner);\n }\n\n /**\n * The org's own profile — name, email, account type, cached credit\n * balance (null for `unlimited` accounts), and the `isPersonal` flag.\n *\n * Note: a 401 here usually means the API key was rotated; rotate-key\n * invalidates the previous one.\n */\n me(): Promise<PublicOrgResponse> {\n return this.inner.getMyOrg();\n }\n}\n\n/** `client.users.*` — create + list users in the org. */\nexport class OrgUsers {\n constructor(private readonly inner: WitniumchainClient) {}\n\n /**\n * Provision a new user inside the org. Requires the org's email to have\n * been verified (sysadmin gate) — otherwise the server returns 403.\n */\n create(body: CreateUserRequest): Promise<CreateUserResponse> {\n return this.inner.createOrgUser(body);\n }\n\n /** List the org's users. */\n list(): Promise<ListUsersResponse> {\n return this.inner.listOrgUsers();\n }\n}\n"]}