agent-authority 0.1.0

package/dist/behalf.js

@@ -0,0 +1,475 @@
+import { newKeyPair, newId, signBlock, verifyBlock, exportPublicKey, importPublicKey, importPrivateKey, signProof, verifyProof, signMessage, verifyMessage, canonicalJson, } from "./crypto.js";
+import { parse, satisfies, isNarrowing, windowMs, } from "./capability.js";
+import { verify as verifyAudit, GENESIS } from "./audit.js";
+import { MemoryAuditStore, MemoryRevocationStore, MemoryRateStore, } from "./store.js";
+import { Mandate } from "./mandate.js";
+import { unseal } from "./seal.js";
+import { AuthorizationError, BehalfError, IntegrityError, WideningError } from "./errors.js";
+const DURATION_RE = /^(\d+(?:\.\d+)?)(ms|s|m|h|d)$/;
+function toMs(d) {
+    if (typeof d === "number")
+        return d;
+    const m = DURATION_RE.exec(d.trim());
+    if (!m)
+        throw new Error(`invalid duration "${d}" (use e.g. "1h", "10m", "30s")`);
+    const n = Number(m[1]);
+    const unit = { ms: 1, s: 1000, m: 60_000, h: 3_600_000, d: 86_400_000 };
+    return n * unit[m[2]];
+}
+/**
+ * The Behalf engine: holds the issuer keypair and the revocation / audit stores,
+ * and implements the five verbs. Use the default singleton via the static
+ * facade (`Behalf.grant`, ...) or construct an isolated instance with
+ * `createBehalf()`. A verify-only engine (no grant) is made with
+ * `createBehalf({ trust: [issuerPublicKey] })` and a generated throwaway key.
+ */
+export class Behalf {
+    rootKeyPair;
+    agentKey;
+    trusted;
+    revocations;
+    auditStore;
+    rateStore;
+    proofSkewMs;
+    requireNonce;
+    /** Outstanding single-use challenges: nonce → expiry (ms). */
+    nonces = new Map();
+    now;
+    constructor(config = {}) {
+        this.rootKeyPair = config.rootKeyPair ?? newKeyPair();
+        this.agentKey = config.agentKey;
+        this.trusted = new Set(config.trust ?? []);
+        this.trusted.add(exportPublicKey(this.rootKeyPair.publicKey));
+        this.revocations = config.revocations ?? new MemoryRevocationStore();
+        this.auditStore = config.audit ?? new MemoryAuditStore();
+        this.rateStore = config.rate ?? new MemoryRateStore();
+        this.proofSkewMs = config.proofSkewMs ?? 300_000;
+        this.requireNonce = config.requireNonce ?? false;
+        this.now = config.now ?? (() => Date.now());
+    }
+    /**
+     * Issue a single-use challenge nonce. The holder binds it into its possession
+     * proof (`prove(action, { nonce })`); `authorize` consumes it, so that proof
+     * can never be replayed — even within the freshness window.
+     */
+    challenge() {
+        const nonce = newId();
+        this.nonces.set(nonce, this.now() + this.proofSkewMs);
+        return nonce;
+    }
+    /** This engine's issuer public key (base64url SPKI). Share it with verifiers. */
+    get publicKey() {
+        return exportPublicKey(this.rootKeyPair.publicKey);
+    }
+    /**
+     * This engine's agent-identity public key (base64url), or undefined if none is
+     * configured. Hand it to a granter so they can `bindAgent` a mandate to you;
+     * only an engine holding the matching private key can then authorize it.
+     */
+    get agentPublicKey() {
+        return this.agentKey ? exportPublicKey(this.agentKey.publicKey) : undefined;
+    }
+    /** GRANT — a principal authorizes an agent: scoped, capped, short-lived. */
+    grant(opts) {
+        const id = newId();
+        const next = newKeyPair();
+        const block = {
+            caveats: [
+                { t: "principal", principal: opts.principal },
+                { t: "agent", agent: opts.agent },
+                { t: "cap", can: opts.can },
+                { t: "expires", at: this.now() + toMs(opts.expiresIn) },
+                ...(opts.bindAgent ? [{ t: "agentKey", key: opts.bindAgent }] : []),
+            ],
+            nextPub: exportPublicKey(next.publicKey),
+        };
+        const sig = signBlock(this.rootKeyPair.privateKey, block);
+        const token = {
+            v: 2,
+            id,
+            blocks: [block],
+            sigs: [sig],
+            rootPub: this.publicKey,
+        };
+        return new Mandate(token, this, next.privateKey);
+    }
+    /** ATTENUATE — narrow a mandate for a sub-agent. Never widens. */
+    attenuate(token, delegationKey, opts) {
+        if (!delegationKey) {
+            throw new BehalfDelegationError();
+        }
+        this.verifySignature(token);
+        const parentCans = capsFromToken(token);
+        const caveats = [];
+        if (opts.can) {
+            const check = isNarrowing(parentCans, opts.can);
+            if (!check.ok)
+                throw new WideningError(check.offending);
+            caveats.push({ t: "cap", can: opts.can });
+        }
+        if (opts.expiresIn !== undefined) {
+            caveats.push({ t: "expires", at: this.now() + toMs(opts.expiresIn) });
+        }
+        if (opts.agent) {
+            caveats.push({ t: "agent", agent: opts.agent });
+        }
+        if (opts.bindAgent) {
+            caveats.push({ t: "agentKey", key: opts.bindAgent });
+        }
+        // A fresh id makes this link individually revocable; it stays downstream of
+        // the parent, so revoking the parent still kills it.
+        caveats.push({ t: "id", id: newId() });
+        const next = newKeyPair();
+        const block = { caveats, nextPub: exportPublicKey(next.publicKey) };
+        const sig = signBlock(delegationKey, block);
+        const newToken = {
+            v: 2,
+            id: token.id,
+            blocks: [...token.blocks, block],
+            sigs: [...token.sigs, sig],
+            rootPub: token.rootPub,
+        };
+        return new Mandate(newToken, this, next.privateKey);
+    }
+    /**
+     * Mint a possession proof for `token` using `delegationKey` (the holder's
+     * terminal key). Throws if the key is absent — you cannot act on a mandate you
+     * only hold the public token for.
+     */
+    provePossession(token, delegationKey, action, nonce, agentKeys) {
+        const ts = this.now();
+        const agentSigs = (agentKeys ?? []).map((k) => signProof(k, token.id, token.sigs, ts, action, nonce ?? ""));
+        return {
+            ts,
+            sig: signProof(delegationKey, token.id, token.sigs, ts, action, nonce ?? ""),
+            ...(nonce !== undefined ? { nonce } : {}),
+            ...(agentSigs.length ? { agentSigs } : {}),
+        };
+    }
+    /** Holder path: `mandate.authorize()` routes here, minting a PoP from its key. */
+    async authorizeAsHolder(token, action, delegationKey) {
+        if (!delegationKey)
+            throw new BehalfDelegationError();
+        // In-process the engine is its own verifier, so it can self-issue a nonce.
+        const nonce = this.requireNonce ? this.challenge() : undefined;
+        // If this engine carries an agent identity, prove it too, satisfying any
+        // agentKey caveat bound to us.
+        const agentKeys = this.agentKey ? [this.agentKey.privateKey] : [];
+        return this.authorize(token, action, this.provePossession(token, delegationKey, action, nonce, agentKeys));
+    }
+    /**
+     * AUTHORIZE — verify a token, prove the presenter possesses the chain's
+     * terminal key, then check a concrete action. The `proof` is required: it
+     * binds the presenter to the exact (untruncated) chain and a fresh timestamp,
+     * which is what closes trailing-block truncation and stops a serialized token
+     * from being a reusable bearer credential. Produce one with `provePossession`
+     * (or, across the wire, `agent-authority/a2a`'s `present`).
+     */
+    async authorize(token, action, proof) {
+        const chain = chainIds(token);
+        const deny = async (reason) => {
+            await this.auditStore.record({
+                mandateId: chain[chain.length - 1],
+                issuer: token.rootPub,
+                chain,
+                action,
+                decision: "deny",
+                reason,
+            });
+            throw new AuthorizationError(action, reason);
+        };
+        // 1. Signature chain integrity (offline, public-key only).
+        try {
+            this.verifySignature(token);
+        }
+        catch (e) {
+            return deny(e instanceof IntegrityError ? e.message : "invalid signature");
+        }
+        // 2. Proof of possession of the chain's terminal key (anti-truncation).
+        if (!proof)
+            return deny("possession proof required");
+        if (Math.abs(this.now() - proof.ts) > this.proofSkewMs)
+            return deny("stale possession proof");
+        // 2b. Single-use nonce: consumed on first use, so a captured proof can
+        // never be replayed. Mandatory when the engine is configured requireNonce.
+        if (proof.nonce !== undefined) {
+            const expiry = this.nonces.get(proof.nonce);
+            if (expiry === undefined || this.now() > expiry) {
+                return deny("unknown or already-used nonce");
+            }
+            this.nonces.delete(proof.nonce);
+        }
+        else if (this.requireNonce) {
+            return deny("nonce required (request one via challenge())");
+        }
+        const terminal = importPublicKey(token.blocks[token.blocks.length - 1].nextPub);
+        if (!verifyProof(terminal, token.id, token.sigs, proof.ts, action, proof.sig, proof.nonce ?? "")) {
+            return deny("invalid possession proof");
+        }
+        // 2c. Conjunctive agent-identity binding (C3, SVID-style). Every agentKey
+        // caveat in the chain must be satisfied by an agent signature over the same
+        // proof message. A credential thief lacks these private keys and cannot
+        // strip a signed caveat, so the binding cannot be bypassed; appending one's
+        // own binding only adds a further requirement, never removes the original.
+        const agentSigs = proof.agentSigs ?? [];
+        for (const c of allCaveats(token)) {
+            if (c.t !== "agentKey")
+                continue;
+            const agentPub = importPublicKey(c.key);
+            const satisfied = agentSigs.some((s) => verifyProof(agentPub, token.id, token.sigs, proof.ts, action, s, proof.nonce ?? ""));
+            if (!satisfied)
+                return deny("agent identity proof required");
+        }
+        // 3. Revocation + expiry + scope (shared with inspect()).
+        const ev = await this.evaluate(token, action);
+        if (!ev.ok)
+            return deny(ev.reason);
+        // 4. Rate limits (sliding window; shareable via the rate store).
+        if (ev.matched?.rate) {
+            const key = `${chain[0]}|${ev.request.verb}:${ev.request.resource}`;
+            const allowed = await this.rateStore.hit(key, windowMs(ev.matched.rate.per), ev.matched.rate.value, this.now());
+            if (!allowed) {
+                return deny(`rate limit exceeded (${ev.matched.rate.value}/${ev.matched.rate.per})`);
+            }
+        }
+        await this.auditStore.record({
+            mandateId: chain[chain.length - 1],
+            issuer: token.rootPub,
+            chain,
+            action,
+            decision: "allow",
+        });
+    }
+    /**
+     * INSPECT — advisory check of signature, revocation, expiry, and scope WITHOUT
+     * a possession proof. Use for "would this token allow X?" tooling (CLI,
+     * dashboards, `check_authority`). It does NOT prove the caller holds the
+     * mandate, does not consume rate budget, and writes no audit record — never
+     * gate a real action on it; use `authorize` for that.
+     */
+    async inspect(token, action) {
+        const ev = await this.evaluate(token, action);
+        return ev.ok ? { allowed: true } : { allowed: false, reason: ev.reason };
+    }
+    /** Shared signature + revocation + expiry + scope check (no PoP, no side effects). */
+    async evaluate(token, action) {
+        try {
+            this.verifySignature(token);
+        }
+        catch (e) {
+            return { ok: false, reason: e instanceof IntegrityError ? e.message : "invalid signature" };
+        }
+        for (const id of chainIds(token)) {
+            if (await this.revocations.isRevoked(id))
+                return { ok: false, reason: `revoked (${id})` };
+        }
+        const caveats = allCaveats(token);
+        const now = this.now();
+        for (const c of caveats) {
+            if (c.t === "expires" && now > c.at)
+                return { ok: false, reason: "expired" };
+        }
+        let request;
+        try {
+            request = parse(action);
+        }
+        catch (e) {
+            return { ok: false, reason: e.message };
+        }
+        let matched;
+        for (const c of caveats) {
+            if (c.t !== "cap")
+                continue;
+            const grant = c.can.map(parse).find((g) => satisfies(g, request));
+            if (!grant)
+                return { ok: false, reason: `"${action}" not within granted scope` };
+            if (grant.rate)
+                matched = grant;
+        }
+        return { ok: true, matched, request };
+    }
+    /** REVOKE — kill a mandate (and, transitively, everything downstream). */
+    async revoke(id) {
+        await this.revocations.revoke(id);
+    }
+    /** AUDIT — fetch the hash-chained audit trail for a mandate's chain. */
+    async audit(id) {
+        return this.auditStore.forMandate(id);
+    }
+    /** Verify the integrity of the entire audit log. */
+    async verifyAuditLog() {
+        return verifyAudit(await this.auditStore.all());
+    }
+    /**
+     * Sign an anchor over the audit log's current head (C4). Store checkpoints
+     * somewhere the log's writer can't reach (another host, object storage, a
+     * ledger): a later `verifyAuditCheckpoint` then detects tail-deletion and
+     * full-chain rewrites, which the unkeyed hash chain alone cannot.
+     */
+    async checkpointAudit() {
+        const entries = await this.auditStore.all();
+        const head = entries[entries.length - 1];
+        const body = { seq: head?.seq ?? -1, hash: head?.hash ?? GENESIS, ts: this.now() };
+        return {
+            ...body,
+            signer: this.publicKey,
+            sig: signMessage(this.rootKeyPair.privateKey, canonicalJson(body)),
+        };
+    }
+    /**
+     * Verify the log against a previously-taken checkpoint: the checkpoint's
+     * signature must verify under a trusted key, the chain must replay, and the
+     * entry at `checkpoint.seq` must still carry exactly the anchored hash.
+     */
+    async verifyAuditCheckpoint(checkpoint) {
+        if (!this.trusted.has(checkpoint.signer)) {
+            return { ok: false, reason: "checkpoint signer is not trusted" };
+        }
+        const body = { seq: checkpoint.seq, hash: checkpoint.hash, ts: checkpoint.ts };
+        if (!verifyMessage(importPublicKey(checkpoint.signer), canonicalJson(body), checkpoint.sig)) {
+            return { ok: false, reason: "invalid checkpoint signature" };
+        }
+        const entries = await this.auditStore.all();
+        const chain = verifyAudit(entries);
+        if (!chain.ok)
+            return { ...chain, reason: `hash chain broken at seq ${chain.brokenAt}` };
+        if (checkpoint.seq === -1)
+            return { ok: true };
+        const anchored = entries.find((e) => e.seq === checkpoint.seq);
+        if (!anchored || anchored.hash !== checkpoint.hash) {
+            return { ok: false, reason: "anchored entry missing or rewritten (tail deletion / rewrite)" };
+        }
+        return { ok: true };
+    }
+    // ---- Issuer key rotation (B5) ----
+    /**
+     * Rotate the issuer key with overlap: returns a NEW engine with a fresh
+     * keypair that shares this engine's stores/config and still trusts every
+     * previously trusted key (including the old one), so existing mandates keep
+     * verifying while new grants are signed by the new key. Distribute the new
+     * `publicKey` to verifiers, wait out the longest outstanding mandate expiry,
+     * then end the overlap with `untrustKey(oldPublicKey)`.
+     */
+    rotate() {
+        return new Behalf({
+            rootKeyPair: newKeyPair(),
+            agentKey: this.agentKey,
+            trust: [...this.trusted],
+            revocations: this.revocations,
+            audit: this.auditStore,
+            rate: this.rateStore,
+            proofSkewMs: this.proofSkewMs,
+            requireNonce: this.requireNonce,
+            now: this.now,
+        });
+    }
+    /** Currently trusted issuer public keys (own key included). */
+    get trustedKeys() {
+        return [...this.trusted];
+    }
+    /** Trust an additional issuer key (e.g. a peer's, or a pre-staged next key). */
+    trustKey(publicKey) {
+        this.trusted.add(publicKey);
+    }
+    /** End a rotation overlap. Refuses to remove this engine's own key. */
+    untrustKey(publicKey) {
+        if (publicKey === this.publicKey) {
+            throw new BehalfError("cannot untrust this engine's own key");
+        }
+        return this.trusted.delete(publicKey);
+    }
+    /**
+     * Re-hydrate a Mandate from a serialized string. Accepts both forms:
+     * - `serialize()` (public token) → inspect/verify only; cannot authorize,
+     *   prove, or attenuate (no delegation key).
+     * - `serializeWithKey()` (token + delegation key) → a full holder credential
+     *   that can authorize, prove, and attenuate.
+     */
+    import(serialized) {
+        const parsed = JSON.parse(Buffer.from(serialized, "base64url").toString("utf8"));
+        if ("token" in parsed && "key" in parsed) {
+            const token = parsed.token;
+            // The delegation key's public half is the chain's terminal nextPub.
+            const pub = token.blocks[token.blocks.length - 1].nextPub;
+            return new Mandate(token, this, importPrivateKey(parsed.key, pub));
+        }
+        return new Mandate(parsed, this);
+    }
+    /**
+     * Decrypt and import a sealed holder credential (see
+     * `mandate.sealForRecipient`) using the recipient's X25519 sealing keypair.
+     * Equivalent to `import(unseal(sealed, recipient))`.
+     */
+    importSealed(sealed, recipient) {
+        return this.import(unseal(sealed, recipient));
+    }
+    /**
+     * Throws {@link IntegrityError} if the issuer is untrusted or the Ed25519
+     * signature chain does not verify. Pure public-key checks — no secrets.
+     */
+    verifySignature(token) {
+        if (token.v !== 2)
+            throw new IntegrityError(`unsupported token version ${token.v}`);
+        if (!this.trusted.has(token.rootPub))
+            throw new IntegrityError("untrusted issuer");
+        if (token.blocks.length !== token.sigs.length)
+            throw new IntegrityError("malformed token");
+        let signerPub = importPublicKey(token.rootPub);
+        for (let i = 0; i < token.blocks.length; i++) {
+            const block = token.blocks[i];
+            if (!verifyBlock(signerPub, block, token.sigs[i])) {
+                throw new IntegrityError(`signature failed at block ${i}`);
+            }
+            signerPub = importPublicKey(block.nextPub);
+        }
+    }
+    // ---- Static facade over a lazily-created default instance ----
+    static _default;
+    static get default() {
+        return (Behalf._default ??= new Behalf());
+    }
+    /** Replace the default instance (e.g. to inject a persistent store). */
+    static configure(config) {
+        return (Behalf._default = new Behalf(config));
+    }
+    static grant(opts) {
+        return Behalf.default.grant(opts);
+    }
+    static revoke(id) {
+        return Behalf.default.revoke(id);
+    }
+    static audit(id) {
+        return Behalf.default.audit(id);
+    }
+    static import(serialized) {
+        return Behalf.default.import(serialized);
+    }
+}
+/** Thrown when attenuating a mandate that has no in-memory delegation key. */
+export class BehalfDelegationError extends BehalfError {
+    constructor() {
+        super("this mandate cannot be delegated (it was imported without its delegation key)");
+    }
+}
+/** Construct an isolated engine (own key + stores). */
+export function createBehalf(config = {}) {
+    return new Behalf(config);
+}
+function chainIds(token) {
+    const ids = [token.id];
+    for (const c of allCaveats(token))
+        if (c.t === "id")
+            ids.push(c.id);
+    return ids;
+}
+function allCaveats(token) {
+    return token.blocks.flatMap((b) => b.caveats);
+}
+function capsFromToken(token) {
+    let latest = [];
+    for (const c of allCaveats(token))
+        if (c.t === "cap")
+            latest = c.can;
+    return latest;
+}
+//# sourceMappingURL=behalf.js.map

package/dist/behalf.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"behalf.js","sourceRoot":"","sources":["../src/behalf.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,UAAU,EACV,KAAK,EACL,SAAS,EACT,WAAW,EACX,eAAe,EACf,eAAe,EACf,gBAAgB,EAChB,SAAS,EACT,WAAW,EACX,WAAW,EACX,aAAa,EACb,aAAa,GAEd,MAAM,aAAa,CAAC;AACrB,OAAO,EACL,KAAK,EACL,SAAS,EACT,WAAW,EACX,QAAQ,GAET,MAAM,iBAAiB,CAAC;AACzB,OAAO,EAAE,MAAM,IAAI,WAAW,EAAE,OAAO,EAAE,MAAM,YAAY,CAAC;AAC5D,OAAO,EACL,gBAAgB,EAChB,qBAAqB,EACrB,eAAe,GAIhB,MAAM,YAAY,CAAC;AACpB,OAAO,EAAE,OAAO,EAAe,MAAM,cAAc,CAAC;AACpD,OAAO,EAAE,MAAM,EAAoB,MAAM,WAAW,CAAC;AACrD,OAAO,EAAE,kBAAkB,EAAE,WAAW,EAAE,cAAc,EAAE,aAAa,EAAE,MAAM,aAAa,CAAC;AA0C7F,MAAM,WAAW,GAAG,+BAA+B,CAAC;AAEpD,SAAS,IAAI,CAAC,CAAkB;IAC9B,IAAI,OAAO,CAAC,KAAK,QAAQ;QAAE,OAAO,CAAC,CAAC;IACpC,MAAM,CAAC,GAAG,WAAW,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC;IACrC,IAAI,CAAC,CAAC;QAAE,MAAM,IAAI,KAAK,CAAC,qBAAqB,CAAC,iCAAiC,CAAC,CAAC;IACjF,MAAM,CAAC,GAAG,MAAM,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;IACvB,MAAM,IAAI,GAA2B,EAAE,EAAE,EAAE,CAAC,EAAE,CAAC,EAAE,IAAI,EAAE,CAAC,EAAE,MAAM,EAAE,CAAC,EAAE,SAAS,EAAE,CAAC,EAAE,UAAU,EAAE,CAAC;IAChG,OAAO,CAAC,GAAG,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;AACxB,CAAC;AAED;;;;;;GAMG;AACH,MAAM,OAAO,MAAM;IACA,WAAW,CAAU;IACrB,QAAQ,CAAW;IACnB,OAAO,CAAc;IACrB,WAAW,CAAkB;IAC7B,UAAU,CAAa;IACvB,SAAS,CAAY;IACrB,WAAW,CAAS;IACpB,YAAY,CAAU;IACvC,8DAA8D;IAC7C,MAAM,GAAG,IAAI,GAAG,EAAkB,CAAC;IACnC,GAAG,CAAe;IAEnC,YAAY,SAAuB,EAAE;QACnC,IAAI,CAAC,WAAW,GAAG,MAAM,CAAC,WAAW,IAAI,UAAU,EAAE,CAAC;QACtD,IAAI,CAAC,QAAQ,GAAG,MAAM,CAAC,QAAQ,CAAC;QAChC,IAAI,CAAC,OAAO,GAAG,IAAI,GAAG,CAAC,MAAM,CAAC,KAAK,IAAI,EAAE,CAAC,CAAC;QAC3C,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,eAAe,CAAC,IAAI,CAAC,WAAW,CAAC,SAAS,CAAC,CAAC,CAAC;QAC9D,IAAI,CAAC,WAAW,GAAG,MAAM,CAAC,WAAW,IAAI,IAAI,qBAAqB,EAAE,CAAC;QACrE,IAAI,CAAC,UAAU,GAAG,MAAM,CAAC,KAAK,IAAI,IAAI,gBAAgB,EAAE,CAAC;QACzD,IAAI,CAAC,SAAS,GAAG,MAAM,CAAC,IAAI,IAAI,IAAI,eAAe,EAAE,CAAC;QACtD,IAAI,CAAC,WAAW,GAAG,MAAM,CAAC,WAAW,IAAI,OAAO,CAAC;QACjD,IAAI,CAAC,YAAY,GAAG,MAAM,CAAC,YAAY,IAAI,KAAK,CAAC;QACjD,IAAI,CAAC,GAAG,GAAG,MAAM,CAAC,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC,IAAI,CAAC,GAAG,EAAE,CAAC,CAAC;IAC9C,CAAC;IAED;;;;OAIG;IACH,SAAS;QACP,MAAM,KAAK,GAAG,KAAK,EAAE,CAAC;QACtB,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,KAAK,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,WAAW,CAAC,CAAC;QACtD,OAAO,KAAK,CAAC;IACf,CAAC;IAED,iFAAiF;IACjF,IAAI,SAAS;QACX,OAAO,eAAe,CAAC,IAAI,CAAC,WAAW,CAAC,SAAS,CAAC,CAAC;IACrD,CAAC;IAED;;;;OAIG;IACH,IAAI,cAAc;QAChB,OAAO,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAC,eAAe,CAAC,IAAI,CAAC,QAAQ,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC;IAC9E,CAAC;IAED,4EAA4E;IAC5E,KAAK,CAAC,IAAkB;QACtB,MAAM,EAAE,GAAG,KAAK,EAAE,CAAC;QACnB,MAAM,IAAI,GAAG,UAAU,EAAE,CAAC;QAC1B,MAAM,KAAK,GAAU;YACnB,OAAO,EAAE;gBACP,EAAE,CAAC,EAAE,WAAW,EAAE,SAAS,EAAE,IAAI,CAAC,SAAS,EAAE;gBAC7C,EAAE,CAAC,EAAE,OAAO,EAAE,KAAK,EAAE,IAAI,CAAC,KAAK,EAAE;gBACjC,EAAE,CAAC,EAAE,KAAK,EAAE,GAAG,EAAE,IAAI,CAAC,GAAG,EAAE;gBAC3B,EAAE,CAAC,EAAE,SAAS,EAAE,EAAE,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE;gBACvD,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,UAAU,EAAE,GAAG,EAAE,IAAI,CAAC,SAAS,EAAY,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;aAC9E;YACD,OAAO,EAAE,eAAe,CAAC,IAAI,CAAC,SAAS,CAAC;SACzC,CAAC;QACF,MAAM,GAAG,GAAG,SAAS,CAAC,IAAI,CAAC,WAAW,CAAC,UAAU,EAAE,KAAK,CAAC,CAAC;QAC1D,MAAM,KAAK,GAAiB;YAC1B,CAAC,EAAE,CAAC;YACJ,EAAE;YACF,MAAM,EAAE,CAAC,KAAK,CAAC;YACf,IAAI,EAAE,CAAC,GAAG,CAAC;YACX,OAAO,EAAE,IAAI,CAAC,SAAS;SACxB,CAAC;QACF,OAAO,IAAI,OAAO,CAAC,KAAK,EAAE,IAAI,EAAE,IAAI,CAAC,UAAU,CAAC,CAAC;IACnD,CAAC;IAED,kEAAkE;IAClE,SAAS,CACP,KAAmB,EACnB,aAAoC,EACpC,IAAsB;QAEtB,IAAI,CAAC,aAAa,EAAE,CAAC;YACnB,MAAM,IAAI,qBAAqB,EAAE,CAAC;QACpC,CAAC;QACD,IAAI,CAAC,eAAe,CAAC,KAAK,CAAC,CAAC;QAE5B,MAAM,UAAU,GAAG,aAAa,CAAC,KAAK,CAAC,CAAC;QACxC,MAAM,OAAO,GAAa,EAAE,CAAC;QAC7B,IAAI,IAAI,CAAC,GAAG,EAAE,CAAC;YACb,MAAM,KAAK,GAAG,WAAW,CAAC,UAAU,EAAE,IAAI,CAAC,GAAG,CAAC,CAAC;YAChD,IAAI,CAAC,KAAK,CAAC,EAAE;gBAAE,MAAM,IAAI,aAAa,CAAC,KAAK,CAAC,SAAU,CAAC,CAAC;YACzD,OAAO,CAAC,IAAI,CAAC,EAAE,CAAC,EAAE,KAAK,EAAE,GAAG,EAAE,IAAI,CAAC,GAAG,EAAE,CAAC,CAAC;QAC5C,CAAC;QACD,IAAI,IAAI,CAAC,SAAS,KAAK,SAAS,EAAE,CAAC;YACjC,OAAO,CAAC,IAAI,CAAC,EAAE,CAAC,EAAE,SAAS,EAAE,EAAE,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,CAAC,CAAC;QACxE,CAAC;QACD,IAAI,IAAI,CAAC,KAAK,EAAE,CAAC;YACf,OAAO,CAAC,IAAI,CAAC,EAAE,CAAC,EAAE,OAAO,EAAE,KAAK,EAAE,IAAI,CAAC,KAAK,EAAE,CAAC,CAAC;QAClD,CAAC;QACD,IAAI,IAAI,CAAC,SAAS,EAAE,CAAC;YACnB,OAAO,CAAC,IAAI,CAAC,EAAE,CAAC,EAAE,UAAU,EAAE,GAAG,EAAE,IAAI,CAAC,SAAS,EAAE,CAAC,CAAC;QACvD,CAAC;QACD,4EAA4E;QAC5E,qDAAqD;QACrD,OAAO,CAAC,IAAI,CAAC,EAAE,CAAC,EAAE,IAAI,EAAE,EAAE,EAAE,KAAK,EAAE,EAAE,CAAC,CAAC;QAEvC,MAAM,IAAI,GAAG,UAAU,EAAE,CAAC;QAC1B,MAAM,KAAK,GAAU,EAAE,OAAO,EAAE,OAAO,EAAE,eAAe,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,CAAC;QAC3E,MAAM,GAAG,GAAG,SAAS,CAAC,aAAa,EAAE,KAAK,CAAC,CAAC;QAE5C,MAAM,QAAQ,GAAiB;YAC7B,CAAC,EAAE,CAAC;YACJ,EAAE,EAAE,KAAK,CAAC,EAAE;YACZ,MAAM,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,KAAK,CAAC;YAChC,IAAI,EAAE,CAAC,GAAG,KAAK,CAAC,IAAI,EAAE,GAAG,CAAC;YAC1B,OAAO,EAAE,KAAK,CAAC,OAAO;SACvB,CAAC;QACF,OAAO,IAAI,OAAO,CAAC,QAAQ,EAAE,IAAI,EAAE,IAAI,CAAC,UAAU,CAAC,CAAC;IACtD,CAAC;IAED;;;;OAIG;IACH,eAAe,CACb,KAAmB,EACnB,aAAwB,EACxB,MAAc,EACd,KAAc,EACd,SAAuB;QAEvB,MAAM,EAAE,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QACtB,MAAM,SAAS,GAAG,CAAC,SAAS,IAAI,EAAE,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAC5C,SAAS,CAAC,CAAC,EAAE,KAAK,CAAC,EAAE,EAAE,KAAK,CAAC,IAAI,EAAE,EAAE,EAAE,MAAM,EAAE,KAAK,IAAI,EAAE,CAAC,CAC5D,CAAC;QACF,OAAO;YACL,EAAE;YACF,GAAG,EAAE,SAAS,CAAC,aAAa,EAAE,KAAK,CAAC,EAAE,EAAE,KAAK,CAAC,IAAI,EAAE,EAAE,EAAE,MAAM,EAAE,KAAK,IAAI,EAAE,CAAC;YAC5E,GAAG,CAAC,KAAK,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,KAAK,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;YACzC,GAAG,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,SAAS,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;SAC3C,CAAC;IACJ,CAAC;IAED,kFAAkF;IAClF,KAAK,CAAC,iBAAiB,CACrB,KAAmB,EACnB,MAAc,EACd,aAAoC;QAEpC,IAAI,CAAC,aAAa;YAAE,MAAM,IAAI,qBAAqB,EAAE,CAAC;QACtD,2EAA2E;QAC3E,MAAM,KAAK,GAAG,IAAI,CAAC,YAAY,CAAC,CAAC,CAAC,IAAI,CAAC,SAAS,EAAE,CAAC,CAAC,CAAC,SAAS,CAAC;QAC/D,yEAAyE;QACzE,+BAA+B;QAC/B,MAAM,SAAS,GAAG,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;QAClE,OAAO,IAAI,CAAC,SAAS,CACnB,KAAK,EACL,MAAM,EACN,IAAI,CAAC,eAAe,CAAC,KAAK,EAAE,aAAa,EAAE,MAAM,EAAE,KAAK,EAAE,SAAS,CAAC,CACrE,CAAC;IACJ,CAAC;IAED;;;;;;;OAOG;IACH,KAAK,CAAC,SAAS,CAAC,KAAmB,EAAE,MAAc,EAAE,KAAa;QAChE,MAAM,KAAK,GAAG,QAAQ,CAAC,KAAK,CAAC,CAAC;QAC9B,MAAM,IAAI,GAAG,KAAK,EAAE,MAAc,EAAkB,EAAE;YACpD,MAAM,IAAI,CAAC,UAAU,CAAC,MAAM,CAAC;gBAC3B,SAAS,EAAE,KAAK,CAAC,KAAK,CAAC,MAAM,GAAG,CAAC,CAAC;gBAClC,MAAM,EAAE,KAAK,CAAC,OAAO;gBACrB,KAAK;gBACL,MAAM;gBACN,QAAQ,EAAE,MAAM;gBAChB,MAAM;aACP,CAAC,CAAC;YACH,MAAM,IAAI,kBAAkB,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;QAC/C,CAAC,CAAC;QAEF,2DAA2D;QAC3D,IAAI,CAAC;YACH,IAAI,CAAC,eAAe,CAAC,KAAK,CAAC,CAAC;QAC9B,CAAC;QAAC,OAAO,CAAC,EAAE,CAAC;YACX,OAAO,IAAI,CAAC,CAAC,YAAY,cAAc,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,mBAAmB,CAAC,CAAC;QAC7E,CAAC;QAED,wEAAwE;QACxE,IAAI,CAAC,KAAK;YAAE,OAAO,IAAI,CAAC,2BAA2B,CAAC,CAAC;QACrD,IAAI,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,KAAK,CAAC,EAAE,CAAC,GAAG,IAAI,CAAC,WAAW;YAAE,OAAO,IAAI,CAAC,wBAAwB,CAAC,CAAC;QAC9F,uEAAuE;QACvE,2EAA2E;QAC3E,IAAI,KAAK,CAAC,KAAK,KAAK,SAAS,EAAE,CAAC;YAC9B,MAAM,MAAM,GAAG,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC;YAC5C,IAAI,MAAM,KAAK,SAAS,IAAI,IAAI,CAAC,GAAG,EAAE,GAAG,MAAM,EAAE,CAAC;gBAChD,OAAO,IAAI,CAAC,+BAA+B,CAAC,CAAC;YAC/C,CAAC;YACD,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC;QAClC,CAAC;aAAM,IAAI,IAAI,CAAC,YAAY,EAAE,CAAC;YAC7B,OAAO,IAAI,CAAC,8CAA8C,CAAC,CAAC;QAC9D,CAAC;QACD,MAAM,QAAQ,GAAG,eAAe,CAAC,KAAK,CAAC,MAAM,CAAC,KAAK,CAAC,MAAM,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC;QAChF,IAAI,CAAC,WAAW,CAAC,QAAQ,EAAE,KAAK,CAAC,EAAE,EAAE,KAAK,CAAC,IAAI,EAAE,KAAK,CAAC,EAAE,EAAE,MAAM,EAAE,KAAK,CAAC,GAAG,EAAE,KAAK,CAAC,KAAK,IAAI,EAAE,CAAC,EAAE,CAAC;YACjG,OAAO,IAAI,CAAC,0BAA0B,CAAC,CAAC;QAC1C,CAAC;QACD,0EAA0E;QAC1E,4EAA4E;QAC5E,wEAAwE;QACxE,4EAA4E;QAC5E,2EAA2E;QAC3E,MAAM,SAAS,GAAG,KAAK,CAAC,SAAS,IAAI,EAAE,CAAC;QACxC,KAAK,MAAM,CAAC,IAAI,UAAU,CAAC,KAAK,CAAC,EAAE,CAAC;YAClC,IAAI,CAAC,CAAC,CAAC,KAAK,UAAU;gBAAE,SAAS;YACjC,MAAM,QAAQ,GAAG,eAAe,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC;YACxC,MAAM,SAAS,GAAG,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CACrC,WAAW,CAAC,QAAQ,EAAE,KAAK,CAAC,EAAE,EAAE,KAAK,CAAC,IAAI,EAAE,KAAK,CAAC,EAAE,EAAE,MAAM,EAAE,CAAC,EAAE,KAAK,CAAC,KAAK,IAAI,EAAE,CAAC,CACpF,CAAC;YACF,IAAI,CAAC,SAAS;gBAAE,OAAO,IAAI,CAAC,+BAA+B,CAAC,CAAC;QAC/D,CAAC;QAED,0DAA0D;QAC1D,MAAM,EAAE,GAAG,MAAM,IAAI,CAAC,QAAQ,CAAC,KAAK,EAAE,MAAM,CAAC,CAAC;QAC9C,IAAI,CAAC,EAAE,CAAC,EAAE;YAAE,OAAO,IAAI,CAAC,EAAE,CAAC,MAAM,CAAC,CAAC;QAEnC,iEAAiE;QACjE,IAAI,EAAE,CAAC,OAAO,EAAE,IAAI,EAAE,CAAC;YACrB,MAAM,GAAG,GAAG,GAAG,KAAK,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,OAAO,CAAC,IAAI,IAAI,EAAE,CAAC,OAAO,CAAC,QAAQ,EAAE,CAAC;YACpE,MAAM,OAAO,GAAG,MAAM,IAAI,CAAC,SAAS,CAAC,GAAG,CACtC,GAAG,EACH,QAAQ,CAAC,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC,GAAG,CAAC,EAC7B,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC,KAAK,EACrB,IAAI,CAAC,GAAG,EAAE,CACX,CAAC;YACF,IAAI,CAAC,OAAO,EAAE,CAAC;gBACb,OAAO,IAAI,CAAC,wBAAwB,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC,KAAK,IAAI,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC,GAAG,GAAG,CAAC,CAAC;YACvF,CAAC;QACH,CAAC;QAED,MAAM,IAAI,CAAC,UAAU,CAAC,MAAM,CAAC;YAC3B,SAAS,EAAE,KAAK,CAAC,KAAK,CAAC,MAAM,GAAG,CAAC,CAAC;YAClC,MAAM,EAAE,KAAK,CAAC,OAAO;YACrB,KAAK;YACL,MAAM;YACN,QAAQ,EAAE,OAAO;SAClB,CAAC,CAAC;IACL,CAAC;IAED;;;;;;OAMG;IACH,KAAK,CAAC,OAAO,CAAC,KAAmB,EAAE,MAAc;QAC/C,MAAM,EAAE,GAAG,MAAM,IAAI,CAAC,QAAQ,CAAC,KAAK,EAAE,MAAM,CAAC,CAAC;QAC9C,OAAO,EAAE,CAAC,EAAE,CAAC,CAAC,CAAC,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,EAAE,OAAO,EAAE,KAAK,EAAE,MAAM,EAAE,EAAE,CAAC,MAAM,EAAE,CAAC;IAC3E,CAAC;IAED,sFAAsF;IAC9E,KAAK,CAAC,QAAQ,CACpB,KAAmB,EACnB,MAAc;QAKd,IAAI,CAAC;YACH,IAAI,CAAC,eAAe,CAAC,KAAK,CAAC,CAAC;QAC9B,CAAC;QAAC,OAAO,CAAC,EAAE,CAAC;YACX,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,CAAC,YAAY,cAAc,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,mBAAmB,EAAE,CAAC;QAC9F,CAAC;QACD,KAAK,MAAM,EAAE,IAAI,QAAQ,CAAC,KAAK,CAAC,EAAE,CAAC;YACjC,IAAI,MAAM,IAAI,CAAC,WAAW,CAAC,SAAS,CAAC,EAAE,CAAC;gBAAE,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,YAAY,EAAE,GAAG,EAAE,CAAC;QAC5F,CAAC;QACD,MAAM,OAAO,GAAG,UAAU,CAAC,KAAK,CAAC,CAAC;QAClC,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QACvB,KAAK,MAAM,CAAC,IAAI,OAAO,EAAE,CAAC;YACxB,IAAI,CAAC,CAAC,CAAC,KAAK,SAAS,IAAI,GAAG,GAAG,CAAC,CAAC,EAAE;gBAAE,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,SAAS,EAAE,CAAC;QAC/E,CAAC;QACD,IAAI,OAAmB,CAAC;QACxB,IAAI,CAAC;YACH,OAAO,GAAG,KAAK,CAAC,MAAM,CAAC,CAAC;QAC1B,CAAC;QAAC,OAAO,CAAC,EAAE,CAAC;YACX,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAG,CAAW,CAAC,OAAO,EAAE,CAAC;QACrD,CAAC;QACD,IAAI,OAA+B,CAAC;QACpC,KAAK,MAAM,CAAC,IAAI,OAAO,EAAE,CAAC;YACxB,IAAI,CAAC,CAAC,CAAC,KAAK,KAAK;gBAAE,SAAS;YAC5B,MAAM,KAAK,GAAG,CAAC,CAAC,GAAG,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,SAAS,CAAC,CAAC,EAAE,OAAO,CAAC,CAAC,CAAC;YAClE,IAAI,CAAC,KAAK;gBAAE,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,IAAI,MAAM,4BAA4B,EAAE,CAAC;YACjF,IAAI,KAAK,CAAC,IAAI;gBAAE,OAAO,GAAG,KAAK,CAAC;QAClC,CAAC;QACD,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,OAAO,EAAE,OAAO,EAAE,CAAC;IACxC,CAAC;IAED,0EAA0E;IAC1E,KAAK,CAAC,MAAM,CAAC,EAAU;QACrB,MAAM,IAAI,CAAC,WAAW,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC;IACpC,CAAC;IAED,wEAAwE;IACxE,KAAK,CAAC,KAAK,CAAC,EAAU;QACpB,OAAO,IAAI,CAAC,UAAU,CAAC,UAAU,CAAC,EAAE,CAAC,CAAC;IACxC,CAAC;IAED,oDAAoD;IACpD,KAAK,CAAC,cAAc;QAClB,OAAO,WAAW,CAAC,MAAM,IAAI,CAAC,UAAU,CAAC,GAAG,EAAE,CAAC,CAAC;IAClD,CAAC;IAED;;;;;OAKG;IACH,KAAK,CAAC,eAAe;QACnB,MAAM,OAAO,GAAG,MAAM,IAAI,CAAC,UAAU,CAAC,GAAG,EAAE,CAAC;QAC5C,MAAM,IAAI,GAAG,OAAO,CAAC,OAAO,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC;QACzC,MAAM,IAAI,GAAG,EAAE,GAAG,EAAE,IAAI,EAAE,GAAG,IAAI,CAAC,CAAC,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,IAAI,OAAO,EAAE,EAAE,EAAE,IAAI,CAAC,GAAG,EAAE,EAAE,CAAC;QACnF,OAAO;YACL,GAAG,IAAI;YACP,MAAM,EAAE,IAAI,CAAC,SAAS;YACtB,GAAG,EAAE,WAAW,CAAC,IAAI,CAAC,WAAW,CAAC,UAAU,EAAE,aAAa,CAAC,IAAI,CAAC,CAAC;SACnE,CAAC;IACJ,CAAC;IAED;;;;OAIG;IACH,KAAK,CAAC,qBAAqB,CAAC,UAA2B;QACrD,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,UAAU,CAAC,MAAM,CAAC,EAAE,CAAC;YACzC,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,kCAAkC,EAAE,CAAC;QACnE,CAAC;QACD,MAAM,IAAI,GAAG,EAAE,GAAG,EAAE,UAAU,CAAC,GAAG,EAAE,IAAI,EAAE,UAAU,CAAC,IAAI,EAAE,EAAE,EAAE,UAAU,CAAC,EAAE,EAAE,CAAC;QAC/E,IAAI,CAAC,aAAa,CAAC,eAAe,CAAC,UAAU,CAAC,MAAM,CAAC,EAAE,aAAa,CAAC,IAAI,CAAC,EAAE,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;YAC5F,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,8BAA8B,EAAE,CAAC;QAC/D,CAAC;QACD,MAAM,OAAO,GAAG,MAAM,IAAI,CAAC,UAAU,CAAC,GAAG,EAAE,CAAC;QAC5C,MAAM,KAAK,GAAG,WAAW,CAAC,OAAO,CAAC,CAAC;QACnC,IAAI,CAAC,KAAK,CAAC,EAAE;YAAE,OAAO,EAAE,GAAG,KAAK,EAAE,MAAM,EAAE,4BAA4B,KAAK,CAAC,QAAQ,EAAE,EAAE,CAAC;QACzF,IAAI,UAAU,CAAC,GAAG,KAAK,CAAC,CAAC;YAAE,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,CAAC;QAC/C,MAAM,QAAQ,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,GAAG,KAAK,UAAU,CAAC,GAAG,CAAC,CAAC;QAC/D,IAAI,CAAC,QAAQ,IAAI,QAAQ,CAAC,IAAI,KAAK,UAAU,CAAC,IAAI,EAAE,CAAC;YACnD,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,+DAA+D,EAAE,CAAC;QAChG,CAAC;QACD,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,CAAC;IACtB,CAAC;IAED,qCAAqC;IAErC;;;;;;;OAOG;IACH,MAAM;QACJ,OAAO,IAAI,MAAM,CAAC;YAChB,WAAW,EAAE,UAAU,EAAE;YACzB,QAAQ,EAAE,IAAI,CAAC,QAAQ;YACvB,KAAK,EAAE,CAAC,GAAG,IAAI,CAAC,OAAO,CAAC;YACxB,WAAW,EAAE,IAAI,CAAC,WAAW;YAC7B,KAAK,EAAE,IAAI,CAAC,UAAU;YACtB,IAAI,EAAE,IAAI,CAAC,SAAS;YACpB,WAAW,EAAE,IAAI,CAAC,WAAW;YAC7B,YAAY,EAAE,IAAI,CAAC,YAAY;YAC/B,GAAG,EAAE,IAAI,CAAC,GAAG;SACd,CAAC,CAAC;IACL,CAAC;IAED,+DAA+D;IAC/D,IAAI,WAAW;QACb,OAAO,CAAC,GAAG,IAAI,CAAC,OAAO,CAAC,CAAC;IAC3B,CAAC;IAED,gFAAgF;IAChF,QAAQ,CAAC,SAAiB;QACxB,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;IAC9B,CAAC;IAED,uEAAuE;IACvE,UAAU,CAAC,SAAiB;QAC1B,IAAI,SAAS,KAAK,IAAI,CAAC,SAAS,EAAE,CAAC;YACjC,MAAM,IAAI,WAAW,CAAC,sCAAsC,CAAC,CAAC;QAChE,CAAC;QACD,OAAO,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;IACxC,CAAC;IAED;;;;;;OAMG;IACH,MAAM,CAAC,UAAkB;QACvB,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,IAAI,CAAC,UAAU,EAAE,WAAW,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,CAEvC,CAAC;QACzC,IAAI,OAAO,IAAI,MAAM,IAAI,KAAK,IAAI,MAAM,EAAE,CAAC;YACzC,MAAM,KAAK,GAAG,MAAM,CAAC,KAAK,CAAC;YAC3B,oEAAoE;YACpE,MAAM,GAAG,GAAG,KAAK,CAAC,MAAM,CAAC,KAAK,CAAC,MAAM,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,OAAO,CAAC;YAC1D,OAAO,IAAI,OAAO,CAAC,KAAK,EAAE,IAAI,EAAE,gBAAgB,CAAC,MAAM,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC,CAAC;QACrE,CAAC;QACD,OAAO,IAAI,OAAO,CAAC,MAAsB,EAAE,IAAI,CAAC,CAAC;IACnD,CAAC;IAED;;;;OAIG;IACH,YAAY,CAAC,MAAc,EAAE,SAAsB;QACjD,OAAO,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,MAAM,EAAE,SAAS,CAAC,CAAC,CAAC;IAChD,CAAC;IAED;;;OAGG;IACH,eAAe,CAAC,KAAmB;QACjC,IAAI,KAAK,CAAC,CAAC,KAAK,CAAC;YAAE,MAAM,IAAI,cAAc,CAAC,6BAA6B,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC;QACpF,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,OAAO,CAAC;YAAE,MAAM,IAAI,cAAc,CAAC,kBAAkB,CAAC,CAAC;QACnF,IAAI,KAAK,CAAC,MAAM,CAAC,MAAM,KAAK,KAAK,CAAC,IAAI,CAAC,MAAM;YAAE,MAAM,IAAI,cAAc,CAAC,iBAAiB,CAAC,CAAC;QAE3F,IAAI,SAAS,GAAG,eAAe,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;QAC/C,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;YAC7C,MAAM,KAAK,GAAG,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC;YAC9B,IAAI,CAAC,WAAW,CAAC,SAAS,EAAE,KAAK,EAAE,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;gBAClD,MAAM,IAAI,cAAc,CAAC,6BAA6B,CAAC,EAAE,CAAC,CAAC;YAC7D,CAAC;YACD,SAAS,GAAG,eAAe,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;QAC7C,CAAC;IACH,CAAC;IAED,iEAAiE;IAEzD,MAAM,CAAC,QAAQ,CAAqB;IAC5C,MAAM,KAAK,OAAO;QAChB,OAAO,CAAC,MAAM,CAAC,QAAQ,KAAK,IAAI,MAAM,EAAE,CAAC,CAAC;IAC5C,CAAC;IACD,wEAAwE;IACxE,MAAM,CAAC,SAAS,CAAC,MAAoB;QACnC,OAAO,CAAC,MAAM,CAAC,QAAQ,GAAG,IAAI,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC;IAChD,CAAC;IAED,MAAM,CAAC,KAAK,CAAC,IAAkB;QAC7B,OAAO,MAAM,CAAC,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IACpC,CAAC;IACD,MAAM,CAAC,MAAM,CAAC,EAAU;QACtB,OAAO,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC;IACnC,CAAC;IACD,MAAM,CAAC,KAAK,CAAC,EAAU;QACrB,OAAO,MAAM,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC;IAClC,CAAC;IACD,MAAM,CAAC,MAAM,CAAC,UAAkB;QAC9B,OAAO,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC;IAC3C,CAAC;CACF;AAED,8EAA8E;AAC9E,MAAM,OAAO,qBAAsB,SAAQ,WAAW;IACpD;QACE,KAAK,CAAC,+EAA+E,CAAC,CAAC;IACzF,CAAC;CACF;AAED,uDAAuD;AACvD,MAAM,UAAU,YAAY,CAAC,SAAuB,EAAE;IACpD,OAAO,IAAI,MAAM,CAAC,MAAM,CAAC,CAAC;AAC5B,CAAC;AAED,SAAS,QAAQ,CAAC,KAAmB;IACnC,MAAM,GAAG,GAAG,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC;IACvB,KAAK,MAAM,CAAC,IAAI,UAAU,CAAC,KAAK,CAAC;QAAE,IAAI,CAAC,CAAC,CAAC,KAAK,IAAI;YAAE,GAAG,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC;IACpE,OAAO,GAAG,CAAC;AACb,CAAC;AAED,SAAS,UAAU,CAAC,KAAmB;IACrC,OAAO,KAAK,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC;AAChD,CAAC;AAED,SAAS,aAAa,CAAC,KAAmB;IACxC,IAAI,MAAM,GAAa,EAAE,CAAC;IAC1B,KAAK,MAAM,CAAC,IAAI,UAAU,CAAC,KAAK,CAAC;QAAE,IAAI,CAAC,CAAC,CAAC,KAAK,KAAK;YAAE,MAAM,GAAG,CAAC,CAAC,GAAG,CAAC;IACrE,OAAO,MAAM,CAAC;AAChB,CAAC"}

package/dist/capability.d.ts

@@ -0,0 +1,56 @@
+/**
+ * Capability grammar.
+ *
+ *   read:calendar              simple capability
+ *   write:repo/acme-app        resource-scoped (path segments)
+ *   spend:usd<=50              quantitative limit
+ *   send:email rate<=10/h      rate limit
+ *   *                          wildcard (discouraged; lint warns)
+ *
+ * A capability is `<verb>:<resource>[<op><amount>] [<key><op><value>[/<unit>]]`.
+ */
+export type Op = "<=" | ">=" | "<" | ">" | "=";
+export interface Amount {
+    op: Op;
+    value: number;
+}
+export interface Rate {
+    op: Op;
+    value: number;
+    /** Window unit: seconds, minutes, hours, days. Defaults to hours. */
+    per: "s" | "m" | "h" | "d";
+}
+export interface Capability {
+    raw: string;
+    wildcard: boolean;
+    verb: string;
+    resource: string;
+    /** Quantitative constraint on the resource, e.g. usd<=50. */
+    amount?: Amount;
+    /** Rate constraint, e.g. rate<=10/h. */
+    rate?: Rate;
+}
+/** Parse a capability string into structured form. Throws on malformed input. */
+export declare function parse(raw: string): Capability;
+/** Window length in milliseconds for a rate unit. */
+export declare function windowMs(per: Rate["per"]): number;
+/**
+ * Does the `grant` capability permit the `request` action?
+ *
+ * The request is the concrete action being attempted (e.g. `spend:usd=20`); the
+ * grant is the authority held (e.g. `spend:usd<=50`). Rate limits are *not*
+ * evaluated here — they require call history and are enforced by the engine.
+ */
+export declare function satisfies(grant: Capability, request: Capability): boolean;
+/** Convenience: parse both sides then check satisfaction. */
+export declare function permits(grant: string, request: string): boolean;
+/**
+ * Is every capability in `child` covered by some capability in `parent`?
+ * Used to reject widening at attenuation time (the chain enforces it too, but
+ * this gives a clear, early error).
+ */
+export declare function isNarrowing(parent: string[], child: string[]): {
+    ok: boolean;
+    offending?: string;
+};
+//# sourceMappingURL=capability.d.ts.map

package/dist/capability.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"capability.d.ts","sourceRoot":"","sources":["../src/capability.ts"],"names":[],"mappings":"AAEA;;;;;;;;;;GAUG;AAEH,MAAM,MAAM,EAAE,GAAG,IAAI,GAAG,IAAI,GAAG,GAAG,GAAG,GAAG,GAAG,GAAG,CAAC;AAE/C,MAAM,WAAW,MAAM;IACrB,EAAE,EAAE,EAAE,CAAC;IACP,KAAK,EAAE,MAAM,CAAC;CACf;AAED,MAAM,WAAW,IAAI;IACnB,EAAE,EAAE,EAAE,CAAC;IACP,KAAK,EAAE,MAAM,CAAC;IACd,qEAAqE;IACrE,GAAG,EAAE,GAAG,GAAG,GAAG,GAAG,GAAG,GAAG,GAAG,CAAC;CAC5B;AAED,MAAM,WAAW,UAAU;IACzB,GAAG,EAAE,MAAM,CAAC;IACZ,QAAQ,EAAE,OAAO,CAAC;IAClB,IAAI,EAAE,MAAM,CAAC;IACb,QAAQ,EAAE,MAAM,CAAC;IACjB,6DAA6D;IAC7D,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,wCAAwC;IACxC,IAAI,CAAC,EAAE,IAAI,CAAC;CACb;AAMD,iFAAiF;AACjF,wBAAgB,KAAK,CAAC,GAAG,EAAE,MAAM,GAAG,UAAU,CAsC7C;AAED,qDAAqD;AACrD,wBAAgB,QAAQ,CAAC,GAAG,EAAE,IAAI,CAAC,KAAK,CAAC,GAAG,MAAM,CAWjD;AA4BD;;;;;;GAMG;AACH,wBAAgB,SAAS,CAAC,KAAK,EAAE,UAAU,EAAE,OAAO,EAAE,UAAU,GAAG,OAAO,CAiBzE;AAED,6DAA6D;AAC7D,wBAAgB,OAAO,CAAC,KAAK,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,GAAG,OAAO,CAE/D;AAED;;;;GAIG;AACH,wBAAgB,WAAW,CAAC,MAAM,EAAE,MAAM,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,GAAG;IAAE,EAAE,EAAE,OAAO,CAAC;IAAC,SAAS,CAAC,EAAE,MAAM,CAAA;CAAE,CAQlG"}