agent-passport-system 1.40.0 → 1.41.0

package/README.md

@@ -7,9 +7,9 @@
 
 > **For AI agents:** visit [aeoess.com/llms.txt](https://aeoess.com/llms.txt) for machine-readable docs.
 
-**Governance infrastructure for AI agents. Gateway evaluation under 2ms.**
+**Enforcement and accountability layer for AI agents. Bring your own identity.**
 
-Authority can only decrease at each transfer point. The gateway is both judge and executor. Every action produces a signed receipt.
+Accepts did:key, did:web, SPIFFE SVIDs, OAuth tokens, and native did:aps. Authority can only decrease at each transfer point. The gateway is both judge and executor. Every action produces a signed receipt. Gateway evaluation under 2ms.
 
 ```bash
 npm install agent-passport-system
@@ -17,10 +17,16 @@ npm install agent-passport-system
 
 ## Quick Start
 
+Lead with the curated essentials. `agent-passport-system/core` exposes the ~25 functions that 90% of integrations need — identity, delegation, enforcement, commerce, reputation, key management. The full `agent-passport-system` root import is unchanged and backward compatible: pull from it when Core does not cover your case.
+
 ```typescript
 import {
-  createPassport, createDelegation, evaluateIntent, commercePreflight
+  createPassport, createDelegation,
+  evaluateIntent, commercePreflight, generateKeyPair
 } from 'agent-passport-system/core'
+
+// Full 936-export API still available — use when Core does not cover your case.
+// import { ... } from 'agent-passport-system'
 ```
 
 ## Core Protocol

package/dist/src/core/behavioral-fingerprint.d.ts

@@ -0,0 +1,186 @@
+import type { FidelityAttestation } from '../types/gateway.js';
+/** Reference to a PDR (Probabilistic Delegation Reliability) score event,
+ *  as defined in Nanook PDR v2.19 §6.3. The pdr.score.v1 wire format is
+ *  not yet a published spec; this interface mirrors the field set the paper
+ *  attributes to NexusGuard's AIP implementation (aip_identity/pdr.py).
+ *
+ *  This is an EXTERNAL reference — the SDK does not produce these scores,
+ *  it only carries them inside a fingerprint envelope. The optional
+ *  signature field is the score's own external signature (e.g. from the
+ *  NexusGuard issuer); verifyBehavioralFingerprint does NOT validate it. */
+export interface PDRScoreRef {
+    source: 'pdr.score.v1';
+    /** Composite PDR score in [0, 1]. Per Nanook §6.3: weighted combination of
+     *  Calibration (0.5), Adaptation (0.2), Robustness (0.3). */
+    scoreOverall: number;
+    /** Calibration sub-score in [0, 1]. Jaccard similarity of claimed vs delivered. */
+    scoreCalibration: number;
+    /** Adaptation sub-score in [0, 1]. Temporal improvement slope. */
+    scoreAdaptation: number;
+    /** Robustness sub-score in [0, 1]. Condition-based variance. */
+    scoreRobustness: number;
+    /** Number of behavioral observations the score is computed over. */
+    observationCount: number;
+    /** Temporal spread of those observations, in days. */
+    windowDays: number;
+    /** Identifier of the issuing PDR scorer (e.g. 'nexusguard-aip-0.5.48'). */
+    issuer: string;
+    /** ISO 8601 timestamp of score issuance. */
+    issuedAt: string;
+    /** Optional external signature from the PDR issuer. NOT validated by
+     *  verifyBehavioralFingerprint — see JSDoc on that function. */
+    signature?: string;
+}
+/** Reference to a within-session constraint compliance score, in the style
+ *  of Saebo et al. arXiv:2603.03456 ("Asymmetric Goal Drift in Coding Agents
+ *  Under Value Conflict"). Measures whether the agent maintained its
+ *  declared value hierarchy under context pressure across a session.
+ *
+ *  Like PDRScoreRef, this is an external reference. The SDK does not
+ *  produce Saebo scores; it carries them inside the envelope so consumers
+ *  that want all three axes have one signed artifact to verify. */
+export interface SaeboScoreRef {
+    source: 'saebo.constraint.v1';
+    /** Compliance score in [0, 1]: 1.0 = no violations across session,
+     *  0.0 = constraint violated on every turn. */
+    complianceScore: number;
+    /** Number of constraint violations observed in the session. */
+    violationCount: number;
+    /** Total turn count of the session being scored. */
+    sessionTurnCount: number;
+    /** Identifier of the issuing constraint scorer. */
+    issuer: string;
+    /** ISO 8601 timestamp of score issuance. */
+    issuedAt: string;
+    /** Optional external signature from the issuer. NOT validated by
+     *  verifyBehavioralFingerprint. */
+    signature?: string;
+}
+/** Three-axis behavioral measurement envelope. Always carries at least one
+ *  HBB FidelityAttestation (axis 1). PDR and Saebo references are optional
+ *  axes — a fingerprint with only fidelity is still well-formed. */
+export interface BehavioralFingerprint {
+    subject: {
+        /** DID of the subject agent being measured (not the measurer). */
+        did: string;
+        /** LLM substrate identifier the subject was running on at measurement
+         *  time (e.g. 'claude-sonnet-4', 'gpt-5-turbo'). */
+        substrate: string;
+    };
+    /** One or more HBB attestations. Multiple attestations are common when
+     *  the substrate-swap protocol from Nanook §8.10 takes pre/post probes. */
+    fidelity: FidelityAttestation[];
+    /** Optional axis 2: PDR cross-session reliability reference. */
+    pdr_ref?: PDRScoreRef;
+    /** Optional axis 3: Saebo within-session constraint compliance reference. */
+    constraint_ref?: SaeboScoreRef;
+    /** Identifier of the party that composed and signed this envelope.
+     *  May or may not be the same party that produced the inner
+     *  FidelityAttestations (which carry their own measuredBy). */
+    measurerId: string;
+    /** Hex-encoded Ed25519 public key of the envelope signer. Embedded so
+     *  third parties can verify offline given only the envelope. */
+    measurerPublicKey: string;
+    /** ISO 8601 timestamp of envelope signing. */
+    signedAt: string;
+    /** Hex-encoded Ed25519 signature over canonicalize({ subject, fidelity,
+     *  pdr_ref, constraint_ref, measurerId, signedAt }). */
+    signature: string;
+}
+/** Result of verifyBehavioralFingerprint. All-or-nothing validity flag plus
+ *  per-field breakdown for diagnostic visibility. */
+export interface FingerprintVerificationResult {
+    /** True iff the envelope signature verifies AND every inner fidelity
+     *  attestation signature verifies under the same public key. */
+    valid: boolean;
+    /** Whether the envelope-level signature verified against measurerPublicKey. */
+    envelopeSignatureValid: boolean;
+    /** One boolean per inner FidelityAttestation, in the same order as
+     *  fp.fidelity. Each entry is the result of verifyFidelityAttestation
+     *  against the provided measurerPublicKey. */
+    innerFidelitySignaturesValid: boolean[];
+    /** Human-readable diagnostic messages. Empty array on success. */
+    errors: string[];
+}
+/** Compose and sign a BehavioralFingerprint envelope.
+ *
+ * Requires at least one FidelityAttestation. The envelope carries pre-built
+ * fidelity attestations as-is — they retain their own measuredBy/signature
+ * fields and stay independently verifiable.
+ *
+ * The signing key is used for the envelope signature only. Inner fidelity
+ * attestations were signed earlier by their own measurers; this function
+ * does not re-sign them.
+ *
+ * @throws if fidelity is empty.
+ *
+ * Reference: Nanook PDR v2.19 §2.2, §8.10. Gap audit §5 rank 2.
+ */
+export declare function createBehavioralFingerprint(subject: {
+    did: string;
+    substrate: string;
+}, fidelity: FidelityAttestation[], opts: {
+    pdr?: PDRScoreRef;
+    constraint?: SaeboScoreRef;
+    measurerId: string;
+    measurerPublicKey: string;
+    signingKey: string;
+    /** Override the signing timestamp. Test fixtures only. */
+    signedAt?: string;
+}): BehavioralFingerprint;
+/** Verify a BehavioralFingerprint envelope.
+ *
+ * Performs two checks:
+ *   1. Envelope signature: verify the envelope's own Ed25519 signature
+ *      against the provided measurerPublicKey.
+ *   2. Inner fidelity signatures: for each FidelityAttestation in
+ *      fp.fidelity, run verifyFidelityAttestation against the SAME
+ *      measurerPublicKey. The per-attestation result is reported in
+ *      innerFidelitySignaturesValid.
+ *
+ * Limitation by design: this function does NOT verify pdr_ref.signature or
+ * constraint_ref.signature. Those are external axes whose issuers may use
+ * different key schemes, signature formats, or canonicalization rules. If
+ * those fields carry signatures, callers must verify them out-of-band with
+ * the appropriate issuer's verification logic. The fingerprint envelope's
+ * own signature still covers the entire pdr_ref / constraint_ref content
+ * as JSON, so tampering with their fields will fail envelope verification.
+ *
+ * Limitation on multi-measurer fidelity attestations: if the inner
+ * attestations were signed by different keys than the envelope, their per-
+ * attestation entries in innerFidelitySignaturesValid will be false. The
+ * envelope itself is still validly signed; callers can re-verify failed
+ * inner attestations against the correct keys via verifyFidelityAttestation.
+ *
+ * The all-or-nothing valid flag is true iff envelope signature is valid
+ * AND every inner fidelity signature is valid under the same key.
+ */
+export declare function verifyBehavioralFingerprint(fp: BehavioralFingerprint, measurerPublicKey: string): FingerprintVerificationResult;
+/** Pure projection helper for a BehavioralFingerprint. Surfaces the top-
+ *  level scalar from each axis without combining them into a single number.
+ *
+ *  The paper's three-axis orthogonality claim (Nanook PDR v2.19 §2.2) is
+ *  untested. This SDK deliberately does NOT bake a combinator policy into
+ *  the projection: callers that want a composite score must compute it
+ *  themselves with their own weighting choices. The function returns the
+ *  raw axis scalars and lets the consumer decide.
+ *
+ *  - fidelityMean: arithmetic mean of fp.fidelity[*].fidelity.score.
+ *    A simple mean is the right default because each FidelityAttestation
+ *    represents one HBB probe under different conditions (e.g. pre vs
+ *    post substrate swap). Confidence-weighting is available inside the
+ *    individual SubstrateFidelity scoring path; the envelope projection
+ *    treats each attestation as one observation.
+ *
+ *  - pdrOverall: scoreOverall from the optional PDR reference, or undefined
+ *    if no PDR axis is present.
+ *
+ *  - constraintCompliance: complianceScore from the optional Saebo
+ *    reference, or undefined if no constraint axis is present.
+ */
+export declare function composeFingerprintAxes(fp: BehavioralFingerprint): {
+    fidelityMean: number;
+    pdrOverall?: number;
+    constraintCompliance?: number;
+};
+//# sourceMappingURL=behavioral-fingerprint.d.ts.map

package/dist/src/core/behavioral-fingerprint.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"behavioral-fingerprint.d.ts","sourceRoot":"","sources":["../../../src/core/behavioral-fingerprint.ts"],"names":[],"mappings":"AAkCA,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,qBAAqB,CAAA;AAI9D;;;;;;;;4EAQ4E;AAC5E,MAAM,WAAW,WAAW;IAC1B,MAAM,EAAE,cAAc,CAAA;IACtB;iEAC6D;IAC7D,YAAY,EAAE,MAAM,CAAA;IACpB,mFAAmF;IACnF,gBAAgB,EAAE,MAAM,CAAA;IACxB,kEAAkE;IAClE,eAAe,EAAE,MAAM,CAAA;IACvB,gEAAgE;IAChE,eAAe,EAAE,MAAM,CAAA;IACvB,oEAAoE;IACpE,gBAAgB,EAAE,MAAM,CAAA;IACxB,sDAAsD;IACtD,UAAU,EAAE,MAAM,CAAA;IAClB,2EAA2E;IAC3E,MAAM,EAAE,MAAM,CAAA;IACd,4CAA4C;IAC5C,QAAQ,EAAE,MAAM,CAAA;IAChB;oEACgE;IAChE,SAAS,CAAC,EAAE,MAAM,CAAA;CACnB;AAID;;;;;;;mEAOmE;AACnE,MAAM,WAAW,aAAa;IAC5B,MAAM,EAAE,qBAAqB,CAAA;IAC7B;mDAC+C;IAC/C,eAAe,EAAE,MAAM,CAAA;IACvB,+DAA+D;IAC/D,cAAc,EAAE,MAAM,CAAA;IACtB,oDAAoD;IACpD,gBAAgB,EAAE,MAAM,CAAA;IACxB,mDAAmD;IACnD,MAAM,EAAE,MAAM,CAAA;IACd,4CAA4C;IAC5C,QAAQ,EAAE,MAAM,CAAA;IAChB;uCACmC;IACnC,SAAS,CAAC,EAAE,MAAM,CAAA;CACnB;AAID;;oEAEoE;AACpE,MAAM,WAAW,qBAAqB;IACpC,OAAO,EAAE;QACP,kEAAkE;QAClE,GAAG,EAAE,MAAM,CAAA;QACX;4DACoD;QACpD,SAAS,EAAE,MAAM,CAAA;KAClB,CAAA;IACD;+EAC2E;IAC3E,QAAQ,EAAE,mBAAmB,EAAE,CAAA;IAC/B,gEAAgE;IAChE,OAAO,CAAC,EAAE,WAAW,CAAA;IACrB,6EAA6E;IAC7E,cAAc,CAAC,EAAE,aAAa,CAAA;IAC9B;;mEAE+D;IAC/D,UAAU,EAAE,MAAM,CAAA;IAClB;oEACgE;IAChE,iBAAiB,EAAE,MAAM,CAAA;IACzB,8CAA8C;IAC9C,QAAQ,EAAE,MAAM,CAAA;IAChB;4DACwD;IACxD,SAAS,EAAE,MAAM,CAAA;CAClB;AAID;qDACqD;AACrD,MAAM,WAAW,6BAA6B;IAC5C;oEACgE;IAChE,KAAK,EAAE,OAAO,CAAA;IACd,+EAA+E;IAC/E,sBAAsB,EAAE,OAAO,CAAA;IAC/B;;kDAE8C;IAC9C,4BAA4B,EAAE,OAAO,EAAE,CAAA;IACvC,kEAAkE;IAClE,MAAM,EAAE,MAAM,EAAE,CAAA;CACjB;AAID;;;;;;;;;;;;;GAaG;AACH,wBAAgB,2BAA2B,CACzC,OAAO,EAAE;IAAE,GAAG,EAAE,MAAM,CAAC;IAAC,SAAS,EAAE,MAAM,CAAA;CAAE,EAC3C,QAAQ,EAAE,mBAAmB,EAAE,EAC/B,IAAI,EAAE;IACJ,GAAG,CAAC,EAAE,WAAW,CAAA;IACjB,UAAU,CAAC,EAAE,aAAa,CAAA;IAC1B,UAAU,EAAE,MAAM,CAAA;IAClB,iBAAiB,EAAE,MAAM,CAAA;IACzB,UAAU,EAAE,MAAM,CAAA;IAClB,0DAA0D;IAC1D,QAAQ,CAAC,EAAE,MAAM,CAAA;CAClB,GACA,qBAAqB,CAoCvB;AAID;;;;;;;;;;;;;;;;;;;;;;;;;;GA0BG;AACH,wBAAgB,2BAA2B,CACzC,EAAE,EAAE,qBAAqB,EACzB,iBAAiB,EAAE,MAAM,GACxB,6BAA6B,CAuE/B;AAID;;;;;;;;;;;;;;;;;;;;;GAqBG;AACH,wBAAgB,sBAAsB,CAAC,EAAE,EAAE,qBAAqB,GAAG;IACjE,YAAY,EAAE,MAAM,CAAA;IACpB,UAAU,CAAC,EAAE,MAAM,CAAA;IACnB,oBAAoB,CAAC,EAAE,MAAM,CAAA;CAC9B,CAcA"}

package/dist/src/core/behavioral-fingerprint.js

@@ -0,0 +1,214 @@
+// ══════════════════════════════════════════════════════════════════
+// Behavioral Fingerprint — Three-Axis Joint Measurement Envelope
+// ══════════════════════════════════════════════════════════════════
+// Composes three independent behavioral measurement axes into one signed
+// artifact:
+//
+//   Axis 1 (within-session authority-pressure fidelity):
+//     AEOESS Hold/Bend/Break — src/core/fidelity-probe.ts
+//
+//   Axis 2 (cross-session output reliability):
+//     PDR score reference — produced by NexusGuard or any pdr.score.v1 issuer
+//
+//   Axis 3 (within-session constraint compliance under value pressure):
+//     Saebo et al. constraint score reference — produced by an external scorer
+//
+// The envelope does NOT combine the three axes into a single composite
+// score. The orthogonality claim from Nanook PDR v2.19 §2.2 is untested,
+// and baking a combinator policy into the SDK would prejudge that result.
+// composeFingerprintAxes() is a pure projection helper, nothing more.
+//
+// Signing: Ed25519. The envelope signature covers the canonical JSON of
+// {subject, fidelity, pdr_ref, constraint_ref, measurerId, signedAt} —
+// every field except the signature itself. Inner FidelityAttestation
+// objects retain their own signatures (signed by their own measurer); the
+// envelope signature covers them as JSON content but does not replace
+// their independent verifiability.
+//
+// Reference: Nanook PDR v2.19 §2.2 (three-axis framework), §8.10 (joint
+// experiment design), gap audit §3 row 10, gap audit §5 rank 2.
+// ══════════════════════════════════════════════════════════════════
+import { sign, verify } from '../crypto/keys.js';
+import { canonicalize } from './canonical.js';
+import { verifyFidelityAttestation } from './fidelity-probe.js';
+// ── Create ──
+/** Compose and sign a BehavioralFingerprint envelope.
+ *
+ * Requires at least one FidelityAttestation. The envelope carries pre-built
+ * fidelity attestations as-is — they retain their own measuredBy/signature
+ * fields and stay independently verifiable.
+ *
+ * The signing key is used for the envelope signature only. Inner fidelity
+ * attestations were signed earlier by their own measurers; this function
+ * does not re-sign them.
+ *
+ * @throws if fidelity is empty.
+ *
+ * Reference: Nanook PDR v2.19 §2.2, §8.10. Gap audit §5 rank 2.
+ */
+export function createBehavioralFingerprint(subject, fidelity, opts) {
+    if (!Array.isArray(fidelity) || fidelity.length === 0) {
+        throw new Error('createBehavioralFingerprint: at least one fidelity attestation is required');
+    }
+    if (!opts.measurerId || typeof opts.measurerId !== 'string') {
+        throw new Error('createBehavioralFingerprint: measurerId must be a non-empty string');
+    }
+    if (!opts.measurerPublicKey || typeof opts.measurerPublicKey !== 'string') {
+        throw new Error('createBehavioralFingerprint: measurerPublicKey must be a non-empty string');
+    }
+    if (!opts.signingKey || typeof opts.signingKey !== 'string') {
+        throw new Error('createBehavioralFingerprint: signingKey must be a non-empty string');
+    }
+    const signedAt = opts.signedAt ?? new Date().toISOString();
+    // Build the unsigned envelope. Canonicalize will sort keys alphabetically
+    // and strip null/undefined, so PDR/constraint absence produces the same
+    // bytes regardless of property declaration order.
+    const unsigned = {
+        subject,
+        fidelity,
+        ...(opts.pdr ? { pdr_ref: opts.pdr } : {}),
+        ...(opts.constraint ? { constraint_ref: opts.constraint } : {}),
+        measurerId: opts.measurerId,
+        measurerPublicKey: opts.measurerPublicKey,
+        signedAt,
+    };
+    const payload = canonicalize(unsigned);
+    const signature = sign(payload, opts.signingKey);
+    return {
+        ...unsigned,
+        signature,
+    };
+}
+// ── Verify ──
+/** Verify a BehavioralFingerprint envelope.
+ *
+ * Performs two checks:
+ *   1. Envelope signature: verify the envelope's own Ed25519 signature
+ *      against the provided measurerPublicKey.
+ *   2. Inner fidelity signatures: for each FidelityAttestation in
+ *      fp.fidelity, run verifyFidelityAttestation against the SAME
+ *      measurerPublicKey. The per-attestation result is reported in
+ *      innerFidelitySignaturesValid.
+ *
+ * Limitation by design: this function does NOT verify pdr_ref.signature or
+ * constraint_ref.signature. Those are external axes whose issuers may use
+ * different key schemes, signature formats, or canonicalization rules. If
+ * those fields carry signatures, callers must verify them out-of-band with
+ * the appropriate issuer's verification logic. The fingerprint envelope's
+ * own signature still covers the entire pdr_ref / constraint_ref content
+ * as JSON, so tampering with their fields will fail envelope verification.
+ *
+ * Limitation on multi-measurer fidelity attestations: if the inner
+ * attestations were signed by different keys than the envelope, their per-
+ * attestation entries in innerFidelitySignaturesValid will be false. The
+ * envelope itself is still validly signed; callers can re-verify failed
+ * inner attestations against the correct keys via verifyFidelityAttestation.
+ *
+ * The all-or-nothing valid flag is true iff envelope signature is valid
+ * AND every inner fidelity signature is valid under the same key.
+ */
+export function verifyBehavioralFingerprint(fp, measurerPublicKey) {
+    const errors = [];
+    // Validate input shape
+    if (!fp || typeof fp !== 'object') {
+        return {
+            valid: false,
+            envelopeSignatureValid: false,
+            innerFidelitySignaturesValid: [],
+            errors: ['fingerprint is not an object'],
+        };
+    }
+    if (!Array.isArray(fp.fidelity) || fp.fidelity.length === 0) {
+        return {
+            valid: false,
+            envelopeSignatureValid: false,
+            innerFidelitySignaturesValid: [],
+            errors: ['fingerprint must carry at least one fidelity attestation'],
+        };
+    }
+    // Step 1: envelope signature.
+    // Reconstruct the canonical payload exactly as createBehavioralFingerprint
+    // produced it: every field except `signature`. Note that the spread-with-
+    // conditional pattern in create produces no key for absent optional fields,
+    // and canonicalize() strips null/undefined, so the two paths agree.
+    const unsigned = {
+        subject: fp.subject,
+        fidelity: fp.fidelity,
+        ...(fp.pdr_ref !== undefined ? { pdr_ref: fp.pdr_ref } : {}),
+        ...(fp.constraint_ref !== undefined ? { constraint_ref: fp.constraint_ref } : {}),
+        measurerId: fp.measurerId,
+        measurerPublicKey: fp.measurerPublicKey,
+        signedAt: fp.signedAt,
+    };
+    const payload = canonicalize(unsigned);
+    let envelopeSignatureValid = false;
+    try {
+        envelopeSignatureValid = verify(payload, fp.signature, measurerPublicKey);
+    }
+    catch {
+        envelopeSignatureValid = false;
+    }
+    if (!envelopeSignatureValid) {
+        errors.push('envelope signature failed verification');
+    }
+    // Step 2: each inner fidelity attestation under the SAME public key.
+    const innerFidelitySignaturesValid = fp.fidelity.map((att, i) => {
+        let ok = false;
+        try {
+            ok = verifyFidelityAttestation(att, measurerPublicKey);
+        }
+        catch {
+            ok = false;
+        }
+        if (!ok) {
+            errors.push(`inner fidelity attestation ${i} (${att.attestationId ?? 'unknown'}) failed verification`);
+        }
+        return ok;
+    });
+    const allInnerValid = innerFidelitySignaturesValid.every(Boolean);
+    return {
+        valid: envelopeSignatureValid && allInnerValid,
+        envelopeSignatureValid,
+        innerFidelitySignaturesValid,
+        errors,
+    };
+}
+// ── Compose / Project ──
+/** Pure projection helper for a BehavioralFingerprint. Surfaces the top-
+ *  level scalar from each axis without combining them into a single number.
+ *
+ *  The paper's three-axis orthogonality claim (Nanook PDR v2.19 §2.2) is
+ *  untested. This SDK deliberately does NOT bake a combinator policy into
+ *  the projection: callers that want a composite score must compute it
+ *  themselves with their own weighting choices. The function returns the
+ *  raw axis scalars and lets the consumer decide.
+ *
+ *  - fidelityMean: arithmetic mean of fp.fidelity[*].fidelity.score.
+ *    A simple mean is the right default because each FidelityAttestation
+ *    represents one HBB probe under different conditions (e.g. pre vs
+ *    post substrate swap). Confidence-weighting is available inside the
+ *    individual SubstrateFidelity scoring path; the envelope projection
+ *    treats each attestation as one observation.
+ *
+ *  - pdrOverall: scoreOverall from the optional PDR reference, or undefined
+ *    if no PDR axis is present.
+ *
+ *  - constraintCompliance: complianceScore from the optional Saebo
+ *    reference, or undefined if no constraint axis is present.
+ */
+export function composeFingerprintAxes(fp) {
+    if (!fp.fidelity || fp.fidelity.length === 0) {
+        throw new Error('composeFingerprintAxes: fingerprint has no fidelity attestations');
+    }
+    const sum = fp.fidelity.reduce((acc, att) => acc + att.fidelity.score, 0);
+    const fidelityMean = sum / fp.fidelity.length;
+    const result = {
+        fidelityMean,
+    };
+    if (fp.pdr_ref)
+        result.pdrOverall = fp.pdr_ref.scoreOverall;
+    if (fp.constraint_ref)
+        result.constraintCompliance = fp.constraint_ref.complianceScore;
+    return result;
+}
+//# sourceMappingURL=behavioral-fingerprint.js.map

package/dist/src/core/behavioral-fingerprint.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"behavioral-fingerprint.js","sourceRoot":"","sources":["../../../src/core/behavioral-fingerprint.ts"],"names":[],"mappings":"AAAA,qEAAqE;AACrE,iEAAiE;AACjE,qEAAqE;AACrE,yEAAyE;AACzE,YAAY;AACZ,EAAE;AACF,yDAAyD;AACzD,0DAA0D;AAC1D,EAAE;AACF,+CAA+C;AAC/C,8EAA8E;AAC9E,EAAE;AACF,wEAAwE;AACxE,+EAA+E;AAC/E,EAAE;AACF,uEAAuE;AACvE,yEAAyE;AACzE,0EAA0E;AAC1E,sEAAsE;AACtE,EAAE;AACF,wEAAwE;AACxE,uEAAuE;AACvE,qEAAqE;AACrE,0EAA0E;AAC1E,sEAAsE;AACtE,mCAAmC;AACnC,EAAE;AACF,wEAAwE;AACxE,gEAAgE;AAChE,qEAAqE;AAErE,OAAO,EAAE,IAAI,EAAE,MAAM,EAAE,MAAM,mBAAmB,CAAA;AAChD,OAAO,EAAE,YAAY,EAAE,MAAM,gBAAgB,CAAA;AAC7C,OAAO,EAAE,yBAAyB,EAAE,MAAM,qBAAqB,CAAA;AAsH/D,eAAe;AAEf;;;;;;;;;;;;;GAaG;AACH,MAAM,UAAU,2BAA2B,CACzC,OAA2C,EAC3C,QAA+B,EAC/B,IAQC;IAED,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,QAAQ,CAAC,IAAI,QAAQ,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACtD,MAAM,IAAI,KAAK,CAAC,4EAA4E,CAAC,CAAA;IAC/F,CAAC;IACD,IAAI,CAAC,IAAI,CAAC,UAAU,IAAI,OAAO,IAAI,CAAC,UAAU,KAAK,QAAQ,EAAE,CAAC;QAC5D,MAAM,IAAI,KAAK,CAAC,oEAAoE,CAAC,CAAA;IACvF,CAAC;IACD,IAAI,CAAC,IAAI,CAAC,iBAAiB,IAAI,OAAO,IAAI,CAAC,iBAAiB,KAAK,QAAQ,EAAE,CAAC;QAC1E,MAAM,IAAI,KAAK,CAAC,2EAA2E,CAAC,CAAA;IAC9F,CAAC;IACD,IAAI,CAAC,IAAI,CAAC,UAAU,IAAI,OAAO,IAAI,CAAC,UAAU,KAAK,QAAQ,EAAE,CAAC;QAC5D,MAAM,IAAI,KAAK,CAAC,oEAAoE,CAAC,CAAA;IACvF,CAAC;IAED,MAAM,QAAQ,GAAG,IAAI,CAAC,QAAQ,IAAI,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,CAAA;IAE1D,0EAA0E;IAC1E,wEAAwE;IACxE,kDAAkD;IAClD,MAAM,QAAQ,GAAG;QACf,OAAO;QACP,QAAQ;QACR,GAAG,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,OAAO,EAAE,IAAI,CAAC,GAAG,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;QAC1C,GAAG,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC,CAAC,EAAE,cAAc,EAAE,IAAI,CAAC,UAAU,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;QAC/D,UAAU,EAAE,IAAI,CAAC,UAAU;QAC3B,iBAAiB,EAAE,IAAI,CAAC,iBAAiB;QACzC,QAAQ;KACT,CAAA;IAED,MAAM,OAAO,GAAG,YAAY,CAAC,QAAQ,CAAC,CAAA;IACtC,MAAM,SAAS,GAAG,IAAI,CAAC,OAAO,EAAE,IAAI,CAAC,UAAU,CAAC,CAAA;IAEhD,OAAO;QACL,GAAG,QAAQ;QACX,SAAS;KACe,CAAA;AAC5B,CAAC;AAED,eAAe;AAEf;;;;;;;;;;;;;;;;;;;;;;;;;;GA0BG;AACH,MAAM,UAAU,2BAA2B,CACzC,EAAyB,EACzB,iBAAyB;IAEzB,MAAM,MAAM,GAAa,EAAE,CAAA;IAE3B,uBAAuB;IACvB,IAAI,CAAC,EAAE,IAAI,OAAO,EAAE,KAAK,QAAQ,EAAE,CAAC;QAClC,OAAO;YACL,KAAK,EAAE,KAAK;YACZ,sBAAsB,EAAE,KAAK;YAC7B,4BAA4B,EAAE,EAAE;YAChC,MAAM,EAAE,CAAC,8BAA8B,CAAC;SACzC,CAAA;IACH,CAAC;IACD,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,EAAE,CAAC,QAAQ,CAAC,IAAI,EAAE,CAAC,QAAQ,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC5D,OAAO;YACL,KAAK,EAAE,KAAK;YACZ,sBAAsB,EAAE,KAAK;YAC7B,4BAA4B,EAAE,EAAE;YAChC,MAAM,EAAE,CAAC,0DAA0D,CAAC;SACrE,CAAA;IACH,CAAC;IAED,8BAA8B;IAC9B,2EAA2E;IAC3E,0EAA0E;IAC1E,4EAA4E;IAC5E,oEAAoE;IACpE,MAAM,QAAQ,GAAG;QACf,OAAO,EAAE,EAAE,CAAC,OAAO;QACnB,QAAQ,EAAE,EAAE,CAAC,QAAQ;QACrB,GAAG,CAAC,EAAE,CAAC,OAAO,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,OAAO,EAAE,EAAE,CAAC,OAAO,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;QAC5D,GAAG,CAAC,EAAE,CAAC,cAAc,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,cAAc,EAAE,EAAE,CAAC,cAAc,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;QACjF,UAAU,EAAE,EAAE,CAAC,UAAU;QACzB,iBAAiB,EAAE,EAAE,CAAC,iBAAiB;QACvC,QAAQ,EAAE,EAAE,CAAC,QAAQ;KACtB,CAAA;IACD,MAAM,OAAO,GAAG,YAAY,CAAC,QAAQ,CAAC,CAAA;IAEtC,IAAI,sBAAsB,GAAG,KAAK,CAAA;IAClC,IAAI,CAAC;QACH,sBAAsB,GAAG,MAAM,CAAC,OAAO,EAAE,EAAE,CAAC,SAAS,EAAE,iBAAiB,CAAC,CAAA;IAC3E,CAAC;IAAC,MAAM,CAAC;QACP,sBAAsB,GAAG,KAAK,CAAA;IAChC,CAAC;IACD,IAAI,CAAC,sBAAsB,EAAE,CAAC;QAC5B,MAAM,CAAC,IAAI,CAAC,wCAAwC,CAAC,CAAA;IACvD,CAAC;IAED,qEAAqE;IACrE,MAAM,4BAA4B,GAAc,EAAE,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,CAAC,EAAE,EAAE;QACzE,IAAI,EAAE,GAAG,KAAK,CAAA;QACd,IAAI,CAAC;YACH,EAAE,GAAG,yBAAyB,CAAC,GAAG,EAAE,iBAAiB,CAAC,CAAA;QACxD,CAAC;QAAC,MAAM,CAAC;YACP,EAAE,GAAG,KAAK,CAAA;QACZ,CAAC;QACD,IAAI,CAAC,EAAE,EAAE,CAAC;YACR,MAAM,CAAC,IAAI,CACT,8BAA8B,CAAC,KAAK,GAAG,CAAC,aAAa,IAAI,SAAS,uBAAuB,CAC1F,CAAA;QACH,CAAC;QACD,OAAO,EAAE,CAAA;IACX,CAAC,CAAC,CAAA;IAEF,MAAM,aAAa,GAAG,4BAA4B,CAAC,KAAK,CAAC,OAAO,CAAC,CAAA;IAEjE,OAAO;QACL,KAAK,EAAE,sBAAsB,IAAI,aAAa;QAC9C,sBAAsB;QACtB,4BAA4B;QAC5B,MAAM;KACP,CAAA;AACH,CAAC;AAED,0BAA0B;AAE1B;;;;;;;;;;;;;;;;;;;;;GAqBG;AACH,MAAM,UAAU,sBAAsB,CAAC,EAAyB;IAK9D,IAAI,CAAC,EAAE,CAAC,QAAQ,IAAI,EAAE,CAAC,QAAQ,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC7C,MAAM,IAAI,KAAK,CAAC,kEAAkE,CAAC,CAAA;IACrF,CAAC;IAED,MAAM,GAAG,GAAG,EAAE,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,GAAG,EAAE,GAAG,EAAE,EAAE,CAAC,GAAG,GAAG,GAAG,CAAC,QAAQ,CAAC,KAAK,EAAE,CAAC,CAAC,CAAA;IACzE,MAAM,YAAY,GAAG,GAAG,GAAG,EAAE,CAAC,QAAQ,CAAC,MAAM,CAAA;IAE7C,MAAM,MAAM,GAAiF;QAC3F,YAAY;KACb,CAAA;IACD,IAAI,EAAE,CAAC,OAAO;QAAE,MAAM,CAAC,UAAU,GAAG,EAAE,CAAC,OAAO,CAAC,YAAY,CAAA;IAC3D,IAAI,EAAE,CAAC,cAAc;QAAE,MAAM,CAAC,oBAAoB,GAAG,EAAE,CAAC,cAAc,CAAC,eAAe,CAAA;IACtF,OAAO,MAAM,CAAA;AACf,CAAC"}

package/dist/src/core/denial-domains.js

@@ -1,11 +1,11 @@
 // ══════════════════════════════════════════════════════════════════
 // Denial Domains — Operator-Facing Constraint Grouping
 // ══════════════════════════════════════════════════════════════════
-// The ConstraintVector has 15 facets. That's correct for the machine.
+// The ConstraintVector has 14 facets. That's correct for the machine.
 // For humans it's unusable. This module groups facets into 5 domains
 // and provides a primary + contributing denial format.
 //
-// Consilium Priority 4 — unanimous that 15 facets need grouping.
+// Consilium Priority 4 — unanimous that 14 facets need grouping.
 // Claude: "primary denial reason + count"
 // GPT: "4 master tiers"
 // Gemini: "5 operator-facing domains"

package/dist/src/core/probe-identity.d.ts

@@ -0,0 +1,77 @@
+/** A content-addressable identifier for an evaluation probe. The hash
+ *  is the canonical JSON of the probe digested with the named algorithm.
+ *  Two probes with the same content (regardless of property declaration
+ *  order in the source) produce the same hash. */
+export interface ProbeIdentity {
+    /** Hex-encoded digest. Length depends on algorithm: 64 for sha256, 32 for md5. */
+    hash: string;
+    /** Hash algorithm used. SHA-256 by default; MD5 for Nanook interop. */
+    algorithm: 'sha256' | 'md5';
+    /** ISO 8601 timestamp of when the hash was computed. The only clock read in this module. */
+    computedAt: string;
+}
+/** Result of verifying a probe against an expected hash. The function
+ *  does NOT throw on mismatch; the caller decides what to do. */
+export interface ProbeIdentityVerification {
+    /** True iff computedHash === expectedHash. */
+    match: boolean;
+    /** The hash the caller said the probe should have. */
+    expectedHash: string;
+    /** The hash actually computed from the probe. */
+    computedHash: string;
+    /** Algorithm used for the recomputation. */
+    algorithm: 'sha256' | 'md5';
+}
+/**
+ * Compute a content-addressable identity for an evaluation probe.
+ *
+ * The probe is canonicalized via canonicalize() from canonical.ts (RFC
+ * 8785 JCS) before hashing. This means two probes with the same content
+ * but different property declaration order produce identical hashes,
+ * which is the entire point of the utility — it lets a downstream
+ * scoring system prove that the probe it scored is byte-identical to the
+ * probe the issuer published, even after a JSON round-trip that may have
+ * reordered keys.
+ *
+ * Pure in algorithmic terms: same input + same algorithm always
+ * produces the same hash. The only side effect is the ISO timestamp
+ * captured in computedAt, which is set from new Date(). Callers that
+ * need fully deterministic output (e.g. test fixtures) should compare
+ * the hash field directly and ignore computedAt.
+ *
+ * @param probe  Any JSON-serializable value. Typically a FidelityChallenge
+ *               or similar evaluation probe object.
+ * @param opts.algorithm  'sha256' (default) or 'md5' for Nanook interop.
+ *
+ * Reference: Nanook PDR v2.19 §5.9, gap audit §3 row 16 / §5 rank 7.
+ */
+export declare function computeProbeIdentity(probe: unknown, opts?: {
+    algorithm?: 'sha256' | 'md5';
+}): ProbeIdentity;
+/**
+ * Verify that a probe matches an expected hash.
+ *
+ * Recomputes the hash from the probe via canonicalize() + the chosen
+ * algorithm and compares to the expected hash. Returns a verification
+ * result with both hashes exposed for diagnostic visibility.
+ *
+ * Does NOT throw on mismatch. Callers decide what to do with a false
+ * match: log it, deny the action, fall back to a different probe, etc.
+ * The function is purely informational.
+ *
+ * Algorithm mismatch case: if the caller passes an expectedHash that was
+ * produced under a different algorithm than the one passed via opts
+ * (e.g. expectedHash is a SHA-256 digest but opts.algorithm is 'md5'),
+ * the function recomputes under the requested algorithm and reports
+ * match: false. The function does not try to detect the mismatch
+ * automatically — the algorithm is a caller-provided assertion about how
+ * the expectedHash was originally computed.
+ *
+ * @param probe         Any JSON-serializable value.
+ * @param expectedHash  Hex-encoded digest the caller asserts the probe should produce.
+ * @param opts.algorithm  Algorithm to use for the recomputation. Default 'sha256'.
+ */
+export declare function verifyProbeIdentity(probe: unknown, expectedHash: string, opts?: {
+    algorithm?: 'sha256' | 'md5';
+}): ProbeIdentityVerification;
+//# sourceMappingURL=probe-identity.d.ts.map

package/dist/src/core/probe-identity.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"probe-identity.d.ts","sourceRoot":"","sources":["../../../src/core/probe-identity.ts"],"names":[],"mappings":"AAoCA;;;kDAGkD;AAClD,MAAM,WAAW,aAAa;IAC5B,kFAAkF;IAClF,IAAI,EAAE,MAAM,CAAA;IACZ,uEAAuE;IACvE,SAAS,EAAE,QAAQ,GAAG,KAAK,CAAA;IAC3B,4FAA4F;IAC5F,UAAU,EAAE,MAAM,CAAA;CACnB;AAED;iEACiE;AACjE,MAAM,WAAW,yBAAyB;IACxC,8CAA8C;IAC9C,KAAK,EAAE,OAAO,CAAA;IACd,sDAAsD;IACtD,YAAY,EAAE,MAAM,CAAA;IACpB,iDAAiD;IACjD,YAAY,EAAE,MAAM,CAAA;IACpB,4CAA4C;IAC5C,SAAS,EAAE,QAAQ,GAAG,KAAK,CAAA;CAC5B;AAED;;;;;;;;;;;;;;;;;;;;;;GAsBG;AACH,wBAAgB,oBAAoB,CAClC,KAAK,EAAE,OAAO,EACd,IAAI,CAAC,EAAE;IAAE,SAAS,CAAC,EAAE,QAAQ,GAAG,KAAK,CAAA;CAAE,GACtC,aAAa,CASf;AAED;;;;;;;;;;;;;;;;;;;;;;GAsBG;AACH,wBAAgB,mBAAmB,CACjC,KAAK,EAAE,OAAO,EACd,YAAY,EAAE,MAAM,EACpB,IAAI,CAAC,EAAE;IAAE,SAAS,CAAC,EAAE,QAAQ,GAAG,KAAK,CAAA;CAAE,GACtC,yBAAyB,CAU3B"}

package/dist/src/core/probe-identity.js

@@ -0,0 +1,102 @@
+// Copyright 2024-2026 Tymofii Pidlisnyi. Apache-2.0 license. See LICENSE.
+// ══════════════════════════════════════════════════════════════════
+// Probe Identity — Content-Addressable Hashing for Evaluation Probes
+// ══════════════════════════════════════════════════════════════════
+// Reference: Nanook PDR v2.19 §5.9 (MD5 hash prompt identity verification),
+// gap audit §3 row 16 / §5 rank 7.
+//
+// Nanook §5.9 uses an MD5 hash of the evaluation probe prompt to
+// eliminate input variation as a confound: every scoring run can prove
+// it used byte-identical input. APS has canonical JSON serialization in
+// canonical.ts but no probe-prompt identity verification protocol. This
+// utility ships that protocol.
+//
+// Algorithm choice:
+//   APS defaults to SHA-256 because the rest of the SDK uses it
+//   (canonical.ts, signatures, content hashing). MD5 is available as an
+//   opt-in for interop with Nanook's existing probe bank. Callers pick
+//   via opts.algorithm. Both produce hex strings.
+//
+// Canonicalization:
+//   The point of this utility is that two JSON objects with the same
+//   content but different key declaration order produce the same hash.
+//   canonicalize() from canonical.ts (RFC 8785 JCS) guarantees this by
+//   sorting keys alphabetically and stripping null/undefined. Do NOT use
+//   JSON.stringify() directly — declaration order would leak through.
+//
+// Array semantics:
+//   canonicalize() preserves array order because array order is semantic
+//   in JSON. [1, 2, 3] and [3, 2, 1] produce different hashes. This is
+//   correct: a probe that asks the agent to compute things in a specific
+//   sequence should be a different probe if the sequence changes.
+// ══════════════════════════════════════════════════════════════════
+import { createHash } from 'node:crypto';
+import { canonicalize } from './canonical.js';
+/**
+ * Compute a content-addressable identity for an evaluation probe.
+ *
+ * The probe is canonicalized via canonicalize() from canonical.ts (RFC
+ * 8785 JCS) before hashing. This means two probes with the same content
+ * but different property declaration order produce identical hashes,
+ * which is the entire point of the utility — it lets a downstream
+ * scoring system prove that the probe it scored is byte-identical to the
+ * probe the issuer published, even after a JSON round-trip that may have
+ * reordered keys.
+ *
+ * Pure in algorithmic terms: same input + same algorithm always
+ * produces the same hash. The only side effect is the ISO timestamp
+ * captured in computedAt, which is set from new Date(). Callers that
+ * need fully deterministic output (e.g. test fixtures) should compare
+ * the hash field directly and ignore computedAt.
+ *
+ * @param probe  Any JSON-serializable value. Typically a FidelityChallenge
+ *               or similar evaluation probe object.
+ * @param opts.algorithm  'sha256' (default) or 'md5' for Nanook interop.
+ *
+ * Reference: Nanook PDR v2.19 §5.9, gap audit §3 row 16 / §5 rank 7.
+ */
+export function computeProbeIdentity(probe, opts) {
+    const algorithm = opts?.algorithm ?? 'sha256';
+    const canonical = canonicalize(probe);
+    const hash = createHash(algorithm).update(canonical).digest('hex');
+    return {
+        hash,
+        algorithm,
+        computedAt: new Date().toISOString(),
+    };
+}
+/**
+ * Verify that a probe matches an expected hash.
+ *
+ * Recomputes the hash from the probe via canonicalize() + the chosen
+ * algorithm and compares to the expected hash. Returns a verification
+ * result with both hashes exposed for diagnostic visibility.
+ *
+ * Does NOT throw on mismatch. Callers decide what to do with a false
+ * match: log it, deny the action, fall back to a different probe, etc.
+ * The function is purely informational.
+ *
+ * Algorithm mismatch case: if the caller passes an expectedHash that was
+ * produced under a different algorithm than the one passed via opts
+ * (e.g. expectedHash is a SHA-256 digest but opts.algorithm is 'md5'),
+ * the function recomputes under the requested algorithm and reports
+ * match: false. The function does not try to detect the mismatch
+ * automatically — the algorithm is a caller-provided assertion about how
+ * the expectedHash was originally computed.
+ *
+ * @param probe         Any JSON-serializable value.
+ * @param expectedHash  Hex-encoded digest the caller asserts the probe should produce.
+ * @param opts.algorithm  Algorithm to use for the recomputation. Default 'sha256'.
+ */
+export function verifyProbeIdentity(probe, expectedHash, opts) {
+    const algorithm = opts?.algorithm ?? 'sha256';
+    const canonical = canonicalize(probe);
+    const computedHash = createHash(algorithm).update(canonical).digest('hex');
+    return {
+        match: computedHash === expectedHash,
+        expectedHash,
+        computedHash,
+        algorithm,
+    };
+}
+//# sourceMappingURL=probe-identity.js.map

package/dist/src/core/probe-identity.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"probe-identity.js","sourceRoot":"","sources":["../../../src/core/probe-identity.ts"],"names":[],"mappings":"AAAA,0EAA0E;AAC1E,qEAAqE;AACrE,qEAAqE;AACrE,qEAAqE;AACrE,4EAA4E;AAC5E,mCAAmC;AACnC,EAAE;AACF,iEAAiE;AACjE,uEAAuE;AACvE,wEAAwE;AACxE,wEAAwE;AACxE,+BAA+B;AAC/B,EAAE;AACF,oBAAoB;AACpB,gEAAgE;AAChE,wEAAwE;AACxE,uEAAuE;AACvE,kDAAkD;AAClD,EAAE;AACF,oBAAoB;AACpB,qEAAqE;AACrE,uEAAuE;AACvE,uEAAuE;AACvE,yEAAyE;AACzE,sEAAsE;AACtE,EAAE;AACF,mBAAmB;AACnB,yEAAyE;AACzE,uEAAuE;AACvE,yEAAyE;AACzE,kEAAkE;AAClE,qEAAqE;AAErE,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAA;AACxC,OAAO,EAAE,YAAY,EAAE,MAAM,gBAAgB,CAAA;AA4B7C;;;;;;;;;;;;;;;;;;;;;;GAsBG;AACH,MAAM,UAAU,oBAAoB,CAClC,KAAc,EACd,IAAuC;IAEvC,MAAM,SAAS,GAAG,IAAI,EAAE,SAAS,IAAI,QAAQ,CAAA;IAC7C,MAAM,SAAS,GAAG,YAAY,CAAC,KAAK,CAAC,CAAA;IACrC,MAAM,IAAI,GAAG,UAAU,CAAC,SAAS,CAAC,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAA;IAClE,OAAO;QACL,IAAI;QACJ,SAAS;QACT,UAAU,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;KACrC,CAAA;AACH,CAAC;AAED;;;;;;;;;;;;;;;;;;;;;;GAsBG;AACH,MAAM,UAAU,mBAAmB,CACjC,KAAc,EACd,YAAoB,EACpB,IAAuC;IAEvC,MAAM,SAAS,GAAG,IAAI,EAAE,SAAS,IAAI,QAAQ,CAAA;IAC7C,MAAM,SAAS,GAAG,YAAY,CAAC,KAAK,CAAC,CAAA;IACrC,MAAM,YAAY,GAAG,UAAU,CAAC,SAAS,CAAC,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAA;IAC1E,OAAO;QACL,KAAK,EAAE,YAAY,KAAK,YAAY;QACpC,YAAY;QACZ,YAAY;QACZ,SAAS;KACV,CAAA;AACH,CAAC"}