agent-passport-system 2.6.0-alpha.3 → 2.6.0-alpha.4

package/README.md

@@ -119,9 +119,9 @@ Coordination (task lifecycle with 9-state machine), EU AI Act compliance (signed
 
 Forward-looking governance. Published, tested, available.
 
-41 v2 constitutional modules: approval fatigue detection, epistemic isolation, blind evaluation, separation of powers, affected-party standing, circuit breakers, constitutional amendment, authority laundering audit, emergence detection.
+26 v2 constitutional modules: approval fatigue detection, epistemic isolation, blind evaluation, separation of powers, affected-party standing, circuit breakers, constitutional amendment, authority laundering audit, emergence detection.
 
-Wave 1 accountability primitives: Ed25519 ActionReceipt, AuthorityBoundaryReceipt, CustodyReceipt, ContestabilityReceipt, APSBundle. RFC 8785 JCS canonicalized, content-addressed, byte-match across implementations.
+Wave 1 accountability primitives: Ed25519 ActionReceipt, AuthorityBoundaryReceipt, CustodyReceipt, ContestabilityReceipt, APSBundle. RFC 8785 JCS canonicalization for cross-implementation receipts and conformance fixtures, content-addressed, byte-match across implementations.
 
 Institutional governance: charters, offices, federation, reserves, multi-party approvals.
 
@@ -157,6 +157,12 @@ The composition contract specifies how a verifier MUST cross-check per-request s
 - [The Evidence-Safety Gap](https://doi.org/10.5281/zenodo.19914628)
 - IETF Internet-Draft: `draft-pidlisnyi-aps-00`
 
+## Contributing
+
+- [Contribution path](/CONTRIBUTION_PATH.md)
+- [Open problems](/OPEN_PROBLEMS.md)
+- [Governance surfaces](/GOVERNANCE_SURFACES.md)
+
 ## Links
 
 - [aeoess.com](https://aeoess.com) -- Protocol home

package/dist/src/core/action-ref.d.ts

@@ -5,6 +5,11 @@ import type { ActionIntent } from '../types/policy.js';
  * Inputs hashed: agentId, action.type, action.scopeRequired, normalized timestamp.
  * Timestamp defaults to intent.createdAt; falls back to current time.
  *
+ * Canonicalization follows RFC 8785 JCS strictly, per draft-pidlisnyi-aps-00
+ * §4.1: null/undefined-valued keys are preserved (not stripped) so that
+ * cross-engine correlation byte-matches against any other strict-JCS
+ * implementation (x402 ecosystem, AgentGraph CTEF, Nobulex, etc.).
+ *
  * Returns: lowercase hex SHA-256 digest.
  */
 export declare function computeActionRef(intent: Pick<ActionIntent, 'agentId' | 'action' | 'createdAt'>): string;

package/dist/src/core/action-ref.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"action-ref.d.ts","sourceRoot":"","sources":["../../../src/core/action-ref.ts"],"names":[],"mappings":"AAmBA,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,oBAAoB,CAAA;AAEtD;;;;;;;GAOG;AACH,wBAAgB,gBAAgB,CAAC,MAAM,EAAE,IAAI,CAAC,YAAY,EAAE,SAAS,GAAG,QAAQ,GAAG,WAAW,CAAC,GAAG,MAAM,CAQvG;AAED;;;;GAIG;AACH,wBAAgB,eAAe,CAAC,CAAC,EAAE,MAAM,EAAE,CAAC,EAAE,MAAM,GAAG,OAAO,CAE7D"}
+{"version":3,"file":"action-ref.d.ts","sourceRoot":"","sources":["../../../src/core/action-ref.ts"],"names":[],"mappings":"AAoBA,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,oBAAoB,CAAA;AAEtD;;;;;;;;;;;;GAYG;AACH,wBAAgB,gBAAgB,CAAC,MAAM,EAAE,IAAI,CAAC,YAAY,EAAE,SAAS,GAAG,QAAQ,GAAG,WAAW,CAAC,GAAG,MAAM,CAQvG;AAED;;;;GAIG;AACH,wBAAgB,eAAe,CAAC,CAAC,EAAE,MAAM,EAAE,CAAC,EAAE,MAAM,GAAG,OAAO,CAE7D"}

package/dist/src/core/action-ref.js

@@ -15,18 +15,24 @@
 // systems independently hashing the same request within the same second
 // produce the same action_ref.
 // ══════════════════════════════════════════════════════════════════
-import { canonicalHash, normalizeTimestamp } from './canonical.js';
+import { normalizeTimestamp } from './canonical.js';
+import { canonicalHashJCS } from './canonical-jcs.js';
 /**
  * Compute the content-addressed request identity for an ActionIntent.
  *
  * Inputs hashed: agentId, action.type, action.scopeRequired, normalized timestamp.
  * Timestamp defaults to intent.createdAt; falls back to current time.
  *
+ * Canonicalization follows RFC 8785 JCS strictly, per draft-pidlisnyi-aps-00
+ * §4.1: null/undefined-valued keys are preserved (not stripped) so that
+ * cross-engine correlation byte-matches against any other strict-JCS
+ * implementation (x402 ecosystem, AgentGraph CTEF, Nobulex, etc.).
+ *
  * Returns: lowercase hex SHA-256 digest.
  */
 export function computeActionRef(intent) {
     const ts = intent.createdAt ?? new Date().toISOString();
-    return canonicalHash({
+    return canonicalHashJCS({
         agentId: intent.agentId,
         actionType: intent.action.type,
         scopeRequired: intent.action.scopeRequired,

package/dist/src/core/action-ref.js.map

@@ -1 +1 @@
-{"version":3,"file":"action-ref.js","sourceRoot":"","sources":["../../../src/core/action-ref.ts"],"names":[],"mappings":"AAAA,0EAA0E;AAC1E,qEAAqE;AACrE,kDAAkD;AAClD,qEAAqE;AACrE,4CAA4C;AAC5C,qGAAqG;AACrG,8EAA8E;AAC9E,EAAE;AACF,mEAAmE;AACnE,yEAAyE;AACzE,2EAA2E;AAC3E,oCAAoC;AACpC,EAAE;AACF,yEAAyE;AACzE,wEAAwE;AACxE,+BAA+B;AAC/B,qEAAqE;AAErE,OAAO,EAAE,aAAa,EAAE,kBAAkB,EAAE,MAAM,gBAAgB,CAAA;AAGlE;;;;;;;GAOG;AACH,MAAM,UAAU,gBAAgB,CAAC,MAA8D;IAC7F,MAAM,EAAE,GAAG,MAAM,CAAC,SAAS,IAAI,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,CAAA;IACvD,OAAO,aAAa,CAAC;QACnB,OAAO,EAAE,MAAM,CAAC,OAAO;QACvB,UAAU,EAAE,MAAM,CAAC,MAAM,CAAC,IAAI;QAC9B,aAAa,EAAE,MAAM,CAAC,MAAM,CAAC,aAAa;QAC1C,SAAS,EAAE,kBAAkB,CAAC,EAAE,CAAC;KAClC,CAAC,CAAA;AACJ,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,eAAe,CAAC,CAAS,EAAE,CAAS;IAClD,OAAO,OAAO,CAAC,KAAK,QAAQ,IAAI,OAAO,CAAC,KAAK,QAAQ,IAAI,CAAC,CAAC,MAAM,GAAG,CAAC,IAAI,CAAC,KAAK,CAAC,CAAA;AAClF,CAAC"}
+{"version":3,"file":"action-ref.js","sourceRoot":"","sources":["../../../src/core/action-ref.ts"],"names":[],"mappings":"AAAA,0EAA0E;AAC1E,qEAAqE;AACrE,kDAAkD;AAClD,qEAAqE;AACrE,4CAA4C;AAC5C,qGAAqG;AACrG,8EAA8E;AAC9E,EAAE;AACF,mEAAmE;AACnE,yEAAyE;AACzE,2EAA2E;AAC3E,oCAAoC;AACpC,EAAE;AACF,yEAAyE;AACzE,wEAAwE;AACxE,+BAA+B;AAC/B,qEAAqE;AAErE,OAAO,EAAE,kBAAkB,EAAE,MAAM,gBAAgB,CAAA;AACnD,OAAO,EAAE,gBAAgB,EAAE,MAAM,oBAAoB,CAAA;AAGrD;;;;;;;;;;;;GAYG;AACH,MAAM,UAAU,gBAAgB,CAAC,MAA8D;IAC7F,MAAM,EAAE,GAAG,MAAM,CAAC,SAAS,IAAI,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,CAAA;IACvD,OAAO,gBAAgB,CAAC;QACtB,OAAO,EAAE,MAAM,CAAC,OAAO;QACvB,UAAU,EAAE,MAAM,CAAC,MAAM,CAAC,IAAI;QAC9B,aAAa,EAAE,MAAM,CAAC,MAAM,CAAC,aAAa;QAC1C,SAAS,EAAE,kBAAkB,CAAC,EAAE,CAAC;KAClC,CAAC,CAAA;AACJ,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,eAAe,CAAC,CAAS,EAAE,CAAS;IAClD,OAAO,OAAO,CAAC,KAAK,QAAQ,IAAI,OAAO,CAAC,KAAK,QAAQ,IAAI,CAAC,CAAC,MAAM,GAAG,CAAC,IAAI,CAAC,KAAK,CAAC,CAAA;AAClF,CAAC"}

package/dist/src/core/canonical-jcs.d.ts

@@ -18,6 +18,11 @@ export interface CanonicalizationTestVector {
     sha256_jcs: string;
     sha256_legacy: string;
 }
+/** SHA-256 (lowercase hex) of canonicalizeJCS(obj). Strict-RFC-8785
+ *  counterpart of canonicalHash() from ./canonical.ts. Use this for any
+ *  cross-implementation hash whose conformance pin requires strict JCS
+ *  (e.g. action_ref per draft-pidlisnyi-aps-00 §4.1). */
+export declare function canonicalHashJCS(obj: Record<string, unknown>): string;
 /** Built-in test vectors for cross-language verification */
 export declare function getTestVectors(): CanonicalizationTestVector[];
 //# sourceMappingURL=canonical-jcs.d.ts.map

package/dist/src/core/canonical-jcs.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"canonical-jcs.d.ts","sourceRoot":"","sources":["../../../src/core/canonical-jcs.ts"],"names":[],"mappings":"AAcA;;;;;qEAKqE;AACrE,wBAAgB,eAAe,CAAC,KAAK,EAAE,OAAO,GAAG,MAAM,CAiCtD;AAED;kFACkF;AAClF,wBAAgB,sBAAsB,CACpC,GAAG,EAAE,OAAO,EACZ,eAAe,EAAE,MAAM,GACtB,KAAK,GAAG,QAAQ,GAAG,WAAW,CAMhC;AAYD,mEAAmE;AACnE,MAAM,WAAW,0BAA0B;IACzC,EAAE,EAAE,MAAM,CAAA;IACV,WAAW,EAAE,MAAM,CAAA;IACnB,KAAK,EAAE,OAAO,CAAA;IACd,YAAY,EAAE,MAAM,CAAA;IACpB,eAAe,EAAE,MAAM,CAAA;IACvB,UAAU,EAAE,MAAM,CAAA;IAClB,aAAa,EAAE,MAAM,CAAA;CACtB;AAOD,4DAA4D;AAC5D,wBAAgB,cAAc,IAAI,0BAA0B,EAAE,CAoF7D"}
+{"version":3,"file":"canonical-jcs.d.ts","sourceRoot":"","sources":["../../../src/core/canonical-jcs.ts"],"names":[],"mappings":"AAcA;;;;;qEAKqE;AACrE,wBAAgB,eAAe,CAAC,KAAK,EAAE,OAAO,GAAG,MAAM,CAiCtD;AAED;kFACkF;AAClF,wBAAgB,sBAAsB,CACpC,GAAG,EAAE,OAAO,EACZ,eAAe,EAAE,MAAM,GACtB,KAAK,GAAG,QAAQ,GAAG,WAAW,CAMhC;AAYD,mEAAmE;AACnE,MAAM,WAAW,0BAA0B;IACzC,EAAE,EAAE,MAAM,CAAA;IACV,WAAW,EAAE,MAAM,CAAA;IACnB,KAAK,EAAE,OAAO,CAAA;IACd,YAAY,EAAE,MAAM,CAAA;IACpB,eAAe,EAAE,MAAM,CAAA;IACvB,UAAU,EAAE,MAAM,CAAA;IAClB,aAAa,EAAE,MAAM,CAAA;CACtB;AAOD;;;yDAGyD;AACzD,wBAAgB,gBAAgB,CAAC,GAAG,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,MAAM,CAErE;AAED,4DAA4D;AAC5D,wBAAgB,cAAc,IAAI,0BAA0B,EAAE,CAoF7D"}

package/dist/src/core/canonical-jcs.js

@@ -78,6 +78,13 @@ import { createHash } from 'crypto';
 function sha256hex(input) {
     return createHash('sha256').update(input, 'utf-8').digest('hex');
 }
+/** SHA-256 (lowercase hex) of canonicalizeJCS(obj). Strict-RFC-8785
+ *  counterpart of canonicalHash() from ./canonical.ts. Use this for any
+ *  cross-implementation hash whose conformance pin requires strict JCS
+ *  (e.g. action_ref per draft-pidlisnyi-aps-00 §4.1). */
+export function canonicalHashJCS(obj) {
+    return sha256hex(canonicalizeJCS(obj));
+}
 /** Built-in test vectors for cross-language verification */
 export function getTestVectors() {
     const vectors = [];

package/dist/src/core/canonical-jcs.js.map

@@ -1 +1 @@
-{"version":3,"file":"canonical-jcs.js","sourceRoot":"","sources":["../../../src/core/canonical-jcs.ts"],"names":[],"mappings":"AAAA,qEAAqE;AACrE,kEAAkE;AAClE,qEAAqE;AACrE,qEAAqE;AACrE,wEAAwE;AACxE,EAAE;AACF,wBAAwB;AACxB,mDAAmD;AACnD,uDAAuD;AACvD,EAAE;AACF,gEAAgE;AAChE,6DAA6D;AAC7D,qEAAqE;AAErE;;;;;qEAKqE;AACrE,MAAM,UAAU,eAAe,CAAC,KAAc;IAC5C,IAAI,KAAK,KAAK,IAAI,IAAI,KAAK,KAAK,SAAS;QAAE,OAAO,MAAM,CAAA;IAExD,QAAQ,OAAO,KAAK,EAAE,CAAC;QACrB,KAAK,SAAS;YACZ,OAAO,KAAK,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,OAAO,CAAA;QACjC,KAAK,QAAQ,CAAC,CAAC,CAAC;YACd,IAAI,CAAC,QAAQ,CAAC,KAAK,CAAC;gBAAE,MAAM,IAAI,KAAK,CAAC,sCAAsC,CAAC,CAAA;YAC7E,sEAAsE;YACtE,OAAO,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,CAAA;QAC9B,CAAC;QACD,KAAK,QAAQ;YACX,OAAO,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,CAAA;QAC9B,KAAK,QAAQ,CAAC,CAAC,CAAC;YACd,IAAI,KAAK,YAAY,IAAI;gBAAE,OAAO,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,CAAA;YACvD,IAAI,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC;gBACzB,OAAO,GAAG,GAAG,KAAK,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE,CAAC,eAAe,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,GAAG,GAAG,CAAA;YACvE,CAAC;YACD,gEAAgE;YAChE,MAAM,GAAG,GAAG,KAAgC,CAAA;YAC5C,MAAM,IAAI,GAAG,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,IAAI,EAAE,CAAA;YACpC,MAAM,KAAK,GAAa,EAAE,CAAA;YAC1B,KAAK,MAAM,GAAG,IAAI,IAAI,EAAE,CAAC;gBACvB,MAAM,CAAC,GAAG,GAAG,CAAC,GAAG,CAAC,CAAA;gBAClB,sDAAsD;gBACtD,yEAAyE;gBACzE,KAAK,CAAC,IAAI,CAAC,GAAG,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,IAAI,eAAe,CAAC,CAAC,CAAC,EAAE,CAAC,CAAA;YAC5D,CAAC;YACD,OAAO,GAAG,GAAG,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,GAAG,GAAG,CAAA;QACpC,CAAC;QACD;YACE,MAAM,IAAI,KAAK,CAAC,yBAAyB,OAAO,KAAK,EAAE,CAAC,CAAA;IAC5D,CAAC;AACH,CAAC;AAED;kFACkF;AAClF,MAAM,UAAU,sBAAsB,CACpC,GAAY,EACZ,eAAuB;IAEvB,2EAA2E;IAC3E,IAAI,CAAC,aAAa,CAAC,GAAG,CAAC;QAAE,OAAO,WAAW,CAAA;IAC3C,uEAAuE;IACvE,IAAI,eAAe,CAAC,QAAQ,CAAC,OAAO,CAAC;QAAE,OAAO,KAAK,CAAA;IACnD,OAAO,QAAQ,CAAA;AACjB,CAAC;AAED,SAAS,aAAa,CAAC,GAAY;IACjC,IAAI,GAAG,KAAK,IAAI;QAAE,OAAO,IAAI,CAAA;IAC7B,IAAI,OAAO,GAAG,KAAK,QAAQ,IAAI,GAAG,KAAK,SAAS;QAAE,OAAO,KAAK,CAAA;IAC9D,IAAI,KAAK,CAAC,OAAO,CAAC,GAAG,CAAC;QAAE,OAAO,GAAG,CAAC,IAAI,CAAC,aAAa,CAAC,CAAA;IACtD,OAAO,MAAM,CAAC,MAAM,CAAC,GAA8B,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAC5D,CAAC,KAAK,IAAI,IAAI,CAAC,KAAK,SAAS,IAAI,aAAa,CAAC,CAAC,CAAC,CAAC,CAAA;AACtD,CAAC;AAED,OAAO,EAAE,UAAU,EAAE,MAAM,QAAQ,CAAA;AAanC,8CAA8C;AAC9C,SAAS,SAAS,CAAC,KAAa;IAC9B,OAAO,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,KAAK,EAAE,OAAO,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAA;AAClE,CAAC;AAED,4DAA4D;AAC5D,MAAM,UAAU,cAAc;IAC5B,MAAM,OAAO,GAAiC,EAAE,CAAA;IAEhD,SAAS,SAAS,CAAC,EAAU,EAAE,IAAY,EAAE,KAAc,EAAE,GAAW,EAAE,MAAc;QACtF,OAAO,CAAC,IAAI,CAAC;YACX,EAAE,EAAE,WAAW,EAAE,IAAI,EAAE,KAAK;YAC5B,YAAY,EAAE,GAAG,EAAE,eAAe,EAAE,MAAM;YAC1C,UAAU,EAAE,SAAS,CAAC,GAAG,CAAC,EAAE,aAAa,EAAE,SAAS,CAAC,MAAM,CAAC;SAC7D,CAAC,CAAA;IACJ,CAAC;IAED,8CAA8C;IAC9C,SAAS,CAAC,QAAQ,EAAE,8CAA8C,EAChE,EAAE,OAAO,EAAE,WAAW,EAAE,KAAK,EAAE,MAAM,EAAE,EACvC,wCAAwC,EACxC,wCAAwC,CAAC,CAAA;IAE3C,0CAA0C;IAC1C,SAAS,CAAC,QAAQ,EAAE,2CAA2C,EAC7D,EAAE,OAAO,EAAE,WAAW,EAAE,QAAQ,EAAE,IAAI,EAAE,KAAK,EAAE,MAAM,EAAE,EACvD,wDAAwD,EACxD,wCAAwC,CAAC,CAAA;IAE3C,mBAAmB;IACnB,SAAS,CAAC,QAAQ,EAAE,mCAAmC,EACrD,EAAE,KAAK,EAAE,CAAC,EAAE,KAAK,EAAE,CAAC,EAAE,MAAM,EAAE,CAAC,EAAE,EACjC,kCAAkC,EAClC,kCAAkC,CAAC,CAAA;IAErC,+BAA+B;IAC/B,SAAS,CAAC,QAAQ,EAAE,kCAAkC,EACpD,EAAE,KAAK,EAAE,EAAE,KAAK,EAAE,IAAI,EAAE,KAAK,EAAE,EAAE,EAAE,EAAE,GAAG,EAAE,IAAI,EAAE,EAChD,gDAAgD,EAChD,mCAAmC,CAAC,CAAA;IAEtC,gCAAgC;IAChC,SAAS,CAAC,QAAQ,EAAE,sDAAsD,EACxE,EAAE,KAAK,EAAE,CAAC,CAAC,EAAE,IAAI,EAAE,CAAC,CAAC,EAAE,EACvB,sBAAsB,EACtB,sBAAsB,CAAC,CAAA;IAEzB,wBAAwB;IACxB,SAAS,CAAC,QAAQ,EAAE,yCAAyC,EAC3D,EAAE,OAAO,EAAE,EAAE,EAAE,QAAQ,EAAE,CAAC,CAAC,EAAE,KAAK,EAAE,IAAI,EAAE,IAAI,EAAE,CAAC,EAAE,EACnD,oDAAoD,EACpD,oDAAoD,CAAC,CAAA;IAEvD,uBAAuB;IACvB,SAAS,CAAC,QAAQ,EAAE,8BAA8B,EAChD,EAAE,QAAQ,EAAE,EAAE,EAAE,QAAQ,EAAE,EAAE,EAAE,EAC9B,+BAA+B,EAC/B,+BAA+B,CAAC,CAAA;IAElC,cAAc;IACd,SAAS,CAAC,QAAQ,EAAE,wBAAwB,EAC1C,EAAE,IAAI,EAAE,SAAS,EAAE,KAAK,EAAE,IAAI,EAAE,EAChC,iCAAiC,EACjC,iCAAiC,CAAC,CAAA;IAEpC,uDAAuD;IACvD,SAAS,CAAC,QAAQ,EAAE,4DAA4D,EAC9E;QACE,YAAY,EAAE,YAAY;QAC1B,WAAW,EAAE,sBAAsB;QACnC,WAAW,EAAE,kBAAkB;QAC/B,KAAK,EAAE,CAAC,WAAW,EAAE,mBAAmB,CAAC;QACzC,UAAU,EAAE,GAAG;QACf,oBAAoB,EAAE,IAAI;QAC1B,SAAS,EAAE,sBAAsB;QACjC,SAAS,EAAE,IAAI;QACf,QAAQ,EAAE,CAAC;QACX,YAAY,EAAE,CAAC;QACf,SAAS,EAAE,sBAAsB;KAClC,EACD,iTAAiT,EACjT,oQAAoQ,CAAC,CAAA;IAEvQ,sBAAsB;IACtB,SAAS,CAAC,QAAQ,EAAE,gBAAgB,EAClC,EAAE,MAAM,EAAE,IAAI,EAAE,OAAO,EAAE,KAAK,EAAE,EAChC,iCAAiC,EACjC,iCAAiC,CAAC,CAAA;IAEpC,OAAO,OAAO,CAAA;AAChB,CAAC"}
+{"version":3,"file":"canonical-jcs.js","sourceRoot":"","sources":["../../../src/core/canonical-jcs.ts"],"names":[],"mappings":"AAAA,qEAAqE;AACrE,kEAAkE;AAClE,qEAAqE;AACrE,qEAAqE;AACrE,wEAAwE;AACxE,EAAE;AACF,wBAAwB;AACxB,mDAAmD;AACnD,uDAAuD;AACvD,EAAE;AACF,gEAAgE;AAChE,6DAA6D;AAC7D,qEAAqE;AAErE;;;;;qEAKqE;AACrE,MAAM,UAAU,eAAe,CAAC,KAAc;IAC5C,IAAI,KAAK,KAAK,IAAI,IAAI,KAAK,KAAK,SAAS;QAAE,OAAO,MAAM,CAAA;IAExD,QAAQ,OAAO,KAAK,EAAE,CAAC;QACrB,KAAK,SAAS;YACZ,OAAO,KAAK,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,OAAO,CAAA;QACjC,KAAK,QAAQ,CAAC,CAAC,CAAC;YACd,IAAI,CAAC,QAAQ,CAAC,KAAK,CAAC;gBAAE,MAAM,IAAI,KAAK,CAAC,sCAAsC,CAAC,CAAA;YAC7E,sEAAsE;YACtE,OAAO,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,CAAA;QAC9B,CAAC;QACD,KAAK,QAAQ;YACX,OAAO,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,CAAA;QAC9B,KAAK,QAAQ,CAAC,CAAC,CAAC;YACd,IAAI,KAAK,YAAY,IAAI;gBAAE,OAAO,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,CAAA;YACvD,IAAI,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC;gBACzB,OAAO,GAAG,GAAG,KAAK,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE,CAAC,eAAe,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,GAAG,GAAG,CAAA;YACvE,CAAC;YACD,gEAAgE;YAChE,MAAM,GAAG,GAAG,KAAgC,CAAA;YAC5C,MAAM,IAAI,GAAG,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,IAAI,EAAE,CAAA;YACpC,MAAM,KAAK,GAAa,EAAE,CAAA;YAC1B,KAAK,MAAM,GAAG,IAAI,IAAI,EAAE,CAAC;gBACvB,MAAM,CAAC,GAAG,GAAG,CAAC,GAAG,CAAC,CAAA;gBAClB,sDAAsD;gBACtD,yEAAyE;gBACzE,KAAK,CAAC,IAAI,CAAC,GAAG,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,IAAI,eAAe,CAAC,CAAC,CAAC,EAAE,CAAC,CAAA;YAC5D,CAAC;YACD,OAAO,GAAG,GAAG,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,GAAG,GAAG,CAAA;QACpC,CAAC;QACD;YACE,MAAM,IAAI,KAAK,CAAC,yBAAyB,OAAO,KAAK,EAAE,CAAC,CAAA;IAC5D,CAAC;AACH,CAAC;AAED;kFACkF;AAClF,MAAM,UAAU,sBAAsB,CACpC,GAAY,EACZ,eAAuB;IAEvB,2EAA2E;IAC3E,IAAI,CAAC,aAAa,CAAC,GAAG,CAAC;QAAE,OAAO,WAAW,CAAA;IAC3C,uEAAuE;IACvE,IAAI,eAAe,CAAC,QAAQ,CAAC,OAAO,CAAC;QAAE,OAAO,KAAK,CAAA;IACnD,OAAO,QAAQ,CAAA;AACjB,CAAC;AAED,SAAS,aAAa,CAAC,GAAY;IACjC,IAAI,GAAG,KAAK,IAAI;QAAE,OAAO,IAAI,CAAA;IAC7B,IAAI,OAAO,GAAG,KAAK,QAAQ,IAAI,GAAG,KAAK,SAAS;QAAE,OAAO,KAAK,CAAA;IAC9D,IAAI,KAAK,CAAC,OAAO,CAAC,GAAG,CAAC;QAAE,OAAO,GAAG,CAAC,IAAI,CAAC,aAAa,CAAC,CAAA;IACtD,OAAO,MAAM,CAAC,MAAM,CAAC,GAA8B,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAC5D,CAAC,KAAK,IAAI,IAAI,CAAC,KAAK,SAAS,IAAI,aAAa,CAAC,CAAC,CAAC,CAAC,CAAA;AACtD,CAAC;AAED,OAAO,EAAE,UAAU,EAAE,MAAM,QAAQ,CAAA;AAanC,8CAA8C;AAC9C,SAAS,SAAS,CAAC,KAAa;IAC9B,OAAO,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,KAAK,EAAE,OAAO,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAA;AAClE,CAAC;AAED;;;yDAGyD;AACzD,MAAM,UAAU,gBAAgB,CAAC,GAA4B;IAC3D,OAAO,SAAS,CAAC,eAAe,CAAC,GAAG,CAAC,CAAC,CAAA;AACxC,CAAC;AAED,4DAA4D;AAC5D,MAAM,UAAU,cAAc;IAC5B,MAAM,OAAO,GAAiC,EAAE,CAAA;IAEhD,SAAS,SAAS,CAAC,EAAU,EAAE,IAAY,EAAE,KAAc,EAAE,GAAW,EAAE,MAAc;QACtF,OAAO,CAAC,IAAI,CAAC;YACX,EAAE,EAAE,WAAW,EAAE,IAAI,EAAE,KAAK;YAC5B,YAAY,EAAE,GAAG,EAAE,eAAe,EAAE,MAAM;YAC1C,UAAU,EAAE,SAAS,CAAC,GAAG,CAAC,EAAE,aAAa,EAAE,SAAS,CAAC,MAAM,CAAC;SAC7D,CAAC,CAAA;IACJ,CAAC;IAED,8CAA8C;IAC9C,SAAS,CAAC,QAAQ,EAAE,8CAA8C,EAChE,EAAE,OAAO,EAAE,WAAW,EAAE,KAAK,EAAE,MAAM,EAAE,EACvC,wCAAwC,EACxC,wCAAwC,CAAC,CAAA;IAE3C,0CAA0C;IAC1C,SAAS,CAAC,QAAQ,EAAE,2CAA2C,EAC7D,EAAE,OAAO,EAAE,WAAW,EAAE,QAAQ,EAAE,IAAI,EAAE,KAAK,EAAE,MAAM,EAAE,EACvD,wDAAwD,EACxD,wCAAwC,CAAC,CAAA;IAE3C,mBAAmB;IACnB,SAAS,CAAC,QAAQ,EAAE,mCAAmC,EACrD,EAAE,KAAK,EAAE,CAAC,EAAE,KAAK,EAAE,CAAC,EAAE,MAAM,EAAE,CAAC,EAAE,EACjC,kCAAkC,EAClC,kCAAkC,CAAC,CAAA;IAErC,+BAA+B;IAC/B,SAAS,CAAC,QAAQ,EAAE,kCAAkC,EACpD,EAAE,KAAK,EAAE,EAAE,KAAK,EAAE,IAAI,EAAE,KAAK,EAAE,EAAE,EAAE,EAAE,GAAG,EAAE,IAAI,EAAE,EAChD,gDAAgD,EAChD,mCAAmC,CAAC,CAAA;IAEtC,gCAAgC;IAChC,SAAS,CAAC,QAAQ,EAAE,sDAAsD,EACxE,EAAE,KAAK,EAAE,CAAC,CAAC,EAAE,IAAI,EAAE,CAAC,CAAC,EAAE,EACvB,sBAAsB,EACtB,sBAAsB,CAAC,CAAA;IAEzB,wBAAwB;IACxB,SAAS,CAAC,QAAQ,EAAE,yCAAyC,EAC3D,EAAE,OAAO,EAAE,EAAE,EAAE,QAAQ,EAAE,CAAC,CAAC,EAAE,KAAK,EAAE,IAAI,EAAE,IAAI,EAAE,CAAC,EAAE,EACnD,oDAAoD,EACpD,oDAAoD,CAAC,CAAA;IAEvD,uBAAuB;IACvB,SAAS,CAAC,QAAQ,EAAE,8BAA8B,EAChD,EAAE,QAAQ,EAAE,EAAE,EAAE,QAAQ,EAAE,EAAE,EAAE,EAC9B,+BAA+B,EAC/B,+BAA+B,CAAC,CAAA;IAElC,cAAc;IACd,SAAS,CAAC,QAAQ,EAAE,wBAAwB,EAC1C,EAAE,IAAI,EAAE,SAAS,EAAE,KAAK,EAAE,IAAI,EAAE,EAChC,iCAAiC,EACjC,iCAAiC,CAAC,CAAA;IAEpC,uDAAuD;IACvD,SAAS,CAAC,QAAQ,EAAE,4DAA4D,EAC9E;QACE,YAAY,EAAE,YAAY;QAC1B,WAAW,EAAE,sBAAsB;QACnC,WAAW,EAAE,kBAAkB;QAC/B,KAAK,EAAE,CAAC,WAAW,EAAE,mBAAmB,CAAC;QACzC,UAAU,EAAE,GAAG;QACf,oBAAoB,EAAE,IAAI;QAC1B,SAAS,EAAE,sBAAsB;QACjC,SAAS,EAAE,IAAI;QACf,QAAQ,EAAE,CAAC;QACX,YAAY,EAAE,CAAC;QACf,SAAS,EAAE,sBAAsB;KAClC,EACD,iTAAiT,EACjT,oQAAoQ,CAAC,CAAA;IAEvQ,sBAAsB;IACtB,SAAS,CAAC,QAAQ,EAAE,gBAAgB,EAClC,EAAE,MAAM,EAAE,IAAI,EAAE,OAAO,EAAE,KAAK,EAAE,EAChC,iCAAiC,EACjC,iCAAiC,CAAC,CAAA;IAEpC,OAAO,OAAO,CAAA;AAChB,CAAC"}

package/dist/src/core/tool-integrity.d.ts

@@ -72,4 +72,223 @@ export declare function verifyToolIntegrity(input: {
         hasWallet: boolean;
     };
 }): ToolIntegrityResult;
+/**
+ * Trust roots (D1). The APS-native DID is the default and needs zero
+ * external dependency — the Ed25519 key is embedded in the did:key /
+ * did:aps identifier itself. `did:web` (domain-anchored) and `raw-key`
+ * are accepted external roots so the integrity claim holds for
+ * real-world registries.
+ */
+export type ToolTrustRoot = {
+    type: 'aps';
+    ref: string;
+} | {
+    type: 'did:web';
+    ref: string;
+} | {
+    type: 'raw-key';
+    ref: string;
+};
+/** Metadata block — description, declared schema, declared permissions. */
+export interface ToolMetadata {
+    description?: string;
+    schema?: unknown;
+    permissions?: string[];
+}
+/**
+ * Signed tool manifest — the artifact a publisher/registry publishes.
+ * Canonical surface for publisher identity, namespace and re-approval.
+ */
+export interface ToolManifest {
+    /** Tool name (matches the name in delegation scope) */
+    toolName: string;
+    /** Optional declared namespace, e.g. `acme/*` */
+    namespace?: string;
+    /** `sha256:` of the implementation (existing semantics) */
+    implementationHash: string;
+    /** `sha256:` of the canonicalized metadata block — DISTINCT from
+     *  implementationHash so a description/schema/permissions change is
+     *  detectable even when the implementation is byte-identical. */
+    metadataHash: string;
+    /** Asserted publisher identity (DID). When present, a publisher check runs. */
+    publisherDid?: string;
+    /** How the publisher key is resolved (D1). Default when absent: APS-native. */
+    trustRoot?: ToolTrustRoot;
+    /** Asserted attestor identity (DID). When present, the manifest signature
+     *  is verified against the RESOLVED attestor key — a caller-supplied
+     *  `attestorPublicKey` cannot override or substitute for it. */
+    attestorDid?: string;
+    /** How the attestor key is resolved (D1). Default when absent: APS-native. */
+    attestorTrustRoot?: ToolTrustRoot;
+    /** Monotonic integer; bumped on every substantive revision. */
+    metadataVersion: number;
+    /** Approval state — `pending-reapproval` blocks verification. */
+    approvalState?: 'approved' | 'pending-reapproval';
+    /** When this manifest was attested */
+    verifiedAt: string;
+    /** Ed25519 attestor signature over the canonical manifest body */
+    signature: string;
+    /** Ed25519 publisher signature over the SAME canonical body, when a
+     *  publisher identity is asserted */
+    publisherSignature?: string;
+}
+/** A signed claim of ownership over a tool-name namespace (anti-typosquat). */
+export interface NamespaceClaim {
+    /** Claimed namespace, e.g. `acme/*` */
+    namespace: string;
+    /** DID of the namespace owner */
+    ownerDid: string;
+    /** How the owner key resolves (D1) */
+    trustRoot: ToolTrustRoot;
+    /** Ed25519 signature by the owner over canonical `{namespace, ownerDid}` */
+    signature: string;
+}
+/** Result of `verifyToolManifest`. */
+export interface ToolManifestResult {
+    /** All checks passed */
+    valid: boolean;
+    /** Attestor signature over the manifest body is valid (against the
+     *  authoritative key — resolved when attestorDid is set, else the
+     *  caller-supplied attestorPublicKey) */
+    attestorSignatureValid: boolean;
+    /** Manifest signature verified against a RESOLVED attestor identity.
+     *  True only when `attestorDid` is asserted, resolves, and the signature
+     *  checks out. False when no attestorDid is asserted (no DID binding). */
+    attestorVerified: boolean;
+    /** How the attestor key was resolved, or `caller-supplied-key` when no
+     *  attestorDid is asserted */
+    attestorResolutionMethod: string;
+    /** Implementation hash matched (true if no current implementation supplied) */
+    implementationVerified: boolean;
+    /** Metadata hash matched (true if no current metadata supplied) */
+    metadataVerified: boolean;
+    /** Publisher signature verified (false when no publisher identity asserted) */
+    publisherVerified: boolean;
+    /** How the publisher key was resolved, or why it was not */
+    publisherResolutionMethod: string;
+    /** Namespace governance passed (true when no claims supplied or no match) */
+    namespaceVerified: boolean;
+    /** Tool name collides with a namespace owned by a different DID */
+    namespaceViolation: boolean;
+    /** Manifest is pending re-approval after a metadata change */
+    reapprovalRequired: boolean;
+    /** Errors */
+    errors: string[];
+}
+/** Optional injected did:web resolver — lets callers (and tests) resolve a
+ *  did:web document without live network access. Defaults to `resolveDIDWeb`. */
+export interface ToolResolveOpts {
+    didWebResolver?: (didWeb: string) => Promise<object>;
+}
+/**
+ * Create a signed tool manifest. The attestor signs the canonical body; if a
+ * publisher private key is supplied, the publisher co-signs the same body.
+ */
+export declare function createToolManifest(input: {
+    toolName: string;
+    namespace?: string;
+    /** Raw implementation content to hash */
+    implementation: string | Buffer;
+    /** Metadata block to hash (distinct from the implementation) */
+    metadata: ToolMetadata;
+    attestorPrivateKey: string;
+    /** Asserted attestor identity (DID) — when set, the manifest carries it and
+     *  verification binds the signature to the resolved attestor key */
+    attestorDid?: string;
+    /** Trust root for resolving the attestor key, optional */
+    attestorTrustRoot?: ToolTrustRoot;
+    /** Asserted publisher identity, optional */
+    publisherDid?: string;
+    /** Trust root for resolving the publisher key, optional */
+    trustRoot?: ToolTrustRoot;
+    /** Publisher private key — when present, the manifest is publisher co-signed */
+    publisherPrivateKey?: string;
+    /** Monotonic metadata version (default 1) */
+    metadataVersion?: number;
+    /** Approval state (default 'approved') */
+    approvalState?: 'approved' | 'pending-reapproval';
+    /** Override timestamp — for deterministic conformance fixtures */
+    verifiedAt?: string;
+}): ToolManifest;
+/**
+ * Verify a tool manifest — attestor signature, optional implementation and
+ * metadata hashes, publisher identity (Part 1b), namespace governance
+ * (Part 2) and re-approval state (Part 3). Async because did:web resolution
+ * is async; the APS-native and raw-key paths resolve synchronously.
+ */
+export declare function verifyToolManifest(input: {
+    manifest: ToolManifest;
+    /** Attestor public key — used ONLY when the manifest asserts no
+     *  `attestorDid`. When `attestorDid` is set the resolved key is
+     *  authoritative and this key cannot override or substitute for it (G1). */
+    attestorPublicKey?: string;
+    /** Current implementation to hash-check, optional */
+    currentImplementation?: string | Buffer;
+    /** Current metadata to hash-check, optional */
+    currentMetadata?: ToolMetadata;
+    /** Known namespace claims — namespace check runs only when supplied */
+    namespaceClaims?: NamespaceClaim[];
+    /** Optional injected did:web resolver (offline use / tests) */
+    didWebResolver?: (didWeb: string) => Promise<object>;
+}): Promise<ToolManifestResult>;
+/** Create a signed namespace ownership claim. */
+export declare function createNamespaceClaim(input: {
+    namespace: string;
+    ownerDid: string;
+    trustRoot: ToolTrustRoot;
+    ownerPrivateKey: string;
+}): NamespaceClaim;
+/**
+ * Verify a namespace claim — resolve the owner key via the claim's own trust
+ * root and check the owner signature over canonical `{namespace, ownerDid}`.
+ * `resolveOpts` carries an optional injected did:web resolver.
+ */
+export declare function verifyNamespaceClaim(claim: NamespaceClaim, resolveOpts?: ToolResolveOpts): Promise<{
+    valid: boolean;
+    ownerVerified: boolean;
+    resolutionMethod: string;
+    errors: string[];
+}>;
+/**
+ * Revise a tool manifest (Part 3). Produces a new manifest re-signed by the
+ * attestor. Hash-delta rule — the concrete link between Part 1a and Part 3:
+ * the revision moves to `pending-reapproval` with `metadataVersion + 1` IFF
+ * the implementation hash OR the metadata hash differs from the previous
+ * manifest. If neither hash changed it is not a substantive revision and the
+ * version / approval state are unchanged.
+ *
+ * The attestor identity (`attestorDid` / `attestorTrustRoot`) is carried
+ * forward. If the previous manifest asserts a `publisherDid`, a
+ * `publisherPrivateKey` MUST be supplied so the publisher field is re-signed
+ * over the revised body — revising a publisher-bearing manifest without it
+ * throws rather than emit a manifest with a stale publisher signature.
+ */
+export declare function reviseToolManifest(prevManifest: ToolManifest, changes: {
+    implementation?: string | Buffer;
+    metadata?: ToolMetadata;
+}, attestorPrivateKey: string, opts?: {
+    verifiedAt?: string;
+    publisherPrivateKey?: string;
+}): ToolManifest;
+/**
+ * Re-approve a manifest pending re-approval (Part 3). Only an attestor can move
+ * `pending-reapproval` -> `approved`.
+ *
+ * The approval is bound to a resolved attestor identity, not merely any
+ * caller-provided keypair: the returned manifest carries `attestorDid` /
+ * `attestorTrustRoot`, and its signature then verifies against the resolved
+ * attestor key in `verifyToolManifest`. If `opts.attestorDid` is omitted the
+ * attestor identity already on the manifest is carried forward.
+ *
+ * If the manifest asserts a `publisherDid`, a `publisherPrivateKey` is required
+ * so the publisher field is re-signed over the approved body. Throws if the
+ * manifest is not pending re-approval, or on a missing required publisher key.
+ */
+export declare function reapproveToolManifest(manifest: ToolManifest, opts: {
+    attestorPrivateKey: string;
+    attestorDid?: string;
+    attestorTrustRoot?: ToolTrustRoot;
+    publisherPrivateKey?: string;
+    verifiedAt?: string;
+}): ToolManifest;
 //# sourceMappingURL=tool-integrity.d.ts.map

package/dist/src/core/tool-integrity.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"tool-integrity.d.ts","sourceRoot":"","sources":["../../../src/core/tool-integrity.ts"],"names":[],"mappings":"AAiBA,yCAAyC;AACzC,MAAM,WAAW,iBAAiB;IAChC,0DAA0D;IAC1D,QAAQ,EAAE,MAAM,CAAA;IAChB,uFAAuF;IACvF,kBAAkB,EAAE,MAAM,CAAA;IAC1B,6EAA6E;IAC7E,UAAU,EAAE,MAAM,CAAA;IAClB,2CAA2C;IAC3C,UAAU,EAAE,MAAM,CAAA;IAClB,oFAAoF;IACpF,SAAS,EAAE,MAAM,CAAA;CAClB;AAED;yCACyC;AACzC,MAAM,WAAW,gBAAgB;IAC/B,4CAA4C;IAC5C,QAAQ,CAAC,EAAE,MAAM,CAAA;IACjB,iCAAiC;IACjC,cAAc,CAAC,EAAE,MAAM,EAAE,CAAA;IACzB,gCAAgC;IAChC,aAAa,CAAC,EAAE,MAAM,CAAA;IACtB,kDAAkD;IAClD,cAAc,CAAC,EAAE,OAAO,CAAA;IACxB,qDAAqD;IACrD,MAAM,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAA;CACjC;AAED,oDAAoD;AACpD,MAAM,WAAW,mBAAmB;IAClC,yCAAyC;IACzC,KAAK,EAAE,OAAO,CAAA;IACd,8CAA8C;IAC9C,sBAAsB,EAAE,OAAO,CAAA;IAC/B,8CAA8C;IAC9C,sBAAsB,EAAE,OAAO,CAAA;IAC/B,yDAAyD;IACzD,eAAe,EAAE,OAAO,CAAA;IACxB,gCAAgC;IAChC,kBAAkB,EAAE,MAAM,EAAE,CAAA;IAC5B,aAAa;IACb,MAAM,EAAE,MAAM,EAAE,CAAA;CACjB;AAED;;;GAGG;AACH,wBAAgB,uBAAuB,CAAC,KAAK,EAAE;IAC7C,QAAQ,EAAE,MAAM,CAAA;IAChB,6EAA6E;IAC7E,cAAc,EAAE,MAAM,GAAG,MAAM,CAAA;IAC/B,UAAU,EAAE,MAAM,CAAA;IAClB,kBAAkB,EAAE,MAAM,CAAA;CAC3B,GAAG,iBAAiB,CAepB;AAED;;;GAGG;AACH,wBAAgB,mBAAmB,CAAC,KAAK,EAAE;IACzC,2CAA2C;IAC3C,aAAa,EAAE,iBAAiB,CAAA;IAChC,uDAAuD;IACvD,qBAAqB,EAAE,MAAM,GAAG,MAAM,CAAA;IACtC,uDAAuD;IACvD,iBAAiB,EAAE,MAAM,CAAA;IACzB,sEAAsE;IACtE,YAAY,CAAC,EAAE,gBAAgB,CAAA;IAC/B,sEAAsE;IACtE,iBAAiB,CAAC,EAAE;QAClB,KAAK,EAAE,MAAM,CAAA;QACb,MAAM,EAAE,MAAM,EAAE,CAAA;QAChB,UAAU,EAAE,MAAM,CAAA;QAClB,SAAS,EAAE,OAAO,CAAA;KACnB,CAAA;CACF,GAAG,mBAAmB,CAuDtB"}
+{"version":3,"file":"tool-integrity.d.ts","sourceRoot":"","sources":["../../../src/core/tool-integrity.ts"],"names":[],"mappings":"AAiBA,yCAAyC;AACzC,MAAM,WAAW,iBAAiB;IAChC,0DAA0D;IAC1D,QAAQ,EAAE,MAAM,CAAA;IAChB,uFAAuF;IACvF,kBAAkB,EAAE,MAAM,CAAA;IAC1B,6EAA6E;IAC7E,UAAU,EAAE,MAAM,CAAA;IAClB,2CAA2C;IAC3C,UAAU,EAAE,MAAM,CAAA;IAClB,oFAAoF;IACpF,SAAS,EAAE,MAAM,CAAA;CAClB;AAED;yCACyC;AACzC,MAAM,WAAW,gBAAgB;IAC/B,4CAA4C;IAC5C,QAAQ,CAAC,EAAE,MAAM,CAAA;IACjB,iCAAiC;IACjC,cAAc,CAAC,EAAE,MAAM,EAAE,CAAA;IACzB,gCAAgC;IAChC,aAAa,CAAC,EAAE,MAAM,CAAA;IACtB,kDAAkD;IAClD,cAAc,CAAC,EAAE,OAAO,CAAA;IACxB,qDAAqD;IACrD,MAAM,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAA;CACjC;AAED,oDAAoD;AACpD,MAAM,WAAW,mBAAmB;IAClC,yCAAyC;IACzC,KAAK,EAAE,OAAO,CAAA;IACd,8CAA8C;IAC9C,sBAAsB,EAAE,OAAO,CAAA;IAC/B,8CAA8C;IAC9C,sBAAsB,EAAE,OAAO,CAAA;IAC/B,yDAAyD;IACzD,eAAe,EAAE,OAAO,CAAA;IACxB,gCAAgC;IAChC,kBAAkB,EAAE,MAAM,EAAE,CAAA;IAC5B,aAAa;IACb,MAAM,EAAE,MAAM,EAAE,CAAA;CACjB;AAED;;;GAGG;AACH,wBAAgB,uBAAuB,CAAC,KAAK,EAAE;IAC7C,QAAQ,EAAE,MAAM,CAAA;IAChB,6EAA6E;IAC7E,cAAc,EAAE,MAAM,GAAG,MAAM,CAAA;IAC/B,UAAU,EAAE,MAAM,CAAA;IAClB,kBAAkB,EAAE,MAAM,CAAA;CAC3B,GAAG,iBAAiB,CAepB;AAED;;;GAGG;AACH,wBAAgB,mBAAmB,CAAC,KAAK,EAAE;IACzC,2CAA2C;IAC3C,aAAa,EAAE,iBAAiB,CAAA;IAChC,uDAAuD;IACvD,qBAAqB,EAAE,MAAM,GAAG,MAAM,CAAA;IACtC,uDAAuD;IACvD,iBAAiB,EAAE,MAAM,CAAA;IACzB,sEAAsE;IACtE,YAAY,CAAC,EAAE,gBAAgB,CAAA;IAC/B,sEAAsE;IACtE,iBAAiB,CAAC,EAAE;QAClB,KAAK,EAAE,MAAM,CAAA;QACb,MAAM,EAAE,MAAM,EAAE,CAAA;QAChB,UAAU,EAAE,MAAM,CAAA;QAClB,SAAS,EAAE,OAAO,CAAA;KACnB,CAAA;CACF,GAAG,mBAAmB,CAuDtB;AAiBD;;;;;;GAMG;AACH,MAAM,MAAM,aAAa,GACrB;IAAE,IAAI,EAAE,KAAK,CAAC;IAAC,GAAG,EAAE,MAAM,CAAA;CAAE,GAC5B;IAAE,IAAI,EAAE,SAAS,CAAC;IAAC,GAAG,EAAE,MAAM,CAAA;CAAE,GAChC;IAAE,IAAI,EAAE,SAAS,CAAC;IAAC,GAAG,EAAE,MAAM,CAAA;CAAE,CAAA;AAEpC,2EAA2E;AAC3E,MAAM,WAAW,YAAY;IAC3B,WAAW,CAAC,EAAE,MAAM,CAAA;IACpB,MAAM,CAAC,EAAE,OAAO,CAAA;IAChB,WAAW,CAAC,EAAE,MAAM,EAAE,CAAA;CACvB;AAED;;;GAGG;AACH,MAAM,WAAW,YAAY;IAC3B,uDAAuD;IACvD,QAAQ,EAAE,MAAM,CAAA;IAChB,iDAAiD;IACjD,SAAS,CAAC,EAAE,MAAM,CAAA;IAClB,2DAA2D;IAC3D,kBAAkB,EAAE,MAAM,CAAA;IAC1B;;qEAEiE;IACjE,YAAY,EAAE,MAAM,CAAA;IACpB,+EAA+E;IAC/E,YAAY,CAAC,EAAE,MAAM,CAAA;IACrB,+EAA+E;IAC/E,SAAS,CAAC,EAAE,aAAa,CAAA;IACzB;;oEAEgE;IAChE,WAAW,CAAC,EAAE,MAAM,CAAA;IACpB,8EAA8E;IAC9E,iBAAiB,CAAC,EAAE,aAAa,CAAA;IACjC,+DAA+D;IAC/D,eAAe,EAAE,MAAM,CAAA;IACvB,iEAAiE;IACjE,aAAa,CAAC,EAAE,UAAU,GAAG,oBAAoB,CAAA;IACjD,sCAAsC;IACtC,UAAU,EAAE,MAAM,CAAA;IAClB,kEAAkE;IAClE,SAAS,EAAE,MAAM,CAAA;IACjB;yCACqC;IACrC,kBAAkB,CAAC,EAAE,MAAM,CAAA;CAC5B;AAED,+EAA+E;AAC/E,MAAM,WAAW,cAAc;IAC7B,uCAAuC;IACvC,SAAS,EAAE,MAAM,CAAA;IACjB,iCAAiC;IACjC,QAAQ,EAAE,MAAM,CAAA;IAChB,sCAAsC;IACtC,SAAS,EAAE,aAAa,CAAA;IACxB,4EAA4E;IAC5E,SAAS,EAAE,MAAM,CAAA;CAClB;AAED,sCAAsC;AACtC,MAAM,WAAW,kBAAkB;IACjC,wBAAwB;IACxB,KAAK,EAAE,OAAO,CAAA;IACd;;6CAEyC;IACzC,sBAAsB,EAAE,OAAO,CAAA;IAC/B;;8EAE0E;IAC1E,gBAAgB,EAAE,OAAO,CAAA;IACzB;kCAC8B;IAC9B,wBAAwB,EAAE,MAAM,CAAA;IAChC,+EAA+E;IAC/E,sBAAsB,EAAE,OAAO,CAAA;IAC/B,mEAAmE;IACnE,gBAAgB,EAAE,OAAO,CAAA;IACzB,+EAA+E;IAC/E,iBAAiB,EAAE,OAAO,CAAA;IAC1B,4DAA4D;IAC5D,yBAAyB,EAAE,MAAM,CAAA;IACjC,6EAA6E;IAC7E,iBAAiB,EAAE,OAAO,CAAA;IAC1B,mEAAmE;IACnE,kBAAkB,EAAE,OAAO,CAAA;IAC3B,8DAA8D;IAC9D,kBAAkB,EAAE,OAAO,CAAA;IAC3B,aAAa;IACb,MAAM,EAAE,MAAM,EAAE,CAAA;CACjB;AAED;iFACiF;AACjF,MAAM,WAAW,eAAe;IAC9B,cAAc,CAAC,EAAE,CAAC,MAAM,EAAE,MAAM,KAAK,OAAO,CAAC,MAAM,CAAC,CAAA;CACrD;AA6GD;;;GAGG;AACH,wBAAgB,kBAAkB,CAAC,KAAK,EAAE;IACxC,QAAQ,EAAE,MAAM,CAAA;IAChB,SAAS,CAAC,EAAE,MAAM,CAAA;IAClB,yCAAyC;IACzC,cAAc,EAAE,MAAM,GAAG,MAAM,CAAA;IAC/B,gEAAgE;IAChE,QAAQ,EAAE,YAAY,CAAA;IACtB,kBAAkB,EAAE,MAAM,CAAA;IAC1B;wEACoE;IACpE,WAAW,CAAC,EAAE,MAAM,CAAA;IACpB,0DAA0D;IAC1D,iBAAiB,CAAC,EAAE,aAAa,CAAA;IACjC,4CAA4C;IAC5C,YAAY,CAAC,EAAE,MAAM,CAAA;IACrB,2DAA2D;IAC3D,SAAS,CAAC,EAAE,aAAa,CAAA;IACzB,gFAAgF;IAChF,mBAAmB,CAAC,EAAE,MAAM,CAAA;IAC5B,6CAA6C;IAC7C,eAAe,CAAC,EAAE,MAAM,CAAA;IACxB,0CAA0C;IAC1C,aAAa,CAAC,EAAE,UAAU,GAAG,oBAAoB,CAAA;IACjD,kEAAkE;IAClE,UAAU,CAAC,EAAE,MAAM,CAAA;CACpB,GAAG,YAAY,CAoBf;AAED;;;;;GAKG;AACH,wBAAsB,kBAAkB,CAAC,KAAK,EAAE;IAC9C,QAAQ,EAAE,YAAY,CAAA;IACtB;;gFAE4E;IAC5E,iBAAiB,CAAC,EAAE,MAAM,CAAA;IAC1B,qDAAqD;IACrD,qBAAqB,CAAC,EAAE,MAAM,GAAG,MAAM,CAAA;IACvC,+CAA+C;IAC/C,eAAe,CAAC,EAAE,YAAY,CAAA;IAC9B,uEAAuE;IACvE,eAAe,CAAC,EAAE,cAAc,EAAE,CAAA;IAClC,+DAA+D;IAC/D,cAAc,CAAC,EAAE,CAAC,MAAM,EAAE,MAAM,KAAK,OAAO,CAAC,MAAM,CAAC,CAAA;CACrD,GAAG,OAAO,CAAC,kBAAkB,CAAC,CA6G9B;AAED,iDAAiD;AACjD,wBAAgB,oBAAoB,CAAC,KAAK,EAAE;IAC1C,SAAS,EAAE,MAAM,CAAA;IACjB,QAAQ,EAAE,MAAM,CAAA;IAChB,SAAS,EAAE,aAAa,CAAA;IACxB,eAAe,EAAE,MAAM,CAAA;CACxB,GAAG,cAAc,CAQjB;AAED;;;;GAIG;AACH,wBAAsB,oBAAoB,CACxC,KAAK,EAAE,cAAc,EACrB,WAAW,CAAC,EAAE,eAAe,GAC5B,OAAO,CAAC;IAAE,KAAK,EAAE,OAAO,CAAC;IAAC,aAAa,EAAE,OAAO,CAAC;IAAC,gBAAgB,EAAE,MAAM,CAAC;IAAC,MAAM,EAAE,MAAM,EAAE,CAAA;CAAE,CAAC,CAYjG;AAED;;;;;;;;;;;;;GAaG;AACH,wBAAgB,kBAAkB,CAChC,YAAY,EAAE,YAAY,EAC1B,OAAO,EAAE;IAAE,cAAc,CAAC,EAAE,MAAM,GAAG,MAAM,CAAC;IAAC,QAAQ,CAAC,EAAE,YAAY,CAAA;CAAE,EACtE,kBAAkB,EAAE,MAAM,EAC1B,IAAI,CAAC,EAAE;IAAE,UAAU,CAAC,EAAE,MAAM,CAAC;IAAC,mBAAmB,CAAC,EAAE,MAAM,CAAA;CAAE,GAC3D,YAAY,CAqCd;AAED;;;;;;;;;;;;;GAaG;AACH,wBAAgB,qBAAqB,CACnC,QAAQ,EAAE,YAAY,EACtB,IAAI,EAAE;IACJ,kBAAkB,EAAE,MAAM,CAAA;IAC1B,WAAW,CAAC,EAAE,MAAM,CAAA;IACpB,iBAAiB,CAAC,EAAE,aAAa,CAAA;IACjC,mBAAmB,CAAC,EAAE,MAAM,CAAA;IAC5B,UAAU,CAAC,EAAE,MAAM,CAAA;CACpB,GACA,YAAY,CAwBd"}