agents-chain 0.0.1

package/README.md

@@ -0,0 +1,145 @@
+# agents-chain
+
+Lightweight identity, authentication, and audit layer for AI agent SDKs.
+
+Wrap your OpenAI or Anthropic client with `agents-chain` to get:
+
+- **Ed25519 key-pair identity** per agent instance
+- **JWT-based capability tokens** — every API call is signed and verified
+- **Encrypted in-memory audit log** — AES-256-GCM, queryable at runtime
+- **Zero network calls** — everything runs locally, no external service required
+
+---
+
+## Installation
+
+```bash
+npm install agents-chain
+# or
+pnpm add agents-chain
+```
+
+> Requires Node.js 18+
+
+---
+
+## Quick start
+
+### OpenAI
+
+```ts
+import { AgentsChain } from 'agents-chain';
+import OpenAI from 'openai';
+
+const chain = await AgentsChain.create({
+  agentName: 'summarizer',
+  hostname: 'my-app',
+  capabilities: ['chat.completion'],
+});
+
+const ai = chain.openai(new OpenAI({ apiKey: process.env.OPENAI_API_KEY }));
+
+const response = await ai.chat.completions.create({
+  model: 'gpt-4o',
+  messages: [{ role: 'user', content: 'Summarize the water cycle in one sentence.' }],
+});
+
+console.log(response.choices[0].message.content);
+```
+
+### Anthropic
+
+```ts
+import { AgentsChain } from 'agents-chain';
+import Anthropic from '@anthropic-ai/sdk';
+
+const chain = await AgentsChain.create({
+  agentName: 'classifier',
+  hostname: 'my-app',
+  capabilities: ['messages.create'],
+});
+
+const ai = chain.anthropic(new Anthropic({ apiKey: process.env.ANTHROPIC_API_KEY }));
+
+const response = await ai.messages.create({
+  model: 'claude-sonnet-4-6',
+  max_tokens: 256,
+  messages: [{ role: 'user', content: 'Classify this text as positive or negative: "I love it!"' }],
+});
+
+console.log(response.content[0]);
+```
+
+---
+
+## Configuration
+
+```ts
+const chain = await AgentsChain.create({
+  agentName: string;      // Human-readable name for this agent
+  hostname: string;       // Used to build the agentId: "<hostname>-agent-<32hex>"
+  capabilities: string[]; // List of capability strings this agent is allowed to use
+  encryptionKey?: string; // Optional 64-char hex (32-byte) AES-256-GCM key.
+                          // Omit to generate a random key per session.
+                          // Provide to persist and reload audit logs across restarts.
+});
+```
+
+---
+
+## Audit log
+
+Every API call through a wrapped client is recorded in an encrypted in-memory log.
+
+```ts
+// Get all entries (decrypted)
+const entries = chain.getAuditLog();
+
+// Full snapshot with metadata
+const snapshot = chain.exportAudit();
+// { agentId, entries, exportedAt }
+
+// Summary counts
+const stats = chain.getStats();
+// { agentId, agentName, hostname, totalCalls, successfulCalls, deniedCalls, errorCalls, registeredAt }
+```
+
+Each `AuditEntry` contains:
+
+| Field | Type | Description |
+|---|---|---|
+| `id` | `string` | Unique entry ID |
+| `agentId` | `string` | The agent that made the call |
+| `capability` | `string` | Capability used |
+| `result` | `"success" \| "denied" \| "error"` | Outcome |
+| `timestamp` | `number` | Unix ms |
+| `meta` | `Record<string, unknown>` | Provider-specific metadata |
+
+---
+
+## Identity & crypto utilities
+
+Low-level utilities are exported if you need direct access:
+
+```ts
+import {
+  generateKeyPair,
+  exportPublicKeyJwk,
+  exportPrivateKeyJwk,
+  importPublicKeyJwk,
+  computeJwkThumbprint,
+  signJwt,
+  verifyJwtSignature,
+  decodeJwtUnsafe,
+  generateId,
+  generateAgentId,
+  base64UrlEncode,
+  base64UrlDecode,
+} from 'agents-chain';
+```
+
+---
+
+## License
+
+MIT — [brianmwangidev](https://www.npmjs.com/~brianmwangidev)

package/dist/audit/audit-log.d.ts

@@ -0,0 +1,44 @@
+/**
+ * AuditLog — append-only encrypted log of all capability call attempts.
+ *
+ * Every intercepted call (success, denied, or error) is recorded.
+ * Entries are encrypted with AES-256-GCM before being written to the store,
+ * so even if someone inspects process memory they see only ciphertext.
+ *
+ * The log is append-only within a session. There is no delete API.
+ */
+import type { EncryptedStore } from "../memory/encrypted-store.js";
+import type { AuditEntry, AuditResult } from "../types/audit.js";
+import type { VerifiedCallContext } from "../auth/token-verifier.js";
+export type RecordDeniedOptions = {
+    agentId: string;
+    agentName: string;
+    hostname: string;
+    capability: string;
+    args: Record<string, unknown>;
+    reason: string;
+    jti: string;
+};
+export type RecordCallOptions = {
+    context: VerifiedCallContext;
+    args: Record<string, unknown>;
+    result: Exclude<AuditResult, "denied">;
+    durationMs: number;
+    errorMessage?: string;
+};
+export declare class AuditLog {
+    private readonly store;
+    constructor(store: EncryptedStore);
+    /** Record a denied capability call (before the SDK is touched). */
+    recordDenied(opts: RecordDeniedOptions): AuditEntry;
+    /** Record a completed capability call (success or error). */
+    recordCall(opts: RecordCallOptions): AuditEntry;
+    /** Return all decrypted audit entries for this session. */
+    getAll(): AuditEntry[];
+    /** Return entries filtered by result type. */
+    getByResult(result: AuditResult): AuditEntry[];
+    /** Return entries filtered by capability name. */
+    getByCapability(capability: string): AuditEntry[];
+    get count(): number;
+}
+//# sourceMappingURL=audit-log.d.ts.map

package/dist/audit/audit-log.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"audit-log.d.ts","sourceRoot":"","sources":["../../src/audit/audit-log.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAGH,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,8BAA8B,CAAC;AACnE,OAAO,KAAK,EAAE,UAAU,EAAE,WAAW,EAAE,MAAM,mBAAmB,CAAC;AACjE,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,2BAA2B,CAAC;AAIrE,MAAM,MAAM,mBAAmB,GAAG;IAC9B,OAAO,EAAE,MAAM,CAAC;IAChB,SAAS,EAAE,MAAM,CAAC;IAClB,QAAQ,EAAE,MAAM,CAAC;IACjB,UAAU,EAAE,MAAM,CAAC;IACnB,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAC9B,MAAM,EAAE,MAAM,CAAC;IACf,GAAG,EAAE,MAAM,CAAC;CACf,CAAC;AAEF,MAAM,MAAM,iBAAiB,GAAG;IAC5B,OAAO,EAAE,mBAAmB,CAAC;IAC7B,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAC9B,MAAM,EAAE,OAAO,CAAC,WAAW,EAAE,QAAQ,CAAC,CAAC;IACvC,UAAU,EAAE,MAAM,CAAC;IACnB,YAAY,CAAC,EAAE,MAAM,CAAC;CACzB,CAAC;AAEF,qBAAa,QAAQ;IACL,OAAO,CAAC,QAAQ,CAAC,KAAK;gBAAL,KAAK,EAAE,cAAc;IAElD,mEAAmE;IACnE,YAAY,CAAC,IAAI,EAAE,mBAAmB,GAAG,UAAU;IAkBnD,6DAA6D;IAC7D,UAAU,CAAC,IAAI,EAAE,iBAAiB,GAAG,UAAU;IAkB/C,2DAA2D;IAC3D,MAAM,IAAI,UAAU,EAAE;IAItB,8CAA8C;IAC9C,WAAW,CAAC,MAAM,EAAE,WAAW,GAAG,UAAU,EAAE;IAI9C,kDAAkD;IAClD,eAAe,CAAC,UAAU,EAAE,MAAM,GAAG,UAAU,EAAE;IAIjD,IAAI,KAAK,IAAI,MAAM,CAElB;CACJ"}

package/dist/audit/audit-log.js

@@ -0,0 +1,88 @@
+/**
+ * AuditLog — append-only encrypted log of all capability call attempts.
+ *
+ * Every intercepted call (success, denied, or error) is recorded.
+ * Entries are encrypted with AES-256-GCM before being written to the store,
+ * so even if someone inspects process memory they see only ciphertext.
+ *
+ * The log is append-only within a session. There is no delete API.
+ */
+import { generateId } from "../crypto/utils.js";
+const STORE_KEY_LOG = "audit:log";
+export class AuditLog {
+    constructor(store) {
+        this.store = store;
+    }
+    /** Record a denied capability call (before the SDK is touched). */
+    recordDenied(opts) {
+        const entry = {
+            id: generateId("aud"),
+            agentId: opts.agentId,
+            agentName: opts.agentName,
+            hostname: opts.hostname,
+            capability: opts.capability,
+            args: sanitizeArgs(opts.args),
+            result: "denied",
+            denialReason: opts.reason,
+            jti: opts.jti,
+            timestamp: Date.now(),
+            durationMs: 0,
+        };
+        this.store.append(STORE_KEY_LOG, entry);
+        return entry;
+    }
+    /** Record a completed capability call (success or error). */
+    recordCall(opts) {
+        const entry = {
+            id: generateId("aud"),
+            agentId: opts.context.agentId,
+            agentName: opts.context.agentName,
+            hostname: opts.context.hostname,
+            capability: opts.context.capability,
+            args: sanitizeArgs(opts.args),
+            result: opts.result,
+            errorMessage: opts.errorMessage,
+            jti: opts.context.jti,
+            timestamp: Date.now(),
+            durationMs: opts.durationMs,
+        };
+        this.store.append(STORE_KEY_LOG, entry);
+        return entry;
+    }
+    /** Return all decrypted audit entries for this session. */
+    getAll() {
+        return this.store.get(STORE_KEY_LOG) ?? [];
+    }
+    /** Return entries filtered by result type. */
+    getByResult(result) {
+        return this.getAll().filter((e) => e.result === result);
+    }
+    /** Return entries filtered by capability name. */
+    getByCapability(capability) {
+        return this.getAll().filter((e) => e.capability === capability);
+    }
+    get count() {
+        return this.getAll().length;
+    }
+}
+/**
+ * Strip values that look like secrets from args before logging.
+ * Keys matching this pattern are replaced with "[REDACTED]".
+ */
+const SECRET_KEY_PATTERN = /(?:key|secret|token|password|auth|credential|bearer)/i;
+function sanitizeArgs(args) {
+    const out = {};
+    for (const [k, v] of Object.entries(args)) {
+        if (SECRET_KEY_PATTERN.test(k)) {
+            out[k] = "[REDACTED]";
+        }
+        else if (typeof v === "object" && v !== null && !Array.isArray(v)) {
+            out[k] = sanitizeArgs(v);
+        }
+        else {
+            out[k] = v;
+        }
+    }
+    return out;
+}
+//# sourceMappingURL=audit-log.js.map

package/dist/audit/audit-log.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"audit-log.js","sourceRoot":"","sources":["../../src/audit/audit-log.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,OAAO,EAAE,UAAU,EAAE,MAAM,oBAAoB,CAAC;AAKhD,MAAM,aAAa,GAAG,WAAW,CAAC;AAoBlC,MAAM,OAAO,QAAQ;IACjB,YAA6B,KAAqB;QAArB,UAAK,GAAL,KAAK,CAAgB;IAAG,CAAC;IAEtD,mEAAmE;IACnE,YAAY,CAAC,IAAyB;QAClC,MAAM,KAAK,GAAe;YACtB,EAAE,EAAE,UAAU,CAAC,KAAK,CAAC;YACrB,OAAO,EAAE,IAAI,CAAC,OAAO;YACrB,SAAS,EAAE,IAAI,CAAC,SAAS;YACzB,QAAQ,EAAE,IAAI,CAAC,QAAQ;YACvB,UAAU,EAAE,IAAI,CAAC,UAAU;YAC3B,IAAI,EAAE,YAAY,CAAC,IAAI,CAAC,IAAI,CAAC;YAC7B,MAAM,EAAE,QAAQ;YAChB,YAAY,EAAE,IAAI,CAAC,MAAM;YACzB,GAAG,EAAE,IAAI,CAAC,GAAG;YACb,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE;YACrB,UAAU,EAAE,CAAC;SAChB,CAAC;QACF,IAAI,CAAC,KAAK,CAAC,MAAM,CAAa,aAAa,EAAE,KAAK,CAAC,CAAC;QACpD,OAAO,KAAK,CAAC;IACjB,CAAC;IAED,6DAA6D;IAC7D,UAAU,CAAC,IAAuB;QAC9B,MAAM,KAAK,GAAe;YACtB,EAAE,EAAE,UAAU,CAAC,KAAK,CAAC;YACrB,OAAO,EAAE,IAAI,CAAC,OAAO,CAAC,OAAO;YAC7B,SAAS,EAAE,IAAI,CAAC,OAAO,CAAC,SAAS;YACjC,QAAQ,EAAE,IAAI,CAAC,OAAO,CAAC,QAAQ;YAC/B,UAAU,EAAE,IAAI,CAAC,OAAO,CAAC,UAAU;YACnC,IAAI,EAAE,YAAY,CAAC,IAAI,CAAC,IAAI,CAAC;YAC7B,MAAM,EAAE,IAAI,CAAC,MAAM;YACnB,YAAY,EAAE,IAAI,CAAC,YAAY;YAC/B,GAAG,EAAE,IAAI,CAAC,OAAO,CAAC,GAAG;YACrB,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE;YACrB,UAAU,EAAE,IAAI,CAAC,UAAU;SAC9B,CAAC;QACF,IAAI,CAAC,KAAK,CAAC,MAAM,CAAa,aAAa,EAAE,KAAK,CAAC,CAAC;QACpD,OAAO,KAAK,CAAC;IACjB,CAAC;IAED,2DAA2D;IAC3D,MAAM;QACF,OAAO,IAAI,CAAC,KAAK,CAAC,GAAG,CAAe,aAAa,CAAC,IAAI,EAAE,CAAC;IAC7D,CAAC;IAED,8CAA8C;IAC9C,WAAW,CAAC,MAAmB;QAC3B,OAAO,IAAI,CAAC,MAAM,EAAE,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,MAAM,KAAK,MAAM,CAAC,CAAC;IAC5D,CAAC;IAED,kDAAkD;IAClD,eAAe,CAAC,UAAkB;QAC9B,OAAO,IAAI,CAAC,MAAM,EAAE,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,UAAU,KAAK,UAAU,CAAC,CAAC;IACpE,CAAC;IAED,IAAI,KAAK;QACL,OAAO,IAAI,CAAC,MAAM,EAAE,CAAC,MAAM,CAAC;IAChC,CAAC;CACJ;AAED;;;GAGG;AACH,MAAM,kBAAkB,GAAG,uDAAuD,CAAC;AAEnF,SAAS,YAAY,CAAC,IAA6B;IAC/C,MAAM,GAAG,GAA4B,EAAE,CAAC;IACxC,KAAK,MAAM,CAAC,CAAC,EAAE,CAAC,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,CAAC;QACxC,IAAI,kBAAkB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC;YAC7B,GAAG,CAAC,CAAC,CAAC,GAAG,YAAY,CAAC;QAC1B,CAAC;aAAM,IAAI,OAAO,CAAC,KAAK,QAAQ,IAAI,CAAC,KAAK,IAAI,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,EAAE,CAAC;YAClE,GAAG,CAAC,CAAC,CAAC,GAAG,YAAY,CAAC,CAA4B,CAAC,CAAC;QACxD,CAAC;aAAM,CAAC;YACJ,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC;QACf,CAAC;IACL,CAAC;IACD,OAAO,GAAG,CAAC;AACf,CAAC"}

package/dist/auth/token-builder.d.ts

@@ -0,0 +1,32 @@
+/**
+ * TokenBuilder — creates signed agent+jwt tokens per capability call.
+ *
+ * Security design:
+ * - Every token is single-use: a fresh cryptographically random jti per call.
+ * - TTL is 60 seconds — minimal viable window for a synchronous SDK call.
+ * - The iss claim is the public key thumbprint (not a mutable name string).
+ *   This ties the token cryptographically to the specific keypair.
+ * - The sub is the agentId (<hostname>-agent-<32hex>).
+ * - The aud is the capability name — a token for "chat.completion" cannot
+ *   be presented as authorization for "embedding".
+ */
+import type { AgentIdentity } from "../identity/agent-identity.js";
+export type AgentJwtClaims = {
+    iss: string;
+    sub: string;
+    aud: string;
+    iat: number;
+    exp: number;
+    jti: string;
+    hostname: string;
+    agentName: string;
+};
+export declare class TokenBuilder {
+    private readonly identity;
+    constructor(identity: AgentIdentity);
+    build(capability: string): Promise<{
+        token: string;
+        claims: AgentJwtClaims;
+    }>;
+}
+//# sourceMappingURL=token-builder.d.ts.map

package/dist/auth/token-builder.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"token-builder.d.ts","sourceRoot":"","sources":["../../src/auth/token-builder.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAKH,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,+BAA+B,CAAC;AAEnE,MAAM,MAAM,cAAc,GAAG;IACzB,GAAG,EAAE,MAAM,CAAC;IACZ,GAAG,EAAE,MAAM,CAAC;IACZ,GAAG,EAAE,MAAM,CAAC;IACZ,GAAG,EAAE,MAAM,CAAC;IACZ,GAAG,EAAE,MAAM,CAAC;IACZ,GAAG,EAAE,MAAM,CAAC;IACZ,QAAQ,EAAE,MAAM,CAAC;IACjB,SAAS,EAAE,MAAM,CAAC;CACrB,CAAC;AAIF,qBAAa,YAAY;IACT,OAAO,CAAC,QAAQ,CAAC,QAAQ;gBAAR,QAAQ,EAAE,aAAa;IAE9C,KAAK,CAAC,UAAU,EAAE,MAAM,GAAG,OAAO,CAAC;QAAE,KAAK,EAAE,MAAM,CAAC;QAAC,MAAM,EAAE,cAAc,CAAA;KAAE,CAAC;CAkBtF"}

package/dist/auth/token-builder.js

@@ -0,0 +1,38 @@
+/**
+ * TokenBuilder — creates signed agent+jwt tokens per capability call.
+ *
+ * Security design:
+ * - Every token is single-use: a fresh cryptographically random jti per call.
+ * - TTL is 60 seconds — minimal viable window for a synchronous SDK call.
+ * - The iss claim is the public key thumbprint (not a mutable name string).
+ *   This ties the token cryptographically to the specific keypair.
+ * - The sub is the agentId (<hostname>-agent-<32hex>).
+ * - The aud is the capability name — a token for "chat.completion" cannot
+ *   be presented as authorization for "embedding".
+ */
+import { randomBytes } from "node:crypto";
+import { signJwt } from "../crypto/ed25519.js";
+import { base64UrlEncode } from "../crypto/utils.js";
+const TOKEN_TTL_SECONDS = 60;
+export class TokenBuilder {
+    constructor(identity) {
+        this.identity = identity;
+    }
+    async build(capability) {
+        const nowSeconds = Math.floor(Date.now() / 1000);
+        const jti = base64UrlEncode(randomBytes(16));
+        const claims = {
+            iss: this.identity.thumbprint,
+            sub: this.identity.agentId,
+            aud: capability,
+            iat: nowSeconds,
+            exp: nowSeconds + TOKEN_TTL_SECONDS,
+            jti,
+            hostname: this.identity.registration.hostname,
+            agentName: this.identity.registration.agentName,
+        };
+        const token = await signJwt(claims, this.identity.privateKey, "agent+jwt");
+        return { token, claims };
+    }
+}
+//# sourceMappingURL=token-builder.js.map

package/dist/auth/token-builder.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"token-builder.js","sourceRoot":"","sources":["../../src/auth/token-builder.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAEH,OAAO,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AAC1C,OAAO,EAAE,OAAO,EAAE,MAAM,sBAAsB,CAAC;AAC/C,OAAO,EAAE,eAAe,EAAE,MAAM,oBAAoB,CAAC;AAcrD,MAAM,iBAAiB,GAAG,EAAE,CAAC;AAE7B,MAAM,OAAO,YAAY;IACrB,YAA6B,QAAuB;QAAvB,aAAQ,GAAR,QAAQ,CAAe;IAAG,CAAC;IAExD,KAAK,CAAC,KAAK,CAAC,UAAkB;QAC1B,MAAM,UAAU,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;QACjD,MAAM,GAAG,GAAG,eAAe,CAAC,WAAW,CAAC,EAAE,CAAC,CAAC,CAAC;QAE7C,MAAM,MAAM,GAAmB;YAC3B,GAAG,EAAE,IAAI,CAAC,QAAQ,CAAC,UAAU;YAC7B,GAAG,EAAE,IAAI,CAAC,QAAQ,CAAC,OAAO;YAC1B,GAAG,EAAE,UAAU;YACf,GAAG,EAAE,UAAU;YACf,GAAG,EAAE,UAAU,GAAG,iBAAiB;YACnC,GAAG;YACH,QAAQ,EAAE,IAAI,CAAC,QAAQ,CAAC,YAAY,CAAC,QAAQ;YAC7C,SAAS,EAAE,IAAI,CAAC,QAAQ,CAAC,YAAY,CAAC,SAAS;SAClD,CAAC;QAEF,MAAM,KAAK,GAAG,MAAM,OAAO,CAAC,MAAM,EAAE,IAAI,CAAC,QAAQ,CAAC,UAAU,EAAE,WAAW,CAAC,CAAC;QAC3E,OAAO,EAAE,KAAK,EAAE,MAAM,EAAE,CAAC;IAC7B,CAAC;CACJ"}

package/dist/auth/token-verifier.d.ts

@@ -0,0 +1,37 @@
+/**
+ * TokenVerifier — verifies an agent+jwt token against the registered identity.
+ *
+ * Verification steps (must all pass before a capability call proceeds):
+ *
+ * 1. Decode JWT header — confirm typ = "agent+jwt"
+ * 2. Decode payload — extract iss (thumbprint), sub (agentId), aud (capability)
+ * 3. Verify sub matches the registered agentId — no foreign agents
+ * 4. Verify iss matches the registered public key thumbprint — no key swap
+ * 5. Verify aud matches the requested capability — scope-bound token
+ * 6. Import the registered public key and verify the Ed25519 signature
+ * 7. Check exp / iat temporal claims + clock skew
+ * 8. Check jti uniqueness (replay protection) via JtiCache
+ * 9. Verify the agent holds an active grant for the capability
+ *
+ * Steps 3-4 together prevent a valid token issued for a different agent
+ * (or different key) from being presented against this identity.
+ */
+import type { AgentIdentity } from "../identity/agent-identity.js";
+import type { JtiCache } from "../memory/jti-cache.js";
+export type VerifiedCallContext = {
+    agentId: string;
+    agentName: string;
+    hostname: string;
+    capability: string;
+    jti: string;
+    iat: number;
+    exp: number;
+};
+export declare class TokenVerifier {
+    private readonly identity;
+    private readonly jtiCache;
+    constructor(identity: AgentIdentity, jtiCache: JtiCache);
+    verify(token: string, capability: string): Promise<VerifiedCallContext>;
+    private assertTemporal;
+}
+//# sourceMappingURL=token-verifier.d.ts.map

package/dist/auth/token-verifier.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"token-verifier.d.ts","sourceRoot":"","sources":["../../src/auth/token-verifier.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;GAiBG;AAIH,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,+BAA+B,CAAC;AACnE,OAAO,KAAK,EAAE,QAAQ,EAAE,MAAM,wBAAwB,CAAC;AAMvD,MAAM,MAAM,mBAAmB,GAAG;IAC9B,OAAO,EAAE,MAAM,CAAC;IAChB,SAAS,EAAE,MAAM,CAAC;IAClB,QAAQ,EAAE,MAAM,CAAC;IACjB,UAAU,EAAE,MAAM,CAAC;IACnB,GAAG,EAAE,MAAM,CAAC;IACZ,GAAG,EAAE,MAAM,CAAC;IACZ,GAAG,EAAE,MAAM,CAAC;CACf,CAAC;AAEF,qBAAa,aAAa;IAElB,OAAO,CAAC,QAAQ,CAAC,QAAQ;IACzB,OAAO,CAAC,QAAQ,CAAC,QAAQ;gBADR,QAAQ,EAAE,aAAa,EACvB,QAAQ,EAAE,QAAQ;IAGjC,MAAM,CAAC,KAAK,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,GAAG,OAAO,CAAC,mBAAmB,CAAC;IAiE7E,OAAO,CAAC,cAAc;CAwBzB"}

package/dist/auth/token-verifier.js

@@ -0,0 +1,86 @@
+/**
+ * TokenVerifier — verifies an agent+jwt token against the registered identity.
+ *
+ * Verification steps (must all pass before a capability call proceeds):
+ *
+ * 1. Decode JWT header — confirm typ = "agent+jwt"
+ * 2. Decode payload — extract iss (thumbprint), sub (agentId), aud (capability)
+ * 3. Verify sub matches the registered agentId — no foreign agents
+ * 4. Verify iss matches the registered public key thumbprint — no key swap
+ * 5. Verify aud matches the requested capability — scope-bound token
+ * 6. Import the registered public key and verify the Ed25519 signature
+ * 7. Check exp / iat temporal claims + clock skew
+ * 8. Check jti uniqueness (replay protection) via JtiCache
+ * 9. Verify the agent holds an active grant for the capability
+ *
+ * Steps 3-4 together prevent a valid token issued for a different agent
+ * (or different key) from being presented against this identity.
+ */
+import { verifyJwtSignature, decodeJwtUnsafe } from "../crypto/ed25519.js";
+import { ChainAuthError } from "../errors/chain-error.js";
+const CLOCK_SKEW_MS = 30000; // 30 seconds tolerance
+const JWT_MAX_AGE_MS = 60000; // 60 seconds — matches TOKEN_TTL_SECONDS
+export class TokenVerifier {
+    constructor(identity, jtiCache) {
+        this.identity = identity;
+        this.jtiCache = jtiCache;
+    }
+    async verify(token, capability) {
+        let unsafeClaims;
+        try {
+            const decoded = decodeJwtUnsafe(token);
+            unsafeClaims = decoded.payload;
+        }
+        catch (err) {
+            throw new ChainAuthError("token_invalid", `JWT decode failed: ${err instanceof Error ? err.message : String(err)}`);
+        }
+        if (unsafeClaims.sub !== this.identity.agentId) {
+            throw new ChainAuthError("agent_not_found", `JWT sub "${unsafeClaims.sub}" does not match registered agentId "${this.identity.agentId}"`);
+        }
+        if (unsafeClaims.iss !== this.identity.thumbprint) {
+            throw new ChainAuthError("token_invalid", "JWT iss does not match registered public key thumbprint — possible key substitution attack");
+        }
+        if (unsafeClaims.aud !== capability) {
+            throw new ChainAuthError("capability_denied", `JWT aud "${unsafeClaims.aud}" does not match requested capability "${capability}"`);
+        }
+        const publicKey = await this.identity.getPublicKey();
+        try {
+            await verifyJwtSignature(token, publicKey, { expectedTyp: "agent+jwt" });
+        }
+        catch (err) {
+            throw new ChainAuthError("token_invalid", `Signature verification failed: ${err instanceof Error ? err.message : String(err)}`);
+        }
+        this.assertTemporal(unsafeClaims);
+        this.jtiCache.assert(this.identity.agentId, unsafeClaims.jti);
+        if (!this.identity.hasCapability(capability)) {
+            throw new ChainAuthError("capability_denied", `Agent "${this.identity.agentId}" does not hold a grant for capability "${capability}"`);
+        }
+        return {
+            agentId: this.identity.agentId,
+            agentName: this.identity.registration.agentName,
+            hostname: this.identity.registration.hostname,
+            capability,
+            jti: unsafeClaims.jti,
+            iat: unsafeClaims.iat,
+            exp: unsafeClaims.exp,
+        };
+    }
+    assertTemporal(claims) {
+        if (typeof claims.iat !== "number" || typeof claims.exp !== "number") {
+            throw new ChainAuthError("token_invalid", "JWT missing iat or exp claims");
+        }
+        const nowMs = Date.now();
+        const iatMs = claims.iat * 1000;
+        const expMs = claims.exp * 1000;
+        if (iatMs > nowMs + CLOCK_SKEW_MS) {
+            throw new ChainAuthError("token_invalid", "JWT iat is in the future — clock skew too large or token pre-generated");
+        }
+        if (expMs < nowMs - CLOCK_SKEW_MS) {
+            throw new ChainAuthError("token_expired", "JWT has expired");
+        }
+        if (expMs - iatMs > JWT_MAX_AGE_MS + CLOCK_SKEW_MS) {
+            throw new ChainAuthError("token_invalid", `JWT lifetime of ${Math.round((expMs - iatMs) / 1000)}s exceeds maximum of ${JWT_MAX_AGE_MS / 1000}s`);
+        }
+    }
+}
+//# sourceMappingURL=token-verifier.js.map

package/dist/auth/token-verifier.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"token-verifier.js","sourceRoot":"","sources":["../../src/auth/token-verifier.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;GAiBG;AAEH,OAAO,EAAE,kBAAkB,EAAE,eAAe,EAAE,MAAM,sBAAsB,CAAC;AAC3E,OAAO,EAAE,cAAc,EAAE,MAAM,0BAA0B,CAAC;AAK1D,MAAM,aAAa,GAAG,KAAM,CAAC,CAAE,uBAAuB;AACtD,MAAM,cAAc,GAAG,KAAM,CAAC,CAAC,yCAAyC;AAYxE,MAAM,OAAO,aAAa;IACtB,YACqB,QAAuB,EACvB,QAAkB;QADlB,aAAQ,GAAR,QAAQ,CAAe;QACvB,aAAQ,GAAR,QAAQ,CAAU;IACpC,CAAC;IAEJ,KAAK,CAAC,MAAM,CAAC,KAAa,EAAE,UAAkB;QAC1C,IAAI,YAA4B,CAAC;QACjC,IAAI,CAAC;YACD,MAAM,OAAO,GAAG,eAAe,CAAiB,KAAK,CAAC,CAAC;YACvD,YAAY,GAAG,OAAO,CAAC,OAAO,CAAC;QACnC,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACX,MAAM,IAAI,cAAc,CACpB,eAAe,EACf,sBAAsB,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,CAC3E,CAAC;QACN,CAAC;QAED,IAAI,YAAY,CAAC,GAAG,KAAK,IAAI,CAAC,QAAQ,CAAC,OAAO,EAAE,CAAC;YAC7C,MAAM,IAAI,cAAc,CACpB,iBAAiB,EACjB,YAAY,YAAY,CAAC,GAAG,wCAAwC,IAAI,CAAC,QAAQ,CAAC,OAAO,GAAG,CAC/F,CAAC;QACN,CAAC;QAED,IAAI,YAAY,CAAC,GAAG,KAAK,IAAI,CAAC,QAAQ,CAAC,UAAU,EAAE,CAAC;YAChD,MAAM,IAAI,cAAc,CACpB,eAAe,EACf,4FAA4F,CAC/F,CAAC;QACN,CAAC;QAED,IAAI,YAAY,CAAC,GAAG,KAAK,UAAU,EAAE,CAAC;YAClC,MAAM,IAAI,cAAc,CACpB,mBAAmB,EACnB,YAAY,YAAY,CAAC,GAAG,0CAA0C,UAAU,GAAG,CACtF,CAAC;QACN,CAAC;QAED,MAAM,SAAS,GAAG,MAAM,IAAI,CAAC,QAAQ,CAAC,YAAY,EAAE,CAAC;QACrD,IAAI,CAAC;YACD,MAAM,kBAAkB,CAAiB,KAAK,EAAE,SAAS,EAAE,EAAE,WAAW,EAAE,WAAW,EAAE,CAAC,CAAC;QAC7F,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACX,MAAM,IAAI,cAAc,CACpB,eAAe,EACf,kCAAkC,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,CACvF,CAAC;QACN,CAAC;QAED,IAAI,CAAC,cAAc,CAAC,YAAY,CAAC,CAAC;QAElC,IAAI,CAAC,QAAQ,CAAC,MAAM,CAAC,IAAI,CAAC,QAAQ,CAAC,OAAO,EAAE,YAAY,CAAC,GAAG,CAAC,CAAC;QAE9D,IAAI,CAAC,IAAI,CAAC,QAAQ,CAAC,aAAa,CAAC,UAAU,CAAC,EAAE,CAAC;YAC3C,MAAM,IAAI,cAAc,CACpB,mBAAmB,EACnB,UAAU,IAAI,CAAC,QAAQ,CAAC,OAAO,2CAA2C,UAAU,GAAG,CAC1F,CAAC;QACN,CAAC;QAED,OAAO;YACH,OAAO,EAAE,IAAI,CAAC,QAAQ,CAAC,OAAO;YAC9B,SAAS,EAAE,IAAI,CAAC,QAAQ,CAAC,YAAY,CAAC,SAAS;YAC/C,QAAQ,EAAE,IAAI,CAAC,QAAQ,CAAC,YAAY,CAAC,QAAQ;YAC7C,UAAU;YACV,GAAG,EAAE,YAAY,CAAC,GAAG;YACrB,GAAG,EAAE,YAAY,CAAC,GAAG;YACrB,GAAG,EAAE,YAAY,CAAC,GAAG;SACxB,CAAC;IACN,CAAC;IAEO,cAAc,CAAC,MAAsB;QACzC,IAAI,OAAO,MAAM,CAAC,GAAG,KAAK,QAAQ,IAAI,OAAO,MAAM,CAAC,GAAG,KAAK,QAAQ,EAAE,CAAC;YACnE,MAAM,IAAI,cAAc,CAAC,eAAe,EAAE,+BAA+B,CAAC,CAAC;QAC/E,CAAC;QAED,MAAM,KAAK,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QACzB,MAAM,KAAK,GAAG,MAAM,CAAC,GAAG,GAAG,IAAI,CAAC;QAChC,MAAM,KAAK,GAAG,MAAM,CAAC,GAAG,GAAG,IAAI,CAAC;QAEhC,IAAI,KAAK,GAAG,KAAK,GAAG,aAAa,EAAE,CAAC;YAChC,MAAM,IAAI,cAAc,CAAC,eAAe,EAAE,wEAAwE,CAAC,CAAC;QACxH,CAAC;QAED,IAAI,KAAK,GAAG,KAAK,GAAG,aAAa,EAAE,CAAC;YAChC,MAAM,IAAI,cAAc,CAAC,eAAe,EAAE,iBAAiB,CAAC,CAAC;QACjE,CAAC;QAED,IAAI,KAAK,GAAG,KAAK,GAAG,cAAc,GAAG,aAAa,EAAE,CAAC;YACjD,MAAM,IAAI,cAAc,CACpB,eAAe,EACf,mBAAmB,IAAI,CAAC,KAAK,CAAC,CAAC,KAAK,GAAG,KAAK,CAAC,GAAG,IAAI,CAAC,wBAAwB,cAAc,GAAG,IAAI,GAAG,CACxG,CAAC;QACN,CAAC;IACL,CAAC;CACJ"}

package/dist/chain.d.ts

@@ -0,0 +1,36 @@
+/**
+ * AgentsChain — the main entry point for the agents-chain package.
+ *
+ * Usage:
+ *
+ *   const chain = await AgentsChain.create({
+ *     agentName: "summarizer",
+ *     hostname: "my-app",        // → agentId: "my-app-agent-<32hex>"
+ *     capabilities: ["chat.completion", "embedding"],
+ *   });
+ *
+ *   const ai = chain.openai(new OpenAI({ apiKey }));
+ *   const result = await ai.chat.completions.create({ model: "gpt-4o", ... });
+ *
+ *   const log = chain.getAuditLog();    // All calls, decrypted
+ *   const stats = chain.getStats();     // Summary counts
+ */
+import type { AgentConfig, ChainStats, AuditSnapshot } from "./types/chain.js";
+import type { AuditEntry } from "./types/audit.js";
+export declare class AgentsChain {
+    private readonly store;
+    private readonly identity;
+    private readonly builder;
+    private readonly verifier;
+    private readonly log;
+    private constructor();
+    static create(config: AgentConfig): Promise<AgentsChain>;
+    openai<T extends object>(client: T): T;
+    anthropic<T extends object>(client: T): T;
+    get agentId(): string;
+    get capabilities(): string[];
+    getAuditLog(): AuditEntry[];
+    exportAudit(): AuditSnapshot;
+    getStats(): ChainStats;
+}
+//# sourceMappingURL=chain.d.ts.map

package/dist/chain.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"chain.d.ts","sourceRoot":"","sources":["../src/chain.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;GAgBG;AAUH,OAAO,KAAK,EAAE,WAAW,EAAE,UAAU,EAAE,aAAa,EAAE,MAAM,kBAAkB,CAAC;AAC/E,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,kBAAkB,CAAC;AAEnD,qBAAa,WAAW;IACpB,OAAO,CAAC,QAAQ,CAAC,KAAK,CAAiB;IACvC,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAgB;IACzC,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAe;IACvC,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAgB;IACzC,OAAO,CAAC,QAAQ,CAAC,GAAG,CAAW;IAE/B,OAAO;WAcM,MAAM,CAAC,MAAM,EAAE,WAAW,GAAG,OAAO,CAAC,WAAW,CAAC;IAa9D,MAAM,CAAC,CAAC,SAAS,MAAM,EAAE,MAAM,EAAE,CAAC,GAAG,CAAC;IAStC,SAAS,CAAC,CAAC,SAAS,MAAM,EAAE,MAAM,EAAE,CAAC,GAAG,CAAC;IASzC,IAAI,OAAO,IAAI,MAAM,CAEpB;IACD,IAAI,YAAY,IAAI,MAAM,EAAE,CAE3B;IACD,WAAW,IAAI,UAAU,EAAE;IAG3B,WAAW,IAAI,aAAa;IAO5B,QAAQ,IAAI,UAAU;CAazB"}

package/dist/chain.js

@@ -0,0 +1,90 @@
+/**
+ * AgentsChain — the main entry point for the agents-chain package.
+ *
+ * Usage:
+ *
+ *   const chain = await AgentsChain.create({
+ *     agentName: "summarizer",
+ *     hostname: "my-app",        // → agentId: "my-app-agent-<32hex>"
+ *     capabilities: ["chat.completion", "embedding"],
+ *   });
+ *
+ *   const ai = chain.openai(new OpenAI({ apiKey }));
+ *   const result = await ai.chat.completions.create({ model: "gpt-4o", ... });
+ *
+ *   const log = chain.getAuditLog();    // All calls, decrypted
+ *   const stats = chain.getStats();     // Summary counts
+ */
+import { EncryptedStore } from "./memory/encrypted-store.js";
+import { JtiCache } from "./memory/jti-cache.js";
+import { AgentIdentity } from "./identity/agent-identity.js";
+import { TokenBuilder } from "./auth/token-builder.js";
+import { TokenVerifier } from "./auth/token-verifier.js";
+import { AuditLog } from "./audit/audit-log.js";
+import { wrapOpenAI } from "./wrappers/openai-wrapper.js";
+import { wrapAnthropic } from "./wrappers/anthropic-wrapper.js";
+export class AgentsChain {
+    constructor(store, identity, builder, verifier, log) {
+        this.store = store;
+        this.identity = identity;
+        this.builder = builder;
+        this.verifier = verifier;
+        this.log = log;
+    }
+    static async create(config) {
+        const store = EncryptedStore.create(config.encryptionKey);
+        const jtiCache = new JtiCache();
+        const identity = await AgentIdentity.create(config, store);
+        const builder = new TokenBuilder(identity);
+        const verifier = new TokenVerifier(identity, jtiCache);
+        const log = new AuditLog(store);
+        return new AgentsChain(store, identity, builder, verifier, log);
+    }
+    // ─── SDK Wrappers ─────────────────────────────────────────────────────────
+    openai(client) {
+        return wrapOpenAI(client, {
+            identity: this.identity,
+            builder: this.builder,
+            verifier: this.verifier,
+            log: this.log,
+        });
+    }
+    anthropic(client) {
+        return wrapAnthropic(client, {
+            identity: this.identity,
+            builder: this.builder,
+            verifier: this.verifier,
+            log: this.log,
+        });
+    }
+    get agentId() {
+        return this.identity.agentId;
+    }
+    get capabilities() {
+        return this.identity.capabilityNames;
+    }
+    getAuditLog() {
+        return this.log.getAll();
+    }
+    exportAudit() {
+        return {
+            agentId: this.identity.agentId,
+            entries: this.log.getAll(),
+            exportedAt: Date.now(),
+        };
+    }
+    getStats() {
+        const entries = this.log.getAll();
+        return {
+            agentId: this.identity.agentId,
+            agentName: this.identity.registration.agentName,
+            hostname: this.identity.registration.hostname,
+            totalCalls: entries.length,
+            successfulCalls: entries.filter((e) => e.result === "success").length,
+            deniedCalls: entries.filter((e) => e.result === "denied").length,
+            errorCalls: entries.filter((e) => e.result === "error").length,
+            registeredAt: this.identity.registration.registeredAt,
+        };
+    }
+}
+//# sourceMappingURL=chain.js.map

package/dist/chain.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"chain.js","sourceRoot":"","sources":["../src/chain.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;GAgBG;AAEH,OAAO,EAAE,cAAc,EAAE,MAAM,6BAA6B,CAAC;AAC7D,OAAO,EAAE,QAAQ,EAAE,MAAM,uBAAuB,CAAC;AACjD,OAAO,EAAE,aAAa,EAAE,MAAM,8BAA8B,CAAC;AAC7D,OAAO,EAAE,YAAY,EAAE,MAAM,yBAAyB,CAAC;AACvD,OAAO,EAAE,aAAa,EAAE,MAAM,0BAA0B,CAAC;AACzD,OAAO,EAAE,QAAQ,EAAE,MAAM,sBAAsB,CAAC;AAChD,OAAO,EAAE,UAAU,EAAE,MAAM,8BAA8B,CAAC;AAC1D,OAAO,EAAE,aAAa,EAAE,MAAM,iCAAiC,CAAC;AAIhE,MAAM,OAAO,WAAW;IAOpB,YACI,KAAqB,EACrB,QAAuB,EACvB,OAAqB,EACrB,QAAuB,EACvB,GAAa;QAEb,IAAI,CAAC,KAAK,GAAG,KAAK,CAAC;QACnB,IAAI,CAAC,QAAQ,GAAG,QAAQ,CAAC;QACzB,IAAI,CAAC,OAAO,GAAG,OAAO,CAAC;QACvB,IAAI,CAAC,QAAQ,GAAG,QAAQ,CAAC;QACzB,IAAI,CAAC,GAAG,GAAG,GAAG,CAAC;IACnB,CAAC;IAED,MAAM,CAAC,KAAK,CAAC,MAAM,CAAC,MAAmB;QACnC,MAAM,KAAK,GAAG,cAAc,CAAC,MAAM,CAAC,MAAM,CAAC,aAAa,CAAC,CAAC;QAC1D,MAAM,QAAQ,GAAG,IAAI,QAAQ,EAAE,CAAC;QAChC,MAAM,QAAQ,GAAG,MAAM,aAAa,CAAC,MAAM,CAAC,MAAM,EAAE,KAAK,CAAC,CAAC;QAC3D,MAAM,OAAO,GAAG,IAAI,YAAY,CAAC,QAAQ,CAAC,CAAC;QAC3C,MAAM,QAAQ,GAAG,IAAI,aAAa,CAAC,QAAQ,EAAE,QAAQ,CAAC,CAAC;QACvD,MAAM,GAAG,GAAG,IAAI,QAAQ,CAAC,KAAK,CAAC,CAAC;QAEhC,OAAO,IAAI,WAAW,CAAC,KAAK,EAAE,QAAQ,EAAE,OAAO,EAAE,QAAQ,EAAE,GAAG,CAAC,CAAC;IACpE,CAAC;IAED,6EAA6E;IAE7E,MAAM,CAAmB,MAAS;QAC9B,OAAO,UAAU,CAAC,MAAM,EAAE;YACtB,QAAQ,EAAE,IAAI,CAAC,QAAQ;YACvB,OAAO,EAAE,IAAI,CAAC,OAAO;YACrB,QAAQ,EAAE,IAAI,CAAC,QAAQ;YACvB,GAAG,EAAE,IAAI,CAAC,GAAG;SAChB,CAAC,CAAC;IACP,CAAC;IAED,SAAS,CAAmB,MAAS;QACjC,OAAO,aAAa,CAAC,MAAM,EAAE;YACzB,QAAQ,EAAE,IAAI,CAAC,QAAQ;YACvB,OAAO,EAAE,IAAI,CAAC,OAAO;YACrB,QAAQ,EAAE,IAAI,CAAC,QAAQ;YACvB,GAAG,EAAE,IAAI,CAAC,GAAG;SAChB,CAAC,CAAC;IACP,CAAC;IAED,IAAI,OAAO;QACP,OAAO,IAAI,CAAC,QAAQ,CAAC,OAAO,CAAC;IACjC,CAAC;IACD,IAAI,YAAY;QACZ,OAAO,IAAI,CAAC,QAAQ,CAAC,eAAe,CAAC;IACzC,CAAC;IACD,WAAW;QACP,OAAO,IAAI,CAAC,GAAG,CAAC,MAAM,EAAE,CAAC;IAC7B,CAAC;IACD,WAAW;QACP,OAAO;YACH,OAAO,EAAE,IAAI,CAAC,QAAQ,CAAC,OAAO;YAC9B,OAAO,EAAE,IAAI,CAAC,GAAG,CAAC,MAAM,EAAE;YAC1B,UAAU,EAAE,IAAI,CAAC,GAAG,EAAE;SACzB,CAAC;IACN,CAAC;IACD,QAAQ;QACJ,MAAM,OAAO,GAAG,IAAI,CAAC,GAAG,CAAC,MAAM,EAAE,CAAC;QAClC,OAAO;YACH,OAAO,EAAE,IAAI,CAAC,QAAQ,CAAC,OAAO;YAC9B,SAAS,EAAE,IAAI,CAAC,QAAQ,CAAC,YAAY,CAAC,SAAS;YAC/C,QAAQ,EAAE,IAAI,CAAC,QAAQ,CAAC,YAAY,CAAC,QAAQ;YAC7C,UAAU,EAAE,OAAO,CAAC,MAAM;YAC1B,eAAe,EAAE,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,MAAM,KAAK,SAAS,CAAC,CAAC,MAAM;YACrE,WAAW,EAAE,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,MAAM,KAAK,QAAQ,CAAC,CAAC,MAAM;YAChE,UAAU,EAAE,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,MAAM,KAAK,OAAO,CAAC,CAAC,MAAM;YAC9D,YAAY,EAAE,IAAI,CAAC,QAAQ,CAAC,YAAY,CAAC,YAAY;SACxD,CAAC;IACN,CAAC;CACJ"}