aismemory 0.4.0 → 0.5.0

package/dist/__tests__/device-flow-recovery.test.d.ts

@@ -0,0 +1 @@
+export {};

package/dist/__tests__/device-flow-recovery.test.js

@@ -0,0 +1,206 @@
+import { createServer } from 'node:http';
+import { spawn } from 'node:child_process';
+import { mkdtempSync, rmSync, existsSync } from 'node:fs';
+import { tmpdir } from 'node:os';
+import { join, resolve } from 'path';
+import { describe, it, expect, beforeAll, afterAll, beforeEach } from 'vitest';
+/**
+ * Regression: when the OAuth device-flow poll rejects (expired_token,
+ * access_denied, or 30-min deadline) the prior aismemory MCP would store the
+ * dead poll on `activeFlow` and every subsequent tool call would re-race
+ * against the rejected promise, propagating the same stale error. The only
+ * recovery was for the user to restart their AI tool — too friction-heavy for
+ * first-time users (they get distracted, the activation drops on the floor).
+ *
+ * After the fix, the MCP marks the flow `dead` on rejection and discards it,
+ * so the next tool call starts a fresh device flow inline and surfaces a new
+ * bond URL — no restart required.
+ *
+ * This test drives the binary against a fake AIS HTTP server that:
+ *   - returns a unique user_code per `/v1/oauth/device/authorize` call
+ *   - returns `expired_token` on the first `/v1/oauth/token` poll
+ * Two consecutive tool calls should produce two DIFFERENT user_codes in the
+ * surfaced bond URLs, proving the dead flow was discarded and replaced.
+ */
+describe('aismemory MCP device-flow recovery', () => {
+    let fakeAisServer;
+    let fakeAisPort = 0;
+    let authorizeCalls = 0;
+    const issuedCodes = [];
+    beforeAll(async () => {
+        fakeAisServer = createServer((req, res) => {
+            req.on('data', () => { });
+            req.on('end', () => {
+                if (req.url === '/v1/oauth/device/authorize' && req.method === 'POST') {
+                    authorizeCalls += 1;
+                    const userCode = `TEST-${String(authorizeCalls).padStart(4, '0')}`;
+                    issuedCodes.push(userCode);
+                    res.writeHead(200, { 'content-type': 'application/json' });
+                    res.end(JSON.stringify({
+                        success: true,
+                        data: {
+                            device_code: `device-${authorizeCalls}`,
+                            user_code: userCode,
+                            verification_uri: `http://127.0.0.1:${fakeAisPort}/activate`,
+                            verification_uri_complete: `http://127.0.0.1:${fakeAisPort}/activate?user_code=${userCode}`,
+                            expires_in: 1800,
+                            interval: 1, // 1s poll → bounded to 5s min by the client
+                            agent_id: `agent-${authorizeCalls}`,
+                            provisional_tenant_id: `tenant-${authorizeCalls}`,
+                            provisional_token: 'provisional',
+                        },
+                    }));
+                    return;
+                }
+                if (req.url === '/v1/oauth/token' && req.method === 'POST') {
+                    // Always reject the poll so the flow dies and recovery kicks in.
+                    res.writeHead(400, { 'content-type': 'application/json' });
+                    res.end(JSON.stringify({ error: 'expired_token' }));
+                    return;
+                }
+                res.writeHead(404);
+                res.end();
+            });
+        });
+        await new Promise((resolveServer) => {
+            fakeAisServer.listen(0, '127.0.0.1', () => {
+                const addr = fakeAisServer.address();
+                if (addr && typeof addr === 'object') {
+                    fakeAisPort = addr.port;
+                }
+                resolveServer();
+            });
+        });
+    });
+    afterAll(async () => {
+        await new Promise((r) => fakeAisServer?.close(() => r()));
+    });
+    beforeEach(() => {
+        authorizeCalls = 0;
+        issuedCodes.length = 0;
+    });
+    it('starts a fresh device flow after the previous one dies', async () => {
+        const distPath = resolve(__dirname, '..', '..', 'dist', 'index.js');
+        if (!existsSync(distPath)) {
+            throw new Error(`dist/index.js missing — run \`pnpm build\` first (looked at ${distPath})`);
+        }
+        const fakeHome = mkdtempSync(join(tmpdir(), 'aismem-recover-'));
+        let proc = null;
+        try {
+            proc = spawn('node', [distPath], {
+                env: {
+                    ...process.env,
+                    HOME: fakeHome,
+                    AIS_URL: `http://127.0.0.1:${fakeAisPort}`,
+                },
+                stdio: ['pipe', 'pipe', 'pipe'],
+            });
+            let stdoutBuf = '';
+            proc.stdout.on('data', (d) => { stdoutBuf += d.toString(); });
+            proc.stderr.on('data', () => { });
+            // 1. Handshake: initialize the MCP transport.
+            proc.stdin.write(JSON.stringify({
+                jsonrpc: '2.0',
+                id: 1,
+                method: 'initialize',
+                params: {
+                    protocolVersion: '2024-11-05',
+                    capabilities: {},
+                    clientInfo: { name: 'recovery-test', version: '0.0.0' },
+                },
+            }) + '\n');
+            await waitFor(() => stdoutBuf.includes('"id":1'), 5000, 'initialize response');
+            // 2. First tool call triggers device flow #1. The poll will reject
+            //    against the fake AIS (expired_token), marking the flow dead.
+            //    The call surfaces BondPendingError with the first user_code.
+            proc.stdin.write(JSON.stringify({
+                jsonrpc: '2.0',
+                id: 2,
+                method: 'tools/call',
+                params: { name: 'whoami', arguments: {} },
+            }) + '\n');
+            await waitFor(() => stdoutBuf.includes('"id":2'), 15000, 'first whoami response');
+            const firstResponse = extractResponseText(stdoutBuf, 2);
+            // Give the poll time to actually reject — soft timeout is 7s, poll
+            // interval is min 5s, so the rejection lands ~5s after the call. We
+            // need that rejection observed before the second call so the `dead`
+            // flag is set when ensureCredentials runs again.
+            await new Promise((r) => setTimeout(r, 8000));
+            // 3. Second tool call — should detect the dead flow, start a fresh
+            //    device flow, and surface a DIFFERENT user_code.
+            proc.stdin.write(JSON.stringify({
+                jsonrpc: '2.0',
+                id: 3,
+                method: 'tools/call',
+                params: { name: 'whoami', arguments: {} },
+            }) + '\n');
+            await waitFor(() => stdoutBuf.includes('"id":3'), 15000, 'second whoami response');
+            const secondResponse = extractResponseText(stdoutBuf, 3);
+            // Recovery proof: more than one device-flow authorize was made. Without
+            // the fix the MCP would re-race the dead poll forever and never call
+            // authorize a second time.
+            expect(authorizeCalls).toBeGreaterThanOrEqual(2);
+            expect(issuedCodes.length).toBeGreaterThanOrEqual(2);
+            // Both tool calls return a bond URL (no misleading "Authentication
+            // timed out" leak from the dead poll's stored rejection).
+            expect(firstResponse).toMatch(/Memory bond required/);
+            expect(secondResponse).toMatch(/Memory bond required/);
+            // The two responses must surface DIFFERENT codes — proving the second
+            // call doesn't keep showing the original (now-dead) code.
+            const firstCode = extractUserCode(firstResponse);
+            const secondCode = extractUserCode(secondResponse);
+            expect(firstCode).toBeTruthy();
+            expect(secondCode).toBeTruthy();
+            expect(firstCode).not.toEqual(secondCode);
+            expect(issuedCodes).toContain(firstCode);
+            expect(issuedCodes).toContain(secondCode);
+        }
+        finally {
+            proc?.kill();
+            try {
+                rmSync(fakeHome, { recursive: true, force: true });
+            }
+            catch { /* ignore */ }
+        }
+    }, 45000);
+});
+function waitFor(predicate, ms, label) {
+    return new Promise((resolveOuter, reject) => {
+        const start = Date.now();
+        const tick = () => {
+            if (predicate()) {
+                resolveOuter();
+                return;
+            }
+            if (Date.now() - start > ms) {
+                reject(new Error(`timeout waiting for ${label}`));
+                return;
+            }
+            setTimeout(tick, 50);
+        };
+        tick();
+    });
+}
+function extractUserCode(responseText) {
+    const match = /TEST-\d{4}/.exec(responseText);
+    return match ? match[0] : null;
+}
+function extractResponseText(buf, id) {
+    // MCP responses are newline-delimited JSON. Find the line with our id and
+    // pull the content[0].text payload out.
+    for (const line of buf.split('\n')) {
+        if (!line.includes(`"id":${id}`))
+            continue;
+        try {
+            const parsed = JSON.parse(line);
+            const text = parsed.result?.content?.[0]?.text;
+            if (typeof text === 'string')
+                return text;
+        }
+        catch {
+            /* malformed line; skip */
+        }
+    }
+    return '';
+}
+//# sourceMappingURL=device-flow-recovery.test.js.map

package/dist/__tests__/device-flow-recovery.test.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"device-flow-recovery.test.js","sourceRoot":"","sources":["../../src/__tests__/device-flow-recovery.test.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,YAAY,EAAe,MAAM,WAAW,CAAC;AACtD,OAAO,EAAE,KAAK,EAAuC,MAAM,oBAAoB,CAAC;AAChF,OAAO,EAAE,WAAW,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,SAAS,CAAC;AAC1D,OAAO,EAAE,MAAM,EAAE,MAAM,SAAS,CAAC;AACjC,OAAO,EAAE,IAAI,EAAE,OAAO,EAAE,MAAM,MAAM,CAAC;AACrC,OAAO,EAAE,QAAQ,EAAE,EAAE,EAAE,MAAM,EAAE,SAAS,EAAE,QAAQ,EAAE,UAAU,EAAE,MAAM,QAAQ,CAAC;AAE/E;;;;;;;;;;;;;;;;;GAiBG;AACH,QAAQ,CAAC,oCAAoC,EAAE,GAAG,EAAE;IAClD,IAAI,aAAiC,CAAC;IACtC,IAAI,WAAW,GAAG,CAAC,CAAC;IACpB,IAAI,cAAc,GAAG,CAAC,CAAC;IACvB,MAAM,WAAW,GAAa,EAAE,CAAC;IAEjC,SAAS,CAAC,KAAK,IAAI,EAAE;QACnB,aAAa,GAAG,YAAY,CAAC,CAAC,GAAG,EAAE,GAAG,EAAE,EAAE;YACxC,GAAG,CAAC,EAAE,CAAC,MAAM,EAAE,GAAG,EAAE,GAA2C,CAAC,CAAC,CAAC;YAClE,GAAG,CAAC,EAAE,CAAC,KAAK,EAAE,GAAG,EAAE;gBACjB,IAAI,GAAG,CAAC,GAAG,KAAK,4BAA4B,IAAI,GAAG,CAAC,MAAM,KAAK,MAAM,EAAE,CAAC;oBACtE,cAAc,IAAI,CAAC,CAAC;oBACpB,MAAM,QAAQ,GAAG,QAAQ,MAAM,CAAC,cAAc,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE,CAAC;oBACnE,WAAW,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;oBAC3B,GAAG,CAAC,SAAS,CAAC,GAAG,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE,CAAC,CAAC;oBAC3D,GAAG,CAAC,GAAG,CACL,IAAI,CAAC,SAAS,CAAC;wBACb,OAAO,EAAE,IAAI;wBACb,IAAI,EAAE;4BACJ,WAAW,EAAE,UAAU,cAAc,EAAE;4BACvC,SAAS,EAAE,QAAQ;4BACnB,gBAAgB,EAAE,oBAAoB,WAAW,WAAW;4BAC5D,yBAAyB,EAAE,oBAAoB,WAAW,uBAAuB,QAAQ,EAAE;4BAC3F,UAAU,EAAE,IAAI;4BAChB,QAAQ,EAAE,CAAC,EAAE,4CAA4C;4BACzD,QAAQ,EAAE,SAAS,cAAc,EAAE;4BACnC,qBAAqB,EAAE,UAAU,cAAc,EAAE;4BACjD,iBAAiB,EAAE,aAAa;yBACjC;qBACF,CAAC,CACH,CAAC;oBACF,OAAO;gBACT,CAAC;gBACD,IAAI,GAAG,CAAC,GAAG,KAAK,iBAAiB,IAAI,GAAG,CAAC,MAAM,KAAK,MAAM,EAAE,CAAC;oBAC3D,iEAAiE;oBACjE,GAAG,CAAC,SAAS,CAAC,GAAG,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE,CAAC,CAAC;oBAC3D,GAAG,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,eAAe,EAAE,CAAC,CAAC,CAAC;oBACpD,OAAO;gBACT,CAAC;gBACD,GAAG,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC;gBACnB,GAAG,CAAC,GAAG,EAAE,CAAC;YACZ,CAAC,CAAC,CAAC;QACL,CAAC,CAAC,CAAC;QAEH,MAAM,IAAI,OAAO,CAAO,CAAC,aAAa,EAAE,EAAE;YACxC,aAAc,CAAC,MAAM,CAAC,CAAC,EAAE,WAAW,EAAE,GAAG,EAAE;gBACzC,MAAM,IAAI,GAAG,aAAc,CAAC,OAAO,EAAE,CAAC;gBACtC,IAAI,IAAI,IAAI,OAAO,IAAI,KAAK,QAAQ,EAAE,CAAC;oBACrC,WAAW,GAAG,IAAI,CAAC,IAAI,CAAC;gBAC1B,CAAC;gBACD,aAAa,EAAE,CAAC;YAClB,CAAC,CAAC,CAAC;QACL,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,QAAQ,CAAC,KAAK,IAAI,EAAE;QAClB,MAAM,IAAI,OAAO,CAAO,CAAC,CAAC,EAAE,EAAE,CAAC,aAAa,EAAE,KAAK,CAAC,GAAG,EAAE,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC;IAClE,CAAC,CAAC,CAAC;IAEH,UAAU,CAAC,GAAG,EAAE;QACd,cAAc,GAAG,CAAC,CAAC;QACnB,WAAW,CAAC,MAAM,GAAG,CAAC,CAAC;IACzB,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,wDAAwD,EAAE,KAAK,IAAI,EAAE;QACtE,MAAM,QAAQ,GAAG,OAAO,CAAC,SAAS,EAAE,IAAI,EAAE,IAAI,EAAE,MAAM,EAAE,UAAU,CAAC,CAAC;QACpE,IAAI,CAAC,UAAU,CAAC,QAAQ,CAAC,EAAE,CAAC;YAC1B,MAAM,IAAI,KAAK,CAAC,+DAA+D,QAAQ,GAAG,CAAC,CAAC;QAC9F,CAAC;QAED,MAAM,QAAQ,GAAG,WAAW,CAAC,IAAI,CAAC,MAAM,EAAE,EAAE,iBAAiB,CAAC,CAAC,CAAC;QAChE,IAAI,IAAI,GAA0C,IAAI,CAAC;QAEvD,IAAI,CAAC;YACH,IAAI,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,QAAQ,CAAC,EAAE;gBAC/B,GAAG,EAAE;oBACH,GAAG,OAAO,CAAC,GAAG;oBACd,IAAI,EAAE,QAAQ;oBACd,OAAO,EAAE,oBAAoB,WAAW,EAAE;iBAC3C;gBACD,KAAK,EAAE,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,CAAC;aAChC,CAAC,CAAC;YAEH,IAAI,SAAS,GAAG,EAAE,CAAC;YACnB,IAAI,CAAC,MAAM,CAAC,EAAE,CAAC,MAAM,EAAE,CAAC,CAAS,EAAE,EAAE,GAAG,SAAS,IAAI,CAAC,CAAC,QAAQ,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC;YACtE,IAAI,CAAC,MAAM,CAAC,EAAE,CAAC,MAAM,EAAE,GAAG,EAAE,GAAc,CAAC,CAAC,CAAC;YAE7C,8CAA8C;YAC9C,IAAI,CAAC,KAAK,CAAC,KAAK,CACd,IAAI,CAAC,SAAS,CAAC;gBACb,OAAO,EAAE,KAAK;gBACd,EAAE,EAAE,CAAC;gBACL,MAAM,EAAE,YAAY;gBACpB,MAAM,EAAE;oBACN,eAAe,EAAE,YAAY;oBAC7B,YAAY,EAAE,EAAE;oBAChB,UAAU,EAAE,EAAE,IAAI,EAAE,eAAe,EAAE,OAAO,EAAE,OAAO,EAAE;iBACxD;aACF,CAAC,GAAG,IAAI,CACV,CAAC;YACF,MAAM,OAAO,CAAC,GAAG,EAAE,CAAC,SAAS,CAAC,QAAQ,CAAC,QAAQ,CAAC,EAAE,IAAI,EAAE,qBAAqB,CAAC,CAAC;YAE/E,mEAAmE;YACnE,kEAAkE;YAClE,kEAAkE;YAClE,IAAI,CAAC,KAAK,CAAC,KAAK,CACd,IAAI,CAAC,SAAS,CAAC;gBACb,OAAO,EAAE,KAAK;gBACd,EAAE,EAAE,CAAC;gBACL,MAAM,EAAE,YAAY;gBACpB,MAAM,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE,SAAS,EAAE,EAAE,EAAE;aAC1C,CAAC,GAAG,IAAI,CACV,CAAC;YACF,MAAM,OAAO,CAAC,GAAG,EAAE,CAAC,SAAS,CAAC,QAAQ,CAAC,QAAQ,CAAC,EAAE,KAAK,EAAE,uBAAuB,CAAC,CAAC;YAClF,MAAM,aAAa,GAAG,mBAAmB,CAAC,SAAS,EAAE,CAAC,CAAC,CAAC;YAExD,mEAAmE;YACnE,oEAAoE;YACpE,oEAAoE;YACpE,iDAAiD;YACjD,MAAM,IAAI,OAAO,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,UAAU,CAAC,CAAC,EAAE,IAAI,CAAC,CAAC,CAAC;YAE9C,mEAAmE;YACnE,qDAAqD;YACrD,IAAI,CAAC,KAAK,CAAC,KAAK,CACd,IAAI,CAAC,SAAS,CAAC;gBACb,OAAO,EAAE,KAAK;gBACd,EAAE,EAAE,CAAC;gBACL,MAAM,EAAE,YAAY;gBACpB,MAAM,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE,SAAS,EAAE,EAAE,EAAE;aAC1C,CAAC,GAAG,IAAI,CACV,CAAC;YACF,MAAM,OAAO,CAAC,GAAG,EAAE,CAAC,SAAS,CAAC,QAAQ,CAAC,QAAQ,CAAC,EAAE,KAAK,EAAE,wBAAwB,CAAC,CAAC;YACnF,MAAM,cAAc,GAAG,mBAAmB,CAAC,SAAS,EAAE,CAAC,CAAC,CAAC;YAEzD,wEAAwE;YACxE,qEAAqE;YACrE,2BAA2B;YAC3B,MAAM,CAAC,cAAc,CAAC,CAAC,sBAAsB,CAAC,CAAC,CAAC,CAAC;YACjD,MAAM,CAAC,WAAW,CAAC,MAAM,CAAC,CAAC,sBAAsB,CAAC,CAAC,CAAC,CAAC;YAErD,mEAAmE;YACnE,0DAA0D;YAC1D,MAAM,CAAC,aAAa,CAAC,CAAC,OAAO,CAAC,sBAAsB,CAAC,CAAC;YACtD,MAAM,CAAC,cAAc,CAAC,CAAC,OAAO,CAAC,sBAAsB,CAAC,CAAC;YAEvD,sEAAsE;YACtE,0DAA0D;YAC1D,MAAM,SAAS,GAAG,eAAe,CAAC,aAAa,CAAC,CAAC;YACjD,MAAM,UAAU,GAAG,eAAe,CAAC,cAAc,CAAC,CAAC;YACnD,MAAM,CAAC,SAAS,CAAC,CAAC,UAAU,EAAE,CAAC;YAC/B,MAAM,CAAC,UAAU,CAAC,CAAC,UAAU,EAAE,CAAC;YAChC,MAAM,CAAC,SAAS,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,UAAU,CAAC,CAAC;YAC1C,MAAM,CAAC,WAAW,CAAC,CAAC,SAAS,CAAC,SAAS,CAAC,CAAC;YACzC,MAAM,CAAC,WAAW,CAAC,CAAC,SAAS,CAAC,UAAU,CAAC,CAAC;QAC5C,CAAC;gBAAS,CAAC;YACT,IAAI,EAAE,IAAI,EAAE,CAAC;YACb,IAAI,CAAC;gBAAC,MAAM,CAAC,QAAQ,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC;YAAC,CAAC;YAAC,MAAM,CAAC,CAAC,YAAY,CAAC,CAAC;QACpF,CAAC;IACH,CAAC,EAAE,KAAK,CAAC,CAAC;AACZ,CAAC,CAAC,CAAC;AAEH,SAAS,OAAO,CAAC,SAAwB,EAAE,EAAU,EAAE,KAAa;IAClE,OAAO,IAAI,OAAO,CAAC,CAAC,YAAY,EAAE,MAAM,EAAE,EAAE;QAC1C,MAAM,KAAK,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QACzB,MAAM,IAAI,GAAG,GAAS,EAAE;YACtB,IAAI,SAAS,EAAE,EAAE,CAAC;gBAAC,YAAY,EAAE,CAAC;gBAAC,OAAO;YAAC,CAAC;YAC5C,IAAI,IAAI,CAAC,GAAG,EAAE,GAAG,KAAK,GAAG,EAAE,EAAE,CAAC;gBAAC,MAAM,CAAC,IAAI,KAAK,CAAC,uBAAuB,KAAK,EAAE,CAAC,CAAC,CAAC;gBAAC,OAAO;YAAC,CAAC;YAC3F,UAAU,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC;QACvB,CAAC,CAAC;QACF,IAAI,EAAE,CAAC;IACT,CAAC,CAAC,CAAC;AACL,CAAC;AAED,SAAS,eAAe,CAAC,YAAoB;IAC3C,MAAM,KAAK,GAAG,YAAY,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;IAC9C,OAAO,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;AACjC,CAAC;AAED,SAAS,mBAAmB,CAAC,GAAW,EAAE,EAAU;IAClD,0EAA0E;IAC1E,wCAAwC;IACxC,KAAK,MAAM,IAAI,IAAI,GAAG,CAAC,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC;QACnC,IAAI,CAAC,IAAI,CAAC,QAAQ,CAAC,QAAQ,EAAE,EAAE,CAAC;YAAE,SAAS;QAC3C,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAE7B,CAAC;YACF,MAAM,IAAI,GAAG,MAAM,CAAC,MAAM,EAAE,OAAO,EAAE,CAAC,CAAC,CAAC,EAAE,IAAI,CAAC;YAC/C,IAAI,OAAO,IAAI,KAAK,QAAQ;gBAAE,OAAO,IAAI,CAAC;QAC5C,CAAC;QAAC,MAAM,CAAC;YACP,0BAA0B;QAC5B,CAAC;IACH,CAAC;IACD,OAAO,EAAE,CAAC;AACZ,CAAC"}

package/dist/__tests__/key-auth.test.d.ts

@@ -0,0 +1 @@
+export {};

package/dist/__tests__/key-auth.test.js

@@ -0,0 +1,284 @@
+/**
+ * Tests for the aismemory key-auth client module.
+ *
+ * Phase 1 DID-based authentication: the client reads an Ed25519 private key
+ * from disk, signs a challenge issued by AIS, and receives an owner JWT.
+ * Replaces the device-flow ceremony for every session after enrollment.
+ *
+ * Tests cover:
+ *   - tryKeyAuth() returns null when no key file is present (so callers can
+ *     gracefully fall back to device flow)
+ *   - tryKeyAuth() round-trips a challenge against a fake AIS and returns
+ *     the resulting owner JWT
+ *   - generateAndSaveKeypair() writes a valid key file
+ *   - readKeyFile() recovers what generateAndSaveKeypair() wrote
+ */
+import { describe, it, expect, beforeEach, afterEach } from 'vitest';
+import { mkdtempSync, rmSync, existsSync, readFileSync, statSync } from 'node:fs';
+import { tmpdir } from 'node:os';
+import { join } from 'node:path';
+import { createServer } from 'node:http';
+import { createPublicKey, createPrivateKey, verify as edVerify } from 'node:crypto';
+import { tryKeyAuth, generateAndSaveKeypair, readKeyFile, } from '../key-auth.js';
+// ───────────────────────────────────────────────────────────────────────────
+// Test fixtures
+// ───────────────────────────────────────────────────────────────────────────
+const TEST_USER_ID = '454e4306-423e-498d-9b85-24bafbabff9b';
+const TEST_DOMAIN = 'ais.example.com';
+const TEST_USER_DID = `did:web:${TEST_DOMAIN}:users:${TEST_USER_ID}`;
+let tmpKeysDir;
+beforeEach(() => {
+    tmpKeysDir = mkdtempSync(join(tmpdir(), 'aismemory-keys-test-'));
+});
+afterEach(() => {
+    if (existsSync(tmpKeysDir)) {
+        rmSync(tmpKeysDir, { recursive: true, force: true });
+    }
+});
+// ───────────────────────────────────────────────────────────────────────────
+// Key file generation + read
+// ───────────────────────────────────────────────────────────────────────────
+describe('generateAndSaveKeypair', () => {
+    it('writes a Ed25519 key file containing matching public/private bytes', async () => {
+        const result = await generateAndSaveKeypair({
+            userId: TEST_USER_ID,
+            userDid: TEST_USER_DID,
+            keysDir: tmpKeysDir,
+        });
+        expect(result.userId).toBe(TEST_USER_ID);
+        expect(result.userDid).toBe(TEST_USER_DID);
+        expect(result.keyType).toBe('Ed25519');
+        expect(result.publicKey).toMatch(/^[A-Za-z0-9_-]+$/); // base64url
+        expect(result.privateKey).toMatch(/^[A-Za-z0-9_-]+$/);
+        expect(result.publicKeyJwk.kty).toBe('OKP');
+        expect(result.publicKeyJwk.crv).toBe('Ed25519');
+        // File must exist with mode 0600.
+        const path = join(tmpKeysDir, `${TEST_USER_DID}.json`);
+        expect(existsSync(path)).toBe(true);
+        const stat = statSync(path);
+        // Bottom 9 bits = perms. We only assert the user-only invariant
+        // (group/other have no perms). Skip on Windows where this isn't real.
+        if (process.platform !== 'win32') {
+            const perms = stat.mode & 0o777;
+            expect(perms).toBe(0o600);
+        }
+        const onDisk = JSON.parse(readFileSync(path, 'utf-8'));
+        expect(onDisk.userId).toBe(TEST_USER_ID);
+    });
+});
+describe('readKeyFile', () => {
+    it('returns null when no key file is present', () => {
+        const got = readKeyFile({ userDid: TEST_USER_DID, keysDir: tmpKeysDir });
+        expect(got).toBeNull();
+    });
+    it('returns the file we generated', async () => {
+        const written = await generateAndSaveKeypair({
+            userId: TEST_USER_ID,
+            userDid: TEST_USER_DID,
+            keysDir: tmpKeysDir,
+        });
+        const read = readKeyFile({ userDid: TEST_USER_DID, keysDir: tmpKeysDir });
+        expect(read).not.toBeNull();
+        expect(read?.userId).toBe(written.userId);
+        expect(read?.privateKey).toBe(written.privateKey);
+    });
+});
+/**
+ * Spawns a tiny HTTP server that simulates the AIS challenge/did-prove
+ * endpoints. The server actually verifies the Ed25519 signature so we know
+ * the client signed the correct canonical string with the right key.
+ */
+async function startFakeAis(opts) {
+    const issued = { token: '' };
+    const server = createServer((req, res) => {
+        let body = '';
+        req.on('data', (chunk) => (body += chunk));
+        req.on('end', () => {
+            try {
+                if (req.method === 'POST' && req.url === '/v1/auth/challenge') {
+                    const parsed = JSON.parse(body || '{}');
+                    const nonce = `nonce-${Date.now()}-${Math.random().toString(36).slice(2, 10)}`;
+                    const exp = Math.floor(Date.now() / 1000) + (opts.forceExpiredChallenge ? -60 : 60);
+                    // We don't actually HMAC here — the fake just echoes back a marker;
+                    // the real server checks the HMAC, the fake doesn't need to.
+                    res.statusCode = 200;
+                    res.setHeader('Content-Type', 'application/json');
+                    res.end(JSON.stringify({
+                        success: true,
+                        data: { nonce, exp, hmac: `fake-hmac-for:${parsed.userDid}` },
+                    }));
+                    return;
+                }
+                if (req.method === 'POST' && req.url === '/v1/auth/did-prove') {
+                    const parsed = JSON.parse(body || '{}');
+                    if (!parsed.userDid || !parsed.nonce || !parsed.exp || !parsed.signature) {
+                        res.statusCode = 400;
+                        res.end(JSON.stringify({ success: false, error: { code: 'BAD_REQUEST' } }));
+                        return;
+                    }
+                    // Verify the signature against the accepted public key.
+                    const msg = Buffer.from(`${parsed.userDid}\n${parsed.nonce}\n${parsed.exp}`, 'utf8');
+                    const pub = createPublicKey({ key: opts.acceptedJwk, format: 'jwk' });
+                    const ok = edVerify(null, msg, pub, Buffer.from(parsed.signature, 'base64url'));
+                    if (!ok) {
+                        res.statusCode = 401;
+                        res.end(JSON.stringify({ success: false, error: { code: 'INVALID_SIGNATURE' } }));
+                        return;
+                    }
+                    const token = `fake-owner-jwt-${Date.now()}`;
+                    issued.token = token;
+                    res.statusCode = 200;
+                    res.setHeader('Content-Type', 'application/json');
+                    res.end(JSON.stringify({
+                        success: true,
+                        data: {
+                            bearerToken: token,
+                            expiresAt: new Date(Date.now() + 7 * 24 * 60 * 60 * 1000).toISOString(),
+                        },
+                    }));
+                    return;
+                }
+                res.statusCode = 404;
+                res.end(JSON.stringify({ error: 'not_found' }));
+            }
+            catch (e) {
+                res.statusCode = 500;
+                res.end(JSON.stringify({ error: e.message }));
+            }
+        });
+    });
+    await new Promise((resolve) => server.listen(0, '127.0.0.1', resolve));
+    const addr = server.address();
+    if (!addr || typeof addr === 'string')
+        throw new Error('failed to bind');
+    const url = `http://127.0.0.1:${addr.port}`;
+    return {
+        url,
+        stop: () => new Promise((resolve) => {
+            server.close(() => resolve());
+        }),
+        get lastIssued() {
+            return issued.token || undefined;
+        },
+    };
+}
+describe('tryKeyAuth', () => {
+    it('returns null when no key file is present', async () => {
+        const result = await tryKeyAuth({
+            aisUrl: 'http://unreachable.example.com',
+            keysDir: tmpKeysDir,
+            userDid: TEST_USER_DID,
+        });
+        expect(result).toBeNull();
+    });
+    it('signs a real challenge and returns the issued bearer token', async () => {
+        // 1. Bootstrap a key file on disk.
+        const key = await generateAndSaveKeypair({
+            userId: TEST_USER_ID,
+            userDid: TEST_USER_DID,
+            keysDir: tmpKeysDir,
+        });
+        // 2. Stand up a fake AIS that accepts that exact public key.
+        const ais = await startFakeAis({ acceptedJwk: key.publicKeyJwk });
+        try {
+            // 3. Run the full challenge/prove flow.
+            const result = await tryKeyAuth({
+                aisUrl: ais.url,
+                keysDir: tmpKeysDir,
+                userDid: TEST_USER_DID,
+            });
+            expect(result).not.toBeNull();
+            expect(result?.userId).toBe(TEST_USER_ID);
+            expect(result?.userDid).toBe(TEST_USER_DID);
+            expect(result?.tokenType).toBe('owner');
+            expect(result?.token).toMatch(/^fake-owner-jwt-/);
+            expect(result?.expiresAt).toBeDefined();
+        }
+        finally {
+            await ais.stop();
+        }
+    });
+    it("throws when the server rejects the signature (e.g. user's key was revoked)", async () => {
+        // Generate two keypairs. Client has key A; server only accepts key B.
+        const clientKey = await generateAndSaveKeypair({
+            userId: TEST_USER_ID,
+            userDid: TEST_USER_DID,
+            keysDir: tmpKeysDir,
+        });
+        // Build a different keypair just to get a JWK the fake AIS will reject.
+        const tmpDir2 = mkdtempSync(join(tmpdir(), 'aismemory-otherkey-'));
+        const serverKey = await generateAndSaveKeypair({
+            userId: TEST_USER_ID,
+            userDid: TEST_USER_DID,
+            keysDir: tmpDir2,
+        });
+        // Voiding the unused-var lint while keeping the keypair around for clarity.
+        void clientKey;
+        rmSync(tmpDir2, { recursive: true, force: true });
+        const ais = await startFakeAis({ acceptedJwk: serverKey.publicKeyJwk });
+        try {
+            await expect(tryKeyAuth({
+                aisUrl: ais.url,
+                keysDir: tmpKeysDir,
+                userDid: TEST_USER_DID,
+            })).rejects.toThrow();
+        }
+        finally {
+            await ais.stop();
+        }
+    });
+    it('auto-discovers the userDid when only one key file is present', async () => {
+        // No userDid passed; the helper should pick the lone file.
+        const key = await generateAndSaveKeypair({
+            userId: TEST_USER_ID,
+            userDid: TEST_USER_DID,
+            keysDir: tmpKeysDir,
+        });
+        const ais = await startFakeAis({ acceptedJwk: key.publicKeyJwk });
+        try {
+            const result = await tryKeyAuth({
+                aisUrl: ais.url,
+                keysDir: tmpKeysDir,
+            });
+            expect(result).not.toBeNull();
+            expect(result?.userDid).toBe(TEST_USER_DID);
+        }
+        finally {
+            await ais.stop();
+        }
+    });
+});
+// ───────────────────────────────────────────────────────────────────────────
+// Signing utility — verified by round-trip against Node's crypto
+// ───────────────────────────────────────────────────────────────────────────
+describe('canonical signing format', () => {
+    it("uses '<userDid>\\n<nonce>\\n<exp>' as the message body", async () => {
+        const key = await generateAndSaveKeypair({
+            userId: TEST_USER_ID,
+            userDid: TEST_USER_DID,
+            keysDir: tmpKeysDir,
+        });
+        // Re-derive the public key and verify a sample signature with the
+        // expected canonical form. If the implementation later changes the
+        // canonical bytes, this test breaks loudly.
+        const ais = await startFakeAis({ acceptedJwk: key.publicKeyJwk });
+        try {
+            const result = await tryKeyAuth({
+                aisUrl: ais.url,
+                keysDir: tmpKeysDir,
+                userDid: TEST_USER_DID,
+            });
+            expect(result).not.toBeNull();
+        }
+        finally {
+            await ais.stop();
+        }
+        // Smoke: private key actually loadable.
+        const priv = createPrivateKey({
+            key: { kty: 'OKP', crv: 'Ed25519', x: key.publicKeyJwk.x, d: key.privateKey },
+            format: 'jwk',
+        });
+        expect(priv).toBeDefined();
+    });
+});
+//# sourceMappingURL=key-auth.test.js.map

package/dist/__tests__/key-auth.test.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"key-auth.test.js","sourceRoot":"","sources":["../../src/__tests__/key-auth.test.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG;AACH,OAAO,EAAE,QAAQ,EAAE,EAAE,EAAE,MAAM,EAAE,UAAU,EAAE,SAAS,EAAE,MAAM,QAAQ,CAAC;AACrE,OAAO,EAAE,WAAW,EAAE,MAAM,EAAE,UAAU,EAAE,YAAY,EAAE,QAAQ,EAAE,MAAM,SAAS,CAAC;AAClF,OAAO,EAAE,MAAM,EAAE,MAAM,SAAS,CAAC;AACjC,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AACjC,OAAO,EAAE,YAAY,EAAE,MAAM,WAAW,CAAC;AACzC,OAAO,EAAE,eAAe,EAAE,gBAAgB,EAAE,MAAM,IAAI,QAAQ,EAAE,MAAM,aAAa,CAAC;AAEpF,OAAO,EACL,UAAU,EACV,sBAAsB,EACtB,WAAW,GAEZ,MAAM,gBAAgB,CAAC;AAExB,8EAA8E;AAC9E,gBAAgB;AAChB,8EAA8E;AAE9E,MAAM,YAAY,GAAG,sCAAsC,CAAC;AAC5D,MAAM,WAAW,GAAG,iBAAiB,CAAC;AACtC,MAAM,aAAa,GAAG,WAAW,WAAW,UAAU,YAAY,EAAE,CAAC;AAErE,IAAI,UAAkB,CAAC;AACvB,UAAU,CAAC,GAAG,EAAE;IACd,UAAU,GAAG,WAAW,CAAC,IAAI,CAAC,MAAM,EAAE,EAAE,sBAAsB,CAAC,CAAC,CAAC;AACnE,CAAC,CAAC,CAAC;AACH,SAAS,CAAC,GAAG,EAAE;IACb,IAAI,UAAU,CAAC,UAAU,CAAC,EAAE,CAAC;QAC3B,MAAM,CAAC,UAAU,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC;IACvD,CAAC;AACH,CAAC,CAAC,CAAC;AAEH,8EAA8E;AAC9E,6BAA6B;AAC7B,8EAA8E;AAE9E,QAAQ,CAAC,wBAAwB,EAAE,GAAG,EAAE;IACtC,EAAE,CAAC,oEAAoE,EAAE,KAAK,IAAI,EAAE;QAClF,MAAM,MAAM,GAAG,MAAM,sBAAsB,CAAC;YAC1C,MAAM,EAAE,YAAY;YACpB,OAAO,EAAE,aAAa;YACtB,OAAO,EAAE,UAAU;SACpB,CAAC,CAAC;QAEH,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;QACzC,MAAM,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC;QAC3C,MAAM,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;QACvC,MAAM,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC,OAAO,CAAC,kBAAkB,CAAC,CAAC,CAAC,YAAY;QAClE,MAAM,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC,OAAO,CAAC,kBAAkB,CAAC,CAAC;QACtD,MAAM,CAAC,MAAM,CAAC,YAAY,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QAC5C,MAAM,CAAC,MAAM,CAAC,YAAY,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;QAEhD,kCAAkC;QAClC,MAAM,IAAI,GAAG,IAAI,CAAC,UAAU,EAAE,GAAG,aAAa,OAAO,CAAC,CAAC;QACvD,MAAM,CAAC,UAAU,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACpC,MAAM,IAAI,GAAG,QAAQ,CAAC,IAAI,CAAC,CAAC;QAC5B,gEAAgE;QAChE,sEAAsE;QACtE,IAAI,OAAO,CAAC,QAAQ,KAAK,OAAO,EAAE,CAAC;YACjC,MAAM,KAAK,GAAG,IAAI,CAAC,IAAI,GAAG,KAAK,CAAC;YAChC,MAAM,CAAC,KAAK,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QAC5B,CAAC;QAED,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,YAAY,CAAC,IAAI,EAAE,OAAO,CAAC,CAAY,CAAC;QAClE,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;IAC3C,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,QAAQ,CAAC,aAAa,EAAE,GAAG,EAAE;IAC3B,EAAE,CAAC,0CAA0C,EAAE,GAAG,EAAE;QAClD,MAAM,GAAG,GAAG,WAAW,CAAC,EAAE,OAAO,EAAE,aAAa,EAAE,OAAO,EAAE,UAAU,EAAE,CAAC,CAAC;QACzE,MAAM,CAAC,GAAG,CAAC,CAAC,QAAQ,EAAE,CAAC;IACzB,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,+BAA+B,EAAE,KAAK,IAAI,EAAE;QAC7C,MAAM,OAAO,GAAG,MAAM,sBAAsB,CAAC;YAC3C,MAAM,EAAE,YAAY;YACpB,OAAO,EAAE,aAAa;YACtB,OAAO,EAAE,UAAU;SACpB,CAAC,CAAC;QACH,MAAM,IAAI,GAAG,WAAW,CAAC,EAAE,OAAO,EAAE,aAAa,EAAE,OAAO,EAAE,UAAU,EAAE,CAAC,CAAC;QAC1E,MAAM,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,QAAQ,EAAE,CAAC;QAC5B,MAAM,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;QAC1C,MAAM,CAAC,IAAI,EAAE,UAAU,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,UAAU,CAAC,CAAC;IACpD,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAaH;;;;GAIG;AACH,KAAK,UAAU,YAAY,CAAC,IAK3B;IACC,MAAM,MAAM,GAAG,EAAE,KAAK,EAAE,EAAE,EAAE,CAAC;IAE7B,MAAM,MAAM,GAAG,YAAY,CAAC,CAAC,GAAG,EAAE,GAAG,EAAE,EAAE;QACvC,IAAI,IAAI,GAAG,EAAE,CAAC;QACd,GAAG,CAAC,EAAE,CAAC,MAAM,EAAE,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC,IAAI,IAAI,KAAK,CAAC,CAAC,CAAC;QAC3C,GAAG,CAAC,EAAE,CAAC,KAAK,EAAE,GAAG,EAAE;YACjB,IAAI,CAAC;gBACH,IAAI,GAAG,CAAC,MAAM,KAAK,MAAM,IAAI,GAAG,CAAC,GAAG,KAAK,oBAAoB,EAAE,CAAC;oBAC9D,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,IAAI,IAAI,CAAyB,CAAC;oBAChE,MAAM,KAAK,GAAG,SAAS,IAAI,CAAC,GAAG,EAAE,IAAI,IAAI,CAAC,MAAM,EAAE,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,EAAE,CAAC;oBAC/E,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,qBAAqB,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC;oBACpF,oEAAoE;oBACpE,6DAA6D;oBAC7D,GAAG,CAAC,UAAU,GAAG,GAAG,CAAC;oBACrB,GAAG,CAAC,SAAS,CAAC,cAAc,EAAE,kBAAkB,CAAC,CAAC;oBAClD,GAAG,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC;wBACrB,OAAO,EAAE,IAAI;wBACb,IAAI,EAAE,EAAE,KAAK,EAAE,GAAG,EAAE,IAAI,EAAE,iBAAiB,MAAM,CAAC,OAAO,EAAE,EAAE;qBAC9D,CAAC,CAAC,CAAC;oBACJ,OAAO;gBACT,CAAC;gBAED,IAAI,GAAG,CAAC,MAAM,KAAK,MAAM,IAAI,GAAG,CAAC,GAAG,KAAK,oBAAoB,EAAE,CAAC;oBAC9D,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,IAAI,IAAI,CAKrC,CAAC;oBACF,IAAI,CAAC,MAAM,CAAC,OAAO,IAAI,CAAC,MAAM,CAAC,KAAK,IAAI,CAAC,MAAM,CAAC,GAAG,IAAI,CAAC,MAAM,CAAC,SAAS,EAAE,CAAC;wBACzE,GAAG,CAAC,UAAU,GAAG,GAAG,CAAC;wBACrB,GAAG,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,EAAE,IAAI,EAAE,aAAa,EAAE,EAAE,CAAC,CAAC,CAAC;wBAC5E,OAAO;oBACT,CAAC;oBACD,wDAAwD;oBACxD,MAAM,GAAG,GAAG,MAAM,CAAC,IAAI,CAAC,GAAG,MAAM,CAAC,OAAO,KAAK,MAAM,CAAC,KAAK,KAAK,MAAM,CAAC,GAAG,EAAE,EAAE,MAAM,CAAC,CAAC;oBACrF,MAAM,GAAG,GAAG,eAAe,CAAC,EAAE,GAAG,EAAE,IAAI,CAAC,WAAoB,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC,CAAC;oBAC/E,MAAM,EAAE,GAAG,QAAQ,CAAC,IAAI,EAAE,GAAG,EAAE,GAAG,EAAE,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,SAAS,EAAE,WAAW,CAAC,CAAC,CAAC;oBAChF,IAAI,CAAC,EAAE,EAAE,CAAC;wBACR,GAAG,CAAC,UAAU,GAAG,GAAG,CAAC;wBACrB,GAAG,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,EAAE,IAAI,EAAE,mBAAmB,EAAE,EAAE,CAAC,CAAC,CAAC;wBAClF,OAAO;oBACT,CAAC;oBACD,MAAM,KAAK,GAAG,kBAAkB,IAAI,CAAC,GAAG,EAAE,EAAE,CAAC;oBAC7C,MAAM,CAAC,KAAK,GAAG,KAAK,CAAC;oBACrB,GAAG,CAAC,UAAU,GAAG,GAAG,CAAC;oBACrB,GAAG,CAAC,SAAS,CAAC,cAAc,EAAE,kBAAkB,CAAC,CAAC;oBAClD,GAAG,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC;wBACrB,OAAO,EAAE,IAAI;wBACb,IAAI,EAAE;4BACJ,WAAW,EAAE,KAAK;4BAClB,SAAS,EAAE,IAAI,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC,WAAW,EAAE;yBACxE;qBACF,CAAC,CAAC,CAAC;oBACJ,OAAO;gBACT,CAAC;gBAED,GAAG,CAAC,UAAU,GAAG,GAAG,CAAC;gBACrB,GAAG,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,WAAW,EAAE,CAAC,CAAC,CAAC;YAClD,CAAC;YAAC,OAAO,CAAC,EAAE,CAAC;gBACX,GAAG,CAAC,UAAU,GAAG,GAAG,CAAC;gBACrB,GAAG,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,EAAG,CAAW,CAAC,OAAO,EAAE,CAAC,CAAC,CAAC;YAC3D,CAAC;QACH,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,MAAM,IAAI,OAAO,CAAO,CAAC,OAAO,EAAE,EAAE,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,EAAE,WAAW,EAAE,OAAO,CAAC,CAAC,CAAC;IAC7E,MAAM,IAAI,GAAG,MAAM,CAAC,OAAO,EAAE,CAAC;IAC9B,IAAI,CAAC,IAAI,IAAI,OAAO,IAAI,KAAK,QAAQ;QAAE,MAAM,IAAI,KAAK,CAAC,gBAAgB,CAAC,CAAC;IACzE,MAAM,GAAG,GAAG,oBAAoB,IAAI,CAAC,IAAI,EAAE,CAAC;IAC5C,OAAO;QACL,GAAG;QACH,IAAI,EAAE,GAAG,EAAE,CACT,IAAI,OAAO,CAAO,CAAC,OAAO,EAAE,EAAE;YAC5B,MAAM,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,OAAO,EAAE,CAAC,CAAC;QAChC,CAAC,CAAC;QACJ,IAAI,UAAU;YACZ,OAAO,MAAM,CAAC,KAAK,IAAI,SAAS,CAAC;QACnC,CAAC;KACF,CAAC;AACJ,CAAC;AAED,QAAQ,CAAC,YAAY,EAAE,GAAG,EAAE;IAC1B,EAAE,CAAC,0CAA0C,EAAE,KAAK,IAAI,EAAE;QACxD,MAAM,MAAM,GAAG,MAAM,UAAU,CAAC;YAC9B,MAAM,EAAE,gCAAgC;YACxC,OAAO,EAAE,UAAU;YACnB,OAAO,EAAE,aAAa;SACvB,CAAC,CAAC;QACH,MAAM,CAAC,MAAM,CAAC,CAAC,QAAQ,EAAE,CAAC;IAC5B,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,4DAA4D,EAAE,KAAK,IAAI,EAAE;QAC1E,mCAAmC;QACnC,MAAM,GAAG,GAAG,MAAM,sBAAsB,CAAC;YACvC,MAAM,EAAE,YAAY;YACpB,OAAO,EAAE,aAAa;YACtB,OAAO,EAAE,UAAU;SACpB,CAAC,CAAC;QACH,6DAA6D;QAC7D,MAAM,GAAG,GAAG,MAAM,YAAY,CAAC,EAAE,WAAW,EAAE,GAAG,CAAC,YAAY,EAAE,CAAC,CAAC;QAClE,IAAI,CAAC;YACH,wCAAwC;YACxC,MAAM,MAAM,GAAG,MAAM,UAAU,CAAC;gBAC9B,MAAM,EAAE,GAAG,CAAC,GAAG;gBACf,OAAO,EAAE,UAAU;gBACnB,OAAO,EAAE,aAAa;aACvB,CAAC,CAAC;YACH,MAAM,CAAC,MAAM,CAAC,CAAC,GAAG,CAAC,QAAQ,EAAE,CAAC;YAC9B,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;YAC1C,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC;YAC5C,MAAM,CAAC,MAAM,EAAE,SAAS,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;YACxC,MAAM,CAAC,MAAM,EAAE,KAAK,CAAC,CAAC,OAAO,CAAC,kBAAkB,CAAC,CAAC;YAClD,MAAM,CAAC,MAAM,EAAE,SAAS,CAAC,CAAC,WAAW,EAAE,CAAC;QAC1C,CAAC;gBAAS,CAAC;YACT,MAAM,GAAG,CAAC,IAAI,EAAE,CAAC;QACnB,CAAC;IACH,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,4EAA4E,EAAE,KAAK,IAAI,EAAE;QAC1F,sEAAsE;QACtE,MAAM,SAAS,GAAG,MAAM,sBAAsB,CAAC;YAC7C,MAAM,EAAE,YAAY;YACpB,OAAO,EAAE,aAAa;YACtB,OAAO,EAAE,UAAU;SACpB,CAAC,CAAC;QACH,wEAAwE;QACxE,MAAM,OAAO,GAAG,WAAW,CAAC,IAAI,CAAC,MAAM,EAAE,EAAE,qBAAqB,CAAC,CAAC,CAAC;QACnE,MAAM,SAAS,GAAG,MAAM,sBAAsB,CAAC;YAC7C,MAAM,EAAE,YAAY;YACpB,OAAO,EAAE,aAAa;YACtB,OAAO,EAAE,OAAO;SACjB,CAAC,CAAC;QACH,4EAA4E;QAC5E,KAAK,SAAS,CAAC;QACf,MAAM,CAAC,OAAO,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC;QAElD,MAAM,GAAG,GAAG,MAAM,YAAY,CAAC,EAAE,WAAW,EAAE,SAAS,CAAC,YAAY,EAAE,CAAC,CAAC;QACxE,IAAI,CAAC;YACH,MAAM,MAAM,CACV,UAAU,CAAC;gBACT,MAAM,EAAE,GAAG,CAAC,GAAG;gBACf,OAAO,EAAE,UAAU;gBACnB,OAAO,EAAE,aAAa;aACvB,CAAC,CACH,CAAC,OAAO,CAAC,OAAO,EAAE,CAAC;QACtB,CAAC;gBAAS,CAAC;YACT,MAAM,GAAG,CAAC,IAAI,EAAE,CAAC;QACnB,CAAC;IACH,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,8DAA8D,EAAE,KAAK,IAAI,EAAE;QAC5E,2DAA2D;QAC3D,MAAM,GAAG,GAAG,MAAM,sBAAsB,CAAC;YACvC,MAAM,EAAE,YAAY;YACpB,OAAO,EAAE,aAAa;YACtB,OAAO,EAAE,UAAU;SACpB,CAAC,CAAC;QACH,MAAM,GAAG,GAAG,MAAM,YAAY,CAAC,EAAE,WAAW,EAAE,GAAG,CAAC,YAAY,EAAE,CAAC,CAAC;QAClE,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,MAAM,UAAU,CAAC;gBAC9B,MAAM,EAAE,GAAG,CAAC,GAAG;gBACf,OAAO,EAAE,UAAU;aACpB,CAAC,CAAC;YACH,MAAM,CAAC,MAAM,CAAC,CAAC,GAAG,CAAC,QAAQ,EAAE,CAAC;YAC9B,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC;QAC9C,CAAC;gBAAS,CAAC;YACT,MAAM,GAAG,CAAC,IAAI,EAAE,CAAC;QACnB,CAAC;IACH,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,8EAA8E;AAC9E,iEAAiE;AACjE,8EAA8E;AAE9E,QAAQ,CAAC,0BAA0B,EAAE,GAAG,EAAE;IACxC,EAAE,CAAC,wDAAwD,EAAE,KAAK,IAAI,EAAE;QACtE,MAAM,GAAG,GAAG,MAAM,sBAAsB,CAAC;YACvC,MAAM,EAAE,YAAY;YACpB,OAAO,EAAE,aAAa;YACtB,OAAO,EAAE,UAAU;SACpB,CAAC,CAAC;QAEH,kEAAkE;QAClE,mEAAmE;QACnE,4CAA4C;QAC5C,MAAM,GAAG,GAAG,MAAM,YAAY,CAAC,EAAE,WAAW,EAAE,GAAG,CAAC,YAAY,EAAE,CAAC,CAAC;QAClE,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,MAAM,UAAU,CAAC;gBAC9B,MAAM,EAAE,GAAG,CAAC,GAAG;gBACf,OAAO,EAAE,UAAU;gBACnB,OAAO,EAAE,aAAa;aACvB,CAAC,CAAC;YACH,MAAM,CAAC,MAAM,CAAC,CAAC,GAAG,CAAC,QAAQ,EAAE,CAAC;QAChC,CAAC;gBAAS,CAAC;YACT,MAAM,GAAG,CAAC,IAAI,EAAE,CAAC;QACnB,CAAC;QACD,wCAAwC;QACxC,MAAM,IAAI,GAAG,gBAAgB,CAAC;YAC5B,GAAG,EAAE,EAAE,GAAG,EAAE,KAAK,EAAE,GAAG,EAAE,SAAS,EAAE,CAAC,EAAE,GAAG,CAAC,YAAY,CAAC,CAAC,EAAE,CAAC,EAAE,GAAG,CAAC,UAAU,EAAW;YACtF,MAAM,EAAE,KAAK;SACd,CAAC,CAAC;QACH,MAAM,CAAC,IAAI,CAAC,CAAC,WAAW,EAAE,CAAC;IAC7B,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}

package/dist/cli/enable-key-auth.d.ts

@@ -0,0 +1 @@
+export {};

package/dist/cli/enable-key-auth.js

@@ -0,0 +1,131 @@
+/**
+ * `aismemory enable-key-auth` — one-shot enrollment for DID-based auth.
+ *
+ * Generates an Ed25519 keypair on the user's device, registers the public
+ * key with AIS, and writes the private key to `~/.aismemory/keys/`. After
+ * this runs once per device, every subsequent aismemory session authenticates
+ * silently with the key — no browser, no activation URL.
+ *
+ * Bootstrap requirements: the user needs a working bearer token from the
+ * existing device-flow credentials file (`~/.aismemory/credentials.json`).
+ * If absent, we tell them to run a normal aismemory session once first.
+ *
+ * Usage:
+ *   npx aismemory enable-key-auth
+ *   AIS_URL=https://other.example.com npx aismemory enable-key-auth
+ *
+ * Exit codes:
+ *   0 — key registered + saved
+ *   1 — bootstrap credentials missing or registration failed
+ */
+import { readFileSync, existsSync } from 'node:fs';
+import { join } from 'node:path';
+import { homedir } from 'node:os';
+import { generateAndSaveKeypair } from '../key-auth.js';
+const PREFIX = '[aismemory enable-key-auth]';
+function loadBootstrapCreds() {
+    const path = join(homedir(), '.aismemory', 'credentials.json');
+    if (!existsSync(path))
+        return null;
+    try {
+        return JSON.parse(readFileSync(path, 'utf-8'));
+    }
+    catch {
+        return null;
+    }
+}
+/**
+ * Decode a JWT payload WITHOUT verifying the signature. We trust the token
+ * because it came from our own credentials file — we just need its claims
+ * to know who we are.
+ */
+function decodeJwtPayload(token) {
+    const parts = token.split('.');
+    if (parts.length !== 3)
+        throw new Error('Malformed JWT');
+    const json = Buffer.from(parts[1], 'base64url').toString('utf-8');
+    return JSON.parse(json);
+}
+function log(msg) {
+    process.stderr.write(`${PREFIX} ${msg}\n`);
+}
+async function main() {
+    const aisUrl = process.env['AIS_URL'] ?? 'https://ais.agentsandswarms.ai';
+    // 1. Find a bootstrap bearer token.
+    const creds = loadBootstrapCreds();
+    if (!creds) {
+        log('No bootstrap credentials found at ~/.aismemory/credentials.json');
+        log('Run `npx aismemory` first (and complete the bond URL) to get an initial token,');
+        log('then re-run this command.');
+        process.exit(1);
+    }
+    if (new Date(creds.expiresAt) <= new Date()) {
+        log('Bootstrap credentials at ~/.aismemory/credentials.json have expired.');
+        log('Run `npx aismemory` once to refresh them, then re-run this command.');
+        process.exit(1);
+    }
+    // 2. Extract userId from the JWT.
+    let payload;
+    try {
+        payload = decodeJwtPayload(creds.token);
+    }
+    catch (err) {
+        log(`Failed to decode bootstrap JWT: ${err.message}`);
+        process.exit(1);
+    }
+    const userId = payload.user_id ?? payload.sub;
+    if (!userId) {
+        log('Bootstrap JWT does not carry a user_id claim. This token may be agent-only —');
+        log('claim your agent to a user account first, then re-run.');
+        process.exit(1);
+    }
+    // Derive the userDid. The domain is the host portion of AIS_URL — strip
+    // the protocol so the resulting DID matches what AIS computes server-side.
+    const aisHost = new URL(aisUrl).host;
+    const userDid = `did:web:${aisHost}:users:${userId}`;
+    log(`AIS URL  : ${aisUrl}`);
+    log(`userId   : ${userId}`);
+    log(`userDid  : ${userDid}`);
+    // 3. Generate keypair + write to disk.
+    const label = `${process.env['USER'] ?? 'user'}-${process.platform}`;
+    log('Generating Ed25519 keypair…');
+    const keyFile = await generateAndSaveKeypair({ userId, userDid });
+    // 4. POST public key to AIS.
+    log('Registering public key with AIS…');
+    const res = await fetch(`${aisUrl}/v1/users/me/keys`, {
+        method: 'POST',
+        headers: {
+            'Content-Type': 'application/json',
+            Authorization: `Bearer ${creds.token}`,
+        },
+        body: JSON.stringify({
+            publicKey: keyFile.publicKeyJwk,
+            label,
+        }),
+    });
+    const body = (await res.json().catch(() => ({})));
+    if (!res.ok || !body.success) {
+        // Special-case: 409 = key already registered. Treat as success since we
+        // still wrote the file locally and the server already knows about us.
+        if (res.status === 409) {
+            log('Public key was already registered (server says 409 — duplicate).');
+            log('Local key file is up to date; no further action needed.');
+            process.exit(0);
+        }
+        log(`Failed to register key: HTTP ${res.status} ${body.error?.code ?? ''} ${body.error?.message ?? ''}`);
+        process.exit(1);
+    }
+    log('✓ Public key registered with AIS');
+    log(`  key id : ${body.data?.id ?? '<unknown>'}`);
+    log(`  label  : ${label}`);
+    log('');
+    log('Done. Future aismemory sessions will authenticate silently with this key.');
+    log(`Private key lives at ~/.aismemory/keys/${userDid}.json (mode 0600).`);
+    log('Treat it like an SSH private key — back it up, do not share.');
+    process.exit(0);
+}
+main().catch((err) => {
+    log(`Fatal: ${err instanceof Error ? err.message : String(err)}`);
+    process.exit(1);
+});
+//# sourceMappingURL=enable-key-auth.js.map

package/dist/cli/enable-key-auth.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"enable-key-auth.js","sourceRoot":"","sources":["../../src/cli/enable-key-auth.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;GAmBG;AACH,OAAO,EAAE,YAAY,EAAE,UAAU,EAAE,MAAM,SAAS,CAAC;AACnD,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AACjC,OAAO,EAAE,OAAO,EAAE,MAAM,SAAS,CAAC;AAElC,OAAO,EAAE,sBAAsB,EAAE,MAAM,gBAAgB,CAAC;AAExD,MAAM,MAAM,GAAG,6BAA6B,CAAC;AAuB7C,SAAS,kBAAkB;IACzB,MAAM,IAAI,GAAG,IAAI,CAAC,OAAO,EAAE,EAAE,YAAY,EAAE,kBAAkB,CAAC,CAAC;IAC/D,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC;QAAE,OAAO,IAAI,CAAC;IACnC,IAAI,CAAC;QACH,OAAO,IAAI,CAAC,KAAK,CAAC,YAAY,CAAC,IAAI,EAAE,OAAO,CAAC,CAAmB,CAAC;IACnE,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED;;;;GAIG;AACH,SAAS,gBAAgB,CAAC,KAAa;IACrC,MAAM,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IAC/B,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC;QAAE,MAAM,IAAI,KAAK,CAAC,eAAe,CAAC,CAAC;IACzD,MAAM,IAAI,GAAG,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAE,EAAE,WAAW,CAAC,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC;IACnE,OAAO,IAAI,CAAC,KAAK,CAAC,IAAI,CAAe,CAAC;AACxC,CAAC;AAED,SAAS,GAAG,CAAC,GAAW;IACtB,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,GAAG,MAAM,IAAI,GAAG,IAAI,CAAC,CAAC;AAC7C,CAAC;AAED,KAAK,UAAU,IAAI;IACjB,MAAM,MAAM,GAAG,OAAO,CAAC,GAAG,CAAC,SAAS,CAAC,IAAI,gCAAgC,CAAC;IAE1E,oCAAoC;IACpC,MAAM,KAAK,GAAG,kBAAkB,EAAE,CAAC;IACnC,IAAI,CAAC,KAAK,EAAE,CAAC;QACX,GAAG,CAAC,iEAAiE,CAAC,CAAC;QACvE,GAAG,CAAC,gFAAgF,CAAC,CAAC;QACtF,GAAG,CAAC,2BAA2B,CAAC,CAAC;QACjC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;IACD,IAAI,IAAI,IAAI,CAAC,KAAK,CAAC,SAAS,CAAC,IAAI,IAAI,IAAI,EAAE,EAAE,CAAC;QAC5C,GAAG,CAAC,sEAAsE,CAAC,CAAC;QAC5E,GAAG,CAAC,qEAAqE,CAAC,CAAC;QAC3E,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;IAED,kCAAkC;IAClC,IAAI,OAAmB,CAAC;IACxB,IAAI,CAAC;QACH,OAAO,GAAG,gBAAgB,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC;IAC1C,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,GAAG,CAAC,mCAAoC,GAAa,CAAC,OAAO,EAAE,CAAC,CAAC;QACjE,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;IACD,MAAM,MAAM,GAAG,OAAO,CAAC,OAAO,IAAI,OAAO,CAAC,GAAG,CAAC;IAC9C,IAAI,CAAC,MAAM,EAAE,CAAC;QACZ,GAAG,CAAC,8EAA8E,CAAC,CAAC;QACpF,GAAG,CAAC,wDAAwD,CAAC,CAAC;QAC9D,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;IAED,wEAAwE;IACxE,2EAA2E;IAC3E,MAAM,OAAO,GAAG,IAAI,GAAG,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC;IACrC,MAAM,OAAO,GAAG,WAAW,OAAO,UAAU,MAAM,EAAE,CAAC;IAErD,GAAG,CAAC,cAAc,MAAM,EAAE,CAAC,CAAC;IAC5B,GAAG,CAAC,cAAc,MAAM,EAAE,CAAC,CAAC;IAC5B,GAAG,CAAC,cAAc,OAAO,EAAE,CAAC,CAAC;IAE7B,uCAAuC;IACvC,MAAM,KAAK,GAAG,GAAG,OAAO,CAAC,GAAG,CAAC,MAAM,CAAC,IAAI,MAAM,IAAI,OAAO,CAAC,QAAQ,EAAE,CAAC;IACrE,GAAG,CAAC,6BAA6B,CAAC,CAAC;IACnC,MAAM,OAAO,GAAG,MAAM,sBAAsB,CAAC,EAAE,MAAM,EAAE,OAAO,EAAE,CAAC,CAAC;IAElE,6BAA6B;IAC7B,GAAG,CAAC,kCAAkC,CAAC,CAAC;IACxC,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,GAAG,MAAM,mBAAmB,EAAE;QACpD,MAAM,EAAE,MAAM;QACd,OAAO,EAAE;YACP,cAAc,EAAE,kBAAkB;YAClC,aAAa,EAAE,UAAU,KAAK,CAAC,KAAK,EAAE;SACvC;QACD,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC;YACnB,SAAS,EAAE,OAAO,CAAC,YAAY;YAC/B,KAAK;SACN,CAAC;KACH,CAAC,CAAC;IACH,MAAM,IAAI,GAAG,CAAC,MAAM,GAAG,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,CAAC,EAAE,CAAC,CAAC,CAAwB,CAAC;IACzE,IAAI,CAAC,GAAG,CAAC,EAAE,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,CAAC;QAC7B,wEAAwE;QACxE,sEAAsE;QACtE,IAAI,GAAG,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC;YACvB,GAAG,CAAC,kEAAkE,CAAC,CAAC;YACxE,GAAG,CAAC,yDAAyD,CAAC,CAAC;YAC/D,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAClB,CAAC;QACD,GAAG,CACD,gCAAgC,GAAG,CAAC,MAAM,IAAI,IAAI,CAAC,KAAK,EAAE,IAAI,IAAI,EAAE,IAAI,IAAI,CAAC,KAAK,EAAE,OAAO,IAAI,EAAE,EAAE,CACpG,CAAC;QACF,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;IAED,GAAG,CAAC,kCAAkC,CAAC,CAAC;IACxC,GAAG,CAAC,cAAc,IAAI,CAAC,IAAI,EAAE,EAAE,IAAI,WAAW,EAAE,CAAC,CAAC;IAClD,GAAG,CAAC,cAAc,KAAK,EAAE,CAAC,CAAC;IAC3B,GAAG,CAAC,EAAE,CAAC,CAAC;IACR,GAAG,CAAC,2EAA2E,CAAC,CAAC;IACjF,GAAG,CAAC,0CAA0C,OAAO,oBAAoB,CAAC,CAAC;IAC3E,GAAG,CAAC,8DAA8D,CAAC,CAAC;IACpE,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;AAClB,CAAC;AAED,IAAI,EAAE,CAAC,KAAK,CAAC,CAAC,GAAY,EAAE,EAAE;IAC5B,GAAG,CAAC,UAAU,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;IAClE,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;AAClB,CAAC,CAAC,CAAC"}

package/dist/index.js

@@ -9,6 +9,7 @@
  */
 import { Server } from '@modelcontextprotocol/sdk/server/index.js';
 import { StdioServerTransport } from '@modelcontextprotocol/sdk/server/stdio.js';
+import { tryKeyAuth } from './key-auth.js';
 import { CallToolRequestSchema, GetPromptRequestSchema, ListPromptsRequestSchema, ListToolsRequestSchema, } from '@modelcontextprotocol/sdk/types.js';
 import { readFileSync, writeFileSync, mkdirSync, existsSync } from 'fs';
 import { join } from 'path';
@@ -170,14 +171,24 @@ async function startDeviceFlow() {
     stderr(`  Code     : ${user_code}`);
     stderr('━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━');
     const poll = pollForToken(device_code, interval, agent_id, provisional_tenant_id);
-    return {
+    const flow = {
         device_code,
         user_code,
         verification_uri_complete,
         agent_id,
         provisional_tenant_id,
         poll,
+        dead: false,
     };
+    // Mark the flow dead as soon as its poll rejects so the next
+    // `ensureCredentials` call starts a fresh flow. The `.catch` here is purely
+    // for state-tracking — the original rejection is still observed by callers
+    // racing `flow.poll`. We swallow on this branch to suppress unhandled
+    // rejection warnings between rejection and the next ensureCredentials call.
+    poll.catch(() => {
+        flow.dead = true;
+    });
+    return flow;
 }
 async function pollForToken(device_code, interval, agent_id, provisional_tenant_id) {
     const pollInterval = Math.max(interval, 5) * 1000;
@@ -284,7 +295,30 @@ const tools = [
     },
 ];
 // ── MCP Server ──────────────────────────────────────────
+/**
+ * Decode the user_id + tenant_id claims from a (presumed valid) JWT without
+ * verifying the signature. Used to derive bootstrap context after a successful
+ * key-auth handshake — we trust the token because the server just minted it.
+ */
+function decodeJwtClaims(token) {
+    const parts = token.split('.');
+    if (parts.length !== 3)
+        return {};
+    try {
+        const payload = JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf-8'));
+        return { userId: payload.user_id ?? payload.sub, tenantId: payload.tenant_id };
+    }
+    catch {
+        return {};
+    }
+}
 async function main() {
+    // Subcommand dispatch — `aismemory enable-key-auth` runs the enrollment
+    // CLI and exits, never touching the MCP server. Other subcommands TBD.
+    if (process.argv[2] === 'enable-key-auth') {
+        await import('./cli/enable-key-auth.js');
+        return; // CLI calls process.exit() itself
+    }
     // Lazy-auth state. We connect the MCP transport before the user has approved
     // the device flow so Claude Code's 30s connection timeout is not blocked on
     // human approval. The first tool call surfaces the bond URL via its result.
@@ -292,22 +326,68 @@ async function main() {
     let activeFlow = null;
     let postAuthDone = false;
     // Created here so `agent_load` and post-auth setup can reference it via closure.
-    const server = new Server({ name: 'aismemory', version: '0.4.0' }, { capabilities: { tools: {}, prompts: {} } });
+    const server = new Server({ name: 'aismemory', version: '0.5.0' }, { capabilities: { tools: {}, prompts: {} } });
     /**
      * Wait briefly for the in-flight device-flow poll to complete. If the user
      * has already approved, this returns the fresh credentials. If not, throws
      * BondPendingError so the calling tool returns the bond URL to the agent.
+     *
+     * Recovery: if the previous flow's poll rejected (expired_token,
+     * access_denied, 30-min deadline, etc.), the dead flow is discarded and a
+     * new device flow is started inline — the user gets a fresh bond URL on
+     * the next tool call without having to restart the MCP process.
      */
     async function ensureCredentials(softTimeoutMs = 7000) {
         if (creds)
             return creds;
-        if (!activeFlow)
+        // ── Key auth (Phase 1 DID auth) ───────────────────────────────────────
+        // If the user has enrolled a private key for this device, sign a
+        // server-issued challenge and skip the device-flow ceremony entirely.
+        // tryKeyAuth() returns null if no key file is present (clean fallback
+        // to device flow) and throws only on real failures (e.g. server says
+        // INVALID_SIGNATURE). On throw we log and continue to device flow —
+        // device flow is the recovery path for "user wiped their key file".
+        try {
+            const keyResult = await tryKeyAuth({ aisUrl: AIS_URL });
+            if (keyResult) {
+                const claims = decodeJwtClaims(keyResult.token);
+                const tenantId = claims.tenantId ?? '';
+                const resolved = await resolveAgent(keyResult.token, '', tenantId);
+                creds = {
+                    token: keyResult.token,
+                    agentId: resolved.agentId,
+                    tenantId: resolved.tenantId || tenantId,
+                    expiresAt: keyResult.expiresAt,
+                };
+                saveCredentials(creds);
+                stderr('Authenticated via DID key auth (no browser required)');
+                if (!postAuthDone) {
+                    postAuthDone = true;
+                    void runPostAuth(creds);
+                }
+                return creds;
+            }
+        }
+        catch (err) {
+            stderr(`Key auth failed: ${err instanceof Error ? err.message : String(err)}. Falling back to device flow.`);
+        }
+        if (!activeFlow || activeFlow.dead) {
             activeFlow = await startDeviceFlow();
+        }
         const sentinel = Symbol('bond-pending');
-        const got = await Promise.race([
-            activeFlow.poll,
-            new Promise((r) => setTimeout(() => r(sentinel), softTimeoutMs)),
-        ]);
+        let got;
+        try {
+            got = await Promise.race([
+                activeFlow.poll,
+                new Promise((r) => setTimeout(() => r(sentinel), softTimeoutMs)),
+            ]);
+        }
+        catch {
+            // Poll rejected (deadline / expired / denied). Start a fresh flow
+            // immediately and surface its new bond URL — no restart required.
+            activeFlow = await startDeviceFlow();
+            throw new BondPendingError(activeFlow.verification_uri_complete, activeFlow.user_code);
+        }
         if (got === sentinel) {
             throw new BondPendingError(activeFlow.verification_uri_complete, activeFlow.user_code);
         }

package/dist/index.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":";AACA;;;;;;;GAOG;AAEH,OAAO,EAAE,MAAM,EAAE,MAAM,2CAA2C,CAAC;AACnE,OAAO,EAAE,oBAAoB,EAAE,MAAM,2CAA2C,CAAC;AACjF,OAAO,EACL,qBAAqB,EACrB,sBAAsB,EACtB,wBAAwB,EACxB,sBAAsB,GAEvB,MAAM,oCAAoC,CAAC;AAC5C,OAAO,EAAE,YAAY,EAAE,aAAa,EAAE,SAAS,EAAE,UAAU,EAAE,MAAM,IAAI,CAAC;AACxE,OAAO,EAAE,IAAI,EAAE,MAAM,MAAM,CAAC;AAC5B,OAAO,EAAE,OAAO,EAAE,MAAM,IAAI,CAAC;AAC7B,OAAO,EAAE,eAAe,EAAE,MAAM,gBAAgB,CAAC;AACjD,OAAO,EAAE,cAAc,EAAE,MAAM,sBAAsB,CAAC;AACtD,OAAO,EAAE,iBAAiB,EAAE,gBAAgB,EAAE,MAAM,cAAc,CAAC;AACnE,OAAO,EAAE,eAAe,EAAE,gBAAgB,EAAE,MAAM,mBAAmB,CAAC;AAGtE,2DAA2D;AAE3D,MAAM,OAAO,GAAG,OAAO,CAAC,GAAG,CAAC,SAAS,CAAC,IAAI,gCAAgC,CAAC;AAC3E,MAAM,SAAS,GAAG,IAAI,CAAC,OAAO,EAAE,EAAE,YAAY,CAAC,CAAC;AAChD,MAAM,UAAU,GAAG,IAAI,CAAC,SAAS,EAAE,kBAAkB,CAAC,CAAC;AASvD,2DAA2D;AAE3D,SAAS,eAAe;IACtB,IAAI,CAAC;QACH,IAAI,CAAC,UAAU,CAAC,UAAU,CAAC;YAAE,OAAO,IAAI,CAAC;QACzC,MAAM,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,YAAY,CAAC,UAAU,EAAE,OAAO,CAAC,CAAgB,CAAC;QAC1E,IAAI,IAAI,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,IAAI,IAAI,IAAI,EAAE,EAAE,CAAC;YAC3C,MAAM,CAAC,iDAAiD,CAAC,CAAC;YAC1D,OAAO,IAAI,CAAC;QACd,CAAC;QACD,OAAO,IAAI,CAAC;IACd,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED,SAAS,eAAe,CAAC,KAAkB;IACzC,SAAS,CAAC,SAAS,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IAC1C,aAAa,CAAC,UAAU,EAAE,IAAI,CAAC,SAAS,CAAC,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC;AAC5D,CAAC;AAED,2DAA2D;AAE3D,SAAS,MAAM,CAAC,GAAW;IACzB,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,eAAe,GAAG,IAAI,CAAC,CAAC;AAC/C,CAAC;AAED,KAAK,UAAU,OAAO,CAAC,IAAY,EAAE,IAAa,EAAE,KAAc;IAChE,MAAM,OAAO,GAA2B,EAAE,cAAc,EAAE,kBAAkB,EAAE,CAAC;IAC/E,IAAI,KAAK;QAAE,OAAO,CAAC,eAAe,CAAC,GAAG,UAAU,KAAK,EAAE,CAAC;IACxD,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,GAAG,OAAO,GAAG,IAAI,EAAE,EAAE;QAC3C,MAAM,EAAE,MAAM;QACd,OAAO;QACP,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC;KAC3B,CAAC,CAAC;IACH,OAAO,GAAG,CAAC,IAAI,EAAE,CAAC;AACpB,CAAC;AAED,KAAK,UAAU,MAAM,CAAC,IAAY,EAAE,KAAa;IAC/C,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,GAAG,OAAO,GAAG,IAAI,EAAE,EAAE;QAC3C,OAAO,EAAE,EAAE,eAAe,EAAE,UAAU,KAAK,EAAE,EAAE;KAChD,CAAC,CAAC;IACH,OAAO,GAAG,CAAC,IAAI,EAAE,CAAC;AACpB,CAAC;AA2CD,KAAK,UAAU,mBAAmB,CAAC,KAAa,EAAE,KAAa;IAC7D,MAAM,UAAU,GAAG,CAAC,MAAM,MAAM,CAAC,qBAAqB,kBAAkB,CAAC,KAAK,CAAC,EAAE,EAAE,KAAK,CAAC,CAAyB,CAAC;IACnH,IAAI,UAAU,CAAC,IAAI,EAAE,MAAM,KAAK,UAAU,IAAI,UAAU,CAAC,IAAI,CAAC,KAAK,EAAE,CAAC;QACpE,OAAO,UAAU,CAAC,IAAI,CAAC,KAAK,CAAC;IAC/B,CAAC;IACD,IAAI,UAAU,CAAC,IAAI,EAAE,MAAM,KAAK,WAAW,EAAE,CAAC;QAC5C,MAAM,GAAG,GAAG,UAAU,CAAC,IAAI,CAAC,OAAO,EAAE,GAAG,CAAC,CAAC,EAAE,EAAE,EAAE,CAAC,EAAE,CAAC,EAAE,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,QAAQ,CAAC;QAC/E,MAAM,IAAI,KAAK,CAAC,UAAU,CAAC,IAAI,CAAC,OAAO,IAAI,sCAAsC,KAAK,WAAW,GAAG,qCAAqC,CAAC,CAAC;IAC7I,CAAC;IACD,IAAI,UAAU,CAAC,IAAI,EAAE,MAAM,KAAK,WAAW,EAAE,CAAC;QAC5C,MAAM,SAAS,GAAG,UAAU,CAAC,IAAI,CAAC,SAAS,EAAE,GAAG,CAAC,CAAC,EAAE,EAAE,EAAE,CAAC,EAAE,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAC7E,MAAM,IAAI,KAAK,CAAC,UAAU,CAAC,IAAI,CAAC,OAAO,IAAI,+BAA+B,KAAK,gCAAgC,SAAS,IAAI,QAAQ,EAAE,CAAC,CAAC;IAC1I,CAAC;IAED,MAAM,OAAO,GAAG,CAAC,MAAM,MAAM,CAAC,YAAY,EAAE,KAAK,CAAC,CAAsB,CAAC;IACzE,MAAM,MAAM,GAAG,OAAO,CAAC,IAAI,EAAE,MAAM,IAAI,EAAE,CAAC;IAC1C,MAAM,OAAO,GAAG,MAAM,CAAC,MAAM,CAC3B,CAAC,EAAE,EAAE,EAAE,CAAC,EAAE,CAAC,IAAI,CAAC,WAAW,EAAE,KAAK,KAAK,CAAC,WAAW,EAAE,IAAI,EAAE,CAAC,EAAE,KAAK,KAAK,CACzE,CAAC;IACF,IAAI,OAAO,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACzB,MAAM,SAAS,GAAG,MAAM,CAAC,GAAG,CAAC,CAAC,EAAE,EAAE,EAAE,CAAC,EAAE,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACzD,MAAM,IAAI,KAAK,CACb,+BAA+B,KAAK,gCAAgC,SAAS,IAAI,QAAQ,EAAE,CAC5F,CAAC;IACJ,CAAC;IACD,IAAI,OAAO,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACvB,MAAM,IAAI,KAAK,CACb,sCAAsC,KAAK,WAAW,OAAO;aAC1D,GAAG,CAAC,CAAC,EAAE,EAAE,EAAE,CAAC,EAAE,CAAC,EAAE,CAAC;aAClB,IAAI,CAAC,IAAI,CAAC,qCAAqC,CACnD,CAAC;IACJ,CAAC;IACD,OAAO,OAAO,CAAC,CAAC,CAAE,CAAC;AACrB,CAAC;AAED;;;;GAIG;AACH,KAAK,UAAU,YAAY,CAAC,KAAa,EAAE,eAAuB,EAAE,gBAAwB;IAC1F,wCAAwC;IACxC,MAAM,UAAU,GAAG,OAAO,CAAC,GAAG,CAAC,cAAc,CAAC,CAAC;IAC/C,IAAI,UAAU,EAAE,CAAC;QACf,MAAM,CAAC,kCAAkC,UAAU,EAAE,CAAC,CAAC;QACvD,OAAO,EAAE,OAAO,EAAE,UAAU,EAAE,QAAQ,EAAE,gBAAgB,EAAE,CAAC;IAC7D,CAAC;IAED,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,MAAM,MAAM,CAAC,YAAY,EAAE,KAAK,CAAsB,CAAC;QACnE,MAAM,MAAM,GAAG,GAAG,CAAC,IAAI,EAAE,MAAM,EAAE,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,MAAM,KAAK,QAAQ,CAAC,IAAI,EAAE,CAAC;QAE5E,IAAI,MAAM,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACxB,MAAM,CAAC,8CAA8C,eAAe,EAAE,CAAC,CAAC;YACxE,OAAO,EAAE,OAAO,EAAE,eAAe,EAAE,QAAQ,EAAE,gBAAgB,EAAE,CAAC;QAClE,CAAC;QAED,0CAA0C;QAC1C,MAAM,OAAO,GAAG,OAAO,CAAC,GAAG,CAAC,gBAAgB,CAAC,CAAC;QAC9C,IAAI,OAAO,EAAE,CAAC;YACZ,MAAM,KAAK,GAAG,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,WAAW,EAAE,KAAK,OAAO,CAAC,WAAW,EAAE,CAAC,CAAC;YACjF,IAAI,KAAK,EAAE,CAAC;gBACV,MAAM,CAAC,gBAAgB,KAAK,CAAC,IAAI,4BAA4B,CAAC,CAAC;gBAC/D,OAAO,EAAE,OAAO,EAAE,KAAK,CAAC,EAAE,EAAE,QAAQ,EAAE,gBAAgB,EAAE,CAAC;YAC3D,CAAC;YACD,MAAM,CAAC,4BAA4B,OAAO,2BAA2B,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QAC/G,CAAC;QAED,+BAA+B;QAC/B,MAAM,MAAM,GAAG,MAAM,CAAC,CAAC,CAAE,CAAC;QAC1B,MAAM,CAAC,gCAAgC,MAAM,CAAC,IAAI,MAAM,MAAM,CAAC,EAAE,GAAG,CAAC,CAAC;QACtE,IAAI,MAAM,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACtB,MAAM,CAAC,YAAY,MAAM,CAAC,MAAM,wDAAwD,CAAC,CAAC;YAC1F,KAAK,MAAM,CAAC,IAAI,MAAM,EAAE,CAAC;gBACvB,MAAM,CAAC,OAAO,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC;YAC1B,CAAC;QACH,CAAC;QACD,OAAO,EAAE,OAAO,EAAE,MAAM,CAAC,EAAE,EAAE,QAAQ,EAAE,gBAAgB,EAAE,CAAC;IAC5D,CAAC;IAAC,MAAM,CAAC;QACP,MAAM,CAAC,2CAA2C,eAAe,EAAE,CAAC,CAAC;QACrE,OAAO,EAAE,OAAO,EAAE,eAAe,EAAE,QAAQ,EAAE,gBAAgB,EAAE,CAAC;IAClE,CAAC;AACH,CAAC;AAED;;;;GAIG;AACH,MAAM,gBAAiB,SAAQ,KAAK;IAEN;IAAyC;IAD5D,WAAW,GAAG,IAAI,CAAC;IAC5B,YAA4B,eAAuB,EAAkB,QAAgB;QACnF,KAAK,CACH,2BAA2B;YACzB,UAAU,eAAe,IAAI;YAC7B,SAAS,QAAQ,MAAM;YACvB,iFAAiF,CACpF,CAAC;QANwB,oBAAe,GAAf,eAAe,CAAQ;QAAkB,aAAQ,GAAR,QAAQ,CAAQ;QAOnF,IAAI,CAAC,IAAI,GAAG,kBAAkB,CAAC;IACjC,CAAC;CACF;AAYD,KAAK,UAAU,eAAe;IAC5B,MAAM,CAAC,4BAA4B,CAAC,CAAC;IAErC,MAAM,OAAO,GAAG,CAAC,MAAM,OAAO,CAAC,4BAA4B,EAAE;QAC3D,IAAI,EAAE,SAAS,OAAO,EAAE,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,IAAI,MAAM,EAAE;KACtD,CAAC,CAAuB,CAAC;IAE1B,IAAI,CAAC,OAAO,CAAC,OAAO,IAAI,CAAC,OAAO,CAAC,IAAI,EAAE,CAAC;QACtC,MAAM,IAAI,KAAK,CAAC,0BAA0B,OAAO,CAAC,KAAK,EAAE,OAAO,IAAI,eAAe,EAAE,CAAC,CAAC;IACzF,CAAC;IAED,MAAM,EAAE,WAAW,EAAE,SAAS,EAAE,yBAAyB,EAAE,QAAQ,EAAE,QAAQ,EAAE,qBAAqB,EAAE,GAAG,OAAO,CAAC,IAAI,CAAC;IAEtH,MAAM,CAAC,EAAE,CAAC,CAAC;IACX,MAAM,CAAC,wDAAwD,CAAC,CAAC;IACjE,MAAM,CAAC,oCAAoC,CAAC,CAAC;IAC7C,MAAM,CAAC,wDAAwD,CAAC,CAAC;IACjE,MAAM,CAAC,gBAAgB,yBAAyB,EAAE,CAAC,CAAC;IACpD,MAAM,CAAC,gBAAgB,SAAS,EAAE,CAAC,CAAC;IACpC,MAAM,CAAC,wDAAwD,CAAC,CAAC;IAEjE,MAAM,IAAI,GAAG,YAAY,CAAC,WAAW,EAAE,QAAQ,EAAE,QAAQ,EAAE,qBAAqB,CAAC,CAAC;IAElF,OAAO;QACL,WAAW;QACX,SAAS;QACT,yBAAyB;QACzB,QAAQ;QACR,qBAAqB;QACrB,IAAI;KACL,CAAC;AACJ,CAAC;AAED,KAAK,UAAU,YAAY,CACzB,WAAmB,EACnB,QAAgB,EAChB,QAAgB,EAChB,qBAA6B;IAE7B,MAAM,YAAY,GAAG,IAAI,CAAC,GAAG,CAAC,QAAQ,EAAE,CAAC,CAAC,GAAG,IAAI,CAAC;IAClD,MAAM,QAAQ,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC,SAAS;IAEvD,OAAO,IAAI,CAAC,GAAG,EAAE,GAAG,QAAQ,EAAE,CAAC;QAC7B,MAAM,IAAI,OAAO,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,UAAU,CAAC,CAAC,EAAE,YAAY,CAAC,CAAC,CAAC;QAEtD,MAAM,OAAO,GAAG,CAAC,MAAM,OAAO,CAAC,iBAAiB,EAAE,EAAE,WAAW,EAAE,CAAC,CAAsB,CAAC;QAEzF,IAAI,OAAO,CAAC,YAAY,EAAE,CAAC;YACzB,MAAM,SAAS,GAAG,IAAI,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,CAAC,OAAO,CAAC,UAAU,IAAI,MAAM,CAAC,GAAG,IAAI,CAAC,CAAC,WAAW,EAAE,CAAC;YAC7F,MAAM,EAAE,OAAO,EAAE,QAAQ,EAAE,GAAG,MAAM,YAAY,CAAC,OAAO,CAAC,YAAY,EAAE,QAAQ,EAAE,qBAAqB,CAAC,CAAC;YACxG,MAAM,KAAK,GAAgB;gBACzB,KAAK,EAAE,OAAO,CAAC,YAAY;gBAC3B,OAAO;gBACP,QAAQ;gBACR,SAAS;aACV,CAAC;YACF,eAAe,CAAC,KAAK,CAAC,CAAC;YACvB,MAAM,CAAC,6BAA6B,CAAC,CAAC;YACtC,OAAO,KAAK,CAAC;QACf,CAAC;QAED,IAAI,OAAO,CAAC,KAAK,KAAK,uBAAuB;YAAE,SAAS;QACxD,IAAI,OAAO,CAAC,KAAK,KAAK,WAAW,EAAE,CAAC;YAClC,MAAM,IAAI,OAAO,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,UAAU,CAAC,CAAC,EAAE,IAAI,CAAC,CAAC,CAAC;YAC9C,SAAS;QACX,CAAC;QACD,IAAI,OAAO,CAAC,KAAK,KAAK,eAAe;YAAE,MAAM,IAAI,KAAK,CAAC,8BAA8B,CAAC,CAAC;QACvF,IAAI,OAAO,CAAC,KAAK,KAAK,eAAe;YAAE,MAAM,IAAI,KAAK,CAAC,0CAA0C,CAAC,CAAC;IACrG,CAAC;IAED,MAAM,IAAI,KAAK,CAAC,0BAA0B,CAAC,CAAC;AAC9C,CAAC;AAED,IAAI,YAAY,GAAwB,IAAI,CAAC;AAC7C,MAAM,eAAe,GAAG,IAAI,eAAe,EAAE,CAAC;AAE9C,2DAA2D;AAE3D,MAAM,KAAK,GAAW;IACpB;QACE,IAAI,EAAE,UAAU;QAChB,WAAW,EAAE,kEAAkE;QAC/E,WAAW,EAAE;YACX,IAAI,EAAE,QAAQ;YACd,UAAU,EAAE;gBACV,OAAO,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE,WAAW,EAAE,6BAA6B,EAAE;gBACvE,IAAI,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE,IAAI,EAAE,CAAC,MAAM,EAAE,OAAO,EAAE,QAAQ,EAAE,SAAS,EAAE,MAAM,EAAE,MAAM,CAAC,EAAE,WAAW,EAAE,aAAa,EAAE;gBAClH,UAAU,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE,OAAO,EAAE,CAAC,EAAE,OAAO,EAAE,CAAC,EAAE,WAAW,EAAE,+BAA+B,EAAE;aACrG;YACD,QAAQ,EAAE,CAAC,SAAS,CAAC;SACtB;KACF;IACD;QACE,IAAI,EAAE,QAAQ;QACd,WAAW,EAAE,4CAA4C;QACzD,WAAW,EAAE;YACX,IAAI,EAAE,QAAQ;YACd,UAAU,EAAE;gBACV,KAAK,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE,WAAW,EAAE,cAAc,EAAE;gBACtD,KAAK,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE,WAAW,EAAE,0BAA0B,EAAE;gBAClE,IAAI,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE,IAAI,EAAE,CAAC,MAAM,EAAE,OAAO,EAAE,QAAQ,EAAE,SAAS,EAAE,MAAM,EAAE,MAAM,CAAC,EAAE,WAAW,EAAE,gBAAgB,EAAE;aACtH;YACD,QAAQ,EAAE,CAAC,OAAO,CAAC;SACpB;KACF;IACD;QACE,IAAI,EAAE,QAAQ;QACd,WAAW,EAAE,kEAAkE;QAC/E,WAAW,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE,UAAU,EAAE,EAAE,EAAE;KAChD;IACD;QACE,IAAI,EAAE,cAAc;QACpB,WAAW,EAAE,8FAA8F;QAC3G,WAAW,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE,UAAU,EAAE,EAAE,EAAE;KAChD;IACD;QACE,IAAI,EAAE,OAAO;QACb,WAAW,EAAE,iGAAiG;QAC9G,WAAW,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE,UAAU,EAAE,EAAE,EAAE;KAChD;IACD;QACE,IAAI,EAAE,SAAS;QACf,WAAW,EAAE,gFAAgF;QAC7F,WAAW,EAAE;YACX,IAAI,EAAE,QAAQ;YACd,UAAU,EAAE;gBACV,OAAO,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE,WAAW,EAAE,+CAA+C,EAAE;gBACzF,YAAY,EAAE,EAAE,IAAI,EAAE,OAAO,EAAE,KAAK,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE,EAAE,WAAW,EAAE,gCAAgC,EAAE;aAC1G;SACF;KACF;IACD;QACE,IAAI,EAAE,YAAY;QAClB,WAAW,EACT,wKAAwK;YACxK,iMAAiM;QACnM,WAAW,EAAE;YACX,IAAI,EAAE,QAAQ;YACd,UAAU,EAAE;gBACV,KAAK,EAAE;oBACL,IAAI,EAAE,QAAQ;oBACd,WAAW,EAAE,kEAAkE;iBAChF;aACF;YACD,QAAQ,EAAE,CAAC,OAAO,CAAC;SACpB;KACF;CACF,CAAC;AAEF,2DAA2D;AAE3D,KAAK,UAAU,IAAI;IACjB,6EAA6E;IAC7E,4EAA4E;IAC5E,4EAA4E;IAC5E,IAAI,KAAK,GAAuB,eAAe,EAAE,CAAC;IAClD,IAAI,UAAU,GAA4B,IAAI,CAAC;IAC/C,IAAI,YAAY,GAAG,KAAK,CAAC;IAEzB,iFAAiF;IACjF,MAAM,MAAM,GAAG,IAAI,MAAM,CACvB,EAAE,IAAI,EAAE,WAAW,EAAE,OAAO,EAAE,OAAO,EAAE,EACvC,EAAE,YAAY,EAAE,EAAE,KAAK,EAAE,EAAE,EAAE,OAAO,EAAE,EAAE,EAAE,EAAE,CAC7C,CAAC;IAEF;;;;OAIG;IACH,KAAK,UAAU,iBAAiB,CAAC,aAAa,GAAG,IAAI;QACnD,IAAI,KAAK;YAAE,OAAO,KAAK,CAAC;QACxB,IAAI,CAAC,UAAU;YAAE,UAAU,GAAG,MAAM,eAAe,EAAE,CAAC;QAEtD,MAAM,QAAQ,GAAG,MAAM,CAAC,cAAc,CAAC,CAAC;QACxC,MAAM,GAAG,GAAG,MAAM,OAAO,CAAC,IAAI,CAAgC;YAC5D,UAAU,CAAC,IAAI;YACf,IAAI,OAAO,CAAkB,CAAC,CAAC,EAAE,EAAE,CAAC,UAAU,CAAC,GAAG,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,EAAE,aAAa,CAAC,CAAC;SAClF,CAAC,CAAC;QAEH,IAAI,GAAG,KAAK,QAAQ,EAAE,CAAC;YACrB,MAAM,IAAI,gBAAgB,CAAC,UAAU,CAAC,yBAAyB,EAAE,UAAU,CAAC,SAAS,CAAC,CAAC;QACzF,CAAC;QAED,KAAK,GAAG,GAAG,CAAC;QACZ,UAAU,GAAG,IAAI,CAAC;QAClB,IAAI,CAAC,YAAY,EAAE,CAAC;YAClB,YAAY,GAAG,IAAI,CAAC;YACpB,KAAK,WAAW,CAAC,KAAK,CAAC,CAAC;QAC1B,CAAC;QACD,OAAO,KAAK,CAAC;IACf,CAAC;IAED,4EAA4E;IAC5E,KAAK,UAAU,WAAW,CAAC,CAAc;QACvC,IAAI,CAAC;YACH,YAAY,GAAG,MAAM,eAAe,CAAC,OAAO,EAAE,CAAC,CAAC,OAAO,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC;YAClE,IAAI,YAAY,EAAE,CAAC;gBACjB,MAAM,CACJ,iBAAiB,YAAY,CAAC,QAAQ,CAAC,IAAI,KAAK,YAAY,CAAC,cAAc,CAAC,MAAM,cAAc,YAAY,CAAC,KAAK,CAAC,MAAM,SAAS,CACnI,CAAC;gBACF,MAAM,CAAC,YAAY,CAAC,EAAE,MAAM,EAAE,oCAAoC,EAAE,CAAC,CAAC;YACxE,CAAC;iBAAM,CAAC;gBACN,MAAM,CAAC,gEAAgE,CAAC,CAAC;YAC3E,CAAC;YAED,iBAAiB,CAAC,OAAO,EAAE,CAAC,CAAC,OAAO,EAAE,CAAC,CAAC,KAAK,EAAE,CAAC,QAAuB,EAAE,EAAE;gBACzE,IAAI,YAAY,EAAE,CAAC;oBACjB,YAAY,CAAC,cAAc,GAAG,QAAQ,CAAC;gBACzC,CAAC;gBACD,MAAM,CAAC,YAAY,CAAC,EAAE,MAAM,EAAE,oCAAoC,EAAE,CAAC,CAAC;gBACtE,MAAM,CAAC,mBAAmB,QAAQ,CAAC,MAAM,WAAW,CAAC,CAAC;YACxD,CAAC,CAAC,CAAC;YAEH,gBAAgB,CAAC,OAAO,EAAE,CAAC,CAAC,OAAO,EAAE,CAAC,CAAC,KAAK,EAAE,eAAe,EAAE,GAAG,EAAE;gBAClE,gBAAgB,EAAE,CAAC;gBACnB,MAAM,CAAC,uBAAuB,CAAC,CAAC;YAClC,CAAC,CAAC,CAAC;QACL,CAAC;QAAC,OAAO,CAAC,EAAE,CAAC;YACX,MAAM,CAAC,2BAA2B,CAAC,YAAY,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC;QAClF,CAAC;IACH,CAAC;IAED,MAAM,CAAC,iBAAiB,CAAC,sBAAsB,EAAE,KAAK,IAAI,EAAE,CAAC,CAAC,EAAE,KAAK,EAAE,CAAC,CAAC,CAAC;IAE1E,MAAM,CAAC,iBAAiB,CAAC,wBAAwB,EAAE,KAAK,IAAI,EAAE,CAAC,CAAC;QAC9D,OAAO,EAAE,YAAY;YACnB,CAAC,CAAC,CAAC,EAAE,IAAI,EAAE,gBAAgB,EAAE,WAAW,EAAE,qDAAqD,EAAE,CAAC;YAClG,CAAC,CAAC,EAAE;KACP,CAAC,CAAC,CAAC;IAEJ,MAAM,CAAC,iBAAiB,CAAC,sBAAsB,EAAE,KAAK,IAAI,EAAE,CAAC,CAAC;QAC5D,QAAQ,EAAE,CAAC;gBACT,IAAI,EAAE,MAAe;gBACrB,OAAO,EAAE,EAAE,IAAI,EAAE,MAAe,EAAE,IAAI,EAAE,cAAc,CAAC,YAAY,CAAC,EAAE;aACvE,CAAC;KACH,CAAC,CAAC,CAAC;IAEJ,MAAM,CAAC,iBAAiB,CAAC,qBAAqB,EAAE,KAAK,EAAE,OAAO,EAAE,EAAE;QAChE,MAAM,EAAE,IAAI,EAAE,SAAS,EAAE,IAAI,EAAE,GAAG,OAAO,CAAC,MAAM,CAAC;QACjD,MAAM,CAAC,GAAG,CAAC,IAAI,IAAI,EAAE,CAA4B,CAAC;QAClD,eAAe,CAAC,aAAa,CAAC,IAAI,CAAC,CAAC;QAEpC,IAAI,CAAC;YACH,MAAM,CAAC,GAAG,MAAM,iBAAiB,EAAE,CAAC;YACpC,MAAM,KAAK,GAAG,CAAC,CAAC,KAAK,CAAC;YACtB,oEAAoE;YACpE,IAAI,OAAO,GAAG,CAAC,CAAC,OAAO,CAAC;YAExB,IAAI,MAAe,CAAC;YAEpB,QAAQ,IAAI,EAAE,CAAC;gBACb,KAAK,UAAU;oBACb,MAAM,GAAG,MAAM,OAAO,CAAC,cAAc,OAAO,SAAS,EAAE;wBACrD,OAAO,EAAE,CAAC,CAAC,SAAS,CAAC;wBACrB,IAAI,EAAE,CAAC,CAAC,MAAM,CAAC,IAAI,SAAS;wBAC5B,UAAU,EAAE,CAAC,CAAC,YAAY,CAAC,IAAI,GAAG;qBACnC,EAAE,KAAK,CAAC,CAAC;oBACV,eAAe,CAAC,kBAAkB,CAAC,MAAM,CAAC,CAAC,CAAC,SAAS,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC;oBAC/D,MAAM;gBAER,KAAK,QAAQ,CAAC,CAAC,CAAC;oBACd,MAAM,MAAM,GAAG,IAAI,eAAe,EAAE,CAAC;oBACrC,IAAI,CAAC,CAAC,OAAO,CAAC;wBAAE,MAAM,CAAC,GAAG,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC;oBACxD,IAAI,CAAC,CAAC,OAAO,CAAC;wBAAE,MAAM,CAAC,GAAG,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC;oBACxD,IAAI,CAAC,CAAC,MAAM,CAAC;wBAAE,MAAM,CAAC,GAAG,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC;oBACtD,MAAM,GAAG,MAAM,MAAM,CAAC,cAAc,OAAO,WAAW,MAAM,EAAE,EAAE,KAAK,CAAC,CAAC;oBACvE,MAAM;gBACR,CAAC;gBAED,KAAK,QAAQ;oBACX,MAAM,GAAG,MAAM,MAAM,CAAC,cAAc,OAAO,EAAE,EAAE,KAAK,CAAC,CAAC;oBACtD,MAAM;gBAER,KAAK,cAAc;oBACjB,MAAM,GAAG,MAAM,MAAM,CAAC,cAAc,OAAO,eAAe,EAAE,KAAK,CAAC,CAAC;oBACnE,MAAM;gBAER,KAAK,OAAO;oBACV,MAAM,GAAG,MAAM,OAAO,CAAC,cAAc,OAAO,QAAQ,EAAE,EAAE,EAAE,KAAK,CAAC,CAAC;oBACjE,MAAM;gBAER,KAAK,SAAS;oBACZ,MAAM,GAAG,MAAM,OAAO,CAAC,cAAc,OAAO,UAAU,EAAE;wBACtD,OAAO,EAAE,CAAC,CAAC,SAAS,CAAC,IAAI,eAAe;wBACxC,YAAY,EAAE,CAAC,CAAC,cAAc,CAAC,IAAI,EAAE;qBACtC,EAAE,KAAK,CAAC,CAAC;oBACV,MAAM;gBAER,KAAK,YAAY,CAAC,CAAC,CAAC;oBAClB,MAAM,KAAK,GAAG,MAAM,CAAC,CAAC,CAAC,OAAO,CAAC,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC;oBAC9C,IAAI,CAAC,KAAK,EAAE,CAAC;wBACX,MAAM,IAAI,KAAK,CAAC,+BAA+B,CAAC,CAAC;oBACnD,CAAC;oBACD,MAAM,MAAM,GAAG,MAAM,mBAAmB,CAAC,KAAK,EAAE,KAAK,CAAC,CAAC;oBACvD,OAAO,GAAG,MAAM,CAAC,EAAE,CAAC;oBACpB,iEAAiE;oBACjE,IAAI,KAAK,EAAE,CAAC;wBACV,KAAK,GAAG,EAAE,GAAG,KAAK,EAAE,OAAO,EAAE,CAAC;oBAChC,CAAC;oBACD,YAAY,GAAG,MAAM,eAAe,CAAC,OAAO,EAAE,OAAO,EAAE,KAAK,CAAC,CAAC;oBAC9D,MAAM,CAAC,YAAY,CAAC,EAAE,MAAM,EAAE,oCAAoC,EAAE,CAAC,CAAC;oBACtE,MAAM,CAAC,4BAA4B,MAAM,CAAC,IAAI,MAAM,MAAM,CAAC,EAAE,GAAG,CAAC,CAAC;oBAClE,MAAM,GAAG;wBACP,OAAO,EAAE,IAAI;wBACb,OAAO,EAAE,MAAM,CAAC,EAAE;wBAClB,IAAI,EAAE,MAAM,CAAC,IAAI;wBACjB,GAAG,EAAE,YAAY,EAAE,QAAQ,CAAC,GAAG,IAAI,IAAI;wBACvC,MAAM,EAAE,MAAM,CAAC,MAAM;wBACrB,cAAc,EAAE,YAAY,EAAE,cAAc,CAAC,MAAM,IAAI,CAAC;wBACxD,WAAW,EAAE,YAAY,EAAE,KAAK,CAAC,MAAM,IAAI,CAAC;qBAC7C,CAAC;oBACF,MAAM;gBACR,CAAC;gBAED;oBACE,OAAO;wBACL,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,iBAAiB,IAAI,EAAE,EAAE,CAAC,EAAE,CAAC;wBACrF,OAAO,EAAE,IAAI;qBACd,CAAC;YACN,CAAC;YAED,OAAO;gBACL,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,MAAM,EAAE,IAAI,EAAE,CAAC,CAAC,EAAE,CAAC;aACnE,CAAC;QACJ,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,MAAM,OAAO,GAAG,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,eAAe,CAAC;YACzE,qEAAqE;YACrE,2DAA2D;YAC3D,IAAI,KAAK,YAAY,gBAAgB,EAAE,CAAC;gBACtC,OAAO;oBACL,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,OAAO,EAAE,CAAC;oBAC1C,OAAO,EAAE,IAAI;iBACd,CAAC;YACJ,CAAC;YACD,OAAO;gBACL,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,OAAO,EAAE,CAAC,EAAE,CAAC;gBACrE,OAAO,EAAE,IAAI;aACd,CAAC;QACJ,CAAC;IACH,CAAC,CAAC,CAAC;IAEH,4EAA4E;IAC5E,MAAM,SAAS,GAAG,IAAI,oBAAoB,EAAE,CAAC;IAC7C,MAAM,MAAM,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC;IAChC,MAAM,CAAC,8BAA8B,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IAE5E,IAAI,KAAK,EAAE,CAAC;QACV,MAAM,CAAC,0BAA0B,KAAK,CAAC,OAAO,EAAE,CAAC,CAAC;QAClD,YAAY,GAAG,IAAI,CAAC;QACpB,KAAK,WAAW,CAAC,KAAK,CAAC,CAAC;IAC1B,CAAC;SAAM,CAAC;QACN,MAAM,CAAC,qEAAqE,CAAC,CAAC;IAChF,CAAC;AACH,CAAC;AAED,IAAI,EAAE,CAAC,KAAK,CAAC,CAAC,KAAc,EAAE,EAAE;IAC9B,MAAM,CAAC,UAAU,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC;IAC3E,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;AAClB,CAAC,CAAC,CAAC"}
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":";AACA;;;;;;;GAOG;AAEH,OAAO,EAAE,MAAM,EAAE,MAAM,2CAA2C,CAAC;AACnE,OAAO,EAAE,oBAAoB,EAAE,MAAM,2CAA2C,CAAC;AACjF,OAAO,EAAE,UAAU,EAAE,MAAM,eAAe,CAAC;AAC3C,OAAO,EACL,qBAAqB,EACrB,sBAAsB,EACtB,wBAAwB,EACxB,sBAAsB,GAEvB,MAAM,oCAAoC,CAAC;AAC5C,OAAO,EAAE,YAAY,EAAE,aAAa,EAAE,SAAS,EAAE,UAAU,EAAE,MAAM,IAAI,CAAC;AACxE,OAAO,EAAE,IAAI,EAAE,MAAM,MAAM,CAAC;AAC5B,OAAO,EAAE,OAAO,EAAE,MAAM,IAAI,CAAC;AAC7B,OAAO,EAAE,eAAe,EAAE,MAAM,gBAAgB,CAAC;AACjD,OAAO,EAAE,cAAc,EAAE,MAAM,sBAAsB,CAAC;AACtD,OAAO,EAAE,iBAAiB,EAAE,gBAAgB,EAAE,MAAM,cAAc,CAAC;AACnE,OAAO,EAAE,eAAe,EAAE,gBAAgB,EAAE,MAAM,mBAAmB,CAAC;AAGtE,2DAA2D;AAE3D,MAAM,OAAO,GAAG,OAAO,CAAC,GAAG,CAAC,SAAS,CAAC,IAAI,gCAAgC,CAAC;AAC3E,MAAM,SAAS,GAAG,IAAI,CAAC,OAAO,EAAE,EAAE,YAAY,CAAC,CAAC;AAChD,MAAM,UAAU,GAAG,IAAI,CAAC,SAAS,EAAE,kBAAkB,CAAC,CAAC;AASvD,2DAA2D;AAE3D,SAAS,eAAe;IACtB,IAAI,CAAC;QACH,IAAI,CAAC,UAAU,CAAC,UAAU,CAAC;YAAE,OAAO,IAAI,CAAC;QACzC,MAAM,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,YAAY,CAAC,UAAU,EAAE,OAAO,CAAC,CAAgB,CAAC;QAC1E,IAAI,IAAI,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,IAAI,IAAI,IAAI,EAAE,EAAE,CAAC;YAC3C,MAAM,CAAC,iDAAiD,CAAC,CAAC;YAC1D,OAAO,IAAI,CAAC;QACd,CAAC;QACD,OAAO,IAAI,CAAC;IACd,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED,SAAS,eAAe,CAAC,KAAkB;IACzC,SAAS,CAAC,SAAS,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IAC1C,aAAa,CAAC,UAAU,EAAE,IAAI,CAAC,SAAS,CAAC,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC;AAC5D,CAAC;AAED,2DAA2D;AAE3D,SAAS,MAAM,CAAC,GAAW;IACzB,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,eAAe,GAAG,IAAI,CAAC,CAAC;AAC/C,CAAC;AAED,KAAK,UAAU,OAAO,CAAC,IAAY,EAAE,IAAa,EAAE,KAAc;IAChE,MAAM,OAAO,GAA2B,EAAE,cAAc,EAAE,kBAAkB,EAAE,CAAC;IAC/E,IAAI,KAAK;QAAE,OAAO,CAAC,eAAe,CAAC,GAAG,UAAU,KAAK,EAAE,CAAC;IACxD,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,GAAG,OAAO,GAAG,IAAI,EAAE,EAAE;QAC3C,MAAM,EAAE,MAAM;QACd,OAAO;QACP,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC;KAC3B,CAAC,CAAC;IACH,OAAO,GAAG,CAAC,IAAI,EAAE,CAAC;AACpB,CAAC;AAED,KAAK,UAAU,MAAM,CAAC,IAAY,EAAE,KAAa;IAC/C,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,GAAG,OAAO,GAAG,IAAI,EAAE,EAAE;QAC3C,OAAO,EAAE,EAAE,eAAe,EAAE,UAAU,KAAK,EAAE,EAAE;KAChD,CAAC,CAAC;IACH,OAAO,GAAG,CAAC,IAAI,EAAE,CAAC;AACpB,CAAC;AA2CD,KAAK,UAAU,mBAAmB,CAAC,KAAa,EAAE,KAAa;IAC7D,MAAM,UAAU,GAAG,CAAC,MAAM,MAAM,CAAC,qBAAqB,kBAAkB,CAAC,KAAK,CAAC,EAAE,EAAE,KAAK,CAAC,CAAyB,CAAC;IACnH,IAAI,UAAU,CAAC,IAAI,EAAE,MAAM,KAAK,UAAU,IAAI,UAAU,CAAC,IAAI,CAAC,KAAK,EAAE,CAAC;QACpE,OAAO,UAAU,CAAC,IAAI,CAAC,KAAK,CAAC;IAC/B,CAAC;IACD,IAAI,UAAU,CAAC,IAAI,EAAE,MAAM,KAAK,WAAW,EAAE,CAAC;QAC5C,MAAM,GAAG,GAAG,UAAU,CAAC,IAAI,CAAC,OAAO,EAAE,GAAG,CAAC,CAAC,EAAE,EAAE,EAAE,CAAC,EAAE,CAAC,EAAE,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,QAAQ,CAAC;QAC/E,MAAM,IAAI,KAAK,CAAC,UAAU,CAAC,IAAI,CAAC,OAAO,IAAI,sCAAsC,KAAK,WAAW,GAAG,qCAAqC,CAAC,CAAC;IAC7I,CAAC;IACD,IAAI,UAAU,CAAC,IAAI,EAAE,MAAM,KAAK,WAAW,EAAE,CAAC;QAC5C,MAAM,SAAS,GAAG,UAAU,CAAC,IAAI,CAAC,SAAS,EAAE,GAAG,CAAC,CAAC,EAAE,EAAE,EAAE,CAAC,EAAE,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAC7E,MAAM,IAAI,KAAK,CAAC,UAAU,CAAC,IAAI,CAAC,OAAO,IAAI,+BAA+B,KAAK,gCAAgC,SAAS,IAAI,QAAQ,EAAE,CAAC,CAAC;IAC1I,CAAC;IAED,MAAM,OAAO,GAAG,CAAC,MAAM,MAAM,CAAC,YAAY,EAAE,KAAK,CAAC,CAAsB,CAAC;IACzE,MAAM,MAAM,GAAG,OAAO,CAAC,IAAI,EAAE,MAAM,IAAI,EAAE,CAAC;IAC1C,MAAM,OAAO,GAAG,MAAM,CAAC,MAAM,CAC3B,CAAC,EAAE,EAAE,EAAE,CAAC,EAAE,CAAC,IAAI,CAAC,WAAW,EAAE,KAAK,KAAK,CAAC,WAAW,EAAE,IAAI,EAAE,CAAC,EAAE,KAAK,KAAK,CACzE,CAAC;IACF,IAAI,OAAO,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACzB,MAAM,SAAS,GAAG,MAAM,CAAC,GAAG,CAAC,CAAC,EAAE,EAAE,EAAE,CAAC,EAAE,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACzD,MAAM,IAAI,KAAK,CACb,+BAA+B,KAAK,gCAAgC,SAAS,IAAI,QAAQ,EAAE,CAC5F,CAAC;IACJ,CAAC;IACD,IAAI,OAAO,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACvB,MAAM,IAAI,KAAK,CACb,sCAAsC,KAAK,WAAW,OAAO;aAC1D,GAAG,CAAC,CAAC,EAAE,EAAE,EAAE,CAAC,EAAE,CAAC,EAAE,CAAC;aAClB,IAAI,CAAC,IAAI,CAAC,qCAAqC,CACnD,CAAC;IACJ,CAAC;IACD,OAAO,OAAO,CAAC,CAAC,CAAE,CAAC;AACrB,CAAC;AAED;;;;GAIG;AACH,KAAK,UAAU,YAAY,CAAC,KAAa,EAAE,eAAuB,EAAE,gBAAwB;IAC1F,wCAAwC;IACxC,MAAM,UAAU,GAAG,OAAO,CAAC,GAAG,CAAC,cAAc,CAAC,CAAC;IAC/C,IAAI,UAAU,EAAE,CAAC;QACf,MAAM,CAAC,kCAAkC,UAAU,EAAE,CAAC,CAAC;QACvD,OAAO,EAAE,OAAO,EAAE,UAAU,EAAE,QAAQ,EAAE,gBAAgB,EAAE,CAAC;IAC7D,CAAC;IAED,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,MAAM,MAAM,CAAC,YAAY,EAAE,KAAK,CAAsB,CAAC;QACnE,MAAM,MAAM,GAAG,GAAG,CAAC,IAAI,EAAE,MAAM,EAAE,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,MAAM,KAAK,QAAQ,CAAC,IAAI,EAAE,CAAC;QAE5E,IAAI,MAAM,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACxB,MAAM,CAAC,8CAA8C,eAAe,EAAE,CAAC,CAAC;YACxE,OAAO,EAAE,OAAO,EAAE,eAAe,EAAE,QAAQ,EAAE,gBAAgB,EAAE,CAAC;QAClE,CAAC;QAED,0CAA0C;QAC1C,MAAM,OAAO,GAAG,OAAO,CAAC,GAAG,CAAC,gBAAgB,CAAC,CAAC;QAC9C,IAAI,OAAO,EAAE,CAAC;YACZ,MAAM,KAAK,GAAG,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,WAAW,EAAE,KAAK,OAAO,CAAC,WAAW,EAAE,CAAC,CAAC;YACjF,IAAI,KAAK,EAAE,CAAC;gBACV,MAAM,CAAC,gBAAgB,KAAK,CAAC,IAAI,4BAA4B,CAAC,CAAC;gBAC/D,OAAO,EAAE,OAAO,EAAE,KAAK,CAAC,EAAE,EAAE,QAAQ,EAAE,gBAAgB,EAAE,CAAC;YAC3D,CAAC;YACD,MAAM,CAAC,4BAA4B,OAAO,2BAA2B,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QAC/G,CAAC;QAED,+BAA+B;QAC/B,MAAM,MAAM,GAAG,MAAM,CAAC,CAAC,CAAE,CAAC;QAC1B,MAAM,CAAC,gCAAgC,MAAM,CAAC,IAAI,MAAM,MAAM,CAAC,EAAE,GAAG,CAAC,CAAC;QACtE,IAAI,MAAM,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACtB,MAAM,CAAC,YAAY,MAAM,CAAC,MAAM,wDAAwD,CAAC,CAAC;YAC1F,KAAK,MAAM,CAAC,IAAI,MAAM,EAAE,CAAC;gBACvB,MAAM,CAAC,OAAO,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC;YAC1B,CAAC;QACH,CAAC;QACD,OAAO,EAAE,OAAO,EAAE,MAAM,CAAC,EAAE,EAAE,QAAQ,EAAE,gBAAgB,EAAE,CAAC;IAC5D,CAAC;IAAC,MAAM,CAAC;QACP,MAAM,CAAC,2CAA2C,eAAe,EAAE,CAAC,CAAC;QACrE,OAAO,EAAE,OAAO,EAAE,eAAe,EAAE,QAAQ,EAAE,gBAAgB,EAAE,CAAC;IAClE,CAAC;AACH,CAAC;AAED;;;;GAIG;AACH,MAAM,gBAAiB,SAAQ,KAAK;IAEN;IAAyC;IAD5D,WAAW,GAAG,IAAI,CAAC;IAC5B,YAA4B,eAAuB,EAAkB,QAAgB;QACnF,KAAK,CACH,2BAA2B;YACzB,UAAU,eAAe,IAAI;YAC7B,SAAS,QAAQ,MAAM;YACvB,iFAAiF,CACpF,CAAC;QANwB,oBAAe,GAAf,eAAe,CAAQ;QAAkB,aAAQ,GAAR,QAAQ,CAAQ;QAOnF,IAAI,CAAC,IAAI,GAAG,kBAAkB,CAAC;IACjC,CAAC;CACF;AAkBD,KAAK,UAAU,eAAe;IAC5B,MAAM,CAAC,4BAA4B,CAAC,CAAC;IAErC,MAAM,OAAO,GAAG,CAAC,MAAM,OAAO,CAAC,4BAA4B,EAAE;QAC3D,IAAI,EAAE,SAAS,OAAO,EAAE,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,IAAI,MAAM,EAAE;KACtD,CAAC,CAAuB,CAAC;IAE1B,IAAI,CAAC,OAAO,CAAC,OAAO,IAAI,CAAC,OAAO,CAAC,IAAI,EAAE,CAAC;QACtC,MAAM,IAAI,KAAK,CAAC,0BAA0B,OAAO,CAAC,KAAK,EAAE,OAAO,IAAI,eAAe,EAAE,CAAC,CAAC;IACzF,CAAC;IAED,MAAM,EAAE,WAAW,EAAE,SAAS,EAAE,yBAAyB,EAAE,QAAQ,EAAE,QAAQ,EAAE,qBAAqB,EAAE,GAAG,OAAO,CAAC,IAAI,CAAC;IAEtH,MAAM,CAAC,EAAE,CAAC,CAAC;IACX,MAAM,CAAC,wDAAwD,CAAC,CAAC;IACjE,MAAM,CAAC,oCAAoC,CAAC,CAAC;IAC7C,MAAM,CAAC,wDAAwD,CAAC,CAAC;IACjE,MAAM,CAAC,gBAAgB,yBAAyB,EAAE,CAAC,CAAC;IACpD,MAAM,CAAC,gBAAgB,SAAS,EAAE,CAAC,CAAC;IACpC,MAAM,CAAC,wDAAwD,CAAC,CAAC;IAEjE,MAAM,IAAI,GAAG,YAAY,CAAC,WAAW,EAAE,QAAQ,EAAE,QAAQ,EAAE,qBAAqB,CAAC,CAAC;IAClF,MAAM,IAAI,GAAqB;QAC7B,WAAW;QACX,SAAS;QACT,yBAAyB;QACzB,QAAQ;QACR,qBAAqB;QACrB,IAAI;QACJ,IAAI,EAAE,KAAK;KACZ,CAAC;IACF,6DAA6D;IAC7D,4EAA4E;IAC5E,2EAA2E;IAC3E,sEAAsE;IACtE,4EAA4E;IAC5E,IAAI,CAAC,KAAK,CAAC,GAAG,EAAE;QACd,IAAI,CAAC,IAAI,GAAG,IAAI,CAAC;IACnB,CAAC,CAAC,CAAC;IACH,OAAO,IAAI,CAAC;AACd,CAAC;AAED,KAAK,UAAU,YAAY,CACzB,WAAmB,EACnB,QAAgB,EAChB,QAAgB,EAChB,qBAA6B;IAE7B,MAAM,YAAY,GAAG,IAAI,CAAC,GAAG,CAAC,QAAQ,EAAE,CAAC,CAAC,GAAG,IAAI,CAAC;IAClD,MAAM,QAAQ,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC,SAAS;IAEvD,OAAO,IAAI,CAAC,GAAG,EAAE,GAAG,QAAQ,EAAE,CAAC;QAC7B,MAAM,IAAI,OAAO,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,UAAU,CAAC,CAAC,EAAE,YAAY,CAAC,CAAC,CAAC;QAEtD,MAAM,OAAO,GAAG,CAAC,MAAM,OAAO,CAAC,iBAAiB,EAAE,EAAE,WAAW,EAAE,CAAC,CAAsB,CAAC;QAEzF,IAAI,OAAO,CAAC,YAAY,EAAE,CAAC;YACzB,MAAM,SAAS,GAAG,IAAI,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,CAAC,OAAO,CAAC,UAAU,IAAI,MAAM,CAAC,GAAG,IAAI,CAAC,CAAC,WAAW,EAAE,CAAC;YAC7F,MAAM,EAAE,OAAO,EAAE,QAAQ,EAAE,GAAG,MAAM,YAAY,CAAC,OAAO,CAAC,YAAY,EAAE,QAAQ,EAAE,qBAAqB,CAAC,CAAC;YACxG,MAAM,KAAK,GAAgB;gBACzB,KAAK,EAAE,OAAO,CAAC,YAAY;gBAC3B,OAAO;gBACP,QAAQ;gBACR,SAAS;aACV,CAAC;YACF,eAAe,CAAC,KAAK,CAAC,CAAC;YACvB,MAAM,CAAC,6BAA6B,CAAC,CAAC;YACtC,OAAO,KAAK,CAAC;QACf,CAAC;QAED,IAAI,OAAO,CAAC,KAAK,KAAK,uBAAuB;YAAE,SAAS;QACxD,IAAI,OAAO,CAAC,KAAK,KAAK,WAAW,EAAE,CAAC;YAClC,MAAM,IAAI,OAAO,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,UAAU,CAAC,CAAC,EAAE,IAAI,CAAC,CAAC,CAAC;YAC9C,SAAS;QACX,CAAC;QACD,IAAI,OAAO,CAAC,KAAK,KAAK,eAAe;YAAE,MAAM,IAAI,KAAK,CAAC,8BAA8B,CAAC,CAAC;QACvF,IAAI,OAAO,CAAC,KAAK,KAAK,eAAe;YAAE,MAAM,IAAI,KAAK,CAAC,0CAA0C,CAAC,CAAC;IACrG,CAAC;IAED,MAAM,IAAI,KAAK,CAAC,0BAA0B,CAAC,CAAC;AAC9C,CAAC;AAED,IAAI,YAAY,GAAwB,IAAI,CAAC;AAC7C,MAAM,eAAe,GAAG,IAAI,eAAe,EAAE,CAAC;AAE9C,2DAA2D;AAE3D,MAAM,KAAK,GAAW;IACpB;QACE,IAAI,EAAE,UAAU;QAChB,WAAW,EAAE,kEAAkE;QAC/E,WAAW,EAAE;YACX,IAAI,EAAE,QAAQ;YACd,UAAU,EAAE;gBACV,OAAO,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE,WAAW,EAAE,6BAA6B,EAAE;gBACvE,IAAI,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE,IAAI,EAAE,CAAC,MAAM,EAAE,OAAO,EAAE,QAAQ,EAAE,SAAS,EAAE,MAAM,EAAE,MAAM,CAAC,EAAE,WAAW,EAAE,aAAa,EAAE;gBAClH,UAAU,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE,OAAO,EAAE,CAAC,EAAE,OAAO,EAAE,CAAC,EAAE,WAAW,EAAE,+BAA+B,EAAE;aACrG;YACD,QAAQ,EAAE,CAAC,SAAS,CAAC;SACtB;KACF;IACD;QACE,IAAI,EAAE,QAAQ;QACd,WAAW,EAAE,4CAA4C;QACzD,WAAW,EAAE;YACX,IAAI,EAAE,QAAQ;YACd,UAAU,EAAE;gBACV,KAAK,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE,WAAW,EAAE,cAAc,EAAE;gBACtD,KAAK,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE,WAAW,EAAE,0BAA0B,EAAE;gBAClE,IAAI,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE,IAAI,EAAE,CAAC,MAAM,EAAE,OAAO,EAAE,QAAQ,EAAE,SAAS,EAAE,MAAM,EAAE,MAAM,CAAC,EAAE,WAAW,EAAE,gBAAgB,EAAE;aACtH;YACD,QAAQ,EAAE,CAAC,OAAO,CAAC;SACpB;KACF;IACD;QACE,IAAI,EAAE,QAAQ;QACd,WAAW,EAAE,kEAAkE;QAC/E,WAAW,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE,UAAU,EAAE,EAAE,EAAE;KAChD;IACD;QACE,IAAI,EAAE,cAAc;QACpB,WAAW,EAAE,8FAA8F;QAC3G,WAAW,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE,UAAU,EAAE,EAAE,EAAE;KAChD;IACD;QACE,IAAI,EAAE,OAAO;QACb,WAAW,EAAE,iGAAiG;QAC9G,WAAW,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE,UAAU,EAAE,EAAE,EAAE;KAChD;IACD;QACE,IAAI,EAAE,SAAS;QACf,WAAW,EAAE,gFAAgF;QAC7F,WAAW,EAAE;YACX,IAAI,EAAE,QAAQ;YACd,UAAU,EAAE;gBACV,OAAO,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE,WAAW,EAAE,+CAA+C,EAAE;gBACzF,YAAY,EAAE,EAAE,IAAI,EAAE,OAAO,EAAE,KAAK,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE,EAAE,WAAW,EAAE,gCAAgC,EAAE;aAC1G;SACF;KACF;IACD;QACE,IAAI,EAAE,YAAY;QAClB,WAAW,EACT,wKAAwK;YACxK,iMAAiM;QACnM,WAAW,EAAE;YACX,IAAI,EAAE,QAAQ;YACd,UAAU,EAAE;gBACV,KAAK,EAAE;oBACL,IAAI,EAAE,QAAQ;oBACd,WAAW,EAAE,kEAAkE;iBAChF;aACF;YACD,QAAQ,EAAE,CAAC,OAAO,CAAC;SACpB;KACF;CACF,CAAC;AAEF,2DAA2D;AAE3D;;;;GAIG;AACH,SAAS,eAAe,CAAC,KAAa;IACpC,MAAM,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IAC/B,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,EAAE,CAAC;IAClC,IAAI,CAAC;QACH,MAAM,OAAO,GAAG,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAE,EAAE,WAAW,CAAC,CAAC,QAAQ,CAAC,OAAO,CAAC,CAI/E,CAAC;QACF,OAAO,EAAE,MAAM,EAAE,OAAO,CAAC,OAAO,IAAI,OAAO,CAAC,GAAG,EAAE,QAAQ,EAAE,OAAO,CAAC,SAAS,EAAE,CAAC;IACjF,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,EAAE,CAAC;IACZ,CAAC;AACH,CAAC;AAED,KAAK,UAAU,IAAI;IACjB,wEAAwE;IACxE,uEAAuE;IACvE,IAAI,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,KAAK,iBAAiB,EAAE,CAAC;QAC1C,MAAM,MAAM,CAAC,0BAA0B,CAAC,CAAC;QACzC,OAAO,CAAC,kCAAkC;IAC5C,CAAC;IAED,6EAA6E;IAC7E,4EAA4E;IAC5E,4EAA4E;IAC5E,IAAI,KAAK,GAAuB,eAAe,EAAE,CAAC;IAClD,IAAI,UAAU,GAA4B,IAAI,CAAC;IAC/C,IAAI,YAAY,GAAG,KAAK,CAAC;IAEzB,iFAAiF;IACjF,MAAM,MAAM,GAAG,IAAI,MAAM,CACvB,EAAE,IAAI,EAAE,WAAW,EAAE,OAAO,EAAE,OAAO,EAAE,EACvC,EAAE,YAAY,EAAE,EAAE,KAAK,EAAE,EAAE,EAAE,OAAO,EAAE,EAAE,EAAE,EAAE,CAC7C,CAAC;IAEF;;;;;;;;;OASG;IACH,KAAK,UAAU,iBAAiB,CAAC,aAAa,GAAG,IAAI;QACnD,IAAI,KAAK;YAAE,OAAO,KAAK,CAAC;QAExB,yEAAyE;QACzE,iEAAiE;QACjE,sEAAsE;QACtE,sEAAsE;QACtE,qEAAqE;QACrE,oEAAoE;QACpE,oEAAoE;QACpE,IAAI,CAAC;YACH,MAAM,SAAS,GAAG,MAAM,UAAU,CAAC,EAAE,MAAM,EAAE,OAAO,EAAE,CAAC,CAAC;YACxD,IAAI,SAAS,EAAE,CAAC;gBACd,MAAM,MAAM,GAAG,eAAe,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC;gBAChD,MAAM,QAAQ,GAAG,MAAM,CAAC,QAAQ,IAAI,EAAE,CAAC;gBACvC,MAAM,QAAQ,GAAG,MAAM,YAAY,CAAC,SAAS,CAAC,KAAK,EAAE,EAAE,EAAE,QAAQ,CAAC,CAAC;gBACnE,KAAK,GAAG;oBACN,KAAK,EAAE,SAAS,CAAC,KAAK;oBACtB,OAAO,EAAE,QAAQ,CAAC,OAAO;oBACzB,QAAQ,EAAE,QAAQ,CAAC,QAAQ,IAAI,QAAQ;oBACvC,SAAS,EAAE,SAAS,CAAC,SAAS;iBAC/B,CAAC;gBACF,eAAe,CAAC,KAAK,CAAC,CAAC;gBACvB,MAAM,CAAC,sDAAsD,CAAC,CAAC;gBAC/D,IAAI,CAAC,YAAY,EAAE,CAAC;oBAClB,YAAY,GAAG,IAAI,CAAC;oBACpB,KAAK,WAAW,CAAC,KAAK,CAAC,CAAC;gBAC1B,CAAC;gBACD,OAAO,KAAK,CAAC;YACf,CAAC;QACH,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,MAAM,CAAC,oBAAoB,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,gCAAgC,CAAC,CAAC;QAC/G,CAAC;QAED,IAAI,CAAC,UAAU,IAAI,UAAU,CAAC,IAAI,EAAE,CAAC;YACnC,UAAU,GAAG,MAAM,eAAe,EAAE,CAAC;QACvC,CAAC;QAED,MAAM,QAAQ,GAAG,MAAM,CAAC,cAAc,CAAC,CAAC;QACxC,IAAI,GAAkC,CAAC;QACvC,IAAI,CAAC;YACH,GAAG,GAAG,MAAM,OAAO,CAAC,IAAI,CAAgC;gBACtD,UAAU,CAAC,IAAI;gBACf,IAAI,OAAO,CAAkB,CAAC,CAAC,EAAE,EAAE,CAAC,UAAU,CAAC,GAAG,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,EAAE,aAAa,CAAC,CAAC;aAClF,CAAC,CAAC;QACL,CAAC;QAAC,MAAM,CAAC;YACP,kEAAkE;YAClE,kEAAkE;YAClE,UAAU,GAAG,MAAM,eAAe,EAAE,CAAC;YACrC,MAAM,IAAI,gBAAgB,CAAC,UAAU,CAAC,yBAAyB,EAAE,UAAU,CAAC,SAAS,CAAC,CAAC;QACzF,CAAC;QAED,IAAI,GAAG,KAAK,QAAQ,EAAE,CAAC;YACrB,MAAM,IAAI,gBAAgB,CAAC,UAAU,CAAC,yBAAyB,EAAE,UAAU,CAAC,SAAS,CAAC,CAAC;QACzF,CAAC;QAED,KAAK,GAAG,GAAG,CAAC;QACZ,UAAU,GAAG,IAAI,CAAC;QAClB,IAAI,CAAC,YAAY,EAAE,CAAC;YAClB,YAAY,GAAG,IAAI,CAAC;YACpB,KAAK,WAAW,CAAC,KAAK,CAAC,CAAC;QAC1B,CAAC;QACD,OAAO,KAAK,CAAC;IACf,CAAC;IAED,4EAA4E;IAC5E,KAAK,UAAU,WAAW,CAAC,CAAc;QACvC,IAAI,CAAC;YACH,YAAY,GAAG,MAAM,eAAe,CAAC,OAAO,EAAE,CAAC,CAAC,OAAO,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC;YAClE,IAAI,YAAY,EAAE,CAAC;gBACjB,MAAM,CACJ,iBAAiB,YAAY,CAAC,QAAQ,CAAC,IAAI,KAAK,YAAY,CAAC,cAAc,CAAC,MAAM,cAAc,YAAY,CAAC,KAAK,CAAC,MAAM,SAAS,CACnI,CAAC;gBACF,MAAM,CAAC,YAAY,CAAC,EAAE,MAAM,EAAE,oCAAoC,EAAE,CAAC,CAAC;YACxE,CAAC;iBAAM,CAAC;gBACN,MAAM,CAAC,gEAAgE,CAAC,CAAC;YAC3E,CAAC;YAED,iBAAiB,CAAC,OAAO,EAAE,CAAC,CAAC,OAAO,EAAE,CAAC,CAAC,KAAK,EAAE,CAAC,QAAuB,EAAE,EAAE;gBACzE,IAAI,YAAY,EAAE,CAAC;oBACjB,YAAY,CAAC,cAAc,GAAG,QAAQ,CAAC;gBACzC,CAAC;gBACD,MAAM,CAAC,YAAY,CAAC,EAAE,MAAM,EAAE,oCAAoC,EAAE,CAAC,CAAC;gBACtE,MAAM,CAAC,mBAAmB,QAAQ,CAAC,MAAM,WAAW,CAAC,CAAC;YACxD,CAAC,CAAC,CAAC;YAEH,gBAAgB,CAAC,OAAO,EAAE,CAAC,CAAC,OAAO,EAAE,CAAC,CAAC,KAAK,EAAE,eAAe,EAAE,GAAG,EAAE;gBAClE,gBAAgB,EAAE,CAAC;gBACnB,MAAM,CAAC,uBAAuB,CAAC,CAAC;YAClC,CAAC,CAAC,CAAC;QACL,CAAC;QAAC,OAAO,CAAC,EAAE,CAAC;YACX,MAAM,CAAC,2BAA2B,CAAC,YAAY,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC;QAClF,CAAC;IACH,CAAC;IAED,MAAM,CAAC,iBAAiB,CAAC,sBAAsB,EAAE,KAAK,IAAI,EAAE,CAAC,CAAC,EAAE,KAAK,EAAE,CAAC,CAAC,CAAC;IAE1E,MAAM,CAAC,iBAAiB,CAAC,wBAAwB,EAAE,KAAK,IAAI,EAAE,CAAC,CAAC;QAC9D,OAAO,EAAE,YAAY;YACnB,CAAC,CAAC,CAAC,EAAE,IAAI,EAAE,gBAAgB,EAAE,WAAW,EAAE,qDAAqD,EAAE,CAAC;YAClG,CAAC,CAAC,EAAE;KACP,CAAC,CAAC,CAAC;IAEJ,MAAM,CAAC,iBAAiB,CAAC,sBAAsB,EAAE,KAAK,IAAI,EAAE,CAAC,CAAC;QAC5D,QAAQ,EAAE,CAAC;gBACT,IAAI,EAAE,MAAe;gBACrB,OAAO,EAAE,EAAE,IAAI,EAAE,MAAe,EAAE,IAAI,EAAE,cAAc,CAAC,YAAY,CAAC,EAAE;aACvE,CAAC;KACH,CAAC,CAAC,CAAC;IAEJ,MAAM,CAAC,iBAAiB,CAAC,qBAAqB,EAAE,KAAK,EAAE,OAAO,EAAE,EAAE;QAChE,MAAM,EAAE,IAAI,EAAE,SAAS,EAAE,IAAI,EAAE,GAAG,OAAO,CAAC,MAAM,CAAC;QACjD,MAAM,CAAC,GAAG,CAAC,IAAI,IAAI,EAAE,CAA4B,CAAC;QAClD,eAAe,CAAC,aAAa,CAAC,IAAI,CAAC,CAAC;QAEpC,IAAI,CAAC;YACH,MAAM,CAAC,GAAG,MAAM,iBAAiB,EAAE,CAAC;YACpC,MAAM,KAAK,GAAG,CAAC,CAAC,KAAK,CAAC;YACtB,oEAAoE;YACpE,IAAI,OAAO,GAAG,CAAC,CAAC,OAAO,CAAC;YAExB,IAAI,MAAe,CAAC;YAEpB,QAAQ,IAAI,EAAE,CAAC;gBACb,KAAK,UAAU;oBACb,MAAM,GAAG,MAAM,OAAO,CAAC,cAAc,OAAO,SAAS,EAAE;wBACrD,OAAO,EAAE,CAAC,CAAC,SAAS,CAAC;wBACrB,IAAI,EAAE,CAAC,CAAC,MAAM,CAAC,IAAI,SAAS;wBAC5B,UAAU,EAAE,CAAC,CAAC,YAAY,CAAC,IAAI,GAAG;qBACnC,EAAE,KAAK,CAAC,CAAC;oBACV,eAAe,CAAC,kBAAkB,CAAC,MAAM,CAAC,CAAC,CAAC,SAAS,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC;oBAC/D,MAAM;gBAER,KAAK,QAAQ,CAAC,CAAC,CAAC;oBACd,MAAM,MAAM,GAAG,IAAI,eAAe,EAAE,CAAC;oBACrC,IAAI,CAAC,CAAC,OAAO,CAAC;wBAAE,MAAM,CAAC,GAAG,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC;oBACxD,IAAI,CAAC,CAAC,OAAO,CAAC;wBAAE,MAAM,CAAC,GAAG,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC;oBACxD,IAAI,CAAC,CAAC,MAAM,CAAC;wBAAE,MAAM,CAAC,GAAG,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC;oBACtD,MAAM,GAAG,MAAM,MAAM,CAAC,cAAc,OAAO,WAAW,MAAM,EAAE,EAAE,KAAK,CAAC,CAAC;oBACvE,MAAM;gBACR,CAAC;gBAED,KAAK,QAAQ;oBACX,MAAM,GAAG,MAAM,MAAM,CAAC,cAAc,OAAO,EAAE,EAAE,KAAK,CAAC,CAAC;oBACtD,MAAM;gBAER,KAAK,cAAc;oBACjB,MAAM,GAAG,MAAM,MAAM,CAAC,cAAc,OAAO,eAAe,EAAE,KAAK,CAAC,CAAC;oBACnE,MAAM;gBAER,KAAK,OAAO;oBACV,MAAM,GAAG,MAAM,OAAO,CAAC,cAAc,OAAO,QAAQ,EAAE,EAAE,EAAE,KAAK,CAAC,CAAC;oBACjE,MAAM;gBAER,KAAK,SAAS;oBACZ,MAAM,GAAG,MAAM,OAAO,CAAC,cAAc,OAAO,UAAU,EAAE;wBACtD,OAAO,EAAE,CAAC,CAAC,SAAS,CAAC,IAAI,eAAe;wBACxC,YAAY,EAAE,CAAC,CAAC,cAAc,CAAC,IAAI,EAAE;qBACtC,EAAE,KAAK,CAAC,CAAC;oBACV,MAAM;gBAER,KAAK,YAAY,CAAC,CAAC,CAAC;oBAClB,MAAM,KAAK,GAAG,MAAM,CAAC,CAAC,CAAC,OAAO,CAAC,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC;oBAC9C,IAAI,CAAC,KAAK,EAAE,CAAC;wBACX,MAAM,IAAI,KAAK,CAAC,+BAA+B,CAAC,CAAC;oBACnD,CAAC;oBACD,MAAM,MAAM,GAAG,MAAM,mBAAmB,CAAC,KAAK,EAAE,KAAK,CAAC,CAAC;oBACvD,OAAO,GAAG,MAAM,CAAC,EAAE,CAAC;oBACpB,iEAAiE;oBACjE,IAAI,KAAK,EAAE,CAAC;wBACV,KAAK,GAAG,EAAE,GAAG,KAAK,EAAE,OAAO,EAAE,CAAC;oBAChC,CAAC;oBACD,YAAY,GAAG,MAAM,eAAe,CAAC,OAAO,EAAE,OAAO,EAAE,KAAK,CAAC,CAAC;oBAC9D,MAAM,CAAC,YAAY,CAAC,EAAE,MAAM,EAAE,oCAAoC,EAAE,CAAC,CAAC;oBACtE,MAAM,CAAC,4BAA4B,MAAM,CAAC,IAAI,MAAM,MAAM,CAAC,EAAE,GAAG,CAAC,CAAC;oBAClE,MAAM,GAAG;wBACP,OAAO,EAAE,IAAI;wBACb,OAAO,EAAE,MAAM,CAAC,EAAE;wBAClB,IAAI,EAAE,MAAM,CAAC,IAAI;wBACjB,GAAG,EAAE,YAAY,EAAE,QAAQ,CAAC,GAAG,IAAI,IAAI;wBACvC,MAAM,EAAE,MAAM,CAAC,MAAM;wBACrB,cAAc,EAAE,YAAY,EAAE,cAAc,CAAC,MAAM,IAAI,CAAC;wBACxD,WAAW,EAAE,YAAY,EAAE,KAAK,CAAC,MAAM,IAAI,CAAC;qBAC7C,CAAC;oBACF,MAAM;gBACR,CAAC;gBAED;oBACE,OAAO;wBACL,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,iBAAiB,IAAI,EAAE,EAAE,CAAC,EAAE,CAAC;wBACrF,OAAO,EAAE,IAAI;qBACd,CAAC;YACN,CAAC;YAED,OAAO;gBACL,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,MAAM,EAAE,IAAI,EAAE,CAAC,CAAC,EAAE,CAAC;aACnE,CAAC;QACJ,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,MAAM,OAAO,GAAG,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,eAAe,CAAC;YACzE,qEAAqE;YACrE,2DAA2D;YAC3D,IAAI,KAAK,YAAY,gBAAgB,EAAE,CAAC;gBACtC,OAAO;oBACL,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,OAAO,EAAE,CAAC;oBAC1C,OAAO,EAAE,IAAI;iBACd,CAAC;YACJ,CAAC;YACD,OAAO;gBACL,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,OAAO,EAAE,CAAC,EAAE,CAAC;gBACrE,OAAO,EAAE,IAAI;aACd,CAAC;QACJ,CAAC;IACH,CAAC,CAAC,CAAC;IAEH,4EAA4E;IAC5E,MAAM,SAAS,GAAG,IAAI,oBAAoB,EAAE,CAAC;IAC7C,MAAM,MAAM,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC;IAChC,MAAM,CAAC,8BAA8B,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IAE5E,IAAI,KAAK,EAAE,CAAC;QACV,MAAM,CAAC,0BAA0B,KAAK,CAAC,OAAO,EAAE,CAAC,CAAC;QAClD,YAAY,GAAG,IAAI,CAAC;QACpB,KAAK,WAAW,CAAC,KAAK,CAAC,CAAC;IAC1B,CAAC;SAAM,CAAC;QACN,MAAM,CAAC,qEAAqE,CAAC,CAAC;IAChF,CAAC;AACH,CAAC;AAED,IAAI,EAAE,CAAC,KAAK,CAAC,CAAC,KAAc,EAAE,EAAE;IAC9B,MAAM,CAAC,UAAU,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC;IAC3E,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;AAClB,CAAC,CAAC,CAAC"}

package/dist/key-auth.d.ts

@@ -0,0 +1,66 @@
+/** Public key in JWK form. */
+export interface Ed25519PublicJwk {
+    kty: 'OKP';
+    crv: 'Ed25519';
+    x: string;
+}
+/** Private key file shape persisted at `~/.aismemory/keys/<userDid>.json`. */
+export interface KeyFile {
+    /** Schema version. Bump for breaking changes; readers should refuse unknown versions. */
+    version: 1;
+    userId: string;
+    userDid: string;
+    keyType: 'Ed25519';
+    /** base64url(raw 32-byte private key seed) */
+    privateKey: string;
+    /** base64url(raw 32-byte public key) */
+    publicKey: string;
+    /** Public key in JWK form — kept alongside `publicKey` for convenience. */
+    publicKeyJwk: Ed25519PublicJwk;
+    createdAt: string;
+}
+/** Credentials handed back to the caller after a successful key-auth. */
+export interface KeyAuthCredentials {
+    userId: string;
+    userDid: string;
+    /** Bearer JWT to use in `Authorization: Bearer ...` headers. */
+    token: string;
+    /** ISO timestamp at which `token` will be rejected. */
+    expiresAt: string;
+    tokenType: 'owner';
+}
+/** Read a key file. Returns null if the file is absent. Throws on malformed JSON. */
+export declare function readKeyFile(opts: {
+    userDid: string;
+    keysDir?: string;
+}): KeyFile | null;
+/**
+ * Generate a fresh Ed25519 keypair, write it to disk, and return the result.
+ * The directory is created with mode 0700 and the key file with mode 0600.
+ *
+ * This is called once per device by the `enable-key-auth` CLI bootstrap.
+ */
+export declare function generateAndSaveKeypair(opts: {
+    userId: string;
+    userDid: string;
+    keysDir?: string;
+}): Promise<KeyFile>;
+export interface TryKeyAuthOpts {
+    /** AIS base URL, e.g. `https://ais.agentsandswarms.ai` */
+    aisUrl: string;
+    /** Override the default keys directory (for tests). */
+    keysDir?: string;
+    /**
+     * If supplied, load the key for this specific userDid. Otherwise the
+     * helper auto-discovers a single key file in `keysDir`.
+     */
+    userDid?: string;
+    /** Override fetch (for tests). */
+    fetchImpl?: typeof globalThis.fetch;
+}
+/**
+ * Attempt key-based authentication against AIS. Returns null if no usable
+ * key file exists (caller should fall back to device flow). Throws on any
+ * fatal error (bad signature, network failure, server rejection).
+ */
+export declare function tryKeyAuth(opts: TryKeyAuthOpts): Promise<KeyAuthCredentials | null>;

package/dist/key-auth.js

@@ -0,0 +1,179 @@
+/**
+ * Key-based authentication for the aismemory client.
+ *
+ * Phase 1 of the DID-auth ladder: the user generates an Ed25519 keypair on
+ * their device (via `enable-key-auth`), publishes the public key to AIS once,
+ * and from then on signs server-issued challenges with the private key to
+ * obtain owner JWTs. The browser activate flow is needed only at enrollment.
+ *
+ * Threat model:
+ *   - Private key lives at `~/.aismemory/keys/<userDid>.json`, mode 0600.
+ *     Same handling story as an SSH private key without a passphrase.
+ *   - The server NEVER sees the private key — only the public half.
+ *   - Owner JWTs are NOT persisted; they live in memory for the session.
+ *     When the JWT expires (or AIS rotates JWT_SECRET) the client silently
+ *     re-runs challenge/prove. The user notices nothing.
+ */
+import { generateKeyPairSync, createPrivateKey, sign as edSign, } from 'node:crypto';
+import { mkdirSync, readFileSync, writeFileSync, existsSync, readdirSync, chmodSync, } from 'node:fs';
+import { join } from 'node:path';
+import { homedir } from 'node:os';
+// ───────────────────────────────────────────────────────────────────────────
+// Filesystem helpers
+// ───────────────────────────────────────────────────────────────────────────
+/** Default location for key files. Override via `keysDir` arg in tests. */
+function defaultKeysDir() {
+    return join(homedir(), '.aismemory', 'keys');
+}
+function keyFilePath(userDid, keysDir) {
+    return join(keysDir ?? defaultKeysDir(), `${userDid}.json`);
+}
+/** Read a key file. Returns null if the file is absent. Throws on malformed JSON. */
+export function readKeyFile(opts) {
+    const path = keyFilePath(opts.userDid, opts.keysDir);
+    if (!existsSync(path))
+        return null;
+    const raw = readFileSync(path, 'utf-8');
+    const parsed = JSON.parse(raw);
+    if (parsed.version !== 1) {
+        throw new Error(`Unsupported key file version: ${parsed.version}. Run \`aismemory enable-key-auth\` to re-enroll.`);
+    }
+    return parsed;
+}
+/**
+ * Discover a single key file in `keysDir` when the caller doesn't know which
+ * userDid to load. Common case: the MCP server boots, sees a single key on
+ * disk, and uses it. Returns null if zero or multiple keys are present.
+ */
+function discoverSingleKeyFile(keysDir) {
+    const dir = keysDir ?? defaultKeysDir();
+    if (!existsSync(dir))
+        return null;
+    const entries = readdirSync(dir).filter((f) => f.endsWith('.json'));
+    if (entries.length !== 1)
+        return null;
+    const path = join(dir, entries[0]);
+    const parsed = JSON.parse(readFileSync(path, 'utf-8'));
+    if (parsed.version !== 1)
+        return null;
+    return parsed;
+}
+/**
+ * Generate a fresh Ed25519 keypair, write it to disk, and return the result.
+ * The directory is created with mode 0700 and the key file with mode 0600.
+ *
+ * This is called once per device by the `enable-key-auth` CLI bootstrap.
+ */
+export async function generateAndSaveKeypair(opts) {
+    const dir = opts.keysDir ?? defaultKeysDir();
+    mkdirSync(dir, { recursive: true, mode: 0o700 });
+    const { publicKey, privateKey } = generateKeyPairSync('ed25519');
+    // Export to JWK form so we have a canonical wire shape AND the raw bytes.
+    const publicJwk = publicKey.export({ format: 'jwk' });
+    const privateJwk = privateKey.export({ format: 'jwk' });
+    const file = {
+        version: 1,
+        userId: opts.userId,
+        userDid: opts.userDid,
+        keyType: 'Ed25519',
+        privateKey: privateJwk.d,
+        publicKey: publicJwk.x,
+        publicKeyJwk: { kty: 'OKP', crv: 'Ed25519', x: publicJwk.x },
+        createdAt: new Date().toISOString(),
+    };
+    const path = keyFilePath(opts.userDid, opts.keysDir);
+    writeFileSync(path, JSON.stringify(file, null, 2));
+    // chmod after write — writeFileSync's mode arg is umasked, so explicit
+    // chmod is the only reliable path to 0600 on POSIX.
+    if (process.platform !== 'win32') {
+        chmodSync(path, 0o600);
+    }
+    return file;
+}
+// ───────────────────────────────────────────────────────────────────────────
+// Crypto: sign the canonical challenge string
+// ───────────────────────────────────────────────────────────────────────────
+/**
+ * Sign the canonical challenge bytes with the user's private key. Returns
+ * the signature as a base64url string ready for the wire.
+ *
+ * Canonical form: `<userDid>\n<nonce>\n<exp>` as UTF-8 bytes. Must match the
+ * server's verification (see did-auth.ts in agent-identity-service).
+ */
+function signChallenge(args) {
+    // Import the raw private key bytes back into a Node KeyObject. The JWK
+    // round-trip is the simplest way to do this without depending on PKCS#8
+    // formatting nuances.
+    const priv = createPrivateKey({
+        key: {
+            kty: 'OKP',
+            crv: 'Ed25519',
+            x: args.publicKeyB64,
+            d: args.privateKeyB64,
+        },
+        format: 'jwk',
+    });
+    const msg = Buffer.from(`${args.userDid}\n${args.nonce}\n${args.exp}`, 'utf8');
+    return edSign(null, msg, priv).toString('base64url');
+}
+/**
+ * Attempt key-based authentication against AIS. Returns null if no usable
+ * key file exists (caller should fall back to device flow). Throws on any
+ * fatal error (bad signature, network failure, server rejection).
+ */
+export async function tryKeyAuth(opts) {
+    const fetchImpl = opts.fetchImpl ?? globalThis.fetch;
+    // 1. Locate a key file.
+    let keyFile;
+    if (opts.userDid) {
+        keyFile = readKeyFile({ userDid: opts.userDid, keysDir: opts.keysDir });
+    }
+    else {
+        keyFile = discoverSingleKeyFile(opts.keysDir);
+    }
+    if (!keyFile)
+        return null;
+    // 2. Issue a challenge.
+    const challengeRes = await fetchImpl(`${opts.aisUrl}/v1/auth/challenge`, {
+        method: 'POST',
+        headers: { 'Content-Type': 'application/json' },
+        body: JSON.stringify({ userDid: keyFile.userDid }),
+    });
+    const challengeBody = (await challengeRes.json());
+    if (!challengeRes.ok || !challengeBody.success || !challengeBody.data) {
+        throw new Error(`key-auth: challenge failed (${challengeRes.status}): ${challengeBody.error?.message ?? challengeBody.error?.code ?? 'unknown'}`);
+    }
+    const { nonce, exp, hmac } = challengeBody.data;
+    // 3. Sign the canonical message.
+    const signature = signChallenge({
+        privateKeyB64: keyFile.privateKey,
+        publicKeyB64: keyFile.publicKey,
+        userDid: keyFile.userDid,
+        nonce,
+        exp,
+    });
+    // 4. Submit the signed proof.
+    const proveRes = await fetchImpl(`${opts.aisUrl}/v1/auth/did-prove`, {
+        method: 'POST',
+        headers: { 'Content-Type': 'application/json' },
+        body: JSON.stringify({
+            userDid: keyFile.userDid,
+            nonce,
+            exp,
+            hmac,
+            signature,
+        }),
+    });
+    const proveBody = (await proveRes.json());
+    if (!proveRes.ok || !proveBody.success || !proveBody.data) {
+        throw new Error(`key-auth: did-prove failed (${proveRes.status}): ${proveBody.error?.message ?? proveBody.error?.code ?? 'unknown'}`);
+    }
+    return {
+        userId: keyFile.userId,
+        userDid: keyFile.userDid,
+        token: proveBody.data.bearerToken,
+        expiresAt: proveBody.data.expiresAt,
+        tokenType: 'owner',
+    };
+}
+//# sourceMappingURL=key-auth.js.map

package/dist/key-auth.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"key-auth.js","sourceRoot":"","sources":["../src/key-auth.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;GAeG;AACH,OAAO,EACL,mBAAmB,EACnB,gBAAgB,EAChB,IAAI,IAAI,MAAM,GAEf,MAAM,aAAa,CAAC;AACrB,OAAO,EACL,SAAS,EACT,YAAY,EACZ,aAAa,EACb,UAAU,EACV,WAAW,EACX,SAAS,GACV,MAAM,SAAS,CAAC;AACjB,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AACjC,OAAO,EAAE,OAAO,EAAE,MAAM,SAAS,CAAC;AAwClC,8EAA8E;AAC9E,qBAAqB;AACrB,8EAA8E;AAE9E,2EAA2E;AAC3E,SAAS,cAAc;IACrB,OAAO,IAAI,CAAC,OAAO,EAAE,EAAE,YAAY,EAAE,MAAM,CAAC,CAAC;AAC/C,CAAC;AAED,SAAS,WAAW,CAAC,OAAe,EAAE,OAAgB;IACpD,OAAO,IAAI,CAAC,OAAO,IAAI,cAAc,EAAE,EAAE,GAAG,OAAO,OAAO,CAAC,CAAC;AAC9D,CAAC;AAED,qFAAqF;AACrF,MAAM,UAAU,WAAW,CAAC,IAA2C;IACrE,MAAM,IAAI,GAAG,WAAW,CAAC,IAAI,CAAC,OAAO,EAAE,IAAI,CAAC,OAAO,CAAC,CAAC;IACrD,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC;QAAE,OAAO,IAAI,CAAC;IACnC,MAAM,GAAG,GAAG,YAAY,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC;IACxC,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAY,CAAC;IAC1C,IAAI,MAAM,CAAC,OAAO,KAAK,CAAC,EAAE,CAAC;QACzB,MAAM,IAAI,KAAK,CAAC,iCAAiC,MAAM,CAAC,OAAO,mDAAmD,CAAC,CAAC;IACtH,CAAC;IACD,OAAO,MAAM,CAAC;AAChB,CAAC;AAED;;;;GAIG;AACH,SAAS,qBAAqB,CAAC,OAAgB;IAC7C,MAAM,GAAG,GAAG,OAAO,IAAI,cAAc,EAAE,CAAC;IACxC,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC;QAAE,OAAO,IAAI,CAAC;IAClC,MAAM,OAAO,GAAG,WAAW,CAAC,GAAG,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC,CAAC;IACpE,IAAI,OAAO,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,IAAI,CAAC;IACtC,MAAM,IAAI,GAAG,IAAI,CAAC,GAAG,EAAE,OAAO,CAAC,CAAC,CAAE,CAAC,CAAC;IACpC,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,YAAY,CAAC,IAAI,EAAE,OAAO,CAAC,CAAY,CAAC;IAClE,IAAI,MAAM,CAAC,OAAO,KAAK,CAAC;QAAE,OAAO,IAAI,CAAC;IACtC,OAAO,MAAM,CAAC;AAChB,CAAC;AAED;;;;;GAKG;AACH,MAAM,CAAC,KAAK,UAAU,sBAAsB,CAAC,IAI5C;IACC,MAAM,GAAG,GAAG,IAAI,CAAC,OAAO,IAAI,cAAc,EAAE,CAAC;IAC7C,SAAS,CAAC,GAAG,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;IAEjD,MAAM,EAAE,SAAS,EAAE,UAAU,EAAE,GAAG,mBAAmB,CAAC,SAAS,CAAC,CAAC;IAEjE,0EAA0E;IAC1E,MAAM,SAAS,GAAG,SAAS,CAAC,MAAM,CAAC,EAAE,MAAM,EAAE,KAAK,EAAE,CAAqB,CAAC;IAC1E,MAAM,UAAU,GAAG,UAAU,CAAC,MAAM,CAAC,EAAE,MAAM,EAAE,KAAK,EAAE,CAAqC,CAAC;IAE5F,MAAM,IAAI,GAAY;QACpB,OAAO,EAAE,CAAC;QACV,MAAM,EAAE,IAAI,CAAC,MAAM;QACnB,OAAO,EAAE,IAAI,CAAC,OAAO;QACrB,OAAO,EAAE,SAAS;QAClB,UAAU,EAAE,UAAU,CAAC,CAAC;QACxB,SAAS,EAAE,SAAS,CAAC,CAAC;QACtB,YAAY,EAAE,EAAE,GAAG,EAAE,KAAK,EAAE,GAAG,EAAE,SAAS,EAAE,CAAC,EAAE,SAAS,CAAC,CAAC,EAAE;QAC5D,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;KACpC,CAAC;IAEF,MAAM,IAAI,GAAG,WAAW,CAAC,IAAI,CAAC,OAAO,EAAE,IAAI,CAAC,OAAO,CAAC,CAAC;IACrD,aAAa,CAAC,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,IAAI,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC;IACnD,uEAAuE;IACvE,oDAAoD;IACpD,IAAI,OAAO,CAAC,QAAQ,KAAK,OAAO,EAAE,CAAC;QACjC,SAAS,CAAC,IAAI,EAAE,KAAK,CAAC,CAAC;IACzB,CAAC;IAED,OAAO,IAAI,CAAC;AACd,CAAC;AAED,8EAA8E;AAC9E,8CAA8C;AAC9C,8EAA8E;AAE9E;;;;;;GAMG;AACH,SAAS,aAAa,CAAC,IAMtB;IACC,uEAAuE;IACvE,wEAAwE;IACxE,sBAAsB;IACtB,MAAM,IAAI,GAAc,gBAAgB,CAAC;QACvC,GAAG,EAAE;YACH,GAAG,EAAE,KAAK;YACV,GAAG,EAAE,SAAS;YACd,CAAC,EAAE,IAAI,CAAC,YAAY;YACpB,CAAC,EAAE,IAAI,CAAC,aAAa;SACb;QACV,MAAM,EAAE,KAAK;KACd,CAAC,CAAC;IACH,MAAM,GAAG,GAAG,MAAM,CAAC,IAAI,CAAC,GAAG,IAAI,CAAC,OAAO,KAAK,IAAI,CAAC,KAAK,KAAK,IAAI,CAAC,GAAG,EAAE,EAAE,MAAM,CAAC,CAAC;IAC/E,OAAO,MAAM,CAAC,IAAI,EAAE,GAAG,EAAE,IAAI,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;AACvD,CAAC;AAgCD;;;;GAIG;AACH,MAAM,CAAC,KAAK,UAAU,UAAU,CAAC,IAAoB;IACnD,MAAM,SAAS,GAAG,IAAI,CAAC,SAAS,IAAI,UAAU,CAAC,KAAK,CAAC;IAErD,wBAAwB;IACxB,IAAI,OAAuB,CAAC;IAC5B,IAAI,IAAI,CAAC,OAAO,EAAE,CAAC;QACjB,OAAO,GAAG,WAAW,CAAC,EAAE,OAAO,EAAE,IAAI,CAAC,OAAO,EAAE,OAAO,EAAE,IAAI,CAAC,OAAO,EAAE,CAAC,CAAC;IAC1E,CAAC;SAAM,CAAC;QACN,OAAO,GAAG,qBAAqB,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;IAChD,CAAC;IACD,IAAI,CAAC,OAAO;QAAE,OAAO,IAAI,CAAC;IAE1B,wBAAwB;IACxB,MAAM,YAAY,GAAG,MAAM,SAAS,CAAC,GAAG,IAAI,CAAC,MAAM,oBAAoB,EAAE;QACvE,MAAM,EAAE,MAAM;QACd,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE;QAC/C,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,OAAO,EAAE,OAAO,CAAC,OAAO,EAAE,CAAC;KACnD,CAAC,CAAC;IACH,MAAM,aAAa,GAAG,CAAC,MAAM,YAAY,CAAC,IAAI,EAAE,CAAsB,CAAC;IACvE,IAAI,CAAC,YAAY,CAAC,EAAE,IAAI,CAAC,aAAa,CAAC,OAAO,IAAI,CAAC,aAAa,CAAC,IAAI,EAAE,CAAC;QACtE,MAAM,IAAI,KAAK,CACb,+BAA+B,YAAY,CAAC,MAAM,MAAM,aAAa,CAAC,KAAK,EAAE,OAAO,IAAI,aAAa,CAAC,KAAK,EAAE,IAAI,IAAI,SAAS,EAAE,CACjI,CAAC;IACJ,CAAC;IACD,MAAM,EAAE,KAAK,EAAE,GAAG,EAAE,IAAI,EAAE,GAAG,aAAa,CAAC,IAAI,CAAC;IAEhD,iCAAiC;IACjC,MAAM,SAAS,GAAG,aAAa,CAAC;QAC9B,aAAa,EAAE,OAAO,CAAC,UAAU;QACjC,YAAY,EAAE,OAAO,CAAC,SAAS;QAC/B,OAAO,EAAE,OAAO,CAAC,OAAO;QACxB,KAAK;QACL,GAAG;KACJ,CAAC,CAAC;IAEH,8BAA8B;IAC9B,MAAM,QAAQ,GAAG,MAAM,SAAS,CAAC,GAAG,IAAI,CAAC,MAAM,oBAAoB,EAAE;QACnE,MAAM,EAAE,MAAM;QACd,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE;QAC/C,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC;YACnB,OAAO,EAAE,OAAO,CAAC,OAAO;YACxB,KAAK;YACL,GAAG;YACH,IAAI;YACJ,SAAS;SACV,CAAC;KACH,CAAC,CAAC;IACH,MAAM,SAAS,GAAG,CAAC,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAqB,CAAC;IAC9D,IAAI,CAAC,QAAQ,CAAC,EAAE,IAAI,CAAC,SAAS,CAAC,OAAO,IAAI,CAAC,SAAS,CAAC,IAAI,EAAE,CAAC;QAC1D,MAAM,IAAI,KAAK,CACb,+BAA+B,QAAQ,CAAC,MAAM,MAAM,SAAS,CAAC,KAAK,EAAE,OAAO,IAAI,SAAS,CAAC,KAAK,EAAE,IAAI,IAAI,SAAS,EAAE,CACrH,CAAC;IACJ,CAAC;IAED,OAAO;QACL,MAAM,EAAE,OAAO,CAAC,MAAM;QACtB,OAAO,EAAE,OAAO,CAAC,OAAO;QACxB,KAAK,EAAE,SAAS,CAAC,IAAI,CAAC,WAAW;QACjC,SAAS,EAAE,SAAS,CAAC,IAAI,CAAC,SAAS;QACnC,SAAS,EAAE,OAAO;KACnB,CAAC;AACJ,CAAC"}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "aismemory",
-  "version": "0.4.0",
+  "version": "0.5.0",
   "description": "Persistent memory for AI agents. MCP server that connects to Agent Identity Service.",
   "type": "module",
   "bin": "dist/index.js",