kavachos 0.0.5 → 0.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (44) hide show
  1. package/README.md +170 -37
  2. package/dist/a2a/index.d.ts +2 -2
  3. package/dist/a2a/index.js +2 -2
  4. package/dist/agent/index.d.ts +3 -3
  5. package/dist/agent/index.js +4 -4
  6. package/dist/audit/index.d.ts +2 -2
  7. package/dist/audit/index.js +3 -3
  8. package/dist/auth/index.d.ts +3 -3
  9. package/dist/auth/index.js +4 -4
  10. package/dist/{chunk-62P5FJ34.js → chunk-IEOOSOJ4.js} +74 -32
  11. package/dist/chunk-IEOOSOJ4.js.map +1 -0
  12. package/dist/{chunk-IS5FRKIS.js → chunk-IKTOSJ4O.js} +4 -4
  13. package/dist/{chunk-IS5FRKIS.js.map → chunk-IKTOSJ4O.js.map} +1 -1
  14. package/dist/{chunk-KNNJ4COO.js → chunk-KDL6A76K.js} +3 -3
  15. package/dist/{chunk-KNNJ4COO.js.map → chunk-KDL6A76K.js.map} +1 -1
  16. package/dist/chunk-NSBPE2FW.js +15 -0
  17. package/dist/{chunk-PZ5AY32C.js.map → chunk-NSBPE2FW.js.map} +1 -1
  18. package/dist/{chunk-ELGG2VW2.js → chunk-NSTER7KE.js} +3 -3
  19. package/dist/{chunk-ELGG2VW2.js.map → chunk-NSTER7KE.js.map} +1 -1
  20. package/dist/{chunk-3AZDFCQF.js → chunk-QCRHJMDX.js} +3 -3
  21. package/dist/{chunk-3AZDFCQF.js.map → chunk-QCRHJMDX.js.map} +1 -1
  22. package/dist/{chunk-O7VQ2LQE.js → chunk-VHKZARMM.js} +4 -4
  23. package/dist/{chunk-O7VQ2LQE.js.map → chunk-VHKZARMM.js.map} +1 -1
  24. package/dist/{chunk-4CANWZWP.js → chunk-Y3OWAJHK.js} +3 -3
  25. package/dist/{chunk-4CANWZWP.js.map → chunk-Y3OWAJHK.js.map} +1 -1
  26. package/dist/chunk-YARXM6MQ.js +288 -0
  27. package/dist/chunk-YARXM6MQ.js.map +1 -0
  28. package/dist/crypto/index.d.ts +55 -0
  29. package/dist/crypto/index.js +4 -0
  30. package/dist/crypto/index.js.map +1 -0
  31. package/dist/index.d.ts +7 -58
  32. package/dist/index.js +39 -309
  33. package/dist/index.js.map +1 -1
  34. package/dist/mcp/index.js +2 -2
  35. package/dist/permission/index.d.ts +3 -3
  36. package/dist/permission/index.js +4 -4
  37. package/dist/redirect/index.d.ts +118 -0
  38. package/dist/redirect/index.js +5 -0
  39. package/dist/redirect/index.js.map +1 -0
  40. package/dist/{types-BTui0HQU.d.ts → types-6D7iJvGD.d.ts} +6 -122
  41. package/dist/vc/index.js +3 -3
  42. package/package.json +2 -1
  43. package/dist/chunk-62P5FJ34.js.map +0 -1
  44. package/dist/chunk-PZ5AY32C.js +0 -9
@@ -1 +1 @@
1
- {"version":3,"sources":["../src/vc/types.ts","../src/vc/issuer.ts","../src/vc/verifier.ts"],"names":["makeError","importJWK","joseErrors"],"mappings":";;;;AAaO,IAAM,aAAA,GAAgB;AACtB,IAAM,aAAA,GAAgB;AACtB,IAAM,kBAAA,GAAqB;AAC3B,IAAM,oBAAA,GAAuB;AAG7B,IAAM,uBAAA,GAA0B;AAChC,IAAM,4BAAA,GAA+B;AACrC,IAAM,4BAAA,GAA+B;AAIrC,IAAM,WAAA,GAAc,EAAE,MAAA,CAAO;AAAA,EACnC,MAAM,CAAA,CAAE,IAAA,CAAK,CAAC,sBAAA,EAAwB,sBAAsB,CAAC,CAAA;AAAA,EAC7D,OAAA,EAAS,EAAE,MAAA,EAAO;AAAA,EAClB,kBAAA,EAAoB,EAAE,MAAA,EAAO;AAAA,EAC7B,cAAc,CAAA,CAAE,IAAA,CAAK,CAAC,iBAAA,EAAmB,gBAAgB,CAAC,CAAA;AAAA,EAC1D,UAAA,EAAY,CAAA,CAAE,MAAA,EAAO,CAAE,QAAA,EAAS;AAAA,EAChC,GAAA,EAAK,CAAA,CAAE,MAAA,EAAO,CAAE,QAAA;AACjB,CAAC;AAMM,IAAM,sBAAA,GAAyB,EAAE,MAAA,CAAO;AAAA,EAC9C,EAAA,EAAI,EAAE,MAAA,EAAO;AAAA,EACb,IAAA,EAAM,EAAE,MAAA,EAAO;AAAA,EACf,eAAe,CAAA,CAAE,IAAA,CAAK,CAAC,YAAA,EAAc,YAAY,CAAC,CAAA;AAAA,EAClD,iBAAiB,CAAA,CAAE,MAAA,EAAO,CAAE,GAAA,GAAM,WAAA,EAAY;AAAA,EAC9C,oBAAA,EAAsB,EAAE,MAAA;AACzB,CAAC;AAMM,IAAM,uBAAA,GAA0B,EAAE,MAAA,CAAO;AAAA,EAC/C,EAAA,EAAI,CAAA,CAAE,MAAA,EAAO,CAAE,QAAA,EAAS;AAAA,EACxB,OAAA,EAAS,CAAA,CAAE,MAAA,EAAO,CAAE,QAAA,EAAS;AAAA,EAC7B,aAAa,CAAA,CAAE,KAAA,CAAM,EAAE,MAAA,EAAQ,EAAE,QAAA,EAAS;AAAA,EAC1C,UAAA,EAAY,CAAA,CAAE,MAAA,EAAO,CAAE,GAAA,CAAI,CAAC,CAAA,CAAE,GAAA,CAAI,CAAC,CAAA,CAAE,QAAA,EAAS;AAAA,EAC9C,iBAAiB,CAAA,CAAE,KAAA,CAAM,EAAE,MAAA,EAAQ,EAAE,QAAA,EAAS;AAAA,EAC9C,iBAAiB,CAAA,CACf,KAAA;AAAA,IACA,EAAE,MAAA,CAAO;AAAA,MACR,SAAA,EAAW,EAAE,MAAA,EAAO;AAAA,MACpB,SAAA,EAAW,EAAE,MAAA,EAAO;AAAA,MACpB,WAAA,EAAa,CAAA,CAAE,KAAA,CAAM,CAAA,CAAE,QAAQ,CAAA;AAAA,MAC/B,SAAA,EAAW,EAAE,MAAA;AAAO,KACpB;AAAA,IAED,QAAA,EAAS;AAAA,EACX,IAAA,EAAM,CAAA,CAAE,MAAA,EAAO,CAAE,QAAA,EAAS;AAAA,EAC1B,IAAA,EAAM,CAAA,CAAE,MAAA,EAAO,CAAE,QAAA;AAClB,CAAC;AAMM,IAAM,0BAAA,GAA6B,EAAE,MAAA,CAAO;AAAA,EAClD,UAAA,EAAY,EAAE,KAAA,CAAM,CAAA,CAAE,QAAQ,CAAA,CAAE,IAAI,CAAC,CAAA;AAAA,EACrC,EAAA,EAAI,CAAA,CAAE,MAAA,EAAO,CAAE,QAAA,EAAS;AAAA,EACxB,IAAA,EAAM,EAAE,KAAA,CAAM,CAAA,CAAE,QAAQ,CAAA,CAAE,IAAI,CAAC,CAAA;AAAA,EAC/B,MAAA,EAAQ,EAAE,KAAA,CAA
M,CAAC,EAAE,MAAA,EAAO,EAAG,CAAA,CAAE,MAAA,CAAO,EAAE,EAAA,EAAI,EAAE,MAAA,EAAO,EAAG,MAAM,CAAA,CAAE,MAAA,GAAS,QAAA,EAAS,EAAG,CAAC,CAAC,CAAA;AAAA,EACvF,YAAA,EAAc,EAAE,MAAA,EAAO;AAAA,EACvB,cAAA,EAAgB,CAAA,CAAE,MAAA,EAAO,CAAE,QAAA,EAAS;AAAA,EACpC,iBAAA,EAAmB,uBAAA;AAAA,EACnB,gBAAA,EAAkB,uBAAuB,QAAA,EAAS;AAAA,EAClD,KAAA,EAAO,YAAY,QAAA;AACpB,CAAC;AAMM,IAAM,4BAAA,GAA+B,EAAE,MAAA,CAAO;AAAA,EACpD,UAAA,EAAY,EAAE,KAAA,CAAM,CAAA,CAAE,QAAQ,CAAA,CAAE,IAAI,CAAC,CAAA;AAAA,EACrC,EAAA,EAAI,CAAA,CAAE,MAAA,EAAO,CAAE,QAAA,EAAS;AAAA,EACxB,IAAA,EAAM,EAAE,KAAA,CAAM,CAAA,CAAE,QAAQ,CAAA,CAAE,IAAI,CAAC,CAAA;AAAA,EAC/B,MAAA,EAAQ,CAAA,CAAE,MAAA,EAAO,CAAE,QAAA,EAAS;AAAA,EAC5B,sBAAsB,CAAA,CAAE,KAAA,CAAM,0BAA0B,CAAA,CAAE,IAAI,CAAC,CAAA;AAAA,EAC/D,KAAA,EAAO,YAAY,QAAA;AACpB,CAAC;;;ACpED,IAAM,mBAAA,GAAsB,KAAA;AAI5B,SAAS,SAAA,CAAU,IAAA,EAAc,OAAA,EAAiB,OAAA,EAAgD;AACjG,EAAA,OAAO,EAAE,IAAA,EAAM,OAAA,EAAS,GAA0C,EAAC,EAAG;AACvE;AAEA,SAAS,MAAA,GAAiB;AACzB,EAAA,OAAA,iBAAO,IAAI,IAAA,EAAK,EAAE,WAAA,EAAY;AAC/B;AAEA,SAAS,UAAU,OAAA,EAAyB;AAC3C,EAAA,OAAO,IAAI,KAAK,IAAA,CAAK,GAAA,KAAQ,OAAA,GAAU,GAAI,EAAE,WAAA,EAAY;AAC1D;AAoFO,SAAS,eAAe,MAAA,EAAkC;AAChE,EAAA,MAAM,EAAE,SAAA,EAAW,aAAA,EAAe,UAAA,GAAa,qBAAoB,GAAI,MAAA;AAEvE,EAAA,MAAM,GAAA,GAAM,CAAA,EAAG,SAAS,CAAA,CAAA,EAAI,SAAA,CAAU,MAAM,GAAG,CAAA,CAAE,GAAA,EAAI,IAAK,OAAO,CAAA,CAAA;AAEjE,EAAA,eAAe,SAAA,CACd,UAAA,EACA,OAAA,EACA,GAAA,EACqE;AACrE,IAAA,IAAI;AACH,MAAA,MAAM,GAAA,GAAM,MAAM,SAAA,CAAU,aAAA,EAAe,OAAO,CAAA;AAGlD,MAAA,MAAM,EAAE,KAAA,EAAO,MAAA,EAAQ,GAAG,gBAAe,GAAI,UAAA;AAE7C,MAAA,MAAM,OAAA,GAAU,IAAI,OAAA,CAAQ;AAAA,QAC3B,EAAA,EAAI;AAAA,OACJ,CAAA,CACC,kBAAA,CAAmB,EAAE,GAAA,EAAK,SAAS,GAAA,EAAK,GAAA,EAAK,KAAA,EAAO,CAAA,CACpD,SAAA,CAAU,SAAS,CAAA,CACnB,WAAA,EAAY,CACZ,iBAAA,CAAkB,IAAA,CAAK,KAAA,CAAM,KAAK,GAAA,EAAI,GAAI,GAAI,CAAA,GAAI,GAAG,CAAA;AAEvD,MAAA,IAAI,WAAW,EAAA,EAAI;AAClB,QAAA,OAAA,CAAQ,MAAA,CAAO,WAAW,EAAE,CAAA;AAAA,MAC7B;AACA,MAAA,IAAI,OAAA,EAAS;AACZ,QAAA,OAAA,CAAQ,WAAW,OAAO,CAAA;AAAA,MAC3B;AAEA,MAAA,MAAM,GAAA,GAAM,MAAM,OAAA,CAAQ,IAAA,CAAK,GAAG,CAAA;AAClC,MAAA,OAAO
,EAAE,OAAA,EAAS,IAAA,EAAM,MAAM,EAAE,UAAA,EAAY,KAAI,EAAE;AAAA,IACnD,SAAS,GAAA,EAAK;AACb,MAAA,OAAO;AAAA,QACN,OAAA,EAAS,KAAA;AAAA,QACT,KAAA,EAAO,SAAA;AAAA,UACN,gBAAA;AAAA,UACA,GAAA,YAAe,KAAA,GAAQ,GAAA,CAAI,OAAA,GAAU;AAAA;AACtC,OACD;AAAA,IACD;AAAA,EACD;AAEA,EAAA,eAAe,aACd,UAAA,EACwD;AACxD,IAAA,IAAI;AACH,MAAA,MAAM,GAAA,GAAM,MAAM,SAAA,CAAU,aAAA,EAAe,OAAO,CAAA;AAGlD,MAAA,MAAM,EAAE,KAAA,EAAO,MAAA,EAAQ,GAAG,gBAAe,GAAI,UAAA;AAC7C,MAAA,MAAM,OAAA,GAAU,IAAI,WAAA,EAAY,CAAE,OAAO,IAAA,CAAK,SAAA,CAAU,cAAc,CAAC,CAAA;AAEvE,MAAA,MAAM,EAAE,WAAA,EAAY,GAAI,MAAM,OAAO,MAAM,CAAA;AAC3C,MAAA,MAAM,GAAA,GAAM,MAAM,IAAI,WAAA,CAAY,OAAO,CAAA,CACvC,kBAAA,CAAmB,EAAE,GAAA,EAAK,OAAA,EAAS,GAAA,EAAK,CAAA,CACxC,KAAK,GAAG,CAAA;AAEV,MAAA,MAAM,KAAA,GAAe;AAAA,QACpB,IAAA,EAAM,sBAAA;AAAA,QACN,SAAS,MAAA,EAAO;AAAA,QAChB,kBAAA,EAAoB,GAAA;AAAA,QACpB,YAAA,EAAc,iBAAA;AAAA,QACd;AAAA,OACD;AAEA,MAAA,MAAM,gBAAA,GAAyC;AAAA,QAC9C,GAAG,UAAA;AAAA,QACH;AAAA,OACD;AAEA,MAAA,OAAO,EAAE,OAAA,EAAS,IAAA,EAAM,MAAM,EAAE,UAAA,EAAY,kBAAiB,EAAE;AAAA,IAChE,SAAS,GAAA,EAAK;AACb,MAAA,OAAO;AAAA,QACN,OAAA,EAAS,KAAA;AAAA,QACT,KAAA,EAAO,SAAA;AAAA,UACN,gBAAA;AAAA,UACA,GAAA,YAAe,KAAA,GAAQ,GAAA,CAAI,OAAA,GAAU;AAAA;AACtC,OACD;AAAA,IACD;AAAA,EACD;AAEA,EAAA,SAAS,eAAA,CACR,KAAA,EACA,OAAA,EACA,GAAA,EACA,cAAA,EACuB;AACvB,IAAA,OAAO;AAAA,MACN,UAAA,EAAY,CAAC,aAAa,CAAA;AAAA,MAC1B,EAAA,EAAI,CAAA,SAAA,EAAY,UAAA,EAAY,CAAA,CAAA;AAAA,MAC5B,IAAA,EAAM,CAAC,kBAAA,EAAoB,GAAG,KAAK,CAAA;AAAA,MACnC,MAAA,EAAQ,SAAA;AAAA,MACR,cAAc,MAAA,EAAO;AAAA,MACrB,cAAA,EAAkC,SAAA,CAAU,GAAG,CAAA;AAAA,MAC/C,iBAAA,EAAmB;AAAA,KACpB;AAAA,EACD;AAEA,EAAA,eAAe,cAAA,CACd,UAAA,EACA,OAAA,EACA,GAAA,EACA,MAAA,EACsE;AACtE,IAAA,IAAI,WAAW,KAAA,EAAO;AACrB,MAAA,OAAO,SAAA,CAAU,UAAA,EAAY,OAAA,EAAS,GAAG,CAAA;AAAA,IAC1C;AACA,IAAA,OAAO,aAAa,UAAU,CAAA;AAAA,EAC/B;AAIA,EAAA,eAAe,qBACd,KAAA,EACsE;AACtE,IAAA,MAAM;AAAA,MACL,OAAA;AAAA,MACA,IAAA;AAAA,MACA,SAAA;AAAA,MACA,WAAA;AAAA,MACA,UAAA;AAAA,MACA,GAAA,GAAM,UAAA;AAAA,MACN,MAAA,GAAS;AAAA,KACV,GAAI,KAAA;AAEJ,IAAA,IAAI,CAAC,OAAA,EAAS;AACb,MAAA,OAAO;AAAA,QACN,OAAA,EAAS
,KAAA;AAAA,QACT,KAAA,EAAO,SAAA,CAAU,kBAAA,EAAoB,qBAAqB;AAAA,OAC3D;AAAA,IACD;AAEA,IAAA,IAAI,UAAA,KAAe,MAAA,KAAc,UAAA,GAAa,CAAA,IAAK,aAAa,CAAA,CAAA,EAAI;AACnE,MAAA,OAAO;AAAA,QACN,OAAA,EAAS,KAAA;AAAA,QACT,KAAA,EAAO,SAAA,CAAU,kBAAA,EAAoB,oCAAoC;AAAA,OAC1E;AAAA,IACD;AAEA,IAAA,MAAM,OAAA,GAA6B;AAAA,MAClC,EAAA,EAAI,OAAA;AAAA,MACJ,OAAA;AAAA,MACA,GAAI,IAAA,KAAS,MAAA,GAAY,EAAE,IAAA,KAAS,EAAC;AAAA,MACrC,GAAI,SAAA,KAAc,MAAA,GAAY,EAAE,IAAA,EAAM,SAAA,KAAc,EAAC;AAAA,MACrD,GAAI,WAAA,KAAgB,MAAA,GAAY,EAAE,WAAA,KAAgB,EAAC;AAAA,MACnD,GAAI,UAAA,KAAe,MAAA,GAAY,EAAE,UAAA,KAAe;AAAC,KAClD;AAEA,IAAA,MAAM,aAAa,eAAA,CAAgB,CAAC,uBAAuB,CAAA,EAAG,SAAS,GAAG,CAAA;AAC1E,IAAA,OAAO,cAAA,CAAe,UAAA,EAAY,OAAA,EAAS,GAAA,EAAK,MAAM,CAAA;AAAA,EACvD;AAEA,EAAA,eAAe,0BACd,KAAA,EACsE;AACtE,IAAA,MAAM,EAAE,OAAA,EAAS,WAAA,EAAa,MAAM,UAAA,EAAY,MAAA,GAAS,OAAM,GAAI,KAAA;AAEnE,IAAA,IAAI,CAAC,OAAA,EAAS;AACb,MAAA,OAAO;AAAA,QACN,OAAA,EAAS,KAAA;AAAA,QACT,KAAA,EAAO,SAAA,CAAU,kBAAA,EAAoB,qBAAqB;AAAA,OAC3D;AAAA,IACD;AAEA,IAAA,IAAI,CAAC,WAAA,IAAe,WAAA,CAAY,MAAA,KAAW,CAAA,EAAG;AAC7C,MAAA,OAAO;AAAA,QACN,OAAA,EAAS,KAAA;AAAA,QACT,KAAA,EAAO,SAAA,CAAU,kBAAA,EAAoB,qCAAqC;AAAA,OAC3E;AAAA,IACD;AAEA,IAAA,MAAM,OAAA,GAA6B;AAAA,MAClC,EAAA,EAAI,OAAA;AAAA,MACJ,OAAA;AAAA,MACA;AAAA,KACD;AAEA,IAAA,MAAM,aAAa,eAAA,CAAgB,CAAC,4BAA4B,CAAA,EAAG,SAAS,GAAG,CAAA;AAC/E,IAAA,OAAO,cAAA,CAAe,UAAA,EAAY,OAAA,EAAS,GAAA,EAAK,MAAM,CAAA;AAAA,EACvD;AAEA,EAAA,eAAe,0BACd,KAAA,EACsE;AACtE,IAAA,MAAM,EAAE,SAAS,KAAA,EAAO,eAAA,EAAiB,MAAM,UAAA,EAAY,MAAA,GAAS,OAAM,GAAI,KAAA;AAE9E,IAAA,IAAI,CAAC,OAAA,EAAS;AACb,MAAA,OAAO;AAAA,QACN,OAAA,EAAS,KAAA;AAAA,QACT,KAAA,EAAO,SAAA,CAAU,kBAAA,EAAoB,qBAAqB;AAAA,OAC3D;AAAA,IACD;AAEA,IAAA,IAAI,CAAC,KAAA,IAAS,KAAA,CAAM,MAAA,KAAW,CAAA,EAAG;AACjC,MAAA,OAAO;AAAA,QACN,OAAA,EAAS,KAAA;AAAA,QACT,KAAA,EAAO,SAAA,CAAU,kBAAA,EAAoB,8CAA8C;AAAA,OACpF;AAAA,IACD;AAEA,IAAA,MAAM,OAAA,GAA6B;AAAA,MAClC,EAAA,EAAI,OAAA;AAAA,MACJ,OAAA;AAAA,MACA,eAAA,EAAiB,KAAA;AAAA,MACjB,GAAI,eAAA,KAAoB,MAAA,GAAY,EAAE,eAAA,KAAoB;AAAC,KAC5D;AAEA,IAAA,MAAM,aAAa,eAAA,CAAgB,CAAC,4BAA
4B,CAAA,EAAG,SAAS,GAAG,CAAA;AAC/E,IAAA,OAAO,cAAA,CAAe,UAAA,EAAY,OAAA,EAAS,GAAA,EAAK,MAAM,CAAA;AAAA,EACvD;AAEA,EAAA,OAAO;AAAA,IACN,oBAAA;AAAA,IACA,yBAAA;AAAA,IACA,yBAAA;AAAA,IACA;AAAA,GACD;AACD;ACpUA,SAASA,UAAAA,CAAU,IAAA,EAAc,OAAA,EAAiB,OAAA,EAAgD;AACjG,EAAA,OAAO,EAAE,IAAA,EAAM,OAAA,EAAS,GAAI,OAAA,KAAY,SAAY,EAAE,OAAA,EAAQ,GAAI,EAAC,EAAG;AACvE;AAEA,SAAS,gBAAgB,MAAA,EAAwD;AAChF,EAAA,IAAI,OAAO,MAAA,KAAW,QAAA,EAAU,OAAO,MAAA;AACvC,EAAA,OAAO,MAAA,CAAO,EAAA;AACf;AA4BO,SAAS,gBAAA,CAAiB,MAAA,GAA2B,EAAC,EAAe;AAC3E,EAAA,MAAM,EAAE,aAAA,EAAe,qBAAA,EAAsB,GAAI,MAAA;AAEjD,EAAA,eAAe,UAAA,CAAW,KAAa,WAAA,EAAuD;AAC7F,IAAA,IAAI,WAAA,EAAa;AAChB,MAAA,OAAO,EAAE,OAAA,EAAS,IAAA,EAAM,IAAA,EAAM,WAAA,EAAY;AAAA,IAC3C;AAEA,IAAA,IAAI,aAAA,EAAe;AAClB,MAAA,MAAM,QAAA,GAAW,MAAM,aAAA,CAAc,GAAG,CAAA;AACxC,MAAA,IAAI,QAAA,EAAU;AACb,QAAA,OAAO,EAAE,OAAA,EAAS,IAAA,EAAM,IAAA,EAAM,QAAA,EAAS;AAAA,MACxC;AAAA,IACD;AAEA,IAAA,OAAO;AAAA,MACN,OAAA,EAAS,KAAA;AAAA,MACT,KAAA,EAAOA,UAAAA,CAAU,kBAAA,EAAoB,CAAA,sCAAA,EAAyC,GAAG,CAAA,CAAE;AAAA,KACpF;AAAA,EACD;AAEA,EAAA,eAAe,mBAAA,CACd,KACA,WAAA,EACsC;AACtC,IAAA,IAAI;AAEH,MAAA,MAAM,KAAA,GAAQ,GAAA,CAAI,KAAA,CAAM,GAAG,CAAA;AAC3B,MAAA,IAAI,KAAA,CAAM,WAAW,CAAA,EAAG;AACvB,QAAA,OAAO;AAAA,UACN,OAAA,EAAS,KAAA;AAAA,UACT,KAAA,EAAOA,UAAAA,CAAU,gBAAA,EAAkB,2BAA2B;AAAA,SAC/D;AAAA,MACD;AAGA,MAAA,MAAM,UAAA,GAAa,MAAM,CAAC,CAAA;AAC1B,MAAA,IAAI,CAAC,UAAA,EAAY;AAChB,QAAA,OAAO;AAAA,UACN,OAAA,EAAS,KAAA;AAAA,UACT,KAAA,EAAOA,UAAAA,CAAU,gBAAA,EAAkB,wBAAwB;AAAA,SAC5D;AAAA,MACD;AACA,MAAA,MAAM,aAAa,IAAA,CAAK,KAAA;AAAA,QACvB,IAAI,aAAY,CAAE,MAAA;AAAA,UACjB,UAAA,CAAW,IAAA;AAAA,YAAK,IAAA,CAAK,WAAW,OAAA,CAAQ,IAAA,EAAM,GAAG,CAAA,CAAE,OAAA,CAAQ,IAAA,EAAM,GAAG,CAAC,CAAA;AAAA,YAAG,CAAC,CAAA,KACxE,CAAA,CAAE,UAAA,CAAW,CAAC;AAAA;AACf;AACD,OACD;AAEA,MAAA,MAAM,YAAY,OAAO,UAAA,CAAW,GAAA,KAAQ,QAAA,GAAW,WAAW,GAAA,GAAM,IAAA;AACxE,MAAA,IAAI,CAAC,SAAA,EAAW;AACf,QAAA,OAAO;AAAA,UACN,OAAA,EAAS,KAAA;AAAA,UACT,KAAA,EAAOA,UAAAA,CAAU,cAAA,EAAgB,sBAAsB;AAAA,SACxD;AAAA,MACD;AAGA,MAAA,MAAM,SAAA,GAAY,MAAM,UAAA,CAAW,SAAA,EAAW,WAAW,CA
AA;AACzD,MAAA,IAAI,CAAC,SAAA,CAAU,OAAA,EAAS,OAAO,SAAA;AAE/B,MAAA,MAAM,SAAA,GAAY,MAAMC,SAAAA,CAAU,SAAA,CAAU,MAAM,OAAO,CAAA;AACzD,MAAA,MAAM,EAAE,OAAA,EAAQ,GAAI,MAAM,SAAA,CAAU,KAAK,SAAS,CAAA;AAElD,MAAA,MAAM,UAAU,OAAA,CAAQ,EAAA;AACxB,MAAA,IAAI,CAAC,OAAA,EAAS;AACb,QAAA,OAAO;AAAA,UACN,OAAA,EAAS,KAAA;AAAA,UACT,KAAA,EAAOD,UAAAA,CAAU,qBAAA,EAAuB,iCAAiC;AAAA,SAC1E;AAAA,MACD;AAGA,MAAA,MAAM,UAAA,GAAmC;AAAA,QACxC,GAAI,OAAA;AAAA,QACJ,MAAA,EAAQ;AAAA,OACT;AAGA,MAAA,MAAM,MAAA,GAAS,0BAAA,CAA2B,SAAA,CAAU,UAAU,CAAA;AAC9D,MAAA,IAAI,CAAC,OAAO,OAAA,EAAS;AACpB,QAAA,OAAO;AAAA,UACN,OAAA,EAAS,KAAA;AAAA,UACT,KAAA,EAAOA,UAAAA,CAAU,uBAAA,EAAyB,sCAAA,EAAwC;AAAA,YACjF,QAAQ,MAAA,CAAO,KAAA,CAAM,MAAA,CAAO,GAAA,CAAI,CAAC,CAAA,KAAM,CAAA,EAAG,CAAA,CAAE,IAAA,CAAK,KAAK,GAAG,CAAC,CAAA,EAAA,EAAK,CAAA,CAAE,OAAO,CAAA,CAAE;AAAA,WAC1E;AAAA,SACF;AAAA,MACD;AAGA,MAAA,IAAI,OAAA,CAAQ,GAAA,IAAO,OAAA,CAAQ,GAAA,GAAM,IAAA,CAAK,MAAM,IAAA,CAAK,GAAA,EAAI,GAAI,GAAI,CAAA,EAAG;AAC/D,QAAA,OAAO;AAAA,UACN,OAAA,EAAS,KAAA;AAAA,UACT,KAAA,EAAOA,UAAAA,CAAU,YAAA,EAAc,wBAAwB;AAAA,SACxD;AAAA,MACD;AAGA,MAAA,IAAI,MAAA,CAAO,IAAA,CAAK,gBAAA,IAAoB,qBAAA,EAAuB;AAC1D,QAAA,MAAM,OAAA,GAAU,MAAM,qBAAA,CAAsB,MAAA,CAAO,KAAK,gBAAgB,CAAA;AACxE,QAAA,IAAI,OAAA,EAAS;AACZ,UAAA,OAAO;AAAA,YACN,OAAA,EAAS,KAAA;AAAA,YACT,KAAA,EAAOA,UAAAA,CAAU,YAAA,EAAc,6BAA6B;AAAA,WAC7D;AAAA,QACD;AAAA,MACD;AAEA,MAAA,OAAO;AAAA,QACN,OAAA,EAAS,IAAA;AAAA,QACT,IAAA,EAAM;AAAA,UACL,YAAY,MAAA,CAAO,IAAA;AAAA,UACnB,MAAA,EAAQ,KAAA;AAAA,UACR,MAAA,EAAQ,SAAA;AAAA,UACR,UAAU,IAAI,IAAA,CAAA,CAAM,OAAA,CAAQ,GAAA,IAAO,KAAK,GAAI,CAAA;AAAA,UAC5C,SAAA,EAAW,QAAQ,GAAA,GAAM,IAAI,KAAK,OAAA,CAAQ,GAAA,GAAM,GAAI,CAAA,GAAI;AAAA;AACzD,OACD;AAAA,IACD,SAAS,GAAA,EAAK;AAEb,MAAA,IAAI,GAAA,YAAeE,OAAW,UAAA,EAAY;AACzC,QAAA,OAAO;AAAA,UACN,OAAA,EAAS,KAAA;AAAA,UACT,KAAA,EAAOF,UAAAA,CAAU,YAAA,EAAc,wBAAwB;AAAA,SACxD;AAAA,MACD;AACA,MAAA,OAAO;AAAA,QACN,OAAA,EAAS,KAAA;AAAA,QACT,KAAA,EAAOA,UAAAA;AAAA,UACN,kBAAA;AAAA,UACA,GAAA,YAAe,KAAA,GAAQ,GAAA,CAAI,OAAA,GAAU;AAAA;AACtC,OACD;AAAA,IACD;AAAA,EACD;AAEA,EAAA,eAAe,sBAAA,CACd,IAC
A,WAAA,EACsC;AAEtC,IAAA,MAAM,MAAA,GAAS,0BAAA,CAA2B,SAAA,CAAU,EAAE,CAAA;AACtD,IAAA,IAAI,CAAC,OAAO,OAAA,EAAS;AACpB,MAAA,OAAO;AAAA,QACN,OAAA,EAAS,KAAA;AAAA,QACT,KAAA,EAAOA,UAAAA,CAAU,uBAAA,EAAyB,sCAAA,EAAwC;AAAA,UACjF,QAAQ,MAAA,CAAO,KAAA,CAAM,MAAA,CAAO,GAAA,CAAI,CAAC,CAAA,KAAM,CAAA,EAAG,CAAA,CAAE,IAAA,CAAK,KAAK,GAAG,CAAC,CAAA,EAAA,EAAK,CAAA,CAAE,OAAO,CAAA,CAAE;AAAA,SAC1E;AAAA,OACF;AAAA,IACD;AAEA,IAAA,MAAM,aAAa,MAAA,CAAO,IAAA;AAE1B,IAAA,IAAI,CAAC,WAAW,KAAA,EAAO;AACtB,MAAA,OAAO;AAAA,QACN,OAAA,EAAS,KAAA;AAAA,QACT,KAAA,EAAOA,UAAAA,CAAU,aAAA,EAAe,0CAA0C;AAAA,OAC3E;AAAA,IACD;AAEA,IAAA,IAAI,CAAC,UAAA,CAAW,KAAA,CAAM,GAAA,EAAK;AAC1B,MAAA,OAAO;AAAA,QACN,OAAA,EAAS,KAAA;AAAA,QACT,KAAA,EAAOA,UAAAA,CAAU,WAAA,EAAa,oCAAoC;AAAA,OACnE;AAAA,IACD;AAEA,IAAA,MAAM,SAAA,GAAY,eAAA,CAAgB,UAAA,CAAW,MAAM,CAAA;AAGnD,IAAA,MAAM,SAAA,GAAY,MAAM,UAAA,CAAW,SAAA,EAAW,WAAW,CAAA;AACzD,IAAA,IAAI,CAAC,SAAA,CAAU,OAAA,EAAS,OAAO,SAAA;AAE/B,IAAA,IAAI;AACH,MAAA,MAAM,SAAA,GAAY,MAAMC,SAAAA,CAAU,SAAA,CAAU,MAAM,OAAO,CAAA;AAGzD,MAAA,MAAM,EAAE,SAAQ,GAAI,MAAM,cAAc,UAAA,CAAW,KAAA,CAAM,KAAK,SAAS,CAAA;AAGvE,MAAA,MAAM,EAAE,KAAA,EAAO,MAAA,EAAQ,GAAG,gBAAe,GAAI,UAAA;AAC7C,MAAA,MAAM,aAAA,GAAgB,IAAI,WAAA,EAAY,CAAE,OAAO,OAAO,CAAA;AACtD,MAAA,MAAM,cAAA,GAAiB,IAAA,CAAK,SAAA,CAAU,cAAc,CAAA;AAEpD,MAAA,IAAI,kBAAkB,cAAA,EAAgB;AACrC,QAAA,OAAO;AAAA,UACN,OAAA,EAAS,KAAA;AAAA,UACT,KAAA,EAAOD,UAAAA,CAAU,aAAA,EAAe,sDAAsD;AAAA,SACvF;AAAA,MACD;AAGA,MAAA,IAAI,WAAW,cAAA,EAAgB;AAC9B,QAAA,MAAM,MAAA,GAAS,IAAI,IAAA,CAAK,UAAA,CAAW,cAAc,CAAA;AACjD,QAAA,IAAI,MAAA,oBAAU,IAAI,IAAA,EAAK,EAAG;AACzB,UAAA,OAAO;AAAA,YACN,OAAA,EAAS,KAAA;AAAA,YACT,KAAA,EAAOA,UAAAA,CAAU,YAAA,EAAc,wBAAwB;AAAA,WACxD;AAAA,QACD;AAAA,MACD;AAGA,MAAA,IAAI,UAAA,CAAW,oBAAoB,qBAAA,EAAuB;AACzD,QAAA,MAAM,OAAA,GAAU,MAAM,qBAAA,CAAsB,UAAA,CAAW,gBAAgB,CAAA;AACvE,QAAA,IAAI,OAAA,EAAS;AACZ,UAAA,OAAO;AAAA,YACN,OAAA,EAAS,KAAA;AAAA,YACT,KAAA,EAAOA,UAAAA,CAAU,YAAA,EAAc,6BAA6B;AAAA,WAC7D;AAAA,QACD;AAAA,MACD;AAEA,MAAA,OAAO;AAAA,QACN,OAAA,EAAS,IAAA;AAAA,QACT,IAAA,EAAM;AAAA,UACL,UAAA;AAAA,UACA,MAAA,EAAQ,SAA
A;AAAA,UACR,MAAA,EAAQ,SAAA;AAAA,UACR,QAAA,EAAU,IAAI,IAAA,CAAK,UAAA,CAAW,YAAY,CAAA;AAAA,UAC1C,WAAW,UAAA,CAAW,cAAA,GAAiB,IAAI,IAAA,CAAK,UAAA,CAAW,cAAc,CAAA,GAAI;AAAA;AAC9E,OACD;AAAA,IACD,SAAS,GAAA,EAAK;AACb,MAAA,OAAO;AAAA,QACN,OAAA,EAAS,KAAA;AAAA,QACT,KAAA,EAAOA,UAAAA;AAAA,UACN,kBAAA;AAAA,UACA,GAAA,YAAe,KAAA,GAAQ,GAAA,CAAI,OAAA,GAAU;AAAA;AACtC,OACD;AAAA,IACD;AAAA,EACD;AAIA,EAAA,eAAe,gBAAA,CACd,IACA,YAAA,EACsC;AACtC,IAAA,IAAI,OAAO,OAAO,QAAA,EAAU;AAC3B,MAAA,OAAO,mBAAA,CAAoB,IAAI,YAAY,CAAA;AAAA,IAC5C;AACA,IAAA,OAAO,sBAAA,CAAuB,IAAI,YAAY,CAAA;AAAA,EAC/C;AAEA,EAAA,eAAe,kBAAA,CACd,IACA,YAAA,EACwC;AACxC,IAAA,IAAI,YAAA;AAEJ,IAAA,IAAI,OAAO,OAAO,QAAA,EAAU;AAE3B,MAAA,IAAI;AACH,QAAA,MAAM,KAAA,GAAQ,EAAA,CAAG,KAAA,CAAM,GAAG,CAAA;AAC1B,QAAA,IAAI,MAAM,MAAA,KAAW,CAAA,IAAK,CAAC,KAAA,CAAM,CAAC,CAAA,EAAG;AACpC,UAAA,OAAO;AAAA,YACN,OAAA,EAAS,KAAA;AAAA,YACT,KAAA,EAAOA,UAAAA,CAAU,gBAAA,EAAkB,wCAAwC;AAAA,WAC5E;AAAA,QACD;AAEA,QAAA,MAAM,UAAA,GAAa,MAAM,CAAC,CAAA;AAC1B,QAAA,MAAM,aAAa,IAAA,CAAK,KAAA;AAAA,UACvB,IAAI,aAAY,CAAE,MAAA;AAAA,YACjB,UAAA,CAAW,IAAA;AAAA,cAAK,IAAA,CAAK,WAAW,OAAA,CAAQ,IAAA,EAAM,GAAG,CAAA,CAAE,OAAA,CAAQ,IAAA,EAAM,GAAG,CAAC,CAAA;AAAA,cAAG,CAAC,CAAA,KACxE,CAAA,CAAE,UAAA,CAAW,CAAC;AAAA;AACf;AACD,SACD;AAEA,QAAA,MAAM,YAAY,OAAO,UAAA,CAAW,GAAA,KAAQ,QAAA,GAAW,WAAW,GAAA,GAAM,IAAA;AACxE,QAAA,IAAI,CAAC,SAAA,EAAW;AACf,UAAA,OAAO;AAAA,YACN,OAAA,EAAS,KAAA;AAAA,YACT,KAAA,EAAOA,UAAAA,CAAU,cAAA,EAAgB,mCAAmC;AAAA,WACrE;AAAA,QACD;AAEA,QAAA,MAAM,SAAA,GAAY,MAAM,UAAA,CAAW,SAAA,EAAW,YAAY,CAAA;AAC1D,QAAA,IAAI,CAAC,SAAA,CAAU,OAAA,EAAS,OAAO,SAAA;AAE/B,QAAA,MAAM,SAAA,GAAY,MAAMC,SAAAA,CAAU,SAAA,CAAU,MAAM,OAAO,CAAA;AACzD,QAAA,MAAM,EAAE,OAAA,EAAQ,GAAI,MAAM,SAAA,CAAU,IAAI,SAAS,CAAA;AAEjD,QAAA,MAAM,UAAU,OAAA,CAAQ,EAAA;AACxB,QAAA,IAAI,CAAC,OAAA,EAAS;AACb,UAAA,OAAO;AAAA,YACN,OAAA,EAAS,KAAA;AAAA,YACT,KAAA,EAAOD,UAAAA,CAAU,qBAAA,EAAuB,iCAAiC;AAAA,WAC1E;AAAA,QACD;AAEA,QAAA,YAAA,GAAe,OAAA;AAAA,MAChB,SAAS,GAAA,EAAK;AACb,QAAA,OAAO;AAAA,UACN,OAAA,EAAS,KAAA;AAAA,UACT,KAAA,EAAOA,UAAAA;AAAA,YACN,kBAAA;AAAA,YACA,GAAA,YAAe
,KAAA,GAAQ,GAAA,CAAI,OAAA,GAAU;AAAA;AACtC,SACD;AAAA,MACD;AAAA,IACD,CAAA,MAAO;AACN,MAAA,YAAA,GAAe,EAAA;AAAA,IAChB;AAGA,IAAA,MAAM,MAAA,GAAS,4BAAA,CAA6B,SAAA,CAAU,YAAY,CAAA;AAClE,IAAA,IAAI,CAAC,OAAO,OAAA,EAAS;AACpB,MAAA,OAAO;AAAA,QACN,OAAA,EAAS,KAAA;AAAA,QACT,KAAA,EAAOA,UAAAA,CAAU,yBAAA,EAA2B,wCAAA,EAA0C;AAAA,UACrF,QAAQ,MAAA,CAAO,KAAA,CAAM,MAAA,CAAO,GAAA,CAAI,CAAC,CAAA,KAAM,CAAA,EAAG,CAAA,CAAE,IAAA,CAAK,KAAK,GAAG,CAAC,CAAA,EAAA,EAAK,CAAA,CAAE,OAAO,CAAA,CAAE;AAAA,SAC1E;AAAA,OACF;AAAA,IACD;AAGA,IAAA,MAAM,sBAA4C,EAAC;AACnD,IAAA,KAAA,MAAW,EAAA,IAAM,MAAA,CAAO,IAAA,CAAK,oBAAA,EAAsB;AAClD,MAAA,MAAM,MAAA,GAAS,MAAM,gBAAA,CAAiB,EAAA,EAAI,YAAY,CAAA;AACtD,MAAA,IAAI,CAAC,OAAO,OAAA,EAAS;AACpB,QAAA,OAAO;AAAA,UACN,OAAA,EAAS,KAAA;AAAA,UACT,KAAA,EAAOA,UAAAA;AAAA,YACN,oCAAA;AAAA,YACA,CAAA,6CAAA,EAAgD,MAAA,CAAO,KAAA,CAAM,OAAO,CAAA,CAAA;AAAA,YACpE,EAAE,aAAA,EAAe,MAAA,CAAO,KAAA;AAAM;AAC/B,SACD;AAAA,MACD;AACA,MAAA,mBAAA,CAAoB,IAAA,CAAK,OAAO,IAAI,CAAA;AAAA,IACrC;AAEA,IAAA,OAAO;AAAA,MACN,OAAA,EAAS,IAAA;AAAA,MACT,IAAA,EAAM;AAAA,QACL,cAAc,MAAA,CAAO,IAAA;AAAA,QACrB,WAAA,EAAa,mBAAA;AAAA,QACb,MAAA,EAAQ,MAAA,CAAO,IAAA,CAAK,MAAA,IAAU;AAAA;AAC/B,KACD;AAAA,EACD;AAEA,EAAA,SAAS,mBAAmB,EAAA,EAAgD;AAC3E,IAAA,MAAM,UAAU,EAAA,CAAG,iBAAA;AACnB,IAAA,OAAO;AAAA,MACN,OAAA,EAAS,OAAA,CAAQ,OAAA,IAAW,OAAA,CAAQ,EAAA,IAAM,IAAA;AAAA,MAC1C,WAAA,EAAa,OAAA,CAAQ,WAAA,IAAe,EAAC;AAAA,MACrC,UAAA,EAAY,QAAQ,UAAA,IAAc,IAAA;AAAA,MAClC,eAAA,EAAiB,OAAA,CAAQ,eAAA,IAAmB;AAAC,KAC9C;AAAA,EACD;AAEA,EAAA,OAAO;AAAA,IACN,gBAAA;AAAA,IACA,kBAAA;AAAA,IACA;AAAA,GACD;AACD","file":"chunk-ELGG2VW2.js","sourcesContent":["/**\n * W3C Verifiable Credentials Data Model 2.0 types for KavachOS.\n *\n * Defines Zod-validated schemas for credentials, presentations,\n * proofs, and credential status. 
Agent-centric: the credential\n * subject carries agent identity, permissions, trust level, and\n * delegation scope.\n */\n\nimport { z } from \"zod\";\n\n// ─── W3C VC Constants ────────────────────────────────────────────────────────\n\nexport const VC_CONTEXT_V2 = \"https://www.w3.org/ns/credentials/v2\";\nexport const VC_CONTEXT_V1 = \"https://www.w3.org/2018/credentials/v1\";\nexport const VC_TYPE_CREDENTIAL = \"VerifiableCredential\";\nexport const VC_TYPE_PRESENTATION = \"VerifiablePresentation\";\n\n// KavachOS-specific credential types\nexport const KAVACH_AGENT_CREDENTIAL = \"KavachAgentCredential\";\nexport const KAVACH_PERMISSION_CREDENTIAL = \"KavachPermissionCredential\";\nexport const KAVACH_DELEGATION_CREDENTIAL = \"KavachDelegationCredential\";\n\n// ─── Proof Types ─────────────────────────────────────────────────────────────\n\nexport const ProofSchema = z.object({\n\ttype: z.enum([\"Ed25519Signature2020\", \"JsonWebSignature2020\"]),\n\tcreated: z.string(),\n\tverificationMethod: z.string(),\n\tproofPurpose: z.enum([\"assertionMethod\", \"authentication\"]),\n\tproofValue: z.string().optional(),\n\tjws: z.string().optional(),\n});\n\nexport type Proof = z.infer<typeof ProofSchema>;\n\n// ─── Credential Status ──────────────────────────────────────────────────────\n\nexport const CredentialStatusSchema = z.object({\n\tid: z.string(),\n\ttype: z.string(),\n\tstatusPurpose: z.enum([\"revocation\", \"suspension\"]),\n\tstatusListIndex: z.number().int().nonnegative(),\n\tstatusListCredential: z.string(),\n});\n\nexport type CredentialStatus = z.infer<typeof CredentialStatusSchema>;\n\n// ─── Credential Subject ─────────────────────────────────────────────────────\n\nexport const CredentialSubjectSchema = z.object({\n\tid: z.string().optional(),\n\tagentId: z.string().optional(),\n\tpermissions: z.array(z.string()).optional(),\n\ttrustLevel: z.number().min(0).max(1).optional(),\n\tdelegationScope: z.array(z.string()).optional(),\n\tdelegationChain: 
z\n\t\t.array(\n\t\t\tz.object({\n\t\t\t\tdelegator: z.string(),\n\t\t\t\tdelegatee: z.string(),\n\t\t\t\tpermissions: z.array(z.string()),\n\t\t\t\tcreatedAt: z.string(),\n\t\t\t}),\n\t\t)\n\t\t.optional(),\n\tname: z.string().optional(),\n\ttype: z.string().optional(),\n});\n\nexport type CredentialSubject = z.infer<typeof CredentialSubjectSchema>;\n\n// ─── Verifiable Credential ──────────────────────────────────────────────────\n\nexport const VerifiableCredentialSchema = z.object({\n\t\"@context\": z.array(z.string()).min(1),\n\tid: z.string().optional(),\n\ttype: z.array(z.string()).min(1),\n\tissuer: z.union([z.string(), z.object({ id: z.string(), name: z.string().optional() })]),\n\tissuanceDate: z.string(),\n\texpirationDate: z.string().optional(),\n\tcredentialSubject: CredentialSubjectSchema,\n\tcredentialStatus: CredentialStatusSchema.optional(),\n\tproof: ProofSchema.optional(),\n});\n\nexport type VerifiableCredential = z.infer<typeof VerifiableCredentialSchema>;\n\n// ─── Verifiable Presentation ────────────────────────────────────────────────\n\nexport const VerifiablePresentationSchema = z.object({\n\t\"@context\": z.array(z.string()).min(1),\n\tid: z.string().optional(),\n\ttype: z.array(z.string()).min(1),\n\tholder: z.string().optional(),\n\tverifiableCredential: z.array(VerifiableCredentialSchema).min(1),\n\tproof: ProofSchema.optional(),\n});\n\nexport type VerifiablePresentation = z.infer<typeof VerifiablePresentationSchema>;\n\n// ─── Issuer Config ──────────────────────────────────────────────────────────\n\nexport interface VCIssuerConfig {\n\t/** DID of the issuer (e.g. did:key:z6Mk...) */\n\tissuerDid: string;\n\t/** Private key JWK for signing credentials */\n\tprivateKeyJwk: JsonWebKey;\n\t/** Public key JWK for verification method references */\n\tpublicKeyJwk: JsonWebKey;\n\t/** Default credential lifetime in seconds. Default: 86400 (24 hours). */\n\tdefaultTtl?: number;\n\t/** Credential status endpoint base URL (for revocation). 
Optional. */\n\tstatusEndpoint?: string;\n}\n\n// ─── Verifier Config ────────────────────────────────────────────────────────\n\nexport interface VCVerifierConfig {\n\t/**\n\t * Resolve a DID to its public key JWK.\n\t * If not provided, only credentials with a known public key can be verified.\n\t */\n\tresolveDidKey?: (did: string) => Promise<JsonWebKey | null>;\n\t/**\n\t * Check credential revocation status.\n\t * If not provided, revocation checks are skipped.\n\t */\n\tcheckRevocationStatus?: (status: CredentialStatus) => Promise<boolean>;\n}\n\n// ─── JWT VC Types ───────────────────────────────────────────────────────────\n\n/** Claims embedded in a JWT-encoded Verifiable Credential */\nexport interface VCJwtPayload {\n\tiss: string;\n\tsub?: string;\n\tvc: Omit<VerifiableCredential, \"proof\">;\n\tiat: number;\n\texp?: number;\n\tjti?: string;\n}\n\n/** The format a credential was issued in */\nexport type CredentialFormat = \"jwt\" | \"json-ld\";\n\n/** Result of a successful credential verification */\nexport interface VerifiedCredential {\n\tcredential: VerifiableCredential;\n\tformat: CredentialFormat;\n\tissuer: string;\n\tissuedAt: Date;\n\texpiresAt: Date | null;\n}\n\n/** Result of a successful presentation verification */\nexport interface VerifiedPresentation {\n\tpresentation: VerifiablePresentation;\n\tcredentials: VerifiedCredential[];\n\tholder: string | null;\n}\n\n/** Extracted permissions from a verified credential */\nexport interface ExtractedPermissions {\n\tagentId: string | null;\n\tpermissions: string[];\n\ttrustLevel: number | null;\n\tdelegationScope: string[];\n}\n","/**\n * W3C Verifiable Credential issuance for KavachOS.\n *\n * Issues VCs as JWT (compact JWS) or JSON-LD with embedded proof.\n * Credentials encode agent identity, permissions, and delegation chains\n * so agents can prove their capabilities to any verifier without\n * a network call back to KavachOS.\n */\n\nimport { importJWK, SignJWT } from \"jose\";\nimport { 
generateId } from \"../crypto/web-crypto.js\";\nimport type { KavachError, Result } from \"../mcp/types.js\";\nimport type {\n\tCredentialFormat,\n\tCredentialSubject,\n\tProof,\n\tVCIssuerConfig,\n\tVerifiableCredential,\n} from \"./types.js\";\nimport {\n\tKAVACH_AGENT_CREDENTIAL,\n\tKAVACH_DELEGATION_CREDENTIAL,\n\tKAVACH_PERMISSION_CREDENTIAL,\n\tVC_CONTEXT_V2,\n\tVC_TYPE_CREDENTIAL,\n} from \"./types.js\";\n\n// ─── Constants ──────────────────────────────────────────────────────────────\n\nconst DEFAULT_TTL_SECONDS = 86400; // 24 hours\n\n// ─── Helpers ────────────────────────────────────────────────────────────────\n\nfunction makeError(code: string, message: string, details?: Record<string, unknown>): KavachError {\n\treturn { code, message, ...(details !== undefined ? { details } : {}) };\n}\n\nfunction nowISO(): string {\n\treturn new Date().toISOString();\n}\n\nfunction futureISO(seconds: number): string {\n\treturn new Date(Date.now() + seconds * 1000).toISOString();\n}\n\n// ─── Agent Credential Input ─────────────────────────────────────────────────\n\nexport interface IssueAgentCredentialInput {\n\t/** Agent ID (used as credentialSubject.id and sub claim) */\n\tagentId: string;\n\t/** Agent name */\n\tname?: string;\n\t/** Agent type (e.g. \"autonomous\", \"supervised\") */\n\tagentType?: string;\n\t/** Permissions granted to this agent */\n\tpermissions?: string[];\n\t/** Trust score between 0 and 1 */\n\ttrustLevel?: number;\n\t/** Credential lifetime in seconds. Overrides the issuer default. */\n\tttl?: number;\n\t/** Output format. Default: \"jwt\". */\n\tformat?: CredentialFormat;\n}\n\n// ─── Permission Credential Input ────────────────────────────────────────────\n\nexport interface IssuePermissionCredentialInput {\n\t/** Agent DID or ID that receives the permissions */\n\tagentId: string;\n\t/** Permissions being granted */\n\tpermissions: string[];\n\t/** Credential lifetime in seconds. Overrides the issuer default. 
*/\n\tttl?: number;\n\t/** Output format. Default: \"jwt\". */\n\tformat?: CredentialFormat;\n}\n\n// ─── Delegation Credential Input ────────────────────────────────────────────\n\nexport interface DelegationLink {\n\tdelegator: string;\n\tdelegatee: string;\n\tpermissions: string[];\n\tcreatedAt: string;\n}\n\nexport interface IssueDelegationCredentialInput {\n\t/** The agent at the end of the delegation chain */\n\tagentId: string;\n\t/** Ordered delegation chain from root to leaf */\n\tchain: DelegationLink[];\n\t/** Scope of delegated permissions (subset of original) */\n\tdelegationScope?: string[];\n\t/** Credential lifetime in seconds. Overrides the issuer default. */\n\tttl?: number;\n\t/** Output format. Default: \"jwt\". */\n\tformat?: CredentialFormat;\n}\n\n// ─── VC Issuer Interface ────────────────────────────────────────────────────\n\nexport interface VCIssuer {\n\t/** Issue a VC encoding agent identity, permissions, and trust score */\n\tissueAgentCredential(\n\t\tinput: IssueAgentCredentialInput,\n\t): Promise<Result<{ credential: VerifiableCredential; jwt?: string }>>;\n\t/** Issue a VC for specific permission grants */\n\tissuePermissionCredential(\n\t\tinput: IssuePermissionCredentialInput,\n\t): Promise<Result<{ credential: VerifiableCredential; jwt?: string }>>;\n\t/** Issue a VC encoding a delegation chain */\n\tissueDelegationCredential(\n\t\tinput: IssueDelegationCredentialInput,\n\t): Promise<Result<{ credential: VerifiableCredential; jwt?: string }>>;\n\t/** The DID of this issuer */\n\treadonly issuerDid: string;\n}\n\n// ─── Factory ────────────────────────────────────────────────────────────────\n\n/**\n * Create a VC issuer bound to a specific DID and keypair.\n *\n * The issuer can produce credentials in JWT or JSON-LD format.\n * JWT credentials are signed as a compact JWS with the VC embedded\n * in the `vc` claim. 
JSON-LD credentials carry an embedded proof.\n */\nexport function createVCIssuer(config: VCIssuerConfig): VCIssuer {\n\tconst { issuerDid, privateKeyJwk, defaultTtl = DEFAULT_TTL_SECONDS } = config;\n\n\tconst kid = `${issuerDid}#${issuerDid.split(\":\").pop() ?? \"key-1\"}`;\n\n\tasync function signAsJwt(\n\t\tcredential: VerifiableCredential,\n\t\tsubject: string | undefined,\n\t\tttl: number,\n\t): Promise<Result<{ credential: VerifiableCredential; jwt: string }>> {\n\t\ttry {\n\t\t\tconst key = await importJWK(privateKeyJwk, \"EdDSA\");\n\n\t\t\t// Strip proof from the VC when embedding in JWT — the JWT signature is the proof\n\t\t\tconst { proof: _proof, ...vcWithoutProof } = credential;\n\n\t\t\tconst builder = new SignJWT({\n\t\t\t\tvc: vcWithoutProof,\n\t\t\t})\n\t\t\t\t.setProtectedHeader({ alg: \"EdDSA\", kid, typ: \"JWT\" })\n\t\t\t\t.setIssuer(issuerDid)\n\t\t\t\t.setIssuedAt()\n\t\t\t\t.setExpirationTime(Math.floor(Date.now() / 1000) + ttl);\n\n\t\t\tif (credential.id) {\n\t\t\t\tbuilder.setJti(credential.id);\n\t\t\t}\n\t\t\tif (subject) {\n\t\t\t\tbuilder.setSubject(subject);\n\t\t\t}\n\n\t\t\tconst jwt = await builder.sign(key);\n\t\t\treturn { success: true, data: { credential, jwt } };\n\t\t} catch (err) {\n\t\t\treturn {\n\t\t\t\tsuccess: false,\n\t\t\t\terror: makeError(\n\t\t\t\t\t\"VC_SIGN_FAILED\",\n\t\t\t\t\terr instanceof Error ? 
err.message : \"Failed to sign credential as JWT\",\n\t\t\t\t),\n\t\t\t};\n\t\t}\n\t}\n\n\tasync function signAsJsonLd(\n\t\tcredential: VerifiableCredential,\n\t): Promise<Result<{ credential: VerifiableCredential }>> {\n\t\ttry {\n\t\t\tconst key = await importJWK(privateKeyJwk, \"EdDSA\");\n\n\t\t\t// Create a JWS over the credential without proof\n\t\t\tconst { proof: _proof, ...vcWithoutProof } = credential;\n\t\t\tconst payload = new TextEncoder().encode(JSON.stringify(vcWithoutProof));\n\n\t\t\tconst { CompactSign } = await import(\"jose\");\n\t\t\tconst jws = await new CompactSign(payload)\n\t\t\t\t.setProtectedHeader({ alg: \"EdDSA\", kid })\n\t\t\t\t.sign(key);\n\n\t\t\tconst proof: Proof = {\n\t\t\t\ttype: \"JsonWebSignature2020\",\n\t\t\t\tcreated: nowISO(),\n\t\t\t\tverificationMethod: kid,\n\t\t\t\tproofPurpose: \"assertionMethod\",\n\t\t\t\tjws,\n\t\t\t};\n\n\t\t\tconst signedCredential: VerifiableCredential = {\n\t\t\t\t...credential,\n\t\t\t\tproof,\n\t\t\t};\n\n\t\t\treturn { success: true, data: { credential: signedCredential } };\n\t\t} catch (err) {\n\t\t\treturn {\n\t\t\t\tsuccess: false,\n\t\t\t\terror: makeError(\n\t\t\t\t\t\"VC_SIGN_FAILED\",\n\t\t\t\t\terr instanceof Error ? err.message : \"Failed to sign credential as JSON-LD\",\n\t\t\t\t),\n\t\t\t};\n\t\t}\n\t}\n\n\tfunction buildCredential(\n\t\ttypes: string[],\n\t\tsubject: CredentialSubject,\n\t\tttl: number,\n\t\texpirationDate?: string,\n\t): VerifiableCredential {\n\t\treturn {\n\t\t\t\"@context\": [VC_CONTEXT_V2],\n\t\t\tid: `urn:uuid:${generateId()}`,\n\t\t\ttype: [VC_TYPE_CREDENTIAL, ...types],\n\t\t\tissuer: issuerDid,\n\t\t\tissuanceDate: nowISO(),\n\t\t\texpirationDate: expirationDate ?? 
futureISO(ttl),\n\t\t\tcredentialSubject: subject,\n\t\t};\n\t}\n\n\tasync function signCredential(\n\t\tcredential: VerifiableCredential,\n\t\tsubject: string | undefined,\n\t\tttl: number,\n\t\tformat: CredentialFormat,\n\t): Promise<Result<{ credential: VerifiableCredential; jwt?: string }>> {\n\t\tif (format === \"jwt\") {\n\t\t\treturn signAsJwt(credential, subject, ttl);\n\t\t}\n\t\treturn signAsJsonLd(credential);\n\t}\n\n\t// ── Public API ────────────────────────────────────────────────────────\n\n\tasync function issueAgentCredential(\n\t\tinput: IssueAgentCredentialInput,\n\t): Promise<Result<{ credential: VerifiableCredential; jwt?: string }>> {\n\t\tconst {\n\t\t\tagentId,\n\t\t\tname,\n\t\t\tagentType,\n\t\t\tpermissions,\n\t\t\ttrustLevel,\n\t\t\tttl = defaultTtl,\n\t\t\tformat = \"jwt\",\n\t\t} = input;\n\n\t\tif (!agentId) {\n\t\t\treturn {\n\t\t\t\tsuccess: false,\n\t\t\t\terror: makeError(\"VC_INVALID_INPUT\", \"agentId is required\"),\n\t\t\t};\n\t\t}\n\n\t\tif (trustLevel !== undefined && (trustLevel < 0 || trustLevel > 1)) {\n\t\t\treturn {\n\t\t\t\tsuccess: false,\n\t\t\t\terror: makeError(\"VC_INVALID_INPUT\", \"trustLevel must be between 0 and 1\"),\n\t\t\t};\n\t\t}\n\n\t\tconst subject: CredentialSubject = {\n\t\t\tid: agentId,\n\t\t\tagentId,\n\t\t\t...(name !== undefined ? { name } : {}),\n\t\t\t...(agentType !== undefined ? { type: agentType } : {}),\n\t\t\t...(permissions !== undefined ? { permissions } : {}),\n\t\t\t...(trustLevel !== undefined ? 
{ trustLevel } : {}),\n\t\t};\n\n\t\tconst credential = buildCredential([KAVACH_AGENT_CREDENTIAL], subject, ttl);\n\t\treturn signCredential(credential, agentId, ttl, format);\n\t}\n\n\tasync function issuePermissionCredential(\n\t\tinput: IssuePermissionCredentialInput,\n\t): Promise<Result<{ credential: VerifiableCredential; jwt?: string }>> {\n\t\tconst { agentId, permissions, ttl = defaultTtl, format = \"jwt\" } = input;\n\n\t\tif (!agentId) {\n\t\t\treturn {\n\t\t\t\tsuccess: false,\n\t\t\t\terror: makeError(\"VC_INVALID_INPUT\", \"agentId is required\"),\n\t\t\t};\n\t\t}\n\n\t\tif (!permissions || permissions.length === 0) {\n\t\t\treturn {\n\t\t\t\tsuccess: false,\n\t\t\t\terror: makeError(\"VC_INVALID_INPUT\", \"At least one permission is required\"),\n\t\t\t};\n\t\t}\n\n\t\tconst subject: CredentialSubject = {\n\t\t\tid: agentId,\n\t\t\tagentId,\n\t\t\tpermissions,\n\t\t};\n\n\t\tconst credential = buildCredential([KAVACH_PERMISSION_CREDENTIAL], subject, ttl);\n\t\treturn signCredential(credential, agentId, ttl, format);\n\t}\n\n\tasync function issueDelegationCredential(\n\t\tinput: IssueDelegationCredentialInput,\n\t): Promise<Result<{ credential: VerifiableCredential; jwt?: string }>> {\n\t\tconst { agentId, chain, delegationScope, ttl = defaultTtl, format = \"jwt\" } = input;\n\n\t\tif (!agentId) {\n\t\t\treturn {\n\t\t\t\tsuccess: false,\n\t\t\t\terror: makeError(\"VC_INVALID_INPUT\", \"agentId is required\"),\n\t\t\t};\n\t\t}\n\n\t\tif (!chain || chain.length === 0) {\n\t\t\treturn {\n\t\t\t\tsuccess: false,\n\t\t\t\terror: makeError(\"VC_INVALID_INPUT\", \"Delegation chain must have at least one link\"),\n\t\t\t};\n\t\t}\n\n\t\tconst subject: CredentialSubject = {\n\t\t\tid: agentId,\n\t\t\tagentId,\n\t\t\tdelegationChain: chain,\n\t\t\t...(delegationScope !== undefined ? 
{ delegationScope } : {}),\n\t\t};\n\n\t\tconst credential = buildCredential([KAVACH_DELEGATION_CREDENTIAL], subject, ttl);\n\t\treturn signCredential(credential, agentId, ttl, format);\n\t}\n\n\treturn {\n\t\tissueAgentCredential,\n\t\tissuePermissionCredential,\n\t\tissueDelegationCredential,\n\t\tissuerDid,\n\t};\n}\n","/**\n * W3C Verifiable Credential verification for KavachOS.\n *\n * Verifies credentials in both JWT and JSON-LD formats. Checks\n * signatures, expiry, and optional revocation status. Extracts\n * KavachOS-specific permissions from verified credentials.\n */\n\nimport { compactVerify, importJWK, errors as joseErrors, jwtVerify } from \"jose\";\nimport type { KavachError, Result } from \"../mcp/types.js\";\nimport type {\n\tCredentialFormat,\n\tExtractedPermissions,\n\tVCVerifierConfig,\n\tVerifiableCredential,\n\tVerifiablePresentation,\n\tVerifiedCredential,\n\tVerifiedPresentation,\n} from \"./types.js\";\nimport { VerifiableCredentialSchema, VerifiablePresentationSchema } from \"./types.js\";\n\n// ─── Helpers ────────────────────────────────────────────────────────────────\n\nfunction makeError(code: string, message: string, details?: Record<string, unknown>): KavachError {\n\treturn { code, message, ...(details !== undefined ? 
{ details } : {}) };\n}\n\nfunction getIssuerString(issuer: string | { id: string; name?: string }): string {\n\tif (typeof issuer === \"string\") return issuer;\n\treturn issuer.id;\n}\n\n// ─── VC Verifier Interface ──────────────────────────────────────────────────\n\nexport interface VCVerifier {\n\t/** Verify a single credential (JWT string or JSON-LD object) */\n\tverifyCredential(\n\t\tvc: string | VerifiableCredential,\n\t\tpublicKeyJwk?: JsonWebKey,\n\t): Promise<Result<VerifiedCredential>>;\n\t/** Verify a presentation containing multiple VCs */\n\tverifyPresentation(\n\t\tvp: string | VerifiablePresentation,\n\t\tpublicKeyJwk?: JsonWebKey,\n\t): Promise<Result<VerifiedPresentation>>;\n\t/** Extract KavachOS permissions from a verified credential */\n\textractPermissions(vc: VerifiableCredential): ExtractedPermissions;\n}\n\n// ─── Factory ────────────────────────────────────────────────────────────────\n\n/**\n * Create a VC verifier that checks signatures, expiry, and revocation.\n *\n * The verifier accepts both JWT-encoded and JSON-LD credentials.\n * For JWT credentials, pass the compact JWS string. 
For JSON-LD\n * credentials with embedded proof, pass the credential object.\n */\nexport function createVCVerifier(config: VCVerifierConfig = {}): VCVerifier {\n\tconst { resolveDidKey, checkRevocationStatus } = config;\n\n\tasync function resolveKey(did: string, providedKey?: JsonWebKey): Promise<Result<JsonWebKey>> {\n\t\tif (providedKey) {\n\t\t\treturn { success: true, data: providedKey };\n\t\t}\n\n\t\tif (resolveDidKey) {\n\t\t\tconst resolved = await resolveDidKey(did);\n\t\t\tif (resolved) {\n\t\t\t\treturn { success: true, data: resolved };\n\t\t\t}\n\t\t}\n\n\t\treturn {\n\t\t\tsuccess: false,\n\t\t\terror: makeError(\"VC_KEY_NOT_FOUND\", `Could not resolve public key for DID: ${did}`),\n\t\t};\n\t}\n\n\tasync function verifyJwtCredential(\n\t\tjwt: string,\n\t\tprovidedKey?: JsonWebKey,\n\t): Promise<Result<VerifiedCredential>> {\n\t\ttry {\n\t\t\t// Decode the header to get the kid, then resolve the key\n\t\t\tconst parts = jwt.split(\".\");\n\t\t\tif (parts.length !== 3) {\n\t\t\t\treturn {\n\t\t\t\t\tsuccess: false,\n\t\t\t\t\terror: makeError(\"VC_INVALID_JWT\", \"JWT must have three parts\"),\n\t\t\t\t};\n\t\t\t}\n\n\t\t\t// First pass: decode without verification to extract issuer\n\t\t\tconst payloadB64 = parts[1];\n\t\t\tif (!payloadB64) {\n\t\t\t\treturn {\n\t\t\t\t\tsuccess: false,\n\t\t\t\t\terror: makeError(\"VC_INVALID_JWT\", \"JWT payload is missing\"),\n\t\t\t\t};\n\t\t\t}\n\t\t\tconst rawPayload = JSON.parse(\n\t\t\t\tnew TextDecoder().decode(\n\t\t\t\t\tUint8Array.from(atob(payloadB64.replace(/-/g, \"+\").replace(/_/g, \"/\")), (c) =>\n\t\t\t\t\t\tc.charCodeAt(0),\n\t\t\t\t\t),\n\t\t\t\t),\n\t\t\t) as Record<string, unknown>;\n\n\t\t\tconst issuerDid = typeof rawPayload.iss === \"string\" ? 
rawPayload.iss : null;\n\t\t\tif (!issuerDid) {\n\t\t\t\treturn {\n\t\t\t\t\tsuccess: false,\n\t\t\t\t\terror: makeError(\"VC_NO_ISSUER\", \"JWT has no iss claim\"),\n\t\t\t\t};\n\t\t\t}\n\n\t\t\t// Resolve key\n\t\t\tconst keyResult = await resolveKey(issuerDid, providedKey);\n\t\t\tif (!keyResult.success) return keyResult;\n\n\t\t\tconst publicKey = await importJWK(keyResult.data, \"EdDSA\");\n\t\t\tconst { payload } = await jwtVerify(jwt, publicKey);\n\n\t\t\tconst vcClaim = payload.vc as Record<string, unknown> | undefined;\n\t\t\tif (!vcClaim) {\n\t\t\t\treturn {\n\t\t\t\t\tsuccess: false,\n\t\t\t\t\terror: makeError(\"VC_MISSING_VC_CLAIM\", \"JWT does not contain a vc claim\"),\n\t\t\t\t};\n\t\t\t}\n\n\t\t\t// Reconstruct the full credential from the JWT claims\n\t\t\tconst credential: VerifiableCredential = {\n\t\t\t\t...(vcClaim as unknown as VerifiableCredential),\n\t\t\t\tissuer: issuerDid,\n\t\t\t};\n\n\t\t\t// Validate against schema\n\t\t\tconst parsed = VerifiableCredentialSchema.safeParse(credential);\n\t\t\tif (!parsed.success) {\n\t\t\t\treturn {\n\t\t\t\t\tsuccess: false,\n\t\t\t\t\terror: makeError(\"VC_INVALID_CREDENTIAL\", \"Credential does not match W3C schema\", {\n\t\t\t\t\t\tissues: parsed.error.issues.map((i) => `${i.path.join(\".\")}: ${i.message}`),\n\t\t\t\t\t}),\n\t\t\t\t};\n\t\t\t}\n\n\t\t\t// Check expiry\n\t\t\tif (payload.exp && payload.exp < Math.floor(Date.now() / 1000)) {\n\t\t\t\treturn {\n\t\t\t\t\tsuccess: false,\n\t\t\t\t\terror: makeError(\"VC_EXPIRED\", \"Credential has expired\"),\n\t\t\t\t};\n\t\t\t}\n\n\t\t\t// Check revocation\n\t\t\tif (parsed.data.credentialStatus && checkRevocationStatus) {\n\t\t\t\tconst revoked = await checkRevocationStatus(parsed.data.credentialStatus);\n\t\t\t\tif (revoked) {\n\t\t\t\t\treturn {\n\t\t\t\t\t\tsuccess: false,\n\t\t\t\t\t\terror: makeError(\"VC_REVOKED\", \"Credential has been revoked\"),\n\t\t\t\t\t};\n\t\t\t\t}\n\t\t\t}\n\n\t\t\treturn {\n\t\t\t\tsuccess: true,\n\t\t\t\tdata: 
{\n\t\t\t\t\tcredential: parsed.data,\n\t\t\t\t\tformat: \"jwt\" as CredentialFormat,\n\t\t\t\t\tissuer: issuerDid,\n\t\t\t\t\tissuedAt: new Date((payload.iat ?? 0) * 1000),\n\t\t\t\t\texpiresAt: payload.exp ? new Date(payload.exp * 1000) : null,\n\t\t\t\t},\n\t\t\t};\n\t\t} catch (err) {\n\t\t\t// Distinguish between expiry and other errors\n\t\t\tif (err instanceof joseErrors.JWTExpired) {\n\t\t\t\treturn {\n\t\t\t\t\tsuccess: false,\n\t\t\t\t\terror: makeError(\"VC_EXPIRED\", \"Credential has expired\"),\n\t\t\t\t};\n\t\t\t}\n\t\t\treturn {\n\t\t\t\tsuccess: false,\n\t\t\t\terror: makeError(\n\t\t\t\t\t\"VC_VERIFY_FAILED\",\n\t\t\t\t\terr instanceof Error ? err.message : \"Failed to verify JWT credential\",\n\t\t\t\t),\n\t\t\t};\n\t\t}\n\t}\n\n\tasync function verifyJsonLdCredential(\n\t\tvc: VerifiableCredential,\n\t\tprovidedKey?: JsonWebKey,\n\t): Promise<Result<VerifiedCredential>> {\n\t\t// Validate schema\n\t\tconst parsed = VerifiableCredentialSchema.safeParse(vc);\n\t\tif (!parsed.success) {\n\t\t\treturn {\n\t\t\t\tsuccess: false,\n\t\t\t\terror: makeError(\"VC_INVALID_CREDENTIAL\", \"Credential does not match W3C schema\", {\n\t\t\t\t\tissues: parsed.error.issues.map((i) => `${i.path.join(\".\")}: ${i.message}`),\n\t\t\t\t}),\n\t\t\t};\n\t\t}\n\n\t\tconst credential = parsed.data;\n\n\t\tif (!credential.proof) {\n\t\t\treturn {\n\t\t\t\tsuccess: false,\n\t\t\t\terror: makeError(\"VC_NO_PROOF\", \"JSON-LD credential has no embedded proof\"),\n\t\t\t};\n\t\t}\n\n\t\tif (!credential.proof.jws) {\n\t\t\treturn {\n\t\t\t\tsuccess: false,\n\t\t\t\terror: makeError(\"VC_NO_JWS\", \"Proof does not contain a JWS value\"),\n\t\t\t};\n\t\t}\n\n\t\tconst issuerDid = getIssuerString(credential.issuer);\n\n\t\t// Resolve key\n\t\tconst keyResult = await resolveKey(issuerDid, providedKey);\n\t\tif (!keyResult.success) return keyResult;\n\n\t\ttry {\n\t\t\tconst publicKey = await importJWK(keyResult.data, \"EdDSA\");\n\n\t\t\t// Verify the JWS\n\t\t\tconst { payload } 
= await compactVerify(credential.proof.jws, publicKey);\n\n\t\t\t// Compare signed content against current credential (minus proof)\n\t\t\tconst { proof: _proof, ...vcWithoutProof } = credential;\n\t\t\tconst signedContent = new TextDecoder().decode(payload);\n\t\t\tconst currentContent = JSON.stringify(vcWithoutProof);\n\n\t\t\tif (signedContent !== currentContent) {\n\t\t\t\treturn {\n\t\t\t\t\tsuccess: false,\n\t\t\t\t\terror: makeError(\"VC_TAMPERED\", \"Credential content does not match the signed payload\"),\n\t\t\t\t};\n\t\t\t}\n\n\t\t\t// Check expiry\n\t\t\tif (credential.expirationDate) {\n\t\t\t\tconst expiry = new Date(credential.expirationDate);\n\t\t\t\tif (expiry <= new Date()) {\n\t\t\t\t\treturn {\n\t\t\t\t\t\tsuccess: false,\n\t\t\t\t\t\terror: makeError(\"VC_EXPIRED\", \"Credential has expired\"),\n\t\t\t\t\t};\n\t\t\t\t}\n\t\t\t}\n\n\t\t\t// Check revocation\n\t\t\tif (credential.credentialStatus && checkRevocationStatus) {\n\t\t\t\tconst revoked = await checkRevocationStatus(credential.credentialStatus);\n\t\t\t\tif (revoked) {\n\t\t\t\t\treturn {\n\t\t\t\t\t\tsuccess: false,\n\t\t\t\t\t\terror: makeError(\"VC_REVOKED\", \"Credential has been revoked\"),\n\t\t\t\t\t};\n\t\t\t\t}\n\t\t\t}\n\n\t\t\treturn {\n\t\t\t\tsuccess: true,\n\t\t\t\tdata: {\n\t\t\t\t\tcredential,\n\t\t\t\t\tformat: \"json-ld\" as CredentialFormat,\n\t\t\t\t\tissuer: issuerDid,\n\t\t\t\t\tissuedAt: new Date(credential.issuanceDate),\n\t\t\t\t\texpiresAt: credential.expirationDate ? new Date(credential.expirationDate) : null,\n\t\t\t\t},\n\t\t\t};\n\t\t} catch (err) {\n\t\t\treturn {\n\t\t\t\tsuccess: false,\n\t\t\t\terror: makeError(\n\t\t\t\t\t\"VC_VERIFY_FAILED\",\n\t\t\t\t\terr instanceof Error ? 
err.message : \"Failed to verify JSON-LD credential\",\n\t\t\t\t),\n\t\t\t};\n\t\t}\n\t}\n\n\t// ── Public API ────────────────────────────────────────────────────────\n\n\tasync function verifyCredential(\n\t\tvc: string | VerifiableCredential,\n\t\tpublicKeyJwk?: JsonWebKey,\n\t): Promise<Result<VerifiedCredential>> {\n\t\tif (typeof vc === \"string\") {\n\t\t\treturn verifyJwtCredential(vc, publicKeyJwk);\n\t\t}\n\t\treturn verifyJsonLdCredential(vc, publicKeyJwk);\n\t}\n\n\tasync function verifyPresentation(\n\t\tvp: string | VerifiablePresentation,\n\t\tpublicKeyJwk?: JsonWebKey,\n\t): Promise<Result<VerifiedPresentation>> {\n\t\tlet presentation: VerifiablePresentation;\n\n\t\tif (typeof vp === \"string\") {\n\t\t\t// JWT-encoded presentation\n\t\t\ttry {\n\t\t\t\tconst parts = vp.split(\".\");\n\t\t\t\tif (parts.length !== 3 || !parts[1]) {\n\t\t\t\t\treturn {\n\t\t\t\t\t\tsuccess: false,\n\t\t\t\t\t\terror: makeError(\"VC_INVALID_JWT\", \"Presentation JWT must have three parts\"),\n\t\t\t\t\t};\n\t\t\t\t}\n\n\t\t\t\tconst payloadB64 = parts[1];\n\t\t\t\tconst rawPayload = JSON.parse(\n\t\t\t\t\tnew TextDecoder().decode(\n\t\t\t\t\t\tUint8Array.from(atob(payloadB64.replace(/-/g, \"+\").replace(/_/g, \"/\")), (c) =>\n\t\t\t\t\t\t\tc.charCodeAt(0),\n\t\t\t\t\t\t),\n\t\t\t\t\t),\n\t\t\t\t) as Record<string, unknown>;\n\n\t\t\t\tconst issuerDid = typeof rawPayload.iss === \"string\" ? 
rawPayload.iss : null;\n\t\t\t\tif (!issuerDid) {\n\t\t\t\t\treturn {\n\t\t\t\t\t\tsuccess: false,\n\t\t\t\t\t\terror: makeError(\"VC_NO_ISSUER\", \"Presentation JWT has no iss claim\"),\n\t\t\t\t\t};\n\t\t\t\t}\n\n\t\t\t\tconst keyResult = await resolveKey(issuerDid, publicKeyJwk);\n\t\t\t\tif (!keyResult.success) return keyResult;\n\n\t\t\t\tconst publicKey = await importJWK(keyResult.data, \"EdDSA\");\n\t\t\t\tconst { payload } = await jwtVerify(vp, publicKey);\n\n\t\t\t\tconst vpClaim = payload.vp as Record<string, unknown> | undefined;\n\t\t\t\tif (!vpClaim) {\n\t\t\t\t\treturn {\n\t\t\t\t\t\tsuccess: false,\n\t\t\t\t\t\terror: makeError(\"VC_MISSING_VP_CLAIM\", \"JWT does not contain a vp claim\"),\n\t\t\t\t\t};\n\t\t\t\t}\n\n\t\t\t\tpresentation = vpClaim as unknown as VerifiablePresentation;\n\t\t\t} catch (err) {\n\t\t\t\treturn {\n\t\t\t\t\tsuccess: false,\n\t\t\t\t\terror: makeError(\n\t\t\t\t\t\t\"VC_VERIFY_FAILED\",\n\t\t\t\t\t\terr instanceof Error ? err.message : \"Failed to verify presentation JWT\",\n\t\t\t\t\t),\n\t\t\t\t};\n\t\t\t}\n\t\t} else {\n\t\t\tpresentation = vp;\n\t\t}\n\n\t\t// Validate schema\n\t\tconst parsed = VerifiablePresentationSchema.safeParse(presentation);\n\t\tif (!parsed.success) {\n\t\t\treturn {\n\t\t\t\tsuccess: false,\n\t\t\t\terror: makeError(\"VC_INVALID_PRESENTATION\", \"Presentation does not match W3C schema\", {\n\t\t\t\t\tissues: parsed.error.issues.map((i) => `${i.path.join(\".\")}: ${i.message}`),\n\t\t\t\t}),\n\t\t\t};\n\t\t}\n\n\t\t// Verify each credential in the presentation\n\t\tconst verifiedCredentials: VerifiedCredential[] = [];\n\t\tfor (const vc of parsed.data.verifiableCredential) {\n\t\t\tconst result = await verifyCredential(vc, publicKeyJwk);\n\t\t\tif (!result.success) {\n\t\t\t\treturn {\n\t\t\t\t\tsuccess: false,\n\t\t\t\t\terror: makeError(\n\t\t\t\t\t\t\"VC_PRESENTATION_CREDENTIAL_INVALID\",\n\t\t\t\t\t\t`Failed to verify credential in presentation: ${result.error.message}`,\n\t\t\t\t\t\t{ 
originalError: result.error },\n\t\t\t\t\t),\n\t\t\t\t};\n\t\t\t}\n\t\t\tverifiedCredentials.push(result.data);\n\t\t}\n\n\t\treturn {\n\t\t\tsuccess: true,\n\t\t\tdata: {\n\t\t\t\tpresentation: parsed.data,\n\t\t\t\tcredentials: verifiedCredentials,\n\t\t\t\tholder: parsed.data.holder ?? null,\n\t\t\t},\n\t\t};\n\t}\n\n\tfunction extractPermissions(vc: VerifiableCredential): ExtractedPermissions {\n\t\tconst subject = vc.credentialSubject;\n\t\treturn {\n\t\t\tagentId: subject.agentId ?? subject.id ?? null,\n\t\t\tpermissions: subject.permissions ?? [],\n\t\t\ttrustLevel: subject.trustLevel ?? null,\n\t\t\tdelegationScope: subject.delegationScope ?? [],\n\t\t};\n\t}\n\n\treturn {\n\t\tverifyCredential,\n\t\tverifyPresentation,\n\t\textractPermissions,\n\t};\n}\n"]}
1
+ {"version":3,"sources":["../src/vc/types.ts","../src/vc/issuer.ts","../src/vc/verifier.ts"],"names":["makeError","importJWK","joseErrors"],"mappings":";;;;AAaO,IAAM,aAAA,GAAgB;AACtB,IAAM,aAAA,GAAgB;AACtB,IAAM,kBAAA,GAAqB;AAC3B,IAAM,oBAAA,GAAuB;AAG7B,IAAM,uBAAA,GAA0B;AAChC,IAAM,4BAAA,GAA+B;AACrC,IAAM,4BAAA,GAA+B;AAIrC,IAAM,WAAA,GAAc,EAAE,MAAA,CAAO;AAAA,EACnC,MAAM,CAAA,CAAE,IAAA,CAAK,CAAC,sBAAA,EAAwB,sBAAsB,CAAC,CAAA;AAAA,EAC7D,OAAA,EAAS,EAAE,MAAA,EAAO;AAAA,EAClB,kBAAA,EAAoB,EAAE,MAAA,EAAO;AAAA,EAC7B,cAAc,CAAA,CAAE,IAAA,CAAK,CAAC,iBAAA,EAAmB,gBAAgB,CAAC,CAAA;AAAA,EAC1D,UAAA,EAAY,CAAA,CAAE,MAAA,EAAO,CAAE,QAAA,EAAS;AAAA,EAChC,GAAA,EAAK,CAAA,CAAE,MAAA,EAAO,CAAE,QAAA;AACjB,CAAC;AAMM,IAAM,sBAAA,GAAyB,EAAE,MAAA,CAAO;AAAA,EAC9C,EAAA,EAAI,EAAE,MAAA,EAAO;AAAA,EACb,IAAA,EAAM,EAAE,MAAA,EAAO;AAAA,EACf,eAAe,CAAA,CAAE,IAAA,CAAK,CAAC,YAAA,EAAc,YAAY,CAAC,CAAA;AAAA,EAClD,iBAAiB,CAAA,CAAE,MAAA,EAAO,CAAE,GAAA,GAAM,WAAA,EAAY;AAAA,EAC9C,oBAAA,EAAsB,EAAE,MAAA;AACzB,CAAC;AAMM,IAAM,uBAAA,GAA0B,EAAE,MAAA,CAAO;AAAA,EAC/C,EAAA,EAAI,CAAA,CAAE,MAAA,EAAO,CAAE,QAAA,EAAS;AAAA,EACxB,OAAA,EAAS,CAAA,CAAE,MAAA,EAAO,CAAE,QAAA,EAAS;AAAA,EAC7B,aAAa,CAAA,CAAE,KAAA,CAAM,EAAE,MAAA,EAAQ,EAAE,QAAA,EAAS;AAAA,EAC1C,UAAA,EAAY,CAAA,CAAE,MAAA,EAAO,CAAE,GAAA,CAAI,CAAC,CAAA,CAAE,GAAA,CAAI,CAAC,CAAA,CAAE,QAAA,EAAS;AAAA,EAC9C,iBAAiB,CAAA,CAAE,KAAA,CAAM,EAAE,MAAA,EAAQ,EAAE,QAAA,EAAS;AAAA,EAC9C,iBAAiB,CAAA,CACf,KAAA;AAAA,IACA,EAAE,MAAA,CAAO;AAAA,MACR,SAAA,EAAW,EAAE,MAAA,EAAO;AAAA,MACpB,SAAA,EAAW,EAAE,MAAA,EAAO;AAAA,MACpB,WAAA,EAAa,CAAA,CAAE,KAAA,CAAM,CAAA,CAAE,QAAQ,CAAA;AAAA,MAC/B,SAAA,EAAW,EAAE,MAAA;AAAO,KACpB;AAAA,IAED,QAAA,EAAS;AAAA,EACX,IAAA,EAAM,CAAA,CAAE,MAAA,EAAO,CAAE,QAAA,EAAS;AAAA,EAC1B,IAAA,EAAM,CAAA,CAAE,MAAA,EAAO,CAAE,QAAA;AAClB,CAAC;AAMM,IAAM,0BAAA,GAA6B,EAAE,MAAA,CAAO;AAAA,EAClD,UAAA,EAAY,EAAE,KAAA,CAAM,CAAA,CAAE,QAAQ,CAAA,CAAE,IAAI,CAAC,CAAA;AAAA,EACrC,EAAA,EAAI,CAAA,CAAE,MAAA,EAAO,CAAE,QAAA,EAAS;AAAA,EACxB,IAAA,EAAM,EAAE,KAAA,CAAM,CAAA,CAAE,QAAQ,CAAA,CAAE,IAAI,CAAC,CAAA;AAAA,EAC/B,MAAA,EAAQ,EAAE,KAAA,CAA
M,CAAC,EAAE,MAAA,EAAO,EAAG,CAAA,CAAE,MAAA,CAAO,EAAE,EAAA,EAAI,EAAE,MAAA,EAAO,EAAG,MAAM,CAAA,CAAE,MAAA,GAAS,QAAA,EAAS,EAAG,CAAC,CAAC,CAAA;AAAA,EACvF,YAAA,EAAc,EAAE,MAAA,EAAO;AAAA,EACvB,cAAA,EAAgB,CAAA,CAAE,MAAA,EAAO,CAAE,QAAA,EAAS;AAAA,EACpC,iBAAA,EAAmB,uBAAA;AAAA,EACnB,gBAAA,EAAkB,uBAAuB,QAAA,EAAS;AAAA,EAClD,KAAA,EAAO,YAAY,QAAA;AACpB,CAAC;AAMM,IAAM,4BAAA,GAA+B,EAAE,MAAA,CAAO;AAAA,EACpD,UAAA,EAAY,EAAE,KAAA,CAAM,CAAA,CAAE,QAAQ,CAAA,CAAE,IAAI,CAAC,CAAA;AAAA,EACrC,EAAA,EAAI,CAAA,CAAE,MAAA,EAAO,CAAE,QAAA,EAAS;AAAA,EACxB,IAAA,EAAM,EAAE,KAAA,CAAM,CAAA,CAAE,QAAQ,CAAA,CAAE,IAAI,CAAC,CAAA;AAAA,EAC/B,MAAA,EAAQ,CAAA,CAAE,MAAA,EAAO,CAAE,QAAA,EAAS;AAAA,EAC5B,sBAAsB,CAAA,CAAE,KAAA,CAAM,0BAA0B,CAAA,CAAE,IAAI,CAAC,CAAA;AAAA,EAC/D,KAAA,EAAO,YAAY,QAAA;AACpB,CAAC;;;ACpED,IAAM,mBAAA,GAAsB,KAAA;AAI5B,SAAS,SAAA,CAAU,IAAA,EAAc,OAAA,EAAiB,OAAA,EAAgD;AACjG,EAAA,OAAO,EAAE,IAAA,EAAM,OAAA,EAAS,GAA0C,EAAC,EAAG;AACvE;AAEA,SAAS,MAAA,GAAiB;AACzB,EAAA,OAAA,iBAAO,IAAI,IAAA,EAAK,EAAE,WAAA,EAAY;AAC/B;AAEA,SAAS,UAAU,OAAA,EAAyB;AAC3C,EAAA,OAAO,IAAI,KAAK,IAAA,CAAK,GAAA,KAAQ,OAAA,GAAU,GAAI,EAAE,WAAA,EAAY;AAC1D;AAoFO,SAAS,eAAe,MAAA,EAAkC;AAChE,EAAA,MAAM,EAAE,SAAA,EAAW,aAAA,EAAe,UAAA,GAAa,qBAAoB,GAAI,MAAA;AAEvE,EAAA,MAAM,GAAA,GAAM,CAAA,EAAG,SAAS,CAAA,CAAA,EAAI,SAAA,CAAU,MAAM,GAAG,CAAA,CAAE,GAAA,EAAI,IAAK,OAAO,CAAA,CAAA;AAEjE,EAAA,eAAe,SAAA,CACd,UAAA,EACA,OAAA,EACA,GAAA,EACqE;AACrE,IAAA,IAAI;AACH,MAAA,MAAM,GAAA,GAAM,MAAM,SAAA,CAAU,aAAA,EAAe,OAAO,CAAA;AAGlD,MAAA,MAAM,EAAE,KAAA,EAAO,MAAA,EAAQ,GAAG,gBAAe,GAAI,UAAA;AAE7C,MAAA,MAAM,OAAA,GAAU,IAAI,OAAA,CAAQ;AAAA,QAC3B,EAAA,EAAI;AAAA,OACJ,CAAA,CACC,kBAAA,CAAmB,EAAE,GAAA,EAAK,SAAS,GAAA,EAAK,GAAA,EAAK,KAAA,EAAO,CAAA,CACpD,SAAA,CAAU,SAAS,CAAA,CACnB,WAAA,EAAY,CACZ,iBAAA,CAAkB,IAAA,CAAK,KAAA,CAAM,KAAK,GAAA,EAAI,GAAI,GAAI,CAAA,GAAI,GAAG,CAAA;AAEvD,MAAA,IAAI,WAAW,EAAA,EAAI;AAClB,QAAA,OAAA,CAAQ,MAAA,CAAO,WAAW,EAAE,CAAA;AAAA,MAC7B;AACA,MAAA,IAAI,OAAA,EAAS;AACZ,QAAA,OAAA,CAAQ,WAAW,OAAO,CAAA;AAAA,MAC3B;AAEA,MAAA,MAAM,GAAA,GAAM,MAAM,OAAA,CAAQ,IAAA,CAAK,GAAG,CAAA;AAClC,MAAA,OAAO
,EAAE,OAAA,EAAS,IAAA,EAAM,MAAM,EAAE,UAAA,EAAY,KAAI,EAAE;AAAA,IACnD,SAAS,GAAA,EAAK;AACb,MAAA,OAAO;AAAA,QACN,OAAA,EAAS,KAAA;AAAA,QACT,KAAA,EAAO,SAAA;AAAA,UACN,gBAAA;AAAA,UACA,GAAA,YAAe,KAAA,GAAQ,GAAA,CAAI,OAAA,GAAU;AAAA;AACtC,OACD;AAAA,IACD;AAAA,EACD;AAEA,EAAA,eAAe,aACd,UAAA,EACwD;AACxD,IAAA,IAAI;AACH,MAAA,MAAM,GAAA,GAAM,MAAM,SAAA,CAAU,aAAA,EAAe,OAAO,CAAA;AAGlD,MAAA,MAAM,EAAE,KAAA,EAAO,MAAA,EAAQ,GAAG,gBAAe,GAAI,UAAA;AAC7C,MAAA,MAAM,OAAA,GAAU,IAAI,WAAA,EAAY,CAAE,OAAO,IAAA,CAAK,SAAA,CAAU,cAAc,CAAC,CAAA;AAEvE,MAAA,MAAM,EAAE,WAAA,EAAY,GAAI,MAAM,OAAO,MAAM,CAAA;AAC3C,MAAA,MAAM,GAAA,GAAM,MAAM,IAAI,WAAA,CAAY,OAAO,CAAA,CACvC,kBAAA,CAAmB,EAAE,GAAA,EAAK,OAAA,EAAS,GAAA,EAAK,CAAA,CACxC,KAAK,GAAG,CAAA;AAEV,MAAA,MAAM,KAAA,GAAe;AAAA,QACpB,IAAA,EAAM,sBAAA;AAAA,QACN,SAAS,MAAA,EAAO;AAAA,QAChB,kBAAA,EAAoB,GAAA;AAAA,QACpB,YAAA,EAAc,iBAAA;AAAA,QACd;AAAA,OACD;AAEA,MAAA,MAAM,gBAAA,GAAyC;AAAA,QAC9C,GAAG,UAAA;AAAA,QACH;AAAA,OACD;AAEA,MAAA,OAAO,EAAE,OAAA,EAAS,IAAA,EAAM,MAAM,EAAE,UAAA,EAAY,kBAAiB,EAAE;AAAA,IAChE,SAAS,GAAA,EAAK;AACb,MAAA,OAAO;AAAA,QACN,OAAA,EAAS,KAAA;AAAA,QACT,KAAA,EAAO,SAAA;AAAA,UACN,gBAAA;AAAA,UACA,GAAA,YAAe,KAAA,GAAQ,GAAA,CAAI,OAAA,GAAU;AAAA;AACtC,OACD;AAAA,IACD;AAAA,EACD;AAEA,EAAA,SAAS,eAAA,CACR,KAAA,EACA,OAAA,EACA,GAAA,EACA,cAAA,EACuB;AACvB,IAAA,OAAO;AAAA,MACN,UAAA,EAAY,CAAC,aAAa,CAAA;AAAA,MAC1B,EAAA,EAAI,CAAA,SAAA,EAAY,UAAA,EAAY,CAAA,CAAA;AAAA,MAC5B,IAAA,EAAM,CAAC,kBAAA,EAAoB,GAAG,KAAK,CAAA;AAAA,MACnC,MAAA,EAAQ,SAAA;AAAA,MACR,cAAc,MAAA,EAAO;AAAA,MACrB,cAAA,EAAkC,SAAA,CAAU,GAAG,CAAA;AAAA,MAC/C,iBAAA,EAAmB;AAAA,KACpB;AAAA,EACD;AAEA,EAAA,eAAe,cAAA,CACd,UAAA,EACA,OAAA,EACA,GAAA,EACA,MAAA,EACsE;AACtE,IAAA,IAAI,WAAW,KAAA,EAAO;AACrB,MAAA,OAAO,SAAA,CAAU,UAAA,EAAY,OAAA,EAAS,GAAG,CAAA;AAAA,IAC1C;AACA,IAAA,OAAO,aAAa,UAAU,CAAA;AAAA,EAC/B;AAIA,EAAA,eAAe,qBACd,KAAA,EACsE;AACtE,IAAA,MAAM;AAAA,MACL,OAAA;AAAA,MACA,IAAA;AAAA,MACA,SAAA;AAAA,MACA,WAAA;AAAA,MACA,UAAA;AAAA,MACA,GAAA,GAAM,UAAA;AAAA,MACN,MAAA,GAAS;AAAA,KACV,GAAI,KAAA;AAEJ,IAAA,IAAI,CAAC,OAAA,EAAS;AACb,MAAA,OAAO;AAAA,QACN,OAAA,EAAS
,KAAA;AAAA,QACT,KAAA,EAAO,SAAA,CAAU,kBAAA,EAAoB,qBAAqB;AAAA,OAC3D;AAAA,IACD;AAEA,IAAA,IAAI,UAAA,KAAe,MAAA,KAAc,UAAA,GAAa,CAAA,IAAK,aAAa,CAAA,CAAA,EAAI;AACnE,MAAA,OAAO;AAAA,QACN,OAAA,EAAS,KAAA;AAAA,QACT,KAAA,EAAO,SAAA,CAAU,kBAAA,EAAoB,oCAAoC;AAAA,OAC1E;AAAA,IACD;AAEA,IAAA,MAAM,OAAA,GAA6B;AAAA,MAClC,EAAA,EAAI,OAAA;AAAA,MACJ,OAAA;AAAA,MACA,GAAI,IAAA,KAAS,MAAA,GAAY,EAAE,IAAA,KAAS,EAAC;AAAA,MACrC,GAAI,SAAA,KAAc,MAAA,GAAY,EAAE,IAAA,EAAM,SAAA,KAAc,EAAC;AAAA,MACrD,GAAI,WAAA,KAAgB,MAAA,GAAY,EAAE,WAAA,KAAgB,EAAC;AAAA,MACnD,GAAI,UAAA,KAAe,MAAA,GAAY,EAAE,UAAA,KAAe;AAAC,KAClD;AAEA,IAAA,MAAM,aAAa,eAAA,CAAgB,CAAC,uBAAuB,CAAA,EAAG,SAAS,GAAG,CAAA;AAC1E,IAAA,OAAO,cAAA,CAAe,UAAA,EAAY,OAAA,EAAS,GAAA,EAAK,MAAM,CAAA;AAAA,EACvD;AAEA,EAAA,eAAe,0BACd,KAAA,EACsE;AACtE,IAAA,MAAM,EAAE,OAAA,EAAS,WAAA,EAAa,MAAM,UAAA,EAAY,MAAA,GAAS,OAAM,GAAI,KAAA;AAEnE,IAAA,IAAI,CAAC,OAAA,EAAS;AACb,MAAA,OAAO;AAAA,QACN,OAAA,EAAS,KAAA;AAAA,QACT,KAAA,EAAO,SAAA,CAAU,kBAAA,EAAoB,qBAAqB;AAAA,OAC3D;AAAA,IACD;AAEA,IAAA,IAAI,CAAC,WAAA,IAAe,WAAA,CAAY,MAAA,KAAW,CAAA,EAAG;AAC7C,MAAA,OAAO;AAAA,QACN,OAAA,EAAS,KAAA;AAAA,QACT,KAAA,EAAO,SAAA,CAAU,kBAAA,EAAoB,qCAAqC;AAAA,OAC3E;AAAA,IACD;AAEA,IAAA,MAAM,OAAA,GAA6B;AAAA,MAClC,EAAA,EAAI,OAAA;AAAA,MACJ,OAAA;AAAA,MACA;AAAA,KACD;AAEA,IAAA,MAAM,aAAa,eAAA,CAAgB,CAAC,4BAA4B,CAAA,EAAG,SAAS,GAAG,CAAA;AAC/E,IAAA,OAAO,cAAA,CAAe,UAAA,EAAY,OAAA,EAAS,GAAA,EAAK,MAAM,CAAA;AAAA,EACvD;AAEA,EAAA,eAAe,0BACd,KAAA,EACsE;AACtE,IAAA,MAAM,EAAE,SAAS,KAAA,EAAO,eAAA,EAAiB,MAAM,UAAA,EAAY,MAAA,GAAS,OAAM,GAAI,KAAA;AAE9E,IAAA,IAAI,CAAC,OAAA,EAAS;AACb,MAAA,OAAO;AAAA,QACN,OAAA,EAAS,KAAA;AAAA,QACT,KAAA,EAAO,SAAA,CAAU,kBAAA,EAAoB,qBAAqB;AAAA,OAC3D;AAAA,IACD;AAEA,IAAA,IAAI,CAAC,KAAA,IAAS,KAAA,CAAM,MAAA,KAAW,CAAA,EAAG;AACjC,MAAA,OAAO;AAAA,QACN,OAAA,EAAS,KAAA;AAAA,QACT,KAAA,EAAO,SAAA,CAAU,kBAAA,EAAoB,8CAA8C;AAAA,OACpF;AAAA,IACD;AAEA,IAAA,MAAM,OAAA,GAA6B;AAAA,MAClC,EAAA,EAAI,OAAA;AAAA,MACJ,OAAA;AAAA,MACA,eAAA,EAAiB,KAAA;AAAA,MACjB,GAAI,eAAA,KAAoB,MAAA,GAAY,EAAE,eAAA,KAAoB;AAAC,KAC5D;AAEA,IAAA,MAAM,aAAa,eAAA,CAAgB,CAAC,4BAA
4B,CAAA,EAAG,SAAS,GAAG,CAAA;AAC/E,IAAA,OAAO,cAAA,CAAe,UAAA,EAAY,OAAA,EAAS,GAAA,EAAK,MAAM,CAAA;AAAA,EACvD;AAEA,EAAA,OAAO;AAAA,IACN,oBAAA;AAAA,IACA,yBAAA;AAAA,IACA,yBAAA;AAAA,IACA;AAAA,GACD;AACD;ACpUA,SAASA,UAAAA,CAAU,IAAA,EAAc,OAAA,EAAiB,OAAA,EAAgD;AACjG,EAAA,OAAO,EAAE,IAAA,EAAM,OAAA,EAAS,GAAI,OAAA,KAAY,SAAY,EAAE,OAAA,EAAQ,GAAI,EAAC,EAAG;AACvE;AAEA,SAAS,gBAAgB,MAAA,EAAwD;AAChF,EAAA,IAAI,OAAO,MAAA,KAAW,QAAA,EAAU,OAAO,MAAA;AACvC,EAAA,OAAO,MAAA,CAAO,EAAA;AACf;AA4BO,SAAS,gBAAA,CAAiB,MAAA,GAA2B,EAAC,EAAe;AAC3E,EAAA,MAAM,EAAE,aAAA,EAAe,qBAAA,EAAsB,GAAI,MAAA;AAEjD,EAAA,eAAe,UAAA,CAAW,KAAa,WAAA,EAAuD;AAC7F,IAAA,IAAI,WAAA,EAAa;AAChB,MAAA,OAAO,EAAE,OAAA,EAAS,IAAA,EAAM,IAAA,EAAM,WAAA,EAAY;AAAA,IAC3C;AAEA,IAAA,IAAI,aAAA,EAAe;AAClB,MAAA,MAAM,QAAA,GAAW,MAAM,aAAA,CAAc,GAAG,CAAA;AACxC,MAAA,IAAI,QAAA,EAAU;AACb,QAAA,OAAO,EAAE,OAAA,EAAS,IAAA,EAAM,IAAA,EAAM,QAAA,EAAS;AAAA,MACxC;AAAA,IACD;AAEA,IAAA,OAAO;AAAA,MACN,OAAA,EAAS,KAAA;AAAA,MACT,KAAA,EAAOA,UAAAA,CAAU,kBAAA,EAAoB,CAAA,sCAAA,EAAyC,GAAG,CAAA,CAAE;AAAA,KACpF;AAAA,EACD;AAEA,EAAA,eAAe,mBAAA,CACd,KACA,WAAA,EACsC;AACtC,IAAA,IAAI;AAEH,MAAA,MAAM,KAAA,GAAQ,GAAA,CAAI,KAAA,CAAM,GAAG,CAAA;AAC3B,MAAA,IAAI,KAAA,CAAM,WAAW,CAAA,EAAG;AACvB,QAAA,OAAO;AAAA,UACN,OAAA,EAAS,KAAA;AAAA,UACT,KAAA,EAAOA,UAAAA,CAAU,gBAAA,EAAkB,2BAA2B;AAAA,SAC/D;AAAA,MACD;AAGA,MAAA,MAAM,UAAA,GAAa,MAAM,CAAC,CAAA;AAC1B,MAAA,IAAI,CAAC,UAAA,EAAY;AAChB,QAAA,OAAO;AAAA,UACN,OAAA,EAAS,KAAA;AAAA,UACT,KAAA,EAAOA,UAAAA,CAAU,gBAAA,EAAkB,wBAAwB;AAAA,SAC5D;AAAA,MACD;AACA,MAAA,MAAM,aAAa,IAAA,CAAK,KAAA;AAAA,QACvB,IAAI,aAAY,CAAE,MAAA;AAAA,UACjB,UAAA,CAAW,IAAA;AAAA,YAAK,IAAA,CAAK,WAAW,OAAA,CAAQ,IAAA,EAAM,GAAG,CAAA,CAAE,OAAA,CAAQ,IAAA,EAAM,GAAG,CAAC,CAAA;AAAA,YAAG,CAAC,CAAA,KACxE,CAAA,CAAE,UAAA,CAAW,CAAC;AAAA;AACf;AACD,OACD;AAEA,MAAA,MAAM,YAAY,OAAO,UAAA,CAAW,GAAA,KAAQ,QAAA,GAAW,WAAW,GAAA,GAAM,IAAA;AACxE,MAAA,IAAI,CAAC,SAAA,EAAW;AACf,QAAA,OAAO;AAAA,UACN,OAAA,EAAS,KAAA;AAAA,UACT,KAAA,EAAOA,UAAAA,CAAU,cAAA,EAAgB,sBAAsB;AAAA,SACxD;AAAA,MACD;AAGA,MAAA,MAAM,SAAA,GAAY,MAAM,UAAA,CAAW,SAAA,EAAW,WAAW,CA
AA;AACzD,MAAA,IAAI,CAAC,SAAA,CAAU,OAAA,EAAS,OAAO,SAAA;AAE/B,MAAA,MAAM,SAAA,GAAY,MAAMC,SAAAA,CAAU,SAAA,CAAU,MAAM,OAAO,CAAA;AACzD,MAAA,MAAM,EAAE,OAAA,EAAQ,GAAI,MAAM,SAAA,CAAU,KAAK,SAAS,CAAA;AAElD,MAAA,MAAM,UAAU,OAAA,CAAQ,EAAA;AACxB,MAAA,IAAI,CAAC,OAAA,EAAS;AACb,QAAA,OAAO;AAAA,UACN,OAAA,EAAS,KAAA;AAAA,UACT,KAAA,EAAOD,UAAAA,CAAU,qBAAA,EAAuB,iCAAiC;AAAA,SAC1E;AAAA,MACD;AAGA,MAAA,MAAM,UAAA,GAAmC;AAAA,QACxC,GAAI,OAAA;AAAA,QACJ,MAAA,EAAQ;AAAA,OACT;AAGA,MAAA,MAAM,MAAA,GAAS,0BAAA,CAA2B,SAAA,CAAU,UAAU,CAAA;AAC9D,MAAA,IAAI,CAAC,OAAO,OAAA,EAAS;AACpB,QAAA,OAAO;AAAA,UACN,OAAA,EAAS,KAAA;AAAA,UACT,KAAA,EAAOA,UAAAA,CAAU,uBAAA,EAAyB,sCAAA,EAAwC;AAAA,YACjF,QAAQ,MAAA,CAAO,KAAA,CAAM,MAAA,CAAO,GAAA,CAAI,CAAC,CAAA,KAAM,CAAA,EAAG,CAAA,CAAE,IAAA,CAAK,KAAK,GAAG,CAAC,CAAA,EAAA,EAAK,CAAA,CAAE,OAAO,CAAA,CAAE;AAAA,WAC1E;AAAA,SACF;AAAA,MACD;AAGA,MAAA,IAAI,OAAA,CAAQ,GAAA,IAAO,OAAA,CAAQ,GAAA,GAAM,IAAA,CAAK,MAAM,IAAA,CAAK,GAAA,EAAI,GAAI,GAAI,CAAA,EAAG;AAC/D,QAAA,OAAO;AAAA,UACN,OAAA,EAAS,KAAA;AAAA,UACT,KAAA,EAAOA,UAAAA,CAAU,YAAA,EAAc,wBAAwB;AAAA,SACxD;AAAA,MACD;AAGA,MAAA,IAAI,MAAA,CAAO,IAAA,CAAK,gBAAA,IAAoB,qBAAA,EAAuB;AAC1D,QAAA,MAAM,OAAA,GAAU,MAAM,qBAAA,CAAsB,MAAA,CAAO,KAAK,gBAAgB,CAAA;AACxE,QAAA,IAAI,OAAA,EAAS;AACZ,UAAA,OAAO;AAAA,YACN,OAAA,EAAS,KAAA;AAAA,YACT,KAAA,EAAOA,UAAAA,CAAU,YAAA,EAAc,6BAA6B;AAAA,WAC7D;AAAA,QACD;AAAA,MACD;AAEA,MAAA,OAAO;AAAA,QACN,OAAA,EAAS,IAAA;AAAA,QACT,IAAA,EAAM;AAAA,UACL,YAAY,MAAA,CAAO,IAAA;AAAA,UACnB,MAAA,EAAQ,KAAA;AAAA,UACR,MAAA,EAAQ,SAAA;AAAA,UACR,UAAU,IAAI,IAAA,CAAA,CAAM,OAAA,CAAQ,GAAA,IAAO,KAAK,GAAI,CAAA;AAAA,UAC5C,SAAA,EAAW,QAAQ,GAAA,GAAM,IAAI,KAAK,OAAA,CAAQ,GAAA,GAAM,GAAI,CAAA,GAAI;AAAA;AACzD,OACD;AAAA,IACD,SAAS,GAAA,EAAK;AAEb,MAAA,IAAI,GAAA,YAAeE,OAAW,UAAA,EAAY;AACzC,QAAA,OAAO;AAAA,UACN,OAAA,EAAS,KAAA;AAAA,UACT,KAAA,EAAOF,UAAAA,CAAU,YAAA,EAAc,wBAAwB;AAAA,SACxD;AAAA,MACD;AACA,MAAA,OAAO;AAAA,QACN,OAAA,EAAS,KAAA;AAAA,QACT,KAAA,EAAOA,UAAAA;AAAA,UACN,kBAAA;AAAA,UACA,GAAA,YAAe,KAAA,GAAQ,GAAA,CAAI,OAAA,GAAU;AAAA;AACtC,OACD;AAAA,IACD;AAAA,EACD;AAEA,EAAA,eAAe,sBAAA,CACd,IAC
A,WAAA,EACsC;AAEtC,IAAA,MAAM,MAAA,GAAS,0BAAA,CAA2B,SAAA,CAAU,EAAE,CAAA;AACtD,IAAA,IAAI,CAAC,OAAO,OAAA,EAAS;AACpB,MAAA,OAAO;AAAA,QACN,OAAA,EAAS,KAAA;AAAA,QACT,KAAA,EAAOA,UAAAA,CAAU,uBAAA,EAAyB,sCAAA,EAAwC;AAAA,UACjF,QAAQ,MAAA,CAAO,KAAA,CAAM,MAAA,CAAO,GAAA,CAAI,CAAC,CAAA,KAAM,CAAA,EAAG,CAAA,CAAE,IAAA,CAAK,KAAK,GAAG,CAAC,CAAA,EAAA,EAAK,CAAA,CAAE,OAAO,CAAA,CAAE;AAAA,SAC1E;AAAA,OACF;AAAA,IACD;AAEA,IAAA,MAAM,aAAa,MAAA,CAAO,IAAA;AAE1B,IAAA,IAAI,CAAC,WAAW,KAAA,EAAO;AACtB,MAAA,OAAO;AAAA,QACN,OAAA,EAAS,KAAA;AAAA,QACT,KAAA,EAAOA,UAAAA,CAAU,aAAA,EAAe,0CAA0C;AAAA,OAC3E;AAAA,IACD;AAEA,IAAA,IAAI,CAAC,UAAA,CAAW,KAAA,CAAM,GAAA,EAAK;AAC1B,MAAA,OAAO;AAAA,QACN,OAAA,EAAS,KAAA;AAAA,QACT,KAAA,EAAOA,UAAAA,CAAU,WAAA,EAAa,oCAAoC;AAAA,OACnE;AAAA,IACD;AAEA,IAAA,MAAM,SAAA,GAAY,eAAA,CAAgB,UAAA,CAAW,MAAM,CAAA;AAGnD,IAAA,MAAM,SAAA,GAAY,MAAM,UAAA,CAAW,SAAA,EAAW,WAAW,CAAA;AACzD,IAAA,IAAI,CAAC,SAAA,CAAU,OAAA,EAAS,OAAO,SAAA;AAE/B,IAAA,IAAI;AACH,MAAA,MAAM,SAAA,GAAY,MAAMC,SAAAA,CAAU,SAAA,CAAU,MAAM,OAAO,CAAA;AAGzD,MAAA,MAAM,EAAE,SAAQ,GAAI,MAAM,cAAc,UAAA,CAAW,KAAA,CAAM,KAAK,SAAS,CAAA;AAGvE,MAAA,MAAM,EAAE,KAAA,EAAO,MAAA,EAAQ,GAAG,gBAAe,GAAI,UAAA;AAC7C,MAAA,MAAM,aAAA,GAAgB,IAAI,WAAA,EAAY,CAAE,OAAO,OAAO,CAAA;AACtD,MAAA,MAAM,cAAA,GAAiB,IAAA,CAAK,SAAA,CAAU,cAAc,CAAA;AAEpD,MAAA,IAAI,kBAAkB,cAAA,EAAgB;AACrC,QAAA,OAAO;AAAA,UACN,OAAA,EAAS,KAAA;AAAA,UACT,KAAA,EAAOD,UAAAA,CAAU,aAAA,EAAe,sDAAsD;AAAA,SACvF;AAAA,MACD;AAGA,MAAA,IAAI,WAAW,cAAA,EAAgB;AAC9B,QAAA,MAAM,MAAA,GAAS,IAAI,IAAA,CAAK,UAAA,CAAW,cAAc,CAAA;AACjD,QAAA,IAAI,MAAA,oBAAU,IAAI,IAAA,EAAK,EAAG;AACzB,UAAA,OAAO;AAAA,YACN,OAAA,EAAS,KAAA;AAAA,YACT,KAAA,EAAOA,UAAAA,CAAU,YAAA,EAAc,wBAAwB;AAAA,WACxD;AAAA,QACD;AAAA,MACD;AAGA,MAAA,IAAI,UAAA,CAAW,oBAAoB,qBAAA,EAAuB;AACzD,QAAA,MAAM,OAAA,GAAU,MAAM,qBAAA,CAAsB,UAAA,CAAW,gBAAgB,CAAA;AACvE,QAAA,IAAI,OAAA,EAAS;AACZ,UAAA,OAAO;AAAA,YACN,OAAA,EAAS,KAAA;AAAA,YACT,KAAA,EAAOA,UAAAA,CAAU,YAAA,EAAc,6BAA6B;AAAA,WAC7D;AAAA,QACD;AAAA,MACD;AAEA,MAAA,OAAO;AAAA,QACN,OAAA,EAAS,IAAA;AAAA,QACT,IAAA,EAAM;AAAA,UACL,UAAA;AAAA,UACA,MAAA,EAAQ,SAA
A;AAAA,UACR,MAAA,EAAQ,SAAA;AAAA,UACR,QAAA,EAAU,IAAI,IAAA,CAAK,UAAA,CAAW,YAAY,CAAA;AAAA,UAC1C,WAAW,UAAA,CAAW,cAAA,GAAiB,IAAI,IAAA,CAAK,UAAA,CAAW,cAAc,CAAA,GAAI;AAAA;AAC9E,OACD;AAAA,IACD,SAAS,GAAA,EAAK;AACb,MAAA,OAAO;AAAA,QACN,OAAA,EAAS,KAAA;AAAA,QACT,KAAA,EAAOA,UAAAA;AAAA,UACN,kBAAA;AAAA,UACA,GAAA,YAAe,KAAA,GAAQ,GAAA,CAAI,OAAA,GAAU;AAAA;AACtC,OACD;AAAA,IACD;AAAA,EACD;AAIA,EAAA,eAAe,gBAAA,CACd,IACA,YAAA,EACsC;AACtC,IAAA,IAAI,OAAO,OAAO,QAAA,EAAU;AAC3B,MAAA,OAAO,mBAAA,CAAoB,IAAI,YAAY,CAAA;AAAA,IAC5C;AACA,IAAA,OAAO,sBAAA,CAAuB,IAAI,YAAY,CAAA;AAAA,EAC/C;AAEA,EAAA,eAAe,kBAAA,CACd,IACA,YAAA,EACwC;AACxC,IAAA,IAAI,YAAA;AAEJ,IAAA,IAAI,OAAO,OAAO,QAAA,EAAU;AAE3B,MAAA,IAAI;AACH,QAAA,MAAM,KAAA,GAAQ,EAAA,CAAG,KAAA,CAAM,GAAG,CAAA;AAC1B,QAAA,IAAI,MAAM,MAAA,KAAW,CAAA,IAAK,CAAC,KAAA,CAAM,CAAC,CAAA,EAAG;AACpC,UAAA,OAAO;AAAA,YACN,OAAA,EAAS,KAAA;AAAA,YACT,KAAA,EAAOA,UAAAA,CAAU,gBAAA,EAAkB,wCAAwC;AAAA,WAC5E;AAAA,QACD;AAEA,QAAA,MAAM,UAAA,GAAa,MAAM,CAAC,CAAA;AAC1B,QAAA,MAAM,aAAa,IAAA,CAAK,KAAA;AAAA,UACvB,IAAI,aAAY,CAAE,MAAA;AAAA,YACjB,UAAA,CAAW,IAAA;AAAA,cAAK,IAAA,CAAK,WAAW,OAAA,CAAQ,IAAA,EAAM,GAAG,CAAA,CAAE,OAAA,CAAQ,IAAA,EAAM,GAAG,CAAC,CAAA;AAAA,cAAG,CAAC,CAAA,KACxE,CAAA,CAAE,UAAA,CAAW,CAAC;AAAA;AACf;AACD,SACD;AAEA,QAAA,MAAM,YAAY,OAAO,UAAA,CAAW,GAAA,KAAQ,QAAA,GAAW,WAAW,GAAA,GAAM,IAAA;AACxE,QAAA,IAAI,CAAC,SAAA,EAAW;AACf,UAAA,OAAO;AAAA,YACN,OAAA,EAAS,KAAA;AAAA,YACT,KAAA,EAAOA,UAAAA,CAAU,cAAA,EAAgB,mCAAmC;AAAA,WACrE;AAAA,QACD;AAEA,QAAA,MAAM,SAAA,GAAY,MAAM,UAAA,CAAW,SAAA,EAAW,YAAY,CAAA;AAC1D,QAAA,IAAI,CAAC,SAAA,CAAU,OAAA,EAAS,OAAO,SAAA;AAE/B,QAAA,MAAM,SAAA,GAAY,MAAMC,SAAAA,CAAU,SAAA,CAAU,MAAM,OAAO,CAAA;AACzD,QAAA,MAAM,EAAE,OAAA,EAAQ,GAAI,MAAM,SAAA,CAAU,IAAI,SAAS,CAAA;AAEjD,QAAA,MAAM,UAAU,OAAA,CAAQ,EAAA;AACxB,QAAA,IAAI,CAAC,OAAA,EAAS;AACb,UAAA,OAAO;AAAA,YACN,OAAA,EAAS,KAAA;AAAA,YACT,KAAA,EAAOD,UAAAA,CAAU,qBAAA,EAAuB,iCAAiC;AAAA,WAC1E;AAAA,QACD;AAEA,QAAA,YAAA,GAAe,OAAA;AAAA,MAChB,SAAS,GAAA,EAAK;AACb,QAAA,OAAO;AAAA,UACN,OAAA,EAAS,KAAA;AAAA,UACT,KAAA,EAAOA,UAAAA;AAAA,YACN,kBAAA;AAAA,YACA,GAAA,YAAe
,KAAA,GAAQ,GAAA,CAAI,OAAA,GAAU;AAAA;AACtC,SACD;AAAA,MACD;AAAA,IACD,CAAA,MAAO;AACN,MAAA,YAAA,GAAe,EAAA;AAAA,IAChB;AAGA,IAAA,MAAM,MAAA,GAAS,4BAAA,CAA6B,SAAA,CAAU,YAAY,CAAA;AAClE,IAAA,IAAI,CAAC,OAAO,OAAA,EAAS;AACpB,MAAA,OAAO;AAAA,QACN,OAAA,EAAS,KAAA;AAAA,QACT,KAAA,EAAOA,UAAAA,CAAU,yBAAA,EAA2B,wCAAA,EAA0C;AAAA,UACrF,QAAQ,MAAA,CAAO,KAAA,CAAM,MAAA,CAAO,GAAA,CAAI,CAAC,CAAA,KAAM,CAAA,EAAG,CAAA,CAAE,IAAA,CAAK,KAAK,GAAG,CAAC,CAAA,EAAA,EAAK,CAAA,CAAE,OAAO,CAAA,CAAE;AAAA,SAC1E;AAAA,OACF;AAAA,IACD;AAGA,IAAA,MAAM,sBAA4C,EAAC;AACnD,IAAA,KAAA,MAAW,EAAA,IAAM,MAAA,CAAO,IAAA,CAAK,oBAAA,EAAsB;AAClD,MAAA,MAAM,MAAA,GAAS,MAAM,gBAAA,CAAiB,EAAA,EAAI,YAAY,CAAA;AACtD,MAAA,IAAI,CAAC,OAAO,OAAA,EAAS;AACpB,QAAA,OAAO;AAAA,UACN,OAAA,EAAS,KAAA;AAAA,UACT,KAAA,EAAOA,UAAAA;AAAA,YACN,oCAAA;AAAA,YACA,CAAA,6CAAA,EAAgD,MAAA,CAAO,KAAA,CAAM,OAAO,CAAA,CAAA;AAAA,YACpE,EAAE,aAAA,EAAe,MAAA,CAAO,KAAA;AAAM;AAC/B,SACD;AAAA,MACD;AACA,MAAA,mBAAA,CAAoB,IAAA,CAAK,OAAO,IAAI,CAAA;AAAA,IACrC;AAEA,IAAA,OAAO;AAAA,MACN,OAAA,EAAS,IAAA;AAAA,MACT,IAAA,EAAM;AAAA,QACL,cAAc,MAAA,CAAO,IAAA;AAAA,QACrB,WAAA,EAAa,mBAAA;AAAA,QACb,MAAA,EAAQ,MAAA,CAAO,IAAA,CAAK,MAAA,IAAU;AAAA;AAC/B,KACD;AAAA,EACD;AAEA,EAAA,SAAS,mBAAmB,EAAA,EAAgD;AAC3E,IAAA,MAAM,UAAU,EAAA,CAAG,iBAAA;AACnB,IAAA,OAAO;AAAA,MACN,OAAA,EAAS,OAAA,CAAQ,OAAA,IAAW,OAAA,CAAQ,EAAA,IAAM,IAAA;AAAA,MAC1C,WAAA,EAAa,OAAA,CAAQ,WAAA,IAAe,EAAC;AAAA,MACrC,UAAA,EAAY,QAAQ,UAAA,IAAc,IAAA;AAAA,MAClC,eAAA,EAAiB,OAAA,CAAQ,eAAA,IAAmB;AAAC,KAC9C;AAAA,EACD;AAEA,EAAA,OAAO;AAAA,IACN,gBAAA;AAAA,IACA,kBAAA;AAAA,IACA;AAAA,GACD;AACD","file":"chunk-NSTER7KE.js","sourcesContent":["/**\n * W3C Verifiable Credentials Data Model 2.0 types for KavachOS.\n *\n * Defines Zod-validated schemas for credentials, presentations,\n * proofs, and credential status. 
Agent-centric: the credential\n * subject carries agent identity, permissions, trust level, and\n * delegation scope.\n */\n\nimport { z } from \"zod\";\n\n// ─── W3C VC Constants ────────────────────────────────────────────────────────\n\nexport const VC_CONTEXT_V2 = \"https://www.w3.org/ns/credentials/v2\";\nexport const VC_CONTEXT_V1 = \"https://www.w3.org/2018/credentials/v1\";\nexport const VC_TYPE_CREDENTIAL = \"VerifiableCredential\";\nexport const VC_TYPE_PRESENTATION = \"VerifiablePresentation\";\n\n// KavachOS-specific credential types\nexport const KAVACH_AGENT_CREDENTIAL = \"KavachAgentCredential\";\nexport const KAVACH_PERMISSION_CREDENTIAL = \"KavachPermissionCredential\";\nexport const KAVACH_DELEGATION_CREDENTIAL = \"KavachDelegationCredential\";\n\n// ─── Proof Types ─────────────────────────────────────────────────────────────\n\nexport const ProofSchema = z.object({\n\ttype: z.enum([\"Ed25519Signature2020\", \"JsonWebSignature2020\"]),\n\tcreated: z.string(),\n\tverificationMethod: z.string(),\n\tproofPurpose: z.enum([\"assertionMethod\", \"authentication\"]),\n\tproofValue: z.string().optional(),\n\tjws: z.string().optional(),\n});\n\nexport type Proof = z.infer<typeof ProofSchema>;\n\n// ─── Credential Status ──────────────────────────────────────────────────────\n\nexport const CredentialStatusSchema = z.object({\n\tid: z.string(),\n\ttype: z.string(),\n\tstatusPurpose: z.enum([\"revocation\", \"suspension\"]),\n\tstatusListIndex: z.number().int().nonnegative(),\n\tstatusListCredential: z.string(),\n});\n\nexport type CredentialStatus = z.infer<typeof CredentialStatusSchema>;\n\n// ─── Credential Subject ─────────────────────────────────────────────────────\n\nexport const CredentialSubjectSchema = z.object({\n\tid: z.string().optional(),\n\tagentId: z.string().optional(),\n\tpermissions: z.array(z.string()).optional(),\n\ttrustLevel: z.number().min(0).max(1).optional(),\n\tdelegationScope: z.array(z.string()).optional(),\n\tdelegationChain: 
z\n\t\t.array(\n\t\t\tz.object({\n\t\t\t\tdelegator: z.string(),\n\t\t\t\tdelegatee: z.string(),\n\t\t\t\tpermissions: z.array(z.string()),\n\t\t\t\tcreatedAt: z.string(),\n\t\t\t}),\n\t\t)\n\t\t.optional(),\n\tname: z.string().optional(),\n\ttype: z.string().optional(),\n});\n\nexport type CredentialSubject = z.infer<typeof CredentialSubjectSchema>;\n\n// ─── Verifiable Credential ──────────────────────────────────────────────────\n\nexport const VerifiableCredentialSchema = z.object({\n\t\"@context\": z.array(z.string()).min(1),\n\tid: z.string().optional(),\n\ttype: z.array(z.string()).min(1),\n\tissuer: z.union([z.string(), z.object({ id: z.string(), name: z.string().optional() })]),\n\tissuanceDate: z.string(),\n\texpirationDate: z.string().optional(),\n\tcredentialSubject: CredentialSubjectSchema,\n\tcredentialStatus: CredentialStatusSchema.optional(),\n\tproof: ProofSchema.optional(),\n});\n\nexport type VerifiableCredential = z.infer<typeof VerifiableCredentialSchema>;\n\n// ─── Verifiable Presentation ────────────────────────────────────────────────\n\nexport const VerifiablePresentationSchema = z.object({\n\t\"@context\": z.array(z.string()).min(1),\n\tid: z.string().optional(),\n\ttype: z.array(z.string()).min(1),\n\tholder: z.string().optional(),\n\tverifiableCredential: z.array(VerifiableCredentialSchema).min(1),\n\tproof: ProofSchema.optional(),\n});\n\nexport type VerifiablePresentation = z.infer<typeof VerifiablePresentationSchema>;\n\n// ─── Issuer Config ──────────────────────────────────────────────────────────\n\nexport interface VCIssuerConfig {\n\t/** DID of the issuer (e.g. did:key:z6Mk...) */\n\tissuerDid: string;\n\t/** Private key JWK for signing credentials */\n\tprivateKeyJwk: JsonWebKey;\n\t/** Public key JWK for verification method references */\n\tpublicKeyJwk: JsonWebKey;\n\t/** Default credential lifetime in seconds. Default: 86400 (24 hours). */\n\tdefaultTtl?: number;\n\t/** Credential status endpoint base URL (for revocation). 
Optional. */\n\tstatusEndpoint?: string;\n}\n\n// ─── Verifier Config ────────────────────────────────────────────────────────\n\nexport interface VCVerifierConfig {\n\t/**\n\t * Resolve a DID to its public key JWK.\n\t * If not provided, only credentials with a known public key can be verified.\n\t */\n\tresolveDidKey?: (did: string) => Promise<JsonWebKey | null>;\n\t/**\n\t * Check credential revocation status.\n\t * If not provided, revocation checks are skipped.\n\t */\n\tcheckRevocationStatus?: (status: CredentialStatus) => Promise<boolean>;\n}\n\n// ─── JWT VC Types ───────────────────────────────────────────────────────────\n\n/** Claims embedded in a JWT-encoded Verifiable Credential */\nexport interface VCJwtPayload {\n\tiss: string;\n\tsub?: string;\n\tvc: Omit<VerifiableCredential, \"proof\">;\n\tiat: number;\n\texp?: number;\n\tjti?: string;\n}\n\n/** The format a credential was issued in */\nexport type CredentialFormat = \"jwt\" | \"json-ld\";\n\n/** Result of a successful credential verification */\nexport interface VerifiedCredential {\n\tcredential: VerifiableCredential;\n\tformat: CredentialFormat;\n\tissuer: string;\n\tissuedAt: Date;\n\texpiresAt: Date | null;\n}\n\n/** Result of a successful presentation verification */\nexport interface VerifiedPresentation {\n\tpresentation: VerifiablePresentation;\n\tcredentials: VerifiedCredential[];\n\tholder: string | null;\n}\n\n/** Extracted permissions from a verified credential */\nexport interface ExtractedPermissions {\n\tagentId: string | null;\n\tpermissions: string[];\n\ttrustLevel: number | null;\n\tdelegationScope: string[];\n}\n","/**\n * W3C Verifiable Credential issuance for KavachOS.\n *\n * Issues VCs as JWT (compact JWS) or JSON-LD with embedded proof.\n * Credentials encode agent identity, permissions, and delegation chains\n * so agents can prove their capabilities to any verifier without\n * a network call back to KavachOS.\n */\n\nimport { importJWK, SignJWT } from \"jose\";\nimport { 
generateId } from \"../crypto/web-crypto.js\";\nimport type { KavachError, Result } from \"../mcp/types.js\";\nimport type {\n\tCredentialFormat,\n\tCredentialSubject,\n\tProof,\n\tVCIssuerConfig,\n\tVerifiableCredential,\n} from \"./types.js\";\nimport {\n\tKAVACH_AGENT_CREDENTIAL,\n\tKAVACH_DELEGATION_CREDENTIAL,\n\tKAVACH_PERMISSION_CREDENTIAL,\n\tVC_CONTEXT_V2,\n\tVC_TYPE_CREDENTIAL,\n} from \"./types.js\";\n\n// ─── Constants ──────────────────────────────────────────────────────────────\n\nconst DEFAULT_TTL_SECONDS = 86400; // 24 hours\n\n// ─── Helpers ────────────────────────────────────────────────────────────────\n\nfunction makeError(code: string, message: string, details?: Record<string, unknown>): KavachError {\n\treturn { code, message, ...(details !== undefined ? { details } : {}) };\n}\n\nfunction nowISO(): string {\n\treturn new Date().toISOString();\n}\n\nfunction futureISO(seconds: number): string {\n\treturn new Date(Date.now() + seconds * 1000).toISOString();\n}\n\n// ─── Agent Credential Input ─────────────────────────────────────────────────\n\nexport interface IssueAgentCredentialInput {\n\t/** Agent ID (used as credentialSubject.id and sub claim) */\n\tagentId: string;\n\t/** Agent name */\n\tname?: string;\n\t/** Agent type (e.g. \"autonomous\", \"supervised\") */\n\tagentType?: string;\n\t/** Permissions granted to this agent */\n\tpermissions?: string[];\n\t/** Trust score between 0 and 1 */\n\ttrustLevel?: number;\n\t/** Credential lifetime in seconds. Overrides the issuer default. */\n\tttl?: number;\n\t/** Output format. Default: \"jwt\". */\n\tformat?: CredentialFormat;\n}\n\n// ─── Permission Credential Input ────────────────────────────────────────────\n\nexport interface IssuePermissionCredentialInput {\n\t/** Agent DID or ID that receives the permissions */\n\tagentId: string;\n\t/** Permissions being granted */\n\tpermissions: string[];\n\t/** Credential lifetime in seconds. Overrides the issuer default. 
*/\n\tttl?: number;\n\t/** Output format. Default: \"jwt\". */\n\tformat?: CredentialFormat;\n}\n\n// ─── Delegation Credential Input ────────────────────────────────────────────\n\nexport interface DelegationLink {\n\tdelegator: string;\n\tdelegatee: string;\n\tpermissions: string[];\n\tcreatedAt: string;\n}\n\nexport interface IssueDelegationCredentialInput {\n\t/** The agent at the end of the delegation chain */\n\tagentId: string;\n\t/** Ordered delegation chain from root to leaf */\n\tchain: DelegationLink[];\n\t/** Scope of delegated permissions (subset of original) */\n\tdelegationScope?: string[];\n\t/** Credential lifetime in seconds. Overrides the issuer default. */\n\tttl?: number;\n\t/** Output format. Default: \"jwt\". */\n\tformat?: CredentialFormat;\n}\n\n// ─── VC Issuer Interface ────────────────────────────────────────────────────\n\nexport interface VCIssuer {\n\t/** Issue a VC encoding agent identity, permissions, and trust score */\n\tissueAgentCredential(\n\t\tinput: IssueAgentCredentialInput,\n\t): Promise<Result<{ credential: VerifiableCredential; jwt?: string }>>;\n\t/** Issue a VC for specific permission grants */\n\tissuePermissionCredential(\n\t\tinput: IssuePermissionCredentialInput,\n\t): Promise<Result<{ credential: VerifiableCredential; jwt?: string }>>;\n\t/** Issue a VC encoding a delegation chain */\n\tissueDelegationCredential(\n\t\tinput: IssueDelegationCredentialInput,\n\t): Promise<Result<{ credential: VerifiableCredential; jwt?: string }>>;\n\t/** The DID of this issuer */\n\treadonly issuerDid: string;\n}\n\n// ─── Factory ────────────────────────────────────────────────────────────────\n\n/**\n * Create a VC issuer bound to a specific DID and keypair.\n *\n * The issuer can produce credentials in JWT or JSON-LD format.\n * JWT credentials are signed as a compact JWS with the VC embedded\n * in the `vc` claim. 
JSON-LD credentials carry an embedded proof.\n */\nexport function createVCIssuer(config: VCIssuerConfig): VCIssuer {\n\tconst { issuerDid, privateKeyJwk, defaultTtl = DEFAULT_TTL_SECONDS } = config;\n\n\tconst kid = `${issuerDid}#${issuerDid.split(\":\").pop() ?? \"key-1\"}`;\n\n\tasync function signAsJwt(\n\t\tcredential: VerifiableCredential,\n\t\tsubject: string | undefined,\n\t\tttl: number,\n\t): Promise<Result<{ credential: VerifiableCredential; jwt: string }>> {\n\t\ttry {\n\t\t\tconst key = await importJWK(privateKeyJwk, \"EdDSA\");\n\n\t\t\t// Strip proof from the VC when embedding in JWT — the JWT signature is the proof\n\t\t\tconst { proof: _proof, ...vcWithoutProof } = credential;\n\n\t\t\tconst builder = new SignJWT({\n\t\t\t\tvc: vcWithoutProof,\n\t\t\t})\n\t\t\t\t.setProtectedHeader({ alg: \"EdDSA\", kid, typ: \"JWT\" })\n\t\t\t\t.setIssuer(issuerDid)\n\t\t\t\t.setIssuedAt()\n\t\t\t\t.setExpirationTime(Math.floor(Date.now() / 1000) + ttl);\n\n\t\t\tif (credential.id) {\n\t\t\t\tbuilder.setJti(credential.id);\n\t\t\t}\n\t\t\tif (subject) {\n\t\t\t\tbuilder.setSubject(subject);\n\t\t\t}\n\n\t\t\tconst jwt = await builder.sign(key);\n\t\t\treturn { success: true, data: { credential, jwt } };\n\t\t} catch (err) {\n\t\t\treturn {\n\t\t\t\tsuccess: false,\n\t\t\t\terror: makeError(\n\t\t\t\t\t\"VC_SIGN_FAILED\",\n\t\t\t\t\terr instanceof Error ? 
err.message : \"Failed to sign credential as JWT\",\n\t\t\t\t),\n\t\t\t};\n\t\t}\n\t}\n\n\tasync function signAsJsonLd(\n\t\tcredential: VerifiableCredential,\n\t): Promise<Result<{ credential: VerifiableCredential }>> {\n\t\ttry {\n\t\t\tconst key = await importJWK(privateKeyJwk, \"EdDSA\");\n\n\t\t\t// Create a JWS over the credential without proof\n\t\t\tconst { proof: _proof, ...vcWithoutProof } = credential;\n\t\t\tconst payload = new TextEncoder().encode(JSON.stringify(vcWithoutProof));\n\n\t\t\tconst { CompactSign } = await import(\"jose\");\n\t\t\tconst jws = await new CompactSign(payload)\n\t\t\t\t.setProtectedHeader({ alg: \"EdDSA\", kid })\n\t\t\t\t.sign(key);\n\n\t\t\tconst proof: Proof = {\n\t\t\t\ttype: \"JsonWebSignature2020\",\n\t\t\t\tcreated: nowISO(),\n\t\t\t\tverificationMethod: kid,\n\t\t\t\tproofPurpose: \"assertionMethod\",\n\t\t\t\tjws,\n\t\t\t};\n\n\t\t\tconst signedCredential: VerifiableCredential = {\n\t\t\t\t...credential,\n\t\t\t\tproof,\n\t\t\t};\n\n\t\t\treturn { success: true, data: { credential: signedCredential } };\n\t\t} catch (err) {\n\t\t\treturn {\n\t\t\t\tsuccess: false,\n\t\t\t\terror: makeError(\n\t\t\t\t\t\"VC_SIGN_FAILED\",\n\t\t\t\t\terr instanceof Error ? err.message : \"Failed to sign credential as JSON-LD\",\n\t\t\t\t),\n\t\t\t};\n\t\t}\n\t}\n\n\tfunction buildCredential(\n\t\ttypes: string[],\n\t\tsubject: CredentialSubject,\n\t\tttl: number,\n\t\texpirationDate?: string,\n\t): VerifiableCredential {\n\t\treturn {\n\t\t\t\"@context\": [VC_CONTEXT_V2],\n\t\t\tid: `urn:uuid:${generateId()}`,\n\t\t\ttype: [VC_TYPE_CREDENTIAL, ...types],\n\t\t\tissuer: issuerDid,\n\t\t\tissuanceDate: nowISO(),\n\t\t\texpirationDate: expirationDate ?? 
futureISO(ttl),\n\t\t\tcredentialSubject: subject,\n\t\t};\n\t}\n\n\tasync function signCredential(\n\t\tcredential: VerifiableCredential,\n\t\tsubject: string | undefined,\n\t\tttl: number,\n\t\tformat: CredentialFormat,\n\t): Promise<Result<{ credential: VerifiableCredential; jwt?: string }>> {\n\t\tif (format === \"jwt\") {\n\t\t\treturn signAsJwt(credential, subject, ttl);\n\t\t}\n\t\treturn signAsJsonLd(credential);\n\t}\n\n\t// ── Public API ────────────────────────────────────────────────────────\n\n\tasync function issueAgentCredential(\n\t\tinput: IssueAgentCredentialInput,\n\t): Promise<Result<{ credential: VerifiableCredential; jwt?: string }>> {\n\t\tconst {\n\t\t\tagentId,\n\t\t\tname,\n\t\t\tagentType,\n\t\t\tpermissions,\n\t\t\ttrustLevel,\n\t\t\tttl = defaultTtl,\n\t\t\tformat = \"jwt\",\n\t\t} = input;\n\n\t\tif (!agentId) {\n\t\t\treturn {\n\t\t\t\tsuccess: false,\n\t\t\t\terror: makeError(\"VC_INVALID_INPUT\", \"agentId is required\"),\n\t\t\t};\n\t\t}\n\n\t\tif (trustLevel !== undefined && (trustLevel < 0 || trustLevel > 1)) {\n\t\t\treturn {\n\t\t\t\tsuccess: false,\n\t\t\t\terror: makeError(\"VC_INVALID_INPUT\", \"trustLevel must be between 0 and 1\"),\n\t\t\t};\n\t\t}\n\n\t\tconst subject: CredentialSubject = {\n\t\t\tid: agentId,\n\t\t\tagentId,\n\t\t\t...(name !== undefined ? { name } : {}),\n\t\t\t...(agentType !== undefined ? { type: agentType } : {}),\n\t\t\t...(permissions !== undefined ? { permissions } : {}),\n\t\t\t...(trustLevel !== undefined ? 
{ trustLevel } : {}),\n\t\t};\n\n\t\tconst credential = buildCredential([KAVACH_AGENT_CREDENTIAL], subject, ttl);\n\t\treturn signCredential(credential, agentId, ttl, format);\n\t}\n\n\tasync function issuePermissionCredential(\n\t\tinput: IssuePermissionCredentialInput,\n\t): Promise<Result<{ credential: VerifiableCredential; jwt?: string }>> {\n\t\tconst { agentId, permissions, ttl = defaultTtl, format = \"jwt\" } = input;\n\n\t\tif (!agentId) {\n\t\t\treturn {\n\t\t\t\tsuccess: false,\n\t\t\t\terror: makeError(\"VC_INVALID_INPUT\", \"agentId is required\"),\n\t\t\t};\n\t\t}\n\n\t\tif (!permissions || permissions.length === 0) {\n\t\t\treturn {\n\t\t\t\tsuccess: false,\n\t\t\t\terror: makeError(\"VC_INVALID_INPUT\", \"At least one permission is required\"),\n\t\t\t};\n\t\t}\n\n\t\tconst subject: CredentialSubject = {\n\t\t\tid: agentId,\n\t\t\tagentId,\n\t\t\tpermissions,\n\t\t};\n\n\t\tconst credential = buildCredential([KAVACH_PERMISSION_CREDENTIAL], subject, ttl);\n\t\treturn signCredential(credential, agentId, ttl, format);\n\t}\n\n\tasync function issueDelegationCredential(\n\t\tinput: IssueDelegationCredentialInput,\n\t): Promise<Result<{ credential: VerifiableCredential; jwt?: string }>> {\n\t\tconst { agentId, chain, delegationScope, ttl = defaultTtl, format = \"jwt\" } = input;\n\n\t\tif (!agentId) {\n\t\t\treturn {\n\t\t\t\tsuccess: false,\n\t\t\t\terror: makeError(\"VC_INVALID_INPUT\", \"agentId is required\"),\n\t\t\t};\n\t\t}\n\n\t\tif (!chain || chain.length === 0) {\n\t\t\treturn {\n\t\t\t\tsuccess: false,\n\t\t\t\terror: makeError(\"VC_INVALID_INPUT\", \"Delegation chain must have at least one link\"),\n\t\t\t};\n\t\t}\n\n\t\tconst subject: CredentialSubject = {\n\t\t\tid: agentId,\n\t\t\tagentId,\n\t\t\tdelegationChain: chain,\n\t\t\t...(delegationScope !== undefined ? 
{ delegationScope } : {}),\n\t\t};\n\n\t\tconst credential = buildCredential([KAVACH_DELEGATION_CREDENTIAL], subject, ttl);\n\t\treturn signCredential(credential, agentId, ttl, format);\n\t}\n\n\treturn {\n\t\tissueAgentCredential,\n\t\tissuePermissionCredential,\n\t\tissueDelegationCredential,\n\t\tissuerDid,\n\t};\n}\n","/**\n * W3C Verifiable Credential verification for KavachOS.\n *\n * Verifies credentials in both JWT and JSON-LD formats. Checks\n * signatures, expiry, and optional revocation status. Extracts\n * KavachOS-specific permissions from verified credentials.\n */\n\nimport { compactVerify, importJWK, errors as joseErrors, jwtVerify } from \"jose\";\nimport type { KavachError, Result } from \"../mcp/types.js\";\nimport type {\n\tCredentialFormat,\n\tExtractedPermissions,\n\tVCVerifierConfig,\n\tVerifiableCredential,\n\tVerifiablePresentation,\n\tVerifiedCredential,\n\tVerifiedPresentation,\n} from \"./types.js\";\nimport { VerifiableCredentialSchema, VerifiablePresentationSchema } from \"./types.js\";\n\n// ─── Helpers ────────────────────────────────────────────────────────────────\n\nfunction makeError(code: string, message: string, details?: Record<string, unknown>): KavachError {\n\treturn { code, message, ...(details !== undefined ? 
{ details } : {}) };\n}\n\nfunction getIssuerString(issuer: string | { id: string; name?: string }): string {\n\tif (typeof issuer === \"string\") return issuer;\n\treturn issuer.id;\n}\n\n// ─── VC Verifier Interface ──────────────────────────────────────────────────\n\nexport interface VCVerifier {\n\t/** Verify a single credential (JWT string or JSON-LD object) */\n\tverifyCredential(\n\t\tvc: string | VerifiableCredential,\n\t\tpublicKeyJwk?: JsonWebKey,\n\t): Promise<Result<VerifiedCredential>>;\n\t/** Verify a presentation containing multiple VCs */\n\tverifyPresentation(\n\t\tvp: string | VerifiablePresentation,\n\t\tpublicKeyJwk?: JsonWebKey,\n\t): Promise<Result<VerifiedPresentation>>;\n\t/** Extract KavachOS permissions from a verified credential */\n\textractPermissions(vc: VerifiableCredential): ExtractedPermissions;\n}\n\n// ─── Factory ────────────────────────────────────────────────────────────────\n\n/**\n * Create a VC verifier that checks signatures, expiry, and revocation.\n *\n * The verifier accepts both JWT-encoded and JSON-LD credentials.\n * For JWT credentials, pass the compact JWS string. 
For JSON-LD\n * credentials with embedded proof, pass the credential object.\n */\nexport function createVCVerifier(config: VCVerifierConfig = {}): VCVerifier {\n\tconst { resolveDidKey, checkRevocationStatus } = config;\n\n\tasync function resolveKey(did: string, providedKey?: JsonWebKey): Promise<Result<JsonWebKey>> {\n\t\tif (providedKey) {\n\t\t\treturn { success: true, data: providedKey };\n\t\t}\n\n\t\tif (resolveDidKey) {\n\t\t\tconst resolved = await resolveDidKey(did);\n\t\t\tif (resolved) {\n\t\t\t\treturn { success: true, data: resolved };\n\t\t\t}\n\t\t}\n\n\t\treturn {\n\t\t\tsuccess: false,\n\t\t\terror: makeError(\"VC_KEY_NOT_FOUND\", `Could not resolve public key for DID: ${did}`),\n\t\t};\n\t}\n\n\tasync function verifyJwtCredential(\n\t\tjwt: string,\n\t\tprovidedKey?: JsonWebKey,\n\t): Promise<Result<VerifiedCredential>> {\n\t\ttry {\n\t\t\t// Decode the header to get the kid, then resolve the key\n\t\t\tconst parts = jwt.split(\".\");\n\t\t\tif (parts.length !== 3) {\n\t\t\t\treturn {\n\t\t\t\t\tsuccess: false,\n\t\t\t\t\terror: makeError(\"VC_INVALID_JWT\", \"JWT must have three parts\"),\n\t\t\t\t};\n\t\t\t}\n\n\t\t\t// First pass: decode without verification to extract issuer\n\t\t\tconst payloadB64 = parts[1];\n\t\t\tif (!payloadB64) {\n\t\t\t\treturn {\n\t\t\t\t\tsuccess: false,\n\t\t\t\t\terror: makeError(\"VC_INVALID_JWT\", \"JWT payload is missing\"),\n\t\t\t\t};\n\t\t\t}\n\t\t\tconst rawPayload = JSON.parse(\n\t\t\t\tnew TextDecoder().decode(\n\t\t\t\t\tUint8Array.from(atob(payloadB64.replace(/-/g, \"+\").replace(/_/g, \"/\")), (c) =>\n\t\t\t\t\t\tc.charCodeAt(0),\n\t\t\t\t\t),\n\t\t\t\t),\n\t\t\t) as Record<string, unknown>;\n\n\t\t\tconst issuerDid = typeof rawPayload.iss === \"string\" ? 
rawPayload.iss : null;\n\t\t\tif (!issuerDid) {\n\t\t\t\treturn {\n\t\t\t\t\tsuccess: false,\n\t\t\t\t\terror: makeError(\"VC_NO_ISSUER\", \"JWT has no iss claim\"),\n\t\t\t\t};\n\t\t\t}\n\n\t\t\t// Resolve key\n\t\t\tconst keyResult = await resolveKey(issuerDid, providedKey);\n\t\t\tif (!keyResult.success) return keyResult;\n\n\t\t\tconst publicKey = await importJWK(keyResult.data, \"EdDSA\");\n\t\t\tconst { payload } = await jwtVerify(jwt, publicKey);\n\n\t\t\tconst vcClaim = payload.vc as Record<string, unknown> | undefined;\n\t\t\tif (!vcClaim) {\n\t\t\t\treturn {\n\t\t\t\t\tsuccess: false,\n\t\t\t\t\terror: makeError(\"VC_MISSING_VC_CLAIM\", \"JWT does not contain a vc claim\"),\n\t\t\t\t};\n\t\t\t}\n\n\t\t\t// Reconstruct the full credential from the JWT claims\n\t\t\tconst credential: VerifiableCredential = {\n\t\t\t\t...(vcClaim as unknown as VerifiableCredential),\n\t\t\t\tissuer: issuerDid,\n\t\t\t};\n\n\t\t\t// Validate against schema\n\t\t\tconst parsed = VerifiableCredentialSchema.safeParse(credential);\n\t\t\tif (!parsed.success) {\n\t\t\t\treturn {\n\t\t\t\t\tsuccess: false,\n\t\t\t\t\terror: makeError(\"VC_INVALID_CREDENTIAL\", \"Credential does not match W3C schema\", {\n\t\t\t\t\t\tissues: parsed.error.issues.map((i) => `${i.path.join(\".\")}: ${i.message}`),\n\t\t\t\t\t}),\n\t\t\t\t};\n\t\t\t}\n\n\t\t\t// Check expiry\n\t\t\tif (payload.exp && payload.exp < Math.floor(Date.now() / 1000)) {\n\t\t\t\treturn {\n\t\t\t\t\tsuccess: false,\n\t\t\t\t\terror: makeError(\"VC_EXPIRED\", \"Credential has expired\"),\n\t\t\t\t};\n\t\t\t}\n\n\t\t\t// Check revocation\n\t\t\tif (parsed.data.credentialStatus && checkRevocationStatus) {\n\t\t\t\tconst revoked = await checkRevocationStatus(parsed.data.credentialStatus);\n\t\t\t\tif (revoked) {\n\t\t\t\t\treturn {\n\t\t\t\t\t\tsuccess: false,\n\t\t\t\t\t\terror: makeError(\"VC_REVOKED\", \"Credential has been revoked\"),\n\t\t\t\t\t};\n\t\t\t\t}\n\t\t\t}\n\n\t\t\treturn {\n\t\t\t\tsuccess: true,\n\t\t\t\tdata: 
{\n\t\t\t\t\tcredential: parsed.data,\n\t\t\t\t\tformat: \"jwt\" as CredentialFormat,\n\t\t\t\t\tissuer: issuerDid,\n\t\t\t\t\tissuedAt: new Date((payload.iat ?? 0) * 1000),\n\t\t\t\t\texpiresAt: payload.exp ? new Date(payload.exp * 1000) : null,\n\t\t\t\t},\n\t\t\t};\n\t\t} catch (err) {\n\t\t\t// Distinguish between expiry and other errors\n\t\t\tif (err instanceof joseErrors.JWTExpired) {\n\t\t\t\treturn {\n\t\t\t\t\tsuccess: false,\n\t\t\t\t\terror: makeError(\"VC_EXPIRED\", \"Credential has expired\"),\n\t\t\t\t};\n\t\t\t}\n\t\t\treturn {\n\t\t\t\tsuccess: false,\n\t\t\t\terror: makeError(\n\t\t\t\t\t\"VC_VERIFY_FAILED\",\n\t\t\t\t\terr instanceof Error ? err.message : \"Failed to verify JWT credential\",\n\t\t\t\t),\n\t\t\t};\n\t\t}\n\t}\n\n\tasync function verifyJsonLdCredential(\n\t\tvc: VerifiableCredential,\n\t\tprovidedKey?: JsonWebKey,\n\t): Promise<Result<VerifiedCredential>> {\n\t\t// Validate schema\n\t\tconst parsed = VerifiableCredentialSchema.safeParse(vc);\n\t\tif (!parsed.success) {\n\t\t\treturn {\n\t\t\t\tsuccess: false,\n\t\t\t\terror: makeError(\"VC_INVALID_CREDENTIAL\", \"Credential does not match W3C schema\", {\n\t\t\t\t\tissues: parsed.error.issues.map((i) => `${i.path.join(\".\")}: ${i.message}`),\n\t\t\t\t}),\n\t\t\t};\n\t\t}\n\n\t\tconst credential = parsed.data;\n\n\t\tif (!credential.proof) {\n\t\t\treturn {\n\t\t\t\tsuccess: false,\n\t\t\t\terror: makeError(\"VC_NO_PROOF\", \"JSON-LD credential has no embedded proof\"),\n\t\t\t};\n\t\t}\n\n\t\tif (!credential.proof.jws) {\n\t\t\treturn {\n\t\t\t\tsuccess: false,\n\t\t\t\terror: makeError(\"VC_NO_JWS\", \"Proof does not contain a JWS value\"),\n\t\t\t};\n\t\t}\n\n\t\tconst issuerDid = getIssuerString(credential.issuer);\n\n\t\t// Resolve key\n\t\tconst keyResult = await resolveKey(issuerDid, providedKey);\n\t\tif (!keyResult.success) return keyResult;\n\n\t\ttry {\n\t\t\tconst publicKey = await importJWK(keyResult.data, \"EdDSA\");\n\n\t\t\t// Verify the JWS\n\t\t\tconst { payload } 
= await compactVerify(credential.proof.jws, publicKey);\n\n\t\t\t// Compare signed content against current credential (minus proof)\n\t\t\tconst { proof: _proof, ...vcWithoutProof } = credential;\n\t\t\tconst signedContent = new TextDecoder().decode(payload);\n\t\t\tconst currentContent = JSON.stringify(vcWithoutProof);\n\n\t\t\tif (signedContent !== currentContent) {\n\t\t\t\treturn {\n\t\t\t\t\tsuccess: false,\n\t\t\t\t\terror: makeError(\"VC_TAMPERED\", \"Credential content does not match the signed payload\"),\n\t\t\t\t};\n\t\t\t}\n\n\t\t\t// Check expiry\n\t\t\tif (credential.expirationDate) {\n\t\t\t\tconst expiry = new Date(credential.expirationDate);\n\t\t\t\tif (expiry <= new Date()) {\n\t\t\t\t\treturn {\n\t\t\t\t\t\tsuccess: false,\n\t\t\t\t\t\terror: makeError(\"VC_EXPIRED\", \"Credential has expired\"),\n\t\t\t\t\t};\n\t\t\t\t}\n\t\t\t}\n\n\t\t\t// Check revocation\n\t\t\tif (credential.credentialStatus && checkRevocationStatus) {\n\t\t\t\tconst revoked = await checkRevocationStatus(credential.credentialStatus);\n\t\t\t\tif (revoked) {\n\t\t\t\t\treturn {\n\t\t\t\t\t\tsuccess: false,\n\t\t\t\t\t\terror: makeError(\"VC_REVOKED\", \"Credential has been revoked\"),\n\t\t\t\t\t};\n\t\t\t\t}\n\t\t\t}\n\n\t\t\treturn {\n\t\t\t\tsuccess: true,\n\t\t\t\tdata: {\n\t\t\t\t\tcredential,\n\t\t\t\t\tformat: \"json-ld\" as CredentialFormat,\n\t\t\t\t\tissuer: issuerDid,\n\t\t\t\t\tissuedAt: new Date(credential.issuanceDate),\n\t\t\t\t\texpiresAt: credential.expirationDate ? new Date(credential.expirationDate) : null,\n\t\t\t\t},\n\t\t\t};\n\t\t} catch (err) {\n\t\t\treturn {\n\t\t\t\tsuccess: false,\n\t\t\t\terror: makeError(\n\t\t\t\t\t\"VC_VERIFY_FAILED\",\n\t\t\t\t\terr instanceof Error ? 
err.message : \"Failed to verify JSON-LD credential\",\n\t\t\t\t),\n\t\t\t};\n\t\t}\n\t}\n\n\t// ── Public API ────────────────────────────────────────────────────────\n\n\tasync function verifyCredential(\n\t\tvc: string | VerifiableCredential,\n\t\tpublicKeyJwk?: JsonWebKey,\n\t): Promise<Result<VerifiedCredential>> {\n\t\tif (typeof vc === \"string\") {\n\t\t\treturn verifyJwtCredential(vc, publicKeyJwk);\n\t\t}\n\t\treturn verifyJsonLdCredential(vc, publicKeyJwk);\n\t}\n\n\tasync function verifyPresentation(\n\t\tvp: string | VerifiablePresentation,\n\t\tpublicKeyJwk?: JsonWebKey,\n\t): Promise<Result<VerifiedPresentation>> {\n\t\tlet presentation: VerifiablePresentation;\n\n\t\tif (typeof vp === \"string\") {\n\t\t\t// JWT-encoded presentation\n\t\t\ttry {\n\t\t\t\tconst parts = vp.split(\".\");\n\t\t\t\tif (parts.length !== 3 || !parts[1]) {\n\t\t\t\t\treturn {\n\t\t\t\t\t\tsuccess: false,\n\t\t\t\t\t\terror: makeError(\"VC_INVALID_JWT\", \"Presentation JWT must have three parts\"),\n\t\t\t\t\t};\n\t\t\t\t}\n\n\t\t\t\tconst payloadB64 = parts[1];\n\t\t\t\tconst rawPayload = JSON.parse(\n\t\t\t\t\tnew TextDecoder().decode(\n\t\t\t\t\t\tUint8Array.from(atob(payloadB64.replace(/-/g, \"+\").replace(/_/g, \"/\")), (c) =>\n\t\t\t\t\t\t\tc.charCodeAt(0),\n\t\t\t\t\t\t),\n\t\t\t\t\t),\n\t\t\t\t) as Record<string, unknown>;\n\n\t\t\t\tconst issuerDid = typeof rawPayload.iss === \"string\" ? 
rawPayload.iss : null;\n\t\t\t\tif (!issuerDid) {\n\t\t\t\t\treturn {\n\t\t\t\t\t\tsuccess: false,\n\t\t\t\t\t\terror: makeError(\"VC_NO_ISSUER\", \"Presentation JWT has no iss claim\"),\n\t\t\t\t\t};\n\t\t\t\t}\n\n\t\t\t\tconst keyResult = await resolveKey(issuerDid, publicKeyJwk);\n\t\t\t\tif (!keyResult.success) return keyResult;\n\n\t\t\t\tconst publicKey = await importJWK(keyResult.data, \"EdDSA\");\n\t\t\t\tconst { payload } = await jwtVerify(vp, publicKey);\n\n\t\t\t\tconst vpClaim = payload.vp as Record<string, unknown> | undefined;\n\t\t\t\tif (!vpClaim) {\n\t\t\t\t\treturn {\n\t\t\t\t\t\tsuccess: false,\n\t\t\t\t\t\terror: makeError(\"VC_MISSING_VP_CLAIM\", \"JWT does not contain a vp claim\"),\n\t\t\t\t\t};\n\t\t\t\t}\n\n\t\t\t\tpresentation = vpClaim as unknown as VerifiablePresentation;\n\t\t\t} catch (err) {\n\t\t\t\treturn {\n\t\t\t\t\tsuccess: false,\n\t\t\t\t\terror: makeError(\n\t\t\t\t\t\t\"VC_VERIFY_FAILED\",\n\t\t\t\t\t\terr instanceof Error ? err.message : \"Failed to verify presentation JWT\",\n\t\t\t\t\t),\n\t\t\t\t};\n\t\t\t}\n\t\t} else {\n\t\t\tpresentation = vp;\n\t\t}\n\n\t\t// Validate schema\n\t\tconst parsed = VerifiablePresentationSchema.safeParse(presentation);\n\t\tif (!parsed.success) {\n\t\t\treturn {\n\t\t\t\tsuccess: false,\n\t\t\t\terror: makeError(\"VC_INVALID_PRESENTATION\", \"Presentation does not match W3C schema\", {\n\t\t\t\t\tissues: parsed.error.issues.map((i) => `${i.path.join(\".\")}: ${i.message}`),\n\t\t\t\t}),\n\t\t\t};\n\t\t}\n\n\t\t// Verify each credential in the presentation\n\t\tconst verifiedCredentials: VerifiedCredential[] = [];\n\t\tfor (const vc of parsed.data.verifiableCredential) {\n\t\t\tconst result = await verifyCredential(vc, publicKeyJwk);\n\t\t\tif (!result.success) {\n\t\t\t\treturn {\n\t\t\t\t\tsuccess: false,\n\t\t\t\t\terror: makeError(\n\t\t\t\t\t\t\"VC_PRESENTATION_CREDENTIAL_INVALID\",\n\t\t\t\t\t\t`Failed to verify credential in presentation: ${result.error.message}`,\n\t\t\t\t\t\t{ 
originalError: result.error },\n\t\t\t\t\t),\n\t\t\t\t};\n\t\t\t}\n\t\t\tverifiedCredentials.push(result.data);\n\t\t}\n\n\t\treturn {\n\t\t\tsuccess: true,\n\t\t\tdata: {\n\t\t\t\tpresentation: parsed.data,\n\t\t\t\tcredentials: verifiedCredentials,\n\t\t\t\tholder: parsed.data.holder ?? null,\n\t\t\t},\n\t\t};\n\t}\n\n\tfunction extractPermissions(vc: VerifiableCredential): ExtractedPermissions {\n\t\tconst subject = vc.credentialSubject;\n\t\treturn {\n\t\t\tagentId: subject.agentId ?? subject.id ?? null,\n\t\t\tpermissions: subject.permissions ?? [],\n\t\t\ttrustLevel: subject.trustLevel ?? null,\n\t\t\tdelegationScope: subject.delegationScope ?? [],\n\t\t};\n\t}\n\n\treturn {\n\t\tverifyCredential,\n\t\tverifyPresentation,\n\t\textractPermissions,\n\t};\n}\n"]}
@@ -109,7 +109,7 @@ async function hmacSha1Raw(key, data) {
109
109
  const signature = await globalThis.crypto.subtle.sign("HMAC", cryptoKey, buf);
110
110
  return new Uint8Array(signature);
111
111
  }
112
- var PBKDF2_ITERATIONS = 6e5;
112
+ var PBKDF2_ITERATIONS = 1e5;
113
113
  var PBKDF2_KEY_LENGTH = 64;
114
114
  var PBKDF2_SALT_LENGTH = 32;
115
115
  async function pbkdf2Hash(password, salt, iterations) {
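Review bot: Dropping the default on `var PBKDF2_ITERATIONS = 1e5;` weakens every newly created password hash on runtimes that impose no such limit (Node, Bun, Deno), not only on Cloudflare Workers, where the new source-map comment says the 100K cap applies. Since `pbkdf2Hash` already takes an `iterations` argument (its body continues outside the hunk), a better shape is to keep 6e5 as the default and let the Workers deployment pass or configure the lower value, or select the default per runtime, rather than lowering it globally. Because the stored format embeds the iteration count, existing 600K hashes still verify, but the change should be called out as a security downgrade in the changelog instead of being a silent constant edit. Related, `pbkdf2Verify` as shown in the accompanying source map parses the iteration count from the stored string with no lower bound, so a tampered record with `iterations=1` is accepted; a floor such as `if (Number.isNaN(iterations) || iterations < 1e5) return false;` would complement this change.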
@@ -182,5 +182,5 @@ function constantTimeEqual(a, b) {
182
182
  }
183
183
 
184
184
  export { constantTimeEqual, fromBase64Url, fromHex, generateId, hmacSha1Raw, hmacSha256, hmacSha256Raw, importHmacKey, pbkdf2Hash, pbkdf2Verify, randomBytes, randomBytesHex, sha1, sha256, sha256Raw, toBase64Url, toHex };
185
- //# sourceMappingURL=chunk-3AZDFCQF.js.map
186
- //# sourceMappingURL=chunk-3AZDFCQF.js.map
185
+ //# sourceMappingURL=chunk-QCRHJMDX.js.map
186
+ //# sourceMappingURL=chunk-QCRHJMDX.js.map
@@ -1 +1 @@
1
- {"version":3,"sources":["../src/crypto/web-crypto.ts"],"names":[],"mappings":";AAYA,IAAM,SAAA,GAAY,kBAAA;AAGX,SAAS,MAAM,KAAA,EAA2B;AAChD,EAAA,IAAI,GAAA,GAAM,EAAA;AACV,EAAA,KAAA,IAAS,CAAA,GAAI,CAAA,EAAG,CAAA,GAAI,KAAA,CAAM,QAAQ,CAAA,EAAA,EAAK;AACtC,IAAA,MAAM,CAAA,GAAI,MAAM,CAAC,CAAA;AACjB,IAAA,GAAA,IAAO,SAAA,CAAU,KAAK,CAAC,CAAA;AACvB,IAAA,GAAA,IAAO,SAAA,CAAU,IAAI,EAAI,CAAA;AAAA,EAC1B;AACA,EAAA,OAAO,GAAA;AACR;AAGO,SAAS,QAAQ,GAAA,EAAyB;AAChD,EAAA,IAAI,GAAA,CAAI,MAAA,GAAS,CAAA,KAAM,CAAA,EAAG;AACzB,IAAA,MAAM,IAAI,MAAM,2CAA2C,CAAA;AAAA,EAC5D;AACA,EAAA,MAAM,KAAA,GAAQ,IAAI,UAAA,CAAW,GAAA,CAAI,SAAS,CAAC,CAAA;AAC3C,EAAA,KAAA,IAAS,CAAA,GAAI,CAAA,EAAG,CAAA,GAAI,KAAA,CAAM,QAAQ,CAAA,EAAA,EAAK;AACtC,IAAA,MAAM,KAAK,QAAA,CAAS,GAAA,CAAI,CAAA,GAAI,CAAC,GAAa,EAAE,CAAA;AAC5C,IAAA,MAAM,KAAK,QAAA,CAAS,GAAA,CAAI,IAAI,CAAA,GAAI,CAAC,GAAa,EAAE,CAAA;AAChD,IAAA,IAAI,OAAO,KAAA,CAAM,EAAE,KAAK,MAAA,CAAO,KAAA,CAAM,EAAE,CAAA,EAAG;AACzC,MAAA,MAAM,IAAI,KAAA,CAAM,CAAA,2CAAA,EAA8C,CAAA,GAAI,CAAC,CAAA,CAAE,CAAA;AAAA,IACtE;AACA,IAAA,KAAA,CAAM,CAAC,CAAA,GAAK,EAAA,IAAM,CAAA,GAAK,EAAA;AAAA,EACxB;AACA,EAAA,OAAO,KAAA;AACR;AAGO,SAAS,YAAY,KAAA,EAA2B;AACtD,EAAA,IAAI,MAAA,GAAS,EAAA;AACb,EAAA,KAAA,IAAS,CAAA,GAAI,CAAA,EAAG,CAAA,GAAI,KAAA,CAAM,QAAQ,CAAA,EAAA,EAAK;AACtC,IAAA,MAAA,IAAU,MAAA,CAAO,YAAA,CAAa,KAAA,CAAM,CAAC,CAAW,CAAA;AAAA,EACjD;AACA,EAAA,OAAO,IAAA,CAAK,MAAM,CAAA,CAAE,OAAA,CAAQ,KAAA,EAAO,GAAG,CAAA,CAAE,OAAA,CAAQ,KAAA,EAAO,GAAG,CAAA,CAAE,OAAA,CAAQ,OAAO,EAAE,CAAA;AAC9E;AAGO,SAAS,cAAc,GAAA,EAAyB;AAEtD,EAAA,IAAI,MAAA,GAAS,IAAI,OAAA,CAAQ,IAAA,EAAM,GAAG,CAAA,CAAE,OAAA,CAAQ,MAAM,GAAG,CAAA;AAErD,EAAA,OAAO,MAAA,CAAO,MAAA,GAAS,CAAA,KAAM,CAAA,EAAG;AAC/B,IAAA,MAAA,IAAU,GAAA;AAAA,EACX;AACA,EAAA,MAAM,MAAA,GAAS,KAAK,MAAM,CAAA;AAC1B,EAAA,MAAM,KAAA,GAAQ,IAAI,UAAA,CAAW,MAAA,CAAO,MAAM,CAAA;AAC1C,EAAA,KAAA,IAAS,CAAA,GAAI,CAAA,EAAG,CAAA,GAAI,MAAA,CAAO,QAAQ,CAAA,EAAA,EAAK;AACvC,IAAA,KAAA,CAAM,CAAC,CAAA,GAAI,MAAA,CAAO,UAAA,CAAW,CAAC,CAAA;AAAA,EAC/B;AACA,EAAA,OAAO,KAAA;AACR;AAOO,SAAS,UAAA,GAAqB;AACpC,EAAA,OAAO,UAAA,CAAW,OAAO,UA
AA,EAAW;AACrC;AAGO,SAAS,YAAY,MAAA,EAA4B;AACvD,EAAA,MAAM,KAAA,GAAQ,IAAI,UAAA,CAAW,MAAM,CAAA;AACnC,EAAA,UAAA,CAAW,MAAA,CAAO,gBAAgB,KAAK,CAAA;AACvC,EAAA,OAAO,KAAA;AACR;AAGO,SAAS,eAAe,MAAA,EAAwB;AACtD,EAAA,OAAO,KAAA,CAAM,WAAA,CAAY,MAAM,CAAC,CAAA;AACjC;AAMA,IAAM,YAAA,GAAe,IAAI,WAAA,EAAY;AAErC,SAAS,QAAQ,IAAA,EAAwC;AACxD,EAAA,IAAI,OAAO,SAAS,QAAA,EAAU;AAC7B,IAAA,MAAM,OAAA,GAAU,YAAA,CAAa,MAAA,CAAO,IAAI,CAAA;AACxC,IAAA,OAAQ,QAAQ,MAAA,CAAuB,KAAA;AAAA,MACtC,OAAA,CAAQ,UAAA;AAAA,MACR,OAAA,CAAQ,aAAa,OAAA,CAAQ;AAAA,KAC9B;AAAA,EACD;AACA,EAAA,OAAQ,IAAA,CAAK,OAAuB,KAAA,CAAM,IAAA,CAAK,YAAY,IAAA,CAAK,UAAA,GAAa,KAAK,UAAU,CAAA;AAC7F;AAOA,eAAsB,OAAO,IAAA,EAA4C;AACxE,EAAA,MAAM,MAAA,GAAS,MAAM,UAAA,CAAW,MAAA,CAAO,OAAO,MAAA,CAAO,SAAA,EAAW,OAAA,CAAQ,IAAI,CAAC,CAAA;AAC7E,EAAA,OAAO,KAAA,CAAM,IAAI,UAAA,CAAW,MAAM,CAAC,CAAA;AACpC;AAGA,eAAsB,UAAU,IAAA,EAAgD;AAC/E,EAAA,MAAM,MAAA,GAAS,MAAM,UAAA,CAAW,MAAA,CAAO,OAAO,MAAA,CAAO,SAAA,EAAW,OAAA,CAAQ,IAAI,CAAC,CAAA;AAC7E,EAAA,OAAO,IAAI,WAAW,MAAM,CAAA;AAC7B;AAGA,eAAsB,KAAK,IAAA,EAA4C;AACtE,EAAA,MAAM,MAAA,GAAS,MAAM,UAAA,CAAW,MAAA,CAAO,OAAO,MAAA,CAAO,OAAA,EAAS,OAAA,CAAQ,IAAI,CAAC,CAAA;AAC3E,EAAA,OAAO,KAAA,CAAM,IAAI,UAAA,CAAW,MAAM,CAAC,CAAA;AACpC;AAOA,eAAsB,aAAA,CACrB,GAAA,EACA,IAAA,GAA4B,SAAA,EACP;AACrB,EAAA,MAAM,UAAU,OAAO,GAAA,KAAQ,WAAW,YAAA,CAAa,MAAA,CAAO,GAAG,CAAA,GAAI,GAAA;AACrE,EAAA,OAAO,UAAA,CAAW,OAAO,MAAA,CAAO,SAAA;AAAA,IAC/B,KAAA;AAAA,IACC,QAAQ,MAAA,CAAuB,KAAA;AAAA,MAC/B,OAAA,CAAQ,UAAA;AAAA,MACR,OAAA,CAAQ,aAAa,OAAA,CAAQ;AAAA,KAC9B;AAAA,IACA,EAAE,IAAA,EAAM,MAAA,EAAQ,MAAM,EAAE,IAAA,EAAM,MAAK,EAAE;AAAA,IACrC,KAAA;AAAA,IACA,CAAC,QAAQ,QAAQ;AAAA,GAClB;AACD;AAGA,eAAsB,UAAA,CACrB,KACA,IAAA,EACkB;AAClB,EAAA,MAAM,SAAA,GAAY,MAAM,aAAA,CAAc,GAAA,EAAK,SAAS,CAAA;AACpD,EAAA,MAAM,SAAA,GAAY,MAAM,UAAA,CAAW,MAAA,CAAO,MAAA,CAAO,KAAK,MAAA,EAAQ,SAAA,EAAW,OAAA,CAAQ,IAAI,CAAC,CAAA;AACtF,EAAA,OAAO,KAAA,CAAM,IAAI,UAAA,CAAW,SAAS,CAAC,CAAA;AACvC;AAGA,eAAsB,aAAA,CACrB,KACA,IAAA,EACsB;AACtB,EAAA,MAAM,SAAA,GAAY,MAAM,aAAA,CAAc,GAAA,EAAK,SAAS,CAAA;AACpD,EAAA,MAAM,SAAA,GAAY,MAAM,UAAA,CAAW
,MAAA,CAAO,MAAA,CAAO,KAAK,MAAA,EAAQ,SAAA,EAAW,OAAA,CAAQ,IAAI,CAAC,CAAA;AACtF,EAAA,OAAO,IAAI,WAAW,SAAS,CAAA;AAChC;AAGA,eAAsB,WAAA,CAAY,KAAiB,IAAA,EAAuC;AACzF,EAAA,MAAM,SAAA,GAAY,MAAM,aAAA,CAAc,GAAA,EAAK,OAAO,CAAA;AAClD,EAAA,MAAM,GAAA,GAAO,KAAK,MAAA,CAAuB,KAAA;AAAA,IACxC,IAAA,CAAK,UAAA;AAAA,IACL,IAAA,CAAK,aAAa,IAAA,CAAK;AAAA,GACxB;AACA,EAAA,MAAM,SAAA,GAAY,MAAM,UAAA,CAAW,MAAA,CAAO,OAAO,IAAA,CAAK,MAAA,EAAQ,WAAW,GAAG,CAAA;AAC5E,EAAA,OAAO,IAAI,WAAW,SAAS,CAAA;AAChC;AAMA,IAAM,iBAAA,GAAoB,GAAA;AAC1B,IAAM,iBAAA,GAAoB,EAAA;AAC1B,IAAM,kBAAA,GAAqB,EAAA;AAQ3B,eAAsB,UAAA,CACrB,QAAA,EACA,IAAA,EACA,UAAA,EACkB;AAClB,EAAA,MAAM,UAAA,GAAa,IAAA,IAAQ,WAAA,CAAY,kBAAkB,CAAA;AACzD,EAAA,MAAM,mBAAmB,UAAA,IAAc,iBAAA;AAEvC,EAAA,MAAM,WAAA,GAAc,MAAM,UAAA,CAAW,MAAA,CAAO,MAAA,CAAO,SAAA;AAAA,IAClD,KAAA;AAAA,IACA,YAAA,CAAa,OAAO,QAAQ,CAAA;AAAA,IAC5B,QAAA;AAAA,IACA,KAAA;AAAA,IACA,CAAC,YAAY;AAAA,GACd;AAEA,EAAA,MAAM,OAAA,GAAW,WAAW,MAAA,CAAuB,KAAA;AAAA,IAClD,UAAA,CAAW,UAAA;AAAA,IACX,UAAA,CAAW,aAAa,UAAA,CAAW;AAAA,GACpC;AACA,EAAA,MAAM,OAAA,GAAU,MAAM,UAAA,CAAW,MAAA,CAAO,MAAA,CAAO,UAAA;AAAA,IAC9C;AAAA,MACC,IAAA,EAAM,QAAA;AAAA,MACN,IAAA,EAAM,OAAA;AAAA,MACN,UAAA,EAAY,gBAAA;AAAA,MACZ,IAAA,EAAM;AAAA,KACP;AAAA,IACA,WAAA;AAAA,IACA,iBAAA,GAAoB;AAAA,GACrB;AAEA,EAAA,OAAO,CAAA,OAAA,EAAU,gBAAgB,CAAA,CAAA,EAAI,KAAA,CAAM,UAAU,CAAC,CAAA,CAAA,EAAI,KAAA,CAAM,IAAI,UAAA,CAAW,OAAO,CAAC,CAAC,CAAA,CAAA;AACzF;AAOA,eAAsB,YAAA,CAAa,UAAkB,MAAA,EAAkC;AACtF,EAAA,MAAM,KAAA,GAAQ,MAAA,CAAO,KAAA,CAAM,GAAG,CAAA;AAC9B,EAAA,IAAI,MAAM,MAAA,KAAW,CAAA,IAAK,KAAA,CAAM,CAAC,MAAM,QAAA,EAAU;AAChD,IAAA,OAAO,KAAA;AAAA,EACR;AAEA,EAAA,MAAM,UAAA,GAAa,QAAA,CAAS,KAAA,CAAM,CAAC,GAAa,EAAE,CAAA;AAClD,EAAA,MAAM,IAAA,GAAO,OAAA,CAAQ,KAAA,CAAM,CAAC,CAAW,CAAA;AACvC,EAAA,MAAM,UAAA,GAAa,OAAA,CAAQ,KAAA,CAAM,CAAC,CAAW,CAAA;AAE7C,EAAA,IAAI,MAAA,CAAO,KAAA,CAAM,UAAU,CAAA,EAAG,OAAO,KAAA;AAErC,EAAA,MAAM,WAAA,GAAc,MAAM,UAAA,CAAW,MAAA,CAAO,MAAA,CAAO,SAAA;AAAA,IAClD,KAAA;AAAA,IACA,YAAA,CAAa,OAAO,QAAQ,CAAA;AAAA,IAC5B,QAAA;AAAA,IACA,KAAA;AAAA,IACA,CAAC,YAAY;AAAA,GACd;AAEA,EAAA,MA
AM,OAAA,GAAW,KAAK,MAAA,CAAuB,KAAA;AAAA,IAC5C,IAAA,CAAK,UAAA;AAAA,IACL,IAAA,CAAK,aAAa,IAAA,CAAK;AAAA,GACxB;AACA,EAAA,MAAM,OAAA,GAAU,MAAM,UAAA,CAAW,MAAA,CAAO,MAAA,CAAO,UAAA;AAAA,IAC9C;AAAA,MACC,IAAA,EAAM,QAAA;AAAA,MACN,IAAA,EAAM,OAAA;AAAA,MACN,UAAA;AAAA,MACA,IAAA,EAAM;AAAA,KACP;AAAA,IACA,WAAA;AAAA,IACA,WAAW,MAAA,GAAS;AAAA,GACrB;AAEA,EAAA,OAAO,iBAAA,CAAkB,IAAI,UAAA,CAAW,OAAO,GAAG,UAAU,CAAA;AAC7D;AAUO,SAAS,iBAAA,CAAkB,GAAe,CAAA,EAAwB;AACxE,EAAA,IAAI,CAAA,CAAE,UAAA,KAAe,CAAA,CAAE,UAAA,EAAY;AAClC,IAAA,OAAO,KAAA;AAAA,EACR;AACA,EAAA,IAAI,IAAA,GAAO,CAAA;AACX,EAAA,KAAA,IAAS,CAAA,GAAI,CAAA,EAAG,CAAA,GAAI,CAAA,CAAE,YAAY,CAAA,EAAA,EAAK;AACtC,IAAA,IAAA,IAAS,CAAA,CAAE,CAAC,CAAA,GAAgB,CAAA,CAAE,CAAC,CAAA;AAAA,EAChC;AACA,EAAA,OAAO,IAAA,KAAS,CAAA;AACjB","file":"chunk-3AZDFCQF.js","sourcesContent":["/**\n * Web Crypto API utilities for KavachOS.\n *\n * This module uses ONLY the Web Crypto API (globalThis.crypto) which is\n * available natively in Cloudflare Workers, Deno, Bun, and Node 20+.\n * No `node:crypto` imports are used, making the core package edge-compatible.\n */\n\n// ---------------------------------------------------------------------------\n// Encoding helpers\n// ---------------------------------------------------------------------------\n\nconst HEX_CHARS = \"0123456789abcdef\";\n\n/** Encode a Uint8Array as a lowercase hex string. */\nexport function toHex(bytes: Uint8Array): string {\n\tlet hex = \"\";\n\tfor (let i = 0; i < bytes.length; i++) {\n\t\tconst b = bytes[i] as number;\n\t\thex += HEX_CHARS[b >> 4] as string;\n\t\thex += HEX_CHARS[b & 0x0f] as string;\n\t}\n\treturn hex;\n}\n\n/** Decode a hex string into a Uint8Array. 
*/\nexport function fromHex(hex: string): Uint8Array {\n\tif (hex.length % 2 !== 0) {\n\t\tthrow new Error(\"fromHex: hex string must have even length\");\n\t}\n\tconst bytes = new Uint8Array(hex.length / 2);\n\tfor (let i = 0; i < bytes.length; i++) {\n\t\tconst hi = parseInt(hex[i * 2] as string, 16);\n\t\tconst lo = parseInt(hex[i * 2 + 1] as string, 16);\n\t\tif (Number.isNaN(hi) || Number.isNaN(lo)) {\n\t\t\tthrow new Error(`fromHex: invalid hex character at position ${i * 2}`);\n\t\t}\n\t\tbytes[i] = (hi << 4) | lo;\n\t}\n\treturn bytes;\n}\n\n/** Encode a Uint8Array as a base64url string (no padding). */\nexport function toBase64Url(bytes: Uint8Array): string {\n\tlet binary = \"\";\n\tfor (let i = 0; i < bytes.length; i++) {\n\t\tbinary += String.fromCharCode(bytes[i] as number);\n\t}\n\treturn btoa(binary).replace(/\\+/g, \"-\").replace(/\\//g, \"_\").replace(/=+$/, \"\");\n}\n\n/** Decode a base64url string into a Uint8Array. */\nexport function fromBase64Url(b64: string): Uint8Array {\n\t// Restore standard base64\n\tlet base64 = b64.replace(/-/g, \"+\").replace(/_/g, \"/\");\n\t// Add padding\n\twhile (base64.length % 4 !== 0) {\n\t\tbase64 += \"=\";\n\t}\n\tconst binary = atob(base64);\n\tconst bytes = new Uint8Array(binary.length);\n\tfor (let i = 0; i < binary.length; i++) {\n\t\tbytes[i] = binary.charCodeAt(i);\n\t}\n\treturn bytes;\n}\n\n// ---------------------------------------------------------------------------\n// Random generation\n// ---------------------------------------------------------------------------\n\n/** Generate a v4 UUID using the globally available crypto.randomUUID(). */\nexport function generateId(): string {\n\treturn globalThis.crypto.randomUUID();\n}\n\n/** Generate cryptographically secure random bytes as a Uint8Array. 
*/\nexport function randomBytes(length: number): Uint8Array {\n\tconst bytes = new Uint8Array(length);\n\tglobalThis.crypto.getRandomValues(bytes);\n\treturn bytes;\n}\n\n/** Generate cryptographically secure random bytes as a hex string. */\nexport function randomBytesHex(length: number): string {\n\treturn toHex(randomBytes(length));\n}\n\n// ---------------------------------------------------------------------------\n// Text encoding helper (internal)\n// ---------------------------------------------------------------------------\n\nconst TEXT_ENCODER = new TextEncoder();\n\nfunction toBytes(data: string | Uint8Array): ArrayBuffer {\n\tif (typeof data === \"string\") {\n\t\tconst encoded = TEXT_ENCODER.encode(data);\n\t\treturn (encoded.buffer as ArrayBuffer).slice(\n\t\t\tencoded.byteOffset,\n\t\t\tencoded.byteOffset + encoded.byteLength,\n\t\t);\n\t}\n\treturn (data.buffer as ArrayBuffer).slice(data.byteOffset, data.byteOffset + data.byteLength);\n}\n\n// ---------------------------------------------------------------------------\n// Hashing\n// ---------------------------------------------------------------------------\n\n/** SHA-256 hash, returns hex string. */\nexport async function sha256(data: string | Uint8Array): Promise<string> {\n\tconst digest = await globalThis.crypto.subtle.digest(\"SHA-256\", toBytes(data));\n\treturn toHex(new Uint8Array(digest));\n}\n\n/** SHA-256 hash, returns Uint8Array. */\nexport async function sha256Raw(data: string | Uint8Array): Promise<Uint8Array> {\n\tconst digest = await globalThis.crypto.subtle.digest(\"SHA-256\", toBytes(data));\n\treturn new Uint8Array(digest);\n}\n\n/** SHA-1 hash, returns hex string. Needed for HIBP k-anonymity. 
*/\nexport async function sha1(data: string | Uint8Array): Promise<string> {\n\tconst digest = await globalThis.crypto.subtle.digest(\"SHA-1\", toBytes(data));\n\treturn toHex(new Uint8Array(digest));\n}\n\n// ---------------------------------------------------------------------------\n// HMAC\n// ---------------------------------------------------------------------------\n\n/** Import a secret key for HMAC operations. */\nexport async function importHmacKey(\n\tkey: string | Uint8Array,\n\thash: \"SHA-256\" | \"SHA-1\" = \"SHA-256\",\n): Promise<CryptoKey> {\n\tconst keyData = typeof key === \"string\" ? TEXT_ENCODER.encode(key) : key;\n\treturn globalThis.crypto.subtle.importKey(\n\t\t\"raw\",\n\t\t(keyData.buffer as ArrayBuffer).slice(\n\t\t\tkeyData.byteOffset,\n\t\t\tkeyData.byteOffset + keyData.byteLength,\n\t\t),\n\t\t{ name: \"HMAC\", hash: { name: hash } },\n\t\tfalse,\n\t\t[\"sign\", \"verify\"],\n\t);\n}\n\n/** HMAC-SHA256 sign, returns hex string. */\nexport async function hmacSha256(\n\tkey: string | Uint8Array,\n\tdata: string | Uint8Array,\n): Promise<string> {\n\tconst cryptoKey = await importHmacKey(key, \"SHA-256\");\n\tconst signature = await globalThis.crypto.subtle.sign(\"HMAC\", cryptoKey, toBytes(data));\n\treturn toHex(new Uint8Array(signature));\n}\n\n/** HMAC-SHA256 sign, returns Uint8Array. */\nexport async function hmacSha256Raw(\n\tkey: string | Uint8Array,\n\tdata: string | Uint8Array,\n): Promise<Uint8Array> {\n\tconst cryptoKey = await importHmacKey(key, \"SHA-256\");\n\tconst signature = await globalThis.crypto.subtle.sign(\"HMAC\", cryptoKey, toBytes(data));\n\treturn new Uint8Array(signature);\n}\n\n/** HMAC-SHA1 sign, returns Uint8Array (needed for TOTP per RFC 6238). 
*/\nexport async function hmacSha1Raw(key: Uint8Array, data: Uint8Array): Promise<Uint8Array> {\n\tconst cryptoKey = await importHmacKey(key, \"SHA-1\");\n\tconst buf = (data.buffer as ArrayBuffer).slice(\n\t\tdata.byteOffset,\n\t\tdata.byteOffset + data.byteLength,\n\t);\n\tconst signature = await globalThis.crypto.subtle.sign(\"HMAC\", cryptoKey, buf);\n\treturn new Uint8Array(signature);\n}\n\n// ---------------------------------------------------------------------------\n// PBKDF2 password hashing\n// ---------------------------------------------------------------------------\n\nconst PBKDF2_ITERATIONS = 600_000; // OWASP 2023 recommendation for SHA-256\nconst PBKDF2_KEY_LENGTH = 64; // bytes\nconst PBKDF2_SALT_LENGTH = 32; // bytes\n\n/**\n * Hash a password using PBKDF2-SHA256.\n *\n * Returns a string in the format: `pbkdf2:iterations:salt_hex:hash_hex`\n * which is safe to store in the database.\n */\nexport async function pbkdf2Hash(\n\tpassword: string,\n\tsalt?: Uint8Array,\n\titerations?: number,\n): Promise<string> {\n\tconst actualSalt = salt ?? randomBytes(PBKDF2_SALT_LENGTH);\n\tconst actualIterations = iterations ?? 
PBKDF2_ITERATIONS;\n\n\tconst keyMaterial = await globalThis.crypto.subtle.importKey(\n\t\t\"raw\",\n\t\tTEXT_ENCODER.encode(password),\n\t\t\"PBKDF2\",\n\t\tfalse,\n\t\t[\"deriveBits\"],\n\t);\n\n\tconst saltBuf = (actualSalt.buffer as ArrayBuffer).slice(\n\t\tactualSalt.byteOffset,\n\t\tactualSalt.byteOffset + actualSalt.byteLength,\n\t);\n\tconst derived = await globalThis.crypto.subtle.deriveBits(\n\t\t{\n\t\t\tname: \"PBKDF2\",\n\t\t\tsalt: saltBuf,\n\t\t\titerations: actualIterations,\n\t\t\thash: \"SHA-256\",\n\t\t},\n\t\tkeyMaterial,\n\t\tPBKDF2_KEY_LENGTH * 8,\n\t);\n\n\treturn `pbkdf2:${actualIterations}:${toHex(actualSalt)}:${toHex(new Uint8Array(derived))}`;\n}\n\n/**\n * Verify a password against a stored PBKDF2 hash.\n *\n * Supports the `pbkdf2:iterations:salt:hash` format produced by `pbkdf2Hash`.\n */\nexport async function pbkdf2Verify(password: string, stored: string): Promise<boolean> {\n\tconst parts = stored.split(\":\");\n\tif (parts.length !== 4 || parts[0] !== \"pbkdf2\") {\n\t\treturn false;\n\t}\n\n\tconst iterations = parseInt(parts[1] as string, 10);\n\tconst salt = fromHex(parts[2] as string);\n\tconst storedHash = fromHex(parts[3] as string);\n\n\tif (Number.isNaN(iterations)) return false;\n\n\tconst keyMaterial = await globalThis.crypto.subtle.importKey(\n\t\t\"raw\",\n\t\tTEXT_ENCODER.encode(password),\n\t\t\"PBKDF2\",\n\t\tfalse,\n\t\t[\"deriveBits\"],\n\t);\n\n\tconst saltBuf = (salt.buffer as ArrayBuffer).slice(\n\t\tsalt.byteOffset,\n\t\tsalt.byteOffset + salt.byteLength,\n\t);\n\tconst derived = await globalThis.crypto.subtle.deriveBits(\n\t\t{\n\t\t\tname: \"PBKDF2\",\n\t\t\tsalt: saltBuf,\n\t\t\titerations,\n\t\t\thash: \"SHA-256\",\n\t\t},\n\t\tkeyMaterial,\n\t\tstoredHash.length * 8,\n\t);\n\n\treturn constantTimeEqual(new Uint8Array(derived), storedHash);\n}\n\n// ---------------------------------------------------------------------------\n// Constant-time comparison\n// 
---------------------------------------------------------------------------\n\n/**\n * Constant-time comparison of two Uint8Arrays.\n * Returns false immediately if lengths differ (length is not secret).\n */\nexport function constantTimeEqual(a: Uint8Array, b: Uint8Array): boolean {\n\tif (a.byteLength !== b.byteLength) {\n\t\treturn false;\n\t}\n\tlet diff = 0;\n\tfor (let i = 0; i < a.byteLength; i++) {\n\t\tdiff |= (a[i] as number) ^ (b[i] as number);\n\t}\n\treturn diff === 0;\n}\n"]}
1
+ {"version":3,"sources":["../src/crypto/web-crypto.ts"],"names":[],"mappings":";AAYA,IAAM,SAAA,GAAY,kBAAA;AAGX,SAAS,MAAM,KAAA,EAA2B;AAChD,EAAA,IAAI,GAAA,GAAM,EAAA;AACV,EAAA,KAAA,IAAS,CAAA,GAAI,CAAA,EAAG,CAAA,GAAI,KAAA,CAAM,QAAQ,CAAA,EAAA,EAAK;AACtC,IAAA,MAAM,CAAA,GAAI,MAAM,CAAC,CAAA;AACjB,IAAA,GAAA,IAAO,SAAA,CAAU,KAAK,CAAC,CAAA;AACvB,IAAA,GAAA,IAAO,SAAA,CAAU,IAAI,EAAI,CAAA;AAAA,EAC1B;AACA,EAAA,OAAO,GAAA;AACR;AAGO,SAAS,QAAQ,GAAA,EAAyB;AAChD,EAAA,IAAI,GAAA,CAAI,MAAA,GAAS,CAAA,KAAM,CAAA,EAAG;AACzB,IAAA,MAAM,IAAI,MAAM,2CAA2C,CAAA;AAAA,EAC5D;AACA,EAAA,MAAM,KAAA,GAAQ,IAAI,UAAA,CAAW,GAAA,CAAI,SAAS,CAAC,CAAA;AAC3C,EAAA,KAAA,IAAS,CAAA,GAAI,CAAA,EAAG,CAAA,GAAI,KAAA,CAAM,QAAQ,CAAA,EAAA,EAAK;AACtC,IAAA,MAAM,KAAK,QAAA,CAAS,GAAA,CAAI,CAAA,GAAI,CAAC,GAAa,EAAE,CAAA;AAC5C,IAAA,MAAM,KAAK,QAAA,CAAS,GAAA,CAAI,IAAI,CAAA,GAAI,CAAC,GAAa,EAAE,CAAA;AAChD,IAAA,IAAI,OAAO,KAAA,CAAM,EAAE,KAAK,MAAA,CAAO,KAAA,CAAM,EAAE,CAAA,EAAG;AACzC,MAAA,MAAM,IAAI,KAAA,CAAM,CAAA,2CAAA,EAA8C,CAAA,GAAI,CAAC,CAAA,CAAE,CAAA;AAAA,IACtE;AACA,IAAA,KAAA,CAAM,CAAC,CAAA,GAAK,EAAA,IAAM,CAAA,GAAK,EAAA;AAAA,EACxB;AACA,EAAA,OAAO,KAAA;AACR;AAGO,SAAS,YAAY,KAAA,EAA2B;AACtD,EAAA,IAAI,MAAA,GAAS,EAAA;AACb,EAAA,KAAA,IAAS,CAAA,GAAI,CAAA,EAAG,CAAA,GAAI,KAAA,CAAM,QAAQ,CAAA,EAAA,EAAK;AACtC,IAAA,MAAA,IAAU,MAAA,CAAO,YAAA,CAAa,KAAA,CAAM,CAAC,CAAW,CAAA;AAAA,EACjD;AACA,EAAA,OAAO,IAAA,CAAK,MAAM,CAAA,CAAE,OAAA,CAAQ,KAAA,EAAO,GAAG,CAAA,CAAE,OAAA,CAAQ,KAAA,EAAO,GAAG,CAAA,CAAE,OAAA,CAAQ,OAAO,EAAE,CAAA;AAC9E;AAGO,SAAS,cAAc,GAAA,EAAyB;AAEtD,EAAA,IAAI,MAAA,GAAS,IAAI,OAAA,CAAQ,IAAA,EAAM,GAAG,CAAA,CAAE,OAAA,CAAQ,MAAM,GAAG,CAAA;AAErD,EAAA,OAAO,MAAA,CAAO,MAAA,GAAS,CAAA,KAAM,CAAA,EAAG;AAC/B,IAAA,MAAA,IAAU,GAAA;AAAA,EACX;AACA,EAAA,MAAM,MAAA,GAAS,KAAK,MAAM,CAAA;AAC1B,EAAA,MAAM,KAAA,GAAQ,IAAI,UAAA,CAAW,MAAA,CAAO,MAAM,CAAA;AAC1C,EAAA,KAAA,IAAS,CAAA,GAAI,CAAA,EAAG,CAAA,GAAI,MAAA,CAAO,QAAQ,CAAA,EAAA,EAAK;AACvC,IAAA,KAAA,CAAM,CAAC,CAAA,GAAI,MAAA,CAAO,UAAA,CAAW,CAAC,CAAA;AAAA,EAC/B;AACA,EAAA,OAAO,KAAA;AACR;AAOO,SAAS,UAAA,GAAqB;AACpC,EAAA,OAAO,UAAA,CAAW,OAAO,UA
AA,EAAW;AACrC;AAGO,SAAS,YAAY,MAAA,EAA4B;AACvD,EAAA,MAAM,KAAA,GAAQ,IAAI,UAAA,CAAW,MAAM,CAAA;AACnC,EAAA,UAAA,CAAW,MAAA,CAAO,gBAAgB,KAAK,CAAA;AACvC,EAAA,OAAO,KAAA;AACR;AAGO,SAAS,eAAe,MAAA,EAAwB;AACtD,EAAA,OAAO,KAAA,CAAM,WAAA,CAAY,MAAM,CAAC,CAAA;AACjC;AAMA,IAAM,YAAA,GAAe,IAAI,WAAA,EAAY;AAErC,SAAS,QAAQ,IAAA,EAAwC;AACxD,EAAA,IAAI,OAAO,SAAS,QAAA,EAAU;AAC7B,IAAA,MAAM,OAAA,GAAU,YAAA,CAAa,MAAA,CAAO,IAAI,CAAA;AACxC,IAAA,OAAQ,QAAQ,MAAA,CAAuB,KAAA;AAAA,MACtC,OAAA,CAAQ,UAAA;AAAA,MACR,OAAA,CAAQ,aAAa,OAAA,CAAQ;AAAA,KAC9B;AAAA,EACD;AACA,EAAA,OAAQ,IAAA,CAAK,OAAuB,KAAA,CAAM,IAAA,CAAK,YAAY,IAAA,CAAK,UAAA,GAAa,KAAK,UAAU,CAAA;AAC7F;AAOA,eAAsB,OAAO,IAAA,EAA4C;AACxE,EAAA,MAAM,MAAA,GAAS,MAAM,UAAA,CAAW,MAAA,CAAO,OAAO,MAAA,CAAO,SAAA,EAAW,OAAA,CAAQ,IAAI,CAAC,CAAA;AAC7E,EAAA,OAAO,KAAA,CAAM,IAAI,UAAA,CAAW,MAAM,CAAC,CAAA;AACpC;AAGA,eAAsB,UAAU,IAAA,EAAgD;AAC/E,EAAA,MAAM,MAAA,GAAS,MAAM,UAAA,CAAW,MAAA,CAAO,OAAO,MAAA,CAAO,SAAA,EAAW,OAAA,CAAQ,IAAI,CAAC,CAAA;AAC7E,EAAA,OAAO,IAAI,WAAW,MAAM,CAAA;AAC7B;AAGA,eAAsB,KAAK,IAAA,EAA4C;AACtE,EAAA,MAAM,MAAA,GAAS,MAAM,UAAA,CAAW,MAAA,CAAO,OAAO,MAAA,CAAO,OAAA,EAAS,OAAA,CAAQ,IAAI,CAAC,CAAA;AAC3E,EAAA,OAAO,KAAA,CAAM,IAAI,UAAA,CAAW,MAAM,CAAC,CAAA;AACpC;AAOA,eAAsB,aAAA,CACrB,GAAA,EACA,IAAA,GAA4B,SAAA,EACP;AACrB,EAAA,MAAM,UAAU,OAAO,GAAA,KAAQ,WAAW,YAAA,CAAa,MAAA,CAAO,GAAG,CAAA,GAAI,GAAA;AACrE,EAAA,OAAO,UAAA,CAAW,OAAO,MAAA,CAAO,SAAA;AAAA,IAC/B,KAAA;AAAA,IACC,QAAQ,MAAA,CAAuB,KAAA;AAAA,MAC/B,OAAA,CAAQ,UAAA;AAAA,MACR,OAAA,CAAQ,aAAa,OAAA,CAAQ;AAAA,KAC9B;AAAA,IACA,EAAE,IAAA,EAAM,MAAA,EAAQ,MAAM,EAAE,IAAA,EAAM,MAAK,EAAE;AAAA,IACrC,KAAA;AAAA,IACA,CAAC,QAAQ,QAAQ;AAAA,GAClB;AACD;AAGA,eAAsB,UAAA,CACrB,KACA,IAAA,EACkB;AAClB,EAAA,MAAM,SAAA,GAAY,MAAM,aAAA,CAAc,GAAA,EAAK,SAAS,CAAA;AACpD,EAAA,MAAM,SAAA,GAAY,MAAM,UAAA,CAAW,MAAA,CAAO,MAAA,CAAO,KAAK,MAAA,EAAQ,SAAA,EAAW,OAAA,CAAQ,IAAI,CAAC,CAAA;AACtF,EAAA,OAAO,KAAA,CAAM,IAAI,UAAA,CAAW,SAAS,CAAC,CAAA;AACvC;AAGA,eAAsB,aAAA,CACrB,KACA,IAAA,EACsB;AACtB,EAAA,MAAM,SAAA,GAAY,MAAM,aAAA,CAAc,GAAA,EAAK,SAAS,CAAA;AACpD,EAAA,MAAM,SAAA,GAAY,MAAM,UAAA,CAAW
,MAAA,CAAO,MAAA,CAAO,KAAK,MAAA,EAAQ,SAAA,EAAW,OAAA,CAAQ,IAAI,CAAC,CAAA;AACtF,EAAA,OAAO,IAAI,WAAW,SAAS,CAAA;AAChC;AAGA,eAAsB,WAAA,CAAY,KAAiB,IAAA,EAAuC;AACzF,EAAA,MAAM,SAAA,GAAY,MAAM,aAAA,CAAc,GAAA,EAAK,OAAO,CAAA;AAClD,EAAA,MAAM,GAAA,GAAO,KAAK,MAAA,CAAuB,KAAA;AAAA,IACxC,IAAA,CAAK,UAAA;AAAA,IACL,IAAA,CAAK,aAAa,IAAA,CAAK;AAAA,GACxB;AACA,EAAA,MAAM,SAAA,GAAY,MAAM,UAAA,CAAW,MAAA,CAAO,OAAO,IAAA,CAAK,MAAA,EAAQ,WAAW,GAAG,CAAA;AAC5E,EAAA,OAAO,IAAI,WAAW,SAAS,CAAA;AAChC;AAMA,IAAM,iBAAA,GAAoB,GAAA;AAC1B,IAAM,iBAAA,GAAoB,EAAA;AAC1B,IAAM,kBAAA,GAAqB,EAAA;AAQ3B,eAAsB,UAAA,CACrB,QAAA,EACA,IAAA,EACA,UAAA,EACkB;AAClB,EAAA,MAAM,UAAA,GAAa,IAAA,IAAQ,WAAA,CAAY,kBAAkB,CAAA;AACzD,EAAA,MAAM,mBAAmB,UAAA,IAAc,iBAAA;AAEvC,EAAA,MAAM,WAAA,GAAc,MAAM,UAAA,CAAW,MAAA,CAAO,MAAA,CAAO,SAAA;AAAA,IAClD,KAAA;AAAA,IACA,YAAA,CAAa,OAAO,QAAQ,CAAA;AAAA,IAC5B,QAAA;AAAA,IACA,KAAA;AAAA,IACA,CAAC,YAAY;AAAA,GACd;AAEA,EAAA,MAAM,OAAA,GAAW,WAAW,MAAA,CAAuB,KAAA;AAAA,IAClD,UAAA,CAAW,UAAA;AAAA,IACX,UAAA,CAAW,aAAa,UAAA,CAAW;AAAA,GACpC;AACA,EAAA,MAAM,OAAA,GAAU,MAAM,UAAA,CAAW,MAAA,CAAO,MAAA,CAAO,UAAA;AAAA,IAC9C;AAAA,MACC,IAAA,EAAM,QAAA;AAAA,MACN,IAAA,EAAM,OAAA;AAAA,MACN,UAAA,EAAY,gBAAA;AAAA,MACZ,IAAA,EAAM;AAAA,KACP;AAAA,IACA,WAAA;AAAA,IACA,iBAAA,GAAoB;AAAA,GACrB;AAEA,EAAA,OAAO,CAAA,OAAA,EAAU,gBAAgB,CAAA,CAAA,EAAI,KAAA,CAAM,UAAU,CAAC,CAAA,CAAA,EAAI,KAAA,CAAM,IAAI,UAAA,CAAW,OAAO,CAAC,CAAC,CAAA,CAAA;AACzF;AAOA,eAAsB,YAAA,CAAa,UAAkB,MAAA,EAAkC;AACtF,EAAA,MAAM,KAAA,GAAQ,MAAA,CAAO,KAAA,CAAM,GAAG,CAAA;AAC9B,EAAA,IAAI,MAAM,MAAA,KAAW,CAAA,IAAK,KAAA,CAAM,CAAC,MAAM,QAAA,EAAU;AAChD,IAAA,OAAO,KAAA;AAAA,EACR;AAEA,EAAA,MAAM,UAAA,GAAa,QAAA,CAAS,KAAA,CAAM,CAAC,GAAa,EAAE,CAAA;AAClD,EAAA,MAAM,IAAA,GAAO,OAAA,CAAQ,KAAA,CAAM,CAAC,CAAW,CAAA;AACvC,EAAA,MAAM,UAAA,GAAa,OAAA,CAAQ,KAAA,CAAM,CAAC,CAAW,CAAA;AAE7C,EAAA,IAAI,MAAA,CAAO,KAAA,CAAM,UAAU,CAAA,EAAG,OAAO,KAAA;AAErC,EAAA,MAAM,WAAA,GAAc,MAAM,UAAA,CAAW,MAAA,CAAO,MAAA,CAAO,SAAA;AAAA,IAClD,KAAA;AAAA,IACA,YAAA,CAAa,OAAO,QAAQ,CAAA;AAAA,IAC5B,QAAA;AAAA,IACA,KAAA;AAAA,IACA,CAAC,YAAY;AAAA,GACd;AAEA,EAAA,MA
AM,OAAA,GAAW,KAAK,MAAA,CAAuB,KAAA;AAAA,IAC5C,IAAA,CAAK,UAAA;AAAA,IACL,IAAA,CAAK,aAAa,IAAA,CAAK;AAAA,GACxB;AACA,EAAA,MAAM,OAAA,GAAU,MAAM,UAAA,CAAW,MAAA,CAAO,MAAA,CAAO,UAAA;AAAA,IAC9C;AAAA,MACC,IAAA,EAAM,QAAA;AAAA,MACN,IAAA,EAAM,OAAA;AAAA,MACN,UAAA;AAAA,MACA,IAAA,EAAM;AAAA,KACP;AAAA,IACA,WAAA;AAAA,IACA,WAAW,MAAA,GAAS;AAAA,GACrB;AAEA,EAAA,OAAO,iBAAA,CAAkB,IAAI,UAAA,CAAW,OAAO,GAAG,UAAU,CAAA;AAC7D;AAUO,SAAS,iBAAA,CAAkB,GAAe,CAAA,EAAwB;AACxE,EAAA,IAAI,CAAA,CAAE,UAAA,KAAe,CAAA,CAAE,UAAA,EAAY;AAClC,IAAA,OAAO,KAAA;AAAA,EACR;AACA,EAAA,IAAI,IAAA,GAAO,CAAA;AACX,EAAA,KAAA,IAAS,CAAA,GAAI,CAAA,EAAG,CAAA,GAAI,CAAA,CAAE,YAAY,CAAA,EAAA,EAAK;AACtC,IAAA,IAAA,IAAS,CAAA,CAAE,CAAC,CAAA,GAAgB,CAAA,CAAE,CAAC,CAAA;AAAA,EAChC;AACA,EAAA,OAAO,IAAA,KAAS,CAAA;AACjB","file":"chunk-QCRHJMDX.js","sourcesContent":["/**\n * Web Crypto API utilities for KavachOS.\n *\n * This module uses ONLY the Web Crypto API (globalThis.crypto) which is\n * available natively in Cloudflare Workers, Deno, Bun, and Node 20+.\n * No `node:crypto` imports are used, making the core package edge-compatible.\n */\n\n// ---------------------------------------------------------------------------\n// Encoding helpers\n// ---------------------------------------------------------------------------\n\nconst HEX_CHARS = \"0123456789abcdef\";\n\n/** Encode a Uint8Array as a lowercase hex string. */\nexport function toHex(bytes: Uint8Array): string {\n\tlet hex = \"\";\n\tfor (let i = 0; i < bytes.length; i++) {\n\t\tconst b = bytes[i] as number;\n\t\thex += HEX_CHARS[b >> 4] as string;\n\t\thex += HEX_CHARS[b & 0x0f] as string;\n\t}\n\treturn hex;\n}\n\n/** Decode a hex string into a Uint8Array. 
*/\nexport function fromHex(hex: string): Uint8Array {\n\tif (hex.length % 2 !== 0) {\n\t\tthrow new Error(\"fromHex: hex string must have even length\");\n\t}\n\tconst bytes = new Uint8Array(hex.length / 2);\n\tfor (let i = 0; i < bytes.length; i++) {\n\t\tconst hi = parseInt(hex[i * 2] as string, 16);\n\t\tconst lo = parseInt(hex[i * 2 + 1] as string, 16);\n\t\tif (Number.isNaN(hi) || Number.isNaN(lo)) {\n\t\t\tthrow new Error(`fromHex: invalid hex character at position ${i * 2}`);\n\t\t}\n\t\tbytes[i] = (hi << 4) | lo;\n\t}\n\treturn bytes;\n}\n\n/** Encode a Uint8Array as a base64url string (no padding). */\nexport function toBase64Url(bytes: Uint8Array): string {\n\tlet binary = \"\";\n\tfor (let i = 0; i < bytes.length; i++) {\n\t\tbinary += String.fromCharCode(bytes[i] as number);\n\t}\n\treturn btoa(binary).replace(/\\+/g, \"-\").replace(/\\//g, \"_\").replace(/=+$/, \"\");\n}\n\n/** Decode a base64url string into a Uint8Array. */\nexport function fromBase64Url(b64: string): Uint8Array {\n\t// Restore standard base64\n\tlet base64 = b64.replace(/-/g, \"+\").replace(/_/g, \"/\");\n\t// Add padding\n\twhile (base64.length % 4 !== 0) {\n\t\tbase64 += \"=\";\n\t}\n\tconst binary = atob(base64);\n\tconst bytes = new Uint8Array(binary.length);\n\tfor (let i = 0; i < binary.length; i++) {\n\t\tbytes[i] = binary.charCodeAt(i);\n\t}\n\treturn bytes;\n}\n\n// ---------------------------------------------------------------------------\n// Random generation\n// ---------------------------------------------------------------------------\n\n/** Generate a v4 UUID using the globally available crypto.randomUUID(). */\nexport function generateId(): string {\n\treturn globalThis.crypto.randomUUID();\n}\n\n/** Generate cryptographically secure random bytes as a Uint8Array. 
*/\nexport function randomBytes(length: number): Uint8Array {\n\tconst bytes = new Uint8Array(length);\n\tglobalThis.crypto.getRandomValues(bytes);\n\treturn bytes;\n}\n\n/** Generate cryptographically secure random bytes as a hex string. */\nexport function randomBytesHex(length: number): string {\n\treturn toHex(randomBytes(length));\n}\n\n// ---------------------------------------------------------------------------\n// Text encoding helper (internal)\n// ---------------------------------------------------------------------------\n\nconst TEXT_ENCODER = new TextEncoder();\n\nfunction toBytes(data: string | Uint8Array): ArrayBuffer {\n\tif (typeof data === \"string\") {\n\t\tconst encoded = TEXT_ENCODER.encode(data);\n\t\treturn (encoded.buffer as ArrayBuffer).slice(\n\t\t\tencoded.byteOffset,\n\t\t\tencoded.byteOffset + encoded.byteLength,\n\t\t);\n\t}\n\treturn (data.buffer as ArrayBuffer).slice(data.byteOffset, data.byteOffset + data.byteLength);\n}\n\n// ---------------------------------------------------------------------------\n// Hashing\n// ---------------------------------------------------------------------------\n\n/** SHA-256 hash, returns hex string. */\nexport async function sha256(data: string | Uint8Array): Promise<string> {\n\tconst digest = await globalThis.crypto.subtle.digest(\"SHA-256\", toBytes(data));\n\treturn toHex(new Uint8Array(digest));\n}\n\n/** SHA-256 hash, returns Uint8Array. */\nexport async function sha256Raw(data: string | Uint8Array): Promise<Uint8Array> {\n\tconst digest = await globalThis.crypto.subtle.digest(\"SHA-256\", toBytes(data));\n\treturn new Uint8Array(digest);\n}\n\n/** SHA-1 hash, returns hex string. Needed for HIBP k-anonymity. 
*/\nexport async function sha1(data: string | Uint8Array): Promise<string> {\n\tconst digest = await globalThis.crypto.subtle.digest(\"SHA-1\", toBytes(data));\n\treturn toHex(new Uint8Array(digest));\n}\n\n// ---------------------------------------------------------------------------\n// HMAC\n// ---------------------------------------------------------------------------\n\n/** Import a secret key for HMAC operations. */\nexport async function importHmacKey(\n\tkey: string | Uint8Array,\n\thash: \"SHA-256\" | \"SHA-1\" = \"SHA-256\",\n): Promise<CryptoKey> {\n\tconst keyData = typeof key === \"string\" ? TEXT_ENCODER.encode(key) : key;\n\treturn globalThis.crypto.subtle.importKey(\n\t\t\"raw\",\n\t\t(keyData.buffer as ArrayBuffer).slice(\n\t\t\tkeyData.byteOffset,\n\t\t\tkeyData.byteOffset + keyData.byteLength,\n\t\t),\n\t\t{ name: \"HMAC\", hash: { name: hash } },\n\t\tfalse,\n\t\t[\"sign\", \"verify\"],\n\t);\n}\n\n/** HMAC-SHA256 sign, returns hex string. */\nexport async function hmacSha256(\n\tkey: string | Uint8Array,\n\tdata: string | Uint8Array,\n): Promise<string> {\n\tconst cryptoKey = await importHmacKey(key, \"SHA-256\");\n\tconst signature = await globalThis.crypto.subtle.sign(\"HMAC\", cryptoKey, toBytes(data));\n\treturn toHex(new Uint8Array(signature));\n}\n\n/** HMAC-SHA256 sign, returns Uint8Array. */\nexport async function hmacSha256Raw(\n\tkey: string | Uint8Array,\n\tdata: string | Uint8Array,\n): Promise<Uint8Array> {\n\tconst cryptoKey = await importHmacKey(key, \"SHA-256\");\n\tconst signature = await globalThis.crypto.subtle.sign(\"HMAC\", cryptoKey, toBytes(data));\n\treturn new Uint8Array(signature);\n}\n\n/** HMAC-SHA1 sign, returns Uint8Array (needed for TOTP per RFC 6238). 
*/\nexport async function hmacSha1Raw(key: Uint8Array, data: Uint8Array): Promise<Uint8Array> {\n\tconst cryptoKey = await importHmacKey(key, \"SHA-1\");\n\tconst buf = (data.buffer as ArrayBuffer).slice(\n\t\tdata.byteOffset,\n\t\tdata.byteOffset + data.byteLength,\n\t);\n\tconst signature = await globalThis.crypto.subtle.sign(\"HMAC\", cryptoKey, buf);\n\treturn new Uint8Array(signature);\n}\n\n// ---------------------------------------------------------------------------\n// PBKDF2 password hashing\n// ---------------------------------------------------------------------------\n\nconst PBKDF2_ITERATIONS = 100_000; // CF Workers caps at 100K; OWASP recommends 600K for Node.js\nconst PBKDF2_KEY_LENGTH = 64; // bytes\nconst PBKDF2_SALT_LENGTH = 32; // bytes\n\n/**\n * Hash a password using PBKDF2-SHA256.\n *\n * Returns a string in the format: `pbkdf2:iterations:salt_hex:hash_hex`\n * which is safe to store in the database.\n */\nexport async function pbkdf2Hash(\n\tpassword: string,\n\tsalt?: Uint8Array,\n\titerations?: number,\n): Promise<string> {\n\tconst actualSalt = salt ?? randomBytes(PBKDF2_SALT_LENGTH);\n\tconst actualIterations = iterations ?? 
PBKDF2_ITERATIONS;\n\n\tconst keyMaterial = await globalThis.crypto.subtle.importKey(\n\t\t\"raw\",\n\t\tTEXT_ENCODER.encode(password),\n\t\t\"PBKDF2\",\n\t\tfalse,\n\t\t[\"deriveBits\"],\n\t);\n\n\tconst saltBuf = (actualSalt.buffer as ArrayBuffer).slice(\n\t\tactualSalt.byteOffset,\n\t\tactualSalt.byteOffset + actualSalt.byteLength,\n\t);\n\tconst derived = await globalThis.crypto.subtle.deriveBits(\n\t\t{\n\t\t\tname: \"PBKDF2\",\n\t\t\tsalt: saltBuf,\n\t\t\titerations: actualIterations,\n\t\t\thash: \"SHA-256\",\n\t\t},\n\t\tkeyMaterial,\n\t\tPBKDF2_KEY_LENGTH * 8,\n\t);\n\n\treturn `pbkdf2:${actualIterations}:${toHex(actualSalt)}:${toHex(new Uint8Array(derived))}`;\n}\n\n/**\n * Verify a password against a stored PBKDF2 hash.\n *\n * Supports the `pbkdf2:iterations:salt:hash` format produced by `pbkdf2Hash`.\n */\nexport async function pbkdf2Verify(password: string, stored: string): Promise<boolean> {\n\tconst parts = stored.split(\":\");\n\tif (parts.length !== 4 || parts[0] !== \"pbkdf2\") {\n\t\treturn false;\n\t}\n\n\tconst iterations = parseInt(parts[1] as string, 10);\n\tconst salt = fromHex(parts[2] as string);\n\tconst storedHash = fromHex(parts[3] as string);\n\n\tif (Number.isNaN(iterations)) return false;\n\n\tconst keyMaterial = await globalThis.crypto.subtle.importKey(\n\t\t\"raw\",\n\t\tTEXT_ENCODER.encode(password),\n\t\t\"PBKDF2\",\n\t\tfalse,\n\t\t[\"deriveBits\"],\n\t);\n\n\tconst saltBuf = (salt.buffer as ArrayBuffer).slice(\n\t\tsalt.byteOffset,\n\t\tsalt.byteOffset + salt.byteLength,\n\t);\n\tconst derived = await globalThis.crypto.subtle.deriveBits(\n\t\t{\n\t\t\tname: \"PBKDF2\",\n\t\t\tsalt: saltBuf,\n\t\t\titerations,\n\t\t\thash: \"SHA-256\",\n\t\t},\n\t\tkeyMaterial,\n\t\tstoredHash.length * 8,\n\t);\n\n\treturn constantTimeEqual(new Uint8Array(derived), storedHash);\n}\n\n// ---------------------------------------------------------------------------\n// Constant-time comparison\n// 
---------------------------------------------------------------------------\n\n/**\n * Constant-time comparison of two Uint8Arrays.\n * Returns false immediately if lengths differ (length is not secret).\n */\nexport function constantTimeEqual(a: Uint8Array, b: Uint8Array): boolean {\n\tif (a.byteLength !== b.byteLength) {\n\t\treturn false;\n\t}\n\tlet diff = 0;\n\tfor (let i = 0; i < a.byteLength; i++) {\n\t\tdiff |= (a[i] as number) ^ (b[i] as number);\n\t}\n\treturn diff === 0;\n}\n"]}
@@ -1,5 +1,5 @@
1
- import { auditLogs, rateLimits } from './chunk-KNNJ4COO.js';
2
- import { generateId } from './chunk-3AZDFCQF.js';
1
+ import { auditLogs, rateLimits } from './chunk-KDL6A76K.js';
2
+ import { generateId } from './chunk-QCRHJMDX.js';
3
3
  import { and, eq, gte } from 'drizzle-orm';
4
4
 
5
5
  function matchResource(pattern, resource) {
@@ -247,5 +247,5 @@ function getPermissionTemplate(name) {
247
247
  }
248
248
 
249
249
  export { createPermissionEngine, getPermissionTemplate, permissionTemplates };
250
- //# sourceMappingURL=chunk-O7VQ2LQE.js.map
251
- //# sourceMappingURL=chunk-O7VQ2LQE.js.map
250
+ //# sourceMappingURL=chunk-VHKZARMM.js.map
251
+ //# sourceMappingURL=chunk-VHKZARMM.js.map
@@ -1 +1 @@
1
- {"version":3,"sources":["../src/permission/engine.ts","../src/permission/templates.ts"],"names":["result"],"mappings":";;;;AAwBA,SAAS,aAAA,CAAc,SAAiB,QAAA,EAA2B;AAClE,EAAA,IAAI,OAAA,KAAY,KAAK,OAAO,IAAA;AAE5B,EAAA,MAAM,YAAA,GAAe,OAAA,CAAQ,KAAA,CAAM,GAAG,CAAA;AACtC,EAAA,MAAM,aAAA,GAAgB,QAAA,CAAS,KAAA,CAAM,GAAG,CAAA;AAExC,EAAA,KAAA,IAAS,CAAA,GAAI,CAAA,EAAG,CAAA,GAAI,YAAA,CAAa,QAAQ,CAAA,EAAA,EAAK;AAC7C,IAAA,MAAM,IAAA,GAAO,aAAa,CAAC,CAAA;AAC3B,IAAA,IAAI,IAAA,KAAS,KAAK,OAAO,IAAA;AACzB,IAAA,IAAI,IAAA,KAAS,aAAA,CAAc,CAAC,CAAA,EAAG,OAAO,KAAA;AAAA,EACvC;AAEA,EAAA,OAAO,YAAA,CAAa,WAAW,aAAA,CAAc,MAAA;AAC9C;AAKA,SAAS,WAAA,CAAY,gBAA0B,eAAA,EAAkC;AAChF,EAAA,OAAO,eAAe,QAAA,CAAS,eAAe,CAAA,IAAK,cAAA,CAAe,SAAS,GAAG,CAAA;AAC/E;AAKA,SAAS,UAAU,EAAA,EAA2B;AAC7C,EAAA,MAAM,KAAA,GAAQ,EAAA,CAAG,KAAA,CAAM,GAAG,CAAA;AAC1B,EAAA,IAAI,KAAA,CAAM,MAAA,KAAW,CAAA,EAAG,OAAO,IAAA;AAC/B,EAAA,IAAI,MAAA,GAAS,CAAA;AACb,EAAA,KAAA,MAAW,QAAQ,KAAA,EAAO;AACzB,IAAA,MAAM,GAAA,GAAM,QAAA,CAAS,IAAA,EAAM,EAAE,CAAA;AAC7B,IAAA,IAAI,MAAA,CAAO,MAAM,GAAG,CAAA,IAAK,MAAM,CAAA,IAAK,GAAA,GAAM,KAAK,OAAO,IAAA;AACtD,IAAA,MAAA,GAAU,UAAU,CAAA,GAAK,GAAA;AAAA,EAC1B;AACA,EAAA,OAAO,MAAA,KAAW,CAAA;AACnB;AAMA,SAAS,cAAA,CAAe,OAAe,EAAA,EAAqB;AAC3D,EAAA,MAAM,UAAA,GAAa,KAAA,CAAM,OAAA,CAAQ,GAAG,CAAA;AACpC,EAAA,IAAI,eAAe,EAAA,EAAI;AACtB,IAAA,OAAO,KAAA,KAAU,EAAA;AAAA,EAClB;AAEA,EAAA,MAAM,MAAA,GAAS,KAAA,CAAM,KAAA,CAAM,CAAA,EAAG,UAAU,CAAA;AACxC,EAAA,MAAM,YAAY,QAAA,CAAS,KAAA,CAAM,MAAM,UAAA,GAAa,CAAC,GAAG,EAAE,CAAA;AAC1D,EAAA,IAAI,MAAA,CAAO,MAAM,SAAS,CAAA,IAAK,YAAY,CAAA,IAAK,SAAA,GAAY,IAAI,OAAO,KAAA;AAEvE,EAAA,MAAM,QAAA,GAAW,UAAU,MAAM,CAAA;AACjC,EAAA,MAAM,KAAA,GAAQ,UAAU,EAAE,CAAA;AAC1B,EAAA,IAAI,QAAA,KAAa,IAAA,IAAQ,KAAA,KAAU,IAAA,EAAM,OAAO,KAAA;AAEhD,EAAA,MAAM,OAAO,SAAA,KAAc,CAAA,GAAI,IAAK,EAAC,IAAM,KAAK,SAAA,KAAgB,CAAA;AAChE,EAAA,OAAA,CAAQ,QAAA,GAAW,WAAW,KAAA,GAAQ,IAAA,CAAA;AACvC;AAKA,SAAS,WAAA,CAAY,WAAqB,EAAA,EAAqB;AAC9D,EAAA,OAAO,UAAU,IAAA,CAAK,CAAC,UAAU,cAAA,CAAe,KAAA,EAAO,EAAE,CAAC,CAAA;AAC3D;AAKA,SAAS,mBAAA,CACR,UACA,IAAA,EACsC;AACtC,EAAA,KA
AA,MAAW,WAAW,QAAA,EAAU;AAC/B,IAAA,MAAM,KAAA,GAAQ,IAAI,MAAA,CAAO,OAAO,CAAA;AAEhC,IAAA,KAAA,MAAW,CAAC,GAAA,EAAK,KAAK,KAAK,MAAA,CAAO,OAAA,CAAQ,IAAI,CAAA,EAAG;AAChD,MAAA,IAAI,OAAO,KAAA,KAAU,QAAA,IAAY,CAAC,KAAA,CAAM,IAAA,CAAK,KAAK,CAAA,EAAG;AACpD,QAAA,OAAO;AAAA,UACN,KAAA,EAAO,KAAA;AAAA,UACP,QAAQ,CAAA,UAAA,EAAa,GAAG,CAAA,SAAA,EAAY,KAAK,6BAA6B,OAAO,CAAA,CAAA;AAAA,SAC9E;AAAA,MACD;AAAA,IACD;AAAA,EACD;AACA,EAAA,OAAO,EAAE,OAAO,IAAA,EAAK;AACtB;AAKA,eAAe,cAAA,CACd,EAAA,EACA,OAAA,EACA,QAAA,EACA,eAAA,EACiD;AACjD,EAAA,MAAM,UAAA,GAAa,IAAI,IAAA,CAAK,IAAA,CAAK,KAAI,GAAI,EAAA,GAAK,KAAK,GAAI,CAAA;AAEvD,EAAA,MAAM,OAAO,MAAM,EAAA,CACjB,QAAO,CACP,IAAA,CAAK,UAAU,CAAA,CACf,KAAA;AAAA,IACA,GAAA;AAAA,MACC,EAAA,CAAG,UAAA,CAAW,OAAA,EAAS,OAAO,CAAA;AAAA,MAC9B,EAAA,CAAG,UAAA,CAAW,QAAA,EAAU,QAAQ,CAAA;AAAA,MAChC,GAAA,CAAI,UAAA,CAAW,WAAA,EAAa,UAAU;AAAA;AACvC,GACD;AAED,EAAA,MAAM,UAAA,GAAa,KAAK,MAAA,CAAO,CAAC,KAAK,CAAA,KAAM,GAAA,GAAM,CAAA,CAAE,KAAA,EAAO,CAAC,CAAA;AAE3D,EAAA,IAAI,cAAc,eAAA,EAAiB;AAClC,IAAA,OAAO;AAAA,MACN,OAAA,EAAS,KAAA;AAAA,MACT,QAAQ,CAAA,qBAAA,EAAwB,UAAU,CAAA,CAAA,EAAI,eAAe,iCAAiC,QAAQ,CAAA,CAAA;AAAA,KACvG;AAAA,EACD;AAGA,EAAA,MAAM,aAAA,GAAgB,IAAI,IAAA,CAAK,IAAA,CAAK,MAAM,IAAA,CAAK,GAAA,EAAI,IAAK,CAAA,GAAI,EAAA,GAAK,GAAA,CAAK,CAAA,IAAK,CAAA,GAAI,KAAK,GAAA,CAAK,CAAA;AACzF,EAAA,MAAM,QAAA,GAAW,IAAA,CAAK,IAAA,CAAK,CAAC,CAAA,KAAM,CAAA,CAAE,WAAA,CAAY,OAAA,EAAQ,KAAM,aAAA,CAAc,OAAA,EAAS,CAAA;AAErF,EAAA,IAAI,QAAA,EAAU;AACb,IAAA,MAAM,GACJ,MAAA,CAAO,UAAU,EACjB,GAAA,CAAI,EAAE,OAAO,QAAA,CAAS,KAAA,GAAQ,CAAA,EAAG,EACjC,KAAA,CAAM,EAAA,CAAG,WAAW,EAAA,EAAI,QAAA,CAAS,EAAE,CAAC,CAAA;AAAA,EACvC,CAAA,MAAO;AACN,IAAA,MAAM,EAAA,CAAG,MAAA,CAAO,UAAU,CAAA,CAAE,MAAA,CAAO;AAAA,MAClC,IAAI,UAAA,EAAW;AAAA,MACf,OAAA;AAAA,MACA,QAAA;AAAA,MACA,WAAA,EAAa,aAAA;AAAA,MACb,KAAA,EAAO;AAAA,KACP,CAAA;AAAA,EACF;AAEA,EAAA,OAAO,EAAE,SAAS,IAAA,EAAK;AACxB;AAKO,SAAS,uBAAuB,MAAA,EAAgC;AACtE,EAAA,MAAM,EAAE,EAAA,EAAI,QAAA,EAAS,GAAI,MAAA;AAMzB,EAAA,eAAe,SAAA,CACd,OACA,OAAA,EAC2B;AAC3B,IAAA,MAAM,SAAA,GAAY,YAAY,GAAA,EAAI;AAClC,IAAA,MAAM,UAAU,UAA
A,EAAW;AAG3B,IAAA,MAAM,kBAAA,GAAqB,MAAM,WAAA,CAAY,IAAA;AAAA,MAC5C,CAAC,CAAA,KAAM,aAAA,CAAc,CAAA,CAAE,QAAA,EAAU,OAAA,CAAQ,QAAQ,CAAA,IAAK,WAAA,CAAY,CAAA,CAAE,OAAA,EAAS,OAAA,CAAQ,MAAM;AAAA,KAC5F;AAEA,IAAA,IAAI,CAAC,kBAAA,EAAoB;AACxB,MAAA,MAAMA,OAAAA,GAA0B;AAAA,QAC/B,OAAA,EAAS,KAAA;AAAA,QACT,MAAA,EAAQ,+BAA+B,KAAA,CAAM,IAAI,gBAAgB,OAAA,CAAQ,MAAM,CAAA,MAAA,EAAS,OAAA,CAAQ,QAAQ,CAAA,CAAA,CAAA;AAAA,QACxG;AAAA,OACD;AACA,MAAA,IAAI,QAAA,EAAU;AACb,QAAA,MAAM,cAAc,EAAA,EAAI,KAAA,EAAO,OAAA,EAASA,OAAAA,EAAQ,WAAW,OAAO,CAAA;AAAA,MACnE;AACA,MAAA,OAAOA,OAAAA;AAAA,IACR;AAGA,IAAA,IAAI,mBAAmB,WAAA,EAAa;AACnC,MAAA,MAAM,mBAAmB,MAAM,mBAAA;AAAA,QAC9B,EAAA;AAAA,QACA,KAAA;AAAA,QACA,OAAA;AAAA,QACA,kBAAA,CAAmB;AAAA,OACpB;AACA,MAAA,IAAI,CAAC,iBAAiB,OAAA,EAAS;AAC9B,QAAA,MAAMA,OAAAA,GAA0B;AAAA,UAC/B,OAAA,EAAS,KAAA;AAAA,UACT,QAAQ,gBAAA,CAAiB,MAAA;AAAA,UACzB;AAAA,SACD;AACA,QAAA,IAAI,QAAA,EAAU;AACb,UAAA,MAAM,cAAc,EAAA,EAAI,KAAA,EAAO,OAAA,EAASA,OAAAA,EAAQ,WAAW,OAAO,CAAA;AAAA,QACnE;AACA,QAAA,OAAOA,OAAAA;AAAA,MACR;AAAA,IACD;AAEA,IAAA,MAAM,MAAA,GAA0B,EAAE,OAAA,EAAS,IAAA,EAAM,OAAA,EAAQ;AACzD,IAAA,IAAI,QAAA,EAAU;AACb,MAAA,MAAM,cAAc,EAAA,EAAI,KAAA,EAAO,OAAA,EAAS,MAAA,EAAQ,WAAW,OAAO,CAAA;AAAA,IACnE;AACA,IAAA,OAAO,MAAA;AAAA,EACR;AAEA,EAAA,OAAO,EAAE,SAAA,EAAU;AACpB;AAEA,eAAe,mBAAA,CACd,EAAA,EACA,KAAA,EACA,OAAA,EACA,WAAA,EACiD;AAEjD,EAAA,IAAI,YAAY,eAAA,EAAiB;AAChC,IAAA,MAAM,aAAa,MAAM,cAAA;AAAA,MACxB,EAAA;AAAA,MACA,KAAA,CAAM,EAAA;AAAA,MACN,OAAA,CAAQ,QAAA;AAAA,MACR,WAAA,CAAY;AAAA,KACb;AACA,IAAA,IAAI,CAAC,WAAW,OAAA,EAAS;AACxB,MAAA,OAAO,UAAA;AAAA,IACR;AAAA,EACD;AAGA,EAAA,IAAI,WAAA,CAAY,kBAAA,IAAsB,OAAA,CAAQ,SAAA,EAAW;AACxD,IAAA,MAAM,aAAA,GAAgB,mBAAA,CAAoB,WAAA,CAAY,kBAAA,EAAoB,QAAQ,SAAS,CAAA;AAC3F,IAAA,IAAI,CAAC,cAAc,KAAA,EAAO;AACzB,MAAA,OAAO,EAAE,OAAA,EAAS,KAAA,EAAO,MAAA,EAAQ,cAAc,MAAA,EAAO;AAAA,IACvD;AAAA,EACD;AAGA,EAAA,IAAI,YAAY,eAAA,EAAiB;AAChC,IAAA,OAAO;AAAA,MACN,OAAA,EAAS,KAAA;AAAA,MACT,MAAA,EAAQ;AAAA,KACT;AAAA,EACD;AAGA,EAAA,IAAI,YAAY,UAAA,EAAY;AAC3B,IAAA,MAAM,GAAA,uBAAU,IAAA,EAAK;AACrB,IAAA,MAAM,KAAA,GAAQ,IAAI
,QAAA,EAAS;AAC3B,IAAA,MAAM,OAAA,GAAU,IAAI,UAAA,EAAW;AAC/B,IAAA,MAAM,cAAc,CAAA,EAAG,MAAA,CAAO,KAAK,CAAA,CAAE,SAAS,CAAA,EAAG,GAAG,CAAC,CAAA,CAAA,EAAI,OAAO,OAAO,CAAA,CAAE,QAAA,CAAS,CAAA,EAAG,GAAG,CAAC,CAAA,CAAA;AAEzF,IAAA,IAAI,cAAc,WAAA,CAAY,UAAA,CAAW,SAAS,WAAA,GAAc,WAAA,CAAY,WAAW,GAAA,EAAK;AAC3F,MAAA,OAAO;AAAA,QACN,OAAA,EAAS,KAAA;AAAA,QACT,MAAA,EAAQ,kCAAkC,WAAA,CAAY,UAAA,CAAW,KAAK,CAAA,KAAA,EAAQ,WAAA,CAAY,WAAW,GAAG,CAAA;AAAA,OACzG;AAAA,IACD;AAAA,EACD;AAGA,EAAA,IAAI,WAAA,CAAY,WAAA,IAAe,WAAA,CAAY,WAAA,CAAY,SAAS,CAAA,EAAG;AAClE,IAAA,IAAI,CAAC,QAAQ,EAAA,EAAI;AAChB,MAAA,OAAO;AAAA,QACN,OAAA,EAAS,KAAA;AAAA,QACT,MAAA,EAAQ;AAAA,OACT;AAAA,IACD;AACA,IAAA,IAAI,CAAC,WAAA,CAAY,WAAA,CAAY,WAAA,EAAa,OAAA,CAAQ,EAAE,CAAA,EAAG;AACtD,MAAA,OAAO;AAAA,QACN,OAAA,EAAS,KAAA;AAAA,QACT,MAAA,EAAQ,CAAA,oBAAA,EAAuB,OAAA,CAAQ,EAAE,CAAA,2CAAA;AAAA,OAC1C;AAAA,IACD;AAAA,EACD;AAEA,EAAA,OAAO,EAAE,SAAS,IAAA,EAAK;AACxB;AAEA,eAAe,cACd,EAAA,EACA,KAAA,EACA,OAAA,EACA,MAAA,EACA,WACA,OAAA,EACgB;AAChB,EAAA,MAAM,aAAa,IAAA,CAAK,KAAA,CAAM,WAAA,CAAY,GAAA,KAAQ,SAAS,CAAA;AAE3D,EAAA,MAAM,EAAA,CAAG,MAAA,CAAO,SAAS,CAAA,CAAE,MAAA,CAAO;AAAA,IACjC,EAAA,EAAI,OAAA;AAAA,IACJ,SAAS,KAAA,CAAM,EAAA;AAAA,IACf,QAAQ,KAAA,CAAM,OAAA;AAAA,IACd,QAAQ,OAAA,CAAQ,MAAA;AAAA,IAChB,UAAU,OAAA,CAAQ,QAAA;AAAA,IAClB,UAAA,EAAY,OAAA,CAAQ,SAAA,IAAa,EAAC;AAAA,IAClC,MAAA,EAAQ,MAAA,CAAO,OAAA,GAAU,SAAA,GAAY,QAAA;AAAA,IACrC,MAAA,EAAQ,OAAO,MAAA,IAAU,IAAA;AAAA,IACzB,UAAA;AAAA,IACA,SAAA,sBAAe,IAAA,EAAK;AAAA,IACpB,EAAA,EAAI,OAAA,CAAQ,OAAA,EAAS,EAAA,IAAM,IAAA;AAAA,IAC3B,SAAA,EAAW,OAAA,CAAQ,OAAA,EAAS,SAAA,IAAa;AAAA,GACzC,CAAA;AACF;;;AC7TO,IAAM,mBAAA,GAAsB;AAAA;AAAA,EAElC,QAAA,EAAU,CAAC,EAAE,QAAA,EAAU,KAAK,OAAA,EAAS,CAAC,MAAM,CAAA,EAAG,CAAA;AAAA;AAAA,EAG/C,SAAA,EAAW,CAAC,EAAE,QAAA,EAAU,GAAA,EAAK,SAAS,CAAC,MAAA,EAAQ,OAAO,CAAA,EAAG,CAAA;AAAA;AAAA,EAGzD,KAAA,EAAO,CAAC,EAAE,QAAA,EAAU,KAAK,OAAA,EAAS,CAAC,GAAG,CAAA,EAAG,CAAA;AAAA;AAAA,EAGzC,QAAA,EAAU,CAAC,EAAE,QAAA,EAAU,OAAA,EAAS,SAAS,CAAC,MAAA,EAAQ,SAAS,CAAA,EAAG,CAAA;AAAA;AAAA,EAG9D,OAAA,EAAS,CAAC,EAAE,QAAA,EAAU,OAAA,E
AAS,OAAA,EAAS,CAAC,MAAA,EAAQ,OAAA,EAAS,SAAS,CAAA,EAAG,CAAA;AAAA;AAAA,EAGtE,eAAA,EAAiB;AAAA,IAChB;AAAA,MACC,QAAA,EAAU,GAAA;AAAA,MACV,OAAA,EAAS,CAAC,MAAM,CAAA;AAAA,MAChB,WAAA,EAAa,EAAE,eAAA,EAAiB,GAAA;AAAI;AACrC,GACD;AAAA;AAAA,EAGA,gBAAA,EAAkB;AAAA,IACjB;AAAA,MACC,QAAA,EAAU,GAAA;AAAA,MACV,OAAA,EAAS,CAAC,GAAG,CAAA;AAAA,MACb,WAAA,EAAa,EAAE,eAAA,EAAiB,IAAA;AAAK;AACtC,GACD;AAAA;AAAA,EAGA,aAAA,EAAe;AAAA,IACd;AAAA,MACC,QAAA,EAAU,GAAA;AAAA,MACV,OAAA,EAAS,CAAC,MAAA,EAAQ,OAAA,EAAS,SAAS,CAAA;AAAA,MACpC,WAAA,EAAa,EAAE,UAAA,EAAY,EAAE,OAAO,OAAA,EAAS,GAAA,EAAK,SAAQ;AAAE;AAC7D;AAEF;AAQO,SAAS,sBAAsB,IAAA,EAA4C;AACjF,EAAA,OAAO,KAAK,KAAA,CAAM,IAAA,CAAK,UAAU,mBAAA,CAAoB,IAAI,CAAC,CAAC,CAAA;AAC5D","file":"chunk-O7VQ2LQE.js","sourcesContent":["import { and, eq, gte } from \"drizzle-orm\";\nimport { generateId } from \"../crypto/web-crypto.js\";\nimport type { Database } from \"../db/database.js\";\nimport { auditLogs, rateLimits } from \"../db/schema.js\";\nimport type {\n\tAgentIdentity,\n\tAuthorizeRequest,\n\tAuthorizeResult,\n\tPermissionConstraints,\n} from \"../types.js\";\n\ninterface PermissionEngineConfig {\n\tdb: Database;\n\tauditAll: boolean;\n}\n\n/**\n * Match a resource pattern against a requested resource.\n *\n * Supports wildcards:\n * - \"mcp:github:*\" matches \"mcp:github:create_issue\"\n * - \"tool:*\" matches \"tool:file_read\"\n * - \"*\" matches everything\n */\nfunction matchResource(pattern: string, resource: string): boolean {\n\tif (pattern === \"*\") return true;\n\n\tconst patternParts = pattern.split(\":\");\n\tconst resourceParts = resource.split(\":\");\n\n\tfor (let i = 0; i < patternParts.length; i++) {\n\t\tconst part = patternParts[i];\n\t\tif (part === \"*\") return true;\n\t\tif (part !== resourceParts[i]) return false;\n\t}\n\n\treturn patternParts.length === resourceParts.length;\n}\n\n/**\n * Check if an action is allowed by a permission's actions list.\n */\nfunction matchAction(allowedActions: string[], requestedAction: string): boolean 
{\n\treturn allowedActions.includes(requestedAction) || allowedActions.includes(\"*\");\n}\n\n/**\n * Parse an IPv4 address into a 32-bit integer.\n */\nfunction parseIPv4(ip: string): number | null {\n\tconst parts = ip.split(\".\");\n\tif (parts.length !== 4) return null;\n\tlet result = 0;\n\tfor (const part of parts) {\n\t\tconst num = parseInt(part, 10);\n\t\tif (Number.isNaN(num) || num < 0 || num > 255) return null;\n\t\tresult = (result << 8) | num;\n\t}\n\treturn result >>> 0;\n}\n\n/**\n * Check whether an IP matches a CIDR range or exact IP entry.\n * Supports both \"10.0.0.1\" and \"10.0.0.0/8\" notation (IPv4 only).\n */\nfunction matchesIPEntry(entry: string, ip: string): boolean {\n\tconst slashIndex = entry.indexOf(\"/\");\n\tif (slashIndex === -1) {\n\t\treturn entry === ip;\n\t}\n\n\tconst cidrIp = entry.slice(0, slashIndex);\n\tconst prefixLen = parseInt(entry.slice(slashIndex + 1), 10);\n\tif (Number.isNaN(prefixLen) || prefixLen < 0 || prefixLen > 32) return false;\n\n\tconst entryNum = parseIPv4(cidrIp);\n\tconst ipNum = parseIPv4(ip);\n\tif (entryNum === null || ipNum === null) return false;\n\n\tconst mask = prefixLen === 0 ? 
0 : (~0 << (32 - prefixLen)) >>> 0;\n\treturn (entryNum & mask) === (ipNum & mask);\n}\n\n/**\n * Check whether an IP is in the allowlist (exact IPs or CIDR ranges).\n */\nfunction isIPAllowed(allowlist: string[], ip: string): boolean {\n\treturn allowlist.some((entry) => matchesIPEntry(entry, ip));\n}\n\n/**\n * Validate argument patterns against the request arguments.\n */\nfunction validateArgPatterns(\n\tpatterns: string[],\n\targs: Record<string, unknown>,\n): { valid: boolean; reason?: string } {\n\tfor (const pattern of patterns) {\n\t\tconst regex = new RegExp(pattern);\n\t\t// Check all string arguments against the pattern\n\t\tfor (const [key, value] of Object.entries(args)) {\n\t\t\tif (typeof value === \"string\" && !regex.test(value)) {\n\t\t\t\treturn {\n\t\t\t\t\tvalid: false,\n\t\t\t\t\treason: `Argument \"${key}\" value \"${value}\" does not match pattern \"${pattern}\"`,\n\t\t\t\t};\n\t\t\t}\n\t\t}\n\t}\n\treturn { valid: true };\n}\n\n/**\n * Check rate limits for an agent on a specific resource.\n */\nasync function checkRateLimit(\n\tdb: Database,\n\tagentId: string,\n\tresource: string,\n\tmaxCallsPerHour: number,\n): Promise<{ allowed: boolean; reason?: string }> {\n\tconst oneHourAgo = new Date(Date.now() - 60 * 60 * 1000);\n\n\tconst rows = await db\n\t\t.select()\n\t\t.from(rateLimits)\n\t\t.where(\n\t\t\tand(\n\t\t\t\teq(rateLimits.agentId, agentId),\n\t\t\t\teq(rateLimits.resource, resource),\n\t\t\t\tgte(rateLimits.windowStart, oneHourAgo),\n\t\t\t),\n\t\t);\n\n\tconst totalCalls = rows.reduce((sum, r) => sum + r.count, 0);\n\n\tif (totalCalls >= maxCallsPerHour) {\n\t\treturn {\n\t\t\tallowed: false,\n\t\t\treason: `Rate limit exceeded: ${totalCalls}/${maxCallsPerHour} calls per hour for resource \"${resource}\"`,\n\t\t};\n\t}\n\n\t// Increment counter\n\tconst currentWindow = new Date(Math.floor(Date.now() / (5 * 60 * 1000)) * (5 * 60 * 1000)); // 5-min windows\n\tconst existing = rows.find((r) => r.windowStart.getTime() === 
currentWindow.getTime());\n\n\tif (existing) {\n\t\tawait db\n\t\t\t.update(rateLimits)\n\t\t\t.set({ count: existing.count + 1 })\n\t\t\t.where(eq(rateLimits.id, existing.id));\n\t} else {\n\t\tawait db.insert(rateLimits).values({\n\t\t\tid: generateId(),\n\t\t\tagentId,\n\t\t\tresource,\n\t\t\twindowStart: currentWindow,\n\t\t\tcount: 1,\n\t\t});\n\t}\n\n\treturn { allowed: true };\n}\n\n/**\n * Create the permission/authorization engine.\n */\nexport function createPermissionEngine(config: PermissionEngineConfig) {\n\tconst { db, auditAll } = config;\n\n\t/**\n\t * Check if an agent is authorized to perform an action.\n\t * This is the core authorization function.\n\t */\n\tasync function authorize(\n\t\tagent: AgentIdentity,\n\t\trequest: AuthorizeRequest,\n\t): Promise<AuthorizeResult> {\n\t\tconst startTime = performance.now();\n\t\tconst auditId = generateId();\n\n\t\t// Find matching permission\n\t\tconst matchingPermission = agent.permissions.find(\n\t\t\t(p) => matchResource(p.resource, request.resource) && matchAction(p.actions, request.action),\n\t\t);\n\n\t\tif (!matchingPermission) {\n\t\t\tconst result: AuthorizeResult = {\n\t\t\t\tallowed: false,\n\t\t\t\treason: `No permission grants agent \"${agent.name}\" access to \"${request.action}\" on \"${request.resource}\"`,\n\t\t\t\tauditId,\n\t\t\t};\n\t\t\tif (auditAll) {\n\t\t\t\tawait writeAuditLog(db, agent, request, result, startTime, auditId);\n\t\t\t}\n\t\t\treturn result;\n\t\t}\n\n\t\t// Check constraints\n\t\tif (matchingPermission.constraints) {\n\t\t\tconst constraintResult = await evaluateConstraints(\n\t\t\t\tdb,\n\t\t\t\tagent,\n\t\t\t\trequest,\n\t\t\t\tmatchingPermission.constraints,\n\t\t\t);\n\t\t\tif (!constraintResult.allowed) {\n\t\t\t\tconst result: AuthorizeResult = {\n\t\t\t\t\tallowed: false,\n\t\t\t\t\treason: constraintResult.reason,\n\t\t\t\t\tauditId,\n\t\t\t\t};\n\t\t\t\tif (auditAll) {\n\t\t\t\t\tawait writeAuditLog(db, agent, request, result, startTime, 
auditId);\n\t\t\t\t}\n\t\t\t\treturn result;\n\t\t\t}\n\t\t}\n\n\t\tconst result: AuthorizeResult = { allowed: true, auditId };\n\t\tif (auditAll) {\n\t\t\tawait writeAuditLog(db, agent, request, result, startTime, auditId);\n\t\t}\n\t\treturn result;\n\t}\n\n\treturn { authorize };\n}\n\nasync function evaluateConstraints(\n\tdb: Database,\n\tagent: AgentIdentity,\n\trequest: AuthorizeRequest,\n\tconstraints: PermissionConstraints,\n): Promise<{ allowed: boolean; reason?: string }> {\n\t// Rate limit check\n\tif (constraints.maxCallsPerHour) {\n\t\tconst rateResult = await checkRateLimit(\n\t\t\tdb,\n\t\t\tagent.id,\n\t\t\trequest.resource,\n\t\t\tconstraints.maxCallsPerHour,\n\t\t);\n\t\tif (!rateResult.allowed) {\n\t\t\treturn rateResult;\n\t\t}\n\t}\n\n\t// Argument pattern check\n\tif (constraints.allowedArgPatterns && request.arguments) {\n\t\tconst patternResult = validateArgPatterns(constraints.allowedArgPatterns, request.arguments);\n\t\tif (!patternResult.valid) {\n\t\t\treturn { allowed: false, reason: patternResult.reason };\n\t\t}\n\t}\n\n\t// Human-in-the-loop check\n\tif (constraints.requireApproval) {\n\t\treturn {\n\t\t\tallowed: false,\n\t\t\treason: \"This action requires human approval before execution\",\n\t\t};\n\t}\n\n\t// Time window check\n\tif (constraints.timeWindow) {\n\t\tconst now = new Date();\n\t\tconst hours = now.getHours();\n\t\tconst minutes = now.getMinutes();\n\t\tconst currentTime = `${String(hours).padStart(2, \"0\")}:${String(minutes).padStart(2, \"0\")}`;\n\n\t\tif (currentTime < constraints.timeWindow.start || currentTime > constraints.timeWindow.end) {\n\t\t\treturn {\n\t\t\t\tallowed: false,\n\t\t\t\treason: `Action is only allowed between ${constraints.timeWindow.start} and ${constraints.timeWindow.end}`,\n\t\t\t};\n\t\t}\n\t}\n\n\t// IP allowlist check\n\tif (constraints.ipAllowlist && constraints.ipAllowlist.length > 0) {\n\t\tif (!request.ip) {\n\t\t\treturn {\n\t\t\t\tallowed: false,\n\t\t\t\treason: 
\"IP_NOT_ALLOWED: No IP address provided; resource requires an IP allowlist match\",\n\t\t\t};\n\t\t}\n\t\tif (!isIPAllowed(constraints.ipAllowlist, request.ip)) {\n\t\t\treturn {\n\t\t\t\tallowed: false,\n\t\t\t\treason: `IP_NOT_ALLOWED: IP \"${request.ip}\" is not in the allowlist for this resource`,\n\t\t\t};\n\t\t}\n\t}\n\n\treturn { allowed: true };\n}\n\nasync function writeAuditLog(\n\tdb: Database,\n\tagent: AgentIdentity,\n\trequest: AuthorizeRequest,\n\tresult: AuthorizeResult,\n\tstartTime: number,\n\tauditId: string,\n): Promise<void> {\n\tconst durationMs = Math.round(performance.now() - startTime);\n\n\tawait db.insert(auditLogs).values({\n\t\tid: auditId,\n\t\tagentId: agent.id,\n\t\tuserId: agent.ownerId,\n\t\taction: request.action,\n\t\tresource: request.resource,\n\t\tparameters: request.arguments ?? {},\n\t\tresult: result.allowed ? \"allowed\" : \"denied\",\n\t\treason: result.reason ?? null,\n\t\tdurationMs,\n\t\ttimestamp: new Date(),\n\t\tip: request.context?.ip ?? null,\n\t\tuserAgent: request.context?.userAgent ?? 
null,\n\t});\n}\n","import type { Permission } from \"../types.js\";\n\n/**\n * Pre-built permission templates for common access patterns.\n * Use these as starting points when creating agents.\n */\nexport const permissionTemplates = {\n\t/** Read-only access to all resources */\n\treadonly: [{ resource: \"*\", actions: [\"read\"] }] satisfies Permission[],\n\n\t/** Read and write access to all resources */\n\treadwrite: [{ resource: \"*\", actions: [\"read\", \"write\"] }] satisfies Permission[],\n\n\t/** Full access to all resources and actions */\n\tadmin: [{ resource: \"*\", actions: [\"*\"] }] satisfies Permission[],\n\n\t/** Standard MCP tool access - read + execute */\n\tmcpBasic: [{ resource: \"mcp:*\", actions: [\"read\", \"execute\"] }] satisfies Permission[],\n\n\t/** MCP tool access with write - read + write + execute */\n\tmcpFull: [{ resource: \"mcp:*\", actions: [\"read\", \"write\", \"execute\"] }] satisfies Permission[],\n\n\t/** Rate-limited read access (100 calls/hour) */\n\trateLimitedRead: [\n\t\t{\n\t\t\tresource: \"*\",\n\t\t\tactions: [\"read\"],\n\t\t\tconstraints: { maxCallsPerHour: 100 },\n\t\t},\n\t] satisfies Permission[],\n\n\t/** Approval-required access (human-in-the-loop for everything) */\n\tapprovalRequired: [\n\t\t{\n\t\t\tresource: \"*\",\n\t\t\tactions: [\"*\"],\n\t\t\tconstraints: { requireApproval: true },\n\t\t},\n\t] satisfies Permission[],\n\n\t/** Business hours only access (9am-5pm) */\n\tbusinessHours: [\n\t\t{\n\t\t\tresource: \"*\",\n\t\t\tactions: [\"read\", \"write\", \"execute\"],\n\t\t\tconstraints: { timeWindow: { start: \"09:00\", end: \"17:00\" } },\n\t\t},\n\t] satisfies Permission[],\n} as const;\n\nexport type PermissionTemplateName = keyof typeof permissionTemplates;\n\n/**\n * Get a permission template by name.\n * Returns a fresh copy of the permissions array.\n */\nexport function getPermissionTemplate(name: PermissionTemplateName): Permission[] {\n\treturn 
JSON.parse(JSON.stringify(permissionTemplates[name])) as Permission[];\n}\n"]}
1
+ {"version":3,"sources":["../src/permission/engine.ts","../src/permission/templates.ts"],"names":["result"],"mappings":";;;;AAwBA,SAAS,aAAA,CAAc,SAAiB,QAAA,EAA2B;AAClE,EAAA,IAAI,OAAA,KAAY,KAAK,OAAO,IAAA;AAE5B,EAAA,MAAM,YAAA,GAAe,OAAA,CAAQ,KAAA,CAAM,GAAG,CAAA;AACtC,EAAA,MAAM,aAAA,GAAgB,QAAA,CAAS,KAAA,CAAM,GAAG,CAAA;AAExC,EAAA,KAAA,IAAS,CAAA,GAAI,CAAA,EAAG,CAAA,GAAI,YAAA,CAAa,QAAQ,CAAA,EAAA,EAAK;AAC7C,IAAA,MAAM,IAAA,GAAO,aAAa,CAAC,CAAA;AAC3B,IAAA,IAAI,IAAA,KAAS,KAAK,OAAO,IAAA;AACzB,IAAA,IAAI,IAAA,KAAS,aAAA,CAAc,CAAC,CAAA,EAAG,OAAO,KAAA;AAAA,EACvC;AAEA,EAAA,OAAO,YAAA,CAAa,WAAW,aAAA,CAAc,MAAA;AAC9C;AAKA,SAAS,WAAA,CAAY,gBAA0B,eAAA,EAAkC;AAChF,EAAA,OAAO,eAAe,QAAA,CAAS,eAAe,CAAA,IAAK,cAAA,CAAe,SAAS,GAAG,CAAA;AAC/E;AAKA,SAAS,UAAU,EAAA,EAA2B;AAC7C,EAAA,MAAM,KAAA,GAAQ,EAAA,CAAG,KAAA,CAAM,GAAG,CAAA;AAC1B,EAAA,IAAI,KAAA,CAAM,MAAA,KAAW,CAAA,EAAG,OAAO,IAAA;AAC/B,EAAA,IAAI,MAAA,GAAS,CAAA;AACb,EAAA,KAAA,MAAW,QAAQ,KAAA,EAAO;AACzB,IAAA,MAAM,GAAA,GAAM,QAAA,CAAS,IAAA,EAAM,EAAE,CAAA;AAC7B,IAAA,IAAI,MAAA,CAAO,MAAM,GAAG,CAAA,IAAK,MAAM,CAAA,IAAK,GAAA,GAAM,KAAK,OAAO,IAAA;AACtD,IAAA,MAAA,GAAU,UAAU,CAAA,GAAK,GAAA;AAAA,EAC1B;AACA,EAAA,OAAO,MAAA,KAAW,CAAA;AACnB;AAMA,SAAS,cAAA,CAAe,OAAe,EAAA,EAAqB;AAC3D,EAAA,MAAM,UAAA,GAAa,KAAA,CAAM,OAAA,CAAQ,GAAG,CAAA;AACpC,EAAA,IAAI,eAAe,EAAA,EAAI;AACtB,IAAA,OAAO,KAAA,KAAU,EAAA;AAAA,EAClB;AAEA,EAAA,MAAM,MAAA,GAAS,KAAA,CAAM,KAAA,CAAM,CAAA,EAAG,UAAU,CAAA;AACxC,EAAA,MAAM,YAAY,QAAA,CAAS,KAAA,CAAM,MAAM,UAAA,GAAa,CAAC,GAAG,EAAE,CAAA;AAC1D,EAAA,IAAI,MAAA,CAAO,MAAM,SAAS,CAAA,IAAK,YAAY,CAAA,IAAK,SAAA,GAAY,IAAI,OAAO,KAAA;AAEvE,EAAA,MAAM,QAAA,GAAW,UAAU,MAAM,CAAA;AACjC,EAAA,MAAM,KAAA,GAAQ,UAAU,EAAE,CAAA;AAC1B,EAAA,IAAI,QAAA,KAAa,IAAA,IAAQ,KAAA,KAAU,IAAA,EAAM,OAAO,KAAA;AAEhD,EAAA,MAAM,OAAO,SAAA,KAAc,CAAA,GAAI,IAAK,EAAC,IAAM,KAAK,SAAA,KAAgB,CAAA;AAChE,EAAA,OAAA,CAAQ,QAAA,GAAW,WAAW,KAAA,GAAQ,IAAA,CAAA;AACvC;AAKA,SAAS,WAAA,CAAY,WAAqB,EAAA,EAAqB;AAC9D,EAAA,OAAO,UAAU,IAAA,CAAK,CAAC,UAAU,cAAA,CAAe,KAAA,EAAO,EAAE,CAAC,CAAA;AAC3D;AAKA,SAAS,mBAAA,CACR,UACA,IAAA,EACsC;AACtC,EAAA,KA
AA,MAAW,WAAW,QAAA,EAAU;AAC/B,IAAA,MAAM,KAAA,GAAQ,IAAI,MAAA,CAAO,OAAO,CAAA;AAEhC,IAAA,KAAA,MAAW,CAAC,GAAA,EAAK,KAAK,KAAK,MAAA,CAAO,OAAA,CAAQ,IAAI,CAAA,EAAG;AAChD,MAAA,IAAI,OAAO,KAAA,KAAU,QAAA,IAAY,CAAC,KAAA,CAAM,IAAA,CAAK,KAAK,CAAA,EAAG;AACpD,QAAA,OAAO;AAAA,UACN,KAAA,EAAO,KAAA;AAAA,UACP,QAAQ,CAAA,UAAA,EAAa,GAAG,CAAA,SAAA,EAAY,KAAK,6BAA6B,OAAO,CAAA,CAAA;AAAA,SAC9E;AAAA,MACD;AAAA,IACD;AAAA,EACD;AACA,EAAA,OAAO,EAAE,OAAO,IAAA,EAAK;AACtB;AAKA,eAAe,cAAA,CACd,EAAA,EACA,OAAA,EACA,QAAA,EACA,eAAA,EACiD;AACjD,EAAA,MAAM,UAAA,GAAa,IAAI,IAAA,CAAK,IAAA,CAAK,KAAI,GAAI,EAAA,GAAK,KAAK,GAAI,CAAA;AAEvD,EAAA,MAAM,OAAO,MAAM,EAAA,CACjB,QAAO,CACP,IAAA,CAAK,UAAU,CAAA,CACf,KAAA;AAAA,IACA,GAAA;AAAA,MACC,EAAA,CAAG,UAAA,CAAW,OAAA,EAAS,OAAO,CAAA;AAAA,MAC9B,EAAA,CAAG,UAAA,CAAW,QAAA,EAAU,QAAQ,CAAA;AAAA,MAChC,GAAA,CAAI,UAAA,CAAW,WAAA,EAAa,UAAU;AAAA;AACvC,GACD;AAED,EAAA,MAAM,UAAA,GAAa,KAAK,MAAA,CAAO,CAAC,KAAK,CAAA,KAAM,GAAA,GAAM,CAAA,CAAE,KAAA,EAAO,CAAC,CAAA;AAE3D,EAAA,IAAI,cAAc,eAAA,EAAiB;AAClC,IAAA,OAAO;AAAA,MACN,OAAA,EAAS,KAAA;AAAA,MACT,QAAQ,CAAA,qBAAA,EAAwB,UAAU,CAAA,CAAA,EAAI,eAAe,iCAAiC,QAAQ,CAAA,CAAA;AAAA,KACvG;AAAA,EACD;AAGA,EAAA,MAAM,aAAA,GAAgB,IAAI,IAAA,CAAK,IAAA,CAAK,MAAM,IAAA,CAAK,GAAA,EAAI,IAAK,CAAA,GAAI,EAAA,GAAK,GAAA,CAAK,CAAA,IAAK,CAAA,GAAI,KAAK,GAAA,CAAK,CAAA;AACzF,EAAA,MAAM,QAAA,GAAW,IAAA,CAAK,IAAA,CAAK,CAAC,CAAA,KAAM,CAAA,CAAE,WAAA,CAAY,OAAA,EAAQ,KAAM,aAAA,CAAc,OAAA,EAAS,CAAA;AAErF,EAAA,IAAI,QAAA,EAAU;AACb,IAAA,MAAM,GACJ,MAAA,CAAO,UAAU,EACjB,GAAA,CAAI,EAAE,OAAO,QAAA,CAAS,KAAA,GAAQ,CAAA,EAAG,EACjC,KAAA,CAAM,EAAA,CAAG,WAAW,EAAA,EAAI,QAAA,CAAS,EAAE,CAAC,CAAA;AAAA,EACvC,CAAA,MAAO;AACN,IAAA,MAAM,EAAA,CAAG,MAAA,CAAO,UAAU,CAAA,CAAE,MAAA,CAAO;AAAA,MAClC,IAAI,UAAA,EAAW;AAAA,MACf,OAAA;AAAA,MACA,QAAA;AAAA,MACA,WAAA,EAAa,aAAA;AAAA,MACb,KAAA,EAAO;AAAA,KACP,CAAA;AAAA,EACF;AAEA,EAAA,OAAO,EAAE,SAAS,IAAA,EAAK;AACxB;AAKO,SAAS,uBAAuB,MAAA,EAAgC;AACtE,EAAA,MAAM,EAAE,EAAA,EAAI,QAAA,EAAS,GAAI,MAAA;AAMzB,EAAA,eAAe,SAAA,CACd,OACA,OAAA,EAC2B;AAC3B,IAAA,MAAM,SAAA,GAAY,YAAY,GAAA,EAAI;AAClC,IAAA,MAAM,UAAU,UAA
A,EAAW;AAG3B,IAAA,MAAM,kBAAA,GAAqB,MAAM,WAAA,CAAY,IAAA;AAAA,MAC5C,CAAC,CAAA,KAAM,aAAA,CAAc,CAAA,CAAE,QAAA,EAAU,OAAA,CAAQ,QAAQ,CAAA,IAAK,WAAA,CAAY,CAAA,CAAE,OAAA,EAAS,OAAA,CAAQ,MAAM;AAAA,KAC5F;AAEA,IAAA,IAAI,CAAC,kBAAA,EAAoB;AACxB,MAAA,MAAMA,OAAAA,GAA0B;AAAA,QAC/B,OAAA,EAAS,KAAA;AAAA,QACT,MAAA,EAAQ,+BAA+B,KAAA,CAAM,IAAI,gBAAgB,OAAA,CAAQ,MAAM,CAAA,MAAA,EAAS,OAAA,CAAQ,QAAQ,CAAA,CAAA,CAAA;AAAA,QACxG;AAAA,OACD;AACA,MAAA,IAAI,QAAA,EAAU;AACb,QAAA,MAAM,cAAc,EAAA,EAAI,KAAA,EAAO,OAAA,EAASA,OAAAA,EAAQ,WAAW,OAAO,CAAA;AAAA,MACnE;AACA,MAAA,OAAOA,OAAAA;AAAA,IACR;AAGA,IAAA,IAAI,mBAAmB,WAAA,EAAa;AACnC,MAAA,MAAM,mBAAmB,MAAM,mBAAA;AAAA,QAC9B,EAAA;AAAA,QACA,KAAA;AAAA,QACA,OAAA;AAAA,QACA,kBAAA,CAAmB;AAAA,OACpB;AACA,MAAA,IAAI,CAAC,iBAAiB,OAAA,EAAS;AAC9B,QAAA,MAAMA,OAAAA,GAA0B;AAAA,UAC/B,OAAA,EAAS,KAAA;AAAA,UACT,QAAQ,gBAAA,CAAiB,MAAA;AAAA,UACzB;AAAA,SACD;AACA,QAAA,IAAI,QAAA,EAAU;AACb,UAAA,MAAM,cAAc,EAAA,EAAI,KAAA,EAAO,OAAA,EAASA,OAAAA,EAAQ,WAAW,OAAO,CAAA;AAAA,QACnE;AACA,QAAA,OAAOA,OAAAA;AAAA,MACR;AAAA,IACD;AAEA,IAAA,MAAM,MAAA,GAA0B,EAAE,OAAA,EAAS,IAAA,EAAM,OAAA,EAAQ;AACzD,IAAA,IAAI,QAAA,EAAU;AACb,MAAA,MAAM,cAAc,EAAA,EAAI,KAAA,EAAO,OAAA,EAAS,MAAA,EAAQ,WAAW,OAAO,CAAA;AAAA,IACnE;AACA,IAAA,OAAO,MAAA;AAAA,EACR;AAEA,EAAA,OAAO,EAAE,SAAA,EAAU;AACpB;AAEA,eAAe,mBAAA,CACd,EAAA,EACA,KAAA,EACA,OAAA,EACA,WAAA,EACiD;AAEjD,EAAA,IAAI,YAAY,eAAA,EAAiB;AAChC,IAAA,MAAM,aAAa,MAAM,cAAA;AAAA,MACxB,EAAA;AAAA,MACA,KAAA,CAAM,EAAA;AAAA,MACN,OAAA,CAAQ,QAAA;AAAA,MACR,WAAA,CAAY;AAAA,KACb;AACA,IAAA,IAAI,CAAC,WAAW,OAAA,EAAS;AACxB,MAAA,OAAO,UAAA;AAAA,IACR;AAAA,EACD;AAGA,EAAA,IAAI,WAAA,CAAY,kBAAA,IAAsB,OAAA,CAAQ,SAAA,EAAW;AACxD,IAAA,MAAM,aAAA,GAAgB,mBAAA,CAAoB,WAAA,CAAY,kBAAA,EAAoB,QAAQ,SAAS,CAAA;AAC3F,IAAA,IAAI,CAAC,cAAc,KAAA,EAAO;AACzB,MAAA,OAAO,EAAE,OAAA,EAAS,KAAA,EAAO,MAAA,EAAQ,cAAc,MAAA,EAAO;AAAA,IACvD;AAAA,EACD;AAGA,EAAA,IAAI,YAAY,eAAA,EAAiB;AAChC,IAAA,OAAO;AAAA,MACN,OAAA,EAAS,KAAA;AAAA,MACT,MAAA,EAAQ;AAAA,KACT;AAAA,EACD;AAGA,EAAA,IAAI,YAAY,UAAA,EAAY;AAC3B,IAAA,MAAM,GAAA,uBAAU,IAAA,EAAK;AACrB,IAAA,MAAM,KAAA,GAAQ,IAAI
,QAAA,EAAS;AAC3B,IAAA,MAAM,OAAA,GAAU,IAAI,UAAA,EAAW;AAC/B,IAAA,MAAM,cAAc,CAAA,EAAG,MAAA,CAAO,KAAK,CAAA,CAAE,SAAS,CAAA,EAAG,GAAG,CAAC,CAAA,CAAA,EAAI,OAAO,OAAO,CAAA,CAAE,QAAA,CAAS,CAAA,EAAG,GAAG,CAAC,CAAA,CAAA;AAEzF,IAAA,IAAI,cAAc,WAAA,CAAY,UAAA,CAAW,SAAS,WAAA,GAAc,WAAA,CAAY,WAAW,GAAA,EAAK;AAC3F,MAAA,OAAO;AAAA,QACN,OAAA,EAAS,KAAA;AAAA,QACT,MAAA,EAAQ,kCAAkC,WAAA,CAAY,UAAA,CAAW,KAAK,CAAA,KAAA,EAAQ,WAAA,CAAY,WAAW,GAAG,CAAA;AAAA,OACzG;AAAA,IACD;AAAA,EACD;AAGA,EAAA,IAAI,WAAA,CAAY,WAAA,IAAe,WAAA,CAAY,WAAA,CAAY,SAAS,CAAA,EAAG;AAClE,IAAA,IAAI,CAAC,QAAQ,EAAA,EAAI;AAChB,MAAA,OAAO;AAAA,QACN,OAAA,EAAS,KAAA;AAAA,QACT,MAAA,EAAQ;AAAA,OACT;AAAA,IACD;AACA,IAAA,IAAI,CAAC,WAAA,CAAY,WAAA,CAAY,WAAA,EAAa,OAAA,CAAQ,EAAE,CAAA,EAAG;AACtD,MAAA,OAAO;AAAA,QACN,OAAA,EAAS,KAAA;AAAA,QACT,MAAA,EAAQ,CAAA,oBAAA,EAAuB,OAAA,CAAQ,EAAE,CAAA,2CAAA;AAAA,OAC1C;AAAA,IACD;AAAA,EACD;AAEA,EAAA,OAAO,EAAE,SAAS,IAAA,EAAK;AACxB;AAEA,eAAe,cACd,EAAA,EACA,KAAA,EACA,OAAA,EACA,MAAA,EACA,WACA,OAAA,EACgB;AAChB,EAAA,MAAM,aAAa,IAAA,CAAK,KAAA,CAAM,WAAA,CAAY,GAAA,KAAQ,SAAS,CAAA;AAE3D,EAAA,MAAM,EAAA,CAAG,MAAA,CAAO,SAAS,CAAA,CAAE,MAAA,CAAO;AAAA,IACjC,EAAA,EAAI,OAAA;AAAA,IACJ,SAAS,KAAA,CAAM,EAAA;AAAA,IACf,QAAQ,KAAA,CAAM,OAAA;AAAA,IACd,QAAQ,OAAA,CAAQ,MAAA;AAAA,IAChB,UAAU,OAAA,CAAQ,QAAA;AAAA,IAClB,UAAA,EAAY,OAAA,CAAQ,SAAA,IAAa,EAAC;AAAA,IAClC,MAAA,EAAQ,MAAA,CAAO,OAAA,GAAU,SAAA,GAAY,QAAA;AAAA,IACrC,MAAA,EAAQ,OAAO,MAAA,IAAU,IAAA;AAAA,IACzB,UAAA;AAAA,IACA,SAAA,sBAAe,IAAA,EAAK;AAAA,IACpB,EAAA,EAAI,OAAA,CAAQ,OAAA,EAAS,EAAA,IAAM,IAAA;AAAA,IAC3B,SAAA,EAAW,OAAA,CAAQ,OAAA,EAAS,SAAA,IAAa;AAAA,GACzC,CAAA;AACF;;;AC7TO,IAAM,mBAAA,GAAsB;AAAA;AAAA,EAElC,QAAA,EAAU,CAAC,EAAE,QAAA,EAAU,KAAK,OAAA,EAAS,CAAC,MAAM,CAAA,EAAG,CAAA;AAAA;AAAA,EAG/C,SAAA,EAAW,CAAC,EAAE,QAAA,EAAU,GAAA,EAAK,SAAS,CAAC,MAAA,EAAQ,OAAO,CAAA,EAAG,CAAA;AAAA;AAAA,EAGzD,KAAA,EAAO,CAAC,EAAE,QAAA,EAAU,KAAK,OAAA,EAAS,CAAC,GAAG,CAAA,EAAG,CAAA;AAAA;AAAA,EAGzC,QAAA,EAAU,CAAC,EAAE,QAAA,EAAU,OAAA,EAAS,SAAS,CAAC,MAAA,EAAQ,SAAS,CAAA,EAAG,CAAA;AAAA;AAAA,EAG9D,OAAA,EAAS,CAAC,EAAE,QAAA,EAAU,OAAA,E
AAS,OAAA,EAAS,CAAC,MAAA,EAAQ,OAAA,EAAS,SAAS,CAAA,EAAG,CAAA;AAAA;AAAA,EAGtE,eAAA,EAAiB;AAAA,IAChB;AAAA,MACC,QAAA,EAAU,GAAA;AAAA,MACV,OAAA,EAAS,CAAC,MAAM,CAAA;AAAA,MAChB,WAAA,EAAa,EAAE,eAAA,EAAiB,GAAA;AAAI;AACrC,GACD;AAAA;AAAA,EAGA,gBAAA,EAAkB;AAAA,IACjB;AAAA,MACC,QAAA,EAAU,GAAA;AAAA,MACV,OAAA,EAAS,CAAC,GAAG,CAAA;AAAA,MACb,WAAA,EAAa,EAAE,eAAA,EAAiB,IAAA;AAAK;AACtC,GACD;AAAA;AAAA,EAGA,aAAA,EAAe;AAAA,IACd;AAAA,MACC,QAAA,EAAU,GAAA;AAAA,MACV,OAAA,EAAS,CAAC,MAAA,EAAQ,OAAA,EAAS,SAAS,CAAA;AAAA,MACpC,WAAA,EAAa,EAAE,UAAA,EAAY,EAAE,OAAO,OAAA,EAAS,GAAA,EAAK,SAAQ;AAAE;AAC7D;AAEF;AAQO,SAAS,sBAAsB,IAAA,EAA4C;AACjF,EAAA,OAAO,KAAK,KAAA,CAAM,IAAA,CAAK,UAAU,mBAAA,CAAoB,IAAI,CAAC,CAAC,CAAA;AAC5D","file":"chunk-VHKZARMM.js","sourcesContent":["import { and, eq, gte } from \"drizzle-orm\";\nimport { generateId } from \"../crypto/web-crypto.js\";\nimport type { Database } from \"../db/database.js\";\nimport { auditLogs, rateLimits } from \"../db/schema.js\";\nimport type {\n\tAgentIdentity,\n\tAuthorizeRequest,\n\tAuthorizeResult,\n\tPermissionConstraints,\n} from \"../types.js\";\n\ninterface PermissionEngineConfig {\n\tdb: Database;\n\tauditAll: boolean;\n}\n\n/**\n * Match a resource pattern against a requested resource.\n *\n * Supports wildcards:\n * - \"mcp:github:*\" matches \"mcp:github:create_issue\"\n * - \"tool:*\" matches \"tool:file_read\"\n * - \"*\" matches everything\n */\nfunction matchResource(pattern: string, resource: string): boolean {\n\tif (pattern === \"*\") return true;\n\n\tconst patternParts = pattern.split(\":\");\n\tconst resourceParts = resource.split(\":\");\n\n\tfor (let i = 0; i < patternParts.length; i++) {\n\t\tconst part = patternParts[i];\n\t\tif (part === \"*\") return true;\n\t\tif (part !== resourceParts[i]) return false;\n\t}\n\n\treturn patternParts.length === resourceParts.length;\n}\n\n/**\n * Check if an action is allowed by a permission's actions list.\n */\nfunction matchAction(allowedActions: string[], requestedAction: string): boolean 
{\n\treturn allowedActions.includes(requestedAction) || allowedActions.includes(\"*\");\n}\n\n/**\n * Parse an IPv4 address into a 32-bit integer.\n */\nfunction parseIPv4(ip: string): number | null {\n\tconst parts = ip.split(\".\");\n\tif (parts.length !== 4) return null;\n\tlet result = 0;\n\tfor (const part of parts) {\n\t\tconst num = parseInt(part, 10);\n\t\tif (Number.isNaN(num) || num < 0 || num > 255) return null;\n\t\tresult = (result << 8) | num;\n\t}\n\treturn result >>> 0;\n}\n\n/**\n * Check whether an IP matches a CIDR range or exact IP entry.\n * Supports both \"10.0.0.1\" and \"10.0.0.0/8\" notation (IPv4 only).\n */\nfunction matchesIPEntry(entry: string, ip: string): boolean {\n\tconst slashIndex = entry.indexOf(\"/\");\n\tif (slashIndex === -1) {\n\t\treturn entry === ip;\n\t}\n\n\tconst cidrIp = entry.slice(0, slashIndex);\n\tconst prefixLen = parseInt(entry.slice(slashIndex + 1), 10);\n\tif (Number.isNaN(prefixLen) || prefixLen < 0 || prefixLen > 32) return false;\n\n\tconst entryNum = parseIPv4(cidrIp);\n\tconst ipNum = parseIPv4(ip);\n\tif (entryNum === null || ipNum === null) return false;\n\n\tconst mask = prefixLen === 0 ? 
0 : (~0 << (32 - prefixLen)) >>> 0;\n\treturn (entryNum & mask) === (ipNum & mask);\n}\n\n/**\n * Check whether an IP is in the allowlist (exact IPs or CIDR ranges).\n */\nfunction isIPAllowed(allowlist: string[], ip: string): boolean {\n\treturn allowlist.some((entry) => matchesIPEntry(entry, ip));\n}\n\n/**\n * Validate argument patterns against the request arguments.\n */\nfunction validateArgPatterns(\n\tpatterns: string[],\n\targs: Record<string, unknown>,\n): { valid: boolean; reason?: string } {\n\tfor (const pattern of patterns) {\n\t\tconst regex = new RegExp(pattern);\n\t\t// Check all string arguments against the pattern\n\t\tfor (const [key, value] of Object.entries(args)) {\n\t\t\tif (typeof value === \"string\" && !regex.test(value)) {\n\t\t\t\treturn {\n\t\t\t\t\tvalid: false,\n\t\t\t\t\treason: `Argument \"${key}\" value \"${value}\" does not match pattern \"${pattern}\"`,\n\t\t\t\t};\n\t\t\t}\n\t\t}\n\t}\n\treturn { valid: true };\n}\n\n/**\n * Check rate limits for an agent on a specific resource.\n */\nasync function checkRateLimit(\n\tdb: Database,\n\tagentId: string,\n\tresource: string,\n\tmaxCallsPerHour: number,\n): Promise<{ allowed: boolean; reason?: string }> {\n\tconst oneHourAgo = new Date(Date.now() - 60 * 60 * 1000);\n\n\tconst rows = await db\n\t\t.select()\n\t\t.from(rateLimits)\n\t\t.where(\n\t\t\tand(\n\t\t\t\teq(rateLimits.agentId, agentId),\n\t\t\t\teq(rateLimits.resource, resource),\n\t\t\t\tgte(rateLimits.windowStart, oneHourAgo),\n\t\t\t),\n\t\t);\n\n\tconst totalCalls = rows.reduce((sum, r) => sum + r.count, 0);\n\n\tif (totalCalls >= maxCallsPerHour) {\n\t\treturn {\n\t\t\tallowed: false,\n\t\t\treason: `Rate limit exceeded: ${totalCalls}/${maxCallsPerHour} calls per hour for resource \"${resource}\"`,\n\t\t};\n\t}\n\n\t// Increment counter\n\tconst currentWindow = new Date(Math.floor(Date.now() / (5 * 60 * 1000)) * (5 * 60 * 1000)); // 5-min windows\n\tconst existing = rows.find((r) => r.windowStart.getTime() === 
currentWindow.getTime());\n\n\tif (existing) {\n\t\tawait db\n\t\t\t.update(rateLimits)\n\t\t\t.set({ count: existing.count + 1 })\n\t\t\t.where(eq(rateLimits.id, existing.id));\n\t} else {\n\t\tawait db.insert(rateLimits).values({\n\t\t\tid: generateId(),\n\t\t\tagentId,\n\t\t\tresource,\n\t\t\twindowStart: currentWindow,\n\t\t\tcount: 1,\n\t\t});\n\t}\n\n\treturn { allowed: true };\n}\n\n/**\n * Create the permission/authorization engine.\n */\nexport function createPermissionEngine(config: PermissionEngineConfig) {\n\tconst { db, auditAll } = config;\n\n\t/**\n\t * Check if an agent is authorized to perform an action.\n\t * This is the core authorization function.\n\t */\n\tasync function authorize(\n\t\tagent: AgentIdentity,\n\t\trequest: AuthorizeRequest,\n\t): Promise<AuthorizeResult> {\n\t\tconst startTime = performance.now();\n\t\tconst auditId = generateId();\n\n\t\t// Find matching permission\n\t\tconst matchingPermission = agent.permissions.find(\n\t\t\t(p) => matchResource(p.resource, request.resource) && matchAction(p.actions, request.action),\n\t\t);\n\n\t\tif (!matchingPermission) {\n\t\t\tconst result: AuthorizeResult = {\n\t\t\t\tallowed: false,\n\t\t\t\treason: `No permission grants agent \"${agent.name}\" access to \"${request.action}\" on \"${request.resource}\"`,\n\t\t\t\tauditId,\n\t\t\t};\n\t\t\tif (auditAll) {\n\t\t\t\tawait writeAuditLog(db, agent, request, result, startTime, auditId);\n\t\t\t}\n\t\t\treturn result;\n\t\t}\n\n\t\t// Check constraints\n\t\tif (matchingPermission.constraints) {\n\t\t\tconst constraintResult = await evaluateConstraints(\n\t\t\t\tdb,\n\t\t\t\tagent,\n\t\t\t\trequest,\n\t\t\t\tmatchingPermission.constraints,\n\t\t\t);\n\t\t\tif (!constraintResult.allowed) {\n\t\t\t\tconst result: AuthorizeResult = {\n\t\t\t\t\tallowed: false,\n\t\t\t\t\treason: constraintResult.reason,\n\t\t\t\t\tauditId,\n\t\t\t\t};\n\t\t\t\tif (auditAll) {\n\t\t\t\t\tawait writeAuditLog(db, agent, request, result, startTime, 
auditId);\n\t\t\t\t}\n\t\t\t\treturn result;\n\t\t\t}\n\t\t}\n\n\t\tconst result: AuthorizeResult = { allowed: true, auditId };\n\t\tif (auditAll) {\n\t\t\tawait writeAuditLog(db, agent, request, result, startTime, auditId);\n\t\t}\n\t\treturn result;\n\t}\n\n\treturn { authorize };\n}\n\nasync function evaluateConstraints(\n\tdb: Database,\n\tagent: AgentIdentity,\n\trequest: AuthorizeRequest,\n\tconstraints: PermissionConstraints,\n): Promise<{ allowed: boolean; reason?: string }> {\n\t// Rate limit check\n\tif (constraints.maxCallsPerHour) {\n\t\tconst rateResult = await checkRateLimit(\n\t\t\tdb,\n\t\t\tagent.id,\n\t\t\trequest.resource,\n\t\t\tconstraints.maxCallsPerHour,\n\t\t);\n\t\tif (!rateResult.allowed) {\n\t\t\treturn rateResult;\n\t\t}\n\t}\n\n\t// Argument pattern check\n\tif (constraints.allowedArgPatterns && request.arguments) {\n\t\tconst patternResult = validateArgPatterns(constraints.allowedArgPatterns, request.arguments);\n\t\tif (!patternResult.valid) {\n\t\t\treturn { allowed: false, reason: patternResult.reason };\n\t\t}\n\t}\n\n\t// Human-in-the-loop check\n\tif (constraints.requireApproval) {\n\t\treturn {\n\t\t\tallowed: false,\n\t\t\treason: \"This action requires human approval before execution\",\n\t\t};\n\t}\n\n\t// Time window check\n\tif (constraints.timeWindow) {\n\t\tconst now = new Date();\n\t\tconst hours = now.getHours();\n\t\tconst minutes = now.getMinutes();\n\t\tconst currentTime = `${String(hours).padStart(2, \"0\")}:${String(minutes).padStart(2, \"0\")}`;\n\n\t\tif (currentTime < constraints.timeWindow.start || currentTime > constraints.timeWindow.end) {\n\t\t\treturn {\n\t\t\t\tallowed: false,\n\t\t\t\treason: `Action is only allowed between ${constraints.timeWindow.start} and ${constraints.timeWindow.end}`,\n\t\t\t};\n\t\t}\n\t}\n\n\t// IP allowlist check\n\tif (constraints.ipAllowlist && constraints.ipAllowlist.length > 0) {\n\t\tif (!request.ip) {\n\t\t\treturn {\n\t\t\t\tallowed: false,\n\t\t\t\treason: 
\"IP_NOT_ALLOWED: No IP address provided; resource requires an IP allowlist match\",\n\t\t\t};\n\t\t}\n\t\tif (!isIPAllowed(constraints.ipAllowlist, request.ip)) {\n\t\t\treturn {\n\t\t\t\tallowed: false,\n\t\t\t\treason: `IP_NOT_ALLOWED: IP \"${request.ip}\" is not in the allowlist for this resource`,\n\t\t\t};\n\t\t}\n\t}\n\n\treturn { allowed: true };\n}\n\nasync function writeAuditLog(\n\tdb: Database,\n\tagent: AgentIdentity,\n\trequest: AuthorizeRequest,\n\tresult: AuthorizeResult,\n\tstartTime: number,\n\tauditId: string,\n): Promise<void> {\n\tconst durationMs = Math.round(performance.now() - startTime);\n\n\tawait db.insert(auditLogs).values({\n\t\tid: auditId,\n\t\tagentId: agent.id,\n\t\tuserId: agent.ownerId,\n\t\taction: request.action,\n\t\tresource: request.resource,\n\t\tparameters: request.arguments ?? {},\n\t\tresult: result.allowed ? \"allowed\" : \"denied\",\n\t\treason: result.reason ?? null,\n\t\tdurationMs,\n\t\ttimestamp: new Date(),\n\t\tip: request.context?.ip ?? null,\n\t\tuserAgent: request.context?.userAgent ?? 
null,\n\t});\n}\n","import type { Permission } from \"../types.js\";\n\n/**\n * Pre-built permission templates for common access patterns.\n * Use these as starting points when creating agents.\n */\nexport const permissionTemplates = {\n\t/** Read-only access to all resources */\n\treadonly: [{ resource: \"*\", actions: [\"read\"] }] satisfies Permission[],\n\n\t/** Read and write access to all resources */\n\treadwrite: [{ resource: \"*\", actions: [\"read\", \"write\"] }] satisfies Permission[],\n\n\t/** Full access to all resources and actions */\n\tadmin: [{ resource: \"*\", actions: [\"*\"] }] satisfies Permission[],\n\n\t/** Standard MCP tool access - read + execute */\n\tmcpBasic: [{ resource: \"mcp:*\", actions: [\"read\", \"execute\"] }] satisfies Permission[],\n\n\t/** MCP tool access with write - read + write + execute */\n\tmcpFull: [{ resource: \"mcp:*\", actions: [\"read\", \"write\", \"execute\"] }] satisfies Permission[],\n\n\t/** Rate-limited read access (100 calls/hour) */\n\trateLimitedRead: [\n\t\t{\n\t\t\tresource: \"*\",\n\t\t\tactions: [\"read\"],\n\t\t\tconstraints: { maxCallsPerHour: 100 },\n\t\t},\n\t] satisfies Permission[],\n\n\t/** Approval-required access (human-in-the-loop for everything) */\n\tapprovalRequired: [\n\t\t{\n\t\t\tresource: \"*\",\n\t\t\tactions: [\"*\"],\n\t\t\tconstraints: { requireApproval: true },\n\t\t},\n\t] satisfies Permission[],\n\n\t/** Business hours only access (9am-5pm) */\n\tbusinessHours: [\n\t\t{\n\t\t\tresource: \"*\",\n\t\t\tactions: [\"read\", \"write\", \"execute\"],\n\t\t\tconstraints: { timeWindow: { start: \"09:00\", end: \"17:00\" } },\n\t\t},\n\t] satisfies Permission[],\n} as const;\n\nexport type PermissionTemplateName = keyof typeof permissionTemplates;\n\n/**\n * Get a permission template by name.\n * Returns a fresh copy of the permissions array.\n */\nexport function getPermissionTemplate(name: PermissionTemplateName): Permission[] {\n\treturn 
JSON.parse(JSON.stringify(permissionTemplates[name])) as Permission[];\n}\n"]}
@@ -1,4 +1,4 @@
1
- import { auditLogs } from './chunk-KNNJ4COO.js';
1
+ import { auditLogs } from './chunk-KDL6A76K.js';
2
2
  import { eq, gte, lte, desc, and, lt } from 'drizzle-orm';
3
3
 
4
4
  function createAuditModule(config) {
@@ -97,5 +97,5 @@ function toAuditEntry(row) {
97
97
  }
98
98
 
99
99
  export { createAuditModule };
100
- //# sourceMappingURL=chunk-4CANWZWP.js.map
101
- //# sourceMappingURL=chunk-4CANWZWP.js.map
100
+ //# sourceMappingURL=chunk-Y3OWAJHK.js.map
101
+ //# sourceMappingURL=chunk-Y3OWAJHK.js.map
@@ -1 +1 @@
1
- {"version":3,"sources":["../src/audit/audit.ts"],"names":[],"mappings":";;;AAaO,SAAS,kBAAkB,MAAA,EAA2B;AAC5D,EAAA,MAAM,EAAE,IAAG,GAAI,MAAA;AAEf,EAAA,eAAe,MAAM,MAAA,EAA4C;AAChE,IAAA,MAAM,aAAa,EAAC;AAEpB,IAAA,IAAI,MAAA,CAAO,SAAS,UAAA,CAAW,IAAA,CAAK,GAAG,SAAA,CAAU,OAAA,EAAS,MAAA,CAAO,OAAO,CAAC,CAAA;AACzE,IAAA,IAAI,MAAA,CAAO,QAAQ,UAAA,CAAW,IAAA,CAAK,GAAG,SAAA,CAAU,MAAA,EAAQ,MAAA,CAAO,MAAM,CAAC,CAAA;AACtE,IAAA,IAAI,MAAA,CAAO,OAAO,UAAA,CAAW,IAAA,CAAK,IAAI,SAAA,CAAU,SAAA,EAAW,MAAA,CAAO,KAAK,CAAC,CAAA;AACxE,IAAA,IAAI,MAAA,CAAO,OAAO,UAAA,CAAW,IAAA,CAAK,IAAI,SAAA,CAAU,SAAA,EAAW,MAAA,CAAO,KAAK,CAAC,CAAA;AACxE,IAAA,IAAI,MAAA,CAAO,QAAQ,UAAA,CAAW,IAAA,CAAK,GAAG,SAAA,CAAU,MAAA,EAAQ,MAAA,CAAO,MAAM,CAAC,CAAA;AAEtE,IAAA,IAAI,CAAA,GAAI,EAAA,CAAG,MAAA,EAAO,CAAE,IAAA,CAAK,SAAS,CAAA,CAAE,OAAA,CAAQ,IAAA,CAAK,SAAA,CAAU,SAAS,CAAC,EAAE,QAAA,EAAS;AAEhF,IAAA,IAAI,UAAA,CAAW,SAAS,CAAA,EAAG;AAC1B,MAAA,CAAA,GAAI,CAAA,CAAE,KAAA,CAAM,GAAA,CAAI,GAAG,UAAU,CAAC,CAAA;AAAA,IAC/B;AAEA,IAAA,IAAI,OAAO,KAAA,EAAO;AACjB,MAAA,CAAA,GAAI,CAAA,CAAE,KAAA,CAAM,MAAA,CAAO,KAAK,CAAA;AAAA,IACzB;AACA,IAAA,IAAI,OAAO,MAAA,EAAQ;AAClB,MAAA,CAAA,GAAI,CAAA,CAAE,MAAA,CAAO,MAAA,CAAO,MAAM,CAAA;AAAA,IAC3B;AAEA,IAAA,MAAM,OAAO,MAAM,CAAA;AAEnB,IAAA,OAAO,IAAA,CACL,MAAA,CAAO,CAAC,GAAA,KAAQ;AAEhB,MAAA,IAAI,MAAA,CAAO,OAAA,IAAW,MAAA,CAAO,OAAA,CAAQ,SAAS,CAAA,EAAG;AAChD,QAAA,OAAO,MAAA,CAAO,OAAA,CAAQ,QAAA,CAAS,GAAA,CAAI,MAAM,CAAA;AAAA,MAC1C;AACA,MAAA,OAAO,IAAA;AAAA,IACR,CAAC,CAAA,CACA,GAAA,CAAI,YAAY,CAAA;AAAA,EACnB;AAEA,EAAA,eAAe,WAAW,OAAA,EAA8C;AACvE,IAAA,MAAM,OAAA,GAAU,MAAM,KAAA,CAAM;AAAA,MAC3B,OAAO,OAAA,CAAQ,KAAA;AAAA,MACf,OAAO,OAAA,CAAQ,KAAA;AAAA,MACf,KAAA,EAAO;AAAA;AAAA,KACP,CAAA;AAED,IAAA,IAAI,OAAA,CAAQ,WAAW,MAAA,EAAQ;AAC9B,MAAA,OAAO,IAAA,CAAK,SAAA,CAAU,OAAA,EAAS,IAAA,EAAM,CAAC,CAAA;AAAA,IACvC;AAGA,IAAA,MAAM,OAAA,GAAU;AAAA,MACf,IAAA;AAAA,MACA,SAAA;AAAA,MACA,QAAA;AAAA,MACA,QAAA;AAAA,MACA,UAAA;AAAA,MACA,QAAA;AAAA,MACA,QAAA;AAAA,MACA,YAAA;AAAA,MACA,YAAA;AAAA,MACA;AAAA,KACD;AACA,IAAA,MAAM,OAAA,GAAU,CAAC,OAAA,CAAQ,IAAA,CAAK,GAAG,CAAC,CAAA
;AAElC,IAAA,KAAA,MAAW,SAAS,OAAA,EAAS;AAC5B,MAAA,OAAA,CAAQ,IAAA;AAAA,QACP;AAAA,UACC,KAAA,CAAM,EAAA;AAAA,UACN,KAAA,CAAM,OAAA;AAAA,UACN,KAAA,CAAM,MAAA;AAAA,UACN,KAAA,CAAM,MAAA;AAAA,UACN,KAAA,CAAM,QAAA;AAAA,UACN,KAAA,CAAM,MAAA;AAAA,UACN,CAAA,CAAA,EAAK,KAAA,CAA2C,MAAA,IAAU,EAAE,CAAA,CAAA,CAAA;AAAA,UAC5D,KAAA,CAAM,UAAA;AAAA,UACN,MAAM,UAAA,IAAc,EAAA;AAAA,UACpB,KAAA,CAAM,UAAU,WAAA;AAAY,SAC7B,CAAE,KAAK,GAAG;AAAA,OACX;AAAA,IACD;AAEA,IAAA,OAAO,OAAA,CAAQ,KAAK,IAAI,CAAA;AAAA,EACzB;AAMA,EAAA,eAAe,QAAQ,OAAA,EAAkE;AACxF,IAAA,MAAM,MAAA,GAAS,IAAI,IAAA,CAAK,IAAA,CAAK,GAAA,EAAI,GAAI,OAAA,CAAQ,aAAA,GAAgB,EAAA,GAAK,EAAA,GAAK,EAAA,GAAK,GAAI,CAAA;AAGhF,IAAA,MAAM,WAAW,MAAM,EAAA,CACrB,OAAO,EAAE,EAAA,EAAI,UAAU,EAAA,EAAI,CAAA,CAC3B,IAAA,CAAK,SAAS,CAAA,CACd,KAAA,CAAM,GAAG,SAAA,CAAU,SAAA,EAAW,MAAM,CAAC,CAAA;AAEvC,IAAA,IAAI,QAAA,CAAS,WAAW,CAAA,EAAG;AAC1B,MAAA,OAAO,EAAE,SAAS,CAAA,EAAE;AAAA,IACrB;AAEA,IAAA,MAAM,EAAA,CAAG,OAAO,SAAS,CAAA,CAAE,MAAM,EAAA,CAAG,SAAA,CAAU,SAAA,EAAW,MAAM,CAAC,CAAA;AAEhE,IAAA,OAAO,EAAE,OAAA,EAAS,QAAA,CAAS,MAAA,EAAO;AAAA,EACnC;AAEA,EAAA,OAAO,EAAE,KAAA,EAAO,MAAA,EAAQ,UAAA,EAAY,OAAA,EAAQ;AAC7C;AAEA,SAAS,aAAa,GAAA,EAAgD;AACrE,EAAA,OAAO;AAAA,IACN,IAAI,GAAA,CAAI,EAAA;AAAA,IACR,SAAS,GAAA,CAAI,OAAA;AAAA,IACb,QAAQ,GAAA,CAAI,MAAA;AAAA,IACZ,QAAQ,GAAA,CAAI,MAAA;AAAA,IACZ,UAAU,GAAA,CAAI,QAAA;AAAA,IACd,UAAA,EAAa,GAAA,CAAI,UAAA,IAA0C,EAAC;AAAA,IAC5D,QAAQ,GAAA,CAAI,MAAA;AAAA,IACZ,MAAA,EAAQ,IAAI,MAAA,IAAU,MAAA;AAAA,IACtB,YAAY,GAAA,CAAI,UAAA;AAAA,IAChB,UAAA,EAAY,IAAI,UAAA,IAAc,MAAA;AAAA,IAC9B,WAAW,GAAA,CAAI;AAAA,GAChB;AACD","file":"chunk-4CANWZWP.js","sourcesContent":["import { and, desc, eq, gte, lt, lte } from \"drizzle-orm\";\nimport type { Database } from \"../db/database.js\";\nimport { auditLogs } from \"../db/schema.js\";\nimport type { AuditEntry, AuditExportOptions, AuditFilter } from \"../types.js\";\n\ninterface AuditModuleConfig {\n\tdb: Database;\n}\n\n/**\n * Create the audit log module.\n * Provides query and export capabilities for the immutable audit trail.\n */\nexport 
function createAuditModule(config: AuditModuleConfig) {\n\tconst { db } = config;\n\n\tasync function query(filter: AuditFilter): Promise<AuditEntry[]> {\n\t\tconst conditions = [];\n\n\t\tif (filter.agentId) conditions.push(eq(auditLogs.agentId, filter.agentId));\n\t\tif (filter.userId) conditions.push(eq(auditLogs.userId, filter.userId));\n\t\tif (filter.since) conditions.push(gte(auditLogs.timestamp, filter.since));\n\t\tif (filter.until) conditions.push(lte(auditLogs.timestamp, filter.until));\n\t\tif (filter.result) conditions.push(eq(auditLogs.result, filter.result));\n\n\t\tlet q = db.select().from(auditLogs).orderBy(desc(auditLogs.timestamp)).$dynamic();\n\n\t\tif (conditions.length > 0) {\n\t\t\tq = q.where(and(...conditions));\n\t\t}\n\n\t\tif (filter.limit) {\n\t\t\tq = q.limit(filter.limit);\n\t\t}\n\t\tif (filter.offset) {\n\t\t\tq = q.offset(filter.offset);\n\t\t}\n\n\t\tconst rows = await q;\n\n\t\treturn rows\n\t\t\t.filter((row) => {\n\t\t\t\t// Filter by actions if specified\n\t\t\t\tif (filter.actions && filter.actions.length > 0) {\n\t\t\t\t\treturn filter.actions.includes(row.action);\n\t\t\t\t}\n\t\t\t\treturn true;\n\t\t\t})\n\t\t\t.map(toAuditEntry);\n\t}\n\n\tasync function exportLogs(options: AuditExportOptions): Promise<string> {\n\t\tconst entries = await query({\n\t\t\tsince: options.since,\n\t\t\tuntil: options.until,\n\t\t\tlimit: 10000, // cap exports\n\t\t});\n\n\t\tif (options.format === \"json\") {\n\t\t\treturn JSON.stringify(entries, null, 2);\n\t\t}\n\n\t\t// CSV format\n\t\tconst headers = [\n\t\t\t\"id\",\n\t\t\t\"agentId\",\n\t\t\t\"userId\",\n\t\t\t\"action\",\n\t\t\t\"resource\",\n\t\t\t\"result\",\n\t\t\t\"reason\",\n\t\t\t\"durationMs\",\n\t\t\t\"tokensCost\",\n\t\t\t\"timestamp\",\n\t\t];\n\t\tconst csvRows = [headers.join(\",\")];\n\n\t\tfor (const entry of entries) 
{\n\t\t\tcsvRows.push(\n\t\t\t\t[\n\t\t\t\t\tentry.id,\n\t\t\t\t\tentry.agentId,\n\t\t\t\t\tentry.userId,\n\t\t\t\t\tentry.action,\n\t\t\t\t\tentry.resource,\n\t\t\t\t\tentry.result,\n\t\t\t\t\t`\"${(entry as AuditEntry & { reason?: string }).reason ?? \"\"}\"`,\n\t\t\t\t\tentry.durationMs,\n\t\t\t\t\tentry.tokensCost ?? \"\",\n\t\t\t\t\tentry.timestamp.toISOString(),\n\t\t\t\t].join(\",\"),\n\t\t\t);\n\t\t}\n\n\t\treturn csvRows.join(\"\\n\");\n\t}\n\n\t/**\n\t * Delete audit log entries older than the specified retention period.\n\t * Returns the count of deleted rows.\n\t */\n\tasync function cleanup(options: { retentionDays: number }): Promise<{ deleted: number }> {\n\t\tconst cutoff = new Date(Date.now() - options.retentionDays * 24 * 60 * 60 * 1000);\n\n\t\t// Count rows to be deleted before removing them\n\t\tconst toDelete = await db\n\t\t\t.select({ id: auditLogs.id })\n\t\t\t.from(auditLogs)\n\t\t\t.where(lt(auditLogs.timestamp, cutoff));\n\n\t\tif (toDelete.length === 0) {\n\t\t\treturn { deleted: 0 };\n\t\t}\n\n\t\tawait db.delete(auditLogs).where(lt(auditLogs.timestamp, cutoff));\n\n\t\treturn { deleted: toDelete.length };\n\t}\n\n\treturn { query, export: exportLogs, cleanup };\n}\n\nfunction toAuditEntry(row: typeof auditLogs.$inferSelect): AuditEntry {\n\treturn {\n\t\tid: row.id,\n\t\tagentId: row.agentId,\n\t\tuserId: row.userId,\n\t\taction: row.action,\n\t\tresource: row.resource,\n\t\tparameters: (row.parameters as Record<string, unknown>) ?? {},\n\t\tresult: row.result as AuditEntry[\"result\"],\n\t\treason: row.reason ?? undefined,\n\t\tdurationMs: row.durationMs,\n\t\ttokensCost: row.tokensCost ?? undefined,\n\t\ttimestamp: row.timestamp,\n\t};\n}\n"]}
1
+ {"version":3,"sources":["../src/audit/audit.ts"],"names":[],"mappings":";;;AAaO,SAAS,kBAAkB,MAAA,EAA2B;AAC5D,EAAA,MAAM,EAAE,IAAG,GAAI,MAAA;AAEf,EAAA,eAAe,MAAM,MAAA,EAA4C;AAChE,IAAA,MAAM,aAAa,EAAC;AAEpB,IAAA,IAAI,MAAA,CAAO,SAAS,UAAA,CAAW,IAAA,CAAK,GAAG,SAAA,CAAU,OAAA,EAAS,MAAA,CAAO,OAAO,CAAC,CAAA;AACzE,IAAA,IAAI,MAAA,CAAO,QAAQ,UAAA,CAAW,IAAA,CAAK,GAAG,SAAA,CAAU,MAAA,EAAQ,MAAA,CAAO,MAAM,CAAC,CAAA;AACtE,IAAA,IAAI,MAAA,CAAO,OAAO,UAAA,CAAW,IAAA,CAAK,IAAI,SAAA,CAAU,SAAA,EAAW,MAAA,CAAO,KAAK,CAAC,CAAA;AACxE,IAAA,IAAI,MAAA,CAAO,OAAO,UAAA,CAAW,IAAA,CAAK,IAAI,SAAA,CAAU,SAAA,EAAW,MAAA,CAAO,KAAK,CAAC,CAAA;AACxE,IAAA,IAAI,MAAA,CAAO,QAAQ,UAAA,CAAW,IAAA,CAAK,GAAG,SAAA,CAAU,MAAA,EAAQ,MAAA,CAAO,MAAM,CAAC,CAAA;AAEtE,IAAA,IAAI,CAAA,GAAI,EAAA,CAAG,MAAA,EAAO,CAAE,IAAA,CAAK,SAAS,CAAA,CAAE,OAAA,CAAQ,IAAA,CAAK,SAAA,CAAU,SAAS,CAAC,EAAE,QAAA,EAAS;AAEhF,IAAA,IAAI,UAAA,CAAW,SAAS,CAAA,EAAG;AAC1B,MAAA,CAAA,GAAI,CAAA,CAAE,KAAA,CAAM,GAAA,CAAI,GAAG,UAAU,CAAC,CAAA;AAAA,IAC/B;AAEA,IAAA,IAAI,OAAO,KAAA,EAAO;AACjB,MAAA,CAAA,GAAI,CAAA,CAAE,KAAA,CAAM,MAAA,CAAO,KAAK,CAAA;AAAA,IACzB;AACA,IAAA,IAAI,OAAO,MAAA,EAAQ;AAClB,MAAA,CAAA,GAAI,CAAA,CAAE,MAAA,CAAO,MAAA,CAAO,MAAM,CAAA;AAAA,IAC3B;AAEA,IAAA,MAAM,OAAO,MAAM,CAAA;AAEnB,IAAA,OAAO,IAAA,CACL,MAAA,CAAO,CAAC,GAAA,KAAQ;AAEhB,MAAA,IAAI,MAAA,CAAO,OAAA,IAAW,MAAA,CAAO,OAAA,CAAQ,SAAS,CAAA,EAAG;AAChD,QAAA,OAAO,MAAA,CAAO,OAAA,CAAQ,QAAA,CAAS,GAAA,CAAI,MAAM,CAAA;AAAA,MAC1C;AACA,MAAA,OAAO,IAAA;AAAA,IACR,CAAC,CAAA,CACA,GAAA,CAAI,YAAY,CAAA;AAAA,EACnB;AAEA,EAAA,eAAe,WAAW,OAAA,EAA8C;AACvE,IAAA,MAAM,OAAA,GAAU,MAAM,KAAA,CAAM;AAAA,MAC3B,OAAO,OAAA,CAAQ,KAAA;AAAA,MACf,OAAO,OAAA,CAAQ,KAAA;AAAA,MACf,KAAA,EAAO;AAAA;AAAA,KACP,CAAA;AAED,IAAA,IAAI,OAAA,CAAQ,WAAW,MAAA,EAAQ;AAC9B,MAAA,OAAO,IAAA,CAAK,SAAA,CAAU,OAAA,EAAS,IAAA,EAAM,CAAC,CAAA;AAAA,IACvC;AAGA,IAAA,MAAM,OAAA,GAAU;AAAA,MACf,IAAA;AAAA,MACA,SAAA;AAAA,MACA,QAAA;AAAA,MACA,QAAA;AAAA,MACA,UAAA;AAAA,MACA,QAAA;AAAA,MACA,QAAA;AAAA,MACA,YAAA;AAAA,MACA,YAAA;AAAA,MACA;AAAA,KACD;AACA,IAAA,MAAM,OAAA,GAAU,CAAC,OAAA,CAAQ,IAAA,CAAK,GAAG,CAAC,CAAA
;AAElC,IAAA,KAAA,MAAW,SAAS,OAAA,EAAS;AAC5B,MAAA,OAAA,CAAQ,IAAA;AAAA,QACP;AAAA,UACC,KAAA,CAAM,EAAA;AAAA,UACN,KAAA,CAAM,OAAA;AAAA,UACN,KAAA,CAAM,MAAA;AAAA,UACN,KAAA,CAAM,MAAA;AAAA,UACN,KAAA,CAAM,QAAA;AAAA,UACN,KAAA,CAAM,MAAA;AAAA,UACN,CAAA,CAAA,EAAK,KAAA,CAA2C,MAAA,IAAU,EAAE,CAAA,CAAA,CAAA;AAAA,UAC5D,KAAA,CAAM,UAAA;AAAA,UACN,MAAM,UAAA,IAAc,EAAA;AAAA,UACpB,KAAA,CAAM,UAAU,WAAA;AAAY,SAC7B,CAAE,KAAK,GAAG;AAAA,OACX;AAAA,IACD;AAEA,IAAA,OAAO,OAAA,CAAQ,KAAK,IAAI,CAAA;AAAA,EACzB;AAMA,EAAA,eAAe,QAAQ,OAAA,EAAkE;AACxF,IAAA,MAAM,MAAA,GAAS,IAAI,IAAA,CAAK,IAAA,CAAK,GAAA,EAAI,GAAI,OAAA,CAAQ,aAAA,GAAgB,EAAA,GAAK,EAAA,GAAK,EAAA,GAAK,GAAI,CAAA;AAGhF,IAAA,MAAM,WAAW,MAAM,EAAA,CACrB,OAAO,EAAE,EAAA,EAAI,UAAU,EAAA,EAAI,CAAA,CAC3B,IAAA,CAAK,SAAS,CAAA,CACd,KAAA,CAAM,GAAG,SAAA,CAAU,SAAA,EAAW,MAAM,CAAC,CAAA;AAEvC,IAAA,IAAI,QAAA,CAAS,WAAW,CAAA,EAAG;AAC1B,MAAA,OAAO,EAAE,SAAS,CAAA,EAAE;AAAA,IACrB;AAEA,IAAA,MAAM,EAAA,CAAG,OAAO,SAAS,CAAA,CAAE,MAAM,EAAA,CAAG,SAAA,CAAU,SAAA,EAAW,MAAM,CAAC,CAAA;AAEhE,IAAA,OAAO,EAAE,OAAA,EAAS,QAAA,CAAS,MAAA,EAAO;AAAA,EACnC;AAEA,EAAA,OAAO,EAAE,KAAA,EAAO,MAAA,EAAQ,UAAA,EAAY,OAAA,EAAQ;AAC7C;AAEA,SAAS,aAAa,GAAA,EAAgD;AACrE,EAAA,OAAO;AAAA,IACN,IAAI,GAAA,CAAI,EAAA;AAAA,IACR,SAAS,GAAA,CAAI,OAAA;AAAA,IACb,QAAQ,GAAA,CAAI,MAAA;AAAA,IACZ,QAAQ,GAAA,CAAI,MAAA;AAAA,IACZ,UAAU,GAAA,CAAI,QAAA;AAAA,IACd,UAAA,EAAa,GAAA,CAAI,UAAA,IAA0C,EAAC;AAAA,IAC5D,QAAQ,GAAA,CAAI,MAAA;AAAA,IACZ,MAAA,EAAQ,IAAI,MAAA,IAAU,MAAA;AAAA,IACtB,YAAY,GAAA,CAAI,UAAA;AAAA,IAChB,UAAA,EAAY,IAAI,UAAA,IAAc,MAAA;AAAA,IAC9B,WAAW,GAAA,CAAI;AAAA,GAChB;AACD","file":"chunk-Y3OWAJHK.js","sourcesContent":["import { and, desc, eq, gte, lt, lte } from \"drizzle-orm\";\nimport type { Database } from \"../db/database.js\";\nimport { auditLogs } from \"../db/schema.js\";\nimport type { AuditEntry, AuditExportOptions, AuditFilter } from \"../types.js\";\n\ninterface AuditModuleConfig {\n\tdb: Database;\n}\n\n/**\n * Create the audit log module.\n * Provides query and export capabilities for the immutable audit trail.\n */\nexport 
function createAuditModule(config: AuditModuleConfig) {\n\tconst { db } = config;\n\n\tasync function query(filter: AuditFilter): Promise<AuditEntry[]> {\n\t\tconst conditions = [];\n\n\t\tif (filter.agentId) conditions.push(eq(auditLogs.agentId, filter.agentId));\n\t\tif (filter.userId) conditions.push(eq(auditLogs.userId, filter.userId));\n\t\tif (filter.since) conditions.push(gte(auditLogs.timestamp, filter.since));\n\t\tif (filter.until) conditions.push(lte(auditLogs.timestamp, filter.until));\n\t\tif (filter.result) conditions.push(eq(auditLogs.result, filter.result));\n\n\t\tlet q = db.select().from(auditLogs).orderBy(desc(auditLogs.timestamp)).$dynamic();\n\n\t\tif (conditions.length > 0) {\n\t\t\tq = q.where(and(...conditions));\n\t\t}\n\n\t\tif (filter.limit) {\n\t\t\tq = q.limit(filter.limit);\n\t\t}\n\t\tif (filter.offset) {\n\t\t\tq = q.offset(filter.offset);\n\t\t}\n\n\t\tconst rows = await q;\n\n\t\treturn rows\n\t\t\t.filter((row) => {\n\t\t\t\t// Filter by actions if specified\n\t\t\t\tif (filter.actions && filter.actions.length > 0) {\n\t\t\t\t\treturn filter.actions.includes(row.action);\n\t\t\t\t}\n\t\t\t\treturn true;\n\t\t\t})\n\t\t\t.map(toAuditEntry);\n\t}\n\n\tasync function exportLogs(options: AuditExportOptions): Promise<string> {\n\t\tconst entries = await query({\n\t\t\tsince: options.since,\n\t\t\tuntil: options.until,\n\t\t\tlimit: 10000, // cap exports\n\t\t});\n\n\t\tif (options.format === \"json\") {\n\t\t\treturn JSON.stringify(entries, null, 2);\n\t\t}\n\n\t\t// CSV format\n\t\tconst headers = [\n\t\t\t\"id\",\n\t\t\t\"agentId\",\n\t\t\t\"userId\",\n\t\t\t\"action\",\n\t\t\t\"resource\",\n\t\t\t\"result\",\n\t\t\t\"reason\",\n\t\t\t\"durationMs\",\n\t\t\t\"tokensCost\",\n\t\t\t\"timestamp\",\n\t\t];\n\t\tconst csvRows = [headers.join(\",\")];\n\n\t\tfor (const entry of entries) 
{\n\t\t\tcsvRows.push(\n\t\t\t\t[\n\t\t\t\t\tentry.id,\n\t\t\t\t\tentry.agentId,\n\t\t\t\t\tentry.userId,\n\t\t\t\t\tentry.action,\n\t\t\t\t\tentry.resource,\n\t\t\t\t\tentry.result,\n\t\t\t\t\t`\"${(entry as AuditEntry & { reason?: string }).reason ?? \"\"}\"`,\n\t\t\t\t\tentry.durationMs,\n\t\t\t\t\tentry.tokensCost ?? \"\",\n\t\t\t\t\tentry.timestamp.toISOString(),\n\t\t\t\t].join(\",\"),\n\t\t\t);\n\t\t}\n\n\t\treturn csvRows.join(\"\\n\");\n\t}\n\n\t/**\n\t * Delete audit log entries older than the specified retention period.\n\t * Returns the count of deleted rows.\n\t */\n\tasync function cleanup(options: { retentionDays: number }): Promise<{ deleted: number }> {\n\t\tconst cutoff = new Date(Date.now() - options.retentionDays * 24 * 60 * 60 * 1000);\n\n\t\t// Count rows to be deleted before removing them\n\t\tconst toDelete = await db\n\t\t\t.select({ id: auditLogs.id })\n\t\t\t.from(auditLogs)\n\t\t\t.where(lt(auditLogs.timestamp, cutoff));\n\n\t\tif (toDelete.length === 0) {\n\t\t\treturn { deleted: 0 };\n\t\t}\n\n\t\tawait db.delete(auditLogs).where(lt(auditLogs.timestamp, cutoff));\n\n\t\treturn { deleted: toDelete.length };\n\t}\n\n\treturn { query, export: exportLogs, cleanup };\n}\n\nfunction toAuditEntry(row: typeof auditLogs.$inferSelect): AuditEntry {\n\treturn {\n\t\tid: row.id,\n\t\tagentId: row.agentId,\n\t\tuserId: row.userId,\n\t\taction: row.action,\n\t\tresource: row.resource,\n\t\tparameters: (row.parameters as Record<string, unknown>) ?? {},\n\t\tresult: row.result as AuditEntry[\"result\"],\n\t\treason: row.reason ?? undefined,\n\t\tdurationMs: row.durationMs,\n\t\ttokensCost: row.tokensCost ?? undefined,\n\t\ttimestamp: row.timestamp,\n\t};\n}\n"]}