kavachos 0.3.0 → 0.4.0

package/dist/vc/index.js CHANGED
@@ -1,7 +1,7 @@
1
- import { importJWK, jwtVerify, errors, compactVerify, SignJWT } from 'jose';
1
+ import { importJWK, jwtVerify, SignJWT, CompactSign, errors, compactVerify } from 'jose';
2
2
  import { z } from 'zod';
3
3
 
4
- // src/vc/issuer.ts
4
+ // src/vc/audit-export.ts
5
5
 
6
6
  // src/crypto/web-crypto.ts
7
7
  function generateId() {
@@ -46,7 +46,7 @@ var CredentialSubjectSchema = z.object({
46
46
  ).optional(),
47
47
  name: z.string().optional(),
48
48
  type: z.string().optional()
49
- });
49
+ }).passthrough();
50
50
  var VerifiableCredentialSchema = z.object({
51
51
  "@context": z.array(z.string()).min(1),
52
52
  id: z.string().optional(),
@@ -67,8 +67,156 @@ var VerifiablePresentationSchema = z.object({
67
67
  proof: ProofSchema.optional()
68
68
  });
69
69
 
70
- // src/vc/issuer.ts
70
+ // src/vc/audit-export.ts
71
+ var KAVACHOS_AUDIT_CREDENTIAL = "KavachosAuditCredential";
72
+ var KAVACHOS_AUDIT_CONTEXT = "https://kavachos.com/contexts/audit/v1.jsonld";
73
+ var KAVACHOS_VERSION = "0.3.0";
71
74
  var DEFAULT_TTL_SECONDS = 86400;
75
+ function toDecision(result) {
76
+ if (result === "allowed") return "allow";
77
+ return "deny";
78
+ }
79
+ function buildAuditCredential(record, issuerDid) {
80
+ const subject = {
81
+ id: record.id,
82
+ agentId: record.agentId,
83
+ ...record.userId ? { principalId: record.userId } : {},
84
+ operation: record.action,
85
+ target: record.resource,
86
+ decision: toDecision(record.result),
87
+ ...record.reason ? { policyName: record.reason } : {},
88
+ timestamp: record.timestamp.toISOString(),
89
+ kavachosVersion: KAVACHOS_VERSION
90
+ };
91
+ return {
92
+ "@context": [VC_CONTEXT_V2, KAVACHOS_AUDIT_CONTEXT],
93
+ id: `urn:uuid:${generateId()}`,
94
+ type: [VC_TYPE_CREDENTIAL, KAVACHOS_AUDIT_CREDENTIAL],
95
+ issuer: issuerDid,
96
+ issuanceDate: (/* @__PURE__ */ new Date()).toISOString(),
97
+ expirationDate: new Date(Date.now() + DEFAULT_TTL_SECONDS * 1e3).toISOString(),
98
+ // Cast: AuditCredentialSubject is intentionally wider than CredentialSubject
99
+ // because the VC schema uses an open-ended subject. The additional fields
100
+ // (operation, target, decision, etc.) are preserved via spread at runtime.
101
+ credentialSubject: subject
102
+ };
103
+ }
104
+ async function signAsJsonLd(credential, config) {
105
+ const { issuerDid, privateKeyJwk } = config;
106
+ const kid = `${issuerDid}#${issuerDid.split(":").pop() ?? "key-1"}`;
107
+ const key = await importJWK(privateKeyJwk, "EdDSA");
108
+ const { proof: _proof, ...vcWithoutProof } = credential;
109
+ const payload = new TextEncoder().encode(JSON.stringify(vcWithoutProof));
110
+ const jws = await new CompactSign(payload).setProtectedHeader({ alg: "EdDSA", kid }).sign(key);
111
+ const proof = {
112
+ type: "JsonWebSignature2020",
113
+ created: (/* @__PURE__ */ new Date()).toISOString(),
114
+ verificationMethod: kid,
115
+ proofPurpose: "assertionMethod",
116
+ jws
117
+ };
118
+ return { ...credential, proof };
119
+ }
120
+ async function signAsJwt(credential, config) {
121
+ const { issuerDid, privateKeyJwk } = config;
122
+ const ttl = config.defaultTtl ?? DEFAULT_TTL_SECONDS;
123
+ const kid = `${issuerDid}#${issuerDid.split(":").pop() ?? "key-1"}`;
124
+ const key = await importJWK(privateKeyJwk, "EdDSA");
125
+ const { proof: _proof, ...vcWithoutProof } = credential;
126
+ const builder = new SignJWT({ vc: vcWithoutProof }).setProtectedHeader({ alg: "EdDSA", kid, typ: "JWT" }).setIssuer(issuerDid).setIssuedAt().setExpirationTime(Math.floor(Date.now() / 1e3) + ttl);
127
+ if (credential.id) builder.setJti(credential.id);
128
+ if (credential.credentialSubject.id) builder.setSubject(credential.credentialSubject.id);
129
+ const jwt = await builder.sign(key);
130
+ return { credential, jwt };
131
+ }
132
+ async function signPresentationAsJsonLd(presentation, config) {
133
+ const { issuerDid, privateKeyJwk } = config;
134
+ const kid = `${issuerDid}#${issuerDid.split(":").pop() ?? "key-1"}`;
135
+ const key = await importJWK(privateKeyJwk, "EdDSA");
136
+ const { proof: _proof, ...vpWithoutProof } = presentation;
137
+ const payload = new TextEncoder().encode(JSON.stringify(vpWithoutProof));
138
+ const jws = await new CompactSign(payload).setProtectedHeader({ alg: "EdDSA", kid }).sign(key);
139
+ const proof = {
140
+ type: "JsonWebSignature2020",
141
+ created: (/* @__PURE__ */ new Date()).toISOString(),
142
+ verificationMethod: kid,
143
+ proofPurpose: "assertionMethod",
144
+ jws
145
+ };
146
+ return { ...presentation, proof };
147
+ }
148
+ async function exportAuditAsVC(options) {
149
+ const {
150
+ since,
151
+ until,
152
+ issuerDid,
153
+ issuerConfig,
154
+ format = "ldp_vc",
155
+ output = "individual",
156
+ filter,
157
+ records
158
+ } = options;
159
+ const inRange = records.filter((r) => {
160
+ const t = r.timestamp.getTime();
161
+ return t >= since.getTime() && t <= until.getTime();
162
+ });
163
+ const filtered = filter ? inRange.filter(filter) : inRange;
164
+ if (filtered.length === 0) {
165
+ return {
166
+ credentials: [],
167
+ format,
168
+ issuedAt: /* @__PURE__ */ new Date(),
169
+ count: 0
170
+ };
171
+ }
172
+ const credentials = [];
173
+ const jwts = [];
174
+ for (const record of filtered) {
175
+ const base = buildAuditCredential(record, issuerDid);
176
+ if (format === "jwt_vc") {
177
+ const { credential, jwt } = await signAsJwt(base, issuerConfig);
178
+ credentials.push(credential);
179
+ jwts.push(jwt);
180
+ } else {
181
+ const signed = await signAsJsonLd(base, issuerConfig);
182
+ credentials.push(signed);
183
+ }
184
+ }
185
+ const issuedAt = /* @__PURE__ */ new Date();
186
+ if (output === "individual") {
187
+ return {
188
+ credentials,
189
+ ...format === "jwt_vc" ? { jwts } : {},
190
+ format,
191
+ issuedAt,
192
+ count: credentials.length
193
+ };
194
+ }
195
+ const basePresentation = {
196
+ "@context": [VC_CONTEXT_V2, KAVACHOS_AUDIT_CONTEXT],
197
+ id: `urn:uuid:${generateId()}`,
198
+ type: [VC_TYPE_PRESENTATION],
199
+ holder: issuerDid,
200
+ verifiableCredential: credentials
201
+ };
202
+ const presentation = format === "jwt_vc" ? basePresentation : await signPresentationAsJsonLd(basePresentation, issuerConfig);
203
+ return {
204
+ credentials,
205
+ ...format === "jwt_vc" ? { jwts } : {},
206
+ presentation,
207
+ format,
208
+ issuedAt,
209
+ count: credentials.length
210
+ };
211
+ }
212
+ function listAuditRecords(records, since, until, filter) {
213
+ const inRange = records.filter((r) => {
214
+ const t = r.timestamp.getTime();
215
+ return t >= since.getTime() && t <= until.getTime();
216
+ });
217
+ return filter ? inRange.filter(filter) : inRange;
218
+ }
219
+ var DEFAULT_TTL_SECONDS2 = 86400;
72
220
  function makeError(code, message, details) {
73
221
  return { code, message, ...{} };
74
222
  }
@@ -79,9 +227,9 @@ function futureISO(seconds) {
79
227
  return new Date(Date.now() + seconds * 1e3).toISOString();
80
228
  }
81
229
  function createVCIssuer(config) {
82
- const { issuerDid, privateKeyJwk, defaultTtl = DEFAULT_TTL_SECONDS } = config;
230
+ const { issuerDid, privateKeyJwk, defaultTtl = DEFAULT_TTL_SECONDS2 } = config;
83
231
  const kid = `${issuerDid}#${issuerDid.split(":").pop() ?? "key-1"}`;
84
- async function signAsJwt(credential, subject, ttl) {
232
+ async function signAsJwt2(credential, subject, ttl) {
85
233
  try {
86
234
  const key = await importJWK(privateKeyJwk, "EdDSA");
87
235
  const { proof: _proof, ...vcWithoutProof } = credential;
@@ -106,13 +254,13 @@ function createVCIssuer(config) {
106
254
  };
107
255
  }
108
256
  }
109
- async function signAsJsonLd(credential) {
257
+ async function signAsJsonLd2(credential) {
110
258
  try {
111
259
  const key = await importJWK(privateKeyJwk, "EdDSA");
112
260
  const { proof: _proof, ...vcWithoutProof } = credential;
113
261
  const payload = new TextEncoder().encode(JSON.stringify(vcWithoutProof));
114
- const { CompactSign } = await import('jose');
115
- const jws = await new CompactSign(payload).setProtectedHeader({ alg: "EdDSA", kid }).sign(key);
262
+ const { CompactSign: CompactSign2 } = await import('jose');
263
+ const jws = await new CompactSign2(payload).setProtectedHeader({ alg: "EdDSA", kid }).sign(key);
116
264
  const proof = {
117
265
  type: "JsonWebSignature2020",
118
266
  created: nowISO(),
@@ -148,9 +296,9 @@ function createVCIssuer(config) {
148
296
  }
149
297
  async function signCredential(credential, subject, ttl, format) {
150
298
  if (format === "jwt") {
151
- return signAsJwt(credential, subject, ttl);
299
+ return signAsJwt2(credential, subject, ttl);
152
300
  }
153
- return signAsJsonLd(credential);
301
+ return signAsJsonLd2(credential);
154
302
  }
155
303
  async function issueAgentCredential(input) {
156
304
  const {
@@ -539,6 +687,6 @@ function createVCVerifier(config = {}) {
539
687
  };
540
688
  }
541
689
 
542
- export { CredentialStatusSchema, CredentialSubjectSchema, KAVACH_AGENT_CREDENTIAL, KAVACH_DELEGATION_CREDENTIAL, KAVACH_PERMISSION_CREDENTIAL, ProofSchema, VC_CONTEXT_V1, VC_CONTEXT_V2, VC_TYPE_CREDENTIAL, VC_TYPE_PRESENTATION, VerifiableCredentialSchema, VerifiablePresentationSchema, createVCIssuer, createVCVerifier };
690
+ export { CredentialStatusSchema, CredentialSubjectSchema, KAVACHOS_AUDIT_CONTEXT, KAVACHOS_AUDIT_CREDENTIAL, KAVACH_AGENT_CREDENTIAL, KAVACH_DELEGATION_CREDENTIAL, KAVACH_PERMISSION_CREDENTIAL, ProofSchema, VC_CONTEXT_V1, VC_CONTEXT_V2, VC_TYPE_CREDENTIAL, VC_TYPE_PRESENTATION, VerifiableCredentialSchema, VerifiablePresentationSchema, createVCIssuer, createVCVerifier, exportAuditAsVC, listAuditRecords };
543
691
  //# sourceMappingURL=index.js.map
544
692
  //# sourceMappingURL=index.js.map
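Review bot: In exportAuditAsVC, when format is "jwt_vc" the bundled `presentation` is the raw basePresentation with no proof, and its verifiableCredential array holds the unsigned credential objects that signAsJwt returns next to the JWT, so a consumer of that presentation gets nothing it can verify; either sign it in that mode (a SignJWT over a `vp` claim, mirroring signAsJwt) or document on the result that for jwt_vc only `jwts` carries signatures. A second inconsistency: signAsJwt honours `config.defaultTtl` for the JWT `exp`, but buildAuditCredential always stamps `expirationDate` with the fixed DEFAULT_TTL_SECONDS, so the two expiry claims disagree whenever a custom TTL is configured — thread the TTL through, e.g. `buildAuditCredential(record, issuerDid, issuerConfig.defaultTtl ?? DEFAULT_TTL_SECONDS)` with the extra parameter used on the `expirationDate` line. KAVACHOS_VERSION is still "0.3.0" in a 0.4.0 release, so every audit credential misreports the issuing version; derive it from the package version rather than a hand-maintained literal. CredentialSubjectSchema now ends in `.passthrough()`, which means unknown subject keys on any parsed credential survive validation untouched; a comment at the schema such as `// passthrough: extra subject keys (audit fields) are kept verbatim and are not validated` would make that deliberate choice visible to the verifier side.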
@@ -1 +1 @@
1
- {"version":3,"sources":["../../src/crypto/web-crypto.ts","../../src/vc/types.ts","../../src/vc/issuer.ts","../../src/vc/verifier.ts"],"names":["makeError","importJWK","joseErrors"],"mappings":";;;;;;AAwEO,SAAS,UAAA,GAAqB;AACpC,EAAA,OAAO,UAAA,CAAW,OAAO,UAAA,EAAW;AACrC;AAkBqB,IAAI,WAAA;AC/ElB,IAAM,aAAA,GAAgB;AACtB,IAAM,aAAA,GAAgB;AACtB,IAAM,kBAAA,GAAqB;AAC3B,IAAM,oBAAA,GAAuB;AAG7B,IAAM,uBAAA,GAA0B;AAChC,IAAM,4BAAA,GAA+B;AACrC,IAAM,4BAAA,GAA+B;AAIrC,IAAM,WAAA,GAAc,EAAE,MAAA,CAAO;AAAA,EACnC,MAAM,CAAA,CAAE,IAAA,CAAK,CAAC,sBAAA,EAAwB,sBAAsB,CAAC,CAAA;AAAA,EAC7D,OAAA,EAAS,EAAE,MAAA,EAAO;AAAA,EAClB,kBAAA,EAAoB,EAAE,MAAA,EAAO;AAAA,EAC7B,cAAc,CAAA,CAAE,IAAA,CAAK,CAAC,iBAAA,EAAmB,gBAAgB,CAAC,CAAA;AAAA,EAC1D,UAAA,EAAY,CAAA,CAAE,MAAA,EAAO,CAAE,QAAA,EAAS;AAAA,EAChC,GAAA,EAAK,CAAA,CAAE,MAAA,EAAO,CAAE,QAAA;AACjB,CAAC;AAMM,IAAM,sBAAA,GAAyB,EAAE,MAAA,CAAO;AAAA,EAC9C,EAAA,EAAI,EAAE,MAAA,EAAO;AAAA,EACb,IAAA,EAAM,EAAE,MAAA,EAAO;AAAA,EACf,eAAe,CAAA,CAAE,IAAA,CAAK,CAAC,YAAA,EAAc,YAAY,CAAC,CAAA;AAAA,EAClD,iBAAiB,CAAA,CAAE,MAAA,EAAO,CAAE,GAAA,GAAM,WAAA,EAAY;AAAA,EAC9C,oBAAA,EAAsB,EAAE,MAAA;AACzB,CAAC;AAMM,IAAM,uBAAA,GAA0B,EAAE,MAAA,CAAO;AAAA,EAC/C,EAAA,EAAI,CAAA,CAAE,MAAA,EAAO,CAAE,QAAA,EAAS;AAAA,EACxB,OAAA,EAAS,CAAA,CAAE,MAAA,EAAO,CAAE,QAAA,EAAS;AAAA,EAC7B,aAAa,CAAA,CAAE,KAAA,CAAM,EAAE,MAAA,EAAQ,EAAE,QAAA,EAAS;AAAA,EAC1C,UAAA,EAAY,CAAA,CAAE,MAAA,EAAO,CAAE,GAAA,CAAI,CAAC,CAAA,CAAE,GAAA,CAAI,CAAC,CAAA,CAAE,QAAA,EAAS;AAAA,EAC9C,iBAAiB,CAAA,CAAE,KAAA,CAAM,EAAE,MAAA,EAAQ,EAAE,QAAA,EAAS;AAAA,EAC9C,iBAAiB,CAAA,CACf,KAAA;AAAA,IACA,EAAE,MAAA,CAAO;AAAA,MACR,SAAA,EAAW,EAAE,MAAA,EAAO;AAAA,MACpB,SAAA,EAAW,EAAE,MAAA,EAAO;AAAA,MACpB,WAAA,EAAa,CAAA,CAAE,KAAA,CAAM,CAAA,CAAE,QAAQ,CAAA;AAAA,MAC/B,SAAA,EAAW,EAAE,MAAA;AAAO,KACpB;AAAA,IAED,QAAA,EAAS;AAAA,EACX,IAAA,EAAM,CAAA,CAAE,MAAA,EAAO,CAAE,QAAA,EAAS;AAAA,EAC1B,IAAA,EAAM,CAAA,CAAE,MAAA,EAAO,CAAE,QAAA;AAClB,CAAC;AAMM,IAAM,0BAAA,GAA6B,EAAE,MAAA,CAAO;AAAA,EAClD,UAAA,EAAY,EAAE,KAAA,CAAM,CAAA,CAAE,QAAQ,CAAA,CAAE,IAAI,CAAC,CAAA;AAAA,EACrC,EAAA,EAAI,CAAA,CAAE,MAA
A,EAAO,CAAE,QAAA,EAAS;AAAA,EACxB,IAAA,EAAM,EAAE,KAAA,CAAM,CAAA,CAAE,QAAQ,CAAA,CAAE,IAAI,CAAC,CAAA;AAAA,EAC/B,MAAA,EAAQ,EAAE,KAAA,CAAM,CAAC,EAAE,MAAA,EAAO,EAAG,CAAA,CAAE,MAAA,CAAO,EAAE,EAAA,EAAI,EAAE,MAAA,EAAO,EAAG,MAAM,CAAA,CAAE,MAAA,GAAS,QAAA,EAAS,EAAG,CAAC,CAAC,CAAA;AAAA,EACvF,YAAA,EAAc,EAAE,MAAA,EAAO;AAAA,EACvB,cAAA,EAAgB,CAAA,CAAE,MAAA,EAAO,CAAE,QAAA,EAAS;AAAA,EACpC,iBAAA,EAAmB,uBAAA;AAAA,EACnB,gBAAA,EAAkB,uBAAuB,QAAA,EAAS;AAAA,EAClD,KAAA,EAAO,YAAY,QAAA;AACpB,CAAC;AAMM,IAAM,4BAAA,GAA+B,EAAE,MAAA,CAAO;AAAA,EACpD,UAAA,EAAY,EAAE,KAAA,CAAM,CAAA,CAAE,QAAQ,CAAA,CAAE,IAAI,CAAC,CAAA;AAAA,EACrC,EAAA,EAAI,CAAA,CAAE,MAAA,EAAO,CAAE,QAAA,EAAS;AAAA,EACxB,IAAA,EAAM,EAAE,KAAA,CAAM,CAAA,CAAE,QAAQ,CAAA,CAAE,IAAI,CAAC,CAAA;AAAA,EAC/B,MAAA,EAAQ,CAAA,CAAE,MAAA,EAAO,CAAE,QAAA,EAAS;AAAA,EAC5B,sBAAsB,CAAA,CAAE,KAAA,CAAM,0BAA0B,CAAA,CAAE,IAAI,CAAC,CAAA;AAAA,EAC/D,KAAA,EAAO,YAAY,QAAA;AACpB,CAAC;;;ACpED,IAAM,mBAAA,GAAsB,KAAA;AAI5B,SAAS,SAAA,CAAU,IAAA,EAAc,OAAA,EAAiB,OAAA,EAAgD;AACjG,EAAA,OAAO,EAAE,IAAA,EAAM,OAAA,EAAS,GAA0C,EAAC,EAAG;AACvE;AAEA,SAAS,MAAA,GAAiB;AACzB,EAAA,OAAA,iBAAO,IAAI,IAAA,EAAK,EAAE,WAAA,EAAY;AAC/B;AAEA,SAAS,UAAU,OAAA,EAAyB;AAC3C,EAAA,OAAO,IAAI,KAAK,IAAA,CAAK,GAAA,KAAQ,OAAA,GAAU,GAAI,EAAE,WAAA,EAAY;AAC1D;AAoFO,SAAS,eAAe,MAAA,EAAkC;AAChE,EAAA,MAAM,EAAE,SAAA,EAAW,aAAA,EAAe,UAAA,GAAa,qBAAoB,GAAI,MAAA;AAEvE,EAAA,MAAM,GAAA,GAAM,CAAA,EAAG,SAAS,CAAA,CAAA,EAAI,SAAA,CAAU,MAAM,GAAG,CAAA,CAAE,GAAA,EAAI,IAAK,OAAO,CAAA,CAAA;AAEjE,EAAA,eAAe,SAAA,CACd,UAAA,EACA,OAAA,EACA,GAAA,EACqE;AACrE,IAAA,IAAI;AACH,MAAA,MAAM,GAAA,GAAM,MAAM,SAAA,CAAU,aAAA,EAAe,OAAO,CAAA;AAGlD,MAAA,MAAM,EAAE,KAAA,EAAO,MAAA,EAAQ,GAAG,gBAAe,GAAI,UAAA;AAE7C,MAAA,MAAM,OAAA,GAAU,IAAI,OAAA,CAAQ;AAAA,QAC3B,EAAA,EAAI;AAAA,OACJ,CAAA,CACC,kBAAA,CAAmB,EAAE,GAAA,EAAK,SAAS,GAAA,EAAK,GAAA,EAAK,KAAA,EAAO,CAAA,CACpD,SAAA,CAAU,SAAS,CAAA,CACnB,WAAA,EAAY,CACZ,iBAAA,CAAkB,IAAA,CAAK,KAAA,CAAM,KAAK,GAAA,EAAI,GAAI,GAAI,CAAA,GAAI,GAAG,CAAA;AAEvD,MAAA,IAAI,WAAW,EAAA,EAAI;AAClB,QAAA,OAAA,CAAQ,MAAA,CAAO,WAAW,EAAE,CAAA;AAAA,MAC7B;AACA,MAAA,IAAI
,OAAA,EAAS;AACZ,QAAA,OAAA,CAAQ,WAAW,OAAO,CAAA;AAAA,MAC3B;AAEA,MAAA,MAAM,GAAA,GAAM,MAAM,OAAA,CAAQ,IAAA,CAAK,GAAG,CAAA;AAClC,MAAA,OAAO,EAAE,OAAA,EAAS,IAAA,EAAM,MAAM,EAAE,UAAA,EAAY,KAAI,EAAE;AAAA,IACnD,SAAS,GAAA,EAAK;AACb,MAAA,OAAO;AAAA,QACN,OAAA,EAAS,KAAA;AAAA,QACT,KAAA,EAAO,SAAA;AAAA,UACN,gBAAA;AAAA,UACA,GAAA,YAAe,KAAA,GAAQ,GAAA,CAAI,OAAA,GAAU;AAAA;AACtC,OACD;AAAA,IACD;AAAA,EACD;AAEA,EAAA,eAAe,aACd,UAAA,EACwD;AACxD,IAAA,IAAI;AACH,MAAA,MAAM,GAAA,GAAM,MAAM,SAAA,CAAU,aAAA,EAAe,OAAO,CAAA;AAGlD,MAAA,MAAM,EAAE,KAAA,EAAO,MAAA,EAAQ,GAAG,gBAAe,GAAI,UAAA;AAC7C,MAAA,MAAM,OAAA,GAAU,IAAI,WAAA,EAAY,CAAE,OAAO,IAAA,CAAK,SAAA,CAAU,cAAc,CAAC,CAAA;AAEvE,MAAA,MAAM,EAAE,WAAA,EAAY,GAAI,MAAM,OAAO,MAAM,CAAA;AAC3C,MAAA,MAAM,GAAA,GAAM,MAAM,IAAI,WAAA,CAAY,OAAO,CAAA,CACvC,kBAAA,CAAmB,EAAE,GAAA,EAAK,OAAA,EAAS,GAAA,EAAK,CAAA,CACxC,KAAK,GAAG,CAAA;AAEV,MAAA,MAAM,KAAA,GAAe;AAAA,QACpB,IAAA,EAAM,sBAAA;AAAA,QACN,SAAS,MAAA,EAAO;AAAA,QAChB,kBAAA,EAAoB,GAAA;AAAA,QACpB,YAAA,EAAc,iBAAA;AAAA,QACd;AAAA,OACD;AAEA,MAAA,MAAM,gBAAA,GAAyC;AAAA,QAC9C,GAAG,UAAA;AAAA,QACH;AAAA,OACD;AAEA,MAAA,OAAO,EAAE,OAAA,EAAS,IAAA,EAAM,MAAM,EAAE,UAAA,EAAY,kBAAiB,EAAE;AAAA,IAChE,SAAS,GAAA,EAAK;AACb,MAAA,OAAO;AAAA,QACN,OAAA,EAAS,KAAA;AAAA,QACT,KAAA,EAAO,SAAA;AAAA,UACN,gBAAA;AAAA,UACA,GAAA,YAAe,KAAA,GAAQ,GAAA,CAAI,OAAA,GAAU;AAAA;AACtC,OACD;AAAA,IACD;AAAA,EACD;AAEA,EAAA,SAAS,eAAA,CACR,KAAA,EACA,OAAA,EACA,GAAA,EACA,cAAA,EACuB;AACvB,IAAA,OAAO;AAAA,MACN,UAAA,EAAY,CAAC,aAAa,CAAA;AAAA,MAC1B,EAAA,EAAI,CAAA,SAAA,EAAY,UAAA,EAAY,CAAA,CAAA;AAAA,MAC5B,IAAA,EAAM,CAAC,kBAAA,EAAoB,GAAG,KAAK,CAAA;AAAA,MACnC,MAAA,EAAQ,SAAA;AAAA,MACR,cAAc,MAAA,EAAO;AAAA,MACrB,cAAA,EAAkC,SAAA,CAAU,GAAG,CAAA;AAAA,MAC/C,iBAAA,EAAmB;AAAA,KACpB;AAAA,EACD;AAEA,EAAA,eAAe,cAAA,CACd,UAAA,EACA,OAAA,EACA,GAAA,EACA,MAAA,EACsE;AACtE,IAAA,IAAI,WAAW,KAAA,EAAO;AACrB,MAAA,OAAO,SAAA,CAAU,UAAA,EAAY,OAAA,EAAS,GAAG,CAAA;AAAA,IAC1C;AACA,IAAA,OAAO,aAAa,UAAU,CAAA;AAAA,EAC/B;AAIA,EAAA,eAAe,qBACd,KAAA,EACsE;AACtE,IAAA,MAAM;AAAA,MACL,OAAA;AAAA,MACA,IAAA;AAAA,MACA,SAAA;AAAA,MACA,WAAA;AAAA,MACA,UA
AA;AAAA,MACA,GAAA,GAAM,UAAA;AAAA,MACN,MAAA,GAAS;AAAA,KACV,GAAI,KAAA;AAEJ,IAAA,IAAI,CAAC,OAAA,EAAS;AACb,MAAA,OAAO;AAAA,QACN,OAAA,EAAS,KAAA;AAAA,QACT,KAAA,EAAO,SAAA,CAAU,kBAAA,EAAoB,qBAAqB;AAAA,OAC3D;AAAA,IACD;AAEA,IAAA,IAAI,UAAA,KAAe,MAAA,KAAc,UAAA,GAAa,CAAA,IAAK,aAAa,CAAA,CAAA,EAAI;AACnE,MAAA,OAAO;AAAA,QACN,OAAA,EAAS,KAAA;AAAA,QACT,KAAA,EAAO,SAAA,CAAU,kBAAA,EAAoB,oCAAoC;AAAA,OAC1E;AAAA,IACD;AAEA,IAAA,MAAM,OAAA,GAA6B;AAAA,MAClC,EAAA,EAAI,OAAA;AAAA,MACJ,OAAA;AAAA,MACA,GAAI,IAAA,KAAS,MAAA,GAAY,EAAE,IAAA,KAAS,EAAC;AAAA,MACrC,GAAI,SAAA,KAAc,MAAA,GAAY,EAAE,IAAA,EAAM,SAAA,KAAc,EAAC;AAAA,MACrD,GAAI,WAAA,KAAgB,MAAA,GAAY,EAAE,WAAA,KAAgB,EAAC;AAAA,MACnD,GAAI,UAAA,KAAe,MAAA,GAAY,EAAE,UAAA,KAAe;AAAC,KAClD;AAEA,IAAA,MAAM,aAAa,eAAA,CAAgB,CAAC,uBAAuB,CAAA,EAAG,SAAS,GAAG,CAAA;AAC1E,IAAA,OAAO,cAAA,CAAe,UAAA,EAAY,OAAA,EAAS,GAAA,EAAK,MAAM,CAAA;AAAA,EACvD;AAEA,EAAA,eAAe,0BACd,KAAA,EACsE;AACtE,IAAA,MAAM,EAAE,OAAA,EAAS,WAAA,EAAa,MAAM,UAAA,EAAY,MAAA,GAAS,OAAM,GAAI,KAAA;AAEnE,IAAA,IAAI,CAAC,OAAA,EAAS;AACb,MAAA,OAAO;AAAA,QACN,OAAA,EAAS,KAAA;AAAA,QACT,KAAA,EAAO,SAAA,CAAU,kBAAA,EAAoB,qBAAqB;AAAA,OAC3D;AAAA,IACD;AAEA,IAAA,IAAI,CAAC,WAAA,IAAe,WAAA,CAAY,MAAA,KAAW,CAAA,EAAG;AAC7C,MAAA,OAAO;AAAA,QACN,OAAA,EAAS,KAAA;AAAA,QACT,KAAA,EAAO,SAAA,CAAU,kBAAA,EAAoB,qCAAqC;AAAA,OAC3E;AAAA,IACD;AAEA,IAAA,MAAM,OAAA,GAA6B;AAAA,MAClC,EAAA,EAAI,OAAA;AAAA,MACJ,OAAA;AAAA,MACA;AAAA,KACD;AAEA,IAAA,MAAM,aAAa,eAAA,CAAgB,CAAC,4BAA4B,CAAA,EAAG,SAAS,GAAG,CAAA;AAC/E,IAAA,OAAO,cAAA,CAAe,UAAA,EAAY,OAAA,EAAS,GAAA,EAAK,MAAM,CAAA;AAAA,EACvD;AAEA,EAAA,eAAe,0BACd,KAAA,EACsE;AACtE,IAAA,MAAM,EAAE,SAAS,KAAA,EAAO,eAAA,EAAiB,MAAM,UAAA,EAAY,MAAA,GAAS,OAAM,GAAI,KAAA;AAE9E,IAAA,IAAI,CAAC,OAAA,EAAS;AACb,MAAA,OAAO;AAAA,QACN,OAAA,EAAS,KAAA;AAAA,QACT,KAAA,EAAO,SAAA,CAAU,kBAAA,EAAoB,qBAAqB;AAAA,OAC3D;AAAA,IACD;AAEA,IAAA,IAAI,CAAC,KAAA,IAAS,KAAA,CAAM,MAAA,KAAW,CAAA,EAAG;AACjC,MAAA,OAAO;AAAA,QACN,OAAA,EAAS,KAAA;AAAA,QACT,KAAA,EAAO,SAAA,CAAU,kBAAA,EAAoB,8CAA8C;AAAA,OACpF;AAAA,IACD;AAEA,IAAA,MAAM,OAAA,GAA6B;AAAA,MAClC,EAAA,EAAI,OAAA;AAAA,MACJ,OAA
A;AAAA,MACA,eAAA,EAAiB,KAAA;AAAA,MACjB,GAAI,eAAA,KAAoB,MAAA,GAAY,EAAE,eAAA,KAAoB;AAAC,KAC5D;AAEA,IAAA,MAAM,aAAa,eAAA,CAAgB,CAAC,4BAA4B,CAAA,EAAG,SAAS,GAAG,CAAA;AAC/E,IAAA,OAAO,cAAA,CAAe,UAAA,EAAY,OAAA,EAAS,GAAA,EAAK,MAAM,CAAA;AAAA,EACvD;AAEA,EAAA,OAAO;AAAA,IACN,oBAAA;AAAA,IACA,yBAAA;AAAA,IACA,yBAAA;AAAA,IACA;AAAA,GACD;AACD;ACpUA,SAASA,UAAAA,CAAU,IAAA,EAAc,OAAA,EAAiB,OAAA,EAAgD;AACjG,EAAA,OAAO,EAAE,IAAA,EAAM,OAAA,EAAS,GAAI,OAAA,KAAY,SAAY,EAAE,OAAA,EAAQ,GAAI,EAAC,EAAG;AACvE;AAEA,SAAS,gBAAgB,MAAA,EAAwD;AAChF,EAAA,IAAI,OAAO,MAAA,KAAW,QAAA,EAAU,OAAO,MAAA;AACvC,EAAA,OAAO,MAAA,CAAO,EAAA;AACf;AA4BO,SAAS,gBAAA,CAAiB,MAAA,GAA2B,EAAC,EAAe;AAC3E,EAAA,MAAM,EAAE,aAAA,EAAe,qBAAA,EAAsB,GAAI,MAAA;AAEjD,EAAA,eAAe,UAAA,CAAW,KAAa,WAAA,EAAuD;AAC7F,IAAA,IAAI,WAAA,EAAa;AAChB,MAAA,OAAO,EAAE,OAAA,EAAS,IAAA,EAAM,IAAA,EAAM,WAAA,EAAY;AAAA,IAC3C;AAEA,IAAA,IAAI,aAAA,EAAe;AAClB,MAAA,MAAM,QAAA,GAAW,MAAM,aAAA,CAAc,GAAG,CAAA;AACxC,MAAA,IAAI,QAAA,EAAU;AACb,QAAA,OAAO,EAAE,OAAA,EAAS,IAAA,EAAM,IAAA,EAAM,QAAA,EAAS;AAAA,MACxC;AAAA,IACD;AAEA,IAAA,OAAO;AAAA,MACN,OAAA,EAAS,KAAA;AAAA,MACT,KAAA,EAAOA,UAAAA,CAAU,kBAAA,EAAoB,CAAA,sCAAA,EAAyC,GAAG,CAAA,CAAE;AAAA,KACpF;AAAA,EACD;AAEA,EAAA,eAAe,mBAAA,CACd,KACA,WAAA,EACsC;AACtC,IAAA,IAAI;AAEH,MAAA,MAAM,KAAA,GAAQ,GAAA,CAAI,KAAA,CAAM,GAAG,CAAA;AAC3B,MAAA,IAAI,KAAA,CAAM,WAAW,CAAA,EAAG;AACvB,QAAA,OAAO;AAAA,UACN,OAAA,EAAS,KAAA;AAAA,UACT,KAAA,EAAOA,UAAAA,CAAU,gBAAA,EAAkB,2BAA2B;AAAA,SAC/D;AAAA,MACD;AAGA,MAAA,MAAM,UAAA,GAAa,MAAM,CAAC,CAAA;AAC1B,MAAA,IAAI,CAAC,UAAA,EAAY;AAChB,QAAA,OAAO;AAAA,UACN,OAAA,EAAS,KAAA;AAAA,UACT,KAAA,EAAOA,UAAAA,CAAU,gBAAA,EAAkB,wBAAwB;AAAA,SAC5D;AAAA,MACD;AACA,MAAA,MAAM,aAAa,IAAA,CAAK,KAAA;AAAA,QACvB,IAAI,aAAY,CAAE,MAAA;AAAA,UACjB,UAAA,CAAW,IAAA;AAAA,YAAK,IAAA,CAAK,WAAW,OAAA,CAAQ,IAAA,EAAM,GAAG,CAAA,CAAE,OAAA,CAAQ,IAAA,EAAM,GAAG,CAAC,CAAA;AAAA,YAAG,CAAC,CAAA,KACxE,CAAA,CAAE,UAAA,CAAW,CAAC;AAAA;AACf;AACD,OACD;AAEA,MAAA,MAAM,YAAY,OAAO,UAAA,CAAW,GAAA,KAAQ,QAAA,GAAW,WAAW,GAAA,GAAM,IAAA;AACxE,MAAA,IAAI,CAAC,SAAA,EAAW;AACf,QAAA,OAAO;AAAA,UACN,OAAA,EAAS,K
AAA;AAAA,UACT,KAAA,EAAOA,UAAAA,CAAU,cAAA,EAAgB,sBAAsB;AAAA,SACxD;AAAA,MACD;AAGA,MAAA,MAAM,SAAA,GAAY,MAAM,UAAA,CAAW,SAAA,EAAW,WAAW,CAAA;AACzD,MAAA,IAAI,CAAC,SAAA,CAAU,OAAA,EAAS,OAAO,SAAA;AAE/B,MAAA,MAAM,SAAA,GAAY,MAAMC,SAAAA,CAAU,SAAA,CAAU,MAAM,OAAO,CAAA;AACzD,MAAA,MAAM,EAAE,OAAA,EAAQ,GAAI,MAAM,SAAA,CAAU,KAAK,SAAS,CAAA;AAElD,MAAA,MAAM,UAAU,OAAA,CAAQ,EAAA;AACxB,MAAA,IAAI,CAAC,OAAA,EAAS;AACb,QAAA,OAAO;AAAA,UACN,OAAA,EAAS,KAAA;AAAA,UACT,KAAA,EAAOD,UAAAA,CAAU,qBAAA,EAAuB,iCAAiC;AAAA,SAC1E;AAAA,MACD;AAGA,MAAA,MAAM,UAAA,GAAmC;AAAA,QACxC,GAAI,OAAA;AAAA,QACJ,MAAA,EAAQ;AAAA,OACT;AAGA,MAAA,MAAM,MAAA,GAAS,0BAAA,CAA2B,SAAA,CAAU,UAAU,CAAA;AAC9D,MAAA,IAAI,CAAC,OAAO,OAAA,EAAS;AACpB,QAAA,OAAO;AAAA,UACN,OAAA,EAAS,KAAA;AAAA,UACT,KAAA,EAAOA,UAAAA,CAAU,uBAAA,EAAyB,sCAAA,EAAwC;AAAA,YACjF,QAAQ,MAAA,CAAO,KAAA,CAAM,MAAA,CAAO,GAAA,CAAI,CAAC,CAAA,KAAM,CAAA,EAAG,CAAA,CAAE,IAAA,CAAK,KAAK,GAAG,CAAC,CAAA,EAAA,EAAK,CAAA,CAAE,OAAO,CAAA,CAAE;AAAA,WAC1E;AAAA,SACF;AAAA,MACD;AAGA,MAAA,IAAI,OAAA,CAAQ,GAAA,IAAO,OAAA,CAAQ,GAAA,GAAM,IAAA,CAAK,MAAM,IAAA,CAAK,GAAA,EAAI,GAAI,GAAI,CAAA,EAAG;AAC/D,QAAA,OAAO;AAAA,UACN,OAAA,EAAS,KAAA;AAAA,UACT,KAAA,EAAOA,UAAAA,CAAU,YAAA,EAAc,wBAAwB;AAAA,SACxD;AAAA,MACD;AAGA,MAAA,IAAI,MAAA,CAAO,IAAA,CAAK,gBAAA,IAAoB,qBAAA,EAAuB;AAC1D,QAAA,MAAM,OAAA,GAAU,MAAM,qBAAA,CAAsB,MAAA,CAAO,KAAK,gBAAgB,CAAA;AACxE,QAAA,IAAI,OAAA,EAAS;AACZ,UAAA,OAAO;AAAA,YACN,OAAA,EAAS,KAAA;AAAA,YACT,KAAA,EAAOA,UAAAA,CAAU,YAAA,EAAc,6BAA6B;AAAA,WAC7D;AAAA,QACD;AAAA,MACD;AAEA,MAAA,OAAO;AAAA,QACN,OAAA,EAAS,IAAA;AAAA,QACT,IAAA,EAAM;AAAA,UACL,YAAY,MAAA,CAAO,IAAA;AAAA,UACnB,MAAA,EAAQ,KAAA;AAAA,UACR,MAAA,EAAQ,SAAA;AAAA,UACR,UAAU,IAAI,IAAA,CAAA,CAAM,OAAA,CAAQ,GAAA,IAAO,KAAK,GAAI,CAAA;AAAA,UAC5C,SAAA,EAAW,QAAQ,GAAA,GAAM,IAAI,KAAK,OAAA,CAAQ,GAAA,GAAM,GAAI,CAAA,GAAI;AAAA;AACzD,OACD;AAAA,IACD,SAAS,GAAA,EAAK;AAEb,MAAA,IAAI,GAAA,YAAeE,OAAW,UAAA,EAAY;AACzC,QAAA,OAAO;AAAA,UACN,OAAA,EAAS,KAAA;AAAA,UACT,KAAA,EAAOF,UAAAA,CAAU,YAAA,EAAc,wBAAwB;AAAA,SACxD;AAAA,MACD;AACA,MAAA,OAAO;AAAA,QACN,OAAA,EAAS,KAAA;AAAA,QACT,KAAA,EAAOA,UAAAA
;AAAA,UACN,kBAAA;AAAA,UACA,GAAA,YAAe,KAAA,GAAQ,GAAA,CAAI,OAAA,GAAU;AAAA;AACtC,OACD;AAAA,IACD;AAAA,EACD;AAEA,EAAA,eAAe,sBAAA,CACd,IACA,WAAA,EACsC;AAEtC,IAAA,MAAM,MAAA,GAAS,0BAAA,CAA2B,SAAA,CAAU,EAAE,CAAA;AACtD,IAAA,IAAI,CAAC,OAAO,OAAA,EAAS;AACpB,MAAA,OAAO;AAAA,QACN,OAAA,EAAS,KAAA;AAAA,QACT,KAAA,EAAOA,UAAAA,CAAU,uBAAA,EAAyB,sCAAA,EAAwC;AAAA,UACjF,QAAQ,MAAA,CAAO,KAAA,CAAM,MAAA,CAAO,GAAA,CAAI,CAAC,CAAA,KAAM,CAAA,EAAG,CAAA,CAAE,IAAA,CAAK,KAAK,GAAG,CAAC,CAAA,EAAA,EAAK,CAAA,CAAE,OAAO,CAAA,CAAE;AAAA,SAC1E;AAAA,OACF;AAAA,IACD;AAEA,IAAA,MAAM,aAAa,MAAA,CAAO,IAAA;AAE1B,IAAA,IAAI,CAAC,WAAW,KAAA,EAAO;AACtB,MAAA,OAAO;AAAA,QACN,OAAA,EAAS,KAAA;AAAA,QACT,KAAA,EAAOA,UAAAA,CAAU,aAAA,EAAe,0CAA0C;AAAA,OAC3E;AAAA,IACD;AAEA,IAAA,IAAI,CAAC,UAAA,CAAW,KAAA,CAAM,GAAA,EAAK;AAC1B,MAAA,OAAO;AAAA,QACN,OAAA,EAAS,KAAA;AAAA,QACT,KAAA,EAAOA,UAAAA,CAAU,WAAA,EAAa,oCAAoC;AAAA,OACnE;AAAA,IACD;AAEA,IAAA,MAAM,SAAA,GAAY,eAAA,CAAgB,UAAA,CAAW,MAAM,CAAA;AAGnD,IAAA,MAAM,SAAA,GAAY,MAAM,UAAA,CAAW,SAAA,EAAW,WAAW,CAAA;AACzD,IAAA,IAAI,CAAC,SAAA,CAAU,OAAA,EAAS,OAAO,SAAA;AAE/B,IAAA,IAAI;AACH,MAAA,MAAM,SAAA,GAAY,MAAMC,SAAAA,CAAU,SAAA,CAAU,MAAM,OAAO,CAAA;AAGzD,MAAA,MAAM,EAAE,SAAQ,GAAI,MAAM,cAAc,UAAA,CAAW,KAAA,CAAM,KAAK,SAAS,CAAA;AAGvE,MAAA,MAAM,EAAE,KAAA,EAAO,MAAA,EAAQ,GAAG,gBAAe,GAAI,UAAA;AAC7C,MAAA,MAAM,aAAA,GAAgB,IAAI,WAAA,EAAY,CAAE,OAAO,OAAO,CAAA;AACtD,MAAA,MAAM,cAAA,GAAiB,IAAA,CAAK,SAAA,CAAU,cAAc,CAAA;AAEpD,MAAA,IAAI,kBAAkB,cAAA,EAAgB;AACrC,QAAA,OAAO;AAAA,UACN,OAAA,EAAS,KAAA;AAAA,UACT,KAAA,EAAOD,UAAAA,CAAU,aAAA,EAAe,sDAAsD;AAAA,SACvF;AAAA,MACD;AAGA,MAAA,IAAI,WAAW,cAAA,EAAgB;AAC9B,QAAA,MAAM,MAAA,GAAS,IAAI,IAAA,CAAK,UAAA,CAAW,cAAc,CAAA;AACjD,QAAA,IAAI,MAAA,oBAAU,IAAI,IAAA,EAAK,EAAG;AACzB,UAAA,OAAO;AAAA,YACN,OAAA,EAAS,KAAA;AAAA,YACT,KAAA,EAAOA,UAAAA,CAAU,YAAA,EAAc,wBAAwB;AAAA,WACxD;AAAA,QACD;AAAA,MACD;AAGA,MAAA,IAAI,UAAA,CAAW,oBAAoB,qBAAA,EAAuB;AACzD,QAAA,MAAM,OAAA,GAAU,MAAM,qBAAA,CAAsB,UAAA,CAAW,gBAAgB,CAAA;AACvE,QAAA,IAAI,OAAA,EAAS;AACZ,UAAA,OAAO;AAAA,YACN,OAAA,EAAS,KAAA;AAAA,YACT,KAAA,EAAOA,UAAAA,CAAU,YAAA,EAAc,6BAA
6B;AAAA,WAC7D;AAAA,QACD;AAAA,MACD;AAEA,MAAA,OAAO;AAAA,QACN,OAAA,EAAS,IAAA;AAAA,QACT,IAAA,EAAM;AAAA,UACL,UAAA;AAAA,UACA,MAAA,EAAQ,SAAA;AAAA,UACR,MAAA,EAAQ,SAAA;AAAA,UACR,QAAA,EAAU,IAAI,IAAA,CAAK,UAAA,CAAW,YAAY,CAAA;AAAA,UAC1C,WAAW,UAAA,CAAW,cAAA,GAAiB,IAAI,IAAA,CAAK,UAAA,CAAW,cAAc,CAAA,GAAI;AAAA;AAC9E,OACD;AAAA,IACD,SAAS,GAAA,EAAK;AACb,MAAA,OAAO;AAAA,QACN,OAAA,EAAS,KAAA;AAAA,QACT,KAAA,EAAOA,UAAAA;AAAA,UACN,kBAAA;AAAA,UACA,GAAA,YAAe,KAAA,GAAQ,GAAA,CAAI,OAAA,GAAU;AAAA;AACtC,OACD;AAAA,IACD;AAAA,EACD;AAIA,EAAA,eAAe,gBAAA,CACd,IACA,YAAA,EACsC;AACtC,IAAA,IAAI,OAAO,OAAO,QAAA,EAAU;AAC3B,MAAA,OAAO,mBAAA,CAAoB,IAAI,YAAY,CAAA;AAAA,IAC5C;AACA,IAAA,OAAO,sBAAA,CAAuB,IAAI,YAAY,CAAA;AAAA,EAC/C;AAEA,EAAA,eAAe,kBAAA,CACd,IACA,YAAA,EACwC;AACxC,IAAA,IAAI,YAAA;AAEJ,IAAA,IAAI,OAAO,OAAO,QAAA,EAAU;AAE3B,MAAA,IAAI;AACH,QAAA,MAAM,KAAA,GAAQ,EAAA,CAAG,KAAA,CAAM,GAAG,CAAA;AAC1B,QAAA,IAAI,MAAM,MAAA,KAAW,CAAA,IAAK,CAAC,KAAA,CAAM,CAAC,CAAA,EAAG;AACpC,UAAA,OAAO;AAAA,YACN,OAAA,EAAS,KAAA;AAAA,YACT,KAAA,EAAOA,UAAAA,CAAU,gBAAA,EAAkB,wCAAwC;AAAA,WAC5E;AAAA,QACD;AAEA,QAAA,MAAM,UAAA,GAAa,MAAM,CAAC,CAAA;AAC1B,QAAA,MAAM,aAAa,IAAA,CAAK,KAAA;AAAA,UACvB,IAAI,aAAY,CAAE,MAAA;AAAA,YACjB,UAAA,CAAW,IAAA;AAAA,cAAK,IAAA,CAAK,WAAW,OAAA,CAAQ,IAAA,EAAM,GAAG,CAAA,CAAE,OAAA,CAAQ,IAAA,EAAM,GAAG,CAAC,CAAA;AAAA,cAAG,CAAC,CAAA,KACxE,CAAA,CAAE,UAAA,CAAW,CAAC;AAAA;AACf;AACD,SACD;AAEA,QAAA,MAAM,YAAY,OAAO,UAAA,CAAW,GAAA,KAAQ,QAAA,GAAW,WAAW,GAAA,GAAM,IAAA;AACxE,QAAA,IAAI,CAAC,SAAA,EAAW;AACf,UAAA,OAAO;AAAA,YACN,OAAA,EAAS,KAAA;AAAA,YACT,KAAA,EAAOA,UAAAA,CAAU,cAAA,EAAgB,mCAAmC;AAAA,WACrE;AAAA,QACD;AAEA,QAAA,MAAM,SAAA,GAAY,MAAM,UAAA,CAAW,SAAA,EAAW,YAAY,CAAA;AAC1D,QAAA,IAAI,CAAC,SAAA,CAAU,OAAA,EAAS,OAAO,SAAA;AAE/B,QAAA,MAAM,SAAA,GAAY,MAAMC,SAAAA,CAAU,SAAA,CAAU,MAAM,OAAO,CAAA;AACzD,QAAA,MAAM,EAAE,OAAA,EAAQ,GAAI,MAAM,SAAA,CAAU,IAAI,SAAS,CAAA;AAEjD,QAAA,MAAM,UAAU,OAAA,CAAQ,EAAA;AACxB,QAAA,IAAI,CAAC,OAAA,EAAS;AACb,UAAA,OAAO;AAAA,YACN,OAAA,EAAS,KAAA;AAAA,YACT,KAAA,EAAOD,UAAAA,CAAU,qBAAA,EAAuB,iCAAiC;AAAA,WAC1E;AAAA,QACD;AAEA,QAAA,YAAA,GAAe,O
AAA;AAAA,MAChB,SAAS,GAAA,EAAK;AACb,QAAA,OAAO;AAAA,UACN,OAAA,EAAS,KAAA;AAAA,UACT,KAAA,EAAOA,UAAAA;AAAA,YACN,kBAAA;AAAA,YACA,GAAA,YAAe,KAAA,GAAQ,GAAA,CAAI,OAAA,GAAU;AAAA;AACtC,SACD;AAAA,MACD;AAAA,IACD,CAAA,MAAO;AACN,MAAA,YAAA,GAAe,EAAA;AAAA,IAChB;AAGA,IAAA,MAAM,MAAA,GAAS,4BAAA,CAA6B,SAAA,CAAU,YAAY,CAAA;AAClE,IAAA,IAAI,CAAC,OAAO,OAAA,EAAS;AACpB,MAAA,OAAO;AAAA,QACN,OAAA,EAAS,KAAA;AAAA,QACT,KAAA,EAAOA,UAAAA,CAAU,yBAAA,EAA2B,wCAAA,EAA0C;AAAA,UACrF,QAAQ,MAAA,CAAO,KAAA,CAAM,MAAA,CAAO,GAAA,CAAI,CAAC,CAAA,KAAM,CAAA,EAAG,CAAA,CAAE,IAAA,CAAK,KAAK,GAAG,CAAC,CAAA,EAAA,EAAK,CAAA,CAAE,OAAO,CAAA,CAAE;AAAA,SAC1E;AAAA,OACF;AAAA,IACD;AAGA,IAAA,MAAM,sBAA4C,EAAC;AACnD,IAAA,KAAA,MAAW,EAAA,IAAM,MAAA,CAAO,IAAA,CAAK,oBAAA,EAAsB;AAClD,MAAA,MAAM,MAAA,GAAS,MAAM,gBAAA,CAAiB,EAAA,EAAI,YAAY,CAAA;AACtD,MAAA,IAAI,CAAC,OAAO,OAAA,EAAS;AACpB,QAAA,OAAO;AAAA,UACN,OAAA,EAAS,KAAA;AAAA,UACT,KAAA,EAAOA,UAAAA;AAAA,YACN,oCAAA;AAAA,YACA,CAAA,6CAAA,EAAgD,MAAA,CAAO,KAAA,CAAM,OAAO,CAAA,CAAA;AAAA,YACpE,EAAE,aAAA,EAAe,MAAA,CAAO,KAAA;AAAM;AAC/B,SACD;AAAA,MACD;AACA,MAAA,mBAAA,CAAoB,IAAA,CAAK,OAAO,IAAI,CAAA;AAAA,IACrC;AAEA,IAAA,OAAO;AAAA,MACN,OAAA,EAAS,IAAA;AAAA,MACT,IAAA,EAAM;AAAA,QACL,cAAc,MAAA,CAAO,IAAA;AAAA,QACrB,WAAA,EAAa,mBAAA;AAAA,QACb,MAAA,EAAQ,MAAA,CAAO,IAAA,CAAK,MAAA,IAAU;AAAA;AAC/B,KACD;AAAA,EACD;AAEA,EAAA,SAAS,mBAAmB,EAAA,EAAgD;AAC3E,IAAA,MAAM,UAAU,EAAA,CAAG,iBAAA;AACnB,IAAA,OAAO;AAAA,MACN,OAAA,EAAS,OAAA,CAAQ,OAAA,IAAW,OAAA,CAAQ,EAAA,IAAM,IAAA;AAAA,MAC1C,WAAA,EAAa,OAAA,CAAQ,WAAA,IAAe,EAAC;AAAA,MACrC,UAAA,EAAY,QAAQ,UAAA,IAAc,IAAA;AAAA,MAClC,eAAA,EAAiB,OAAA,CAAQ,eAAA,IAAmB;AAAC,KAC9C;AAAA,EACD;AAEA,EAAA,OAAO;AAAA,IACN,gBAAA;AAAA,IACA,kBAAA;AAAA,IACA;AAAA,GACD;AACD","file":"index.js","sourcesContent":["/**\n * Web Crypto API utilities for KavachOS.\n *\n * This module uses ONLY the Web Crypto API (globalThis.crypto) which is\n * available natively in Cloudflare Workers, Deno, Bun, and Node 20+.\n * No `node:crypto` imports are used, making the core package edge-compatible.\n */\n\n// 
---------------------------------------------------------------------------\n// Encoding helpers\n// ---------------------------------------------------------------------------\n\nconst HEX_CHARS = \"0123456789abcdef\";\n\n/** Encode a Uint8Array as a lowercase hex string. */\nexport function toHex(bytes: Uint8Array): string {\n\tlet hex = \"\";\n\tfor (let i = 0; i < bytes.length; i++) {\n\t\tconst b = bytes[i] as number;\n\t\thex += HEX_CHARS[b >> 4] as string;\n\t\thex += HEX_CHARS[b & 0x0f] as string;\n\t}\n\treturn hex;\n}\n\n/** Decode a hex string into a Uint8Array. */\nexport function fromHex(hex: string): Uint8Array {\n\tif (hex.length % 2 !== 0) {\n\t\tthrow new Error(\"fromHex: hex string must have even length\");\n\t}\n\tconst bytes = new Uint8Array(hex.length / 2);\n\tfor (let i = 0; i < bytes.length; i++) {\n\t\tconst hi = parseInt(hex[i * 2] as string, 16);\n\t\tconst lo = parseInt(hex[i * 2 + 1] as string, 16);\n\t\tif (Number.isNaN(hi) || Number.isNaN(lo)) {\n\t\t\tthrow new Error(`fromHex: invalid hex character at position ${i * 2}`);\n\t\t}\n\t\tbytes[i] = (hi << 4) | lo;\n\t}\n\treturn bytes;\n}\n\n/** Encode a Uint8Array as a base64url string (no padding). */\nexport function toBase64Url(bytes: Uint8Array): string {\n\tlet binary = \"\";\n\tfor (let i = 0; i < bytes.length; i++) {\n\t\tbinary += String.fromCharCode(bytes[i] as number);\n\t}\n\treturn btoa(binary).replace(/\\+/g, \"-\").replace(/\\//g, \"_\").replace(/=+$/, \"\");\n}\n\n/** Decode a base64url string into a Uint8Array. 
*/\nexport function fromBase64Url(b64: string): Uint8Array {\n\t// Restore standard base64\n\tlet base64 = b64.replace(/-/g, \"+\").replace(/_/g, \"/\");\n\t// Add padding\n\twhile (base64.length % 4 !== 0) {\n\t\tbase64 += \"=\";\n\t}\n\tconst binary = atob(base64);\n\tconst bytes = new Uint8Array(binary.length);\n\tfor (let i = 0; i < binary.length; i++) {\n\t\tbytes[i] = binary.charCodeAt(i);\n\t}\n\treturn bytes;\n}\n\n// ---------------------------------------------------------------------------\n// Random generation\n// ---------------------------------------------------------------------------\n\n/** Generate a v4 UUID using the globally available crypto.randomUUID(). */\nexport function generateId(): string {\n\treturn globalThis.crypto.randomUUID();\n}\n\n/** Generate cryptographically secure random bytes as a Uint8Array. */\nexport function randomBytes(length: number): Uint8Array {\n\tconst bytes = new Uint8Array(length);\n\tglobalThis.crypto.getRandomValues(bytes);\n\treturn bytes;\n}\n\n/** Generate cryptographically secure random bytes as a hex string. 
*/\nexport function randomBytesHex(length: number): string {\n\treturn toHex(randomBytes(length));\n}\n\n// ---------------------------------------------------------------------------\n// Text encoding helper (internal)\n// ---------------------------------------------------------------------------\n\nconst TEXT_ENCODER = new TextEncoder();\n\nfunction toBytes(data: string | Uint8Array): ArrayBuffer {\n\tif (typeof data === \"string\") {\n\t\tconst encoded = TEXT_ENCODER.encode(data);\n\t\treturn (encoded.buffer as ArrayBuffer).slice(\n\t\t\tencoded.byteOffset,\n\t\t\tencoded.byteOffset + encoded.byteLength,\n\t\t);\n\t}\n\treturn (data.buffer as ArrayBuffer).slice(data.byteOffset, data.byteOffset + data.byteLength);\n}\n\n// ---------------------------------------------------------------------------\n// Hashing\n// ---------------------------------------------------------------------------\n\n/** SHA-256 hash, returns hex string. */\nexport async function sha256(data: string | Uint8Array): Promise<string> {\n\tconst digest = await globalThis.crypto.subtle.digest(\"SHA-256\", toBytes(data));\n\treturn toHex(new Uint8Array(digest));\n}\n\n/** SHA-256 hash, returns Uint8Array. */\nexport async function sha256Raw(data: string | Uint8Array): Promise<Uint8Array> {\n\tconst digest = await globalThis.crypto.subtle.digest(\"SHA-256\", toBytes(data));\n\treturn new Uint8Array(digest);\n}\n\n/** SHA-1 hash, returns hex string. Needed for HIBP k-anonymity. */\nexport async function sha1(data: string | Uint8Array): Promise<string> {\n\tconst digest = await globalThis.crypto.subtle.digest(\"SHA-1\", toBytes(data));\n\treturn toHex(new Uint8Array(digest));\n}\n\n// ---------------------------------------------------------------------------\n// HMAC\n// ---------------------------------------------------------------------------\n\n/** Import a secret key for HMAC operations. 
*/\nexport async function importHmacKey(\n\tkey: string | Uint8Array,\n\thash: \"SHA-256\" | \"SHA-1\" = \"SHA-256\",\n): Promise<CryptoKey> {\n\tconst keyData = typeof key === \"string\" ? TEXT_ENCODER.encode(key) : key;\n\treturn globalThis.crypto.subtle.importKey(\n\t\t\"raw\",\n\t\t(keyData.buffer as ArrayBuffer).slice(\n\t\t\tkeyData.byteOffset,\n\t\t\tkeyData.byteOffset + keyData.byteLength,\n\t\t),\n\t\t{ name: \"HMAC\", hash: { name: hash } },\n\t\tfalse,\n\t\t[\"sign\", \"verify\"],\n\t);\n}\n\n/** HMAC-SHA256 sign, returns hex string. */\nexport async function hmacSha256(\n\tkey: string | Uint8Array,\n\tdata: string | Uint8Array,\n): Promise<string> {\n\tconst cryptoKey = await importHmacKey(key, \"SHA-256\");\n\tconst signature = await globalThis.crypto.subtle.sign(\"HMAC\", cryptoKey, toBytes(data));\n\treturn toHex(new Uint8Array(signature));\n}\n\n/** HMAC-SHA256 sign, returns Uint8Array. */\nexport async function hmacSha256Raw(\n\tkey: string | Uint8Array,\n\tdata: string | Uint8Array,\n): Promise<Uint8Array> {\n\tconst cryptoKey = await importHmacKey(key, \"SHA-256\");\n\tconst signature = await globalThis.crypto.subtle.sign(\"HMAC\", cryptoKey, toBytes(data));\n\treturn new Uint8Array(signature);\n}\n\n/** HMAC-SHA1 sign, returns Uint8Array (needed for TOTP per RFC 6238). 
*/\nexport async function hmacSha1Raw(key: Uint8Array, data: Uint8Array): Promise<Uint8Array> {\n\tconst cryptoKey = await importHmacKey(key, \"SHA-1\");\n\tconst buf = (data.buffer as ArrayBuffer).slice(\n\t\tdata.byteOffset,\n\t\tdata.byteOffset + data.byteLength,\n\t);\n\tconst signature = await globalThis.crypto.subtle.sign(\"HMAC\", cryptoKey, buf);\n\treturn new Uint8Array(signature);\n}\n\n// ---------------------------------------------------------------------------\n// PBKDF2 password hashing\n// ---------------------------------------------------------------------------\n\nconst PBKDF2_ITERATIONS = 100_000; // CF Workers caps at 100K; OWASP recommends 600K for Node.js\nconst PBKDF2_KEY_LENGTH = 64; // bytes\nconst PBKDF2_SALT_LENGTH = 32; // bytes\n\n/**\n * Hash a password using PBKDF2-SHA256.\n *\n * Returns a string in the format: `pbkdf2:iterations:salt_hex:hash_hex`\n * which is safe to store in the database.\n */\nexport async function pbkdf2Hash(\n\tpassword: string,\n\tsalt?: Uint8Array,\n\titerations?: number,\n): Promise<string> {\n\tconst actualSalt = salt ?? randomBytes(PBKDF2_SALT_LENGTH);\n\tconst actualIterations = iterations ?? 
PBKDF2_ITERATIONS;\n\n\tconst keyMaterial = await globalThis.crypto.subtle.importKey(\n\t\t\"raw\",\n\t\tTEXT_ENCODER.encode(password),\n\t\t\"PBKDF2\",\n\t\tfalse,\n\t\t[\"deriveBits\"],\n\t);\n\n\tconst saltBuf = (actualSalt.buffer as ArrayBuffer).slice(\n\t\tactualSalt.byteOffset,\n\t\tactualSalt.byteOffset + actualSalt.byteLength,\n\t);\n\tconst derived = await globalThis.crypto.subtle.deriveBits(\n\t\t{\n\t\t\tname: \"PBKDF2\",\n\t\t\tsalt: saltBuf,\n\t\t\titerations: actualIterations,\n\t\t\thash: \"SHA-256\",\n\t\t},\n\t\tkeyMaterial,\n\t\tPBKDF2_KEY_LENGTH * 8,\n\t);\n\n\treturn `pbkdf2:${actualIterations}:${toHex(actualSalt)}:${toHex(new Uint8Array(derived))}`;\n}\n\n/**\n * Verify a password against a stored PBKDF2 hash.\n *\n * Supports the `pbkdf2:iterations:salt:hash` format produced by `pbkdf2Hash`.\n */\nexport async function pbkdf2Verify(password: string, stored: string): Promise<boolean> {\n\tconst parts = stored.split(\":\");\n\tif (parts.length !== 4 || parts[0] !== \"pbkdf2\") {\n\t\treturn false;\n\t}\n\n\tconst iterations = parseInt(parts[1] as string, 10);\n\tconst salt = fromHex(parts[2] as string);\n\tconst storedHash = fromHex(parts[3] as string);\n\n\tif (Number.isNaN(iterations)) return false;\n\n\tconst keyMaterial = await globalThis.crypto.subtle.importKey(\n\t\t\"raw\",\n\t\tTEXT_ENCODER.encode(password),\n\t\t\"PBKDF2\",\n\t\tfalse,\n\t\t[\"deriveBits\"],\n\t);\n\n\tconst saltBuf = (salt.buffer as ArrayBuffer).slice(\n\t\tsalt.byteOffset,\n\t\tsalt.byteOffset + salt.byteLength,\n\t);\n\tconst derived = await globalThis.crypto.subtle.deriveBits(\n\t\t{\n\t\t\tname: \"PBKDF2\",\n\t\t\tsalt: saltBuf,\n\t\t\titerations,\n\t\t\thash: \"SHA-256\",\n\t\t},\n\t\tkeyMaterial,\n\t\tstoredHash.length * 8,\n\t);\n\n\treturn constantTimeEqual(new Uint8Array(derived), storedHash);\n}\n\n// ---------------------------------------------------------------------------\n// Constant-time comparison\n// 
---------------------------------------------------------------------------\n\n/**\n * Constant-time comparison of two Uint8Arrays.\n * Returns false immediately if lengths differ (length is not secret).\n */\nexport function constantTimeEqual(a: Uint8Array, b: Uint8Array): boolean {\n\tif (a.byteLength !== b.byteLength) {\n\t\treturn false;\n\t}\n\tlet diff = 0;\n\tfor (let i = 0; i < a.byteLength; i++) {\n\t\tdiff |= (a[i] as number) ^ (b[i] as number);\n\t}\n\treturn diff === 0;\n}\n","/**\n * W3C Verifiable Credentials Data Model 2.0 types for KavachOS.\n *\n * Defines Zod-validated schemas for credentials, presentations,\n * proofs, and credential status. Agent-centric: the credential\n * subject carries agent identity, permissions, trust level, and\n * delegation scope.\n */\n\nimport { z } from \"zod\";\n\n// ─── W3C VC Constants ────────────────────────────────────────────────────────\n\nexport const VC_CONTEXT_V2 = \"https://www.w3.org/ns/credentials/v2\";\nexport const VC_CONTEXT_V1 = \"https://www.w3.org/2018/credentials/v1\";\nexport const VC_TYPE_CREDENTIAL = \"VerifiableCredential\";\nexport const VC_TYPE_PRESENTATION = \"VerifiablePresentation\";\n\n// KavachOS-specific credential types\nexport const KAVACH_AGENT_CREDENTIAL = \"KavachAgentCredential\";\nexport const KAVACH_PERMISSION_CREDENTIAL = \"KavachPermissionCredential\";\nexport const KAVACH_DELEGATION_CREDENTIAL = \"KavachDelegationCredential\";\n\n// ─── Proof Types ─────────────────────────────────────────────────────────────\n\nexport const ProofSchema = z.object({\n\ttype: z.enum([\"Ed25519Signature2020\", \"JsonWebSignature2020\"]),\n\tcreated: z.string(),\n\tverificationMethod: z.string(),\n\tproofPurpose: z.enum([\"assertionMethod\", \"authentication\"]),\n\tproofValue: z.string().optional(),\n\tjws: z.string().optional(),\n});\n\nexport type Proof = z.infer<typeof ProofSchema>;\n\n// ─── Credential Status ──────────────────────────────────────────────────────\n\nexport const 
CredentialStatusSchema = z.object({\n\tid: z.string(),\n\ttype: z.string(),\n\tstatusPurpose: z.enum([\"revocation\", \"suspension\"]),\n\tstatusListIndex: z.number().int().nonnegative(),\n\tstatusListCredential: z.string(),\n});\n\nexport type CredentialStatus = z.infer<typeof CredentialStatusSchema>;\n\n// ─── Credential Subject ─────────────────────────────────────────────────────\n\nexport const CredentialSubjectSchema = z.object({\n\tid: z.string().optional(),\n\tagentId: z.string().optional(),\n\tpermissions: z.array(z.string()).optional(),\n\ttrustLevel: z.number().min(0).max(1).optional(),\n\tdelegationScope: z.array(z.string()).optional(),\n\tdelegationChain: z\n\t\t.array(\n\t\t\tz.object({\n\t\t\t\tdelegator: z.string(),\n\t\t\t\tdelegatee: z.string(),\n\t\t\t\tpermissions: z.array(z.string()),\n\t\t\t\tcreatedAt: z.string(),\n\t\t\t}),\n\t\t)\n\t\t.optional(),\n\tname: z.string().optional(),\n\ttype: z.string().optional(),\n});\n\nexport type CredentialSubject = z.infer<typeof CredentialSubjectSchema>;\n\n// ─── Verifiable Credential ──────────────────────────────────────────────────\n\nexport const VerifiableCredentialSchema = z.object({\n\t\"@context\": z.array(z.string()).min(1),\n\tid: z.string().optional(),\n\ttype: z.array(z.string()).min(1),\n\tissuer: z.union([z.string(), z.object({ id: z.string(), name: z.string().optional() })]),\n\tissuanceDate: z.string(),\n\texpirationDate: z.string().optional(),\n\tcredentialSubject: CredentialSubjectSchema,\n\tcredentialStatus: CredentialStatusSchema.optional(),\n\tproof: ProofSchema.optional(),\n});\n\nexport type VerifiableCredential = z.infer<typeof VerifiableCredentialSchema>;\n\n// ─── Verifiable Presentation ────────────────────────────────────────────────\n\nexport const VerifiablePresentationSchema = z.object({\n\t\"@context\": z.array(z.string()).min(1),\n\tid: z.string().optional(),\n\ttype: z.array(z.string()).min(1),\n\tholder: z.string().optional(),\n\tverifiableCredential: 
z.array(VerifiableCredentialSchema).min(1),\n\tproof: ProofSchema.optional(),\n});\n\nexport type VerifiablePresentation = z.infer<typeof VerifiablePresentationSchema>;\n\n// ─── Issuer Config ──────────────────────────────────────────────────────────\n\nexport interface VCIssuerConfig {\n\t/** DID of the issuer (e.g. did:key:z6Mk...) */\n\tissuerDid: string;\n\t/** Private key JWK for signing credentials */\n\tprivateKeyJwk: JsonWebKey;\n\t/** Public key JWK for verification method references */\n\tpublicKeyJwk: JsonWebKey;\n\t/** Default credential lifetime in seconds. Default: 86400 (24 hours). */\n\tdefaultTtl?: number;\n\t/** Credential status endpoint base URL (for revocation). Optional. */\n\tstatusEndpoint?: string;\n}\n\n// ─── Verifier Config ────────────────────────────────────────────────────────\n\nexport interface VCVerifierConfig {\n\t/**\n\t * Resolve a DID to its public key JWK.\n\t * If not provided, only credentials with a known public key can be verified.\n\t */\n\tresolveDidKey?: (did: string) => Promise<JsonWebKey | null>;\n\t/**\n\t * Check credential revocation status.\n\t * If not provided, revocation checks are skipped.\n\t */\n\tcheckRevocationStatus?: (status: CredentialStatus) => Promise<boolean>;\n}\n\n// ─── JWT VC Types ───────────────────────────────────────────────────────────\n\n/** Claims embedded in a JWT-encoded Verifiable Credential */\nexport interface VCJwtPayload {\n\tiss: string;\n\tsub?: string;\n\tvc: Omit<VerifiableCredential, \"proof\">;\n\tiat: number;\n\texp?: number;\n\tjti?: string;\n}\n\n/** The format a credential was issued in */\nexport type CredentialFormat = \"jwt\" | \"json-ld\";\n\n/** Result of a successful credential verification */\nexport interface VerifiedCredential {\n\tcredential: VerifiableCredential;\n\tformat: CredentialFormat;\n\tissuer: string;\n\tissuedAt: Date;\n\texpiresAt: Date | null;\n}\n\n/** Result of a successful presentation verification */\nexport interface VerifiedPresentation 
{\n\tpresentation: VerifiablePresentation;\n\tcredentials: VerifiedCredential[];\n\tholder: string | null;\n}\n\n/** Extracted permissions from a verified credential */\nexport interface ExtractedPermissions {\n\tagentId: string | null;\n\tpermissions: string[];\n\ttrustLevel: number | null;\n\tdelegationScope: string[];\n}\n","/**\n * W3C Verifiable Credential issuance for KavachOS.\n *\n * Issues VCs as JWT (compact JWS) or JSON-LD with embedded proof.\n * Credentials encode agent identity, permissions, and delegation chains\n * so agents can prove their capabilities to any verifier without\n * a network call back to KavachOS.\n */\n\nimport { importJWK, SignJWT } from \"jose\";\nimport { generateId } from \"../crypto/web-crypto.js\";\nimport type { KavachError, Result } from \"../mcp/types.js\";\nimport type {\n\tCredentialFormat,\n\tCredentialSubject,\n\tProof,\n\tVCIssuerConfig,\n\tVerifiableCredential,\n} from \"./types.js\";\nimport {\n\tKAVACH_AGENT_CREDENTIAL,\n\tKAVACH_DELEGATION_CREDENTIAL,\n\tKAVACH_PERMISSION_CREDENTIAL,\n\tVC_CONTEXT_V2,\n\tVC_TYPE_CREDENTIAL,\n} from \"./types.js\";\n\n// ─── Constants ──────────────────────────────────────────────────────────────\n\nconst DEFAULT_TTL_SECONDS = 86400; // 24 hours\n\n// ─── Helpers ────────────────────────────────────────────────────────────────\n\nfunction makeError(code: string, message: string, details?: Record<string, unknown>): KavachError {\n\treturn { code, message, ...(details !== undefined ? { details } : {}) };\n}\n\nfunction nowISO(): string {\n\treturn new Date().toISOString();\n}\n\nfunction futureISO(seconds: number): string {\n\treturn new Date(Date.now() + seconds * 1000).toISOString();\n}\n\n// ─── Agent Credential Input ─────────────────────────────────────────────────\n\nexport interface IssueAgentCredentialInput {\n\t/** Agent ID (used as credentialSubject.id and sub claim) */\n\tagentId: string;\n\t/** Agent name */\n\tname?: string;\n\t/** Agent type (e.g. 
\"autonomous\", \"supervised\") */\n\tagentType?: string;\n\t/** Permissions granted to this agent */\n\tpermissions?: string[];\n\t/** Trust score between 0 and 1 */\n\ttrustLevel?: number;\n\t/** Credential lifetime in seconds. Overrides the issuer default. */\n\tttl?: number;\n\t/** Output format. Default: \"jwt\". */\n\tformat?: CredentialFormat;\n}\n\n// ─── Permission Credential Input ────────────────────────────────────────────\n\nexport interface IssuePermissionCredentialInput {\n\t/** Agent DID or ID that receives the permissions */\n\tagentId: string;\n\t/** Permissions being granted */\n\tpermissions: string[];\n\t/** Credential lifetime in seconds. Overrides the issuer default. */\n\tttl?: number;\n\t/** Output format. Default: \"jwt\". */\n\tformat?: CredentialFormat;\n}\n\n// ─── Delegation Credential Input ────────────────────────────────────────────\n\nexport interface DelegationLink {\n\tdelegator: string;\n\tdelegatee: string;\n\tpermissions: string[];\n\tcreatedAt: string;\n}\n\nexport interface IssueDelegationCredentialInput {\n\t/** The agent at the end of the delegation chain */\n\tagentId: string;\n\t/** Ordered delegation chain from root to leaf */\n\tchain: DelegationLink[];\n\t/** Scope of delegated permissions (subset of original) */\n\tdelegationScope?: string[];\n\t/** Credential lifetime in seconds. Overrides the issuer default. */\n\tttl?: number;\n\t/** Output format. Default: \"jwt\". 
*/\n\tformat?: CredentialFormat;\n}\n\n// ─── VC Issuer Interface ────────────────────────────────────────────────────\n\nexport interface VCIssuer {\n\t/** Issue a VC encoding agent identity, permissions, and trust score */\n\tissueAgentCredential(\n\t\tinput: IssueAgentCredentialInput,\n\t): Promise<Result<{ credential: VerifiableCredential; jwt?: string }>>;\n\t/** Issue a VC for specific permission grants */\n\tissuePermissionCredential(\n\t\tinput: IssuePermissionCredentialInput,\n\t): Promise<Result<{ credential: VerifiableCredential; jwt?: string }>>;\n\t/** Issue a VC encoding a delegation chain */\n\tissueDelegationCredential(\n\t\tinput: IssueDelegationCredentialInput,\n\t): Promise<Result<{ credential: VerifiableCredential; jwt?: string }>>;\n\t/** The DID of this issuer */\n\treadonly issuerDid: string;\n}\n\n// ─── Factory ────────────────────────────────────────────────────────────────\n\n/**\n * Create a VC issuer bound to a specific DID and keypair.\n *\n * The issuer can produce credentials in JWT or JSON-LD format.\n * JWT credentials are signed as a compact JWS with the VC embedded\n * in the `vc` claim. JSON-LD credentials carry an embedded proof.\n */\nexport function createVCIssuer(config: VCIssuerConfig): VCIssuer {\n\tconst { issuerDid, privateKeyJwk, defaultTtl = DEFAULT_TTL_SECONDS } = config;\n\n\tconst kid = `${issuerDid}#${issuerDid.split(\":\").pop() ?? 
\"key-1\"}`;\n\n\tasync function signAsJwt(\n\t\tcredential: VerifiableCredential,\n\t\tsubject: string | undefined,\n\t\tttl: number,\n\t): Promise<Result<{ credential: VerifiableCredential; jwt: string }>> {\n\t\ttry {\n\t\t\tconst key = await importJWK(privateKeyJwk, \"EdDSA\");\n\n\t\t\t// Strip proof from the VC when embedding in JWT — the JWT signature is the proof\n\t\t\tconst { proof: _proof, ...vcWithoutProof } = credential;\n\n\t\t\tconst builder = new SignJWT({\n\t\t\t\tvc: vcWithoutProof,\n\t\t\t})\n\t\t\t\t.setProtectedHeader({ alg: \"EdDSA\", kid, typ: \"JWT\" })\n\t\t\t\t.setIssuer(issuerDid)\n\t\t\t\t.setIssuedAt()\n\t\t\t\t.setExpirationTime(Math.floor(Date.now() / 1000) + ttl);\n\n\t\t\tif (credential.id) {\n\t\t\t\tbuilder.setJti(credential.id);\n\t\t\t}\n\t\t\tif (subject) {\n\t\t\t\tbuilder.setSubject(subject);\n\t\t\t}\n\n\t\t\tconst jwt = await builder.sign(key);\n\t\t\treturn { success: true, data: { credential, jwt } };\n\t\t} catch (err) {\n\t\t\treturn {\n\t\t\t\tsuccess: false,\n\t\t\t\terror: makeError(\n\t\t\t\t\t\"VC_SIGN_FAILED\",\n\t\t\t\t\terr instanceof Error ? 
err.message : \"Failed to sign credential as JWT\",\n\t\t\t\t),\n\t\t\t};\n\t\t}\n\t}\n\n\tasync function signAsJsonLd(\n\t\tcredential: VerifiableCredential,\n\t): Promise<Result<{ credential: VerifiableCredential }>> {\n\t\ttry {\n\t\t\tconst key = await importJWK(privateKeyJwk, \"EdDSA\");\n\n\t\t\t// Create a JWS over the credential without proof\n\t\t\tconst { proof: _proof, ...vcWithoutProof } = credential;\n\t\t\tconst payload = new TextEncoder().encode(JSON.stringify(vcWithoutProof));\n\n\t\t\tconst { CompactSign } = await import(\"jose\");\n\t\t\tconst jws = await new CompactSign(payload)\n\t\t\t\t.setProtectedHeader({ alg: \"EdDSA\", kid })\n\t\t\t\t.sign(key);\n\n\t\t\tconst proof: Proof = {\n\t\t\t\ttype: \"JsonWebSignature2020\",\n\t\t\t\tcreated: nowISO(),\n\t\t\t\tverificationMethod: kid,\n\t\t\t\tproofPurpose: \"assertionMethod\",\n\t\t\t\tjws,\n\t\t\t};\n\n\t\t\tconst signedCredential: VerifiableCredential = {\n\t\t\t\t...credential,\n\t\t\t\tproof,\n\t\t\t};\n\n\t\t\treturn { success: true, data: { credential: signedCredential } };\n\t\t} catch (err) {\n\t\t\treturn {\n\t\t\t\tsuccess: false,\n\t\t\t\terror: makeError(\n\t\t\t\t\t\"VC_SIGN_FAILED\",\n\t\t\t\t\terr instanceof Error ? err.message : \"Failed to sign credential as JSON-LD\",\n\t\t\t\t),\n\t\t\t};\n\t\t}\n\t}\n\n\tfunction buildCredential(\n\t\ttypes: string[],\n\t\tsubject: CredentialSubject,\n\t\tttl: number,\n\t\texpirationDate?: string,\n\t): VerifiableCredential {\n\t\treturn {\n\t\t\t\"@context\": [VC_CONTEXT_V2],\n\t\t\tid: `urn:uuid:${generateId()}`,\n\t\t\ttype: [VC_TYPE_CREDENTIAL, ...types],\n\t\t\tissuer: issuerDid,\n\t\t\tissuanceDate: nowISO(),\n\t\t\texpirationDate: expirationDate ?? 
futureISO(ttl),\n\t\t\tcredentialSubject: subject,\n\t\t};\n\t}\n\n\tasync function signCredential(\n\t\tcredential: VerifiableCredential,\n\t\tsubject: string | undefined,\n\t\tttl: number,\n\t\tformat: CredentialFormat,\n\t): Promise<Result<{ credential: VerifiableCredential; jwt?: string }>> {\n\t\tif (format === \"jwt\") {\n\t\t\treturn signAsJwt(credential, subject, ttl);\n\t\t}\n\t\treturn signAsJsonLd(credential);\n\t}\n\n\t// ── Public API ────────────────────────────────────────────────────────\n\n\tasync function issueAgentCredential(\n\t\tinput: IssueAgentCredentialInput,\n\t): Promise<Result<{ credential: VerifiableCredential; jwt?: string }>> {\n\t\tconst {\n\t\t\tagentId,\n\t\t\tname,\n\t\t\tagentType,\n\t\t\tpermissions,\n\t\t\ttrustLevel,\n\t\t\tttl = defaultTtl,\n\t\t\tformat = \"jwt\",\n\t\t} = input;\n\n\t\tif (!agentId) {\n\t\t\treturn {\n\t\t\t\tsuccess: false,\n\t\t\t\terror: makeError(\"VC_INVALID_INPUT\", \"agentId is required\"),\n\t\t\t};\n\t\t}\n\n\t\tif (trustLevel !== undefined && (trustLevel < 0 || trustLevel > 1)) {\n\t\t\treturn {\n\t\t\t\tsuccess: false,\n\t\t\t\terror: makeError(\"VC_INVALID_INPUT\", \"trustLevel must be between 0 and 1\"),\n\t\t\t};\n\t\t}\n\n\t\tconst subject: CredentialSubject = {\n\t\t\tid: agentId,\n\t\t\tagentId,\n\t\t\t...(name !== undefined ? { name } : {}),\n\t\t\t...(agentType !== undefined ? { type: agentType } : {}),\n\t\t\t...(permissions !== undefined ? { permissions } : {}),\n\t\t\t...(trustLevel !== undefined ? 
{ trustLevel } : {}),\n\t\t};\n\n\t\tconst credential = buildCredential([KAVACH_AGENT_CREDENTIAL], subject, ttl);\n\t\treturn signCredential(credential, agentId, ttl, format);\n\t}\n\n\tasync function issuePermissionCredential(\n\t\tinput: IssuePermissionCredentialInput,\n\t): Promise<Result<{ credential: VerifiableCredential; jwt?: string }>> {\n\t\tconst { agentId, permissions, ttl = defaultTtl, format = \"jwt\" } = input;\n\n\t\tif (!agentId) {\n\t\t\treturn {\n\t\t\t\tsuccess: false,\n\t\t\t\terror: makeError(\"VC_INVALID_INPUT\", \"agentId is required\"),\n\t\t\t};\n\t\t}\n\n\t\tif (!permissions || permissions.length === 0) {\n\t\t\treturn {\n\t\t\t\tsuccess: false,\n\t\t\t\terror: makeError(\"VC_INVALID_INPUT\", \"At least one permission is required\"),\n\t\t\t};\n\t\t}\n\n\t\tconst subject: CredentialSubject = {\n\t\t\tid: agentId,\n\t\t\tagentId,\n\t\t\tpermissions,\n\t\t};\n\n\t\tconst credential = buildCredential([KAVACH_PERMISSION_CREDENTIAL], subject, ttl);\n\t\treturn signCredential(credential, agentId, ttl, format);\n\t}\n\n\tasync function issueDelegationCredential(\n\t\tinput: IssueDelegationCredentialInput,\n\t): Promise<Result<{ credential: VerifiableCredential; jwt?: string }>> {\n\t\tconst { agentId, chain, delegationScope, ttl = defaultTtl, format = \"jwt\" } = input;\n\n\t\tif (!agentId) {\n\t\t\treturn {\n\t\t\t\tsuccess: false,\n\t\t\t\terror: makeError(\"VC_INVALID_INPUT\", \"agentId is required\"),\n\t\t\t};\n\t\t}\n\n\t\tif (!chain || chain.length === 0) {\n\t\t\treturn {\n\t\t\t\tsuccess: false,\n\t\t\t\terror: makeError(\"VC_INVALID_INPUT\", \"Delegation chain must have at least one link\"),\n\t\t\t};\n\t\t}\n\n\t\tconst subject: CredentialSubject = {\n\t\t\tid: agentId,\n\t\t\tagentId,\n\t\t\tdelegationChain: chain,\n\t\t\t...(delegationScope !== undefined ? 
{ delegationScope } : {}),\n\t\t};\n\n\t\tconst credential = buildCredential([KAVACH_DELEGATION_CREDENTIAL], subject, ttl);\n\t\treturn signCredential(credential, agentId, ttl, format);\n\t}\n\n\treturn {\n\t\tissueAgentCredential,\n\t\tissuePermissionCredential,\n\t\tissueDelegationCredential,\n\t\tissuerDid,\n\t};\n}\n","/**\n * W3C Verifiable Credential verification for KavachOS.\n *\n * Verifies credentials in both JWT and JSON-LD formats. Checks\n * signatures, expiry, and optional revocation status. Extracts\n * KavachOS-specific permissions from verified credentials.\n */\n\nimport { compactVerify, importJWK, errors as joseErrors, jwtVerify } from \"jose\";\nimport type { KavachError, Result } from \"../mcp/types.js\";\nimport type {\n\tCredentialFormat,\n\tExtractedPermissions,\n\tVCVerifierConfig,\n\tVerifiableCredential,\n\tVerifiablePresentation,\n\tVerifiedCredential,\n\tVerifiedPresentation,\n} from \"./types.js\";\nimport { VerifiableCredentialSchema, VerifiablePresentationSchema } from \"./types.js\";\n\n// ─── Helpers ────────────────────────────────────────────────────────────────\n\nfunction makeError(code: string, message: string, details?: Record<string, unknown>): KavachError {\n\treturn { code, message, ...(details !== undefined ? 
{ details } : {}) };\n}\n\nfunction getIssuerString(issuer: string | { id: string; name?: string }): string {\n\tif (typeof issuer === \"string\") return issuer;\n\treturn issuer.id;\n}\n\n// ─── VC Verifier Interface ──────────────────────────────────────────────────\n\nexport interface VCVerifier {\n\t/** Verify a single credential (JWT string or JSON-LD object) */\n\tverifyCredential(\n\t\tvc: string | VerifiableCredential,\n\t\tpublicKeyJwk?: JsonWebKey,\n\t): Promise<Result<VerifiedCredential>>;\n\t/** Verify a presentation containing multiple VCs */\n\tverifyPresentation(\n\t\tvp: string | VerifiablePresentation,\n\t\tpublicKeyJwk?: JsonWebKey,\n\t): Promise<Result<VerifiedPresentation>>;\n\t/** Extract KavachOS permissions from a verified credential */\n\textractPermissions(vc: VerifiableCredential): ExtractedPermissions;\n}\n\n// ─── Factory ────────────────────────────────────────────────────────────────\n\n/**\n * Create a VC verifier that checks signatures, expiry, and revocation.\n *\n * The verifier accepts both JWT-encoded and JSON-LD credentials.\n * For JWT credentials, pass the compact JWS string. 
For JSON-LD\n * credentials with embedded proof, pass the credential object.\n */\nexport function createVCVerifier(config: VCVerifierConfig = {}): VCVerifier {\n\tconst { resolveDidKey, checkRevocationStatus } = config;\n\n\tasync function resolveKey(did: string, providedKey?: JsonWebKey): Promise<Result<JsonWebKey>> {\n\t\tif (providedKey) {\n\t\t\treturn { success: true, data: providedKey };\n\t\t}\n\n\t\tif (resolveDidKey) {\n\t\t\tconst resolved = await resolveDidKey(did);\n\t\t\tif (resolved) {\n\t\t\t\treturn { success: true, data: resolved };\n\t\t\t}\n\t\t}\n\n\t\treturn {\n\t\t\tsuccess: false,\n\t\t\terror: makeError(\"VC_KEY_NOT_FOUND\", `Could not resolve public key for DID: ${did}`),\n\t\t};\n\t}\n\n\tasync function verifyJwtCredential(\n\t\tjwt: string,\n\t\tprovidedKey?: JsonWebKey,\n\t): Promise<Result<VerifiedCredential>> {\n\t\ttry {\n\t\t\t// Decode the header to get the kid, then resolve the key\n\t\t\tconst parts = jwt.split(\".\");\n\t\t\tif (parts.length !== 3) {\n\t\t\t\treturn {\n\t\t\t\t\tsuccess: false,\n\t\t\t\t\terror: makeError(\"VC_INVALID_JWT\", \"JWT must have three parts\"),\n\t\t\t\t};\n\t\t\t}\n\n\t\t\t// First pass: decode without verification to extract issuer\n\t\t\tconst payloadB64 = parts[1];\n\t\t\tif (!payloadB64) {\n\t\t\t\treturn {\n\t\t\t\t\tsuccess: false,\n\t\t\t\t\terror: makeError(\"VC_INVALID_JWT\", \"JWT payload is missing\"),\n\t\t\t\t};\n\t\t\t}\n\t\t\tconst rawPayload = JSON.parse(\n\t\t\t\tnew TextDecoder().decode(\n\t\t\t\t\tUint8Array.from(atob(payloadB64.replace(/-/g, \"+\").replace(/_/g, \"/\")), (c) =>\n\t\t\t\t\t\tc.charCodeAt(0),\n\t\t\t\t\t),\n\t\t\t\t),\n\t\t\t) as Record<string, unknown>;\n\n\t\t\tconst issuerDid = typeof rawPayload.iss === \"string\" ? 
rawPayload.iss : null;\n\t\t\tif (!issuerDid) {\n\t\t\t\treturn {\n\t\t\t\t\tsuccess: false,\n\t\t\t\t\terror: makeError(\"VC_NO_ISSUER\", \"JWT has no iss claim\"),\n\t\t\t\t};\n\t\t\t}\n\n\t\t\t// Resolve key\n\t\t\tconst keyResult = await resolveKey(issuerDid, providedKey);\n\t\t\tif (!keyResult.success) return keyResult;\n\n\t\t\tconst publicKey = await importJWK(keyResult.data, \"EdDSA\");\n\t\t\tconst { payload } = await jwtVerify(jwt, publicKey);\n\n\t\t\tconst vcClaim = payload.vc as Record<string, unknown> | undefined;\n\t\t\tif (!vcClaim) {\n\t\t\t\treturn {\n\t\t\t\t\tsuccess: false,\n\t\t\t\t\terror: makeError(\"VC_MISSING_VC_CLAIM\", \"JWT does not contain a vc claim\"),\n\t\t\t\t};\n\t\t\t}\n\n\t\t\t// Reconstruct the full credential from the JWT claims\n\t\t\tconst credential: VerifiableCredential = {\n\t\t\t\t...(vcClaim as unknown as VerifiableCredential),\n\t\t\t\tissuer: issuerDid,\n\t\t\t};\n\n\t\t\t// Validate against schema\n\t\t\tconst parsed = VerifiableCredentialSchema.safeParse(credential);\n\t\t\tif (!parsed.success) {\n\t\t\t\treturn {\n\t\t\t\t\tsuccess: false,\n\t\t\t\t\terror: makeError(\"VC_INVALID_CREDENTIAL\", \"Credential does not match W3C schema\", {\n\t\t\t\t\t\tissues: parsed.error.issues.map((i) => `${i.path.join(\".\")}: ${i.message}`),\n\t\t\t\t\t}),\n\t\t\t\t};\n\t\t\t}\n\n\t\t\t// Check expiry\n\t\t\tif (payload.exp && payload.exp < Math.floor(Date.now() / 1000)) {\n\t\t\t\treturn {\n\t\t\t\t\tsuccess: false,\n\t\t\t\t\terror: makeError(\"VC_EXPIRED\", \"Credential has expired\"),\n\t\t\t\t};\n\t\t\t}\n\n\t\t\t// Check revocation\n\t\t\tif (parsed.data.credentialStatus && checkRevocationStatus) {\n\t\t\t\tconst revoked = await checkRevocationStatus(parsed.data.credentialStatus);\n\t\t\t\tif (revoked) {\n\t\t\t\t\treturn {\n\t\t\t\t\t\tsuccess: false,\n\t\t\t\t\t\terror: makeError(\"VC_REVOKED\", \"Credential has been revoked\"),\n\t\t\t\t\t};\n\t\t\t\t}\n\t\t\t}\n\n\t\t\treturn {\n\t\t\t\tsuccess: true,\n\t\t\t\tdata: 
{\n\t\t\t\t\tcredential: parsed.data,\n\t\t\t\t\tformat: \"jwt\" as CredentialFormat,\n\t\t\t\t\tissuer: issuerDid,\n\t\t\t\t\tissuedAt: new Date((payload.iat ?? 0) * 1000),\n\t\t\t\t\texpiresAt: payload.exp ? new Date(payload.exp * 1000) : null,\n\t\t\t\t},\n\t\t\t};\n\t\t} catch (err) {\n\t\t\t// Distinguish between expiry and other errors\n\t\t\tif (err instanceof joseErrors.JWTExpired) {\n\t\t\t\treturn {\n\t\t\t\t\tsuccess: false,\n\t\t\t\t\terror: makeError(\"VC_EXPIRED\", \"Credential has expired\"),\n\t\t\t\t};\n\t\t\t}\n\t\t\treturn {\n\t\t\t\tsuccess: false,\n\t\t\t\terror: makeError(\n\t\t\t\t\t\"VC_VERIFY_FAILED\",\n\t\t\t\t\terr instanceof Error ? err.message : \"Failed to verify JWT credential\",\n\t\t\t\t),\n\t\t\t};\n\t\t}\n\t}\n\n\tasync function verifyJsonLdCredential(\n\t\tvc: VerifiableCredential,\n\t\tprovidedKey?: JsonWebKey,\n\t): Promise<Result<VerifiedCredential>> {\n\t\t// Validate schema\n\t\tconst parsed = VerifiableCredentialSchema.safeParse(vc);\n\t\tif (!parsed.success) {\n\t\t\treturn {\n\t\t\t\tsuccess: false,\n\t\t\t\terror: makeError(\"VC_INVALID_CREDENTIAL\", \"Credential does not match W3C schema\", {\n\t\t\t\t\tissues: parsed.error.issues.map((i) => `${i.path.join(\".\")}: ${i.message}`),\n\t\t\t\t}),\n\t\t\t};\n\t\t}\n\n\t\tconst credential = parsed.data;\n\n\t\tif (!credential.proof) {\n\t\t\treturn {\n\t\t\t\tsuccess: false,\n\t\t\t\terror: makeError(\"VC_NO_PROOF\", \"JSON-LD credential has no embedded proof\"),\n\t\t\t};\n\t\t}\n\n\t\tif (!credential.proof.jws) {\n\t\t\treturn {\n\t\t\t\tsuccess: false,\n\t\t\t\terror: makeError(\"VC_NO_JWS\", \"Proof does not contain a JWS value\"),\n\t\t\t};\n\t\t}\n\n\t\tconst issuerDid = getIssuerString(credential.issuer);\n\n\t\t// Resolve key\n\t\tconst keyResult = await resolveKey(issuerDid, providedKey);\n\t\tif (!keyResult.success) return keyResult;\n\n\t\ttry {\n\t\t\tconst publicKey = await importJWK(keyResult.data, \"EdDSA\");\n\n\t\t\t// Verify the JWS\n\t\t\tconst { payload } 
= await compactVerify(credential.proof.jws, publicKey);\n\n\t\t\t// Compare signed content against current credential (minus proof)\n\t\t\tconst { proof: _proof, ...vcWithoutProof } = credential;\n\t\t\tconst signedContent = new TextDecoder().decode(payload);\n\t\t\tconst currentContent = JSON.stringify(vcWithoutProof);\n\n\t\t\tif (signedContent !== currentContent) {\n\t\t\t\treturn {\n\t\t\t\t\tsuccess: false,\n\t\t\t\t\terror: makeError(\"VC_TAMPERED\", \"Credential content does not match the signed payload\"),\n\t\t\t\t};\n\t\t\t}\n\n\t\t\t// Check expiry\n\t\t\tif (credential.expirationDate) {\n\t\t\t\tconst expiry = new Date(credential.expirationDate);\n\t\t\t\tif (expiry <= new Date()) {\n\t\t\t\t\treturn {\n\t\t\t\t\t\tsuccess: false,\n\t\t\t\t\t\terror: makeError(\"VC_EXPIRED\", \"Credential has expired\"),\n\t\t\t\t\t};\n\t\t\t\t}\n\t\t\t}\n\n\t\t\t// Check revocation\n\t\t\tif (credential.credentialStatus && checkRevocationStatus) {\n\t\t\t\tconst revoked = await checkRevocationStatus(credential.credentialStatus);\n\t\t\t\tif (revoked) {\n\t\t\t\t\treturn {\n\t\t\t\t\t\tsuccess: false,\n\t\t\t\t\t\terror: makeError(\"VC_REVOKED\", \"Credential has been revoked\"),\n\t\t\t\t\t};\n\t\t\t\t}\n\t\t\t}\n\n\t\t\treturn {\n\t\t\t\tsuccess: true,\n\t\t\t\tdata: {\n\t\t\t\t\tcredential,\n\t\t\t\t\tformat: \"json-ld\" as CredentialFormat,\n\t\t\t\t\tissuer: issuerDid,\n\t\t\t\t\tissuedAt: new Date(credential.issuanceDate),\n\t\t\t\t\texpiresAt: credential.expirationDate ? new Date(credential.expirationDate) : null,\n\t\t\t\t},\n\t\t\t};\n\t\t} catch (err) {\n\t\t\treturn {\n\t\t\t\tsuccess: false,\n\t\t\t\terror: makeError(\n\t\t\t\t\t\"VC_VERIFY_FAILED\",\n\t\t\t\t\terr instanceof Error ? 
err.message : \"Failed to verify JSON-LD credential\",\n\t\t\t\t),\n\t\t\t};\n\t\t}\n\t}\n\n\t// ── Public API ────────────────────────────────────────────────────────\n\n\tasync function verifyCredential(\n\t\tvc: string | VerifiableCredential,\n\t\tpublicKeyJwk?: JsonWebKey,\n\t): Promise<Result<VerifiedCredential>> {\n\t\tif (typeof vc === \"string\") {\n\t\t\treturn verifyJwtCredential(vc, publicKeyJwk);\n\t\t}\n\t\treturn verifyJsonLdCredential(vc, publicKeyJwk);\n\t}\n\n\tasync function verifyPresentation(\n\t\tvp: string | VerifiablePresentation,\n\t\tpublicKeyJwk?: JsonWebKey,\n\t): Promise<Result<VerifiedPresentation>> {\n\t\tlet presentation: VerifiablePresentation;\n\n\t\tif (typeof vp === \"string\") {\n\t\t\t// JWT-encoded presentation\n\t\t\ttry {\n\t\t\t\tconst parts = vp.split(\".\");\n\t\t\t\tif (parts.length !== 3 || !parts[1]) {\n\t\t\t\t\treturn {\n\t\t\t\t\t\tsuccess: false,\n\t\t\t\t\t\terror: makeError(\"VC_INVALID_JWT\", \"Presentation JWT must have three parts\"),\n\t\t\t\t\t};\n\t\t\t\t}\n\n\t\t\t\tconst payloadB64 = parts[1];\n\t\t\t\tconst rawPayload = JSON.parse(\n\t\t\t\t\tnew TextDecoder().decode(\n\t\t\t\t\t\tUint8Array.from(atob(payloadB64.replace(/-/g, \"+\").replace(/_/g, \"/\")), (c) =>\n\t\t\t\t\t\t\tc.charCodeAt(0),\n\t\t\t\t\t\t),\n\t\t\t\t\t),\n\t\t\t\t) as Record<string, unknown>;\n\n\t\t\t\tconst issuerDid = typeof rawPayload.iss === \"string\" ? 
rawPayload.iss : null;\n\t\t\t\tif (!issuerDid) {\n\t\t\t\t\treturn {\n\t\t\t\t\t\tsuccess: false,\n\t\t\t\t\t\terror: makeError(\"VC_NO_ISSUER\", \"Presentation JWT has no iss claim\"),\n\t\t\t\t\t};\n\t\t\t\t}\n\n\t\t\t\tconst keyResult = await resolveKey(issuerDid, publicKeyJwk);\n\t\t\t\tif (!keyResult.success) return keyResult;\n\n\t\t\t\tconst publicKey = await importJWK(keyResult.data, \"EdDSA\");\n\t\t\t\tconst { payload } = await jwtVerify(vp, publicKey);\n\n\t\t\t\tconst vpClaim = payload.vp as Record<string, unknown> | undefined;\n\t\t\t\tif (!vpClaim) {\n\t\t\t\t\treturn {\n\t\t\t\t\t\tsuccess: false,\n\t\t\t\t\t\terror: makeError(\"VC_MISSING_VP_CLAIM\", \"JWT does not contain a vp claim\"),\n\t\t\t\t\t};\n\t\t\t\t}\n\n\t\t\t\tpresentation = vpClaim as unknown as VerifiablePresentation;\n\t\t\t} catch (err) {\n\t\t\t\treturn {\n\t\t\t\t\tsuccess: false,\n\t\t\t\t\terror: makeError(\n\t\t\t\t\t\t\"VC_VERIFY_FAILED\",\n\t\t\t\t\t\terr instanceof Error ? err.message : \"Failed to verify presentation JWT\",\n\t\t\t\t\t),\n\t\t\t\t};\n\t\t\t}\n\t\t} else {\n\t\t\tpresentation = vp;\n\t\t}\n\n\t\t// Validate schema\n\t\tconst parsed = VerifiablePresentationSchema.safeParse(presentation);\n\t\tif (!parsed.success) {\n\t\t\treturn {\n\t\t\t\tsuccess: false,\n\t\t\t\terror: makeError(\"VC_INVALID_PRESENTATION\", \"Presentation does not match W3C schema\", {\n\t\t\t\t\tissues: parsed.error.issues.map((i) => `${i.path.join(\".\")}: ${i.message}`),\n\t\t\t\t}),\n\t\t\t};\n\t\t}\n\n\t\t// Verify each credential in the presentation\n\t\tconst verifiedCredentials: VerifiedCredential[] = [];\n\t\tfor (const vc of parsed.data.verifiableCredential) {\n\t\t\tconst result = await verifyCredential(vc, publicKeyJwk);\n\t\t\tif (!result.success) {\n\t\t\t\treturn {\n\t\t\t\t\tsuccess: false,\n\t\t\t\t\terror: makeError(\n\t\t\t\t\t\t\"VC_PRESENTATION_CREDENTIAL_INVALID\",\n\t\t\t\t\t\t`Failed to verify credential in presentation: ${result.error.message}`,\n\t\t\t\t\t\t{ 
originalError: result.error },\n\t\t\t\t\t),\n\t\t\t\t};\n\t\t\t}\n\t\t\tverifiedCredentials.push(result.data);\n\t\t}\n\n\t\treturn {\n\t\t\tsuccess: true,\n\t\t\tdata: {\n\t\t\t\tpresentation: parsed.data,\n\t\t\t\tcredentials: verifiedCredentials,\n\t\t\t\tholder: parsed.data.holder ?? null,\n\t\t\t},\n\t\t};\n\t}\n\n\tfunction extractPermissions(vc: VerifiableCredential): ExtractedPermissions {\n\t\tconst subject = vc.credentialSubject;\n\t\treturn {\n\t\t\tagentId: subject.agentId ?? subject.id ?? null,\n\t\t\tpermissions: subject.permissions ?? [],\n\t\t\ttrustLevel: subject.trustLevel ?? null,\n\t\t\tdelegationScope: subject.delegationScope ?? [],\n\t\t};\n\t}\n\n\treturn {\n\t\tverifyCredential,\n\t\tverifyPresentation,\n\t\textractPermissions,\n\t};\n}\n"]}
1
+ {"version":3,"sources":["../../src/crypto/web-crypto.ts","../../src/vc/types.ts","../../src/vc/audit-export.ts","../../src/vc/issuer.ts","../../src/vc/verifier.ts"],"names":["DEFAULT_TTL_SECONDS","signAsJwt","importJWK","SignJWT","signAsJsonLd","CompactSign","makeError","joseErrors"],"mappings":";;;;;;AAwEO,SAAS,UAAA,GAAqB;AACpC,EAAA,OAAO,UAAA,CAAW,OAAO,UAAA,EAAW;AACrC;AAkBqB,IAAI,WAAA;AC/ElB,IAAM,aAAA,GAAgB;AACtB,IAAM,aAAA,GAAgB;AACtB,IAAM,kBAAA,GAAqB;AAC3B,IAAM,oBAAA,GAAuB;AAG7B,IAAM,uBAAA,GAA0B;AAChC,IAAM,4BAAA,GAA+B;AACrC,IAAM,4BAAA,GAA+B;AAIrC,IAAM,WAAA,GAAc,EAAE,MAAA,CAAO;AAAA,EACnC,MAAM,CAAA,CAAE,IAAA,CAAK,CAAC,sBAAA,EAAwB,sBAAsB,CAAC,CAAA;AAAA,EAC7D,OAAA,EAAS,EAAE,MAAA,EAAO;AAAA,EAClB,kBAAA,EAAoB,EAAE,MAAA,EAAO;AAAA,EAC7B,cAAc,CAAA,CAAE,IAAA,CAAK,CAAC,iBAAA,EAAmB,gBAAgB,CAAC,CAAA;AAAA,EAC1D,UAAA,EAAY,CAAA,CAAE,MAAA,EAAO,CAAE,QAAA,EAAS;AAAA,EAChC,GAAA,EAAK,CAAA,CAAE,MAAA,EAAO,CAAE,QAAA;AACjB,CAAC;AAMM,IAAM,sBAAA,GAAyB,EAAE,MAAA,CAAO;AAAA,EAC9C,EAAA,EAAI,EAAE,MAAA,EAAO;AAAA,EACb,IAAA,EAAM,EAAE,MAAA,EAAO;AAAA,EACf,eAAe,CAAA,CAAE,IAAA,CAAK,CAAC,YAAA,EAAc,YAAY,CAAC,CAAA;AAAA,EAClD,iBAAiB,CAAA,CAAE,MAAA,EAAO,CAAE,GAAA,GAAM,WAAA,EAAY;AAAA,EAC9C,oBAAA,EAAsB,EAAE,MAAA;AACzB,CAAC;AAMM,IAAM,uBAAA,GAA0B,EACrC,MAAA,CAAO;AAAA,EACP,EAAA,EAAI,CAAA,CAAE,MAAA,EAAO,CAAE,QAAA,EAAS;AAAA,EACxB,OAAA,EAAS,CAAA,CAAE,MAAA,EAAO,CAAE,QAAA,EAAS;AAAA,EAC7B,aAAa,CAAA,CAAE,KAAA,CAAM,EAAE,MAAA,EAAQ,EAAE,QAAA,EAAS;AAAA,EAC1C,UAAA,EAAY,CAAA,CAAE,MAAA,EAAO,CAAE,GAAA,CAAI,CAAC,CAAA,CAAE,GAAA,CAAI,CAAC,CAAA,CAAE,QAAA,EAAS;AAAA,EAC9C,iBAAiB,CAAA,CAAE,KAAA,CAAM,EAAE,MAAA,EAAQ,EAAE,QAAA,EAAS;AAAA,EAC9C,iBAAiB,CAAA,CACf,KAAA;AAAA,IACA,EAAE,MAAA,CAAO;AAAA,MACR,SAAA,EAAW,EAAE,MAAA,EAAO;AAAA,MACpB,SAAA,EAAW,EAAE,MAAA,EAAO;AAAA,MACpB,WAAA,EAAa,CAAA,CAAE,KAAA,CAAM,CAAA,CAAE,QAAQ,CAAA;AAAA,MAC/B,SAAA,EAAW,EAAE,MAAA;AAAO,KACpB;AAAA,IAED,QAAA,EAAS;AAAA,EACX,IAAA,EAAM,CAAA,CAAE,MAAA,EAAO,CAAE,QAAA,EAAS;AAAA,EAC1B,IAAA,EAAM,CAAA,CAAE,MAAA,EAAO,CAAE,QAAA;AAClB,CAAC,EAGA,WAAA;AAMK,IAAM,0BAAA,GAA6B,EAAE,MAAA,C
AAO;AAAA,EAClD,UAAA,EAAY,EAAE,KAAA,CAAM,CAAA,CAAE,QAAQ,CAAA,CAAE,IAAI,CAAC,CAAA;AAAA,EACrC,EAAA,EAAI,CAAA,CAAE,MAAA,EAAO,CAAE,QAAA,EAAS;AAAA,EACxB,IAAA,EAAM,EAAE,KAAA,CAAM,CAAA,CAAE,QAAQ,CAAA,CAAE,IAAI,CAAC,CAAA;AAAA,EAC/B,MAAA,EAAQ,EAAE,KAAA,CAAM,CAAC,EAAE,MAAA,EAAO,EAAG,CAAA,CAAE,MAAA,CAAO,EAAE,EAAA,EAAI,EAAE,MAAA,EAAO,EAAG,MAAM,CAAA,CAAE,MAAA,GAAS,QAAA,EAAS,EAAG,CAAC,CAAC,CAAA;AAAA,EACvF,YAAA,EAAc,EAAE,MAAA,EAAO;AAAA,EACvB,cAAA,EAAgB,CAAA,CAAE,MAAA,EAAO,CAAE,QAAA,EAAS;AAAA,EACpC,iBAAA,EAAmB,uBAAA;AAAA,EACnB,gBAAA,EAAkB,uBAAuB,QAAA,EAAS;AAAA,EAClD,KAAA,EAAO,YAAY,QAAA;AACpB,CAAC;AAMM,IAAM,4BAAA,GAA+B,EAAE,MAAA,CAAO;AAAA,EACpD,UAAA,EAAY,EAAE,KAAA,CAAM,CAAA,CAAE,QAAQ,CAAA,CAAE,IAAI,CAAC,CAAA;AAAA,EACrC,EAAA,EAAI,CAAA,CAAE,MAAA,EAAO,CAAE,QAAA,EAAS;AAAA,EACxB,IAAA,EAAM,EAAE,KAAA,CAAM,CAAA,CAAE,QAAQ,CAAA,CAAE,IAAI,CAAC,CAAA;AAAA,EAC/B,MAAA,EAAQ,CAAA,CAAE,MAAA,EAAO,CAAE,QAAA,EAAS;AAAA,EAC5B,sBAAsB,CAAA,CAAE,KAAA,CAAM,0BAA0B,CAAA,CAAE,IAAI,CAAC,CAAA;AAAA,EAC/D,KAAA,EAAO,YAAY,QAAA;AACpB,CAAC;;;AC1EM,IAAM,yBAAA,GAA4B;AAMlC,IAAM,sBAAA,GAAyB;AAEtC,IAAM,gBAAA,GAAmB,OAAA;AACzB,IAAM,mBAAA,GAAsB,KAAA;AAoE5B,SAAS,WAAW,MAAA,EAAsE;AACzF,EAAA,IAAI,MAAA,KAAW,WAAW,OAAO,OAAA;AAEjC,EAAA,OAAO,MAAA;AACR;AAIA,SAAS,oBAAA,CAAqB,QAAqB,SAAA,EAAyC;AAC3F,EAAA,MAAM,OAAA,GAAkC;AAAA,IACvC,IAAI,MAAA,CAAO,EAAA;AAAA,IACX,SAAS,MAAA,CAAO,OAAA;AAAA,IAChB,GAAI,OAAO,MAAA,GAAS,EAAE,aAAa,MAAA,CAAO,MAAA,KAAW,EAAC;AAAA,IACtD,WAAW,MAAA,CAAO,MAAA;AAAA,IAClB,QAAQ,MAAA,CAAO,QAAA;AAAA,IACf,QAAA,EAAU,UAAA,CAAW,MAAA,CAAO,MAAM,CAAA;AAAA,IAClC,GAAI,OAAO,MAAA,GAAS,EAAE,YAAY,MAAA,CAAO,MAAA,KAAW,EAAC;AAAA,IACrD,SAAA,EAAW,MAAA,CAAO,SAAA,CAAU,WAAA,EAAY;AAAA,IACxC,eAAA,EAAiB;AAAA,GAClB;AAEA,EAAA,OAAO;AAAA,IACN,UAAA,EAAY,CAAC,aAAA,EAAe,sBAAsB,CAAA;AAAA,IAClD,EAAA,EAAI,CAAA,SAAA,EAAY,UAAA,EAAY,CAAA,CAAA;AAAA,IAC5B,IAAA,EAAM,CAAC,kBAAA,EAAoB,yBAAyB,CAAA;AAAA,IACpD,MAAA,EAAQ,SAAA;AAAA,IACR,YAAA,EAAA,iBAAc,IAAI,IAAA,EAAK,EAAE,WAAA,EAAY;AAAA,IACrC,cAAA,EAAgB,IAAI,IAAA,CAAK,IAAA,CAAK,KAAI,GAAI,mBAAA,GAAsB,GAAI,CAAA,CAAE,WAAA,EAAY;AA
AA;AAAA;AAAA;AAAA,IAI9E,iBAAA,EAAmB;AAAA,GACpB;AACD;AAIA,eAAe,YAAA,CACd,YACA,MAAA,EACgC;AAChC,EAAA,MAAM,EAAE,SAAA,EAAW,aAAA,EAAc,GAAI,MAAA;AACrC,EAAA,MAAM,GAAA,GAAM,CAAA,EAAG,SAAS,CAAA,CAAA,EAAI,SAAA,CAAU,MAAM,GAAG,CAAA,CAAE,GAAA,EAAI,IAAK,OAAO,CAAA,CAAA;AACjE,EAAA,MAAM,GAAA,GAAM,MAAM,SAAA,CAAU,aAAA,EAAe,OAAO,CAAA;AAGlD,EAAA,MAAM,EAAE,KAAA,EAAO,MAAA,EAAQ,GAAG,gBAAe,GAAI,UAAA;AAC7C,EAAA,MAAM,OAAA,GAAU,IAAI,WAAA,EAAY,CAAE,OAAO,IAAA,CAAK,SAAA,CAAU,cAAc,CAAC,CAAA;AAEvE,EAAA,MAAM,GAAA,GAAM,MAAM,IAAI,WAAA,CAAY,OAAO,CAAA,CAAE,kBAAA,CAAmB,EAAE,GAAA,EAAK,OAAA,EAAS,GAAA,EAAK,CAAA,CAAE,KAAK,GAAG,CAAA;AAE7F,EAAA,MAAM,KAAA,GAAe;AAAA,IACpB,IAAA,EAAM,sBAAA;AAAA,IACN,OAAA,EAAA,iBAAS,IAAI,IAAA,EAAK,EAAE,WAAA,EAAY;AAAA,IAChC,kBAAA,EAAoB,GAAA;AAAA,IACpB,YAAA,EAAc,iBAAA;AAAA,IACd;AAAA,GACD;AAEA,EAAA,OAAO,EAAE,GAAG,UAAA,EAAY,KAAA,EAAM;AAC/B;AAEA,eAAe,SAAA,CACd,YACA,MAAA,EAC6D;AAC7D,EAAA,MAAM,EAAE,SAAA,EAAW,aAAA,EAAc,GAAI,MAAA;AACrC,EAAA,MAAM,GAAA,GAAM,OAAO,UAAA,IAAc,mBAAA;AACjC,EAAA,MAAM,GAAA,GAAM,CAAA,EAAG,SAAS,CAAA,CAAA,EAAI,SAAA,CAAU,MAAM,GAAG,CAAA,CAAE,GAAA,EAAI,IAAK,OAAO,CAAA,CAAA;AACjE,EAAA,MAAM,GAAA,GAAM,MAAM,SAAA,CAAU,aAAA,EAAe,OAAO,CAAA;AAElD,EAAA,MAAM,EAAE,KAAA,EAAO,MAAA,EAAQ,GAAG,gBAAe,GAAI,UAAA;AAE7C,EAAA,MAAM,OAAA,GAAU,IAAI,OAAA,CAAQ,EAAE,EAAA,EAAI,cAAA,EAAgB,CAAA,CAChD,kBAAA,CAAmB,EAAE,GAAA,EAAK,OAAA,EAAS,KAAK,GAAA,EAAK,KAAA,EAAO,CAAA,CACpD,SAAA,CAAU,SAAS,CAAA,CACnB,WAAA,EAAY,CACZ,iBAAA,CAAkB,IAAA,CAAK,KAAA,CAAM,IAAA,CAAK,GAAA,EAAI,GAAI,GAAI,IAAI,GAAG,CAAA;AAEvD,EAAA,IAAI,UAAA,CAAW,EAAA,EAAI,OAAA,CAAQ,MAAA,CAAO,WAAW,EAAE,CAAA;AAC/C,EAAA,IAAI,WAAW,iBAAA,CAAkB,EAAA,UAAY,UAAA,CAAW,UAAA,CAAW,kBAAkB,EAAE,CAAA;AAEvF,EAAA,MAAM,GAAA,GAAM,MAAM,OAAA,CAAQ,IAAA,CAAK,GAAG,CAAA;AAClC,EAAA,OAAO,EAAE,YAAY,GAAA,EAAI;AAC1B;AAEA,eAAe,wBAAA,CACd,cACA,MAAA,EACkC;AAClC,EAAA,MAAM,EAAE,SAAA,EAAW,aAAA,EAAc,GAAI,MAAA;AACrC,EAAA,MAAM,GAAA,GAAM,CAAA,EAAG,SAAS,CAAA,CAAA,EAAI,SAAA,CAAU,MAAM,GAAG,CAAA,CAAE,GAAA,EAAI,IAAK,OAAO,CAAA,CAAA;AACjE,EAAA,MAAM,GAAA,GAAM,MAAM,SAAA,CAAU,aAAA,EAAe,OAAO,CAAA;AAElD,E
AAA,MAAM,EAAE,KAAA,EAAO,MAAA,EAAQ,GAAG,gBAAe,GAAI,YAAA;AAC7C,EAAA,MAAM,OAAA,GAAU,IAAI,WAAA,EAAY,CAAE,OAAO,IAAA,CAAK,SAAA,CAAU,cAAc,CAAC,CAAA;AAEvE,EAAA,MAAM,GAAA,GAAM,MAAM,IAAI,WAAA,CAAY,OAAO,CAAA,CAAE,kBAAA,CAAmB,EAAE,GAAA,EAAK,OAAA,EAAS,GAAA,EAAK,CAAA,CAAE,KAAK,GAAG,CAAA;AAE7F,EAAA,MAAM,KAAA,GAAe;AAAA,IACpB,IAAA,EAAM,sBAAA;AAAA,IACN,OAAA,EAAA,iBAAS,IAAI,IAAA,EAAK,EAAE,WAAA,EAAY;AAAA,IAChC,kBAAA,EAAoB,GAAA;AAAA,IACpB,YAAA,EAAc,iBAAA;AAAA,IACd;AAAA,GACD;AAEA,EAAA,OAAO,EAAE,GAAG,YAAA,EAAc,KAAA,EAAM;AACjC;AA2BA,eAAsB,gBAAgB,OAAA,EAAyD;AAC9F,EAAA,MAAM;AAAA,IACL,KAAA;AAAA,IACA,KAAA;AAAA,IACA,SAAA;AAAA,IACA,YAAA;AAAA,IACA,MAAA,GAAS,QAAA;AAAA,IACT,MAAA,GAAS,YAAA;AAAA,IACT,MAAA;AAAA,IACA;AAAA,GACD,GAAI,OAAA;AAGJ,EAAA,MAAM,OAAA,GAAU,OAAA,CAAQ,MAAA,CAAO,CAAC,CAAA,KAAM;AACrC,IAAA,MAAM,CAAA,GAAI,CAAA,CAAE,SAAA,CAAU,OAAA,EAAQ;AAC9B,IAAA,OAAO,KAAK,KAAA,CAAM,OAAA,EAAQ,IAAK,CAAA,IAAK,MAAM,OAAA,EAAQ;AAAA,EACnD,CAAC,CAAA;AAGD,EAAA,MAAM,QAAA,GAAW,MAAA,GAAS,OAAA,CAAQ,MAAA,CAAO,MAAM,CAAA,GAAI,OAAA;AAEnD,EAAA,IAAI,QAAA,CAAS,WAAW,CAAA,EAAG;AAC1B,IAAA,OAAO;AAAA,MACN,aAAa,EAAC;AAAA,MACd,MAAA;AAAA,MACA,QAAA,sBAAc,IAAA,EAAK;AAAA,MACnB,KAAA,EAAO;AAAA,KACR;AAAA,EACD;AAEA,EAAA,MAAM,cAAsC,EAAC;AAC7C,EAAA,MAAM,OAAiB,EAAC;AAExB,EAAA,KAAA,MAAW,UAAU,QAAA,EAAU;AAC9B,IAAA,MAAM,IAAA,GAAO,oBAAA,CAAqB,MAAA,EAAQ,SAAS,CAAA;AAEnD,IAAA,IAAI,WAAW,QAAA,EAAU;AACxB,MAAA,MAAM,EAAE,UAAA,EAAY,GAAA,KAAQ,MAAM,SAAA,CAAU,MAAM,YAAY,CAAA;AAC9D,MAAA,WAAA,CAAY,KAAK,UAAU,CAAA;AAC3B,MAAA,IAAA,CAAK,KAAK,GAAG,CAAA;AAAA,IACd,CAAA,MAAO;AACN,MAAA,MAAM,MAAA,GAAS,MAAM,YAAA,CAAa,IAAA,EAAM,YAAY,CAAA;AACpD,MAAA,WAAA,CAAY,KAAK,MAAM,CAAA;AAAA,IACxB;AAAA,EACD;AAEA,EAAA,MAAM,QAAA,uBAAe,IAAA,EAAK;AAE1B,EAAA,IAAI,WAAW,YAAA,EAAc;AAC5B,IAAA,OAAO;AAAA,MACN,WAAA;AAAA,MACA,GAAI,MAAA,KAAW,QAAA,GAAW,EAAE,IAAA,KAAS,EAAC;AAAA,MACtC,MAAA;AAAA,MACA,QAAA;AAAA,MACA,OAAO,WAAA,CAAY;AAAA,KACpB;AAAA,EACD;AAGA,EAAA,MAAM,gBAAA,GAA2C;AAAA,IAChD,UAAA,EAAY,CAAC,aAAA,EAAe,sBAAsB,CAAA;AAAA,IAClD,EAAA,EAAI,CAAA,SAAA,EAAY,UAAA,EAAY,CAAA,CAAA;AAAA,IAC5B,IAAA,EAAM,CAA
C,oBAAoB,CAAA;AAAA,IAC3B,MAAA,EAAQ,SAAA;AAAA,IACR,oBAAA,EAAsB;AAAA,GACvB;AAEA,EAAA,MAAM,eACL,MAAA,KAAW,QAAA,GACR,mBACA,MAAM,wBAAA,CAAyB,kBAAkB,YAAY,CAAA;AAEjE,EAAA,OAAO;AAAA,IACN,WAAA;AAAA,IACA,GAAI,MAAA,KAAW,QAAA,GAAW,EAAE,IAAA,KAAS,EAAC;AAAA,IACtC,YAAA;AAAA,IACA,MAAA;AAAA,IACA,QAAA;AAAA,IACA,OAAO,WAAA,CAAY;AAAA,GACpB;AACD;AAaO,SAAS,gBAAA,CACf,OAAA,EACA,KAAA,EACA,KAAA,EACA,MAAA,EACgB;AAChB,EAAA,MAAM,OAAA,GAAU,OAAA,CAAQ,MAAA,CAAO,CAAC,CAAA,KAAM;AACrC,IAAA,MAAM,CAAA,GAAI,CAAA,CAAE,SAAA,CAAU,OAAA,EAAQ;AAC9B,IAAA,OAAO,KAAK,KAAA,CAAM,OAAA,EAAQ,IAAK,CAAA,IAAK,MAAM,OAAA,EAAQ;AAAA,EACnD,CAAC,CAAA;AAED,EAAA,OAAO,MAAA,GAAS,OAAA,CAAQ,MAAA,CAAO,MAAM,CAAA,GAAI,OAAA;AAC1C;AC3TA,IAAMA,oBAAAA,GAAsB,KAAA;AAI5B,SAAS,SAAA,CAAU,IAAA,EAAc,OAAA,EAAiB,OAAA,EAAgD;AACjG,EAAA,OAAO,EAAE,IAAA,EAAM,OAAA,EAAS,GAA0C,EAAC,EAAG;AACvE;AAEA,SAAS,MAAA,GAAiB;AACzB,EAAA,OAAA,iBAAO,IAAI,IAAA,EAAK,EAAE,WAAA,EAAY;AAC/B;AAEA,SAAS,UAAU,OAAA,EAAyB;AAC3C,EAAA,OAAO,IAAI,KAAK,IAAA,CAAK,GAAA,KAAQ,OAAA,GAAU,GAAI,EAAE,WAAA,EAAY;AAC1D;AAoFO,SAAS,eAAe,MAAA,EAAkC;AAChE,EAAA,MAAM,EAAE,SAAA,EAAW,aAAA,EAAe,UAAA,GAAaA,sBAAoB,GAAI,MAAA;AAEvE,EAAA,MAAM,GAAA,GAAM,CAAA,EAAG,SAAS,CAAA,CAAA,EAAI,SAAA,CAAU,MAAM,GAAG,CAAA,CAAE,GAAA,EAAI,IAAK,OAAO,CAAA,CAAA;AAEjE,EAAA,eAAeC,UAAAA,CACd,UAAA,EACA,OAAA,EACA,GAAA,EACqE;AACrE,IAAA,IAAI;AACH,MAAA,MAAM,GAAA,GAAM,MAAMC,SAAAA,CAAU,aAAA,EAAe,OAAO,CAAA;AAGlD,MAAA,MAAM,EAAE,KAAA,EAAO,MAAA,EAAQ,GAAG,gBAAe,GAAI,UAAA;AAE7C,MAAA,MAAM,OAAA,GAAU,IAAIC,OAAAA,CAAQ;AAAA,QAC3B,EAAA,EAAI;AAAA,OACJ,CAAA,CACC,kBAAA,CAAmB,EAAE,GAAA,EAAK,SAAS,GAAA,EAAK,GAAA,EAAK,KAAA,EAAO,CAAA,CACpD,SAAA,CAAU,SAAS,CAAA,CACnB,WAAA,EAAY,CACZ,iBAAA,CAAkB,IAAA,CAAK,KAAA,CAAM,KAAK,GAAA,EAAI,GAAI,GAAI,CAAA,GAAI,GAAG,CAAA;AAEvD,MAAA,IAAI,WAAW,EAAA,EAAI;AAClB,QAAA,OAAA,CAAQ,MAAA,CAAO,WAAW,EAAE,CAAA;AAAA,MAC7B;AACA,MAAA,IAAI,OAAA,EAAS;AACZ,QAAA,OAAA,CAAQ,WAAW,OAAO,CAAA;AAAA,MAC3B;AAEA,MAAA,MAAM,GAAA,GAAM,MAAM,OAAA,CAAQ,IAAA,CAAK,GAAG,CAAA;AAClC,MAAA,OAAO,EAAE,OAAA,EAAS,IAAA,EAAM,MAAM,EAAE,UAAA,EAAY,KAAI,EAAE;AAAA,IACnD,SAAS,GAAA,EA
AK;AACb,MAAA,OAAO;AAAA,QACN,OAAA,EAAS,KAAA;AAAA,QACT,KAAA,EAAO,SAAA;AAAA,UACN,gBAAA;AAAA,UACA,GAAA,YAAe,KAAA,GAAQ,GAAA,CAAI,OAAA,GAAU;AAAA;AACtC,OACD;AAAA,IACD;AAAA,EACD;AAEA,EAAA,eAAeC,cACd,UAAA,EACwD;AACxD,IAAA,IAAI;AACH,MAAA,MAAM,GAAA,GAAM,MAAMF,SAAAA,CAAU,aAAA,EAAe,OAAO,CAAA;AAGlD,MAAA,MAAM,EAAE,KAAA,EAAO,MAAA,EAAQ,GAAG,gBAAe,GAAI,UAAA;AAC7C,MAAA,MAAM,OAAA,GAAU,IAAI,WAAA,EAAY,CAAE,OAAO,IAAA,CAAK,SAAA,CAAU,cAAc,CAAC,CAAA;AAEvE,MAAA,MAAM,EAAE,WAAA,EAAAG,YAAAA,EAAY,GAAI,MAAM,OAAO,MAAM,CAAA;AAC3C,MAAA,MAAM,GAAA,GAAM,MAAM,IAAIA,YAAAA,CAAY,OAAO,CAAA,CACvC,kBAAA,CAAmB,EAAE,GAAA,EAAK,OAAA,EAAS,GAAA,EAAK,CAAA,CACxC,KAAK,GAAG,CAAA;AAEV,MAAA,MAAM,KAAA,GAAe;AAAA,QACpB,IAAA,EAAM,sBAAA;AAAA,QACN,SAAS,MAAA,EAAO;AAAA,QAChB,kBAAA,EAAoB,GAAA;AAAA,QACpB,YAAA,EAAc,iBAAA;AAAA,QACd;AAAA,OACD;AAEA,MAAA,MAAM,gBAAA,GAAyC;AAAA,QAC9C,GAAG,UAAA;AAAA,QACH;AAAA,OACD;AAEA,MAAA,OAAO,EAAE,OAAA,EAAS,IAAA,EAAM,MAAM,EAAE,UAAA,EAAY,kBAAiB,EAAE;AAAA,IAChE,SAAS,GAAA,EAAK;AACb,MAAA,OAAO;AAAA,QACN,OAAA,EAAS,KAAA;AAAA,QACT,KAAA,EAAO,SAAA;AAAA,UACN,gBAAA;AAAA,UACA,GAAA,YAAe,KAAA,GAAQ,GAAA,CAAI,OAAA,GAAU;AAAA;AACtC,OACD;AAAA,IACD;AAAA,EACD;AAEA,EAAA,SAAS,eAAA,CACR,KAAA,EACA,OAAA,EACA,GAAA,EACA,cAAA,EACuB;AACvB,IAAA,OAAO;AAAA,MACN,UAAA,EAAY,CAAC,aAAa,CAAA;AAAA,MAC1B,EAAA,EAAI,CAAA,SAAA,EAAY,UAAA,EAAY,CAAA,CAAA;AAAA,MAC5B,IAAA,EAAM,CAAC,kBAAA,EAAoB,GAAG,KAAK,CAAA;AAAA,MACnC,MAAA,EAAQ,SAAA;AAAA,MACR,cAAc,MAAA,EAAO;AAAA,MACrB,cAAA,EAAkC,SAAA,CAAU,GAAG,CAAA;AAAA,MAC/C,iBAAA,EAAmB;AAAA,KACpB;AAAA,EACD;AAEA,EAAA,eAAe,cAAA,CACd,UAAA,EACA,OAAA,EACA,GAAA,EACA,MAAA,EACsE;AACtE,IAAA,IAAI,WAAW,KAAA,EAAO;AACrB,MAAA,OAAOJ,UAAAA,CAAU,UAAA,EAAY,OAAA,EAAS,GAAG,CAAA;AAAA,IAC1C;AACA,IAAA,OAAOG,cAAa,UAAU,CAAA;AAAA,EAC/B;AAIA,EAAA,eAAe,qBACd,KAAA,EACsE;AACtE,IAAA,MAAM;AAAA,MACL,OAAA;AAAA,MACA,IAAA;AAAA,MACA,SAAA;AAAA,MACA,WAAA;AAAA,MACA,UAAA;AAAA,MACA,GAAA,GAAM,UAAA;AAAA,MACN,MAAA,GAAS;AAAA,KACV,GAAI,KAAA;AAEJ,IAAA,IAAI,CAAC,OAAA,EAAS;AACb,MAAA,OAAO;AAAA,QACN,OAAA,EAAS,KAAA;AAAA,QACT,KAAA,EAAO,SAAA,CAAU,kBAAA,EAAoB,qBAAqB;AAAA
,OAC3D;AAAA,IACD;AAEA,IAAA,IAAI,UAAA,KAAe,MAAA,KAAc,UAAA,GAAa,CAAA,IAAK,aAAa,CAAA,CAAA,EAAI;AACnE,MAAA,OAAO;AAAA,QACN,OAAA,EAAS,KAAA;AAAA,QACT,KAAA,EAAO,SAAA,CAAU,kBAAA,EAAoB,oCAAoC;AAAA,OAC1E;AAAA,IACD;AAEA,IAAA,MAAM,OAAA,GAA6B;AAAA,MAClC,EAAA,EAAI,OAAA;AAAA,MACJ,OAAA;AAAA,MACA,GAAI,IAAA,KAAS,MAAA,GAAY,EAAE,IAAA,KAAS,EAAC;AAAA,MACrC,GAAI,SAAA,KAAc,MAAA,GAAY,EAAE,IAAA,EAAM,SAAA,KAAc,EAAC;AAAA,MACrD,GAAI,WAAA,KAAgB,MAAA,GAAY,EAAE,WAAA,KAAgB,EAAC;AAAA,MACnD,GAAI,UAAA,KAAe,MAAA,GAAY,EAAE,UAAA,KAAe;AAAC,KAClD;AAEA,IAAA,MAAM,aAAa,eAAA,CAAgB,CAAC,uBAAuB,CAAA,EAAG,SAAS,GAAG,CAAA;AAC1E,IAAA,OAAO,cAAA,CAAe,UAAA,EAAY,OAAA,EAAS,GAAA,EAAK,MAAM,CAAA;AAAA,EACvD;AAEA,EAAA,eAAe,0BACd,KAAA,EACsE;AACtE,IAAA,MAAM,EAAE,OAAA,EAAS,WAAA,EAAa,MAAM,UAAA,EAAY,MAAA,GAAS,OAAM,GAAI,KAAA;AAEnE,IAAA,IAAI,CAAC,OAAA,EAAS;AACb,MAAA,OAAO;AAAA,QACN,OAAA,EAAS,KAAA;AAAA,QACT,KAAA,EAAO,SAAA,CAAU,kBAAA,EAAoB,qBAAqB;AAAA,OAC3D;AAAA,IACD;AAEA,IAAA,IAAI,CAAC,WAAA,IAAe,WAAA,CAAY,MAAA,KAAW,CAAA,EAAG;AAC7C,MAAA,OAAO;AAAA,QACN,OAAA,EAAS,KAAA;AAAA,QACT,KAAA,EAAO,SAAA,CAAU,kBAAA,EAAoB,qCAAqC;AAAA,OAC3E;AAAA,IACD;AAEA,IAAA,MAAM,OAAA,GAA6B;AAAA,MAClC,EAAA,EAAI,OAAA;AAAA,MACJ,OAAA;AAAA,MACA;AAAA,KACD;AAEA,IAAA,MAAM,aAAa,eAAA,CAAgB,CAAC,4BAA4B,CAAA,EAAG,SAAS,GAAG,CAAA;AAC/E,IAAA,OAAO,cAAA,CAAe,UAAA,EAAY,OAAA,EAAS,GAAA,EAAK,MAAM,CAAA;AAAA,EACvD;AAEA,EAAA,eAAe,0BACd,KAAA,EACsE;AACtE,IAAA,MAAM,EAAE,SAAS,KAAA,EAAO,eAAA,EAAiB,MAAM,UAAA,EAAY,MAAA,GAAS,OAAM,GAAI,KAAA;AAE9E,IAAA,IAAI,CAAC,OAAA,EAAS;AACb,MAAA,OAAO;AAAA,QACN,OAAA,EAAS,KAAA;AAAA,QACT,KAAA,EAAO,SAAA,CAAU,kBAAA,EAAoB,qBAAqB;AAAA,OAC3D;AAAA,IACD;AAEA,IAAA,IAAI,CAAC,KAAA,IAAS,KAAA,CAAM,MAAA,KAAW,CAAA,EAAG;AACjC,MAAA,OAAO;AAAA,QACN,OAAA,EAAS,KAAA;AAAA,QACT,KAAA,EAAO,SAAA,CAAU,kBAAA,EAAoB,8CAA8C;AAAA,OACpF;AAAA,IACD;AAEA,IAAA,MAAM,OAAA,GAA6B;AAAA,MAClC,EAAA,EAAI,OAAA;AAAA,MACJ,OAAA;AAAA,MACA,eAAA,EAAiB,KAAA;AAAA,MACjB,GAAI,eAAA,KAAoB,MAAA,GAAY,EAAE,eAAA,KAAoB;AAAC,KAC5D;AAEA,IAAA,MAAM,aAAa,eAAA,CAAgB,CAAC,4BAA4B,CAAA,EAAG,SAAS,GAAG,CAAA;AAC/E,IAAA,OAAO,cAAA,CAAe,UAAA,
EAAY,OAAA,EAAS,GAAA,EAAK,MAAM,CAAA;AAAA,EACvD;AAEA,EAAA,OAAO;AAAA,IACN,oBAAA;AAAA,IACA,yBAAA;AAAA,IACA,yBAAA;AAAA,IACA;AAAA,GACD;AACD;ACpUA,SAASE,UAAAA,CAAU,IAAA,EAAc,OAAA,EAAiB,OAAA,EAAgD;AACjG,EAAA,OAAO,EAAE,IAAA,EAAM,OAAA,EAAS,GAAI,OAAA,KAAY,SAAY,EAAE,OAAA,EAAQ,GAAI,EAAC,EAAG;AACvE;AAEA,SAAS,gBAAgB,MAAA,EAAwD;AAChF,EAAA,IAAI,OAAO,MAAA,KAAW,QAAA,EAAU,OAAO,MAAA;AACvC,EAAA,OAAO,MAAA,CAAO,EAAA;AACf;AA4BO,SAAS,gBAAA,CAAiB,MAAA,GAA2B,EAAC,EAAe;AAC3E,EAAA,MAAM,EAAE,aAAA,EAAe,qBAAA,EAAsB,GAAI,MAAA;AAEjD,EAAA,eAAe,UAAA,CAAW,KAAa,WAAA,EAAuD;AAC7F,IAAA,IAAI,WAAA,EAAa;AAChB,MAAA,OAAO,EAAE,OAAA,EAAS,IAAA,EAAM,IAAA,EAAM,WAAA,EAAY;AAAA,IAC3C;AAEA,IAAA,IAAI,aAAA,EAAe;AAClB,MAAA,MAAM,QAAA,GAAW,MAAM,aAAA,CAAc,GAAG,CAAA;AACxC,MAAA,IAAI,QAAA,EAAU;AACb,QAAA,OAAO,EAAE,OAAA,EAAS,IAAA,EAAM,IAAA,EAAM,QAAA,EAAS;AAAA,MACxC;AAAA,IACD;AAEA,IAAA,OAAO;AAAA,MACN,OAAA,EAAS,KAAA;AAAA,MACT,KAAA,EAAOA,UAAAA,CAAU,kBAAA,EAAoB,CAAA,sCAAA,EAAyC,GAAG,CAAA,CAAE;AAAA,KACpF;AAAA,EACD;AAEA,EAAA,eAAe,mBAAA,CACd,KACA,WAAA,EACsC;AACtC,IAAA,IAAI;AAEH,MAAA,MAAM,KAAA,GAAQ,GAAA,CAAI,KAAA,CAAM,GAAG,CAAA;AAC3B,MAAA,IAAI,KAAA,CAAM,WAAW,CAAA,EAAG;AACvB,QAAA,OAAO;AAAA,UACN,OAAA,EAAS,KAAA;AAAA,UACT,KAAA,EAAOA,UAAAA,CAAU,gBAAA,EAAkB,2BAA2B;AAAA,SAC/D;AAAA,MACD;AAGA,MAAA,MAAM,UAAA,GAAa,MAAM,CAAC,CAAA;AAC1B,MAAA,IAAI,CAAC,UAAA,EAAY;AAChB,QAAA,OAAO;AAAA,UACN,OAAA,EAAS,KAAA;AAAA,UACT,KAAA,EAAOA,UAAAA,CAAU,gBAAA,EAAkB,wBAAwB;AAAA,SAC5D;AAAA,MACD;AACA,MAAA,MAAM,aAAa,IAAA,CAAK,KAAA;AAAA,QACvB,IAAI,aAAY,CAAE,MAAA;AAAA,UACjB,UAAA,CAAW,IAAA;AAAA,YAAK,IAAA,CAAK,WAAW,OAAA,CAAQ,IAAA,EAAM,GAAG,CAAA,CAAE,OAAA,CAAQ,IAAA,EAAM,GAAG,CAAC,CAAA;AAAA,YAAG,CAAC,CAAA,KACxE,CAAA,CAAE,UAAA,CAAW,CAAC;AAAA;AACf;AACD,OACD;AAEA,MAAA,MAAM,YAAY,OAAO,UAAA,CAAW,GAAA,KAAQ,QAAA,GAAW,WAAW,GAAA,GAAM,IAAA;AACxE,MAAA,IAAI,CAAC,SAAA,EAAW;AACf,QAAA,OAAO;AAAA,UACN,OAAA,EAAS,KAAA;AAAA,UACT,KAAA,EAAOA,UAAAA,CAAU,cAAA,EAAgB,sBAAsB;AAAA,SACxD;AAAA,MACD;AAGA,MAAA,MAAM,SAAA,GAAY,MAAM,UAAA,CAAW,SAAA,EAAW,WAAW,CAAA;AACzD,MAAA,IAAI,CAAC,SAAA,CAAU,OAAA,EAAS,OAAO,SAAA;AAE/B
,MAAA,MAAM,SAAA,GAAY,MAAMJ,SAAAA,CAAU,SAAA,CAAU,MAAM,OAAO,CAAA;AACzD,MAAA,MAAM,EAAE,OAAA,EAAQ,GAAI,MAAM,SAAA,CAAU,KAAK,SAAS,CAAA;AAElD,MAAA,MAAM,UAAU,OAAA,CAAQ,EAAA;AACxB,MAAA,IAAI,CAAC,OAAA,EAAS;AACb,QAAA,OAAO;AAAA,UACN,OAAA,EAAS,KAAA;AAAA,UACT,KAAA,EAAOI,UAAAA,CAAU,qBAAA,EAAuB,iCAAiC;AAAA,SAC1E;AAAA,MACD;AAGA,MAAA,MAAM,UAAA,GAAmC;AAAA,QACxC,GAAI,OAAA;AAAA,QACJ,MAAA,EAAQ;AAAA,OACT;AAGA,MAAA,MAAM,MAAA,GAAS,0BAAA,CAA2B,SAAA,CAAU,UAAU,CAAA;AAC9D,MAAA,IAAI,CAAC,OAAO,OAAA,EAAS;AACpB,QAAA,OAAO;AAAA,UACN,OAAA,EAAS,KAAA;AAAA,UACT,KAAA,EAAOA,UAAAA,CAAU,uBAAA,EAAyB,sCAAA,EAAwC;AAAA,YACjF,QAAQ,MAAA,CAAO,KAAA,CAAM,MAAA,CAAO,GAAA,CAAI,CAAC,CAAA,KAAM,CAAA,EAAG,CAAA,CAAE,IAAA,CAAK,KAAK,GAAG,CAAC,CAAA,EAAA,EAAK,CAAA,CAAE,OAAO,CAAA,CAAE;AAAA,WAC1E;AAAA,SACF;AAAA,MACD;AAGA,MAAA,IAAI,OAAA,CAAQ,GAAA,IAAO,OAAA,CAAQ,GAAA,GAAM,IAAA,CAAK,MAAM,IAAA,CAAK,GAAA,EAAI,GAAI,GAAI,CAAA,EAAG;AAC/D,QAAA,OAAO;AAAA,UACN,OAAA,EAAS,KAAA;AAAA,UACT,KAAA,EAAOA,UAAAA,CAAU,YAAA,EAAc,wBAAwB;AAAA,SACxD;AAAA,MACD;AAGA,MAAA,IAAI,MAAA,CAAO,IAAA,CAAK,gBAAA,IAAoB,qBAAA,EAAuB;AAC1D,QAAA,MAAM,OAAA,GAAU,MAAM,qBAAA,CAAsB,MAAA,CAAO,KAAK,gBAAgB,CAAA;AACxE,QAAA,IAAI,OAAA,EAAS;AACZ,UAAA,OAAO;AAAA,YACN,OAAA,EAAS,KAAA;AAAA,YACT,KAAA,EAAOA,UAAAA,CAAU,YAAA,EAAc,6BAA6B;AAAA,WAC7D;AAAA,QACD;AAAA,MACD;AAEA,MAAA,OAAO;AAAA,QACN,OAAA,EAAS,IAAA;AAAA,QACT,IAAA,EAAM;AAAA,UACL,YAAY,MAAA,CAAO,IAAA;AAAA,UACnB,MAAA,EAAQ,KAAA;AAAA,UACR,MAAA,EAAQ,SAAA;AAAA,UACR,UAAU,IAAI,IAAA,CAAA,CAAM,OAAA,CAAQ,GAAA,IAAO,KAAK,GAAI,CAAA;AAAA,UAC5C,SAAA,EAAW,QAAQ,GAAA,GAAM,IAAI,KAAK,OAAA,CAAQ,GAAA,GAAM,GAAI,CAAA,GAAI;AAAA;AACzD,OACD;AAAA,IACD,SAAS,GAAA,EAAK;AAEb,MAAA,IAAI,GAAA,YAAeC,OAAW,UAAA,EAAY;AACzC,QAAA,OAAO;AAAA,UACN,OAAA,EAAS,KAAA;AAAA,UACT,KAAA,EAAOD,UAAAA,CAAU,YAAA,EAAc,wBAAwB;AAAA,SACxD;AAAA,MACD;AACA,MAAA,OAAO;AAAA,QACN,OAAA,EAAS,KAAA;AAAA,QACT,KAAA,EAAOA,UAAAA;AAAA,UACN,kBAAA;AAAA,UACA,GAAA,YAAe,KAAA,GAAQ,GAAA,CAAI,OAAA,GAAU;AAAA;AACtC,OACD;AAAA,IACD;AAAA,EACD;AAEA,EAAA,eAAe,sBAAA,CACd,IACA,WAAA,EACsC;AAEtC,IAAA,MAAM,MAAA,GAAS,0BAAA,CAA2B,SAAA,CAA
U,EAAE,CAAA;AACtD,IAAA,IAAI,CAAC,OAAO,OAAA,EAAS;AACpB,MAAA,OAAO;AAAA,QACN,OAAA,EAAS,KAAA;AAAA,QACT,KAAA,EAAOA,UAAAA,CAAU,uBAAA,EAAyB,sCAAA,EAAwC;AAAA,UACjF,QAAQ,MAAA,CAAO,KAAA,CAAM,MAAA,CAAO,GAAA,CAAI,CAAC,CAAA,KAAM,CAAA,EAAG,CAAA,CAAE,IAAA,CAAK,KAAK,GAAG,CAAC,CAAA,EAAA,EAAK,CAAA,CAAE,OAAO,CAAA,CAAE;AAAA,SAC1E;AAAA,OACF;AAAA,IACD;AAEA,IAAA,MAAM,aAAa,MAAA,CAAO,IAAA;AAE1B,IAAA,IAAI,CAAC,WAAW,KAAA,EAAO;AACtB,MAAA,OAAO;AAAA,QACN,OAAA,EAAS,KAAA;AAAA,QACT,KAAA,EAAOA,UAAAA,CAAU,aAAA,EAAe,0CAA0C;AAAA,OAC3E;AAAA,IACD;AAEA,IAAA,IAAI,CAAC,UAAA,CAAW,KAAA,CAAM,GAAA,EAAK;AAC1B,MAAA,OAAO;AAAA,QACN,OAAA,EAAS,KAAA;AAAA,QACT,KAAA,EAAOA,UAAAA,CAAU,WAAA,EAAa,oCAAoC;AAAA,OACnE;AAAA,IACD;AAEA,IAAA,MAAM,SAAA,GAAY,eAAA,CAAgB,UAAA,CAAW,MAAM,CAAA;AAGnD,IAAA,MAAM,SAAA,GAAY,MAAM,UAAA,CAAW,SAAA,EAAW,WAAW,CAAA;AACzD,IAAA,IAAI,CAAC,SAAA,CAAU,OAAA,EAAS,OAAO,SAAA;AAE/B,IAAA,IAAI;AACH,MAAA,MAAM,SAAA,GAAY,MAAMJ,SAAAA,CAAU,SAAA,CAAU,MAAM,OAAO,CAAA;AAGzD,MAAA,MAAM,EAAE,SAAQ,GAAI,MAAM,cAAc,UAAA,CAAW,KAAA,CAAM,KAAK,SAAS,CAAA;AAGvE,MAAA,MAAM,EAAE,KAAA,EAAO,MAAA,EAAQ,GAAG,gBAAe,GAAI,UAAA;AAC7C,MAAA,MAAM,aAAA,GAAgB,IAAI,WAAA,EAAY,CAAE,OAAO,OAAO,CAAA;AACtD,MAAA,MAAM,cAAA,GAAiB,IAAA,CAAK,SAAA,CAAU,cAAc,CAAA;AAEpD,MAAA,IAAI,kBAAkB,cAAA,EAAgB;AACrC,QAAA,OAAO;AAAA,UACN,OAAA,EAAS,KAAA;AAAA,UACT,KAAA,EAAOI,UAAAA,CAAU,aAAA,EAAe,sDAAsD;AAAA,SACvF;AAAA,MACD;AAGA,MAAA,IAAI,WAAW,cAAA,EAAgB;AAC9B,QAAA,MAAM,MAAA,GAAS,IAAI,IAAA,CAAK,UAAA,CAAW,cAAc,CAAA;AACjD,QAAA,IAAI,MAAA,oBAAU,IAAI,IAAA,EAAK,EAAG;AACzB,UAAA,OAAO;AAAA,YACN,OAAA,EAAS,KAAA;AAAA,YACT,KAAA,EAAOA,UAAAA,CAAU,YAAA,EAAc,wBAAwB;AAAA,WACxD;AAAA,QACD;AAAA,MACD;AAGA,MAAA,IAAI,UAAA,CAAW,oBAAoB,qBAAA,EAAuB;AACzD,QAAA,MAAM,OAAA,GAAU,MAAM,qBAAA,CAAsB,UAAA,CAAW,gBAAgB,CAAA;AACvE,QAAA,IAAI,OAAA,EAAS;AACZ,UAAA,OAAO;AAAA,YACN,OAAA,EAAS,KAAA;AAAA,YACT,KAAA,EAAOA,UAAAA,CAAU,YAAA,EAAc,6BAA6B;AAAA,WAC7D;AAAA,QACD;AAAA,MACD;AAEA,MAAA,OAAO;AAAA,QACN,OAAA,EAAS,IAAA;AAAA,QACT,IAAA,EAAM;AAAA,UACL,UAAA;AAAA,UACA,MAAA,EAAQ,SAAA;AAAA,UACR,MAAA,EAAQ,SAAA;AAAA,UACR,QAAA,EAAU,IAAI,IAAA,CA
AK,UAAA,CAAW,YAAY,CAAA;AAAA,UAC1C,WAAW,UAAA,CAAW,cAAA,GAAiB,IAAI,IAAA,CAAK,UAAA,CAAW,cAAc,CAAA,GAAI;AAAA;AAC9E,OACD;AAAA,IACD,SAAS,GAAA,EAAK;AACb,MAAA,OAAO;AAAA,QACN,OAAA,EAAS,KAAA;AAAA,QACT,KAAA,EAAOA,UAAAA;AAAA,UACN,kBAAA;AAAA,UACA,GAAA,YAAe,KAAA,GAAQ,GAAA,CAAI,OAAA,GAAU;AAAA;AACtC,OACD;AAAA,IACD;AAAA,EACD;AAIA,EAAA,eAAe,gBAAA,CACd,IACA,YAAA,EACsC;AACtC,IAAA,IAAI,OAAO,OAAO,QAAA,EAAU;AAC3B,MAAA,OAAO,mBAAA,CAAoB,IAAI,YAAY,CAAA;AAAA,IAC5C;AACA,IAAA,OAAO,sBAAA,CAAuB,IAAI,YAAY,CAAA;AAAA,EAC/C;AAEA,EAAA,eAAe,kBAAA,CACd,IACA,YAAA,EACwC;AACxC,IAAA,IAAI,YAAA;AAEJ,IAAA,IAAI,OAAO,OAAO,QAAA,EAAU;AAE3B,MAAA,IAAI;AACH,QAAA,MAAM,KAAA,GAAQ,EAAA,CAAG,KAAA,CAAM,GAAG,CAAA;AAC1B,QAAA,IAAI,MAAM,MAAA,KAAW,CAAA,IAAK,CAAC,KAAA,CAAM,CAAC,CAAA,EAAG;AACpC,UAAA,OAAO;AAAA,YACN,OAAA,EAAS,KAAA;AAAA,YACT,KAAA,EAAOA,UAAAA,CAAU,gBAAA,EAAkB,wCAAwC;AAAA,WAC5E;AAAA,QACD;AAEA,QAAA,MAAM,UAAA,GAAa,MAAM,CAAC,CAAA;AAC1B,QAAA,MAAM,aAAa,IAAA,CAAK,KAAA;AAAA,UACvB,IAAI,aAAY,CAAE,MAAA;AAAA,YACjB,UAAA,CAAW,IAAA;AAAA,cAAK,IAAA,CAAK,WAAW,OAAA,CAAQ,IAAA,EAAM,GAAG,CAAA,CAAE,OAAA,CAAQ,IAAA,EAAM,GAAG,CAAC,CAAA;AAAA,cAAG,CAAC,CAAA,KACxE,CAAA,CAAE,UAAA,CAAW,CAAC;AAAA;AACf;AACD,SACD;AAEA,QAAA,MAAM,YAAY,OAAO,UAAA,CAAW,GAAA,KAAQ,QAAA,GAAW,WAAW,GAAA,GAAM,IAAA;AACxE,QAAA,IAAI,CAAC,SAAA,EAAW;AACf,UAAA,OAAO;AAAA,YACN,OAAA,EAAS,KAAA;AAAA,YACT,KAAA,EAAOA,UAAAA,CAAU,cAAA,EAAgB,mCAAmC;AAAA,WACrE;AAAA,QACD;AAEA,QAAA,MAAM,SAAA,GAAY,MAAM,UAAA,CAAW,SAAA,EAAW,YAAY,CAAA;AAC1D,QAAA,IAAI,CAAC,SAAA,CAAU,OAAA,EAAS,OAAO,SAAA;AAE/B,QAAA,MAAM,SAAA,GAAY,MAAMJ,SAAAA,CAAU,SAAA,CAAU,MAAM,OAAO,CAAA;AACzD,QAAA,MAAM,EAAE,OAAA,EAAQ,GAAI,MAAM,SAAA,CAAU,IAAI,SAAS,CAAA;AAEjD,QAAA,MAAM,UAAU,OAAA,CAAQ,EAAA;AACxB,QAAA,IAAI,CAAC,OAAA,EAAS;AACb,UAAA,OAAO;AAAA,YACN,OAAA,EAAS,KAAA;AAAA,YACT,KAAA,EAAOI,UAAAA,CAAU,qBAAA,EAAuB,iCAAiC;AAAA,WAC1E;AAAA,QACD;AAEA,QAAA,YAAA,GAAe,OAAA;AAAA,MAChB,SAAS,GAAA,EAAK;AACb,QAAA,OAAO;AAAA,UACN,OAAA,EAAS,KAAA;AAAA,UACT,KAAA,EAAOA,UAAAA;AAAA,YACN,kBAAA;AAAA,YACA,GAAA,YAAe,KAAA,GAAQ,GAAA,CAAI,OAAA,GAAU;AAAA;AACtC,SACD;AAAA,MACD;AA
AA,IACD,CAAA,MAAO;AACN,MAAA,YAAA,GAAe,EAAA;AAAA,IAChB;AAGA,IAAA,MAAM,MAAA,GAAS,4BAAA,CAA6B,SAAA,CAAU,YAAY,CAAA;AAClE,IAAA,IAAI,CAAC,OAAO,OAAA,EAAS;AACpB,MAAA,OAAO;AAAA,QACN,OAAA,EAAS,KAAA;AAAA,QACT,KAAA,EAAOA,UAAAA,CAAU,yBAAA,EAA2B,wCAAA,EAA0C;AAAA,UACrF,QAAQ,MAAA,CAAO,KAAA,CAAM,MAAA,CAAO,GAAA,CAAI,CAAC,CAAA,KAAM,CAAA,EAAG,CAAA,CAAE,IAAA,CAAK,KAAK,GAAG,CAAC,CAAA,EAAA,EAAK,CAAA,CAAE,OAAO,CAAA,CAAE;AAAA,SAC1E;AAAA,OACF;AAAA,IACD;AAGA,IAAA,MAAM,sBAA4C,EAAC;AACnD,IAAA,KAAA,MAAW,EAAA,IAAM,MAAA,CAAO,IAAA,CAAK,oBAAA,EAAsB;AAClD,MAAA,MAAM,MAAA,GAAS,MAAM,gBAAA,CAAiB,EAAA,EAAI,YAAY,CAAA;AACtD,MAAA,IAAI,CAAC,OAAO,OAAA,EAAS;AACpB,QAAA,OAAO;AAAA,UACN,OAAA,EAAS,KAAA;AAAA,UACT,KAAA,EAAOA,UAAAA;AAAA,YACN,oCAAA;AAAA,YACA,CAAA,6CAAA,EAAgD,MAAA,CAAO,KAAA,CAAM,OAAO,CAAA,CAAA;AAAA,YACpE,EAAE,aAAA,EAAe,MAAA,CAAO,KAAA;AAAM;AAC/B,SACD;AAAA,MACD;AACA,MAAA,mBAAA,CAAoB,IAAA,CAAK,OAAO,IAAI,CAAA;AAAA,IACrC;AAEA,IAAA,OAAO;AAAA,MACN,OAAA,EAAS,IAAA;AAAA,MACT,IAAA,EAAM;AAAA,QACL,cAAc,MAAA,CAAO,IAAA;AAAA,QACrB,WAAA,EAAa,mBAAA;AAAA,QACb,MAAA,EAAQ,MAAA,CAAO,IAAA,CAAK,MAAA,IAAU;AAAA;AAC/B,KACD;AAAA,EACD;AAEA,EAAA,SAAS,mBAAmB,EAAA,EAAgD;AAC3E,IAAA,MAAM,UAAU,EAAA,CAAG,iBAAA;AACnB,IAAA,OAAO;AAAA,MACN,OAAA,EAAS,OAAA,CAAQ,OAAA,IAAW,OAAA,CAAQ,EAAA,IAAM,IAAA;AAAA,MAC1C,WAAA,EAAa,OAAA,CAAQ,WAAA,IAAe,EAAC;AAAA,MACrC,UAAA,EAAY,QAAQ,UAAA,IAAc,IAAA;AAAA,MAClC,eAAA,EAAiB,OAAA,CAAQ,eAAA,IAAmB;AAAC,KAC9C;AAAA,EACD;AAEA,EAAA,OAAO;AAAA,IACN,gBAAA;AAAA,IACA,kBAAA;AAAA,IACA;AAAA,GACD;AACD","file":"index.js","sourcesContent":["/**\n * Web Crypto API utilities for KavachOS.\n *\n * This module uses ONLY the Web Crypto API (globalThis.crypto) which is\n * available natively in Cloudflare Workers, Deno, Bun, and Node 20+.\n * No `node:crypto` imports are used, making the core package edge-compatible.\n */\n\n// ---------------------------------------------------------------------------\n// Encoding helpers\n// ---------------------------------------------------------------------------\n\nconst HEX_CHARS = 
\"0123456789abcdef\";\n\n/** Encode a Uint8Array as a lowercase hex string. */\nexport function toHex(bytes: Uint8Array): string {\n\tlet hex = \"\";\n\tfor (let i = 0; i < bytes.length; i++) {\n\t\tconst b = bytes[i] as number;\n\t\thex += HEX_CHARS[b >> 4] as string;\n\t\thex += HEX_CHARS[b & 0x0f] as string;\n\t}\n\treturn hex;\n}\n\n/** Decode a hex string into a Uint8Array. */\nexport function fromHex(hex: string): Uint8Array {\n\tif (hex.length % 2 !== 0) {\n\t\tthrow new Error(\"fromHex: hex string must have even length\");\n\t}\n\tconst bytes = new Uint8Array(hex.length / 2);\n\tfor (let i = 0; i < bytes.length; i++) {\n\t\tconst hi = parseInt(hex[i * 2] as string, 16);\n\t\tconst lo = parseInt(hex[i * 2 + 1] as string, 16);\n\t\tif (Number.isNaN(hi) || Number.isNaN(lo)) {\n\t\t\tthrow new Error(`fromHex: invalid hex character at position ${i * 2}`);\n\t\t}\n\t\tbytes[i] = (hi << 4) | lo;\n\t}\n\treturn bytes;\n}\n\n/** Encode a Uint8Array as a base64url string (no padding). */\nexport function toBase64Url(bytes: Uint8Array): string {\n\tlet binary = \"\";\n\tfor (let i = 0; i < bytes.length; i++) {\n\t\tbinary += String.fromCharCode(bytes[i] as number);\n\t}\n\treturn btoa(binary).replace(/\\+/g, \"-\").replace(/\\//g, \"_\").replace(/=+$/, \"\");\n}\n\n/** Decode a base64url string into a Uint8Array. 
*/\nexport function fromBase64Url(b64: string): Uint8Array {\n\t// Restore standard base64\n\tlet base64 = b64.replace(/-/g, \"+\").replace(/_/g, \"/\");\n\t// Add padding\n\twhile (base64.length % 4 !== 0) {\n\t\tbase64 += \"=\";\n\t}\n\tconst binary = atob(base64);\n\tconst bytes = new Uint8Array(binary.length);\n\tfor (let i = 0; i < binary.length; i++) {\n\t\tbytes[i] = binary.charCodeAt(i);\n\t}\n\treturn bytes;\n}\n\n// ---------------------------------------------------------------------------\n// Random generation\n// ---------------------------------------------------------------------------\n\n/** Generate a v4 UUID using the globally available crypto.randomUUID(). */\nexport function generateId(): string {\n\treturn globalThis.crypto.randomUUID();\n}\n\n/** Generate cryptographically secure random bytes as a Uint8Array. */\nexport function randomBytes(length: number): Uint8Array {\n\tconst bytes = new Uint8Array(length);\n\tglobalThis.crypto.getRandomValues(bytes);\n\treturn bytes;\n}\n\n/** Generate cryptographically secure random bytes as a hex string. 
*/\nexport function randomBytesHex(length: number): string {\n\treturn toHex(randomBytes(length));\n}\n\n// ---------------------------------------------------------------------------\n// Text encoding helper (internal)\n// ---------------------------------------------------------------------------\n\nconst TEXT_ENCODER = new TextEncoder();\n\nfunction toBytes(data: string | Uint8Array): ArrayBuffer {\n\tif (typeof data === \"string\") {\n\t\tconst encoded = TEXT_ENCODER.encode(data);\n\t\treturn (encoded.buffer as ArrayBuffer).slice(\n\t\t\tencoded.byteOffset,\n\t\t\tencoded.byteOffset + encoded.byteLength,\n\t\t);\n\t}\n\treturn (data.buffer as ArrayBuffer).slice(data.byteOffset, data.byteOffset + data.byteLength);\n}\n\n// ---------------------------------------------------------------------------\n// Hashing\n// ---------------------------------------------------------------------------\n\n/** SHA-256 hash, returns hex string. */\nexport async function sha256(data: string | Uint8Array): Promise<string> {\n\tconst digest = await globalThis.crypto.subtle.digest(\"SHA-256\", toBytes(data));\n\treturn toHex(new Uint8Array(digest));\n}\n\n/** SHA-256 hash, returns Uint8Array. */\nexport async function sha256Raw(data: string | Uint8Array): Promise<Uint8Array> {\n\tconst digest = await globalThis.crypto.subtle.digest(\"SHA-256\", toBytes(data));\n\treturn new Uint8Array(digest);\n}\n\n/** SHA-1 hash, returns hex string. Needed for HIBP k-anonymity. */\nexport async function sha1(data: string | Uint8Array): Promise<string> {\n\tconst digest = await globalThis.crypto.subtle.digest(\"SHA-1\", toBytes(data));\n\treturn toHex(new Uint8Array(digest));\n}\n\n// ---------------------------------------------------------------------------\n// HMAC\n// ---------------------------------------------------------------------------\n\n/** Import a secret key for HMAC operations. 
*/\nexport async function importHmacKey(\n\tkey: string | Uint8Array,\n\thash: \"SHA-256\" | \"SHA-1\" = \"SHA-256\",\n): Promise<CryptoKey> {\n\tconst keyData = typeof key === \"string\" ? TEXT_ENCODER.encode(key) : key;\n\treturn globalThis.crypto.subtle.importKey(\n\t\t\"raw\",\n\t\t(keyData.buffer as ArrayBuffer).slice(\n\t\t\tkeyData.byteOffset,\n\t\t\tkeyData.byteOffset + keyData.byteLength,\n\t\t),\n\t\t{ name: \"HMAC\", hash: { name: hash } },\n\t\tfalse,\n\t\t[\"sign\", \"verify\"],\n\t);\n}\n\n/** HMAC-SHA256 sign, returns hex string. */\nexport async function hmacSha256(\n\tkey: string | Uint8Array,\n\tdata: string | Uint8Array,\n): Promise<string> {\n\tconst cryptoKey = await importHmacKey(key, \"SHA-256\");\n\tconst signature = await globalThis.crypto.subtle.sign(\"HMAC\", cryptoKey, toBytes(data));\n\treturn toHex(new Uint8Array(signature));\n}\n\n/** HMAC-SHA256 sign, returns Uint8Array. */\nexport async function hmacSha256Raw(\n\tkey: string | Uint8Array,\n\tdata: string | Uint8Array,\n): Promise<Uint8Array> {\n\tconst cryptoKey = await importHmacKey(key, \"SHA-256\");\n\tconst signature = await globalThis.crypto.subtle.sign(\"HMAC\", cryptoKey, toBytes(data));\n\treturn new Uint8Array(signature);\n}\n\n/** HMAC-SHA1 sign, returns Uint8Array (needed for TOTP per RFC 6238). 
*/\nexport async function hmacSha1Raw(key: Uint8Array, data: Uint8Array): Promise<Uint8Array> {\n\tconst cryptoKey = await importHmacKey(key, \"SHA-1\");\n\tconst buf = (data.buffer as ArrayBuffer).slice(\n\t\tdata.byteOffset,\n\t\tdata.byteOffset + data.byteLength,\n\t);\n\tconst signature = await globalThis.crypto.subtle.sign(\"HMAC\", cryptoKey, buf);\n\treturn new Uint8Array(signature);\n}\n\n// ---------------------------------------------------------------------------\n// PBKDF2 password hashing\n// ---------------------------------------------------------------------------\n\nconst PBKDF2_ITERATIONS = 100_000; // CF Workers caps at 100K; OWASP recommends 600K for Node.js\nconst PBKDF2_KEY_LENGTH = 64; // bytes\nconst PBKDF2_SALT_LENGTH = 32; // bytes\n\n/**\n * Hash a password using PBKDF2-SHA256.\n *\n * Returns a string in the format: `pbkdf2:iterations:salt_hex:hash_hex`\n * which is safe to store in the database.\n */\nexport async function pbkdf2Hash(\n\tpassword: string,\n\tsalt?: Uint8Array,\n\titerations?: number,\n): Promise<string> {\n\tconst actualSalt = salt ?? randomBytes(PBKDF2_SALT_LENGTH);\n\tconst actualIterations = iterations ?? 
PBKDF2_ITERATIONS;\n\n\tconst keyMaterial = await globalThis.crypto.subtle.importKey(\n\t\t\"raw\",\n\t\tTEXT_ENCODER.encode(password),\n\t\t\"PBKDF2\",\n\t\tfalse,\n\t\t[\"deriveBits\"],\n\t);\n\n\tconst saltBuf = (actualSalt.buffer as ArrayBuffer).slice(\n\t\tactualSalt.byteOffset,\n\t\tactualSalt.byteOffset + actualSalt.byteLength,\n\t);\n\tconst derived = await globalThis.crypto.subtle.deriveBits(\n\t\t{\n\t\t\tname: \"PBKDF2\",\n\t\t\tsalt: saltBuf,\n\t\t\titerations: actualIterations,\n\t\t\thash: \"SHA-256\",\n\t\t},\n\t\tkeyMaterial,\n\t\tPBKDF2_KEY_LENGTH * 8,\n\t);\n\n\treturn `pbkdf2:${actualIterations}:${toHex(actualSalt)}:${toHex(new Uint8Array(derived))}`;\n}\n\n/**\n * Verify a password against a stored PBKDF2 hash.\n *\n * Supports the `pbkdf2:iterations:salt:hash` format produced by `pbkdf2Hash`.\n */\nexport async function pbkdf2Verify(password: string, stored: string): Promise<boolean> {\n\tconst parts = stored.split(\":\");\n\tif (parts.length !== 4 || parts[0] !== \"pbkdf2\") {\n\t\treturn false;\n\t}\n\n\tconst iterations = parseInt(parts[1] as string, 10);\n\tconst salt = fromHex(parts[2] as string);\n\tconst storedHash = fromHex(parts[3] as string);\n\n\tif (Number.isNaN(iterations)) return false;\n\n\tconst keyMaterial = await globalThis.crypto.subtle.importKey(\n\t\t\"raw\",\n\t\tTEXT_ENCODER.encode(password),\n\t\t\"PBKDF2\",\n\t\tfalse,\n\t\t[\"deriveBits\"],\n\t);\n\n\tconst saltBuf = (salt.buffer as ArrayBuffer).slice(\n\t\tsalt.byteOffset,\n\t\tsalt.byteOffset + salt.byteLength,\n\t);\n\tconst derived = await globalThis.crypto.subtle.deriveBits(\n\t\t{\n\t\t\tname: \"PBKDF2\",\n\t\t\tsalt: saltBuf,\n\t\t\titerations,\n\t\t\thash: \"SHA-256\",\n\t\t},\n\t\tkeyMaterial,\n\t\tstoredHash.length * 8,\n\t);\n\n\treturn constantTimeEqual(new Uint8Array(derived), storedHash);\n}\n\n// ---------------------------------------------------------------------------\n// Constant-time comparison\n// 
---------------------------------------------------------------------------\n\n/**\n * Constant-time comparison of two Uint8Arrays.\n * Returns false immediately if lengths differ (length is not secret).\n */\nexport function constantTimeEqual(a: Uint8Array, b: Uint8Array): boolean {\n\tif (a.byteLength !== b.byteLength) {\n\t\treturn false;\n\t}\n\tlet diff = 0;\n\tfor (let i = 0; i < a.byteLength; i++) {\n\t\tdiff |= (a[i] as number) ^ (b[i] as number);\n\t}\n\treturn diff === 0;\n}\n","/**\n * W3C Verifiable Credentials Data Model 2.0 types for KavachOS.\n *\n * Defines Zod-validated schemas for credentials, presentations,\n * proofs, and credential status. Agent-centric: the credential\n * subject carries agent identity, permissions, trust level, and\n * delegation scope.\n */\n\nimport { z } from \"zod\";\n\n// ─── W3C VC Constants ────────────────────────────────────────────────────────\n\nexport const VC_CONTEXT_V2 = \"https://www.w3.org/ns/credentials/v2\";\nexport const VC_CONTEXT_V1 = \"https://www.w3.org/2018/credentials/v1\";\nexport const VC_TYPE_CREDENTIAL = \"VerifiableCredential\";\nexport const VC_TYPE_PRESENTATION = \"VerifiablePresentation\";\n\n// KavachOS-specific credential types\nexport const KAVACH_AGENT_CREDENTIAL = \"KavachAgentCredential\";\nexport const KAVACH_PERMISSION_CREDENTIAL = \"KavachPermissionCredential\";\nexport const KAVACH_DELEGATION_CREDENTIAL = \"KavachDelegationCredential\";\n\n// ─── Proof Types ─────────────────────────────────────────────────────────────\n\nexport const ProofSchema = z.object({\n\ttype: z.enum([\"Ed25519Signature2020\", \"JsonWebSignature2020\"]),\n\tcreated: z.string(),\n\tverificationMethod: z.string(),\n\tproofPurpose: z.enum([\"assertionMethod\", \"authentication\"]),\n\tproofValue: z.string().optional(),\n\tjws: z.string().optional(),\n});\n\nexport type Proof = z.infer<typeof ProofSchema>;\n\n// ─── Credential Status ──────────────────────────────────────────────────────\n\nexport const 
CredentialStatusSchema = z.object({\n\tid: z.string(),\n\ttype: z.string(),\n\tstatusPurpose: z.enum([\"revocation\", \"suspension\"]),\n\tstatusListIndex: z.number().int().nonnegative(),\n\tstatusListCredential: z.string(),\n});\n\nexport type CredentialStatus = z.infer<typeof CredentialStatusSchema>;\n\n// ─── Credential Subject ─────────────────────────────────────────────────────\n\nexport const CredentialSubjectSchema = z\n\t.object({\n\t\tid: z.string().optional(),\n\t\tagentId: z.string().optional(),\n\t\tpermissions: z.array(z.string()).optional(),\n\t\ttrustLevel: z.number().min(0).max(1).optional(),\n\t\tdelegationScope: z.array(z.string()).optional(),\n\t\tdelegationChain: z\n\t\t\t.array(\n\t\t\t\tz.object({\n\t\t\t\t\tdelegator: z.string(),\n\t\t\t\t\tdelegatee: z.string(),\n\t\t\t\t\tpermissions: z.array(z.string()),\n\t\t\t\t\tcreatedAt: z.string(),\n\t\t\t\t}),\n\t\t\t)\n\t\t\t.optional(),\n\t\tname: z.string().optional(),\n\t\ttype: z.string().optional(),\n\t})\n\t// Passthrough preserves application-specific fields (e.g. 
audit subject fields)\n\t// so that signature verification can reconstruct the exact signed content.\n\t.passthrough();\n\nexport type CredentialSubject = z.infer<typeof CredentialSubjectSchema>;\n\n// ─── Verifiable Credential ──────────────────────────────────────────────────\n\nexport const VerifiableCredentialSchema = z.object({\n\t\"@context\": z.array(z.string()).min(1),\n\tid: z.string().optional(),\n\ttype: z.array(z.string()).min(1),\n\tissuer: z.union([z.string(), z.object({ id: z.string(), name: z.string().optional() })]),\n\tissuanceDate: z.string(),\n\texpirationDate: z.string().optional(),\n\tcredentialSubject: CredentialSubjectSchema,\n\tcredentialStatus: CredentialStatusSchema.optional(),\n\tproof: ProofSchema.optional(),\n});\n\nexport type VerifiableCredential = z.infer<typeof VerifiableCredentialSchema>;\n\n// ─── Verifiable Presentation ────────────────────────────────────────────────\n\nexport const VerifiablePresentationSchema = z.object({\n\t\"@context\": z.array(z.string()).min(1),\n\tid: z.string().optional(),\n\ttype: z.array(z.string()).min(1),\n\tholder: z.string().optional(),\n\tverifiableCredential: z.array(VerifiableCredentialSchema).min(1),\n\tproof: ProofSchema.optional(),\n});\n\nexport type VerifiablePresentation = z.infer<typeof VerifiablePresentationSchema>;\n\n// ─── Issuer Config ──────────────────────────────────────────────────────────\n\nexport interface VCIssuerConfig {\n\t/** DID of the issuer (e.g. did:key:z6Mk...) */\n\tissuerDid: string;\n\t/** Private key JWK for signing credentials */\n\tprivateKeyJwk: JsonWebKey;\n\t/** Public key JWK for verification method references */\n\tpublicKeyJwk: JsonWebKey;\n\t/** Default credential lifetime in seconds. Default: 86400 (24 hours). */\n\tdefaultTtl?: number;\n\t/** Credential status endpoint base URL (for revocation). Optional. 
*/\n\tstatusEndpoint?: string;\n}\n\n// ─── Verifier Config ────────────────────────────────────────────────────────\n\nexport interface VCVerifierConfig {\n\t/**\n\t * Resolve a DID to its public key JWK.\n\t * If not provided, only credentials with a known public key can be verified.\n\t */\n\tresolveDidKey?: (did: string) => Promise<JsonWebKey | null>;\n\t/**\n\t * Check credential revocation status.\n\t * If not provided, revocation checks are skipped.\n\t */\n\tcheckRevocationStatus?: (status: CredentialStatus) => Promise<boolean>;\n}\n\n// ─── JWT VC Types ───────────────────────────────────────────────────────────\n\n/** Claims embedded in a JWT-encoded Verifiable Credential */\nexport interface VCJwtPayload {\n\tiss: string;\n\tsub?: string;\n\tvc: Omit<VerifiableCredential, \"proof\">;\n\tiat: number;\n\texp?: number;\n\tjti?: string;\n}\n\n/** The format a credential was issued in */\nexport type CredentialFormat = \"jwt\" | \"json-ld\";\n\n/** Result of a successful credential verification */\nexport interface VerifiedCredential {\n\tcredential: VerifiableCredential;\n\tformat: CredentialFormat;\n\tissuer: string;\n\tissuedAt: Date;\n\texpiresAt: Date | null;\n}\n\n/** Result of a successful presentation verification */\nexport interface VerifiedPresentation {\n\tpresentation: VerifiablePresentation;\n\tcredentials: VerifiedCredential[];\n\tholder: string | null;\n}\n\n/** Extracted permissions from a verified credential */\nexport interface ExtractedPermissions {\n\tagentId: string | null;\n\tpermissions: string[];\n\ttrustLevel: number | null;\n\tdelegationScope: string[];\n}\n","/**\n * Export audit records as W3C Verifiable Credentials.\n *\n * Takes a time range of audit log entries and returns either individual\n * credentials per record or a single Verifiable Presentation wrapping\n * all of them. 
Useful for compliance exports that must be\n * cryptographically verifiable (EU AI Act Article 12, SOC 2 CC7).\n *\n * Context URL: https://kavachos.com/contexts/audit/v1.jsonld\n * This context is defined locally — the URL does not need to resolve at\n * runtime. It serves as a stable identifier for the credential schema.\n */\n\nimport { CompactSign, importJWK, SignJWT } from \"jose\";\nimport { generateId } from \"../crypto/web-crypto.js\";\nimport type { AuditEntry } from \"../types.js\";\nimport type {\n\tCredentialSubject,\n\tProof,\n\tVCIssuerConfig,\n\tVerifiableCredential,\n\tVerifiablePresentation,\n} from \"./types.js\";\nimport { VC_CONTEXT_V2, VC_TYPE_CREDENTIAL, VC_TYPE_PRESENTATION } from \"./types.js\";\n\n// ─── Constants ───────────────────────────────────────────────────────────────\n\nexport const KAVACHOS_AUDIT_CREDENTIAL = \"KavachosAuditCredential\";\n\n/**\n * Context URL for KavachosAuditCredential.\n * Defined locally — the URL does not need to resolve at runtime.\n */\nexport const KAVACHOS_AUDIT_CONTEXT = \"https://kavachos.com/contexts/audit/v1.jsonld\";\n\nconst KAVACHOS_VERSION = \"0.3.0\";\nconst DEFAULT_TTL_SECONDS = 86400;\n\n// ─── Types ───────────────────────────────────────────────────────────────────\n\n/** AuditRecord is an alias for AuditEntry used in the VC export surface. */\nexport type AuditRecord = AuditEntry;\n\n/** Options passed to `exportAuditAsVC`. */\nexport interface ExportAuditOptions {\n\t/** Start of the time range (inclusive). */\n\tsince: Date;\n\t/** End of the time range (inclusive). */\n\tuntil: Date;\n\t/**\n\t * DID of the issuer signing the credentials.\n\t * Must match the keypair in `issuerConfig`.\n\t */\n\tissuerDid: string;\n\t/** Private/public keypair config for signing. */\n\tissuerConfig: VCIssuerConfig;\n\t/** Output format. Default: `\"ldp_vc\"` (JSON-LD with embedded proof). */\n\tformat?: \"ldp_vc\" | \"jwt_vc\";\n\t/** Output structure. Default: `\"individual\"` (one VC per record). 
*/\n\toutput?: \"individual\" | \"presentation\";\n\t/** Optional filter applied after the time range query. */\n\tfilter?: (record: AuditRecord) => boolean;\n\t/** Records to export. Pass the results of `listAuditRecords` or `kavach.audit.query()`. */\n\trecords: AuditRecord[];\n}\n\n/** The result of `exportAuditAsVC`. */\nexport interface AuditExportResult {\n\t/**\n\t * Individual credentials — one per audit record.\n\t * When `output === \"presentation\"`, these are also embedded in `presentation`.\n\t */\n\tcredentials: VerifiableCredential[];\n\t/**\n\t * JWT strings when `format === \"jwt_vc\"`. Parallel to `credentials`.\n\t * Pass these to `verifyCredential()` instead of the credential objects.\n\t */\n\tjwts?: string[];\n\t/** Present only when `output === \"presentation\"`. */\n\tpresentation?: VerifiablePresentation;\n\t/** The format used. */\n\tformat: \"ldp_vc\" | \"jwt_vc\";\n\t/** Timestamp of the export run. */\n\tissuedAt: Date;\n\t/** Number of credentials produced. */\n\tcount: number;\n}\n\n/** The credentialSubject for a KavachosAuditCredential. 
*/\nexport interface AuditCredentialSubject {\n\tid: string;\n\tagentId: string;\n\tprincipalId?: string;\n\toperation: string;\n\ttarget: string;\n\tdecision: \"allow\" | \"deny\" | \"approval_required\";\n\tpolicyName?: string;\n\ttimestamp: string;\n\ttraceId?: string;\n\tkavachosVersion: string;\n}\n\n// ─── Decision mapping ────────────────────────────────────────────────────────\n\nfunction toDecision(result: AuditEntry[\"result\"]): \"allow\" | \"deny\" | \"approval_required\" {\n\tif (result === \"allowed\") return \"allow\";\n\t// \"denied\" and \"rate_limited\" both map to deny in the VC decision field\n\treturn \"deny\";\n}\n\n// ─── Credential builder ──────────────────────────────────────────────────────\n\nfunction buildAuditCredential(record: AuditRecord, issuerDid: string): VerifiableCredential {\n\tconst subject: AuditCredentialSubject = {\n\t\tid: record.id,\n\t\tagentId: record.agentId,\n\t\t...(record.userId ? { principalId: record.userId } : {}),\n\t\toperation: record.action,\n\t\ttarget: record.resource,\n\t\tdecision: toDecision(record.result),\n\t\t...(record.reason ? { policyName: record.reason } : {}),\n\t\ttimestamp: record.timestamp.toISOString(),\n\t\tkavachosVersion: KAVACHOS_VERSION,\n\t};\n\n\treturn {\n\t\t\"@context\": [VC_CONTEXT_V2, KAVACHOS_AUDIT_CONTEXT],\n\t\tid: `urn:uuid:${generateId()}`,\n\t\ttype: [VC_TYPE_CREDENTIAL, KAVACHOS_AUDIT_CREDENTIAL],\n\t\tissuer: issuerDid,\n\t\tissuanceDate: new Date().toISOString(),\n\t\texpirationDate: new Date(Date.now() + DEFAULT_TTL_SECONDS * 1000).toISOString(),\n\t\t// Cast: AuditCredentialSubject is intentionally wider than CredentialSubject\n\t\t// because the VC schema uses an open-ended subject. The additional fields\n\t\t// (operation, target, decision, etc.) 
are preserved via spread at runtime.\n\t\tcredentialSubject: subject as unknown as CredentialSubject,\n\t};\n}\n\n// ─── Signing ──────────────────────────────────────────────────────────────────\n\nasync function signAsJsonLd(\n\tcredential: VerifiableCredential,\n\tconfig: VCIssuerConfig,\n): Promise<VerifiableCredential> {\n\tconst { issuerDid, privateKeyJwk } = config;\n\tconst kid = `${issuerDid}#${issuerDid.split(\":\").pop() ?? \"key-1\"}`;\n\tconst key = await importJWK(privateKeyJwk, \"EdDSA\");\n\n\t// Sign the credential body (without proof) as a compact JWS\n\tconst { proof: _proof, ...vcWithoutProof } = credential;\n\tconst payload = new TextEncoder().encode(JSON.stringify(vcWithoutProof));\n\n\tconst jws = await new CompactSign(payload).setProtectedHeader({ alg: \"EdDSA\", kid }).sign(key);\n\n\tconst proof: Proof = {\n\t\ttype: \"JsonWebSignature2020\",\n\t\tcreated: new Date().toISOString(),\n\t\tverificationMethod: kid,\n\t\tproofPurpose: \"assertionMethod\",\n\t\tjws,\n\t};\n\n\treturn { ...credential, proof };\n}\n\nasync function signAsJwt(\n\tcredential: VerifiableCredential,\n\tconfig: VCIssuerConfig,\n): Promise<{ credential: VerifiableCredential; jwt: string }> {\n\tconst { issuerDid, privateKeyJwk } = config;\n\tconst ttl = config.defaultTtl ?? DEFAULT_TTL_SECONDS;\n\tconst kid = `${issuerDid}#${issuerDid.split(\":\").pop() ?? 
\"key-1\"}`;\n\tconst key = await importJWK(privateKeyJwk, \"EdDSA\");\n\n\tconst { proof: _proof, ...vcWithoutProof } = credential;\n\n\tconst builder = new SignJWT({ vc: vcWithoutProof })\n\t\t.setProtectedHeader({ alg: \"EdDSA\", kid, typ: \"JWT\" })\n\t\t.setIssuer(issuerDid)\n\t\t.setIssuedAt()\n\t\t.setExpirationTime(Math.floor(Date.now() / 1000) + ttl);\n\n\tif (credential.id) builder.setJti(credential.id);\n\tif (credential.credentialSubject.id) builder.setSubject(credential.credentialSubject.id);\n\n\tconst jwt = await builder.sign(key);\n\treturn { credential, jwt };\n}\n\nasync function signPresentationAsJsonLd(\n\tpresentation: VerifiablePresentation,\n\tconfig: VCIssuerConfig,\n): Promise<VerifiablePresentation> {\n\tconst { issuerDid, privateKeyJwk } = config;\n\tconst kid = `${issuerDid}#${issuerDid.split(\":\").pop() ?? \"key-1\"}`;\n\tconst key = await importJWK(privateKeyJwk, \"EdDSA\");\n\n\tconst { proof: _proof, ...vpWithoutProof } = presentation;\n\tconst payload = new TextEncoder().encode(JSON.stringify(vpWithoutProof));\n\n\tconst jws = await new CompactSign(payload).setProtectedHeader({ alg: \"EdDSA\", kid }).sign(key);\n\n\tconst proof: Proof = {\n\t\ttype: \"JsonWebSignature2020\",\n\t\tcreated: new Date().toISOString(),\n\t\tverificationMethod: kid,\n\t\tproofPurpose: \"assertionMethod\",\n\t\tjws,\n\t};\n\n\treturn { ...presentation, proof };\n}\n\n// ─── Public API ───────────────────────────────────────────────────────────────\n\n/**\n * Export a set of audit records as Verifiable Credentials.\n *\n * Pass `records` from `kavach.audit.query()` or `listAuditRecords`.\n * The function applies the optional `filter`, signs each record with\n * the issuer keypair, and returns either individual VCs or a single\n * Verifiable Presentation.\n *\n * ```ts\n * const result = await exportAuditAsVC({\n * since: new Date('2025-01-01'),\n * until: new Date('2025-01-31'),\n * issuerDid: keyPair.did,\n * issuerConfig: {\n * issuerDid: keyPair.did,\n 
* privateKeyJwk: keyPair.privateKeyJwk,\n * publicKeyJwk: keyPair.publicKeyJwk,\n * },\n * records,\n * });\n * console.log(result.count); // 42\n * ```\n */\nexport async function exportAuditAsVC(options: ExportAuditOptions): Promise<AuditExportResult> {\n\tconst {\n\t\tsince,\n\t\tuntil,\n\t\tissuerDid,\n\t\tissuerConfig,\n\t\tformat = \"ldp_vc\",\n\t\toutput = \"individual\",\n\t\tfilter,\n\t\trecords,\n\t} = options;\n\n\t// Apply time range filter first\n\tconst inRange = records.filter((r) => {\n\t\tconst t = r.timestamp.getTime();\n\t\treturn t >= since.getTime() && t <= until.getTime();\n\t});\n\n\t// Apply caller-supplied filter if provided\n\tconst filtered = filter ? inRange.filter(filter) : inRange;\n\n\tif (filtered.length === 0) {\n\t\treturn {\n\t\t\tcredentials: [],\n\t\t\tformat,\n\t\t\tissuedAt: new Date(),\n\t\t\tcount: 0,\n\t\t};\n\t}\n\n\tconst credentials: VerifiableCredential[] = [];\n\tconst jwts: string[] = [];\n\n\tfor (const record of filtered) {\n\t\tconst base = buildAuditCredential(record, issuerDid);\n\n\t\tif (format === \"jwt_vc\") {\n\t\t\tconst { credential, jwt } = await signAsJwt(base, issuerConfig);\n\t\t\tcredentials.push(credential);\n\t\t\tjwts.push(jwt);\n\t\t} else {\n\t\t\tconst signed = await signAsJsonLd(base, issuerConfig);\n\t\t\tcredentials.push(signed);\n\t\t}\n\t}\n\n\tconst issuedAt = new Date();\n\n\tif (output === \"individual\") {\n\t\treturn {\n\t\t\tcredentials,\n\t\t\t...(format === \"jwt_vc\" ? { jwts } : {}),\n\t\t\tformat,\n\t\t\tissuedAt,\n\t\t\tcount: credentials.length,\n\t\t};\n\t}\n\n\t// Build a Verifiable Presentation wrapping all credentials\n\tconst basePresentation: VerifiablePresentation = {\n\t\t\"@context\": [VC_CONTEXT_V2, KAVACHOS_AUDIT_CONTEXT],\n\t\tid: `urn:uuid:${generateId()}`,\n\t\ttype: [VC_TYPE_PRESENTATION],\n\t\tholder: issuerDid,\n\t\tverifiableCredential: credentials,\n\t};\n\n\tconst presentation =\n\t\tformat === \"jwt_vc\"\n\t\t\t? 
basePresentation\n\t\t\t: await signPresentationAsJsonLd(basePresentation, issuerConfig);\n\n\treturn {\n\t\tcredentials,\n\t\t...(format === \"jwt_vc\" ? { jwts } : {}),\n\t\tpresentation,\n\t\tformat,\n\t\tissuedAt,\n\t\tcount: credentials.length,\n\t};\n}\n\n/**\n * Filter audit records by time range with an optional predicate.\n *\n * Convenience helper for callers that already have records in memory\n * and want to slice them before passing to `exportAuditAsVC`.\n *\n * ```ts\n * const records = await kavach.audit.query({ since, until });\n * const denyRecords = listAuditRecords(records, since, until, r => r.result === 'denied');\n * ```\n */\nexport function listAuditRecords(\n\trecords: AuditRecord[],\n\tsince: Date,\n\tuntil: Date,\n\tfilter?: (record: AuditRecord) => boolean,\n): AuditRecord[] {\n\tconst inRange = records.filter((r) => {\n\t\tconst t = r.timestamp.getTime();\n\t\treturn t >= since.getTime() && t <= until.getTime();\n\t});\n\n\treturn filter ? inRange.filter(filter) : inRange;\n}\n","/**\n * W3C Verifiable Credential issuance for KavachOS.\n *\n * Issues VCs as JWT (compact JWS) or JSON-LD with embedded proof.\n * Credentials encode agent identity, permissions, and delegation chains\n * so agents can prove their capabilities to any verifier without\n * a network call back to KavachOS.\n */\n\nimport { importJWK, SignJWT } from \"jose\";\nimport { generateId } from \"../crypto/web-crypto.js\";\nimport type { KavachError, Result } from \"../mcp/types.js\";\nimport type {\n\tCredentialFormat,\n\tCredentialSubject,\n\tProof,\n\tVCIssuerConfig,\n\tVerifiableCredential,\n} from \"./types.js\";\nimport {\n\tKAVACH_AGENT_CREDENTIAL,\n\tKAVACH_DELEGATION_CREDENTIAL,\n\tKAVACH_PERMISSION_CREDENTIAL,\n\tVC_CONTEXT_V2,\n\tVC_TYPE_CREDENTIAL,\n} from \"./types.js\";\n\n// ─── Constants ──────────────────────────────────────────────────────────────\n\nconst DEFAULT_TTL_SECONDS = 86400; // 24 hours\n\n// ─── Helpers 
────────────────────────────────────────────────────────────────\n\nfunction makeError(code: string, message: string, details?: Record<string, unknown>): KavachError {\n\treturn { code, message, ...(details !== undefined ? { details } : {}) };\n}\n\nfunction nowISO(): string {\n\treturn new Date().toISOString();\n}\n\nfunction futureISO(seconds: number): string {\n\treturn new Date(Date.now() + seconds * 1000).toISOString();\n}\n\n// ─── Agent Credential Input ─────────────────────────────────────────────────\n\nexport interface IssueAgentCredentialInput {\n\t/** Agent ID (used as credentialSubject.id and sub claim) */\n\tagentId: string;\n\t/** Agent name */\n\tname?: string;\n\t/** Agent type (e.g. \"autonomous\", \"supervised\") */\n\tagentType?: string;\n\t/** Permissions granted to this agent */\n\tpermissions?: string[];\n\t/** Trust score between 0 and 1 */\n\ttrustLevel?: number;\n\t/** Credential lifetime in seconds. Overrides the issuer default. */\n\tttl?: number;\n\t/** Output format. Default: \"jwt\". */\n\tformat?: CredentialFormat;\n}\n\n// ─── Permission Credential Input ────────────────────────────────────────────\n\nexport interface IssuePermissionCredentialInput {\n\t/** Agent DID or ID that receives the permissions */\n\tagentId: string;\n\t/** Permissions being granted */\n\tpermissions: string[];\n\t/** Credential lifetime in seconds. Overrides the issuer default. */\n\tttl?: number;\n\t/** Output format. Default: \"jwt\". 
*/\n\tformat?: CredentialFormat;\n}\n\n// ─── Delegation Credential Input ────────────────────────────────────────────\n\nexport interface DelegationLink {\n\tdelegator: string;\n\tdelegatee: string;\n\tpermissions: string[];\n\tcreatedAt: string;\n}\n\nexport interface IssueDelegationCredentialInput {\n\t/** The agent at the end of the delegation chain */\n\tagentId: string;\n\t/** Ordered delegation chain from root to leaf */\n\tchain: DelegationLink[];\n\t/** Scope of delegated permissions (subset of original) */\n\tdelegationScope?: string[];\n\t/** Credential lifetime in seconds. Overrides the issuer default. */\n\tttl?: number;\n\t/** Output format. Default: \"jwt\". */\n\tformat?: CredentialFormat;\n}\n\n// ─── VC Issuer Interface ────────────────────────────────────────────────────\n\nexport interface VCIssuer {\n\t/** Issue a VC encoding agent identity, permissions, and trust score */\n\tissueAgentCredential(\n\t\tinput: IssueAgentCredentialInput,\n\t): Promise<Result<{ credential: VerifiableCredential; jwt?: string }>>;\n\t/** Issue a VC for specific permission grants */\n\tissuePermissionCredential(\n\t\tinput: IssuePermissionCredentialInput,\n\t): Promise<Result<{ credential: VerifiableCredential; jwt?: string }>>;\n\t/** Issue a VC encoding a delegation chain */\n\tissueDelegationCredential(\n\t\tinput: IssueDelegationCredentialInput,\n\t): Promise<Result<{ credential: VerifiableCredential; jwt?: string }>>;\n\t/** The DID of this issuer */\n\treadonly issuerDid: string;\n}\n\n// ─── Factory ────────────────────────────────────────────────────────────────\n\n/**\n * Create a VC issuer bound to a specific DID and keypair.\n *\n * The issuer can produce credentials in JWT or JSON-LD format.\n * JWT credentials are signed as a compact JWS with the VC embedded\n * in the `vc` claim. 
JSON-LD credentials carry an embedded proof.\n */\nexport function createVCIssuer(config: VCIssuerConfig): VCIssuer {\n\tconst { issuerDid, privateKeyJwk, defaultTtl = DEFAULT_TTL_SECONDS } = config;\n\n\tconst kid = `${issuerDid}#${issuerDid.split(\":\").pop() ?? \"key-1\"}`;\n\n\tasync function signAsJwt(\n\t\tcredential: VerifiableCredential,\n\t\tsubject: string | undefined,\n\t\tttl: number,\n\t): Promise<Result<{ credential: VerifiableCredential; jwt: string }>> {\n\t\ttry {\n\t\t\tconst key = await importJWK(privateKeyJwk, \"EdDSA\");\n\n\t\t\t// Strip proof from the VC when embedding in JWT — the JWT signature is the proof\n\t\t\tconst { proof: _proof, ...vcWithoutProof } = credential;\n\n\t\t\tconst builder = new SignJWT({\n\t\t\t\tvc: vcWithoutProof,\n\t\t\t})\n\t\t\t\t.setProtectedHeader({ alg: \"EdDSA\", kid, typ: \"JWT\" })\n\t\t\t\t.setIssuer(issuerDid)\n\t\t\t\t.setIssuedAt()\n\t\t\t\t.setExpirationTime(Math.floor(Date.now() / 1000) + ttl);\n\n\t\t\tif (credential.id) {\n\t\t\t\tbuilder.setJti(credential.id);\n\t\t\t}\n\t\t\tif (subject) {\n\t\t\t\tbuilder.setSubject(subject);\n\t\t\t}\n\n\t\t\tconst jwt = await builder.sign(key);\n\t\t\treturn { success: true, data: { credential, jwt } };\n\t\t} catch (err) {\n\t\t\treturn {\n\t\t\t\tsuccess: false,\n\t\t\t\terror: makeError(\n\t\t\t\t\t\"VC_SIGN_FAILED\",\n\t\t\t\t\terr instanceof Error ? 
err.message : \"Failed to sign credential as JWT\",\n\t\t\t\t),\n\t\t\t};\n\t\t}\n\t}\n\n\tasync function signAsJsonLd(\n\t\tcredential: VerifiableCredential,\n\t): Promise<Result<{ credential: VerifiableCredential }>> {\n\t\ttry {\n\t\t\tconst key = await importJWK(privateKeyJwk, \"EdDSA\");\n\n\t\t\t// Create a JWS over the credential without proof\n\t\t\tconst { proof: _proof, ...vcWithoutProof } = credential;\n\t\t\tconst payload = new TextEncoder().encode(JSON.stringify(vcWithoutProof));\n\n\t\t\tconst { CompactSign } = await import(\"jose\");\n\t\t\tconst jws = await new CompactSign(payload)\n\t\t\t\t.setProtectedHeader({ alg: \"EdDSA\", kid })\n\t\t\t\t.sign(key);\n\n\t\t\tconst proof: Proof = {\n\t\t\t\ttype: \"JsonWebSignature2020\",\n\t\t\t\tcreated: nowISO(),\n\t\t\t\tverificationMethod: kid,\n\t\t\t\tproofPurpose: \"assertionMethod\",\n\t\t\t\tjws,\n\t\t\t};\n\n\t\t\tconst signedCredential: VerifiableCredential = {\n\t\t\t\t...credential,\n\t\t\t\tproof,\n\t\t\t};\n\n\t\t\treturn { success: true, data: { credential: signedCredential } };\n\t\t} catch (err) {\n\t\t\treturn {\n\t\t\t\tsuccess: false,\n\t\t\t\terror: makeError(\n\t\t\t\t\t\"VC_SIGN_FAILED\",\n\t\t\t\t\terr instanceof Error ? err.message : \"Failed to sign credential as JSON-LD\",\n\t\t\t\t),\n\t\t\t};\n\t\t}\n\t}\n\n\tfunction buildCredential(\n\t\ttypes: string[],\n\t\tsubject: CredentialSubject,\n\t\tttl: number,\n\t\texpirationDate?: string,\n\t): VerifiableCredential {\n\t\treturn {\n\t\t\t\"@context\": [VC_CONTEXT_V2],\n\t\t\tid: `urn:uuid:${generateId()}`,\n\t\t\ttype: [VC_TYPE_CREDENTIAL, ...types],\n\t\t\tissuer: issuerDid,\n\t\t\tissuanceDate: nowISO(),\n\t\t\texpirationDate: expirationDate ?? 
futureISO(ttl),\n\t\t\tcredentialSubject: subject,\n\t\t};\n\t}\n\n\tasync function signCredential(\n\t\tcredential: VerifiableCredential,\n\t\tsubject: string | undefined,\n\t\tttl: number,\n\t\tformat: CredentialFormat,\n\t): Promise<Result<{ credential: VerifiableCredential; jwt?: string }>> {\n\t\tif (format === \"jwt\") {\n\t\t\treturn signAsJwt(credential, subject, ttl);\n\t\t}\n\t\treturn signAsJsonLd(credential);\n\t}\n\n\t// ── Public API ────────────────────────────────────────────────────────\n\n\tasync function issueAgentCredential(\n\t\tinput: IssueAgentCredentialInput,\n\t): Promise<Result<{ credential: VerifiableCredential; jwt?: string }>> {\n\t\tconst {\n\t\t\tagentId,\n\t\t\tname,\n\t\t\tagentType,\n\t\t\tpermissions,\n\t\t\ttrustLevel,\n\t\t\tttl = defaultTtl,\n\t\t\tformat = \"jwt\",\n\t\t} = input;\n\n\t\tif (!agentId) {\n\t\t\treturn {\n\t\t\t\tsuccess: false,\n\t\t\t\terror: makeError(\"VC_INVALID_INPUT\", \"agentId is required\"),\n\t\t\t};\n\t\t}\n\n\t\tif (trustLevel !== undefined && (trustLevel < 0 || trustLevel > 1)) {\n\t\t\treturn {\n\t\t\t\tsuccess: false,\n\t\t\t\terror: makeError(\"VC_INVALID_INPUT\", \"trustLevel must be between 0 and 1\"),\n\t\t\t};\n\t\t}\n\n\t\tconst subject: CredentialSubject = {\n\t\t\tid: agentId,\n\t\t\tagentId,\n\t\t\t...(name !== undefined ? { name } : {}),\n\t\t\t...(agentType !== undefined ? { type: agentType } : {}),\n\t\t\t...(permissions !== undefined ? { permissions } : {}),\n\t\t\t...(trustLevel !== undefined ? 
{ trustLevel } : {}),\n\t\t};\n\n\t\tconst credential = buildCredential([KAVACH_AGENT_CREDENTIAL], subject, ttl);\n\t\treturn signCredential(credential, agentId, ttl, format);\n\t}\n\n\tasync function issuePermissionCredential(\n\t\tinput: IssuePermissionCredentialInput,\n\t): Promise<Result<{ credential: VerifiableCredential; jwt?: string }>> {\n\t\tconst { agentId, permissions, ttl = defaultTtl, format = \"jwt\" } = input;\n\n\t\tif (!agentId) {\n\t\t\treturn {\n\t\t\t\tsuccess: false,\n\t\t\t\terror: makeError(\"VC_INVALID_INPUT\", \"agentId is required\"),\n\t\t\t};\n\t\t}\n\n\t\tif (!permissions || permissions.length === 0) {\n\t\t\treturn {\n\t\t\t\tsuccess: false,\n\t\t\t\terror: makeError(\"VC_INVALID_INPUT\", \"At least one permission is required\"),\n\t\t\t};\n\t\t}\n\n\t\tconst subject: CredentialSubject = {\n\t\t\tid: agentId,\n\t\t\tagentId,\n\t\t\tpermissions,\n\t\t};\n\n\t\tconst credential = buildCredential([KAVACH_PERMISSION_CREDENTIAL], subject, ttl);\n\t\treturn signCredential(credential, agentId, ttl, format);\n\t}\n\n\tasync function issueDelegationCredential(\n\t\tinput: IssueDelegationCredentialInput,\n\t): Promise<Result<{ credential: VerifiableCredential; jwt?: string }>> {\n\t\tconst { agentId, chain, delegationScope, ttl = defaultTtl, format = \"jwt\" } = input;\n\n\t\tif (!agentId) {\n\t\t\treturn {\n\t\t\t\tsuccess: false,\n\t\t\t\terror: makeError(\"VC_INVALID_INPUT\", \"agentId is required\"),\n\t\t\t};\n\t\t}\n\n\t\tif (!chain || chain.length === 0) {\n\t\t\treturn {\n\t\t\t\tsuccess: false,\n\t\t\t\terror: makeError(\"VC_INVALID_INPUT\", \"Delegation chain must have at least one link\"),\n\t\t\t};\n\t\t}\n\n\t\tconst subject: CredentialSubject = {\n\t\t\tid: agentId,\n\t\t\tagentId,\n\t\t\tdelegationChain: chain,\n\t\t\t...(delegationScope !== undefined ? 
{ delegationScope } : {}),\n\t\t};\n\n\t\tconst credential = buildCredential([KAVACH_DELEGATION_CREDENTIAL], subject, ttl);\n\t\treturn signCredential(credential, agentId, ttl, format);\n\t}\n\n\treturn {\n\t\tissueAgentCredential,\n\t\tissuePermissionCredential,\n\t\tissueDelegationCredential,\n\t\tissuerDid,\n\t};\n}\n","/**\n * W3C Verifiable Credential verification for KavachOS.\n *\n * Verifies credentials in both JWT and JSON-LD formats. Checks\n * signatures, expiry, and optional revocation status. Extracts\n * KavachOS-specific permissions from verified credentials.\n */\n\nimport { compactVerify, importJWK, errors as joseErrors, jwtVerify } from \"jose\";\nimport type { KavachError, Result } from \"../mcp/types.js\";\nimport type {\n\tCredentialFormat,\n\tExtractedPermissions,\n\tVCVerifierConfig,\n\tVerifiableCredential,\n\tVerifiablePresentation,\n\tVerifiedCredential,\n\tVerifiedPresentation,\n} from \"./types.js\";\nimport { VerifiableCredentialSchema, VerifiablePresentationSchema } from \"./types.js\";\n\n// ─── Helpers ────────────────────────────────────────────────────────────────\n\nfunction makeError(code: string, message: string, details?: Record<string, unknown>): KavachError {\n\treturn { code, message, ...(details !== undefined ? 
{ details } : {}) };\n}\n\nfunction getIssuerString(issuer: string | { id: string; name?: string }): string {\n\tif (typeof issuer === \"string\") return issuer;\n\treturn issuer.id;\n}\n\n// ─── VC Verifier Interface ──────────────────────────────────────────────────\n\nexport interface VCVerifier {\n\t/** Verify a single credential (JWT string or JSON-LD object) */\n\tverifyCredential(\n\t\tvc: string | VerifiableCredential,\n\t\tpublicKeyJwk?: JsonWebKey,\n\t): Promise<Result<VerifiedCredential>>;\n\t/** Verify a presentation containing multiple VCs */\n\tverifyPresentation(\n\t\tvp: string | VerifiablePresentation,\n\t\tpublicKeyJwk?: JsonWebKey,\n\t): Promise<Result<VerifiedPresentation>>;\n\t/** Extract KavachOS permissions from a verified credential */\n\textractPermissions(vc: VerifiableCredential): ExtractedPermissions;\n}\n\n// ─── Factory ────────────────────────────────────────────────────────────────\n\n/**\n * Create a VC verifier that checks signatures, expiry, and revocation.\n *\n * The verifier accepts both JWT-encoded and JSON-LD credentials.\n * For JWT credentials, pass the compact JWS string. 
For JSON-LD\n * credentials with embedded proof, pass the credential object.\n */\nexport function createVCVerifier(config: VCVerifierConfig = {}): VCVerifier {\n\tconst { resolveDidKey, checkRevocationStatus } = config;\n\n\tasync function resolveKey(did: string, providedKey?: JsonWebKey): Promise<Result<JsonWebKey>> {\n\t\tif (providedKey) {\n\t\t\treturn { success: true, data: providedKey };\n\t\t}\n\n\t\tif (resolveDidKey) {\n\t\t\tconst resolved = await resolveDidKey(did);\n\t\t\tif (resolved) {\n\t\t\t\treturn { success: true, data: resolved };\n\t\t\t}\n\t\t}\n\n\t\treturn {\n\t\t\tsuccess: false,\n\t\t\terror: makeError(\"VC_KEY_NOT_FOUND\", `Could not resolve public key for DID: ${did}`),\n\t\t};\n\t}\n\n\tasync function verifyJwtCredential(\n\t\tjwt: string,\n\t\tprovidedKey?: JsonWebKey,\n\t): Promise<Result<VerifiedCredential>> {\n\t\ttry {\n\t\t\t// Decode the header to get the kid, then resolve the key\n\t\t\tconst parts = jwt.split(\".\");\n\t\t\tif (parts.length !== 3) {\n\t\t\t\treturn {\n\t\t\t\t\tsuccess: false,\n\t\t\t\t\terror: makeError(\"VC_INVALID_JWT\", \"JWT must have three parts\"),\n\t\t\t\t};\n\t\t\t}\n\n\t\t\t// First pass: decode without verification to extract issuer\n\t\t\tconst payloadB64 = parts[1];\n\t\t\tif (!payloadB64) {\n\t\t\t\treturn {\n\t\t\t\t\tsuccess: false,\n\t\t\t\t\terror: makeError(\"VC_INVALID_JWT\", \"JWT payload is missing\"),\n\t\t\t\t};\n\t\t\t}\n\t\t\tconst rawPayload = JSON.parse(\n\t\t\t\tnew TextDecoder().decode(\n\t\t\t\t\tUint8Array.from(atob(payloadB64.replace(/-/g, \"+\").replace(/_/g, \"/\")), (c) =>\n\t\t\t\t\t\tc.charCodeAt(0),\n\t\t\t\t\t),\n\t\t\t\t),\n\t\t\t) as Record<string, unknown>;\n\n\t\t\tconst issuerDid = typeof rawPayload.iss === \"string\" ? 
rawPayload.iss : null;\n\t\t\tif (!issuerDid) {\n\t\t\t\treturn {\n\t\t\t\t\tsuccess: false,\n\t\t\t\t\terror: makeError(\"VC_NO_ISSUER\", \"JWT has no iss claim\"),\n\t\t\t\t};\n\t\t\t}\n\n\t\t\t// Resolve key\n\t\t\tconst keyResult = await resolveKey(issuerDid, providedKey);\n\t\t\tif (!keyResult.success) return keyResult;\n\n\t\t\tconst publicKey = await importJWK(keyResult.data, \"EdDSA\");\n\t\t\tconst { payload } = await jwtVerify(jwt, publicKey);\n\n\t\t\tconst vcClaim = payload.vc as Record<string, unknown> | undefined;\n\t\t\tif (!vcClaim) {\n\t\t\t\treturn {\n\t\t\t\t\tsuccess: false,\n\t\t\t\t\terror: makeError(\"VC_MISSING_VC_CLAIM\", \"JWT does not contain a vc claim\"),\n\t\t\t\t};\n\t\t\t}\n\n\t\t\t// Reconstruct the full credential from the JWT claims\n\t\t\tconst credential: VerifiableCredential = {\n\t\t\t\t...(vcClaim as unknown as VerifiableCredential),\n\t\t\t\tissuer: issuerDid,\n\t\t\t};\n\n\t\t\t// Validate against schema\n\t\t\tconst parsed = VerifiableCredentialSchema.safeParse(credential);\n\t\t\tif (!parsed.success) {\n\t\t\t\treturn {\n\t\t\t\t\tsuccess: false,\n\t\t\t\t\terror: makeError(\"VC_INVALID_CREDENTIAL\", \"Credential does not match W3C schema\", {\n\t\t\t\t\t\tissues: parsed.error.issues.map((i) => `${i.path.join(\".\")}: ${i.message}`),\n\t\t\t\t\t}),\n\t\t\t\t};\n\t\t\t}\n\n\t\t\t// Check expiry\n\t\t\tif (payload.exp && payload.exp < Math.floor(Date.now() / 1000)) {\n\t\t\t\treturn {\n\t\t\t\t\tsuccess: false,\n\t\t\t\t\terror: makeError(\"VC_EXPIRED\", \"Credential has expired\"),\n\t\t\t\t};\n\t\t\t}\n\n\t\t\t// Check revocation\n\t\t\tif (parsed.data.credentialStatus && checkRevocationStatus) {\n\t\t\t\tconst revoked = await checkRevocationStatus(parsed.data.credentialStatus);\n\t\t\t\tif (revoked) {\n\t\t\t\t\treturn {\n\t\t\t\t\t\tsuccess: false,\n\t\t\t\t\t\terror: makeError(\"VC_REVOKED\", \"Credential has been revoked\"),\n\t\t\t\t\t};\n\t\t\t\t}\n\t\t\t}\n\n\t\t\treturn {\n\t\t\t\tsuccess: true,\n\t\t\t\tdata: 
{\n\t\t\t\t\tcredential: parsed.data,\n\t\t\t\t\tformat: \"jwt\" as CredentialFormat,\n\t\t\t\t\tissuer: issuerDid,\n\t\t\t\t\tissuedAt: new Date((payload.iat ?? 0) * 1000),\n\t\t\t\t\texpiresAt: payload.exp ? new Date(payload.exp * 1000) : null,\n\t\t\t\t},\n\t\t\t};\n\t\t} catch (err) {\n\t\t\t// Distinguish between expiry and other errors\n\t\t\tif (err instanceof joseErrors.JWTExpired) {\n\t\t\t\treturn {\n\t\t\t\t\tsuccess: false,\n\t\t\t\t\terror: makeError(\"VC_EXPIRED\", \"Credential has expired\"),\n\t\t\t\t};\n\t\t\t}\n\t\t\treturn {\n\t\t\t\tsuccess: false,\n\t\t\t\terror: makeError(\n\t\t\t\t\t\"VC_VERIFY_FAILED\",\n\t\t\t\t\terr instanceof Error ? err.message : \"Failed to verify JWT credential\",\n\t\t\t\t),\n\t\t\t};\n\t\t}\n\t}\n\n\tasync function verifyJsonLdCredential(\n\t\tvc: VerifiableCredential,\n\t\tprovidedKey?: JsonWebKey,\n\t): Promise<Result<VerifiedCredential>> {\n\t\t// Validate schema\n\t\tconst parsed = VerifiableCredentialSchema.safeParse(vc);\n\t\tif (!parsed.success) {\n\t\t\treturn {\n\t\t\t\tsuccess: false,\n\t\t\t\terror: makeError(\"VC_INVALID_CREDENTIAL\", \"Credential does not match W3C schema\", {\n\t\t\t\t\tissues: parsed.error.issues.map((i) => `${i.path.join(\".\")}: ${i.message}`),\n\t\t\t\t}),\n\t\t\t};\n\t\t}\n\n\t\tconst credential = parsed.data;\n\n\t\tif (!credential.proof) {\n\t\t\treturn {\n\t\t\t\tsuccess: false,\n\t\t\t\terror: makeError(\"VC_NO_PROOF\", \"JSON-LD credential has no embedded proof\"),\n\t\t\t};\n\t\t}\n\n\t\tif (!credential.proof.jws) {\n\t\t\treturn {\n\t\t\t\tsuccess: false,\n\t\t\t\terror: makeError(\"VC_NO_JWS\", \"Proof does not contain a JWS value\"),\n\t\t\t};\n\t\t}\n\n\t\tconst issuerDid = getIssuerString(credential.issuer);\n\n\t\t// Resolve key\n\t\tconst keyResult = await resolveKey(issuerDid, providedKey);\n\t\tif (!keyResult.success) return keyResult;\n\n\t\ttry {\n\t\t\tconst publicKey = await importJWK(keyResult.data, \"EdDSA\");\n\n\t\t\t// Verify the JWS\n\t\t\tconst { payload } 
= await compactVerify(credential.proof.jws, publicKey);\n\n\t\t\t// Compare signed content against current credential (minus proof)\n\t\t\tconst { proof: _proof, ...vcWithoutProof } = credential;\n\t\t\tconst signedContent = new TextDecoder().decode(payload);\n\t\t\tconst currentContent = JSON.stringify(vcWithoutProof);\n\n\t\t\tif (signedContent !== currentContent) {\n\t\t\t\treturn {\n\t\t\t\t\tsuccess: false,\n\t\t\t\t\terror: makeError(\"VC_TAMPERED\", \"Credential content does not match the signed payload\"),\n\t\t\t\t};\n\t\t\t}\n\n\t\t\t// Check expiry\n\t\t\tif (credential.expirationDate) {\n\t\t\t\tconst expiry = new Date(credential.expirationDate);\n\t\t\t\tif (expiry <= new Date()) {\n\t\t\t\t\treturn {\n\t\t\t\t\t\tsuccess: false,\n\t\t\t\t\t\terror: makeError(\"VC_EXPIRED\", \"Credential has expired\"),\n\t\t\t\t\t};\n\t\t\t\t}\n\t\t\t}\n\n\t\t\t// Check revocation\n\t\t\tif (credential.credentialStatus && checkRevocationStatus) {\n\t\t\t\tconst revoked = await checkRevocationStatus(credential.credentialStatus);\n\t\t\t\tif (revoked) {\n\t\t\t\t\treturn {\n\t\t\t\t\t\tsuccess: false,\n\t\t\t\t\t\terror: makeError(\"VC_REVOKED\", \"Credential has been revoked\"),\n\t\t\t\t\t};\n\t\t\t\t}\n\t\t\t}\n\n\t\t\treturn {\n\t\t\t\tsuccess: true,\n\t\t\t\tdata: {\n\t\t\t\t\tcredential,\n\t\t\t\t\tformat: \"json-ld\" as CredentialFormat,\n\t\t\t\t\tissuer: issuerDid,\n\t\t\t\t\tissuedAt: new Date(credential.issuanceDate),\n\t\t\t\t\texpiresAt: credential.expirationDate ? new Date(credential.expirationDate) : null,\n\t\t\t\t},\n\t\t\t};\n\t\t} catch (err) {\n\t\t\treturn {\n\t\t\t\tsuccess: false,\n\t\t\t\terror: makeError(\n\t\t\t\t\t\"VC_VERIFY_FAILED\",\n\t\t\t\t\terr instanceof Error ? 
err.message : \"Failed to verify JSON-LD credential\",\n\t\t\t\t),\n\t\t\t};\n\t\t}\n\t}\n\n\t// ── Public API ────────────────────────────────────────────────────────\n\n\tasync function verifyCredential(\n\t\tvc: string | VerifiableCredential,\n\t\tpublicKeyJwk?: JsonWebKey,\n\t): Promise<Result<VerifiedCredential>> {\n\t\tif (typeof vc === \"string\") {\n\t\t\treturn verifyJwtCredential(vc, publicKeyJwk);\n\t\t}\n\t\treturn verifyJsonLdCredential(vc, publicKeyJwk);\n\t}\n\n\tasync function verifyPresentation(\n\t\tvp: string | VerifiablePresentation,\n\t\tpublicKeyJwk?: JsonWebKey,\n\t): Promise<Result<VerifiedPresentation>> {\n\t\tlet presentation: VerifiablePresentation;\n\n\t\tif (typeof vp === \"string\") {\n\t\t\t// JWT-encoded presentation\n\t\t\ttry {\n\t\t\t\tconst parts = vp.split(\".\");\n\t\t\t\tif (parts.length !== 3 || !parts[1]) {\n\t\t\t\t\treturn {\n\t\t\t\t\t\tsuccess: false,\n\t\t\t\t\t\terror: makeError(\"VC_INVALID_JWT\", \"Presentation JWT must have three parts\"),\n\t\t\t\t\t};\n\t\t\t\t}\n\n\t\t\t\tconst payloadB64 = parts[1];\n\t\t\t\tconst rawPayload = JSON.parse(\n\t\t\t\t\tnew TextDecoder().decode(\n\t\t\t\t\t\tUint8Array.from(atob(payloadB64.replace(/-/g, \"+\").replace(/_/g, \"/\")), (c) =>\n\t\t\t\t\t\t\tc.charCodeAt(0),\n\t\t\t\t\t\t),\n\t\t\t\t\t),\n\t\t\t\t) as Record<string, unknown>;\n\n\t\t\t\tconst issuerDid = typeof rawPayload.iss === \"string\" ? 
rawPayload.iss : null;\n\t\t\t\tif (!issuerDid) {\n\t\t\t\t\treturn {\n\t\t\t\t\t\tsuccess: false,\n\t\t\t\t\t\terror: makeError(\"VC_NO_ISSUER\", \"Presentation JWT has no iss claim\"),\n\t\t\t\t\t};\n\t\t\t\t}\n\n\t\t\t\tconst keyResult = await resolveKey(issuerDid, publicKeyJwk);\n\t\t\t\tif (!keyResult.success) return keyResult;\n\n\t\t\t\tconst publicKey = await importJWK(keyResult.data, \"EdDSA\");\n\t\t\t\tconst { payload } = await jwtVerify(vp, publicKey);\n\n\t\t\t\tconst vpClaim = payload.vp as Record<string, unknown> | undefined;\n\t\t\t\tif (!vpClaim) {\n\t\t\t\t\treturn {\n\t\t\t\t\t\tsuccess: false,\n\t\t\t\t\t\terror: makeError(\"VC_MISSING_VP_CLAIM\", \"JWT does not contain a vp claim\"),\n\t\t\t\t\t};\n\t\t\t\t}\n\n\t\t\t\tpresentation = vpClaim as unknown as VerifiablePresentation;\n\t\t\t} catch (err) {\n\t\t\t\treturn {\n\t\t\t\t\tsuccess: false,\n\t\t\t\t\terror: makeError(\n\t\t\t\t\t\t\"VC_VERIFY_FAILED\",\n\t\t\t\t\t\terr instanceof Error ? err.message : \"Failed to verify presentation JWT\",\n\t\t\t\t\t),\n\t\t\t\t};\n\t\t\t}\n\t\t} else {\n\t\t\tpresentation = vp;\n\t\t}\n\n\t\t// Validate schema\n\t\tconst parsed = VerifiablePresentationSchema.safeParse(presentation);\n\t\tif (!parsed.success) {\n\t\t\treturn {\n\t\t\t\tsuccess: false,\n\t\t\t\terror: makeError(\"VC_INVALID_PRESENTATION\", \"Presentation does not match W3C schema\", {\n\t\t\t\t\tissues: parsed.error.issues.map((i) => `${i.path.join(\".\")}: ${i.message}`),\n\t\t\t\t}),\n\t\t\t};\n\t\t}\n\n\t\t// Verify each credential in the presentation\n\t\tconst verifiedCredentials: VerifiedCredential[] = [];\n\t\tfor (const vc of parsed.data.verifiableCredential) {\n\t\t\tconst result = await verifyCredential(vc, publicKeyJwk);\n\t\t\tif (!result.success) {\n\t\t\t\treturn {\n\t\t\t\t\tsuccess: false,\n\t\t\t\t\terror: makeError(\n\t\t\t\t\t\t\"VC_PRESENTATION_CREDENTIAL_INVALID\",\n\t\t\t\t\t\t`Failed to verify credential in presentation: ${result.error.message}`,\n\t\t\t\t\t\t{ 
originalError: result.error },\n\t\t\t\t\t),\n\t\t\t\t};\n\t\t\t}\n\t\t\tverifiedCredentials.push(result.data);\n\t\t}\n\n\t\treturn {\n\t\t\tsuccess: true,\n\t\t\tdata: {\n\t\t\t\tpresentation: parsed.data,\n\t\t\t\tcredentials: verifiedCredentials,\n\t\t\t\tholder: parsed.data.holder ?? null,\n\t\t\t},\n\t\t};\n\t}\n\n\tfunction extractPermissions(vc: VerifiableCredential): ExtractedPermissions {\n\t\tconst subject = vc.credentialSubject;\n\t\treturn {\n\t\t\tagentId: subject.agentId ?? subject.id ?? null,\n\t\t\tpermissions: subject.permissions ?? [],\n\t\t\ttrustLevel: subject.trustLevel ?? null,\n\t\t\tdelegationScope: subject.delegationScope ?? [],\n\t\t};\n\t}\n\n\treturn {\n\t\tverifyCredential,\n\t\tverifyPresentation,\n\t\textractPermissions,\n\t};\n}\n"]}
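--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
  {
  "name": "kavachos",
- "version": "0.3.0",
+ "version": "0.4.0",
  "description": "The auth OS for AI agents - identity, permissions, delegation, and audit for the agentic era",
  "type": "module",
  "main": "dist/index.js",
@@ -128,6 +128,7 @@
  "test": "vitest run",
  "test:watch": "vitest watch",
  "coverage": "vitest run --coverage",
+ "bench": "vitest bench --run",
  "clean": "rm -rf dist .turbo"
  }
  }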