latchkey 2.8.0 → 2.9.0

package/dist/src/gateway/permissionPointer.js

@@ -1,171 +0,0 @@
-/**
- * Optional `x-latchkey-gateway-permission-pointer` header support.
- *
- * The header carries a minimal HS256 JWT whose only payload field is
- * `permissionsConfig`, an absolute path to a `permissions.json` file.
- * When the gateway receives such a header on a `/gateway/...` request and
- * the JWT is valid, it uses the referenced permissions config instead of
- * the default one for that single request.
- *
- * The signing key is derived from the Latchkey encryption key via HKDF-like
- * HMAC-SHA256 with a domain-separation label, so the encryption key itself
- * is never used to sign or verify these JWTs directly.
- */
-import { createHmac, timingSafeEqual } from 'node:crypto';
-import { existsSync, statSync } from 'node:fs';
-import { isAbsolute } from 'node:path';
-/**
- * HTTP header used to carry the permission-pointer JWT. Lowercased to match
- * how Node's `http.IncomingMessage.headers` exposes header names.
- */
-export const PERMISSION_POINTER_HEADER = 'x-latchkey-gateway-permission-pointer';
-/**
- * Domain-separation label mixed into the HMAC that derives the JWT signing
- * key from the Latchkey encryption key. Changing this value invalidates all
- * previously issued tokens.
- */
-const SIGNING_KEY_DERIVATION_LABEL = 'latchkey:gateway:permission-pointer:v1';
-const JWT_HEADER = { alg: 'HS256', typ: 'JWT' };
-const JWT_HEADER_ENCODED = base64UrlEncode(Buffer.from(JSON.stringify(JWT_HEADER), 'utf-8'));
-export class InvalidPermissionPointerError extends Error {
-    constructor(message) {
-        super(message);
-        this.name = 'InvalidPermissionPointerError';
-    }
-}
-export class PermissionPointerFileMissingError extends Error {
-    constructor(filePath) {
-        super(`Permission pointer references missing or invalid file: ${filePath}`);
-        this.name = 'PermissionPointerFileMissingError';
-    }
-}
-function base64UrlEncode(buffer) {
-    return buffer
-        .toString('base64')
-        .replace(/\+/g, '-')
-        .replace(/\//g, '_')
-        .replace(/=+$/, '');
-}
-function base64UrlDecode(value) {
-    const padded = value
-        .replace(/-/g, '+')
-        .replace(/_/g, '/')
-        .padEnd(value.length + ((4 - (value.length % 4)) % 4), '=');
-    return Buffer.from(padded, 'base64');
-}
-/**
- * Derive the HS256 signing key used for permission-pointer JWTs from the
- * Latchkey encryption key. The encryption key is base64-encoded; the
- * derived key is the raw HMAC-SHA256 output (32 bytes).
- */
-export function derivePermissionPointerSigningKey(encryptionKeyBase64) {
-    const masterKey = Buffer.from(encryptionKeyBase64, 'base64');
-    return createHmac('sha256', masterKey).update(SIGNING_KEY_DERIVATION_LABEL).digest();
-}
-/**
- * Build a permission-pointer JWT for the given absolute path. The path is
- * not validated here; callers that want to ensure the file exists must do
- * so before calling this function.
- */
-export function createPermissionPointerJwt(permissionsConfigPath, signingKey) {
-    if (!isAbsolute(permissionsConfigPath)) {
-        throw new InvalidPermissionPointerError(`permissionsConfig path must be absolute: ${permissionsConfigPath}`);
-    }
-    const payload = { permissionsConfig: permissionsConfigPath };
-    const payloadEncoded = base64UrlEncode(Buffer.from(JSON.stringify(payload), 'utf-8'));
-    const signingInput = `${JWT_HEADER_ENCODED}.${payloadEncoded}`;
-    const signature = createHmac('sha256', signingKey).update(signingInput).digest();
-    return `${signingInput}.${base64UrlEncode(signature)}`;
-}
-function parsePayload(payloadEncoded) {
-    let payloadJson;
-    try {
-        payloadJson = base64UrlDecode(payloadEncoded).toString('utf-8');
-    }
-    catch {
-        throw new InvalidPermissionPointerError('Permission pointer payload is not valid base64url.');
-    }
-    let payload;
-    try {
-        payload = JSON.parse(payloadJson);
-    }
-    catch {
-        throw new InvalidPermissionPointerError('Permission pointer payload is not valid JSON.');
-    }
-    if (typeof payload !== 'object' ||
-        payload === null ||
-        !('permissionsConfig' in payload) ||
-        typeof payload.permissionsConfig !== 'string') {
-        throw new InvalidPermissionPointerError("Permission pointer payload must contain a string 'permissionsConfig' field.");
-    }
-    const permissionsConfig = payload.permissionsConfig;
-    if (!isAbsolute(permissionsConfig)) {
-        throw new InvalidPermissionPointerError(`Permission pointer 'permissionsConfig' must be an absolute path: ${permissionsConfig}`);
-    }
-    return { permissionsConfig };
-}
-/**
- * Verify a permission-pointer JWT and return its payload. Throws
- * `InvalidPermissionPointerError` on any structural, signature, or content
- * issue (i.e. anything that should be reported as "the JWT is invalid").
- *
- * This intentionally does not check that the referenced file exists; that
- * concern is handled by `resolvePermissionPointer` so that file-system
- * errors can be reported separately from JWT errors.
- */
-export function verifyPermissionPointerJwt(token, signingKey) {
-    const segments = token.split('.');
-    if (segments.length !== 3) {
-        throw new InvalidPermissionPointerError('Permission pointer JWT must have three dot-separated segments.');
-    }
-    const headerEncoded = segments[0];
-    const payloadEncoded = segments[1];
-    const signatureEncoded = segments[2];
-    let headerJson;
-    try {
-        headerJson = base64UrlDecode(headerEncoded).toString('utf-8');
-    }
-    catch {
-        throw new InvalidPermissionPointerError('Permission pointer header is not valid base64url.');
-    }
-    let header;
-    try {
-        header = JSON.parse(headerJson);
-    }
-    catch {
-        throw new InvalidPermissionPointerError('Permission pointer header is not valid JSON.');
-    }
-    if (typeof header !== 'object' ||
-        header === null ||
-        header.alg !== 'HS256' ||
-        header.typ !== 'JWT') {
-        throw new InvalidPermissionPointerError("Permission pointer header must declare alg='HS256' and typ='JWT'.");
-    }
-    let providedSignature;
-    try {
-        providedSignature = base64UrlDecode(signatureEncoded);
-    }
-    catch {
-        throw new InvalidPermissionPointerError('Permission pointer signature is not valid base64url.');
-    }
-    const expectedSignature = createHmac('sha256', signingKey)
-        .update(`${headerEncoded}.${payloadEncoded}`)
-        .digest();
-    if (providedSignature.length !== expectedSignature.length ||
-        !timingSafeEqual(providedSignature, expectedSignature)) {
-        throw new InvalidPermissionPointerError('Permission pointer signature is invalid.');
-    }
-    return parsePayload(payloadEncoded);
-}
-/**
- * Verify a permission-pointer JWT and additionally require the referenced
- * file to exist as a regular file. Returns the absolute path on success.
- */
-export function resolvePermissionPointer(token, signingKey) {
-    const { permissionsConfig } = verifyPermissionPointerJwt(token, signingKey);
-    if (!existsSync(permissionsConfig) || !statSync(permissionsConfig).isFile()) {
-        throw new PermissionPointerFileMissingError(permissionsConfig);
-    }
-    return permissionsConfig;
-}
-//# sourceMappingURL=permissionPointer.js.map

package/dist/src/gateway/permissionPointer.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"permissionPointer.js","sourceRoot":"","sources":["../../../src/gateway/permissionPointer.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAEH,OAAO,EAAE,UAAU,EAAE,eAAe,EAAE,MAAM,aAAa,CAAC;AAC1D,OAAO,EAAE,UAAU,EAAE,QAAQ,EAAE,MAAM,SAAS,CAAC;AAC/C,OAAO,EAAE,UAAU,EAAE,MAAM,WAAW,CAAC;AAEvC;;;GAGG;AACH,MAAM,CAAC,MAAM,yBAAyB,GAAG,uCAAuC,CAAC;AAEjF;;;;GAIG;AACH,MAAM,4BAA4B,GAAG,wCAAwC,CAAC;AAE9E,MAAM,UAAU,GAAG,EAAE,GAAG,EAAE,OAAO,EAAE,GAAG,EAAE,KAAK,EAAW,CAAC;AACzD,MAAM,kBAAkB,GAAG,eAAe,CAAC,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,UAAU,CAAC,EAAE,OAAO,CAAC,CAAC,CAAC;AAE7F,MAAM,OAAO,6BAA8B,SAAQ,KAAK;IACtD,YAAY,OAAe;QACzB,KAAK,CAAC,OAAO,CAAC,CAAC;QACf,IAAI,CAAC,IAAI,GAAG,+BAA+B,CAAC;IAC9C,CAAC;CACF;AAED,MAAM,OAAO,iCAAkC,SAAQ,KAAK;IAC1D,YAAY,QAAgB;QAC1B,KAAK,CAAC,0DAA0D,QAAQ,EAAE,CAAC,CAAC;QAC5E,IAAI,CAAC,IAAI,GAAG,mCAAmC,CAAC;IAClD,CAAC;CACF;AAED,SAAS,eAAe,CAAC,MAAc;IACrC,OAAO,MAAM;SACV,QAAQ,CAAC,QAAQ,CAAC;SAClB,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC;SACnB,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC;SACnB,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;AACxB,CAAC;AAED,SAAS,eAAe,CAAC,KAAa;IACpC,MAAM,MAAM,GAAG,KAAK;SACjB,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC;SAClB,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC;SAClB,MAAM,CAAC,KAAK,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC,KAAK,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC;IAC9D,OAAO,MAAM,CAAC,IAAI,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC;AACvC,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,iCAAiC,CAAC,mBAA2B;IAC3E,MAAM,SAAS,GAAG,MAAM,CAAC,IAAI,CAAC,mBAAmB,EAAE,QAAQ,CAAC,CAAC;IAC7D,OAAO,UAAU,CAAC,QAAQ,EAAE,SAAS,CAAC,CAAC,MAAM,CAAC,4BAA4B,CAAC,CAAC,MAAM,EAAE,CAAC;AACvF,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,0BAA0B,CACxC,qBAA6B,EAC7B,UAAkB;IAElB,IAAI,CAAC,UAAU,CAAC,qBAAqB,CAAC,EAAE,CAAC;QACvC,MAAM,IAAI,6BAA6B,CACrC,4CAA4C,qBAAqB,EAAE,CACpE,CAAC;IACJ,CAAC;IACD,MAAM,OAAO,GAAG,EAAE,iBAAiB,EAAE,qBAAqB,EAAE,CAAC;IAC7D,MAAM,cAAc,GAAG,eAAe,CAAC,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,EAAE,OAAO,CAAC,CAAC,CAAC;IACtF,MAAM,YAAY,GAAG,GAAG,kBAAkB,IAAI,cAAc,EAAE,CAAC;IAC/D,MAAM,SAAS,GAAG,UAAU,CAAC,QAAQ,EAAE,UAAU,CAAC,CAAC,MAAM,CAAC,YAAY,CAAC,CAAC,MAAM,EAAE,CAAC;IACjF,OAAO,GAAG,YAAY,IAAI,eAAe,CAAC,SAAS,CAAC,EAAE,CAAC;AACzD,CAAC;AAMD,SAAS,YAAY,CAAC,cAAsB;IAC1C,IAAI,WAAmB,CAAC;IACxB,IAAI,CAAC;QACH,WAAW,GAAG,eAAe,CAAC,cAAc,CAAC,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC;IAClE,CAAC;IAAC,MAAM,CAAC;QACP,MAAM,IAAI,6BAA6B,CAAC,oDAAoD,CAAC,CAAC;IAChG,CAAC;IAED,IAAI,OAAgB,CAAC;IACrB,IAAI,CAAC;QACH,OAAO,GAAG,IAAI,CAAC,KAAK,CAAC,WAAW,CAAC,CAAC;IACpC,CAAC;IAAC,MAAM,CAAC;QACP,MAAM,IAAI,6BAA6B,CAAC,+CAA+C,CAAC,CAAC;IAC3F,CAAC;IAED,IACE,OAAO,OAAO,KAAK,QAAQ;QAC3B,OAAO,KAAK,IAAI;QAChB,CAAC,CAAC,mBAAmB,IAAI,OAAO,CAAC;QACjC,OAAQ,OAAmC,CAAC,iBAAiB,KAAK,QAAQ,EAC1E,CAAC;QACD,MAAM,IAAI,6BAA6B,CACrC,6EAA6E,CAC9E,CAAC;IACJ,CAAC;IAED,MAAM,iBAAiB,GAAI,OAAyC,CAAC,iBAAiB,CAAC;IACvF,IAAI,CAAC,UAAU,CAAC,iBAAiB,CAAC,EAAE,CAAC;QACnC,MAAM,IAAI,6BAA6B,CACrC,oEAAoE,iBAAiB,EAAE,CACxF,CAAC;IACJ,CAAC;IAED,OAAO,EAAE,iBAAiB,EAAE,CAAC;AAC/B,CAAC;AAED;;;;;;;;GAQG;AACH,MAAM,UAAU,0BAA0B,CACxC,KAAa,EACb,UAAkB;IAElB,MAAM,QAAQ,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IAClC,IAAI,QAAQ,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC1B,MAAM,IAAI,6BAA6B,CACrC,gEAAgE,CACjE,CAAC;IACJ,CAAC;IACD,MAAM,aAAa,GAAG,QAAQ,CAAC,CAAC,CAAE,CAAC;IACnC,MAAM,cAAc,GAAG,QAAQ,CAAC,CAAC,CAAE,CAAC;IACpC,MAAM,gBAAgB,GAAG,QAAQ,CAAC,CAAC,CAAE,CAAC;IAEtC,IAAI,UAAkB,CAAC;IACvB,IAAI,CAAC;QACH,UAAU,GAAG,eAAe,CAAC,aAAa,CAAC,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC;IAChE,CAAC;IAAC,MAAM,CAAC;QACP,MAAM,IAAI,6BAA6B,CAAC,mDAAmD,CAAC,CAAC;IAC/F,CAAC;IACD,IAAI,MAAe,CAAC;IACpB,IAAI,CAAC;QACH,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,UAAU,CAAC,CAAC;IAClC,CAAC;IAAC,MAAM,CAAC;QACP,MAAM,IAAI,6BAA6B,CAAC,8CAA8C,CAAC,CAAC;IAC1F,CAAC;IACD,IACE,OAAO,MAAM,KAAK,QAAQ;QAC1B,MAAM,KAAK,IAAI;QACd,MAAkC,CAAC,GAAG,KAAK,OAAO;QAClD,MAAkC,CAAC,GAAG,KAAK,KAAK,EACjD,CAAC;QACD,MAAM,IAAI,6BAA6B,CACrC,mEAAmE,CACpE,CAAC;IACJ,CAAC;IAED,IAAI,iBAAyB,CAAC;IAC9B,IAAI,CAAC;QACH,iBAAiB,GAAG,eAAe,CAAC,gBAAgB,CAAC,CAAC;IACxD,CAAC;IAAC,MAAM,CAAC;QACP,MAAM,IAAI,6BAA6B,CAAC,sDAAsD,CAAC,CAAC;IAClG,CAAC;IAED,MAAM,iBAAiB,GAAG,UAAU,CAAC,QAAQ,EAAE,UAAU,CAAC;SACvD,MAAM,CAAC,GAAG,aAAa,IAAI,cAAc,EAAE,CAAC;SAC5C,MAAM,EAAE,CAAC;IAEZ,IACE,iBAAiB,CAAC,MAAM,KAAK,iBAAiB,CAAC,MAAM;QACrD,CAAC,eAAe,CAAC,iBAAiB,EAAE,iBAAiB,CAAC,EACtD,CAAC;QACD,MAAM,IAAI,6BAA6B,CAAC,0CAA0C,CAAC,CAAC;IACtF,CAAC;IAED,OAAO,YAAY,CAAC,cAAc,CAAC,CAAC;AACtC,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,wBAAwB,CAAC,KAAa,EAAE,UAAkB;IACxE,MAAM,EAAE,iBAAiB,EAAE,GAAG,0BAA0B,CAAC,KAAK,EAAE,UAAU,CAAC,CAAC;IAC5E,IAAI,CAAC,UAAU,CAAC,iBAAiB,CAAC,IAAI,CAAC,QAAQ,CAAC,iBAAiB,CAAC,CAAC,MAAM,EAAE,EAAE,CAAC;QAC5E,MAAM,IAAI,iCAAiC,CAAC,iBAAiB,CAAC,CAAC;IACjE,CAAC;IACD,OAAO,iBAAiB,CAAC;AAC3B,CAAC"}

package/dist/tests/encryptedStorageKeyGeneration.test.d.ts

@@ -1,2 +0,0 @@
-export {};
-//# sourceMappingURL=encryptedStorageKeyGeneration.test.d.ts.map

package/dist/tests/encryptedStorageKeyGeneration.test.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"encryptedStorageKeyGeneration.test.d.ts","sourceRoot":"","sources":["../../tests/encryptedStorageKeyGeneration.test.ts"],"names":[],"mappings":""}

package/dist/tests/encryptedStorageKeyGeneration.test.js

@@ -1,23 +0,0 @@
-import { describe, it, expect, vi } from 'vitest';
-import { EncryptedStorage } from '../src/encryptedStorage.js';
-import { EncryptionKeyLostError } from '../src/encryption.js';
-vi.mock('../src/keychain.js', async (importOriginal) => {
-    const original = await importOriginal();
-    return {
-        ...original,
-        retrieveFromKeychain: () => Promise.resolve(null),
-        storeInKeychain: () => Promise.resolve(undefined),
-    };
-});
-describe('EncryptedStorage key generation guard', () => {
-    it('should throw EncryptionKeyLostError when allowKeyGeneration is false and keychain has no key', async () => {
-        await expect(EncryptedStorage.create({ allowKeyGeneration: false })).rejects.toThrow(EncryptionKeyLostError);
-    });
-    it('should generate a new key when allowKeyGeneration is true and keychain has no key', async () => {
-        await expect(EncryptedStorage.create({ allowKeyGeneration: true })).resolves.toBeDefined();
-    });
-    it('should generate a new key when allowKeyGeneration is not set and keychain has no key', async () => {
-        await expect(EncryptedStorage.create({})).resolves.toBeDefined();
-    });
-});
-//# sourceMappingURL=encryptedStorageKeyGeneration.test.js.map

package/dist/tests/encryptedStorageKeyGeneration.test.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"encryptedStorageKeyGeneration.test.js","sourceRoot":"","sources":["../../tests/encryptedStorageKeyGeneration.test.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,EAAE,EAAE,MAAM,EAAE,EAAE,EAAE,MAAM,QAAQ,CAAC;AAClD,OAAO,EAAE,gBAAgB,EAAE,MAAM,4BAA4B,CAAC;AAC9D,OAAO,EAAE,sBAAsB,EAAE,MAAM,sBAAsB,CAAC;AAE9D,EAAE,CAAC,IAAI,CAAC,oBAAoB,EAAE,KAAK,EAAE,cAAc,EAAE,EAAE;IACrD,MAAM,QAAQ,GAAG,MAAM,cAAc,EAAuC,CAAC;IAC7E,OAAO;QACL,GAAG,QAAQ;QACX,oBAAoB,EAAE,GAAG,EAAE,CAAC,OAAO,CAAC,OAAO,CAAC,IAAI,CAAC;QACjD,eAAe,EAAE,GAAG,EAAE,CAAC,OAAO,CAAC,OAAO,CAAC,SAAS,CAAC;KAClD,CAAC;AACJ,CAAC,CAAC,CAAC;AAEH,QAAQ,CAAC,uCAAuC,EAAE,GAAG,EAAE;IACrD,EAAE,CAAC,8FAA8F,EAAE,KAAK,IAAI,EAAE;QAC5G,MAAM,MAAM,CAAC,gBAAgB,CAAC,MAAM,CAAC,EAAE,kBAAkB,EAAE,KAAK,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,OAAO,CAClF,sBAAsB,CACvB,CAAC;IACJ,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,mFAAmF,EAAE,KAAK,IAAI,EAAE;QACjG,MAAM,MAAM,CAAC,gBAAgB,CAAC,MAAM,CAAC,EAAE,kBAAkB,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,WAAW,EAAE,CAAC;IAC7F,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,sFAAsF,EAAE,KAAK,IAAI,EAAE;QACpG,MAAM,MAAM,CAAC,gBAAgB,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,WAAW,EAAE,CAAC;IACnE,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}

package/dist/tests/permissionPointer.test.d.ts

@@ -1,2 +0,0 @@
-export {};
-//# sourceMappingURL=permissionPointer.test.d.ts.map

package/dist/tests/permissionPointer.test.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"permissionPointer.test.d.ts","sourceRoot":"","sources":["../../tests/permissionPointer.test.ts"],"names":[],"mappings":""}

package/dist/tests/permissionPointer.test.js

@@ -1,152 +0,0 @@
-import { describe, it, expect, beforeEach, afterEach } from 'vitest';
-import { createHmac } from 'node:crypto';
-import { mkdtempSync, mkdirSync, rmSync, writeFileSync } from 'node:fs';
-import { join } from 'node:path';
-import { tmpdir } from 'node:os';
-import { createPermissionPointerJwt, derivePermissionPointerSigningKey, InvalidPermissionPointerError, PERMISSION_POINTER_HEADER, PermissionPointerFileMissingError, resolvePermissionPointer, verifyPermissionPointerJwt, } from '../src/gateway/permissionPointer.js';
-const TEST_ENCRYPTION_KEY = 'dGVzdGtleXRlc3RrZXl0ZXN0a2V5dGVzdGtleXRlc3Q=';
-const OTHER_ENCRYPTION_KEY = 'b3RoZXJrZXlvdGhlcmtleW90aGVya2V5b3RoZXJrZXk=';
-describe('PERMISSION_POINTER_HEADER', () => {
-    it('is the lowercase header name', () => {
-        expect(PERMISSION_POINTER_HEADER).toBe('x-latchkey-gateway-permission-pointer');
-    });
-});
-describe('derivePermissionPointerSigningKey', () => {
-    it('produces a deterministic 32-byte key', () => {
-        const a = derivePermissionPointerSigningKey(TEST_ENCRYPTION_KEY);
-        const b = derivePermissionPointerSigningKey(TEST_ENCRYPTION_KEY);
-        expect(a.length).toBe(32);
-        expect(a.equals(b)).toBe(true);
-    });
-    it('produces different keys for different master keys', () => {
-        const a = derivePermissionPointerSigningKey(TEST_ENCRYPTION_KEY);
-        const b = derivePermissionPointerSigningKey(OTHER_ENCRYPTION_KEY);
-        expect(a.equals(b)).toBe(false);
-    });
-    it('does not equal the encryption key itself', () => {
-        const derived = derivePermissionPointerSigningKey(TEST_ENCRYPTION_KEY);
-        const master = Buffer.from(TEST_ENCRYPTION_KEY, 'base64');
-        expect(derived.equals(master)).toBe(false);
-    });
-});
-describe('createPermissionPointerJwt / verifyPermissionPointerJwt', () => {
-    const signingKey = derivePermissionPointerSigningKey(TEST_ENCRYPTION_KEY);
-    it('round-trips an absolute path', () => {
-        const token = createPermissionPointerJwt('/etc/latchkey/permissions.json', signingKey);
-        const payload = verifyPermissionPointerJwt(token, signingKey);
-        expect(payload).toEqual({ permissionsConfig: '/etc/latchkey/permissions.json' });
-    });
-    it('produces a three-segment JWT', () => {
-        const token = createPermissionPointerJwt('/x.json', signingKey);
-        expect(token.split('.')).toHaveLength(3);
-    });
-    it('uses HS256/JWT in the header', () => {
-        const token = createPermissionPointerJwt('/x.json', signingKey);
-        const header = token.split('.')[0];
-        const json = Buffer.from(header.replace(/-/g, '+').replace(/_/g, '/'), 'base64').toString('utf-8');
-        expect(JSON.parse(json)).toEqual({ alg: 'HS256', typ: 'JWT' });
-    });
-    it('payload contains only the permissionsConfig field', () => {
-        const token = createPermissionPointerJwt('/x.json', signingKey);
-        const payload = token.split('.')[1];
-        const json = Buffer.from(payload.replace(/-/g, '+').replace(/_/g, '/'), 'base64').toString('utf-8');
-        expect(JSON.parse(json)).toEqual({ permissionsConfig: '/x.json' });
-    });
-    it('rejects creation for non-absolute paths', () => {
-        expect(() => createPermissionPointerJwt('relative/path.json', signingKey)).toThrow(InvalidPermissionPointerError);
-    });
-    it('rejects tokens signed with a different key', () => {
-        const otherKey = derivePermissionPointerSigningKey(OTHER_ENCRYPTION_KEY);
-        const token = createPermissionPointerJwt('/x.json', otherKey);
-        expect(() => verifyPermissionPointerJwt(token, signingKey)).toThrow(InvalidPermissionPointerError);
-    });
-    it('rejects tokens with a tampered payload', () => {
-        const token = createPermissionPointerJwt('/x.json', signingKey);
-        const [header, , signature] = token.split('.');
-        const tamperedPayload = Buffer.from(JSON.stringify({ permissionsConfig: '/y.json' }), 'utf-8')
-            .toString('base64')
-            .replace(/\+/g, '-')
-            .replace(/\//g, '_')
-            .replace(/=+$/, '');
-        const tampered = `${header}.${tamperedPayload}.${signature}`;
-        expect(() => verifyPermissionPointerJwt(tampered, signingKey)).toThrow(InvalidPermissionPointerError);
-    });
-    it('rejects tokens that do not have three segments', () => {
-        expect(() => verifyPermissionPointerJwt('a.b', signingKey)).toThrow(InvalidPermissionPointerError);
-        expect(() => verifyPermissionPointerJwt('a.b.c.d', signingKey)).toThrow(InvalidPermissionPointerError);
-    });
-    function base64Url(value) {
-        return Buffer.from(value, 'utf-8')
-            .toString('base64')
-            .replace(/\+/g, '-')
-            .replace(/\//g, '_')
-            .replace(/=+$/, '');
-    }
-    function buildSignedToken(headerJson, payloadJson) {
-        const headerSegment = base64Url(headerJson);
-        const payloadSegment = base64Url(payloadJson);
-        const signature = createHmac('sha256', signingKey)
-            .update(`${headerSegment}.${payloadSegment}`)
-            .digest()
-            .toString('base64')
-            .replace(/\+/g, '-')
-            .replace(/\//g, '_')
-            .replace(/=+$/, '');
-        return `${headerSegment}.${payloadSegment}.${signature}`;
-    }
-    it('rejects tokens whose payload is not valid JSON', () => {
-        // Sign a payload that is base64url of "not-json" so we hit the JSON parse
-        // error rather than the signature mismatch error first.
-        const headerSegment = base64Url(JSON.stringify({ alg: 'HS256', typ: 'JWT' }));
-        const payloadSegment = base64Url('not-json');
-        const signature = createHmac('sha256', signingKey)
-            .update(`${headerSegment}.${payloadSegment}`)
-            .digest()
-            .toString('base64')
-            .replace(/\+/g, '-')
-            .replace(/\//g, '_')
-            .replace(/=+$/, '');
-        const token = `${headerSegment}.${payloadSegment}.${signature}`;
-        expect(() => verifyPermissionPointerJwt(token, signingKey)).toThrow(InvalidPermissionPointerError);
-    });
-    it('rejects payloads without permissionsConfig', () => {
-        const token = buildSignedToken(JSON.stringify({ alg: 'HS256', typ: 'JWT' }), JSON.stringify({ other: '/x.json' }));
-        expect(() => verifyPermissionPointerJwt(token, signingKey)).toThrow(InvalidPermissionPointerError);
-    });
-    it('rejects payloads whose permissionsConfig is not absolute', () => {
-        const token = buildSignedToken(JSON.stringify({ alg: 'HS256', typ: 'JWT' }), JSON.stringify({ permissionsConfig: 'relative.json' }));
-        expect(() => verifyPermissionPointerJwt(token, signingKey)).toThrow(InvalidPermissionPointerError);
-    });
-    it('rejects headers with the wrong algorithm', () => {
-        const token = buildSignedToken(JSON.stringify({ alg: 'none', typ: 'JWT' }), JSON.stringify({ permissionsConfig: '/x.json' }));
-        expect(() => verifyPermissionPointerJwt(token, signingKey)).toThrow(InvalidPermissionPointerError);
-    });
-});
-describe('resolvePermissionPointer', () => {
-    const signingKey = derivePermissionPointerSigningKey(TEST_ENCRYPTION_KEY);
-    let tempDir;
-    beforeEach(() => {
-        tempDir = mkdtempSync(join(tmpdir(), 'latchkey-pp-test-'));
-    });
-    afterEach(() => {
-        rmSync(tempDir, { recursive: true, force: true });
-    });
-    it('returns the path when the file exists', () => {
-        const path = join(tempDir, 'permissions.json');
-        writeFileSync(path, '{}');
-        const token = createPermissionPointerJwt(path, signingKey);
-        expect(resolvePermissionPointer(token, signingKey)).toBe(path);
-    });
-    it('throws PermissionPointerFileMissingError when the file is absent', () => {
-        const path = join(tempDir, 'does-not-exist.json');
-        const token = createPermissionPointerJwt(path, signingKey);
-        expect(() => resolvePermissionPointer(token, signingKey)).toThrow(PermissionPointerFileMissingError);
-    });
-    it('throws PermissionPointerFileMissingError when the path is a directory', () => {
-        const path = join(tempDir, 'subdir');
-        mkdirSync(path);
-        const token = createPermissionPointerJwt(path, signingKey);
-        expect(() => resolvePermissionPointer(token, signingKey)).toThrow(PermissionPointerFileMissingError);
-    });
-});
-//# sourceMappingURL=permissionPointer.test.js.map

package/dist/tests/permissionPointer.test.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"permissionPointer.test.js","sourceRoot":"","sources":["../../tests/permissionPointer.test.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,EAAE,EAAE,MAAM,EAAE,UAAU,EAAE,SAAS,EAAE,MAAM,QAAQ,CAAC;AACrE,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AACzC,OAAO,EAAE,WAAW,EAAE,SAAS,EAAE,MAAM,EAAE,aAAa,EAAE,MAAM,SAAS,CAAC;AACxE,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AACjC,OAAO,EAAE,MAAM,EAAE,MAAM,SAAS,CAAC;AACjC,OAAO,EACL,0BAA0B,EAC1B,iCAAiC,EACjC,6BAA6B,EAC7B,yBAAyB,EACzB,iCAAiC,EACjC,wBAAwB,EACxB,0BAA0B,GAC3B,MAAM,qCAAqC,CAAC;AAE7C,MAAM,mBAAmB,GAAG,8CAA8C,CAAC;AAC3E,MAAM,oBAAoB,GAAG,8CAA8C,CAAC;AAE5E,QAAQ,CAAC,2BAA2B,EAAE,GAAG,EAAE;IACzC,EAAE,CAAC,8BAA8B,EAAE,GAAG,EAAE;QACtC,MAAM,CAAC,yBAAyB,CAAC,CAAC,IAAI,CAAC,uCAAuC,CAAC,CAAC;IAClF,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,QAAQ,CAAC,mCAAmC,EAAE,GAAG,EAAE;IACjD,EAAE,CAAC,sCAAsC,EAAE,GAAG,EAAE;QAC9C,MAAM,CAAC,GAAG,iCAAiC,CAAC,mBAAmB,CAAC,CAAC;QACjE,MAAM,CAAC,GAAG,iCAAiC,CAAC,mBAAmB,CAAC,CAAC;QACjE,MAAM,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QAC1B,MAAM,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IACjC,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,mDAAmD,EAAE,GAAG,EAAE;QAC3D,MAAM,CAAC,GAAG,iCAAiC,CAAC,mBAAmB,CAAC,CAAC;QACjE,MAAM,CAAC,GAAG,iCAAiC,CAAC,oBAAoB,CAAC,CAAC;QAClE,MAAM,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IAClC,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,0CAA0C,EAAE,GAAG,EAAE;QAClD,MAAM,OAAO,GAAG,iCAAiC,CAAC,mBAAmB,CAAC,CAAC;QACvE,MAAM,MAAM,GAAG,MAAM,CAAC,IAAI,CAAC,mBAAmB,EAAE,QAAQ,CAAC,CAAC;QAC1D,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IAC7C,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,QAAQ,CAAC,yDAAyD,EAAE,GAAG,EAAE;IACvE,MAAM,UAAU,GAAG,iCAAiC,CAAC,mBAAmB,CAAC,CAAC;IAE1E,EAAE,CAAC,8BAA8B,EAAE,GAAG,EAAE;QACtC,MAAM,KAAK,GAAG,0BAA0B,CAAC,gCAAgC,EAAE,UAAU,CAAC,CAAC;QACvF,MAAM,OAAO,GAAG,0BAA0B,CAAC,KAAK,EAAE,UAAU,CAAC,CAAC;QAC9D,MAAM,CAAC,OAAO,CAAC,CAAC,OAAO,CAAC,EAAE,iBAAiB,EAAE,gCAAgC,EAAE,CAAC,CAAC;IACnF,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,8BAA8B,EAAE,GAAG,EAAE;QACtC,MAAM,KAAK,GAAG,0BAA0B,CAAC,SAAS,EAAE,UAAU,CAAC,CAAC;QAChE,MAAM,CAAC,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;IAC3C,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,8BAA8B,EAAE,GAAG,EAAE;QACtC,MAAM,KAAK,GAAG,0BAA0B,CAAC,SAAS,EAAE,UAAU,CAAC,CAAC;QAChE,MAAM,MAAM,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAE,CAAC;QACpC,MAAM,IAAI,GAAG,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,EAAE,QAAQ,CAAC,CAAC,QAAQ,CACvF,OAAO,CACR,CAAC;QACF,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,OAAO,CAAC,EAAE,GAAG,EAAE,OAAO,EAAE,GAAG,EAAE,KAAK,EAAE,CAAC,CAAC;IACjE,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,mDAAmD,EAAE,GAAG,EAAE;QAC3D,MAAM,KAAK,GAAG,0BAA0B,CAAC,SAAS,EAAE,UAAU,CAAC,CAAC;QAChE,MAAM,OAAO,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAE,CAAC;QACrC,MAAM,IAAI,GAAG,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,EAAE,QAAQ,CAAC,CAAC,QAAQ,CACxF,OAAO,CACR,CAAC;QACF,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,OAAO,CAAC,EAAE,iBAAiB,EAAE,SAAS,EAAE,CAAC,CAAC;IACrE,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,yCAAyC,EAAE,GAAG,EAAE;QACjD,MAAM,CAAC,GAAG,EAAE,CAAC,0BAA0B,CAAC,oBAAoB,EAAE,UAAU,CAAC,CAAC,CAAC,OAAO,CAChF,6BAA6B,CAC9B,CAAC;IACJ,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,4CAA4C,EAAE,GAAG,EAAE;QACpD,MAAM,QAAQ,GAAG,iCAAiC,CAAC,oBAAoB,CAAC,CAAC;QACzE,MAAM,KAAK,GAAG,0BAA0B,CAAC,SAAS,EAAE,QAAQ,CAAC,CAAC;QAC9D,MAAM,CAAC,GAAG,EAAE,CAAC,0BAA0B,CAAC,KAAK,EAAE,UAAU,CAAC,CAAC,CAAC,OAAO,CACjE,6BAA6B,CAC9B,CAAC;IACJ,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,wCAAwC,EAAE,GAAG,EAAE;QAChD,MAAM,KAAK,GAAG,0BAA0B,CAAC,SAAS,EAAE,UAAU,CAAC,CAAC;QAChE,MAAM,CAAC,MAAM,EAAE,AAAD,EAAG,SAAS,CAAC,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAA6B,CAAC;QAC3E,MAAM,eAAe,GAAG,MAAM,CAAC,IAAI,CACjC,IAAI,CAAC,SAAS,CAAC,EAAE,iBAAiB,EAAE,SAAS,EAAE,CAAC,EAChD,OAAO,CACR;aACE,QAAQ,CAAC,QAAQ,CAAC;aAClB,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC;aACnB,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC;aACnB,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;QACtB,MAAM,QAAQ,GAAG,GAAG,MAAM,IAAI,eAAe,IAAI,SAAS,EAAE,CAAC;QAC7D,MAAM,CAAC,GAAG,EAAE,CAAC,0BAA0B,CAAC,QAAQ,EAAE,UAAU,CAAC,CAAC,CAAC,OAAO,CACpE,6BAA6B,CAC9B,CAAC;IACJ,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,gDAAgD,EAAE,GAAG,EAAE;QACxD,MAAM,CAAC,GAAG,EAAE,CAAC,0BAA0B,CAAC,KAAK,EAAE,UAAU,CAAC,CAAC,CAAC,OAAO,CACjE,6BAA6B,CAC9B,CAAC;QACF,MAAM,CAAC,GAAG,EAAE,CAAC,0BAA0B,CAAC,SAAS,EAAE,UAAU,CAAC,CAAC,CAAC,OAAO,CACrE,6BAA6B,CAC9B,CAAC;IACJ,CAAC,CAAC,CAAC;IAEH,SAAS,SAAS,CAAC,KAAa;QAC9B,OAAO,MAAM,CAAC,IAAI,CAAC,KAAK,EAAE,OAAO,CAAC;aAC/B,QAAQ,CAAC,QAAQ,CAAC;aAClB,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC;aACnB,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC;aACnB,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;IACxB,CAAC;IAED,SAAS,gBAAgB,CAAC,UAAkB,EAAE,WAAmB;QAC/D,MAAM,aAAa,GAAG,SAAS,CAAC,UAAU,CAAC,CAAC;QAC5C,MAAM,cAAc,GAAG,SAAS,CAAC,WAAW,CAAC,CAAC;QAC9C,MAAM,SAAS,GAAG,UAAU,CAAC,QAAQ,EAAE,UAAU,CAAC;aAC/C,MAAM,CAAC,GAAG,aAAa,IAAI,cAAc,EAAE,CAAC;aAC5C,MAAM,EAAE;aACR,QAAQ,CAAC,QAAQ,CAAC;aAClB,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC;aACnB,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC;aACnB,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;QACtB,OAAO,GAAG,aAAa,IAAI,cAAc,IAAI,SAAS,EAAE,CAAC;IAC3D,CAAC;IAED,EAAE,CAAC,gDAAgD,EAAE,GAAG,EAAE;QACxD,0EAA0E;QAC1E,wDAAwD;QACxD,MAAM,aAAa,GAAG,SAAS,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,GAAG,EAAE,OAAO,EAAE,GAAG,EAAE,KAAK,EAAE,CAAC,CAAC,CAAC;QAC9E,MAAM,cAAc,GAAG,SAAS,CAAC,UAAU,CAAC,CAAC;QAC7C,MAAM,SAAS,GAAG,UAAU,CAAC,QAAQ,EAAE,UAAU,CAAC;aAC/C,MAAM,CAAC,GAAG,aAAa,IAAI,cAAc,EAAE,CAAC;aAC5C,MAAM,EAAE;aACR,QAAQ,CAAC,QAAQ,CAAC;aAClB,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC;aACnB,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC;aACnB,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;QACtB,MAAM,KAAK,GAAG,GAAG,aAAa,IAAI,cAAc,IAAI,SAAS,EAAE,CAAC;QAChE,MAAM,CAAC,GAAG,EAAE,CAAC,0BAA0B,CAAC,KAAK,EAAE,UAAU,CAAC,CAAC,CAAC,OAAO,CACjE,6BAA6B,CAC9B,CAAC;IACJ,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,4CAA4C,EAAE,GAAG,EAAE;QACpD,MAAM,KAAK,GAAG,gBAAgB,CAC5B,IAAI,CAAC,SAAS,CAAC,EAAE,GAAG,EAAE,OAAO,EAAE,GAAG,EAAE,KAAK,EAAE,CAAC,EAC5C,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,SAAS,EAAE,CAAC,CACrC,CAAC;QACF,MAAM,CAAC,GAAG,EAAE,CAAC,0BAA0B,CAAC,KAAK,EAAE,UAAU,CAAC,CAAC,CAAC,OAAO,CACjE,6BAA6B,CAC9B,CAAC;IACJ,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,0DAA0D,EAAE,GAAG,EAAE;QAClE,MAAM,KAAK,GAAG,gBAAgB,CAC5B,IAAI,CAAC,SAAS,CAAC,EAAE,GAAG,EAAE,OAAO,EAAE,GAAG,EAAE,KAAK,EAAE,CAAC,EAC5C,IAAI,CAAC,SAAS,CAAC,EAAE,iBAAiB,EAAE,eAAe,EAAE,CAAC,CACvD,CAAC;QACF,MAAM,CAAC,GAAG,EAAE,CAAC,0BAA0B,CAAC,KAAK,EAAE,UAAU,CAAC,CAAC,CAAC,OAAO,CACjE,6BAA6B,CAC9B,CAAC;IACJ,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,0CAA0C,EAAE,GAAG,EAAE;QAClD,MAAM,KAAK,GAAG,gBAAgB,CAC5B,IAAI,CAAC,SAAS,CAAC,EAAE,GAAG,EAAE,MAAM,EAAE,GAAG,EAAE,KAAK,EAAE,CAAC,EAC3C,IAAI,CAAC,SAAS,CAAC,EAAE,iBAAiB,EAAE,SAAS,EAAE,CAAC,CACjD,CAAC;QACF,MAAM,CAAC,GAAG,EAAE,CAAC,0BAA0B,CAAC,KAAK,EAAE,UAAU,CAAC,CAAC,CAAC,OAAO,CACjE,6BAA6B,CAC9B,CAAC;IACJ,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,QAAQ,CAAC,0BAA0B,EAAE,GAAG,EAAE;IACxC,MAAM,UAAU,GAAG,iCAAiC,CAAC,mBAAmB,CAAC,CAAC;IAC1E,IAAI,OAAe,CAAC;IAEpB,UAAU,CAAC,GAAG,EAAE;QACd,OAAO,GAAG,WAAW,CAAC,IAAI,CAAC,MAAM,EAAE,EAAE,mBAAmB,CAAC,CAAC,CAAC;IAC7D,CAAC,CAAC,CAAC;IAEH,SAAS,CAAC,GAAG,EAAE;QACb,MAAM,CAAC,OAAO,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC;IACpD,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,uCAAuC,EAAE,GAAG,EAAE;QAC/C,MAAM,IAAI,GAAG,IAAI,CAAC,OAAO,EAAE,kBAAkB,CAAC,CAAC;QAC/C,aAAa,CAAC,IAAI,EAAE,IAAI,CAAC,CAAC;QAC1B,MAAM,KAAK,GAAG,0BAA0B,CAAC,IAAI,EAAE,UAAU,CAAC,CAAC;QAC3D,MAAM,CAAC,wBAAwB,CAAC,KAAK,EAAE,UAAU,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IACjE,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,kEAAkE,EAAE,GAAG,EAAE;QAC1E,MAAM,IAAI,GAAG,IAAI,CAAC,OAAO,EAAE,qBAAqB,CAAC,CAAC;QAClD,MAAM,KAAK,GAAG,0BAA0B,CAAC,IAAI,EAAE,UAAU,CAAC,CAAC;QAC3D,MAAM,CAAC,GAAG,EAAE,CAAC,wBAAwB,CAAC,KAAK,EAAE,UAAU,CAAC,CAAC,CAAC,OAAO,CAC/D,iCAAiC,CAClC,CAAC;IACJ,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,uEAAuE,EAAE,GAAG,EAAE;QAC/E,MAAM,IAAI,GAAG,IAAI,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC;QACrC,SAAS,CAAC,IAAI,CAAC,CAAC;QAChB,MAAM,KAAK,GAAG,0BAA0B,CAAC,IAAI,EAAE,UAAU,CAAC,CAAC;QAC3D,MAAM,CAAC,GAAG,EAAE,CAAC,wBAAwB,CAAC,KAAK,EAAE,UAAU,CAAC,CAAC,CAAC,OAAO,CAC/D,iCAAiC,CAClC,CAAC;IACJ,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}