nlcurl 0.7.0 → 0.9.0

package/dist/tls/ct.d.ts

@@ -0,0 +1,78 @@
+/** Hash algorithms used in Signed Certificate Timestamps. */
+export declare enum SCTHashAlgorithm {
+    NONE = 0,
+    MD5 = 1,
+    SHA1 = 2,
+    SHA224 = 3,
+    SHA256 = 4,
+    SHA384 = 5,
+    SHA512 = 6
+}
+/** Digital signature algorithms used in Signed Certificate Timestamps. */
+export declare enum SCTSignatureAlgorithm {
+    ANONYMOUS = 0,
+    RSA = 1,
+    DSA = 2,
+    ECDSA = 3
+}
+/** Signed Certificate Timestamp version identifiers. */
+export declare enum SCTVersion {
+    V1 = 0
+}
+/** Parsed Signed Certificate Timestamp (RFC 6962). */
+export interface SCT {
+    /** SCT structure version. */
+    version: SCTVersion;
+    /** Log ID (SHA-256 hash of the log's public key). */
+    logId: Buffer;
+    /** Timestamp when the SCT was issued. */
+    timestamp: Date;
+    /** SCT extensions data. */
+    extensions: Buffer;
+    /** Hash algorithm used in the signature. */
+    hashAlgorithm: SCTHashAlgorithm;
+    /** Signature algorithm used. */
+    signatureAlgorithm: SCTSignatureAlgorithm;
+    /** Digital signature bytes. */
+    signature: Buffer;
+}
+/** Result of validating SCTs for Certificate Transparency compliance. */
+export interface SCTValidationResult {
+    /** Whether the certificate meets CT compliance requirements. */
+    compliant: boolean;
+    /** Number of unique SCTs found. */
+    sctCount: number;
+    /** Deduplicated SCT entries. */
+    scts: SCT[];
+    /** Source from which the SCTs were obtained. */
+    source?: "embedded" | "tls-extension" | "ocsp";
+}
+/**
+ * Parse a serialized SCT list into individual SCT entries.
+ *
+ * @param {Buffer} data - TLS-encoded SCT list buffer.
+ * @returns {SCT[]} Array of parsed {@link SCT} objects.
+ */
+export declare function parseSCTList(data: Buffer): SCT[];
+/**
+ * Validate a set of SCTs for Certificate Transparency compliance.
+ *
+ * Deduplicates by log ID and requires at least two unique logs.
+ *
+ * @param {SCT[]} scts - Array of parsed SCTs.
+ * @returns {SCTValidationResult} Validation result with compliance status.
+ */
+export declare function validateSCTs(scts: SCT[]): SCTValidationResult;
+/**
+ * Extract embedded SCTs from a TLS socket's peer certificate.
+ *
+ * @param {{ getPeerCertificate?: (detailed?: boolean) => { raw?: Buffer; serialNumber?: string } }} socket - Socket with a `getPeerCertificate` method.
+ * @returns {SCTValidationResult | undefined} Validation result, or `undefined` if SCTs cannot be extracted.
+ */
+export declare function extractSCTsFromSocket(socket: {
+    getPeerCertificate?: (detailed?: boolean) => {
+        raw?: Buffer;
+        serialNumber?: string;
+    };
+}): SCTValidationResult | undefined;
+//# sourceMappingURL=ct.d.ts.map

package/dist/tls/ct.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"ct.d.ts","sourceRoot":"","sources":["../../src/tls/ct.ts"],"names":[],"mappings":"AAAA,6DAA6D;AAC7D,oBAAY,gBAAgB;IAC1B,IAAI,IAAI;IACR,GAAG,IAAI;IACP,IAAI,IAAI;IACR,MAAM,IAAI;IACV,MAAM,IAAI;IACV,MAAM,IAAI;IACV,MAAM,IAAI;CACX;AAED,0EAA0E;AAC1E,oBAAY,qBAAqB;IAC/B,SAAS,IAAI;IACb,GAAG,IAAI;IACP,GAAG,IAAI;IACP,KAAK,IAAI;CACV;AAED,wDAAwD;AACxD,oBAAY,UAAU;IACpB,EAAE,IAAI;CACP;AAED,sDAAsD;AACtD,MAAM,WAAW,GAAG;IAClB,6BAA6B;IAC7B,OAAO,EAAE,UAAU,CAAC;IACpB,qDAAqD;IACrD,KAAK,EAAE,MAAM,CAAC;IACd,yCAAyC;IACzC,SAAS,EAAE,IAAI,CAAC;IAChB,2BAA2B;IAC3B,UAAU,EAAE,MAAM,CAAC;IACnB,4CAA4C;IAC5C,aAAa,EAAE,gBAAgB,CAAC;IAChC,gCAAgC;IAChC,kBAAkB,EAAE,qBAAqB,CAAC;IAC1C,+BAA+B;IAC/B,SAAS,EAAE,MAAM,CAAC;CACnB;AAED,yEAAyE;AACzE,MAAM,WAAW,mBAAmB;IAClC,gEAAgE;IAChE,SAAS,EAAE,OAAO,CAAC;IACnB,mCAAmC;IACnC,QAAQ,EAAE,MAAM,CAAC;IACjB,gCAAgC;IAChC,IAAI,EAAE,GAAG,EAAE,CAAC;IACZ,gDAAgD;IAChD,MAAM,CAAC,EAAE,UAAU,GAAG,eAAe,GAAG,MAAM,CAAC;CAChD;AAED;;;;;GAKG;AACH,wBAAgB,YAAY,CAAC,IAAI,EAAE,MAAM,GAAG,GAAG,EAAE,CAsBhD;AA+CD;;;;;;;GAOG;AACH,wBAAgB,YAAY,CAAC,IAAI,EAAE,GAAG,EAAE,GAAG,mBAAmB,CAgB7D;AAED;;;;;GAKG;AACH,wBAAgB,qBAAqB,CAAC,MAAM,EAAE;IAAE,kBAAkB,CAAC,EAAE,CAAC,QAAQ,CAAC,EAAE,OAAO,KAAK;QAAE,GAAG,CAAC,EAAE,MAAM,CAAC;QAAC,YAAY,CAAC,EAAE,MAAM,CAAA;KAAE,CAAA;CAAE,GAAG,mBAAmB,GAAG,SAAS,CA2CvK"}

package/dist/tls/ct.js

@@ -0,0 +1,175 @@
+/** Hash algorithms used in Signed Certificate Timestamps. */
+export var SCTHashAlgorithm;
+(function (SCTHashAlgorithm) {
+    SCTHashAlgorithm[SCTHashAlgorithm["NONE"] = 0] = "NONE";
+    SCTHashAlgorithm[SCTHashAlgorithm["MD5"] = 1] = "MD5";
+    SCTHashAlgorithm[SCTHashAlgorithm["SHA1"] = 2] = "SHA1";
+    SCTHashAlgorithm[SCTHashAlgorithm["SHA224"] = 3] = "SHA224";
+    SCTHashAlgorithm[SCTHashAlgorithm["SHA256"] = 4] = "SHA256";
+    SCTHashAlgorithm[SCTHashAlgorithm["SHA384"] = 5] = "SHA384";
+    SCTHashAlgorithm[SCTHashAlgorithm["SHA512"] = 6] = "SHA512";
+})(SCTHashAlgorithm || (SCTHashAlgorithm = {}));
+/** Digital signature algorithms used in Signed Certificate Timestamps. */
+export var SCTSignatureAlgorithm;
+(function (SCTSignatureAlgorithm) {
+    SCTSignatureAlgorithm[SCTSignatureAlgorithm["ANONYMOUS"] = 0] = "ANONYMOUS";
+    SCTSignatureAlgorithm[SCTSignatureAlgorithm["RSA"] = 1] = "RSA";
+    SCTSignatureAlgorithm[SCTSignatureAlgorithm["DSA"] = 2] = "DSA";
+    SCTSignatureAlgorithm[SCTSignatureAlgorithm["ECDSA"] = 3] = "ECDSA";
+})(SCTSignatureAlgorithm || (SCTSignatureAlgorithm = {}));
+/** Signed Certificate Timestamp version identifiers. */
+export var SCTVersion;
+(function (SCTVersion) {
+    SCTVersion[SCTVersion["V1"] = 0] = "V1";
+})(SCTVersion || (SCTVersion = {}));
+/**
+ * Parse a serialized SCT list into individual SCT entries.
+ *
+ * @param {Buffer} data - TLS-encoded SCT list buffer.
+ * @returns {SCT[]} Array of parsed {@link SCT} objects.
+ */
+export function parseSCTList(data) {
+    if (data.length < 2)
+        return [];
+    const listLength = data.readUInt16BE(0);
+    if (listLength + 2 > data.length)
+        return [];
+    const scts = [];
+    let offset = 2;
+    const end = 2 + listLength;
+    while (offset + 2 <= end) {
+        const sctLength = data.readUInt16BE(offset);
+        offset += 2;
+        if (offset + sctLength > end)
+            break;
+        const sct = parseSingleSCT(data.subarray(offset, offset + sctLength));
+        if (sct)
+            scts.push(sct);
+        offset += sctLength;
+    }
+    return scts;
+}
+function parseSingleSCT(data) {
+    if (data.length < 1 + 32 + 8 + 2 + 2 + 2)
+        return null;
+    let offset = 0;
+    const version = data[offset];
+    if (version !== SCTVersion.V1)
+        return null;
+    offset += 1;
+    const logId = Buffer.from(data.subarray(offset, offset + 32));
+    offset += 32;
+    const timestampMs = Number(data.readBigUInt64BE(offset));
+    const timestamp = new Date(timestampMs);
+    offset += 8;
+    const extensionsLength = data.readUInt16BE(offset);
+    offset += 2;
+    const extensions = Buffer.from(data.subarray(offset, offset + extensionsLength));
+    offset += extensionsLength;
+    if (offset + 4 > data.length)
+        return null;
+    const hashAlgorithm = data[offset];
+    offset += 1;
+    const signatureAlgorithm = data[offset];
+    offset += 1;
+    const signatureLength = data.readUInt16BE(offset);
+    offset += 2;
+    if (offset + signatureLength > data.length)
+        return null;
+    const signature = Buffer.from(data.subarray(offset, offset + signatureLength));
+    return {
+        version,
+        logId,
+        timestamp,
+        extensions,
+        hashAlgorithm,
+        signatureAlgorithm,
+        signature,
+    };
+}
+/**
+ * Validate a set of SCTs for Certificate Transparency compliance.
+ *
+ * Deduplicates by log ID and requires at least two unique logs.
+ *
+ * @param {SCT[]} scts - Array of parsed SCTs.
+ * @returns {SCTValidationResult} Validation result with compliance status.
+ */
+export function validateSCTs(scts) {
+    const uniqueLogs = new Set();
+    const uniqueSCTs = [];
+    for (const sct of scts) {
+        const logIdHex = sct.logId.toString("hex");
+        if (!uniqueLogs.has(logIdHex)) {
+            uniqueLogs.add(logIdHex);
+            uniqueSCTs.push(sct);
+        }
+    }
+    return {
+        compliant: uniqueLogs.size >= 2,
+        sctCount: uniqueSCTs.length,
+        scts: uniqueSCTs,
+    };
+}
+/**
+ * Extract embedded SCTs from a TLS socket's peer certificate.
+ *
+ * @param {{ getPeerCertificate?: (detailed?: boolean) => { raw?: Buffer; serialNumber?: string } }} socket - Socket with a `getPeerCertificate` method.
+ * @returns {SCTValidationResult | undefined} Validation result, or `undefined` if SCTs cannot be extracted.
+ */
+export function extractSCTsFromSocket(socket) {
+    if (!socket.getPeerCertificate)
+        return undefined;
+    const cert = socket.getPeerCertificate(true);
+    if (!cert || !cert.raw)
+        return undefined;
+    const sctExtOid = Buffer.from([0x06, 0x0a, 0x2b, 0x06, 0x01, 0x04, 0x01, 0xd6, 0x79, 0x02, 0x04, 0x02]);
+    const extIdx = cert.raw.indexOf(sctExtOid);
+    if (extIdx === -1) {
+        return { compliant: false, sctCount: 0, scts: [] };
+    }
+    let offset = extIdx + sctExtOid.length;
+    if (offset < cert.raw.length && cert.raw[offset] === 0x01) {
+        offset += 3;
+    }
+    if (offset >= cert.raw.length || cert.raw[offset] !== 0x04) {
+        return { compliant: false, sctCount: 0, scts: [] };
+    }
+    offset++;
+    const result = readLength(cert.raw, offset);
+    if (result.value === -1)
+        return { compliant: false, sctCount: 0, scts: [] };
+    offset += result.bytesRead;
+    if (offset >= cert.raw.length || cert.raw[offset] !== 0x04) {
+        const scts = parseSCTList(cert.raw.subarray(offset));
+        const validation = validateSCTs(scts);
+        validation.source = "embedded";
+        return validation;
+    }
+    offset++;
+    const innerResult = readLength(cert.raw, offset);
+    if (innerResult.value === -1)
+        return { compliant: false, sctCount: 0, scts: [] };
+    offset += innerResult.bytesRead;
+    const sctData = cert.raw.subarray(offset, offset + innerResult.value);
+    const scts = parseSCTList(sctData);
+    const validation = validateSCTs(scts);
+    validation.source = "embedded";
+    return validation;
+}
+function readLength(buf, offset) {
+    if (offset >= buf.length)
+        return { value: -1, bytesRead: 0 };
+    const first = buf[offset];
+    if (first < 0x80)
+        return { value: first, bytesRead: 1 };
+    const numBytes = first & 0x7f;
+    if (numBytes === 0 || numBytes > 4 || offset + numBytes >= buf.length)
+        return { value: -1, bytesRead: 0 };
+    let value = 0;
+    for (let i = 0; i < numBytes; i++) {
+        value = (value << 8) | buf[offset + 1 + i];
+    }
+    return { value, bytesRead: 1 + numBytes };
+}
+//# sourceMappingURL=ct.js.map

package/dist/tls/ct.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"ct.js","sourceRoot":"","sources":["../../src/tls/ct.ts"],"names":[],"mappings":"AAAA,6DAA6D;AAC7D,MAAM,CAAN,IAAY,gBAQX;AARD,WAAY,gBAAgB;IAC1B,uDAAQ,CAAA;IACR,qDAAO,CAAA;IACP,uDAAQ,CAAA;IACR,2DAAU,CAAA;IACV,2DAAU,CAAA;IACV,2DAAU,CAAA;IACV,2DAAU,CAAA;AACZ,CAAC,EARW,gBAAgB,KAAhB,gBAAgB,QAQ3B;AAED,0EAA0E;AAC1E,MAAM,CAAN,IAAY,qBAKX;AALD,WAAY,qBAAqB;IAC/B,2EAAa,CAAA;IACb,+DAAO,CAAA;IACP,+DAAO,CAAA;IACP,mEAAS,CAAA;AACX,CAAC,EALW,qBAAqB,KAArB,qBAAqB,QAKhC;AAED,wDAAwD;AACxD,MAAM,CAAN,IAAY,UAEX;AAFD,WAAY,UAAU;IACpB,uCAAM,CAAA;AACR,CAAC,EAFW,UAAU,KAAV,UAAU,QAErB;AAgCD;;;;;GAKG;AACH,MAAM,UAAU,YAAY,CAAC,IAAY;IACvC,IAAI,IAAI,CAAC,MAAM,GAAG,CAAC;QAAE,OAAO,EAAE,CAAC;IAE/B,MAAM,UAAU,GAAG,IAAI,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;IACxC,IAAI,UAAU,GAAG,CAAC,GAAG,IAAI,CAAC,MAAM;QAAE,OAAO,EAAE,CAAC;IAE5C,MAAM,IAAI,GAAU,EAAE,CAAC;IACvB,IAAI,MAAM,GAAG,CAAC,CAAC;IACf,MAAM,GAAG,GAAG,CAAC,GAAG,UAAU,CAAC;IAE3B,OAAO,MAAM,GAAG,CAAC,IAAI,GAAG,EAAE,CAAC;QACzB,MAAM,SAAS,GAAG,IAAI,CAAC,YAAY,CAAC,MAAM,CAAC,CAAC;QAC5C,MAAM,IAAI,CAAC,CAAC;QAEZ,IAAI,MAAM,GAAG,SAAS,GAAG,GAAG;YAAE,MAAM;QAEpC,MAAM,GAAG,GAAG,cAAc,CAAC,IAAI,CAAC,QAAQ,CAAC,MAAM,EAAE,MAAM,GAAG,SAAS,CAAC,CAAC,CAAC;QACtE,IAAI,GAAG;YAAE,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QACxB,MAAM,IAAI,SAAS,CAAC;IACtB,CAAC;IAED,OAAO,IAAI,CAAC;AACd,CAAC;AAED,SAAS,cAAc,CAAC,IAAY;IAClC,IAAI,IAAI,CAAC,MAAM,GAAG,CAAC,GAAG,EAAE,GAAG,CAAC,GAAG,CAAC,GAAG,CAAC,GAAG,CAAC;QAAE,OAAO,IAAI,CAAC;IAEtD,IAAI,MAAM,GAAG,CAAC,CAAC;IAEf,MAAM,OAAO,GAAG,IAAI,CAAC,MAAM,CAAgB,CAAC;IAC5C,IAAI,OAAO,KAAK,UAAU,CAAC,EAAE;QAAE,OAAO,IAAI,CAAC;IAC3C,MAAM,IAAI,CAAC,CAAC;IAEZ,MAAM,KAAK,GAAG,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,QAAQ,CAAC,MAAM,EAAE,MAAM,GAAG,EAAE,CAAC,CAAC,CAAC;IAC9D,MAAM,IAAI,EAAE,CAAC;IAEb,MAAM,WAAW,GAAG,MAAM,CAAC,IAAI,CAAC,eAAe,CAAC,MAAM,CAAC,CAAC,CAAC;IACzD,MAAM,SAAS,GAAG,IAAI,IAAI,CAAC,WAAW,CAAC,CAAC;IACxC,MAAM,IAAI,CAAC,CAAC;IAEZ,MAAM,gBAAgB,GAAG,IAAI,CAAC,YAAY,CAAC,MAAM,CAAC,CAAC;IACnD,MAAM,IAAI,CAAC,CAAC;IACZ,MAAM,UAAU,GAAG,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,QAAQ,CAAC,MAAM,EAAE,MAAM,GAAG,gBAAgB,CAAC,CAAC,CAAC;IACjF,MAAM,IAAI,gBAAgB,CAAC;IAE3B,IAAI,MAAM,GAAG,CAAC,GAAG,IAAI,CAAC,MAAM;QAAE,OAAO,IAAI,CAAC;IAE1C,MAAM,aAAa,GAAG,IAAI,CAAC,MAAM,CAAsB,CAAC;IACxD,MAAM,IAAI,CAAC,CAAC;IACZ,MAAM,kBAAkB,GAAG,IAAI,CAAC,MAAM,CAA2B,CAAC;IAClE,MAAM,IAAI,CAAC,CAAC;IAEZ,MAAM,eAAe,GAAG,IAAI,CAAC,YAAY,CAAC,MAAM,CAAC,CAAC;IAClD,MAAM,IAAI,CAAC,CAAC;IAEZ,IAAI,MAAM,GAAG,eAAe,GAAG,IAAI,CAAC,MAAM;QAAE,OAAO,IAAI,CAAC;IACxD,MAAM,SAAS,GAAG,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,QAAQ,CAAC,MAAM,EAAE,MAAM,GAAG,eAAe,CAAC,CAAC,CAAC;IAE/E,OAAO;QACL,OAAO;QACP,KAAK;QACL,SAAS;QACT,UAAU;QACV,aAAa;QACb,kBAAkB;QAClB,SAAS;KACV,CAAC;AACJ,CAAC;AAED;;;;;;;GAOG;AACH,MAAM,UAAU,YAAY,CAAC,IAAW;IACtC,MAAM,UAAU,GAAG,IAAI,GAAG,EAAU,CAAC;IACrC,MAAM,UAAU,GAAU,EAAE,CAAC;IAC7B,KAAK,MAAM,GAAG,IAAI,IAAI,EAAE,CAAC;QACvB,MAAM,QAAQ,GAAG,GAAG,CAAC,KAAK,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;QAC3C,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,QAAQ,CAAC,EAAE,CAAC;YAC9B,UAAU,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;YACzB,UAAU,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QACvB,CAAC;IACH,CAAC;IAED,OAAO;QACL,SAAS,EAAE,UAAU,CAAC,IAAI,IAAI,CAAC;QAC/B,QAAQ,EAAE,UAAU,CAAC,MAAM;QAC3B,IAAI,EAAE,UAAU;KACjB,CAAC;AACJ,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,qBAAqB,CAAC,MAAgG;IACpI,IAAI,CAAC,MAAM,CAAC,kBAAkB;QAAE,OAAO,SAAS,CAAC;IAEjD,MAAM,IAAI,GAAG,MAAM,CAAC,kBAAkB,CAAC,IAAI,CAAC,CAAC;IAC7C,IAAI,CAAC,IAAI,IAAI,CAAC,IAAI,CAAC,GAAG;QAAE,OAAO,SAAS,CAAC;IAEzC,MAAM,SAAS,GAAG,MAAM,CAAC,IAAI,CAAC,CAAC,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,CAAC,CAAC,CAAC;IACxG,MAAM,MAAM,GAAG,IAAI,CAAC,GAAG,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC;IAE3C,IAAI,MAAM,KAAK,CAAC,CAAC,EAAE,CAAC;QAClB,OAAO,EAAE,SAAS,EAAE,KAAK,EAAE,QAAQ,EAAE,CAAC,EAAE,IAAI,EAAE,EAAE,EAAE,CAAC;IACrD,CAAC;IAED,IAAI,MAAM,GAAG,MAAM,GAAG,SAAS,CAAC,MAAM,CAAC;IAEvC,IAAI,MAAM,GAAG,IAAI,CAAC,GAAG,CAAC,MAAM,IAAI,IAAI,CAAC,GAAG,CAAC,MAAM,CAAC,KAAK,IAAI,EAAE,CAAC;QAC1D,MAAM,IAAI,CAAC,CAAC;IACd,CAAC;IAED,IAAI,MAAM,IAAI,IAAI,CAAC,GAAG,CAAC,MAAM,IAAI,IAAI,CAAC,GAAG,CAAC,MAAM,CAAC,KAAK,IAAI,EAAE,CAAC;QAC3D,OAAO,EAAE,SAAS,EAAE,KAAK,EAAE,QAAQ,EAAE,CAAC,EAAE,IAAI,EAAE,EAAE,EAAE,CAAC;IACrD,CAAC;IACD,MAAM,EAAE,CAAC;IACT,MAAM,MAAM,GAAG,UAAU,CAAC,IAAI,CAAC,GAAG,EAAE,MAAM,CAAC,CAAC;IAC5C,IAAI,MAAM,CAAC,KAAK,KAAK,CAAC,CAAC;QAAE,OAAO,EAAE,SAAS,EAAE,KAAK,EAAE,QAAQ,EAAE,CAAC,EAAE,IAAI,EAAE,EAAE,EAAE,CAAC;IAC5E,MAAM,IAAI,MAAM,CAAC,SAAS,CAAC;IAE3B,IAAI,MAAM,IAAI,IAAI,CAAC,GAAG,CAAC,MAAM,IAAI,IAAI,CAAC,GAAG,CAAC,MAAM,CAAC,KAAK,IAAI,EAAE,CAAC;QAC3D,MAAM,IAAI,GAAG,YAAY,CAAC,IAAI,CAAC,GAAG,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC;QACrD,MAAM,UAAU,GAAG,YAAY,CAAC,IAAI,CAAC,CAAC;QACtC,UAAU,CAAC,MAAM,GAAG,UAAU,CAAC;QAC/B,OAAO,UAAU,CAAC;IACpB,CAAC;IACD,MAAM,EAAE,CAAC;IACT,MAAM,WAAW,GAAG,UAAU,CAAC,IAAI,CAAC,GAAG,EAAE,MAAM,CAAC,CAAC;IACjD,IAAI,WAAW,CAAC,KAAK,KAAK,CAAC,CAAC;QAAE,OAAO,EAAE,SAAS,EAAE,KAAK,EAAE,QAAQ,EAAE,CAAC,EAAE,IAAI,EAAE,EAAE,EAAE,CAAC;IACjF,MAAM,IAAI,WAAW,CAAC,SAAS,CAAC;IAEhC,MAAM,OAAO,GAAG,IAAI,CAAC,GAAG,CAAC,QAAQ,CAAC,MAAM,EAAE,MAAM,GAAG,WAAW,CAAC,KAAK,CAAC,CAAC;IACtE,MAAM,IAAI,GAAG,YAAY,CAAC,OAAO,CAAC,CAAC;IACnC,MAAM,UAAU,GAAG,YAAY,CAAC,IAAI,CAAC,CAAC;IACtC,UAAU,CAAC,MAAM,GAAG,UAAU,CAAC;IAC/B,OAAO,UAAU,CAAC;AACpB,CAAC;AAED,SAAS,UAAU,CAAC,GAAW,EAAE,MAAc;IAC7C,IAAI,MAAM,IAAI,GAAG,CAAC,MAAM;QAAE,OAAO,EAAE,KAAK,EAAE,CAAC,CAAC,EAAE,SAAS,EAAE,CAAC,EAAE,CAAC;IAC7D,MAAM,KAAK,GAAG,GAAG,CAAC,MAAM,CAAE,CAAC;IAC3B,IAAI,KAAK,GAAG,IAAI;QAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,SAAS,EAAE,CAAC,EAAE,CAAC;IACxD,MAAM,QAAQ,GAAG,KAAK,GAAG,IAAI,CAAC;IAC9B,IAAI,QAAQ,KAAK,CAAC,IAAI,QAAQ,GAAG,CAAC,IAAI,MAAM,GAAG,QAAQ,IAAI,GAAG,CAAC,MAAM;QAAE,OAAO,EAAE,KAAK,EAAE,CAAC,CAAC,EAAE,SAAS,EAAE,CAAC,EAAE,CAAC;IAC1G,IAAI,KAAK,GAAG,CAAC,CAAC;IACd,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,QAAQ,EAAE,CAAC,EAAE,EAAE,CAAC;QAClC,KAAK,GAAG,CAAC,KAAK,IAAI,CAAC,CAAC,GAAG,GAAG,CAAC,MAAM,GAAG,CAAC,GAAG,CAAC,CAAE,CAAC;IAC9C,CAAC;IACD,OAAO,EAAE,KAAK,EAAE,SAAS,EAAE,CAAC,GAAG,QAAQ,EAAE,CAAC;AAC5C,CAAC"}

package/dist/tls/early-data.d.ts

@@ -0,0 +1,45 @@
+/** Configuration for TLS 1.3 early data (0-RTT). */
+export interface EarlyDataConfig {
+    /** Enable early data transmission. */
+    enabled?: boolean;
+    /** Maximum early data payload size in bytes. */
+    maxSize?: number;
+    /** Restrict early data to safe (idempotent) HTTP methods only. */
+    safeOnly?: boolean;
+}
+/** Outcome of an early data (0-RTT) transmission attempt. */
+export interface EarlyDataResult {
+    /** Whether the server accepted the early data. */
+    accepted: boolean;
+    /** Whether early data transmission was attempted. */
+    attempted: boolean;
+    /** Number of bytes sent as early data. */
+    bytesSent: number;
+}
+/**
+ * Determine whether early data can be sent for the given HTTP method.
+ *
+ * @param {string} method - HTTP method string.
+ * @param {EarlyDataConfig} [config] - Early data configuration.
+ * @returns {boolean} `true` if early data is permitted.
+ */
+export declare function canSendEarlyData(method: string, config?: EarlyDataConfig): boolean;
+/**
+ * Prepare request data for 0-RTT transmission.
+ *
+ * @param {Buffer} requestData - Serialized request bytes.
+ * @param {EarlyDataConfig} [config] - Early data configuration.
+ * @returns {Buffer|null} Buffer to send as early data, or `null` if not applicable.
+ */
+export declare function prepareEarlyData(requestData: Buffer, config?: EarlyDataConfig): Buffer | null;
+/**
+ * Check whether the server accepted early data on a connected socket.
+ *
+ * @param {{ alpnProtocol?: string | false; earlyData?: boolean }} socket - Socket with optional `earlyData` flag.
+ * @returns {EarlyDataResult} Early data acceptance result.
+ */
+export declare function checkEarlyDataAccepted(socket: {
+    alpnProtocol?: string | false;
+    earlyData?: boolean;
+}): EarlyDataResult;
+//# sourceMappingURL=early-data.d.ts.map

package/dist/tls/early-data.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"early-data.d.ts","sourceRoot":"","sources":["../../src/tls/early-data.ts"],"names":[],"mappings":"AAEA,oDAAoD;AACpD,MAAM,WAAW,eAAe;IAC9B,sCAAsC;IACtC,OAAO,CAAC,EAAE,OAAO,CAAC;IAClB,gDAAgD;IAChD,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,kEAAkE;IAClE,QAAQ,CAAC,EAAE,OAAO,CAAC;CACpB;AAED,6DAA6D;AAC7D,MAAM,WAAW,eAAe;IAC9B,kDAAkD;IAClD,QAAQ,EAAE,OAAO,CAAC;IAClB,qDAAqD;IACrD,SAAS,EAAE,OAAO,CAAC;IACnB,0CAA0C;IAC1C,SAAS,EAAE,MAAM,CAAC;CACnB;AAED;;;;;;GAMG;AACH,wBAAgB,gBAAgB,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,CAAC,EAAE,eAAe,GAAG,OAAO,CAMlF;AAED;;;;;;GAMG;AACH,wBAAgB,gBAAgB,CAAC,WAAW,EAAE,MAAM,EAAE,MAAM,CAAC,EAAE,eAAe,GAAG,MAAM,GAAG,IAAI,CAO7F;AAED;;;;;GAKG;AACH,wBAAgB,sBAAsB,CAAC,MAAM,EAAE;IAAE,YAAY,CAAC,EAAE,MAAM,GAAG,KAAK,CAAC;IAAC,SAAS,CAAC,EAAE,OAAO,CAAA;CAAE,GAAG,eAAe,CAOtH"}

package/dist/tls/early-data.js

@@ -0,0 +1,46 @@
+const SAFE_EARLY_DATA_METHODS = new Set(["GET", "HEAD", "OPTIONS"]);
+/**
+ * Determine whether early data can be sent for the given HTTP method.
+ *
+ * @param {string} method - HTTP method string.
+ * @param {EarlyDataConfig} [config] - Early data configuration.
+ * @returns {boolean} `true` if early data is permitted.
+ */
+export function canSendEarlyData(method, config) {
+    if (!config?.enabled)
+        return false;
+    if (config.safeOnly !== false && !SAFE_EARLY_DATA_METHODS.has(method.toUpperCase())) {
+        return false;
+    }
+    return true;
+}
+/**
+ * Prepare request data for 0-RTT transmission.
+ *
+ * @param {Buffer} requestData - Serialized request bytes.
+ * @param {EarlyDataConfig} [config] - Early data configuration.
+ * @returns {Buffer|null} Buffer to send as early data, or `null` if not applicable.
+ */
+export function prepareEarlyData(requestData, config) {
+    if (!config?.enabled)
+        return null;
+    const maxSize = config.maxSize ?? 16384;
+    if (requestData.length > maxSize)
+        return null;
+    return requestData;
+}
+/**
+ * Check whether the server accepted early data on a connected socket.
+ *
+ * @param {{ alpnProtocol?: string | false; earlyData?: boolean }} socket - Socket with optional `earlyData` flag.
+ * @returns {EarlyDataResult} Early data acceptance result.
+ */
+export function checkEarlyDataAccepted(socket) {
+    const accepted = socket.earlyData === true;
+    return {
+        accepted,
+        attempted: true,
+        bytesSent: 0,
+    };
+}
+//# sourceMappingURL=early-data.js.map

package/dist/tls/early-data.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"early-data.js","sourceRoot":"","sources":["../../src/tls/early-data.ts"],"names":[],"mappings":"AAAA,MAAM,uBAAuB,GAAG,IAAI,GAAG,CAAC,CAAC,KAAK,EAAE,MAAM,EAAE,SAAS,CAAC,CAAC,CAAC;AAsBpE;;;;;;GAMG;AACH,MAAM,UAAU,gBAAgB,CAAC,MAAc,EAAE,MAAwB;IACvE,IAAI,CAAC,MAAM,EAAE,OAAO;QAAE,OAAO,KAAK,CAAC;IACnC,IAAI,MAAM,CAAC,QAAQ,KAAK,KAAK,IAAI,CAAC,uBAAuB,CAAC,GAAG,CAAC,MAAM,CAAC,WAAW,EAAE,CAAC,EAAE,CAAC;QACpF,OAAO,KAAK,CAAC;IACf,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,gBAAgB,CAAC,WAAmB,EAAE,MAAwB;IAC5E,IAAI,CAAC,MAAM,EAAE,OAAO;QAAE,OAAO,IAAI,CAAC;IAElC,MAAM,OAAO,GAAG,MAAM,CAAC,OAAO,IAAI,KAAK,CAAC;IACxC,IAAI,WAAW,CAAC,MAAM,GAAG,OAAO;QAAE,OAAO,IAAI,CAAC;IAE9C,OAAO,WAAW,CAAC;AACrB,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,sBAAsB,CAAC,MAA8D;IACnG,MAAM,QAAQ,GAAG,MAAM,CAAC,SAAS,KAAK,IAAI,CAAC;IAC3C,OAAO;QACL,QAAQ;QACR,SAAS,EAAE,IAAI;QACf,SAAS,EAAE,CAAC;KACb,CAAC;AACJ,CAAC"}

package/dist/tls/ech.d.ts

@@ -1,141 +1,108 @@
-/**
- * A parsed ECHConfig entry from an ECHConfigList.
- */
+/** Parsed individual Encrypted Client Hello configuration entry. */
 export interface ECHConfig {
-    /** ECH version (0xfe0d for draft-13+). */
+    /** ECH config version identifier. */
     version: number;
-    /** Length of this config. */
+    /** Length of the configuration contents. */
     length: number;
-    /** The opaque config contents. */
+    /** Raw configuration content bytes. */
     contents: Buffer;
-    /** The public_name (the "cover" domain, e.g. "cloudflare-ech.com"). */
+    /** Public name (outer SNI) extracted from the config. */
     publicName: string;
 }
-/**
- * Parsed ECH configuration ready for use in a TLS connection.
- */
+/** Complete parsed ECH configuration list with outer SNI. */
 export interface ECHParameters {
-    /** Raw ECHConfigList to pass to Node.js TLS or encode in ClientHello. */
+    /** Raw serialized ECHConfigList buffer. */
     echConfigList: Buffer;
-    /** The public_name (outer SNI) that replaces the true SNI in the outer ClientHello. */
+    /** Outer SNI derived from the first config's public name. */
     outerSNI: string;
-    /** Parsed individual ECH configs. */
+    /** Individual ECH configuration entries. */
     configs: ECHConfig[];
 }
-/**
- * ECH configuration options for the library.
- */
+/** User-facing options for Encrypted Client Hello. */
 export interface ECHOptions {
-    /**
-     * Whether to enable ECH when an ECHConfigList is available from HTTPS-RR.
-     * @default true when HTTPS-RR is enabled
-     */
+    /** Enable ECH support. */
     enabled?: boolean;
-    /**
-     * Pre-configured ECHConfigList (base64 or raw Buffer).
-     * When set, bypasses HTTPS-RR discovery.
-     */
+    /** Base64 or binary ECHConfigList. */
     echConfigList?: string | Buffer;
-    /**
-     * Whether to use GREASE ECH when no real ECH config is available.
-     * GREASE ECH pads ClientHello to resist distinguishing ECH-capable clients.
-     * @default false
-     */
+    /** Send a GREASE ECH extension when no real config is available. */
     grease?: boolean;
+    /** Maximum number of ECH retry attempts. */
+    maxRetries?: number;
 }
 /**
- * Parses an ECHConfigList from raw bytes (as received from HTTPS-RR or config).
- *
- * ECHConfigList format (draft-ietf-tls-esni §4):
- * ```
- * struct {
- *   uint16 length;
- *   ECHConfig echConfigs<1..2^16-1>;
- * } ECHConfigList;
- *
- * struct {
- *   uint16 version;
- *   uint16 length;
- *   opaque contents<1..2^16-1>;
- * } ECHConfig;
- * ```
+ * Parse a serialized ECHConfigList into structured parameters.
  *
- * @param data Raw ECHConfigList bytes.
- * @returns Parsed ECH parameters, or null if invalid.
+ * @param {Buffer} data - Raw ECHConfigList buffer.
+ * @returns {ECHParameters|null} Parsed parameters, or `null` if the data is invalid.
  */
 export declare function parseECHConfigList(data: Buffer): ECHParameters | null;
 /**
- * Generates a GREASE ECH extension for the outer ClientHello.
- * This makes ECH-capable clients indistinguishable from non-ECH clients
- * by including a random ECH extension even when no real config is available.
+ * Generate a GREASE Encrypted Client Hello extension payload.
  *
- * @returns A plausible-looking random ECH extension payload.
+ * @returns {Buffer} Random GREASE ECH extension data.
  */
 export declare function generateGreaseECH(): Buffer;
-/** Parsed HPKE key configuration from an ECHConfig. */
+/** Parsed HPKE key configuration from an ECHConfig entry. */
 export interface HpkeKeyConfig {
+    /** Configuration identifier byte. */
     configId: number;
+    /** Key Encapsulation Mechanism identifier. */
     kemId: number;
+    /** Receiver's public key bytes. */
     publicKey: Buffer;
+    /** Supported KDF and AEAD cipher suite pairs. */
     cipherSuites: Array<{
         kdfId: number;
         aeadId: number;
     }>;
 }
 /**
- * Parses the HpkeKeyConfig from ECHConfig contents.
+ * Parse the HPKE key configuration from ECHConfig contents.
  *
- * HpkeKeyConfig layout:
- * ```
- * struct {
- *   uint8  config_id;
- *   uint16 kem_id;
- *   opaque public_key<1..2^16-1>;
- *   HpkeSymmetricCipherSuite cipher_suites<4..2^16-4>;
- * } HpkeKeyConfig;
- * ```
+ * @param {Buffer} contents - Raw contents buffer of an ECHConfig entry.
+ * @returns {HpkeKeyConfig|null} Parsed HPKE key config, or `null` if malformed.
  */
 export declare function parseHpkeKeyConfig(contents: Buffer): HpkeKeyConfig | null;
 /**
- * Extracts the `maximum_name_length` field from ECHConfig contents.
- * This value determines how much padding is added to the inner ClientHello.
+ * Extract the maximum name length field from ECHConfig contents.
+ *
+ * @param {Buffer} contents - Raw ECHConfig contents.
+ * @returns {number} Maximum name length, or `0` if unparseable.
  */
 export declare function getMaxNameLength(contents: Buffer): number;
 /**
- * Builds the ECH outer extension data (type=outer) for the ClientHello.
+ * Build the outer ECH extension data for a ClientHello.
  *
- * Layout:
- * ```
- * uint8  type = 0x00 (outer)
- * uint16 kdf_id
- * uint16 aead_id
- * uint8  config_id
- * opaque enc<0..2^16-1>
- * opaque payload<1..2^16-1>
- * ```
+ * @param {number} kdfId - KDF identifier.
+ * @param {number} aeadId - AEAD identifier.
+ * @param {number} configId - ECH config ID.
+ * @param {Buffer} enc - HPKE encapsulated key.
+ * @param {Buffer} payload - Encrypted inner ClientHello payload.
+ * @returns {Buffer} Serialized ECH outer extension bytes.
  */
 export declare function buildECHOuterExtData(kdfId: number, aeadId: number, configId: number, enc: Buffer, payload: Buffer): Buffer;
-/** Parameters needed to construct an ECH-encrypted ClientHello. */
+/** Parameters required to encrypt an inner ClientHello with ECH. */
 export interface ECHEncryptionParams {
-    /** The selected ECHConfig entry. */
+    /** Selected ECH configuration entry. */
     config: ECHConfig;
-    /** Raw bytes of the selected ECHConfig (version + length + contents). */
+    /** Raw bytes of the selected configuration (including version and length). */
     configRaw: Buffer;
 }
 /**
- * Extracts the raw bytes of the first ECHConfig entry from an ECHConfigList.
- * Returns the `version(2) + length(2) + contents(configLength)` bytes.
+ * Extract the first raw ECHConfig entry from a serialized ECHConfigList.
+ *
+ * @param {Buffer} echConfigList - Full serialized ECHConfigList buffer.
+ * @returns {Buffer | null} Raw config bytes, or `null` if the list is too short.
  */
 export declare function extractFirstECHConfigRaw(echConfigList: Buffer): Buffer | null;
 /**
- * Core ECH encryption: encrypts an inner ClientHello body using HPKE and
- * returns all values needed to populate the outer ECH extension.
+ * Encrypt an inner ClientHello body using HPKE for Encrypted Client Hello.
  *
- * @param innerCHBody  Serialized inner ClientHello body (after handshake header).
- * @param outerCHAAD   Full outer ClientHello handshake message with ECH payload zeroed.
- * @param config       The selected ECHConfig entry.
- * @param configRaw    Raw bytes of the ECHConfig entry (version + length + contents).
- * @returns ECH outer extension data and HPKE metadata.
+ * @param {Buffer} innerCHBody - Serialized inner ClientHello body.
+ * @param {Buffer} outerCHAAD - Additional authenticated data from the outer ClientHello.
+ * @param {ECHConfig} config - Parsed ECH configuration entry.
+ * @param {Buffer} configRaw - Raw bytes of the ECH configuration.
+ * @returns {{ extensionData: Buffer; enc: Buffer; kdfId: number; aeadId: number; configId: number }} Extension data, encapsulated key, and algorithm identifiers.
  */
 export declare function echEncryptInner(innerCHBody: Buffer, outerCHAAD: Buffer, config: ECHConfig, configRaw: Buffer): {
     extensionData: Buffer;
@@ -144,4 +111,20 @@ export declare function echEncryptInner(innerCHBody: Buffer, outerCHAAD: Buffer,
     aeadId: number;
     configId: number;
 };
+/**
+ * Parse ECH retry configuration from a server's EncryptedExtensions.
+ *
+ * @param {Buffer} data - Serialized ECHConfigList from the retry_configs extension.
+ * @returns {ECHParameters | null} Parsed retry parameters, or `null` if invalid.
+ */
+export declare function parseECHRetryConfigs(data: Buffer): ECHParameters | null;
+/**
+ * Determine whether an ECH retry should be attempted.
+ *
+ * @param {number} retryCount - Number of retries already attempted.
+ * @param {number} maxRetries - Maximum allowed retries.
+ * @param {ECHParameters | null} retryConfigs - Retry ECH configs from the server.
+ * @returns {boolean} `true` if another retry is warranted.
+ */
+export declare function shouldRetryECH(retryCount: number, maxRetries: number, retryConfigs: ECHParameters | null): boolean;
 //# sourceMappingURL=ech.d.ts.map

package/dist/tls/ech.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"ech.d.ts","sourceRoot":"","sources":["../../src/tls/ech.ts"],"names":[],"mappings":"AAkBA;;GAEG;AACH,MAAM,WAAW,SAAS;IACxB,0CAA0C;IAC1C,OAAO,EAAE,MAAM,CAAC;IAChB,6BAA6B;IAC7B,MAAM,EAAE,MAAM,CAAC;IACf,kCAAkC;IAClC,QAAQ,EAAE,MAAM,CAAC;IACjB,uEAAuE;IACvE,UAAU,EAAE,MAAM,CAAC;CACpB;AAED;;GAEG;AACH,MAAM,WAAW,aAAa;IAC5B,yEAAyE;IACzE,aAAa,EAAE,MAAM,CAAC;IACtB,uFAAuF;IACvF,QAAQ,EAAE,MAAM,CAAC;IACjB,qCAAqC;IACrC,OAAO,EAAE,SAAS,EAAE,CAAC;CACtB;AAED;;GAEG;AACH,MAAM,WAAW,UAAU;IACzB;;;OAGG;IACH,OAAO,CAAC,EAAE,OAAO,CAAC;IAClB;;;OAGG;IACH,aAAa,CAAC,EAAE,MAAM,GAAG,MAAM,CAAC;IAChC;;;;OAIG;IACH,MAAM,CAAC,EAAE,OAAO,CAAC;CAClB;AAED;;;;;;;;;;;;;;;;;;;GAmBG;AACH,wBAAgB,kBAAkB,CAAC,IAAI,EAAE,MAAM,GAAG,aAAa,GAAG,IAAI,CAwCrE;AAgDD;;;;;;GAMG;AACH,wBAAgB,iBAAiB,IAAI,MAAM,CA0B1C;AAED,uDAAuD;AACvD,MAAM,WAAW,aAAa;IAC5B,QAAQ,EAAE,MAAM,CAAC;IACjB,KAAK,EAAE,MAAM,CAAC;IACd,SAAS,EAAE,MAAM,CAAC;IAClB,YAAY,EAAE,KAAK,CAAC;QAAE,KAAK,EAAE,MAAM,CAAC;QAAC,MAAM,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;CACxD;AAED;;;;;;;;;;;;GAYG;AACH,wBAAgB,kBAAkB,CAAC,QAAQ,EAAE,MAAM,GAAG,aAAa,GAAG,IAAI,CAiCzE;AAED;;;GAGG;AACH,wBAAgB,gBAAgB,CAAC,QAAQ,EAAE,MAAM,GAAG,MAAM,CAiBzD;AA2ID;;;;;;;;;;;;GAYG;AACH,wBAAgB,oBAAoB,CAAC,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,EAAE,GAAG,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,GAAG,MAAM,CAkB1H;AAED,mEAAmE;AACnE,MAAM,WAAW,mBAAmB;IAClC,oCAAoC;IACpC,MAAM,EAAE,SAAS,CAAC;IAClB,yEAAyE;IACzE,SAAS,EAAE,MAAM,CAAC;CACnB;AAED;;;GAGG;AACH,wBAAgB,wBAAwB,CAAC,aAAa,EAAE,MAAM,GAAG,MAAM,GAAG,IAAI,CAU7E;AAED;;;;;;;;;GASG;AACH,wBAAgB,eAAe,CAAC,WAAW,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,EAAE,MAAM,EAAE,SAAS,EAAE,SAAS,EAAE,MAAM,GAAG;IAAE,aAAa,EAAE,MAAM,CAAC;IAAC,GAAG,EAAE,MAAM,CAAC;IAAC,KAAK,EAAE,MAAM,CAAC;IAAC,MAAM,EAAE,MAAM,CAAC;IAAC,QAAQ,EAAE,MAAM,CAAA;CAAE,CAqBtM"}
+{"version":3,"file":"ech.d.ts","sourceRoot":"","sources":["../../src/tls/ech.ts"],"names":[],"mappings":"AAEA,oEAAoE;AACpE,MAAM,WAAW,SAAS;IACxB,qCAAqC;IACrC,OAAO,EAAE,MAAM,CAAC;IAChB,4CAA4C;IAC5C,MAAM,EAAE,MAAM,CAAC;IACf,uCAAuC;IACvC,QAAQ,EAAE,MAAM,CAAC;IACjB,yDAAyD;IACzD,UAAU,EAAE,MAAM,CAAC;CACpB;AAED,6DAA6D;AAC7D,MAAM,WAAW,aAAa;IAC5B,2CAA2C;IAC3C,aAAa,EAAE,MAAM,CAAC;IACtB,6DAA6D;IAC7D,QAAQ,EAAE,MAAM,CAAC;IACjB,4CAA4C;IAC5C,OAAO,EAAE,SAAS,EAAE,CAAC;CACtB;AAED,sDAAsD;AACtD,MAAM,WAAW,UAAU;IACzB,0BAA0B;IAC1B,OAAO,CAAC,EAAE,OAAO,CAAC;IAClB,sCAAsC;IACtC,aAAa,CAAC,EAAE,MAAM,GAAG,MAAM,CAAC;IAChC,oEAAoE;IACpE,MAAM,CAAC,EAAE,OAAO,CAAC;IACjB,4CAA4C;IAC5C,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB;AAED;;;;;GAKG;AACH,wBAAgB,kBAAkB,CAAC,IAAI,EAAE,MAAM,GAAG,aAAa,GAAG,IAAI,CAwCrE;AA4BD;;;;GAIG;AACH,wBAAgB,iBAAiB,IAAI,MAAM,CA0B1C;AAED,6DAA6D;AAC7D,MAAM,WAAW,aAAa;IAC5B,qCAAqC;IACrC,QAAQ,EAAE,MAAM,CAAC;IACjB,8CAA8C;IAC9C,KAAK,EAAE,MAAM,CAAC;IACd,mCAAmC;IACnC,SAAS,EAAE,MAAM,CAAC;IAClB,iDAAiD;IACjD,YAAY,EAAE,KAAK,CAAC;QAAE,KAAK,EAAE,MAAM,CAAC;QAAC,MAAM,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;CACxD;AAED;;;;;GAKG;AACH,wBAAgB,kBAAkB,CAAC,QAAQ,EAAE,MAAM,GAAG,aAAa,GAAG,IAAI,CAiCzE;AAED;;;;;GAKG;AACH,wBAAgB,gBAAgB,CAAC,QAAQ,EAAE,MAAM,GAAG,MAAM,CAiBzD;AA8HD;;;;;;;;;GASG;AACH,wBAAgB,oBAAoB,CAAC,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,EAAE,GAAG,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,GAAG,MAAM,CAkB1H;AAED,oEAAoE;AACpE,MAAM,WAAW,mBAAmB;IAClC,wCAAwC;IACxC,MAAM,EAAE,SAAS,CAAC;IAClB,8EAA8E;IAC9E,SAAS,EAAE,MAAM,CAAC;CACnB;AAED;;;;;GAKG;AACH,wBAAgB,wBAAwB,CAAC,aAAa,EAAE,MAAM,GAAG,MAAM,GAAG,IAAI,CAU7E;AAED;;;;;;;;GAQG;AACH,wBAAgB,eAAe,CAAC,WAAW,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,EAAE,MAAM,EAAE,SAAS,EAAE,SAAS,EAAE,MAAM,GAAG;IAAE,aAAa,EAAE,MAAM,CAAC;IAAC,GAAG,EAAE,MAAM,CAAC;IAAC,KAAK,EAAE,MAAM,CAAC;IAAC,MAAM,EAAE,MAAM,CAAC;IAAC,QAAQ,EAAE,MAAM,CAAA;CAAE,CAqBtM;AAED;;;;;GAKG;AACH,wBAAgB,oBAAoB,CAAC,IAAI,EAAE,MAAM,GAAG,aAAa,GAAG,IAAI,CAEvE;AAED;;;;;;;GAOG;AACH,wBAAgB,cAAc,CAAC,UAAU,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,EAAE,YAAY,EAAE,aAAa,GAAG,IAAI,GAAG,OAAO,CAIlH"}