secretvm-verify 0.1.0
- package/README.md +312 -0
- package/dist/agent.d.ts +29 -0
- package/dist/agent.js +353 -0
- package/dist/agent.js.map +1 -0
- package/dist/amd.d.ts +2 -0
- package/dist/amd.js +287 -0
- package/dist/amd.js.map +1 -0
- package/dist/artifacts.d.ts +35 -0
- package/dist/artifacts.js +105 -0
- package/dist/artifacts.js.map +1 -0
- package/dist/chains.d.ts +15 -0
- package/dist/chains.js +50 -0
- package/dist/chains.js.map +1 -0
- package/dist/cli.d.ts +2 -0
- package/dist/cli.js +318 -0
- package/dist/cli.js.map +1 -0
- package/dist/cpu.d.ts +9 -0
- package/dist/cpu.js +54 -0
- package/dist/cpu.js.map +1 -0
- package/dist/index.d.ts +15 -0
- package/dist/index.js +10 -0
- package/dist/index.js.map +1 -0
- package/dist/nvidia.d.ts +2 -0
- package/dist/nvidia.js +182 -0
- package/dist/nvidia.js.map +1 -0
- package/dist/rtmr.d.ts +10 -0
- package/dist/rtmr.js +45 -0
- package/dist/rtmr.js.map +1 -0
- package/dist/sevGctx.d.ts +38 -0
- package/dist/sevGctx.js +213 -0
- package/dist/sevGctx.js.map +1 -0
- package/dist/tdx.d.ts +11 -0
- package/dist/tdx.js +371 -0
- package/dist/tdx.js.map +1 -0
- package/dist/types.d.ts +18 -0
- package/dist/types.js +11 -0
- package/dist/types.js.map +1 -0
- package/dist/vm.d.ts +6 -0
- package/dist/vm.js +208 -0
- package/dist/vm.js.map +1 -0
- package/dist/workload.d.ts +62 -0
- package/dist/workload.js +253 -0
- package/dist/workload.js.map +1 -0
- package/package.json +39 -0
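--- a/package/dist/cli.js
+++ b/package/dist/cli.js
@@ -0,0 +1,318 @@
+#!/usr/bin/env node
+import { readFileSync } from "node:fs";
+import { checkSecretVm, checkCpuAttestation, checkTdxCpuAttestation, checkSevCpuAttestation, checkNvidiaGpuAttestation, detectCpuQuoteType, resolveSecretVmVersion, resolveAmdSevVersion, verifyWorkload, formatWorkloadResult, } from "./index.js";
+import { verifyAgent, checkAgent } from "./agent.js";
+const args = process.argv.slice(2);
+function getFlag(name) {
+return args.includes(name);
+}
+function getFlagValue(name) {
+const idx = args.indexOf(name);
+if (idx >= 0 && idx + 1 < args.length)
+return args[idx + 1];
+return undefined;
+}
+function getPositional() {
+return args.find((a) => !a.startsWith("--") && a !== "-v" && a !== "-rv" && a !== "-vw");
+}
+const raw = getFlag("--raw");
+const verbose = getFlag("--verbose") || getFlag("-v");
+const product = getFlagValue("--product") ?? "";
+const USAGE = `Usage: secretvm-verify <command> <value> [--product NAME] [--raw] [--verbose|-v]
+
+Commands:
+--secretvm <url> Verify a Secret VM (CPU + GPU + TLS binding)
+--cpu <file> Verify a CPU quote (auto-detect TDX vs SEV-SNP)
+--tdx <file> Verify an Intel TDX quote
+--sev <file> Verify an AMD SEV-SNP report
+--gpu <file> Verify an NVIDIA GPU attestation
+--resolve-version, -rv <file> Resolve SecretVM version from TDX or AMD SEV-SNP quote
+--verify-workload, -vw <file> --compose <file>
+Verify TDX or AMD SEV-SNP workload against a docker-compose.yaml
+--check-agent <id> --chain <name>
+Resolve and verify an ERC-8004 agent on-chain
+--agent <file> Verify an ERC-8004 agent from a metadata JSON file
+
+Options:
+--chain NAME Chain name for --check-agent (e.g. base, ethereum, arbitrum)
+--product NAME AMD product name (Genoa, Milan, Turin)
+--raw Output raw JSON result
+--verbose, -v Print all attestation report fields
+
+Examples:
+secretvm-verify --secretvm yellow-krill.vm.scrtlabs.com
+secretvm-verify --tdx cpu_quote.txt
+secretvm-verify --sev amd_cpu_quote.txt --product Genoa
+secretvm-verify --gpu gpu_attest.txt
+secretvm-verify --cpu cpu_quote.txt --raw
+secretvm-verify --resolve-version cpu_quote.txt
+secretvm-verify --verify-workload cpu_quote.txt --compose docker-compose.yaml`;
+// Determine which command to run
+let result;
+if (getFlag("--secretvm")) {
+const url = getFlagValue("--secretvm") ?? getPositional();
+if (!url) {
+console.log(USAGE);
+process.exit(1);
+}
+if (!raw)
+console.log(`Checking attestation for ${url} ...\n`);
+result = await checkSecretVm(url, product);
+}
+else if (getFlag("--cpu")) {
+const file = getFlagValue("--cpu") ?? getPositional();
+if (!file) {
+console.log(USAGE);
+process.exit(1);
+}
+if (!raw)
+console.log(`Verifying CPU quote from ${file} ...\n`);
+result = await checkCpuAttestation(readFileSync(file, "utf8"), product);
+}
+else if (getFlag("--tdx")) {
+const file = getFlagValue("--tdx") ?? getPositional();
+if (!file) {
+console.log(USAGE);
+process.exit(1);
+}
+if (!raw)
+console.log(`Verifying TDX quote from ${file} ...\n`);
+result = await checkTdxCpuAttestation(readFileSync(file, "utf8"));
+}
+else if (getFlag("--sev")) {
+const file = getFlagValue("--sev") ?? getPositional();
+if (!file) {
+console.log(USAGE);
+process.exit(1);
+}
+if (!raw)
+console.log(`Verifying AMD SEV-SNP report from ${file} ...\n`);
+result = await checkSevCpuAttestation(readFileSync(file, "utf8"), product);
+}
+else if (getFlag("--gpu")) {
+const file = getFlagValue("--gpu") ?? getPositional();
+if (!file) {
+console.log(USAGE);
+process.exit(1);
+}
+if (!raw)
+console.log(`Verifying NVIDIA GPU attestation from ${file} ...\n`);
+result = await checkNvidiaGpuAttestation(readFileSync(file, "utf8"));
+}
+else if (getFlag("--resolve-version") || getFlag("-rv")) {
+const file = getFlagValue("--resolve-version") ?? getFlagValue("-rv") ?? getPositional();
+if (!file) {
+console.log(USAGE);
+process.exit(1);
+}
+const quoteData = readFileSync(file, "utf8");
+const quoteType = detectCpuQuoteType(quoteData);
+if (quoteType === "SEV-SNP") {
+// Step 1: cryptographic quote verification
+const quoteResult = await checkSevCpuAttestation(quoteData, product);
+// Step 2: registry lookup
+const version = resolveAmdSevVersion(quoteData);
+if (raw) {
+console.log(JSON.stringify({ quote: quoteResult, version }, null, 2));
+process.exit(quoteResult.valid && !!version ? 0 : 1);
+}
+if (!quoteResult.valid) {
+console.log("🚫 Quote cryptographic verification failed");
+process.exit(1);
+}
+if (version) {
+console.log(`✅ Authentic SecretVM confirmed`);
+console.log(`Template: ${version.template_name}`);
+console.log(`VM type: ${version.vm_type}`);
+console.log(`Version: ${version.artifacts_ver}`);
+}
+else {
+console.log("🚫 SecretVM artifacts not found in registry (unknown version)");
+}
+process.exit(quoteResult.valid && !!version ? 0 : 1);
+}
+else {
+const quoteResult = await checkTdxCpuAttestation(quoteData);
+const version = resolveSecretVmVersion(quoteData);
+if (raw) {
+console.log(JSON.stringify({ quote: quoteResult, version }, null, 2));
+process.exit(quoteResult.valid && !!version ? 0 : 1);
+}
+if (!quoteResult.valid) {
+console.log("🚫 Attestation doesn't belong to an authentic SecretVM");
+process.exit(1);
+}
+if (version) {
+console.log(`Template: ${version.template_name}`);
+console.log(`Version: ${version.artifacts_ver}`);
+}
+else {
+console.log("No matching SecretVM version found in registry.");
+}
+process.exit(!!version ? 0 : 1);
+}
+}
+else if (getFlag("--verify-workload") || getFlag("-vw")) {
+const quoteFile = getFlagValue("--verify-workload") ?? getFlagValue("-vw") ?? getPositional();
+const composeFile = getFlagValue("--compose");
+if (!quoteFile || !composeFile) {
+console.log(USAGE);
+process.exit(1);
+}
+const quoteData = readFileSync(quoteFile, "utf8");
+const composeData = readFileSync(composeFile, "utf8");
+const quoteType = detectCpuQuoteType(quoteData);
+if (quoteType === "SEV-SNP") {
+// Step 1: cryptographic quote verification
+const quoteResult = await checkSevCpuAttestation(quoteData, product);
+if (raw) {
+const workloadResult = verifyWorkload(quoteData, composeData);
+console.log(JSON.stringify({ quote: quoteResult, workload: workloadResult }, null, 2));
+process.exit(quoteResult.valid && workloadResult.status === "authentic_match" ? 0 : 1);
+}
+if (!quoteResult.valid) {
+console.log("🚫 Quote cryptographic verification failed");
+process.exit(1);
+}
+// Step 2: registry lookup — confirms this is a known SecretVM
+const version = resolveAmdSevVersion(quoteData);
+if (!version) {
+console.log("🚫 SecretVM artifacts not found in registry (unknown version)");
+process.exit(1);
+}
+console.log(`✅ Authentic SecretVM confirmed: ${version.vm_type}/${version.template_name} ${version.artifacts_ver}`);
+// Step 3: workload (compose hash) verification
+const workloadResult = verifyWorkload(quoteData, composeData);
+if (workloadResult.status === "authentic_match") {
+console.log("✅ Confirmed that the VM is running the specified docker-compose.yaml");
+}
+else {
+console.log("🚫 Attestation does not match the specified docker-compose.yaml");
+}
+process.exit(workloadResult.status === "authentic_match" ? 0 : 1);
+}
+else {
+const quoteResult = await checkTdxCpuAttestation(quoteData);
+if (raw) {
+const workloadResult = verifyWorkload(quoteData, composeData);
+console.log(JSON.stringify({ quote: quoteResult, workload: workloadResult }, null, 2));
+process.exit(quoteResult.valid && workloadResult.status === "authentic_match" ? 0 : 1);
+}
+if (!quoteResult.valid) {
+console.log("🚫 Attestation doesn't belong to an authentic SecretVM");
+process.exit(1);
+}
+const workloadResult = verifyWorkload(quoteData, composeData);
+console.log(formatWorkloadResult(workloadResult));
+process.exit(workloadResult.status === "authentic_match" ? 0 : 1);
+}
+}
+else if (getFlag("--check-agent")) {
+const id = getFlagValue("--check-agent");
+const chain = getFlagValue("--chain");
+if (!id || !chain) {
+console.log(USAGE);
+process.exit(1);
+}
+if (!raw)
+console.log(`Resolving and verifying agent ${id} on ${chain} ...\n`);
+result = await checkAgent(Number(id), chain);
+}
+else if (getFlag("--agent")) {
+const file = getFlagValue("--agent") ?? getPositional();
+if (!file) {
+console.log(USAGE);
+process.exit(1);
+}
+const metadata = JSON.parse(readFileSync(file, "utf8"));
+if (!raw)
+console.log(`Verifying agent "${metadata.name}" ...\n`);
+result = await verifyAgent(metadata);
+}
+else {
+// Legacy: bare URL defaults to --secretvm
+const url = getPositional();
+if (!url) {
+console.log(USAGE);
+process.exit(1);
+}
+if (!raw)
+console.log(`Checking attestation for ${url} ...\n`);
+result = await checkSecretVm(url, product);
+}
+// Output
+if (raw) {
+console.log(JSON.stringify(result, null, 2));
+process.exit(result.valid ? 0 : 1);
+}
+console.log("Checks:");
+for (const [name, passed] of Object.entries(result.checks)) {
+if (name === "gpu_quote_fetched" && !passed) {
+console.log(` ${"gpu:".padEnd(35)} GPU not present`);
+continue;
+}
+const status = passed ? "PASS" : "FAIL";
+console.log(` ${(name + ":").padEnd(35)} ${status}`);
+}
+const report = result.report;
+// Secret VM specific fields
+if (report.cpu_type)
+console.log(`\nCPU type: ${report.cpu_type}`);
+if (report.tls_fingerprint)
+console.log(`TLS fingerprint: ${report.tls_fingerprint}`);
+// CPU fields (direct or nested under cpu)
+const cpu = report.cpu ?? report;
+if (cpu.report_data)
+console.log(`Report data: ${cpu.report_data}`);
+if (cpu.measurement)
+console.log(`Measurement: ${cpu.measurement}`);
+if (cpu.mr_td)
+console.log(`MR TD: ${cpu.mr_td}`);
+if (cpu.tcb_status)
+console.log(`TCB status: ${cpu.tcb_status}`);
+if (cpu.product)
+console.log(`AMD product: ${cpu.product}`);
+if (cpu.chip_id)
+console.log(`Chip ID: ${cpu.chip_id}`);
+if (cpu.fmspc)
+console.log(`FMSPC: ${cpu.fmspc}`);
+// GPU fields (direct or nested under gpu)
+const gpu = report.gpu ?? report;
+if (gpu.overall_result !== undefined)
+console.log(`\nGPU overall result: ${gpu.overall_result}`);
+if (gpu.gpus) {
+for (const [gpuId, info] of Object.entries(gpu.gpus)) {
+console.log(`\n${gpuId}:`);
+console.log(` Model: ${info.model}`);
+console.log(` Driver: ${info.driver_version}`);
+console.log(` Secure boot: ${info.secure_boot}`);
+}
+}
+// Verbose: print all report fields
+if (verbose) {
+console.log("\nAll attestation report fields:");
+for (const [key, value] of Object.entries(report)) {
+if (typeof value === "object" && value !== null) {
+console.log(` ${key}:`);
+for (const [subKey, subValue] of Object.entries(value)) {
+if (typeof subValue === "object" && subValue !== null) {
+console.log(` ${subKey}: ${JSON.stringify(subValue)}`);
+}
+else {
+console.log(` ${subKey}: ${subValue}`);
+}
+}
+}
+else {
+console.log(` ${key}: ${value}`);
+}
+}
+}
+if (result.errors.length > 0) {
+console.log("\nErrors:");
+for (const err of result.errors)
+console.log(` - ${err}`);
+}
+console.log(`\n${result.valid ? "PASSED" : "FAILED"}`);
+process.exit(result.valid ? 0 : 1);
+//# sourceMappingURL=cli.js.map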
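Review bot: In the SEV-SNP branch of `--verify-workload`, the `--raw` path exits 0 on `quoteResult.valid && workloadResult.status === "authentic_match"` without ever calling `resolveAmdSevVersion`, while the human-readable path just below treats a missing registry entry as a hard failure. Scripts are the likely consumers of `--raw` and its exit code, so a quote that verifies cryptographically but is not a known SecretVM build could pass in automation and fail interactively (unless `verifyWorkload` performs the same registry check internally, which this file does not show). Resolve the version before the `if (raw)` block, include it in the JSON, and gate the exit on it: `process.exit(quoteResult.valid && !!version && workloadResult.status === "authentic_match" ? 0 : 1);`. Separately, `checkAgent(Number(id), chain)` passes `NaN` for non-numeric input and loses precision above 2^53, so the id should be validated as a non-negative integer before the lookup so that the agent verified is the one the operator named.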
package/dist/cli.js.map
ADDED
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"cli.js","sourceRoot":"","sources":["../src/cli.ts"],"names":[],"mappings":";AACA,OAAO,EAAE,YAAY,EAAE,MAAM,SAAS,CAAC;AACvC,OAAO,EACL,aAAa,EACb,mBAAmB,EACnB,sBAAsB,EACtB,sBAAsB,EACtB,yBAAyB,EACzB,kBAAkB,EAClB,sBAAsB,EACtB,oBAAoB,EACpB,cAAc,EACd,oBAAoB,GACrB,MAAM,YAAY,CAAC;AACpB,OAAO,EAAgB,WAAW,EAAE,UAAU,EAAE,MAAM,YAAY,CAAC;AAGnE,MAAM,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;AAEnC,SAAS,OAAO,CAAC,IAAY;IAC3B,OAAO,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC;AAC7B,CAAC;AAED,SAAS,YAAY,CAAC,IAAY;IAChC,MAAM,GAAG,GAAG,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;IAC/B,IAAI,GAAG,IAAI,CAAC,IAAI,GAAG,GAAG,CAAC,GAAG,IAAI,CAAC,MAAM;QAAE,OAAO,IAAI,CAAC,GAAG,GAAG,CAAC,CAAC,CAAC;IAC5D,OAAO,SAAS,CAAC;AACnB,CAAC;AAED,SAAS,aAAa;IACpB,OAAO,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,KAAK,IAAI,IAAI,CAAC,KAAK,KAAK,IAAI,CAAC,KAAK,KAAK,CAAC,CAAC;AAC3F,CAAC;AAED,MAAM,GAAG,GAAG,OAAO,CAAC,OAAO,CAAC,CAAC;AAC7B,MAAM,OAAO,GAAG,OAAO,CAAC,WAAW,CAAC,IAAI,OAAO,CAAC,IAAI,CAAC,CAAC;AACtD,MAAM,OAAO,GAAG,YAAY,CAAC,WAAW,CAAC,IAAI,EAAE,CAAC;AAEhD,MAAM,KAAK,GAAG;;;;;;;;;;;;;;;;;;;;;;;;;;;;gFA4BkE,CAAC;AAEjF,iCAAiC;AACjC,IAAI,MAAyB,CAAC;AAE9B,IAAI,OAAO,CAAC,YAAY,CAAC,EAAE,CAAC;IAC1B,MAAM,GAAG,GAAG,YAAY,CAAC,YAAY,CAAC,IAAI,aAAa,EAAE,CAAC;IAC1D,IAAI,CAAC,GAAG,EAAE,CAAC;QACT,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;QACnB,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;IACD,IAAI,CAAC,GAAG;QAAE,OAAO,CAAC,GAAG,CAAC,4BAA4B,GAAG,QAAQ,CAAC,CAAC;IAC/D,MAAM,GAAG,MAAM,aAAa,CAAC,GAAG,EAAE,OAAO,CAAC,CAAC;AAC7C,CAAC;KAAM,IAAI,OAAO,CAAC,OAAO,CAAC,EAAE,CAAC;IAC5B,MAAM,IAAI,GAAG,YAAY,CAAC,OAAO,CAAC,IAAI,aAAa,EAAE,CAAC;IACtD,IAAI,CAAC,IAAI,EAAE,CAAC;QACV,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;QACnB,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;IACD,IAAI,CAAC,GAAG;QAAE,OAAO,CAAC,GAAG,CAAC,4BAA4B,IAAI,QAAQ,CAAC,CAAC;IAChE,MAAM,GAAG,MAAM,mBAAmB,CAAC,YAAY,CAAC,IAAI,EAAE,MAAM,CAAC,EAAE,OAAO,CAAC,CAAC;AAC1E,CAAC;KAAM,IAAI,OAAO,CAAC,OAAO,CAAC,EAAE,CAAC;IAC5B,MAAM,IAAI,GAAG,YAAY,CAAC,OAA
O,CAAC,IAAI,aAAa,EAAE,CAAC;IACtD,IAAI,CAAC,IAAI,EAAE,CAAC;QACV,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;QACnB,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;IACD,IAAI,CAAC,GAAG;QAAE,OAAO,CAAC,GAAG,CAAC,4BAA4B,IAAI,QAAQ,CAAC,CAAC;IAChE,MAAM,GAAG,MAAM,sBAAsB,CAAC,YAAY,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC,CAAC;AACpE,CAAC;KAAM,IAAI,OAAO,CAAC,OAAO,CAAC,EAAE,CAAC;IAC5B,MAAM,IAAI,GAAG,YAAY,CAAC,OAAO,CAAC,IAAI,aAAa,EAAE,CAAC;IACtD,IAAI,CAAC,IAAI,EAAE,CAAC;QACV,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;QACnB,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;IACD,IAAI,CAAC,GAAG;QAAE,OAAO,CAAC,GAAG,CAAC,qCAAqC,IAAI,QAAQ,CAAC,CAAC;IACzE,MAAM,GAAG,MAAM,sBAAsB,CAAC,YAAY,CAAC,IAAI,EAAE,MAAM,CAAC,EAAE,OAAO,CAAC,CAAC;AAC7E,CAAC;KAAM,IAAI,OAAO,CAAC,OAAO,CAAC,EAAE,CAAC;IAC5B,MAAM,IAAI,GAAG,YAAY,CAAC,OAAO,CAAC,IAAI,aAAa,EAAE,CAAC;IACtD,IAAI,CAAC,IAAI,EAAE,CAAC;QACV,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;QACnB,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;IACD,IAAI,CAAC,GAAG;QAAE,OAAO,CAAC,GAAG,CAAC,yCAAyC,IAAI,QAAQ,CAAC,CAAC;IAC7E,MAAM,GAAG,MAAM,yBAAyB,CAAC,YAAY,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC,CAAC;AACvE,CAAC;KAAM,IAAI,OAAO,CAAC,mBAAmB,CAAC,IAAI,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC;IAC1D,MAAM,IAAI,GAAG,YAAY,CAAC,mBAAmB,CAAC,IAAI,YAAY,CAAC,KAAK,CAAC,IAAI,aAAa,EAAE,CAAC;IACzF,IAAI,CAAC,IAAI,EAAE,CAAC;QACV,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;QACnB,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;IACD,MAAM,SAAS,GAAG,YAAY,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC;IAC7C,MAAM,SAAS,GAAG,kBAAkB,CAAC,SAAS,CAAC,CAAC;IAChD,IAAI,SAAS,KAAK,SAAS,EAAE,CAAC;QAC5B,2CAA2C;QAC3C,MAAM,WAAW,GAAG,MAAM,sBAAsB,CAAC,SAAS,EAAE,OAAO,CAAC,CAAC;QACrE,0BAA0B;QAC1B,MAAM,OAAO,GAAG,oBAAoB,CAAC,SAAS,CAAC,CAAC;QAChD,IAAI,GAAG,EAAE,CAAC;YACR,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,WAAW,EAAE,OAAO,EAAE,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC;YACtE,OAAO,CAAC,IAAI,CAAC,WAAW,CAAC,KAAK,IAAI,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;QACvD,CAAC;QACD,IAAI,CAAC,WAAW,CAAC,KAAK,EAAE,CAAC;YACvB,OAAO,CAAC,GAAG,CAAC,4CAA4C,CAAC,CAAC;YAC1D,OAAO,CAAC,IAAI,CAA
C,CAAC,CAAC,CAAC;QAClB,CAAC;QACD,IAAI,OAAO,EAAE,CAAC;YACZ,OAAO,CAAC,GAAG,CAAC,gCAAgC,CAAC,CAAC;YAC9C,OAAO,CAAC,GAAG,CAAC,aAAa,OAAO,CAAC,aAAa,EAAE,CAAC,CAAC;YAClD,OAAO,CAAC,GAAG,CAAC,aAAa,OAAO,CAAC,OAAO,EAAE,CAAC,CAAC;YAC5C,OAAO,CAAC,GAAG,CAAC,aAAa,OAAO,CAAC,aAAa,EAAE,CAAC,CAAC;QACpD,CAAC;aAAM,CAAC;YACN,OAAO,CAAC,GAAG,CAAC,+DAA+D,CAAC,CAAC;QAC/E,CAAC;QACD,OAAO,CAAC,IAAI,CAAC,WAAW,CAAC,KAAK,IAAI,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;IACvD,CAAC;SAAM,CAAC;QACN,MAAM,WAAW,GAAG,MAAM,sBAAsB,CAAC,SAAS,CAAC,CAAC;QAC5D,MAAM,OAAO,GAAG,sBAAsB,CAAC,SAAS,CAAC,CAAC;QAClD,IAAI,GAAG,EAAE,CAAC;YACR,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,WAAW,EAAE,OAAO,EAAE,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC;YACtE,OAAO,CAAC,IAAI,CAAC,WAAW,CAAC,KAAK,IAAI,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;QACvD,CAAC;QACD,IAAI,CAAC,WAAW,CAAC,KAAK,EAAE,CAAC;YACvB,OAAO,CAAC,GAAG,CAAC,wDAAwD,CAAC,CAAC;YACtE,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAClB,CAAC;QACD,IAAI,OAAO,EAAE,CAAC;YACZ,OAAO,CAAC,GAAG,CAAC,aAAa,OAAO,CAAC,aAAa,EAAE,CAAC,CAAC;YAClD,OAAO,CAAC,GAAG,CAAC,aAAa,OAAO,CAAC,aAAa,EAAE,CAAC,CAAC;QACpD,CAAC;aAAM,CAAC;YACN,OAAO,CAAC,GAAG,CAAC,iDAAiD,CAAC,CAAC;QACjE,CAAC;QACD,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;IAClC,CAAC;AACH,CAAC;KAAM,IAAI,OAAO,CAAC,mBAAmB,CAAC,IAAI,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC;IAC1D,MAAM,SAAS,GAAG,YAAY,CAAC,mBAAmB,CAAC,IAAI,YAAY,CAAC,KAAK,CAAC,IAAI,aAAa,EAAE,CAAC;IAC9F,MAAM,WAAW,GAAG,YAAY,CAAC,WAAW,CAAC,CAAC;IAC9C,IAAI,CAAC,SAAS,IAAI,CAAC,WAAW,EAAE,CAAC;QAC/B,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;QACnB,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;IACD,MAAM,SAAS,GAAG,YAAY,CAAC,SAAS,EAAE,MAAM,CAAC,CAAC;IAClD,MAAM,WAAW,GAAG,YAAY,CAAC,WAAW,EAAE,MAAM,CAAC,CAAC;IACtD,MAAM,SAAS,GAAG,kBAAkB,CAAC,SAAS,CAAC,CAAC;IAChD,IAAI,SAAS,KAAK,SAAS,EAAE,CAAC;QAC5B,2CAA2C;QAC3C,MAAM,WAAW,GAAG,MAAM,sBAAsB,CAAC,SAAS,EAAE,OAAO,CAAC,CAAC;QACrE,IAAI,GAAG,EAAE,CAAC;YACR,MAAM,cAAc,GAAG,cAAc,CAAC,SAAS,EAAE,WAAW,CAAC,C
AAC;YAC9D,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,WAAW,EAAE,QAAQ,EAAE,cAAc,EAAE,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC;YACvF,OAAO,CAAC,IAAI,CAAC,WAAW,CAAC,KAAK,IAAI,cAAc,CAAC,MAAM,KAAK,iBAAiB,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;QACzF,CAAC;QACD,IAAI,CAAC,WAAW,CAAC,KAAK,EAAE,CAAC;YACvB,OAAO,CAAC,GAAG,CAAC,4CAA4C,CAAC,CAAC;YAC1D,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAClB,CAAC;QACD,8DAA8D;QAC9D,MAAM,OAAO,GAAG,oBAAoB,CAAC,SAAS,CAAC,CAAC;QAChD,IAAI,CAAC,OAAO,EAAE,CAAC;YACb,OAAO,CAAC,GAAG,CAAC,+DAA+D,CAAC,CAAC;YAC7E,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAClB,CAAC;QACD,OAAO,CAAC,GAAG,CAAC,mCAAmC,OAAO,CAAC,OAAO,IAAI,OAAO,CAAC,aAAa,IAAI,OAAO,CAAC,aAAa,EAAE,CAAC,CAAC;QACpH,+CAA+C;QAC/C,MAAM,cAAc,GAAG,cAAc,CAAC,SAAS,EAAE,WAAW,CAAC,CAAC;QAC9D,IAAI,cAAc,CAAC,MAAM,KAAK,iBAAiB,EAAE,CAAC;YAChD,OAAO,CAAC,GAAG,CAAC,sEAAsE,CAAC,CAAC;QACtF,CAAC;aAAM,CAAC;YACN,OAAO,CAAC,GAAG,CAAC,iEAAiE,CAAC,CAAC;QACjF,CAAC;QACD,OAAO,CAAC,IAAI,CAAC,cAAc,CAAC,MAAM,KAAK,iBAAiB,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;IACpE,CAAC;SAAM,CAAC;QACN,MAAM,WAAW,GAAG,MAAM,sBAAsB,CAAC,SAAS,CAAC,CAAC;QAC5D,IAAI,GAAG,EAAE,CAAC;YACR,MAAM,cAAc,GAAG,cAAc,CAAC,SAAS,EAAE,WAAW,CAAC,CAAC;YAC9D,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,WAAW,EAAE,QAAQ,EAAE,cAAc,EAAE,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC;YACvF,OAAO,CAAC,IAAI,CAAC,WAAW,CAAC,KAAK,IAAI,cAAc,CAAC,MAAM,KAAK,iBAAiB,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;QACzF,CAAC;QACD,IAAI,CAAC,WAAW,CAAC,KAAK,EAAE,CAAC;YACvB,OAAO,CAAC,GAAG,CAAC,wDAAwD,CAAC,CAAC;YACtE,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAClB,CAAC;QACD,MAAM,cAAc,GAAG,cAAc,CAAC,SAAS,EAAE,WAAW,CAAC,CAAC;QAC9D,OAAO,CAAC,GAAG,CAAC,oBAAoB,CAAC,cAAc,CAAC,CAAC,CAAC;QAClD,OAAO,CAAC,IAAI,CAAC,cAAc,CAAC,MAAM,KAAK,iBAAiB,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;IACpE,CAAC;AACH,CAAC;KAAM,IAAI,OAAO,CAAC,eAAe,CAAC,EAAE,CAAC;IACpC,MAAM,EAAE,GAAG,YAAY,CAAC,eAAe,CAAC,CAAC;IACzC,MAAM,KAAK,GAAG,YAAY,CAAC,SAAS,CAAC,CAAC;IACtC,IAAI,CAAC,EAAE,IAAI,CAAC,KAAK,EAAE,CAAC;QAClB,OAAO,CAA
C,GAAG,CAAC,KAAK,CAAC,CAAC;QACnB,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;IACD,IAAI,CAAC,GAAG;QAAE,OAAO,CAAC,GAAG,CAAC,iCAAiC,EAAE,OAAO,KAAK,QAAQ,CAAC,CAAC;IAC/E,MAAM,GAAG,MAAM,UAAU,CAAC,MAAM,CAAC,EAAE,CAAC,EAAE,KAAK,CAAC,CAAC;AAC/C,CAAC;KAAM,IAAI,OAAO,CAAC,SAAS,CAAC,EAAE,CAAC;IAC9B,MAAM,IAAI,GAAG,YAAY,CAAC,SAAS,CAAC,IAAI,aAAa,EAAE,CAAC;IACxD,IAAI,CAAC,IAAI,EAAE,CAAC;QACV,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;QACnB,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;IACD,MAAM,QAAQ,GAAG,IAAI,CAAC,KAAK,CAAC,YAAY,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC,CAAC;IACxD,IAAI,CAAC,GAAG;QAAE,OAAO,CAAC,GAAG,CAAC,oBAAoB,QAAQ,CAAC,IAAI,SAAS,CAAC,CAAC;IAClE,MAAM,GAAG,MAAM,WAAW,CAAC,QAAQ,CAAC,CAAC;AACvC,CAAC;KAAM,CAAC;IACN,0CAA0C;IAC1C,MAAM,GAAG,GAAG,aAAa,EAAE,CAAC;IAC5B,IAAI,CAAC,GAAG,EAAE,CAAC;QACT,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;QACnB,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;IACD,IAAI,CAAC,GAAG;QAAE,OAAO,CAAC,GAAG,CAAC,4BAA4B,GAAG,QAAQ,CAAC,CAAC;IAC/D,MAAM,GAAG,MAAM,aAAa,CAAC,GAAG,EAAE,OAAO,CAAC,CAAC;AAC7C,CAAC;AAED,SAAS;AACT,IAAI,GAAG,EAAE,CAAC;IACR,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,MAAM,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC;IAC7C,OAAO,CAAC,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;AACrC,CAAC;AAED,OAAO,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;AACvB,KAAK,MAAM,CAAC,IAAI,EAAE,MAAM,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC,MAAM,CAAC,EAAE,CAAC;IAC3D,IAAI,IAAI,KAAK,mBAAmB,IAAI,CAAC,MAAM,EAAE,CAAC;QAC5C,OAAO,CAAC,GAAG,CAAC,KAAK,MAAM,CAAC,MAAM,CAAC,EAAE,CAAC,kBAAkB,CAAC,CAAC;QACtD,SAAS;IACX,CAAC;IACD,MAAM,MAAM,GAAG,MAAM,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,MAAM,CAAC;IACxC,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,IAAI,GAAG,GAAG,CAAC,CAAC,MAAM,CAAC,EAAE,CAAC,IAAI,MAAM,EAAE,CAAC,CAAC;AACxD,CAAC;AAED,MAAM,MAAM,GAAG,MAAM,CAAC,MAAM,CAAC;AAE7B,4BAA4B;AAC5B,IAAI,MAAM,CAAC,QAAQ;IAAE,OAAO,CAAC,GAAG,CAAC,eAAe,MAAM,CAAC,QAAQ,EAAE,CAAC,CAAC;AACnE,IAAI,MAAM,CAAC,eAAe;IAAE,OAAO,CAAC,GAAG,CAAC,oBAAoB,MAAM,CAAC,eAAe,EAAE,CAAC,CAAC;AAEtF,0CAA0C;AAC1C,MAAM,GAAG,GAAG,MAAM,CAAC,GAAG,IAAI,MAAM,CAAC;AACjC
,IAAI,GAAG,CAAC,WAAW;IAAE,OAAO,CAAC,GAAG,CAAC,gBAAgB,GAAG,CAAC,WAAW,EAAE,CAAC,CAAC;AACpE,IAAI,GAAG,CAAC,WAAW;IAAE,OAAO,CAAC,GAAG,CAAC,gBAAgB,GAAG,CAAC,WAAW,EAAE,CAAC,CAAC;AACpE,IAAI,GAAG,CAAC,KAAK;IAAE,OAAO,CAAC,GAAG,CAAC,UAAU,GAAG,CAAC,KAAK,EAAE,CAAC,CAAC;AAClD,IAAI,GAAG,CAAC,UAAU;IAAE,OAAO,CAAC,GAAG,CAAC,eAAe,GAAG,CAAC,UAAU,EAAE,CAAC,CAAC;AACjE,IAAI,GAAG,CAAC,OAAO;IAAE,OAAO,CAAC,GAAG,CAAC,gBAAgB,GAAG,CAAC,OAAO,EAAE,CAAC,CAAC;AAC5D,IAAI,GAAG,CAAC,OAAO;IAAE,OAAO,CAAC,GAAG,CAAC,YAAY,GAAG,CAAC,OAAO,EAAE,CAAC,CAAC;AACxD,IAAI,GAAG,CAAC,KAAK;IAAE,OAAO,CAAC,GAAG,CAAC,UAAU,GAAG,CAAC,KAAK,EAAE,CAAC,CAAC;AAElD,0CAA0C;AAC1C,MAAM,GAAG,GAAG,MAAM,CAAC,GAAG,IAAI,MAAM,CAAC;AACjC,IAAI,GAAG,CAAC,cAAc,KAAK,SAAS;IAAE,OAAO,CAAC,GAAG,CAAC,yBAAyB,GAAG,CAAC,cAAc,EAAE,CAAC,CAAC;AACjG,IAAI,GAAG,CAAC,IAAI,EAAE,CAAC;IACb,KAAK,MAAM,CAAC,KAAK,EAAE,IAAI,CAAC,IAAI,MAAM,CAAC,OAAO,CAAM,GAAG,CAAC,IAAI,CAAC,EAAE,CAAC;QAC1D,OAAO,CAAC,GAAG,CAAC,KAAK,KAAK,GAAG,CAAC,CAAC;QAC3B,OAAO,CAAC,GAAG,CAAC,YAAY,IAAI,CAAC,KAAK,EAAE,CAAC,CAAC;QACtC,OAAO,CAAC,GAAG,CAAC,aAAa,IAAI,CAAC,cAAc,EAAE,CAAC,CAAC;QAChD,OAAO,CAAC,GAAG,CAAC,kBAAkB,IAAI,CAAC,WAAW,EAAE,CAAC,CAAC;IACpD,CAAC;AACH,CAAC;AAED,mCAAmC;AACnC,IAAI,OAAO,EAAE,CAAC;IACZ,OAAO,CAAC,GAAG,CAAC,kCAAkC,CAAC,CAAC;IAChD,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC,EAAE,CAAC;QAClD,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,KAAK,KAAK,IAAI,EAAE,CAAC;YAChD,OAAO,CAAC,GAAG,CAAC,KAAK,GAAG,GAAG,CAAC,CAAC;YACzB,KAAK,MAAM,CAAC,MAAM,EAAE,QAAQ,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC;gBACvD,IAAI,OAAO,QAAQ,KAAK,QAAQ,IAAI,QAAQ,KAAK,IAAI,EAAE,CAAC;oBACtD,OAAO,CAAC,GAAG,CAAC,OAAO,MAAM,KAAK,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC;gBAC5D,CAAC;qBAAM,CAAC;oBACN,OAAO,CAAC,GAAG,CAAC,OAAO,MAAM,KAAK,QAAQ,EAAE,CAAC,CAAC;gBAC5C,CAAC;YACH,CAAC;QACH,CAAC;aAAM,CAAC;YACN,OAAO,CAAC,GAAG,CAAC,KAAK,GAAG,KAAK,KAAK,EAAE,CAAC,CAAC;QACpC,CAAC;IACH,CAAC;AACH,CAAC;AAED,IAAI,MAAM,CAAC,MAAM,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;IAC7B,OAAO,CAAC,GAAG,CAAC,WAAW,CAAC,CAAC;IACzB,KAAK,MAAM,GAAG,
IAAI,MAAM,CAAC,MAAM;QAAE,OAAO,CAAC,GAAG,CAAC,OAAO,GAAG,EAAE,CAAC,CAAC;AAC7D,CAAC;AAED,OAAO,CAAC,GAAG,CAAC,KAAK,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,QAAQ,EAAE,CAAC,CAAC;AACvD,OAAO,CAAC,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC"}
|
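--- a/package/dist/cpu.d.ts
+++ b/package/dist/cpu.d.ts
@@ -0,0 +1,9 @@
+import { AttestationResult } from "./types.js";
+/**
+* Detect whether the quote is Intel TDX (hex) or AMD SEV-SNP (base64).
+*/
+export declare function detectCpuQuoteType(data: string): "TDX" | "SEV-SNP" | "unknown";
+/**
+* Verify a CPU attestation quote, auto-detecting Intel TDX vs AMD SEV-SNP.
+*/
+export declare function checkCpuAttestation(data: string, product?: string): Promise<AttestationResult>;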
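--- a/package/dist/cpu.js
+++ b/package/dist/cpu.js
@@ -0,0 +1,54 @@
+import { makeResult } from "./types.js";
+import { checkTdxCpuAttestation } from "./tdx.js";
+import { checkSevCpuAttestation } from "./amd.js";
+/**
+* Detect whether the quote is Intel TDX (hex) or AMD SEV-SNP (base64).
+*/
+export function detectCpuQuoteType(data) {
+const text = data.trim();
+// Try hex — TDX quotes: version=4, tee_type=0x81
+try {
+const buf = Buffer.from(text, "hex");
+if (buf.length >= 8) {
+const version = buf.readUInt16LE(0);
+const teeType = buf.readUInt32LE(4);
+if (version === 4 && teeType === 0x81)
+return "TDX";
+}
+}
+catch {
+// not hex
+}
+// Try base64 — AMD SEV-SNP: version >= 2, sig_algo == 1
+try {
+const buf = Buffer.from(text, "base64");
+if (buf.length >= 0x38) {
+const version = buf.readUInt32LE(0);
+const sigAlgo = buf.readUInt32LE(0x034);
+if (version >= 2 && version <= 4 && sigAlgo === 1)
+return "SEV-SNP";
+}
+}
+catch {
+// not base64
+}
+return "unknown";
+}
+/**
+* Verify a CPU attestation quote, auto-detecting Intel TDX vs AMD SEV-SNP.
+*/
+export async function checkCpuAttestation(data, product = "") {
+const quoteType = detectCpuQuoteType(data);
+if (quoteType === "TDX") {
+return checkTdxCpuAttestation(data);
+}
+if (quoteType === "SEV-SNP") {
+return checkSevCpuAttestation(data, product);
+}
+return makeResult("unknown", {
+errors: [
+"Could not detect quote type (expected hex-encoded TDX or base64-encoded SEV-SNP)",
+],
+});
+}
+//# sourceMappingURL=cpu.js.map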
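Review bot: The two `try`/`catch` blocks in `detectCpuQuoteType` never fire for malformed text, because `Buffer.from(text, "hex")` and `Buffer.from(text, "base64")` do not throw: the hex decoder silently stops at the first non-hex character and the base64 decoder is similarly lenient. The function therefore classifies on whatever prefix happened to decode, so input with a valid 8-byte hex header followed by arbitrary trailing text is still reported as "TDX". For a verifier it is safer to reject non-canonical encodings before reading header fields, for example by guarding the hex path with `if (/^[0-9a-fA-F]+$/.test(text) && text.length % 2 === 0)` and applying an equivalent strict check on the base64 path. The signature checks themselves live in `checkTdxCpuAttestation` and `checkSevCpuAttestation`, which are outside this section, so this concerns the strictness of the dispatcher and the accuracy of the `// not hex` / `// not base64` comments rather than a demonstrated bypass.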
package/dist/cpu.js.map
ADDED
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"cpu.js","sourceRoot":"","sources":["../src/cpu.ts"],"names":[],"mappings":"AAAA,OAAO,EAAqB,UAAU,EAAE,MAAM,YAAY,CAAC;AAC3D,OAAO,EAAE,sBAAsB,EAAE,MAAM,UAAU,CAAC;AAClD,OAAO,EAAE,sBAAsB,EAAE,MAAM,UAAU,CAAC;AAElD;;GAEG;AACH,MAAM,UAAU,kBAAkB,CAAC,IAAY;IAC7C,MAAM,IAAI,GAAG,IAAI,CAAC,IAAI,EAAE,CAAC;IAEzB,iDAAiD;IACjD,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,MAAM,CAAC,IAAI,CAAC,IAAI,EAAE,KAAK,CAAC,CAAC;QACrC,IAAI,GAAG,CAAC,MAAM,IAAI,CAAC,EAAE,CAAC;YACpB,MAAM,OAAO,GAAG,GAAG,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;YACpC,MAAM,OAAO,GAAG,GAAG,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;YACpC,IAAI,OAAO,KAAK,CAAC,IAAI,OAAO,KAAK,IAAI;gBAAE,OAAO,KAAK,CAAC;QACtD,CAAC;IACH,CAAC;IAAC,MAAM,CAAC;QACP,UAAU;IACZ,CAAC;IAED,wDAAwD;IACxD,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,MAAM,CAAC,IAAI,CAAC,IAAI,EAAE,QAAQ,CAAC,CAAC;QACxC,IAAI,GAAG,CAAC,MAAM,IAAI,IAAI,EAAE,CAAC;YACvB,MAAM,OAAO,GAAG,GAAG,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;YACpC,MAAM,OAAO,GAAG,GAAG,CAAC,YAAY,CAAC,KAAK,CAAC,CAAC;YACxC,IAAI,OAAO,IAAI,CAAC,IAAI,OAAO,IAAI,CAAC,IAAI,OAAO,KAAK,CAAC;gBAAE,OAAO,SAAS,CAAC;QACtE,CAAC;IACH,CAAC;IAAC,MAAM,CAAC;QACP,aAAa;IACf,CAAC;IAED,OAAO,SAAS,CAAC;AACnB,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,mBAAmB,CACvC,IAAY,EACZ,OAAO,GAAG,EAAE;IAEZ,MAAM,SAAS,GAAG,kBAAkB,CAAC,IAAI,CAAC,CAAC;IAE3C,IAAI,SAAS,KAAK,KAAK,EAAE,CAAC;QACxB,OAAO,sBAAsB,CAAC,IAAI,CAAC,CAAC;IACtC,CAAC;IACD,IAAI,SAAS,KAAK,SAAS,EAAE,CAAC;QAC5B,OAAO,sBAAsB,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC;IAC/C,CAAC;IAED,OAAO,UAAU,CAAC,SAAS,EAAE;QAC3B,MAAM,EAAE;YACN,kFAAkF;SACnF;KACF,CAAC,CAAC;AACL,CAAC"}
|
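--- a/package/dist/index.d.ts
+++ b/package/dist/index.d.ts
@@ -0,0 +1,15 @@
+export type { AttestationResult } from "./types.js";
+export { checkTdxCpuAttestation, parseTdxQuoteFields } from "./tdx.js";
+export type { TdxQuoteFields } from "./tdx.js";
+export { checkSevCpuAttestation } from "./amd.js";
+export { checkNvidiaGpuAttestation } from "./nvidia.js";
+export { checkCpuAttestation, detectCpuQuoteType } from "./cpu.js";
+export { checkSecretVm } from "./vm.js";
+export { resolveSecretVmVersion, resolveAmdSevVersion, verifyTdxWorkload, verifySevWorkload, verifyWorkload, formatWorkloadResult, } from "./workload.js";
+export type { WorkloadResult, WorkloadStatus } from "./workload.js";
+export { loadTdxRegistry, findMatchingArtifacts, pickNewestVersion, resolveVersion, } from "./artifacts.js";
+export type { TdxArtifactEntry } from "./artifacts.js";
+export { resolveAgent, verifyAgent, checkAgent } from "./agent.js";
+export type { AgentMetadata, AgentService } from "./types.js";
+export { getChainConfig, getRpcUrl, listChains } from "./chains.js";
+export type { ChainConfig } from "./chains.js";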
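--- a/package/dist/index.js
+++ b/package/dist/index.js
@@ -0,0 +1,10 @@
+export { checkTdxCpuAttestation, parseTdxQuoteFields } from "./tdx.js";
+export { checkSevCpuAttestation } from "./amd.js";
+export { checkNvidiaGpuAttestation } from "./nvidia.js";
+export { checkCpuAttestation, detectCpuQuoteType } from "./cpu.js";
+export { checkSecretVm } from "./vm.js";
+export { resolveSecretVmVersion, resolveAmdSevVersion, verifyTdxWorkload, verifySevWorkload, verifyWorkload, formatWorkloadResult, } from "./workload.js";
+export { loadTdxRegistry, findMatchingArtifacts, pickNewestVersion, resolveVersion, } from "./artifacts.js";
+export { resolveAgent, verifyAgent, checkAgent } from "./agent.js";
+export { getChainConfig, getRpcUrl, listChains } from "./chains.js";
+//# sourceMappingURL=index.js.map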
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,sBAAsB,EAAE,mBAAmB,EAAE,MAAM,UAAU,CAAC;AAEvE,OAAO,EAAE,sBAAsB,EAAE,MAAM,UAAU,CAAC;AAClD,OAAO,EAAE,yBAAyB,EAAE,MAAM,aAAa,CAAC;AACxD,OAAO,EAAE,mBAAmB,EAAE,kBAAkB,EAAE,MAAM,UAAU,CAAC;AACnE,OAAO,EAAE,aAAa,EAAE,MAAM,SAAS,CAAC;AACxC,OAAO,EACH,sBAAsB,EACtB,oBAAoB,EACpB,iBAAiB,EACjB,iBAAiB,EACjB,cAAc,EACd,oBAAoB,GACvB,MAAM,eAAe,CAAC;AAEvB,OAAO,EACH,eAAe,EACf,qBAAqB,EACrB,iBAAiB,EACjB,cAAc,GACjB,MAAM,gBAAgB,CAAC;AAExB,OAAO,EAAE,YAAY,EAAE,WAAW,EAAE,UAAU,EAAE,MAAM,YAAY,CAAC;AAEnE,OAAO,EAAE,cAAc,EAAE,SAAS,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC"}
|
package/dist/nvidia.d.ts
ADDED
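--- a/package/dist/nvidia.js
+++ b/package/dist/nvidia.js
@@ -0,0 +1,182 @@
+import crypto from "node:crypto";
+import { makeResult } from "./types.js";
+const NRAS_URL = "https://nras.attestation.nvidia.com/v4/attest/gpu";
+const NRAS_JWKS_URL = "https://nras.attestation.nvidia.com/.well-known/jwks.json";
+// ---------------------------------------------------------------------------
+// JWT helpers
+// ---------------------------------------------------------------------------
+function base64urlDecode(s) {
+return Buffer.from(s + "=".repeat((4 - (s.length % 4)) % 4), "base64url");
+}
+function decodeJwtHeader(token) {
+return JSON.parse(base64urlDecode(token.split(".")[0]).toString());
+}
+function decodeJwtPayload(token) {
+const parts = token.split(".");
+if (parts.length !== 3)
+throw new Error(`Invalid JWT: expected 3 parts`);
+return JSON.parse(base64urlDecode(parts[1]).toString());
+}
+async function fetchJwks() {
+const resp = await fetch(NRAS_JWKS_URL);
+if (!resp.ok)
+throw new Error(`JWKS fetch failed: ${resp.status}`);
+const jwks = (await resp.json());
+const keys = new Map();
+for (const key of jwks.keys ?? []) {
+if (key.kid)
+keys.set(key.kid, key);
+}
+return keys;
+}
+function verifyJwtSignature(token, jwks) {
+const header = decodeJwtHeader(token);
+const { kid, alg } = header;
+if (alg !== "ES384")
+return false;
+if (!jwks.has(kid))
+return false;
+const jwk = jwks.get(kid);
+let pubKey;
+const x5c = jwk.x5c ?? [];
+if (x5c.length > 0) {
+const cert = new crypto.X509Certificate(Buffer.from(x5c[0], "base64"));
+pubKey = cert.publicKey;
+}
+else {
+pubKey = crypto.createPublicKey({ key: jwk, format: "jwk" });
+}
+const parts = token.split(".");
+const signedData = Buffer.from(`${parts[0]}.${parts[1]}`);
+const sigRaw = base64urlDecode(parts[2]);
+// ES384: raw R||S (48+48), convert to DER
+const r = sigRaw.subarray(0, 48);
+const s = sigRaw.subarray(48);
+const derSig = ecdsaRsToDer(r, s);
+const verifier = crypto.createVerify("SHA384");
+verifier.update(signedData);
+try {
+return verifier.verify({ key: pubKey, dsaEncoding: "der" }, derSig);
+}
+catch {
+return false;
+}
+}
+function ecdsaRsToDer(r, s) {
+function encodeInt(v) {
+let i = 0;
+while (i < v.length - 1 && v[i] === 0)
+i++;
+let trimmed = v.subarray(i);
+if (trimmed[0] & 0x80) {
+trimmed = Buffer.concat([Buffer.from([0x00]), trimmed]);
+}
+return Buffer.concat([Buffer.from([0x02, trimmed.length]), trimmed]);
+}
+const ri = encodeInt(r);
+const si = encodeInt(s);
+return Buffer.concat([Buffer.from([0x30, ri.length + si.length]), ri, si]);
+}
+// ---------------------------------------------------------------------------
+// Public
+// ---------------------------------------------------------------------------
+export async function checkNvidiaGpuAttestation(data) {
+const errors = [];
+const checks = {};
+// Parse input
+let attestationData;
+try {
+attestationData = JSON.parse(data);
+checks.input_parsed = true;
+}
+catch (e) {
+return makeResult("NVIDIA-GPU", {
+checks: { input_parsed: false },
+errors: [e.message],
+});
+}
+// Submit to NRAS
+let nrasResponse;
+try {
+const resp = await fetch(NRAS_URL, {
+method: "POST",
+headers: {
+"Content-Type": "application/json",
+Accept: "application/json",
+},
+body: JSON.stringify(attestationData),
+});
+if (!resp.ok) {
+const text = await resp.text();
+errors.push(`NRAS returned ${resp.status}: ${text.slice(0, 200)}`);
+checks.nras_submission = false;
+return makeResult("NVIDIA-GPU", { checks, errors });
+}
+nrasResponse = (await resp.json());
+checks.nras_submission = true;
+}
+catch (e) {
+errors.push(`NRAS request failed: ${e.message}`);
+checks.nras_submission = false;
+return makeResult("NVIDIA-GPU", { checks, errors });
+}
+// Fetch JWKS
+let jwks;
+try {
+jwks = await fetchJwks();
+}
+catch (e) {
+errors.push(`Failed to fetch NVIDIA JWKS: ${e.message}`);
+jwks = new Map();
+}
+const report = {};
+let allSigsValid = true;
+// Platform JWT
+const jwtEntry = nrasResponse[0];
+if (Array.isArray(jwtEntry) && jwtEntry[0] === "JWT") {
+const platformToken = jwtEntry[1];
+const sigValid = jwks.size > 0 ? verifyJwtSignature(platformToken, jwks) : false;
+checks.platform_jwt_signature = sigValid;
+if (!sigValid) {
+allSigsValid = false;
+errors.push("Platform JWT signature verification failed");
+}
+const claims = decodeJwtPayload(platformToken);
+report.overall_result = claims["x-nvidia-overall-att-result"];
+report.subject = claims.sub;
+report.issuer = claims.iss;
+report.nonce = claims.eat_nonce;
+}
+// Per-GPU JWTs
+const gpuEntries = nrasResponse[1] ?? {};
+const gpuReports = {};
+if (typeof gpuEntries === "object" && !Array.isArray(gpuEntries)) {
+for (const [gpuId, token] of Object.entries(gpuEntries)) {
+const sigValid = jwks.size > 0 ? verifyJwtSignature(token, jwks) : false;
+checks[`${gpuId}_jwt_signature`] = sigValid;
+if (!sigValid) {
+allSigsValid = false;
+errors.push(`${gpuId} JWT signature verification failed`);
+}
+const claims = decodeJwtPayload(token);
+gpuReports[gpuId] = {
+model: claims.hwmodel,
+oem_id: claims.oemid,
+ueid: claims.ueid,
+debug_status: claims.dbgstat,
+secure_boot: claims.secboot,
+driver_version: claims["x-nvidia-gpu-driver-version"],
+vbios_version: claims["x-nvidia-gpu-vbios-version"],
+attestation_report_parsed: claims["x-nvidia-gpu-attestation-report-parsed"],
+attestation_report_signature_verified: claims["x-nvidia-gpu-attestation-report-signature-verified"],
+attestation_report_nonce_match: claims["x-nvidia-gpu-attestation-report-nonce-match"],
+arch_check: claims["x-nvidia-gpu-arch-check"],
+measurements: claims.measres,
+};
+}
+}
+report.gpus = gpuReports;
+const valid = !!report.overall_result && allSigsValid;
+return makeResult("NVIDIA-GPU", { valid, checks, report, errors });
+}
+//# sourceMappingURL=nvidia.js.map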
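Review bot: `checkNvidiaGpuAttestation` decides `valid` from the signature checks plus `!!report.overall_result`, while `exp`, `iss` and `eat_nonce` are never compared against anything (the last two are only copied into `report`), so freshness and issuer binding are left entirely to the caller. The truthiness test would also accept a non-boolean such as the string `"false"`; `report.overall_result === true` is stricter, assuming NRAS sends a boolean. `decodeJwtPayload(...)` and the `decodeJwtHeader(...)` call inside `verifyJwtSignature` both sit outside any `try`, so a malformed token rejects the promise instead of returning a failed result through `makeResult`. I would add the claim checks sketched below, with the expected nonce passed in by the caller as a new optional argument; since this is build output, the change belongs in the TypeScript source the map names as `../src/nvidia.ts`.

```javascript
// … unchanged: input parsing, NRAS submission, JWKS fetch, signature check …
const claims = decodeJwtPayload(platformToken);
const nowSec = Math.floor(Date.now() / 1000);
checks.platform_jwt_not_expired = typeof claims.exp === "number" && claims.exp > nowSec;
// EXPECTED_ISSUER is a placeholder for the issuer value NRAS documents
checks.platform_jwt_issuer = claims.iss === EXPECTED_ISSUER;
// expectedNonce: proposed optional argument; the check is skipped when the caller passes none
if (expectedNonce !== undefined) {
    checks.platform_jwt_nonce = claims.eat_nonce === expectedNonce;
}
// … unchanged: report fields, per-GPU loop …
const valid = report.overall_result === true &&
    allSigsValid &&
    Object.values(checks).every((ok) => ok === true);
```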
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"nvidia.js","sourceRoot":"","sources":["../src/nvidia.ts"],"names":[],"mappings":"AAAA,OAAO,MAAM,MAAM,aAAa,CAAC;AACjC,OAAO,EAAqB,UAAU,EAAE,MAAM,YAAY,CAAC;AAE3D,MAAM,QAAQ,GAAG,mDAAmD,CAAC;AACrE,MAAM,aAAa,GACjB,2DAA2D,CAAC;AAE9D,8EAA8E;AAC9E,cAAc;AACd,8EAA8E;AAE9E,SAAS,eAAe,CAAC,CAAS;IAChC,OAAO,MAAM,CAAC,IAAI,CAAC,CAAC,GAAG,GAAG,CAAC,MAAM,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,EAAE,WAAW,CAAC,CAAC;AAC5E,CAAC;AAED,SAAS,eAAe,CAAC,KAAa;IACpC,OAAO,IAAI,CAAC,KAAK,CAAC,eAAe,CAAC,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAE,CAAC,CAAC,QAAQ,EAAE,CAAC,CAAC;AACtE,CAAC;AAED,SAAS,gBAAgB,CAAC,KAAa;IACrC,MAAM,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IAC/B,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC;QAAE,MAAM,IAAI,KAAK,CAAC,+BAA+B,CAAC,CAAC;IACzE,OAAO,IAAI,CAAC,KAAK,CAAC,eAAe,CAAC,KAAK,CAAC,CAAC,CAAE,CAAC,CAAC,QAAQ,EAAE,CAAC,CAAC;AAC3D,CAAC;AAED,KAAK,UAAU,SAAS;IACtB,MAAM,IAAI,GAAG,MAAM,KAAK,CAAC,aAAa,CAAC,CAAC;IACxC,IAAI,CAAC,IAAI,CAAC,EAAE;QAAE,MAAM,IAAI,KAAK,CAAC,sBAAsB,IAAI,CAAC,MAAM,EAAE,CAAC,CAAC;IACnE,MAAM,IAAI,GAAG,CAAC,MAAM,IAAI,CAAC,IAAI,EAAE,CAAQ,CAAC;IACxC,MAAM,IAAI,GAAG,IAAI,GAAG,EAAe,CAAC;IACpC,KAAK,MAAM,GAAG,IAAI,IAAI,CAAC,IAAI,IAAI,EAAE,EAAE,CAAC;QAClC,IAAI,GAAG,CAAC,GAAG;YAAE,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC;IACtC,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED,SAAS,kBAAkB,CACzB,KAAa,EACb,IAAsB;IAEtB,MAAM,MAAM,GAAG,eAAe,CAAC,KAAK,CAAC,CAAC;IACtC,MAAM,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,MAAM,CAAC;IAC5B,IAAI,GAAG,KAAK,OAAO;QAAE,OAAO,KAAK,CAAC;IAClC,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC;QAAE,OAAO,KAAK,CAAC;IAEjC,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,CAAC,GAAG,CAAE,CAAC;IAE3B,IAAI,MAAwB,CAAC;IAC7B,MAAM,GAAG,GAAa,GAAG,CAAC,GAAG,IAAI,EAAE,CAAC;IACpC,IAAI,GAAG,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACnB,MAAM,IAAI,GAAG,IAAI,MAAM,CAAC,eAAe,CACrC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAE,EAAE,QAAQ,CAAC,CAC/B,CAAC;QACF,MAAM,GAAG,IAAI,CAAC,SAAS,CAAC;IAC1B,CAAC;SAAM,CAAC;QACN,MAAM,GAAG,MAAM,CAAC,eAAe,CAAC,EAAE,GAAG,EAAE,GAAG,EAAE,MAAM,EAAE,KAAK
,EAAE,CAAC,CAAC;IAC/D,CAAC;IAED,MAAM,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IAC/B,MAAM,UAAU,GAAG,MAAM,CAAC,IAAI,CAAC,GAAG,KAAK,CAAC,CAAC,CAAC,IAAI,KAAK,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC;IAC1D,MAAM,MAAM,GAAG,eAAe,CAAC,KAAK,CAAC,CAAC,CAAE,CAAC,CAAC;IAE1C,0CAA0C;IAC1C,MAAM,CAAC,GAAG,MAAM,CAAC,QAAQ,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;IACjC,MAAM,CAAC,GAAG,MAAM,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC;IAC9B,MAAM,MAAM,GAAG,YAAY,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC;IAElC,MAAM,QAAQ,GAAG,MAAM,CAAC,YAAY,CAAC,QAAQ,CAAC,CAAC;IAC/C,QAAQ,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC;IAC5B,IAAI,CAAC;QACH,OAAO,QAAQ,CAAC,MAAM,CAAC,EAAE,GAAG,EAAE,MAAM,EAAE,WAAW,EAAE,KAAK,EAAE,EAAE,MAAM,CAAC,CAAC;IACtE,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAC;IACf,CAAC;AACH,CAAC;AAED,SAAS,YAAY,CAAC,CAAS,EAAE,CAAS;IACxC,SAAS,SAAS,CAAC,CAAS;QAC1B,IAAI,CAAC,GAAG,CAAC,CAAC;QACV,OAAO,CAAC,GAAG,CAAC,CAAC,MAAM,GAAG,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC;YAAE,CAAC,EAAE,CAAC;QAC3C,IAAI,OAAO,GAAG,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC;QAC5B,IAAI,OAAO,CAAC,CAAC,CAAE,GAAG,IAAI,EAAE,CAAC;YACvB,OAAO,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,CAAC,EAAE,OAAO,CAAC,CAAC,CAAC;QAC1D,CAAC;QACD,OAAO,MAAM,CAAC,MAAM,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,IAAI,EAAE,OAAO,CAAC,MAAM,CAAC,CAAC,EAAE,OAAO,CAAC,CAAC,CAAC;IACvE,CAAC;IACD,MAAM,EAAE,GAAG,SAAS,CAAC,CAAC,CAAC,CAAC;IACxB,MAAM,EAAE,GAAG,SAAS,CAAC,CAAC,CAAC,CAAC;IACxB,OAAO,MAAM,CAAC,MAAM,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,MAAM,GAAG,EAAE,CAAC,MAAM,CAAC,CAAC,EAAE,EAAE,EAAE,EAAE,CAAC,CAAC,CAAC;AAC7E,CAAC;AAED,8EAA8E;AAC9E,SAAS;AACT,8EAA8E;AAE9E,MAAM,CAAC,KAAK,UAAU,yBAAyB,CAC7C,IAAY;IAEZ,MAAM,MAAM,GAAa,EAAE,CAAC;IAC5B,MAAM,MAAM,GAA4B,EAAE,CAAC;IAE3C,cAAc;IACd,IAAI,eAAoB,CAAC;IACzB,IAAI,CAAC;QACH,eAAe,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;QACnC,MAAM,CAAC,YAAY,GAAG,IAAI,CAAC;IAC7B,CAAC;IAAC,OAAO,CAAM,EAAE,CAAC;QAChB,OAAO,UAAU,CAAC,YAAY,EAAE;YAC9B,MAAM,EAAE,EAAE,YAAY,EAAE,KAAK,EAAE;YAC/B,MAAM,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC;SACpB,CAAC,CAAC;IACL,CAAC;IAED,iBAAiB;IACjB,IAAI,YAAmB,CAAC;IA
CxB,IAAI,CAAC;QACH,MAAM,IAAI,GAAG,MAAM,KAAK,CAAC,QAAQ,EAAE;YACjC,MAAM,EAAE,MAAM;YACd,OAAO,EAAE;gBACP,cAAc,EAAE,kBAAkB;gBAClC,MAAM,EAAE,kBAAkB;aAC3B;YACD,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,eAAe,CAAC;SACtC,CAAC,CAAC;QACH,IAAI,CAAC,IAAI,CAAC,EAAE,EAAE,CAAC;YACb,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,IAAI,EAAE,CAAC;YAC/B,MAAM,CAAC,IAAI,CAAC,iBAAiB,IAAI,CAAC,MAAM,KAAK,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE,CAAC,CAAC;YACnE,MAAM,CAAC,eAAe,GAAG,KAAK,CAAC;YAC/B,OAAO,UAAU,CAAC,YAAY,EAAE,EAAE,MAAM,EAAE,MAAM,EAAE,CAAC,CAAC;QACtD,CAAC;QACD,YAAY,GAAG,CAAC,MAAM,IAAI,CAAC,IAAI,EAAE,CAAU,CAAC;QAC5C,MAAM,CAAC,eAAe,GAAG,IAAI,CAAC;IAChC,CAAC;IAAC,OAAO,CAAM,EAAE,CAAC;QAChB,MAAM,CAAC,IAAI,CAAC,wBAAwB,CAAC,CAAC,OAAO,EAAE,CAAC,CAAC;QACjD,MAAM,CAAC,eAAe,GAAG,KAAK,CAAC;QAC/B,OAAO,UAAU,CAAC,YAAY,EAAE,EAAE,MAAM,EAAE,MAAM,EAAE,CAAC,CAAC;IACtD,CAAC;IAED,aAAa;IACb,IAAI,IAAsB,CAAC;IAC3B,IAAI,CAAC;QACH,IAAI,GAAG,MAAM,SAAS,EAAE,CAAC;IAC3B,CAAC;IAAC,OAAO,CAAM,EAAE,CAAC;QAChB,MAAM,CAAC,IAAI,CAAC,gCAAgC,CAAC,CAAC,OAAO,EAAE,CAAC,CAAC;QACzD,IAAI,GAAG,IAAI,GAAG,EAAE,CAAC;IACnB,CAAC;IAED,MAAM,MAAM,GAAwB,EAAE,CAAC;IACvC,IAAI,YAAY,GAAG,IAAI,CAAC;IAExB,eAAe;IACf,MAAM,QAAQ,GAAG,YAAY,CAAC,CAAC,CAAC,CAAC;IACjC,IAAI,KAAK,CAAC,OAAO,CAAC,QAAQ,CAAC,IAAI,QAAQ,CAAC,CAAC,CAAC,KAAK,KAAK,EAAE,CAAC;QACrD,MAAM,aAAa,GAAW,QAAQ,CAAC,CAAC,CAAC,CAAC;QAC1C,MAAM,QAAQ,GACZ,IAAI,CAAC,IAAI,GAAG,CAAC,CAAC,CAAC,CAAC,kBAAkB,CAAC,aAAa,EAAE,IAAI,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC;QAClE,MAAM,CAAC,sBAAsB,GAAG,QAAQ,CAAC;QACzC,IAAI,CAAC,QAAQ,EAAE,CAAC;YACd,YAAY,GAAG,KAAK,CAAC;YACrB,MAAM,CAAC,IAAI,CAAC,4CAA4C,CAAC,CAAC;QAC5D,CAAC;QAED,MAAM,MAAM,GAAG,gBAAgB,CAAC,aAAa,CAAC,CAAC;QAC/C,MAAM,CAAC,cAAc,GAAG,MAAM,CAAC,6BAA6B,CAAC,CAAC;QAC9D,MAAM,CAAC,OAAO,GAAG,MAAM,CAAC,GAAG,CAAC;QAC5B,MAAM,CAAC,MAAM,GAAG,MAAM,CAAC,GAAG,CAAC;QAC3B,MAAM,CAAC,KAAK,GAAG,MAAM,CAAC,SAAS,CAAC;IAClC,CAAC;IAED,eAAe;IACf,MAAM,UAAU,GAA2B,YAAY,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;IACjE,MAAM,UAAU,GAAwB,EAAE,CAAC;IAC3C,IAAI,OAAO,UAAU,KAAK,QAAQ,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,UAAU,CAAC,EAAE,CAAC;QACjE
,KAAK,MAAM,CAAC,KAAK,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,UAAU,CAAC,EAAE,CAAC;YACxD,MAAM,QAAQ,GACZ,IAAI,CAAC,IAAI,GAAG,CAAC,CAAC,CAAC,CAAC,kBAAkB,CAAC,KAAK,EAAE,IAAI,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC;YAC1D,MAAM,CAAC,GAAG,KAAK,gBAAgB,CAAC,GAAG,QAAQ,CAAC;YAC5C,IAAI,CAAC,QAAQ,EAAE,CAAC;gBACd,YAAY,GAAG,KAAK,CAAC;gBACrB,MAAM,CAAC,IAAI,CAAC,GAAG,KAAK,oCAAoC,CAAC,CAAC;YAC5D,CAAC;YAED,MAAM,MAAM,GAAG,gBAAgB,CAAC,KAAK,CAAC,CAAC;YACvC,UAAU,CAAC,KAAK,CAAC,GAAG;gBAClB,KAAK,EAAE,MAAM,CAAC,OAAO;gBACrB,MAAM,EAAE,MAAM,CAAC,KAAK;gBACpB,IAAI,EAAE,MAAM,CAAC,IAAI;gBACjB,YAAY,EAAE,MAAM,CAAC,OAAO;gBAC5B,WAAW,EAAE,MAAM,CAAC,OAAO;gBAC3B,cAAc,EAAE,MAAM,CAAC,6BAA6B,CAAC;gBACrD,aAAa,EAAE,MAAM,CAAC,4BAA4B,CAAC;gBACnD,yBAAyB,EACvB,MAAM,CAAC,wCAAwC,CAAC;gBAClD,qCAAqC,EACnC,MAAM,CAAC,oDAAoD,CAAC;gBAC9D,8BAA8B,EAC5B,MAAM,CAAC,6CAA6C,CAAC;gBACvD,UAAU,EAAE,MAAM,CAAC,yBAAyB,CAAC;gBAC7C,YAAY,EAAE,MAAM,CAAC,OAAO;aAC7B,CAAC;QACJ,CAAC;IACH,CAAC;IACD,MAAM,CAAC,IAAI,GAAG,UAAU,CAAC;IAEzB,MAAM,KAAK,GAAG,CAAC,CAAC,MAAM,CAAC,cAAc,IAAI,YAAY,CAAC;IAEtD,OAAO,UAAU,CAAC,YAAY,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,CAAC,CAAC;AACrE,CAAC"}
|
package/dist/rtmr.d.ts
ADDED
|
@@ -0,0 +1,10 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* Calculate RTMR3 from a docker-compose file content and rootfs_data.
|
|
3
|
+
*
|
|
4
|
+
* Mirrors portal logic exactly:
|
|
5
|
+
* 1. Parse docker-compose YAML and re-stringify (normalise)
|
|
6
|
+
* 2. SHA-256 of normalised YAML bytes → log[0]
|
|
7
|
+
* 3. rootfs_data (hex) → log[1]
|
|
8
|
+
* 4. replayRtmr(log)
|
|
9
|
+
*/
|
|
10
|
+
export declare function calculateRtmr3(dockerCompose: Buffer | string, rootfsData: string): string;
|