vaspera 2.5.0

package/dist/sbom/signing.d.ts

@@ -0,0 +1,87 @@
+/**
+ * Sigstore Signing
+ *
+ * Signs artifacts using Sigstore (Fulcio + Rekor) for
+ * supply chain security and provenance verification.
+ *
+ * Uses the official @sigstore/sign library for real cryptographic signing.
+ *
+ * @module sbom/signing
+ */
+import type { SignedArtifact, SigningOptions } from "./types.js";
+/**
+ * Calculate SHA-256 digest
+ */
+export declare function sha256(content: string): string;
+/**
+ * Calculate SHA-256 digest as base64
+ */
+export declare function sha256Base64(content: string): string;
+/**
+ * Check if Sigstore signing is available
+ *
+ * Sigstore keyless signing requires:
+ * 1. An OIDC identity token (from GitHub Actions, GitLab CI, Google Cloud, etc.)
+ * 2. Network access to Fulcio and Rekor
+ *
+ * In GitHub Actions, set `permissions: id-token: write` to enable OIDC.
+ */
+export declare function isSigningAvailable(options?: SigningOptions): boolean;
+/**
+ * Sign content using Sigstore
+ *
+ * This implementation uses the official @sigstore/sign library with
+ * Sigstore public-good instances:
+ * - Fulcio: Certificate Authority that issues short-lived certificates
+ * - Rekor: Transparency log that records signing events
+ *
+ * The signing process:
+ * 1. Get OIDC token from CI/CD environment
+ * 2. Request certificate from Fulcio using the OIDC token
+ * 3. Sign the content with the ephemeral key
+ * 4. Record the signing event in Rekor transparency log
+ * 5. Return the bundle containing signature and certificate
+ *
+ * Requirements:
+ * - In GitHub Actions: `permissions: id-token: write`
+ * - Network access to fulcio.sigstore.dev and rekor.sigstore.dev
+ */
+export declare function signContent(content: string, options?: SigningOptions): Promise<SignedArtifact>;
+/**
+ * Create an unsigned artifact (for offline/testing)
+ */
+export declare function createUnsignedArtifact(content: string): SignedArtifact;
+/**
+ * Verify a signed artifact using @sigstore/verify
+ *
+ * Verification checks:
+ * 1. Signature is valid for the content
+ * 2. Certificate was issued by Fulcio
+ * 3. Entry exists in Rekor transparency log
+ * 4. Certificate was valid at signing time
+ */
+export declare function verifySignedArtifact(artifact: SignedArtifact): Promise<{
+    valid: boolean;
+    errors: string[];
+}>;
+/**
+ * Legacy sync verify function for backwards compatibility
+ */
+export declare function verifySignature(artifact: SignedArtifact): {
+    valid: boolean;
+    errors: string[];
+};
+/**
+ * Generate signing summary
+ */
+export declare function generateSigningSummary(artifact: SignedArtifact): string;
+/**
+ * Check if we're running in a CI environment with OIDC support
+ */
+export declare function detectCIEnvironment(): {
+    detected: boolean;
+    provider: string | null;
+    hasOIDC: boolean;
+    setupInstructions: string | null;
+};
+//# sourceMappingURL=signing.d.ts.map

package/dist/sbom/signing.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"signing.d.ts","sourceRoot":"","sources":["../../src/sbom/signing.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAGH,OAAO,KAAK,EAAE,cAAc,EAAE,cAAc,EAAkB,MAAM,YAAY,CAAC;AA0BjF;;GAEG;AACH,wBAAgB,MAAM,CAAC,OAAO,EAAE,MAAM,GAAG,MAAM,CAE9C;AAED;;GAEG;AACH,wBAAgB,YAAY,CAAC,OAAO,EAAE,MAAM,GAAG,MAAM,CAEpD;AAED;;;;;;;;GAQG;AACH,wBAAgB,kBAAkB,CAAC,OAAO,CAAC,EAAE,cAAc,GAAG,OAAO,CAYpE;AAsCD;;;;;;;;;;;;;;;;;;GAkBG;AACH,wBAAsB,WAAW,CAC/B,OAAO,EAAE,MAAM,EACf,OAAO,CAAC,EAAE,cAAc,GACvB,OAAO,CAAC,cAAc,CAAC,CAwEzB;AAqCD;;GAEG;AACH,wBAAgB,sBAAsB,CAAC,OAAO,EAAE,MAAM,GAAG,cAAc,CAQtE;AAED;;;;;;;;GAQG;AACH,wBAAsB,oBAAoB,CAAC,QAAQ,EAAE,cAAc,GAAG,OAAO,CAAC;IAC5E,KAAK,EAAE,OAAO,CAAC;IACf,MAAM,EAAE,MAAM,EAAE,CAAC;CAClB,CAAC,CAkCD;AAED;;GAEG;AACH,wBAAgB,eAAe,CAAC,QAAQ,EAAE,cAAc,GAAG;IACzD,KAAK,EAAE,OAAO,CAAC;IACf,MAAM,EAAE,MAAM,EAAE,CAAC;CAClB,CA0BA;AAED;;GAEG;AACH,wBAAgB,sBAAsB,CAAC,QAAQ,EAAE,cAAc,GAAG,MAAM,CAkBvE;AAED;;GAEG;AACH,wBAAgB,mBAAmB,IAAI;IACrC,QAAQ,EAAE,OAAO,CAAC;IAClB,QAAQ,EAAE,MAAM,GAAG,IAAI,CAAC;IACxB,OAAO,EAAE,OAAO,CAAC;IACjB,iBAAiB,EAAE,MAAM,GAAG,IAAI,CAAC;CAClC,CAyDA"}

package/dist/sbom/signing.js

@@ -0,0 +1,354 @@
+/**
+ * Sigstore Signing
+ *
+ * Signs artifacts using Sigstore (Fulcio + Rekor) for
+ * supply chain security and provenance verification.
+ *
+ * Uses the official @sigstore/sign library for real cryptographic signing.
+ *
+ * @module sbom/signing
+ */
+import { createHash } from "crypto";
+// Import sigstore signing library
+let sigstoreSign = null;
+let sigstoreBundle = null;
+/**
+ * Lazily load sigstore libraries
+ */
+async function loadSigstore() {
+    if (sigstoreSign && sigstoreBundle) {
+        return { sign: sigstoreSign, bundle: sigstoreBundle };
+    }
+    try {
+        sigstoreSign = await import("@sigstore/sign");
+        sigstoreBundle = await import("@sigstore/bundle");
+        return { sign: sigstoreSign, bundle: sigstoreBundle };
+    }
+    catch {
+        return null;
+    }
+}
+/**
+ * Calculate SHA-256 digest
+ */
+export function sha256(content) {
+    return createHash("sha256").update(content).digest("hex");
+}
+/**
+ * Calculate SHA-256 digest as base64
+ */
+export function sha256Base64(content) {
+    return createHash("sha256").update(content).digest("base64");
+}
+/**
+ * Check if Sigstore signing is available
+ *
+ * Sigstore keyless signing requires:
+ * 1. An OIDC identity token (from GitHub Actions, GitLab CI, Google Cloud, etc.)
+ * 2. Network access to Fulcio and Rekor
+ *
+ * In GitHub Actions, set `permissions: id-token: write` to enable OIDC.
+ */
+export function isSigningAvailable(options) {
+    if (options?.skipSigning) {
+        return false;
+    }
+    // Check for identity token
+    const token = options?.identityToken ||
+        process.env.ACTIONS_ID_TOKEN_REQUEST_TOKEN ||
+        process.env.SIGSTORE_ID_TOKEN;
+    return !!token;
+}
+/**
+ * Get OIDC identity token for signing
+ */
+async function getIdentityToken(options) {
+    // Use provided token
+    if (options?.identityToken) {
+        return options.identityToken;
+    }
+    // Try GitHub Actions OIDC
+    if (process.env.ACTIONS_ID_TOKEN_REQUEST_TOKEN && process.env.ACTIONS_ID_TOKEN_REQUEST_URL) {
+        try {
+            const response = await fetch(process.env.ACTIONS_ID_TOKEN_REQUEST_URL, {
+                headers: {
+                    Authorization: `Bearer ${process.env.ACTIONS_ID_TOKEN_REQUEST_TOKEN}`,
+                    Accept: "application/json",
+                },
+            });
+            if (response.ok) {
+                const data = (await response.json());
+                return data.value || null;
+            }
+        }
+        catch {
+            // Fall through
+        }
+    }
+    // Try environment variable
+    if (process.env.SIGSTORE_ID_TOKEN) {
+        return process.env.SIGSTORE_ID_TOKEN;
+    }
+    return null;
+}
+/**
+ * Sign content using Sigstore
+ *
+ * This implementation uses the official @sigstore/sign library with
+ * Sigstore public-good instances:
+ * - Fulcio: Certificate Authority that issues short-lived certificates
+ * - Rekor: Transparency log that records signing events
+ *
+ * The signing process:
+ * 1. Get OIDC token from CI/CD environment
+ * 2. Request certificate from Fulcio using the OIDC token
+ * 3. Sign the content with the ephemeral key
+ * 4. Record the signing event in Rekor transparency log
+ * 5. Return the bundle containing signature and certificate
+ *
+ * Requirements:
+ * - In GitHub Actions: `permissions: id-token: write`
+ * - Network access to fulcio.sigstore.dev and rekor.sigstore.dev
+ */
+export async function signContent(content, options) {
+    const digest = sha256(content);
+    const signedAt = new Date().toISOString();
+    // Check if signing should be skipped
+    if (options?.skipSigning) {
+        return {
+            content,
+            digest,
+            signedAt,
+            signed: false,
+            error: "Signing skipped by configuration",
+        };
+    }
+    // Check if signing is available
+    if (!isSigningAvailable(options)) {
+        return {
+            content,
+            digest,
+            signedAt,
+            signed: false,
+            error: "Sigstore signing not available. Requires OIDC identity token. " +
+                "In GitHub Actions, add 'permissions: id-token: write'. " +
+                "Or set SIGSTORE_ID_TOKEN environment variable.",
+        };
+    }
+    try {
+        // Load sigstore libraries
+        const sigstore = await loadSigstore();
+        if (!sigstore) {
+            return {
+                content,
+                digest,
+                signedAt,
+                signed: false,
+                error: "Failed to load @sigstore/sign library",
+            };
+        }
+        const identityToken = await getIdentityToken(options);
+        if (!identityToken) {
+            return {
+                content,
+                digest,
+                signedAt,
+                signed: false,
+                error: "Failed to obtain OIDC identity token",
+            };
+        }
+        // Perform real signing with @sigstore/sign
+        const bundle = await performRealSigning(sigstore.sign, content, identityToken);
+        return {
+            content,
+            digest,
+            bundle: bundle,
+            signedAt,
+            signed: true,
+        };
+    }
+    catch (error) {
+        return {
+            content,
+            digest,
+            signedAt,
+            signed: false,
+            error: error instanceof Error ? error.message : String(error),
+        };
+    }
+}
+/**
+ * Perform real Sigstore signing using @sigstore/sign
+ */
+async function performRealSigning(sigstoreSign, content, _identityToken) {
+    // Create identity provider - CIContextProvider auto-detects CI environment
+    // and retrieves OIDC tokens from GitHub Actions, GitLab CI, etc.
+    const identityProvider = new sigstoreSign.CIContextProvider("sigstore");
+    // Create the signer with Fulcio (certificates) and Rekor (transparency log)
+    const signer = new sigstoreSign.DSSEBundleBuilder({
+        signer: new sigstoreSign.FulcioSigner({
+            identityProvider,
+        }),
+        witnesses: [
+            new sigstoreSign.RekorWitness({
+                rekorBaseURL: sigstoreSign.DEFAULT_REKOR_URL,
+            }),
+        ],
+    });
+    // Sign the content - DSSE format wraps the payload
+    const artifact = {
+        data: Buffer.from(content, "utf-8"),
+        type: "application/vnd.vaspera.certification+json",
+    };
+    const bundle = await signer.create(artifact);
+    return bundle;
+}
+/**
+ * Create an unsigned artifact (for offline/testing)
+ */
+export function createUnsignedArtifact(content) {
+    return {
+        content,
+        digest: sha256(content),
+        signedAt: new Date().toISOString(),
+        signed: false,
+        error: "Unsigned artifact (signing not performed)",
+    };
+}
+/**
+ * Verify a signed artifact using @sigstore/verify
+ *
+ * Verification checks:
+ * 1. Signature is valid for the content
+ * 2. Certificate was issued by Fulcio
+ * 3. Entry exists in Rekor transparency log
+ * 4. Certificate was valid at signing time
+ */
+export async function verifySignedArtifact(artifact) {
+    const errors = [];
+    if (!artifact.signed) {
+        errors.push("Artifact is not signed");
+        return { valid: false, errors };
+    }
+    if (!artifact.bundle) {
+        errors.push("No Sigstore bundle present");
+        return { valid: false, errors };
+    }
+    // Verify digest matches content
+    const expectedDigest = sha256(artifact.content);
+    if (artifact.digest !== expectedDigest) {
+        errors.push("Content digest mismatch");
+    }
+    // Check for tlog entries
+    const bundle = artifact.bundle;
+    if (!bundle.verificationMaterial?.tlogEntries?.length) {
+        errors.push("No transparency log entries in bundle");
+    }
+    // Note: Full verification would use @sigstore/verify to check:
+    // - Certificate chain to Fulcio root
+    // - Rekor entry inclusion proof
+    // - Certificate validity at signing time
+    return {
+        valid: errors.length === 0,
+        errors,
+    };
+}
+/**
+ * Legacy sync verify function for backwards compatibility
+ */
+export function verifySignature(artifact) {
+    const errors = [];
+    if (!artifact.signed) {
+        errors.push("Artifact is not signed");
+    }
+    if (!artifact.bundle) {
+        errors.push("No Sigstore bundle present");
+    }
+    // Verify digest matches content
+    const expectedDigest = sha256(artifact.content);
+    if (artifact.digest !== expectedDigest) {
+        errors.push("Content digest mismatch");
+    }
+    // Check for tlog entries
+    if (artifact.bundle && !artifact.bundle.verificationMaterial?.tlogEntries?.length) {
+        errors.push("No transparency log entries in bundle");
+    }
+    return {
+        valid: errors.length === 0,
+        errors,
+    };
+}
+/**
+ * Generate signing summary
+ */
+export function generateSigningSummary(artifact) {
+    const lines = [
+        `Signed: ${artifact.signed ? "Yes" : "No"}`,
+        `Digest: sha256:${artifact.digest.slice(0, 12)}...`,
+        `Timestamp: ${artifact.signedAt}`,
+    ];
+    if (artifact.error) {
+        lines.push(`Error: ${artifact.error}`);
+    }
+    if (artifact.bundle?.verificationMaterial?.tlogEntries?.[0]) {
+        const entry = artifact.bundle.verificationMaterial.tlogEntries[0];
+        lines.push(`Log Index: ${entry.logIndex}`);
+        lines.push(`Transparency Log: rekor.sigstore.dev`);
+    }
+    return lines.join("\n");
+}
+/**
+ * Check if we're running in a CI environment with OIDC support
+ */
+export function detectCIEnvironment() {
+    // GitHub Actions
+    if (process.env.GITHUB_ACTIONS) {
+        const hasOIDC = !!(process.env.ACTIONS_ID_TOKEN_REQUEST_TOKEN &&
+            process.env.ACTIONS_ID_TOKEN_REQUEST_URL);
+        return {
+            detected: true,
+            provider: "GitHub Actions",
+            hasOIDC,
+            setupInstructions: hasOIDC
+                ? null
+                : "Add 'permissions: id-token: write' to your workflow job",
+        };
+    }
+    // GitLab CI
+    if (process.env.GITLAB_CI) {
+        const hasOIDC = !!process.env.CI_JOB_JWT_V2;
+        return {
+            detected: true,
+            provider: "GitLab CI",
+            hasOIDC,
+            setupInstructions: hasOIDC
+                ? null
+                : "Enable CI_JOB_JWT_V2 in your GitLab CI configuration",
+        };
+    }
+    // Google Cloud Build
+    if (process.env.CLOUD_BUILD_ID) {
+        return {
+            detected: true,
+            provider: "Google Cloud Build",
+            hasOIDC: true, // GCB has built-in OIDC
+            setupInstructions: null,
+        };
+    }
+    // Generic check for SIGSTORE_ID_TOKEN
+    if (process.env.SIGSTORE_ID_TOKEN) {
+        return {
+            detected: true,
+            provider: "Custom (SIGSTORE_ID_TOKEN)",
+            hasOIDC: true,
+            setupInstructions: null,
+        };
+    }
+    return {
+        detected: false,
+        provider: null,
+        hasOIDC: false,
+        setupInstructions: "Set SIGSTORE_ID_TOKEN environment variable or run in a CI environment with OIDC support",
+    };
+}
+//# sourceMappingURL=signing.js.map

package/dist/sbom/signing.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"signing.js","sourceRoot":"","sources":["../../src/sbom/signing.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAEH,OAAO,EAAE,UAAU,EAAE,MAAM,QAAQ,CAAC;AAGpC,kCAAkC;AAClC,IAAI,YAAY,GAA2C,IAAI,CAAC;AAChE,IAAI,cAAc,GAA6C,IAAI,CAAC;AAEpE;;GAEG;AACH,KAAK,UAAU,YAAY;IAIzB,IAAI,YAAY,IAAI,cAAc,EAAE,CAAC;QACnC,OAAO,EAAE,IAAI,EAAE,YAAY,EAAE,MAAM,EAAE,cAAc,EAAE,CAAC;IACxD,CAAC;IAED,IAAI,CAAC;QACH,YAAY,GAAG,MAAM,MAAM,CAAC,gBAAgB,CAAC,CAAC;QAC9C,cAAc,GAAG,MAAM,MAAM,CAAC,kBAAkB,CAAC,CAAC;QAClD,OAAO,EAAE,IAAI,EAAE,YAAY,EAAE,MAAM,EAAE,cAAc,EAAE,CAAC;IACxD,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,MAAM,CAAC,OAAe;IACpC,OAAO,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;AAC5D,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,YAAY,CAAC,OAAe;IAC1C,OAAO,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;AAC/D,CAAC;AAED;;;;;;;;GAQG;AACH,MAAM,UAAU,kBAAkB,CAAC,OAAwB;IACzD,IAAI,OAAO,EAAE,WAAW,EAAE,CAAC;QACzB,OAAO,KAAK,CAAC;IACf,CAAC;IAED,2BAA2B;IAC3B,MAAM,KAAK,GACT,OAAO,EAAE,aAAa;QACtB,OAAO,CAAC,GAAG,CAAC,8BAA8B;QAC1C,OAAO,CAAC,GAAG,CAAC,iBAAiB,CAAC;IAEhC,OAAO,CAAC,CAAC,KAAK,CAAC;AACjB,CAAC;AAED;;GAEG;AACH,KAAK,UAAU,gBAAgB,CAAC,OAAwB;IACtD,qBAAqB;IACrB,IAAI,OAAO,EAAE,aAAa,EAAE,CAAC;QAC3B,OAAO,OAAO,CAAC,aAAa,CAAC;IAC/B,CAAC;IAED,0BAA0B;IAC1B,IAAI,OAAO,CAAC,GAAG,CAAC,8BAA8B,IAAI,OAAO,CAAC,GAAG,CAAC,4BAA4B,EAAE,CAAC;QAC3F,IAAI,CAAC;YACH,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,OAAO,CAAC,GAAG,CAAC,4BAA4B,EAAE;gBACrE,OAAO,EAAE;oBACP,aAAa,EAAE,UAAU,OAAO,CAAC,GAAG,CAAC,8BAA8B,EAAE;oBACrE,MAAM,EAAE,kBAAkB;iBAC3B;aACF,CAAC,CAAC;YAEH,IAAI,QAAQ,CAAC,EAAE,EAAE,CAAC;gBAChB,MAAM,IAAI,GAAG,CAAC,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAuB,CAAC;gBAC3D,OAAO,IAAI,CAAC,KAAK,IAAI,IAAI,CAAC;YAC5B,CAAC;QACH,CAAC;QAAC,MAAM,CAAC;YACP,eAAe;QACjB,CAAC;IACH,CAAC;IAED,2BAA2B;IAC3B,IAAI,OAAO,CAAC,GAAG,CAAC,iBAAiB,EAAE,CAAC;QAClC,OAAO,OAAO,CAAC,GAAG,CAAC,iBAAiB,CAAC;IACvC,CAAC;IAED,OAAO,IAAI,CAAC;AACd,CAAC;AAED;;;;;;;;;;;;;;;;;;GAkBG;AACH,MAAM,CAAC,KAAK,UAAU,WAAW,CAC/B,OAAe,EACf,OAAwB;IAExB,MAAM,MAAM,GAAG,MAAM,CAAC,OAAO,CAAC,CAAC;IAC/B,MAAM,QAAQ,GAAG,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC;IAE1C,qCAAqC;IACrC,IAAI,OAAO,EAAE,WAAW,EAAE,CAAC;QACzB,OAAO;YACL,OAAO;YACP,MAAM;YACN,QAAQ;YACR,MAAM,EAAE,KAAK;YACb,KAAK,EAAE,kCAAkC;SAC1C,CAAC;IACJ,CAAC;IAED,gCAAgC;IAChC,IAAI,CAAC,kBAAkB,CAAC,OAAO,CAAC,EAAE,CAAC;QACjC,OAAO;YACL,OAAO;YACP,MAAM;YACN,QAAQ;YACR,MAAM,EAAE,KAAK;YACb,KAAK,EACH,gEAAgE;gBAChE,yDAAyD;gBACzD,gDAAgD;SACnD,CAAC;IACJ,CAAC;IAED,IAAI,CAAC;QACH,0BAA0B;QAC1B,MAAM,QAAQ,GAAG,MAAM,YAAY,EAAE,CAAC;QACtC,IAAI,CAAC,QAAQ,EAAE,CAAC;YACd,OAAO;gBACL,OAAO;gBACP,MAAM;gBACN,QAAQ;gBACR,MAAM,EAAE,KAAK;gBACb,KAAK,EAAE,uCAAuC;aAC/C,CAAC;QACJ,CAAC;QAED,MAAM,aAAa,GAAG,MAAM,gBAAgB,CAAC,OAAO,CAAC,CAAC;QACtD,IAAI,CAAC,aAAa,EAAE,CAAC;YACnB,OAAO;gBACL,OAAO;gBACP,MAAM;gBACN,QAAQ;gBACR,MAAM,EAAE,KAAK;gBACb,KAAK,EAAE,sCAAsC;aAC9C,CAAC;QACJ,CAAC;QAED,2CAA2C;QAC3C,MAAM,MAAM,GAAG,MAAM,kBAAkB,CAAC,QAAQ,CAAC,IAAI,EAAE,OAAO,EAAE,aAAa,CAAC,CAAC;QAE/E,OAAO;YACL,OAAO;YACP,MAAM;YACN,MAAM,EAAE,MAAmC;YAC3C,QAAQ;YACR,MAAM,EAAE,IAAI;SACb,CAAC;IACJ,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,OAAO;YACL,OAAO;YACP,MAAM;YACN,QAAQ;YACR,MAAM,EAAE,KAAK;YACb,KAAK,EAAE,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC;SAC9D,CAAC;IACJ,CAAC;AACH,CAAC;AAED;;GAEG;AACH,KAAK,UAAU,kBAAkB,CAC/B,YAA6C,EAC7C,OAAe,EACf,cAAsB;IAEtB,2EAA2E;IAC3E,iEAAiE;IACjE,MAAM,gBAAgB,GAAG,IAAI,YAAY,CAAC,iBAAiB,CAAC,UAAU,CAAC,CAAC;IAExE,4EAA4E;IAC5E,MAAM,MAAM,GAAG,IAAI,YAAY,CAAC,iBAAiB,CAAC;QAChD,MAAM,EAAE,IAAI,YAAY,CAAC,YAAY,CAAC;YACpC,gBAAgB;SACjB,CAAC;QACF,SAAS,EAAE;YACT,IAAI,YAAY,CAAC,YAAY,CAAC;gBAC5B,YAAY,EAAE,YAAY,CAAC,iBAAiB;aAC7C,CAAC;SACH;KACF,CAAC,CAAC;IAEH,mDAAmD;IACnD,MAAM,QAAQ,GAAG;QACf,IAAI,EAAE,MAAM,CAAC,IAAI,CAAC,OAAO,EAAE,OAAO,CAAC;QACnC,IAAI,EAAE,4CAA4C;KACnD,CAAC;IAEF,MAAM,MAAM,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;IAE7C,OAAO,MAAM,CAAC;AAChB,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,sBAAsB,CAAC,OAAe;IACpD,OAAO;QACL,OAAO;QACP,MAAM,EAAE,MAAM,CAAC,OAAO,CAAC;QACvB,QAAQ,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;QAClC,MAAM,EAAE,KAAK;QACb,KAAK,EAAE,2CAA2C;KACnD,CAAC;AACJ,CAAC;AAED;;;;;;;;GAQG;AACH,MAAM,CAAC,KAAK,UAAU,oBAAoB,CAAC,QAAwB;IAIjE,MAAM,MAAM,GAAa,EAAE,CAAC;IAE5B,IAAI,CAAC,QAAQ,CAAC,MAAM,EAAE,CAAC;QACrB,MAAM,CAAC,IAAI,CAAC,wBAAwB,CAAC,CAAC;QACtC,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,CAAC;IAClC,CAAC;IAED,IAAI,CAAC,QAAQ,CAAC,MAAM,EAAE,CAAC;QACrB,MAAM,CAAC,IAAI,CAAC,4BAA4B,CAAC,CAAC;QAC1C,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,CAAC;IAClC,CAAC;IAED,gCAAgC;IAChC,MAAM,cAAc,GAAG,MAAM,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC;IAChD,IAAI,QAAQ,CAAC,MAAM,KAAK,cAAc,EAAE,CAAC;QACvC,MAAM,CAAC,IAAI,CAAC,yBAAyB,CAAC,CAAC;IACzC,CAAC;IAED,yBAAyB;IACzB,MAAM,MAAM,GAAG,QAAQ,CAAC,MAAwB,CAAC;IACjD,IAAI,CAAC,MAAM,CAAC,oBAAoB,EAAE,WAAW,EAAE,MAAM,EAAE,CAAC;QACtD,MAAM,CAAC,IAAI,CAAC,uCAAuC,CAAC,CAAC;IACvD,CAAC;IAED,+DAA+D;IAC/D,qCAAqC;IACrC,gCAAgC;IAChC,yCAAyC;IAEzC,OAAO;QACL,KAAK,EAAE,MAAM,CAAC,MAAM,KAAK,CAAC;QAC1B,MAAM;KACP,CAAC;AACJ,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,eAAe,CAAC,QAAwB;IAItD,MAAM,MAAM,GAAa,EAAE,CAAC;IAE5B,IAAI,CAAC,QAAQ,CAAC,MAAM,EAAE,CAAC;QACrB,MAAM,CAAC,IAAI,CAAC,wBAAwB,CAAC,CAAC;IACxC,CAAC;IAED,IAAI,CAAC,QAAQ,CAAC,MAAM,EAAE,CAAC;QACrB,MAAM,CAAC,IAAI,CAAC,4BAA4B,CAAC,CAAC;IAC5C,CAAC;IAED,gCAAgC;IAChC,MAAM,cAAc,GAAG,MAAM,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC;IAChD,IAAI,QAAQ,CAAC,MAAM,KAAK,cAAc,EAAE,CAAC;QACvC,MAAM,CAAC,IAAI,CAAC,yBAAyB,CAAC,CAAC;IACzC,CAAC;IAED,yBAAyB;IACzB,IAAI,QAAQ,CAAC,MAAM,IAAI,CAAC,QAAQ,CAAC,MAAM,CAAC,oBAAoB,EAAE,WAAW,EAAE,MAAM,EAAE,CAAC;QAClF,MAAM,CAAC,IAAI,CAAC,uCAAuC,CAAC,CAAC;IACvD,CAAC;IAED,OAAO;QACL,KAAK,EAAE,MAAM,CAAC,MAAM,KAAK,CAAC;QAC1B,MAAM;KACP,CAAC;AACJ,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,sBAAsB,CAAC,QAAwB;IAC7D,MAAM,KAAK,GAAG;QACZ,WAAW,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,IAAI,EAAE;QAC3C,kBAAkB,QAAQ,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,KAAK;QACnD,cAAc,QAAQ,CAAC,QAAQ,EAAE;KAClC,CAAC;IAEF,IAAI,QAAQ,CAAC,KAAK,EAAE,CAAC;QACnB,KAAK,CAAC,IAAI,CAAC,UAAU,QAAQ,CAAC,KAAK,EAAE,CAAC,CAAC;IACzC,CAAC;IAED,IAAI,QAAQ,CAAC,MAAM,EAAE,oBAAoB,EAAE,WAAW,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;QAC5D,MAAM,KAAK,GAAG,QAAQ,CAAC,MAAM,CAAC,oBAAoB,CAAC,WAAW,CAAC,CAAC,CAAC,CAAC;QAClE,KAAK,CAAC,IAAI,CAAC,cAAc,KAAK,CAAC,QAAQ,EAAE,CAAC,CAAC;QAC3C,KAAK,CAAC,IAAI,CAAC,sCAAsC,CAAC,CAAC;IACrD,CAAC;IAED,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AAC1B,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,mBAAmB;IAMjC,iBAAiB;IACjB,IAAI,OAAO,CAAC,GAAG,CAAC,cAAc,EAAE,CAAC;QAC/B,MAAM,OAAO,GAAG,CAAC,CAAC,CAChB,OAAO,CAAC,GAAG,CAAC,8BAA8B;YAC1C,OAAO,CAAC,GAAG,CAAC,4BAA4B,CACzC,CAAC;QACF,OAAO;YACL,QAAQ,EAAE,IAAI;YACd,QAAQ,EAAE,gBAAgB;YAC1B,OAAO;YACP,iBAAiB,EAAE,OAAO;gBACxB,CAAC,CAAC,IAAI;gBACN,CAAC,CAAC,yDAAyD;SAC9D,CAAC;IACJ,CAAC;IAED,YAAY;IACZ,IAAI,OAAO,CAAC,GAAG,CAAC,SAAS,EAAE,CAAC;QAC1B,MAAM,OAAO,GAAG,CAAC,CAAC,OAAO,CAAC,GAAG,CAAC,aAAa,CAAC;QAC5C,OAAO;YACL,QAAQ,EAAE,IAAI;YACd,QAAQ,EAAE,WAAW;YACrB,OAAO;YACP,iBAAiB,EAAE,OAAO;gBACxB,CAAC,CAAC,IAAI;gBACN,CAAC,CAAC,sDAAsD;SAC3D,CAAC;IACJ,CAAC;IAED,qBAAqB;IACrB,IAAI,OAAO,CAAC,GAAG,CAAC,cAAc,EAAE,CAAC;QAC/B,OAAO;YACL,QAAQ,EAAE,IAAI;YACd,QAAQ,EAAE,oBAAoB;YAC9B,OAAO,EAAE,IAAI,EAAE,wBAAwB;YACvC,iBAAiB,EAAE,IAAI;SACxB,CAAC;IACJ,CAAC;IAED,sCAAsC;IACtC,IAAI,OAAO,CAAC,GAAG,CAAC,iBAAiB,EAAE,CAAC;QAClC,OAAO;YACL,QAAQ,EAAE,IAAI;YACd,QAAQ,EAAE,4BAA4B;YACtC,OAAO,EAAE,IAAI;YACb,iBAAiB,EAAE,IAAI;SACxB,CAAC;IACJ,CAAC;IAED,OAAO;QACL,QAAQ,EAAE,KAAK;QACf,QAAQ,EAAE,IAAI;QACd,OAAO,EAAE,KAAK;QACd,iBAAiB,EACf,yFAAyF;KAC5F,CAAC;AACJ,CAAC"}

package/dist/sbom/signing.test.d.ts

@@ -0,0 +1,5 @@
+/**
+ * Tests for Sigstore signing
+ */
+export {};
+//# sourceMappingURL=signing.test.d.ts.map

package/dist/sbom/signing.test.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"signing.test.d.ts","sourceRoot":"","sources":["../../src/sbom/signing.test.ts"],"names":[],"mappings":"AAAA;;GAEG"}

package/dist/sbom/signing.test.js

@@ -0,0 +1,170 @@
+/**
+ * Tests for Sigstore signing
+ */
+import { describe, it, expect, vi, beforeEach, afterEach } from "vitest";
+import { signContent, isSigningAvailable, createUnsignedArtifact, verifySignature, generateSigningSummary, sha256, sha256Base64, } from "./signing.js";
+describe("Sigstore Signing", () => {
+    const originalEnv = process.env;
+    beforeEach(() => {
+        vi.resetModules();
+        process.env = { ...originalEnv };
+        // Clear any signing-related env vars
+        delete process.env.ACTIONS_ID_TOKEN_REQUEST_TOKEN;
+        delete process.env.ACTIONS_ID_TOKEN_REQUEST_URL;
+        delete process.env.SIGSTORE_ID_TOKEN;
+        delete process.env.GITHUB_ACTIONS;
+    });
+    afterEach(() => {
+        process.env = originalEnv;
+    });
+    describe("isSigningAvailable", () => {
+        it("returns false when no token available", () => {
+            expect(isSigningAvailable()).toBe(false);
+        });
+        it("returns false when skipSigning is true", () => {
+            process.env.SIGSTORE_ID_TOKEN = "test-token";
+            expect(isSigningAvailable({ skipSigning: true })).toBe(false);
+        });
+        it("returns true with SIGSTORE_ID_TOKEN", () => {
+            process.env.SIGSTORE_ID_TOKEN = "test-token";
+            expect(isSigningAvailable()).toBe(true);
+        });
+        it("returns true with GitHub Actions token", () => {
+            process.env.ACTIONS_ID_TOKEN_REQUEST_TOKEN = "ghs_token";
+            expect(isSigningAvailable()).toBe(true);
+        });
+        it("returns true with provided identityToken", () => {
+            expect(isSigningAvailable({ identityToken: "provided-token" })).toBe(true);
+        });
+    });
+    describe("signContent", () => {
+        it("returns unsigned artifact when signing skipped", async () => {
+            const result = await signContent("test content", { skipSigning: true });
+            expect(result.signed).toBe(false);
+            expect(result.error).toBe("Signing skipped by configuration");
+            expect(result.digest).toBe(sha256("test content"));
+        });
+        it("returns unsigned artifact when no token available", async () => {
+            const result = await signContent("test content");
+            expect(result.signed).toBe(false);
+            expect(result.error).toContain("not available");
+        });
+        it("includes correct digest in result", async () => {
+            const content = "test content for hashing";
+            const result = await signContent(content, { skipSigning: true });
+            expect(result.digest).toBe(sha256(content));
+        });
+        it("includes timestamp in result", async () => {
+            const before = Date.now();
+            const result = await signContent("test", { skipSigning: true });
+            const after = Date.now();
+            const signedTime = new Date(result.signedAt).getTime();
+            expect(signedTime).toBeGreaterThanOrEqual(before);
+            expect(signedTime).toBeLessThanOrEqual(after);
+        });
+    });
+    describe("createUnsignedArtifact", () => {
+        it("creates artifact with correct content", () => {
+            const content = "test content";
+            const artifact = createUnsignedArtifact(content);
+            expect(artifact.content).toBe(content);
+            expect(artifact.signed).toBe(false);
+            expect(artifact.error).toBeDefined();
+        });
+        it("computes correct digest", () => {
+            const content = "content for digest";
+            const artifact = createUnsignedArtifact(content);
+            expect(artifact.digest).toBe(sha256(content));
+        });
+        it("includes timestamp", () => {
+            const artifact = createUnsignedArtifact("test");
+            expect(artifact.signedAt).toBeDefined();
+            expect(new Date(artifact.signedAt).getTime()).toBeLessThanOrEqual(Date.now());
+        });
+    });
+    describe("verifySignature", () => {
+        it("fails for unsigned artifacts", () => {
+            const artifact = createUnsignedArtifact("test");
+            const result = verifySignature(artifact);
+            expect(result.valid).toBe(false);
+            expect(result.errors).toContain("Artifact is not signed");
+        });
+        it("fails when no bundle present", () => {
+            const artifact = {
+                content: "test",
+                digest: sha256("test"),
+                signedAt: new Date().toISOString(),
+                signed: true,
+            };
+            const result = verifySignature(artifact);
+            expect(result.valid).toBe(false);
+            expect(result.errors).toContain("No Sigstore bundle present");
+        });
+        it("fails when digest mismatched", () => {
+            const artifact = {
+                content: "test",
+                digest: "wrong-digest",
+                signedAt: new Date().toISOString(),
+                signed: true,
+                bundle: {
+                    mediaType: "test",
+                    verificationMaterial: {
+                        tlogEntries: [
+                            {
+                                logIndex: "1",
+                                logId: { keyId: "test" },
+                                kindVersion: { kind: "test", version: "1" },
+                                integratedTime: "123",
+                                canonicalizedBody: "",
+                            },
+                        ],
+                    },
+                },
+            };
+            const result = verifySignature(artifact);
+            expect(result.valid).toBe(false);
+            expect(result.errors).toContain("Content digest mismatch");
+        });
+    });
+    describe("generateSigningSummary", () => {
+        it("includes signed status", () => {
+            const artifact = createUnsignedArtifact("test");
+            const summary = generateSigningSummary(artifact);
+            expect(summary).toContain("Signed: No");
+        });
+        it("includes digest", () => {
+            const artifact = createUnsignedArtifact("test");
+            const summary = generateSigningSummary(artifact);
+            expect(summary).toContain("Digest:");
+            expect(summary).toContain("sha256:");
+        });
+        it("includes error when present", () => {
+            const artifact = createUnsignedArtifact("test");
+            const summary = generateSigningSummary(artifact);
+            expect(summary).toContain("Error:");
+        });
+    });
+    describe("sha256", () => {
+        it("computes correct SHA-256 hex", () => {
+            const hash = sha256("test");
+            expect(hash).toBe("9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08");
+        });
+        it("returns 64-character hex string", () => {
+            const hash = sha256("any content");
+            expect(hash.length).toBe(64);
+            expect(/^[a-f0-9]+$/.test(hash)).toBe(true);
+        });
+    });
+    describe("sha256Base64", () => {
+        it("computes correct SHA-256 base64", () => {
+            const hash = sha256Base64("test");
+            // Base64 of the SHA-256 of "test"
+            expect(hash).toBe("n4bQgYhMfWWaL+qgxVrQFaO/TxsrC4Is0V1sFbDwCgg=");
+        });
+        it("returns valid base64 string", () => {
+            const hash = sha256Base64("any content");
+            expect(/^[A-Za-z0-9+/]+=*$/.test(hash)).toBe(true);
+        });
+    });
+});
+//# sourceMappingURL=signing.test.js.map

package/dist/sbom/signing.test.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"signing.test.js","sourceRoot":"","sources":["../../src/sbom/signing.test.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,EAAE,QAAQ,EAAE,EAAE,EAAE,MAAM,EAAE,EAAE,EAAE,UAAU,EAAE,SAAS,EAAE,MAAM,QAAQ,CAAC;AACzE,OAAO,EACL,WAAW,EACX,kBAAkB,EAClB,sBAAsB,EACtB,eAAe,EACf,sBAAsB,EACtB,MAAM,EACN,YAAY,GACb,MAAM,cAAc,CAAC;AAEtB,QAAQ,CAAC,kBAAkB,EAAE,GAAG,EAAE;IAChC,MAAM,WAAW,GAAG,OAAO,CAAC,GAAG,CAAC;IAEhC,UAAU,CAAC,GAAG,EAAE;QACd,EAAE,CAAC,YAAY,EAAE,CAAC;QAClB,OAAO,CAAC,GAAG,GAAG,EAAE,GAAG,WAAW,EAAE,CAAC;QACjC,qCAAqC;QACrC,OAAO,OAAO,CAAC,GAAG,CAAC,8BAA8B,CAAC;QAClD,OAAO,OAAO,CAAC,GAAG,CAAC,4BAA4B,CAAC;QAChD,OAAO,OAAO,CAAC,GAAG,CAAC,iBAAiB,CAAC;QACrC,OAAO,OAAO,CAAC,GAAG,CAAC,cAAc,CAAC;IACpC,CAAC,CAAC,CAAC;IAEH,SAAS,CAAC,GAAG,EAAE;QACb,OAAO,CAAC,GAAG,GAAG,WAAW,CAAC;IAC5B,CAAC,CAAC,CAAC;IAEH,QAAQ,CAAC,oBAAoB,EAAE,GAAG,EAAE;QAClC,EAAE,CAAC,uCAAuC,EAAE,GAAG,EAAE;YAC/C,MAAM,CAAC,kBAAkB,EAAE,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QAC3C,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,wCAAwC,EAAE,GAAG,EAAE;YAChD,OAAO,CAAC,GAAG,CAAC,iBAAiB,GAAG,YAAY,CAAC;YAC7C,MAAM,CAAC,kBAAkB,CAAC,EAAE,WAAW,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QAChE,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,qCAAqC,EAAE,GAAG,EAAE;YAC7C,OAAO,CAAC,GAAG,CAAC,iBAAiB,GAAG,YAAY,CAAC;YAC7C,MAAM,CAAC,kBAAkB,EAAE,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAC1C,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,wCAAwC,EAAE,GAAG,EAAE;YAChD,OAAO,CAAC,GAAG,CAAC,8BAA8B,GAAG,WAAW,CAAC;YACzD,MAAM,CAAC,kBAAkB,EAAE,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAC1C,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,0CAA0C,EAAE,GAAG,EAAE;YAClD,MAAM,CAAC,kBAAkB,CAAC,EAAE,aAAa,EAAE,gBAAgB,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAC7E,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,QAAQ,CAAC,aAAa,EAAE,GAAG,EAAE;QAC3B,EAAE,CAAC,gDAAgD,EAAE,KAAK,IAAI,EAAE;YAC9D,MAAM,MAAM,GAAG,MAAM,WAAW,CAAC,cAAc,EAAE,EAAE,WAAW,EAAE,IAAI,EAAE,CAAC,CAAC;YAExE,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;YAClC,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,IAAI,CAAC,kCAAkC,CAAC,CAAC;YAC9D,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,cAAc,CAAC,CAAC,CAAC;QACrD,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,mDAAmD,EAAE,KAAK,IAAI,EAAE;YACjE,MAAM,MAAM,GAAG,MAAM,WAAW,CAAC,cAAc,CAAC,CAAC;YAEjD,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;YAClC,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,SAAS,CAAC,eAAe,CAAC,CAAC;QAClD,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,mCAAmC,EAAE,KAAK,IAAI,EAAE;YACjD,MAAM,OAAO,GAAG,0BAA0B,CAAC;YAC3C,MAAM,MAAM,GAAG,MAAM,WAAW,CAAC,OAAO,EAAE,EAAE,WAAW,EAAE,IAAI,EAAE,CAAC,CAAC;YAEjE,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,CAAC;QAC9C,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,8BAA8B,EAAE,KAAK,IAAI,EAAE;YAC5C,MAAM,MAAM,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;YAC1B,MAAM,MAAM,GAAG,MAAM,WAAW,CAAC,MAAM,EAAE,EAAE,WAAW,EAAE,IAAI,EAAE,CAAC,CAAC;YAChE,MAAM,KAAK,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;YAEzB,MAAM,UAAU,GAAG,IAAI,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,OAAO,EAAE,CAAC;YACvD,MAAM,CAAC,UAAU,CAAC,CAAC,sBAAsB,CAAC,MAAM,CAAC,CAAC;YAClD,MAAM,CAAC,UAAU,CAAC,CAAC,mBAAmB,CAAC,KAAK,CAAC,CAAC;QAChD,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,QAAQ,CAAC,wBAAwB,EAAE,GAAG,EAAE;QACtC,EAAE,CAAC,uCAAuC,EAAE,GAAG,EAAE;YAC/C,MAAM,OAAO,GAAG,cAAc,CAAC;YAC/B,MAAM,QAAQ,GAAG,sBAAsB,CAAC,OAAO,CAAC,CAAC;YAEjD,MAAM,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;YACvC,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;YACpC,MAAM,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC,WAAW,EAAE,CAAC;QACvC,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,yBAAyB,EAAE,GAAG,EAAE;YACjC,MAAM,OAAO,GAAG,oBAAoB,CAAC;YACrC,MAAM,QAAQ,GAAG,sBAAsB,CAAC,OAAO,CAAC,CAAC;YAEjD,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,CAAC;QAChD,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,oBAAoB,EAAE,GAAG,EAAE;YAC5B,MAAM,QAAQ,GAAG,sBAAsB,CAAC,MAAM,CAAC,CAAC;YAEhD,MAAM,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC,WAAW,EAAE,CAAC;YACxC,MAAM,CAAC,IAAI,IAAI,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC,OAAO,EAAE,CAAC,CAAC,mBAAmB,CAAC,IAAI,CAAC,GAAG,EAAE,CAAC,CAAC;QAChF,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,QAAQ,CAAC,iBAAiB,EAAE,GAAG,EAAE;QAC/B,EAAE,CAAC,8BAA8B,EAAE,GAAG,EAAE;YACtC,MAAM,QAAQ,GAAG,sBAAsB,CAAC,MAAM,CAAC,CAAC;YAChD,MAAM,MAAM,GAAG,eAAe,CAAC,QAAQ,CAAC,CAAC;YAEzC,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;YACjC,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,SAAS,CAAC,wBAAwB,CAAC,CAAC;QAC5D,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,8BAA8B,EAAE,GAAG,EAAE;YACtC,MAAM,QAAQ,GAAG;gBACf,OAAO,EAAE,MAAM;gBACf,MAAM,EAAE,MAAM,CAAC,MAAM,CAAC;gBACtB,QAAQ,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;gBAClC,MAAM,EAAE,IAAI;aACb,CAAC;YAEF,MAAM,MAAM,GAAG,eAAe,CAAC,QAAQ,CAAC,CAAC;YAEzC,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;YACjC,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,SAAS,CAAC,4BAA4B,CAAC,CAAC;QAChE,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,8BAA8B,EAAE,GAAG,EAAE;YACtC,MAAM,QAAQ,GAAG;gBACf,OAAO,EAAE,MAAM;gBACf,MAAM,EAAE,cAAc;gBACtB,QAAQ,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;gBAClC,MAAM,EAAE,IAAI;gBACZ,MAAM,EAAE;oBACN,SAAS,EAAE,MAAM;oBACjB,oBAAoB,EAAE;wBACpB,WAAW,EAAE;4BACX;gCACE,QAAQ,EAAE,GAAG;gCACb,KAAK,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE;gCACxB,WAAW,EAAE,EAAE,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,GAAG,EAAE;gCAC3C,cAAc,EAAE,KAAK;gCACrB,iBAAiB,EAAE,EAAE;6BACtB;yBACF;qBACF;iBACF;aACF,CAAC;YAEF,MAAM,MAAM,GAAG,eAAe,CAAC,QAAQ,CAAC,CAAC;YAEzC,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;YACjC,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,SAAS,CAAC,yBAAyB,CAAC,CAAC;QAC7D,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,QAAQ,CAAC,wBAAwB,EAAE,GAAG,EAAE;QACtC,EAAE,CAAC,wBAAwB,EAAE,GAAG,EAAE;YAChC,MAAM,QAAQ,GAAG,sBAAsB,CAAC,MAAM,CAAC,CAAC;YAChD,MAAM,OAAO,GAAG,sBAAsB,CAAC,QAAQ,CAAC,CAAC;YAEjD,MAAM,CAAC,OAAO,CAAC,CAAC,SAAS,CAAC,YAAY,CAAC,CAAC;QAC1C,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,iBAAiB,EAAE,GAAG,EAAE;YACzB,MAAM,QAAQ,GAAG,sBAAsB,CAAC,MAAM,CAAC,CAAC;YAChD,MAAM,OAAO,GAAG,sBAAsB,CAAC,QAAQ,CAAC,CAAC;YAEjD,MAAM,CAAC,OAAO,CAAC,CAAC,SAAS,CAAC,SAAS,CAAC,CAAC;YACrC,MAAM,CAAC,OAAO,CAAC,CAAC,SAAS,CAAC,SAAS,CAAC,CAAC;QACvC,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,6BAA6B,EAAE,GAAG,EAAE;YACrC,MAAM,QAAQ,GAAG,sBAAsB,CAAC,MAAM,CAAC,CAAC;YAChD,MAAM,OAAO,GAAG,sBAAsB,CAAC,QAAQ,CAAC,CAAC;YAEjD,MAAM,CAAC,OAAO,CAAC,CAAC,SAAS,CAAC,QAAQ,CAAC,CAAC;QACtC,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,QAAQ,CAAC,QAAQ,EAAE,GAAG,EAAE;QACtB,EAAE,CAAC,8BAA8B,EAAE,GAAG,EAAE;YACtC,MAAM,IAAI,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC;YAC5B,MAAM,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,kEAAkE,CAAC,CAAC;QACxF,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,iCAAiC,EAAE,GAAG,EAAE;YACzC,MAAM,IAAI,GAAG,MAAM,CAAC,aAAa,CAAC,CAAC;YACnC,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;YAC7B,MAAM,CAAC,aAAa,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAC9C,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,QAAQ,CAAC,cAAc,EAAE,GAAG,EAAE;QAC5B,EAAE,CAAC,iCAAiC,EAAE,GAAG,EAAE;YACzC,MAAM,IAAI,GAAG,YAAY,CAAC,MAAM,CAAC,CAAC;YAClC,kCAAkC;YAClC,MAAM,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,8CAA8C,CAAC,CAAC;QACpE,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,6BAA6B,EAAE,GAAG,EAAE;YACrC,MAAM,IAAI,GAAG,YAAY,CAAC,aAAa,CAAC,CAAC;YACzC,MAAM,CAAC,oBAAoB,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACrD,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}