web3ql-client 1.2.0

package/README.md

@@ -0,0 +1,66 @@
+# @web3ql/sdk
+
+TypeScript client SDK for the Web3QL on-chain encrypted database system. End-to-end NaCl encryption — plaintext never touches the chain.
+
+## Install
+
+```bash
+npm install @web3ql/sdk ethers tweetnacl @noble/hashes
+```
+
+## Quick start
+
+```typescript
+import { Web3QLClient, EncryptedTableClient, deriveKeypairFromWallet } from '@web3ql/sdk'
+import { ethers } from 'ethers'
+
+const provider = new ethers.JsonRpcProvider('https://forno.celo-sepolia.celo-testnet.org')
+const wallet   = new ethers.Wallet(process.env.PRIVATE_KEY!, provider)
+
+// Derive keypair — same result as browser Explorer
+const keypair = await deriveKeypairFromWallet(wallet)
+
+const client = new Web3QLClient('0x2cfE616062261927fCcC727333d6dD3D5880FDd1', wallet)
+const db     = await client.createDatabase('my_app')
+const table  = await db.createTable('users', '{"name":"string"}')
+
+const enc = new EncryptedTableClient(table.address, wallet, keypair)
+await enc.writeString('user_001', JSON.stringify({ name: 'Alice' }))
+const plain = await enc.readString('user_001')  // decrypts on read
+```
+
+## Key exports
+
+| Export | Description |
+|---|---|
+| `Web3QLClient` | Top-level: createDatabase(), getUserDatabases() |
+| `DatabaseClient` | createTable(), getTable(), listTables() |
+| `EncryptedTableClient` | write/read/update/delete + grantAccess() |
+| `TypedTableClient` | Prisma-style: create(), findMany(), updateById() |
+| `PublicKeyRegistryClient` | register(), getPublicKey(), hasKey() |
+| `deriveKeypairFromWallet(signer)` | ✅ Recommended — browser-compatible |
+| `deriveKeypair(privKey)` | ⚠️ Deprecated — different keypair from browser |
+
+## Key derivation
+
+```typescript
+// Signs 'Web3QL encryption key derivation v1' deterministically
+// SHA-256(signature) → X25519 seed → NaCl keypair
+// Identical result in browser (MetaMask) and server (ethers Wallet)
+const keypair = await deriveKeypairFromWallet(wallet)
+```
+
+Always use `deriveKeypairFromWallet` so SDK-written records are readable in the Web3QL Cloud Explorer browser UI.
+
+## Encryption model
+
+- Per-record random 32-byte symmetric key → NaCl secretbox (XSalsa20-Poly1305)
+- Symmetric key wrapped per recipient → NaCl box (X25519 ECDH)
+- `secretbox blob = [ 24-byte nonce | encrypted(plaintext, symKey) ]`
+- `key envelope   = [ 24-byte nonce | box(symKey, myPriv, recipientPub) ]`
+
+## Build
+
+```bash
+cd sdk && pnpm install && pnpm build
+```

package/contracts/PublicKeyRegistry.sol

@@ -0,0 +1,87 @@
+// SPDX-License-Identifier: MIT
+pragma solidity ^0.8.20;
+
+/**
+ * @title  PublicKeyRegistry
+ * @notice Stores one X25519 encryption public key per Ethereum address.
+ *
+ * Why is this needed?
+ * ─────────────────────────────────────────────────────────────
+ *  When Alice wants to share a record with Bob, she needs Bob's
+ *  X25519 public key to encrypt the symmetric key for him.
+ *  Bob registers his public key here once (~40k gas), and Alice
+ *  looks it up before calling grantAccess().
+ *
+ * Key derivation (SDK side):
+ *  The X25519 private key = SHA-256(Ethereum private key)
+ *  The X25519 public key  = scalar_mult(privKey, Curve25519.G)
+ *  This is done entirely off-chain in @web3ql/sdk's crypto module.
+ *
+ * Security:
+ *  • Registering here reveals only the X25519 PUBLIC key.
+ *  • The Ethereum private key and X25519 private key are never
+ *    transmitted or stored anywhere.
+ *  • Users can rotate their key at any time by calling register()
+ *    again — old encrypted records won't be accessible with the
+ *    new key (same as real-world key rotation).
+ *
+ * @dev    Intentionally NOT upgradeable — immutable registry.
+ *         Deploy once on Celo, share the address in the SDK config.
+ */
+contract PublicKeyRegistry {
+
+    // ─────────────────────────────────────────────────────────
+    //  State
+    // ─────────────────────────────────────────────────────────
+
+    /// address → X25519 public key (32 bytes packed into bytes32)
+    mapping(address => bytes32) private _keys;
+
+    // ─────────────────────────────────────────────────────────
+    //  Events
+    // ─────────────────────────────────────────────────────────
+
+    event KeyRegistered(address indexed user, bytes32 publicKey);
+
+    // ─────────────────────────────────────────────────────────
+    //  Write
+    // ─────────────────────────────────────────────────────────
+
+    /**
+     * @notice Register (or rotate) your X25519 encryption public key.
+     * @param pubKey  32-byte X25519 public key from @web3ql/sdk's deriveKeypair().
+     *
+     * One-time cost ~40k gas on Celo (~$0.001).
+     * Can be re-called to rotate the key — existing encrypted records
+     * will need to be re-shared by their owners after rotation.
+     */
+    function register(bytes32 pubKey) external {
+        require(pubKey != bytes32(0), "PublicKeyRegistry: pubKey must not be zero");
+        _keys[msg.sender] = pubKey;
+        emit KeyRegistered(msg.sender, pubKey);
+    }
+
+    // ─────────────────────────────────────────────────────────
+    //  Read
+    // ─────────────────────────────────────────────────────────
+
+    /**
+     * @notice Return the X25519 public key for a registered address.
+     * @dev    Reverts if the address has never registered.
+     *         Use hasKey() to check first if you want a graceful fallback.
+     */
+    function getKey(address user) external view returns (bytes32) {
+        require(
+            _keys[user] != bytes32(0),
+            "PublicKeyRegistry: address has not registered a public key"
+        );
+        return _keys[user];
+    }
+
+    /**
+     * @notice Check whether an address has a registered key.
+     */
+    function hasKey(address user) external view returns (bool) {
+        return _keys[user] != bytes32(0);
+    }
+}

package/dist/src/access.d.ts

@@ -0,0 +1,176 @@
+/**
+ * @file   access.ts
+ * @notice Web3QL v1.2 — advanced access control.
+ *
+ * Extends the base OWNER/EDITOR/VIEWER per-record model with:
+ *
+ *   1. TIME-LIMITED ACCESS      — expiry block stored in a meta record.
+ *                                 SDK checks expiry before decode.
+ *   2. DELEGATED SIGNING        — sign a capability token so a 3rd party
+ *                                 can write on your behalf without your wallet.
+ *   3. PUBLIC TABLE MODE        — unencrypted writes. Anyone can read.
+ *                                 Useful for leaderboards, public state.
+ *   4. COLUMN-LEVEL ENCRYPTION  — different symmetric key per column.
+ *                                 Viewers get keys only for their allowed columns.
+ *
+ * Usage — time-limited share:
+ * ─────────────────────────────────────────────────────────────
+ *   const am = new AccessManager(tableClient, signer, keypair, registry);
+ *
+ *   // Share record key1 with Bob, expires in 100 blocks
+ *   await am.shareWithExpiry(key1, bobAddress, Role.VIEWER, registry, 100n);
+ *
+ *   // Bob reads record — SDK auto-checks expiry:
+ *   const data = await am.readIfNotExpired(key1, bobAddress);
+ *
+ * Usage — delegated signing:
+ * ─────────────────────────────────────────────────────────────
+ *   // Alice signs a capability token for Bob to write to key1 once
+ *   const token = await am.signCapability({ key: key1, action: 'write', nonce: 1n });
+ *
+ *   // Bob submits it — the relay/contract verifies Alice's signature
+ *   await am.submitWithCapability(key1, plaintext, token);
+ *
+ * Usage — public table:
+ * ─────────────────────────────────────────────────────────────
+ *   const pub = new PublicTableClient(tableAddress, signer);
+ *   await pub.write(key, plaintext);     // stored as plaintext
+ *   const text = await pub.read(key);    // no decryption needed
+ * ─────────────────────────────────────────────────────────────
+ */
+import { ethers } from 'ethers';
+import type { EncryptedTableClient } from './table-client.js';
+import { Role } from './table-client.js';
+import type { PublicKeyRegistryClient } from './registry.js';
+import type { EncryptionKeypair } from './crypto.js';
+import { encryptKeyForSelf, decryptKeyForSelf } from './crypto.js';
+export { Role };
+export interface TimedGrant {
+    grantee: string;
+    role: Role;
+    expiryBlock: bigint;
+    grantedAt: bigint;
+}
+/**
+ * Stores a time-limited grant as a JSON meta record on-chain.
+ *
+ * Key scheme: keccak256(abi.encodePacked("__grant__", recordKey, grantee))
+ */
+export declare function grantMetaKey(client: EncryptedTableClient, recordKey: string, grantee: string): string;
+export interface CapabilityToken {
+    /** Signer's address (granter). */
+    granter: string;
+    /** Address allowed to use this token. */
+    grantee: string;
+    /** bytes32 record key the token applies to. */
+    key: string;
+    /** 'write' | 'update' | 'delete' */
+    action: 'write' | 'update' | 'delete';
+    /** Monotonic nonce to prevent replay. */
+    nonce: bigint;
+    /** Block number after which token is invalid. 0 = never expires. */
+    expiryBlock: bigint;
+    /** ECDSA signature (over the above fields). */
+    signature: string;
+}
+export declare class AccessManager {
+    private client;
+    private signer;
+    private keypair;
+    constructor(client: EncryptedTableClient, signer: ethers.Signer, keypair: EncryptionKeypair);
+    /**
+     * Share a record with expiry — stores a signed grant meta record on-chain.
+     *
+     * @param recordKey    bytes32 record key to share.
+     * @param recipient    Address to grant access to.
+     * @param role         Role.VIEWER or Role.EDITOR.
+     * @param registry     PublicKeyRegistryClient to look up recipient's pubkey.
+     * @param expiryBlocks Number of blocks until the grant expires.
+     */
+    shareWithExpiry(recordKey: string, recipient: string, role: Role, registry: PublicKeyRegistryClient, expiryBlocks: bigint): Promise<void>;
+    /**
+     * Check whether a grant is still valid (not past expiry block).
+     * Returns the TimedGrant if valid, null if expired or not found.
+     */
+    checkGrant(recordKey: string, grantee: string): Promise<TimedGrant | null>;
+    /**
+     * Revoke an expired or unwanted timed grant.
+     */
+    revokeGrant(recordKey: string, grantee: string): Promise<void>;
+    /**
+     * Sign a capability token that allows `grantee` to perform `action` on `key`.
+     *
+     * The signature uses EIP-712 typed data. The relay or contract can verify
+     * the granter's address from the signature without trusting the grantee.
+     */
+    signCapability(params: {
+        grantee: string;
+        key: string;
+        action: 'write' | 'update' | 'delete';
+        nonce: bigint;
+        expiryBlock: bigint;
+    }): Promise<CapabilityToken>;
+    /**
+     * Verify a capability token was signed by the stated granter and is not expired.
+     * Returns the recovered granter address, or throws if invalid.
+     */
+    static verifyCapability(token: CapabilityToken, provider: ethers.Provider): Promise<string>;
+}
+/**
+ * PublicTableClient wraps a Web3QL table contract in "no-encryption" mode.
+ *
+ * Data is stored as raw UTF-8 bytes.  Anyone who knows the table address can
+ * read every record directly on-chain — no symmetric key required.
+ *
+ * Use cases: leaderboards, public voting tallies, open datasets.
+ *
+ * ⚠  All data is FULLY PUBLIC. Do not store sensitive information.
+ */
+export declare class PublicTableClient {
+    readonly tableAddress: string;
+    private contract;
+    private signer;
+    constructor(tableAddress: string, signer: ethers.Signer);
+    private get c();
+    deriveKey(tableName: string, id: bigint): string;
+    write(key: string, plaintext: string): Promise<ethers.TransactionReceipt>;
+    read(key: string): Promise<string>;
+    update(key: string, plaintext: string): Promise<ethers.TransactionReceipt>;
+    delete(key: string): Promise<ethers.TransactionReceipt>;
+    exists(key: string): Promise<boolean>;
+}
+/**
+ * ColumnKeySet: encrypt specific columns with different symmetric keys.
+ *
+ * Scenario: a "users" table has columns [id, name, email, salary].
+ * You want VIEWER-role collaborators to see name but NOT salary.
+ *
+ * Solution:
+ *   • Split row into two groups: visible={id, name} and private={email, salary}
+ *   • Encrypt each group with a separate symmetric key
+ *   • VIEWER gets the key for the visible group only
+ *   • EDITOR gets both keys
+ */
+export interface ColumnKeySet {
+    /** Symmetric key for the "public within this sharing scope" columns */
+    visibleKey: Uint8Array;
+    /** Symmetric key for the private columns */
+    privateKey: Uint8Array;
+    /** Columns encrypted with visibleKey */
+    visibleCols: string[];
+}
+/**
+ * Split a plain JS row object into two encrypted blobs —
+ * one for visible columns, one for private columns.
+ */
+export declare function encryptWithColumnKeys(row: Record<string, unknown>, visibleCols: string[], visibleKey: Uint8Array, privateKey: Uint8Array): {
+    visible: Uint8Array;
+    private: Uint8Array;
+};
+/**
+ * Decrypt and merge the two column blobs.
+ */
+export declare function decryptColumnBlobs(visibleBlob: Uint8Array, privateBlob: Uint8Array, visibleKey: Uint8Array, privateKey: Uint8Array): Record<string, unknown>;
+export declare function generateColumnKeySet(visibleCols: string[]): ColumnKeySet;
+export { encryptKeyForSelf, decryptKeyForSelf };
+//# sourceMappingURL=access.d.ts.map

package/dist/src/access.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"access.d.ts","sourceRoot":"","sources":["../../src/access.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAuCG;AAEH,OAAO,EAAE,MAAM,EAAE,MAAwC,QAAQ,CAAC;AAClE,OAAO,KAAK,EAAE,oBAAoB,EAAE,MAAqB,mBAAmB,CAAC;AAC7E,OAAO,EAAE,IAAI,EAAE,MAA0C,mBAAmB,CAAC;AAC7E,OAAO,KAAK,EAAE,uBAAuB,EAAE,MAAkB,eAAe,CAAC;AACzE,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAwB,aAAa,CAAC;AACvE,OAAO,EAIL,iBAAiB,EACjB,iBAAiB,EAClB,MAAwD,aAAa,CAAC;AAEvE,OAAO,EAAE,IAAI,EAAE,CAAC;AAMhB,MAAM,WAAW,UAAU;IACzB,OAAO,EAAM,MAAM,CAAC;IACpB,IAAI,EAAS,IAAI,CAAC;IAClB,WAAW,EAAE,MAAM,CAAC;IACpB,SAAS,EAAI,MAAM,CAAC;CACrB;AAED;;;;GAIG;AACH,wBAAgB,YAAY,CAC1B,MAAM,EAAI,oBAAoB,EAC9B,SAAS,EAAE,MAAM,EACjB,OAAO,EAAG,MAAM,GACf,MAAM,CAIR;AAMD,MAAM,WAAW,eAAe;IAC9B,kCAAkC;IAClC,OAAO,EAAK,MAAM,CAAC;IACnB,yCAAyC;IACzC,OAAO,EAAK,MAAM,CAAC;IACnB,+CAA+C;IAC/C,GAAG,EAAS,MAAM,CAAC;IACnB,oCAAoC;IACpC,MAAM,EAAM,OAAO,GAAG,QAAQ,GAAG,QAAQ,CAAC;IAC1C,yCAAyC;IACzC,KAAK,EAAO,MAAM,CAAC;IACnB,oEAAoE;IACpE,WAAW,EAAE,MAAM,CAAC;IACpB,+CAA+C;IAC/C,SAAS,EAAG,MAAM,CAAC;CACpB;AAsBD,qBAAa,aAAa;IACxB,OAAO,CAAC,MAAM,CAA0B;IACxC,OAAO,CAAC,MAAM,CAAmB;IACjC,OAAO,CAAC,OAAO,CAAsB;gBAGnC,MAAM,EAAG,oBAAoB,EAC7B,MAAM,EAAG,MAAM,CAAC,MAAM,EACtB,OAAO,EAAE,iBAAiB;IAS5B;;;;;;;;OAQG;IACG,eAAe,CACnB,SAAS,EAAM,MAAM,EACrB,SAAS,EAAM,MAAM,EACrB,IAAI,EAAW,IAAI,EACnB,QAAQ,EAAO,uBAAuB,EACtC,YAAY,EAAG,MAAM,GACpB,OAAO,CAAC,IAAI,CAAC;IAkBhB;;;OAGG;IACG,UAAU,CAAC,SAAS,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,GAAG,OAAO,CAAC,UAAU,GAAG,IAAI,CAAC;IAyBhF;;OAEG;IACG,WAAW,CAAC,SAAS,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAMpE;;;;;OAKG;IACG,cAAc,CAAC,MAAM,EAAE;QAC3B,OAAO,EAAM,MAAM,CAAC;QACpB,GAAG,EAAU,MAAM,CAAC;QACpB,MAAM,EAAO,OAAO,GAAG,QAAQ,GAAG,QAAQ,CAAC;QAC3C,KAAK,EAAQ,MAAM,CAAC;QACpB,WAAW,EAAE,MAAM,CAAC;KACrB,GAAG,OAAO,CAAC,eAAe,CAAC;IAkB5B;;;OAGG;WACU,gBAAgB,CAC3B,KAAK,EAAK,eAAe,EACzB,QAAQ,EAAE,MAAM,CAAC,QAAQ,GACxB,OAAO,CAAC,MAAM,CAAC;CAqBnB;AAcD;;;;;;;;;GASG;AACH,qBAAa,iBAAiB;IAC5B,QAAQ,CAAC,YAAY,EAAE,MAAM,CAAC;IAC9B,OAAO,CAAC,QAAQ,CAAuB;IACvC,OAAO,CAAC,MAAM,CAAuB;gBAEzB,YAAY,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,CAAC,MAAM;IAOvD,OAAO,KAAK,CAAC,GAAiC;IAE9C,SAAS,CAAC,SAAS,EAAE,MAAM,EAAE,EAAE,EAAE,MAAM,GAAG,MAAM;IAI1C,KAAK,CAAC,GAAG,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,kBAAkB,CAAC;IAQzE,IAAI,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;IAKlC,MAAM,CAAC,GAAG,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,kBAAkB,CAAC;IAO1E,MAAM,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,kBAAkB,CAAC;IAKvD,MAAM,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;CAG5C;AAMD;;;;;;;;;;;GAWG;AACH,MAAM,WAAW,YAAY;IAC3B,uEAAuE;IACvE,UAAU,EAAG,UAAU,CAAC;IACxB,4CAA4C;IAC5C,UAAU,EAAG,UAAU,CAAC;IACxB,wCAAwC;IACxC,WAAW,EAAE,MAAM,EAAE,CAAC;CACvB;AAED;;;GAGG;AACH,wBAAgB,qBAAqB,CACnC,GAAG,EAAU,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EACpC,WAAW,EAAE,MAAM,EAAE,EACrB,UAAU,EAAG,UAAU,EACvB,UAAU,EAAG,UAAU,GACtB;IAAE,OAAO,EAAE,UAAU,CAAC;IAAC,OAAO,EAAE,UAAU,CAAA;CAAE,CAa9C;AAED;;GAEG;AACH,wBAAgB,kBAAkB,CAChC,WAAW,EAAG,UAAU,EACxB,WAAW,EAAG,UAAU,EACxB,UAAU,EAAI,UAAU,EACxB,UAAU,EAAI,UAAU,GACvB,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAOzB;AAMD,wBAAgB,oBAAoB,CAAC,WAAW,EAAE,MAAM,EAAE,GAAG,YAAY,CAMxE;AAGD,OAAO,EAAE,iBAAiB,EAAE,iBAAiB,EAAE,CAAC"}

package/dist/src/access.js

@@ -0,0 +1,283 @@
+/**
+ * @file   access.ts
+ * @notice Web3QL v1.2 — advanced access control.
+ *
+ * Extends the base OWNER/EDITOR/VIEWER per-record model with:
+ *
+ *   1. TIME-LIMITED ACCESS      — expiry block stored in a meta record.
+ *                                 SDK checks expiry before decode.
+ *   2. DELEGATED SIGNING        — sign a capability token so a 3rd party
+ *                                 can write on your behalf without your wallet.
+ *   3. PUBLIC TABLE MODE        — unencrypted writes. Anyone can read.
+ *                                 Useful for leaderboards, public state.
+ *   4. COLUMN-LEVEL ENCRYPTION  — different symmetric key per column.
+ *                                 Viewers get keys only for their allowed columns.
+ *
+ * Usage — time-limited share:
+ * ─────────────────────────────────────────────────────────────
+ *   const am = new AccessManager(tableClient, signer, keypair, registry);
+ *
+ *   // Share record key1 with Bob, expires in 100 blocks
+ *   await am.shareWithExpiry(key1, bobAddress, Role.VIEWER, registry, 100n);
+ *
+ *   // Bob reads record — SDK auto-checks expiry:
+ *   const data = await am.readIfNotExpired(key1, bobAddress);
+ *
+ * Usage — delegated signing:
+ * ─────────────────────────────────────────────────────────────
+ *   // Alice signs a capability token for Bob to write to key1 once
+ *   const token = await am.signCapability({ key: key1, action: 'write', nonce: 1n });
+ *
+ *   // Bob submits it — the relay/contract verifies Alice's signature
+ *   await am.submitWithCapability(key1, plaintext, token);
+ *
+ * Usage — public table:
+ * ─────────────────────────────────────────────────────────────
+ *   const pub = new PublicTableClient(tableAddress, signer);
+ *   await pub.write(key, plaintext);     // stored as plaintext
+ *   const text = await pub.read(key);    // no decryption needed
+ * ─────────────────────────────────────────────────────────────
+ */
+import { ethers } from 'ethers';
+import { Role } from './table-client.js';
+import { generateSymmetricKey, encryptData, decryptData, encryptKeyForSelf, decryptKeyForSelf, } from './crypto.js';
+export { Role };
+/**
+ * Stores a time-limited grant as a JSON meta record on-chain.
+ *
+ * Key scheme: keccak256(abi.encodePacked("__grant__", recordKey, grantee))
+ */
+export function grantMetaKey(client, recordKey, grantee) {
+    return ethers.keccak256(ethers.solidityPacked(['string', 'bytes32', 'address'], ['__grant__', recordKey, grantee]));
+}
+const CAP_DOMAIN = {
+    name: 'Web3QL Capability',
+    version: '1',
+};
+const CAP_TYPES = {
+    Capability: [
+        { name: 'granter', type: 'address' },
+        { name: 'grantee', type: 'address' },
+        { name: 'key', type: 'bytes32' },
+        { name: 'action', type: 'string' },
+        { name: 'nonce', type: 'uint256' },
+        { name: 'expiryBlock', type: 'uint256' },
+    ],
+};
+// ─────────────────────────────────────────────────────────────
+//  AccessManager
+// ─────────────────────────────────────────────────────────────
+export class AccessManager {
+    client;
+    signer;
+    keypair;
+    constructor(client, signer, keypair) {
+        this.client = client;
+        this.signer = signer;
+        this.keypair = keypair;
+    }
+    // ── Time-limited sharing ─────────────────────────────────────
+    /**
+     * Share a record with expiry — stores a signed grant meta record on-chain.
+     *
+     * @param recordKey    bytes32 record key to share.
+     * @param recipient    Address to grant access to.
+     * @param role         Role.VIEWER or Role.EDITOR.
+     * @param registry     PublicKeyRegistryClient to look up recipient's pubkey.
+     * @param expiryBlocks Number of blocks until the grant expires.
+     */
+    async shareWithExpiry(recordKey, recipient, role, registry, expiryBlocks) {
+        // 1. Standard key share
+        await this.client.share(recordKey, recipient, role, registry);
+        // 2. Store grant metadata on-chain
+        const provider = this.signer.provider;
+        const currentBlock = provider ? BigInt(await provider.getBlockNumber()) : 0n;
+        const meta = {
+            grantee: recipient.toLowerCase(),
+            role,
+            expiryBlock: currentBlock + expiryBlocks,
+            grantedAt: currentBlock,
+        };
+        const metaKey = grantMetaKey(this.client, recordKey, recipient);
+        await this.client.writeRaw(metaKey, JSON.stringify(meta));
+    }
+    /**
+     * Check whether a grant is still valid (not past expiry block).
+     * Returns the TimedGrant if valid, null if expired or not found.
+     */
+    async checkGrant(recordKey, grantee) {
+        const metaKey = grantMetaKey(this.client, recordKey, grantee);
+        try {
+            const exists = await this.client.exists(metaKey);
+            if (!exists)
+                return null;
+            const json = await this.client.readPlaintext(metaKey);
+            const grant = JSON.parse(json);
+            grant.expiryBlock = BigInt(grant.expiryBlock);
+            grant.grantedAt = BigInt(grant.grantedAt);
+            const provider = this.signer.provider;
+            if (provider) {
+                const currentBlock = BigInt(await provider.getBlockNumber());
+                if (grant.expiryBlock > 0n && currentBlock > grant.expiryBlock) {
+                    // Grant has expired — auto-revoke
+                    await this.client.revoke(recordKey, grantee).catch(() => { });
+                    return null;
+                }
+            }
+            return grant;
+        }
+        catch {
+            return null;
+        }
+    }
+    /**
+     * Revoke an expired or unwanted timed grant.
+     */
+    async revokeGrant(recordKey, grantee) {
+        await this.client.revoke(recordKey, grantee);
+    }
+    // ── Capability tokens ────────────────────────────────────────
+    /**
+     * Sign a capability token that allows `grantee` to perform `action` on `key`.
+     *
+     * The signature uses EIP-712 typed data. The relay or contract can verify
+     * the granter's address from the signature without trusting the grantee.
+     */
+    async signCapability(params) {
+        const granter = await this.signer.getAddress();
+        const message = {
+            granter,
+            grantee: params.grantee,
+            key: params.key,
+            action: params.action,
+            nonce: params.nonce,
+            expiryBlock: params.expiryBlock,
+        };
+        const signature = await this.signer.signTypedData(CAP_DOMAIN, CAP_TYPES, message);
+        return { ...message, signature, granter };
+    }
+    /**
+     * Verify a capability token was signed by the stated granter and is not expired.
+     * Returns the recovered granter address, or throws if invalid.
+     */
+    static async verifyCapability(token, provider) {
+        const currentBlock = BigInt(await provider.getBlockNumber());
+        if (token.expiryBlock > 0n && currentBlock > token.expiryBlock) {
+            throw new Error('CapabilityToken: expired');
+        }
+        const message = {
+            granter: token.granter,
+            grantee: token.grantee,
+            key: token.key,
+            action: token.action,
+            nonce: token.nonce,
+            expiryBlock: token.expiryBlock,
+        };
+        const recovered = ethers.verifyTypedData(CAP_DOMAIN, CAP_TYPES, message, token.signature);
+        if (recovered.toLowerCase() !== token.granter.toLowerCase()) {
+            throw new Error('CapabilityToken: signature mismatch');
+        }
+        return recovered;
+    }
+}
+// ─────────────────────────────────────────────────────────────
+//  Public table mode  (no encryption)
+// ─────────────────────────────────────────────────────────────
+const PUBLIC_TABLE_ABI = [
+    'function write(bytes32 key, bytes calldata ciphertext, bytes calldata encryptedKey) external',
+    'function read(bytes32 key) external view returns (bytes memory ciphertext, bool deleted, uint256 version, uint256 updatedAt, address owner)',
+    'function update(bytes32 key, bytes calldata ciphertext, bytes calldata encryptedKey) external',
+    'function deleteRecord(bytes32 key) external',
+    'function recordExists(bytes32 key) external view returns (bool)',
+];
+/**
+ * PublicTableClient wraps a Web3QL table contract in "no-encryption" mode.
+ *
+ * Data is stored as raw UTF-8 bytes.  Anyone who knows the table address can
+ * read every record directly on-chain — no symmetric key required.
+ *
+ * Use cases: leaderboards, public voting tallies, open datasets.
+ *
+ * ⚠  All data is FULLY PUBLIC. Do not store sensitive information.
+ */
+export class PublicTableClient {
+    tableAddress;
+    contract;
+    signer;
+    constructor(tableAddress, signer) {
+        this.tableAddress = tableAddress;
+        this.signer = signer;
+        this.contract = new ethers.Contract(tableAddress, PUBLIC_TABLE_ABI, signer);
+    }
+    // eslint-disable-next-line @typescript-eslint/no-explicit-any
+    get c() { return this.contract; }
+    deriveKey(tableName, id) {
+        return ethers.solidityPackedKeccak256(['string', 'uint256'], [tableName, id]);
+    }
+    async write(key, plaintext) {
+        const data = new TextEncoder().encode(plaintext);
+        // Contract requires encryptedKey.length > 0 — use 1-byte public marker
+        const publicMarker = new Uint8Array([0x50]); // 'P' for Public
+        const tx = await this.c.write(key, data, publicMarker);
+        return tx.wait();
+    }
+    async read(key) {
+        const [ciphertext /* rest ignored */] = await this.c.read(key);
+        return new TextDecoder().decode(ethers.getBytes(ciphertext));
+    }
+    async update(key, plaintext) {
+        const data = new TextEncoder().encode(plaintext);
+        const publicMarker = new Uint8Array([0x50]);
+        const tx = await this.c.update(key, data, publicMarker);
+        return tx.wait();
+    }
+    async delete(key) {
+        const tx = await this.c.deleteRecord(key);
+        return tx.wait();
+    }
+    async exists(key) {
+        return this.c.recordExists(key);
+    }
+}
+/**
+ * Split a plain JS row object into two encrypted blobs —
+ * one for visible columns, one for private columns.
+ */
+export function encryptWithColumnKeys(row, visibleCols, visibleKey, privateKey) {
+    const visiblePart = {};
+    const privatePart = {};
+    for (const [k, v] of Object.entries(row)) {
+        if (visibleCols.includes(k))
+            visiblePart[k] = v;
+        else
+            privatePart[k] = v;
+    }
+    return {
+        visible: encryptData(new TextEncoder().encode(JSON.stringify(visiblePart)), visibleKey),
+        private: encryptData(new TextEncoder().encode(JSON.stringify(privatePart)), privateKey),
+    };
+}
+/**
+ * Decrypt and merge the two column blobs.
+ */
+export function decryptColumnBlobs(visibleBlob, privateBlob, visibleKey, privateKey) {
+    const visibleText = new TextDecoder().decode(decryptData(visibleBlob, visibleKey));
+    const privateText = new TextDecoder().decode(decryptData(privateBlob, privateKey));
+    return {
+        ...JSON.parse(visibleText),
+        ...JSON.parse(privateText),
+    };
+}
+// ─────────────────────────────────────────────────────────────
+//  Convenience: generate fresh column key set
+// ─────────────────────────────────────────────────────────────
+export function generateColumnKeySet(visibleCols) {
+    return {
+        visibleKey: generateSymmetricKey(),
+        privateKey: generateSymmetricKey(),
+        visibleCols,
+    };
+}
+// Export for self-encryption helpers (used by AccessManager internally)
+export { encryptKeyForSelf, decryptKeyForSelf };
+//# sourceMappingURL=access.js.map

package/dist/src/access.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"access.js","sourceRoot":"","sources":["../../src/access.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAuCG;AAEH,OAAO,EAAE,MAAM,EAAE,MAAwC,QAAQ,CAAC;AAElE,OAAO,EAAE,IAAI,EAAE,MAA0C,mBAAmB,CAAC;AAG7E,OAAO,EACL,oBAAoB,EACpB,WAAW,EACX,WAAW,EACX,iBAAiB,EACjB,iBAAiB,GAClB,MAAwD,aAAa,CAAC;AAEvE,OAAO,EAAE,IAAI,EAAE,CAAC;AAahB;;;;GAIG;AACH,MAAM,UAAU,YAAY,CAC1B,MAA8B,EAC9B,SAAiB,EACjB,OAAgB;IAEhB,OAAO,MAAM,CAAC,SAAS,CACrB,MAAM,CAAC,cAAc,CAAC,CAAC,QAAQ,EAAE,SAAS,EAAE,SAAS,CAAC,EAAE,CAAC,WAAW,EAAE,SAAS,EAAE,OAAO,CAAC,CAAC,CAC3F,CAAC;AACJ,CAAC;AAuBD,MAAM,UAAU,GAAG;IACjB,IAAI,EAAK,mBAAmB;IAC5B,OAAO,EAAE,GAAG;CACb,CAAC;AAEF,MAAM,SAAS,GAAG;IAChB,UAAU,EAAE;QACV,EAAE,IAAI,EAAE,SAAS,EAAK,IAAI,EAAE,SAAS,EAAE;QACvC,EAAE,IAAI,EAAE,SAAS,EAAK,IAAI,EAAE,SAAS,EAAE;QACvC,EAAE,IAAI,EAAE,KAAK,EAAS,IAAI,EAAE,SAAS,EAAE;QACvC,EAAE,IAAI,EAAE,QAAQ,EAAM,IAAI,EAAE,QAAQ,EAAG;QACvC,EAAE,IAAI,EAAE,OAAO,EAAO,IAAI,EAAE,SAAS,EAAE;QACvC,EAAE,IAAI,EAAE,aAAa,EAAC,IAAI,EAAE,SAAS,EAAE;KACxC;CACF,CAAC;AAEF,gEAAgE;AAChE,iBAAiB;AACjB,gEAAgE;AAEhE,MAAM,OAAO,aAAa;IAChB,MAAM,CAA0B;IAChC,MAAM,CAAmB;IACzB,OAAO,CAAsB;IAErC,YACE,MAA6B,EAC7B,MAAsB,EACtB,OAA0B;QAE1B,IAAI,CAAC,MAAM,GAAI,MAAM,CAAC;QACtB,IAAI,CAAC,MAAM,GAAI,MAAM,CAAC;QACtB,IAAI,CAAC,OAAO,GAAG,OAAO,CAAC;IACzB,CAAC;IAED,gEAAgE;IAEhE;;;;;;;;OAQG;IACH,KAAK,CAAC,eAAe,CACnB,SAAqB,EACrB,SAAqB,EACrB,IAAmB,EACnB,QAAsC,EACtC,YAAqB;QAErB,wBAAwB;QACxB,MAAM,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,SAAS,EAAE,SAAS,EAAE,IAAI,EAAE,QAAQ,CAAC,CAAC;QAE9D,mCAAmC;QACnC,MAAM,QAAQ,GAAO,IAAI,CAAC,MAAwB,CAAC,QAAQ,CAAC;QAC5D,MAAM,YAAY,GAAG,QAAQ,CAAC,CAAC,CAAC,MAAM,CAAC,MAAM,QAAQ,CAAC,cAAc,EAAE,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;QAC7E,MAAM,IAAI,GAAe;YACvB,OAAO,EAAM,SAAS,CAAC,WAAW,EAAE;YACpC,IAAI;YACJ,WAAW,EAAE,YAAY,GAAG,YAAY;YACxC,SAAS,EAAI,YAAY;SAC1B,CAAC;QAEF,MAAM,OAAO,GAAG,YAAY,CAAC,IAAI,CAAC,MAAM,EAAE,SAAS,EAAE,SAAS,CAAC,CAAC;QAChE,MAAM,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,OAAO,EAAE,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC;IAC5D,CAAC;IAED;;;OAGG;IACH,KAAK,CAAC,UAAU,CAAC,SAAiB,EAAE,OAAe;QACjD,MAAM,OAAO,GAAG,YAAY,CAAC,IAAI,CAAC,MAAM,EAAE,SAAS,EAAE,OAAO,CAAC,CAAC;QAC9D,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;YACjD,IAAI,CAAC,MAAM;gBAAE,OAAO,IAAI,CAAC;YACzB,MAAM,IAAI,GAAI,MAAM,IAAI,CAAC,MAAM,CAAC,aAAa,CAAC,OAAO,CAAC,CAAC;YACvD,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAe,CAAC;YAC7C,KAAK,CAAC,WAAW,GAAG,MAAM,CAAC,KAAK,CAAC,WAAW,CAAC,CAAC;YAC9C,KAAK,CAAC,SAAS,GAAK,MAAM,CAAC,KAAK,CAAC,SAAS,CAAC,CAAC;YAE5C,MAAM,QAAQ,GAAI,IAAI,CAAC,MAAwB,CAAC,QAAQ,CAAC;YACzD,IAAI,QAAQ,EAAE,CAAC;gBACb,MAAM,YAAY,GAAG,MAAM,CAAC,MAAM,QAAQ,CAAC,cAAc,EAAE,CAAC,CAAC;gBAC7D,IAAI,KAAK,CAAC,WAAW,GAAG,EAAE,IAAI,YAAY,GAAG,KAAK,CAAC,WAAW,EAAE,CAAC;oBAC/D,kCAAkC;oBAClC,MAAM,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,SAAS,EAAE,OAAO,CAAC,CAAC,KAAK,CAAC,GAAG,EAAE,GAAc,CAAC,CAAC,CAAC;oBACzE,OAAO,IAAI,CAAC;gBACd,CAAC;YACH,CAAC;YACD,OAAO,KAAK,CAAC;QACf,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,IAAI,CAAC;QACd,CAAC;IACH,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,WAAW,CAAC,SAAiB,EAAE,OAAe;QAClD,MAAM,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,SAAS,EAAE,OAAO,CAAC,CAAC;IAC/C,CAAC;IAED,gEAAgE;IAEhE;;;;;OAKG;IACH,KAAK,CAAC,cAAc,CAAC,MAMpB;QACC,MAAM,OAAO,GAAK,MAAM,IAAI,CAAC,MAAM,CAAC,UAAU,EAAE,CAAC;QACjD,MAAM,OAAO,GAAG;YACd,OAAO;YACP,OAAO,EAAM,MAAM,CAAC,OAAO;YAC3B,GAAG,EAAU,MAAM,CAAC,GAAG;YACvB,MAAM,EAAO,MAAM,CAAC,MAAM;YAC1B,KAAK,EAAQ,MAAM,CAAC,KAAK;YACzB,WAAW,EAAE,MAAM,CAAC,WAAW;SAChC,CAAC;QACF,MAAM,SAAS,GAAG,MAAO,IAAI,CAAC,MAAwB,CAAC,aAAa,CAClE,UAAU,EACV,SAAS,EACT,OAAO,CACR,CAAC;QACF,OAAO,EAAE,GAAG,OAAO,EAAE,SAAS,EAAE,OAAO,EAAE,CAAC;IAC5C,CAAC;IAED;;;OAGG;IACH,MAAM,CAAC,KAAK,CAAC,gBAAgB,CAC3B,KAAyB,EACzB,QAAyB;QAEzB,MAAM,YAAY,GAAG,MAAM,CAAC,MAAM,QAAQ,CAAC,cAAc,EAAE,CAAC,CAAC;QAC7D,IAAI,KAAK,CAAC,WAAW,GAAG,EAAE,IAAI,YAAY,GAAG,KAAK,CAAC,WAAW,EAAE,CAAC;YAC/D,MAAM,IAAI,KAAK,CAAC,0BAA0B,CAAC,CAAC;QAC9C,CAAC;QAED,MAAM,OAAO,GAAG;YACd,OAAO,EAAM,KAAK,CAAC,OAAO;YAC1B,OAAO,EAAM,KAAK,CAAC,OAAO;YAC1B,GAAG,EAAU,KAAK,CAAC,GAAG;YACtB,MAAM,EAAO,KAAK,CAAC,MAAM;YACzB,KAAK,EAAQ,KAAK,CAAC,KAAK;YACxB,WAAW,EAAE,KAAK,CAAC,WAAW;SAC/B,CAAC;QAEF,MAAM,SAAS,GAAG,MAAM,CAAC,eAAe,CAAC,UAAU,EAAE,SAAS,EAAE,OAAO,EAAE,KAAK,CAAC,SAAS,CAAC,CAAC;QAC1F,IAAI,SAAS,CAAC,WAAW,EAAE,KAAK,KAAK,CAAC,OAAO,CAAC,WAAW,EAAE,EAAE,CAAC;YAC5D,MAAM,IAAI,KAAK,CAAC,qCAAqC,CAAC,CAAC;QACzD,CAAC;QACD,OAAO,SAAS,CAAC;IACnB,CAAC;CACF;AAED,gEAAgE;AAChE,sCAAsC;AACtC,gEAAgE;AAEhE,MAAM,gBAAgB,GAAG;IACvB,8FAA8F;IAC9F,6IAA6I;IAC7I,+FAA+F;IAC/F,6CAA6C;IAC7C,iEAAiE;CACzD,CAAC;AAEX;;;;;;;;;GASG;AACH,MAAM,OAAO,iBAAiB;IACnB,YAAY,CAAS;IACtB,QAAQ,CAAuB;IAC/B,MAAM,CAAuB;IAErC,YAAY,YAAoB,EAAE,MAAqB;QACrD,IAAI,CAAC,YAAY,GAAG,YAAY,CAAC;QACjC,IAAI,CAAC,MAAM,GAAS,MAAM,CAAC;QAC3B,IAAI,CAAC,QAAQ,GAAO,IAAI,MAAM,CAAC,QAAQ,CAAC,YAAY,EAAE,gBAAgB,EAAE,MAAM,CAAC,CAAC;IAClF,CAAC;IAED,8DAA8D;IAC9D,IAAY,CAAC,KAAU,OAAO,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAC;IAE9C,SAAS,CAAC,SAAiB,EAAE,EAAU;QACrC,OAAO,MAAM,CAAC,uBAAuB,CAAC,CAAC,QAAQ,EAAE,SAAS,CAAC,EAAE,CAAC,SAAS,EAAE,EAAE,CAAC,CAAC,CAAC;IAChF,CAAC;IAED,KAAK,CAAC,KAAK,CAAC,GAAW,EAAE,SAAiB;QACxC,MAAM,IAAI,GAAG,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;QACjD,uEAAuE;QACvE,MAAM,YAAY,GAAG,IAAI,UAAU,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,iBAAiB;QAC9D,MAAM,EAAE,GAAG,MAAM,IAAI,CAAC,CAAC,CAAC,KAAK,CAAC,GAAG,EAAE,IAAI,EAAE,YAAY,CAAC,CAAC;QACvD,OAAO,EAAE,CAAC,IAAI,EAAE,CAAC;IACnB,CAAC;IAED,KAAK,CAAC,IAAI,CAAC,GAAW;QACpB,MAAM,CAAC,UAAU,CAAC,kBAAkB,CAAC,GAAG,MAAM,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QAC/D,OAAO,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,MAAM,CAAC,QAAQ,CAAC,UAAoB,CAAC,CAAC,CAAC;IACzE,CAAC;IAED,KAAK,CAAC,MAAM,CAAC,GAAW,EAAE,SAAiB;QACzC,MAAM,IAAI,GAAG,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;QACjD,MAAM,YAAY,GAAG,IAAI,UAAU,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC;QAC5C,MAAM,EAAE,GAAG,MAAM,IAAI,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,EAAE,IAAI,EAAE,YAAY,CAAC,CAAC;QACxD,OAAO,EAAE,CAAC,IAAI,EAAE,CAAC;IACnB,CAAC;IAED,KAAK,CAAC,MAAM,CAAC,GAAW;QACtB,MAAM,EAAE,GAAG,MAAM,IAAI,CAAC,CAAC,CAAC,YAAY,CAAC,GAAG,CAAC,CAAC;QAC1C,OAAO,EAAE,CAAC,IAAI,EAAE,CAAC;IACnB,CAAC;IAED,KAAK,CAAC,MAAM,CAAC,GAAW;QACtB,OAAO,IAAI,CAAC,CAAC,CAAC,YAAY,CAAC,GAAG,CAAqB,CAAC;IACtD,CAAC;CACF;AA2BD;;;GAGG;AACH,MAAM,UAAU,qBAAqB,CACnC,GAAoC,EACpC,WAAqB,EACrB,UAAuB,EACvB,UAAuB;IAEvB,MAAM,WAAW,GAA4B,EAAE,CAAC;IAChD,MAAM,WAAW,GAA4B,EAAE,CAAC;IAEhD,KAAK,MAAM,CAAC,CAAC,EAAE,CAAC,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC;QACzC,IAAI,WAAW,CAAC,QAAQ,CAAC,CAAC,CAAC;YAAE,WAAW,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC;;YAC3C,WAAW,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC;IAC1B,CAAC;IAED,OAAO;QACL,OAAO,EAAG,WAAW,CAAC,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,IAAI,CAAC,SAAS,CAAC,WAAW,CAAC,CAAC,EAAE,UAAU,CAAC;QACxF,OAAO,EAAG,WAAW,CAAC,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,IAAI,CAAC,SAAS,CAAC,WAAW,CAAC,CAAC,EAAE,UAAU,CAAC;KACzF,CAAC;AACJ,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,kBAAkB,CAChC,WAAwB,EACxB,WAAwB,EACxB,UAAwB,EACxB,UAAwB;IAExB,MAAM,WAAW,GAAG,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,WAAW,CAAC,WAAW,EAAE,UAAU,CAAC,CAAC,CAAC;IACnF,MAAM,WAAW,GAAG,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,WAAW,CAAC,WAAW,EAAE,UAAU,CAAC,CAAC,CAAC;IACnF,OAAO;QACL,GAAG,IAAI,CAAC,KAAK,CAAC,WAAW,CAA4B;QACrD,GAAG,IAAI,CAAC,KAAK,CAAC,WAAW,CAA4B;KACtD,CAAC;AACJ,CAAC;AAED,gEAAgE;AAChE,8CAA8C;AAC9C,gEAAgE;AAEhE,MAAM,UAAU,oBAAoB,CAAC,WAAqB;IACxD,OAAO;QACL,UAAU,EAAI,oBAAoB,EAAE;QACpC,UAAU,EAAI,oBAAoB,EAAE;QACpC,WAAW;KACZ,CAAC;AACJ,CAAC;AAED,wEAAwE;AACxE,OAAO,EAAE,iBAAiB,EAAE,iBAAiB,EAAE,CAAC"}