{"version":3,"sources":["../lib/index.ts","../lib/builder/CredentialSupportedBuilderV1_13.ts","../lib/builder/VcIssuerBuilder.ts","../lib/VcIssuer.ts","../lib/functions/CredentialOfferUtils.ts","../lib/functions/ASOidcClient.ts","../lib/state-manager/MemoryStates.ts","../lib/state-manager/LookupStateManager.ts","../lib/state-manager/CredentialOfferStateBuilder.ts","../lib/builder/DisplayBuilder.ts","../lib/builder/IssuerMetadataBuilderV1_13.ts","../lib/builder/AuthorizationServerMetadataBuilder.ts","../lib/tokens/index.ts"],"sourcesContent":["import { VCI_LOGGERS } from '@sphereon/oid4vci-common'\nimport { ISimpleLogger } from '@sphereon/ssi-types'\n\nexport const LOG: ISimpleLogger = VCI_LOGGERS.get('sphereon:oid4vci:issuer')\n\nexport * from './builder'\nexport * from './functions'\nexport * from './VcIssuer'\nexport * from './state-manager'\nexport * from './tokens'\nexport * from './types'\n","import {\n CredentialConfigurationSupportedV1_0_13,\n CredentialDefinitionJwtVcJsonLdAndLdpVcV1_0_13,\n CredentialDefinitionJwtVcJsonV1_0_13,\n CredentialsSupportedDisplay,\n IssuerCredentialSubject,\n IssuerCredentialSubjectDisplay,\n KeyProofType,\n OID4VCICredentialFormat,\n ProofType,\n ProofTypesSupported,\n TokenErrorResponse,\n} from '@sphereon/oid4vci-common'\n\nexport class CredentialSupportedBuilderV1_13 {\n format?: OID4VCICredentialFormat\n scope?: string\n credentialName?: string\n credentialDefinition?: CredentialDefinitionJwtVcJsonLdAndLdpVcV1_0_13 | CredentialDefinitionJwtVcJsonV1_0_13\n cryptographicBindingMethodsSupported?: ('jwk' | 'cose_key' | 'did' | string)[]\n credentialSigningAlgValuesSupported?: string[]\n proofTypesSupported?: ProofTypesSupported\n display?: CredentialsSupportedDisplay[]\n credentialSubject?: IssuerCredentialSubject\n\n withFormat(credentialFormat: OID4VCICredentialFormat): CredentialSupportedBuilderV1_13 {\n this.format = credentialFormat\n return this\n }\n\n withCredentialName(credentialName: string): CredentialSupportedBuilderV1_13 {\n this.credentialName = credentialName\n return this\n }\n\n withCredentialDefinition(\n credentialDefinition: CredentialDefinitionJwtVcJsonLdAndLdpVcV1_0_13 | CredentialDefinitionJwtVcJsonV1_0_13,\n ): CredentialSupportedBuilderV1_13 {\n if (!credentialDefinition.type) {\n throw new Error('credentialDefinition should contain a type array')\n }\n this.credentialDefinition = credentialDefinition\n return this\n }\n\n withScope(scope: string): CredentialSupportedBuilderV1_13 {\n this.scope = scope\n return this\n }\n addCryptographicBindingMethod(method: string | string[]): CredentialSupportedBuilderV1_13 {\n if (!Array.isArray(method)) {\n this.cryptographicBindingMethodsSupported = this.cryptographicBindingMethodsSupported\n ? [...this.cryptographicBindingMethodsSupported, method]\n : [method]\n } else {\n this.cryptographicBindingMethodsSupported = this.cryptographicBindingMethodsSupported\n ? [...this.cryptographicBindingMethodsSupported, ...method]\n : method\n }\n return this\n }\n\n withCryptographicBindingMethod(method: string | string[]): CredentialSupportedBuilderV1_13 {\n this.cryptographicBindingMethodsSupported = Array.isArray(method) ? method : [method]\n return this\n }\n\n addCredentialSigningAlgValuesSupported(algValues: string | string[]): CredentialSupportedBuilderV1_13 {\n if (!Array.isArray(algValues)) {\n this.credentialSigningAlgValuesSupported = this.credentialSigningAlgValuesSupported\n ? [...this.credentialSigningAlgValuesSupported, algValues]\n : [algValues]\n } else {\n this.credentialSigningAlgValuesSupported = this.credentialSigningAlgValuesSupported\n ? [...this.credentialSigningAlgValuesSupported, ...algValues]\n : algValues\n }\n return this\n }\n\n withCredentialSigningAlgValuesSupported(algValues: string | string[]): CredentialSupportedBuilderV1_13 {\n this.credentialSigningAlgValuesSupported = Array.isArray(algValues) ? algValues : [algValues]\n return this\n }\n\n addProofTypesSupported(keyProofType: KeyProofType, proofType: ProofType): CredentialSupportedBuilderV1_13 {\n if (!this.proofTypesSupported) {\n this.proofTypesSupported = {}\n }\n this.proofTypesSupported[keyProofType] = proofType\n return this\n }\n\n withProofTypesSupported(proofTypesSupported: ProofTypesSupported): CredentialSupportedBuilderV1_13 {\n this.proofTypesSupported = proofTypesSupported\n return this\n }\n\n addCredentialSupportedDisplay(credentialDisplay: CredentialsSupportedDisplay | CredentialsSupportedDisplay[]): CredentialSupportedBuilderV1_13 {\n if (!Array.isArray(credentialDisplay)) {\n this.display = this.display ? [...this.display, credentialDisplay] : [credentialDisplay]\n } else {\n this.display = this.display ? [...this.display, ...credentialDisplay] : credentialDisplay\n }\n return this\n }\n\n withCredentialSupportedDisplay(credentialDisplay: CredentialsSupportedDisplay | CredentialsSupportedDisplay[]): CredentialSupportedBuilderV1_13 {\n this.display = Array.isArray(credentialDisplay) ? credentialDisplay : [credentialDisplay]\n return this\n }\n\n withCredentialSubject(credentialSubject: IssuerCredentialSubject) {\n this.credentialSubject = credentialSubject\n return this\n }\n\n addCredentialSubjectPropertyDisplay(\n subjectProperty: string,\n issuerCredentialSubjectDisplay: IssuerCredentialSubjectDisplay,\n ): CredentialSupportedBuilderV1_13 {\n if (!this.credentialSubject) {\n this.credentialSubject = {}\n }\n this.credentialSubject[subjectProperty] = issuerCredentialSubjectDisplay\n return this\n }\n\n public build(): Record {\n if (!this.format) {\n throw new Error(TokenErrorResponse.invalid_request)\n }\n\n const credentialSupported: CredentialConfigurationSupportedV1_0_13 = {\n format: this.format,\n } as CredentialConfigurationSupportedV1_0_13\n\n if (!this.credentialDefinition) {\n throw new Error('credentialDefinition is required')\n }\n credentialSupported.credential_definition = this.credentialDefinition\n if (this.scope) {\n credentialSupported.scope = this.scope\n }\n if (!this.credentialName) {\n throw new Error('A unique credential name is required')\n }\n //TODO: right now commented out all the special handlings for sd-jwt\n /*\n // SdJwtVc has a different format\n if (isFormat(credentialSupported, 'vc+sd-jwt')) {\n if (this.types.length > 1) {\n throw new Error('Only one type is allowed for vc+sd-jwt')\n }\n credentialSupported.vct = this.types[0]\n }\n // And else would work here, but this way we get the correct typing\n else if (isNotFormat(credentialSupported, 'vc+sd-jwt')) {\n credentialSupported.types = this.types\n\n if (this.credentialSubject) {\n credentialSupported.credentialSubject = this.credentialSubject\n }\n }*/\n\n if (this.credentialSigningAlgValuesSupported) {\n credentialSupported.credential_signing_alg_values_supported = this.credentialSigningAlgValuesSupported\n }\n if (this.cryptographicBindingMethodsSupported) {\n credentialSupported.cryptographic_binding_methods_supported = this.cryptographicBindingMethodsSupported\n }\n if (this.display) {\n credentialSupported.display = this.display\n }\n\n const supportedConfiguration: Record = {}\n supportedConfiguration[this.credentialName] = credentialSupported as CredentialConfigurationSupportedV1_0_13\n\n return supportedConfiguration\n }\n}\n","import {\n AuthorizationServerMetadata,\n ClientMetadata,\n ClientResponseType,\n CNonceState,\n CredentialConfigurationSupportedV1_0_13,\n CredentialIssuerMetadataOptsV1_0_13,\n CredentialOfferSession,\n IssuerMetadata,\n IssuerMetadataV1_0_13,\n IStateManager,\n JWTVerifyCallback,\n MetadataDisplay,\n TokenErrorResponse,\n TxCode,\n URIState,\n} from '@sphereon/oid4vci-common'\n\nimport { VcIssuer } from '../VcIssuer'\nimport { oidcAccessTokenVerifyCallback } from '../functions'\nimport { MemoryStates } from '../state-manager'\nimport { CredentialDataSupplier, CredentialSignerCallback } from '../types'\n\nimport { IssuerMetadataBuilderV1_13 } from './IssuerMetadataBuilderV1_13'\n\nexport class VcIssuerBuilder {\n issuerMetadataBuilder?: IssuerMetadataBuilderV1_13\n issuerMetadata: Partial = {}\n authorizationServerMetadata: Partial = {}\n asClientOpts?: ClientMetadata\n txCode?: TxCode\n defaultCredentialOfferBaseUri?: string\n userPinRequired?: boolean\n cNonceExpiresIn?: number\n credentialOfferStateManager?: IStateManager\n credentialOfferURIManager?: IStateManager\n cNonceStateManager?: IStateManager\n credentialSignerCallback?: CredentialSignerCallback\n jwtVerifyCallback?: JWTVerifyCallback\n credentialDataSupplier?: CredentialDataSupplier\n\n public withIssuerMetadata(issuerMetadata: IssuerMetadata) {\n if (!issuerMetadata.credential_configurations_supported) {\n throw new Error('IssuerMetadata should be from type v1_0_13 or higher.')\n }\n this.issuerMetadata = issuerMetadata as IssuerMetadataV1_0_13\n return this\n }\n\n public withASClientMetadata(clientMetadata: ClientMetadata): this {\n this.asClientOpts = clientMetadata\n return this\n }\n\n public withASClientMetadataParams({\n client_id,\n client_secret,\n redirect_uris,\n response_types,\n ...other\n }: { client_id: string; client_secret?: string; redirect_uris?: string[]; response_types?: ClientResponseType[] } & ClientMetadata): this {\n this.asClientOpts = { ...other, client_id, client_secret, redirect_uris, response_types }\n return this\n }\n\n public withAuthorizationMetadata(authorizationServerMetadata: AuthorizationServerMetadata) {\n this.authorizationServerMetadata = authorizationServerMetadata\n return this\n }\n\n public withIssuerMetadataBuilder(builder: IssuerMetadataBuilderV1_13) {\n this.issuerMetadataBuilder = builder\n return this\n }\n\n public withDefaultCredentialOfferBaseUri(baseUri: string) {\n this.defaultCredentialOfferBaseUri = baseUri\n return this\n }\n\n public withCredentialIssuer(issuer: string): this {\n this.issuerMetadata.credential_issuer = issuer\n return this\n }\n\n public withAuthorizationServers(authorizationServers: string | string[]): this {\n this.issuerMetadata.authorization_servers = typeof authorizationServers === 'string' ? [authorizationServers] : authorizationServers\n return this\n }\n\n public withCredentialEndpoint(credentialEndpoint: string): this {\n this.issuerMetadata.credential_endpoint = credentialEndpoint\n return this\n }\n\n public withBatchCredentialEndpoint(batchCredentialEndpoint: string): this {\n this.issuerMetadata.batch_credential_endpoint = batchCredentialEndpoint\n throw Error('Not implemented yet')\n // return this\n }\n\n public withTokenEndpoint(tokenEndpoint: string): this {\n this.issuerMetadata.token_endpoint = tokenEndpoint\n return this\n }\n\n public withIssuerDisplay(issuerDisplay: MetadataDisplay[] | MetadataDisplay): this {\n this.issuerMetadata.display = Array.isArray(issuerDisplay) ? issuerDisplay : [issuerDisplay]\n return this\n }\n\n public addIssuerDisplay(issuerDisplay: MetadataDisplay): this {\n this.issuerMetadata.display = [...(this.issuerMetadata.display ?? []), issuerDisplay]\n return this\n }\n\n public withCredentialConfigurationsSupported(credentialConfigurationsSupported: Record) {\n this.issuerMetadata.credential_configurations_supported = credentialConfigurationsSupported\n return this\n }\n\n public addCredentialConfigurationsSupported(id: string, supportedCredential: CredentialConfigurationSupportedV1_0_13) {\n if (!this.issuerMetadata.credential_configurations_supported) {\n this.issuerMetadata.credential_configurations_supported = {}\n }\n this.issuerMetadata.credential_configurations_supported[id] = supportedCredential\n return this\n }\n\n public withTXCode(txCode: TxCode): this {\n this.txCode = txCode\n return this\n }\n\n public withCredentialOfferURIStateManager(credentialOfferURIManager: IStateManager): this {\n this.credentialOfferURIManager = credentialOfferURIManager\n return this\n }\n\n public withInMemoryCredentialOfferURIState(): this {\n this.withCredentialOfferURIStateManager(new MemoryStates())\n return this\n }\n\n public withCredentialOfferStateManager(credentialOfferManager: IStateManager): this {\n this.credentialOfferStateManager = credentialOfferManager\n return this\n }\n\n public withInMemoryCredentialOfferState(): this {\n this.withCredentialOfferStateManager(new MemoryStates())\n return this\n }\n\n public withCNonceStateManager(cNonceManager: IStateManager): this {\n this.cNonceStateManager = cNonceManager\n return this\n }\n\n public withInMemoryCNonceState(): this {\n this.withCNonceStateManager(new MemoryStates())\n return this\n }\n\n public withCNonceExpiresIn(cNonceExpiresIn: number): this {\n this.cNonceExpiresIn = cNonceExpiresIn\n return this\n }\n\n public withCredentialSignerCallback(cb: CredentialSignerCallback): this {\n this.credentialSignerCallback = cb\n return this\n }\n\n public withJWTVerifyCallback(verifyCallback: JWTVerifyCallback): this {\n this.jwtVerifyCallback = verifyCallback\n return this\n }\n\n public withCredentialDataSupplier(credentialDataSupplier: CredentialDataSupplier): this {\n this.credentialDataSupplier = credentialDataSupplier\n return this\n }\n\n public build(): VcIssuer {\n if (!this.credentialOfferStateManager) {\n throw new Error(TokenErrorResponse.invalid_request)\n }\n if (!this.cNonceStateManager) {\n throw new Error(TokenErrorResponse.invalid_request)\n }\n if (Object.keys(this.issuerMetadata).length === 0) {\n throw new Error('issuerMetadata not set')\n }\n if (Object.keys(this.authorizationServerMetadata).length === 0) {\n throw new Error('authorizationServerMetadata not set')\n }\n\n const builder = this.issuerMetadataBuilder?.build()\n const metadata: Partial = { ...this.issuerMetadata, ...builder }\n // Let's make sure these get merged correctly:\n metadata.credential_configurations_supported = this.issuerMetadata.credential_configurations_supported\n metadata.display = [...(this.issuerMetadata.display ?? []), ...(builder?.display ?? [])]\n if (!metadata.credential_endpoint || !metadata.credential_issuer || !this.issuerMetadata.credential_configurations_supported) {\n throw new Error(TokenErrorResponse.invalid_request)\n }\n if (this.asClientOpts && typeof this.jwtVerifyCallback !== 'function') {\n if (!this.issuerMetadata.credential_issuer) {\n throw Error('issuerMetadata.credential_issuer is required when using asClientOpts')\n } else if (!this.issuerMetadata.authorization_servers) {\n throw Error('issuerMetadata.authorization_servers is required when using asClientOpts')\n }\n this.jwtVerifyCallback = oidcAccessTokenVerifyCallback({\n clientMetadata: this.asClientOpts,\n credentialIssuer: this.issuerMetadata.credential_issuer,\n authorizationServer: this.issuerMetadata.authorization_servers[0],\n })\n }\n return new VcIssuer(metadata as IssuerMetadataV1_0_13, this.authorizationServerMetadata as AuthorizationServerMetadata, {\n //TODO: discuss this with Niels. I did not find this in the spec. but I think we should somehow communicate this\n ...(this.txCode && { txCode: this.txCode }),\n defaultCredentialOfferBaseUri: this.defaultCredentialOfferBaseUri,\n credentialSignerCallback: this.credentialSignerCallback,\n jwtVerifyCallback: this.jwtVerifyCallback,\n credentialDataSupplier: this.credentialDataSupplier,\n credentialOfferSessions: this.credentialOfferStateManager,\n cNonces: this.cNonceStateManager,\n cNonceExpiresIn: this.cNonceExpiresIn,\n uris: this.credentialOfferURIManager,\n asClientOpts: this.asClientOpts,\n })\n }\n}\n","import { uuidv4 } from '@sphereon/oid4vc-common'\nimport {\n ALG_ERROR,\n AUD_ERROR,\n AuthorizationServerMetadata,\n ClientMetadata,\n CNonceState,\n CreateCredentialOfferURIResult,\n CREDENTIAL_MISSING_ERROR,\n CredentialConfigurationSupportedV1_0_13,\n CredentialDataSupplierInput,\n CredentialEventNames,\n CredentialIssuerMetadataOptsV1_0_13,\n CredentialOfferEventNames,\n CredentialOfferMode,\n CredentialOfferSession,\n CredentialOfferV1_0_13,\n CredentialRequest,\n CredentialRequestV1_0_13,\n CredentialResponse,\n DID_NO_DIDDOC_ERROR,\n EVENTS,\n IAT_ERROR,\n ISSUER_CONFIG_ERROR,\n IssueStatus,\n IStateManager,\n JsonLdIssuerCredentialDefinition,\n JWT_VERIFY_CONFIG_ERROR,\n JWTVerifyCallback,\n JwtVerifyResult,\n KID_DID_NO_DID_ERROR,\n KID_JWK_X5C_ERROR,\n NO_ISS_IN_AUTHORIZATION_CODE_CONTEXT,\n NotificationRequest,\n OID4VCICredentialFormat,\n OpenId4VCIVersion,\n PRE_AUTH_GRANT_LITERAL,\n QRCodeOpts,\n StatusListOpts,\n TokenErrorResponse,\n toUniformCredentialOfferRequest,\n TxCode,\n TYP_ERROR,\n URIState,\n} from '@sphereon/oid4vci-common'\nimport { CompactSdJwtVc, CredentialMapper, InitiatorType, SubSystem, System, W3CVerifiableCredential } from '@sphereon/ssi-types'\nimport ShortUUID from 'short-uuid'\n\nimport { assertValidPinNumber, createCredentialOfferObject, createCredentialOfferURIFromObject, CredentialOfferGrantInput } from './functions'\nimport { LookupStateManager, lookupStateManagerMultiGetAsserted, MemoryStates } from './state-manager'\nimport { CredentialDataSupplier, CredentialDataSupplierArgs, CredentialIssuanceInput, CredentialSignerCallback } from './types'\n\nimport { LOG } from './index'\n\nconst shortUUID = ShortUUID()\n\nexport class VcIssuer {\n private readonly _issuerMetadata: CredentialIssuerMetadataOptsV1_0_13\n private readonly _authorizationServerMetadata: AuthorizationServerMetadata\n private readonly _defaultCredentialOfferBaseUri?: string\n private readonly _credentialSignerCallback?: CredentialSignerCallback\n private readonly _jwtVerifyCallback?: JWTVerifyCallback\n private readonly _credentialDataSupplier?: CredentialDataSupplier\n private readonly _credentialOfferSessions: IStateManager\n private readonly _cNonces: IStateManager\n private readonly _uris: IStateManager\n private readonly _cNonceExpiresIn: number\n private readonly _asClientOpts?: ClientMetadata\n\n constructor(\n issuerMetadata: CredentialIssuerMetadataOptsV1_0_13,\n authorizationServerMetadata: AuthorizationServerMetadata,\n args: {\n txCode?: TxCode\n baseUri?: string\n credentialOfferSessions: IStateManager\n defaultCredentialOfferBaseUri?: string\n cNonces: IStateManager\n uris?: IStateManager\n credentialSignerCallback?: CredentialSignerCallback\n jwtVerifyCallback?: JWTVerifyCallback\n credentialDataSupplier?: CredentialDataSupplier\n cNonceExpiresIn?: number | undefined // expiration duration in seconds\n asClientOpts?: ClientMetadata\n },\n ) {\n this._issuerMetadata = issuerMetadata\n this._authorizationServerMetadata = authorizationServerMetadata\n this._defaultCredentialOfferBaseUri = args.defaultCredentialOfferBaseUri\n this._credentialOfferSessions = args.credentialOfferSessions ?? new MemoryStates()\n this._uris = args.uris ?? new MemoryStates()\n this._cNonces = args.cNonces\n this._credentialSignerCallback = args?.credentialSignerCallback\n this._jwtVerifyCallback = args?.jwtVerifyCallback\n this._credentialDataSupplier = args?.credentialDataSupplier\n this._cNonceExpiresIn = (args?.cNonceExpiresIn ?? (process.env.C_NONCE_EXPIRES_IN ? parseInt(process.env.C_NONCE_EXPIRES_IN) : 300)) as number\n this._asClientOpts = args?.asClientOpts\n }\n\n public async getCredentialOfferSessionById(\n id: string,\n lookups: Array<'uri' | 'preAuthorizedCode' | 'issuerState' | 'correlationId'> = ['preAuthorizedCode', 'issuerState', 'correlationId'],\n ): Promise {\n // preAuth and issuerState can be looked up directly\n if (Array.isArray(lookups) && lookups.length > 0) {\n if (!this.uris) {\n return Promise.reject(Error('Cannot lookup credential offer by id if URI state manager is not set'))\n }\n return lookupStateManagerMultiGetAsserted({\n id,\n keyValueMapper: this._uris,\n valueStateManager: this._credentialOfferSessions,\n lookups: ['preAuthorizedCode', 'issuerState', 'correlationId'],\n })\n // return new LookupStateManager(this.uris, this._credentialOfferSessions, lookup).getFromMultiple(id)\n }\n const session = await this._credentialOfferSessions.get(id)\n if (!session) {\n return Promise.reject(Error(`No session found for id ${id}`))\n }\n return session\n }\n\n public async deleteCredentialOfferSessionById(\n id: string,\n lookups: Array<'uri' | 'preAuthorizedCode' | 'issuerState' | 'correlationId'> = ['preAuthorizedCode', 'issuerState'],\n ): Promise {\n const session = await this.getCredentialOfferSessionById(id, lookups)\n if (session) {\n if (session.preAuthorizedCode && (await this._credentialOfferSessions.has(session.preAuthorizedCode))) {\n await this._credentialOfferSessions.delete(session.preAuthorizedCode)\n }\n if (session.issuerState && (await this._credentialOfferSessions.has(session.issuerState))) {\n await this._credentialOfferSessions.delete(session.issuerState)\n }\n }\n return session\n }\n\n public async processNotification({\n preAuthorizedCode,\n issuerState,\n notification,\n }: {\n preAuthorizedCode?: string\n issuerState?: string\n notification: NotificationRequest\n }): Promise {\n const sessionId = preAuthorizedCode ?? issuerState\n const session = sessionId ? await this.getCredentialOfferSessionById(sessionId) : undefined\n if (!session || !sessionId) {\n LOG.error(`No session or session id found ${sessionId}`)\n return Error('invalid_notification_request')\n }\n if (notification.notification_id !== session.notification_id) {\n LOG.error(`Notification id ${notification.notification_id} not found in session. session notification id ${session.notification_id}`)\n return Error('invalid_notification_id')\n } else if (session.notification) {\n LOG.info(`Overwriting existing notification, as a new notification came in ${session.notification_id}`)\n }\n await this.updateSession({ preAuthorizedCode: preAuthorizedCode, issuerState: issuerState, notification })\n LOG.info(`Processed notification ${notification} for ${session.notification_id}`)\n return session\n }\n\n public async createCredentialOfferURI(opts: {\n offerMode?: CredentialOfferMode\n grants?: CredentialOfferGrantInput\n client_id?: string\n redirectUri?: string\n credential_configuration_ids?: Array\n credentialDefinition?: JsonLdIssuerCredentialDefinition\n credentialOfferUri?: string\n credentialDataSupplierInput?: CredentialDataSupplierInput // Optional storage that can help the credential Data Supplier. For instance to store credential input data during offer creation, if no additional data can be supplied later on\n baseUri?: string\n scheme?: string\n pinLength?: number\n qrCodeOpts?: QRCodeOpts\n correlationId?: string\n statusListOpts?: Array\n sessionLifeTimeInSec?: number\n }): Promise {\n const {\n offerMode = 'VALUE',\n correlationId = shortUUID.generate(),\n credential_configuration_ids,\n statusListOpts,\n credentialOfferUri,\n redirectUri,\n } = opts\n if (offerMode === 'REFERENCE' && !credentialOfferUri) {\n return Promise.reject(Error('credentialOfferUri must be supplied for offerMode REFERENCE!'))\n }\n\n const grants = opts.grants ? { ...opts.grants } : {}\n // for backwards compat, would be better if user sets the prop on the grants directly\n if (opts.pinLength !== undefined) {\n if (grants[PRE_AUTH_GRANT_LITERAL]) {\n grants[PRE_AUTH_GRANT_LITERAL].tx_code = {\n ...grants[PRE_AUTH_GRANT_LITERAL].tx_code,\n length: grants[PRE_AUTH_GRANT_LITERAL].tx_code?.length ?? opts.pinLength,\n }\n }\n }\n if (grants[PRE_AUTH_GRANT_LITERAL]?.tx_code && !grants[PRE_AUTH_GRANT_LITERAL]?.tx_code?.length) {\n grants[PRE_AUTH_GRANT_LITERAL].tx_code.length = 4\n }\n\n const baseUri = opts?.baseUri ?? this.defaultCredentialOfferBaseUri\n const credentialOfferObject = createCredentialOfferObject(this._issuerMetadata, {\n ...opts,\n grants,\n credentialOffer: credential_configuration_ids\n ? {\n credential_issuer: this._issuerMetadata.credential_issuer,\n credential_configuration_ids,\n }\n : undefined,\n })\n\n const preAuthGrant = credentialOfferObject.credential_offer.grants?.[PRE_AUTH_GRANT_LITERAL]\n const authGrant = credentialOfferObject.credential_offer.grants?.authorization_code\n\n const preAuthorizedCode = preAuthGrant?.['pre-authorized_code']\n const issuerState = authGrant?.issuer_state\n const txCode = preAuthGrant?.tx_code\n\n let userPin: string | undefined\n if (preAuthGrant?.tx_code) {\n const pinLength = preAuthGrant.tx_code.length ?? 4\n\n userPin = ('' + Math.round((Math.pow(10, pinLength) - 1) * Math.random())).padStart(pinLength, '0')\n assertValidPinNumber(userPin, pinLength)\n }\n const createdAt = +new Date()\n const lastUpdatedAt = createdAt\n const expirationInMs = (opts.sessionLifeTimeInSec ?? 10 * 60) * 1000\n const expiresAt = createdAt + Math.abs(expirationInMs)\n if (offerMode === 'REFERENCE') {\n if (!this.uris) {\n throw Error('No URI state manager set, whilst apparently credential offer by reference is being used')\n }\n\n const offerUri = opts.credentialOfferUri?.replace(':id', correlationId) // TODO how is this going to work with auth code flow?\n if (!offerUri) {\n return Promise.reject(Error('credentialOfferUri must be supplied for offerMode REFERENCE!'))\n }\n\n credentialOfferObject.credential_offer_uri = offerUri\n await this.uris.set(correlationId, {\n uri: offerUri,\n createdAt: createdAt,\n expiresAt,\n preAuthorizedCode,\n issuerState,\n correlationId: correlationId,\n })\n }\n\n const credentialOffer = await toUniformCredentialOfferRequest(\n {\n credential_offer: credentialOfferObject.credential_offer,\n credential_offer_uri: credentialOfferObject.credential_offer_uri,\n } as CredentialOfferV1_0_13,\n {\n version: OpenId4VCIVersion.VER_1_0_13,\n resolve: false, // We are creating the object, so do not resolve\n },\n )\n\n const status = IssueStatus.OFFER_CREATED\n const session: CredentialOfferSession = {\n redirectUri,\n preAuthorizedCode,\n issuerState,\n createdAt,\n lastUpdatedAt,\n expiresAt,\n status,\n notification_id: uuidv4(),\n ...(opts.client_id && { clientId: opts.client_id }),\n ...(userPin && { txCode: userPin }), // We used to use userPin according to older specs. We map these onto txCode now. If both are used, txCode in the end wins, even if they are different\n ...(opts.credentialDataSupplierInput && { credentialDataSupplierInput: opts.credentialDataSupplierInput }),\n credentialOffer,\n statusLists: statusListOpts,\n }\n\n const uri = createCredentialOfferURIFromObject(credentialOffer, offerMode, { ...opts, baseUri })\n if (preAuthorizedCode) {\n const lookupManager = new LookupStateManager(this.uris, this._credentialOfferSessions, 'correlationId')\n await lookupManager.setMapped(preAuthorizedCode, { preAuthorizedCode, uri, createdAt, expiresAt, correlationId, issuerState }, session)\n // await this.credentialOfferSessions.set(preAuthorizedCode, session)\n }\n // todo: check whether we could have the same value for issuer state and pre auth code if both are supported.\n if (issuerState) {\n const lookupManager = new LookupStateManager(this.uris, this._credentialOfferSessions, 'correlationId')\n await lookupManager.setMapped(issuerState, { preAuthorizedCode, uri, createdAt, expiresAt, correlationId, issuerState }, session)\n // await this.credentialOfferSessions.set(issuerState, session)\n }\n let qrCodeDataUri: string | undefined\n if (opts.qrCodeOpts) {\n const { AwesomeQR } = await import('awesome-qr')\n const qrCode = new AwesomeQR({ ...opts.qrCodeOpts, text: uri })\n qrCodeDataUri = `data:image/png;base64,${(await qrCode.draw())!.toString('base64')}`\n }\n const credentialOfferResult = {\n session,\n uri,\n qrCodeDataUri,\n correlationId,\n txCode,\n ...(userPin !== undefined && { userPin, pinLength: userPin?.length ?? 0 }),\n }\n EVENTS.emit(CredentialOfferEventNames.OID4VCI_OFFER_CREATED, {\n eventName: CredentialOfferEventNames.OID4VCI_OFFER_CREATED,\n id: correlationId,\n data: credentialOfferResult,\n initiator: '',\n initiatorType: InitiatorType.EXTERNAL,\n system: System.OID4VCI,\n issuer: this.issuerMetadata.credential_issuer,\n subsystem: SubSystem.API,\n createdAt,\n expiresAt,\n })\n return credentialOfferResult\n }\n\n /**\n * issueCredentialFromIssueRequest\n * @param opts issuerRequestParams\n * - issueCredentialsRequest the credential request\n * - issuerState the state of the issuer\n * - jwtVerifyCallback callback that verifies the Proof of Possession JWT\n * - issuerCallback callback to issue a Verifiable Credential\n * - cNonce an existing c_nonce\n */\n public async issueCredential(opts: {\n credentialRequest: CredentialRequest\n credential?: CredentialIssuanceInput\n credentialDataSupplier?: CredentialDataSupplier\n credentialDataSupplierInput?: CredentialDataSupplierInput\n newCNonce?: string\n cNonceExpiresIn?: number // expiration duration in seconds\n tokenExpiresIn?: number // expiration duration in seconds\n jwtVerifyCallback?: JWTVerifyCallback\n credentialSignerCallback?: CredentialSignerCallback\n responseCNonce?: string\n }): Promise {\n /*if (!('credential_identifier' in opts.credentialRequest)) {\n throw new Error('credential request should be of spec version 1.0.13 or above')\n }*/\n const credentialRequest = opts.credentialRequest as CredentialRequestV1_0_13\n let preAuthorizedCode: string | undefined\n let issuerState: string | undefined\n try {\n if (!('credential_identifier' in credentialRequest) && !credentialRequest.format) {\n throw new Error('credential request should either have a credential_identifier or format and type')\n }\n if (credentialRequest.format && !this.isMetadataSupportCredentialRequestFormat(credentialRequest.format)) {\n throw new Error(TokenErrorResponse.invalid_request)\n }\n const validated = await this.validateCredentialRequestProof({\n ...opts,\n tokenExpiresIn: opts.tokenExpiresIn ?? 180,\n })\n preAuthorizedCode = validated.preAuthorizedCode\n issuerState = validated.issuerState\n\n const { preAuthSession, authSession, cNonceState, jwtVerifyResult } = validated\n const did = jwtVerifyResult.did\n const jwk = jwtVerifyResult.jwk\n const kid = jwtVerifyResult.kid\n const newcNonce = opts.newCNonce ? opts.newCNonce : uuidv4()\n const newcNonceState = {\n cNonce: newcNonce,\n createdAt: +new Date(),\n ...(authSession?.issuerState && { issuerState: authSession.issuerState }),\n ...(preAuthSession && { preAuthorizedCode: preAuthSession.preAuthorizedCode }),\n }\n await this.cNonces.set(newcNonce, newcNonceState)\n\n if (!opts.credential && this._credentialDataSupplier === undefined && opts.credentialDataSupplier === undefined) {\n throw Error(`Either a credential needs to be supplied or a credentialDataSupplier`)\n }\n let credential: CredentialIssuanceInput | undefined\n let format: OID4VCICredentialFormat | undefined = credentialRequest.format\n let signerCallback: CredentialSignerCallback | undefined = opts.credentialSignerCallback\n const session: CredentialOfferSession | undefined = preAuthorizedCode && preAuthSession ? preAuthSession : authSession\n if (opts.credential) {\n credential = opts.credential\n } else {\n const credentialDataSupplier: CredentialDataSupplier | undefined =\n typeof opts.credentialDataSupplier === 'function' ? opts.credentialDataSupplier : this._credentialDataSupplier\n if (typeof credentialDataSupplier !== 'function') {\n throw Error('Data supplier is mandatory if no credential is supplied')\n }\n if (!session) {\n throw Error('Either a preAuth or Auth session is required, none found')\n }\n const credentialOffer = session.credentialOffer\n if (!credentialOffer) {\n throw Error('Credential Offer missing')\n }\n const credentialDataSupplierInput = opts.credentialDataSupplierInput ?? session.credentialDataSupplierInput\n\n const result = await credentialDataSupplier({\n ...(cNonceState ? { ...cNonceState } : { ...authSession }),\n credentialRequest: opts.credentialRequest,\n credentialSupplierConfig: this._issuerMetadata.credential_supplier_config,\n credentialOffer /*todo: clientId: */,\n ...(credentialDataSupplierInput && { credentialDataSupplierInput }),\n } as CredentialDataSupplierArgs)\n credential = result.credential\n if (result.format) {\n format = result.format\n }\n if (typeof result.signCallback === 'function') {\n signerCallback = result.signCallback\n }\n }\n if (!credential) {\n throw Error('A credential needs to be supplied at this point')\n }\n // Bind credential to the provided proof of possession\n if (CredentialMapper.isSdJwtDecodedCredentialPayload(credential) && (kid || jwk) && !credential.cnf) {\n if (kid) {\n credential.cnf = {\n kid,\n }\n }\n // else TODO temp workaround IATAB2B-57\n if (jwk) {\n credential.cnf = {\n jwk,\n }\n }\n } else if (did && !CredentialMapper.isSdJwtDecodedCredentialPayload(credential) && credential.credentialSubject !== undefined) {\n const credentialSubjects = Array.isArray(credential.credentialSubject) ? credential.credentialSubject : [credential.credentialSubject]\n credentialSubjects.map((subject) => {\n if (!subject.id) {\n subject.id = did\n }\n return subject\n })\n credential.credentialSubject = Array.isArray(credential.credentialSubject) ? credentialSubjects : credentialSubjects[0]\n } else {\n // Mdoc Format\n // Nothing to do here\n }\n\n let issuer: string | undefined = undefined\n if (credential.iss) {\n issuer = credential.iss\n } else if (credential.issuer) {\n if (typeof credential.issuer === 'string') {\n issuer = credential.issuer\n } else if (typeof credential.issuer === 'object' && 'id' in credential.issuer && typeof credential.issuer.id === 'string') {\n issuer = credential.issuer.id\n }\n }\n\n const verifiableCredential = await this.issueCredentialImpl(\n {\n credentialRequest: opts.credentialRequest,\n format,\n credential,\n jwtVerifyResult,\n issuer,\n ...(session && { statusLists: session.statusLists }),\n },\n signerCallback,\n )\n // TODO implement acceptance_token (deferred response)\n // TODO update verification accordingly\n if (!verifiableCredential) {\n // credential: OPTIONAL. Contains issued Credential. MUST be present when acceptance_token is not returned. MAY be a JSON string or a JSON object, depending on the Credential format. See Appendix E for the Credential format specific encoding requirements\n throw new Error(CREDENTIAL_MISSING_ERROR)\n }\n if (cNonceState) {\n // remove the previous nonce\n await this.cNonces.delete(cNonceState.cNonce)\n }\n\n let notification_id: string | undefined\n\n if (preAuthorizedCode && preAuthSession) {\n preAuthSession.lastUpdatedAt = +new Date()\n preAuthSession.status = IssueStatus.CREDENTIAL_ISSUED\n notification_id = preAuthSession.notification_id\n await this._credentialOfferSessions.set(preAuthorizedCode, preAuthSession)\n } else if (issuerState && authSession) {\n // If both were set we used the pre auth flow above as well, hence the else if\n authSession.lastUpdatedAt = +new Date()\n authSession.status = IssueStatus.CREDENTIAL_ISSUED\n notification_id = authSession.notification_id\n await this._credentialOfferSessions.set(issuerState, authSession)\n }\n\n const response: CredentialResponse = {\n credential: verifiableCredential,\n // format: credentialRequest.format,\n c_nonce: newcNonce,\n c_nonce_expires_in: this._cNonceExpiresIn,\n ...(notification_id && { notification_id }),\n }\n // eslint-disable-next-line @typescript-eslint/ban-ts-comment\n // @ts-ignore\n const experimentalSubjectIssuance = opts.credentialRequest.credential_subject_issuance\n if (experimentalSubjectIssuance?.subject_proof_mode) {\n if (experimentalSubjectIssuance.subject_proof_mode !== 'proof_replace') {\n throw Error('Only proof replace is supported currently')\n }\n response.transaction_id = authSession?.issuerState\n response.credential_subject_issuance = experimentalSubjectIssuance\n }\n return response\n } catch (error: unknown) {\n await this.updateSession({ preAuthorizedCode, issuerState, error })\n throw error\n }\n }\n\n private async updateSession({\n preAuthorizedCode,\n error,\n issuerState,\n notification,\n }: {\n preAuthorizedCode?: string\n issuerState?: string\n error?: unknown\n notification?: NotificationRequest\n }) {\n let issueState: IssueStatus | undefined = undefined\n if (error) {\n issueState = IssueStatus.ERROR\n } else if (notification) {\n if (notification.event == 'credential_accepted') {\n issueState = IssueStatus.NOTIFICATION_CREDENTIAL_ACCEPTED\n } else if (notification.event == 'credential_deleted') {\n issueState = IssueStatus.NOTIFICATION_CREDENTIAL_DELETED\n } else if (notification.event == 'credential_failure') {\n issueState = IssueStatus.NOTIFICATION_CREDENTIAL_FAILURE\n }\n }\n\n if (preAuthorizedCode) {\n const preAuthSession = await this._credentialOfferSessions.get(preAuthorizedCode)\n if (preAuthSession) {\n preAuthSession.lastUpdatedAt = +new Date()\n if (issueState) {\n preAuthSession.status = issueState\n }\n if (error) {\n preAuthSession.error = error instanceof Error ? error.message : error?.toString()\n }\n preAuthSession.notification_id\n if (notification) {\n preAuthSession.notification = notification\n }\n await this._credentialOfferSessions.set(preAuthorizedCode, preAuthSession)\n }\n }\n if (issuerState) {\n const authSession = await this._credentialOfferSessions.get(issuerState)\n if (authSession) {\n authSession.lastUpdatedAt = +new Date()\n if (issueState) {\n authSession.status = issueState\n }\n if (error) {\n authSession.error = error instanceof Error ? error.message : error?.toString()\n }\n if (notification) {\n authSession.notification = notification\n }\n await this._credentialOfferSessions.set(issuerState, authSession)\n }\n }\n }\n\n /*\n private async retrieveGrantsAndCredentialOfferSession(id: string): Promise<{\n clientId?: string;\n grants?: Grant,\n session: CredentialOfferSession\n }> {\n const session: CredentialOfferSession | undefined = await this._credentialOfferSessions.getAsserted(id)\n const clientId = session?.clientId\n const grants = session?.credentialOffer?.credential_offer?.grants\n if (!grants?.authorization_code?.issuer_state && !grants?.[PRE_AUTH_GRANT_LITERAL]?.[PRE_AUTH_CODE_LITERAL]) {\n throw new Error(GRANTS_MUST_NOT_BE_UNDEFINED)\n }\n return { session, clientId, grants }\n }*/\n\n private async validateCredentialRequestProof({\n credentialRequest,\n jwtVerifyCallback,\n tokenExpiresIn,\n }: {\n credentialRequest: CredentialRequest\n tokenExpiresIn: number // expiration duration in seconds\n // grants?: Grant,\n clientId?: string\n jwtVerifyCallback?: JWTVerifyCallback\n }) {\n let preAuthorizedCode: string | undefined\n let issuerState: string | undefined\n\n const supportedIssuanceFormats = ['jwt_vc_json', 'jwt_vc_json-ld', 'vc+sd-jwt', 'ldp_vc', 'mso_mdoc']\n try {\n if (credentialRequest.format && !supportedIssuanceFormats.includes(credentialRequest.format)) {\n throw Error(`Format ${credentialRequest.format} not supported yet`)\n } else if (typeof this._jwtVerifyCallback !== 'function' && typeof jwtVerifyCallback !== 'function') {\n throw new Error(JWT_VERIFY_CONFIG_ERROR)\n } else if (!credentialRequest.proof) {\n throw Error('Proof of possession is required. No proof value present in credential request')\n }\n\n const jwtVerifyResult = jwtVerifyCallback\n ? await jwtVerifyCallback(credentialRequest.proof)\n : // eslint-disable-next-line @typescript-eslint/no-non-null-assertion\n await this._jwtVerifyCallback!(credentialRequest.proof)\n\n const { didDocument, did, jwt } = jwtVerifyResult\n const { header, payload } = jwt\n const { iss, aud, iat, nonce } = payload\n const issuer_state = 'issuer_state' in credentialRequest && credentialRequest.issuer_state ? credentialRequest.issuer_state : undefined\n if (!nonce && !issuer_state) {\n throw Error('No nonce was found in the Proof of Possession')\n }\n let createdAt: number\n let cNonceState: CNonceState | undefined\n if (nonce) {\n cNonceState = await this.cNonces.getAsserted(nonce)\n preAuthorizedCode = cNonceState.preAuthorizedCode\n issuerState = cNonceState.issuerState\n createdAt = cNonceState.createdAt\n } else if (issuer_state) {\n const session = await this._credentialOfferSessions.getAsserted(issuer_state as string)\n issuerState = issuer_state as string | undefined\n createdAt = session.createdAt\n } else {\n throw Error('No nonce or issuer_state was found in the Proof of Possession')\n }\n // The verify callback should set the correct values, but let's look at the JWT ourselves to to be sure\n const alg = jwtVerifyResult.alg ?? header.alg\n const kid = jwtVerifyResult.kid ?? header.kid\n const jwk = jwtVerifyResult.jwk ?? header.jwk\n const x5c = jwtVerifyResult.x5c ?? header.x5c\n const typ = header.typ\n\n if (typ !== 'openid4vci-proof+jwt') {\n throw Error(TYP_ERROR)\n } else if (!alg) {\n throw Error(ALG_ERROR)\n } else if (x5c && (kid || jwk)) {\n // x5c cannot be used together with kid or jwk\n throw Error(KID_JWK_X5C_ERROR)\n } else if (kid && !did) {\n if (!jwk && !x5c) {\n // Make sure the callback function extracts the DID from the kid\n throw Error(KID_DID_NO_DID_ERROR)\n } else {\n // If JWK or x5c is present, log the information and proceed\n console.log(`KID present but no DID, using JWK or x5c`)\n }\n } else if (did && !didDocument) {\n // Make sure the callback function does DID resolution when a did is present\n throw Error(DID_NO_DIDDOC_ERROR)\n }\n\n const preAuthSession = preAuthorizedCode ? await this.credentialOfferSessions.get(preAuthorizedCode) : undefined\n const authSession = issuerState ? await this.credentialOfferSessions.get(issuerState) : undefined\n if (!preAuthSession && !authSession) {\n throw Error('Either a pre-authorized code or issuer state needs to be present')\n }\n if (preAuthSession) {\n if (!preAuthSession.preAuthorizedCode || preAuthSession.preAuthorizedCode !== preAuthorizedCode) {\n throw Error('Invalid pre-authorized code')\n }\n preAuthSession.lastUpdatedAt = +new Date()\n preAuthSession.status = IssueStatus.CREDENTIAL_REQUEST_RECEIVED\n await this._credentialOfferSessions.set(preAuthorizedCode, preAuthSession)\n }\n if (authSession) {\n if (!authSession.issuerState || authSession.issuerState !== issuerState) {\n throw Error('Invalid issuer state')\n }\n authSession.lastUpdatedAt = +new Date()\n authSession.status = IssueStatus.CREDENTIAL_REQUEST_RECEIVED\n }\n\n // https://www.rfc-editor.org/rfc/rfc6749.html#section-3.2.1\n // A client MAY use the \"client_id\" request parameter to identify itself\n // when sending requests to the token endpoint. In the\n // \"authorization_code\" \"grant_type\" request to the token endpoint, an\n // unauthenticated client MUST send its \"client_id\" to prevent itself\n // from inadvertently accepting a code intended for a client with a\n // different \"client_id\". This protects the client from substitution of\n // the authentication code. (It provides no additional security for the\n // protected resource.)\n if (!iss && authSession?.credentialOffer.credential_offer?.grants?.authorization_code) {\n throw new Error(NO_ISS_IN_AUTHORIZATION_CODE_CONTEXT)\n }\n // iss: OPTIONAL (string). The value of this claim MUST be the client_id of the client making the credential request.\n // This claim MUST be omitted if the Access Token authorizing the issuance call was obtained from a Pre-Authorized Code Flow through anonymous access to the Token Endpoint.\n // TODO We need to investigate further what the comment above means, because it's not clear if the client or the user may be authorized anonymously\n // if (iss && grants && grants[PRE_AUTH_GRANT_LITERAL]) {\n // throw new Error(ISS_PRESENT_IN_PRE_AUTHORIZED_CODE_CONTEXT)\n // }\n /*if (iss && iss !== clientId) {\n throw new Error(ISS_MUST_BE_CLIENT_ID + `iss: ${iss}, client_id: ${clientId}`)\n }*/\n if (!aud || aud !== this._issuerMetadata.credential_issuer) {\n throw new Error(AUD_ERROR)\n }\n if (!iat) {\n throw new Error(IAT_ERROR)\n } else if (iat > Math.round(createdAt / 1000) + tokenExpiresIn) {\n // createdAt is in milliseconds whilst iat and tokenExpiresIn are in seconds\n throw new Error(IAT_ERROR)\n }\n // todo: Add a check of iat against current TS on server with a skew\n\n return { jwtVerifyResult, preAuthorizedCode, preAuthSession, issuerState, authSession, cNonceState }\n } catch (error: unknown) {\n await this.updateSession({ preAuthorizedCode, issuerState, error })\n throw error\n }\n }\n\n private isMetadataSupportCredentialRequestFormat(requestFormat: string | string[]): boolean {\n if (!this._issuerMetadata.credential_configurations_supported) {\n return false\n }\n for (const credentialSupported of Object.values(\n this._issuerMetadata['credential_configurations_supported'] as Record,\n )) {\n if (!Array.isArray(requestFormat) && credentialSupported.format === requestFormat) {\n return true\n } else if (Array.isArray(requestFormat)) {\n for (const format of requestFormat as string[]) {\n if (credentialSupported.format === format) {\n return true\n }\n }\n }\n }\n\n return false\n }\n\n private async issueCredentialImpl(\n opts: {\n credentialRequest: CredentialRequest\n credential: CredentialIssuanceInput\n jwtVerifyResult: JwtVerifyResult\n format?: OID4VCICredentialFormat\n issuer?: string\n statusLists?: Array\n },\n issuerCallback?: CredentialSignerCallback,\n ): Promise {\n if ((!opts.credential && !opts.credentialRequest) || !this._credentialSignerCallback) {\n throw new Error(ISSUER_CONFIG_ERROR)\n }\n const credential = issuerCallback ? await issuerCallback(opts) : await this._credentialSignerCallback(opts)\n\n // TODO: Create builder\n EVENTS.emit(CredentialEventNames.OID4VCI_CREDENTIAL_ISSUED, {\n eventName: CredentialEventNames.OID4VCI_CREDENTIAL_ISSUED,\n id: uuidv4(),\n data: credential,\n // TODO: Format, request etc\n initiator: opts.issuer ?? '',\n initiatorType: InitiatorType.EXTERNAL,\n system: System.OID4VCI,\n subsystem: SubSystem.VC_ISSUER,\n })\n\n return credential\n }\n\n get credentialSignerCallback(): CredentialSignerCallback | undefined {\n return this._credentialSignerCallback\n }\n\n get jwtVerifyCallback(): JWTVerifyCallback | undefined {\n return this._jwtVerifyCallback\n }\n\n get credentialDataSupplier(): CredentialDataSupplier | undefined {\n return this._credentialDataSupplier\n }\n\n get uris(): IStateManager {\n return this._uris\n }\n\n get cNonceExpiresIn(): number {\n return this._cNonceExpiresIn\n }\n\n public get credentialOfferSessions(): IStateManager {\n return this._credentialOfferSessions\n }\n\n public get cNonces(): IStateManager {\n return this._cNonces\n }\n\n get defaultCredentialOfferBaseUri(): string | undefined {\n return this._defaultCredentialOfferBaseUri\n }\n\n public get issuerMetadata() {\n return this._issuerMetadata\n }\n\n public get authorizationServerMetadata() {\n return this._authorizationServerMetadata\n }\n\n get asClientOpts() {\n return this._asClientOpts\n }\n}\n","import { uuidv4 } from '@sphereon/oid4vc-common'\nimport {\n AssertedUniformCredentialOffer,\n CredentialIssuerMetadataOpts,\n CredentialIssuerMetadataOptsV1_0_13,\n CredentialIssuerMetadataV1_0_11,\n CredentialOfferMode,\n CredentialOfferPayloadV1_0_11,\n CredentialOfferPayloadV1_0_13,\n CredentialOfferSession,\n CredentialOfferV1_0_13,\n Grant,\n GrantAuthorizationCode,\n GrantUrnIetf,\n IssuerMetadataV1_0_13,\n PIN_NOT_MATCH_ERROR,\n PRE_AUTH_GRANT_LITERAL,\n UniformCredentialOffer,\n} from '@sphereon/oid4vci-common'\n\nexport interface CredentialOfferGrantInput {\n authorization_code?: Partial\n [PRE_AUTH_GRANT_LITERAL]?: Partial\n}\n\nfunction createCredentialOfferGrants(inputGrants?: CredentialOfferGrantInput) {\n // Grants is optional\n if (!inputGrants || Object.keys(inputGrants).length === 0) {\n return undefined\n }\n\n const grants: Grant = {}\n if (inputGrants?.[PRE_AUTH_GRANT_LITERAL]) {\n const grant = {\n ...inputGrants[PRE_AUTH_GRANT_LITERAL],\n 'pre-authorized_code': inputGrants[PRE_AUTH_GRANT_LITERAL]['pre-authorized_code'] ?? uuidv4(),\n }\n\n if (grant.tx_code && !grant.tx_code.length) {\n grant.tx_code.length = 4\n }\n\n grants[PRE_AUTH_GRANT_LITERAL] = grant\n }\n\n if (inputGrants?.authorization_code) {\n grants.authorization_code = {\n ...inputGrants.authorization_code,\n\n // TODO: it should be possible to create offer without issuer_state\n // this is added to avoid breaking changes.\n issuer_state: inputGrants.authorization_code.issuer_state ?? uuidv4(),\n }\n }\n\n return grants\n}\n\nfunction parseCredentialOfferSchemeAndBaseUri(scheme?: string, baseUri?: string, credentialIssuer?: string): { scheme: string; baseUri: string } {\n const newScheme = scheme?.replace('://', '') ?? (baseUri?.includes('://') ? baseUri.split('://')[0] : 'openid-credential-offer')\n let newBaseUri: string\n\n if (baseUri) {\n newBaseUri = baseUri\n } else if (newScheme.startsWith('http')) {\n if (credentialIssuer) {\n newBaseUri = credentialIssuer\n if (!newBaseUri.startsWith(`${newScheme}://`)) {\n throw Error(`scheme ${newScheme} is different from base uri ${newBaseUri}`)\n }\n } else {\n throw Error(`A '${newScheme}' scheme requires a URI to be present as baseUri`)\n }\n } else {\n newBaseUri = ''\n }\n newBaseUri = newBaseUri?.replace(`${newScheme}://`, '')\n\n return { scheme: newScheme, baseUri: newBaseUri }\n}\n\nexport function createCredentialOfferObject(\n issuerMetadata?: CredentialIssuerMetadataOptsV1_0_13,\n // todo: probably it's wise to create another builder for CredentialOfferPayload that will generate different kinds of CredentialOfferPayload\n opts?: {\n credentialOffer?: CredentialOfferPayloadV1_0_13\n credentialOfferUri?: string\n grants?: CredentialOfferGrantInput\n client_id?: string\n },\n): AssertedUniformCredentialOffer {\n if (!issuerMetadata && !opts?.credentialOffer && !opts?.credentialOfferUri) {\n throw new Error('You have to provide issuerMetadata or credentialOffer object for creating a deeplink')\n }\n\n const grants = createCredentialOfferGrants(opts?.grants)\n\n let credential_offer: CredentialOfferPayloadV1_0_13\n if (opts?.credentialOffer) {\n credential_offer = {\n ...opts.credentialOffer,\n }\n } else {\n if (!issuerMetadata?.credential_configurations_supported) {\n throw new Error('credential_configurations_supported is mandatory in the metadata')\n }\n credential_offer = {\n credential_issuer: issuerMetadata.credential_issuer,\n credential_configuration_ids: Object.keys(issuerMetadata.credential_configurations_supported),\n }\n }\n\n if (grants) {\n credential_offer.grants = grants\n }\n if (opts?.client_id) {\n credential_offer.client_id = opts.client_id\n }\n\n // todo: check payload against issuer metadata. Especially strings in the credentials array: When processing, the Wallet MUST resolve this string value to the respective object.\n return { credential_offer, credential_offer_uri: opts?.credentialOfferUri }\n}\n\nexport function createCredentialOfferObjectv1_0_11(\n issuerMetadata?: CredentialIssuerMetadataOpts,\n // todo: probably it's wise to create another builder for CredentialOfferPayload that will generate different kinds of CredentialOfferPayload\n opts?: {\n credentialOffer?: CredentialOfferPayloadV1_0_11\n credentialOfferUri?: string\n scheme?: string\n baseUri?: string\n grants?: CredentialOfferGrantInput\n },\n): AssertedUniformCredentialOffer {\n if (!issuerMetadata && !opts?.credentialOffer && !opts?.credentialOfferUri) {\n throw new Error('You have to provide issuerMetadata or credentialOffer object for creating a deeplink')\n }\n // v13 to v11 grant\n const grants = createCredentialOfferGrants(opts?.grants)\n if (grants?.[PRE_AUTH_GRANT_LITERAL]?.tx_code) {\n const { tx_code, ...rest } = grants[PRE_AUTH_GRANT_LITERAL]\n grants[PRE_AUTH_GRANT_LITERAL] = {\n user_pin_required: true,\n ...rest,\n }\n }\n\n let credential_offer: CredentialOfferPayloadV1_0_11\n if (opts?.credentialOffer) {\n credential_offer = {\n ...opts.credentialOffer,\n credentials:\n opts.credentialOffer?.credentials ?? issuerMetadata?.credentials_supported.map((s) => s.id).filter((i): i is string => i !== undefined),\n }\n } else {\n if (!issuerMetadata) {\n throw new Error('Issuer metadata is required when no credential offer is provided')\n }\n credential_offer = {\n credential_issuer: issuerMetadata.credential_issuer,\n credentials: issuerMetadata?.credentials_supported.map((s) => s.id).filter((i): i is string => i !== undefined),\n }\n }\n\n return { credential_offer, credential_offer_uri: opts?.credentialOfferUri }\n}\n\nexport function createCredentialOfferURIFromObject(\n credentialOffer: CredentialOfferV1_0_13 | UniformCredentialOffer,\n offerMode: CredentialOfferMode,\n opts?: { scheme?: string; baseUri?: string },\n) {\n const { scheme, baseUri } = parseCredentialOfferSchemeAndBaseUri(opts?.scheme, opts?.baseUri, credentialOffer.credential_offer?.credential_issuer)\n\n if (offerMode === 'REFERENCE') {\n if (!credentialOffer.credential_offer_uri) {\n throw Error(`credential_offer_uri must be set for offerMode ${offerMode}`)\n }\n if (credentialOffer.credential_offer_uri.includes('credential_offer_uri=')) {\n // discard the scheme. Apparently a URI is set and it already contains the actual uri, so assume that takes priority\n return credentialOffer.credential_offer_uri\n }\n return `${scheme}://${baseUri}?credential_offer_uri=${encodeURIComponent(credentialOffer.credential_offer_uri)}`\n } else if (offerMode === 'VALUE') {\n return `${scheme}://${baseUri}?credential_offer=${encodeURIComponent(JSON.stringify(credentialOffer.credential_offer))}`\n }\n throw Error(`unsupported offerMode ${offerMode}`)\n}\n\nexport function createCredentialOfferURI(\n offerMode: CredentialOfferMode,\n issuerMetadata?: IssuerMetadataV1_0_13,\n // todo: probably it's wise to create another builder for CredentialOfferPayload that will generate different kinds of CredentialOfferPayload\n opts?: {\n credentialOffer?: CredentialOfferPayloadV1_0_13\n credentialOfferUri?: string\n scheme?: string\n baseUri?: string\n grants?: CredentialOfferGrantInput\n },\n): string {\n const credentialOffer = createCredentialOfferObject(issuerMetadata, opts)\n return createCredentialOfferURIFromObject(credentialOffer, offerMode, opts)\n}\n\nexport function createCredentialOfferURIv1_0_11(\n offerMode: CredentialOfferMode,\n issuerMetadata?: CredentialIssuerMetadataV1_0_11,\n // todo: probably it's wise to create another builder for CredentialOfferPayload that will generate different kinds of CredentialOfferPayload\n opts?: {\n credentialOffer?: CredentialOfferPayloadV1_0_11\n credentialOfferUri?: string\n scheme?: string\n baseUri?: string\n grants?: CredentialOfferGrantInput\n },\n): string {\n const credentialOffer = createCredentialOfferObjectv1_0_11(issuerMetadata, opts)\n return createCredentialOfferURIFromObject(credentialOffer, offerMode, opts)\n}\n\nexport const isPreAuthorizedCodeExpired = (state: CredentialOfferSession, expirationDurationInSeconds: number) => {\n const now = +new Date()\n const expirationTime = state.createdAt + expirationDurationInSeconds * 1000\n return now >= expirationTime\n}\n\nexport const assertValidPinNumber = (pin?: string, pinLength?: number) => {\n if (pin && !RegExp(`[\\\\d\\\\D]{${pinLength ?? 6}}`).test(pin)) {\n throw Error(`${PIN_NOT_MATCH_ERROR}`)\n }\n}\n","import { decodeJwt, decodeProtectedHeader } from '@sphereon/oid4vc-common'\nimport { ClientMetadata, JWTHeader, JWTVerifyCallback, JwtVerifyResult } from '@sphereon/oid4vci-common'\nimport { oidcDiscoverIssuer, oidcGetClient } from '@sphereon/ssi-express-support'\n\nexport function oidcAccessTokenVerifyCallback(opts: {\n credentialIssuer: string\n authorizationServer: string\n clientMetadata?: ClientMetadata\n}): JWTVerifyCallback {\n const clientMetadata = opts.clientMetadata ?? { client_id: opts.credentialIssuer }\n\n return async (args: { jwt: string; kid?: string }): Promise => {\n const oidcIssuer = await oidcDiscoverIssuer({ issuerUrl: opts.authorizationServer })\n const oidcClient = await oidcGetClient(oidcIssuer.issuer, clientMetadata)\n const introspection = await oidcClient.introspect(args.jwt)\n if (!introspection.active) {\n return Promise.reject(Error('Access token is not active or invalid'))\n }\n const jwt = { header: decodeProtectedHeader(args.jwt) as JWTHeader, payload: decodeJwt(args.jwt) }\n\n return {\n jwt,\n alg: jwt.header.alg,\n ...(jwt.header.jwk && { jwk: jwt.header.jwk }),\n ...(jwt.header.x5c && { x5c: jwt.header.x5c }),\n ...(jwt.header.kid && { kid: jwt.header.kid }),\n // We could resolve the did document here if the kid is a VM\n }\n }\n}\n","import { IStateManager, STATE_MISSING_ERROR, StateType } from '@sphereon/oid4vci-common'\n\nexport class MemoryStates implements IStateManager {\n private readonly expiresInMS: number\n private readonly states: Map\n private cleanupIntervalId?: number | NodeJS.Timeout\n\n constructor(opts?: { expiresInSec?: number }) {\n this.expiresInMS = opts?.expiresInSec !== undefined ? opts?.expiresInSec * 1000 : 180000\n this.states = new Map()\n }\n\n async clearAll(): Promise {\n this.states.clear()\n }\n\n async clearExpired(timestamp?: number): Promise {\n const states = Array.from(this.states.entries())\n const ts = timestamp ?? +new Date()\n for (const [id, state] of states) {\n if (state.expiresAt && state.expiresAt < ts) {\n this.states.delete(id)\n } else if (!state.expiresAt) {\n // If there is no expiration set on the state itself, we will use the state manager expiresInMS value\n if (state.createdAt + this.expiresInMS < ts) {\n this.states.delete(id)\n }\n }\n }\n }\n\n async delete(id: string): Promise {\n if (!id) {\n throw Error('No id supplied')\n }\n return this.states.delete(id)\n }\n\n async getAsserted(id: string): Promise {\n if (!id) {\n throw Error('No id supplied')\n }\n let result: T | undefined\n if (await this.has(id)) {\n result = (await this.get(id)) as T\n }\n if (!result) {\n throw new Error(STATE_MISSING_ERROR + ` (${id})`)\n }\n return result\n }\n\n async get(id: string): Promise {\n return this.states.get(id)\n }\n\n async has(id: string): Promise {\n if (!id) {\n throw Error('No id supplied')\n }\n return this.states.has(id)\n }\n\n async set(id: string, stateValue: T): Promise {\n if (!id) {\n throw Error('No id supplied')\n }\n this.states.set(id, stateValue)\n }\n\n async startCleanupRoutine(timeout?: number): Promise {\n if (!this.cleanupIntervalId) {\n this.cleanupIntervalId = setInterval(() => this.clearExpired(), timeout ?? 30000)\n }\n }\n\n async stopCleanupRoutine(): Promise {\n if (this.cleanupIntervalId) {\n clearInterval(this.cleanupIntervalId)\n }\n }\n}\n","// noinspection ES6MissingAwait\n\nimport { IStateManager, StateType } from '@sphereon/oid4vci-common'\n\nexport async function lookupStateManagerMultiGetAsserted(args: {\n id: string\n lookups: string[]\n keyValueMapper: IStateManager\n valueStateManager: IStateManager\n}) {\n const value = await lookupStateManagerMultiGet(args)\n if (value) {\n return value\n }\n return Promise.reject(Error(`no value found for id ${args.id}`))\n}\nexport async function lookupStateManagerMultiGet({\n id,\n lookups,\n keyValueMapper,\n valueStateManager,\n}: {\n id: string\n lookups: string[]\n keyValueMapper: IStateManager\n valueStateManager: IStateManager\n}) {\n for (const lookup of lookups) {\n try {\n const value = await new LookupStateManager(keyValueMapper, valueStateManager, lookup).get(id)\n if (value) {\n return value\n }\n } catch (e) {\n // intentionally ignore the error\n }\n }\n return valueStateManager.get(id)\n}\n\nexport class LookupStateManager implements IStateManager {\n constructor(\n private keyValueMapper: IStateManager,\n private valueStateManager: IStateManager,\n private lookup: string,\n ) {}\n\n startCleanupRoutine(timeout?: number | undefined): Promise {\n this.keyValueMapper.startCleanupRoutine(timeout)\n return this.valueStateManager.startCleanupRoutine(timeout)\n }\n\n stopCleanupRoutine(): Promise {\n this.keyValueMapper.stopCleanupRoutine()\n return this.valueStateManager.stopCleanupRoutine()\n }\n\n async clearAll(): Promise {\n this.keyValueMapper.clearAll()\n this.valueStateManager.clearAll()\n }\n\n async clearExpired(timestamp?: number): Promise {\n this.keyValueMapper.clearExpired(timestamp)\n this.valueStateManager.clearExpired(timestamp)\n }\n\n private async assertedValueId(key: string): Promise {\n const prop = this.lookup\n const valueId = await this.keyValueMapper\n .getAsserted(key)\n // eslint-disable-next-line @typescript-eslint/ban-ts-comment\n // @ts-ignore\n .then((keyState) => (keyState && prop in keyState ? keyState[prop] : undefined))\n if (typeof valueId !== 'string') {\n throw Error('no value id could be derived for key' + key)\n }\n return valueId\n }\n\n private async valueId(key: string): Promise {\n const prop = this.lookup\n return (await this.keyValueMapper\n .get(key)\n // eslint-disable-next-line @typescript-eslint/ban-ts-comment\n // @ts-ignore\n .then((keyState) => (keyState && prop in keyState ? keyState[prop] : undefined))) as string\n }\n\n async delete(id: string): Promise {\n return await this.assertedValueId(id).then(async (value) => {\n await this.keyValueMapper.delete(id)\n return await this.valueStateManager.delete(value)\n })\n }\n\n async get(id: string): Promise {\n return this.valueId(id).then((value) => (value ? this.valueStateManager.get(value) : undefined))\n }\n\n async has(id: string): Promise {\n return this.valueId(id).then((value) => (value ? this.valueStateManager.has(value) : false))\n }\n\n // eslint-disable-next-line @typescript-eslint/no-unused-vars\n async set(_id: string, _stateValue: V): Promise {\n throw Error(`Please use the setMappedMethod that accepts both and id, value and object`)\n }\n\n async setMapped(valueKey: string, keyObject: K, stateValue: V): Promise {\n const keys = keyObject as any\n if (!(this.lookup in keys) || !keys[this.lookup]) {\n return Promise.reject(new Error(`keyValue ${keyObject} does not contain the lookup property ${this.lookup}`))\n }\n const key = keys[this.lookup]\n await this.keyValueMapper.set(key, keyObject)\n await this.valueStateManager.set(valueKey, stateValue)\n }\n\n async getAsserted(id: string): Promise {\n return this.assertedValueId(id).then((value) => this.valueStateManager.getAsserted(value))\n }\n}\n","import { AssertedUniformCredentialOffer, CredentialOfferSession } from '@sphereon/oid4vci-common'\n\nexport class CredentialOfferStateBuilder {\n private readonly credentialOfferState: Partial\n constructor() {\n this.credentialOfferState = {}\n }\n\n credentialOffer(credentialOffer: AssertedUniformCredentialOffer): CredentialOfferStateBuilder {\n this.credentialOfferState.credentialOffer = credentialOffer\n return this\n }\n\n createdAt(timestamp: number): CredentialOfferStateBuilder {\n this.credentialOfferState.createdAt = timestamp\n return this\n }\n\n build(): CredentialOfferSession {\n if (!this.credentialOfferState.createdAt) {\n this.credentialOfferState.createdAt = +new Date()\n }\n if (!this.credentialOfferState.credentialOffer) {\n throw new Error('Not all properties are present to build an IssuerState object')\n }\n return this.credentialOfferState as CredentialOfferSession\n }\n}\n","import { ImageInfo, MetadataDisplay } from '@sphereon/oid4vci-common'\n\nexport class DisplayBuilder {\n name?: string\n locale?: string\n additionalProperties: Record = {}\n\n logo?: ImageInfo\n backgroundColor?: string\n textColor?: string\n\n withName(name: string) {\n this.name = name\n return this\n }\n\n withLocale(locale: string) {\n this.locale = locale\n return this\n }\n\n withLogo(logo: ImageInfo) {\n if (logo) {\n if (!logo.url) {\n throw Error(`logo without url will not work`)\n }\n }\n this.logo = logo\n return this\n }\n\n withBackgroundColor(backgroundColor: string) {\n this.backgroundColor = backgroundColor\n return this\n }\n\n withTextColor(textColor: string) {\n this.textColor = textColor\n return this\n }\n\n withAdditionalProperties(properties: Record) {\n this.additionalProperties = properties ?? {}\n return this\n }\n\n addAdditionalProperty(key: string, value: unknown) {\n this.additionalProperties[key] = value\n return this\n }\n\n build(): MetadataDisplay {\n return {\n ...this.additionalProperties,\n ...(this.name && { name: this.name }),\n ...(this.locale && { locale: this.locale }),\n ...(this.logo && { logo: this.logo }),\n ...(this.backgroundColor && { background_color: this.backgroundColor }),\n ...(this.textColor && { text_color: this.textColor }),\n }\n }\n}\n","import { CredentialConfigurationSupportedV1_0_13, IssuerMetadataV1_0_13, MetadataDisplay } from '@sphereon/oid4vci-common'\n\nimport { CredentialSupportedBuilderV1_13 } from './CredentialSupportedBuilderV1_13'\nimport { DisplayBuilder } from './DisplayBuilder'\n\nexport class IssuerMetadataBuilderV1_13 {\n credentialEndpoint?: string\n credentialIssuer?: string\n supportedBuilders: CredentialSupportedBuilderV1_13[] = []\n credentialConfigurationsSupported: Record = {}\n displayBuilders: DisplayBuilder[] = []\n display: MetadataDisplay[] = []\n batchCredentialEndpoint?: string\n authorizationServers?: string[]\n tokenEndpoint?: string\n authorizationChallengeEndpoint?: string\n\n public withBatchCredentialEndpoint(batchCredentialEndpoint: string) {\n this.batchCredentialEndpoint = batchCredentialEndpoint\n throw Error(`Not supported yet`)\n }\n\n public withAuthorizationServers(authorizationServers: string[]) {\n this.authorizationServers = authorizationServers\n return this\n }\n\n public withAuthorizationServer(authorizationServer: string) {\n if (this.authorizationServers === undefined) {\n this.authorizationServers = []\n }\n this.authorizationServers.push(authorizationServer)\n return this\n }\n\n public withAuthorizationChallengeEndpoint(authorizationChallengeEndpoint: string) {\n this.authorizationChallengeEndpoint = authorizationChallengeEndpoint\n return this\n }\n\n public withTokenEndpoint(tokenEndpoint: string) {\n this.tokenEndpoint = tokenEndpoint\n return this\n }\n\n public withCredentialEndpoint(credentialEndpoint: string): IssuerMetadataBuilderV1_13 {\n this.credentialEndpoint = credentialEndpoint\n return this\n }\n\n public withCredentialIssuer(credentialIssuer: string): IssuerMetadataBuilderV1_13 {\n this.credentialIssuer = credentialIssuer\n return this\n }\n\n public newSupportedCredentialBuilder(): CredentialSupportedBuilderV1_13 {\n const builder = new CredentialSupportedBuilderV1_13()\n this.addSupportedCredentialBuilder(builder)\n return builder\n }\n\n public addSupportedCredentialBuilder(supportedCredentialBuilder: CredentialSupportedBuilderV1_13) {\n this.supportedBuilders.push(supportedCredentialBuilder)\n return this\n }\n\n public addCredentialConfigurationsSupported(id: string, supportedCredential: CredentialConfigurationSupportedV1_0_13) {\n this.credentialConfigurationsSupported[id] = supportedCredential\n return this\n }\n\n public withIssuerDisplay(issuerDisplay: MetadataDisplay[] | MetadataDisplay): IssuerMetadataBuilderV1_13 {\n this.display = Array.isArray(issuerDisplay) ? issuerDisplay : [issuerDisplay]\n return this\n }\n\n public addDisplay(display: MetadataDisplay) {\n this.display.push(display)\n }\n\n public addDisplayBuilder(displayBuilder: DisplayBuilder) {\n this.displayBuilders.push(displayBuilder)\n }\n\n public newDisplayBuilder(): DisplayBuilder {\n const builder = new DisplayBuilder()\n this.addDisplayBuilder(builder)\n return builder\n }\n\n public build(): IssuerMetadataV1_0_13 {\n if (!this.credentialIssuer) {\n throw Error('No credential issuer supplied')\n } else if (!this.credentialEndpoint) {\n throw Error('No credential endpoint supplied')\n }\n const credential_configurations_supported: Record = this.credentialConfigurationsSupported\n const configurationsEntryList: Record[] = this.supportedBuilders.map((builder) =>\n builder.build(),\n )\n configurationsEntryList.forEach((configRecord) => {\n Object.keys(configRecord).forEach((key) => {\n credential_configurations_supported[key] = configRecord[key]\n })\n })\n if (Object.keys(credential_configurations_supported).length === 0) {\n throw Error('No supported credentials supplied')\n }\n\n const display: MetadataDisplay[] = []\n display.push(...this.display)\n display.push(...this.displayBuilders.map((builder) => builder.build()))\n\n const issuerMetadata: IssuerMetadataV1_0_13 = {\n credential_issuer: this.credentialIssuer,\n credential_endpoint: this.credentialEndpoint,\n credential_configurations_supported,\n // batch_credential_endpoint: this.batchCredentialEndpoint; // not implemented yet\n ...(this.authorizationServers && { authorization_servers: this.authorizationServers }),\n ...(this.tokenEndpoint && { token_endpoint: this.tokenEndpoint }),\n ...(this.authorizationChallengeEndpoint && { authorization_challenge_endpoint: this.authorizationChallengeEndpoint }),\n ...(display.length > 0 && { display }),\n }\n\n return issuerMetadata\n }\n}\n","import { SigningAlgo } from '@sphereon/oid4vc-common'\nimport {\n AuthorizationServerMetadata,\n OAuthGrantType,\n OAuthResponseMode,\n OAuthResponseType,\n OAuthScope,\n PKCECodeChallengeMethod,\n RevocationEndpointAuthMethod,\n RevocationEndpointAuthSigningAlg,\n TokenEndpointAuthMethod,\n TokenEndpointAuthSigningAlg,\n} from '@sphereon/oid4vci-common'\n\nexport class AuthorizationServerMetadataBuilder {\n private metadata: Partial = {}\n\n public withIssuer(issuer: string): AuthorizationServerMetadataBuilder {\n this.metadata.issuer = issuer\n return this\n }\n\n public withAuthorizationEndpoint(endpoint: string): AuthorizationServerMetadataBuilder {\n this.metadata.authorization_endpoint = endpoint\n return this\n }\n\n public withAuthorizationChallengeEndpoint(endpoint: string): AuthorizationServerMetadataBuilder {\n this.metadata.authorization_challenge_endpoint = endpoint\n return this\n }\n\n public withTokenEndpoint(endpoint: string): AuthorizationServerMetadataBuilder {\n this.metadata.token_endpoint = endpoint\n return this\n }\n\n public withTokenEndpointAuthMethodsSupported(methods: Array): AuthorizationServerMetadataBuilder {\n this.metadata.token_endpoint_auth_methods_supported = methods\n return this\n }\n\n public withTokenEndpointAuthSigningAlgValuesSupported(algs: Array): AuthorizationServerMetadataBuilder {\n this.metadata.token_endpoint_auth_signing_alg_values_supported = algs\n return this\n }\n\n public withRegistrationEndpoint(endpoint: string): AuthorizationServerMetadataBuilder {\n this.metadata.registration_endpoint = endpoint\n return this\n }\n\n public withScopesSupported(scopes: Array): AuthorizationServerMetadataBuilder {\n this.metadata.scopes_supported = scopes\n return this\n }\n\n public withResponseTypesSupported(types: Array): AuthorizationServerMetadataBuilder {\n this.metadata.response_types_supported = types\n return this\n }\n\n public withResponseModesSupported(modes: Array): AuthorizationServerMetadataBuilder {\n this.metadata.response_modes_supported = modes\n return this\n }\n\n public withGrantTypesSupported(types: Array): AuthorizationServerMetadataBuilder {\n this.metadata.grant_types_supported = types\n return this\n }\n\n public withServiceDocumentation(url: string): AuthorizationServerMetadataBuilder {\n this.metadata.service_documentation = url\n return this\n }\n\n public withUILocalesSupported(locales: string[]): AuthorizationServerMetadataBuilder {\n this.metadata.ui_locales_supported = locales\n return this\n }\n\n public withOpPolicyUri(uri: string): AuthorizationServerMetadataBuilder {\n this.metadata.op_policy_uri = uri\n return this\n }\n\n public withOpTosUri(uri: string): AuthorizationServerMetadataBuilder {\n this.metadata.op_tos_uri = uri\n return this\n }\n\n public withRevocationEndpoint(endpoint: string): AuthorizationServerMetadataBuilder {\n this.metadata.revocation_endpoint = endpoint\n return this\n }\n\n public withRevocationEndpointAuthMethodsSupported(methods: Array): AuthorizationServerMetadataBuilder {\n this.metadata.revocation_endpoint_auth_methods_supported = methods\n return this\n }\n\n public withRevocationEndpointAuthSigningAlgValuesSupported(algs: Array): AuthorizationServerMetadataBuilder {\n this.metadata.revocation_endpoint_auth_signing_alg_values_supported = algs\n return this\n }\n\n public withIntrospectionEndpoint(endpoint: string): AuthorizationServerMetadataBuilder {\n this.metadata.introspection_endpoint = endpoint\n return this\n }\n\n public withCodeChallengeMethodsSupported(methods: Array): AuthorizationServerMetadataBuilder {\n this.metadata.code_challenge_methods_supported = methods\n return this\n }\n\n public withPushedAuthorizationRequestEndpoint(endpoint: string): AuthorizationServerMetadataBuilder {\n this.metadata.pushed_authorization_request_endpoint = endpoint\n return this\n }\n\n public withRequirePushedAuthorizationRequests(required: boolean): AuthorizationServerMetadataBuilder {\n this.metadata.require_pushed_authorization_requests = required\n return this\n }\n\n public withPreAuthorizedGrantAnonymousAccessSupported(supported: boolean): AuthorizationServerMetadataBuilder {\n this.metadata['pre-authorized_grant_anonymous_access_supported'] = supported\n return this\n }\n\n public withDPoPSigningAlgValuesSupported(algs: (string | SigningAlgo)[]): AuthorizationServerMetadataBuilder {\n this.metadata.dpop_signing_alg_values_supported = algs\n return this\n }\n\n // OIDC specific methods\n public withFrontchannelLogoutSupported(supported: boolean): AuthorizationServerMetadataBuilder {\n this.metadata.frontchannel_logout_supported = supported\n return this\n }\n\n public withFrontchannelLogoutSessionSupported(supported: boolean): AuthorizationServerMetadataBuilder {\n this.metadata.frontchannel_logout_session_supported = supported\n return this\n }\n\n public withBackchannelLogoutSupported(supported: boolean): AuthorizationServerMetadataBuilder {\n this.metadata.backchannel_logout_supported = supported\n return this\n }\n\n public withBackchannelLogoutSessionSupported(supported: boolean): AuthorizationServerMetadataBuilder {\n this.metadata.backchannel_logout_session_supported = supported\n return this\n }\n\n public withUserinfoEndpoint(endpoint: string): AuthorizationServerMetadataBuilder {\n this.metadata.userinfo_endpoint = endpoint\n return this\n }\n\n public withCheckSessionIframe(url: string): AuthorizationServerMetadataBuilder {\n this.metadata.check_session_iframe = url\n return this\n }\n\n public withEndSessionEndpoint(endpoint: string): AuthorizationServerMetadataBuilder {\n this.metadata.end_session_endpoint = endpoint\n return this\n }\n\n public withAcrValuesSupported(values: string[]): AuthorizationServerMetadataBuilder {\n this.metadata.acr_values_supported = values\n return this\n }\n\n public withSubjectTypesSupported(types: string[]): AuthorizationServerMetadataBuilder {\n this.metadata.subject_types_supported = types\n return this\n }\n\n public withRequestObjectSigningAlgValuesSupported(algs: string[]): AuthorizationServerMetadataBuilder {\n this.metadata.request_object_signing_alg_values_supported = algs\n return this\n }\n\n public withDisplayValuesSupported(values: string[]): AuthorizationServerMetadataBuilder {\n this.metadata.display_values_supported = values\n return this\n }\n\n public withClaimTypesSupported(types: string[]): AuthorizationServerMetadataBuilder {\n this.metadata.claim_types_supported = types\n return this\n }\n\n public withClaimsSupported(claims: string[]): AuthorizationServerMetadataBuilder {\n this.metadata.claims_supported = claims\n return this\n }\n\n public withClaimsParameterSupported(supported: boolean): AuthorizationServerMetadataBuilder {\n this.metadata.claims_parameter_supported = supported\n return this\n }\n\n // VCI specific methods\n public withCredentialEndpoint(endpoint: string): AuthorizationServerMetadataBuilder {\n this.metadata.credential_endpoint = endpoint\n return this\n }\n\n public withDeferredCredentialEndpoint(endpoint: string): AuthorizationServerMetadataBuilder {\n this.metadata.deferred_credential_endpoint = endpoint\n return this\n }\n\n public build(): AuthorizationServerMetadata {\n if (!this.metadata.issuer) {\n throw new Error('Issuer is required')\n }\n\n if (!this.metadata.response_types_supported) {\n throw new Error('Response types supported is required')\n }\n\n return this.metadata as AuthorizationServerMetadata\n }\n}\n","import { calculateJwkThumbprint, JWK, uuidv4 } from '@sphereon/oid4vc-common'\nimport {\n AccessTokenRequest,\n AccessTokenResponse,\n Alg,\n CNonceState,\n CredentialOfferSession,\n EXPIRED_PRE_AUTHORIZED_CODE,\n GrantTypes,\n INVALID_PRE_AUTHORIZED_CODE,\n IssueStatus,\n IStateManager,\n Jwt,\n JWTSignerCallback,\n JWTVerifyCallback,\n PIN_NOT_MATCH_ERROR,\n PIN_VALIDATION_ERROR,\n PRE_AUTH_CODE_LITERAL,\n PRE_AUTHORIZED_CODE_REQUIRED_ERROR,\n TokenError,\n TokenErrorResponse,\n UNSUPPORTED_GRANT_TYPE_ERROR,\n USER_PIN_NOT_REQUIRED_ERROR,\n USER_PIN_REQUIRED_ERROR,\n USER_PIN_TX_CODE_SPEC_ERROR,\n} from '@sphereon/oid4vci-common'\n\nimport { isPreAuthorizedCodeExpired } from '../functions'\n\nexport interface ITokenEndpointOpts {\n tokenEndpointDisabled?: boolean // Disable if used in an existing OAuth2/OIDC environment and have the AS handle tokens\n tokenPath?: string // token path can either be defined here, or will be deduced from issuer metadata\n interval?: number\n cNonceExpiresIn?: number\n tokenExpiresIn?: number\n preAuthorizedCodeExpirationDuration?: number\n accessTokenSignerCallback?: JWTSignerCallback\n accessTokenVerificationCallback?: JWTVerifyCallback\n accessTokenIssuer?: string\n accessTokenProvider?: AccessTokenProvider\n}\n\nexport type AccessTokenProvider = 'internal' | 'oidc' | 'oauth2'\n\nexport const generateAccessToken = async (\n opts: Required> & {\n additionalClaims?: Record\n preAuthorizedCode?: string\n alg?: Alg\n dPoPJwk?: JWK\n },\n): Promise => {\n const {\n dPoPJwk,\n accessTokenIssuer,\n alg,\n accessTokenSignerCallback,\n tokenExpiresIn,\n preAuthorizedCode,\n additionalClaims,\n accessTokenProvider = 'internal',\n } = opts\n // JWT uses seconds for iat and exp\n if (accessTokenProvider !== 'internal') {\n throw new TokenError(\n 400,\n TokenErrorResponse.invalid_request,\n `Access token provider ${accessTokenProvider} is an external access token provider. We cannot generate tokens ourselves in this case`,\n )\n }\n const iat = new Date().getTime() / 1000\n const exp = iat + tokenExpiresIn\n const cnf = dPoPJwk ? { cnf: { jkt: await calculateJwkThumbprint(dPoPJwk, 'sha256') } } : undefined\n const jwt: Jwt = {\n header: { typ: 'JWT', alg: alg ?? Alg.ES256 },\n payload: {\n iat,\n exp,\n iss: accessTokenIssuer,\n ...cnf,\n ...(preAuthorizedCode && { preAuthorizedCode }),\n // Protected resources simultaneously supporting both the DPoP and Bearer schemes need to update how the\n // evaluation process is performed for bearer tokens to prevent downgraded usage of a DPoP-bound access token.\n // Specifically, such a protected resource MUST reject a DPoP-bound access token received as a bearer token per [RFC6750].\n token_type: dPoPJwk ? 'DPoP' : 'Bearer',\n ...additionalClaims,\n },\n }\n return await accessTokenSignerCallback(jwt)\n}\n\nexport const isValidGrant = (assertedState: CredentialOfferSession, grantType: string): boolean => {\n if (assertedState.credentialOffer?.credential_offer?.grants) {\n // TODO implement authorization_code\n return (\n Object.keys(assertedState.credentialOffer?.credential_offer?.grants).includes(GrantTypes.PRE_AUTHORIZED_CODE) &&\n grantType === GrantTypes.PRE_AUTHORIZED_CODE\n )\n }\n return false\n}\n\nexport const assertValidAccessTokenRequest = async (\n request: AccessTokenRequest,\n opts: {\n credentialOfferSessions: IStateManager\n expirationDuration: number\n },\n) => {\n const { credentialOfferSessions, expirationDuration } = opts\n // Only pre-auth supported for now\n if (request.grant_type !== GrantTypes.PRE_AUTHORIZED_CODE) {\n throw new TokenError(400, TokenErrorResponse.invalid_grant, UNSUPPORTED_GRANT_TYPE_ERROR)\n }\n\n // Pre-auth flow\n if (!request[PRE_AUTH_CODE_LITERAL]) {\n throw new TokenError(400, TokenErrorResponse.invalid_request, PRE_AUTHORIZED_CODE_REQUIRED_ERROR)\n }\n\n const credentialOfferSession = await credentialOfferSessions.getAsserted(request[PRE_AUTH_CODE_LITERAL])\n credentialOfferSession.status = IssueStatus.ACCESS_TOKEN_REQUESTED\n credentialOfferSession.lastUpdatedAt = +new Date()\n await credentialOfferSessions.set(request[PRE_AUTH_CODE_LITERAL], credentialOfferSession)\n if (!isValidGrant(credentialOfferSession, request.grant_type)) {\n throw new TokenError(400, TokenErrorResponse.invalid_grant, UNSUPPORTED_GRANT_TYPE_ERROR)\n }\n\n /*\n invalid_request:\n the Authorization Server does not expect a PIN in the pre-authorized flow but the client provides a PIN\n */\n if (\n !credentialOfferSession.credentialOffer.credential_offer?.grants?.[GrantTypes.PRE_AUTHORIZED_CODE]?.tx_code &&\n request.tx_code &&\n !request.user_pin\n ) {\n // >= v13\n throw new TokenError(400, TokenErrorResponse.invalid_request, USER_PIN_NOT_REQUIRED_ERROR)\n } else if (\n !credentialOfferSession.credentialOffer.credential_offer?.grants?.[GrantTypes.PRE_AUTHORIZED_CODE]?.user_pin_required &&\n request.user_pin &&\n !request.tx_code\n ) {\n // <= v12\n throw new TokenError(400, TokenErrorResponse.invalid_request, USER_PIN_NOT_REQUIRED_ERROR)\n }\n /*\n invalid_request:\n the Authorization Server expects a PIN in the pre-authorized flow but the client does not provide a PIN\n */\n if (\n // >= v13\n !!credentialOfferSession.credentialOffer.credential_offer?.grants?.[GrantTypes.PRE_AUTHORIZED_CODE]?.tx_code &&\n !request.tx_code\n ) {\n if (request.user_pin) {\n throw new TokenError(400, TokenErrorResponse.invalid_request, USER_PIN_TX_CODE_SPEC_ERROR)\n }\n throw new TokenError(400, TokenErrorResponse.invalid_request, USER_PIN_REQUIRED_ERROR)\n } else if (\n // <= v12\n credentialOfferSession.credentialOffer.credential_offer?.grants?.[GrantTypes.PRE_AUTHORIZED_CODE]?.user_pin_required &&\n !credentialOfferSession.credentialOffer.credential_offer?.grants?.[GrantTypes.PRE_AUTHORIZED_CODE]?.tx_code &&\n !request.user_pin\n ) {\n if (request.tx_code) {\n throw new TokenError(400, TokenErrorResponse.invalid_request, USER_PIN_TX_CODE_SPEC_ERROR)\n }\n throw new TokenError(400, TokenErrorResponse.invalid_request, USER_PIN_REQUIRED_ERROR)\n }\n\n if (isPreAuthorizedCodeExpired(credentialOfferSession, expirationDuration)) {\n throw new TokenError(400, TokenErrorResponse.invalid_grant, EXPIRED_PRE_AUTHORIZED_CODE)\n } else if (\n request[PRE_AUTH_CODE_LITERAL] !==\n credentialOfferSession.credentialOffer?.credential_offer?.grants?.[GrantTypes.PRE_AUTHORIZED_CODE]?.[PRE_AUTH_CODE_LITERAL]\n ) {\n throw new TokenError(400, TokenErrorResponse.invalid_grant, INVALID_PRE_AUTHORIZED_CODE)\n }\n /*\n invalid_grant:\n the Authorization Server expects a PIN in the pre-authorized flow but the client provides the wrong PIN\n the End-User provides the wrong Pre-Authorized Code or the Pre-Authorized Code has expired\n */\n if (request.tx_code) {\n const txCodeOffer = credentialOfferSession.credentialOffer.credential_offer?.grants?.[GrantTypes.PRE_AUTHORIZED_CODE]?.tx_code\n if (!txCodeOffer) {\n throw new TokenError(400, TokenErrorResponse.invalid_request, USER_PIN_NOT_REQUIRED_ERROR)\n } else if (txCodeOffer.input_mode === 'text') {\n if (!RegExp(`[\\\\D]{${txCodeOffer.length}`).test(request.tx_code)) {\n throw new TokenError(400, TokenErrorResponse.invalid_grant, `${PIN_VALIDATION_ERROR} ${txCodeOffer.length}`)\n }\n } else {\n if (!RegExp(`[\\\\d]{${txCodeOffer.length}}`).test(request.tx_code)) {\n throw new TokenError(400, TokenErrorResponse.invalid_grant, `${PIN_VALIDATION_ERROR} ${txCodeOffer.length}`)\n }\n }\n if (request.tx_code !== credentialOfferSession.txCode) {\n throw new TokenError(400, TokenErrorResponse.invalid_grant, PIN_NOT_MATCH_ERROR)\n }\n } else if (request.user_pin) {\n if (!/[\\\\d]{1,8}/.test(request.user_pin)) {\n throw new TokenError(400, TokenErrorResponse.invalid_grant, `${PIN_VALIDATION_ERROR} 1-8`)\n } else if (request.user_pin !== credentialOfferSession.txCode) {\n throw new TokenError(400, TokenErrorResponse.invalid_grant, PIN_NOT_MATCH_ERROR)\n }\n }\n\n return { preAuthSession: credentialOfferSession }\n}\n\nexport const createAccessTokenResponse = async (\n request: AccessTokenRequest,\n opts: {\n credentialOfferSessions: IStateManager\n cNonces: IStateManager\n cNonce?: string\n cNonceExpiresIn?: number // expiration in seconds\n tokenExpiresIn: number // expiration in seconds\n // preAuthorizedCodeExpirationDuration?: number\n accessTokenSignerCallback: JWTSignerCallback\n accessTokenIssuer: string\n accessTokenProvider?: AccessTokenProvider\n interval?: number\n dPoPJwk?: JWK\n },\n) => {\n const {\n dPoPJwk,\n credentialOfferSessions,\n cNonces,\n cNonceExpiresIn,\n tokenExpiresIn,\n accessTokenIssuer,\n accessTokenSignerCallback,\n interval,\n accessTokenProvider = 'internal',\n } = opts\n // Pre-auth flow\n const preAuthorizedCode = request[PRE_AUTH_CODE_LITERAL] as string\n\n const cNonce = opts.cNonce ?? uuidv4()\n await cNonces.set(cNonce, { cNonce, createdAt: +new Date(), preAuthorizedCode })\n\n const access_token = await generateAccessToken({\n tokenExpiresIn,\n accessTokenSignerCallback,\n preAuthorizedCode,\n accessTokenIssuer,\n dPoPJwk,\n accessTokenProvider,\n })\n\n const response: AccessTokenResponse = {\n access_token,\n token_type: dPoPJwk ? 'DPoP' : 'bearer',\n expires_in: tokenExpiresIn,\n c_nonce: cNonce,\n c_nonce_expires_in: cNonceExpiresIn,\n interval,\n }\n const credentialOfferSession = await credentialOfferSessions.getAsserted(preAuthorizedCode)\n credentialOfferSession.status = IssueStatus.ACCESS_TOKEN_CREATED\n credentialOfferSession.lastUpdatedAt = +new Date()\n await credentialOfferSessions.set(preAuthorizedCode, credentialOfferSession)\n return response\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA,IAAAA,yBAA4B;;;ACA5B,4BAYO;AAEA,IAAMC,kCAAN,MAAMA;EAdb,OAcaA;;;EACXC;EACAC;EACAC;EACAC;EACAC;EACAC;EACAC;EACAC;EACAC;EAEAC,WAAWC,kBAA4E;AACrF,SAAKV,SAASU;AACd,WAAO;EACT;EAEAC,mBAAmBT,gBAAyD;AAC1E,SAAKA,iBAAiBA;AACtB,WAAO;EACT;EAEAU,yBACET,sBACiC;AACjC,QAAI,CAACA,qBAAqBU,MAAM;AAC9B,YAAM,IAAIC,MAAM,kDAAA;IAClB;AACA,SAAKX,uBAAuBA;AAC5B,WAAO;EACT;EAEAY,UAAUd,OAAgD;AACxD,SAAKA,QAAQA;AACb,WAAO;EACT;EACAe,8BAA8BC,QAA4D;AACxF,QAAI,CAACC,MAAMC,QAAQF,MAAAA,GAAS;AAC1B,WAAKb,uCAAuC,KAAKA,uCAC7C;WAAI,KAAKA;QAAsCa;UAC/C;QAACA;;IACP,OAAO;AACL,WAAKb,uCAAuC,KAAKA,uCAC7C;WAAI,KAAKA;WAAyCa;UAClDA;IACN;AACA,WAAO;EACT;EAEAG,+BAA+BH,QAA4D;AACzF,SAAKb,uCAAuCc,MAAMC,QAAQF,MAAAA,IAAUA,SAAS;MAACA;;AAC9E,WAAO;EACT;EAEAI,uCAAuCC,WAA+D;AACpG,QAAI,CAACJ,MAAMC,QAAQG,SAAAA,GAAY;AAC7B,WAAKjB,sCAAsC,KAAKA,sCAC5C;WAAI,KAAKA;QAAqCiB;UAC9C;QAACA;;IACP,OAAO;AACL,WAAKjB,sCAAsC,KAAKA,sCAC5C;WAAI,KAAKA;WAAwCiB;UACjDA;IACN;AACA,WAAO;EACT;EAEAC,wCAAwCD,WAA+D;AACrG,SAAKjB,sCAAsCa,MAAMC,QAAQG,SAAAA,IAAaA,YAAY;MAACA;;AACnF,WAAO;EACT;EAEAE,uBAAuBC,cAA4BC,WAAuD;AACxG,QAAI,CAAC,KAAKpB,qBAAqB;AAC7B,WAAKA,sBAAsB,CAAC;IAC9B;AACA,SAAKA,oBAAoBmB,YAAAA,IAAgBC;AACzC,WAAO;EACT;EAEAC,wBAAwBrB,qBAA2E;AACjG,SAAKA,sBAAsBA;AAC3B,WAAO;EACT;EAEAsB,8BAA8BC,mBAAiH;AAC7I,QAAI,CAACX,MAAMC,QAAQU,iBAAAA,GAAoB;AACrC,WAAKtB,UAAU,KAAKA,UAAU;WAAI,KAAKA;QAASsB;UAAqB;QAACA;;IACxE,OAAO;AACL,WAAKtB,UAAU,KAAKA,UAAU;WAAI,KAAKA;WAAYsB;UAAqBA;IAC1E;AACA,WAAO;EACT;EAEAC,+BAA+BD,mBAAiH;AAC9I,SAAKtB,UAAUW,MAAMC,QAAQU,iBAAAA,IAAqBA,oBAAoB;MAACA;;AACvE,WAAO;EACT;EAEAE,sBAAsBvB,mBAA4C;AAChE,SAAKA,oBAAoBA;AACzB,WAAO;EACT;EAEAwB,oCACEC,iBACAC,gCACiC;AACjC,QAAI,CAAC,KAAK1B,mBAAmB;AAC3B,WAAKA,oBAAoB,CAAC;IAC5B;AACA,SAAKA,kBAAkByB,eAAAA,IAAmBC;AAC1C,WAAO;EACT;EAEOC,QAAiE;AACtE,QAAI,CAAC,KAAKnC,QAAQ;AAChB,YAAM,IAAIc,MAAMsB,yCAAmBC,eAAe;IACpD;AAEA,UAAMC,sBAA+D;MACnEtC,QAAQ,KAAKA;IACf;AAEA,QAAI,CAAC,KAAKG,sBAAsB;AAC9B,YAAM,IAAIW,MAAM,kCAAA;IAClB;AACAwB,wBAAoBC,wBAAwB,KAAKpC;AACjD,QAAI,KAAKF,OAAO;AACdqC,0BAAoBrC,QAAQ,KAAKA;IACnC;AACA,QAAI,CAAC,KAAKC,gBAAgB;AACxB,YAAM,IAAIY,MAAM,sCAAA;IAClB;AAmBA,QAAI,KAAKT,qCAAqC;AAC5CiC,0BAAoBE,0CAA0C,KAAKnC;IACrE;AACA,QAAI,KAAKD,sCAAsC;AAC7CkC,0BAAoBG,0CAA0C,KAAKrC;IACrE;AACA,QAAI,KAAKG,SAAS;AAChB+B,0BAAoB/B,UAAU,KAAKA;IACrC;AAEA,UAAMmC,yBAAkF,CAAC;AACzFA,2BAAuB,KAAKxC,cAAc,IAAIoC;AAE9C,WAAOI;EACT;AACF;;;ACpLA,IAAAC,yBAgBO;;;AChBP,IAAAC,wBAAuB;AACvB,IAAAC,yBA2CO;AACP,uBAA4G;AAC5G,wBAAsB;;;AC9CtB,2BAAuB;AACvB,IAAAC,yBAiBO;AAOP,SAASC,4BAA4BC,aAAuC;AAE1E,MAAI,CAACA,eAAeC,OAAOC,KAAKF,WAAAA,EAAaG,WAAW,GAAG;AACzD,WAAOC;EACT;AAEA,QAAMC,SAAgB,CAAC;AACvB,MAAIL,cAAcM,6CAAAA,GAAyB;AACzC,UAAMC,QAAQ;MACZ,GAAGP,YAAYM,6CAAAA;MACf,uBAAuBN,YAAYM,6CAAAA,EAAwB,qBAAA,SAA0BE,6BAAAA;IACvF;AAEA,QAAID,MAAME,WAAW,CAACF,MAAME,QAAQN,QAAQ;AAC1CI,YAAME,QAAQN,SAAS;IACzB;AAEAE,WAAOC,6CAAAA,IAA0BC;EACnC;AAEA,MAAIP,aAAaU,oBAAoB;AACnCL,WAAOK,qBAAqB;MAC1B,GAAGV,YAAYU;;;MAIfC,cAAcX,YAAYU,mBAAmBC,oBAAgBH,6BAAAA;IAC/D;EACF;AAEA,SAAOH;AACT;AA/BSN;AAiCT,SAASa,qCAAqCC,QAAiBC,SAAkBC,kBAAyB;AACxG,QAAMC,YAAYH,QAAQI,QAAQ,OAAO,EAAA,MAAQH,SAASI,SAAS,KAAA,IAASJ,QAAQK,MAAM,KAAA,EAAO,CAAA,IAAK;AACtG,MAAIC;AAEJ,MAAIN,SAAS;AACXM,iBAAaN;EACf,WAAWE,UAAUK,WAAW,MAAA,GAAS;AACvC,QAAIN,kBAAkB;AACpBK,mBAAaL;AACb,UAAI,CAACK,WAAWC,WAAW,GAAGL,SAAAA,KAAc,GAAG;AAC7C,cAAMM,MAAM,UAAUN,SAAAA,+BAAwCI,UAAAA,EAAY;MAC5E;IACF,OAAO;AACL,YAAME,MAAM,MAAMN,SAAAA,kDAA2D;IAC/E;EACF,OAAO;AACLI,iBAAa;EACf;AACAA,eAAaA,YAAYH,QAAQ,GAAGD,SAAAA,OAAgB,EAAA;AAEpD,SAAO;IAAEH,QAAQG;IAAWF,SAASM;EAAW;AAClD;AArBSR;AAuBF,SAASW,4BACdC,gBAEAC,MAKC;AAED,MAAI,CAACD,kBAAkB,CAACC,MAAMC,mBAAmB,CAACD,MAAME,oBAAoB;AAC1E,UAAM,IAAIL,MAAM,sFAAA;EAClB;AAEA,QAAMjB,SAASN,4BAA4B0B,MAAMpB,MAAAA;AAEjD,MAAIuB;AACJ,MAAIH,MAAMC,iBAAiB;AACzBE,uBAAmB;MACjB,GAAGH,KAAKC;IACV;EACF,OAAO;AACL,QAAI,CAACF,gBAAgBK,qCAAqC;AACxD,YAAM,IAAIP,MAAM,kEAAA;IAClB;AACAM,uBAAmB;MACjBE,mBAAmBN,eAAeM;MAClCC,8BAA8B9B,OAAOC,KAAKsB,eAAeK,mCAAmC;IAC9F;EACF;AAEA,MAAIxB,QAAQ;AACVuB,qBAAiBvB,SAASA;EAC5B;AACA,MAAIoB,MAAMO,WAAW;AACnBJ,qBAAiBI,YAAYP,KAAKO;EACpC;AAGA,SAAO;IAAEJ;IAAkBK,sBAAsBR,MAAME;EAAmB;AAC5E;AAxCgBJ;AA0CT,SAASW,mCACdV,gBAEAC,MAMC;AAED,MAAI,CAACD,kBAAkB,CAACC,MAAMC,mBAAmB,CAACD,MAAME,oBAAoB;AAC1E,UAAM,IAAIL,MAAM,sFAAA;EAClB;AAEA,QAAMjB,SAASN,4BAA4B0B,MAAMpB,MAAAA;AACjD,MAAIA,SAASC,6CAAAA,GAAyBG,SAAS;AAC7C,UAAM,EAAEA,SAAS,GAAG0B,KAAAA,IAAS9B,OAAOC,6CAAAA;AACpCD,WAAOC,6CAAAA,IAA0B;MAC/B8B,mBAAmB;MACnB,GAAGD;IACL;EACF;AAEA,MAAIP;AACJ,MAAIH,MAAMC,iBAAiB;AACzBE,uBAAmB;MACjB,GAAGH,KAAKC;MACRW,aACEZ,KAAKC,iBAAiBW,eAAeb,gBAAgBc,sBAAsBC,IAAI,CAACC,MAAMA,EAAEC,EAAE,EAAEC,OAAO,CAACC,MAAmBA,MAAMvC,MAAAA;IACjI;EACF,OAAO;AACL,QAAI,CAACoB,gBAAgB;AACnB,YAAM,IAAIF,MAAM,kEAAA;IAClB;AACAM,uBAAmB;MACjBE,mBAAmBN,eAAeM;MAClCO,aAAab,gBAAgBc,sBAAsBC,IAAI,CAACC,MAAMA,EAAEC,EAAE,EAAEC,OAAO,CAACC,MAAmBA,MAAMvC,MAAAA;IACvG;EACF;AAEA,SAAO;IAAEwB;IAAkBK,sBAAsBR,MAAME;EAAmB;AAC5E;AA1CgBO;AA4CT,SAASU,mCACdlB,iBACAmB,WACApB,MAA4C;AAE5C,QAAM,EAAEZ,QAAQC,QAAO,IAAKF,qCAAqCa,MAAMZ,QAAQY,MAAMX,SAASY,gBAAgBE,kBAAkBE,iBAAAA;AAEhI,MAAIe,cAAc,aAAa;AAC7B,QAAI,CAACnB,gBAAgBO,sBAAsB;AACzC,YAAMX,MAAM,kDAAkDuB,SAAAA,EAAW;IAC3E;AACA,QAAInB,gBAAgBO,qBAAqBf,SAAS,uBAAA,GAA0B;AAE1E,aAAOQ,gBAAgBO;IACzB;AACA,WAAO,GAAGpB,MAAAA,MAAYC,OAAAA,yBAAgCgC,mBAAmBpB,gBAAgBO,oBAAoB,CAAA;EAC/G,WAAWY,cAAc,SAAS;AAChC,WAAO,GAAGhC,MAAAA,MAAYC,OAAAA,qBAA4BgC,mBAAmBC,KAAKC,UAAUtB,gBAAgBE,gBAAgB,CAAA,CAAA;EACtH;AACA,QAAMN,MAAM,yBAAyBuB,SAAAA,EAAW;AAClD;AApBgBD;AAsBT,SAASK,yBACdJ,WACArB,gBAEAC,MAMC;AAED,QAAMC,kBAAkBH,4BAA4BC,gBAAgBC,IAAAA;AACpE,SAAOmB,mCAAmClB,iBAAiBmB,WAAWpB,IAAAA;AACxE;AAdgBwB;AAgBT,SAASC,gCACdL,WACArB,gBAEAC,MAMC;AAED,QAAMC,kBAAkBQ,mCAAmCV,gBAAgBC,IAAAA;AAC3E,SAAOmB,mCAAmClB,iBAAiBmB,WAAWpB,IAAAA;AACxE;AAdgByB;AAgBT,IAAMC,6BAA6B,wBAACC,OAA+BC,gCAAAA;AACxE,QAAMC,MAAM,CAAC,oBAAIC,KAAAA;AACjB,QAAMC,iBAAiBJ,MAAMK,YAAYJ,8BAA8B;AACvE,SAAOC,OAAOE;AAChB,GAJ0C;AAMnC,IAAME,uBAAuB,wBAACC,KAAcC,cAAAA;AACjD,MAAID,OAAO,CAACE,OAAO,YAAYD,aAAa,CAAA,GAAI,EAAEE,KAAKH,GAAAA,GAAM;AAC3D,UAAMrC,MAAM,GAAGyC,0CAAAA,EAAqB;EACtC;AACF,GAJoC;;;ACnOpC,IAAAC,wBAAiD;AAEjD,iCAAkD;AAE3C,SAASC,8BAA8BC,MAI7C;AACC,QAAMC,iBAAiBD,KAAKC,kBAAkB;IAAEC,WAAWF,KAAKG;EAAiB;AAEjF,SAAO,OAAOC,SAAAA;AACZ,UAAMC,aAAa,UAAMC,+CAAmB;MAAEC,WAAWP,KAAKQ;IAAoB,CAAA;AAClF,UAAMC,aAAa,UAAMC,0CAAcL,WAAWM,QAAQV,cAAAA;AAC1D,UAAMW,gBAAgB,MAAMH,WAAWI,WAAWT,KAAKU,GAAG;AAC1D,QAAI,CAACF,cAAcG,QAAQ;AACzB,aAAOC,QAAQC,OAAOC,MAAM,uCAAA,CAAA;IAC9B;AACA,UAAMJ,MAAM;MAAEK,YAAQC,6CAAsBhB,KAAKU,GAAG;MAAgBO,aAASC,iCAAUlB,KAAKU,GAAG;IAAE;AAEjG,WAAO;MACLA;MACAS,KAAKT,IAAIK,OAAOI;MAChB,GAAIT,IAAIK,OAAOK,OAAO;QAAEA,KAAKV,IAAIK,OAAOK;MAAI;MAC5C,GAAIV,IAAIK,OAAOM,OAAO;QAAEA,KAAKX,IAAIK,OAAOM;MAAI;MAC5C,GAAIX,IAAIK,OAAOO,OAAO;QAAEA,KAAKZ,IAAIK,OAAOO;MAAI;IAE9C;EACF;AACF;AAzBgB3B;;;ACJhB,IAAA4B,yBAA8D;AAEvD,IAAMC,eAAN,MAAMA;EAFb,OAEaA;;;EACMC;EACAC;EACTC;EAERC,YAAYC,MAAkC;AAC5C,SAAKJ,cAAcI,MAAMC,iBAAiBC,SAAYF,MAAMC,eAAe,MAAO;AAClF,SAAKJ,SAAS,oBAAIM,IAAAA;EACpB;EAEA,MAAMC,WAA0B;AAC9B,SAAKP,OAAOQ,MAAK;EACnB;EAEA,MAAMC,aAAaC,WAAmC;AACpD,UAAMV,SAASW,MAAMC,KAAK,KAAKZ,OAAOa,QAAO,CAAA;AAC7C,UAAMC,KAAKJ,aAAa,CAAC,oBAAIK,KAAAA;AAC7B,eAAW,CAACC,IAAIC,KAAAA,KAAUjB,QAAQ;AAChC,UAAIiB,MAAMC,aAAaD,MAAMC,YAAYJ,IAAI;AAC3C,aAAKd,OAAOmB,OAAOH,EAAAA;MACrB,WAAW,CAACC,MAAMC,WAAW;AAE3B,YAAID,MAAMG,YAAY,KAAKrB,cAAce,IAAI;AAC3C,eAAKd,OAAOmB,OAAOH,EAAAA;QACrB;MACF;IACF;EACF;EAEA,MAAMG,OAAOH,IAA8B;AACzC,QAAI,CAACA,IAAI;AACP,YAAMK,MAAM,gBAAA;IACd;AACA,WAAO,KAAKrB,OAAOmB,OAAOH,EAAAA;EAC5B;EAEA,MAAMM,YAAYN,IAAwB;AACxC,QAAI,CAACA,IAAI;AACP,YAAMK,MAAM,gBAAA;IACd;AACA,QAAIE;AACJ,QAAI,MAAM,KAAKC,IAAIR,EAAAA,GAAK;AACtBO,eAAU,MAAM,KAAKE,IAAIT,EAAAA;IAC3B;AACA,QAAI,CAACO,QAAQ;AACX,YAAM,IAAIF,MAAMK,6CAAsB,KAAKV,EAAAA,GAAK;IAClD;AACA,WAAOO;EACT;EAEA,MAAME,IAAIT,IAAoC;AAC5C,WAAO,KAAKhB,OAAOyB,IAAIT,EAAAA;EACzB;EAEA,MAAMQ,IAAIR,IAA8B;AACtC,QAAI,CAACA,IAAI;AACP,YAAMK,MAAM,gBAAA;IACd;AACA,WAAO,KAAKrB,OAAOwB,IAAIR,EAAAA;EACzB;EAEA,MAAMW,IAAIX,IAAYY,YAA8B;AAClD,QAAI,CAACZ,IAAI;AACP,YAAMK,MAAM,gBAAA;IACd;AACA,SAAKrB,OAAO2B,IAAIX,IAAIY,UAAAA;EACtB;EAEA,MAAMC,oBAAoBC,SAAiC;AACzD,QAAI,CAAC,KAAK7B,mBAAmB;AAC3B,WAAKA,oBAAoB8B,YAAY,MAAM,KAAKtB,aAAY,GAAIqB,WAAW,GAAA;IAC7E;EACF;EAEA,MAAME,qBAAoC;AACxC,QAAI,KAAK/B,mBAAmB;AAC1BgC,oBAAc,KAAKhC,iBAAiB;IACtC;EACF;AACF;;;AC7EA,eAAsBiC,mCAA6EC,MAKlG;AACC,QAAMC,QAAQ,MAAMC,2BAA2BF,IAAAA;AAC/C,MAAIC,OAAO;AACT,WAAOA;EACT;AACA,SAAOE,QAAQC,OAAOC,MAAM,yBAAyBL,KAAKM,EAAE,EAAE,CAAA;AAChE;AAXsBP;AAYtB,eAAsBG,2BAAqE,EACzFI,IACAC,SACAC,gBACAC,kBAAiB,GAMlB;AACC,aAAWC,UAAUH,SAAS;AAC5B,QAAI;AACF,YAAMN,QAAQ,MAAM,IAAIU,mBAAmBH,gBAAgBC,mBAAmBC,MAAAA,EAAQE,IAAIN,EAAAA;AAC1F,UAAIL,OAAO;AACT,eAAOA;MACT;IACF,SAASY,GAAG;IAEZ;EACF;AACA,SAAOJ,kBAAkBG,IAAIN,EAAAA;AAC/B;AAtBsBJ;AAwBf,IAAMS,qBAAN,MAAMA;EAxCb,OAwCaA;;;;;;EACXG,YACUN,gBACAC,mBACAC,QACR;SAHQF,iBAAAA;SACAC,oBAAAA;SACAC,SAAAA;EACP;EAEHK,oBAAoBC,SAA6C;AAC/D,SAAKR,eAAeO,oBAAoBC,OAAAA;AACxC,WAAO,KAAKP,kBAAkBM,oBAAoBC,OAAAA;EACpD;EAEAC,qBAAoC;AAClC,SAAKT,eAAeS,mBAAkB;AACtC,WAAO,KAAKR,kBAAkBQ,mBAAkB;EAClD;EAEA,MAAMC,WAA0B;AAC9B,SAAKV,eAAeU,SAAQ;AAC5B,SAAKT,kBAAkBS,SAAQ;EACjC;EAEA,MAAMC,aAAaC,WAAmC;AACpD,SAAKZ,eAAeW,aAAaC,SAAAA;AACjC,SAAKX,kBAAkBU,aAAaC,SAAAA;EACtC;EAEA,MAAcC,gBAAgBC,KAA8B;AAC1D,UAAMC,OAAO,KAAKb;AAClB,UAAMc,UAAU,MAAM,KAAKhB,eACxBiB,YAAYH,GAAAA,EAGZI,KAAK,CAACC,aAAcA,YAAYJ,QAAQI,WAAWA,SAASJ,IAAAA,IAAQK,MAAAA;AACvE,QAAI,OAAOJ,YAAY,UAAU;AAC/B,YAAMnB,MAAM,yCAAyCiB,GAAAA;IACvD;AACA,WAAOE;EACT;EAEA,MAAcA,QAAQF,KAA0C;AAC9D,UAAMC,OAAO,KAAKb;AAClB,WAAQ,MAAM,KAAKF,eAChBI,IAAIU,GAAAA,EAGJI,KAAK,CAACC,aAAcA,YAAYJ,QAAQI,WAAWA,SAASJ,IAAAA,IAAQK,MAAAA;EACzE;EAEA,MAAMC,OAAOvB,IAA8B;AACzC,WAAO,MAAM,KAAKe,gBAAgBf,EAAAA,EAAIoB,KAAK,OAAOzB,UAAAA;AAChD,YAAM,KAAKO,eAAeqB,OAAOvB,EAAAA;AACjC,aAAO,MAAM,KAAKG,kBAAkBoB,OAAO5B,KAAAA;IAC7C,CAAA;EACF;EAEA,MAAMW,IAAIN,IAAoC;AAC5C,WAAO,KAAKkB,QAAQlB,EAAAA,EAAIoB,KAAK,CAACzB,UAAWA,QAAQ,KAAKQ,kBAAkBG,IAAIX,KAAAA,IAAS2B,MAAAA;EACvF;EAEA,MAAME,IAAIxB,IAA8B;AACtC,WAAO,KAAKkB,QAAQlB,EAAAA,EAAIoB,KAAK,CAACzB,UAAWA,QAAQ,KAAKQ,kBAAkBqB,IAAI7B,KAAAA,IAAS,KAAA;EACvF;;EAGA,MAAM8B,IAAIC,KAAaC,aAA+B;AACpD,UAAM5B,MAAM,2EAA2E;EACzF;EAEA,MAAM6B,UAAUC,UAAkBC,WAAcC,YAA8B;AAC5E,UAAMC,OAAOF;AACb,QAAI,EAAE,KAAK1B,UAAU4B,SAAS,CAACA,KAAK,KAAK5B,MAAM,GAAG;AAChD,aAAOP,QAAQC,OAAO,IAAIC,MAAM,YAAY+B,SAAAA,yCAAkD,KAAK1B,MAAM,EAAE,CAAA;IAC7G;AACA,UAAMY,MAAMgB,KAAK,KAAK5B,MAAM;AAC5B,UAAM,KAAKF,eAAeuB,IAAIT,KAAKc,SAAAA;AACnC,UAAM,KAAK3B,kBAAkBsB,IAAII,UAAUE,UAAAA;EAC7C;EAEA,MAAMZ,YAAYnB,IAAwB;AACxC,WAAO,KAAKe,gBAAgBf,EAAAA,EAAIoB,KAAK,CAACzB,UAAU,KAAKQ,kBAAkBgB,YAAYxB,KAAAA,CAAAA;EACrF;AACF;;;ACxHO,IAAMsC,8BAAN,MAAMA;EAAb,OAAaA;;;EACMC;EACjBC,cAAc;AACZ,SAAKD,uBAAuB,CAAC;EAC/B;EAEAE,gBAAgBA,iBAA8E;AAC5F,SAAKF,qBAAqBE,kBAAkBA;AAC5C,WAAO;EACT;EAEAC,UAAUC,WAAgD;AACxD,SAAKJ,qBAAqBG,YAAYC;AACtC,WAAO;EACT;EAEAC,QAAgC;AAC9B,QAAI,CAAC,KAAKL,qBAAqBG,WAAW;AACxC,WAAKH,qBAAqBG,YAAY,CAAC,oBAAIG,KAAAA;IAC7C;AACA,QAAI,CAAC,KAAKN,qBAAqBE,iBAAiB;AAC9C,YAAM,IAAIK,MAAM,+DAAA;IAClB;AACA,WAAO,KAAKP;EACd;AACF;;;AL2BA,IAAMQ,gBAAYC,kBAAAA,SAAAA;AAEX,IAAMC,WAAN,MAAMA;EAxDb,OAwDaA;;;EACMC;EACAC;EACAC;EACAC;EACAC;EACAC;EACAC;EACAC;EACAC;EACAC;EACAC;EAEjBC,YACEC,gBACAC,6BACAC,MAaA;AACA,SAAKd,kBAAkBY;AACvB,SAAKX,+BAA+BY;AACpC,SAAKX,iCAAiCY,KAAKC;AAC3C,SAAKT,2BAA2BQ,KAAKE,2BAA2B,IAAIC,aAAAA;AACpE,SAAKT,QAAQM,KAAKI,QAAQ,IAAID,aAAAA;AAC9B,SAAKV,WAAWO,KAAKK;AACrB,SAAKhB,4BAA4BW,MAAMM;AACvC,SAAKhB,qBAAqBU,MAAMO;AAChC,SAAKhB,0BAA0BS,MAAMQ;AACrC,SAAKb,mBAAoBK,MAAMS,oBAAoBC,QAAQC,IAAIC,qBAAqBC,SAASH,QAAQC,IAAIC,kBAAkB,IAAI;AAC/H,SAAKhB,gBAAgBI,MAAMc;EAC7B;EAEA,MAAaC,8BACXC,IACAC,UAAgF;IAAC;IAAqB;IAAe;KACpF;AAEjC,QAAIC,MAAMC,QAAQF,OAAAA,KAAYA,QAAQG,SAAS,GAAG;AAChD,UAAI,CAAC,KAAKhB,MAAM;AACd,eAAOiB,QAAQC,OAAOC,MAAM,sEAAA,CAAA;MAC9B;AACA,aAAOC,mCAAmC;QACxCR;QACAS,gBAAgB,KAAK/B;QACrBgC,mBAAmB,KAAKlC;QACxByB,SAAS;UAAC;UAAqB;UAAe;;MAChD,CAAA;IAEF;AACA,UAAMU,UAAU,MAAM,KAAKnC,yBAAyBoC,IAAIZ,EAAAA;AACxD,QAAI,CAACW,SAAS;AACZ,aAAON,QAAQC,OAAOC,MAAM,2BAA2BP,EAAAA,EAAI,CAAA;IAC7D;AACA,WAAOW;EACT;EAEA,MAAaE,iCACXb,IACAC,UAAgF;IAAC;IAAqB;KACrE;AACjC,UAAMU,UAAU,MAAM,KAAKZ,8BAA8BC,IAAIC,OAAAA;AAC7D,QAAIU,SAAS;AACX,UAAIA,QAAQG,qBAAsB,MAAM,KAAKtC,yBAAyBuC,IAAIJ,QAAQG,iBAAiB,GAAI;AACrG,cAAM,KAAKtC,yBAAyBwC,OAAOL,QAAQG,iBAAiB;MACtE;AACA,UAAIH,QAAQM,eAAgB,MAAM,KAAKzC,yBAAyBuC,IAAIJ,QAAQM,WAAW,GAAI;AACzF,cAAM,KAAKzC,yBAAyBwC,OAAOL,QAAQM,WAAW;MAChE;IACF;AACA,WAAON;EACT;EAEA,MAAaO,oBAAoB,EAC/BJ,mBACAG,aACAE,aAAY,GAK8B;AAC1C,UAAMC,YAAYN,qBAAqBG;AACvC,UAAMN,UAAUS,YAAY,MAAM,KAAKrB,8BAA8BqB,SAAAA,IAAaC;AAClF,QAAI,CAACV,WAAW,CAACS,WAAW;AAC1BE,UAAIC,MAAM,kCAAkCH,SAAAA,EAAW;AACvD,aAAOb,MAAM,8BAAA;IACf;AACA,QAAIY,aAAaK,oBAAoBb,QAAQa,iBAAiB;AAC5DF,UAAIC,MAAM,mBAAmBJ,aAAaK,eAAe,kDAAkDb,QAAQa,eAAe,EAAE;AACpI,aAAOjB,MAAM,yBAAA;IACf,WAAWI,QAAQQ,cAAc;AAC/BG,UAAIG,KAAK,oEAAoEd,QAAQa,eAAe,EAAE;IACxG;AACA,UAAM,KAAKE,cAAc;MAAEZ;MAAsCG;MAA0BE;IAAa,CAAA;AACxGG,QAAIG,KAAK,0BAA0BN,YAAAA,QAAoBR,QAAQa,eAAe,EAAE;AAChF,WAAOb;EACT;EAEA,MAAagB,yBAAyBC,MAgBM;AAC1C,UAAM,EACJC,YAAY,SACZC,gBAAgB/D,UAAUgE,SAAQ,GAClCC,8BACAC,gBACAC,oBACAC,YAAW,IACTP;AACJ,QAAIC,cAAc,eAAe,CAACK,oBAAoB;AACpD,aAAO7B,QAAQC,OAAOC,MAAM,8DAAA,CAAA;IAC9B;AAEA,UAAM6B,SAASR,KAAKQ,SAAS;MAAE,GAAGR,KAAKQ;IAAO,IAAI,CAAC;AAEnD,QAAIR,KAAKS,cAAchB,QAAW;AAChC,UAAIe,OAAOE,6CAAAA,GAAyB;AAClCF,eAAOE,6CAAAA,EAAwBC,UAAU;UACvC,GAAGH,OAAOE,6CAAAA,EAAwBC;UAClCnC,QAAQgC,OAAOE,6CAAAA,EAAwBC,SAASnC,UAAUwB,KAAKS;QACjE;MACF;IACF;AACA,QAAID,OAAOE,6CAAAA,GAAyBC,WAAW,CAACH,OAAOE,6CAAAA,GAAyBC,SAASnC,QAAQ;AAC/FgC,aAAOE,6CAAAA,EAAwBC,QAAQnC,SAAS;IAClD;AAEA,UAAMoC,UAAUZ,MAAMY,WAAW,KAAKvD;AACtC,UAAMwD,wBAAwBC,4BAA4B,KAAKxE,iBAAiB;MAC9E,GAAG0D;MACHQ;MACAO,iBAAiBX,+BACb;QACEY,mBAAmB,KAAK1E,gBAAgB0E;QACxCZ;MACF,IACAX;IACN,CAAA;AAEA,UAAMwB,eAAeJ,sBAAsBK,iBAAiBV,SAASE,6CAAAA;AACrE,UAAMS,YAAYN,sBAAsBK,iBAAiBV,QAAQY;AAEjE,UAAMlC,oBAAoB+B,eAAe,qBAAA;AACzC,UAAM5B,cAAc8B,WAAWE;AAC/B,UAAMC,SAASL,cAAcN;AAE7B,QAAIY;AACJ,QAAIN,cAAcN,SAAS;AACzB,YAAMF,YAAYQ,aAAaN,QAAQnC,UAAU;AAEjD+C,iBAAW,KAAKC,KAAKC,OAAOD,KAAKE,IAAI,IAAIjB,SAAAA,IAAa,KAAKe,KAAKG,OAAM,CAAA,GAAKC,SAASnB,WAAW,GAAA;AAC/FoB,2BAAqBN,SAASd,SAAAA;IAChC;AACA,UAAMqB,YAAY,CAAC,oBAAIC,KAAAA;AACvB,UAAMC,gBAAgBF;AACtB,UAAMG,kBAAkBjC,KAAKkC,wBAAwB,KAAK,MAAM;AAChE,UAAMC,YAAYL,YAAYN,KAAKY,IAAIH,cAAAA;AACvC,QAAIhC,cAAc,aAAa;AAC7B,UAAI,CAAC,KAAKzC,MAAM;AACd,cAAMmB,MAAM,yFAAA;MACd;AAEA,YAAM0D,WAAWrC,KAAKM,oBAAoBgC,QAAQ,OAAOpC,aAAAA;AACzD,UAAI,CAACmC,UAAU;AACb,eAAO5D,QAAQC,OAAOC,MAAM,8DAAA,CAAA;MAC9B;AAEAkC,4BAAsB0B,uBAAuBF;AAC7C,YAAM,KAAK7E,KAAKgF,IAAItC,eAAe;QACjCuC,KAAKJ;QACLP;QACAK;QACAjD;QACAG;QACAa;MACF,CAAA;IACF;AAEA,UAAMa,kBAAkB,UAAM2B,wDAC5B;MACExB,kBAAkBL,sBAAsBK;MACxCqB,sBAAsB1B,sBAAsB0B;IAC9C,GACA;MACEI,SAASC,yCAAkBC;MAC3BC,SAAS;IACX,CAAA;AAGF,UAAMC,SAASC,mCAAYC;AAC3B,UAAMlE,UAAkC;MACtCwB;MACArB;MACAG;MACAyC;MACAE;MACAG;MACAY;MACAnD,qBAAiBsD,8BAAAA;MACjB,GAAIlD,KAAKmD,aAAa;QAAEC,UAAUpD,KAAKmD;MAAU;MACjD,GAAI5B,WAAW;QAAED,QAAQC;MAAQ;MACjC,GAAIvB,KAAKqD,+BAA+B;QAAEA,6BAA6BrD,KAAKqD;MAA4B;MACxGtC;MACAuC,aAAajD;IACf;AAEA,UAAMoC,MAAMc,mCAAmCxC,iBAAiBd,WAAW;MAAE,GAAGD;MAAMY;IAAQ,CAAA;AAC9F,QAAI1B,mBAAmB;AACrB,YAAMsE,gBAAgB,IAAIC,mBAAqD,KAAKjG,MAAM,KAAKZ,0BAA0B,eAAA;AACzH,YAAM4G,cAAcE,UAAUxE,mBAAmB;QAAEA;QAAmBuD;QAAKX;QAAWK;QAAWjC;QAAeb;MAAY,GAAGN,OAAAA;IAEjI;AAEA,QAAIM,aAAa;AACf,YAAMmE,gBAAgB,IAAIC,mBAAqD,KAAKjG,MAAM,KAAKZ,0BAA0B,eAAA;AACzH,YAAM4G,cAAcE,UAAUrE,aAAa;QAAEH;QAAmBuD;QAAKX;QAAWK;QAAWjC;QAAeb;MAAY,GAAGN,OAAAA;IAE3H;AACA,QAAI4E;AACJ,QAAI3D,KAAK4D,YAAY;AACnB,YAAM,EAAEC,UAAS,IAAK,MAAM,OAAO,YAAA;AACnC,YAAMC,SAAS,IAAID,UAAU;QAAE,GAAG7D,KAAK4D;QAAYG,MAAMtB;MAAI,CAAA;AAC7DkB,sBAAgB,0BAA0B,MAAMG,OAAOE,KAAI,GAAKC,SAAS,QAAA,CAAA;IAC3E;AACA,UAAMC,wBAAwB;MAC5BnF;MACA0D;MACAkB;MACAzD;MACAoB;MACA,GAAIC,YAAY9B,UAAa;QAAE8B;QAASd,WAAWc,SAAS/C,UAAU;MAAE;IAC1E;AACA2F,kCAAOC,KAAKC,iDAA0BC,uBAAuB;MAC3DC,WAAWF,iDAA0BC;MACrClG,IAAI8B;MACJsE,MAAMN;MACNO,WAAW;MACXC,eAAeC,+BAAcC;MAC7BC,QAAQC,wBAAOC;MACfC,QAAQ,KAAK9H,eAAe8D;MAC5BiE,WAAWC,2BAAUC;MACrBrD;MACAK;IACF,CAAA;AACA,WAAO+B;EACT;;;;;;;;;;EAWA,MAAakB,gBAAgBpF,MAWG;AAI9B,UAAMqF,oBAAoBrF,KAAKqF;AAC/B,QAAInG;AACJ,QAAIG;AACJ,QAAI;AACF,UAAI,EAAE,2BAA2BgG,sBAAsB,CAACA,kBAAkBC,QAAQ;AAChF,cAAM,IAAI3G,MAAM,kFAAA;MAClB;AACA,UAAI0G,kBAAkBC,UAAU,CAAC,KAAKC,yCAAyCF,kBAAkBC,MAAM,GAAG;AACxG,cAAM,IAAI3G,MAAM6G,0CAAmBC,eAAe;MACpD;AACA,YAAMC,YAAY,MAAM,KAAKC,+BAA+B;QAC1D,GAAG3F;QACH4F,gBAAgB5F,KAAK4F,kBAAkB;MACzC,CAAA;AACA1G,0BAAoBwG,UAAUxG;AAC9BG,oBAAcqG,UAAUrG;AAExB,YAAM,EAAEwG,gBAAgBC,aAAaC,aAAaC,gBAAe,IAAKN;AACtE,YAAMO,MAAMD,gBAAgBC;AAC5B,YAAMC,MAAMF,gBAAgBE;AAC5B,YAAMC,MAAMH,gBAAgBG;AAC5B,YAAMC,YAAYpG,KAAKqG,YAAYrG,KAAKqG,gBAAYnD,8BAAAA;AACpD,YAAMoD,iBAAiB;QACrBC,QAAQH;QACRtE,WAAW,CAAC,oBAAIC,KAAAA;QAChB,GAAI+D,aAAazG,eAAe;UAAEA,aAAayG,YAAYzG;QAAY;QACvE,GAAIwG,kBAAkB;UAAE3G,mBAAmB2G,eAAe3G;QAAkB;MAC9E;AACA,YAAM,KAAKzB,QAAQ+E,IAAI4D,WAAWE,cAAAA;AAElC,UAAI,CAACtG,KAAKwG,cAAc,KAAK7J,4BAA4B8C,UAAaO,KAAKpC,2BAA2B6B,QAAW;AAC/G,cAAMd,MAAM,sEAAsE;MACpF;AACA,UAAI6H;AACJ,UAAIlB,SAA8CD,kBAAkBC;AACpE,UAAImB,iBAAuDzG,KAAKtC;AAChE,YAAMqB,UAA8CG,qBAAqB2G,iBAAiBA,iBAAiBC;AAC3G,UAAI9F,KAAKwG,YAAY;AACnBA,qBAAaxG,KAAKwG;MACpB,OAAO;AACL,cAAM5I,yBACJ,OAAOoC,KAAKpC,2BAA2B,aAAaoC,KAAKpC,yBAAyB,KAAKjB;AACzF,YAAI,OAAOiB,2BAA2B,YAAY;AAChD,gBAAMe,MAAM,yDAAA;QACd;AACA,YAAI,CAACI,SAAS;AACZ,gBAAMJ,MAAM,0DAAA;QACd;AACA,cAAMoC,kBAAkBhC,QAAQgC;AAChC,YAAI,CAACA,iBAAiB;AACpB,gBAAMpC,MAAM,0BAAA;QACd;AACA,cAAM0E,8BAA8BrD,KAAKqD,+BAA+BtE,QAAQsE;AAEhF,cAAMqD,SAAS,MAAM9I,uBAAuB;UAC1C,GAAImI,cAAc;YAAE,GAAGA;UAAY,IAAI;YAAE,GAAGD;UAAY;UACxDT,mBAAmBrF,KAAKqF;UACxBsB,0BAA0B,KAAKrK,gBAAgBsK;UAC/C7F;UACA,GAAIsC,+BAA+B;YAAEA;UAA4B;QACnE,CAAA;AACAmD,qBAAaE,OAAOF;AACpB,YAAIE,OAAOpB,QAAQ;AACjBA,mBAASoB,OAAOpB;QAClB;AACA,YAAI,OAAOoB,OAAOG,iBAAiB,YAAY;AAC7CJ,2BAAiBC,OAAOG;QAC1B;MACF;AACA,UAAI,CAACL,YAAY;AACf,cAAM7H,MAAM,iDAAA;MACd;AAEA,UAAImI,kCAAiBC,gCAAgCP,UAAAA,MAAgBL,OAAOD,QAAQ,CAACM,WAAWQ,KAAK;AACnG,YAAIb,KAAK;AACPK,qBAAWQ,MAAM;YACfb;UACF;QACF;AAEA,YAAID,KAAK;AACPM,qBAAWQ,MAAM;YACfd;UACF;QACF;MACF,WAAWD,OAAO,CAACa,kCAAiBC,gCAAgCP,UAAAA,KAAeA,WAAWS,sBAAsBxH,QAAW;AAC7H,cAAMyH,qBAAqB5I,MAAMC,QAAQiI,WAAWS,iBAAiB,IAAIT,WAAWS,oBAAoB;UAACT,WAAWS;;AACpHC,2BAAmBC,IAAI,CAACC,YAAAA;AACtB,cAAI,CAACA,QAAQhJ,IAAI;AACfgJ,oBAAQhJ,KAAK6H;UACf;AACA,iBAAOmB;QACT,CAAA;AACAZ,mBAAWS,oBAAoB3I,MAAMC,QAAQiI,WAAWS,iBAAiB,IAAIC,qBAAqBA,mBAAmB,CAAA;MACvH,OAAO;MAGP;AAEA,UAAIlC,SAA6BvF;AACjC,UAAI+G,WAAWa,KAAK;AAClBrC,iBAASwB,WAAWa;MACtB,WAAWb,WAAWxB,QAAQ;AAC5B,YAAI,OAAOwB,WAAWxB,WAAW,UAAU;AACzCA,mBAASwB,WAAWxB;QACtB,WAAW,OAAOwB,WAAWxB,WAAW,YAAY,QAAQwB,WAAWxB,UAAU,OAAOwB,WAAWxB,OAAO5G,OAAO,UAAU;AACzH4G,mBAASwB,WAAWxB,OAAO5G;QAC7B;MACF;AAEA,YAAMkJ,uBAAuB,MAAM,KAAKC,oBACtC;QACElC,mBAAmBrF,KAAKqF;QACxBC;QACAkB;QACAR;QACAhB;QACA,GAAIjG,WAAW;UAAEuE,aAAavE,QAAQuE;QAAY;MACpD,GACAmD,cAAAA;AAIF,UAAI,CAACa,sBAAsB;AAEzB,cAAM,IAAI3I,MAAM6I,+CAAAA;MAClB;AACA,UAAIzB,aAAa;AAEf,cAAM,KAAKtI,QAAQ2B,OAAO2G,YAAYQ,MAAM;MAC9C;AAEA,UAAI3G;AAEJ,UAAIV,qBAAqB2G,gBAAgB;AACvCA,uBAAe7D,gBAAgB,CAAC,oBAAID,KAAAA;AACpC8D,uBAAe9C,SAASC,mCAAYyE;AACpC7H,0BAAkBiG,eAAejG;AACjC,cAAM,KAAKhD,yBAAyB4F,IAAItD,mBAAmB2G,cAAAA;MAC7D,WAAWxG,eAAeyG,aAAa;AAErCA,oBAAY9D,gBAAgB,CAAC,oBAAID,KAAAA;AACjC+D,oBAAY/C,SAASC,mCAAYyE;AACjC7H,0BAAkBkG,YAAYlG;AAC9B,cAAM,KAAKhD,yBAAyB4F,IAAInD,aAAayG,WAAAA;MACvD;AAEA,YAAM4B,WAA+B;QACnClB,YAAYc;;QAEZK,SAASvB;QACTwB,oBAAoB,KAAK7K;QACzB,GAAI6C,mBAAmB;UAAEA;QAAgB;MAC3C;AAGA,YAAMiI,8BAA8B7H,KAAKqF,kBAAkByC;AAC3D,UAAID,6BAA6BE,oBAAoB;AACnD,YAAIF,4BAA4BE,uBAAuB,iBAAiB;AACtE,gBAAMpJ,MAAM,2CAAA;QACd;AACA+I,iBAASM,iBAAiBlC,aAAazG;AACvCqI,iBAASI,8BAA8BD;MACzC;AACA,aAAOH;IACT,SAAS/H,OAAgB;AACvB,YAAM,KAAKG,cAAc;QAAEZ;QAAmBG;QAAaM;MAAM,CAAA;AACjE,YAAMA;IACR;EACF;EAEA,MAAcG,cAAc,EAC1BZ,mBACAS,OACAN,aACAE,aAAY,GAMX;AACD,QAAI0I,aAAsCxI;AAC1C,QAAIE,OAAO;AACTsI,mBAAajF,mCAAYkF;IAC3B,WAAW3I,cAAc;AACvB,UAAIA,aAAa4I,SAAS,uBAAuB;AAC/CF,qBAAajF,mCAAYoF;MAC3B,WAAW7I,aAAa4I,SAAS,sBAAsB;AACrDF,qBAAajF,mCAAYqF;MAC3B,WAAW9I,aAAa4I,SAAS,sBAAsB;AACrDF,qBAAajF,mCAAYsF;MAC3B;IACF;AAEA,QAAIpJ,mBAAmB;AACrB,YAAM2G,iBAAiB,MAAM,KAAKjJ,yBAAyBoC,IAAIE,iBAAAA;AAC/D,UAAI2G,gBAAgB;AAClBA,uBAAe7D,gBAAgB,CAAC,oBAAID,KAAAA;AACpC,YAAIkG,YAAY;AACdpC,yBAAe9C,SAASkF;QAC1B;AACA,YAAItI,OAAO;AACTkG,yBAAelG,QAAQA,iBAAiBhB,QAAQgB,MAAM4I,UAAU5I,OAAOsE,SAAAA;QACzE;AACA4B,uBAAejG;AACf,YAAIL,cAAc;AAChBsG,yBAAetG,eAAeA;QAChC;AACA,cAAM,KAAK3C,yBAAyB4F,IAAItD,mBAAmB2G,cAAAA;MAC7D;IACF;AACA,QAAIxG,aAAa;AACf,YAAMyG,cAAc,MAAM,KAAKlJ,yBAAyBoC,IAAIK,WAAAA;AAC5D,UAAIyG,aAAa;AACfA,oBAAY9D,gBAAgB,CAAC,oBAAID,KAAAA;AACjC,YAAIkG,YAAY;AACdnC,sBAAY/C,SAASkF;QACvB;AACA,YAAItI,OAAO;AACTmG,sBAAYnG,QAAQA,iBAAiBhB,QAAQgB,MAAM4I,UAAU5I,OAAOsE,SAAAA;QACtE;AACA,YAAI1E,cAAc;AAChBuG,sBAAYvG,eAAeA;QAC7B;AACA,cAAM,KAAK3C,yBAAyB4F,IAAInD,aAAayG,WAAAA;MACvD;IACF;EACF;;;;;;;;;;;;;;;EAiBA,MAAcH,+BAA+B,EAC3CN,mBACA1H,mBACAiI,eAAc,GAOb;AACD,QAAI1G;AACJ,QAAIG;AAEJ,UAAMmJ,2BAA2B;MAAC;MAAe;MAAkB;MAAa;MAAU;;AAC1F,QAAI;AACF,UAAInD,kBAAkBC,UAAU,CAACkD,yBAAyBC,SAASpD,kBAAkBC,MAAM,GAAG;AAC5F,cAAM3G,MAAM,UAAU0G,kBAAkBC,MAAM,oBAAoB;MACpE,WAAW,OAAO,KAAK5I,uBAAuB,cAAc,OAAOiB,sBAAsB,YAAY;AACnG,cAAM,IAAIgB,MAAM+J,8CAAAA;MAClB,WAAW,CAACrD,kBAAkBsD,OAAO;AACnC,cAAMhK,MAAM,+EAAA;MACd;AAEA,YAAMqH,kBAAkBrI,oBACpB,MAAMA,kBAAkB0H,kBAAkBsD,KAAK,IAE/C,MAAM,KAAKjM,mBAAoB2I,kBAAkBsD,KAAK;AAE1D,YAAM,EAAEC,aAAa3C,KAAK4C,IAAG,IAAK7C;AAClC,YAAM,EAAE8C,QAAQC,QAAO,IAAKF;AAC5B,YAAM,EAAExB,KAAK2B,KAAKC,KAAKC,MAAK,IAAKH;AACjC,YAAM1H,eAAe,kBAAkBgE,qBAAqBA,kBAAkBhE,eAAegE,kBAAkBhE,eAAe5B;AAC9H,UAAI,CAACyJ,SAAS,CAAC7H,cAAc;AAC3B,cAAM1C,MAAM,+CAAA;MACd;AACA,UAAImD;AACJ,UAAIiE;AACJ,UAAImD,OAAO;AACTnD,sBAAc,MAAM,KAAKtI,QAAQ0L,YAAYD,KAAAA;AAC7ChK,4BAAoB6G,YAAY7G;AAChCG,sBAAc0G,YAAY1G;AAC1ByC,oBAAYiE,YAAYjE;MAC1B,WAAWT,cAAc;AACvB,cAAMtC,UAAU,MAAM,KAAKnC,yBAAyBuM,YAAY9H,YAAAA;AAChEhC,sBAAcgC;AACdS,oBAAY/C,QAAQ+C;MACtB,OAAO;AACL,cAAMnD,MAAM,+DAAA;MACd;AAEA,YAAMyK,MAAMpD,gBAAgBoD,OAAON,OAAOM;AAC1C,YAAMjD,MAAMH,gBAAgBG,OAAO2C,OAAO3C;AAC1C,YAAMD,MAAMF,gBAAgBE,OAAO4C,OAAO5C;AAC1C,YAAMmD,MAAMrD,gBAAgBqD,OAAOP,OAAOO;AAC1C,YAAMC,MAAMR,OAAOQ;AAEnB,UAAIA,QAAQ,wBAAwB;AAClC,cAAM3K,MAAM4K,gCAAAA;MACd,WAAW,CAACH,KAAK;AACf,cAAMzK,MAAM6K,gCAAAA;MACd,WAAWH,QAAQlD,OAAOD,MAAM;AAE9B,cAAMvH,MAAM8K,wCAAAA;MACd,WAAWtD,OAAO,CAACF,KAAK;AACtB,YAAI,CAACC,OAAO,CAACmD,KAAK;AAEhB,gBAAM1K,MAAM+K,2CAAAA;QACd,OAAO;AAELC,kBAAQC,IAAI,0CAA0C;QACxD;MACF,WAAW3D,OAAO,CAAC2C,aAAa;AAE9B,cAAMjK,MAAMkL,0CAAAA;MACd;AAEA,YAAMhE,iBAAiB3G,oBAAoB,MAAM,KAAK5B,wBAAwB0B,IAAIE,iBAAAA,IAAqBO;AACvG,YAAMqG,cAAczG,cAAc,MAAM,KAAK/B,wBAAwB0B,IAAIK,WAAAA,IAAeI;AACxF,UAAI,CAACoG,kBAAkB,CAACC,aAAa;AACnC,cAAMnH,MAAM,kEAAA;MACd;AACA,UAAIkH,gBAAgB;AAClB,YAAI,CAACA,eAAe3G,qBAAqB2G,eAAe3G,sBAAsBA,mBAAmB;AAC/F,gBAAMP,MAAM,6BAAA;QACd;AACAkH,uBAAe7D,gBAAgB,CAAC,oBAAID,KAAAA;AACpC8D,uBAAe9C,SAASC,mCAAY8G;AACpC,cAAM,KAAKlN,yBAAyB4F,IAAItD,mBAAmB2G,cAAAA;MAC7D;AACA,UAAIC,aAAa;AACf,YAAI,CAACA,YAAYzG,eAAeyG,YAAYzG,gBAAgBA,aAAa;AACvE,gBAAMV,MAAM,sBAAA;QACd;AACAmH,oBAAY9D,gBAAgB,CAAC,oBAAID,KAAAA;AACjC+D,oBAAY/C,SAASC,mCAAY8G;MACnC;AAWA,UAAI,CAACzC,OAAOvB,aAAa/E,gBAAgBG,kBAAkBV,QAAQY,oBAAoB;AACrF,cAAM,IAAIzC,MAAMoL,2DAAAA;MAClB;AAUA,UAAI,CAACf,OAAOA,QAAQ,KAAK1M,gBAAgB0E,mBAAmB;AAC1D,cAAM,IAAIrC,MAAMqL,gCAAAA;MAClB;AACA,UAAI,CAACf,KAAK;AACR,cAAM,IAAItK,MAAMsL,gCAAAA;MAClB,WAAWhB,MAAMzH,KAAKC,MAAMK,YAAY,GAAA,IAAQ8D,gBAAgB;AAE9D,cAAM,IAAIjH,MAAMsL,gCAAAA;MAClB;AAGA,aAAO;QAAEjE;QAAiB9G;QAAmB2G;QAAgBxG;QAAayG;QAAaC;MAAY;IACrG,SAASpG,OAAgB;AACvB,YAAM,KAAKG,cAAc;QAAEZ;QAAmBG;QAAaM;MAAM,CAAA;AACjE,YAAMA;IACR;EACF;EAEQ4F,yCAAyC2E,eAA2C;AAC1F,QAAI,CAAC,KAAK5N,gBAAgB6N,qCAAqC;AAC7D,aAAO;IACT;AACA,eAAWC,uBAAuBC,OAAOC,OACvC,KAAKhO,gBAAgB,qCAAA,CAAsC,GAC1D;AACD,UAAI,CAACgC,MAAMC,QAAQ2L,aAAAA,KAAkBE,oBAAoB9E,WAAW4E,eAAe;AACjF,eAAO;MACT,WAAW5L,MAAMC,QAAQ2L,aAAAA,GAAgB;AACvC,mBAAW5E,UAAU4E,eAA2B;AAC9C,cAAIE,oBAAoB9E,WAAWA,QAAQ;AACzC,mBAAO;UACT;QACF;MACF;IACF;AAEA,WAAO;EACT;EAEA,MAAciC,oBACZvH,MAQAuK,gBACmD;AACnD,QAAK,CAACvK,KAAKwG,cAAc,CAACxG,KAAKqF,qBAAsB,CAAC,KAAK5I,2BAA2B;AACpF,YAAM,IAAIkC,MAAM6L,0CAAAA;IAClB;AACA,UAAMhE,aAAa+D,iBAAiB,MAAMA,eAAevK,IAAAA,IAAQ,MAAM,KAAKvD,0BAA0BuD,IAAAA;AAGtGmE,kCAAOC,KAAKqG,4CAAqBC,2BAA2B;MAC1DnG,WAAWkG,4CAAqBC;MAChCtM,QAAI8E,8BAAAA;MACJsB,MAAMgC;;MAEN/B,WAAWzE,KAAKgF,UAAU;MAC1BN,eAAeC,+BAAcC;MAC7BC,QAAQC,wBAAOC;MACfE,WAAWC,2BAAUyF;IACvB,CAAA;AAEA,WAAOnE;EACT;EAEA,IAAI9I,2BAAiE;AACnE,WAAO,KAAKjB;EACd;EAEA,IAAIkB,oBAAmD;AACrD,WAAO,KAAKjB;EACd;EAEA,IAAIkB,yBAA6D;AAC/D,WAAO,KAAKjB;EACd;EAEA,IAAIa,OAAgC;AAClC,WAAO,KAAKV;EACd;EAEA,IAAIe,kBAA0B;AAC5B,WAAO,KAAKd;EACd;EAEA,IAAWO,0BAAiE;AAC1E,WAAO,KAAKV;EACd;EAEA,IAAWa,UAAsC;AAC/C,WAAO,KAAKZ;EACd;EAEA,IAAIQ,gCAAoD;AACtD,WAAO,KAAKb;EACd;EAEA,IAAWU,iBAAiB;AAC1B,WAAO,KAAKZ;EACd;EAEA,IAAWa,8BAA8B;AACvC,WAAO,KAAKZ;EACd;EAEA,IAAI2B,eAAe;AACjB,WAAO,KAAKlB;EACd;AACF;;;ADpyBO,IAAM4N,kBAAN,MAAMA;EAzBb,OAyBaA;;;EACXC;EACAC,iBAA+D,CAAC;EAChEC,8BAAoE,CAAC;EACrEC;EACAC;EACAC;EACAC;EACAC;EACAC;EACAC;EACAC;EACAC;EACAC;EACAC;EAEOC,mBAAmBb,gBAAgC;AACxD,QAAI,CAACA,eAAec,qCAAqC;AACvD,YAAM,IAAIC,MAAM,uDAAA;IAClB;AACA,SAAKf,iBAAiBA;AACtB,WAAO;EACT;EAEOgB,qBAAqBC,gBAAsC;AAChE,SAAKf,eAAee;AACpB,WAAO;EACT;EAEOC,2BAA2B,EAChCC,WACAC,eACAC,eACAC,gBACA,GAAGC,MAAAA,GACqI;AACxI,SAAKrB,eAAe;MAAE,GAAGqB;MAAOJ;MAAWC;MAAeC;MAAeC;IAAe;AACxF,WAAO;EACT;EAEOE,0BAA0BvB,6BAA0D;AACzF,SAAKA,8BAA8BA;AACnC,WAAO;EACT;EAEOwB,0BAA0BC,SAAqC;AACpE,SAAK3B,wBAAwB2B;AAC7B,WAAO;EACT;EAEOC,kCAAkCC,SAAiB;AACxD,SAAKxB,gCAAgCwB;AACrC,WAAO;EACT;EAEOC,qBAAqBC,QAAsB;AAChD,SAAK9B,eAAe+B,oBAAoBD;AACxC,WAAO;EACT;EAEOE,yBAAyBC,sBAA+C;AAC7E,SAAKjC,eAAekC,wBAAwB,OAAOD,yBAAyB,WAAW;MAACA;QAAwBA;AAChH,WAAO;EACT;EAEOE,uBAAuBC,oBAAkC;AAC9D,SAAKpC,eAAeqC,sBAAsBD;AAC1C,WAAO;EACT;EAEOE,4BAA4BC,yBAAuC;AACxE,SAAKvC,eAAewC,4BAA4BD;AAChD,UAAMxB,MAAM,qBAAA;EAEd;EAEO0B,kBAAkBC,eAA6B;AACpD,SAAK1C,eAAe2C,iBAAiBD;AACrC,WAAO;EACT;EAEOE,kBAAkBC,eAA0D;AACjF,SAAK7C,eAAe8C,UAAUC,MAAMC,QAAQH,aAAAA,IAAiBA,gBAAgB;MAACA;;AAC9E,WAAO;EACT;EAEOI,iBAAiBJ,eAAsC;AAC5D,SAAK7C,eAAe8C,UAAU;SAAK,KAAK9C,eAAe8C,WAAW,CAAA;MAAKD;;AACvE,WAAO;EACT;EAEOK,sCAAsCC,mCAA4F;AACvI,SAAKnD,eAAec,sCAAsCqC;AAC1D,WAAO;EACT;EAEOC,qCAAqCC,IAAYC,qBAA8D;AACpH,QAAI,CAAC,KAAKtD,eAAec,qCAAqC;AAC5D,WAAKd,eAAec,sCAAsC,CAAC;IAC7D;AACA,SAAKd,eAAec,oCAAoCuC,EAAAA,IAAMC;AAC9D,WAAO;EACT;EAEOC,WAAWpD,QAAsB;AACtC,SAAKA,SAASA;AACd,WAAO;EACT;EAEOqD,mCAAmChD,2BAA0D;AAClG,SAAKA,4BAA4BA;AACjC,WAAO;EACT;EAEOiD,sCAA4C;AACjD,SAAKD,mCAAmC,IAAIE,aAAAA,CAAAA;AAC5C,WAAO;EACT;EAEOC,gCAAgCC,wBAAqE;AAC1G,SAAKrD,8BAA8BqD;AACnC,WAAO;EACT;EAEOC,mCAAyC;AAC9C,SAAKF,gCAAgC,IAAID,aAAAA,CAAAA;AACzC,WAAO;EACT;EAEOI,uBAAuBC,eAAiD;AAC7E,SAAKtD,qBAAqBsD;AAC1B,WAAO;EACT;EAEOC,0BAAgC;AACrC,SAAKF,uBAAuB,IAAIJ,aAAAA,CAAAA;AAChC,WAAO;EACT;EAEOO,oBAAoB3D,iBAA+B;AACxD,SAAKA,kBAAkBA;AACvB,WAAO;EACT;EAEO4D,6BAA6BC,IAAoC;AACtE,SAAKzD,2BAA2ByD;AAChC,WAAO;EACT;EAEOC,sBAAsBC,gBAAyC;AACpE,SAAK1D,oBAAoB0D;AACzB,WAAO;EACT;EAEOC,2BAA2B1D,wBAAsD;AACtF,SAAKA,yBAAyBA;AAC9B,WAAO;EACT;EAEO2D,QAAkB;AACvB,QAAI,CAAC,KAAKhE,6BAA6B;AACrC,YAAM,IAAIQ,MAAMyD,0CAAmBC,eAAe;IACpD;AACA,QAAI,CAAC,KAAKhE,oBAAoB;AAC5B,YAAM,IAAIM,MAAMyD,0CAAmBC,eAAe;IACpD;AACA,QAAIC,OAAOC,KAAK,KAAK3E,cAAc,EAAE4E,WAAW,GAAG;AACjD,YAAM,IAAI7D,MAAM,wBAAA;IAClB;AACA,QAAI2D,OAAOC,KAAK,KAAK1E,2BAA2B,EAAE2E,WAAW,GAAG;AAC9D,YAAM,IAAI7D,MAAM,qCAAA;IAClB;AAEA,UAAMW,UAAU,KAAK3B,uBAAuBwE,MAAAA;AAC5C,UAAMM,WAA2C;MAAE,GAAG,KAAK7E;MAAgB,GAAG0B;IAAQ;AAEtFmD,aAAS/D,sCAAsC,KAAKd,eAAec;AACnE+D,aAAS/B,UAAU;SAAK,KAAK9C,eAAe8C,WAAW,CAAA;SAASpB,SAASoB,WAAW,CAAA;;AACpF,QAAI,CAAC+B,SAASxC,uBAAuB,CAACwC,SAAS9C,qBAAqB,CAAC,KAAK/B,eAAec,qCAAqC;AAC5H,YAAM,IAAIC,MAAMyD,0CAAmBC,eAAe;IACpD;AACA,QAAI,KAAKvE,gBAAgB,OAAO,KAAKS,sBAAsB,YAAY;AACrE,UAAI,CAAC,KAAKX,eAAe+B,mBAAmB;AAC1C,cAAMhB,MAAM,sEAAA;MACd,WAAW,CAAC,KAAKf,eAAekC,uBAAuB;AACrD,cAAMnB,MAAM,0EAAA;MACd;AACA,WAAKJ,oBAAoBmE,8BAA8B;QACrD7D,gBAAgB,KAAKf;QACrB6E,kBAAkB,KAAK/E,eAAe+B;QACtCiD,qBAAqB,KAAKhF,eAAekC,sBAAsB,CAAA;MACjE,CAAA;IACF;AACA,WAAO,IAAI+C,SAASJ,UAAmC,KAAK5E,6BAA4D;;MAEtH,GAAI,KAAKE,UAAU;QAAEA,QAAQ,KAAKA;MAAO;MACzCC,+BAA+B,KAAKA;MACpCM,0BAA0B,KAAKA;MAC/BC,mBAAmB,KAAKA;MACxBC,wBAAwB,KAAKA;MAC7BsE,yBAAyB,KAAK3E;MAC9B4E,SAAS,KAAK1E;MACdH,iBAAiB,KAAKA;MACtB8E,MAAM,KAAK5E;MACXN,cAAc,KAAKA;IACrB,CAAA;EACF;AACF;;;AOtOO,IAAMmF,iBAAN,MAAMA;EAAb,OAAaA;;;EACXC;EACAC;EACAC,uBAAgD,CAAC;EAEjDC;EACAC;EACAC;EAEAC,SAASN,MAAc;AACrB,SAAKA,OAAOA;AACZ,WAAO;EACT;EAEAO,WAAWN,QAAgB;AACzB,SAAKA,SAASA;AACd,WAAO;EACT;EAEAO,SAASL,MAAiB;AACxB,QAAIA,MAAM;AACR,UAAI,CAACA,KAAKM,KAAK;AACb,cAAMC,MAAM,gCAAgC;MAC9C;IACF;AACA,SAAKP,OAAOA;AACZ,WAAO;EACT;EAEAQ,oBAAoBP,iBAAyB;AAC3C,SAAKA,kBAAkBA;AACvB,WAAO;EACT;EAEAQ,cAAcP,WAAmB;AAC/B,SAAKA,YAAYA;AACjB,WAAO;EACT;EAEAQ,yBAAyBC,YAAqC;AAC5D,SAAKZ,uBAAuBY,cAAc,CAAC;AAC3C,WAAO;EACT;EAEAC,sBAAsBC,KAAaC,OAAgB;AACjD,SAAKf,qBAAqBc,GAAAA,IAAOC;AACjC,WAAO;EACT;EAEAC,QAAyB;AACvB,WAAO;MACL,GAAG,KAAKhB;MACR,GAAI,KAAKF,QAAQ;QAAEA,MAAM,KAAKA;MAAK;MACnC,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;MACzC,GAAI,KAAKE,QAAQ;QAAEA,MAAM,KAAKA;MAAK;MACnC,GAAI,KAAKC,mBAAmB;QAAEe,kBAAkB,KAAKf;MAAgB;MACrE,GAAI,KAAKC,aAAa;QAAEe,YAAY,KAAKf;MAAU;IACrD;EACF;AACF;;;ACxDO,IAAMgB,6BAAN,MAAMA;EAHb,OAGaA;;;EACXC;EACAC;EACAC,oBAAuD,CAAA;EACvDC,oCAA6F,CAAC;EAC9FC,kBAAoC,CAAA;EACpCC,UAA6B,CAAA;EAC7BC;EACAC;EACAC;EACAC;EAEOC,4BAA4BJ,yBAAiC;AAClE,SAAKA,0BAA0BA;AAC/B,UAAMK,MAAM,mBAAmB;EACjC;EAEOC,yBAAyBL,sBAAgC;AAC9D,SAAKA,uBAAuBA;AAC5B,WAAO;EACT;EAEOM,wBAAwBC,qBAA6B;AAC1D,QAAI,KAAKP,yBAAyBQ,QAAW;AAC3C,WAAKR,uBAAuB,CAAA;IAC9B;AACA,SAAKA,qBAAqBS,KAAKF,mBAAAA;AAC/B,WAAO;EACT;EAEOG,mCAAmCR,gCAAwC;AAChF,SAAKA,iCAAiCA;AACtC,WAAO;EACT;EAEOS,kBAAkBV,eAAuB;AAC9C,SAAKA,gBAAgBA;AACrB,WAAO;EACT;EAEOW,uBAAuBnB,oBAAwD;AACpF,SAAKA,qBAAqBA;AAC1B,WAAO;EACT;EAEOoB,qBAAqBnB,kBAAsD;AAChF,SAAKA,mBAAmBA;AACxB,WAAO;EACT;EAEOoB,gCAAiE;AACtE,UAAMC,UAAU,IAAIC,gCAAAA;AACpB,SAAKC,8BAA8BF,OAAAA;AACnC,WAAOA;EACT;EAEOE,8BAA8BC,4BAA6D;AAChG,SAAKvB,kBAAkBc,KAAKS,0BAAAA;AAC5B,WAAO;EACT;EAEOC,qCAAqCC,IAAYC,qBAA8D;AACpH,SAAKzB,kCAAkCwB,EAAAA,IAAMC;AAC7C,WAAO;EACT;EAEOC,kBAAkBC,eAAgF;AACvG,SAAKzB,UAAU0B,MAAMC,QAAQF,aAAAA,IAAiBA,gBAAgB;MAACA;;AAC/D,WAAO;EACT;EAEOG,WAAW5B,SAA0B;AAC1C,SAAKA,QAAQW,KAAKX,OAAAA;EACpB;EAEO6B,kBAAkBC,gBAAgC;AACvD,SAAK/B,gBAAgBY,KAAKmB,cAAAA;EAC5B;EAEOC,oBAAoC;AACzC,UAAMd,UAAU,IAAIe,eAAAA;AACpB,SAAKH,kBAAkBZ,OAAAA;AACvB,WAAOA;EACT;EAEOgB,QAA+B;AACpC,QAAI,CAAC,KAAKrC,kBAAkB;AAC1B,YAAMU,MAAM,+BAAA;IACd,WAAW,CAAC,KAAKX,oBAAoB;AACnC,YAAMW,MAAM,iCAAA;IACd;AACA,UAAM4B,sCAA+F,KAAKpC;AAC1G,UAAMqC,0BAAqF,KAAKtC,kBAAkBuC,IAAI,CAACnB,YACrHA,QAAQgB,MAAK,CAAA;AAEfE,4BAAwBE,QAAQ,CAACC,iBAAAA;AAC/BC,aAAOC,KAAKF,YAAAA,EAAcD,QAAQ,CAACI,QAAAA;AACjCP,4CAAoCO,GAAAA,IAAOH,aAAaG,GAAAA;MAC1D,CAAA;IACF,CAAA;AACA,QAAIF,OAAOC,KAAKN,mCAAAA,EAAqCQ,WAAW,GAAG;AACjE,YAAMpC,MAAM,mCAAA;IACd;AAEA,UAAMN,UAA6B,CAAA;AACnCA,YAAQW,KAAI,GAAI,KAAKX,OAAO;AAC5BA,YAAQW,KAAI,GAAI,KAAKZ,gBAAgBqC,IAAI,CAACnB,YAAYA,QAAQgB,MAAK,CAAA,CAAA;AAEnE,UAAMU,iBAAwC;MAC5CC,mBAAmB,KAAKhD;MACxBiD,qBAAqB,KAAKlD;MAC1BuC;;MAEA,GAAI,KAAKhC,wBAAwB;QAAE4C,uBAAuB,KAAK5C;MAAqB;MACpF,GAAI,KAAKC,iBAAiB;QAAE4C,gBAAgB,KAAK5C;MAAc;MAC/D,GAAI,KAAKC,kCAAkC;QAAE4C,kCAAkC,KAAK5C;MAA+B;MACnH,GAAIJ,QAAQ0C,SAAS,KAAK;QAAE1C;MAAQ;IACtC;AAEA,WAAO2C;EACT;AACF;;;AChHO,IAAMM,qCAAN,MAAMA;EAAb,OAAaA;;;EACHC,WAAiD,CAAC;EAEnDC,WAAWC,QAAoD;AACpE,SAAKF,SAASE,SAASA;AACvB,WAAO;EACT;EAEOC,0BAA0BC,UAAsD;AACrF,SAAKJ,SAASK,yBAAyBD;AACvC,WAAO;EACT;EAEOE,mCAAmCF,UAAsD;AAC9F,SAAKJ,SAASO,mCAAmCH;AACjD,WAAO;EACT;EAEOI,kBAAkBJ,UAAsD;AAC7E,SAAKJ,SAASS,iBAAiBL;AAC/B,WAAO;EACT;EAEOM,sCAAsCC,SAA6E;AACxH,SAAKX,SAASY,wCAAwCD;AACtD,WAAO;EACT;EAEOE,+CAA+CC,MAA8E;AAClI,SAAKd,SAASe,mDAAmDD;AACjE,WAAO;EACT;EAEOE,yBAAyBZ,UAAsD;AACpF,SAAKJ,SAASiB,wBAAwBb;AACtC,WAAO;EACT;EAEOc,oBAAoBC,QAAwE;AACjG,SAAKnB,SAASoB,mBAAmBD;AACjC,WAAO;EACT;EAEOE,2BAA2BC,OAAqE;AACrG,SAAKtB,SAASuB,2BAA2BD;AACzC,WAAO;EACT;EAEOE,2BAA2BC,OAAqE;AACrG,SAAKzB,SAAS0B,2BAA2BD;AACzC,WAAO;EACT;EAEOE,wBAAwBL,OAAkE;AAC/F,SAAKtB,SAAS4B,wBAAwBN;AACtC,WAAO;EACT;EAEOO,yBAAyBC,KAAiD;AAC/E,SAAK9B,SAAS+B,wBAAwBD;AACtC,WAAO;EACT;EAEOE,uBAAuBC,SAAuD;AACnF,SAAKjC,SAASkC,uBAAuBD;AACrC,WAAO;EACT;EAEOE,gBAAgBC,KAAiD;AACtE,SAAKpC,SAASqC,gBAAgBD;AAC9B,WAAO;EACT;EAEOE,aAAaF,KAAiD;AACnE,SAAKpC,SAASuC,aAAaH;AAC3B,WAAO;EACT;EAEOI,uBAAuBpC,UAAsD;AAClF,SAAKJ,SAASyC,sBAAsBrC;AACpC,WAAO;EACT;EAEOsC,2CAA2C/B,SAAkF;AAClI,SAAKX,SAAS2C,6CAA6ChC;AAC3D,WAAO;EACT;EAEOiC,oDAAoD9B,MAAmF;AAC5I,SAAKd,SAAS6C,wDAAwD/B;AACtE,WAAO;EACT;EAEOgC,0BAA0B1C,UAAsD;AACrF,SAAKJ,SAAS+C,yBAAyB3C;AACvC,WAAO;EACT;EAEO4C,kCAAkCrC,SAA6E;AACpH,SAAKX,SAASiD,mCAAmCtC;AACjD,WAAO;EACT;EAEOuC,uCAAuC9C,UAAsD;AAClG,SAAKJ,SAASmD,wCAAwC/C;AACtD,WAAO;EACT;EAEOgD,uCAAuCC,UAAuD;AACnG,SAAKrD,SAASsD,wCAAwCD;AACtD,WAAO;EACT;EAEOE,+CAA+CC,WAAwD;AAC5G,SAAKxD,SAAS,iDAAA,IAAqDwD;AACnE,WAAO;EACT;EAEOC,kCAAkC3C,MAAoE;AAC3G,SAAKd,SAAS0D,oCAAoC5C;AAClD,WAAO;EACT;;EAGO6C,gCAAgCH,WAAwD;AAC7F,SAAKxD,SAAS4D,gCAAgCJ;AAC9C,WAAO;EACT;EAEOK,uCAAuCL,WAAwD;AACpG,SAAKxD,SAAS8D,wCAAwCN;AACtD,WAAO;EACT;EAEOO,+BAA+BP,WAAwD;AAC5F,SAAKxD,SAASgE,+BAA+BR;AAC7C,WAAO;EACT;EAEOS,sCAAsCT,WAAwD;AACnG,SAAKxD,SAASkE,uCAAuCV;AACrD,WAAO;EACT;EAEOW,qBAAqB/D,UAAsD;AAChF,SAAKJ,SAASoE,oBAAoBhE;AAClC,WAAO;EACT;EAEOiE,uBAAuBvC,KAAiD;AAC7E,SAAK9B,SAASsE,uBAAuBxC;AACrC,WAAO;EACT;EAEOyC,uBAAuBnE,UAAsD;AAClF,SAAKJ,SAASwE,uBAAuBpE;AACrC,WAAO;EACT;EAEOqE,uBAAuBC,QAAsD;AAClF,SAAK1E,SAAS2E,uBAAuBD;AACrC,WAAO;EACT;EAEOE,0BAA0BtD,OAAqD;AACpF,SAAKtB,SAAS6E,0BAA0BvD;AACxC,WAAO;EACT;EAEOwD,2CAA2ChE,MAAoD;AACpG,SAAKd,SAAS+E,8CAA8CjE;AAC5D,WAAO;EACT;EAEOkE,2BAA2BN,QAAsD;AACtF,SAAK1E,SAASiF,2BAA2BP;AACzC,WAAO;EACT;EAEOQ,wBAAwB5D,OAAqD;AAClF,SAAKtB,SAASmF,wBAAwB7D;AACtC,WAAO;EACT;EAEO8D,oBAAoBC,QAAsD;AAC/E,SAAKrF,SAASsF,mBAAmBD;AACjC,WAAO;EACT;EAEOE,6BAA6B/B,WAAwD;AAC1F,SAAKxD,SAASwF,6BAA6BhC;AAC3C,WAAO;EACT;;EAGOiC,uBAAuBrF,UAAsD;AAClF,SAAKJ,SAAS0F,sBAAsBtF;AACpC,WAAO;EACT;EAEOuF,+BAA+BvF,UAAsD;AAC1F,SAAKJ,SAAS4F,+BAA+BxF;AAC7C,WAAO;EACT;EAEOyF,QAAqC;AAC1C,QAAI,CAAC,KAAK7F,SAASE,QAAQ;AACzB,YAAM,IAAI4F,MAAM,oBAAA;IAClB;AAEA,QAAI,CAAC,KAAK9F,SAASuB,0BAA0B;AAC3C,YAAM,IAAIuE,MAAM,sCAAA;IAClB;AAEA,WAAO,KAAK9F;EACd;AACF;;;ACtOA,IAAA+F,wBAAoD;AACpD,IAAAC,yBAwBO;AAmBA,IAAMC,sBAAsB,8BACjCC,SAAAA;AAOA,QAAM,EACJC,SACAC,mBACAC,KACAC,2BACAC,gBACAC,mBACAC,kBACAC,sBAAsB,WAAU,IAC9BR;AAEJ,MAAIQ,wBAAwB,YAAY;AACtC,UAAM,IAAIC,kCACR,KACAC,0CAAmBC,iBACnB,yBAAyBH,mBAAAA,yFAA4G;EAEzI;AACA,QAAMI,OAAM,oBAAIC,KAAAA,GAAOC,QAAO,IAAK;AACnC,QAAMC,MAAMH,MAAMP;AAClB,QAAMW,MAAMf,UAAU;IAAEe,KAAK;MAAEC,KAAK,UAAMC,8CAAuBjB,SAAS,QAAA;IAAU;EAAE,IAAIkB;AAC1F,QAAMC,MAAW;IACfC,QAAQ;MAAEC,KAAK;MAAOnB,KAAKA,OAAOoB,2BAAIC;IAAM;IAC5CC,SAAS;MACPb;MACAG;MACAW,KAAKxB;MACL,GAAGc;MACH,GAAIV,qBAAqB;QAAEA;MAAkB;;;;MAI7CqB,YAAY1B,UAAU,SAAS;MAC/B,GAAGM;IACL;EACF;AACA,SAAO,MAAMH,0BAA0BgB,GAAAA;AACzC,GA7CmC;AA+C5B,IAAMQ,eAAe,wBAACC,eAAuCC,cAAAA;AAClE,MAAID,cAAcE,iBAAiBC,kBAAkBC,QAAQ;AAE3D,WACEC,OAAOC,KAAKN,cAAcE,iBAAiBC,kBAAkBC,MAAAA,EAAQG,SAASC,kCAAWC,mBAAmB,KAC5GR,cAAcO,kCAAWC;EAE7B;AACA,SAAO;AACT,GAT4B;AAWrB,IAAMC,gCAAgC,8BAC3CC,SACAxC,SAAAA;AAKA,QAAM,EAAEyC,yBAAyBC,mBAAkB,IAAK1C;AAExD,MAAIwC,QAAQG,eAAeN,kCAAWC,qBAAqB;AACzD,UAAM,IAAI7B,kCAAW,KAAKC,0CAAmBkC,eAAeC,mDAAAA;EAC9D;AAGA,MAAI,CAACL,QAAQM,4CAAAA,GAAwB;AACnC,UAAM,IAAIrC,kCAAW,KAAKC,0CAAmBC,iBAAiBoC,yDAAAA;EAChE;AAEA,QAAMC,yBAAyB,MAAMP,wBAAwBQ,YAAYT,QAAQM,4CAAAA,CAAsB;AACvGE,yBAAuBE,SAASC,mCAAYC;AAC5CJ,yBAAuBK,gBAAgB,CAAC,oBAAIxC,KAAAA;AAC5C,QAAM4B,wBAAwBa,IAAId,QAAQM,4CAAAA,GAAwBE,sBAAAA;AAClE,MAAI,CAACpB,aAAaoB,wBAAwBR,QAAQG,UAAU,GAAG;AAC7D,UAAM,IAAIlC,kCAAW,KAAKC,0CAAmBkC,eAAeC,mDAAAA;EAC9D;AAMA,MACE,CAACG,uBAAuBjB,gBAAgBC,kBAAkBC,SAASI,kCAAWC,mBAAmB,GAAGiB,WACpGf,QAAQe,WACR,CAACf,QAAQgB,UACT;AAEA,UAAM,IAAI/C,kCAAW,KAAKC,0CAAmBC,iBAAiB8C,kDAAAA;EAChE,WACE,CAACT,uBAAuBjB,gBAAgBC,kBAAkBC,SAASI,kCAAWC,mBAAmB,GAAGoB,qBACpGlB,QAAQgB,YACR,CAAChB,QAAQe,SACT;AAEA,UAAM,IAAI9C,kCAAW,KAAKC,0CAAmBC,iBAAiB8C,kDAAAA;EAChE;AAKA;;IAEE,CAAC,CAACT,uBAAuBjB,gBAAgBC,kBAAkBC,SAASI,kCAAWC,mBAAmB,GAAGiB,WACrG,CAACf,QAAQe;IACT;AACA,QAAIf,QAAQgB,UAAU;AACpB,YAAM,IAAI/C,kCAAW,KAAKC,0CAAmBC,iBAAiBgD,kDAAAA;IAChE;AACA,UAAM,IAAIlD,kCAAW,KAAKC,0CAAmBC,iBAAiBiD,8CAAAA;EAChE;;IAEEZ,uBAAuBjB,gBAAgBC,kBAAkBC,SAASI,kCAAWC,mBAAmB,GAAGoB,qBACnG,CAACV,uBAAuBjB,gBAAgBC,kBAAkBC,SAASI,kCAAWC,mBAAmB,GAAGiB,WACpG,CAACf,QAAQgB;IACT;AACA,QAAIhB,QAAQe,SAAS;AACnB,YAAM,IAAI9C,kCAAW,KAAKC,0CAAmBC,iBAAiBgD,kDAAAA;IAChE;AACA,UAAM,IAAIlD,kCAAW,KAAKC,0CAAmBC,iBAAiBiD,8CAAAA;EAChE;AAEA,MAAIC,2BAA2Bb,wBAAwBN,kBAAAA,GAAqB;AAC1E,UAAM,IAAIjC,kCAAW,KAAKC,0CAAmBkC,eAAekB,kDAAAA;EAC9D,WACEtB,QAAQM,4CAAAA,MACRE,uBAAuBjB,iBAAiBC,kBAAkBC,SAASI,kCAAWC,mBAAmB,IAAIQ,4CAAAA,GACrG;AACA,UAAM,IAAIrC,kCAAW,KAAKC,0CAAmBkC,eAAemB,kDAAAA;EAC9D;AAMA,MAAIvB,QAAQe,SAAS;AACnB,UAAMS,cAAchB,uBAAuBjB,gBAAgBC,kBAAkBC,SAASI,kCAAWC,mBAAmB,GAAGiB;AACvH,QAAI,CAACS,aAAa;AAChB,YAAM,IAAIvD,kCAAW,KAAKC,0CAAmBC,iBAAiB8C,kDAAAA;IAChE,WAAWO,YAAYC,eAAe,QAAQ;AAC5C,UAAI,CAACC,OAAO,SAASF,YAAYG,MAAM,EAAE,EAAEC,KAAK5B,QAAQe,OAAO,GAAG;AAChE,cAAM,IAAI9C,kCAAW,KAAKC,0CAAmBkC,eAAe,GAAGyB,2CAAAA,IAAwBL,YAAYG,MAAM,EAAE;MAC7G;IACF,OAAO;AACL,UAAI,CAACD,OAAO,SAASF,YAAYG,MAAM,GAAG,EAAEC,KAAK5B,QAAQe,OAAO,GAAG;AACjE,cAAM,IAAI9C,kCAAW,KAAKC,0CAAmBkC,eAAe,GAAGyB,2CAAAA,IAAwBL,YAAYG,MAAM,EAAE;MAC7G;IACF;AACA,QAAI3B,QAAQe,YAAYP,uBAAuBsB,QAAQ;AACrD,YAAM,IAAI7D,kCAAW,KAAKC,0CAAmBkC,eAAe2B,0CAAAA;IAC9D;EACF,WAAW/B,QAAQgB,UAAU;AAC3B,QAAI,CAAC,aAAaY,KAAK5B,QAAQgB,QAAQ,GAAG;AACxC,YAAM,IAAI/C,kCAAW,KAAKC,0CAAmBkC,eAAe,GAAGyB,2CAAAA,MAA0B;IAC3F,WAAW7B,QAAQgB,aAAaR,uBAAuBsB,QAAQ;AAC7D,YAAM,IAAI7D,kCAAW,KAAKC,0CAAmBkC,eAAe2B,0CAAAA;IAC9D;EACF;AAEA,SAAO;IAAEC,gBAAgBxB;EAAuB;AAClD,GA5G6C;AA8GtC,IAAMyB,4BAA4B,8BACvCjC,SACAxC,SAAAA;AAcA,QAAM,EACJC,SACAwC,yBACAiC,SACAC,iBACAtE,gBACAH,mBACAE,2BACAwE,UACApE,sBAAsB,WAAU,IAC9BR;AAEJ,QAAMM,oBAAoBkC,QAAQM,4CAAAA;AAElC,QAAM+B,SAAS7E,KAAK6E,cAAUC,8BAAAA;AAC9B,QAAMJ,QAAQpB,IAAIuB,QAAQ;IAAEA;IAAQE,WAAW,CAAC,oBAAIlE,KAAAA;IAAQP;EAAkB,CAAA;AAE9E,QAAM0E,eAAe,MAAMjF,oBAAoB;IAC7CM;IACAD;IACAE;IACAJ;IACAD;IACAO;EACF,CAAA;AAEA,QAAMyE,WAAgC;IACpCD;IACArD,YAAY1B,UAAU,SAAS;IAC/BiF,YAAY7E;IACZ8E,SAASN;IACTO,oBAAoBT;IACpBC;EACF;AACA,QAAM5B,yBAAyB,MAAMP,wBAAwBQ,YAAY3C,iBAAAA;AACzE0C,yBAAuBE,SAASC,mCAAYkC;AAC5CrC,yBAAuBK,gBAAgB,CAAC,oBAAIxC,KAAAA;AAC5C,QAAM4B,wBAAwBa,IAAIhD,mBAAmB0C,sBAAAA;AACrD,SAAOiC;AACT,GAvDyC;;;AZjNlC,IAAMK,MAAuCC,mCAAYC,IAAI,yBAAA;","names":["import_oid4vci_common","CredentialSupportedBuilderV1_13","format","scope","credentialName","credentialDefinition","cryptographicBindingMethodsSupported","credentialSigningAlgValuesSupported","proofTypesSupported","display","credentialSubject","withFormat","credentialFormat","withCredentialName","withCredentialDefinition","type","Error","withScope","addCryptographicBindingMethod","method","Array","isArray","withCryptographicBindingMethod","addCredentialSigningAlgValuesSupported","algValues","withCredentialSigningAlgValuesSupported","addProofTypesSupported","keyProofType","proofType","withProofTypesSupported","addCredentialSupportedDisplay","credentialDisplay","withCredentialSupportedDisplay","withCredentialSubject","addCredentialSubjectPropertyDisplay","subjectProperty","issuerCredentialSubjectDisplay","build","TokenErrorResponse","invalid_request","credentialSupported","credential_definition","credential_signing_alg_values_supported","cryptographic_binding_methods_supported","supportedConfiguration","import_oid4vci_common","import_oid4vc_common","import_oid4vci_common","import_oid4vci_common","createCredentialOfferGrants","inputGrants","Object","keys","length","undefined","grants","PRE_AUTH_GRANT_LITERAL","grant","uuidv4","tx_code","authorization_code","issuer_state","parseCredentialOfferSchemeAndBaseUri","scheme","baseUri","credentialIssuer","newScheme","replace","includes","split","newBaseUri","startsWith","Error","createCredentialOfferObject","issuerMetadata","opts","credentialOffer","credentialOfferUri","credential_offer","credential_configurations_supported","credential_issuer","credential_configuration_ids","client_id","credential_offer_uri","createCredentialOfferObjectv1_0_11","rest","user_pin_required","credentials","credentials_supported","map","s","id","filter","i","createCredentialOfferURIFromObject","offerMode","encodeURIComponent","JSON","stringify","createCredentialOfferURI","createCredentialOfferURIv1_0_11","isPreAuthorizedCodeExpired","state","expirationDurationInSeconds","now","Date","expirationTime","createdAt","assertValidPinNumber","pin","pinLength","RegExp","test","PIN_NOT_MATCH_ERROR","import_oid4vc_common","oidcAccessTokenVerifyCallback","opts","clientMetadata","client_id","credentialIssuer","args","oidcIssuer","oidcDiscoverIssuer","issuerUrl","authorizationServer","oidcClient","oidcGetClient","issuer","introspection","introspect","jwt","active","Promise","reject","Error","header","decodeProtectedHeader","payload","decodeJwt","alg","jwk","x5c","kid","import_oid4vci_common","MemoryStates","expiresInMS","states","cleanupIntervalId","constructor","opts","expiresInSec","undefined","Map","clearAll","clear","clearExpired","timestamp","Array","from","entries","ts","Date","id","state","expiresAt","delete","createdAt","Error","getAsserted","result","has","get","STATE_MISSING_ERROR","set","stateValue","startCleanupRoutine","timeout","setInterval","stopCleanupRoutine","clearInterval","lookupStateManagerMultiGetAsserted","args","value","lookupStateManagerMultiGet","Promise","reject","Error","id","lookups","keyValueMapper","valueStateManager","lookup","LookupStateManager","get","e","constructor","startCleanupRoutine","timeout","stopCleanupRoutine","clearAll","clearExpired","timestamp","assertedValueId","key","prop","valueId","getAsserted","then","keyState","undefined","delete","has","set","_id","_stateValue","setMapped","valueKey","keyObject","stateValue","keys","CredentialOfferStateBuilder","credentialOfferState","constructor","credentialOffer","createdAt","timestamp","build","Date","Error","shortUUID","ShortUUID","VcIssuer","_issuerMetadata","_authorizationServerMetadata","_defaultCredentialOfferBaseUri","_credentialSignerCallback","_jwtVerifyCallback","_credentialDataSupplier","_credentialOfferSessions","_cNonces","_uris","_cNonceExpiresIn","_asClientOpts","constructor","issuerMetadata","authorizationServerMetadata","args","defaultCredentialOfferBaseUri","credentialOfferSessions","MemoryStates","uris","cNonces","credentialSignerCallback","jwtVerifyCallback","credentialDataSupplier","cNonceExpiresIn","process","env","C_NONCE_EXPIRES_IN","parseInt","asClientOpts","getCredentialOfferSessionById","id","lookups","Array","isArray","length","Promise","reject","Error","lookupStateManagerMultiGetAsserted","keyValueMapper","valueStateManager","session","get","deleteCredentialOfferSessionById","preAuthorizedCode","has","delete","issuerState","processNotification","notification","sessionId","undefined","LOG","error","notification_id","info","updateSession","createCredentialOfferURI","opts","offerMode","correlationId","generate","credential_configuration_ids","statusListOpts","credentialOfferUri","redirectUri","grants","pinLength","PRE_AUTH_GRANT_LITERAL","tx_code","baseUri","credentialOfferObject","createCredentialOfferObject","credentialOffer","credential_issuer","preAuthGrant","credential_offer","authGrant","authorization_code","issuer_state","txCode","userPin","Math","round","pow","random","padStart","assertValidPinNumber","createdAt","Date","lastUpdatedAt","expirationInMs","sessionLifeTimeInSec","expiresAt","abs","offerUri","replace","credential_offer_uri","set","uri","toUniformCredentialOfferRequest","version","OpenId4VCIVersion","VER_1_0_13","resolve","status","IssueStatus","OFFER_CREATED","uuidv4","client_id","clientId","credentialDataSupplierInput","statusLists","createCredentialOfferURIFromObject","lookupManager","LookupStateManager","setMapped","qrCodeDataUri","qrCodeOpts","AwesomeQR","qrCode","text","draw","toString","credentialOfferResult","EVENTS","emit","CredentialOfferEventNames","OID4VCI_OFFER_CREATED","eventName","data","initiator","initiatorType","InitiatorType","EXTERNAL","system","System","OID4VCI","issuer","subsystem","SubSystem","API","issueCredential","credentialRequest","format","isMetadataSupportCredentialRequestFormat","TokenErrorResponse","invalid_request","validated","validateCredentialRequestProof","tokenExpiresIn","preAuthSession","authSession","cNonceState","jwtVerifyResult","did","jwk","kid","newcNonce","newCNonce","newcNonceState","cNonce","credential","signerCallback","result","credentialSupplierConfig","credential_supplier_config","signCallback","CredentialMapper","isSdJwtDecodedCredentialPayload","cnf","credentialSubject","credentialSubjects","map","subject","iss","verifiableCredential","issueCredentialImpl","CREDENTIAL_MISSING_ERROR","CREDENTIAL_ISSUED","response","c_nonce","c_nonce_expires_in","experimentalSubjectIssuance","credential_subject_issuance","subject_proof_mode","transaction_id","issueState","ERROR","event","NOTIFICATION_CREDENTIAL_ACCEPTED","NOTIFICATION_CREDENTIAL_DELETED","NOTIFICATION_CREDENTIAL_FAILURE","message","supportedIssuanceFormats","includes","JWT_VERIFY_CONFIG_ERROR","proof","didDocument","jwt","header","payload","aud","iat","nonce","getAsserted","alg","x5c","typ","TYP_ERROR","ALG_ERROR","KID_JWK_X5C_ERROR","KID_DID_NO_DID_ERROR","console","log","DID_NO_DIDDOC_ERROR","CREDENTIAL_REQUEST_RECEIVED","NO_ISS_IN_AUTHORIZATION_CODE_CONTEXT","AUD_ERROR","IAT_ERROR","requestFormat","credential_configurations_supported","credentialSupported","Object","values","issuerCallback","ISSUER_CONFIG_ERROR","CredentialEventNames","OID4VCI_CREDENTIAL_ISSUED","VC_ISSUER","VcIssuerBuilder","issuerMetadataBuilder","issuerMetadata","authorizationServerMetadata","asClientOpts","txCode","defaultCredentialOfferBaseUri","userPinRequired","cNonceExpiresIn","credentialOfferStateManager","credentialOfferURIManager","cNonceStateManager","credentialSignerCallback","jwtVerifyCallback","credentialDataSupplier","withIssuerMetadata","credential_configurations_supported","Error","withASClientMetadata","clientMetadata","withASClientMetadataParams","client_id","client_secret","redirect_uris","response_types","other","withAuthorizationMetadata","withIssuerMetadataBuilder","builder","withDefaultCredentialOfferBaseUri","baseUri","withCredentialIssuer","issuer","credential_issuer","withAuthorizationServers","authorizationServers","authorization_servers","withCredentialEndpoint","credentialEndpoint","credential_endpoint","withBatchCredentialEndpoint","batchCredentialEndpoint","batch_credential_endpoint","withTokenEndpoint","tokenEndpoint","token_endpoint","withIssuerDisplay","issuerDisplay","display","Array","isArray","addIssuerDisplay","withCredentialConfigurationsSupported","credentialConfigurationsSupported","addCredentialConfigurationsSupported","id","supportedCredential","withTXCode","withCredentialOfferURIStateManager","withInMemoryCredentialOfferURIState","MemoryStates","withCredentialOfferStateManager","credentialOfferManager","withInMemoryCredentialOfferState","withCNonceStateManager","cNonceManager","withInMemoryCNonceState","withCNonceExpiresIn","withCredentialSignerCallback","cb","withJWTVerifyCallback","verifyCallback","withCredentialDataSupplier","build","TokenErrorResponse","invalid_request","Object","keys","length","metadata","oidcAccessTokenVerifyCallback","credentialIssuer","authorizationServer","VcIssuer","credentialOfferSessions","cNonces","uris","DisplayBuilder","name","locale","additionalProperties","logo","backgroundColor","textColor","withName","withLocale","withLogo","url","Error","withBackgroundColor","withTextColor","withAdditionalProperties","properties","addAdditionalProperty","key","value","build","background_color","text_color","IssuerMetadataBuilderV1_13","credentialEndpoint","credentialIssuer","supportedBuilders","credentialConfigurationsSupported","displayBuilders","display","batchCredentialEndpoint","authorizationServers","tokenEndpoint","authorizationChallengeEndpoint","withBatchCredentialEndpoint","Error","withAuthorizationServers","withAuthorizationServer","authorizationServer","undefined","push","withAuthorizationChallengeEndpoint","withTokenEndpoint","withCredentialEndpoint","withCredentialIssuer","newSupportedCredentialBuilder","builder","CredentialSupportedBuilderV1_13","addSupportedCredentialBuilder","supportedCredentialBuilder","addCredentialConfigurationsSupported","id","supportedCredential","withIssuerDisplay","issuerDisplay","Array","isArray","addDisplay","addDisplayBuilder","displayBuilder","newDisplayBuilder","DisplayBuilder","build","credential_configurations_supported","configurationsEntryList","map","forEach","configRecord","Object","keys","key","length","issuerMetadata","credential_issuer","credential_endpoint","authorization_servers","token_endpoint","authorization_challenge_endpoint","AuthorizationServerMetadataBuilder","metadata","withIssuer","issuer","withAuthorizationEndpoint","endpoint","authorization_endpoint","withAuthorizationChallengeEndpoint","authorization_challenge_endpoint","withTokenEndpoint","token_endpoint","withTokenEndpointAuthMethodsSupported","methods","token_endpoint_auth_methods_supported","withTokenEndpointAuthSigningAlgValuesSupported","algs","token_endpoint_auth_signing_alg_values_supported","withRegistrationEndpoint","registration_endpoint","withScopesSupported","scopes","scopes_supported","withResponseTypesSupported","types","response_types_supported","withResponseModesSupported","modes","response_modes_supported","withGrantTypesSupported","grant_types_supported","withServiceDocumentation","url","service_documentation","withUILocalesSupported","locales","ui_locales_supported","withOpPolicyUri","uri","op_policy_uri","withOpTosUri","op_tos_uri","withRevocationEndpoint","revocation_endpoint","withRevocationEndpointAuthMethodsSupported","revocation_endpoint_auth_methods_supported","withRevocationEndpointAuthSigningAlgValuesSupported","revocation_endpoint_auth_signing_alg_values_supported","withIntrospectionEndpoint","introspection_endpoint","withCodeChallengeMethodsSupported","code_challenge_methods_supported","withPushedAuthorizationRequestEndpoint","pushed_authorization_request_endpoint","withRequirePushedAuthorizationRequests","required","require_pushed_authorization_requests","withPreAuthorizedGrantAnonymousAccessSupported","supported","withDPoPSigningAlgValuesSupported","dpop_signing_alg_values_supported","withFrontchannelLogoutSupported","frontchannel_logout_supported","withFrontchannelLogoutSessionSupported","frontchannel_logout_session_supported","withBackchannelLogoutSupported","backchannel_logout_supported","withBackchannelLogoutSessionSupported","backchannel_logout_session_supported","withUserinfoEndpoint","userinfo_endpoint","withCheckSessionIframe","check_session_iframe","withEndSessionEndpoint","end_session_endpoint","withAcrValuesSupported","values","acr_values_supported","withSubjectTypesSupported","subject_types_supported","withRequestObjectSigningAlgValuesSupported","request_object_signing_alg_values_supported","withDisplayValuesSupported","display_values_supported","withClaimTypesSupported","claim_types_supported","withClaimsSupported","claims","claims_supported","withClaimsParameterSupported","claims_parameter_supported","withCredentialEndpoint","credential_endpoint","withDeferredCredentialEndpoint","deferred_credential_endpoint","build","Error","import_oid4vc_common","import_oid4vci_common","generateAccessToken","opts","dPoPJwk","accessTokenIssuer","alg","accessTokenSignerCallback","tokenExpiresIn","preAuthorizedCode","additionalClaims","accessTokenProvider","TokenError","TokenErrorResponse","invalid_request","iat","Date","getTime","exp","cnf","jkt","calculateJwkThumbprint","undefined","jwt","header","typ","Alg","ES256","payload","iss","token_type","isValidGrant","assertedState","grantType","credentialOffer","credential_offer","grants","Object","keys","includes","GrantTypes","PRE_AUTHORIZED_CODE","assertValidAccessTokenRequest","request","credentialOfferSessions","expirationDuration","grant_type","invalid_grant","UNSUPPORTED_GRANT_TYPE_ERROR","PRE_AUTH_CODE_LITERAL","PRE_AUTHORIZED_CODE_REQUIRED_ERROR","credentialOfferSession","getAsserted","status","IssueStatus","ACCESS_TOKEN_REQUESTED","lastUpdatedAt","set","tx_code","user_pin","USER_PIN_NOT_REQUIRED_ERROR","user_pin_required","USER_PIN_TX_CODE_SPEC_ERROR","USER_PIN_REQUIRED_ERROR","isPreAuthorizedCodeExpired","EXPIRED_PRE_AUTHORIZED_CODE","INVALID_PRE_AUTHORIZED_CODE","txCodeOffer","input_mode","RegExp","length","test","PIN_VALIDATION_ERROR","txCode","PIN_NOT_MATCH_ERROR","preAuthSession","createAccessTokenResponse","cNonces","cNonceExpiresIn","interval","cNonce","uuidv4","createdAt","access_token","response","expires_in","c_nonce","c_nonce_expires_in","ACCESS_TOKEN_CREATED","LOG","VCI_LOGGERS","get"]}