npm - @aster-rpc/aster - Versions diffs - 0.1.2 - Mend

@aster-rpc/aster 0.1.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (233) hide show

package/dist/capabilities.d.ts +26 -0
package/dist/capabilities.d.ts.map +1 -0
package/dist/capabilities.js +29 -0
package/dist/capabilities.js.map +1 -0
package/dist/client.d.ts +65 -0
package/dist/client.d.ts.map +1 -0
package/dist/client.js +108 -0
package/dist/client.js.map +1 -0
package/dist/codec.d.ts +156 -0
package/dist/codec.d.ts.map +1 -0
package/dist/codec.js +477 -0
package/dist/codec.js.map +1 -0
package/dist/config.d.ts +102 -0
package/dist/config.d.ts.map +1 -0
package/dist/config.js +454 -0
package/dist/config.js.map +1 -0
package/dist/contract/identity.d.ts +115 -0
package/dist/contract/identity.d.ts.map +1 -0
package/dist/contract/identity.js +188 -0
package/dist/contract/identity.js.map +1 -0
package/dist/contract/manifest.d.ts +77 -0
package/dist/contract/manifest.d.ts.map +1 -0
package/dist/contract/manifest.js +127 -0
package/dist/contract/manifest.js.map +1 -0
package/dist/contract/publication.d.ts +71 -0
package/dist/contract/publication.d.ts.map +1 -0
package/dist/contract/publication.js +85 -0
package/dist/contract/publication.js.map +1 -0
package/dist/decorators.d.ts +139 -0
package/dist/decorators.d.ts.map +1 -0
package/dist/decorators.js +175 -0
package/dist/decorators.js.map +1 -0
package/dist/dynamic.d.ts +61 -0
package/dist/dynamic.d.ts.map +1 -0
package/dist/dynamic.js +147 -0
package/dist/dynamic.js.map +1 -0
package/dist/framing.d.ts +74 -0
package/dist/framing.d.ts.map +1 -0
package/dist/framing.js +162 -0
package/dist/framing.js.map +1 -0
package/dist/health.d.ts +127 -0
package/dist/health.d.ts.map +1 -0
package/dist/health.js +236 -0
package/dist/health.js.map +1 -0
package/dist/index.d.ts +67 -0
package/dist/index.d.ts.map +1 -0
package/dist/index.js +101 -0
package/dist/index.js.map +1 -0
package/dist/interceptors/audit.d.ts +25 -0
package/dist/interceptors/audit.d.ts.map +1 -0
package/dist/interceptors/audit.js +46 -0
package/dist/interceptors/audit.js.map +1 -0
package/dist/interceptors/auth.d.ts +13 -0
package/dist/interceptors/auth.d.ts.map +1 -0
package/dist/interceptors/auth.js +34 -0
package/dist/interceptors/auth.js.map +1 -0
package/dist/interceptors/base.d.ts +74 -0
package/dist/interceptors/base.d.ts.map +1 -0
package/dist/interceptors/base.js +103 -0
package/dist/interceptors/base.js.map +1 -0
package/dist/interceptors/capability.d.ts +16 -0
package/dist/interceptors/capability.d.ts.map +1 -0
package/dist/interceptors/capability.js +63 -0
package/dist/interceptors/capability.js.map +1 -0
package/dist/interceptors/circuit-breaker.d.ts +40 -0
package/dist/interceptors/circuit-breaker.d.ts.map +1 -0
package/dist/interceptors/circuit-breaker.js +91 -0
package/dist/interceptors/circuit-breaker.js.map +1 -0
package/dist/interceptors/compression.d.ts +11 -0
package/dist/interceptors/compression.d.ts.map +1 -0
package/dist/interceptors/compression.js +12 -0
package/dist/interceptors/compression.js.map +1 -0
package/dist/interceptors/deadline.d.ts +12 -0
package/dist/interceptors/deadline.d.ts.map +1 -0
package/dist/interceptors/deadline.js +28 -0
package/dist/interceptors/deadline.js.map +1 -0
package/dist/interceptors/metrics.d.ts +43 -0
package/dist/interceptors/metrics.d.ts.map +1 -0
package/dist/interceptors/metrics.js +132 -0
package/dist/interceptors/metrics.js.map +1 -0
package/dist/interceptors/rate-limit.d.ts +24 -0
package/dist/interceptors/rate-limit.d.ts.map +1 -0
package/dist/interceptors/rate-limit.js +84 -0
package/dist/interceptors/rate-limit.js.map +1 -0
package/dist/interceptors/retry.d.ts +25 -0
package/dist/interceptors/retry.d.ts.map +1 -0
package/dist/interceptors/retry.js +55 -0
package/dist/interceptors/retry.js.map +1 -0
package/dist/limits.d.ts +77 -0
package/dist/limits.d.ts.map +1 -0
package/dist/limits.js +137 -0
package/dist/limits.js.map +1 -0
package/dist/logging.d.ts +40 -0
package/dist/logging.d.ts.map +1 -0
package/dist/logging.js +92 -0
package/dist/logging.js.map +1 -0
package/dist/metadata.d.ts +14 -0
package/dist/metadata.d.ts.map +1 -0
package/dist/metadata.js +68 -0
package/dist/metadata.js.map +1 -0
package/dist/metrics.d.ts +40 -0
package/dist/metrics.d.ts.map +1 -0
package/dist/metrics.js +92 -0
package/dist/metrics.js.map +1 -0
package/dist/peer-store.d.ts +53 -0
package/dist/peer-store.d.ts.map +1 -0
package/dist/peer-store.js +105 -0
package/dist/peer-store.js.map +1 -0
package/dist/protocol.d.ts +44 -0
package/dist/protocol.d.ts.map +1 -0
package/dist/protocol.js +59 -0
package/dist/protocol.js.map +1 -0
package/dist/registration.d.ts +81 -0
package/dist/registration.d.ts.map +1 -0
package/dist/registration.js +161 -0
package/dist/registration.js.map +1 -0
package/dist/registry/acl.d.ts +57 -0
package/dist/registry/acl.d.ts.map +1 -0
package/dist/registry/acl.js +104 -0
package/dist/registry/acl.js.map +1 -0
package/dist/registry/client.d.ts +70 -0
package/dist/registry/client.d.ts.map +1 -0
package/dist/registry/client.js +115 -0
package/dist/registry/client.js.map +1 -0
package/dist/registry/gossip.d.ts +43 -0
package/dist/registry/gossip.d.ts.map +1 -0
package/dist/registry/gossip.js +102 -0
package/dist/registry/gossip.js.map +1 -0
package/dist/registry/keys.d.ts +25 -0
package/dist/registry/keys.d.ts.map +1 -0
package/dist/registry/keys.js +47 -0
package/dist/registry/keys.js.map +1 -0
package/dist/registry/models.d.ts +80 -0
package/dist/registry/models.d.ts.map +1 -0
package/dist/registry/models.js +35 -0
package/dist/registry/models.js.map +1 -0
package/dist/registry/publisher.d.ts +65 -0
package/dist/registry/publisher.d.ts.map +1 -0
package/dist/registry/publisher.js +164 -0
package/dist/registry/publisher.js.map +1 -0
package/dist/runtime.d.ts +267 -0
package/dist/runtime.d.ts.map +1 -0
package/dist/runtime.js +1366 -0
package/dist/runtime.js.map +1 -0
package/dist/server.d.ts +100 -0
package/dist/server.d.ts.map +1 -0
package/dist/server.js +511 -0
package/dist/server.js.map +1 -0
package/dist/service.d.ts +72 -0
package/dist/service.d.ts.map +1 -0
package/dist/service.js +98 -0
package/dist/service.js.map +1 -0
package/dist/session.d.ts +64 -0
package/dist/session.d.ts.map +1 -0
package/dist/session.js +350 -0
package/dist/session.js.map +1 -0
package/dist/status.d.ts +113 -0
package/dist/status.d.ts.map +1 -0
package/dist/status.js +206 -0
package/dist/status.js.map +1 -0
package/dist/transport/base.d.ts +46 -0
package/dist/transport/base.d.ts.map +1 -0
package/dist/transport/base.js +10 -0
package/dist/transport/base.js.map +1 -0
package/dist/transport/iroh.d.ts +45 -0
package/dist/transport/iroh.d.ts.map +1 -0
package/dist/transport/iroh.js +225 -0
package/dist/transport/iroh.js.map +1 -0
package/dist/transport/local.d.ts +48 -0
package/dist/transport/local.d.ts.map +1 -0
package/dist/transport/local.js +139 -0
package/dist/transport/local.js.map +1 -0
package/dist/trust/admission.d.ts +60 -0
package/dist/trust/admission.d.ts.map +1 -0
package/dist/trust/admission.js +149 -0
package/dist/trust/admission.js.map +1 -0
package/dist/trust/bootstrap.d.ts +109 -0
package/dist/trust/bootstrap.d.ts.map +1 -0
package/dist/trust/bootstrap.js +311 -0
package/dist/trust/bootstrap.js.map +1 -0
package/dist/trust/clock.d.ts +93 -0
package/dist/trust/clock.d.ts.map +1 -0
package/dist/trust/clock.js +154 -0
package/dist/trust/clock.js.map +1 -0
package/dist/trust/consumer.d.ts +139 -0
package/dist/trust/consumer.d.ts.map +1 -0
package/dist/trust/consumer.js +323 -0
package/dist/trust/consumer.js.map +1 -0
package/dist/trust/credentials.d.ts +98 -0
package/dist/trust/credentials.d.ts.map +1 -0
package/dist/trust/credentials.js +250 -0
package/dist/trust/credentials.js.map +1 -0
package/dist/trust/delegated.d.ts +118 -0
package/dist/trust/delegated.d.ts.map +1 -0
package/dist/trust/delegated.js +292 -0
package/dist/trust/delegated.js.map +1 -0
package/dist/trust/gossip.d.ts +146 -0
package/dist/trust/gossip.d.ts.map +1 -0
package/dist/trust/gossip.js +334 -0
package/dist/trust/gossip.js.map +1 -0
package/dist/trust/hooks.d.ts +84 -0
package/dist/trust/hooks.d.ts.map +1 -0
package/dist/trust/hooks.js +125 -0
package/dist/trust/hooks.js.map +1 -0
package/dist/trust/iid.d.ts +65 -0
package/dist/trust/iid.d.ts.map +1 -0
package/dist/trust/iid.js +104 -0
package/dist/trust/iid.js.map +1 -0
package/dist/trust/mesh.d.ts +43 -0
package/dist/trust/mesh.d.ts.map +1 -0
package/dist/trust/mesh.js +105 -0
package/dist/trust/mesh.js.map +1 -0
package/dist/trust/nonce.d.ts +39 -0
package/dist/trust/nonce.d.ts.map +1 -0
package/dist/trust/nonce.js +46 -0
package/dist/trust/nonce.js.map +1 -0
package/dist/trust/producer.d.ts +80 -0
package/dist/trust/producer.d.ts.map +1 -0
package/dist/trust/producer.js +151 -0
package/dist/trust/producer.js.map +1 -0
package/dist/trust/rcan.d.ts +29 -0
package/dist/trust/rcan.d.ts.map +1 -0
package/dist/trust/rcan.js +57 -0
package/dist/trust/rcan.js.map +1 -0
package/dist/types.d.ts +57 -0
package/dist/types.d.ts.map +1 -0
package/dist/types.js +50 -0
package/dist/types.js.map +1 -0
package/dist/xlang.d.ts +26 -0
package/dist/xlang.d.ts.map +1 -0
package/dist/xlang.js +55 -0
package/dist/xlang.js.map +1 -0
package/package.json +59 -0

package/dist/trust/consumer.d.ts ADDED Viewed

@@ -0,0 +1,139 @@
+/**
+ * Consumer admission — client-side and server-side admission handshake.
+ *
+ * Spec reference: Aster-trust-spec.md S5
+ *
+ * Client side (performAdmission):
+ *   1. Open a stream on the admission ALPN
+ *   2. Send a ConsumerAdmissionRequest (credential + optional IID token)
+ *   3. Receive a ConsumerAdmissionResponse (services list + registry namespace)
+ *
+ * Server side (handleConsumerAdmissionRpc, serveConsumerAdmission):
+ *   Verify credential, admit peer, return response with services + registry namespace.
+ *
+ * Wire format: newline-delimited JSON over a QUIC bidi-stream on
+ * aster.consumer_admission ALPN. Client sends one JSON line; server
+ * responds with one JSON line and closes the stream.
+ */
+import { type ConsumerEnrollmentCredential } from './credentials.js';
+import type { MeshEndpointHook } from './hooks.js';
+import type { NonceStore } from './nonce.js';
+import { type PeerAttributeStore } from '../peer-store.js';
+/**
+ * Service summary returned in admission response.
+ *
+ * NOTE: Wire format uses snake_case keys (contract_id) for Python interop.
+ * The camelCase interface fields here need mapping when parsing from wire.
+ * TODO: Add proper wire-format mapping for ServiceSummary (pre-existing gap).
+ */
+export interface ServiceSummary {
+    name: string;
+    version: number;
+    contractId: string;
+    pattern: string;
+    methods: string[];
+    channels?: Record<string, string>;
+    /** Serialization modes the server supports for this service.
+     *  Values: "xlang" (Fory), "json", "row", "native". A consumer must
+     *  pick one of these for any RPC call. The TypeScript binding only
+     *  publishes "json" because Fory JS is not yet XLANG-compliant. */
+    serializationModes?: string[];
+}
+/** Consumer admission request. */
+export interface ConsumerAdmissionRequest {
+    credentialJson: string;
+    iidToken?: string;
+}
+/** Consumer admission response from producer. */
+export interface ConsumerAdmissionResponse {
+    admitted: boolean;
+    reason?: string;
+    services: ServiceSummary[];
+    registryNamespace?: string;
+    attributes?: Record<string, string>;
+    rootPubkey?: string;
+    /** Hex-encoded 32-byte gossip topic — only populated for root node. */
+    gossipTopic?: string;
+}
+/** Options for server-side consumer admission handlers. */
+export interface ConsumerAdmissionOpts {
+    nonceStore?: NonceStore;
+    services?: ServiceSummary[];
+    registryNamespace?: string;
+    allowUnenrolled?: boolean;
+    /** Gossip topic ID (32 bytes). Included in response only for root node. */
+    gossipTopicId?: Uint8Array;
+    /** When supplied, successful admissions are recorded so the RPC dispatch
+     *  layer can read the peer's attributes from CallContext. */
+    peerStore?: PeerAttributeStore;
+    logger?: {
+        info(msg: string, ...args: unknown[]): void;
+        warn(msg: string, ...args: unknown[]): void;
+        error(msg: string, ...args: unknown[]): void;
+    };
+}
+/**
+ * Perform the consumer admission handshake.
+ *
+ * @param connection - The QUIC connection to the producer (admission ALPN)
+ * @param credential - The consumer enrollment credential
+ * @param iidToken - Optional cloud instance identity token
+ * @returns The admission response with services and registry namespace
+ */
+export declare function performAdmission(connection: {
+    openBi(): Promise<{
+        takeSend(): any;
+        takeRecv(): any;
+    }>;
+}, credential: ConsumerEnrollmentCredential, iidToken?: string): Promise<ConsumerAdmissionResponse>;
+/**
+ * Serialise a ConsumerEnrollmentCredential to the wire JSON format.
+ * Hex-encodes rootPubkey, nonce, and signature fields.
+ */
+export declare function consumerCredToJson(cred: ConsumerEnrollmentCredential): string;
+/**
+ * Deserialise a ConsumerEnrollmentCredential from the wire JSON format.
+ * Validates hex field lengths (pubkey=64, nonce=64, signature=128 hex chars).
+ */
+export declare function consumerCredFromJson(json: string): ConsumerEnrollmentCredential;
+/**
+ * Server-side handler for the aster.consumer_admission ALPN.
+ *
+ * @param requestJson - JSON-serialised ConsumerAdmissionRequest.
+ * @param rootPubkey - The server's root public key (hex string, 64 chars).
+ * @param hook - MeshEndpointHook; addPeer is called on successful admission.
+ * @param peerNodeId - QUIC peer identity from the connection handshake.
+ * @param opts - Additional options (nonceStore, services, registryNamespace, allowUnenrolled, logger).
+ * @returns ConsumerAdmissionResponse — always returned, never throws.
+ */
+export declare function handleConsumerAdmissionRpc(requestJson: string, rootPubkey: string, hook: MeshEndpointHook, peerNodeId: string, opts?: ConsumerAdmissionOpts): Promise<ConsumerAdmissionResponse>;
+/**
+ * Handle one consumer admission connection: read request, write response.
+ *
+ * @param conn - A QUIC connection with acceptBi() and remoteId() methods.
+ * @param rootPubkey - Hex-encoded root public key.
+ * @param hook - MeshEndpointHook for peer admission tracking.
+ * @param opts - Additional options.
+ */
+export declare function handleConsumerAdmissionConnection(conn: {
+    acceptBi(): Promise<{
+        takeSend(): any;
+        takeRecv(): any;
+    }>;
+    remoteId(): string;
+}, rootPubkey: string, hook: MeshEndpointHook, opts?: ConsumerAdmissionOpts): Promise<void>;
+/**
+ * Accept and process connections on aster.consumer_admission until cancelled.
+ *
+ * Runs as a background task alongside the main server. Each connection is
+ * handled concurrently so one slow consumer cannot block others.
+ *
+ * @param node - An endpoint/node bound to the consumer admission ALPN, with accept().
+ * @param rootPubkey - Hex-encoded root public key.
+ * @param hook - MeshEndpointHook allowlist manager.
+ * @param opts - Additional options.
+ */
+export declare function serveConsumerAdmission(node: {
+    accept(): Promise<any>;
+}, rootPubkey: string, hook: MeshEndpointHook, opts?: ConsumerAdmissionOpts): Promise<void>;
+//# sourceMappingURL=consumer.d.ts.map

package/dist/trust/consumer.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"consumer.d.ts","sourceRoot":"","sources":["../../src/trust/consumer.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;GAgBG;AAEH,OAAO,EAAc,KAAK,4BAA4B,EAAE,MAAM,kBAAkB,CAAC;AAEjF,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,YAAY,CAAC;AAEnD,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,YAAY,CAAC;AAC7C,OAAO,EAAuB,KAAK,kBAAkB,EAAE,MAAM,kBAAkB,CAAC;AAEhF;;;;;;GAMG;AACH,MAAM,WAAW,cAAc;IAC7B,IAAI,EAAE,MAAM,CAAC;IACb,OAAO,EAAE,MAAM,CAAC;IAChB,UAAU,EAAE,MAAM,CAAC;IACnB,OAAO,EAAE,MAAM,CAAC;IAChB,OAAO,EAAE,MAAM,EAAE,CAAC;IAClB,QAAQ,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAClC;;;uEAGmE;IACnE,kBAAkB,CAAC,EAAE,MAAM,EAAE,CAAC;CAC/B;AAED,kCAAkC;AAClC,MAAM,WAAW,wBAAwB;IACvC,cAAc,EAAE,MAAM,CAAC;IACvB,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB;AAED,iDAAiD;AACjD,MAAM,WAAW,yBAAyB;IACxC,QAAQ,EAAE,OAAO,CAAC;IAClB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,QAAQ,EAAE,cAAc,EAAE,CAAC;IAC3B,iBAAiB,CAAC,EAAE,MAAM,CAAC;IAC3B,UAAU,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IACpC,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,uEAAuE;IACvE,WAAW,CAAC,EAAE,MAAM,CAAC;CACtB;AAED,2DAA2D;AAC3D,MAAM,WAAW,qBAAqB;IACpC,UAAU,CAAC,EAAE,UAAU,CAAC;IACxB,QAAQ,CAAC,EAAE,cAAc,EAAE,CAAC;IAC5B,iBAAiB,CAAC,EAAE,MAAM,CAAC;IAC3B,eAAe,CAAC,EAAE,OAAO,CAAC;IAC1B,2EAA2E;IAC3E,aAAa,CAAC,EAAE,UAAU,CAAC;IAC3B;iEAC6D;IAC7D,SAAS,CAAC,EAAE,kBAAkB,CAAC;IAC/B,MAAM,CAAC,EAAE;QAAE,IAAI,CAAC,GAAG,EAAE,MAAM,EAAE,GAAG,IAAI,EAAE,OAAO,EAAE,GAAG,IAAI,CAAC;QAAC,IAAI,CAAC,GAAG,EAAE,MAAM,EAAE,GAAG,IAAI,EAAE,OAAO,EAAE,GAAG,IAAI,CAAC;QAAC,KAAK,CAAC,GAAG,EAAE,MAAM,EAAE,GAAG,IAAI,EAAE,OAAO,EAAE,GAAG,IAAI,CAAA;KAAE,CAAC;CACrJ;AAID;;;;;;;GAOG;AACH,wBAAsB,gBAAgB,CACpC,UAAU,EAAE;IAAE,MAAM,IAAI,OAAO,CAAC;QAAE,QAAQ,IAAI,GAAG,CAAC;QAAC,QAAQ,IAAI,GAAG,CAAA;KAAE,CAAC,CAAA;CAAE,EACvE,UAAU,EAAE,4BAA4B,EACxC,QAAQ,CAAC,EAAE,MAAM,GAChB,OAAO,CAAC,yBAAyB,CAAC,CA6CpC;AAID;;;GAGG;AACH,wBAAgB,kBAAkB,CAAC,IAAI,EAAE,4BAA4B,GAAG,MAAM,CAU7E;AAED;;;GAGG;AACH,wBAAgB,oBAAoB,CAAC,IAAI,EAAE,MAAM,GAAG,4BAA4B,CA2B/E;AAID;;;;;;;;;GASG;AACH,wBAAsB,0BAA0B,CAC9C,WAAW,EAAE,MAAM,EACnB,UAAU,EAAE,MAAM,EAClB,IAAI,EAAE,gBAAgB,EACtB,UAAU,EAAE,MAAM,EAClB,IAAI,GAAE,qBAA0B,GAC/B,OAAO,CAAC,yBAAyB,CAAC,CA4GpC;AAID;;;;;;;GAOG;AACH,wBAAsB,iCAAiC,CACrD,IAAI,EAAE;IACJ,QAAQ,IAAI,OAAO,CAAC;QAAE,QAAQ,IAAI,GAAG,CAAC;QAAC,QAAQ,IAAI,GAAG,CAAA;KAAE,CAAC,CAAC;IAC1D,QAAQ,IAAI,MAAM,CAAC;CACpB,EACD,UAAU,EAAE,MAAM,EAClB,IAAI,EAAE,gBAAgB,EACtB,IAAI,GAAE,qBAA0B,GAC/B,OAAO,CAAC,IAAI,CAAC,CA+Df;AAID;;;;;;;;;;GAUG;AACH,wBAAsB,sBAAsB,CAC1C,IAAI,EAAE;IAAE,MAAM,IAAI,OAAO,CAAC,GAAG,CAAC,CAAA;CAAE,EAChC,UAAU,EAAE,MAAM,EAClB,IAAI,EAAE,gBAAgB,EACtB,IAAI,GAAE,qBAA0B,GAC/B,OAAO,CAAC,IAAI,CAAC,CAef"}

package/dist/trust/consumer.js ADDED Viewed

@@ -0,0 +1,323 @@
+/**
+ * Consumer admission — client-side and server-side admission handshake.
+ *
+ * Spec reference: Aster-trust-spec.md S5
+ *
+ * Client side (performAdmission):
+ *   1. Open a stream on the admission ALPN
+ *   2. Send a ConsumerAdmissionRequest (credential + optional IID token)
+ *   3. Receive a ConsumerAdmissionResponse (services list + registry namespace)
+ *
+ * Server side (handleConsumerAdmissionRpc, serveConsumerAdmission):
+ *   Verify credential, admit peer, return response with services + registry namespace.
+ *
+ * Wire format: newline-delimited JSON over a QUIC bidi-stream on
+ * aster.consumer_admission ALPN. Client sends one JSON line; server
+ * responds with one JSON line and closes the stream.
+ */
+import { bytesToHex } from './credentials.js';
+import { admit } from './admission.js';
+import { MAX_ADMISSION_PAYLOAD_SIZE, MAX_SERVICES_IN_ADMISSION, validateHexField } from '../limits.js';
+import { createPeerAdmission } from '../peer-store.js';
+// ── Client-side ───────────────────────────────────────────────────────────────
+/**
+ * Perform the consumer admission handshake.
+ *
+ * @param connection - The QUIC connection to the producer (admission ALPN)
+ * @param credential - The consumer enrollment credential
+ * @param iidToken - Optional cloud instance identity token
+ * @returns The admission response with services and registry namespace
+ */
+export async function performAdmission(connection, credential, iidToken) {
+    const bi = await connection.openBi();
+    const send = bi.takeSend();
+    const recv = bi.takeRecv();
+    // Build and send request (snake_case keys for Python interop).
+    // The credential is serialised to its snake_case wire form via
+    // consumerCredToJson — JSON.stringify on the camelCase TS interface
+    // would produce the wrong keys and the server would reject it.
+    const wireRequest = {
+        credential_json: credential ? consumerCredToJson(credential) : '',
+        iid_token: iidToken ?? '',
+    };
+    const reqBytes = new TextEncoder().encode(JSON.stringify(wireRequest));
+    if (reqBytes.byteLength > MAX_ADMISSION_PAYLOAD_SIZE) {
+        throw new Error(`admission request too large: ${reqBytes.byteLength} > ${MAX_ADMISSION_PAYLOAD_SIZE}`);
+    }
+    // Write request + finish send side
+    await send.writeAll(reqBytes);
+    await send.finish();
+    // Read response (snake_case keys from Python wire format)
+    const respBytes = await recv.readToEnd(MAX_ADMISSION_PAYLOAD_SIZE);
+    const respText = new TextDecoder().decode(respBytes);
+    if (!respText || respText.length === 0) {
+        throw new Error('admission failed: server returned empty response (may be overloaded, retry)');
+    }
+    const d = JSON.parse(respText);
+    const response = {
+        admitted: d.admitted,
+        reason: d.reason,
+        services: d.services ?? [],
+        registryNamespace: d.registry_namespace ?? d.registryNamespace ?? '',
+        attributes: d.attributes ?? {},
+        rootPubkey: d.root_pubkey ?? d.rootPubkey ?? '',
+        gossipTopic: d.gossip_topic ?? d.gossipTopic,
+    };
+    // Validate
+    if (response.services && response.services.length > MAX_SERVICES_IN_ADMISSION) {
+        throw new Error(`admission response has ${response.services.length} services, max is ${MAX_SERVICES_IN_ADMISSION}`);
+    }
+    return response;
+}
+// ── Credential serialisation helpers ──────────────────────────────────────────
+/**
+ * Serialise a ConsumerEnrollmentCredential to the wire JSON format.
+ * Hex-encodes rootPubkey, nonce, and signature fields.
+ */
+export function consumerCredToJson(cred) {
+    return JSON.stringify({
+        credential_type: cred.credentialType,
+        root_pubkey: cred.rootPubkey, // already hex in TS type
+        expires_at: cred.expiresAt,
+        attributes: cred.attributes,
+        endpoint_id: cred.endpointId ?? null,
+        nonce: cred.nonce ?? null,
+        signature: cred.signature,
+    });
+}
+/**
+ * Deserialise a ConsumerEnrollmentCredential from the wire JSON format.
+ * Validates hex field lengths (pubkey=64, nonce=64, signature=128 hex chars).
+ */
+export function consumerCredFromJson(json) {
+    const d = JSON.parse(json);
+    // Validate hex field lengths
+    validateHexField('root_pubkey', d.root_pubkey ?? '');
+    const nonceHex = d.nonce ?? '';
+    if (nonceHex) {
+        validateHexField('nonce', nonceHex);
+    }
+    const sigHex = d.signature ?? '';
+    if (sigHex) {
+        validateHexField('signature', sigHex);
+    }
+    const eid = d.endpoint_id ?? '';
+    if (eid) {
+        validateHexField('endpoint_id', eid);
+    }
+    return {
+        credentialType: d.credential_type,
+        rootPubkey: d.root_pubkey,
+        expiresAt: Number(d.expires_at),
+        attributes: d.attributes ?? {},
+        endpointId: d.endpoint_id || undefined,
+        nonce: nonceHex || undefined,
+        signature: sigHex || '',
+    };
+}
+// ── Server-side handler ─────────────────────────────────────────────────────
+/**
+ * Server-side handler for the aster.consumer_admission ALPN.
+ *
+ * @param requestJson - JSON-serialised ConsumerAdmissionRequest.
+ * @param rootPubkey - The server's root public key (hex string, 64 chars).
+ * @param hook - MeshEndpointHook; addPeer is called on successful admission.
+ * @param peerNodeId - QUIC peer identity from the connection handshake.
+ * @param opts - Additional options (nonceStore, services, registryNamespace, allowUnenrolled, logger).
+ * @returns ConsumerAdmissionResponse — always returned, never throws.
+ */
+export async function handleConsumerAdmissionRpc(requestJson, rootPubkey, hook, peerNodeId, opts = {}) {
+    const log = opts.logger ?? console;
+    const denied = {
+        admitted: false,
+        reason: '', // oracle protection — never leak reason on wire
+        services: [],
+        rootPubkey,
+    };
+    // Parse the outer request envelope
+    let req;
+    try {
+        const parsed = JSON.parse(requestJson);
+        req = {
+            credentialJson: parsed.credentialJson ?? parsed.credential_json ?? '',
+            iidToken: parsed.iidToken ?? parsed.iid_token ?? '',
+        };
+    }
+    catch (err) {
+        log.warn(`consumer admission: malformed request from ${peerNodeId}: ${err}`);
+        return denied;
+    }
+    // Include gossip topic only when the connecting peer IS the root node
+    // (its endpoint_id == root_pubkey hex). This lets the operator's shell
+    // observe the producer mesh without exposing the topic to other consumers.
+    let topicForPeer = '';
+    if (opts.gossipTopicId && peerNodeId === rootPubkey) {
+        topicForPeer = bytesToHex(opts.gossipTopicId);
+        log.info('consumer admission: root node detected — including gossip topic');
+    }
+    // Dev mode / open gate: empty credential -> auto-admit
+    const isEmptyCredential = !req.credentialJson || req.credentialJson === '{}' || req.credentialJson === 'null';
+    if (isEmptyCredential && opts.allowUnenrolled) {
+        hook.addPeer(peerNodeId);
+        if (opts.peerStore) {
+            opts.peerStore.admit(createPeerAdmission({
+                endpointId: peerNodeId,
+                attributes: new Map(),
+                admissionPath: 'aster.consumer_admission',
+            }));
+        }
+        const role = topicForPeer ? 'root' : 'open gate';
+        log.info(`consumer admission: auto-admitted ${peerNodeId} (${role})`);
+        return {
+            admitted: true,
+            attributes: {},
+            services: opts.services ?? [],
+            registryNamespace: opts.registryNamespace ?? '',
+            rootPubkey,
+            gossipTopic: topicForPeer || undefined,
+            reason: '',
+        };
+    }
+    // Parse the inner credential
+    let cred;
+    try {
+        cred = consumerCredFromJson(req.credentialJson);
+    }
+    catch (err) {
+        log.warn(`consumer admission: malformed credential from ${peerNodeId}: ${err}`);
+        return denied;
+    }
+    // Trust anchor check: credential's rootPubkey must match server's
+    if (!cred.rootPubkey || cred.rootPubkey !== rootPubkey) {
+        log.warn(`consumer admission: untrusted root key from ${peerNodeId} ` +
+            `(got ${(cred.rootPubkey ?? '(none)').slice(0, 12)}, expected ${rootPubkey.slice(0, 12)})`);
+        return denied;
+    }
+    // Run admission checks (offline + runtime)
+    const result = await admit(cred, peerNodeId, {
+        nonceStore: opts.nonceStore,
+        iidToken: req.iidToken || undefined,
+    });
+    if (!result.admitted) {
+        log.info(`consumer admission: denied ${peerNodeId}`);
+        return denied;
+    }
+    hook.addPeer(peerNodeId);
+    if (opts.peerStore) {
+        const attrMap = new Map();
+        for (const [k, v] of Object.entries(result.attributes ?? {})) {
+            attrMap.set(k, String(v));
+        }
+        opts.peerStore.admit(createPeerAdmission({
+            endpointId: peerNodeId,
+            attributes: attrMap,
+            expiresAt: cred.expiresAt ?? 0,
+            admissionPath: 'aster.consumer_admission',
+        }));
+    }
+    log.info(`consumer admission: admitted ${peerNodeId}`);
+    return {
+        admitted: true,
+        attributes: result.attributes ?? {},
+        services: opts.services ?? [],
+        registryNamespace: opts.registryNamespace ?? '',
+        rootPubkey,
+        gossipTopic: topicForPeer || undefined,
+        reason: '',
+    };
+}
+// ── Per-connection handler ──────────────────────────────────────────────────
+/**
+ * Handle one consumer admission connection: read request, write response.
+ *
+ * @param conn - A QUIC connection with acceptBi() and remoteId() methods.
+ * @param rootPubkey - Hex-encoded root public key.
+ * @param hook - MeshEndpointHook for peer admission tracking.
+ * @param opts - Additional options.
+ */
+export async function handleConsumerAdmissionConnection(conn, rootPubkey, hook, opts = {}) {
+    const peerNodeId = conn.remoteId();
+    const log = opts.logger ?? console;
+    try {
+        const bi = await conn.acceptBi();
+        const send = bi.takeSend();
+        const recv = bi.takeRecv();
+        const raw = await recv.readToEnd(MAX_ADMISSION_PAYLOAD_SIZE);
+        if (!raw || raw.length === 0) {
+            log.warn(`consumer admission: empty request from ${peerNodeId}`);
+            return;
+        }
+        const requestJson = new TextDecoder().decode(raw);
+        const response = await handleConsumerAdmissionRpc(requestJson, rootPubkey, hook, peerNodeId, opts);
+        // Serialise response — snake_case keys for Python interop.
+        // Strip reason on wire (oracle protection).
+        // Convert ServiceSummary to snake_case for wire compat
+        const wireServices = (response.services ?? []).map((s) => ({
+            name: s.name,
+            version: s.version,
+            contract_id: s.contractId ?? s.contract_id ?? '',
+            pattern: s.pattern,
+            methods: s.methods,
+            channels: s.channels ?? {},
+            serialization_modes: s.serializationModes ?? s.serialization_modes ?? [],
+        }));
+        const wireResponse = {
+            admitted: response.admitted,
+            attributes: response.attributes ?? {},
+            services: wireServices,
+            registry_namespace: response.registryNamespace ?? '',
+            root_pubkey: response.rootPubkey ?? '',
+            reason: '', // never leak reason on wire
+        };
+        if (response.gossipTopic) {
+            wireResponse.gossip_topic = response.gossipTopic;
+        }
+        const responseBytes = new TextEncoder().encode(JSON.stringify(wireResponse));
+        try {
+            await send.writeAll(responseBytes);
+            await send.finish();
+        }
+        catch (writeErr) {
+            log.warn(`consumer admission: failed to send response to ${peerNodeId}: ${writeErr}`);
+            // Stream write failed — client will see an empty/closed stream.
+            // Nothing more we can do; the connection may already be gone.
+        }
+        // Don't conn.close() — let QUIC drain the streams naturally.
+        // Calling close() sends CONNECTION_CLOSE which kills in-flight
+        // data before the consumer can readToEnd().
+    }
+    catch (err) {
+        log.warn(`consumer admission: error handling ${peerNodeId}: ${err}`);
+    }
+}
+// ── Accept loop ─────────────────────────────────────────────────────────────
+/**
+ * Accept and process connections on aster.consumer_admission until cancelled.
+ *
+ * Runs as a background task alongside the main server. Each connection is
+ * handled concurrently so one slow consumer cannot block others.
+ *
+ * @param node - An endpoint/node bound to the consumer admission ALPN, with accept().
+ * @param rootPubkey - Hex-encoded root public key.
+ * @param hook - MeshEndpointHook allowlist manager.
+ * @param opts - Additional options.
+ */
+export async function serveConsumerAdmission(node, rootPubkey, hook, opts = {}) {
+    const log = opts.logger ?? console;
+    try {
+        while (true) {
+            const conn = await node.accept();
+            // Fire-and-forget: handle each connection concurrently
+            handleConsumerAdmissionConnection(conn, rootPubkey, hook, opts).catch((err) => {
+                log.warn(`consumer admission: connection handler error: ${err}`);
+            });
+        }
+    }
+    catch (err) {
+        const msg = err instanceof Error ? err.message : String(err);
+        if (msg.includes('abort') || msg.includes('cancel'))
+            return;
+        log.error(`serveConsumerAdmission: unexpected error: ${msg}`);
+    }
+}
+//# sourceMappingURL=consumer.js.map

package/dist/trust/consumer.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"consumer.js","sourceRoot":"","sources":["../../src/trust/consumer.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;GAgBG;AAEH,OAAO,EAAE,UAAU,EAAqC,MAAM,kBAAkB,CAAC;AACjF,OAAO,EAAE,KAAK,EAAE,MAAM,gBAAgB,CAAC;AAEvC,OAAO,EAAE,0BAA0B,EAAE,yBAAyB,EAAE,gBAAgB,EAAE,MAAM,cAAc,CAAC;AAEvG,OAAO,EAAE,mBAAmB,EAA2B,MAAM,kBAAkB,CAAC;AAuDhF,iFAAiF;AAEjF;;;;;;;GAOG;AACH,MAAM,CAAC,KAAK,UAAU,gBAAgB,CACpC,UAAuE,EACvE,UAAwC,EACxC,QAAiB;IAEjB,MAAM,EAAE,GAAG,MAAM,UAAU,CAAC,MAAM,EAAE,CAAC;IACrC,MAAM,IAAI,GAAG,EAAE,CAAC,QAAQ,EAAE,CAAC;IAC3B,MAAM,IAAI,GAAG,EAAE,CAAC,QAAQ,EAAE,CAAC;IAE3B,+DAA+D;IAC/D,+DAA+D;IAC/D,oEAAoE;IACpE,+DAA+D;IAC/D,MAAM,WAAW,GAAG;QAClB,eAAe,EAAE,UAAU,CAAC,CAAC,CAAC,kBAAkB,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,EAAE;QACjE,SAAS,EAAE,QAAQ,IAAI,EAAE;KAC1B,CAAC;IACF,MAAM,QAAQ,GAAG,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,IAAI,CAAC,SAAS,CAAC,WAAW,CAAC,CAAC,CAAC;IACvE,IAAI,QAAQ,CAAC,UAAU,GAAG,0BAA0B,EAAE,CAAC;QACrD,MAAM,IAAI,KAAK,CAAC,gCAAgC,QAAQ,CAAC,UAAU,MAAM,0BAA0B,EAAE,CAAC,CAAC;IACzG,CAAC;IAED,mCAAmC;IACnC,MAAM,IAAI,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;IAC9B,MAAM,IAAI,CAAC,MAAM,EAAE,CAAC;IAEpB,0DAA0D;IAC1D,MAAM,SAAS,GAAG,MAAM,IAAI,CAAC,SAAS,CAAC,0BAA0B,CAAC,CAAC;IACnE,MAAM,QAAQ,GAAG,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;IACrD,IAAI,CAAC,QAAQ,IAAI,QAAQ,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACvC,MAAM,IAAI,KAAK,CAAC,6EAA6E,CAAC,CAAC;IACjG,CAAC;IACD,MAAM,CAAC,GAAG,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC,CAAC;IAC/B,MAAM,QAAQ,GAA8B;QAC1C,QAAQ,EAAE,CAAC,CAAC,QAAQ;QACpB,MAAM,EAAE,CAAC,CAAC,MAAM;QAChB,QAAQ,EAAE,CAAC,CAAC,QAAQ,IAAI,EAAE;QAC1B,iBAAiB,EAAE,CAAC,CAAC,kBAAkB,IAAI,CAAC,CAAC,iBAAiB,IAAI,EAAE;QACpE,UAAU,EAAE,CAAC,CAAC,UAAU,IAAI,EAAE;QAC9B,UAAU,EAAE,CAAC,CAAC,WAAW,IAAI,CAAC,CAAC,UAAU,IAAI,EAAE;QAC/C,WAAW,EAAE,CAAC,CAAC,YAAY,IAAI,CAAC,CAAC,WAAW;KAC7C,CAAC;IAEF,WAAW;IACX,IAAI,QAAQ,CAAC,QAAQ,IAAI,QAAQ,CAAC,QAAQ,CAAC,MAAM,GAAG,yBAAyB,EAAE,CAAC;QAC9E,MAAM,IAAI,KAAK,CAAC,0BAA0B,QAAQ,CAAC,QAAQ,CAAC,MAAM,qBAAqB,yBAAyB,EAAE,CAAC,CAAC;IACtH,CAAC;IAED,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED,iFAAiF;AAEjF;;;GAGG;AACH,MAAM,UAAU,kBAAkB,CAAC,IAAkC;IACnE,OAAO,IAAI,CAAC,SAAS,CAAC;QACpB,eAAe,EAAE,IAAI,CAAC,cAAc;QACpC,WAAW,EAAE,IAAI,CAAC,UAAU,EAAG,yBAAyB;QACxD,UAAU,EAAE,IAAI,CAAC,SAAS;QAC1B,UAAU,EAAE,IAAI,CAAC,UAAU;QAC3B,WAAW,EAAE,IAAI,CAAC,UAAU,IAAI,IAAI;QACpC,KAAK,EAAE,IAAI,CAAC,KAAK,IAAI,IAAI;QACzB,SAAS,EAAE,IAAI,CAAC,SAAS;KAC1B,CAAC,CAAC;AACL,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,oBAAoB,CAAC,IAAY;IAC/C,MAAM,CAAC,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IAE3B,6BAA6B;IAC7B,gBAAgB,CAAC,aAAa,EAAE,CAAC,CAAC,WAAW,IAAI,EAAE,CAAC,CAAC;IACrD,MAAM,QAAQ,GAAW,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;IACvC,IAAI,QAAQ,EAAE,CAAC;QACb,gBAAgB,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC;IACtC,CAAC;IACD,MAAM,MAAM,GAAW,CAAC,CAAC,SAAS,IAAI,EAAE,CAAC;IACzC,IAAI,MAAM,EAAE,CAAC;QACX,gBAAgB,CAAC,WAAW,EAAE,MAAM,CAAC,CAAC;IACxC,CAAC;IACD,MAAM,GAAG,GAAW,CAAC,CAAC,WAAW,IAAI,EAAE,CAAC;IACxC,IAAI,GAAG,EAAE,CAAC;QACR,gBAAgB,CAAC,aAAa,EAAE,GAAG,CAAC,CAAC;IACvC,CAAC;IAED,OAAO;QACL,cAAc,EAAE,CAAC,CAAC,eAAe;QACjC,UAAU,EAAE,CAAC,CAAC,WAAW;QACzB,SAAS,EAAE,MAAM,CAAC,CAAC,CAAC,UAAU,CAAC;QAC/B,UAAU,EAAE,CAAC,CAAC,UAAU,IAAI,EAAE;QAC9B,UAAU,EAAE,CAAC,CAAC,WAAW,IAAI,SAAS;QACtC,KAAK,EAAE,QAAQ,IAAI,SAAS;QAC5B,SAAS,EAAE,MAAM,IAAI,EAAE;KACxB,CAAC;AACJ,CAAC;AAED,+EAA+E;AAE/E;;;;;;;;;GASG;AACH,MAAM,CAAC,KAAK,UAAU,0BAA0B,CAC9C,WAAmB,EACnB,UAAkB,EAClB,IAAsB,EACtB,UAAkB,EAClB,OAA8B,EAAE;IAEhC,MAAM,GAAG,GAAG,IAAI,CAAC,MAAM,IAAI,OAAO,CAAC;IACnC,MAAM,MAAM,GAA8B;QACxC,QAAQ,EAAE,KAAK;QACf,MAAM,EAAE,EAAE,EAAE,gDAAgD;QAC5D,QAAQ,EAAE,EAAE;QACZ,UAAU;KACX,CAAC;IAEF,mCAAmC;IACnC,IAAI,GAA6B,CAAC;IAClC,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,WAAW,CAAC,CAAC;QACvC,GAAG,GAAG;YACJ,cAAc,EAAE,MAAM,CAAC,cAAc,IAAI,MAAM,CAAC,eAAe,IAAI,EAAE;YACrE,QAAQ,EAAE,MAAM,CAAC,QAAQ,IAAI,MAAM,CAAC,SAAS,IAAI,EAAE;SACpD,CAAC;IACJ,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,GAAG,CAAC,IAAI,CAAC,8CAA8C,UAAU,KAAK,GAAG,EAAE,CAAC,CAAC;QAC7E,OAAO,MAAM,CAAC;IAChB,CAAC;IAED,sEAAsE;IACtE,uEAAuE;IACvE,2EAA2E;IAC3E,IAAI,YAAY,GAAG,EAAE,CAAC;IACtB,IAAI,IAAI,CAAC,aAAa,IAAI,UAAU,KAAK,UAAU,EAAE,CAAC;QACpD,YAAY,GAAG,UAAU,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC;QAC9C,GAAG,CAAC,IAAI,CAAC,iEAAiE,CAAC,CAAC;IAC9E,CAAC;IAED,uDAAuD;IACvD,MAAM,iBAAiB,GAAG,CAAC,GAAG,CAAC,cAAc,IAAI,GAAG,CAAC,cAAc,KAAK,IAAI,IAAI,GAAG,CAAC,cAAc,KAAK,MAAM,CAAC;IAC9G,IAAI,iBAAiB,IAAI,IAAI,CAAC,eAAe,EAAE,CAAC;QAC9C,IAAI,CAAC,OAAO,CAAC,UAAU,CAAC,CAAC;QACzB,IAAI,IAAI,CAAC,SAAS,EAAE,CAAC;YACnB,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,mBAAmB,CAAC;gBACvC,UAAU,EAAE,UAAU;gBACtB,UAAU,EAAE,IAAI,GAAG,EAAE;gBACrB,aAAa,EAAE,0BAA0B;aAC1C,CAAC,CAAC,CAAC;QACN,CAAC;QACD,MAAM,IAAI,GAAG,YAAY,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,WAAW,CAAC;QACjD,GAAG,CAAC,IAAI,CAAC,qCAAqC,UAAU,KAAK,IAAI,GAAG,CAAC,CAAC;QACtE,OAAO;YACL,QAAQ,EAAE,IAAI;YACd,UAAU,EAAE,EAAE;YACd,QAAQ,EAAE,IAAI,CAAC,QAAQ,IAAI,EAAE;YAC7B,iBAAiB,EAAE,IAAI,CAAC,iBAAiB,IAAI,EAAE;YAC/C,UAAU;YACV,WAAW,EAAE,YAAY,IAAI,SAAS;YACtC,MAAM,EAAE,EAAE;SACX,CAAC;IACJ,CAAC;IAED,6BAA6B;IAC7B,IAAI,IAAkC,CAAC;IACvC,IAAI,CAAC;QACH,IAAI,GAAG,oBAAoB,CAAC,GAAG,CAAC,cAAc,CAAC,CAAC;IAClD,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,GAAG,CAAC,IAAI,CAAC,iDAAiD,UAAU,KAAK,GAAG,EAAE,CAAC,CAAC;QAChF,OAAO,MAAM,CAAC;IAChB,CAAC;IAED,kEAAkE;IAClE,IAAI,CAAC,IAAI,CAAC,UAAU,IAAI,IAAI,CAAC,UAAU,KAAK,UAAU,EAAE,CAAC;QACvD,GAAG,CAAC,IAAI,CACN,+CAA+C,UAAU,GAAG;YAC5D,QAAQ,CAAC,IAAI,CAAC,UAAU,IAAI,QAAQ,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,cAAc,UAAU,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,GAAG,CAC3F,CAAC;QACF,OAAO,MAAM,CAAC;IAChB,CAAC;IAED,2CAA2C;IAC3C,MAAM,MAAM,GAAG,MAAM,KAAK,CAAC,IAAI,EAAE,UAAU,EAAE;QAC3C,UAAU,EAAE,IAAI,CAAC,UAAU;QAC3B,QAAQ,EAAE,GAAG,CAAC,QAAQ,IAAI,SAAS;KACpC,CAAC,CAAC;IAEH,IAAI,CAAC,MAAM,CAAC,QAAQ,EAAE,CAAC;QACrB,GAAG,CAAC,IAAI,CAAC,8BAA8B,UAAU,EAAE,CAAC,CAAC;QACrD,OAAO,MAAM,CAAC;IAChB,CAAC;IAED,IAAI,CAAC,OAAO,CAAC,UAAU,CAAC,CAAC;IACzB,IAAI,IAAI,CAAC,SAAS,EAAE,CAAC;QACnB,MAAM,OAAO,GAAG,IAAI,GAAG,EAAkB,CAAC;QAC1C,KAAK,MAAM,CAAC,CAAC,EAAE,CAAC,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC,UAAU,IAAI,EAAE,CAAC,EAAE,CAAC;YAC7D,OAAO,CAAC,GAAG,CAAC,CAAC,EAAE,MAAM,CAAC,CAAC,CAAC,CAAC,CAAC;QAC5B,CAAC;QACD,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,mBAAmB,CAAC;YACvC,UAAU,EAAE,UAAU;YACtB,UAAU,EAAE,OAAO;YACnB,SAAS,EAAE,IAAI,CAAC,SAAS,IAAI,CAAC;YAC9B,aAAa,EAAE,0BAA0B;SAC1C,CAAC,CAAC,CAAC;IACN,CAAC;IACD,GAAG,CAAC,IAAI,CAAC,gCAAgC,UAAU,EAAE,CAAC,CAAC;IAEvD,OAAO;QACL,QAAQ,EAAE,IAAI;QACd,UAAU,EAAE,MAAM,CAAC,UAAU,IAAI,EAAE;QACnC,QAAQ,EAAE,IAAI,CAAC,QAAQ,IAAI,EAAE;QAC7B,iBAAiB,EAAE,IAAI,CAAC,iBAAiB,IAAI,EAAE;QAC/C,UAAU;QACV,WAAW,EAAE,YAAY,IAAI,SAAS;QACtC,MAAM,EAAE,EAAE;KACX,CAAC;AACJ,CAAC;AAED,+EAA+E;AAE/E;;;;;;;GAOG;AACH,MAAM,CAAC,KAAK,UAAU,iCAAiC,CACrD,IAGC,EACD,UAAkB,EAClB,IAAsB,EACtB,OAA8B,EAAE;IAEhC,MAAM,UAAU,GAAG,IAAI,CAAC,QAAQ,EAAE,CAAC;IACnC,MAAM,GAAG,GAAG,IAAI,CAAC,MAAM,IAAI,OAAO,CAAC;IACnC,IAAI,CAAC;QACH,MAAM,EAAE,GAAG,MAAM,IAAI,CAAC,QAAQ,EAAE,CAAC;QACjC,MAAM,IAAI,GAAG,EAAE,CAAC,QAAQ,EAAE,CAAC;QAC3B,MAAM,IAAI,GAAG,EAAE,CAAC,QAAQ,EAAE,CAAC;QAE3B,MAAM,GAAG,GAAe,MAAM,IAAI,CAAC,SAAS,CAAC,0BAA0B,CAAC,CAAC;QACzE,IAAI,CAAC,GAAG,IAAI,GAAG,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YAC7B,GAAG,CAAC,IAAI,CAAC,0CAA0C,UAAU,EAAE,CAAC,CAAC;YACjE,OAAO;QACT,CAAC;QAED,MAAM,WAAW,GAAG,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;QAElD,MAAM,QAAQ,GAAG,MAAM,0BAA0B,CAC/C,WAAW,EACX,UAAU,EACV,IAAI,EACJ,UAAU,EACV,IAAI,CACL,CAAC;QAEF,2DAA2D;QAC3D,4CAA4C;QAC5C,uDAAuD;QACvD,MAAM,YAAY,GAAG,CAAC,QAAQ,CAAC,QAAQ,IAAI,EAAE,CAAC,CAAC,GAAG,CAAC,CAAC,CAAM,EAAE,EAAE,CAAC,CAAC;YAC9D,IAAI,EAAE,CAAC,CAAC,IAAI;YACZ,OAAO,EAAE,CAAC,CAAC,OAAO;YAClB,WAAW,EAAE,CAAC,CAAC,UAAU,IAAI,CAAC,CAAC,WAAW,IAAI,EAAE;YAChD,OAAO,EAAE,CAAC,CAAC,OAAO;YAClB,OAAO,EAAE,CAAC,CAAC,OAAO;YAClB,QAAQ,EAAE,CAAC,CAAC,QAAQ,IAAI,EAAE;YAC1B,mBAAmB,EAAE,CAAC,CAAC,kBAAkB,IAAI,CAAC,CAAC,mBAAmB,IAAI,EAAE;SACzE,CAAC,CAAC,CAAC;QACJ,MAAM,YAAY,GAA4B;YAC5C,QAAQ,EAAE,QAAQ,CAAC,QAAQ;YAC3B,UAAU,EAAE,QAAQ,CAAC,UAAU,IAAI,EAAE;YACrC,QAAQ,EAAE,YAAY;YACtB,kBAAkB,EAAE,QAAQ,CAAC,iBAAiB,IAAI,EAAE;YACpD,WAAW,EAAE,QAAQ,CAAC,UAAU,IAAI,EAAE;YACtC,MAAM,EAAE,EAAE,EAAE,4BAA4B;SACzC,CAAC;QACF,IAAI,QAAQ,CAAC,WAAW,EAAE,CAAC;YACzB,YAAY,CAAC,YAAY,GAAG,QAAQ,CAAC,WAAW,CAAC;QACnD,CAAC;QAED,MAAM,aAAa,GAAG,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,IAAI,CAAC,SAAS,CAAC,YAAY,CAAC,CAAC,CAAC;QAC7E,IAAI,CAAC;YACH,MAAM,IAAI,CAAC,QAAQ,CAAC,aAAa,CAAC,CAAC;YACnC,MAAM,IAAI,CAAC,MAAM,EAAE,CAAC;QACtB,CAAC;QAAC,OAAO,QAAQ,EAAE,CAAC;YAClB,GAAG,CAAC,IAAI,CAAC,kDAAkD,UAAU,KAAK,QAAQ,EAAE,CAAC,CAAC;YACtF,gEAAgE;YAChE,8DAA8D;QAChE,CAAC;QACD,6DAA6D;QAC7D,+DAA+D;QAC/D,4CAA4C;IAC9C,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,GAAG,CAAC,IAAI,CAAC,sCAAsC,UAAU,KAAK,GAAG,EAAE,CAAC,CAAC;IACvE,CAAC;AACH,CAAC;AAED,+EAA+E;AAE/E;;;;;;;;;;GAUG;AACH,MAAM,CAAC,KAAK,UAAU,sBAAsB,CAC1C,IAAgC,EAChC,UAAkB,EAClB,IAAsB,EACtB,OAA8B,EAAE;IAEhC,MAAM,GAAG,GAAG,IAAI,CAAC,MAAM,IAAI,OAAO,CAAC;IACnC,IAAI,CAAC;QACH,OAAO,IAAI,EAAE,CAAC;YACZ,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,MAAM,EAAE,CAAC;YACjC,uDAAuD;YACvD,iCAAiC,CAAC,IAAI,EAAE,UAAU,EAAE,IAAI,EAAE,IAAI,CAAC,CAAC,KAAK,CAAC,CAAC,GAAG,EAAE,EAAE;gBAC5E,GAAG,CAAC,IAAI,CAAC,iDAAiD,GAAG,EAAE,CAAC,CAAC;YACnE,CAAC,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAAC,OAAO,GAAY,EAAE,CAAC;QACtB,MAAM,GAAG,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;QAC7D,IAAI,GAAG,CAAC,QAAQ,CAAC,OAAO,CAAC,IAAI,GAAG,CAAC,QAAQ,CAAC,QAAQ,CAAC;YAAE,OAAO;QAC5D,GAAG,CAAC,KAAK,CAAC,6CAA6C,GAAG,EAAE,CAAC,CAAC;IAChE,CAAC;AACH,CAAC"}

package/dist/trust/credentials.d.ts ADDED Viewed

@@ -0,0 +1,98 @@
+/**
+ * Credential types and ed25519 signing/verification.
+ *
+ * Spec reference: Aster-trust-spec.md
+ *
+ * Signing bytes computation delegates to Rust core via NAPI.
+ * Ed25519 operations use @noble/ed25519 for portability.
+ */
+/** Producer enrollment credential. */
+export interface EnrollmentCredential {
+    endpointId: string;
+    rootPubkey: string;
+    expiresAt: number;
+    attributes: Record<string, string>;
+    signature: string;
+}
+/** Consumer enrollment credential. */
+export interface ConsumerEnrollmentCredential {
+    credentialType: 'policy' | 'ott';
+    rootPubkey: string;
+    expiresAt: number;
+    attributes: Record<string, string>;
+    endpointId?: string;
+    nonce?: string;
+    signature: string;
+}
+/** Reserved attribute keys. */
+export declare const ATTR_ROLE = "aster.role";
+export declare const ATTR_NAME = "aster.name";
+export declare const ATTR_IID_PROVIDER = "aster.iid_provider";
+export declare const ATTR_IID_ACCOUNT = "aster.iid_account";
+export declare const ATTR_IID_REGION = "aster.iid_region";
+export declare const ATTR_IID_ROLE_ARN = "aster.iid_role_arn";
+/**
+ * Generate an ed25519 keypair.
+ * Returns [privateKey (32 bytes), publicKey (32 bytes)].
+ *
+ * Requires @noble/ed25519:
+ * ```ts
+ * import { utils } from '@noble/ed25519';
+ * const privKey = utils.randomPrivateKey();
+ * const pubKey = await getPublicKeyAsync(privKey);
+ * ```
+ */
+export declare function generateKeypair(): Promise<[Uint8Array, Uint8Array]>;
+/**
+ * Sign a message with an ed25519 private key.
+ * Returns 64-byte signature.
+ */
+export declare function sign(privateKey: Uint8Array, message: Uint8Array): Promise<Uint8Array>;
+/**
+ * Verify an ed25519 signature.
+ */
+export declare function verify(publicKey: Uint8Array, message: Uint8Array, signature: Uint8Array): Promise<boolean>;
+declare function hexToBytes(hex: string): Uint8Array;
+declare function bytesToHex(bytes: Uint8Array): string;
+/** Canonical JSON: UTF-8, sorted keys, no extra whitespace. */
+export declare function canonicalJson(attributes: Record<string, string>): Uint8Array;
+/** Signing bytes for EnrollmentCredential (producer). */
+export declare function producerSigningBytes(cred: EnrollmentCredential): Uint8Array;
+/** Signing bytes for ConsumerEnrollmentCredential. */
+export declare function consumerSigningBytes(cred: ConsumerEnrollmentCredential): Uint8Array;
+/** Compute signing bytes for any credential type. */
+export declare function credentialSigningBytes(cred: EnrollmentCredential | ConsumerEnrollmentCredential): Uint8Array;
+/**
+ * Sign a credential with the root private key.
+ * Returns 64-byte signature as hex string.
+ */
+export declare function signCredential(cred: EnrollmentCredential | ConsumerEnrollmentCredential, rootPrivkeyRaw: Uint8Array): Promise<string>;
+/**
+ * Verify a credential's signature.
+ * If rootPubkeyHex is provided, it overrides cred.rootPubkey.
+ * Returns true on success, false on any failure.
+ */
+export declare function verifyCredentialSignature(cred: EnrollmentCredential | ConsumerEnrollmentCredential, rootPubkeyHex?: string): Promise<boolean>;
+declare function concatBytes(arrays: Uint8Array[]): Uint8Array;
+/**
+ * Generate a root keypair (alias for generateKeypair).
+ * Returns [privateKey, publicKey] as raw 32-byte arrays.
+ */
+export declare function generateRootKeypair(): Promise<[Uint8Array, Uint8Array]>;
+/**
+ * Load a raw 32-byte private key.
+ * Returns the key as-is (validates length).
+ */
+export declare function loadPrivateKey(privRaw: Uint8Array): Uint8Array;
+/**
+ * Load a raw 32-byte public key.
+ * Returns the key as-is (validates length).
+ */
+export declare function loadPublicKey(pubRaw: Uint8Array): Uint8Array;
+/**
+ * Verify an ed25519 signature.
+ * Alias for the low-level `verify()` with a consistent signature.
+ */
+export declare function verifySignature(publicKey: Uint8Array, message: Uint8Array, signature: Uint8Array): Promise<boolean>;
+export { hexToBytes, bytesToHex, concatBytes };
+//# sourceMappingURL=credentials.d.ts.map

package/dist/trust/credentials.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"credentials.d.ts","sourceRoot":"","sources":["../../src/trust/credentials.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,sCAAsC;AACtC,MAAM,WAAW,oBAAoB;IACnC,UAAU,EAAE,MAAM,CAAC;IACnB,UAAU,EAAE,MAAM,CAAC;IACnB,SAAS,EAAE,MAAM,CAAC;IAClB,UAAU,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IACnC,SAAS,EAAE,MAAM,CAAC;CACnB;AAED,sCAAsC;AACtC,MAAM,WAAW,4BAA4B;IAC3C,cAAc,EAAE,QAAQ,GAAG,KAAK,CAAC;IACjC,UAAU,EAAE,MAAM,CAAC;IACnB,SAAS,EAAE,MAAM,CAAC;IAClB,UAAU,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IACnC,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,SAAS,EAAE,MAAM,CAAC;CACnB;AAED,+BAA+B;AAC/B,eAAO,MAAM,SAAS,eAAe,CAAC;AACtC,eAAO,MAAM,SAAS,eAAe,CAAC;AACtC,eAAO,MAAM,iBAAiB,uBAAuB,CAAC;AACtD,eAAO,MAAM,gBAAgB,sBAAsB,CAAC;AACpD,eAAO,MAAM,eAAe,qBAAqB,CAAC;AAClD,eAAO,MAAM,iBAAiB,uBAAuB,CAAC;AAsCtD;;;;;;;;;;GAUG;AACH,wBAAsB,eAAe,IAAI,OAAO,CAAC,CAAC,UAAU,EAAE,UAAU,CAAC,CAAC,CAYzE;AAED;;;GAGG;AACH,wBAAsB,IAAI,CAAC,UAAU,EAAE,UAAU,EAAE,OAAO,EAAE,UAAU,GAAG,OAAO,CAAC,UAAU,CAAC,CAe3F;AAED;;GAEG;AACH,wBAAsB,MAAM,CAC1B,SAAS,EAAE,UAAU,EACrB,OAAO,EAAE,UAAU,EACnB,SAAS,EAAE,UAAU,GACpB,OAAO,CAAC,OAAO,CAAC,CAelB;AAID,iBAAS,UAAU,CAAC,GAAG,EAAE,MAAM,GAAG,UAAU,CAM3C;AAED,iBAAS,UAAU,CAAC,KAAK,EAAE,UAAU,GAAG,MAAM,CAE7C;AAOD,+DAA+D;AAC/D,wBAAgB,aAAa,CAAC,UAAU,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,GAAG,UAAU,CAM5E;AAYD,yDAAyD;AACzD,wBAAgB,oBAAoB,CAAC,IAAI,EAAE,oBAAoB,GAAG,UAAU,CAQ3E;AAED,sDAAsD;AACtD,wBAAgB,oBAAoB,CAAC,IAAI,EAAE,4BAA4B,GAAG,UAAU,CA0BnF;AAED,qDAAqD;AACrD,wBAAgB,sBAAsB,CACpC,IAAI,EAAE,oBAAoB,GAAG,4BAA4B,GACxD,UAAU,CAQZ;AAED;;;GAGG;AACH,wBAAsB,cAAc,CAClC,IAAI,EAAE,oBAAoB,GAAG,4BAA4B,EACzD,cAAc,EAAE,UAAU,GACzB,OAAO,CAAC,MAAM,CAAC,CAIjB;AAED;;;;GAIG;AACH,wBAAsB,yBAAyB,CAC7C,IAAI,EAAE,oBAAoB,GAAG,4BAA4B,EACzD,aAAa,CAAC,EAAE,MAAM,GACrB,OAAO,CAAC,OAAO,CAAC,CAQlB;AAID,iBAAS,WAAW,CAAC,MAAM,EAAE,UAAU,EAAE,GAAG,UAAU,CASrD;AAID;;;GAGG;AACH,wBAAsB,mBAAmB,IAAI,OAAO,CAAC,CAAC,UAAU,EAAE,UAAU,CAAC,CAAC,CAE7E;AAED;;;GAGG;AACH,wBAAgB,cAAc,CAAC,OAAO,EAAE,UAAU,GAAG,UAAU,CAK9D;AAED;;;GAGG;AACH,wBAAgB,aAAa,CAAC,MAAM,EAAE,UAAU,GAAG,UAAU,CAK5D;AAED;;;GAGG;AACH,wBAAsB,eAAe,CACnC,SAAS,EAAE,UAAU,EACrB,OAAO,EAAE,UAAU,EACnB,SAAS,EAAE,UAAU,GACpB,OAAO,CAAC,OAAO,CAAC,CAElB;AAED,OAAO,EAAE,UAAU,EAAE,UAAU,EAAE,WAAW,EAAE,CAAC"}