@brightchain/brightchain-lib 0.18.0 → 0.20.0

package/src/lib/services/quorumStateMachine.js

@@ -0,0 +1,1396 @@
+"use strict";
+/**
+ * @fileoverview QuorumStateMachine implementation.
+ *
+ * Central coordinator for the quorum system. Manages operational mode,
+ * epoch lifecycle, proposal/vote orchestration, and delegates to
+ * SealingService for cryptographic operations.
+ *
+ * @see Requirements 1-8, 10-13
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.QuorumStateMachine = void 0;
+const ecies_lib_1 = require("@digitaldefiance/ecies-lib");
+const uuid_1 = require("uuid");
+const proposalActionType_1 = require("../enumerations/proposalActionType");
+const proposalStatus_1 = require("../enumerations/proposalStatus");
+const quorumErrorType_1 = require("../enumerations/quorumErrorType");
+const quorumOperationalMode_1 = require("../enumerations/quorumOperationalMode");
+const quorumError_1 = require("../errors/quorumError");
+const quorumDataRecord_1 = require("../quorumDataRecord");
+const checksum_service_1 = require("./checksum.service");
+/**
+ * Constant-time comparison of two Uint8Array buffers.
+ * Prevents timing side-channel attacks by always comparing all bytes.
+ */
+function constantTimeEqual(a, b) {
+    if (a.length !== b.length) {
+        return false;
+    }
+    let result = 0;
+    for (let i = 0; i < a.length; i++) {
+        result |= a[i] ^ b[i];
+    }
+    return result === 0;
+}
+/**
+ * QuorumStateMachine is the central coordinator for the quorum system.
+ *
+ * It manages:
+ * - Operational mode (Bootstrap / Quorum / TransitionInProgress)
+ * - Epoch lifecycle
+ * - Document sealing/unsealing with mode-aware delegation
+ * - Metrics collection
+ *
+ * @template TID - Platform ID type for frontend/backend DTO compatibility
+ */
+class QuorumStateMachine {
+    constructor(db, sealingService, gossipService, auditLogService, aliasRegistry) {
+        this.db = db;
+        this.sealingService = sealingService;
+        this.gossipService = gossipService;
+        this.auditLogService = auditLogService;
+        this.aliasRegistry = aliasRegistry;
+        this.mode = null;
+        this.currentEpochData = null;
+        this.configuredThreshold = 0;
+        this.initialized = false;
+        this.checksumService = new checksum_service_1.ChecksumService();
+        // Metrics tracking
+        this.metricsData = {
+            proposalsTotal: 0,
+            proposalsPending: 0,
+            votesLatencyMs: 0,
+            redistributionProgress: -1,
+            redistributionFailures: 0,
+            expirationLastRun: null,
+            expirationDeletedTotal: 0,
+        };
+    }
+    /**
+     * Initialize the quorum system.
+     *
+     * - Checks for persisted operational state first (restore on restart).
+     * - If TransitionInProgress is detected, triggers rollback recovery.
+     * - Otherwise, determines mode based on member count vs threshold.
+     * - Persists the operational state and creates epoch 1.
+     */
+    async initialize(members, threshold) {
+        this.configuredThreshold = threshold;
+        // Check for persisted state (restart recovery)
+        const persistedState = await this.db.getOperationalState();
+        if (persistedState) {
+            // Crash recovery: detect TransitionInProgress and rollback
+            if (persistedState.mode === quorumOperationalMode_1.QuorumOperationalMode.TransitionInProgress) {
+                // Get journal entries for the current epoch to restore documents
+                const journalEntries = await this.db.getJournalEntries(persistedState.currentEpochNumber);
+                // Roll back already-re-split documents from journal
+                for (const entry of journalEntries) {
+                    const doc = await this.db.getDocument(entry.documentId);
+                    if (!doc) {
+                        continue;
+                    }
+                    // Restore the document with old shares/members/threshold
+                    const restoredDoc = new quorumDataRecord_1.QuorumDataRecord(doc.creator, entry.oldMemberIds.map((id) => doc.enhancedProvider.fromBytes(new Uint8Array(Buffer.from(id, 'hex')))), entry.oldThreshold, doc.encryptedData, entry.oldShares, doc.enhancedProvider, doc.checksum, doc.signature, doc.id, doc.dateCreated, new Date(), undefined, entry.oldThreshold < 2, entry.oldEpoch, doc.sealedUnderBootstrap, doc.identityRecoveryRecordId);
+                    await this.db.saveDocument(restoredDoc);
+                }
+                // Delete journal entries and reset to Bootstrap
+                if (journalEntries.length > 0) {
+                    await this.db.deleteJournalEntries(persistedState.currentEpochNumber);
+                }
+                // Reset operational state to Bootstrap
+                const bootstrapState = {
+                    mode: quorumOperationalMode_1.QuorumOperationalMode.Bootstrap,
+                    currentEpochNumber: persistedState.currentEpochNumber,
+                    lastUpdated: new Date(),
+                };
+                await this.db.saveOperationalState(bootstrapState);
+            }
+            // Restore from persisted state
+            const restoredEpoch = await this.db.getEpoch(persistedState.currentEpochNumber);
+            if (restoredEpoch) {
+                this.mode =
+                    persistedState.mode === quorumOperationalMode_1.QuorumOperationalMode.TransitionInProgress
+                        ? quorumOperationalMode_1.QuorumOperationalMode.Bootstrap
+                        : persistedState.mode;
+                this.currentEpochData = restoredEpoch;
+                this.initialized = true;
+                return restoredEpoch;
+            }
+        }
+        // Fresh initialization: determine mode based on member count vs threshold
+        const memberCount = members.length;
+        const isBootstrap = memberCount < threshold;
+        this.mode = isBootstrap
+            ? quorumOperationalMode_1.QuorumOperationalMode.Bootstrap
+            : quorumOperationalMode_1.QuorumOperationalMode.Quorum;
+        const effectiveThreshold = isBootstrap
+            ? Math.max(memberCount, 1)
+            : threshold;
+        // Save members to database
+        for (const member of members) {
+            const hexId = (0, ecies_lib_1.uint8ArrayToHex)(member.idBytes);
+            const quorumMember = {
+                id: hexId,
+                publicKey: member.publicKey,
+                metadata: { name: `Member-${hexId.substring(0, 8)}` },
+                isActive: true,
+                createdAt: new Date(),
+                updatedAt: new Date(),
+            };
+            await this.db.saveMember(quorumMember);
+        }
+        // Create epoch 1
+        const memberIds = members.map((m) => (0, ecies_lib_1.uint8ArrayToHex)(m.idBytes));
+        const epoch = {
+            epochNumber: 1,
+            memberIds,
+            threshold: effectiveThreshold,
+            mode: this.mode,
+            createdAt: new Date(),
+        };
+        await this.db.saveEpoch(epoch);
+        // Persist operational state
+        const opState = {
+            mode: this.mode,
+            currentEpochNumber: 1,
+            lastUpdated: new Date(),
+        };
+        await this.db.saveOperationalState(opState);
+        this.currentEpochData = epoch;
+        this.initialized = true;
+        return epoch;
+    }
+    /**
+     * Rollback a transition that was interrupted (crash recovery or failure).
+     *
+     * For each journal entry, restores the document's old shares, member IDs,
+     * and threshold from the journal. Then deletes all journal entries and
+     * resets operational state to Bootstrap mode.
+     *
+     * @param epochNumber - The epoch number to rollback
+     * @param emitAudit - Whether to emit a transition_ceremony_failed audit entry (false during crash recovery in initialize)
+     */
+    async rollbackTransition(epochNumber, emitAudit = false) {
+        const journalEntries = await this.db.getJournalEntries(epochNumber);
+        // Restore each document from its journal entry
+        for (const entry of journalEntries) {
+            const doc = await this.db.getDocument(entry.documentId);
+            if (!doc) {
+                continue;
+            }
+            // Reconstruct the document with old shares/members/threshold
+            const restoredDoc = new quorumDataRecord_1.QuorumDataRecord(doc.creator, entry.oldMemberIds.map((id) => doc.enhancedProvider.fromBytes(new Uint8Array(Buffer.from(id, 'hex')))), entry.oldThreshold, doc.encryptedData, entry.oldShares, doc.enhancedProvider, doc.checksum, doc.signature, doc.id, doc.dateCreated, new Date(), undefined, entry.oldThreshold < 2, // bootstrapMode if threshold < 2
+            entry.oldEpoch, doc.sealedUnderBootstrap, doc.identityRecoveryRecordId);
+            await this.db.saveDocument(restoredDoc);
+        }
+        // Delete all journal entries for this epoch
+        if (journalEntries.length > 0) {
+            await this.db.deleteJournalEntries(epochNumber);
+        }
+        // Reset operational state to Bootstrap
+        const opState = {
+            mode: quorumOperationalMode_1.QuorumOperationalMode.Bootstrap,
+            currentEpochNumber: epochNumber,
+            lastUpdated: new Date(),
+        };
+        await this.db.saveOperationalState(opState);
+        if (emitAudit) {
+            await this.emitAuditEntry('transition_ceremony_failed', {
+                epochNumber,
+                rolledBackDocuments: journalEntries.length,
+            });
+        }
+    }
+    /** Ensure the state machine is initialized before operations. */
+    ensureInitialized() {
+        if (!this.initialized) {
+            throw new quorumError_1.QuorumError(quorumErrorType_1.QuorumErrorType.Uninitialized);
+        }
+    }
+    /** Ensure operations are not blocked by a transition ceremony. */
+    ensureNotTransitioning() {
+        if (this.mode === quorumOperationalMode_1.QuorumOperationalMode.TransitionInProgress) {
+            throw new quorumError_1.QuorumError(quorumErrorType_1.QuorumErrorType.TransitionInProgress);
+        }
+    }
+    /**
+     * Create the next epoch with incremented epoch number.
+     *
+     * 1. Gets the current epoch number
+     * 2. Creates a new epoch with epochNumber = current + 1
+     * 3. Saves the epoch to the database
+     * 4. Updates the operational state with the new epoch number
+     * 5. Updates the cached currentEpochData
+     * 6. Returns the new epoch
+     *
+     * @param memberIds - Active member IDs for the new epoch
+     * @param threshold - Threshold for the new epoch
+     * @param mode - Operational mode for the new epoch
+     * @param previousEpochNumber - Optional override for the previous epoch number
+     * @returns The newly created QuorumEpoch
+     */
+    async createNextEpoch(memberIds, threshold, mode, previousEpochNumber) {
+        const currentEpochNum = previousEpochNumber ?? this.currentEpochData?.epochNumber ?? 0;
+        const nextEpochNumber = currentEpochNum + 1;
+        const epoch = {
+            epochNumber: nextEpochNumber,
+            memberIds,
+            threshold,
+            mode,
+            createdAt: new Date(),
+            previousEpochNumber: currentEpochNum > 0 ? currentEpochNum : undefined,
+        };
+        await this.db.saveEpoch(epoch);
+        // Update operational state
+        const opState = {
+            mode,
+            currentEpochNumber: nextEpochNumber,
+            lastUpdated: new Date(),
+        };
+        await this.db.saveOperationalState(opState);
+        // Update cached state
+        this.currentEpochData = epoch;
+        this.mode = mode;
+        return epoch;
+    }
+    /**
+     * Emit an audit log entry.
+     *
+     * If an AuditLogService is configured, routes through it for chain linking
+     * and signing. Otherwise, writes directly to the database.
+     *
+     * @param eventType - The type of audit event
+     * @param details - Additional event-specific details
+     * @param targetMemberId - Optional target member ID
+     */
+    async emitAuditEntry(eventType, details, targetMemberId) {
+        const entry = {
+            id: (0, uuid_1.v4)(),
+            eventType,
+            targetMemberId,
+            details,
+            timestamp: new Date(),
+        };
+        if (this.auditLogService) {
+            await this.auditLogService.appendEntry(entry);
+        }
+        else {
+            await this.db.appendAuditEntry(entry);
+        }
+    }
+    /**
+     * Resolve IQuorumMember records into Member objects suitable for SealingService.
+     *
+     * Creates Member instances with only public keys (no private keys) from
+     * the database member records. These are sufficient for encrypting new shares.
+     *
+     * @param quorumMembers - Database member records to resolve
+     * @returns Array of Member objects with public keys
+     */
+    resolveMembersFromRecords(quorumMembers) {
+        return quorumMembers.map((qm) => {
+            return new ecies_lib_1.Member(this.sealingService.eciesServiceRef, ecies_lib_1.MemberType.User, qm.metadata.name || `Member-${qm.id.substring(0, 8)}`, new ecies_lib_1.EmailString(`${qm.id.substring(0, 8)}@quorum.local`), qm.publicKey, undefined, // no private key
+            undefined, // no wallet
+            this.sealingService.enhancedProviderRef.fromBytes(new Uint8Array(Buffer.from(qm.id, 'hex'))));
+        });
+    }
+    /**
+     * Perform batched share redistribution for all documents in a given epoch.
+     *
+     * Processes documents in pages using `listDocumentsByEpoch`, decrypts shares
+     * from threshold members, calls `redistributeShares`, updates documents,
+     * and saves them back to the database.
+     *
+     * @param fromEpochNumber - The epoch whose documents need redistribution
+     * @param thresholdMembers - Members with private keys to decrypt existing shares
+     * @param newMembers - The new member set for re-encryption
+     * @param newThreshold - The new threshold for shares
+     * @param oldSharingConfig - The old sharing configuration (totalShares, threshold)
+     * @param config - Redistribution configuration (batch size, progress, continue-on-failure)
+     * @returns Array of failed document IDs
+     */
+    async redistributeDocuments(fromEpochNumber, thresholdMembers, newMembers, newThreshold, oldSharingConfig, config) {
+        const failedDocIds = [];
+        let page = 0;
+        let processed = 0;
+        let totalEstimate = 0;
+        const pageSize = config.batchSize;
+        // Process documents page by page
+        let docs;
+        do {
+            docs = await this.db.listDocumentsByEpoch(fromEpochNumber, page, pageSize);
+            if (page === 0 && docs.length === pageSize) {
+                // Rough estimate: at least one more page
+                totalEstimate = pageSize * 2;
+            }
+            else if (page === 0) {
+                totalEstimate = docs.length;
+            }
+            for (const doc of docs) {
+                const docHexId = (0, ecies_lib_1.uint8ArrayToHex)(doc.enhancedProvider.toBytes(doc.id));
+                try {
+                    // Decrypt shares from threshold members
+                    const decryptedShares = await this.sealingService.decryptShares(doc, thresholdMembers);
+                    // Build a map of memberId -> decrypted share hex
+                    const sharesMap = new Map();
+                    for (let i = 0; i < thresholdMembers.length; i++) {
+                        const memberId = (0, ecies_lib_1.uint8ArrayToHex)(thresholdMembers[i].idBytes);
+                        sharesMap.set(memberId, decryptedShares[i]);
+                    }
+                    // Redistribute shares to new members
+                    const newEncryptedShares = await this.sealingService.redistributeShares(sharesMap, newMembers, newThreshold, oldSharingConfig);
+                    // Create updated document with new shares, memberIDs, and threshold
+                    const newMemberTIDs = newMembers.map((m) => m.id);
+                    const updatedDoc = new quorumDataRecord_1.QuorumDataRecord(doc.creator, newMemberTIDs, newThreshold, doc.encryptedData, newEncryptedShares, doc.enhancedProvider, doc.checksum, doc.signature, doc.id, doc.dateCreated, new Date(), undefined, newThreshold < 2, // bootstrapMode if threshold < 2
+                    this.currentEpochData?.epochNumber ?? doc.epochNumber, doc.sealedUnderBootstrap, doc.identityRecoveryRecordId);
+                    await this.db.saveDocument(updatedDoc);
+                    processed++;
+                }
+                catch {
+                    failedDocIds.push(docHexId);
+                    if (!config.continueOnFailure) {
+                        this.metricsData.redistributionFailures += failedDocIds.length;
+                        return failedDocIds;
+                    }
+                }
+                // Report progress
+                if (config.onProgress) {
+                    config.onProgress(processed, totalEstimate, failedDocIds);
+                }
+            }
+            page++;
+        } while (docs.length === pageSize);
+        // Update metrics
+        this.metricsData.redistributionProgress =
+            totalEstimate > 0 ? processed / totalEstimate : 1;
+        this.metricsData.redistributionFailures += failedDocIds.length;
+        return failedDocIds;
+    }
+    /**
+     * Get the current operational mode.
+     * Restores from persisted state on first call if needed.
+     */
+    async getMode() {
+        if (this.mode !== null) {
+            return this.mode;
+        }
+        // Try to restore from persisted state
+        const persistedState = await this.db.getOperationalState();
+        if (persistedState) {
+            this.mode = persistedState.mode;
+            return this.mode;
+        }
+        throw new quorumError_1.QuorumError(quorumErrorType_1.QuorumErrorType.Uninitialized);
+    }
+    /**
+     * Initiate a transition ceremony from Bootstrap to Quorum mode.
+     *
+     * Flow:
+     * 1. Verify members >= threshold, set mode to TransitionInProgress
+     * 2. Emit transition_ceremony_started audit entry
+     * 3. Block seal/unseal/submitProposal (via ensureNotTransitioning)
+     * 4. For each bootstrap-sealed document (paginated):
+     *    a. Save journal entry with old shares/members/threshold/epoch
+     *    b. Redistribute shares to full member set with configured threshold
+     *    c. Update document in database
+     * 5. On success: create new epoch in Quorum mode, delete journal entries,
+     *    emit transition_ceremony_completed, unblock
+     * 6. On failure: rollback from journal, reset to Bootstrap, delete journal
+     *    entries, emit transition_ceremony_failed
+     */
+    async initiateTransition() {
+        this.ensureInitialized();
+        if (this.mode !== quorumOperationalMode_1.QuorumOperationalMode.Bootstrap) {
+            throw new quorumError_1.QuorumError(quorumErrorType_1.QuorumErrorType.InvalidModeTransition);
+        }
+        const activeMembers = await this.db.listActiveMembers();
+        if (activeMembers.length < this.configuredThreshold) {
+            throw new quorumError_1.QuorumError(quorumErrorType_1.QuorumErrorType.InsufficientMembersForTransition);
+        }
+        const currentEpochNumber = this.currentEpochData?.epochNumber ?? 1;
+        const previousThreshold = this.currentEpochData?.threshold ?? 1;
+        const previousMemberIds = this.currentEpochData?.memberIds ?? [];
+        // Set mode to TransitionInProgress — blocks seal/unseal/submitProposal
+        this.mode = quorumOperationalMode_1.QuorumOperationalMode.TransitionInProgress;
+        const opState = {
+            mode: quorumOperationalMode_1.QuorumOperationalMode.TransitionInProgress,
+            currentEpochNumber,
+            lastUpdated: new Date(),
+        };
+        await this.db.saveOperationalState(opState);
+        // Emit transition_ceremony_started audit entry
+        await this.emitAuditEntry('transition_ceremony_started', {
+            epochNumber: currentEpochNumber,
+            memberCount: activeMembers.length,
+            configuredThreshold: this.configuredThreshold,
+        });
+        // Resolve members for redistribution
+        const newMemberObjects = this.resolveMembersFromRecords(activeMembers);
+        const newMemberIds = activeMembers.map((m) => m.id);
+        // Batched re-split of all bootstrap-sealed documents
+        const batchSize = 100;
+        let page = 0;
+        let docs;
+        const failedDocIds = [];
+        try {
+            // Emit share_redistribution_started
+            await this.emitAuditEntry('share_redistribution_started', {
+                reason: 'transition_ceremony',
+                fromEpoch: currentEpochNumber,
+            });
+            do {
+                docs = await this.db.listDocumentsByEpoch(currentEpochNumber, page, batchSize);
+                for (const doc of docs) {
+                    const docHexId = (0, ecies_lib_1.uint8ArrayToHex)(doc.enhancedProvider.toBytes(doc.id));
+                    // Save journal entry BEFORE modifying the document
+                    const oldMemberHexIds = doc.memberIDs.map((mid) => (0, ecies_lib_1.uint8ArrayToHex)(doc.enhancedProvider.toBytes(mid)));
+                    const journalEntry = {
+                        documentId: docHexId,
+                        oldShares: new Map(doc.encryptedSharesByMemberId),
+                        oldMemberIds: oldMemberHexIds,
+                        oldThreshold: doc.sharesRequired,
+                        oldEpoch: doc.epochNumber,
+                    };
+                    await this.db.saveJournalEntry(journalEntry);
+                    try {
+                        // Decrypt shares from threshold members
+                        const decryptedShares = await this.sealingService.decryptShares(doc, newMemberObjects);
+                        // Build shares map
+                        const sharesMap = new Map();
+                        for (let i = 0; i < newMemberObjects.length; i++) {
+                            const memberId = (0, ecies_lib_1.uint8ArrayToHex)(newMemberObjects[i].idBytes);
+                            sharesMap.set(memberId, decryptedShares[i]);
+                        }
+                        // Redistribute shares to full member set with configured threshold
+                        const newEncryptedShares = await this.sealingService.redistributeShares(sharesMap, newMemberObjects, this.configuredThreshold, {
+                            totalShares: previousMemberIds.length,
+                            threshold: previousThreshold,
+                        });
+                        // Create updated document with new shares
+                        const newMemberTIDs = newMemberObjects.map((m) => m.id);
+                        const updatedDoc = new quorumDataRecord_1.QuorumDataRecord(doc.creator, newMemberTIDs, this.configuredThreshold, doc.encryptedData, newEncryptedShares, doc.enhancedProvider, doc.checksum, doc.signature, doc.id, doc.dateCreated, new Date(), undefined, false, // no longer bootstrap mode
+                        currentEpochNumber + 1, doc.sealedUnderBootstrap, doc.identityRecoveryRecordId);
+                        await this.db.saveDocument(updatedDoc);
+                    }
+                    catch {
+                        failedDocIds.push(docHexId);
+                        // On any failure, abort and rollback
+                        throw new quorumError_1.QuorumError(quorumErrorType_1.QuorumErrorType.RedistributionFailed);
+                    }
+                }
+                page++;
+            } while (docs.length === batchSize);
+            // Emit share_redistribution_completed
+            await this.emitAuditEntry('share_redistribution_completed', {
+                reason: 'transition_ceremony',
+                fromEpoch: currentEpochNumber,
+            });
+            // SUCCESS PATH: all documents re-split
+            // Create new epoch in Quorum mode
+            await this.createTransitionEpoch(newMemberIds, this.configuredThreshold);
+            // Delete journal entries (no longer needed)
+            await this.db.deleteJournalEntries(currentEpochNumber);
+            // Emit transition_ceremony_completed
+            await this.emitAuditEntry('transition_ceremony_completed', {
+                epochNumber: this.currentEpochData?.epochNumber,
+                previousEpochNumber: currentEpochNumber,
+                memberCount: newMemberIds.length,
+                threshold: this.configuredThreshold,
+            });
+        }
+        catch (error) {
+            // FAILURE PATH: rollback from journal
+            await this.rollbackTransition(currentEpochNumber, true);
+            // Restore in-memory state to Bootstrap
+            this.mode = quorumOperationalMode_1.QuorumOperationalMode.Bootstrap;
+            // Emit share_redistribution_failed if we got past the start
+            if (failedDocIds.length > 0) {
+                await this.emitAuditEntry('share_redistribution_failed', {
+                    reason: 'transition_ceremony',
+                    failedDocumentIds: failedDocIds,
+                    failedCount: failedDocIds.length,
+                });
+            }
+            // Re-throw the error so the caller knows the ceremony failed
+            if (error instanceof quorumError_1.QuorumError) {
+                throw error;
+            }
+            throw new quorumError_1.QuorumError(quorumErrorType_1.QuorumErrorType.RedistributionFailed);
+        }
+    }
+    /**
+     * Create a new epoch for a completed transition ceremony.
+     *
+     * Called by the transition ceremony logic (Task 10) when all documents
+     * have been successfully re-split. Creates a new epoch in Quorum mode
+     * with the full member set and configured threshold.
+     *
+     * @param memberIds - The full member set after transition
+     * @param threshold - The configured quorum threshold
+     * @returns The new QuorumEpoch in Quorum mode
+     */
+    async createTransitionEpoch(memberIds, threshold) {
+        return this.createNextEpoch(memberIds, threshold, quorumOperationalMode_1.QuorumOperationalMode.Quorum);
+    }
+    /**
+     * Add a new member to the quorum.
+     *
+     * Saves the member, increments the epoch, triggers batched share
+     * redistribution for all documents in the previous epoch, and emits
+     * audit entries for member_added and share_redistribution_*.
+     *
+     * @param member - The member to add
+     * @param metadata - Metadata for the member
+     * @param redistributionConfig - Optional redistribution configuration
+     * @returns The new QuorumEpoch after member addition
+     */
+    async addMember(member, metadata, redistributionConfig) {
+        this.ensureInitialized();
+        this.ensureNotTransitioning();
+        const hexId = (0, ecies_lib_1.uint8ArrayToHex)(member.idBytes);
+        // Check if member already exists
+        const existing = await this.db.getMember(hexId);
+        if (existing && existing.isActive) {
+            throw new quorumError_1.QuorumError(quorumErrorType_1.QuorumErrorType.MemberAlreadyExists);
+        }
+        // Save the new member
+        const quorumMember = {
+            id: hexId,
+            publicKey: member.publicKey,
+            metadata,
+            isActive: true,
+            createdAt: new Date(),
+            updatedAt: new Date(),
+        };
+        await this.db.saveMember(quorumMember);
+        // Capture previous epoch info before creating the new one
+        const previousEpochNumber = this.currentEpochData?.epochNumber ?? 0;
+        const previousThreshold = this.currentEpochData?.threshold ?? 1;
+        const previousMemberIds = this.currentEpochData?.memberIds ?? [];
+        // Build new member list
+        const newMemberIds = [...previousMemberIds, hexId];
+        // Determine mode and threshold for the new epoch
+        const newMode = newMemberIds.length >= this.configuredThreshold
+            ? quorumOperationalMode_1.QuorumOperationalMode.Quorum
+            : quorumOperationalMode_1.QuorumOperationalMode.Bootstrap;
+        const newThreshold = newMode === quorumOperationalMode_1.QuorumOperationalMode.Bootstrap
+            ? Math.max(newMemberIds.length, 1)
+            : this.configuredThreshold;
+        // Create next epoch with the updated membership
+        const newEpoch = await this.createNextEpoch(newMemberIds, newThreshold, newMode);
+        // Emit member_added audit entry
+        await this.emitAuditEntry('member_added', {
+            memberId: hexId,
+            epochNumber: newEpoch.epochNumber,
+            previousEpochNumber,
+            memberCount: newMemberIds.length,
+        }, hexId);
+        // Trigger batched share redistribution for documents in the previous epoch
+        if (previousEpochNumber > 0 && previousMemberIds.length > 0) {
+            const config = {
+                batchSize: redistributionConfig?.batchSize ?? 100,
+                continueOnFailure: redistributionConfig?.continueOnFailure ?? true,
+                onProgress: redistributionConfig?.onProgress,
+            };
+            await this.emitAuditEntry('share_redistribution_started', {
+                reason: 'member_added',
+                memberId: hexId,
+                fromEpoch: previousEpochNumber,
+                toEpoch: newEpoch.epochNumber,
+            });
+            try {
+                // Resolve active members for redistribution
+                const activeQuorumMembers = await this.db.listActiveMembers();
+                const newMemberObjects = this.resolveMembersFromRecords(activeQuorumMembers);
+                // We need threshold members with private keys to decrypt existing shares.
+                // In a real system, these would come from approved votes or key holders.
+                // For redistribution triggered by addMember, we use the members that
+                // have shares in the existing documents. The SealingService.decryptShares
+                // method handles the actual decryption using member private keys.
+                // Since we don't have private keys here, we pass the member objects
+                // and let the redistribution handle documents that have accessible shares.
+                const failedDocIds = await this.redistributeDocuments(previousEpochNumber, newMemberObjects, newMemberObjects, newThreshold, {
+                    totalShares: previousMemberIds.length,
+                    threshold: previousThreshold,
+                }, config);
+                if (failedDocIds.length > 0) {
+                    await this.emitAuditEntry('share_redistribution_failed', {
+                        reason: 'member_added',
+                        memberId: hexId,
+                        failedDocumentIds: failedDocIds,
+                        failedCount: failedDocIds.length,
+                    });
+                }
+                else {
+                    await this.emitAuditEntry('share_redistribution_completed', {
+                        reason: 'member_added',
+                        memberId: hexId,
+                        fromEpoch: previousEpochNumber,
+                        toEpoch: newEpoch.epochNumber,
+                    });
+                }
+            }
+            catch (redistributionError) {
+                await this.emitAuditEntry('share_redistribution_failed', {
+                    reason: 'member_added',
+                    memberId: hexId,
+                    error: redistributionError instanceof Error
+                        ? redistributionError.message
+                        : String(redistributionError),
+                });
+            }
+        }
+        return newEpoch;
+    }
+    /**
+     * Remove a member from the quorum.
+     *
+     * Validates remaining count >= threshold, removes the member,
+     * increments the epoch, triggers share redistribution with fresh
+     * polynomial coefficients, and emits audit entries for member_removed
+     * and share_redistribution_*.
+     *
+     * @param memberId - ID of the member to remove
+     * @param redistributionConfig - Optional redistribution configuration
+     * @returns The new QuorumEpoch after member removal
+     * @throws QuorumError with InsufficientRemainingMembers if removal would drop below threshold
+     * @throws QuorumError with MemberNotFound if the member is not in the current epoch
+     */
+    async removeMember(memberId, redistributionConfig) {
+        this.ensureInitialized();
+        this.ensureNotTransitioning();
+        const currentMemberIds = this.currentEpochData?.memberIds ?? [];
+        // Validate member exists in current epoch
+        if (!currentMemberIds.includes(memberId)) {
+            throw new quorumError_1.QuorumError(quorumErrorType_1.QuorumErrorType.MemberNotFound);
+        }
+        // Validate remaining count >= threshold after removal
+        const remainingCount = currentMemberIds.length - 1;
+        const currentThreshold = this.currentEpochData?.threshold ?? this.configuredThreshold;
+        if (remainingCount < currentThreshold) {
+            throw new quorumError_1.QuorumError(quorumErrorType_1.QuorumErrorType.InsufficientRemainingMembers);
+        }
+        // Mark the member as inactive in the database
+        const memberRecord = await this.db.getMember(memberId);
+        if (memberRecord) {
+            const updatedMember = {
+                ...memberRecord,
+                isActive: false,
+                updatedAt: new Date(),
+            };
+            await this.db.saveMember(updatedMember);
+        }
+        // Capture previous epoch info before creating the new one
+        const previousEpochNumber = this.currentEpochData?.epochNumber ?? 0;
+        const previousThreshold = this.currentEpochData?.threshold ?? 1;
+        // Build new member list without the removed member
+        const newMemberIds = currentMemberIds.filter((id) => id !== memberId);
+        // Determine mode and threshold for the new epoch
+        const currentMode = this.mode ?? quorumOperationalMode_1.QuorumOperationalMode.Bootstrap;
+        const newThreshold = currentMode === quorumOperationalMode_1.QuorumOperationalMode.Bootstrap
+            ? Math.max(newMemberIds.length, 1)
+            : this.configuredThreshold;
+        // Create next epoch with the updated membership
+        const newEpoch = await this.createNextEpoch(newMemberIds, newThreshold, currentMode);
+        // Emit member_removed audit entry
+        await this.emitAuditEntry('member_removed', {
+            memberId,
+            epochNumber: newEpoch.epochNumber,
+            previousEpochNumber,
+            memberCount: newMemberIds.length,
+        }, memberId);
+        // Trigger batched share redistribution with fresh polynomial coefficients
+        if (previousEpochNumber > 0 && newMemberIds.length > 0) {
+            const config = {
+                batchSize: redistributionConfig?.batchSize ?? 100,
+                continueOnFailure: redistributionConfig?.continueOnFailure ?? true,
+                onProgress: redistributionConfig?.onProgress,
+            };
+            await this.emitAuditEntry('share_redistribution_started', {
+                reason: 'member_removed',
+                memberId,
+                fromEpoch: previousEpochNumber,
+                toEpoch: newEpoch.epochNumber,
+            });
+            try {
+                // Resolve remaining active members for redistribution
+                const activeQuorumMembers = await this.db.listActiveMembers();
+                // Filter out the removed member
+                const remainingQuorumMembers = activeQuorumMembers.filter((m) => m.id !== memberId);
+                const newMemberObjects = this.resolveMembersFromRecords(remainingQuorumMembers);
+                const failedDocIds = await this.redistributeDocuments(previousEpochNumber, newMemberObjects, newMemberObjects, newThreshold, {
+                    totalShares: currentMemberIds.length,
+                    threshold: previousThreshold,
+                }, config);
+                if (failedDocIds.length > 0) {
+                    await this.emitAuditEntry('share_redistribution_failed', {
+                        reason: 'member_removed',
+                        memberId,
+                        failedDocumentIds: failedDocIds,
+                        failedCount: failedDocIds.length,
+                    });
+                }
+                else {
+                    await this.emitAuditEntry('share_redistribution_completed', {
+                        reason: 'member_removed',
+                        memberId,
+                        fromEpoch: previousEpochNumber,
+                        toEpoch: newEpoch.epochNumber,
+                    });
+                }
+            }
+            catch (redistributionError) {
+                await this.emitAuditEntry('share_redistribution_failed', {
+                    reason: 'member_removed',
+                    memberId,
+                    error: redistributionError instanceof Error
+                        ? redistributionError.message
+                        : String(redistributionError),
+                });
+            }
+        }
+        return newEpoch;
+    }
+    /**
+     * Determine the required threshold for a proposal based on inner quorum routing.
+     *
+     * When member count > 20 and the current epoch has innerQuorumMemberIds,
+     * routine operations use the inner quorum size as threshold,
+     * while critical operations use the full membership threshold.
+     *
+     * @param actionType - The proposal action type
+     * @returns The required vote threshold
+     */
+    getRequiredThreshold(actionType) {
+        if (!this.currentEpochData) {
+            return this.configuredThreshold;
+        }
+        const memberCount = this.currentEpochData.memberIds.length;
+        const innerQuorum = this.currentEpochData.innerQuorumMemberIds;
+        // Inner quorum routing: when members > 20 and inner quorum is defined
+        if (memberCount > QuorumStateMachine.INNER_QUORUM_MEMBER_THRESHOLD &&
+            innerQuorum &&
+            innerQuorum.length > 0) {
+            if (QuorumStateMachine.ROUTINE_ACTION_TYPES.has(actionType)) {
+                // Routine operations use inner quorum threshold (majority of inner quorum)
+                return Math.ceil(innerQuorum.length / 2);
+            }
+            // Critical operations use full membership threshold
+        }
+        return this.currentEpochData.threshold;
+    }
+    /**
+     * Submit a proposal for quorum voting.
+     *
+     * Validates the proposer is an active member, validates description length,
+     * validates IDENTITY_DISCLOSURE has an attachment, assigns a unique ID,
+     * stores as pending, announces via gossip, and emits audit entry.
+     *
+     * @param proposal - The proposal input
+     * @returns The created Proposal with assigned ID and status
+     * @throws QuorumError with MissingAttachment if IDENTITY_DISCLOSURE lacks attachmentCblId
+     */
+    async submitProposal(proposal) {
+        this.ensureInitialized();
+        this.ensureNotTransitioning();
+        // Validate description length (Req 5.3)
+        if (proposal.description.length > QuorumStateMachine.MAX_DESCRIPTION_LENGTH) {
+            throw new quorumError_1.QuorumError(quorumErrorType_1.QuorumErrorType.DuplicateProposal);
+        }
+        // Validate IDENTITY_DISCLOSURE requires attachment (Req 13.3)
+        if (proposal.actionType === proposalActionType_1.ProposalActionType.IDENTITY_DISCLOSURE &&
+            !proposal.attachmentCblId) {
+            throw new quorumError_1.QuorumError(quorumErrorType_1.QuorumErrorType.MissingAttachment);
+        }
+        if (!this.currentEpochData) {
+            throw new quorumError_1.QuorumError(quorumErrorType_1.QuorumErrorType.Uninitialized);
+        }
+        // Determine the required threshold based on inner quorum routing
+        const requiredThreshold = this.getRequiredThreshold(proposal.actionType);
+        // Assign unique ID and create the full proposal
+        const proposalId = (0, uuid_1.v4)();
+        const now = new Date();
+        const fullProposal = {
+            id: proposalId,
+            description: proposal.description,
+            actionType: proposal.actionType,
+            actionPayload: proposal.actionPayload,
+            proposerMemberId: (proposal.actionPayload['proposerMemberId'] ??
+                this.currentEpochData.memberIds[0]),
+            status: proposalStatus_1.ProposalStatus.Pending,
+            requiredThreshold,
+            expiresAt: proposal.expiresAt,
+            createdAt: now,
+            attachmentCblId: proposal.attachmentCblId,
+            epochNumber: this.currentEpochData.epochNumber,
+        };
+        // Store as pending in the database
+        await this.db.saveProposal(fullProposal);
+        // Announce via gossip
+        const gossipMetadata = {
+            proposalId: fullProposal.id,
+            description: fullProposal.description,
+            actionType: fullProposal.actionType,
+            actionPayload: JSON.stringify(fullProposal.actionPayload),
+            proposerMemberId: fullProposal.proposerMemberId,
+            expiresAt: fullProposal.expiresAt,
+            requiredThreshold: fullProposal.requiredThreshold,
+            attachmentCblId: fullProposal.attachmentCblId,
+        };
+        await this.gossipService.announceQuorumProposal(gossipMetadata);
+        // Emit audit entry
+        await this.emitAuditEntry('proposal_created', {
+            proposalId: fullProposal.id,
+            actionType: fullProposal.actionType,
+            proposerMemberId: fullProposal.proposerMemberId,
+            requiredThreshold: fullProposal.requiredThreshold,
+            epochNumber: fullProposal.epochNumber,
+            hasAttachment: !!fullProposal.attachmentCblId,
+        });
+        // Update metrics
+        this.metricsData.proposalsTotal++;
+        this.metricsData.proposalsPending++;
+        return fullProposal;
+    }
+    /**
+     * Submit a vote on a pending proposal.
+     *
+     * Validates the proposal exists and is pending, validates the voter is an
+     * active member, checks for duplicate votes, stores the vote, announces
+     * via gossip, emits audit entry, and triggers vote tallying.
+     *
+     * @param vote - The vote input
+     * @throws QuorumError with ProposalExpired if proposal is not pending
+     * @throws QuorumError with DuplicateVote if voter already voted
+     * @throws QuorumError with VoterNotOnProposal if voter is not an active member
+     */
+    async submitVote(vote) {
+        this.ensureInitialized();
+        this.ensureNotTransitioning();
+        // Validate proposal exists
+        const proposal = await this.db.getProposal(vote.proposalId);
+        if (!proposal) {
+            throw new quorumError_1.QuorumError(quorumErrorType_1.QuorumErrorType.DocumentNotFound);
+        }
+        // Check expiration before processing
+        if (new Date() > proposal.expiresAt) {
+            await this.expireProposal(proposal);
+            throw new quorumError_1.QuorumError(quorumErrorType_1.QuorumErrorType.ProposalExpired);
+        }
+        // Validate proposal is still pending
+        if (proposal.status !== proposalStatus_1.ProposalStatus.Pending) {
+            throw new quorumError_1.QuorumError(quorumErrorType_1.QuorumErrorType.ProposalExpired);
+        }
+        // Validate voter is an active member
+        if (!this.currentEpochData) {
+            throw new quorumError_1.QuorumError(quorumErrorType_1.QuorumErrorType.Uninitialized);
+        }
+        const resolvedVoterId = vote.voterMemberId ?? this.currentEpochData.memberIds[0];
+        // Check voter is in the current epoch's member list
+        const isActiveMember = this.currentEpochData.memberIds.includes(resolvedVoterId);
+        if (!isActiveMember) {
+            throw new quorumError_1.QuorumError(quorumErrorType_1.QuorumErrorType.VoterNotOnProposal);
+        }
+        // Check for duplicate votes
+        const existingVotes = await this.db.getVotesForProposal(vote.proposalId);
+        const alreadyVoted = existingVotes.some((v) => v.voterMemberId === resolvedVoterId);
+        if (alreadyVoted) {
+            throw new quorumError_1.QuorumError(quorumErrorType_1.QuorumErrorType.DuplicateVote);
+        }
+        // Create and store the vote
+        const fullVote = {
+            proposalId: vote.proposalId,
+            voterMemberId: resolvedVoterId,
+            decision: vote.decision,
+            comment: vote.comment,
+            createdAt: new Date(),
+        };
+        await this.db.saveVote(fullVote);
+        // Announce via gossip
+        const gossipMetadata = {
+            proposalId: fullVote.proposalId,
+            voterMemberId: fullVote.voterMemberId,
+            decision: fullVote.decision,
+            comment: fullVote.comment,
+        };
+        await this.gossipService.announceQuorumVote(gossipMetadata);
+        // Emit audit entry
+        await this.emitAuditEntry('vote_cast', {
+            proposalId: fullVote.proposalId,
+            voterMemberId: fullVote.voterMemberId,
+            decision: fullVote.decision,
+        });
+        // Tally votes to check if threshold is reached
+        await this.tallyVotes(proposal);
+    }
+    /**
+     * Tally votes for a proposal.
+     *
+     * Counts approve and reject votes. If approve count >= threshold, marks
+     * the proposal as approved and dispatches the action. If reject count
+     * makes approval impossible, marks the proposal as rejected.
+     *
+     * @param proposal - The proposal to tally votes for
+     */
+    async tallyVotes(proposal) {
+        const votes = await this.db.getVotesForProposal(proposal.id);
+        // Count distinct votes (duplicates already prevented by submitVote)
+        const approveCount = votes.filter((v) => v.decision === 'approve').length;
+        const rejectCount = votes.filter((v) => v.decision === 'reject').length;
+        // Check if threshold is reached for approval
+        if (approveCount >= proposal.requiredThreshold) {
+            // Mark as approved
+            const approvedProposal = {
+                ...proposal,
+                status: proposalStatus_1.ProposalStatus.Approved,
+            };
+            await this.db.saveProposal(approvedProposal);
+            // Emit proposal_approved audit entry
+            await this.emitAuditEntry('proposal_approved', {
+                proposalId: proposal.id,
+                actionType: proposal.actionType,
+                approveCount,
+                rejectCount,
+                requiredThreshold: proposal.requiredThreshold,
+            });
+            // Update metrics
+            this.metricsData.proposalsPending = Math.max(0, this.metricsData.proposalsPending - 1);
+            // Execute the action
+            await this.executeProposalAction(approvedProposal);
+            return;
+        }
+        // Check if approval is impossible (remaining possible votes can't reach threshold)
+        const totalMembers = this.currentEpochData?.memberIds.length ?? 0;
+        const totalVotesCast = approveCount + rejectCount;
+        const remainingVotes = totalMembers - totalVotesCast;
+        const maxPossibleApprovals = approveCount + remainingVotes;
+        if (maxPossibleApprovals < proposal.requiredThreshold) {
+            // Approval is impossible — mark as rejected
+            const rejectedProposal = {
+                ...proposal,
+                status: proposalStatus_1.ProposalStatus.Rejected,
+            };
+            await this.db.saveProposal(rejectedProposal);
+            // Emit proposal_rejected audit entry
+            await this.emitAuditEntry('proposal_rejected', {
+                proposalId: proposal.id,
+                actionType: proposal.actionType,
+                approveCount,
+                rejectCount,
+                requiredThreshold: proposal.requiredThreshold,
+            });
+            // Update metrics
+            this.metricsData.proposalsPending = Math.max(0, this.metricsData.proposalsPending - 1);
+        }
+    }
+    /**
+     * Mark a proposal as expired and emit audit entry.
+     *
+     * @param proposal - The proposal to expire
+     */
+    async expireProposal(proposal) {
+        if (proposal.status !== proposalStatus_1.ProposalStatus.Pending) {
+            return;
+        }
+        const expiredProposal = {
+            ...proposal,
+            status: proposalStatus_1.ProposalStatus.Expired,
+        };
+        await this.db.saveProposal(expiredProposal);
+        await this.emitAuditEntry('proposal_expired', {
+            proposalId: proposal.id,
+            actionType: proposal.actionType,
+            expiresAt: proposal.expiresAt.toISOString(),
+        });
+        this.metricsData.proposalsPending = Math.max(0, this.metricsData.proposalsPending - 1);
+    }
+    /**
+     * Execute the action associated with an approved proposal.
+     *
+     * Dispatches to the appropriate handler based on ProposalActionType.
+     * Simple actions are fully implemented; complex ones are stubs that log.
+     *
+     * @param proposal - The approved proposal whose action to execute
+     */
+    async executeProposalAction(proposal) {
+        switch (proposal.actionType) {
+            case proposalActionType_1.ProposalActionType.ADD_MEMBER:
+                await this.executeAddMember(proposal);
+                break;
+            case proposalActionType_1.ProposalActionType.REMOVE_MEMBER:
+                await this.executeRemoveMember(proposal);
+                break;
+            case proposalActionType_1.ProposalActionType.CHANGE_THRESHOLD:
+                await this.executeChangeThreshold(proposal);
+                break;
+            case proposalActionType_1.ProposalActionType.TRANSITION_TO_QUORUM_MODE:
+                await this.initiateTransition();
+                break;
+            case proposalActionType_1.ProposalActionType.UNSEAL_DOCUMENT:
+                await this.executeUnsealDocument(proposal);
+                break;
+            case proposalActionType_1.ProposalActionType.IDENTITY_DISCLOSURE:
+                await this.executeIdentityDisclosure(proposal);
+                break;
+            case proposalActionType_1.ProposalActionType.REGISTER_ALIAS:
+                await this.executeRegisterAlias(proposal);
+                break;
+            case proposalActionType_1.ProposalActionType.DEREGISTER_ALIAS:
+                await this.executeDeregisterAlias(proposal);
+                break;
+            case proposalActionType_1.ProposalActionType.EXTEND_STATUTE:
+                await this.executeExtendStatute(proposal);
+                break;
+            case proposalActionType_1.ProposalActionType.CHANGE_INNER_QUORUM:
+                await this.executeChangeInnerQuorum(proposal);
+                break;
+            case proposalActionType_1.ProposalActionType.CUSTOM:
+                await this.executeCustomAction(proposal);
+                break;
+        }
+    }
+    /**
+     * 11.8.1 ADD_MEMBER — stub that calls addMember with payload data.
+     */
+    async executeAddMember(proposal) {
+        // Stub: In a full implementation, the member object would be constructed
+        // from the proposal's actionPayload. For now, log the approval.
+        await this.emitAuditEntry('member_added', {
+            proposalId: proposal.id,
+            actionType: proposal.actionType,
+            stub: true,
+            payload: proposal.actionPayload,
+        });
+    }
+    /**
+     * 11.8.2 REMOVE_MEMBER — stub that calls removeMember with payload data.
+     */
+    async executeRemoveMember(proposal) {
+        // Stub: In a full implementation, removeMember would be called with
+        // the memberId from actionPayload. For now, log the approval.
+        await this.emitAuditEntry('member_removed', {
+            proposalId: proposal.id,
+            actionType: proposal.actionType,
+            stub: true,
+            payload: proposal.actionPayload,
+        });
+    }
+    /**
+     * 11.8.3 CHANGE_THRESHOLD — update threshold and trigger share redistribution.
+     */
+    async executeChangeThreshold(proposal) {
+        const newThreshold = proposal.actionPayload['newThreshold'];
+        if (typeof newThreshold !== 'number' || newThreshold < 1) {
+            return;
+        }
+        this.configuredThreshold = newThreshold;
+        if (this.currentEpochData) {
+            const newEpoch = await this.createNextEpoch(this.currentEpochData.memberIds, newThreshold, this.currentEpochData.mode);
+            await this.emitAuditEntry('epoch_created', {
+                proposalId: proposal.id,
+                reason: 'threshold_change',
+                newThreshold,
+                epochNumber: newEpoch.epochNumber,
+            });
+        }
+    }
+    /**
+     * 11.8.5 UNSEAL_DOCUMENT — stub (collect shares, unseal).
+     */
+    async executeUnsealDocument(proposal) {
+        // Stub: In a full implementation, encrypted shares from approve votes
+        // would be collected, decrypted, and used to unseal the document.
+        await this.emitAuditEntry('proposal_approved', {
+            proposalId: proposal.id,
+            actionType: proposal.actionType,
+            stub: true,
+            documentId: proposal.actionPayload['documentId'],
+        });
+    }
+    /**
+     * 11.8.6 IDENTITY_DISCLOSURE — check statute of limitations, reject if expired/deleted.
+     *
+     * When the target IdentityRecoveryRecord has expired or been deleted by the
+     * expiration scheduler, throws IdentityPermanentlyUnrecoverable (Req 17.6).
+     */
+    async executeIdentityDisclosure(proposal) {
+        const targetRecordId = proposal.actionPayload['targetRecordId'];
+        // Check if the identity record still exists (not expired/deleted)
+        if (targetRecordId) {
+            const record = await this.db.getIdentityRecord(targetRecordId);
+            if (!record) {
+                // Identity has been permanently deleted by expiration scheduler
+                await this.emitAuditEntry('identity_disclosure_rejected', {
+                    proposalId: proposal.id,
+                    reason: 'identity_permanently_unrecoverable',
+                    targetRecordId,
+                });
+                throw new quorumError_1.QuorumError(quorumErrorType_1.QuorumErrorType.IdentityPermanentlyUnrecoverable);
+            }
+            // Check if record has expired (statute of limitations exceeded)
+            if (new Date() > record.expiresAt) {
+                await this.emitAuditEntry('identity_disclosure_expired', {
+                    proposalId: proposal.id,
+                    targetRecordId,
+                    expiresAt: record.expiresAt.toISOString(),
+                });
+                throw new quorumError_1.QuorumError(quorumErrorType_1.QuorumErrorType.IdentityPermanentlyUnrecoverable);
+            }
+        }
+        await this.emitAuditEntry('identity_disclosure_approved', {
+            proposalId: proposal.id,
+            actionType: proposal.actionType,
+            targetMemberId: proposal.actionPayload['targetMemberId'],
+            attachmentCblId: proposal.attachmentCblId,
+        });
+    }
+    /**
+     * 11.8.7 REGISTER_ALIAS — delegate to AliasRegistry.registerAlias().
+     */
+    async executeRegisterAlias(proposal) {
+        const aliasName = proposal.actionPayload['aliasName'];
+        const ownerMemberId = proposal.actionPayload['ownerMemberId'];
+        const ownerPublicKeyHex = proposal.actionPayload['ownerPublicKey'];
+        if (this.aliasRegistry && aliasName && ownerMemberId && ownerPublicKeyHex) {
+            const ownerPublicKey = new Uint8Array(Buffer.from(ownerPublicKeyHex, 'hex'));
+            await this.aliasRegistry.registerAlias(aliasName, ownerMemberId, ownerPublicKey);
+        }
+        await this.emitAuditEntry('alias_registered', {
+            proposalId: proposal.id,
+            actionType: proposal.actionType,
+            aliasName: aliasName ?? proposal.actionPayload['aliasName'],
+        });
+    }
+    /**
+     * 11.8.8 DEREGISTER_ALIAS — delegate to AliasRegistry.deregisterAlias().
+     */
+    async executeDeregisterAlias(proposal) {
+        const aliasName = proposal.actionPayload['aliasName'];
+        if (this.aliasRegistry && aliasName) {
+            await this.aliasRegistry.deregisterAlias(aliasName);
+        }
+        await this.emitAuditEntry('alias_deregistered', {
+            proposalId: proposal.id,
+            actionType: proposal.actionType,
+            aliasName: aliasName ?? proposal.actionPayload['aliasName'],
+        });
+    }
+    /**
+     * 11.8.9 EXTEND_STATUTE — update expiresAt on the target IdentityRecoveryRecord.
+     */
+    async executeExtendStatute(proposal) {
+        const targetRecordId = proposal.actionPayload['targetRecordId'];
+        const newExpiresAt = proposal.actionPayload['newExpiresAt'];
+        if (targetRecordId && newExpiresAt) {
+            const record = await this.db.getIdentityRecord(targetRecordId);
+            if (record) {
+                const updatedRecord = {
+                    ...record,
+                    expiresAt: new Date(newExpiresAt),
+                };
+                await this.db.saveIdentityRecord(updatedRecord);
+                await this.emitAuditEntry('proposal_approved', {
+                    proposalId: proposal.id,
+                    actionType: proposal.actionType,
+                    targetRecordId,
+                    newExpiresAt,
+                });
+            }
+        }
+    }
+    /**
+     * 11.8.10 CHANGE_INNER_QUORUM — update innerQuorumMemberIds on current epoch.
+     */
+    async executeChangeInnerQuorum(proposal) {
+        const innerQuorumMemberIds = proposal.actionPayload['innerQuorumMemberIds'];
+        if (this.currentEpochData && innerQuorumMemberIds) {
+            // Create a new epoch with the updated inner quorum
+            const newEpoch = await this.createNextEpoch(this.currentEpochData.memberIds, this.currentEpochData.threshold, this.currentEpochData.mode);
+            // Update the epoch with inner quorum member IDs
+            newEpoch.innerQuorumMemberIds = innerQuorumMemberIds;
+            await this.db.saveEpoch(newEpoch);
+            await this.emitAuditEntry('epoch_created', {
+                proposalId: proposal.id,
+                reason: 'inner_quorum_change',
+                innerQuorumMemberIds,
+                epochNumber: newEpoch.epochNumber,
+            });
+        }
+    }
+    /**
+     * 11.8.11 CUSTOM — log approval without automated execution.
+     */
+    async executeCustomAction(proposal) {
+        // Custom actions are logged but not automatically executed
+        await this.emitAuditEntry('proposal_approved', {
+            proposalId: proposal.id,
+            actionType: proposal.actionType,
+            custom: true,
+            payload: proposal.actionPayload,
+        });
+    }
+    /**
+     * Get a proposal by its ID.
+     */
+    async getProposal(proposalId) {
+        this.ensureInitialized();
+        return this.db.getProposal(proposalId);
+    }
+    /**
+     * Seal a document using the appropriate mode (bootstrap or quorum).
+     *
+     * In bootstrap mode: delegates to quorumSealBootstrap with effective threshold = member count.
+     * In quorum mode: delegates to quorumSeal with configured threshold.
+     * Tags document with epoch number and sealedUnderBootstrap flag.
+     *
+     * @throws QuorumError with TransitionInProgress if a transition ceremony is active
+     */
+    async sealDocument(agent, document, memberIds, sharesRequired) {
+        this.ensureInitialized();
+        this.ensureNotTransitioning();
+        if (!this.currentEpochData) {
+            throw new quorumError_1.QuorumError(quorumErrorType_1.QuorumErrorType.Uninitialized);
+        }
+        const isBootstrap = this.mode === quorumOperationalMode_1.QuorumOperationalMode.Bootstrap;
+        // Resolve members from the active member list
+        const activeMembers = await this.db.listActiveMembers();
+        const memberMap = new Map();
+        for (const m of activeMembers) {
+            memberMap.set(m.id, m);
+        }
+        // Validate all requested member IDs exist
+        for (const mid of memberIds) {
+            if (!memberMap.has(mid)) {
+                throw new quorumError_1.QuorumError(quorumErrorType_1.QuorumErrorType.MemberNotFound);
+            }
+        }
+        // Determine effective threshold
+        const effectiveThreshold = isBootstrap
+            ? Math.max(memberIds.length, 1)
+            : (sharesRequired ?? this.currentEpochData.threshold);
+        // Delegate to SealingService
+        let sealedDoc;
+        if (isBootstrap) {
+            sealedDoc = await this.sealingService.quorumSealBootstrap(agent, document, [agent], effectiveThreshold);
+        }
+        else {
+            sealedDoc = await this.sealingService.quorumSeal(agent, document, [agent], effectiveThreshold);
+        }
+        const docHexId = (0, ecies_lib_1.uint8ArrayToHex)(sealedDoc.enhancedProvider.toBytes(sealedDoc.id));
+        // Save to database
+        await this.db.saveDocument(sealedDoc);
+        return {
+            documentId: docHexId,
+            encryptedData: sealedDoc.encryptedData,
+            memberIds,
+            sharesRequired: sealedDoc.sharesRequired,
+            createdAt: sealedDoc.dateCreated,
+        };
+    }
+    /**
+     * Unseal a document.
+     *
+     * Verifies checksum (SHA-3) and creator signature using constant-time
+     * comparison before delegating to SealingService.
+     * Returns generic error on failure without revealing which check failed (Req 8.4-8.6).
+     */
+    async unsealDocument(documentId, membersWithPrivateKey) {
+        this.ensureInitialized();
+        this.ensureNotTransitioning();
+        const doc = await this.db.getDocument(documentId);
+        if (!doc) {
+            throw new quorumError_1.QuorumError(quorumErrorType_1.QuorumErrorType.DocumentNotFound);
+        }
+        // Verify checksum using constant-time comparison (Req 8.5)
+        const calculatedChecksum = this.checksumService.calculateChecksum(doc.encryptedData);
+        const checksumValid = constantTimeEqual(calculatedChecksum.toUint8Array(), doc.checksum.toUint8Array());
+        // Verify creator signature using constant-time comparison (Req 8.5)
+        let signatureValid = false;
+        try {
+            const expectedSignature = doc.creator.sign(doc.checksum.toUint8Array());
+            signatureValid = constantTimeEqual(doc.signature, expectedSignature);
+        }
+        catch {
+            signatureValid = false;
+        }
+        // Return generic error without revealing which check failed (Req 8.6)
+        if (!checksumValid || !signatureValid) {
+            throw new quorumError_1.QuorumError(quorumErrorType_1.QuorumErrorType.UnableToRestoreDocument);
+        }
+        // Delegate to SealingService for actual decryption
+        return this.sealingService.quorumUnseal(doc, membersWithPrivateKey);
+    }
+    /** Get the current epoch. */
+    async getCurrentEpoch() {
+        this.ensureInitialized();
+        if (this.currentEpochData) {
+            return this.currentEpochData;
+        }
+        const epoch = await this.db.getCurrentEpoch();
+        this.currentEpochData = epoch;
+        return epoch;
+    }
+    /** Get a specific epoch by number. */
+    async getEpoch(epochNumber) {
+        this.ensureInitialized();
+        return this.db.getEpoch(epochNumber);
+    }
+    /** Get quorum system metrics for monitoring. */
+    async getMetrics() {
+        const activeMembers = this.initialized
+            ? await this.db.listActiveMembers()
+            : [];
+        const currentEpochNumber = this.currentEpochData?.epochNumber ?? 0;
+        return {
+            proposals: {
+                total: this.metricsData.proposalsTotal,
+                pending: this.metricsData.proposalsPending,
+            },
+            votes: {
+                latency_ms: this.metricsData.votesLatencyMs,
+            },
+            redistribution: {
+                progress: this.metricsData.redistributionProgress,
+                failures: this.metricsData.redistributionFailures,
+            },
+            members: {
+                active: activeMembers.length,
+            },
+            epoch: {
+                current: currentEpochNumber,
+            },
+            expiration: {
+                last_run: this.metricsData.expirationLastRun,
+                deleted_total: this.metricsData.expirationDeletedTotal,
+            },
+        };
+    }
+    /** Get the configured threshold for this quorum. */
+    getConfiguredThreshold() {
+        return this.configuredThreshold;
+    }
+}
+exports.QuorumStateMachine = QuorumStateMachine;
+/**
+ * Maximum allowed description length for proposals.
+ */
+QuorumStateMachine.MAX_DESCRIPTION_LENGTH = 4096;
+/**
+ * Member count threshold above which inner quorum routing is used.
+ */
+QuorumStateMachine.INNER_QUORUM_MEMBER_THRESHOLD = 20;
+/**
+ * Action types considered routine for inner quorum routing.
+ * When member count > 20 and an inner quorum exists, these use the inner quorum threshold.
+ */
+QuorumStateMachine.ROUTINE_ACTION_TYPES = new Set([
+    proposalActionType_1.ProposalActionType.ADD_MEMBER,
+    proposalActionType_1.ProposalActionType.REMOVE_MEMBER,
+    proposalActionType_1.ProposalActionType.UNSEAL_DOCUMENT,
+    proposalActionType_1.ProposalActionType.REGISTER_ALIAS,
+    proposalActionType_1.ProposalActionType.DEREGISTER_ALIAS,
+    proposalActionType_1.ProposalActionType.EXTEND_STATUTE,
+    proposalActionType_1.ProposalActionType.CUSTOM,
+]);
+//# sourceMappingURL=quorumStateMachine.js.map