@continuonai/rcan-ts 0.5.0 → 0.6.0

package/dist/browser.mjs

@@ -99,7 +99,8 @@ var RobotURI = class _RobotURI {
 };
 
 // src/version.ts
-var SPEC_VERSION = "1.5";
+var SPEC_VERSION = "1.6";
+var SDK_VERSION = "0.6.0";
 function validateVersionCompat(incomingVersion, localVersion = SPEC_VERSION) {
   const parseParts = (v) => {
     const parts = v.split(".");
@@ -171,6 +172,12 @@ var RCANMessage = class _RCANMessage {
     __publicField(this, "presenceVerified");
     __publicField(this, "proximityMeters");
     __publicField(this, "readOnly");
+    /** v1.6: GAP-14 level of assurance */
+    __publicField(this, "loa");
+    /** v1.6: GAP-17 transport encoding hint */
+    __publicField(this, "transportEncoding");
+    /** v1.6: GAP-18 multi-modal media chunks */
+    __publicField(this, "mediaChunks");
     if (!data.cmd || data.cmd.trim() === "") {
       throw new RCANMessageError("'cmd' is required");
     }
@@ -195,6 +202,9 @@ var RCANMessage = class _RCANMessage {
     this.presenceVerified = data.presenceVerified;
     this.proximityMeters = data.proximityMeters;
     this.readOnly = data.readOnly;
+    this.loa = data.loa;
+    this.transportEncoding = data.transportEncoding;
+    this.mediaChunks = data.mediaChunks;
     if (this.confidence !== void 0) {
       if (this.confidence < 0 || this.confidence > 1) {
         throw new RCANMessageError(
@@ -233,6 +243,9 @@ var RCANMessage = class _RCANMessage {
     if (this.presenceVerified !== void 0) obj.presenceVerified = this.presenceVerified;
     if (this.proximityMeters !== void 0) obj.proximityMeters = this.proximityMeters;
     if (this.readOnly !== void 0) obj.readOnly = this.readOnly;
+    if (this.loa !== void 0) obj.loa = this.loa;
+    if (this.transportEncoding !== void 0) obj.transportEncoding = this.transportEncoding;
+    if (this.mediaChunks !== void 0) obj.mediaChunks = this.mediaChunks;
     return obj;
   }
   /** Serialize to JSON string */
@@ -272,7 +285,10 @@ var RCANMessage = class _RCANMessage {
       qos: obj.qos,
       presenceVerified: obj.presenceVerified,
       proximityMeters: obj.proximityMeters,
-      readOnly: obj.readOnly
+      readOnly: obj.readOnly,
+      loa: obj.loa,
+      transportEncoding: obj.transportEncoding,
+      mediaChunks: obj.mediaChunks
     });
   }
 };
@@ -2030,23 +2046,645 @@ function makeFaultReport(params) {
   });
 }
 
+// src/identity.ts
+var LevelOfAssurance = /* @__PURE__ */ ((LevelOfAssurance2) => {
+  LevelOfAssurance2[LevelOfAssurance2["ANONYMOUS"] = 1] = "ANONYMOUS";
+  LevelOfAssurance2[LevelOfAssurance2["EMAIL_VERIFIED"] = 2] = "EMAIL_VERIFIED";
+  LevelOfAssurance2[LevelOfAssurance2["HARDWARE_TOKEN"] = 3] = "HARDWARE_TOKEN";
+  return LevelOfAssurance2;
+})(LevelOfAssurance || {});
+var DEFAULT_LOA_POLICY = {
+  minLoaDiscover: 1 /* ANONYMOUS */,
+  minLoaStatus: 1 /* ANONYMOUS */,
+  minLoaChat: 1 /* ANONYMOUS */,
+  minLoaControl: 1 /* ANONYMOUS */,
+  minLoaSafety: 1 /* ANONYMOUS */
+};
+var PRODUCTION_LOA_POLICY = {
+  minLoaDiscover: 1 /* ANONYMOUS */,
+  minLoaStatus: 1 /* ANONYMOUS */,
+  minLoaChat: 1 /* ANONYMOUS */,
+  minLoaControl: 2 /* EMAIL_VERIFIED */,
+  minLoaSafety: 3 /* HARDWARE_TOKEN */
+};
+function extractLoaFromJwt(token) {
+  try {
+    const parts = token.split(".");
+    if (parts.length < 2) return 1 /* ANONYMOUS */;
+    const payloadB64 = (parts[1] ?? "").replace(/-/g, "+").replace(/_/g, "/");
+    const padded = payloadB64 + "=".repeat((4 - payloadB64.length % 4) % 4);
+    let json;
+    if (typeof atob !== "undefined") {
+      json = atob(padded);
+    } else {
+      json = Buffer.from(padded, "base64").toString("utf-8");
+    }
+    const claims = JSON.parse(json);
+    const loa = claims["loa"];
+    if (typeof loa === "number" && loa >= 1 && loa <= 3) {
+      return loa;
+    }
+  } catch {
+  }
+  return 1 /* ANONYMOUS */;
+}
+function minLoaForScope(scope, policy) {
+  const s = scope.toLowerCase();
+  switch (s) {
+    case "discover":
+      return policy.minLoaDiscover;
+    case "status":
+      return policy.minLoaStatus;
+    case "chat":
+      return policy.minLoaChat;
+    case "control":
+      return policy.minLoaControl;
+    case "safety":
+      return policy.minLoaSafety;
+    default:
+      return null;
+  }
+}
+function validateLoaForScope(loa, scope, policy = DEFAULT_LOA_POLICY) {
+  const min = minLoaForScope(scope, policy);
+  if (min === null) {
+    return { valid: true, reason: "unknown scope; allowed by default" };
+  }
+  if (loa >= min) {
+    return { valid: true, reason: "ok" };
+  }
+  return {
+    valid: false,
+    reason: `LOA_INSUFFICIENT: scope=${scope} requires LoA>=${min}, caller has LoA=${loa}`
+  };
+}
+
+// src/federation.ts
+var RegistryTier = /* @__PURE__ */ ((RegistryTier2) => {
+  RegistryTier2["ROOT"] = "root";
+  RegistryTier2["AUTHORITATIVE"] = "authoritative";
+  RegistryTier2["COMMUNITY"] = "community";
+  return RegistryTier2;
+})(RegistryTier || {});
+var FederationSyncType = /* @__PURE__ */ ((FederationSyncType2) => {
+  FederationSyncType2["CONSENT"] = "consent";
+  FederationSyncType2["REVOCATION"] = "revocation";
+  FederationSyncType2["KEY"] = "key";
+  return FederationSyncType2;
+})(FederationSyncType || {});
+var CACHE_TTL_MS2 = 24 * 60 * 60 * 1e3;
+var TrustAnchorCache = class {
+  constructor() {
+    __publicField(this, "store", /* @__PURE__ */ new Map());
+  }
+  /** Store or refresh a registry identity. */
+  set(identity) {
+    this.store.set(identity.registryUrl, {
+      identity,
+      expiresAt: Date.now() + CACHE_TTL_MS2
+    });
+  }
+  /**
+   * Look up a registry URL.
+   * Returns undefined when absent or when the TTL has expired.
+   */
+  lookup(url) {
+    const entry = this.store.get(url);
+    if (!entry) return void 0;
+    if (Date.now() > entry.expiresAt) {
+      this.store.delete(url);
+      return void 0;
+    }
+    return entry.identity;
+  }
+  /**
+   * Discover a registry via DNS TXT record `_rcan-registry.<domain>`.
+   *
+   * The TXT record is expected to contain a JSON object with the
+   * RegistryIdentity fields. Returns the identity and caches it.
+   *
+   * Node.js only — returns undefined in environments without `dns.promises`.
+   */
+  async discoverViaDns(domain) {
+    const hostname = `_rcan-registry.${domain}`;
+    let records;
+    try {
+      const dnsModule = __require("dns");
+      records = await dnsModule.promises.resolveTxt(hostname);
+    } catch {
+      return void 0;
+    }
+    for (const record of records) {
+      const text = record.join("");
+      try {
+        const parsed = JSON.parse(text);
+        if (parsed.registryUrl && parsed.tier && parsed.publicKeyPem && parsed.domain) {
+          const identity = {
+            registryUrl: parsed.registryUrl,
+            tier: parsed.tier,
+            publicKeyPem: parsed.publicKeyPem,
+            domain: parsed.domain,
+            verifiedAt: (/* @__PURE__ */ new Date()).toISOString()
+          };
+          this.set(identity);
+          return identity;
+        }
+      } catch {
+      }
+    }
+    return void 0;
+  }
+  /**
+   * Verify a JWT was issued by the registry at `url`.
+   *
+   * Validates the `iss` claim and checks the registry is in the trust cache.
+   * Full cryptographic signature verification requires the registry's public
+   * key material — callers should perform additional checks using `publicKeyPem`
+   * from the returned identity.
+   */
+  async verifyRegistryJwt(token, url) {
+    const identity = this.lookup(url);
+    if (!identity) {
+      throw new Error(`REGISTRY_UNKNOWN: ${url} is not in the trust cache`);
+    }
+    let iss;
+    try {
+      const parts = token.split(".");
+      const payloadB64 = (parts[1] ?? "").replace(/-/g, "+").replace(/_/g, "/");
+      const padded = payloadB64 + "=".repeat((4 - payloadB64.length % 4) % 4);
+      let json;
+      if (typeof atob !== "undefined") {
+        json = atob(padded);
+      } else {
+        json = Buffer.from(padded, "base64").toString("utf-8");
+      }
+      const claims = JSON.parse(json);
+      iss = typeof claims["iss"] === "string" ? claims["iss"] : void 0;
+    } catch {
+      throw new Error("REGISTRY_JWT_MALFORMED: cannot decode token payload");
+    }
+    if (iss !== url) {
+      throw new Error(
+        `REGISTRY_JWT_ISS_MISMATCH: expected iss=${url}, got iss=${iss ?? "(none)"}`
+      );
+    }
+    return identity;
+  }
+};
+function generateId5() {
+  if (typeof crypto !== "undefined" && typeof crypto.randomUUID === "function") {
+    return crypto.randomUUID();
+  }
+  const bytes = Array.from({ length: 16 }, () => Math.floor(Math.random() * 256));
+  bytes[6] = (bytes[6] ?? 0) & 15 | 64;
+  bytes[8] = (bytes[8] ?? 0) & 63 | 128;
+  const hex = bytes.map((b) => b.toString(16).padStart(2, "0"));
+  return `${hex.slice(0, 4).join("")}-${hex.slice(4, 6).join("")}-${hex.slice(6, 8).join("")}-${hex.slice(8, 10).join("")}-${hex.slice(10).join("")}`;
+}
+function makeFederationSync(source, target, syncType, payload) {
+  return new RCANMessage({
+    rcan: "1.6",
+    rcanVersion: "1.6",
+    cmd: "federation_sync",
+    target,
+    params: {
+      msg_type: 12 /* FEDERATION_SYNC */,
+      msg_id: generateId5(),
+      source_registry: source,
+      target_registry: target,
+      sync_type: syncType,
+      payload
+    },
+    timestamp: (/* @__PURE__ */ new Date()).toISOString()
+  });
+}
+async function validateCrossRegistryCommand(msg, localRegistry, trustCache) {
+  const msgType = msg.params?.["msg_type"];
+  const isEstop = msgType === 6 /* SAFETY */ || msgType === 6 || msg.cmd === "estop" || msg.cmd === "ESTOP";
+  if (isEstop) {
+    return { valid: true, reason: "ESTOP always permitted (P66 invariant)" };
+  }
+  const sourceRegistry = msg.params?.["source_registry"] ?? msg.params?.["from_registry"];
+  if (!sourceRegistry || sourceRegistry === localRegistry) {
+    return { valid: true, reason: "local registry; no federation check needed" };
+  }
+  const identity = trustCache.lookup(sourceRegistry);
+  if (!identity) {
+    return {
+      valid: false,
+      reason: `REGISTRY_UNKNOWN: ${sourceRegistry} is not in the local trust cache`
+    };
+  }
+  let loa = 1 /* ANONYMOUS */;
+  const registryJwt = msg.params?.["registry_jwt"];
+  if (registryJwt) {
+    loa = extractLoaFromJwt(registryJwt);
+  } else if (typeof msg.loa === "number") {
+    loa = msg.loa;
+  }
+  if (loa < 2 /* EMAIL_VERIFIED */) {
+    return {
+      valid: false,
+      reason: `LOA_INSUFFICIENT: cross-registry commands require LoA>=2 (EMAIL_VERIFIED), got LoA=${loa}`
+    };
+  }
+  return { valid: true, reason: "cross-registry command accepted" };
+}
+
+// src/transport.ts
+var TransportError = class _TransportError extends Error {
+  constructor(message) {
+    super(message);
+    this.name = "TransportError";
+    Object.setPrototypeOf(this, _TransportError.prototype);
+  }
+};
+var TransportEncoding = /* @__PURE__ */ ((TransportEncoding2) => {
+  TransportEncoding2["HTTP"] = "http";
+  TransportEncoding2["COMPACT"] = "compact";
+  TransportEncoding2["MINIMAL"] = "minimal";
+  TransportEncoding2["BLE"] = "ble";
+  return TransportEncoding2;
+})(TransportEncoding || {});
+var COMPACT_ENCODE = {
+  msg_type: "t",
+  msg_id: "i",
+  timestamp: "ts",
+  from_rrn: "f",
+  to_rrn: "to",
+  scope: "s",
+  payload: "p",
+  signature: "sig"
+};
+var COMPACT_DECODE = Object.fromEntries(
+  Object.entries(COMPACT_ENCODE).map(([k, v]) => [v, k])
+);
+function encodeCompact(message) {
+  const full = message.toJSON();
+  const compact = {};
+  for (const [key, value] of Object.entries(full)) {
+    const short = COMPACT_ENCODE[key];
+    compact[short ?? key] = value;
+  }
+  if (compact["p"] && typeof compact["p"] === "object") {
+    const params = compact["p"];
+    const compactParams = {};
+    for (const [k, v] of Object.entries(params)) {
+      const short = COMPACT_ENCODE[k];
+      compactParams[short ?? k] = v;
+    }
+    compact["p"] = compactParams;
+  }
+  const json = JSON.stringify(compact);
+  const encoder = new TextEncoder();
+  return encoder.encode(json);
+}
+function decodeCompact(data) {
+  const decoder = new TextDecoder();
+  const json = decoder.decode(data);
+  const compact = JSON.parse(json);
+  const full = {};
+  for (const [key, value] of Object.entries(compact)) {
+    const long = COMPACT_DECODE[key];
+    full[long ?? key] = value;
+  }
+  if (full["payload"] && typeof full["payload"] === "object") {
+    const params = full["payload"];
+    const expandedParams = {};
+    for (const [k, v] of Object.entries(params)) {
+      const long = COMPACT_DECODE[k];
+      expandedParams[long ?? k] = v;
+    }
+    full["payload"] = expandedParams;
+  }
+  return new RCANMessage({
+    rcan: full["rcan"] ?? "1.6",
+    rcanVersion: full["rcanVersion"],
+    cmd: full["cmd"],
+    target: full["target"],
+    params: full["params"] ?? full["payload"] ?? {},
+    timestamp: full["timestamp"],
+    confidence: full["confidence"],
+    signature: full["signature"]
+  });
+}
+var MINIMAL_SIZE = 32;
+var SAFETY_TYPE = 6;
+async function sha256Bytes(input) {
+  const encoded = new TextEncoder().encode(input);
+  const ab = new ArrayBuffer(encoded.byteLength);
+  new Uint8Array(ab).set(encoded);
+  const hashBuffer = await crypto.subtle.digest("SHA-256", ab);
+  return new Uint8Array(hashBuffer);
+}
+async function encodeMinimal(message) {
+  const msgType = message.params?.["msg_type"] ?? 0;
+  if (msgType !== SAFETY_TYPE) {
+    throw new TransportError(
+      `encodeMinimal only supports SAFETY (type 6) messages; got type=${msgType}`
+    );
+  }
+  const fromRrn = message.params?.["from_rrn"] ?? message.target ?? "";
+  const toRrn = message.params?.["to_rrn"] ?? message.target ?? "";
+  const fromHash = await sha256Bytes(fromRrn);
+  const toHash = await sha256Bytes(toRrn);
+  const sig = (message.signature?.sig ?? "").replace(/[^A-Za-z0-9+/=]/g, "");
+  let sigBytes;
+  try {
+    if (typeof atob !== "undefined") {
+      const raw = atob(sig.slice(0, 16));
+      sigBytes = new Uint8Array(raw.length);
+      for (let i = 0; i < raw.length; i++) sigBytes[i] = raw.charCodeAt(i);
+    } else {
+      sigBytes = Buffer.from(sig.slice(0, 16), "base64");
+    }
+  } catch {
+    sigBytes = new Uint8Array(8);
+  }
+  const ts = message.timestamp ? Math.floor(new Date(message.timestamp).getTime() / 1e3) : Math.floor(Date.now() / 1e3);
+  const unix32 = ts >>> 0;
+  const out = new Uint8Array(MINIMAL_SIZE);
+  const view = new DataView(out.buffer);
+  view.setUint16(0, SAFETY_TYPE, false);
+  out.set(fromHash.subarray(0, 8), 2);
+  out.set(toHash.subarray(0, 8), 10);
+  view.setUint32(18, unix32, false);
+  const sigSlice = new Uint8Array(8);
+  sigSlice.set(sigBytes.subarray(0, Math.min(8, sigBytes.length)));
+  out.set(sigSlice, 22);
+  let checksum = 0;
+  for (let i = 0; i < 30; i++) checksum ^= out[i] ?? 0;
+  view.setUint16(30, checksum & 65535, false);
+  if (out.length !== MINIMAL_SIZE) {
+    throw new TransportError(
+      `encodeMinimal assertion failed: expected ${MINIMAL_SIZE} bytes, got ${out.length}`
+    );
+  }
+  return out;
+}
+function decodeMinimal(data) {
+  if (data.length !== MINIMAL_SIZE) {
+    throw new TransportError(
+      `decodeMinimal: expected ${MINIMAL_SIZE} bytes, got ${data.length}`
+    );
+  }
+  const view = new DataView(data.buffer, data.byteOffset, data.byteLength);
+  const msgType = view.getUint16(0, false);
+  const fromHash = data.subarray(2, 10);
+  const toHash = data.subarray(10, 18);
+  const unix32 = view.getUint32(18, false);
+  const sigTrunc = data.subarray(22, 30);
+  const timestamp = new Date(unix32 * 1e3).toISOString();
+  const toHex2 = (b) => Array.from(b).map((x) => x.toString(16).padStart(2, "0")).join("");
+  return {
+    params: {
+      msg_type: msgType,
+      from_hash: toHex2(fromHash),
+      to_hash: toHex2(toHash),
+      timestamp_s: unix32,
+      sig_truncated: toHex2(sigTrunc)
+    },
+    timestamp
+  };
+}
+var DEFAULT_MTU = 251;
+var BLE_HEADER_SIZE = 3;
+function encodeBleFrames(message, mtu = DEFAULT_MTU) {
+  const payload = encodeCompact(message);
+  const chunkSize = mtu - BLE_HEADER_SIZE;
+  if (chunkSize <= 0) {
+    throw new TransportError(`MTU ${mtu} is too small (need at least ${BLE_HEADER_SIZE + 1})`);
+  }
+  const totalChunks = Math.ceil(payload.length / chunkSize);
+  const frames = [];
+  for (let i = 0; i < totalChunks; i++) {
+    const chunk = payload.subarray(i * chunkSize, (i + 1) * chunkSize);
+    const frame = new Uint8Array(BLE_HEADER_SIZE + chunk.length);
+    frame[0] = i;
+    frame[1] = totalChunks;
+    frame[2] = i === totalChunks - 1 ? 1 : 0;
+    frame.set(chunk, BLE_HEADER_SIZE);
+    frames.push(frame);
+  }
+  return frames;
+}
+function decodeBleFrames(frames) {
+  if (frames.length === 0) {
+    throw new TransportError("decodeBleFrames: no frames provided");
+  }
+  const sorted = [...frames].sort((a, b) => (a[0] ?? 0) - (b[0] ?? 0));
+  const expectedTotal = sorted[0]?.[1] ?? sorted.length;
+  if (sorted.length !== expectedTotal) {
+    throw new TransportError(
+      `decodeBleFrames: expected ${expectedTotal} frames, got ${sorted.length}`
+    );
+  }
+  const payloadChunks = sorted.map((f) => f.subarray(BLE_HEADER_SIZE));
+  const totalLen = payloadChunks.reduce((s, c) => s + c.length, 0);
+  const payload = new Uint8Array(totalLen);
+  let offset = 0;
+  for (const chunk of payloadChunks) {
+    payload.set(chunk, offset);
+    offset += chunk.length;
+  }
+  return decodeCompact(payload);
+}
+function selectTransport(available, message) {
+  const msgType = message.params?.["msg_type"] ?? 0;
+  const isSafety = msgType === SAFETY_TYPE;
+  const has = (enc) => available.includes(enc);
+  if (isSafety) {
+    if (has("minimal" /* MINIMAL */)) return "minimal" /* MINIMAL */;
+    if (has("ble" /* BLE */)) return "ble" /* BLE */;
+    if (has("compact" /* COMPACT */)) return "compact" /* COMPACT */;
+    if (has("http" /* HTTP */)) return "http" /* HTTP */;
+  } else {
+    if (has("http" /* HTTP */)) return "http" /* HTTP */;
+    if (has("compact" /* COMPACT */)) return "compact" /* COMPACT */;
+    if (has("ble" /* BLE */)) return "ble" /* BLE */;
+  }
+  throw new TransportError(
+    `No suitable transport available from: [${available.join(", ")}]`
+  );
+}
+
+// src/multimodal.ts
+var MediaEncoding = /* @__PURE__ */ ((MediaEncoding2) => {
+  MediaEncoding2["BASE64"] = "base64";
+  MediaEncoding2["REF"] = "ref";
+  return MediaEncoding2;
+})(MediaEncoding || {});
+function generateId6() {
+  if (typeof crypto !== "undefined" && typeof crypto.randomUUID === "function") {
+    return crypto.randomUUID();
+  }
+  const bytes = Array.from({ length: 16 }, () => Math.floor(Math.random() * 256));
+  bytes[6] = (bytes[6] ?? 0) & 15 | 64;
+  bytes[8] = (bytes[8] ?? 0) & 63 | 128;
+  const hex = bytes.map((b) => b.toString(16).padStart(2, "0"));
+  return `${hex.slice(0, 4).join("")}-${hex.slice(4, 6).join("")}-${hex.slice(6, 8).join("")}-${hex.slice(8, 10).join("")}-${hex.slice(10).join("")}`;
+}
+async function computeSha256Hex(data) {
+  const ab = new ArrayBuffer(data.byteLength);
+  new Uint8Array(ab).set(data);
+  const hashBuffer = await crypto.subtle.digest("SHA-256", ab);
+  const hashArray = new Uint8Array(hashBuffer);
+  return Array.from(hashArray).map((b) => b.toString(16).padStart(2, "0")).join("");
+}
+function uint8ToBase64(data) {
+  if (typeof Buffer !== "undefined") {
+    return Buffer.from(data).toString("base64");
+  }
+  let binary = "";
+  for (let i = 0; i < data.length; i++) binary += String.fromCharCode(data[i] ?? 0);
+  return btoa(binary);
+}
+function rebuildMessage(base, overrides) {
+  const data = { ...base.toJSON(), ...overrides };
+  return RCANMessage.fromJSON(data);
+}
+async function addMediaInline(message, data, mimeType) {
+  const hashSha256 = await computeSha256Hex(data);
+  const dataB64 = uint8ToBase64(data);
+  const chunk = {
+    chunkId: generateId6(),
+    mimeType,
+    encoding: "base64" /* BASE64 */,
+    hashSha256,
+    dataB64,
+    sizeBytes: data.length
+  };
+  const existing = message.mediaChunks ?? [];
+  return rebuildMessage(message, { mediaChunks: [...existing, chunk] });
+}
+function addMediaRef(message, refUrl, mimeType, hashSha256, sizeBytes) {
+  const chunk = {
+    chunkId: generateId6(),
+    mimeType,
+    encoding: "ref" /* REF */,
+    hashSha256,
+    refUrl,
+    sizeBytes
+  };
+  const existing = message.mediaChunks ?? [];
+  return rebuildMessage(message, { mediaChunks: [...existing, chunk] });
+}
+async function validateMediaChunks(message) {
+  const chunks = message.mediaChunks ?? [];
+  if (chunks.length === 0) {
+    return { valid: true, reason: "no media chunks" };
+  }
+  for (let i = 0; i < chunks.length; i++) {
+    const chunk = chunks[i];
+    if (!chunk.chunkId) return { valid: false, reason: `chunk[${i}]: missing chunkId` };
+    if (!chunk.mimeType) return { valid: false, reason: `chunk[${i}]: missing mimeType` };
+    if (!chunk.hashSha256) return { valid: false, reason: `chunk[${i}]: missing hashSha256` };
+    if (chunk.sizeBytes < 0) return { valid: false, reason: `chunk[${i}]: sizeBytes must be >= 0` };
+    if (chunk.encoding === "base64" /* BASE64 */) {
+      if (!chunk.dataB64) {
+        return { valid: false, reason: `chunk[${i}]: BASE64 encoding requires dataB64` };
+      }
+      let decoded;
+      try {
+        if (typeof Buffer !== "undefined") {
+          decoded = Buffer.from(chunk.dataB64, "base64");
+        } else {
+          const raw = atob(chunk.dataB64);
+          decoded = new Uint8Array(raw.length);
+          for (let j = 0; j < raw.length; j++) decoded[j] = raw.charCodeAt(j);
+        }
+      } catch {
+        return { valid: false, reason: `chunk[${i}]: failed to decode base64 data` };
+      }
+      const actualHash = await computeSha256Hex(decoded);
+      if (actualHash !== chunk.hashSha256) {
+        return {
+          valid: false,
+          reason: `chunk[${i}]: SHA-256 mismatch (expected ${chunk.hashSha256}, got ${actualHash})`
+        };
+      }
+    } else if (chunk.encoding === "ref" /* REF */) {
+      if (!chunk.refUrl) {
+        return { valid: false, reason: `chunk[${i}]: REF encoding requires refUrl` };
+      }
+    } else {
+      return { valid: false, reason: `chunk[${i}]: unknown encoding '${chunk.encoding}'` };
+    }
+  }
+  return { valid: true, reason: "ok" };
+}
+async function makeTrainingDataMessage(media) {
+  let msg = new RCANMessage({
+    rcan: "1.6",
+    rcanVersion: "1.6",
+    cmd: "training_data",
+    target: "rcan://training/data",
+    params: {
+      msg_type: 10 /* TRAINING_DATA */,
+      msg_id: generateId6()
+    },
+    timestamp: (/* @__PURE__ */ new Date()).toISOString()
+  });
+  for (const item of media) {
+    msg = await addMediaInline(msg, item.data, item.mimeType);
+  }
+  return msg;
+}
+async function makeStreamChunk(streamId, data, mimeType, chunkIndex, isFinal) {
+  const hashSha256 = await computeSha256Hex(data);
+  const dataB64 = uint8ToBase64(data);
+  const chunk = {
+    chunkId: generateId6(),
+    mimeType,
+    encoding: "base64" /* BASE64 */,
+    hashSha256,
+    dataB64,
+    sizeBytes: data.length
+  };
+  const streamChunkMeta = {
+    streamId,
+    chunkIndex,
+    isFinal,
+    chunk
+  };
+  let msg = new RCANMessage({
+    rcan: "1.6",
+    rcanVersion: "1.6",
+    cmd: "stream_chunk",
+    target: "rcan://streaming/chunk",
+    params: {
+      msg_type: 7 /* SENSOR_DATA */,
+      msg_id: generateId6(),
+      stream_chunk: streamChunkMeta
+    },
+    timestamp: (/* @__PURE__ */ new Date()).toISOString()
+  });
+  msg = rebuildMessage(msg, { mediaChunks: [chunk] });
+  return msg;
+}
+
 // src/index.ts
-var VERSION = "0.5.0";
-var RCAN_VERSION = "1.5";
+var VERSION = "0.6.0";
+var RCAN_VERSION = "1.6";
 export {
   AuditChain,
   AuditError,
   ClockDriftError,
   CommitmentRecord,
   ConfidenceGate,
+  DEFAULT_LOA_POLICY,
   DataCategory,
   FaultCode,
+  FederationSyncType,
   GateError,
   HiTLGate,
   KeyStore,
+  LevelOfAssurance,
+  MediaEncoding,
   MessageType,
   NodeClient,
   OfflineModeManager,
+  PRODUCTION_LOA_POLICY,
   QoSAckTimeoutError,
   QoSLevel,
   QoSManager,
@@ -2068,17 +2706,31 @@ export {
   RCANVersionIncompatibleError,
   RCAN_VERSION,
   RegistryClient,
+  RegistryTier,
   ReplayCache,
   RevocationCache,
   RobotURI,
   RobotURIError,
   SAFETY_MESSAGE_TYPE,
+  SDK_VERSION,
   SPEC_VERSION,
+  TransportEncoding,
+  TransportError,
+  TrustAnchorCache,
   VERSION,
   addDelegationHop,
+  addMediaInline,
+  addMediaRef,
   assertClockSynced,
   checkClockSync,
   checkRevocation,
+  decodeBleFrames,
+  decodeCompact,
+  decodeMinimal,
+  encodeBleFrames,
+  encodeCompact,
+  encodeMinimal,
+  extractLoaFromJwt,
   fetchCanonicalSchema,
   isSafetyMessage,
   makeCloudRelayMessage,
@@ -2089,19 +2741,26 @@ export {
   makeEstopMessage,
   makeEstopWithQoS,
   makeFaultReport,
+  makeFederationSync,
   makeKeyRotationMessage,
   makeResumeMessage,
   makeRevocationBroadcast,
   makeStopMessage,
+  makeStreamChunk,
   makeTrainingConsentDeny,
   makeTrainingConsentGrant,
   makeTrainingConsentRequest,
+  makeTrainingDataMessage,
   makeTransparencyMessage,
+  selectTransport,
   validateConfig,
   validateConfigAgainstSchema,
   validateConfigUpdate,
   validateConsentMessage,
+  validateCrossRegistryCommand,
   validateDelegationChain,
+  validateLoaForScope,
+  validateMediaChunks,
   validateMessage,
   validateNodeAgainstSchema,
   validateReplay,