npm - @continuonai/rcan-ts - Versions diffs - 0.5.0 → 0.6.0 - Mend

@continuonai/rcan-ts 0.5.0 → 0.6.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (13) hide show

package/dist/index.js CHANGED Viewed

@@ -25,14 +25,19 @@ __export(index_exports, {
   ClockDriftError: () => ClockDriftError,
   CommitmentRecord: () => CommitmentRecord,
   ConfidenceGate: () => ConfidenceGate,
+  DEFAULT_LOA_POLICY: () => DEFAULT_LOA_POLICY,
   DataCategory: () => DataCategory,
   FaultCode: () => FaultCode,
+  FederationSyncType: () => FederationSyncType,
   GateError: () => GateError,
   HiTLGate: () => HiTLGate,
   KeyStore: () => KeyStore,
+  LevelOfAssurance: () => LevelOfAssurance,
+  MediaEncoding: () => MediaEncoding,
   MessageType: () => MessageType,
   NodeClient: () => NodeClient,
   OfflineModeManager: () => OfflineModeManager,
+  PRODUCTION_LOA_POLICY: () => PRODUCTION_LOA_POLICY,
   QoSAckTimeoutError: () => QoSAckTimeoutError,
   QoSLevel: () => QoSLevel,
   QoSManager: () => QoSManager,
@@ -54,17 +59,31 @@ __export(index_exports, {
   RCANVersionIncompatibleError: () => RCANVersionIncompatibleError,
   RCAN_VERSION: () => RCAN_VERSION,
   RegistryClient: () => RegistryClient,
+  RegistryTier: () => RegistryTier,
   ReplayCache: () => ReplayCache,
   RevocationCache: () => RevocationCache,
   RobotURI: () => RobotURI,
   RobotURIError: () => RobotURIError,
   SAFETY_MESSAGE_TYPE: () => SAFETY_MESSAGE_TYPE,
+  SDK_VERSION: () => SDK_VERSION,
   SPEC_VERSION: () => SPEC_VERSION,
+  TransportEncoding: () => TransportEncoding,
+  TransportError: () => TransportError,
+  TrustAnchorCache: () => TrustAnchorCache,
   VERSION: () => VERSION,
   addDelegationHop: () => addDelegationHop,
+  addMediaInline: () => addMediaInline,
+  addMediaRef: () => addMediaRef,
   assertClockSynced: () => assertClockSynced,
   checkClockSync: () => checkClockSync,
   checkRevocation: () => checkRevocation,
+  decodeBleFrames: () => decodeBleFrames,
+  decodeCompact: () => decodeCompact,
+  decodeMinimal: () => decodeMinimal,
+  encodeBleFrames: () => encodeBleFrames,
+  encodeCompact: () => encodeCompact,
+  encodeMinimal: () => encodeMinimal,
+  extractLoaFromJwt: () => extractLoaFromJwt,
   fetchCanonicalSchema: () => fetchCanonicalSchema,
   isSafetyMessage: () => isSafetyMessage,
   makeCloudRelayMessage: () => makeCloudRelayMessage,
@@ -75,19 +94,26 @@ __export(index_exports, {
   makeEstopMessage: () => makeEstopMessage,
   makeEstopWithQoS: () => makeEstopWithQoS,
   makeFaultReport: () => makeFaultReport,
+  makeFederationSync: () => makeFederationSync,
   makeKeyRotationMessage: () => makeKeyRotationMessage,
   makeResumeMessage: () => makeResumeMessage,
   makeRevocationBroadcast: () => makeRevocationBroadcast,
   makeStopMessage: () => makeStopMessage,
+  makeStreamChunk: () => makeStreamChunk,
   makeTrainingConsentDeny: () => makeTrainingConsentDeny,
   makeTrainingConsentGrant: () => makeTrainingConsentGrant,
   makeTrainingConsentRequest: () => makeTrainingConsentRequest,
+  makeTrainingDataMessage: () => makeTrainingDataMessage,
   makeTransparencyMessage: () => makeTransparencyMessage,
+  selectTransport: () => selectTransport,
   validateConfig: () => validateConfig,
   validateConfigAgainstSchema: () => validateConfigAgainstSchema,
   validateConfigUpdate: () => validateConfigUpdate,
   validateConsentMessage: () => validateConsentMessage,
+  validateCrossRegistryCommand: () => validateCrossRegistryCommand,
   validateDelegationChain: () => validateDelegationChain,
+  validateLoaForScope: () => validateLoaForScope,
+  validateMediaChunks: () => validateMediaChunks,
   validateMessage: () => validateMessage,
   validateNodeAgainstSchema: () => validateNodeAgainstSchema,
   validateReplay: () => validateReplay,
@@ -189,7 +215,8 @@ var RobotURI = class _RobotURI {
 };
 // src/version.ts
-var SPEC_VERSION = "1.5";
+var SPEC_VERSION = "1.6";
+var SDK_VERSION = "0.6.0";
 function validateVersionCompat(incomingVersion, localVersion = SPEC_VERSION) {
   const parseParts = (v) => {
     const parts = v.split(".");
@@ -260,6 +287,12 @@ var RCANMessage = class _RCANMessage {
   presenceVerified;
   proximityMeters;
   readOnly;
+  /** v1.6: GAP-14 level of assurance */
+  loa;
+  /** v1.6: GAP-17 transport encoding hint */
+  transportEncoding;
+  /** v1.6: GAP-18 multi-modal media chunks */
+  mediaChunks;
   constructor(data) {
     if (!data.cmd || data.cmd.trim() === "") {
       throw new RCANMessageError("'cmd' is required");
@@ -285,6 +318,9 @@ var RCANMessage = class _RCANMessage {
     this.presenceVerified = data.presenceVerified;
     this.proximityMeters = data.proximityMeters;
     this.readOnly = data.readOnly;
+    this.loa = data.loa;
+    this.transportEncoding = data.transportEncoding;
+    this.mediaChunks = data.mediaChunks;
     if (this.confidence !== void 0) {
       if (this.confidence < 0 || this.confidence > 1) {
         throw new RCANMessageError(
@@ -323,6 +359,9 @@ var RCANMessage = class _RCANMessage {
     if (this.presenceVerified !== void 0) obj.presenceVerified = this.presenceVerified;
     if (this.proximityMeters !== void 0) obj.proximityMeters = this.proximityMeters;
     if (this.readOnly !== void 0) obj.readOnly = this.readOnly;
+    if (this.loa !== void 0) obj.loa = this.loa;
+    if (this.transportEncoding !== void 0) obj.transportEncoding = this.transportEncoding;
+    if (this.mediaChunks !== void 0) obj.mediaChunks = this.mediaChunks;
     return obj;
   }
   /** Serialize to JSON string */
@@ -362,7 +401,10 @@ var RCANMessage = class _RCANMessage {
       qos: obj.qos,
       presenceVerified: obj.presenceVerified,
       proximityMeters: obj.proximityMeters,
-      readOnly: obj.readOnly
+      readOnly: obj.readOnly,
+      loa: obj.loa,
+      transportEncoding: obj.transportEncoding,
+      mediaChunks: obj.mediaChunks
     });
   }
 };
@@ -2114,9 +2156,624 @@ function makeFaultReport(params) {
   });
 }
+// src/identity.ts
+var LevelOfAssurance = /* @__PURE__ */ ((LevelOfAssurance2) => {
+  LevelOfAssurance2[LevelOfAssurance2["ANONYMOUS"] = 1] = "ANONYMOUS";
+  LevelOfAssurance2[LevelOfAssurance2["EMAIL_VERIFIED"] = 2] = "EMAIL_VERIFIED";
+  LevelOfAssurance2[LevelOfAssurance2["HARDWARE_TOKEN"] = 3] = "HARDWARE_TOKEN";
+  return LevelOfAssurance2;
+})(LevelOfAssurance || {});
+var DEFAULT_LOA_POLICY = {
+  minLoaDiscover: 1 /* ANONYMOUS */,
+  minLoaStatus: 1 /* ANONYMOUS */,
+  minLoaChat: 1 /* ANONYMOUS */,
+  minLoaControl: 1 /* ANONYMOUS */,
+  minLoaSafety: 1 /* ANONYMOUS */
+};
+var PRODUCTION_LOA_POLICY = {
+  minLoaDiscover: 1 /* ANONYMOUS */,
+  minLoaStatus: 1 /* ANONYMOUS */,
+  minLoaChat: 1 /* ANONYMOUS */,
+  minLoaControl: 2 /* EMAIL_VERIFIED */,
+  minLoaSafety: 3 /* HARDWARE_TOKEN */
+};
+function extractLoaFromJwt(token) {
+  try {
+    const parts = token.split(".");
+    if (parts.length < 2) return 1 /* ANONYMOUS */;
+    const payloadB64 = (parts[1] ?? "").replace(/-/g, "+").replace(/_/g, "/");
+    const padded = payloadB64 + "=".repeat((4 - payloadB64.length % 4) % 4);
+    let json;
+    if (typeof atob !== "undefined") {
+      json = atob(padded);
+    } else {
+      json = Buffer.from(padded, "base64").toString("utf-8");
+    }
+    const claims = JSON.parse(json);
+    const loa = claims["loa"];
+    if (typeof loa === "number" && loa >= 1 && loa <= 3) {
+      return loa;
+    }
+  } catch {
+  }
+  return 1 /* ANONYMOUS */;
+}
+function minLoaForScope(scope, policy) {
+  const s = scope.toLowerCase();
+  switch (s) {
+    case "discover":
+      return policy.minLoaDiscover;
+    case "status":
+      return policy.minLoaStatus;
+    case "chat":
+      return policy.minLoaChat;
+    case "control":
+      return policy.minLoaControl;
+    case "safety":
+      return policy.minLoaSafety;
+    default:
+      return null;
+  }
+}
+function validateLoaForScope(loa, scope, policy = DEFAULT_LOA_POLICY) {
+  const min = minLoaForScope(scope, policy);
+  if (min === null) {
+    return { valid: true, reason: "unknown scope; allowed by default" };
+  }
+  if (loa >= min) {
+    return { valid: true, reason: "ok" };
+  }
+  return {
+    valid: false,
+    reason: `LOA_INSUFFICIENT: scope=${scope} requires LoA>=${min}, caller has LoA=${loa}`
+  };
+}
+// src/federation.ts
+var RegistryTier = /* @__PURE__ */ ((RegistryTier2) => {
+  RegistryTier2["ROOT"] = "root";
+  RegistryTier2["AUTHORITATIVE"] = "authoritative";
+  RegistryTier2["COMMUNITY"] = "community";
+  return RegistryTier2;
+})(RegistryTier || {});
+var FederationSyncType = /* @__PURE__ */ ((FederationSyncType2) => {
+  FederationSyncType2["CONSENT"] = "consent";
+  FederationSyncType2["REVOCATION"] = "revocation";
+  FederationSyncType2["KEY"] = "key";
+  return FederationSyncType2;
+})(FederationSyncType || {});
+var CACHE_TTL_MS2 = 24 * 60 * 60 * 1e3;
+var TrustAnchorCache = class {
+  store = /* @__PURE__ */ new Map();
+  /** Store or refresh a registry identity. */
+  set(identity) {
+    this.store.set(identity.registryUrl, {
+      identity,
+      expiresAt: Date.now() + CACHE_TTL_MS2
+    });
+  }
+  /**
+   * Look up a registry URL.
+   * Returns undefined when absent or when the TTL has expired.
+   */
+  lookup(url) {
+    const entry = this.store.get(url);
+    if (!entry) return void 0;
+    if (Date.now() > entry.expiresAt) {
+      this.store.delete(url);
+      return void 0;
+    }
+    return entry.identity;
+  }
+  /**
+   * Discover a registry via DNS TXT record `_rcan-registry.<domain>`.
+   *
+   * The TXT record is expected to contain a JSON object with the
+   * RegistryIdentity fields. Returns the identity and caches it.
+   *
+   * Node.js only — returns undefined in environments without `dns.promises`.
+   */
+  async discoverViaDns(domain) {
+    const hostname = `_rcan-registry.${domain}`;
+    let records;
+    try {
+      const dnsModule = require("dns");
+      records = await dnsModule.promises.resolveTxt(hostname);
+    } catch {
+      return void 0;
+    }
+    for (const record of records) {
+      const text = record.join("");
+      try {
+        const parsed = JSON.parse(text);
+        if (parsed.registryUrl && parsed.tier && parsed.publicKeyPem && parsed.domain) {
+          const identity = {
+            registryUrl: parsed.registryUrl,
+            tier: parsed.tier,
+            publicKeyPem: parsed.publicKeyPem,
+            domain: parsed.domain,
+            verifiedAt: (/* @__PURE__ */ new Date()).toISOString()
+          };
+          this.set(identity);
+          return identity;
+        }
+      } catch {
+      }
+    }
+    return void 0;
+  }
+  /**
+   * Verify a JWT was issued by the registry at `url`.
+   *
+   * Validates the `iss` claim and checks the registry is in the trust cache.
+   * Full cryptographic signature verification requires the registry's public
+   * key material — callers should perform additional checks using `publicKeyPem`
+   * from the returned identity.
+   */
+  async verifyRegistryJwt(token, url) {
+    const identity = this.lookup(url);
+    if (!identity) {
+      throw new Error(`REGISTRY_UNKNOWN: ${url} is not in the trust cache`);
+    }
+    let iss;
+    try {
+      const parts = token.split(".");
+      const payloadB64 = (parts[1] ?? "").replace(/-/g, "+").replace(/_/g, "/");
+      const padded = payloadB64 + "=".repeat((4 - payloadB64.length % 4) % 4);
+      let json;
+      if (typeof atob !== "undefined") {
+        json = atob(padded);
+      } else {
+        json = Buffer.from(padded, "base64").toString("utf-8");
+      }
+      const claims = JSON.parse(json);
+      iss = typeof claims["iss"] === "string" ? claims["iss"] : void 0;
+    } catch {
+      throw new Error("REGISTRY_JWT_MALFORMED: cannot decode token payload");
+    }
+    if (iss !== url) {
+      throw new Error(
+        `REGISTRY_JWT_ISS_MISMATCH: expected iss=${url}, got iss=${iss ?? "(none)"}`
+      );
+    }
+    return identity;
+  }
+};
+function generateId5() {
+  if (typeof crypto !== "undefined" && typeof crypto.randomUUID === "function") {
+    return crypto.randomUUID();
+  }
+  const bytes = Array.from({ length: 16 }, () => Math.floor(Math.random() * 256));
+  bytes[6] = (bytes[6] ?? 0) & 15 | 64;
+  bytes[8] = (bytes[8] ?? 0) & 63 | 128;
+  const hex = bytes.map((b) => b.toString(16).padStart(2, "0"));
+  return `${hex.slice(0, 4).join("")}-${hex.slice(4, 6).join("")}-${hex.slice(6, 8).join("")}-${hex.slice(8, 10).join("")}-${hex.slice(10).join("")}`;
+}
+function makeFederationSync(source, target, syncType, payload) {
+  return new RCANMessage({
+    rcan: "1.6",
+    rcanVersion: "1.6",
+    cmd: "federation_sync",
+    target,
+    params: {
+      msg_type: 12 /* FEDERATION_SYNC */,
+      msg_id: generateId5(),
+      source_registry: source,
+      target_registry: target,
+      sync_type: syncType,
+      payload
+    },
+    timestamp: (/* @__PURE__ */ new Date()).toISOString()
+  });
+}
+async function validateCrossRegistryCommand(msg, localRegistry, trustCache) {
+  const msgType = msg.params?.["msg_type"];
+  const isEstop = msgType === 6 /* SAFETY */ || msgType === 6 || msg.cmd === "estop" || msg.cmd === "ESTOP";
+  if (isEstop) {
+    return { valid: true, reason: "ESTOP always permitted (P66 invariant)" };
+  }
+  const sourceRegistry = msg.params?.["source_registry"] ?? msg.params?.["from_registry"];
+  if (!sourceRegistry || sourceRegistry === localRegistry) {
+    return { valid: true, reason: "local registry; no federation check needed" };
+  }
+  const identity = trustCache.lookup(sourceRegistry);
+  if (!identity) {
+    return {
+      valid: false,
+      reason: `REGISTRY_UNKNOWN: ${sourceRegistry} is not in the local trust cache`
+    };
+  }
+  let loa = 1 /* ANONYMOUS */;
+  const registryJwt = msg.params?.["registry_jwt"];
+  if (registryJwt) {
+    loa = extractLoaFromJwt(registryJwt);
+  } else if (typeof msg.loa === "number") {
+    loa = msg.loa;
+  }
+  if (loa < 2 /* EMAIL_VERIFIED */) {
+    return {
+      valid: false,
+      reason: `LOA_INSUFFICIENT: cross-registry commands require LoA>=2 (EMAIL_VERIFIED), got LoA=${loa}`
+    };
+  }
+  return { valid: true, reason: "cross-registry command accepted" };
+}
+// src/transport.ts
+var TransportError = class _TransportError extends Error {
+  constructor(message) {
+    super(message);
+    this.name = "TransportError";
+    Object.setPrototypeOf(this, _TransportError.prototype);
+  }
+};
+var TransportEncoding = /* @__PURE__ */ ((TransportEncoding2) => {
+  TransportEncoding2["HTTP"] = "http";
+  TransportEncoding2["COMPACT"] = "compact";
+  TransportEncoding2["MINIMAL"] = "minimal";
+  TransportEncoding2["BLE"] = "ble";
+  return TransportEncoding2;
+})(TransportEncoding || {});
+var COMPACT_ENCODE = {
+  msg_type: "t",
+  msg_id: "i",
+  timestamp: "ts",
+  from_rrn: "f",
+  to_rrn: "to",
+  scope: "s",
+  payload: "p",
+  signature: "sig"
+};
+var COMPACT_DECODE = Object.fromEntries(
+  Object.entries(COMPACT_ENCODE).map(([k, v]) => [v, k])
+);
+function encodeCompact(message) {
+  const full = message.toJSON();
+  const compact = {};
+  for (const [key, value] of Object.entries(full)) {
+    const short = COMPACT_ENCODE[key];
+    compact[short ?? key] = value;
+  }
+  if (compact["p"] && typeof compact["p"] === "object") {
+    const params = compact["p"];
+    const compactParams = {};
+    for (const [k, v] of Object.entries(params)) {
+      const short = COMPACT_ENCODE[k];
+      compactParams[short ?? k] = v;
+    }
+    compact["p"] = compactParams;
+  }
+  const json = JSON.stringify(compact);
+  const encoder = new TextEncoder();
+  return encoder.encode(json);
+}
+function decodeCompact(data) {
+  const decoder = new TextDecoder();
+  const json = decoder.decode(data);
+  const compact = JSON.parse(json);
+  const full = {};
+  for (const [key, value] of Object.entries(compact)) {
+    const long = COMPACT_DECODE[key];
+    full[long ?? key] = value;
+  }
+  if (full["payload"] && typeof full["payload"] === "object") {
+    const params = full["payload"];
+    const expandedParams = {};
+    for (const [k, v] of Object.entries(params)) {
+      const long = COMPACT_DECODE[k];
+      expandedParams[long ?? k] = v;
+    }
+    full["payload"] = expandedParams;
+  }
+  return new RCANMessage({
+    rcan: full["rcan"] ?? "1.6",
+    rcanVersion: full["rcanVersion"],
+    cmd: full["cmd"],
+    target: full["target"],
+    params: full["params"] ?? full["payload"] ?? {},
+    timestamp: full["timestamp"],
+    confidence: full["confidence"],
+    signature: full["signature"]
+  });
+}
+var MINIMAL_SIZE = 32;
+var SAFETY_TYPE = 6;
+async function sha256Bytes(input) {
+  const encoded = new TextEncoder().encode(input);
+  const ab = new ArrayBuffer(encoded.byteLength);
+  new Uint8Array(ab).set(encoded);
+  const hashBuffer = await crypto.subtle.digest("SHA-256", ab);
+  return new Uint8Array(hashBuffer);
+}
+async function encodeMinimal(message) {
+  const msgType = message.params?.["msg_type"] ?? 0;
+  if (msgType !== SAFETY_TYPE) {
+    throw new TransportError(
+      `encodeMinimal only supports SAFETY (type 6) messages; got type=${msgType}`
+    );
+  }
+  const fromRrn = message.params?.["from_rrn"] ?? message.target ?? "";
+  const toRrn = message.params?.["to_rrn"] ?? message.target ?? "";
+  const fromHash = await sha256Bytes(fromRrn);
+  const toHash = await sha256Bytes(toRrn);
+  const sig = (message.signature?.sig ?? "").replace(/[^A-Za-z0-9+/=]/g, "");
+  let sigBytes;
+  try {
+    if (typeof atob !== "undefined") {
+      const raw = atob(sig.slice(0, 16));
+      sigBytes = new Uint8Array(raw.length);
+      for (let i = 0; i < raw.length; i++) sigBytes[i] = raw.charCodeAt(i);
+    } else {
+      sigBytes = Buffer.from(sig.slice(0, 16), "base64");
+    }
+  } catch {
+    sigBytes = new Uint8Array(8);
+  }
+  const ts = message.timestamp ? Math.floor(new Date(message.timestamp).getTime() / 1e3) : Math.floor(Date.now() / 1e3);
+  const unix32 = ts >>> 0;
+  const out = new Uint8Array(MINIMAL_SIZE);
+  const view = new DataView(out.buffer);
+  view.setUint16(0, SAFETY_TYPE, false);
+  out.set(fromHash.subarray(0, 8), 2);
+  out.set(toHash.subarray(0, 8), 10);
+  view.setUint32(18, unix32, false);
+  const sigSlice = new Uint8Array(8);
+  sigSlice.set(sigBytes.subarray(0, Math.min(8, sigBytes.length)));
+  out.set(sigSlice, 22);
+  let checksum = 0;
+  for (let i = 0; i < 30; i++) checksum ^= out[i] ?? 0;
+  view.setUint16(30, checksum & 65535, false);
+  if (out.length !== MINIMAL_SIZE) {
+    throw new TransportError(
+      `encodeMinimal assertion failed: expected ${MINIMAL_SIZE} bytes, got ${out.length}`
+    );
+  }
+  return out;
+}
+function decodeMinimal(data) {
+  if (data.length !== MINIMAL_SIZE) {
+    throw new TransportError(
+      `decodeMinimal: expected ${MINIMAL_SIZE} bytes, got ${data.length}`
+    );
+  }
+  const view = new DataView(data.buffer, data.byteOffset, data.byteLength);
+  const msgType = view.getUint16(0, false);
+  const fromHash = data.subarray(2, 10);
+  const toHash = data.subarray(10, 18);
+  const unix32 = view.getUint32(18, false);
+  const sigTrunc = data.subarray(22, 30);
+  const timestamp = new Date(unix32 * 1e3).toISOString();
+  const toHex2 = (b) => Array.from(b).map((x) => x.toString(16).padStart(2, "0")).join("");
+  return {
+    params: {
+      msg_type: msgType,
+      from_hash: toHex2(fromHash),
+      to_hash: toHex2(toHash),
+      timestamp_s: unix32,
+      sig_truncated: toHex2(sigTrunc)
+    },
+    timestamp
+  };
+}
+var DEFAULT_MTU = 251;
+var BLE_HEADER_SIZE = 3;
+function encodeBleFrames(message, mtu = DEFAULT_MTU) {
+  const payload = encodeCompact(message);
+  const chunkSize = mtu - BLE_HEADER_SIZE;
+  if (chunkSize <= 0) {
+    throw new TransportError(`MTU ${mtu} is too small (need at least ${BLE_HEADER_SIZE + 1})`);
+  }
+  const totalChunks = Math.ceil(payload.length / chunkSize);
+  const frames = [];
+  for (let i = 0; i < totalChunks; i++) {
+    const chunk = payload.subarray(i * chunkSize, (i + 1) * chunkSize);
+    const frame = new Uint8Array(BLE_HEADER_SIZE + chunk.length);
+    frame[0] = i;
+    frame[1] = totalChunks;
+    frame[2] = i === totalChunks - 1 ? 1 : 0;
+    frame.set(chunk, BLE_HEADER_SIZE);
+    frames.push(frame);
+  }
+  return frames;
+}
+function decodeBleFrames(frames) {
+  if (frames.length === 0) {
+    throw new TransportError("decodeBleFrames: no frames provided");
+  }
+  const sorted = [...frames].sort((a, b) => (a[0] ?? 0) - (b[0] ?? 0));
+  const expectedTotal = sorted[0]?.[1] ?? sorted.length;
+  if (sorted.length !== expectedTotal) {
+    throw new TransportError(
+      `decodeBleFrames: expected ${expectedTotal} frames, got ${sorted.length}`
+    );
+  }
+  const payloadChunks = sorted.map((f) => f.subarray(BLE_HEADER_SIZE));
+  const totalLen = payloadChunks.reduce((s, c) => s + c.length, 0);
+  const payload = new Uint8Array(totalLen);
+  let offset = 0;
+  for (const chunk of payloadChunks) {
+    payload.set(chunk, offset);
+    offset += chunk.length;
+  }
+  return decodeCompact(payload);
+}
+function selectTransport(available, message) {
+  const msgType = message.params?.["msg_type"] ?? 0;
+  const isSafety = msgType === SAFETY_TYPE;
+  const has = (enc) => available.includes(enc);
+  if (isSafety) {
+    if (has("minimal" /* MINIMAL */)) return "minimal" /* MINIMAL */;
+    if (has("ble" /* BLE */)) return "ble" /* BLE */;
+    if (has("compact" /* COMPACT */)) return "compact" /* COMPACT */;
+    if (has("http" /* HTTP */)) return "http" /* HTTP */;
+  } else {
+    if (has("http" /* HTTP */)) return "http" /* HTTP */;
+    if (has("compact" /* COMPACT */)) return "compact" /* COMPACT */;
+    if (has("ble" /* BLE */)) return "ble" /* BLE */;
+  }
+  throw new TransportError(
+    `No suitable transport available from: [${available.join(", ")}]`
+  );
+}
+// src/multimodal.ts
+var MediaEncoding = /* @__PURE__ */ ((MediaEncoding2) => {
+  MediaEncoding2["BASE64"] = "base64";
+  MediaEncoding2["REF"] = "ref";
+  return MediaEncoding2;
+})(MediaEncoding || {});
+function generateId6() {
+  if (typeof crypto !== "undefined" && typeof crypto.randomUUID === "function") {
+    return crypto.randomUUID();
+  }
+  const bytes = Array.from({ length: 16 }, () => Math.floor(Math.random() * 256));
+  bytes[6] = (bytes[6] ?? 0) & 15 | 64;
+  bytes[8] = (bytes[8] ?? 0) & 63 | 128;
+  const hex = bytes.map((b) => b.toString(16).padStart(2, "0"));
+  return `${hex.slice(0, 4).join("")}-${hex.slice(4, 6).join("")}-${hex.slice(6, 8).join("")}-${hex.slice(8, 10).join("")}-${hex.slice(10).join("")}`;
+}
+async function computeSha256Hex(data) {
+  const ab = new ArrayBuffer(data.byteLength);
+  new Uint8Array(ab).set(data);
+  const hashBuffer = await crypto.subtle.digest("SHA-256", ab);
+  const hashArray = new Uint8Array(hashBuffer);
+  return Array.from(hashArray).map((b) => b.toString(16).padStart(2, "0")).join("");
+}
+function uint8ToBase64(data) {
+  if (typeof Buffer !== "undefined") {
+    return Buffer.from(data).toString("base64");
+  }
+  let binary = "";
+  for (let i = 0; i < data.length; i++) binary += String.fromCharCode(data[i] ?? 0);
+  return btoa(binary);
+}
+function rebuildMessage(base, overrides) {
+  const data = { ...base.toJSON(), ...overrides };
+  return RCANMessage.fromJSON(data);
+}
+async function addMediaInline(message, data, mimeType) {
+  const hashSha256 = await computeSha256Hex(data);
+  const dataB64 = uint8ToBase64(data);
+  const chunk = {
+    chunkId: generateId6(),
+    mimeType,
+    encoding: "base64" /* BASE64 */,
+    hashSha256,
+    dataB64,
+    sizeBytes: data.length
+  };
+  const existing = message.mediaChunks ?? [];
+  return rebuildMessage(message, { mediaChunks: [...existing, chunk] });
+}
+function addMediaRef(message, refUrl, mimeType, hashSha256, sizeBytes) {
+  const chunk = {
+    chunkId: generateId6(),
+    mimeType,
+    encoding: "ref" /* REF */,
+    hashSha256,
+    refUrl,
+    sizeBytes
+  };
+  const existing = message.mediaChunks ?? [];
+  return rebuildMessage(message, { mediaChunks: [...existing, chunk] });
+}
+async function validateMediaChunks(message) {
+  const chunks = message.mediaChunks ?? [];
+  if (chunks.length === 0) {
+    return { valid: true, reason: "no media chunks" };
+  }
+  for (let i = 0; i < chunks.length; i++) {
+    const chunk = chunks[i];
+    if (!chunk.chunkId) return { valid: false, reason: `chunk[${i}]: missing chunkId` };
+    if (!chunk.mimeType) return { valid: false, reason: `chunk[${i}]: missing mimeType` };
+    if (!chunk.hashSha256) return { valid: false, reason: `chunk[${i}]: missing hashSha256` };
+    if (chunk.sizeBytes < 0) return { valid: false, reason: `chunk[${i}]: sizeBytes must be >= 0` };
+    if (chunk.encoding === "base64" /* BASE64 */) {
+      if (!chunk.dataB64) {
+        return { valid: false, reason: `chunk[${i}]: BASE64 encoding requires dataB64` };
+      }
+      let decoded;
+      try {
+        if (typeof Buffer !== "undefined") {
+          decoded = Buffer.from(chunk.dataB64, "base64");
+        } else {
+          const raw = atob(chunk.dataB64);
+          decoded = new Uint8Array(raw.length);
+          for (let j = 0; j < raw.length; j++) decoded[j] = raw.charCodeAt(j);
+        }
+      } catch {
+        return { valid: false, reason: `chunk[${i}]: failed to decode base64 data` };
+      }
+      const actualHash = await computeSha256Hex(decoded);
+      if (actualHash !== chunk.hashSha256) {
+        return {
+          valid: false,
+          reason: `chunk[${i}]: SHA-256 mismatch (expected ${chunk.hashSha256}, got ${actualHash})`
+        };
+      }
+    } else if (chunk.encoding === "ref" /* REF */) {
+      if (!chunk.refUrl) {
+        return { valid: false, reason: `chunk[${i}]: REF encoding requires refUrl` };
+      }
+    } else {
+      return { valid: false, reason: `chunk[${i}]: unknown encoding '${chunk.encoding}'` };
+    }
+  }
+  return { valid: true, reason: "ok" };
+}
+async function makeTrainingDataMessage(media) {
+  let msg = new RCANMessage({
+    rcan: "1.6",
+    rcanVersion: "1.6",
+    cmd: "training_data",
+    target: "rcan://training/data",
+    params: {
+      msg_type: 10 /* TRAINING_DATA */,
+      msg_id: generateId6()
+    },
+    timestamp: (/* @__PURE__ */ new Date()).toISOString()
+  });
+  for (const item of media) {
+    msg = await addMediaInline(msg, item.data, item.mimeType);
+  }
+  return msg;
+}
+async function makeStreamChunk(streamId, data, mimeType, chunkIndex, isFinal) {
+  const hashSha256 = await computeSha256Hex(data);
+  const dataB64 = uint8ToBase64(data);
+  const chunk = {
+    chunkId: generateId6(),
+    mimeType,
+    encoding: "base64" /* BASE64 */,
+    hashSha256,
+    dataB64,
+    sizeBytes: data.length
+  };
+  const streamChunkMeta = {
+    streamId,
+    chunkIndex,
+    isFinal,
+    chunk
+  };
+  let msg = new RCANMessage({
+    rcan: "1.6",
+    rcanVersion: "1.6",
+    cmd: "stream_chunk",
+    target: "rcan://streaming/chunk",
+    params: {
+      msg_type: 7 /* SENSOR_DATA */,
+      msg_id: generateId6(),
+      stream_chunk: streamChunkMeta
+    },
+    timestamp: (/* @__PURE__ */ new Date()).toISOString()
+  });
+  msg = rebuildMessage(msg, { mediaChunks: [chunk] });
+  return msg;
+}
 // src/index.ts
-var VERSION = "0.5.0";
-var RCAN_VERSION = "1.5";
+var VERSION = "0.6.0";
+var RCAN_VERSION = "1.6";
 // Annotate the CommonJS export names for ESM import in node:
 0 && (module.exports = {
   AuditChain,
@@ -2124,14 +2781,19 @@ var RCAN_VERSION = "1.5";
   ClockDriftError,
   CommitmentRecord,
   ConfidenceGate,
+  DEFAULT_LOA_POLICY,
   DataCategory,
   FaultCode,
+  FederationSyncType,
   GateError,
   HiTLGate,
   KeyStore,
+  LevelOfAssurance,
+  MediaEncoding,
   MessageType,
   NodeClient,
   OfflineModeManager,
+  PRODUCTION_LOA_POLICY,
   QoSAckTimeoutError,
   QoSLevel,
   QoSManager,
@@ -2153,17 +2815,31 @@ var RCAN_VERSION = "1.5";
   RCANVersionIncompatibleError,
   RCAN_VERSION,
   RegistryClient,
+  RegistryTier,
   ReplayCache,
   RevocationCache,
   RobotURI,
   RobotURIError,
   SAFETY_MESSAGE_TYPE,
+  SDK_VERSION,
   SPEC_VERSION,
+  TransportEncoding,
+  TransportError,
+  TrustAnchorCache,
   VERSION,
   addDelegationHop,
+  addMediaInline,
+  addMediaRef,
   assertClockSynced,
   checkClockSync,
   checkRevocation,
+  decodeBleFrames,
+  decodeCompact,
+  decodeMinimal,
+  encodeBleFrames,
+  encodeCompact,
+  encodeMinimal,
+  extractLoaFromJwt,
   fetchCanonicalSchema,
   isSafetyMessage,
   makeCloudRelayMessage,
@@ -2174,19 +2850,26 @@ var RCAN_VERSION = "1.5";
   makeEstopMessage,
   makeEstopWithQoS,
   makeFaultReport,
+  makeFederationSync,
   makeKeyRotationMessage,
   makeResumeMessage,
   makeRevocationBroadcast,
   makeStopMessage,
+  makeStreamChunk,
   makeTrainingConsentDeny,
   makeTrainingConsentGrant,
   makeTrainingConsentRequest,
+  makeTrainingDataMessage,
   makeTransparencyMessage,
+  selectTransport,
   validateConfig,
   validateConfigAgainstSchema,
   validateConfigUpdate,
   validateConsentMessage,
+  validateCrossRegistryCommand,
   validateDelegationChain,
+  validateLoaForScope,
+  validateMediaChunks,
   validateMessage,
   validateNodeAgainstSchema,
   validateReplay,