@continuonai/rcan-ts 0.6.0 → 1.1.0

package/dist/index.js

@@ -1,7 +1,9 @@
 "use strict";
+var __create = Object.create;
 var __defProp = Object.defineProperty;
 var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
 var __getOwnPropNames = Object.getOwnPropertyNames;
+var __getProtoOf = Object.getPrototypeOf;
 var __hasOwnProp = Object.prototype.hasOwnProperty;
 var __export = (target, all) => {
   for (var name in all)
@@ -15,24 +17,39 @@ var __copyProps = (to, from, except, desc) => {
   }
   return to;
 };
+var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(
+  // If the importer is in node compatibility mode or this is not an ESM
+  // file that has been converted to a CommonJS file using a Babel-
+  // compatible transform (i.e. "__esModule" has not been set), then set
+  // "default" to the CommonJS "module.exports" for node compatibility.
+  isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target,
+  mod
+));
 var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
 
 // src/index.ts
 var index_exports = {};
 __export(index_exports, {
+  AUTHORITY_ERROR_CODES: () => AUTHORITY_ERROR_CODES,
   AuditChain: () => AuditChain,
   AuditError: () => AuditError,
+  COMPETITION_SCOPE_LEVEL: () => COMPETITION_SCOPE_LEVEL,
+  CONTRIBUTE_SCOPE_LEVEL: () => CONTRIBUTE_SCOPE_LEVEL,
   ClockDriftError: () => ClockDriftError,
   CommitmentRecord: () => CommitmentRecord,
   ConfidenceGate: () => ConfidenceGate,
   DEFAULT_LOA_POLICY: () => DEFAULT_LOA_POLICY,
   DataCategory: () => DataCategory,
+  FIRMWARE_MANIFEST_PATH: () => FIRMWARE_MANIFEST_PATH,
   FaultCode: () => FaultCode,
   FederationSyncType: () => FederationSyncType,
+  FirmwareIntegrityError: () => FirmwareIntegrityError,
   GateError: () => GateError,
   HiTLGate: () => HiTLGate,
   KeyStore: () => KeyStore,
   LevelOfAssurance: () => LevelOfAssurance,
+  M2MAuthError: () => M2MAuthError,
+  M2M_TRUSTED_ISSUER: () => M2M_TRUSTED_ISSUER,
   MediaEncoding: () => MediaEncoding,
   MessageType: () => MessageType,
   NodeClient: () => NodeClient,
@@ -58,13 +75,18 @@ __export(index_exports, {
   RCANValidationError: () => RCANValidationError,
   RCANVersionIncompatibleError: () => RCANVersionIncompatibleError,
   RCAN_VERSION: () => RCAN_VERSION,
+  ROLE_JWT_LEVEL: () => ROLE_JWT_LEVEL,
+  RRF_REVOCATION_CACHE_TTL_MS: () => RRF_REVOCATION_CACHE_TTL_MS,
+  RRF_REVOCATION_URL: () => RRF_REVOCATION_URL,
   RegistryClient: () => RegistryClient,
   RegistryTier: () => RegistryTier,
   ReplayCache: () => ReplayCache,
   RevocationCache: () => RevocationCache,
   RobotURI: () => RobotURI,
   RobotURIError: () => RobotURIError,
+  Role: () => Role,
   SAFETY_MESSAGE_TYPE: () => SAFETY_MESSAGE_TYPE,
+  SCOPE_MIN_ROLE: () => SCOPE_MIN_ROLE,
   SDK_VERSION: () => SDK_VERSION,
   SPEC_VERSION: () => SPEC_VERSION,
   TransportEncoding: () => TransportEncoding,
@@ -75,6 +97,9 @@ __export(index_exports, {
   addMediaInline: () => addMediaInline,
   addMediaRef: () => addMediaRef,
   assertClockSynced: () => assertClockSynced,
+  authorityAccessFromWire: () => authorityAccessFromWire,
+  authorityAccessToWire: () => authorityAccessToWire,
+  canonicalManifestJson: () => canonicalManifestJson,
   checkClockSync: () => checkClockSync,
   checkRevocation: () => checkRevocation,
   decodeBleFrames: () => decodeBleFrames,
@@ -83,21 +108,34 @@ __export(index_exports, {
   encodeBleFrames: () => encodeBleFrames,
   encodeCompact: () => encodeCompact,
   encodeMinimal: () => encodeMinimal,
+  extractIdentityFromJwt: () => extractIdentityFromJwt,
   extractLoaFromJwt: () => extractLoaFromJwt,
+  extractRoleFromJwt: () => extractRoleFromJwt,
   fetchCanonicalSchema: () => fetchCanonicalSchema,
+  fetchRRFRevocations: () => fetchRRFRevocations,
+  isAuthorityRequestValid: () => isAuthorityRequestValid,
+  isM2mTrustedRevoked: () => isM2mTrustedRevoked,
+  isPreemptedBy: () => isPreemptedBy,
   isSafetyMessage: () => isSafetyMessage,
   makeCloudRelayMessage: () => makeCloudRelayMessage,
+  makeCompetitionEnter: () => makeCompetitionEnter,
+  makeCompetitionScore: () => makeCompetitionScore,
   makeConfigUpdate: () => makeConfigUpdate,
   makeConsentDeny: () => makeConsentDeny,
   makeConsentGrant: () => makeConsentGrant,
   makeConsentRequest: () => makeConsentRequest,
+  makeContributeCancel: () => makeContributeCancel,
+  makeContributeRequest: () => makeContributeRequest,
+  makeContributeResult: () => makeContributeResult,
   makeEstopMessage: () => makeEstopMessage,
   makeEstopWithQoS: () => makeEstopWithQoS,
   makeFaultReport: () => makeFaultReport,
   makeFederationSync: () => makeFederationSync,
   makeKeyRotationMessage: () => makeKeyRotationMessage,
+  makePersonalResearchResult: () => makePersonalResearchResult,
   makeResumeMessage: () => makeResumeMessage,
   makeRevocationBroadcast: () => makeRevocationBroadcast,
+  makeSeasonStanding: () => makeSeasonStanding,
   makeStopMessage: () => makeStopMessage,
   makeStreamChunk: () => makeStreamChunk,
   makeTrainingConsentDeny: () => makeTrainingConsentDeny,
@@ -105,22 +143,34 @@ __export(index_exports, {
   makeTrainingConsentRequest: () => makeTrainingConsentRequest,
   makeTrainingDataMessage: () => makeTrainingDataMessage,
   makeTransparencyMessage: () => makeTransparencyMessage,
+  manifestFromWire: () => manifestFromWire,
+  manifestToWire: () => manifestToWire,
+  parseM2mPeerToken: () => parseM2mPeerToken,
+  parseM2mTrustedToken: () => parseM2mTrustedToken,
+  roleFromJwtLevel: () => roleFromJwtLevel,
   selectTransport: () => selectTransport,
+  validateAuthorityAccess: () => validateAuthorityAccess,
+  validateCompetitionScope: () => validateCompetitionScope,
   validateConfig: () => validateConfig,
   validateConfigAgainstSchema: () => validateConfigAgainstSchema,
   validateConfigUpdate: () => validateConfigUpdate,
   validateConsentMessage: () => validateConsentMessage,
+  validateContributeScope: () => validateContributeScope,
   validateCrossRegistryCommand: () => validateCrossRegistryCommand,
   validateDelegationChain: () => validateDelegationChain,
   validateLoaForScope: () => validateLoaForScope,
+  validateManifest: () => validateManifest,
   validateMediaChunks: () => validateMediaChunks,
   validateMessage: () => validateMessage,
   validateNodeAgainstSchema: () => validateNodeAgainstSchema,
   validateReplay: () => validateReplay,
+  validateRoleForScope: () => validateRoleForScope,
   validateSafetyMessage: () => validateSafetyMessage,
   validateTrainingDataMessage: () => validateTrainingDataMessage,
   validateURI: () => validateURI,
-  validateVersionCompat: () => validateVersionCompat
+  validateVersionCompat: () => validateVersionCompat,
+  verifyM2mTrustedToken: () => verifyM2mTrustedToken,
+  verifyM2mTrustedTokenClaims: () => verifyM2mTrustedTokenClaims
 });
 module.exports = __toCommonJS(index_exports);
 
@@ -215,8 +265,8 @@ var RobotURI = class _RobotURI {
 };
 
 // src/version.ts
-var SPEC_VERSION = "1.6";
-var SDK_VERSION = "0.6.0";
+var SPEC_VERSION = "2.1.0";
+var SDK_VERSION = "1.1.0";
 function validateVersionCompat(incomingVersion, localVersion = SPEC_VERSION) {
   const parseParts = (v) => {
     const parts = v.split(".");
@@ -237,18 +287,18 @@ var MessageType = /* @__PURE__ */ ((MessageType2) => {
   MessageType2[MessageType2["HEARTBEAT"] = 4] = "HEARTBEAT";
   MessageType2[MessageType2["CONFIG"] = 5] = "CONFIG";
   MessageType2[MessageType2["SAFETY"] = 6] = "SAFETY";
-  MessageType2[MessageType2["SENSOR_DATA"] = 7] = "SENSOR_DATA";
-  MessageType2[MessageType2["AUDIT"] = 8] = "AUDIT";
+  MessageType2[MessageType2["AUTH"] = 7] = "AUTH";
+  MessageType2[MessageType2["ERROR"] = 8] = "ERROR";
   MessageType2[MessageType2["DISCOVER"] = 9] = "DISCOVER";
-  MessageType2[MessageType2["TRAINING_DATA"] = 10] = "TRAINING_DATA";
-  MessageType2[MessageType2["TRANSPARENCY"] = 11] = "TRANSPARENCY";
-  MessageType2[MessageType2["FEDERATION_SYNC"] = 12] = "FEDERATION_SYNC";
-  MessageType2[MessageType2["ALERT"] = 13] = "ALERT";
-  MessageType2[MessageType2["TELEOP"] = 14] = "TELEOP";
-  MessageType2[MessageType2["CHAT"] = 15] = "CHAT";
-  MessageType2[MessageType2["ERROR"] = 16] = "ERROR";
+  MessageType2[MessageType2["PENDING_AUTH"] = 10] = "PENDING_AUTH";
+  MessageType2[MessageType2["INVOKE"] = 11] = "INVOKE";
+  MessageType2[MessageType2["INVOKE_RESULT"] = 12] = "INVOKE_RESULT";
+  MessageType2[MessageType2["INVOKE_CANCEL"] = 13] = "INVOKE_CANCEL";
+  MessageType2[MessageType2["REGISTRY_REGISTER"] = 14] = "REGISTRY_REGISTER";
+  MessageType2[MessageType2["REGISTRY_RESOLVE"] = 15] = "REGISTRY_RESOLVE";
+  MessageType2[MessageType2["TRANSPARENCY"] = 16] = "TRANSPARENCY";
   MessageType2[MessageType2["COMMAND_ACK"] = 17] = "COMMAND_ACK";
-  MessageType2[MessageType2["COMMAND_COMMIT"] = 18] = "COMMAND_COMMIT";
+  MessageType2[MessageType2["COMMAND_NACK"] = 18] = "COMMAND_NACK";
   MessageType2[MessageType2["ROBOT_REVOCATION"] = 19] = "ROBOT_REVOCATION";
   MessageType2[MessageType2["CONSENT_REQUEST"] = 20] = "CONSENT_REQUEST";
   MessageType2[MessageType2["CONSENT_GRANT"] = 21] = "CONSENT_GRANT";
@@ -257,7 +307,24 @@ var MessageType = /* @__PURE__ */ ((MessageType2) => {
   MessageType2[MessageType2["SUBSCRIBE"] = 24] = "SUBSCRIBE";
   MessageType2[MessageType2["UNSUBSCRIBE"] = 25] = "UNSUBSCRIBE";
   MessageType2[MessageType2["FAULT_REPORT"] = 26] = "FAULT_REPORT";
-  MessageType2[MessageType2["COMMAND_NACK"] = 27] = "COMMAND_NACK";
+  MessageType2[MessageType2["KEY_ROTATION"] = 27] = "KEY_ROTATION";
+  MessageType2[MessageType2["COMMAND_COMMIT"] = 28] = "COMMAND_COMMIT";
+  MessageType2[MessageType2["SENSOR_DATA"] = 29] = "SENSOR_DATA";
+  MessageType2[MessageType2["TRAINING_CONSENT_REQUEST"] = 30] = "TRAINING_CONSENT_REQUEST";
+  MessageType2[MessageType2["TRAINING_CONSENT_GRANT"] = 31] = "TRAINING_CONSENT_GRANT";
+  MessageType2[MessageType2["TRAINING_CONSENT_DENY"] = 32] = "TRAINING_CONSENT_DENY";
+  MessageType2[MessageType2["CONTRIBUTE_REQUEST"] = 33] = "CONTRIBUTE_REQUEST";
+  MessageType2[MessageType2["CONTRIBUTE_RESULT"] = 34] = "CONTRIBUTE_RESULT";
+  MessageType2[MessageType2["CONTRIBUTE_CANCEL"] = 35] = "CONTRIBUTE_CANCEL";
+  MessageType2[MessageType2["TRAINING_DATA"] = 36] = "TRAINING_DATA";
+  MessageType2[MessageType2["COMPETITION_ENTER"] = 37] = "COMPETITION_ENTER";
+  MessageType2[MessageType2["COMPETITION_SCORE"] = 38] = "COMPETITION_SCORE";
+  MessageType2[MessageType2["SEASON_STANDING"] = 39] = "SEASON_STANDING";
+  MessageType2[MessageType2["PERSONAL_RESEARCH_RESULT"] = 40] = "PERSONAL_RESEARCH_RESULT";
+  MessageType2[MessageType2["AUTHORITY_ACCESS"] = 41] = "AUTHORITY_ACCESS";
+  MessageType2[MessageType2["AUTHORITY_RESPONSE"] = 42] = "AUTHORITY_RESPONSE";
+  MessageType2[MessageType2["FIRMWARE_ATTESTATION"] = 43] = "FIRMWARE_ATTESTATION";
+  MessageType2[MessageType2["SBOM_UPDATE"] = 44] = "SBOM_UPDATE";
   return MessageType2;
 })(MessageType || {});
 var RCANMessageError = class extends Error {
@@ -293,6 +360,10 @@ var RCANMessage = class _RCANMessage {
   transportEncoding;
   /** v1.6: GAP-18 multi-modal media chunks */
   mediaChunks;
+  /** v2.1: SHA-256 of sender's firmware manifest */
+  firmwareHash;
+  /** v2.1: URI to sender's SBOM attestation endpoint */
+  attestationRef;
   constructor(data) {
     if (!data.cmd || data.cmd.trim() === "") {
       throw new RCANMessageError("'cmd' is required");
@@ -321,6 +392,13 @@ var RCANMessage = class _RCANMessage {
     this.loa = data.loa;
     this.transportEncoding = data.transportEncoding;
     this.mediaChunks = data.mediaChunks;
+    this.firmwareHash = data.firmwareHash;
+    this.attestationRef = data.attestationRef;
+    if (this.signature !== void 0 && this.signature["sig"] === "pending") {
+      throw new RCANMessageError(
+        "signature.sig:'pending' is not valid in RCAN v2.1. Sign the message before sending."
+      );
+    }
     if (this.confidence !== void 0) {
       if (this.confidence < 0 || this.confidence > 1) {
         throw new RCANMessageError(
@@ -362,6 +440,8 @@ var RCANMessage = class _RCANMessage {
     if (this.loa !== void 0) obj.loa = this.loa;
     if (this.transportEncoding !== void 0) obj.transportEncoding = this.transportEncoding;
     if (this.mediaChunks !== void 0) obj.mediaChunks = this.mediaChunks;
+    if (this.firmwareHash !== void 0) obj.firmwareHash = this.firmwareHash;
+    if (this.attestationRef !== void 0) obj.attestationRef = this.attestationRef;
     return obj;
   }
   /** Serialize to JSON string */
@@ -404,7 +484,9 @@ var RCANMessage = class _RCANMessage {
       readOnly: obj.readOnly,
       loa: obj.loa,
       transportEncoding: obj.transportEncoding,
-      mediaChunks: obj.mediaChunks
+      mediaChunks: obj.mediaChunks,
+      firmwareHash: obj.firmwareHash,
+      attestationRef: obj.attestationRef
     });
   }
 };
@@ -1377,6 +1459,7 @@ async function fetchCanonicalSchema(schemaName) {
   try {
     const controller = new AbortController();
     const timer = setTimeout(() => controller.abort(), 5e3);
+    timer.unref?.();
     const res = await fetch(`${SCHEMA_BASE}/${schemaName}`, { signal: controller.signal });
     clearTimeout(timer);
     if (!res.ok) return null;
@@ -2017,7 +2100,7 @@ function makeTrainingConsentDeny(params) {
   return makeConsentDeny(params);
 }
 function validateTrainingDataMessage(msg) {
-  if (msg.params.message_type !== 10 /* TRAINING_DATA */) {
+  if (msg.params.message_type !== 36 /* TRAINING_DATA */) {
     return { valid: false, reason: "not a TRAINING_DATA message" };
   }
   const token = msg.params.consent_token;
@@ -2157,77 +2240,133 @@ function makeFaultReport(params) {
 }
 
 // src/identity.ts
-var LevelOfAssurance = /* @__PURE__ */ ((LevelOfAssurance2) => {
-  LevelOfAssurance2[LevelOfAssurance2["ANONYMOUS"] = 1] = "ANONYMOUS";
-  LevelOfAssurance2[LevelOfAssurance2["EMAIL_VERIFIED"] = 2] = "EMAIL_VERIFIED";
-  LevelOfAssurance2[LevelOfAssurance2["HARDWARE_TOKEN"] = 3] = "HARDWARE_TOKEN";
-  return LevelOfAssurance2;
-})(LevelOfAssurance || {});
+var Role = /* @__PURE__ */ ((Role2) => {
+  Role2[Role2["GUEST"] = 1] = "GUEST";
+  Role2[Role2["OPERATOR"] = 2] = "OPERATOR";
+  Role2[Role2["CONTRIBUTOR"] = 3] = "CONTRIBUTOR";
+  Role2[Role2["ADMIN"] = 4] = "ADMIN";
+  Role2[Role2["M2M_PEER"] = 5] = "M2M_PEER";
+  Role2[Role2["CREATOR"] = 6] = "CREATOR";
+  Role2[Role2["M2M_TRUSTED"] = 7] = "M2M_TRUSTED";
+  return Role2;
+})(Role || {});
+var LevelOfAssurance = Role;
+var ROLE_JWT_LEVEL = {
+  [1 /* GUEST */]: 1,
+  [2 /* OPERATOR */]: 2,
+  [3 /* CONTRIBUTOR */]: 2.5,
+  [4 /* ADMIN */]: 3,
+  [5 /* M2M_PEER */]: 4,
+  [6 /* CREATOR */]: 5,
+  [7 /* M2M_TRUSTED */]: 6
+};
+var JWT_LEVEL_TO_ROLE = new Map(
+  Object.entries(ROLE_JWT_LEVEL).map(
+    ([role, level]) => [level, Number(role)]
+  )
+);
+function roleFromJwtLevel(level) {
+  return JWT_LEVEL_TO_ROLE.get(level);
+}
+var SCOPE_MIN_ROLE = {
+  "status": 1 /* GUEST */,
+  "discover": 1 /* GUEST */,
+  "chat": 1 /* GUEST */,
+  "observer": 1 /* GUEST */,
+  "contribute": 3 /* CONTRIBUTOR */,
+  "control": 2 /* OPERATOR */,
+  "teleop": 2 /* OPERATOR */,
+  "training": 4 /* ADMIN */,
+  "training_data": 4 /* ADMIN */,
+  "config": 4 /* ADMIN */,
+  "authority": 4 /* ADMIN */,
+  "admin": 6 /* CREATOR */,
+  "safety": 6 /* CREATOR */,
+  "estop": 6 /* CREATOR */,
+  "fleet.trusted": 7 /* M2M_TRUSTED */
+};
 var DEFAULT_LOA_POLICY = {
-  minLoaDiscover: 1 /* ANONYMOUS */,
-  minLoaStatus: 1 /* ANONYMOUS */,
-  minLoaChat: 1 /* ANONYMOUS */,
-  minLoaControl: 1 /* ANONYMOUS */,
-  minLoaSafety: 1 /* ANONYMOUS */
+  minRoleForDiscover: 1 /* GUEST */,
+  minRoleForStatus: 1 /* GUEST */,
+  minRoleForChat: 1 /* GUEST */,
+  minRoleForControl: 1 /* GUEST */,
+  minRoleForSafety: 1 /* GUEST */
 };
 var PRODUCTION_LOA_POLICY = {
-  minLoaDiscover: 1 /* ANONYMOUS */,
-  minLoaStatus: 1 /* ANONYMOUS */,
-  minLoaChat: 1 /* ANONYMOUS */,
-  minLoaControl: 2 /* EMAIL_VERIFIED */,
-  minLoaSafety: 3 /* HARDWARE_TOKEN */
+  minRoleForDiscover: 1 /* GUEST */,
+  minRoleForStatus: 1 /* GUEST */,
+  minRoleForChat: 1 /* GUEST */,
+  minRoleForControl: 2 /* OPERATOR */,
+  minRoleForSafety: 6 /* CREATOR */
 };
-function extractLoaFromJwt(token) {
+function decodeJwtPayload(token) {
   try {
     const parts = token.split(".");
-    if (parts.length < 2) return 1 /* ANONYMOUS */;
+    if (parts.length < 2) return null;
     const payloadB64 = (parts[1] ?? "").replace(/-/g, "+").replace(/_/g, "/");
     const padded = payloadB64 + "=".repeat((4 - payloadB64.length % 4) % 4);
-    let json;
-    if (typeof atob !== "undefined") {
-      json = atob(padded);
-    } else {
-      json = Buffer.from(padded, "base64").toString("utf-8");
-    }
-    const claims = JSON.parse(json);
-    const loa = claims["loa"];
-    if (typeof loa === "number" && loa >= 1 && loa <= 3) {
-      return loa;
-    }
+    return JSON.parse(atob(padded));
   } catch {
+    return null;
   }
-  return 1 /* ANONYMOUS */;
-}
-function minLoaForScope(scope, policy) {
-  const s = scope.toLowerCase();
-  switch (s) {
-    case "discover":
-      return policy.minLoaDiscover;
-    case "status":
-      return policy.minLoaStatus;
-    case "chat":
-      return policy.minLoaChat;
-    case "control":
-      return policy.minLoaControl;
-    case "safety":
-      return policy.minLoaSafety;
-    default:
-      return null;
-  }
-}
-function validateLoaForScope(loa, scope, policy = DEFAULT_LOA_POLICY) {
-  const min = minLoaForScope(scope, policy);
-  if (min === null) {
-    return { valid: true, reason: "unknown scope; allowed by default" };
-  }
-  if (loa >= min) {
-    return { valid: true, reason: "ok" };
+}
+function extractRoleFromJwt(token) {
+  const payload = decodeJwtPayload(token);
+  if (!payload) return 1 /* GUEST */;
+  const rcanRole = payload["rcan_role"];
+  if (rcanRole !== void 0 && rcanRole !== null) {
+    const role = roleFromJwtLevel(Number(rcanRole));
+    if (role !== void 0) return role;
+  }
+  const loa = payload["loa"];
+  if (loa !== void 0 && loa !== null) {
+    const role = roleFromJwtLevel(Number(loa));
+    if (role !== void 0) return role;
+  }
+  return 1 /* GUEST */;
+}
+function extractLoaFromJwt(token) {
+  return extractRoleFromJwt(token);
+}
+function extractIdentityFromJwt(token) {
+  const payload = decodeJwtPayload(token);
+  if (!payload) {
+    return { sub: "", role: 1 /* GUEST */, jwtLevel: 1, scopes: [] };
+  }
+  const rcanRole = payload["rcan_role"];
+  const loa = payload["loa"];
+  const rawLevel = rcanRole !== void 0 ? Number(rcanRole) : loa !== void 0 ? Number(loa) : 1;
+  const role = roleFromJwtLevel(rawLevel) ?? 1 /* GUEST */;
+  const scopes = Array.isArray(payload["rcan_scopes"]) ? payload["rcan_scopes"] : Array.isArray(payload["scopes"]) ? payload["scopes"] : [];
+  return {
+    sub: String(payload["sub"] ?? ""),
+    role,
+    jwtLevel: ROLE_JWT_LEVEL[role],
+    registryUrl: payload["registry_url"],
+    scopes,
+    verifiedAt: payload["verified_at"],
+    peerRrn: payload["peer_rrn"],
+    fleetRrns: Array.isArray(payload["fleet_rrns"]) ? payload["fleet_rrns"] : void 0
+  };
+}
+function validateRoleForScope(role, scope) {
+  const required = SCOPE_MIN_ROLE[scope.toLowerCase()];
+  if (required === void 0) {
+    if (role >= 2 /* OPERATOR */) return { ok: true, reason: "" };
+    return {
+      ok: false,
+      reason: `Unknown scope '${scope}': applying OPERATOR minimum. Caller has ${Role[role]}.`
+    };
   }
+  if (role >= required) return { ok: true, reason: "" };
   return {
-    valid: false,
-    reason: `LOA_INSUFFICIENT: scope=${scope} requires LoA>=${min}, caller has LoA=${loa}`
+    ok: false,
+    reason: `Scope '${scope}' requires ${Role[required]} (JWT level ${ROLE_JWT_LEVEL[required]}), but caller has ${Role[role]} (JWT level ${ROLE_JWT_LEVEL[role]})`
   };
 }
+function validateLoaForScope(role, scope) {
+  return validateRoleForScope(role, scope);
+}
 
 // src/federation.ts
 var RegistryTier = /* @__PURE__ */ ((RegistryTier2) => {
@@ -2351,12 +2490,12 @@ function generateId5() {
 }
 function makeFederationSync(source, target, syncType, payload) {
   return new RCANMessage({
-    rcan: "1.6",
-    rcanVersion: "1.6",
+    rcan: "2.1.0",
+    rcanVersion: "2.1.0",
     cmd: "federation_sync",
     target,
     params: {
-      msg_type: 12 /* FEDERATION_SYNC */,
+      msg_type: 23 /* FLEET_COMMAND */,
       msg_id: generateId5(),
       source_registry: source,
       target_registry: target,
@@ -2383,17 +2522,17 @@ async function validateCrossRegistryCommand(msg, localRegistry, trustCache) {
       reason: `REGISTRY_UNKNOWN: ${sourceRegistry} is not in the local trust cache`
     };
   }
-  let loa = 1 /* ANONYMOUS */;
+  let loa = 1 /* GUEST */;
   const registryJwt = msg.params?.["registry_jwt"];
   if (registryJwt) {
     loa = extractLoaFromJwt(registryJwt);
   } else if (typeof msg.loa === "number") {
     loa = msg.loa;
   }
-  if (loa < 2 /* EMAIL_VERIFIED */) {
+  if (loa < 2 /* OPERATOR */) {
     return {
       valid: false,
-      reason: `LOA_INSUFFICIENT: cross-registry commands require LoA>=2 (EMAIL_VERIFIED), got LoA=${loa}`
+      reason: `LOA_INSUFFICIENT: cross-registry commands require LoA>=2 (OPERATOR), got role=${loa}`
     };
   }
   return { valid: true, reason: "cross-registry command accepted" };
@@ -2482,7 +2621,8 @@ async function sha256Bytes(input) {
   const encoded = new TextEncoder().encode(input);
   const ab = new ArrayBuffer(encoded.byteLength);
   new Uint8Array(ab).set(encoded);
-  const hashBuffer = await crypto.subtle.digest("SHA-256", ab);
+  const subtle = globalThis.crypto?.subtle ?? (await import("crypto")).webcrypto.subtle;
+  const hashBuffer = await subtle.digest("SHA-256", ab);
   return new Uint8Array(hashBuffer);
 }
 async function encodeMinimal(message) {
@@ -2633,9 +2773,10 @@ function generateId6() {
   return `${hex.slice(0, 4).join("")}-${hex.slice(4, 6).join("")}-${hex.slice(6, 8).join("")}-${hex.slice(8, 10).join("")}-${hex.slice(10).join("")}`;
 }
 async function computeSha256Hex(data) {
+  const subtle = globalThis.crypto?.subtle ?? (await import("crypto")).webcrypto.subtle;
   const ab = new ArrayBuffer(data.byteLength);
   new Uint8Array(ab).set(data);
-  const hashBuffer = await crypto.subtle.digest("SHA-256", ab);
+  const hashBuffer = await subtle.digest("SHA-256", ab);
   const hashArray = new Uint8Array(hashBuffer);
   return Array.from(hashArray).map((b) => b.toString(16).padStart(2, "0")).join("");
 }
@@ -2728,7 +2869,7 @@ async function makeTrainingDataMessage(media) {
     cmd: "training_data",
     target: "rcan://training/data",
     params: {
-      msg_type: 10 /* TRAINING_DATA */,
+      msg_type: 36 /* TRAINING_DATA */,
       msg_id: generateId6()
     },
     timestamp: (/* @__PURE__ */ new Date()).toISOString()
@@ -2761,7 +2902,7 @@ async function makeStreamChunk(streamId, data, mimeType, chunkIndex, isFinal) {
     cmd: "stream_chunk",
     target: "rcan://streaming/chunk",
     params: {
-      msg_type: 7 /* SENSOR_DATA */,
+      msg_type: 29 /* SENSOR_DATA */,
       msg_id: generateId6(),
       stream_chunk: streamChunkMeta
     },
@@ -2771,24 +2912,372 @@ async function makeStreamChunk(streamId, data, mimeType, chunkIndex, isFinal) {
   return msg;
 }
 
+// src/contribute.ts
+var CONTRIBUTE_SCOPE_LEVEL = 2.5;
+var _idCounter = 0;
+function _generateId() {
+  return `cr-${Date.now()}-${++_idCounter}`;
+}
+function makeContributeRequest(params = {}) {
+  return {
+    type: 33 /* CONTRIBUTE_REQUEST */,
+    request_id: params.request_id ?? _generateId(),
+    project_id: params.project_id ?? "",
+    project_name: params.project_name ?? "",
+    work_unit_id: params.work_unit_id ?? "",
+    resource_type: params.resource_type ?? "cpu",
+    estimated_duration_s: params.estimated_duration_s ?? 0,
+    priority: params.priority ?? 0,
+    payload: params.payload ?? {},
+    timestamp: params.timestamp ?? Date.now() / 1e3
+  };
+}
+function makeContributeResult(params = {}) {
+  const result = {
+    type: 34 /* CONTRIBUTE_RESULT */,
+    request_id: params.request_id ?? "",
+    work_unit_id: params.work_unit_id ?? "",
+    status: params.status ?? "completed",
+    resource_type: params.resource_type ?? "cpu",
+    duration_s: params.duration_s ?? 0,
+    compute_units: params.compute_units ?? 0,
+    result_payload: params.result_payload ?? {},
+    timestamp: params.timestamp ?? Date.now() / 1e3
+  };
+  if (params.error_message !== void 0) {
+    result.error_message = params.error_message;
+  }
+  return result;
+}
+function makeContributeCancel(params = {}) {
+  return {
+    type: 35 /* CONTRIBUTE_CANCEL */,
+    request_id: params.request_id ?? "",
+    work_unit_id: params.work_unit_id ?? "",
+    reason: params.reason ?? "",
+    timestamp: params.timestamp ?? Date.now() / 1e3
+  };
+}
+function validateContributeScope(scopeLevel, action = "request") {
+  if (action === "request" || action === "result") {
+    return scopeLevel >= CONTRIBUTE_SCOPE_LEVEL;
+  }
+  if (action === "cancel") {
+    return scopeLevel >= 2;
+  }
+  return false;
+}
+function isPreemptedBy(scopeLevel) {
+  return scopeLevel >= 3;
+}
+
+// src/competition.ts
+var COMPETITION_SCOPE_LEVEL = 2;
+var _idCounter2 = 0;
+function _generateRunId() {
+  return `run-${Date.now()}-${++_idCounter2}`;
+}
+function makeCompetitionEnter(params = {}) {
+  return {
+    type: 37 /* COMPETITION_ENTER */,
+    competition_id: params.competition_id ?? "",
+    competition_format: params.competition_format ?? "sprint",
+    hardware_tier: params.hardware_tier ?? "",
+    model_id: params.model_id ?? "",
+    robot_rrn: params.robot_rrn ?? "",
+    entered_at: params.entered_at ?? Date.now() / 1e3
+  };
+}
+function makeCompetitionScore(params = {}) {
+  const score = params.score ?? 0;
+  if (score < 0 || score > 1) {
+    throw new Error(`score must be in [0.0, 1.0], got ${score}`);
+  }
+  return {
+    type: 38 /* COMPETITION_SCORE */,
+    competition_id: params.competition_id ?? "",
+    candidate_id: params.candidate_id ?? "",
+    score,
+    hardware_tier: params.hardware_tier ?? "",
+    verified: params.verified ?? false,
+    submitted_at: params.submitted_at ?? Date.now() / 1e3
+  };
+}
+function makeSeasonStanding(params = {}) {
+  return {
+    type: 39 /* SEASON_STANDING */,
+    season_id: params.season_id ?? "",
+    class_id: params.class_id ?? "",
+    standings: params.standings ?? [],
+    days_remaining: params.days_remaining ?? 0,
+    broadcast_at: params.broadcast_at ?? Date.now() / 1e3
+  };
+}
+function makePersonalResearchResult(params = {}) {
+  const score = params.score ?? 0;
+  if (score < 0 || score > 1) {
+    throw new Error(`score must be in [0.0, 1.0], got ${score}`);
+  }
+  return {
+    type: 40 /* PERSONAL_RESEARCH_RESULT */,
+    run_id: params.run_id ?? _generateRunId(),
+    run_type: params.run_type ?? "personal",
+    candidate_id: params.candidate_id ?? "",
+    score,
+    hardware_tier: params.hardware_tier ?? "",
+    model_id: params.model_id ?? "",
+    owner_uid: params.owner_uid ?? "",
+    metrics: params.metrics ?? {
+      success_rate: 0,
+      p66_rate: 0,
+      token_efficiency: 0,
+      latency_score: 0
+    },
+    submitted_to_community: params.submitted_to_community ?? false,
+    created_at: params.created_at ?? Date.now() / 1e3
+  };
+}
+function validateCompetitionScope(scopeLevel) {
+  return scopeLevel >= COMPETITION_SCOPE_LEVEL;
+}
+
+// src/firmware.ts
+var FIRMWARE_MANIFEST_PATH = "/.well-known/rcan-firmware-manifest.json";
+function manifestToWire(m) {
+  const wire = {
+    rrn: m.rrn,
+    firmware_version: m.firmwareVersion,
+    build_hash: m.buildHash,
+    components: m.components,
+    signed_at: m.signedAt
+  };
+  if (m.signature) wire.signature = m.signature;
+  return wire;
+}
+function manifestFromWire(w) {
+  return {
+    rrn: w.rrn,
+    firmwareVersion: w.firmware_version,
+    buildHash: w.build_hash,
+    components: w.components ?? [],
+    signedAt: w.signed_at ?? "",
+    signature: w.signature
+  };
+}
+function canonicalManifestJson(m) {
+  const obj = {
+    build_hash: m.buildHash,
+    components: m.components.map((c) => ({
+      hash: c.hash,
+      name: c.name,
+      version: c.version
+    })),
+    firmware_version: m.firmwareVersion,
+    rrn: m.rrn,
+    signed_at: m.signedAt
+  };
+  return JSON.stringify(obj);
+}
+var FirmwareIntegrityError = class extends Error {
+  constructor(message) {
+    super(message);
+    this.name = "FirmwareIntegrityError";
+  }
+};
+function validateManifest(m) {
+  const errors = [];
+  if (!m.rrn) errors.push("rrn is required");
+  if (!m.firmwareVersion) errors.push("firmwareVersion is required");
+  if (!m.buildHash) errors.push("buildHash is required");
+  if (!m.buildHash.startsWith("sha256:")) errors.push("buildHash must start with 'sha256:'");
+  if (!m.signedAt) errors.push("signedAt is required");
+  if (!m.signature) errors.push("signature is required (manifest must be signed)");
+  for (const [i, c] of m.components.entries()) {
+    if (!c.name) errors.push(`components[${i}].name is required`);
+    if (!c.version) errors.push(`components[${i}].version is required`);
+    if (!c.hash.startsWith("sha256:")) errors.push(`components[${i}].hash must start with 'sha256:'`);
+  }
+  return errors;
+}
+
+// src/authority.ts
+function authorityAccessToWire(p) {
+  return {
+    request_id: p.requestId,
+    authority_id: p.authorityId,
+    requested_data: p.requestedData,
+    justification: p.justification,
+    expires_at: p.expiresAt
+  };
+}
+function authorityAccessFromWire(w) {
+  return {
+    requestId: w.request_id,
+    authorityId: w.authority_id,
+    requestedData: w.requested_data ?? [],
+    justification: w.justification ?? "",
+    expiresAt: w.expires_at ?? 0
+  };
+}
+function validateAuthorityAccess(p) {
+  const errors = [];
+  if (!p.requestId) errors.push("requestId is required");
+  if (!p.authorityId) errors.push("authorityId is required");
+  if (!p.requestedData || p.requestedData.length === 0)
+    errors.push("requestedData must include at least one category");
+  if (!p.justification) errors.push("justification is required");
+  if (!p.expiresAt || p.expiresAt <= 0) errors.push("expiresAt must be a positive Unix timestamp");
+  if (p.expiresAt < Date.now() / 1e3) errors.push("expiresAt is in the past \u2014 request has expired");
+  return errors;
+}
+function isAuthorityRequestValid(p) {
+  return Date.now() / 1e3 < p.expiresAt && validateAuthorityAccess(p).length === 0;
+}
+var AUTHORITY_ERROR_CODES = {
+  NOT_RECOGNIZED: "AUTHORITY_NOT_RECOGNIZED",
+  REQUEST_EXPIRED: "AUTHORITY_REQUEST_EXPIRED",
+  INVALID_TOKEN: "AUTHORITY_INVALID_TOKEN",
+  RATE_LIMITED: "AUTHORITY_RATE_LIMITED"
+};
+
+// src/m2m.ts
+var RRF_REVOCATION_URL = "https://api.rrf.rcan.dev/v2/revocations";
+var M2M_TRUSTED_ISSUER = "rrf.rcan.dev";
+var RRF_REVOCATION_CACHE_TTL_MS = 55e3;
+var M2MAuthError = class extends Error {
+  constructor(message) {
+    super(message);
+    this.name = "M2MAuthError";
+  }
+};
+function decodeJwtPayload2(token) {
+  const parts = token.split(".");
+  if (parts.length < 2) throw new M2MAuthError("Invalid JWT structure");
+  const b64 = (parts[1] ?? "").replace(/-/g, "+").replace(/_/g, "/");
+  const padded = b64 + "=".repeat((4 - b64.length % 4) % 4);
+  try {
+    return JSON.parse(atob(padded));
+  } catch (e) {
+    throw new M2MAuthError(`JWT payload decode failed: ${String(e)}`);
+  }
+}
+function parseM2mPeerToken(token) {
+  const payload = decodeJwtPayload2(token);
+  const exp = Number(payload["exp"] ?? 0);
+  if (exp > 0 && Date.now() / 1e3 > exp) {
+    throw new M2MAuthError(`M2M_PEER token expired (sub=${String(payload["sub"])})`);
+  }
+  const peerRrn = String(payload["peer_rrn"] ?? "");
+  if (!peerRrn) throw new M2MAuthError("M2M_PEER token missing peer_rrn claim");
+  return {
+    sub: String(payload["sub"] ?? ""),
+    peerRrn,
+    scopes: Array.isArray(payload["rcan_scopes"]) ? payload["rcan_scopes"] : Array.isArray(payload["scopes"]) ? payload["scopes"] : [],
+    exp,
+    iss: String(payload["iss"] ?? "")
+  };
+}
+function parseM2mTrustedToken(token) {
+  const payload = decodeJwtPayload2(token);
+  const iss = String(payload["iss"] ?? "");
+  if (iss !== M2M_TRUSTED_ISSUER) {
+    throw new M2MAuthError(
+      `M2M_TRUSTED issuer must be '${M2M_TRUSTED_ISSUER}', got '${iss}'`
+    );
+  }
+  const scopes = Array.isArray(payload["rcan_scopes"]) ? payload["rcan_scopes"] : Array.isArray(payload["scopes"]) ? payload["scopes"] : [];
+  if (!scopes.includes("fleet.trusted")) {
+    throw new M2MAuthError("M2M_TRUSTED token missing required 'fleet.trusted' scope");
+  }
+  const exp = Number(payload["exp"] ?? 0);
+  if (exp > 0 && Date.now() / 1e3 > exp) {
+    throw new M2MAuthError(`M2M_TRUSTED token expired (sub=${String(payload["sub"])})`);
+  }
+  const rrfSig = String(payload["rrf_sig"] ?? "");
+  if (!rrfSig) throw new M2MAuthError("M2M_TRUSTED token missing rrf_sig claim");
+  const fleetRrns = Array.isArray(payload["fleet_rrns"]) ? payload["fleet_rrns"] : [];
+  return {
+    sub: String(payload["sub"] ?? ""),
+    fleetRrns,
+    scopes,
+    exp,
+    iss,
+    rrfSig
+  };
+}
+function verifyM2mTrustedTokenClaims(token, targetRrn) {
+  const claims = parseM2mTrustedToken(token);
+  if (!claims.fleetRrns.includes(targetRrn)) {
+    throw new M2MAuthError(
+      `M2M_TRUSTED token does not authorize commanding '${targetRrn}'. Authorized fleet: [${claims.fleetRrns.join(", ")}]`
+    );
+  }
+  return claims;
+}
+var _revocationCache = null;
+async function fetchRRFRevocations(url = RRF_REVOCATION_URL) {
+  const now = Date.now();
+  if (_revocationCache && now - _revocationCache.fetchedAt < RRF_REVOCATION_CACHE_TTL_MS) {
+    return _revocationCache;
+  }
+  try {
+    const resp = await fetch(url, { signal: AbortSignal.timeout?.(5e3) });
+    const data = await resp.json();
+    _revocationCache = {
+      revokedOrchestrators: new Set(data.revoked_orchestrators ?? []),
+      revokedJtis: new Set(data.revoked_jtis ?? []),
+      fetchedAt: now
+    };
+  } catch {
+    if (_revocationCache) return _revocationCache;
+    _revocationCache = { revokedOrchestrators: /* @__PURE__ */ new Set(), revokedJtis: /* @__PURE__ */ new Set(), fetchedAt: now };
+  }
+  return _revocationCache;
+}
+async function isM2mTrustedRevoked(claims, jti) {
+  const cache = await fetchRRFRevocations();
+  if (cache.revokedOrchestrators.has(claims.sub)) return true;
+  if (jti && cache.revokedJtis.has(jti)) return true;
+  return false;
+}
+async function verifyM2mTrustedToken(token, targetRrn, options) {
+  const claims = verifyM2mTrustedTokenClaims(token, targetRrn);
+  if (!options?.skipRevocationCheck) {
+    const revoked = await isM2mTrustedRevoked(claims);
+    if (revoked) {
+      throw new M2MAuthError(
+        `M2M_TRUSTED orchestrator '${claims.sub}' is on the RRF revocation list`
+      );
+    }
+  }
+  return claims;
+}
+
 // src/index.ts
 var VERSION = "0.6.0";
 var RCAN_VERSION = "1.6";
 // Annotate the CommonJS export names for ESM import in node:
 0 && (module.exports = {
+  AUTHORITY_ERROR_CODES,
   AuditChain,
   AuditError,
+  COMPETITION_SCOPE_LEVEL,
+  CONTRIBUTE_SCOPE_LEVEL,
   ClockDriftError,
   CommitmentRecord,
   ConfidenceGate,
   DEFAULT_LOA_POLICY,
   DataCategory,
+  FIRMWARE_MANIFEST_PATH,
   FaultCode,
   FederationSyncType,
+  FirmwareIntegrityError,
   GateError,
   HiTLGate,
   KeyStore,
   LevelOfAssurance,
+  M2MAuthError,
+  M2M_TRUSTED_ISSUER,
   MediaEncoding,
   MessageType,
   NodeClient,
@@ -2814,13 +3303,18 @@ var RCAN_VERSION = "1.6";
   RCANValidationError,
   RCANVersionIncompatibleError,
   RCAN_VERSION,
+  ROLE_JWT_LEVEL,
+  RRF_REVOCATION_CACHE_TTL_MS,
+  RRF_REVOCATION_URL,
   RegistryClient,
   RegistryTier,
   ReplayCache,
   RevocationCache,
   RobotURI,
   RobotURIError,
+  Role,
   SAFETY_MESSAGE_TYPE,
+  SCOPE_MIN_ROLE,
   SDK_VERSION,
   SPEC_VERSION,
   TransportEncoding,
@@ -2831,6 +3325,9 @@ var RCAN_VERSION = "1.6";
   addMediaInline,
   addMediaRef,
   assertClockSynced,
+  authorityAccessFromWire,
+  authorityAccessToWire,
+  canonicalManifestJson,
   checkClockSync,
   checkRevocation,
   decodeBleFrames,
@@ -2839,21 +3336,34 @@ var RCAN_VERSION = "1.6";
   encodeBleFrames,
   encodeCompact,
   encodeMinimal,
+  extractIdentityFromJwt,
   extractLoaFromJwt,
+  extractRoleFromJwt,
   fetchCanonicalSchema,
+  fetchRRFRevocations,
+  isAuthorityRequestValid,
+  isM2mTrustedRevoked,
+  isPreemptedBy,
   isSafetyMessage,
   makeCloudRelayMessage,
+  makeCompetitionEnter,
+  makeCompetitionScore,
   makeConfigUpdate,
   makeConsentDeny,
   makeConsentGrant,
   makeConsentRequest,
+  makeContributeCancel,
+  makeContributeRequest,
+  makeContributeResult,
   makeEstopMessage,
   makeEstopWithQoS,
   makeFaultReport,
   makeFederationSync,
   makeKeyRotationMessage,
+  makePersonalResearchResult,
   makeResumeMessage,
   makeRevocationBroadcast,
+  makeSeasonStanding,
   makeStopMessage,
   makeStreamChunk,
   makeTrainingConsentDeny,
@@ -2861,21 +3371,33 @@ var RCAN_VERSION = "1.6";
   makeTrainingConsentRequest,
   makeTrainingDataMessage,
   makeTransparencyMessage,
+  manifestFromWire,
+  manifestToWire,
+  parseM2mPeerToken,
+  parseM2mTrustedToken,
+  roleFromJwtLevel,
   selectTransport,
+  validateAuthorityAccess,
+  validateCompetitionScope,
   validateConfig,
   validateConfigAgainstSchema,
   validateConfigUpdate,
   validateConsentMessage,
+  validateContributeScope,
   validateCrossRegistryCommand,
   validateDelegationChain,
   validateLoaForScope,
+  validateManifest,
   validateMediaChunks,
   validateMessage,
   validateNodeAgainstSchema,
   validateReplay,
+  validateRoleForScope,
   validateSafetyMessage,
   validateTrainingDataMessage,
   validateURI,
-  validateVersionCompat
+  validateVersionCompat,
+  verifyM2mTrustedToken,
+  verifyM2mTrustedTokenClaims
 });
 //# sourceMappingURL=index.js.map