@continuonai/rcan-ts 0.8.0 → 1.2.0

package/dist/browser.mjs

@@ -99,8 +99,8 @@ var RobotURI = class _RobotURI {
 };
 
 // src/version.ts
-var SPEC_VERSION = "1.9.0";
-var SDK_VERSION = "0.8.0";
+var SPEC_VERSION = "2.2.0";
+var SDK_VERSION = "1.2.0";
 function validateVersionCompat(incomingVersion, localVersion = SPEC_VERSION) {
   const parseParts = (v) => {
     const parts = v.split(".");
@@ -151,9 +151,14 @@ var MessageType = /* @__PURE__ */ ((MessageType2) => {
   MessageType2[MessageType2["CONTRIBUTE_RESULT"] = 34] = "CONTRIBUTE_RESULT";
   MessageType2[MessageType2["CONTRIBUTE_CANCEL"] = 35] = "CONTRIBUTE_CANCEL";
   MessageType2[MessageType2["TRAINING_DATA"] = 36] = "TRAINING_DATA";
-  MessageType2[MessageType2["FEDERATION_SYNC"] = 23] = "FEDERATION_SYNC";
-  MessageType2[MessageType2["ALERT"] = 26] = "ALERT";
-  MessageType2[MessageType2["AUDIT"] = 16] = "AUDIT";
+  MessageType2[MessageType2["COMPETITION_ENTER"] = 37] = "COMPETITION_ENTER";
+  MessageType2[MessageType2["COMPETITION_SCORE"] = 38] = "COMPETITION_SCORE";
+  MessageType2[MessageType2["SEASON_STANDING"] = 39] = "SEASON_STANDING";
+  MessageType2[MessageType2["PERSONAL_RESEARCH_RESULT"] = 40] = "PERSONAL_RESEARCH_RESULT";
+  MessageType2[MessageType2["AUTHORITY_ACCESS"] = 41] = "AUTHORITY_ACCESS";
+  MessageType2[MessageType2["AUTHORITY_RESPONSE"] = 42] = "AUTHORITY_RESPONSE";
+  MessageType2[MessageType2["FIRMWARE_ATTESTATION"] = 43] = "FIRMWARE_ATTESTATION";
+  MessageType2[MessageType2["SBOM_UPDATE"] = 44] = "SBOM_UPDATE";
   return MessageType2;
 })(MessageType || {});
 var RCANMessageError = class extends Error {
@@ -190,6 +195,12 @@ var RCANMessage = class _RCANMessage {
     __publicField(this, "transportEncoding");
     /** v1.6: GAP-18 multi-modal media chunks */
     __publicField(this, "mediaChunks");
+    /** v2.1: SHA-256 of sender's firmware manifest */
+    __publicField(this, "firmwareHash");
+    /** v2.1: URI to sender's SBOM attestation endpoint */
+    __publicField(this, "attestationRef");
+    /** v2.2: ML-DSA-65 post-quantum signature (field 16, FIPS 204). Hybrid alongside Ed25519. */
+    __publicField(this, "pqSig");
     if (!data.cmd || data.cmd.trim() === "") {
       throw new RCANMessageError("'cmd' is required");
     }
@@ -217,6 +228,14 @@ var RCANMessage = class _RCANMessage {
     this.loa = data.loa;
     this.transportEncoding = data.transportEncoding;
     this.mediaChunks = data.mediaChunks;
+    this.firmwareHash = data.firmwareHash;
+    this.attestationRef = data.attestationRef;
+    this.pqSig = data.pqSig;
+    if (this.signature !== void 0 && this.signature["sig"] === "pending") {
+      throw new RCANMessageError(
+        "signature.sig:'pending' is not valid in RCAN v2.1. Sign the message before sending."
+      );
+    }
     if (this.confidence !== void 0) {
       if (this.confidence < 0 || this.confidence > 1) {
         throw new RCANMessageError(
@@ -258,6 +277,9 @@ var RCANMessage = class _RCANMessage {
     if (this.loa !== void 0) obj.loa = this.loa;
     if (this.transportEncoding !== void 0) obj.transportEncoding = this.transportEncoding;
     if (this.mediaChunks !== void 0) obj.mediaChunks = this.mediaChunks;
+    if (this.firmwareHash !== void 0) obj.firmwareHash = this.firmwareHash;
+    if (this.attestationRef !== void 0) obj.attestationRef = this.attestationRef;
+    if (this.pqSig !== void 0) obj.pqSig = this.pqSig;
     return obj;
   }
   /** Serialize to JSON string */
@@ -300,7 +322,10 @@ var RCANMessage = class _RCANMessage {
       readOnly: obj.readOnly,
       loa: obj.loa,
       transportEncoding: obj.transportEncoding,
-      mediaChunks: obj.mediaChunks
+      mediaChunks: obj.mediaChunks,
+      firmwareHash: obj.firmwareHash,
+      attestationRef: obj.attestationRef,
+      pqSig: obj.pqSig
     });
   }
 };
@@ -2060,80 +2085,133 @@ function makeFaultReport(params) {
 }
 
 // src/identity.ts
-var LevelOfAssurance = /* @__PURE__ */ ((LevelOfAssurance2) => {
-  LevelOfAssurance2[LevelOfAssurance2["ANONYMOUS"] = 1] = "ANONYMOUS";
-  LevelOfAssurance2[LevelOfAssurance2["EMAIL_VERIFIED"] = 2] = "EMAIL_VERIFIED";
-  LevelOfAssurance2[LevelOfAssurance2["HARDWARE_TOKEN"] = 3] = "HARDWARE_TOKEN";
-  return LevelOfAssurance2;
-})(LevelOfAssurance || {});
+var Role = /* @__PURE__ */ ((Role2) => {
+  Role2[Role2["GUEST"] = 1] = "GUEST";
+  Role2[Role2["OPERATOR"] = 2] = "OPERATOR";
+  Role2[Role2["CONTRIBUTOR"] = 3] = "CONTRIBUTOR";
+  Role2[Role2["ADMIN"] = 4] = "ADMIN";
+  Role2[Role2["M2M_PEER"] = 5] = "M2M_PEER";
+  Role2[Role2["CREATOR"] = 6] = "CREATOR";
+  Role2[Role2["M2M_TRUSTED"] = 7] = "M2M_TRUSTED";
+  return Role2;
+})(Role || {});
+var LevelOfAssurance = Role;
+var ROLE_JWT_LEVEL = {
+  [1 /* GUEST */]: 1,
+  [2 /* OPERATOR */]: 2,
+  [3 /* CONTRIBUTOR */]: 2.5,
+  [4 /* ADMIN */]: 3,
+  [5 /* M2M_PEER */]: 4,
+  [6 /* CREATOR */]: 5,
+  [7 /* M2M_TRUSTED */]: 6
+};
+var JWT_LEVEL_TO_ROLE = new Map(
+  Object.entries(ROLE_JWT_LEVEL).map(
+    ([role, level]) => [level, Number(role)]
+  )
+);
+function roleFromJwtLevel(level) {
+  return JWT_LEVEL_TO_ROLE.get(level);
+}
+var SCOPE_MIN_ROLE = {
+  "status": 1 /* GUEST */,
+  "discover": 1 /* GUEST */,
+  "chat": 1 /* GUEST */,
+  "observer": 1 /* GUEST */,
+  "contribute": 3 /* CONTRIBUTOR */,
+  "control": 2 /* OPERATOR */,
+  "teleop": 2 /* OPERATOR */,
+  "training": 4 /* ADMIN */,
+  "training_data": 4 /* ADMIN */,
+  "config": 4 /* ADMIN */,
+  "authority": 4 /* ADMIN */,
+  "admin": 6 /* CREATOR */,
+  "safety": 6 /* CREATOR */,
+  "estop": 6 /* CREATOR */,
+  "fleet.trusted": 7 /* M2M_TRUSTED */
+};
 var DEFAULT_LOA_POLICY = {
-  minLoaDiscover: 1 /* ANONYMOUS */,
-  minLoaStatus: 1 /* ANONYMOUS */,
-  minLoaChat: 1 /* ANONYMOUS */,
-  minLoaControl: 1 /* ANONYMOUS */,
-  minLoaSafety: 1 /* ANONYMOUS */
+  minRoleForDiscover: 1 /* GUEST */,
+  minRoleForStatus: 1 /* GUEST */,
+  minRoleForChat: 1 /* GUEST */,
+  minRoleForControl: 1 /* GUEST */,
+  minRoleForSafety: 1 /* GUEST */
 };
 var PRODUCTION_LOA_POLICY = {
-  minLoaDiscover: 1 /* ANONYMOUS */,
-  minLoaStatus: 1 /* ANONYMOUS */,
-  minLoaChat: 1 /* ANONYMOUS */,
-  minLoaControl: 2 /* EMAIL_VERIFIED */,
-  minLoaSafety: 3 /* HARDWARE_TOKEN */
+  minRoleForDiscover: 1 /* GUEST */,
+  minRoleForStatus: 1 /* GUEST */,
+  minRoleForChat: 1 /* GUEST */,
+  minRoleForControl: 2 /* OPERATOR */,
+  minRoleForSafety: 6 /* CREATOR */
 };
-function extractLoaFromJwt(token) {
+function decodeJwtPayload(token) {
   try {
     const parts = token.split(".");
-    if (parts.length < 2) return 1 /* ANONYMOUS */;
+    if (parts.length < 2) return null;
     const payloadB64 = (parts[1] ?? "").replace(/-/g, "+").replace(/_/g, "/");
     const padded = payloadB64 + "=".repeat((4 - payloadB64.length % 4) % 4);
-    let json;
-    if (typeof atob !== "undefined") {
-      json = atob(padded);
-    } else {
-      json = Buffer.from(padded, "base64").toString("utf-8");
-    }
-    const claims = JSON.parse(json);
-    const loa = claims["loa"];
-    if (typeof loa === "number" && loa >= 1 && loa <= 3) {
-      return loa;
-    }
+    return JSON.parse(atob(padded));
   } catch {
+    return null;
   }
-  return 1 /* ANONYMOUS */;
-}
-function minLoaForScope(scope, policy) {
-  const s = scope.toLowerCase();
-  switch (s) {
-    case "discover":
-      return policy.minLoaDiscover;
-    case "status":
-      return policy.minLoaStatus;
-    case "chat":
-      return policy.minLoaChat;
-    case "contribute":
-      return policy.minLoaChat;
-    // v1.7: between chat and control
-    case "control":
-      return policy.minLoaControl;
-    case "safety":
-      return policy.minLoaSafety;
-    default:
-      return null;
-  }
-}
-function validateLoaForScope(loa, scope, policy = DEFAULT_LOA_POLICY) {
-  const min = minLoaForScope(scope, policy);
-  if (min === null) {
-    return { valid: true, reason: "unknown scope; allowed by default" };
-  }
-  if (loa >= min) {
-    return { valid: true, reason: "ok" };
+}
+function extractRoleFromJwt(token) {
+  const payload = decodeJwtPayload(token);
+  if (!payload) return 1 /* GUEST */;
+  const rcanRole = payload["rcan_role"];
+  if (rcanRole !== void 0 && rcanRole !== null) {
+    const role = roleFromJwtLevel(Number(rcanRole));
+    if (role !== void 0) return role;
   }
+  const loa = payload["loa"];
+  if (loa !== void 0 && loa !== null) {
+    const role = roleFromJwtLevel(Number(loa));
+    if (role !== void 0) return role;
+  }
+  return 1 /* GUEST */;
+}
+function extractLoaFromJwt(token) {
+  return extractRoleFromJwt(token);
+}
+function extractIdentityFromJwt(token) {
+  const payload = decodeJwtPayload(token);
+  if (!payload) {
+    return { sub: "", role: 1 /* GUEST */, jwtLevel: 1, scopes: [] };
+  }
+  const rcanRole = payload["rcan_role"];
+  const loa = payload["loa"];
+  const rawLevel = rcanRole !== void 0 ? Number(rcanRole) : loa !== void 0 ? Number(loa) : 1;
+  const role = roleFromJwtLevel(rawLevel) ?? 1 /* GUEST */;
+  const scopes = Array.isArray(payload["rcan_scopes"]) ? payload["rcan_scopes"] : Array.isArray(payload["scopes"]) ? payload["scopes"] : [];
   return {
-    valid: false,
-    reason: `LOA_INSUFFICIENT: scope=${scope} requires LoA>=${min}, caller has LoA=${loa}`
+    sub: String(payload["sub"] ?? ""),
+    role,
+    jwtLevel: ROLE_JWT_LEVEL[role],
+    registryUrl: payload["registry_url"],
+    scopes,
+    verifiedAt: payload["verified_at"],
+    peerRrn: payload["peer_rrn"],
+    fleetRrns: Array.isArray(payload["fleet_rrns"]) ? payload["fleet_rrns"] : void 0
   };
 }
+function validateRoleForScope(role, scope) {
+  const required = SCOPE_MIN_ROLE[scope.toLowerCase()];
+  if (required === void 0) {
+    if (role >= 2 /* OPERATOR */) return { ok: true, reason: "" };
+    return {
+      ok: false,
+      reason: `Unknown scope '${scope}': applying OPERATOR minimum. Caller has ${Role[role]}.`
+    };
+  }
+  if (role >= required) return { ok: true, reason: "" };
+  return {
+    ok: false,
+    reason: `Scope '${scope}' requires ${Role[required]} (JWT level ${ROLE_JWT_LEVEL[required]}), but caller has ${Role[role]} (JWT level ${ROLE_JWT_LEVEL[role]})`
+  };
+}
+function validateLoaForScope(role, scope) {
+  return validateRoleForScope(role, scope);
+}
 
 // src/federation.ts
 var RegistryTier = /* @__PURE__ */ ((RegistryTier2) => {
@@ -2259,12 +2337,12 @@ function generateId5() {
 }
 function makeFederationSync(source, target, syncType, payload) {
   return new RCANMessage({
-    rcan: "1.6",
-    rcanVersion: "1.6",
+    rcan: "2.1.0",
+    rcanVersion: "2.1.0",
     cmd: "federation_sync",
     target,
     params: {
-      msg_type: 23 /* FEDERATION_SYNC */,
+      msg_type: 23 /* FLEET_COMMAND */,
       msg_id: generateId5(),
       source_registry: source,
       target_registry: target,
@@ -2291,17 +2369,17 @@ async function validateCrossRegistryCommand(msg, localRegistry, trustCache) {
       reason: `REGISTRY_UNKNOWN: ${sourceRegistry} is not in the local trust cache`
     };
   }
-  let loa = 1 /* ANONYMOUS */;
+  let loa = 1 /* GUEST */;
   const registryJwt = msg.params?.["registry_jwt"];
   if (registryJwt) {
     loa = extractLoaFromJwt(registryJwt);
   } else if (typeof msg.loa === "number") {
     loa = msg.loa;
   }
-  if (loa < 2 /* EMAIL_VERIFIED */) {
+  if (loa < 2 /* OPERATOR */) {
     return {
       valid: false,
-      reason: `LOA_INSUFFICIENT: cross-registry commands require LoA>=2 (EMAIL_VERIFIED), got LoA=${loa}`
+      reason: `LOA_INSUFFICIENT: cross-registry commands require LoA>=2 (OPERATOR), got role=${loa}`
     };
   }
   return { valid: true, reason: "cross-registry command accepted" };
@@ -2740,24 +2818,470 @@ function isPreemptedBy(scopeLevel) {
   return scopeLevel >= 3;
 }
 
+// src/competition.ts
+var COMPETITION_SCOPE_LEVEL = 2;
+var _idCounter2 = 0;
+function _generateRunId() {
+  return `run-${Date.now()}-${++_idCounter2}`;
+}
+function makeCompetitionEnter(params = {}) {
+  return {
+    type: 37 /* COMPETITION_ENTER */,
+    competition_id: params.competition_id ?? "",
+    competition_format: params.competition_format ?? "sprint",
+    hardware_tier: params.hardware_tier ?? "",
+    model_id: params.model_id ?? "",
+    robot_rrn: params.robot_rrn ?? "",
+    entered_at: params.entered_at ?? Date.now() / 1e3
+  };
+}
+function makeCompetitionScore(params = {}) {
+  const score = params.score ?? 0;
+  if (score < 0 || score > 1) {
+    throw new Error(`score must be in [0.0, 1.0], got ${score}`);
+  }
+  return {
+    type: 38 /* COMPETITION_SCORE */,
+    competition_id: params.competition_id ?? "",
+    candidate_id: params.candidate_id ?? "",
+    score,
+    hardware_tier: params.hardware_tier ?? "",
+    verified: params.verified ?? false,
+    submitted_at: params.submitted_at ?? Date.now() / 1e3
+  };
+}
+function makeSeasonStanding(params = {}) {
+  return {
+    type: 39 /* SEASON_STANDING */,
+    season_id: params.season_id ?? "",
+    class_id: params.class_id ?? "",
+    standings: params.standings ?? [],
+    days_remaining: params.days_remaining ?? 0,
+    broadcast_at: params.broadcast_at ?? Date.now() / 1e3
+  };
+}
+function makePersonalResearchResult(params = {}) {
+  const score = params.score ?? 0;
+  if (score < 0 || score > 1) {
+    throw new Error(`score must be in [0.0, 1.0], got ${score}`);
+  }
+  return {
+    type: 40 /* PERSONAL_RESEARCH_RESULT */,
+    run_id: params.run_id ?? _generateRunId(),
+    run_type: params.run_type ?? "personal",
+    candidate_id: params.candidate_id ?? "",
+    score,
+    hardware_tier: params.hardware_tier ?? "",
+    model_id: params.model_id ?? "",
+    owner_uid: params.owner_uid ?? "",
+    metrics: params.metrics ?? {
+      success_rate: 0,
+      p66_rate: 0,
+      token_efficiency: 0,
+      latency_score: 0
+    },
+    submitted_to_community: params.submitted_to_community ?? false,
+    created_at: params.created_at ?? Date.now() / 1e3
+  };
+}
+function validateCompetitionScope(scopeLevel) {
+  return scopeLevel >= COMPETITION_SCOPE_LEVEL;
+}
+
+// src/firmware.ts
+var FIRMWARE_MANIFEST_PATH = "/.well-known/rcan-firmware-manifest.json";
+function manifestToWire(m) {
+  const wire = {
+    rrn: m.rrn,
+    firmware_version: m.firmwareVersion,
+    build_hash: m.buildHash,
+    components: m.components,
+    signed_at: m.signedAt
+  };
+  if (m.signature) wire.signature = m.signature;
+  return wire;
+}
+function manifestFromWire(w) {
+  return {
+    rrn: w.rrn,
+    firmwareVersion: w.firmware_version,
+    buildHash: w.build_hash,
+    components: w.components ?? [],
+    signedAt: w.signed_at ?? "",
+    signature: w.signature
+  };
+}
+function canonicalManifestJson(m) {
+  const obj = {
+    build_hash: m.buildHash,
+    components: m.components.map((c) => ({
+      hash: c.hash,
+      name: c.name,
+      version: c.version
+    })),
+    firmware_version: m.firmwareVersion,
+    rrn: m.rrn,
+    signed_at: m.signedAt
+  };
+  return JSON.stringify(obj);
+}
+var FirmwareIntegrityError = class extends Error {
+  constructor(message) {
+    super(message);
+    this.name = "FirmwareIntegrityError";
+  }
+};
+function validateManifest(m) {
+  const errors = [];
+  if (!m.rrn) errors.push("rrn is required");
+  if (!m.firmwareVersion) errors.push("firmwareVersion is required");
+  if (!m.buildHash) errors.push("buildHash is required");
+  if (!m.buildHash.startsWith("sha256:")) errors.push("buildHash must start with 'sha256:'");
+  if (!m.signedAt) errors.push("signedAt is required");
+  if (!m.signature) errors.push("signature is required (manifest must be signed)");
+  for (const [i, c] of m.components.entries()) {
+    if (!c.name) errors.push(`components[${i}].name is required`);
+    if (!c.version) errors.push(`components[${i}].version is required`);
+    if (!c.hash.startsWith("sha256:")) errors.push(`components[${i}].hash must start with 'sha256:'`);
+  }
+  return errors;
+}
+
+// src/authority.ts
+function authorityAccessToWire(p) {
+  return {
+    request_id: p.requestId,
+    authority_id: p.authorityId,
+    requested_data: p.requestedData,
+    justification: p.justification,
+    expires_at: p.expiresAt
+  };
+}
+function authorityAccessFromWire(w) {
+  return {
+    requestId: w.request_id,
+    authorityId: w.authority_id,
+    requestedData: w.requested_data ?? [],
+    justification: w.justification ?? "",
+    expiresAt: w.expires_at ?? 0
+  };
+}
+function validateAuthorityAccess(p) {
+  const errors = [];
+  if (!p.requestId) errors.push("requestId is required");
+  if (!p.authorityId) errors.push("authorityId is required");
+  if (!p.requestedData || p.requestedData.length === 0)
+    errors.push("requestedData must include at least one category");
+  if (!p.justification) errors.push("justification is required");
+  if (!p.expiresAt || p.expiresAt <= 0) errors.push("expiresAt must be a positive Unix timestamp");
+  if (p.expiresAt < Date.now() / 1e3) errors.push("expiresAt is in the past \u2014 request has expired");
+  return errors;
+}
+function isAuthorityRequestValid(p) {
+  return Date.now() / 1e3 < p.expiresAt && validateAuthorityAccess(p).length === 0;
+}
+var AUTHORITY_ERROR_CODES = {
+  NOT_RECOGNIZED: "AUTHORITY_NOT_RECOGNIZED",
+  REQUEST_EXPIRED: "AUTHORITY_REQUEST_EXPIRED",
+  INVALID_TOKEN: "AUTHORITY_INVALID_TOKEN",
+  RATE_LIMITED: "AUTHORITY_RATE_LIMITED"
+};
+
+// src/m2m.ts
+var RRF_REVOCATION_URL = "https://api.rrf.rcan.dev/v2/revocations";
+var M2M_TRUSTED_ISSUER = "rrf.rcan.dev";
+var RRF_REVOCATION_CACHE_TTL_MS = 55e3;
+var M2MAuthError = class extends Error {
+  constructor(message) {
+    super(message);
+    this.name = "M2MAuthError";
+  }
+};
+function decodeJwtPayload2(token) {
+  const parts = token.split(".");
+  if (parts.length < 2) throw new M2MAuthError("Invalid JWT structure");
+  const b64 = (parts[1] ?? "").replace(/-/g, "+").replace(/_/g, "/");
+  const padded = b64 + "=".repeat((4 - b64.length % 4) % 4);
+  try {
+    return JSON.parse(atob(padded));
+  } catch (e) {
+    throw new M2MAuthError(`JWT payload decode failed: ${String(e)}`);
+  }
+}
+function parseM2mPeerToken(token) {
+  const payload = decodeJwtPayload2(token);
+  const exp = Number(payload["exp"] ?? 0);
+  if (exp > 0 && Date.now() / 1e3 > exp) {
+    throw new M2MAuthError(`M2M_PEER token expired (sub=${String(payload["sub"])})`);
+  }
+  const peerRrn = String(payload["peer_rrn"] ?? "");
+  if (!peerRrn) throw new M2MAuthError("M2M_PEER token missing peer_rrn claim");
+  return {
+    sub: String(payload["sub"] ?? ""),
+    peerRrn,
+    scopes: Array.isArray(payload["rcan_scopes"]) ? payload["rcan_scopes"] : Array.isArray(payload["scopes"]) ? payload["scopes"] : [],
+    exp,
+    iss: String(payload["iss"] ?? "")
+  };
+}
+function parseM2mTrustedToken(token) {
+  const payload = decodeJwtPayload2(token);
+  const iss = String(payload["iss"] ?? "");
+  if (iss !== M2M_TRUSTED_ISSUER) {
+    throw new M2MAuthError(
+      `M2M_TRUSTED issuer must be '${M2M_TRUSTED_ISSUER}', got '${iss}'`
+    );
+  }
+  const scopes = Array.isArray(payload["rcan_scopes"]) ? payload["rcan_scopes"] : Array.isArray(payload["scopes"]) ? payload["scopes"] : [];
+  if (!scopes.includes("fleet.trusted")) {
+    throw new M2MAuthError("M2M_TRUSTED token missing required 'fleet.trusted' scope");
+  }
+  const exp = Number(payload["exp"] ?? 0);
+  if (exp > 0 && Date.now() / 1e3 > exp) {
+    throw new M2MAuthError(`M2M_TRUSTED token expired (sub=${String(payload["sub"])})`);
+  }
+  const rrfSig = String(payload["rrf_sig"] ?? "");
+  if (!rrfSig) throw new M2MAuthError("M2M_TRUSTED token missing rrf_sig claim");
+  const fleetRrns = Array.isArray(payload["fleet_rrns"]) ? payload["fleet_rrns"] : [];
+  return {
+    sub: String(payload["sub"] ?? ""),
+    fleetRrns,
+    scopes,
+    exp,
+    iss,
+    rrfSig
+  };
+}
+function verifyM2mTrustedTokenClaims(token, targetRrn) {
+  const claims = parseM2mTrustedToken(token);
+  if (!claims.fleetRrns.includes(targetRrn)) {
+    throw new M2MAuthError(
+      `M2M_TRUSTED token does not authorize commanding '${targetRrn}'. Authorized fleet: [${claims.fleetRrns.join(", ")}]`
+    );
+  }
+  return claims;
+}
+var _revocationCache = null;
+async function fetchRRFRevocations(url = RRF_REVOCATION_URL) {
+  const now = Date.now();
+  if (_revocationCache && now - _revocationCache.fetchedAt < RRF_REVOCATION_CACHE_TTL_MS) {
+    return _revocationCache;
+  }
+  try {
+    const resp = await fetch(url, { signal: AbortSignal.timeout?.(5e3) });
+    const data = await resp.json();
+    _revocationCache = {
+      revokedOrchestrators: new Set(data.revoked_orchestrators ?? []),
+      revokedJtis: new Set(data.revoked_jtis ?? []),
+      fetchedAt: now
+    };
+  } catch {
+    if (_revocationCache) return _revocationCache;
+    _revocationCache = { revokedOrchestrators: /* @__PURE__ */ new Set(), revokedJtis: /* @__PURE__ */ new Set(), fetchedAt: now };
+  }
+  return _revocationCache;
+}
+async function isM2mTrustedRevoked(claims, jti) {
+  const cache = await fetchRRFRevocations();
+  if (cache.revokedOrchestrators.has(claims.sub)) return true;
+  if (jti && cache.revokedJtis.has(jti)) return true;
+  return false;
+}
+async function verifyM2mTrustedToken(token, targetRrn, options) {
+  const claims = verifyM2mTrustedTokenClaims(token, targetRrn);
+  if (!options?.skipRevocationCheck) {
+    const revoked = await isM2mTrustedRevoked(claims);
+    if (revoked) {
+      throw new M2MAuthError(
+        `M2M_TRUSTED orchestrator '${claims.sub}' is on the RRF revocation list`
+      );
+    }
+  }
+  return claims;
+}
+
+// src/pqSigning.ts
+function toBase64url(bytes) {
+  let binary = "";
+  for (let i = 0; i < bytes.length; i++) binary += String.fromCharCode(bytes[i]);
+  return btoa(binary).replace(/\+/g, "-").replace(/\//g, "_").replace(/=/g, "");
+}
+function fromBase64url(b64) {
+  const padded = b64.replace(/-/g, "+").replace(/_/g, "/");
+  const binary = atob(padded);
+  const bytes = new Uint8Array(binary.length);
+  for (let i = 0; i < binary.length; i++) bytes[i] = binary.charCodeAt(i);
+  return bytes;
+}
+async function sha256hex(data) {
+  const g = typeof globalThis !== "undefined" ? globalThis : {};
+  const webcrypto = g.crypto;
+  const subtle = webcrypto?.subtle;
+  if (subtle) {
+    const buf = await subtle.digest("SHA-256", data);
+    return Array.from(new Uint8Array(buf)).map((b) => b.toString(16).padStart(2, "0")).join("").slice(0, 8);
+  }
+  const nodeCrypto = await import("crypto").catch(() => null);
+  if (nodeCrypto) {
+    return nodeCrypto.createHash("sha256").update(data).digest("hex").slice(0, 8);
+  }
+  throw new Error("No SHA-256 implementation available");
+}
+var _mlDsaModule;
+async function requireNoblePostQuantum() {
+  if (_mlDsaModule) return _mlDsaModule;
+  if (typeof __require !== "undefined") {
+    try {
+      _mlDsaModule = __require("@noble/post-quantum/ml-dsa.js");
+      return _mlDsaModule;
+    } catch {
+    }
+  }
+  try {
+    _mlDsaModule = await import("@noble/post-quantum/ml-dsa.js");
+    return _mlDsaModule;
+  } catch {
+    throw new Error(
+      "ML-DSA signing requires @noble/post-quantum. Install with: npm install @noble/post-quantum"
+    );
+  }
+}
+var MLDSAKeyPair = class _MLDSAKeyPair {
+  constructor(data) {
+    __publicField(this, "keyId");
+    __publicField(this, "publicKey");
+    __publicField(this, "secretKey");
+    this.keyId = data.keyId;
+    this.publicKey = data.publicKey;
+    this.secretKey = data.secretKey;
+  }
+  /** Generate a new ML-DSA-65 key pair. */
+  static async generate() {
+    const { ml_dsa65 } = await requireNoblePostQuantum();
+    const kp = ml_dsa65.keygen();
+    const keyId = await sha256hex(kp.publicKey);
+    return new _MLDSAKeyPair({
+      publicKey: kp.publicKey,
+      secretKey: kp.secretKey,
+      keyId
+    });
+  }
+  /** Build a verify-only key pair from raw public key bytes. */
+  static async fromPublicKey(publicKey) {
+    const keyId = await sha256hex(publicKey);
+    return new _MLDSAKeyPair({ publicKey, keyId });
+  }
+  /** Build a full key pair from saved bytes (public + secret). */
+  static async fromKeyMaterial(publicKey, secretKey) {
+    const keyId = await sha256hex(publicKey);
+    return new _MLDSAKeyPair({ publicKey, secretKey, keyId });
+  }
+  get hasPrivateKey() {
+    return this.secretKey !== void 0;
+  }
+  /** Sign raw bytes; returns ML-DSA-65 signature (3309 bytes). */
+  async signBytes(data) {
+    if (!this.secretKey) {
+      throw new Error("Cannot sign: MLDSAKeyPair has no private key (verify-only)");
+    }
+    const { ml_dsa65 } = await requireNoblePostQuantum();
+    return ml_dsa65.sign(data, this.secretKey);
+  }
+  /**
+   * Verify an ML-DSA-65 signature.
+   * @returns true if valid
+   * @throws {Error} on invalid signature
+   */
+  async verifyBytes(data, signature) {
+    const { ml_dsa65 } = await requireNoblePostQuantum();
+    const ok = ml_dsa65.verify(signature, data, this.publicKey);
+    if (!ok) throw new Error("ML-DSA signature verification failed");
+  }
+  toString() {
+    const mode = this.hasPrivateKey ? "private+public" : "public-only";
+    return `MLDSAKeyPair(keyId=${this.keyId}, alg=ML-DSA-65, ${mode})`;
+  }
+};
+function canonicalMessageBytes(msg) {
+  const m = msg;
+  const payload = {
+    rcan: msg.rcan,
+    msg_id: m["msgId"] ?? m["msg_id"] ?? "",
+    timestamp: msg.timestamp,
+    cmd: msg.cmd,
+    target: msg.target,
+    params: msg.params
+  };
+  const sorted = JSON.stringify(
+    Object.fromEntries(Object.entries(payload).sort()),
+    null,
+    void 0
+  );
+  return new TextEncoder().encode(sorted);
+}
+async function addPQSignature(msg, keypair) {
+  const payload = canonicalMessageBytes(msg);
+  const rawSig = await keypair.signBytes(payload);
+  const block = {
+    alg: "ml-dsa-65",
+    kid: keypair.keyId,
+    sig: toBase64url(rawSig)
+  };
+  msg["pqSig"] = block;
+  return msg;
+}
+async function verifyPQSignature(msg, trustedKeys, requirePQ = false) {
+  const pqSig = msg["pqSig"];
+  if (!pqSig) {
+    if (requirePQ) {
+      throw new Error("ML-DSA signature (pqSig) required but missing from message");
+    }
+    return;
+  }
+  if (pqSig.alg !== "ml-dsa-65") {
+    throw new Error(`Unsupported PQ signature algorithm: ${pqSig.alg}`);
+  }
+  const matched = trustedKeys.find((k) => k.keyId === pqSig.kid);
+  if (!matched) {
+    throw new Error(
+      `No trusted ML-DSA key with kid=${pqSig.kid}. Known kids: [${trustedKeys.map((k) => k.keyId).join(", ")}]`
+    );
+  }
+  let rawSig;
+  try {
+    rawSig = fromBase64url(pqSig.sig);
+  } catch (e) {
+    throw new Error(`Invalid base64url ML-DSA signature: ${e}`);
+  }
+  const payload = canonicalMessageBytes(msg);
+  await matched.verifyBytes(payload, rawSig);
+}
+
 // src/index.ts
 var VERSION = "0.6.0";
 var RCAN_VERSION = "1.6";
 export {
+  AUTHORITY_ERROR_CODES,
   AuditChain,
   AuditError,
+  COMPETITION_SCOPE_LEVEL,
   CONTRIBUTE_SCOPE_LEVEL,
   ClockDriftError,
   CommitmentRecord,
   ConfidenceGate,
   DEFAULT_LOA_POLICY,
   DataCategory,
+  FIRMWARE_MANIFEST_PATH,
   FaultCode,
   FederationSyncType,
+  FirmwareIntegrityError,
   GateError,
   HiTLGate,
   KeyStore,
   LevelOfAssurance,
+  M2MAuthError,
+  M2M_TRUSTED_ISSUER,
+  MLDSAKeyPair,
   MediaEncoding,
   MessageType,
   NodeClient,
@@ -2783,13 +3307,18 @@ export {
   RCANValidationError,
   RCANVersionIncompatibleError,
   RCAN_VERSION,
+  ROLE_JWT_LEVEL,
+  RRF_REVOCATION_CACHE_TTL_MS,
+  RRF_REVOCATION_URL,
   RegistryClient,
   RegistryTier,
   ReplayCache,
   RevocationCache,
   RobotURI,
   RobotURIError,
+  Role,
   SAFETY_MESSAGE_TYPE,
+  SCOPE_MIN_ROLE,
   SDK_VERSION,
   SPEC_VERSION,
   TransportEncoding,
@@ -2799,7 +3328,11 @@ export {
   addDelegationHop,
   addMediaInline,
   addMediaRef,
+  addPQSignature,
   assertClockSynced,
+  authorityAccessFromWire,
+  authorityAccessToWire,
+  canonicalManifestJson,
   checkClockSync,
   checkRevocation,
   decodeBleFrames,
@@ -2808,11 +3341,18 @@ export {
   encodeBleFrames,
   encodeCompact,
   encodeMinimal,
+  extractIdentityFromJwt,
   extractLoaFromJwt,
+  extractRoleFromJwt,
   fetchCanonicalSchema,
+  fetchRRFRevocations,
+  isAuthorityRequestValid,
+  isM2mTrustedRevoked,
   isPreemptedBy,
   isSafetyMessage,
   makeCloudRelayMessage,
+  makeCompetitionEnter,
+  makeCompetitionScore,
   makeConfigUpdate,
   makeConsentDeny,
   makeConsentGrant,
@@ -2825,8 +3365,10 @@ export {
   makeFaultReport,
   makeFederationSync,
   makeKeyRotationMessage,
+  makePersonalResearchResult,
   makeResumeMessage,
   makeRevocationBroadcast,
+  makeSeasonStanding,
   makeStopMessage,
   makeStreamChunk,
   makeTrainingConsentDeny,
@@ -2834,7 +3376,14 @@ export {
   makeTrainingConsentRequest,
   makeTrainingDataMessage,
   makeTransparencyMessage,
+  manifestFromWire,
+  manifestToWire,
+  parseM2mPeerToken,
+  parseM2mTrustedToken,
+  roleFromJwtLevel,
   selectTransport,
+  validateAuthorityAccess,
+  validateCompetitionScope,
   validateConfig,
   validateConfigAgainstSchema,
   validateConfigUpdate,
@@ -2843,13 +3392,18 @@ export {
   validateCrossRegistryCommand,
   validateDelegationChain,
   validateLoaForScope,
+  validateManifest,
   validateMediaChunks,
   validateMessage,
   validateNodeAgainstSchema,
   validateReplay,
+  validateRoleForScope,
   validateSafetyMessage,
   validateTrainingDataMessage,
   validateURI,
-  validateVersionCompat
+  validateVersionCompat,
+  verifyM2mTrustedToken,
+  verifyM2mTrustedTokenClaims,
+  verifyPQSignature
 };
 //# sourceMappingURL=browser.mjs.map