npm - @continuonai/rcan-ts - Versions diffs - 0.8.0 → 1.2.0 - Mend

@continuonai/rcan-ts 0.8.0 → 1.2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (13) hide show

package/dist/index.mjs CHANGED Viewed

@@ -96,8 +96,8 @@ var RobotURI = class _RobotURI {
 };
 // src/version.ts
-var SPEC_VERSION = "1.9.0";
-var SDK_VERSION = "0.8.0";
+var SPEC_VERSION = "2.2.0";
+var SDK_VERSION = "1.2.0";
 function validateVersionCompat(incomingVersion, localVersion = SPEC_VERSION) {
   const parseParts = (v) => {
     const parts = v.split(".");
@@ -148,9 +148,14 @@ var MessageType = /* @__PURE__ */ ((MessageType2) => {
   MessageType2[MessageType2["CONTRIBUTE_RESULT"] = 34] = "CONTRIBUTE_RESULT";
   MessageType2[MessageType2["CONTRIBUTE_CANCEL"] = 35] = "CONTRIBUTE_CANCEL";
   MessageType2[MessageType2["TRAINING_DATA"] = 36] = "TRAINING_DATA";
-  MessageType2[MessageType2["FEDERATION_SYNC"] = 23] = "FEDERATION_SYNC";
-  MessageType2[MessageType2["ALERT"] = 26] = "ALERT";
-  MessageType2[MessageType2["AUDIT"] = 16] = "AUDIT";
+  MessageType2[MessageType2["COMPETITION_ENTER"] = 37] = "COMPETITION_ENTER";
+  MessageType2[MessageType2["COMPETITION_SCORE"] = 38] = "COMPETITION_SCORE";
+  MessageType2[MessageType2["SEASON_STANDING"] = 39] = "SEASON_STANDING";
+  MessageType2[MessageType2["PERSONAL_RESEARCH_RESULT"] = 40] = "PERSONAL_RESEARCH_RESULT";
+  MessageType2[MessageType2["AUTHORITY_ACCESS"] = 41] = "AUTHORITY_ACCESS";
+  MessageType2[MessageType2["AUTHORITY_RESPONSE"] = 42] = "AUTHORITY_RESPONSE";
+  MessageType2[MessageType2["FIRMWARE_ATTESTATION"] = 43] = "FIRMWARE_ATTESTATION";
+  MessageType2[MessageType2["SBOM_UPDATE"] = 44] = "SBOM_UPDATE";
   return MessageType2;
 })(MessageType || {});
 var RCANMessageError = class extends Error {
@@ -186,6 +191,12 @@ var RCANMessage = class _RCANMessage {
   transportEncoding;
   /** v1.6: GAP-18 multi-modal media chunks */
   mediaChunks;
+  /** v2.1: SHA-256 of sender's firmware manifest */
+  firmwareHash;
+  /** v2.1: URI to sender's SBOM attestation endpoint */
+  attestationRef;
+  /** v2.2: ML-DSA-65 post-quantum signature (field 16, FIPS 204). Hybrid alongside Ed25519. */
+  pqSig;
   constructor(data) {
     if (!data.cmd || data.cmd.trim() === "") {
       throw new RCANMessageError("'cmd' is required");
@@ -214,6 +225,14 @@ var RCANMessage = class _RCANMessage {
     this.loa = data.loa;
     this.transportEncoding = data.transportEncoding;
     this.mediaChunks = data.mediaChunks;
+    this.firmwareHash = data.firmwareHash;
+    this.attestationRef = data.attestationRef;
+    this.pqSig = data.pqSig;
+    if (this.signature !== void 0 && this.signature["sig"] === "pending") {
+      throw new RCANMessageError(
+        "signature.sig:'pending' is not valid in RCAN v2.1. Sign the message before sending."
+      );
+    }
     if (this.confidence !== void 0) {
       if (this.confidence < 0 || this.confidence > 1) {
         throw new RCANMessageError(
@@ -255,6 +274,9 @@ var RCANMessage = class _RCANMessage {
     if (this.loa !== void 0) obj.loa = this.loa;
     if (this.transportEncoding !== void 0) obj.transportEncoding = this.transportEncoding;
     if (this.mediaChunks !== void 0) obj.mediaChunks = this.mediaChunks;
+    if (this.firmwareHash !== void 0) obj.firmwareHash = this.firmwareHash;
+    if (this.attestationRef !== void 0) obj.attestationRef = this.attestationRef;
+    if (this.pqSig !== void 0) obj.pqSig = this.pqSig;
     return obj;
   }
   /** Serialize to JSON string */
@@ -297,7 +319,10 @@ var RCANMessage = class _RCANMessage {
       readOnly: obj.readOnly,
       loa: obj.loa,
       transportEncoding: obj.transportEncoding,
-      mediaChunks: obj.mediaChunks
+      mediaChunks: obj.mediaChunks,
+      firmwareHash: obj.firmwareHash,
+      attestationRef: obj.attestationRef,
+      pqSig: obj.pqSig
     });
   }
 };
@@ -2051,80 +2076,133 @@ function makeFaultReport(params) {
 }
 // src/identity.ts
-var LevelOfAssurance = /* @__PURE__ */ ((LevelOfAssurance2) => {
-  LevelOfAssurance2[LevelOfAssurance2["ANONYMOUS"] = 1] = "ANONYMOUS";
-  LevelOfAssurance2[LevelOfAssurance2["EMAIL_VERIFIED"] = 2] = "EMAIL_VERIFIED";
-  LevelOfAssurance2[LevelOfAssurance2["HARDWARE_TOKEN"] = 3] = "HARDWARE_TOKEN";
-  return LevelOfAssurance2;
-})(LevelOfAssurance || {});
+var Role = /* @__PURE__ */ ((Role2) => {
+  Role2[Role2["GUEST"] = 1] = "GUEST";
+  Role2[Role2["OPERATOR"] = 2] = "OPERATOR";
+  Role2[Role2["CONTRIBUTOR"] = 3] = "CONTRIBUTOR";
+  Role2[Role2["ADMIN"] = 4] = "ADMIN";
+  Role2[Role2["M2M_PEER"] = 5] = "M2M_PEER";
+  Role2[Role2["CREATOR"] = 6] = "CREATOR";
+  Role2[Role2["M2M_TRUSTED"] = 7] = "M2M_TRUSTED";
+  return Role2;
+})(Role || {});
+var LevelOfAssurance = Role;
+var ROLE_JWT_LEVEL = {
+  [1 /* GUEST */]: 1,
+  [2 /* OPERATOR */]: 2,
+  [3 /* CONTRIBUTOR */]: 2.5,
+  [4 /* ADMIN */]: 3,
+  [5 /* M2M_PEER */]: 4,
+  [6 /* CREATOR */]: 5,
+  [7 /* M2M_TRUSTED */]: 6
+};
+var JWT_LEVEL_TO_ROLE = new Map(
+  Object.entries(ROLE_JWT_LEVEL).map(
+    ([role, level]) => [level, Number(role)]
+  )
+);
+function roleFromJwtLevel(level) {
+  return JWT_LEVEL_TO_ROLE.get(level);
+}
+var SCOPE_MIN_ROLE = {
+  "status": 1 /* GUEST */,
+  "discover": 1 /* GUEST */,
+  "chat": 1 /* GUEST */,
+  "observer": 1 /* GUEST */,
+  "contribute": 3 /* CONTRIBUTOR */,
+  "control": 2 /* OPERATOR */,
+  "teleop": 2 /* OPERATOR */,
+  "training": 4 /* ADMIN */,
+  "training_data": 4 /* ADMIN */,
+  "config": 4 /* ADMIN */,
+  "authority": 4 /* ADMIN */,
+  "admin": 6 /* CREATOR */,
+  "safety": 6 /* CREATOR */,
+  "estop": 6 /* CREATOR */,
+  "fleet.trusted": 7 /* M2M_TRUSTED */
+};
 var DEFAULT_LOA_POLICY = {
-  minLoaDiscover: 1 /* ANONYMOUS */,
-  minLoaStatus: 1 /* ANONYMOUS */,
-  minLoaChat: 1 /* ANONYMOUS */,
-  minLoaControl: 1 /* ANONYMOUS */,
-  minLoaSafety: 1 /* ANONYMOUS */
+  minRoleForDiscover: 1 /* GUEST */,
+  minRoleForStatus: 1 /* GUEST */,
+  minRoleForChat: 1 /* GUEST */,
+  minRoleForControl: 1 /* GUEST */,
+  minRoleForSafety: 1 /* GUEST */
 };
 var PRODUCTION_LOA_POLICY = {
-  minLoaDiscover: 1 /* ANONYMOUS */,
-  minLoaStatus: 1 /* ANONYMOUS */,
-  minLoaChat: 1 /* ANONYMOUS */,
-  minLoaControl: 2 /* EMAIL_VERIFIED */,
-  minLoaSafety: 3 /* HARDWARE_TOKEN */
+  minRoleForDiscover: 1 /* GUEST */,
+  minRoleForStatus: 1 /* GUEST */,
+  minRoleForChat: 1 /* GUEST */,
+  minRoleForControl: 2 /* OPERATOR */,
+  minRoleForSafety: 6 /* CREATOR */
 };
-function extractLoaFromJwt(token) {
+function decodeJwtPayload(token) {
   try {
     const parts = token.split(".");
-    if (parts.length < 2) return 1 /* ANONYMOUS */;
+    if (parts.length < 2) return null;
     const payloadB64 = (parts[1] ?? "").replace(/-/g, "+").replace(/_/g, "/");
     const padded = payloadB64 + "=".repeat((4 - payloadB64.length % 4) % 4);
-    let json;
-    if (typeof atob !== "undefined") {
-      json = atob(padded);
-    } else {
-      json = Buffer.from(padded, "base64").toString("utf-8");
-    }
-    const claims = JSON.parse(json);
-    const loa = claims["loa"];
-    if (typeof loa === "number" && loa >= 1 && loa <= 3) {
-      return loa;
-    }
+    return JSON.parse(atob(padded));
   } catch {
+    return null;
   }
-  return 1 /* ANONYMOUS */;
-}
-function minLoaForScope(scope, policy) {
-  const s = scope.toLowerCase();
-  switch (s) {
-    case "discover":
-      return policy.minLoaDiscover;
-    case "status":
-      return policy.minLoaStatus;
-    case "chat":
-      return policy.minLoaChat;
-    case "contribute":
-      return policy.minLoaChat;
-    // v1.7: between chat and control
-    case "control":
-      return policy.minLoaControl;
-    case "safety":
-      return policy.minLoaSafety;
-    default:
-      return null;
-  }
-}
-function validateLoaForScope(loa, scope, policy = DEFAULT_LOA_POLICY) {
-  const min = minLoaForScope(scope, policy);
-  if (min === null) {
-    return { valid: true, reason: "unknown scope; allowed by default" };
-  }
-  if (loa >= min) {
-    return { valid: true, reason: "ok" };
+}
+function extractRoleFromJwt(token) {
+  const payload = decodeJwtPayload(token);
+  if (!payload) return 1 /* GUEST */;
+  const rcanRole = payload["rcan_role"];
+  if (rcanRole !== void 0 && rcanRole !== null) {
+    const role = roleFromJwtLevel(Number(rcanRole));
+    if (role !== void 0) return role;
   }
+  const loa = payload["loa"];
+  if (loa !== void 0 && loa !== null) {
+    const role = roleFromJwtLevel(Number(loa));
+    if (role !== void 0) return role;
+  }
+  return 1 /* GUEST */;
+}
+function extractLoaFromJwt(token) {
+  return extractRoleFromJwt(token);
+}
+function extractIdentityFromJwt(token) {
+  const payload = decodeJwtPayload(token);
+  if (!payload) {
+    return { sub: "", role: 1 /* GUEST */, jwtLevel: 1, scopes: [] };
+  }
+  const rcanRole = payload["rcan_role"];
+  const loa = payload["loa"];
+  const rawLevel = rcanRole !== void 0 ? Number(rcanRole) : loa !== void 0 ? Number(loa) : 1;
+  const role = roleFromJwtLevel(rawLevel) ?? 1 /* GUEST */;
+  const scopes = Array.isArray(payload["rcan_scopes"]) ? payload["rcan_scopes"] : Array.isArray(payload["scopes"]) ? payload["scopes"] : [];
   return {
-    valid: false,
-    reason: `LOA_INSUFFICIENT: scope=${scope} requires LoA>=${min}, caller has LoA=${loa}`
+    sub: String(payload["sub"] ?? ""),
+    role,
+    jwtLevel: ROLE_JWT_LEVEL[role],
+    registryUrl: payload["registry_url"],
+    scopes,
+    verifiedAt: payload["verified_at"],
+    peerRrn: payload["peer_rrn"],
+    fleetRrns: Array.isArray(payload["fleet_rrns"]) ? payload["fleet_rrns"] : void 0
   };
 }
+function validateRoleForScope(role, scope) {
+  const required = SCOPE_MIN_ROLE[scope.toLowerCase()];
+  if (required === void 0) {
+    if (role >= 2 /* OPERATOR */) return { ok: true, reason: "" };
+    return {
+      ok: false,
+      reason: `Unknown scope '${scope}': applying OPERATOR minimum. Caller has ${Role[role]}.`
+    };
+  }
+  if (role >= required) return { ok: true, reason: "" };
+  return {
+    ok: false,
+    reason: `Scope '${scope}' requires ${Role[required]} (JWT level ${ROLE_JWT_LEVEL[required]}), but caller has ${Role[role]} (JWT level ${ROLE_JWT_LEVEL[role]})`
+  };
+}
+function validateLoaForScope(role, scope) {
+  return validateRoleForScope(role, scope);
+}
 // src/federation.ts
 var RegistryTier = /* @__PURE__ */ ((RegistryTier2) => {
@@ -2248,12 +2326,12 @@ function generateId5() {
 }
 function makeFederationSync(source, target, syncType, payload) {
   return new RCANMessage({
-    rcan: "1.6",
-    rcanVersion: "1.6",
+    rcan: "2.1.0",
+    rcanVersion: "2.1.0",
     cmd: "federation_sync",
     target,
     params: {
-      msg_type: 23 /* FEDERATION_SYNC */,
+      msg_type: 23 /* FLEET_COMMAND */,
       msg_id: generateId5(),
       source_registry: source,
       target_registry: target,
@@ -2280,17 +2358,17 @@ async function validateCrossRegistryCommand(msg, localRegistry, trustCache) {
       reason: `REGISTRY_UNKNOWN: ${sourceRegistry} is not in the local trust cache`
     };
   }
-  let loa = 1 /* ANONYMOUS */;
+  let loa = 1 /* GUEST */;
   const registryJwt = msg.params?.["registry_jwt"];
   if (registryJwt) {
     loa = extractLoaFromJwt(registryJwt);
   } else if (typeof msg.loa === "number") {
     loa = msg.loa;
   }
-  if (loa < 2 /* EMAIL_VERIFIED */) {
+  if (loa < 2 /* OPERATOR */) {
     return {
       valid: false,
-      reason: `LOA_INSUFFICIENT: cross-registry commands require LoA>=2 (EMAIL_VERIFIED), got LoA=${loa}`
+      reason: `LOA_INSUFFICIENT: cross-registry commands require LoA>=2 (OPERATOR), got role=${loa}`
     };
   }
   return { valid: true, reason: "cross-registry command accepted" };
@@ -2729,24 +2807,470 @@ function isPreemptedBy(scopeLevel) {
   return scopeLevel >= 3;
 }
+// src/competition.ts
+var COMPETITION_SCOPE_LEVEL = 2;
+var _idCounter2 = 0;
+function _generateRunId() {
+  return `run-${Date.now()}-${++_idCounter2}`;
+}
+function makeCompetitionEnter(params = {}) {
+  return {
+    type: 37 /* COMPETITION_ENTER */,
+    competition_id: params.competition_id ?? "",
+    competition_format: params.competition_format ?? "sprint",
+    hardware_tier: params.hardware_tier ?? "",
+    model_id: params.model_id ?? "",
+    robot_rrn: params.robot_rrn ?? "",
+    entered_at: params.entered_at ?? Date.now() / 1e3
+  };
+}
+function makeCompetitionScore(params = {}) {
+  const score = params.score ?? 0;
+  if (score < 0 || score > 1) {
+    throw new Error(`score must be in [0.0, 1.0], got ${score}`);
+  }
+  return {
+    type: 38 /* COMPETITION_SCORE */,
+    competition_id: params.competition_id ?? "",
+    candidate_id: params.candidate_id ?? "",
+    score,
+    hardware_tier: params.hardware_tier ?? "",
+    verified: params.verified ?? false,
+    submitted_at: params.submitted_at ?? Date.now() / 1e3
+  };
+}
+function makeSeasonStanding(params = {}) {
+  return {
+    type: 39 /* SEASON_STANDING */,
+    season_id: params.season_id ?? "",
+    class_id: params.class_id ?? "",
+    standings: params.standings ?? [],
+    days_remaining: params.days_remaining ?? 0,
+    broadcast_at: params.broadcast_at ?? Date.now() / 1e3
+  };
+}
+function makePersonalResearchResult(params = {}) {
+  const score = params.score ?? 0;
+  if (score < 0 || score > 1) {
+    throw new Error(`score must be in [0.0, 1.0], got ${score}`);
+  }
+  return {
+    type: 40 /* PERSONAL_RESEARCH_RESULT */,
+    run_id: params.run_id ?? _generateRunId(),
+    run_type: params.run_type ?? "personal",
+    candidate_id: params.candidate_id ?? "",
+    score,
+    hardware_tier: params.hardware_tier ?? "",
+    model_id: params.model_id ?? "",
+    owner_uid: params.owner_uid ?? "",
+    metrics: params.metrics ?? {
+      success_rate: 0,
+      p66_rate: 0,
+      token_efficiency: 0,
+      latency_score: 0
+    },
+    submitted_to_community: params.submitted_to_community ?? false,
+    created_at: params.created_at ?? Date.now() / 1e3
+  };
+}
+function validateCompetitionScope(scopeLevel) {
+  return scopeLevel >= COMPETITION_SCOPE_LEVEL;
+}
+// src/firmware.ts
+var FIRMWARE_MANIFEST_PATH = "/.well-known/rcan-firmware-manifest.json";
+function manifestToWire(m) {
+  const wire = {
+    rrn: m.rrn,
+    firmware_version: m.firmwareVersion,
+    build_hash: m.buildHash,
+    components: m.components,
+    signed_at: m.signedAt
+  };
+  if (m.signature) wire.signature = m.signature;
+  return wire;
+}
+function manifestFromWire(w) {
+  return {
+    rrn: w.rrn,
+    firmwareVersion: w.firmware_version,
+    buildHash: w.build_hash,
+    components: w.components ?? [],
+    signedAt: w.signed_at ?? "",
+    signature: w.signature
+  };
+}
+function canonicalManifestJson(m) {
+  const obj = {
+    build_hash: m.buildHash,
+    components: m.components.map((c) => ({
+      hash: c.hash,
+      name: c.name,
+      version: c.version
+    })),
+    firmware_version: m.firmwareVersion,
+    rrn: m.rrn,
+    signed_at: m.signedAt
+  };
+  return JSON.stringify(obj);
+}
+var FirmwareIntegrityError = class extends Error {
+  constructor(message) {
+    super(message);
+    this.name = "FirmwareIntegrityError";
+  }
+};
+function validateManifest(m) {
+  const errors = [];
+  if (!m.rrn) errors.push("rrn is required");
+  if (!m.firmwareVersion) errors.push("firmwareVersion is required");
+  if (!m.buildHash) errors.push("buildHash is required");
+  if (!m.buildHash.startsWith("sha256:")) errors.push("buildHash must start with 'sha256:'");
+  if (!m.signedAt) errors.push("signedAt is required");
+  if (!m.signature) errors.push("signature is required (manifest must be signed)");
+  for (const [i, c] of m.components.entries()) {
+    if (!c.name) errors.push(`components[${i}].name is required`);
+    if (!c.version) errors.push(`components[${i}].version is required`);
+    if (!c.hash.startsWith("sha256:")) errors.push(`components[${i}].hash must start with 'sha256:'`);
+  }
+  return errors;
+}
+// src/authority.ts
+function authorityAccessToWire(p) {
+  return {
+    request_id: p.requestId,
+    authority_id: p.authorityId,
+    requested_data: p.requestedData,
+    justification: p.justification,
+    expires_at: p.expiresAt
+  };
+}
+function authorityAccessFromWire(w) {
+  return {
+    requestId: w.request_id,
+    authorityId: w.authority_id,
+    requestedData: w.requested_data ?? [],
+    justification: w.justification ?? "",
+    expiresAt: w.expires_at ?? 0
+  };
+}
+function validateAuthorityAccess(p) {
+  const errors = [];
+  if (!p.requestId) errors.push("requestId is required");
+  if (!p.authorityId) errors.push("authorityId is required");
+  if (!p.requestedData || p.requestedData.length === 0)
+    errors.push("requestedData must include at least one category");
+  if (!p.justification) errors.push("justification is required");
+  if (!p.expiresAt || p.expiresAt <= 0) errors.push("expiresAt must be a positive Unix timestamp");
+  if (p.expiresAt < Date.now() / 1e3) errors.push("expiresAt is in the past \u2014 request has expired");
+  return errors;
+}
+function isAuthorityRequestValid(p) {
+  return Date.now() / 1e3 < p.expiresAt && validateAuthorityAccess(p).length === 0;
+}
+var AUTHORITY_ERROR_CODES = {
+  NOT_RECOGNIZED: "AUTHORITY_NOT_RECOGNIZED",
+  REQUEST_EXPIRED: "AUTHORITY_REQUEST_EXPIRED",
+  INVALID_TOKEN: "AUTHORITY_INVALID_TOKEN",
+  RATE_LIMITED: "AUTHORITY_RATE_LIMITED"
+};
+// src/m2m.ts
+var RRF_REVOCATION_URL = "https://api.rrf.rcan.dev/v2/revocations";
+var M2M_TRUSTED_ISSUER = "rrf.rcan.dev";
+var RRF_REVOCATION_CACHE_TTL_MS = 55e3;
+var M2MAuthError = class extends Error {
+  constructor(message) {
+    super(message);
+    this.name = "M2MAuthError";
+  }
+};
+function decodeJwtPayload2(token) {
+  const parts = token.split(".");
+  if (parts.length < 2) throw new M2MAuthError("Invalid JWT structure");
+  const b64 = (parts[1] ?? "").replace(/-/g, "+").replace(/_/g, "/");
+  const padded = b64 + "=".repeat((4 - b64.length % 4) % 4);
+  try {
+    return JSON.parse(atob(padded));
+  } catch (e) {
+    throw new M2MAuthError(`JWT payload decode failed: ${String(e)}`);
+  }
+}
+function parseM2mPeerToken(token) {
+  const payload = decodeJwtPayload2(token);
+  const exp = Number(payload["exp"] ?? 0);
+  if (exp > 0 && Date.now() / 1e3 > exp) {
+    throw new M2MAuthError(`M2M_PEER token expired (sub=${String(payload["sub"])})`);
+  }
+  const peerRrn = String(payload["peer_rrn"] ?? "");
+  if (!peerRrn) throw new M2MAuthError("M2M_PEER token missing peer_rrn claim");
+  return {
+    sub: String(payload["sub"] ?? ""),
+    peerRrn,
+    scopes: Array.isArray(payload["rcan_scopes"]) ? payload["rcan_scopes"] : Array.isArray(payload["scopes"]) ? payload["scopes"] : [],
+    exp,
+    iss: String(payload["iss"] ?? "")
+  };
+}
+function parseM2mTrustedToken(token) {
+  const payload = decodeJwtPayload2(token);
+  const iss = String(payload["iss"] ?? "");
+  if (iss !== M2M_TRUSTED_ISSUER) {
+    throw new M2MAuthError(
+      `M2M_TRUSTED issuer must be '${M2M_TRUSTED_ISSUER}', got '${iss}'`
+    );
+  }
+  const scopes = Array.isArray(payload["rcan_scopes"]) ? payload["rcan_scopes"] : Array.isArray(payload["scopes"]) ? payload["scopes"] : [];
+  if (!scopes.includes("fleet.trusted")) {
+    throw new M2MAuthError("M2M_TRUSTED token missing required 'fleet.trusted' scope");
+  }
+  const exp = Number(payload["exp"] ?? 0);
+  if (exp > 0 && Date.now() / 1e3 > exp) {
+    throw new M2MAuthError(`M2M_TRUSTED token expired (sub=${String(payload["sub"])})`);
+  }
+  const rrfSig = String(payload["rrf_sig"] ?? "");
+  if (!rrfSig) throw new M2MAuthError("M2M_TRUSTED token missing rrf_sig claim");
+  const fleetRrns = Array.isArray(payload["fleet_rrns"]) ? payload["fleet_rrns"] : [];
+  return {
+    sub: String(payload["sub"] ?? ""),
+    fleetRrns,
+    scopes,
+    exp,
+    iss,
+    rrfSig
+  };
+}
+function verifyM2mTrustedTokenClaims(token, targetRrn) {
+  const claims = parseM2mTrustedToken(token);
+  if (!claims.fleetRrns.includes(targetRrn)) {
+    throw new M2MAuthError(
+      `M2M_TRUSTED token does not authorize commanding '${targetRrn}'. Authorized fleet: [${claims.fleetRrns.join(", ")}]`
+    );
+  }
+  return claims;
+}
+var _revocationCache = null;
+async function fetchRRFRevocations(url = RRF_REVOCATION_URL) {
+  const now = Date.now();
+  if (_revocationCache && now - _revocationCache.fetchedAt < RRF_REVOCATION_CACHE_TTL_MS) {
+    return _revocationCache;
+  }
+  try {
+    const resp = await fetch(url, { signal: AbortSignal.timeout?.(5e3) });
+    const data = await resp.json();
+    _revocationCache = {
+      revokedOrchestrators: new Set(data.revoked_orchestrators ?? []),
+      revokedJtis: new Set(data.revoked_jtis ?? []),
+      fetchedAt: now
+    };
+  } catch {
+    if (_revocationCache) return _revocationCache;
+    _revocationCache = { revokedOrchestrators: /* @__PURE__ */ new Set(), revokedJtis: /* @__PURE__ */ new Set(), fetchedAt: now };
+  }
+  return _revocationCache;
+}
+async function isM2mTrustedRevoked(claims, jti) {
+  const cache = await fetchRRFRevocations();
+  if (cache.revokedOrchestrators.has(claims.sub)) return true;
+  if (jti && cache.revokedJtis.has(jti)) return true;
+  return false;
+}
+async function verifyM2mTrustedToken(token, targetRrn, options) {
+  const claims = verifyM2mTrustedTokenClaims(token, targetRrn);
+  if (!options?.skipRevocationCheck) {
+    const revoked = await isM2mTrustedRevoked(claims);
+    if (revoked) {
+      throw new M2MAuthError(
+        `M2M_TRUSTED orchestrator '${claims.sub}' is on the RRF revocation list`
+      );
+    }
+  }
+  return claims;
+}
+// src/pqSigning.ts
+function toBase64url(bytes) {
+  let binary = "";
+  for (let i = 0; i < bytes.length; i++) binary += String.fromCharCode(bytes[i]);
+  return btoa(binary).replace(/\+/g, "-").replace(/\//g, "_").replace(/=/g, "");
+}
+function fromBase64url(b64) {
+  const padded = b64.replace(/-/g, "+").replace(/_/g, "/");
+  const binary = atob(padded);
+  const bytes = new Uint8Array(binary.length);
+  for (let i = 0; i < binary.length; i++) bytes[i] = binary.charCodeAt(i);
+  return bytes;
+}
+async function sha256hex(data) {
+  const g = typeof globalThis !== "undefined" ? globalThis : {};
+  const webcrypto = g.crypto;
+  const subtle = webcrypto?.subtle;
+  if (subtle) {
+    const buf = await subtle.digest("SHA-256", data);
+    return Array.from(new Uint8Array(buf)).map((b) => b.toString(16).padStart(2, "0")).join("").slice(0, 8);
+  }
+  const nodeCrypto = await import("crypto").catch(() => null);
+  if (nodeCrypto) {
+    return nodeCrypto.createHash("sha256").update(data).digest("hex").slice(0, 8);
+  }
+  throw new Error("No SHA-256 implementation available");
+}
+var _mlDsaModule;
+async function requireNoblePostQuantum() {
+  if (_mlDsaModule) return _mlDsaModule;
+  if (typeof __require !== "undefined") {
+    try {
+      _mlDsaModule = __require("@noble/post-quantum/ml-dsa.js");
+      return _mlDsaModule;
+    } catch {
+    }
+  }
+  try {
+    _mlDsaModule = await import("@noble/post-quantum/ml-dsa.js");
+    return _mlDsaModule;
+  } catch {
+    throw new Error(
+      "ML-DSA signing requires @noble/post-quantum. Install with: npm install @noble/post-quantum"
+    );
+  }
+}
+var MLDSAKeyPair = class _MLDSAKeyPair {
+  keyId;
+  publicKey;
+  secretKey;
+  constructor(data) {
+    this.keyId = data.keyId;
+    this.publicKey = data.publicKey;
+    this.secretKey = data.secretKey;
+  }
+  /** Generate a new ML-DSA-65 key pair. */
+  static async generate() {
+    const { ml_dsa65 } = await requireNoblePostQuantum();
+    const kp = ml_dsa65.keygen();
+    const keyId = await sha256hex(kp.publicKey);
+    return new _MLDSAKeyPair({
+      publicKey: kp.publicKey,
+      secretKey: kp.secretKey,
+      keyId
+    });
+  }
+  /** Build a verify-only key pair from raw public key bytes. */
+  static async fromPublicKey(publicKey) {
+    const keyId = await sha256hex(publicKey);
+    return new _MLDSAKeyPair({ publicKey, keyId });
+  }
+  /** Build a full key pair from saved bytes (public + secret). */
+  static async fromKeyMaterial(publicKey, secretKey) {
+    const keyId = await sha256hex(publicKey);
+    return new _MLDSAKeyPair({ publicKey, secretKey, keyId });
+  }
+  get hasPrivateKey() {
+    return this.secretKey !== void 0;
+  }
+  /** Sign raw bytes; returns ML-DSA-65 signature (3309 bytes). */
+  async signBytes(data) {
+    if (!this.secretKey) {
+      throw new Error("Cannot sign: MLDSAKeyPair has no private key (verify-only)");
+    }
+    const { ml_dsa65 } = await requireNoblePostQuantum();
+    return ml_dsa65.sign(data, this.secretKey);
+  }
+  /**
+   * Verify an ML-DSA-65 signature.
+   * @returns true if valid
+   * @throws {Error} on invalid signature
+   */
+  async verifyBytes(data, signature) {
+    const { ml_dsa65 } = await requireNoblePostQuantum();
+    const ok = ml_dsa65.verify(signature, data, this.publicKey);
+    if (!ok) throw new Error("ML-DSA signature verification failed");
+  }
+  toString() {
+    const mode = this.hasPrivateKey ? "private+public" : "public-only";
+    return `MLDSAKeyPair(keyId=${this.keyId}, alg=ML-DSA-65, ${mode})`;
+  }
+};
+function canonicalMessageBytes(msg) {
+  const m = msg;
+  const payload = {
+    rcan: msg.rcan,
+    msg_id: m["msgId"] ?? m["msg_id"] ?? "",
+    timestamp: msg.timestamp,
+    cmd: msg.cmd,
+    target: msg.target,
+    params: msg.params
+  };
+  const sorted = JSON.stringify(
+    Object.fromEntries(Object.entries(payload).sort()),
+    null,
+    void 0
+  );
+  return new TextEncoder().encode(sorted);
+}
+async function addPQSignature(msg, keypair) {
+  const payload = canonicalMessageBytes(msg);
+  const rawSig = await keypair.signBytes(payload);
+  const block = {
+    alg: "ml-dsa-65",
+    kid: keypair.keyId,
+    sig: toBase64url(rawSig)
+  };
+  msg["pqSig"] = block;
+  return msg;
+}
+async function verifyPQSignature(msg, trustedKeys, requirePQ = false) {
+  const pqSig = msg["pqSig"];
+  if (!pqSig) {
+    if (requirePQ) {
+      throw new Error("ML-DSA signature (pqSig) required but missing from message");
+    }
+    return;
+  }
+  if (pqSig.alg !== "ml-dsa-65") {
+    throw new Error(`Unsupported PQ signature algorithm: ${pqSig.alg}`);
+  }
+  const matched = trustedKeys.find((k) => k.keyId === pqSig.kid);
+  if (!matched) {
+    throw new Error(
+      `No trusted ML-DSA key with kid=${pqSig.kid}. Known kids: [${trustedKeys.map((k) => k.keyId).join(", ")}]`
+    );
+  }
+  let rawSig;
+  try {
+    rawSig = fromBase64url(pqSig.sig);
+  } catch (e) {
+    throw new Error(`Invalid base64url ML-DSA signature: ${e}`);
+  }
+  const payload = canonicalMessageBytes(msg);
+  await matched.verifyBytes(payload, rawSig);
+}
 // src/index.ts
 var VERSION = "0.6.0";
 var RCAN_VERSION = "1.6";
 export {
+  AUTHORITY_ERROR_CODES,
   AuditChain,
   AuditError,
+  COMPETITION_SCOPE_LEVEL,
   CONTRIBUTE_SCOPE_LEVEL,
   ClockDriftError,
   CommitmentRecord,
   ConfidenceGate,
   DEFAULT_LOA_POLICY,
   DataCategory,
+  FIRMWARE_MANIFEST_PATH,
   FaultCode,
   FederationSyncType,
+  FirmwareIntegrityError,
   GateError,
   HiTLGate,
   KeyStore,
   LevelOfAssurance,
+  M2MAuthError,
+  M2M_TRUSTED_ISSUER,
+  MLDSAKeyPair,
   MediaEncoding,
   MessageType,
   NodeClient,
@@ -2772,13 +3296,18 @@ export {
   RCANValidationError,
   RCANVersionIncompatibleError,
   RCAN_VERSION,
+  ROLE_JWT_LEVEL,
+  RRF_REVOCATION_CACHE_TTL_MS,
+  RRF_REVOCATION_URL,
   RegistryClient,
   RegistryTier,
   ReplayCache,
   RevocationCache,
   RobotURI,
   RobotURIError,
+  Role,
   SAFETY_MESSAGE_TYPE,
+  SCOPE_MIN_ROLE,
   SDK_VERSION,
   SPEC_VERSION,
   TransportEncoding,
@@ -2788,7 +3317,11 @@ export {
   addDelegationHop,
   addMediaInline,
   addMediaRef,
+  addPQSignature,
   assertClockSynced,
+  authorityAccessFromWire,
+  authorityAccessToWire,
+  canonicalManifestJson,
   checkClockSync,
   checkRevocation,
   decodeBleFrames,
@@ -2797,11 +3330,18 @@ export {
   encodeBleFrames,
   encodeCompact,
   encodeMinimal,
+  extractIdentityFromJwt,
   extractLoaFromJwt,
+  extractRoleFromJwt,
   fetchCanonicalSchema,
+  fetchRRFRevocations,
+  isAuthorityRequestValid,
+  isM2mTrustedRevoked,
   isPreemptedBy,
   isSafetyMessage,
   makeCloudRelayMessage,
+  makeCompetitionEnter,
+  makeCompetitionScore,
   makeConfigUpdate,
   makeConsentDeny,
   makeConsentGrant,
@@ -2814,8 +3354,10 @@ export {
   makeFaultReport,
   makeFederationSync,
   makeKeyRotationMessage,
+  makePersonalResearchResult,
   makeResumeMessage,
   makeRevocationBroadcast,
+  makeSeasonStanding,
   makeStopMessage,
   makeStreamChunk,
   makeTrainingConsentDeny,
@@ -2823,7 +3365,14 @@ export {
   makeTrainingConsentRequest,
   makeTrainingDataMessage,
   makeTransparencyMessage,
+  manifestFromWire,
+  manifestToWire,
+  parseM2mPeerToken,
+  parseM2mTrustedToken,
+  roleFromJwtLevel,
   selectTransport,
+  validateAuthorityAccess,
+  validateCompetitionScope,
   validateConfig,
   validateConfigAgainstSchema,
   validateConfigUpdate,
@@ -2832,13 +3381,18 @@ export {
   validateCrossRegistryCommand,
   validateDelegationChain,
   validateLoaForScope,
+  validateManifest,
   validateMediaChunks,
   validateMessage,
   validateNodeAgainstSchema,
   validateReplay,
+  validateRoleForScope,
   validateSafetyMessage,
   validateTrainingDataMessage,
   validateURI,
-  validateVersionCompat
+  validateVersionCompat,
+  verifyM2mTrustedToken,
+  verifyM2mTrustedTokenClaims,
+  verifyPQSignature
 };
 //# sourceMappingURL=index.mjs.map