@continuonai/rcan-ts 1.2.0 → 1.2.1

package/dist/index.mjs

@@ -97,7 +97,7 @@ var RobotURI = class _RobotURI {
 
 // src/version.ts
 var SPEC_VERSION = "2.2.0";
-var SDK_VERSION = "1.2.0";
+var SDK_VERSION = "1.2.1";
 function validateVersionCompat(incomingVersion, localVersion = SPEC_VERSION) {
   const parseParts = (v) => {
     const parts = v.split(".");
@@ -276,7 +276,6 @@ var RCANMessage = class _RCANMessage {
     if (this.mediaChunks !== void 0) obj.mediaChunks = this.mediaChunks;
     if (this.firmwareHash !== void 0) obj.firmwareHash = this.firmwareHash;
     if (this.attestationRef !== void 0) obj.attestationRef = this.attestationRef;
-    if (this.pqSig !== void 0) obj.pqSig = this.pqSig;
     return obj;
   }
   /** Serialize to JSON string */
@@ -3103,21 +3102,15 @@ function fromBase64url(b64) {
   return bytes;
 }
 async function sha256hex(data) {
-  const g = typeof globalThis !== "undefined" ? globalThis : {};
-  const webcrypto = g.crypto;
-  const subtle = webcrypto?.subtle;
-  if (subtle) {
-    const buf = await subtle.digest("SHA-256", data);
+  if (typeof crypto !== "undefined" && crypto.subtle) {
+    const buf = await crypto.subtle.digest("SHA-256", data.buffer);
     return Array.from(new Uint8Array(buf)).map((b) => b.toString(16).padStart(2, "0")).join("").slice(0, 8);
   }
-  const nodeCrypto = await import("crypto").catch(() => null);
-  if (nodeCrypto) {
-    return nodeCrypto.createHash("sha256").update(data).digest("hex").slice(0, 8);
-  }
-  throw new Error("No SHA-256 implementation available");
+  const { createHash } = __require("crypto");
+  return createHash("sha256").update(data).digest("hex").slice(0, 8);
 }
 var _mlDsaModule;
-async function requireNoblePostQuantum() {
+async function requireMlDsa() {
   if (_mlDsaModule) return _mlDsaModule;
   if (typeof __require !== "undefined") {
     try {
@@ -3131,7 +3124,7 @@ async function requireNoblePostQuantum() {
     return _mlDsaModule;
   } catch {
     throw new Error(
-      "ML-DSA signing requires @noble/post-quantum. Install with: npm install @noble/post-quantum"
+      "ML-DSA-65 signing requires @noble/post-quantum. Install with: npm install @noble/post-quantum"
     );
   }
 }
@@ -3144,23 +3137,16 @@ var MLDSAKeyPair = class _MLDSAKeyPair {
     this.publicKey = data.publicKey;
     this.secretKey = data.secretKey;
   }
-  /** Generate a new ML-DSA-65 key pair. */
   static async generate() {
-    const { ml_dsa65 } = await requireNoblePostQuantum();
-    const kp = ml_dsa65.keygen();
+    const m = await requireMlDsa();
+    const kp = m.ml_dsa65.keygen();
     const keyId = await sha256hex(kp.publicKey);
-    return new _MLDSAKeyPair({
-      publicKey: kp.publicKey,
-      secretKey: kp.secretKey,
-      keyId
-    });
+    return new _MLDSAKeyPair({ publicKey: kp.publicKey, secretKey: kp.secretKey, keyId });
   }
-  /** Build a verify-only key pair from raw public key bytes. */
   static async fromPublicKey(publicKey) {
     const keyId = await sha256hex(publicKey);
     return new _MLDSAKeyPair({ publicKey, keyId });
   }
-  /** Build a full key pair from saved bytes (public + secret). */
   static async fromKeyMaterial(publicKey, secretKey) {
     const keyId = await sha256hex(publicKey);
     return new _MLDSAKeyPair({ publicKey, secretKey, keyId });
@@ -3168,82 +3154,68 @@ var MLDSAKeyPair = class _MLDSAKeyPair {
   get hasPrivateKey() {
     return this.secretKey !== void 0;
   }
-  /** Sign raw bytes; returns ML-DSA-65 signature (3309 bytes). */
   async signBytes(data) {
-    if (!this.secretKey) {
-      throw new Error("Cannot sign: MLDSAKeyPair has no private key (verify-only)");
-    }
-    const { ml_dsa65 } = await requireNoblePostQuantum();
-    return ml_dsa65.sign(data, this.secretKey);
+    if (!this.secretKey) throw new Error("Cannot sign: MLDSAKeyPair has no private key (verify-only)");
+    const m = await requireMlDsa();
+    return m.ml_dsa65.sign(data, this.secretKey);
   }
-  /**
-   * Verify an ML-DSA-65 signature.
-   * @returns true if valid
-   * @throws {Error} on invalid signature
-   */
   async verifyBytes(data, signature) {
-    const { ml_dsa65 } = await requireNoblePostQuantum();
-    const ok = ml_dsa65.verify(signature, data, this.publicKey);
-    if (!ok) throw new Error("ML-DSA signature verification failed");
+    const m = await requireMlDsa();
+    const ok = m.ml_dsa65.verify(signature, data, this.publicKey);
+    if (!ok) throw new Error("ML-DSA-65 signature verification failed");
   }
   toString() {
-    const mode = this.hasPrivateKey ? "private+public" : "public-only";
-    return `MLDSAKeyPair(keyId=${this.keyId}, alg=ML-DSA-65, ${mode})`;
+    return `MLDSAKeyPair(keyId=${this.keyId}, alg=ML-DSA-65, ${this.hasPrivateKey ? "private+public" : "public-only"})`;
   }
 };
 function canonicalMessageBytes(msg) {
-  const m = msg;
   const payload = {
     rcan: msg.rcan,
-    msg_id: m["msgId"] ?? m["msg_id"] ?? "",
+    msg_id: msg["msgId"] ?? "",
     timestamp: msg.timestamp,
     cmd: msg.cmd,
     target: msg.target,
     params: msg.params
   };
-  const sorted = JSON.stringify(
-    Object.fromEntries(Object.entries(payload).sort()),
-    null,
-    void 0
+  return new TextEncoder().encode(
+    JSON.stringify(Object.fromEntries(Object.entries(payload).sort()))
   );
-  return new TextEncoder().encode(sorted);
 }
-async function addPQSignature(msg, keypair) {
+async function signMessage(msg, keypair) {
   const payload = canonicalMessageBytes(msg);
   const rawSig = await keypair.signBytes(payload);
-  const block = {
+  msg["signature"] = {
     alg: "ml-dsa-65",
     kid: keypair.keyId,
     sig: toBase64url(rawSig)
   };
-  msg["pqSig"] = block;
   return msg;
 }
-async function verifyPQSignature(msg, trustedKeys, requirePQ = false) {
-  const pqSig = msg["pqSig"];
-  if (!pqSig) {
-    if (requirePQ) {
-      throw new Error("ML-DSA signature (pqSig) required but missing from message");
-    }
-    return;
-  }
-  if (pqSig.alg !== "ml-dsa-65") {
-    throw new Error(`Unsupported PQ signature algorithm: ${pqSig.alg}`);
+async function verifyMessage(msg, trustedKeys) {
+  const sig = msg.signature;
+  if (!sig) throw new Error("Message is unsigned \u2014 signature field missing");
+  if (sig.alg !== "ml-dsa-65") {
+    throw new Error(
+      `Unsupported signature algorithm: ${sig.alg}. RCAN v2.2 requires ml-dsa-65 (Ed25519 is deprecated).`
+    );
   }
-  const matched = trustedKeys.find((k) => k.keyId === pqSig.kid);
+  const matched = trustedKeys.find((k) => k.keyId === sig.kid);
   if (!matched) {
     throw new Error(
-      `No trusted ML-DSA key with kid=${pqSig.kid}. Known kids: [${trustedKeys.map((k) => k.keyId).join(", ")}]`
+      `No trusted ML-DSA-65 key with kid=${sig.kid}. Known kids: [${trustedKeys.map((k) => k.keyId).join(", ")}]`
     );
   }
   let rawSig;
   try {
-    rawSig = fromBase64url(pqSig.sig);
+    rawSig = fromBase64url(sig.sig);
   } catch (e) {
-    throw new Error(`Invalid base64url ML-DSA signature: ${e}`);
+    throw new Error(`Invalid base64url sig: ${e}`);
   }
-  const payload = canonicalMessageBytes(msg);
-  await matched.verifyBytes(payload, rawSig);
+  await matched.verifyBytes(canonicalMessageBytes(msg), rawSig);
+}
+var addPQSignature = signMessage;
+async function verifyPQSignature(msg, trustedKeys, _requirePQ = true) {
+  return verifyMessage(msg, trustedKeys);
 }
 
 // src/index.ts
@@ -3371,6 +3343,7 @@ export {
   parseM2mTrustedToken,
   roleFromJwtLevel,
   selectTransport,
+  signMessage,
   validateAuthorityAccess,
   validateCompetitionScope,
   validateConfig,
@@ -3393,6 +3366,7 @@ export {
   validateVersionCompat,
   verifyM2mTrustedToken,
   verifyM2mTrustedTokenClaims,
+  verifyMessage,
   verifyPQSignature
 };
 //# sourceMappingURL=index.mjs.map