@hesohq/sdk 0.1.2-dev.21

package/dist/cloud.d.ts

@@ -0,0 +1,188 @@
+import type { ActionContent, ActionReceipt } from './types.js';
+/** The org's pinned policy bundle (heso-backend ``PolicyPullResponse``). */
+export interface PolicyPullResult {
+    status: 'policy' | 'up_to_date';
+    policyId: string;
+    policyHash: string;
+    /** The policy TOML the engine loads. Empty string == the deny-everything pin. */
+    toml: string;
+}
+/**
+ * Pull the org's current pinned policy. The org is resolved from the api-key —
+ * there is no team id. An empty ``toml`` is the fail-safe deny pin: the engine
+ * routes every action to a human when the org has no resolvable policy.
+ */
+export declare function pullPolicy(): Promise<PolicyPullResult>;
+/** The cloud mirror entry for a pushed receipt (heso-backend ``ReceiptPushResponse``). */
+export interface ReceiptPushResult {
+    /** ``appended`` (new mirror row), ``duplicate`` (idempotent re-push), or
+     * ``quota_exceeded`` (the monthly mirror soft-cap; the local chain is unaffected). */
+    status: 'appended' | 'duplicate' | 'quota_exceeded';
+    /** Echoes the receipt's own ``action_hash``. */
+    entryHash: string;
+    /** The mirror's per-org append position (0 when no row was written). */
+    seq: number;
+}
+/**
+ * Push one signed receipt to the cloud outbox. The server recomputes the content
+ * hash and rejects a tampered or malformed body before mirroring it.
+ *
+ * ``supersedesActionHash`` finalizes an approval: the freshly assembled L1 receipt
+ * supersedes the suspended L0 entry it was built from (its ``action_hash``). The
+ * server replaces that suspended row with the L1 (M5: only suspended/L0 -> L1).
+ */
+export declare function pushReceipt(receipt: ActionReceipt, supersedesActionHash?: string): Promise<ReceiptPushResult>;
+/**
+ * Push a batch of receipts. There is no server-side batch route — this loops over
+ * ``POST /v1/receipts`` in order, preserving each receipt's outbox result.
+ */
+export declare function pushReceipts(receipts: ActionReceipt[]): Promise<ReceiptPushResult[]>;
+/** The derived state of an approval (heso-backend ``ApprovalView``). */
+export interface ApprovalView {
+    approvalId: string;
+    actionHash: string;
+    status: 'pending' | 'approved' | 'rejected';
+    /** The m-of-n requirement. */
+    threshold: number;
+    /** Distinct verified approvers recorded so far. */
+    approvedCount: number;
+    resolvedAt: string | null;
+}
+/**
+ * Poll an approval by its ``action_hash``. Approvals are keyed by the action they
+ * gate, not by an opaque approval id. Throws if no approval exists for the hash.
+ */
+export declare function pollApproval(actionHash: string): Promise<ApprovalView>;
+/**
+ * The parts the cloud relays for finalizing an approved gate into an L1 receipt.
+ * The cloud holds NO signing key (thin-cloud): it stores the approver's verbatim
+ * signed record + co-signature and the byte-exact operator-stamped suspended
+ * content, and the SDK reassembles the L1 in-core off the IDENTICAL body.
+ */
+export interface L1Parts {
+    /** The approver's signed decision record, as the EXACT verbatim JSON TEXT the cloud
+     * stored (M2 — never parsed/reserialized; canonicalization is the Rust moat). The SDK
+     * threads this string STRAIGHT into the native assemble and only ``JSON.parse``s it
+     * read-only for the ``decision`` gate. ``decision`` is asserted ``approved`` before
+     * any assemble. */
+    record: string;
+    /** The approver's raw Ed25519 public key, base64 — the co-signature's verify key. */
+    approverPubkeyB64: string;
+    /** The approver's detached co-signature over the L1 co-sign payload, base64. */
+    coSigB64: string;
+    /** The operator-stamped suspended receipt CONTENT the L1 is built from — the same
+     * bytes the browser co-signed and the SDK mirror-pushed at suspend time. */
+    suspendedContent: ActionContent;
+    /** An OPTIONAL relayed RFC-3161 trusted-time anchor, carried VERBATIM and treated
+     * as OPAQUE bytes — the SDK NEVER parses or canonicalizes it; it is threaded
+     * straight into the native assemble (where the operator signature covers it).
+     * Absent ⇒ the unchanged anchorless path (the L1 golden never moves). */
+    timeAnchor?: unknown;
+}
+/**
+ * Fetch the L1 relay parts for an approved action — a dedicated GET kept OFF the
+ * 2s poll loop (``pollApproval``/``waitForApproval`` stay lean; only this call,
+ * made once after the status flips to ``approved``, pulls the heavier parts).
+ *
+ * It hits the SAME unified ``/assembly`` surface as {@link getQuorumParts} — the backend
+ * returns ONE shape (a ``legs`` list + threshold/roster/suspended_content). An L1 is
+ * exactly ONE approver leg, so this reads ``legs[0]``. Throws if no resolved parts
+ * exist for the hash (the cloud 404s an unknown action; an empty ``legs`` list ⇒ no
+ * co-sign relay has landed yet).
+ */
+export declare function getL1Parts(actionHash: string): Promise<L1Parts>;
+/** One approver's verbatim relayed leg of a multi-approver QUORUM assembly. The
+ * cloud holds NO key: it stored each approver's signed record + detached co-sig
+ * VERBATIM and returns them unchanged, and the SDK reassembles the quorum in-core off
+ * the IDENTICAL bytes (canonicalization stays the Rust moat — the browser already
+ * produced each co-sig over ``quorumCosignPayload`` bytes). */
+export interface QuorumLeg {
+    /** This approver's signed decision record, as the EXACT verbatim JSON TEXT the cloud
+     * stored (M2 — never parsed/reserialized; canonicalization is the Rust moat). Threaded
+     * STRAIGHT into the native assemble; only ``JSON.parse``d read-only for the decision
+     * gate. Every leg's ``decision`` is asserted ``approved`` before any quorum is assembled. */
+    record: string;
+    /** This approver's raw Ed25519 public key, base64 — the co-signature's verify key. */
+    approverPubkeyB64: string;
+    /** This approver's detached co-signature over the quorum per-approver payload, base64. */
+    coSigB64: string;
+}
+/**
+ * The parts the cloud relays for finalizing an approved k-of-n gate into a QUORUM
+ * receipt. The multi-approver sibling of {@link L1Parts}: a LIST of ``k`` approver legs
+ * plus the gate's ``threshold`` + sorted ``roster`` and the byte-exact operator-stamped
+ * ``suspendedContent`` the legs were co-signed against. Stored/relayed VERBATIM —
+ * the cloud never re-canonicalizes (it holds no signing key). The assembled receipt
+ * embeds ``L1`` WITH a ``multi_approval`` block (not a higher level).
+ */
+export interface QuorumParts {
+    /** The ``k`` relayed approver legs (one verbatim record + co-sig per approver). */
+    legs: QuorumLeg[];
+    /** The k-of-n approval threshold the gate requires (echoed from the operator-
+     * signed suspended content; the cloud rejects a disagreeing stored threshold). */
+    threshold: number;
+    /** The n-roster: base64 approver public keys, sorted ascending — the eligible set. */
+    roster: string[];
+    /** The operator-stamped suspended receipt CONTENT the quorum is built from — the same
+     * bytes each approver co-signed and the SDK mirror-pushed at suspend time. */
+    suspendedContent: ActionContent;
+    /** An OPTIONAL relayed RFC-3161 trusted-time anchor, carried VERBATIM and treated
+     * as OPAQUE bytes — the SDK NEVER parses it; absent ⇒ the anchorless path. */
+    timeAnchor?: unknown;
+}
+/**
+ * Fetch the QUORUM relay parts for an approved k-of-n action — the multi-approver
+ * sibling of {@link getL1Parts}, kept OFF the lean poll loop. Both read the SAME
+ * unified ``/assembly`` surface; this consumes the WHOLE ``legs`` list (k approver
+ * legs) plus the operator-signed threshold + roster. Relays the legs VERBATIM; the
+ * SDK reassembles the quorum in-core ({@link finalizeQuorum}). Throws if no approval
+ * exists for the hash (404); an empty ``legs`` list ⇒ no co-sign has landed yet.
+ */
+export declare function getQuorumParts(actionHash: string): Promise<QuorumParts>;
+/** An ``ApprovalView`` enriched with the relayed L1 parts (present only when the
+ * approval resolved ``approved``; ``null`` on ``rejected``). */
+export interface ResolvedApproval extends ApprovalView {
+    /** The L1 parts, fetched once on approval; ``null`` when the approval was rejected. */
+    parts: L1Parts | null;
+}
+/**
+ * Poll until an approval resolves (``approved``/``rejected``) or the timeout
+ * elapses. On ``approved`` it makes ONE extra GET ({@link getL1Parts}) so the
+ * caller can finalize without re-polling — the poll loop itself stays lean.
+ * Throws if the timeout elapses while the approval is still ``pending``.
+ */
+export declare function waitForApproval(actionHash: string, options?: {
+    pollIntervalMs?: number;
+    timeoutMs?: number;
+}): Promise<ResolvedApproval>;
+/** The body of ``POST /v1/approvals/{action_hash}/submit-token`` (``SubmitTokenRequest``). */
+export interface SubmitTokenInput {
+    /** The raw approval-token wire bytes, base64. */
+    tokenB64: string;
+    /** The receipt ``content`` JSON the token signs over (the cloud re-derives the
+     * canonical bytes from it; never send a client-supplied canonical form). */
+    actionContent: ActionReceipt['content'];
+    /** The scope the token must cover — the gated approval rule id (the cloud binds
+     * required_scope server-side to the stored rule_id and the wheel does strict
+     * byte-equality, so this must equal that rule id, not `${verb}:${decisionPath}`). */
+    requiredScope?: string;
+    /** The human's decision. This rides INSIDE the token's signed bytes now (one
+     * decision byte folded into the Ed25519 payload), so the cloud records the
+     * wheel-verified decision and rejects (403 out-of-decision) any token whose
+     * signed verdict disagrees with this field. Tokens minted by the browser
+     * (`approval-token.ts`); this field declares the human's intent for the edge. */
+    decision?: 'approved' | 'rejected';
+    /** A one-line reason, persisted server-side. */
+    reason?: string;
+    /** Client-approval (delegation) path: the operator delegation envelope, base64. */
+    delegationEnvelopeB64?: string;
+    /** Client-approval (delegation) path: the one-time gate bearer. */
+    clientBearer?: string;
+}
+/**
+ * Submit a human-signed approval token for an open approval, keyed by the action
+ * it gates. The cloud verifies the token against the org's registered approver
+ * keys and records it as a vote; the response is the updated ``ApprovalView``.
+ */
+export declare function submitApprovalToken(actionHash: string, input: SubmitTokenInput): Promise<ApprovalView>;
+//# sourceMappingURL=cloud.d.ts.map

package/dist/cloud.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"cloud.d.ts","sourceRoot":"","sources":["../src/cloud.ts"],"names":[],"mappings":"AAUA,OAAO,KAAK,EAAE,aAAa,EAAE,aAAa,EAAE,MAAM,YAAY,CAAA;AAyB9D,4EAA4E;AAC5E,MAAM,WAAW,gBAAgB;IAC/B,MAAM,EAAE,QAAQ,GAAG,YAAY,CAAA;IAC/B,QAAQ,EAAE,MAAM,CAAA;IAChB,UAAU,EAAE,MAAM,CAAA;IAClB,iFAAiF;IACjF,IAAI,EAAE,MAAM,CAAA;CACb;AASD;;;;GAIG;AACH,wBAAsB,UAAU,IAAI,OAAO,CAAC,gBAAgB,CAAC,CAQ5D;AAID,0FAA0F;AAC1F,MAAM,WAAW,iBAAiB;IAChC;0FACsF;IACtF,MAAM,EAAE,UAAU,GAAG,WAAW,GAAG,gBAAgB,CAAA;IACnD,gDAAgD;IAChD,SAAS,EAAE,MAAM,CAAA;IACjB,wEAAwE;IACxE,GAAG,EAAE,MAAM,CAAA;CACZ;AAkBD;;;;;;;GAOG;AACH,wBAAsB,WAAW,CAC/B,OAAO,EAAE,aAAa,EACtB,oBAAoB,CAAC,EAAE,MAAM,GAC5B,OAAO,CAAC,iBAAiB,CAAC,CAU5B;AAED;;;GAGG;AACH,wBAAsB,YAAY,CAAC,QAAQ,EAAE,aAAa,EAAE,GAAG,OAAO,CAAC,iBAAiB,EAAE,CAAC,CAM1F;AAID,wEAAwE;AACxE,MAAM,WAAW,YAAY;IAC3B,UAAU,EAAE,MAAM,CAAA;IAClB,UAAU,EAAE,MAAM,CAAA;IAClB,MAAM,EAAE,SAAS,GAAG,UAAU,GAAG,UAAU,CAAA;IAC3C,8BAA8B;IAC9B,SAAS,EAAE,MAAM,CAAA;IACjB,mDAAmD;IACnD,aAAa,EAAE,MAAM,CAAA;IACrB,UAAU,EAAE,MAAM,GAAG,IAAI,CAAA;CAC1B;AAsBD;;;GAGG;AACH,wBAAsB,YAAY,CAAC,UAAU,EAAE,MAAM,GAAG,OAAO,CAAC,YAAY,CAAC,CAG5E;AAID;;;;;GAKG;AACH,MAAM,WAAW,OAAO;IACtB;;;;uBAImB;IACnB,MAAM,EAAE,MAAM,CAAA;IACd,qFAAqF;IACrF,iBAAiB,EAAE,MAAM,CAAA;IACzB,gFAAgF;IAChF,QAAQ,EAAE,MAAM,CAAA;IAChB;gFAC4E;IAC5E,gBAAgB,EAAE,aAAa,CAAA;IAC/B;;;6EAGyE;IACzE,UAAU,CAAC,EAAE,OAAO,CAAA;CACrB;AAED;;;;;;;;;;GAUG;AACH,wBAAsB,UAAU,CAAC,UAAU,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,CAqBrE;AAID;;;;+DAI+D;AAC/D,MAAM,WAAW,SAAS;IACxB;;;iGAG6F;IAC7F,MAAM,EAAE,MAAM,CAAA;IACd,sFAAsF;IACtF,iBAAiB,EAAE,MAAM,CAAA;IACzB,0FAA0F;IAC1F,QAAQ,EAAE,MAAM,CAAA;CACjB;AAED;;;;;;;GAOG;AACH,MAAM,WAAW,WAAW;IAC1B,mFAAmF;IACnF,IAAI,EAAE,SAAS,EAAE,CAAA;IACjB;sFACkF;IAClF,SAAS,EAAE,MAAM,CAAA;IACjB,sFAAsF;IACtF,MAAM,EAAE,MAAM,EAAE,CAAA;IAChB;kFAC8E;IAC9E,gBAAgB,EAAE,aAAa,CAAA;IAC/B;kFAC8E;IAC9E,UAAU,CAAC,EAAE,OAAO,CAAA;CACrB;AAsBD;;;;;;;GAOG;AACH,wBAAsB,cAAc,CAAC,UAAU,EAAE,MAAM,GAAG,OAAO,CAAC,WAAW,CAAC,CAkB7E;AAED;gEACgE;AAChE,MAAM,WAAW,gBAAiB,SAAQ,YAAY;IACpD,uFAAuF;IACvF,KAAK,EAAE,OAAO,GAAG,IAAI,CAAA;CACtB;AAED;;;;;GAKG;AACH,wBAAsB,eAAe,CACnC,UAAU,EAAE,MAAM,EAClB,OAAO,GAAE;IAAE,cAAc,CAAC,EAAE,MAAM,CAAC;IAAC,SAAS,CAAC,EAAE,MAAM,CAAA;CAAO,GAC5D,OAAO,CAAC,gBAAgB,CAAC,CAgB3B;AAED,8FAA8F;AAC9F,MAAM,WAAW,gBAAgB;IAC/B,iDAAiD;IACjD,QAAQ,EAAE,MAAM,CAAA;IAChB;gFAC4E;IAC5E,aAAa,EAAE,aAAa,CAAC,SAAS,CAAC,CAAA;IACvC;;yFAEqF;IACrF,aAAa,CAAC,EAAE,MAAM,CAAA;IACtB;;;;qFAIiF;IACjF,QAAQ,CAAC,EAAE,UAAU,GAAG,UAAU,CAAA;IAClC,gDAAgD;IAChD,MAAM,CAAC,EAAE,MAAM,CAAA;IACf,mFAAmF;IACnF,qBAAqB,CAAC,EAAE,MAAM,CAAA;IAC9B,mEAAmE;IACnE,YAAY,CAAC,EAAE,MAAM,CAAA;CACtB;AAYD;;;;GAIG;AACH,wBAAsB,mBAAmB,CACvC,UAAU,EAAE,MAAM,EAClB,KAAK,EAAE,gBAAgB,GACtB,OAAO,CAAC,YAAY,CAAC,CAoBvB"}

package/dist/cloud.js

@@ -0,0 +1,196 @@
+"use strict";
+// Cloud client — policy pull, receipt outbox push, approval poll + token submit.
+//
+// Tenancy is resolved from the api-key at the edge (api-key -> org); there is no
+// "teams" path segment. Every shape here mirrors the heso-backend routers:
+//   - GET  /v1/policy/pull                       (policy.py  -> PolicyPullResponse)
+//   - POST /v1/receipts                          (receipts.py -> ReceiptPushResponse)
+//   - GET  /v1/approvals/{action_hash}           (approvals.py -> ApprovalView)
+//   - POST /v1/approvals/{action_hash}/submit-token (approvals.py -> ApprovalView)
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.pullPolicy = pullPolicy;
+exports.pushReceipt = pushReceipt;
+exports.pushReceipts = pushReceipts;
+exports.pollApproval = pollApproval;
+exports.getL1Parts = getL1Parts;
+exports.getQuorumParts = getQuorumParts;
+exports.waitForApproval = waitForApproval;
+exports.submitApprovalToken = submitApprovalToken;
+const config_js_1 = require("./config.js");
+// ─── Internal fetch helper ────────────────────────────────────────────────────
+async function apiFetch(path, init = {}) {
+    const { apiKey, endpoint } = (0, config_js_1.getConfig)();
+    const url = `${endpoint.replace(/\/$/, '')}${path}`;
+    const res = await fetch(url, {
+        ...init,
+        headers: {
+            'Content-Type': 'application/json',
+            // The SDK plane authenticates with an api-key; the org is resolved from it.
+            'x-api-key': apiKey,
+            ...(init.headers ?? {}),
+        },
+    });
+    if (!res.ok) {
+        const body = await res.text().catch(() => '');
+        throw new Error(`@hesohq/sdk: ${res.status} ${res.statusText} — ${path}\n${body}`);
+    }
+    return res.json();
+}
+/**
+ * Pull the org's current pinned policy. The org is resolved from the api-key —
+ * there is no team id. An empty ``toml`` is the fail-safe deny pin: the engine
+ * routes every action to a human when the org has no resolvable policy.
+ */
+async function pullPolicy() {
+    const wire = await apiFetch('/v1/policy/pull');
+    return {
+        status: wire.status,
+        policyId: wire.policy_id,
+        policyHash: wire.policy_hash,
+        toml: wire.toml,
+    };
+}
+/**
+ * Push one signed receipt to the cloud outbox. The server recomputes the content
+ * hash and rejects a tampered or malformed body before mirroring it.
+ *
+ * ``supersedesActionHash`` finalizes an approval: the freshly assembled L1 receipt
+ * supersedes the suspended L0 entry it was built from (its ``action_hash``). The
+ * server replaces that suspended row with the L1 (M5: only suspended/L0 -> L1).
+ */
+async function pushReceipt(receipt, supersedesActionHash) {
+    const body = { receipt };
+    if (supersedesActionHash !== undefined) {
+        body.supersedes_action_hash = supersedesActionHash;
+    }
+    const wire = await apiFetch('/v1/receipts', {
+        method: 'POST',
+        body: JSON.stringify(body),
+    });
+    return { status: wire.status, entryHash: wire.entry_hash, seq: wire.seq };
+}
+/**
+ * Push a batch of receipts. There is no server-side batch route — this loops over
+ * ``POST /v1/receipts`` in order, preserving each receipt's outbox result.
+ */
+async function pushReceipts(receipts) {
+    const results = [];
+    for (const receipt of receipts) {
+        results.push(await pushReceipt(receipt));
+    }
+    return results;
+}
+function mapApprovalView(wire) {
+    return {
+        approvalId: wire.approval_id,
+        actionHash: wire.action_hash,
+        status: wire.status,
+        threshold: wire.threshold,
+        approvedCount: wire.approved_count,
+        resolvedAt: wire.resolved_at ?? null,
+    };
+}
+/**
+ * Poll an approval by its ``action_hash``. Approvals are keyed by the action they
+ * gate, not by an opaque approval id. Throws if no approval exists for the hash.
+ */
+async function pollApproval(actionHash) {
+    const wire = await apiFetch(`/v1/approvals/${encodeURIComponent(actionHash)}`);
+    return mapApprovalView(wire);
+}
+/**
+ * Fetch the L1 relay parts for an approved action — a dedicated GET kept OFF the
+ * 2s poll loop (``pollApproval``/``waitForApproval`` stay lean; only this call,
+ * made once after the status flips to ``approved``, pulls the heavier parts).
+ *
+ * It hits the SAME unified ``/assembly`` surface as {@link getQuorumParts} — the backend
+ * returns ONE shape (a ``legs`` list + threshold/roster/suspended_content). An L1 is
+ * exactly ONE approver leg, so this reads ``legs[0]``. Throws if no resolved parts
+ * exist for the hash (the cloud 404s an unknown action; an empty ``legs`` list ⇒ no
+ * co-sign relay has landed yet).
+ */
+async function getL1Parts(actionHash) {
+    const wire = await apiFetch(`/v1/approvals/${encodeURIComponent(actionHash)}/assembly`);
+    const leg = wire.legs[0];
+    if (leg === undefined) {
+        throw new Error(`@hesohq/sdk: no L1 co-sign parts relayed yet for ${actionHash} (assembly legs empty)`);
+    }
+    const parts = {
+        record: leg.record,
+        approverPubkeyB64: leg.approver_pubkey_b64,
+        coSigB64: leg.co_sig_b64,
+        suspendedContent: wire.suspended_content,
+    };
+    // Carry the anchor only when the cloud relayed one — absent ⇒ anchorless.
+    if (wire.time_anchor !== undefined && wire.time_anchor !== null) {
+        parts.timeAnchor = wire.time_anchor;
+    }
+    return parts;
+}
+/**
+ * Fetch the QUORUM relay parts for an approved k-of-n action — the multi-approver
+ * sibling of {@link getL1Parts}, kept OFF the lean poll loop. Both read the SAME
+ * unified ``/assembly`` surface; this consumes the WHOLE ``legs`` list (k approver
+ * legs) plus the operator-signed threshold + roster. Relays the legs VERBATIM; the
+ * SDK reassembles the quorum in-core ({@link finalizeQuorum}). Throws if no approval
+ * exists for the hash (404); an empty ``legs`` list ⇒ no co-sign has landed yet.
+ */
+async function getQuorumParts(actionHash) {
+    const wire = await apiFetch(`/v1/approvals/${encodeURIComponent(actionHash)}/assembly`);
+    const parts = {
+        legs: wire.legs.map((leg) => ({
+            record: leg.record,
+            approverPubkeyB64: leg.approver_pubkey_b64,
+            coSigB64: leg.co_sig_b64,
+        })),
+        threshold: wire.threshold,
+        roster: wire.roster,
+        suspendedContent: wire.suspended_content,
+    };
+    if (wire.time_anchor !== undefined && wire.time_anchor !== null) {
+        parts.timeAnchor = wire.time_anchor;
+    }
+    return parts;
+}
+/**
+ * Poll until an approval resolves (``approved``/``rejected``) or the timeout
+ * elapses. On ``approved`` it makes ONE extra GET ({@link getL1Parts}) so the
+ * caller can finalize without re-polling — the poll loop itself stays lean.
+ * Throws if the timeout elapses while the approval is still ``pending``.
+ */
+async function waitForApproval(actionHash, options = {}) {
+    const { pollIntervalMs = 2000, timeoutMs = 300000 } = options;
+    const deadline = Date.now() + timeoutMs;
+    while (Date.now() < deadline) {
+        const view = await pollApproval(actionHash);
+        if (view.status !== 'pending') {
+            const parts = view.status === 'approved' ? await getL1Parts(actionHash) : null;
+            return { ...view, parts };
+        }
+        await new Promise((resolve) => setTimeout(resolve, pollIntervalMs));
+    }
+    throw new Error(`@hesohq/sdk: approval ${actionHash} did not resolve within ${timeoutMs}ms`);
+}
+/**
+ * Submit a human-signed approval token for an open approval, keyed by the action
+ * it gates. The cloud verifies the token against the org's registered approver
+ * keys and records it as a vote; the response is the updated ``ApprovalView``.
+ */
+async function submitApprovalToken(actionHash, input) {
+    const body = {
+        token_b64: input.tokenB64,
+        action_content: input.actionContent,
+        required_scope: input.requiredScope ?? '',
+        decision: input.decision ?? 'approved',
+        reason: input.reason ?? '',
+    };
+    if (input.delegationEnvelopeB64 !== undefined) {
+        body.delegation_envelope_b64 = input.delegationEnvelopeB64;
+    }
+    if (input.clientBearer !== undefined) {
+        body.client_bearer = input.clientBearer;
+    }
+    const wire = await apiFetch(`/v1/approvals/${encodeURIComponent(actionHash)}/submit-token`, { method: 'POST', body: JSON.stringify(body) });
+    return mapApprovalView(wire);
+}
+//# sourceMappingURL=cloud.js.map

package/dist/cloud.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"cloud.js","sourceRoot":"","sources":["../src/cloud.ts"],"names":[],"mappings":";AAAA,iFAAiF;AACjF,EAAE;AACF,iFAAiF;AACjF,2EAA2E;AAC3E,oFAAoF;AACpF,sFAAsF;AACtF,gFAAgF;AAChF,mFAAmF;;AAiDnF,gCAQC;AAuCD,kCAaC;AAMD,oCAMC;AAwCD,oCAGC;AA0CD,gCAqBC;AAyED,wCAkBC;AAeD,0CAmBC;AA0CD,kDAuBC;AA/ZD,2CAAuC;AAGvC,iFAAiF;AAEjF,KAAK,UAAU,QAAQ,CAAI,IAAY,EAAE,OAAoB,EAAE;IAC7D,MAAM,EAAE,MAAM,EAAE,QAAQ,EAAE,GAAG,IAAA,qBAAS,GAAE,CAAA;IACxC,MAAM,GAAG,GAAG,GAAG,QAAQ,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,GAAG,IAAI,EAAE,CAAA;IACnD,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,GAAG,EAAE;QAC3B,GAAG,IAAI;QACP,OAAO,EAAE;YACP,cAAc,EAAE,kBAAkB;YAClC,4EAA4E;YAC5E,WAAW,EAAE,MAAM;YACnB,GAAG,CAAC,IAAI,CAAC,OAAO,IAAI,EAAE,CAAC;SACxB;KACF,CAAC,CAAA;IACF,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC;QACZ,MAAM,IAAI,GAAG,MAAM,GAAG,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,EAAE,CAAC,CAAA;QAC7C,MAAM,IAAI,KAAK,CAAC,gBAAgB,GAAG,CAAC,MAAM,IAAI,GAAG,CAAC,UAAU,MAAM,IAAI,KAAK,IAAI,EAAE,CAAC,CAAA;IACpF,CAAC;IACD,OAAO,GAAG,CAAC,IAAI,EAAgB,CAAA;AACjC,CAAC;AAoBD;;;;GAIG;AACI,KAAK,UAAU,UAAU;IAC9B,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAyB,iBAAiB,CAAC,CAAA;IACtE,OAAO;QACL,MAAM,EAAE,IAAI,CAAC,MAAM;QACnB,QAAQ,EAAE,IAAI,CAAC,SAAS;QACxB,UAAU,EAAE,IAAI,CAAC,WAAW;QAC5B,IAAI,EAAE,IAAI,CAAC,IAAI;KAChB,CAAA;AACH,CAAC;AA+BD;;;;;;;GAOG;AACI,KAAK,UAAU,WAAW,CAC/B,OAAsB,EACtB,oBAA6B;IAE7B,MAAM,IAAI,GAA2B,EAAE,OAAO,EAAE,CAAA;IAChD,IAAI,oBAAoB,KAAK,SAAS,EAAE,CAAC;QACvC,IAAI,CAAC,sBAAsB,GAAG,oBAAoB,CAAA;IACpD,CAAC;IACD,MAAM,IAAI,GAAG,MAAM,QAAQ,CAA0B,cAAc,EAAE;QACnE,MAAM,EAAE,MAAM;QACd,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC;KAC3B,CAAC,CAAA;IACF,OAAO,EAAE,MAAM,EAAE,IAAI,CAAC,MAAM,EAAE,SAAS,EAAE,IAAI,CAAC,UAAU,EAAE,GAAG,EAAE,IAAI,CAAC,GAAG,EAAE,CAAA;AAC3E,CAAC;AAED;;;GAGG;AACI,KAAK,UAAU,YAAY,CAAC,QAAyB;IAC1D,MAAM,OAAO,GAAwB,EAAE,CAAA;IACvC,KAAK,MAAM,OAAO,IAAI,QAAQ,EAAE,CAAC;QAC/B,OAAO,CAAC,IAAI,CAAC,MAAM,WAAW,CAAC,OAAO,CAAC,CAAC,CAAA;IAC1C,CAAC;IACD,OAAO,OAAO,CAAA;AAChB,CAAC;AAyBD,SAAS,eAAe,CAAC,IAAsB;IAC7C,OAAO;QACL,UAAU,EAAE,IAAI,CAAC,WAAW;QAC5B,UAAU,EAAE,IAAI,CAAC,WAAW;QAC5B,MAAM,EAAE,IAAI,CAAC,MAAM;QACnB,SAAS,EAAE,IAAI,CAAC,SAAS;QACzB,aAAa,EAAE,IAAI,CAAC,cAAc;QAClC,UAAU,EAAE,IAAI,CAAC,WAAW,IAAI,IAAI;KACrC,CAAA;AACH,CAAC;AAED;;;GAGG;AACI,KAAK,UAAU,YAAY,CAAC,UAAkB;IACnD,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAmB,iBAAiB,kBAAkB,CAAC,UAAU,CAAC,EAAE,CAAC,CAAA;IAChG,OAAO,eAAe,CAAC,IAAI,CAAC,CAAA;AAC9B,CAAC;AA+BD;;;;;;;;;;GAUG;AACI,KAAK,UAAU,UAAU,CAAC,UAAkB;IACjD,MAAM,IAAI,GAAG,MAAM,QAAQ,CACzB,iBAAiB,kBAAkB,CAAC,UAAU,CAAC,WAAW,CAC3D,CAAA;IACD,MAAM,GAAG,GAAG,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,CAAA;IACxB,IAAI,GAAG,KAAK,SAAS,EAAE,CAAC;QACtB,MAAM,IAAI,KAAK,CACb,oDAAoD,UAAU,wBAAwB,CACvF,CAAA;IACH,CAAC;IACD,MAAM,KAAK,GAAY;QACrB,MAAM,EAAE,GAAG,CAAC,MAAM;QAClB,iBAAiB,EAAE,GAAG,CAAC,mBAAmB;QAC1C,QAAQ,EAAE,GAAG,CAAC,UAAU;QACxB,gBAAgB,EAAE,IAAI,CAAC,iBAAiB;KACzC,CAAA;IACD,0EAA0E;IAC1E,IAAI,IAAI,CAAC,WAAW,KAAK,SAAS,IAAI,IAAI,CAAC,WAAW,KAAK,IAAI,EAAE,CAAC;QAChE,KAAK,CAAC,UAAU,GAAG,IAAI,CAAC,WAAW,CAAA;IACrC,CAAC;IACD,OAAO,KAAK,CAAA;AACd,CAAC;AAiED;;;;;;;GAOG;AACI,KAAK,UAAU,cAAc,CAAC,UAAkB;IACrD,MAAM,IAAI,GAAG,MAAM,QAAQ,CACzB,iBAAiB,kBAAkB,CAAC,UAAU,CAAC,WAAW,CAC3D,CAAA;IACD,MAAM,KAAK,GAAgB;QACzB,IAAI,EAAE,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,CAAC;YAC5B,MAAM,EAAE,GAAG,CAAC,MAAM;YAClB,iBAAiB,EAAE,GAAG,CAAC,mBAAmB;YAC1C,QAAQ,EAAE,GAAG,CAAC,UAAU;SACzB,CAAC,CAAC;QACH,SAAS,EAAE,IAAI,CAAC,SAAS;QACzB,MAAM,EAAE,IAAI,CAAC,MAAM;QACnB,gBAAgB,EAAE,IAAI,CAAC,iBAAiB;KACzC,CAAA;IACD,IAAI,IAAI,CAAC,WAAW,KAAK,SAAS,IAAI,IAAI,CAAC,WAAW,KAAK,IAAI,EAAE,CAAC;QAChE,KAAK,CAAC,UAAU,GAAG,IAAI,CAAC,WAAW,CAAA;IACrC,CAAC;IACD,OAAO,KAAK,CAAA;AACd,CAAC;AASD;;;;;GAKG;AACI,KAAK,UAAU,eAAe,CACnC,UAAkB,EAClB,UAA2D,EAAE;IAE7D,MAAM,EAAE,cAAc,GAAG,IAAI,EAAE,SAAS,GAAG,MAAO,EAAE,GAAG,OAAO,CAAA;IAC9D,MAAM,QAAQ,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS,CAAA;IAEvC,OAAO,IAAI,CAAC,GAAG,EAAE,GAAG,QAAQ,EAAE,CAAC;QAC7B,MAAM,IAAI,GAAG,MAAM,YAAY,CAAC,UAAU,CAAC,CAAA;QAC3C,IAAI,IAAI,CAAC,MAAM,KAAK,SAAS,EAAE,CAAC;YAC9B,MAAM,KAAK,GAAG,IAAI,CAAC,MAAM,KAAK,UAAU,CAAC,CAAC,CAAC,MAAM,UAAU,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,IAAI,CAAA;YAC9E,OAAO,EAAE,GAAG,IAAI,EAAE,KAAK,EAAE,CAAA;QAC3B,CAAC;QACD,MAAM,IAAI,OAAO,CAAO,CAAC,OAAO,EAAE,EAAE,CAAC,UAAU,CAAC,OAAO,EAAE,cAAc,CAAC,CAAC,CAAA;IAC3E,CAAC;IAED,MAAM,IAAI,KAAK,CACb,yBAAyB,UAAU,2BAA2B,SAAS,IAAI,CAC5E,CAAA;AACH,CAAC;AAqCD;;;;GAIG;AACI,KAAK,UAAU,mBAAmB,CACvC,UAAkB,EAClB,KAAuB;IAEvB,MAAM,IAAI,GAA2B;QACnC,SAAS,EAAE,KAAK,CAAC,QAAQ;QACzB,cAAc,EAAE,KAAK,CAAC,aAAa;QACnC,cAAc,EAAE,KAAK,CAAC,aAAa,IAAI,EAAE;QACzC,QAAQ,EAAE,KAAK,CAAC,QAAQ,IAAI,UAAU;QACtC,MAAM,EAAE,KAAK,CAAC,MAAM,IAAI,EAAE;KAC3B,CAAA;IACD,IAAI,KAAK,CAAC,qBAAqB,KAAK,SAAS,EAAE,CAAC;QAC9C,IAAI,CAAC,uBAAuB,GAAG,KAAK,CAAC,qBAAqB,CAAA;IAC5D,CAAC;IACD,IAAI,KAAK,CAAC,YAAY,KAAK,SAAS,EAAE,CAAC;QACrC,IAAI,CAAC,aAAa,GAAG,KAAK,CAAC,YAAY,CAAA;IACzC,CAAC;IAED,MAAM,IAAI,GAAG,MAAM,QAAQ,CACzB,iBAAiB,kBAAkB,CAAC,UAAU,CAAC,eAAe,EAC9D,EAAE,MAAM,EAAE,MAAM,EAAE,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,EAAE,CAC/C,CAAA;IACD,OAAO,eAAe,CAAC,IAAI,CAAC,CAAA;AAC9B,CAAC"}

package/dist/config.d.ts

@@ -0,0 +1,7 @@
+export interface HesoCoreConfig {
+    apiKey: string;
+    endpoint: string;
+}
+export declare function configure(apiKey: string, endpoint: string): void;
+export declare function getConfig(): HesoCoreConfig;
+//# sourceMappingURL=config.d.ts.map

package/dist/config.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"config.d.ts","sourceRoot":"","sources":["../src/config.ts"],"names":[],"mappings":"AAEA,MAAM,WAAW,cAAc;IAC7B,MAAM,EAAE,MAAM,CAAA;IACd,QAAQ,EAAE,MAAM,CAAA;CACjB;AAID,wBAAgB,SAAS,CAAC,MAAM,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,GAAG,IAAI,CAEhE;AAED,wBAAgB,SAAS,IAAI,cAAc,CAK1C"}

package/dist/config.js

@@ -0,0 +1,16 @@
+"use strict";
+// SDK configuration — set once at process startup.
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.configure = configure;
+exports.getConfig = getConfig;
+let _config = null;
+function configure(apiKey, endpoint) {
+    _config = { apiKey, endpoint };
+}
+function getConfig() {
+    if (!_config) {
+        throw new Error('@hesohq/sdk: call configure(apiKey, endpoint) before using cloud APIs');
+    }
+    return _config;
+}
+//# sourceMappingURL=config.js.map

package/dist/config.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"config.js","sourceRoot":"","sources":["../src/config.ts"],"names":[],"mappings":";AAAA,mDAAmD;;AASnD,8BAEC;AAED,8BAKC;AAXD,IAAI,OAAO,GAA0B,IAAI,CAAA;AAEzC,SAAgB,SAAS,CAAC,MAAc,EAAE,QAAgB;IACxD,OAAO,GAAG,EAAE,MAAM,EAAE,QAAQ,EAAE,CAAA;AAChC,CAAC;AAED,SAAgB,SAAS;IACvB,IAAI,CAAC,OAAO,EAAE,CAAC;QACb,MAAM,IAAI,KAAK,CAAC,uEAAuE,CAAC,CAAA;IAC1F,CAAC;IACD,OAAO,OAAO,CAAA;AAChB,CAAC"}

package/dist/delegation.d.ts

@@ -0,0 +1,68 @@
+/**
+ * The operator signer — holds the operator PRIVATE key (server-side only). The SDK
+ * never sees the private key; it calls `sign` over the canonical bytes and pairs the
+ * result with `publicKeyRaw` (the half registered with HESO via registerOperatorKey).
+ */
+export interface OperatorSigner {
+    /** raw 32-byte Ed25519 public key — the org's registered operator key */
+    publicKeyRaw: Uint8Array;
+    /** sign a message, returning the raw 64-byte Ed25519 signature */
+    sign: (message: Uint8Array) => Promise<Uint8Array>;
+}
+export interface SignedDelegation {
+    /** base64 of the wire envelope — what the gate iframe needs (mountGate's mintEnvelope) */
+    envelopeB64: string;
+    /** the wire envelope bytes */
+    envelopeBytes: Uint8Array;
+    /** the operator's PUBLIC key (raw 32 bytes) — the verification target */
+    operatorPublicKeyRaw: Uint8Array;
+}
+export interface DelegationInput {
+    /** the 32-byte BLAKE3 action digest this delegation authorizes (hex or raw) */
+    actionHash: string | Uint8Array;
+    /** server-issued 32-byte nonce (replay prevention, single-use per mint) */
+    nonce: Uint8Array;
+    /** the delegated key K — raw 32-byte Ed25519 public key, published by the gate iframe */
+    authorizedKey: Uint8Array;
+    /** the scope string the delegated authority is bound to (the policy rule id) */
+    scope: string;
+    /** subject the operator stamps onto the delegation (e.g. "operator:gate") */
+    sub: string;
+    /** absolute expiry, Unix seconds */
+    expiryUnixSecs: bigint;
+    /** absolute not_before, Unix seconds */
+    notBeforeUnixSecs: bigint;
+    /** the operator signer (holds the operator PRIVATE key, server-side only) */
+    signer: OperatorSigner;
+}
+/**
+ * Sign a delegation envelope. The wire bytes are byte-exact with what
+ * verify_delegation expects (Rust + the wheel), so an envelope minted here verifies
+ * offline against the org's registered operator key.
+ */
+export declare function signDelegation(input: DelegationInput): Promise<SignedDelegation>;
+export interface MintDelegationInput {
+    /** the 32-byte BLAKE3 action digest this gate authorizes (hex or raw) */
+    actionHash: string | Uint8Array;
+    /** the end-user's public key K (raw 32 bytes) — published by the gate iframe */
+    authorizedKey: Uint8Array;
+    /** the scope the gate is bound to (the policy rule id) — must match the co-sign */
+    scope: string;
+    /** the operator signer (holds the operator PRIVATE key, server-side only) */
+    signer: OperatorSigner;
+    /** subject stamped onto the delegation (default "operator:gate") */
+    sub?: string;
+    /** how long the gate stays valid, in seconds (default 300) */
+    ttlSecs?: number;
+    /** server-issued 32-byte nonce; defaults to a fresh CSPRNG nonce */
+    nonce?: Uint8Array;
+}
+/**
+ * Mint a delegation envelope for ONE gate, server-side — the one-call helper an
+ * operator invokes from mountGate's `mintEnvelope(publicKeyB64)` callback once the
+ * gate iframe has published the end-user key K. Fills the nonce, the time window,
+ * the version, and the subject so the caller supplies only the action, K, the scope,
+ * and the signer. Returns the same `SignedDelegation` as `signDelegation`.
+ */
+export declare function mintDelegationEnvelope(input: MintDelegationInput): Promise<SignedDelegation>;
+//# sourceMappingURL=delegation.d.ts.map

package/dist/delegation.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"delegation.d.ts","sourceRoot":"","sources":["../src/delegation.ts"],"names":[],"mappings":"AA6EA;;;;GAIG;AACH,MAAM,WAAW,cAAc;IAC7B,yEAAyE;IACzE,YAAY,EAAE,UAAU,CAAA;IACxB,kEAAkE;IAClE,IAAI,EAAE,CAAC,OAAO,EAAE,UAAU,KAAK,OAAO,CAAC,UAAU,CAAC,CAAA;CACnD;AAED,MAAM,WAAW,gBAAgB;IAC/B,0FAA0F;IAC1F,WAAW,EAAE,MAAM,CAAA;IACnB,8BAA8B;IAC9B,aAAa,EAAE,UAAU,CAAA;IACzB,yEAAyE;IACzE,oBAAoB,EAAE,UAAU,CAAA;CACjC;AAED,MAAM,WAAW,eAAe;IAC9B,+EAA+E;IAC/E,UAAU,EAAE,MAAM,GAAG,UAAU,CAAA;IAC/B,2EAA2E;IAC3E,KAAK,EAAE,UAAU,CAAA;IACjB,yFAAyF;IACzF,aAAa,EAAE,UAAU,CAAA;IACzB,gFAAgF;IAChF,KAAK,EAAE,MAAM,CAAA;IACb,6EAA6E;IAC7E,GAAG,EAAE,MAAM,CAAA;IACX,oCAAoC;IACpC,cAAc,EAAE,MAAM,CAAA;IACtB,wCAAwC;IACxC,iBAAiB,EAAE,MAAM,CAAA;IACzB,6EAA6E;IAC7E,MAAM,EAAE,cAAc,CAAA;CACvB;AAED;;;;GAIG;AACH,wBAAsB,cAAc,CAAC,KAAK,EAAE,eAAe,GAAG,OAAO,CAAC,gBAAgB,CAAC,CA8BtF;AAED,MAAM,WAAW,mBAAmB;IAClC,yEAAyE;IACzE,UAAU,EAAE,MAAM,GAAG,UAAU,CAAA;IAC/B,gFAAgF;IAChF,aAAa,EAAE,UAAU,CAAA;IACzB,mFAAmF;IACnF,KAAK,EAAE,MAAM,CAAA;IACb,6EAA6E;IAC7E,MAAM,EAAE,cAAc,CAAA;IACtB,oEAAoE;IACpE,GAAG,CAAC,EAAE,MAAM,CAAA;IACZ,8DAA8D;IAC9D,OAAO,CAAC,EAAE,MAAM,CAAA;IAChB,oEAAoE;IACpE,KAAK,CAAC,EAAE,UAAU,CAAA;CACnB;AAED;;;;;;GAMG;AACH,wBAAsB,sBAAsB,CAAC,KAAK,EAAE,mBAAmB,GAAG,OAAO,CAAC,gBAAgB,CAAC,CAclG"}

package/dist/delegation.js

@@ -0,0 +1,139 @@
+"use strict";
+// @hesohq/sdk — operator delegation-envelope minting.
+//
+// An OPERATOR delegates ONE gate (bound to a single action_hash) to a client key
+// K by signing an Ed25519 delegation envelope. Consistent with this SDK's
+// zero-crypto-in-TS rule: this module assembles the canonical WIRE bytes only; the
+// CALLER injects the signer (their Ed25519 sign over the operator PRIVATE key) — the
+// SDK never holds or implements a key. The wire layout is byte-exact with the Rust
+// core (crates/heso-action/src/delegation.rs) and the Python wheel, pinned by the
+// golden test, so an envelope minted here verifies through verify_delegation
+// unchanged.
+//
+//   signed payload =
+//     DELEGATION_SIGNING_DOMAIN ++ version(1) ++ action_hash(32) ++ nonce(32)
+//       ++ expiry(BE8) ++ not_before(BE8) ++ K(32)
+//       ++ sub_len(BE4) ++ sub ++ scope_len(BE4) ++ scope
+//   wire envelope =
+//     <signed payload, sans domain> ++ signature(64) ++ operator_pubkey(32)
+//
+// The envelope carries NO decision byte by design: the operator pre-mints it
+// before any human verdict exists. The approve/reject decision is bound in the
+// END-USER CO-SIGN TOKEN (browser approval-token.ts), which verify_delegation
+// threads through verify_approval_token. So this wire — and its GOLDEN_WIRE_HEX —
+// stay frozen; do NOT add a decision field here.
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.signDelegation = signDelegation;
+exports.mintDelegationEnvelope = mintDelegationEnvelope;
+// b"heso-delegation/v1\0" — 19 bytes, matches DELEGATION_SIGNING_DOMAIN in Rust.
+const DELEGATION_SIGNING_DOMAIN = new TextEncoder().encode('heso-delegation/v1\0');
+const DELEGATION_VERSION = 0x01;
+function u64be(n) {
+    const out = new Uint8Array(8);
+    let v = n;
+    for (let i = 7; i >= 0; i--) {
+        out[i] = Number(v & 0xffn);
+        v >>= 8n;
+    }
+    return out;
+}
+function u32be(n) {
+    const out = new Uint8Array(4);
+    out[0] = (n >>> 24) & 0xff;
+    out[1] = (n >>> 16) & 0xff;
+    out[2] = (n >>> 8) & 0xff;
+    out[3] = n & 0xff;
+    return out;
+}
+function concat(parts) {
+    const total = parts.reduce((s, p) => s + p.length, 0);
+    const out = new Uint8Array(total);
+    let off = 0;
+    for (const p of parts) {
+        out.set(p, off);
+        off += p.length;
+    }
+    return out;
+}
+function toBase64(bytes) {
+    let bin = '';
+    for (const b of bytes)
+        bin += String.fromCharCode(b);
+    return typeof btoa === 'function' ? btoa(bin) : Buffer.from(bytes).toString('base64');
+}
+function fromHex(hex) {
+    if (hex.length % 2 !== 0)
+        throw new Error(`hex must have an even length, got ${hex.length}`);
+    const out = new Uint8Array(hex.length / 2);
+    for (let i = 0; i < out.length; i++)
+        out[i] = parseInt(hex.slice(i * 2, i * 2 + 2), 16);
+    return out;
+}
+function asActionHash(actionHash) {
+    const raw = typeof actionHash === 'string' ? fromHex(actionHash) : actionHash;
+    if (raw.length !== 32)
+        throw new Error(`delegation action_hash must be a 32-byte digest, got ${raw.length}`);
+    return raw;
+}
+/**
+ * Sign a delegation envelope. The wire bytes are byte-exact with what
+ * verify_delegation expects (Rust + the wheel), so an envelope minted here verifies
+ * offline against the org's registered operator key.
+ */
+async function signDelegation(input) {
+    const actionHash = asActionHash(input.actionHash);
+    if (input.nonce.length !== 32)
+        throw new Error(`delegation nonce must be 32 bytes, got ${input.nonce.length}`);
+    if (input.authorizedKey.length !== 32) {
+        throw new Error(`authorized key K must be 32 bytes, got ${input.authorizedKey.length}`);
+    }
+    const subBytes = new TextEncoder().encode(input.sub);
+    const scopeBytes = new TextEncoder().encode(input.scope);
+    // The field run shared by the signed payload and the wire envelope: every byte
+    // before the signature, in the contract's order.
+    const fields = concat([
+        new Uint8Array([DELEGATION_VERSION]),
+        actionHash,
+        input.nonce,
+        u64be(input.expiryUnixSecs),
+        u64be(input.notBeforeUnixSecs),
+        input.authorizedKey,
+        u32be(subBytes.length),
+        subBytes,
+        u32be(scopeBytes.length),
+        scopeBytes,
+    ]);
+    const signature = await input.signer.sign(concat([DELEGATION_SIGNING_DOMAIN, fields]));
+    if (signature.length !== 64)
+        throw new Error(`expected a 64-byte Ed25519 signature, got ${signature.length}`);
+    const envelopeBytes = concat([fields, signature, input.signer.publicKeyRaw]);
+    return { envelopeB64: toBase64(envelopeBytes), envelopeBytes, operatorPublicKeyRaw: input.signer.publicKeyRaw };
+}
+/**
+ * Mint a delegation envelope for ONE gate, server-side — the one-call helper an
+ * operator invokes from mountGate's `mintEnvelope(publicKeyB64)` callback once the
+ * gate iframe has published the end-user key K. Fills the nonce, the time window,
+ * the version, and the subject so the caller supplies only the action, K, the scope,
+ * and the signer. Returns the same `SignedDelegation` as `signDelegation`.
+ */
+async function mintDelegationEnvelope(input) {
+    const ttl = BigInt(input.ttlSecs ?? 300);
+    const now = BigInt(Math.floor(Date.now() / 1000));
+    const nonce = input.nonce ?? randomNonce();
+    return signDelegation({
+        actionHash: input.actionHash,
+        nonce,
+        authorizedKey: input.authorizedKey,
+        scope: input.scope,
+        sub: input.sub ?? 'operator:gate',
+        notBeforeUnixSecs: now,
+        expiryUnixSecs: now + ttl,
+        signer: input.signer,
+    });
+}
+function randomNonce() {
+    const n = new Uint8Array(32);
+    globalThis.crypto.getRandomValues(n);
+    return n;
+}
+//# sourceMappingURL=delegation.js.map