@motebit/protocol 1.1.0 → 1.3.0

package/dist/retention-policy.d.ts

@@ -0,0 +1,464 @@
+/**
+ * Retention policy — three shapes, one signed deletion-certificate union,
+ * sensitivity ceilings as interop law, reference defaults below them.
+ *
+ * Permissive floor (Apache-2.0). Type-only file — no I/O, no algorithms
+ * that bind the runtime. Verifiers and signers live in `@motebit/crypto`;
+ * runtime-validation schemas live in `@motebit/wire-schemas`; the
+ * judgment of which retention shape a store registers under lives in the
+ * BSL packages that hold those stores. Adding a new retention shape is
+ * an additive `kind: "..."` entry here plus a new dispatch arm in
+ * `verifyDeletionCertificate` — never a rename of an existing one.
+ *
+ * Doctrine: docs/doctrine/retention-policy.md.
+ */
+import type { MotebitId, NodeId } from "./index.js";
+import type { SuiteId } from "./crypto-suite.js";
+/** A ceiling for retention in days, or `Infinity` for "no upper bound." */
+export type RetentionCeilingDays = number;
+/**
+ * Protocol-stated UPPER BOUND on retention, by sensitivity level.
+ * Compliant implementations MUST enforce a finite ceiling for
+ * `medical | financial | secret` and MAY enforce one for `personal`.
+ * `none` is `Infinity` by law. Operators MAY ship a stricter policy.
+ *
+ * Federation peers compare retention claims against these values. An
+ * operator manifest declaring retention beyond a ceiling is non-conforming.
+ *
+ * Retention dissolution axis of Liquescentia's persistence property —
+ * see `docs/doctrine/dissolution-spectrum.md` §4. Form: hard cliff per
+ * sensitivity tier; sensitivity acts as the permeability gradient (higher
+ * sensitivity → higher dissolution pressure → shorter persistence). This
+ * is the only dissolution axis that interop law constrains across
+ * implementations.
+ */
+export declare const MAX_RETENTION_DAYS_BY_SENSITIVITY: Readonly<{
+    none: RetentionCeilingDays;
+    personal: RetentionCeilingDays;
+    medical: RetentionCeilingDays;
+    financial: RetentionCeilingDays;
+    secret: RetentionCeilingDays;
+}>;
+/**
+ * Reference defaults — what motebit's canonical relay enforces today.
+ * At-or-below `MAX_RETENTION_DAYS_BY_SENSITIVITY` for every level. An
+ * alternative implementation MAY override and remain interop-compliant
+ * so long as its values are at-or-below the ceiling.
+ *
+ * `@motebit/privacy-layer` consumes these as the in-runtime defaults; a
+ * parity test asserts `REFERENCE_RETENTION_DAYS_BY_SENSITIVITY[k] <=
+ * MAX_RETENTION_DAYS_BY_SENSITIVITY[k]` for every key.
+ */
+export declare const REFERENCE_RETENTION_DAYS_BY_SENSITIVITY: Readonly<{
+    none: RetentionCeilingDays;
+    personal: RetentionCeilingDays;
+    medical: RetentionCeilingDays;
+    financial: RetentionCeilingDays;
+    secret: RetentionCeilingDays;
+}>;
+/**
+ * Retention shape registered by a store. Three legitimate motions
+ * derived from the doctrine's droplet-physics framing:
+ *
+ *   - `mutable_pruning` — interior structure where individual deletion
+ *     is sound (memory).
+ *   - `append_only_horizon` — audit ledgers that admit only whole-prefix
+ *     truncation (event-log, federation audit, settlement audit).
+ *   - `consolidation_flush` — surface flow that consolidates into memory
+ *     or expires (conversations, tool-audit).
+ */
+export type RetentionShape = {
+    readonly kind: "mutable_pruning";
+    /** Per-sensitivity max retention days. Enforced ≤ `MAX_RETENTION_DAYS_BY_SENSITIVITY`. */
+    readonly max_retention_days_by_sensitivity: Readonly<Record<string, RetentionCeilingDays>>;
+    /** Always `true` — the shape commits to producing signed deletion certs. */
+    readonly deletion_cert: true;
+} | {
+    readonly kind: "append_only_horizon";
+    /** How often the store may advance its horizon. */
+    readonly horizon_advance_period_days: number;
+    /** Always `true` — the shape commits to producing signed horizon certs. */
+    readonly horizon_cert: true;
+    /**
+     * Whether co-witness signatures are required on horizon certs.
+     * Decision 9: this value is DERIVED from federation state, not
+     * declared. The store declares `false` for self-witnessed mode;
+     * the manifest layer overrides to `true` when the operator
+     * appears in any peer's federation graph.
+     */
+    readonly witness_required: boolean;
+} | {
+    readonly kind: "consolidation_flush";
+    readonly flush_to: "memory" | "expire";
+    /**
+     * Optional per-record min-floor resolver. Examines a record and
+     * returns the minimum days before flush is permissible. Used for
+     * settlement-floor obligations on tool-audit records (decision 3).
+     *
+     * Pure or async — phase 5 reads the resolver's return type and
+     * picks accordingly. Stateful resolvers close over a context
+     * passed at store registration; the resolver itself receives the
+     * record and returns the floor.
+     */
+    readonly min_floor_resolver?: (record: unknown) => number | Promise<number>;
+    /** Always `true` — the shape commits to producing signed flush certs. */
+    readonly flush_cert: true;
+};
+/** The closed registry of Merkle algorithm identifiers. */
+export type MerkleAlgo = "merkle-sha256-v1";
+/**
+ * Federation graph anchor — Merkle commitment over the operator's
+ * federation peer set at `horizon_ts`. Phase 4 quorum verification
+ * recomputes the root from the operator's published peer set or
+ * verifies inclusion proofs against it.
+ *
+ * `leaf_count = 0` is the canonical self-witnessed encoding (no peers
+ * at `horizon_ts`); see `EMPTY_FEDERATION_GRAPH_ANCHOR`.
+ */
+export interface FederationGraphAnchor {
+    readonly algo: MerkleAlgo;
+    /** Hex-encoded SHA-256 root. */
+    readonly merkle_root: string;
+    /** Number of peer pubkeys in the anchored set. */
+    readonly leaf_count: number;
+}
+/**
+ * Empty-tree federation graph anchor — the canonical self-witnessed
+ * encoding when an operator has no federation peers at `horizon_ts`.
+ *
+ * `merkle_root` is the hex-encoded SHA-256 of the empty byte string
+ * (`sha256(new Uint8Array(0))`). Verifiers in `@motebit/crypto` admit
+ * `append_only_horizon` certs carrying this anchor as self-witnessed —
+ * `witnessed_by[]` may be empty since there are no peers to solicit.
+ *
+ * Phase 4b-3 makes `federation_graph_anchor` mandatory on certs from
+ * federation-aware deployments; pre-4b-3 certs without the field are
+ * grandfathered self-witnessed (verifier policy enforces
+ * presence-when-peered, not presence-always).
+ */
+export declare const EMPTY_FEDERATION_GRAPH_ANCHOR: FederationGraphAnchor;
+/**
+ * Merkle inclusion proof — same wire shape as
+ * `spec/credential-anchor-v1.md` §6 (siblings ordered leaf-to-root,
+ * `layer_sizes` for odd-leaf-promotion detection, `leaf_index`
+ * positional).
+ */
+export interface MerkleInclusionProof {
+    readonly siblings: string[];
+    readonly leaf_index: number;
+    readonly layer_sizes: number[];
+}
+export interface HorizonWitness {
+    readonly motebit_id: MotebitId;
+    /** Ed25519 signature over the cert's canonical signing payload. */
+    readonly signature: string;
+    /**
+     * Optional Merkle inclusion proof for the witness's pubkey against
+     * the cert's `federation_graph_anchor.merkle_root`. Phase 4 quorum
+     * mechanisms either require this (Merkle-membership verification)
+     * or accept signature-only witnesses. Reserved in phase 1 so phase
+     * 4 lands without a wire break.
+     */
+    readonly inclusion_proof?: MerkleInclusionProof;
+}
+/**
+ * Cert body the witness canonicalizes and signs. Mirrors the
+ * `append_only_horizon` arm of `DeletionCertificate` minus
+ * `witnessed_by[]` and minus `signature` — exactly the shape
+ * `canonicalizeHorizonCertForWitness` in `@motebit/crypto` derives at
+ * verification time. A peer recomputes `canonicalJson(cert_body)`,
+ * verifies the issuer's `issuer_signature` against it, then signs the
+ * same bytes with its own federation key.
+ */
+export interface HorizonWitnessRequestBody {
+    readonly kind: "append_only_horizon";
+    readonly subject: HorizonSubject;
+    readonly store_id: string;
+    readonly horizon_ts: number;
+    readonly issued_at: number;
+    /**
+     * Mandatory from phase 4b-3 onward when the issuer has any federation
+     * peers at `horizon_ts` — the `EMPTY_FEDERATION_GRAPH_ANCHOR`
+     * sentinel signals self-witnessed deployments. Optional in the type
+     * for grandfathered pre-4b-3 callers.
+     */
+    readonly federation_graph_anchor?: FederationGraphAnchor;
+    readonly suite: SuiteId;
+}
+/**
+ * `POST /federation/v1/horizon/witness` request body — issuer asks a
+ * federation peer to co-witness a pending `append_only_horizon` cert.
+ *
+ * Peer-side flow (fail-closed throughout):
+ *   1. Resolve `issuer_id` → issuer's federation Ed25519 public key
+ *      from the local `relay_peers` table; reject if unknown.
+ *   2. Verify `issuer_signature` against `canonicalJson(cert_body)`
+ *      under `cert_body.suite`. The issuer-signature payload is
+ *      byte-equal to what the witness will sign, so verification +
+ *      signing share canonical-bytes derivation.
+ *   3. Sign the same bytes; return a `WitnessSolicitationResponse`
+ *      carrying the peer's `motebit_id`, signature, and (if available)
+ *      a Merkle inclusion proof for its pubkey against
+ *      `cert_body.federation_graph_anchor.merkle_root`.
+ *
+ * Non-goals: the request does NOT carry `witnessed_by[]`. Witnesses
+ * are portable across compositions of the same body; the issuer's
+ * eventual cert.signature is what binds the assembled witness array.
+ */
+export interface WitnessSolicitationRequest {
+    readonly cert_body: HorizonWitnessRequestBody;
+    /**
+     * Issuer's identifier — MUST match the id projected from
+     * `cert_body.subject` (the `motebit_id` for per-motebit horizons,
+     * the `operator_id` for operator-wide horizons). Disagreement is
+     * fail-closed at the peer.
+     */
+    readonly issuer_id: string;
+    /**
+     * Base64url-encoded Ed25519 signature by the issuer's federation key
+     * over `canonicalJson(cert_body)` under `cert_body.suite`. Same
+     * canonical bytes the witness signs — the request authenticates
+     * itself by the issuer's pre-commitment to the body.
+     */
+    readonly issuer_signature: string;
+}
+/**
+ * `POST /federation/v1/horizon/witness` response body — the peer's
+ * `HorizonWitness`. Same shape as `cert.witnessed_by[]` entries; the
+ * issuer copies the response verbatim into the assembled cert before
+ * producing its final cert.signature.
+ *
+ * Distinct named type from `HorizonWitness` for RPC-surface clarity:
+ * the response is the on-the-wire envelope between two relays;
+ * `HorizonWitness` is the type as embedded inside a published cert.
+ * Structurally identical — issuer-side code passes the response
+ * directly into `witnessed_by[]` without transformation.
+ */
+export interface WitnessSolicitationResponse {
+    readonly motebit_id: MotebitId;
+    /**
+     * Base64url-encoded Ed25519 signature over the same canonical bytes
+     * the issuer signed in `WitnessSolicitationRequest.issuer_signature`
+     * (i.e. `canonicalJson(cert_body)` under `cert_body.suite`).
+     */
+    readonly signature: string;
+    /**
+     * Optional Merkle inclusion proof for the peer's federation pubkey
+     * against `cert_body.federation_graph_anchor.merkle_root`. Phase
+     * 4b-3 verifier policy admits signature-only witnesses; future
+     * tightening to mandatory-inclusion-proof lands by changing verifier
+     * policy alone — the wire shape is forward-compatible.
+     */
+    readonly inclusion_proof?: MerkleInclusionProof;
+}
+/** Subject (motebit) signature block. */
+export interface SubjectSignature {
+    readonly motebit_id: MotebitId;
+    readonly suite: SuiteId;
+    readonly signature: string;
+}
+/** Operator signature block. */
+export interface OperatorSignature {
+    readonly operator_id: string;
+    readonly suite: SuiteId;
+    readonly signature: string;
+}
+/**
+ * Delegate signature block — multi-hop authorization per delegation-v1
+ * §5.5. The delegate's identity key signs; the delegation_receipt_id
+ * references the receipt that authorized the retention scope.
+ */
+export interface DelegateSignature {
+    readonly motebit_id: MotebitId;
+    readonly delegation_receipt_id: string;
+    readonly suite: SuiteId;
+    readonly signature: string;
+}
+/**
+ * Guardian signature block — enterprise custody per identity-v1 §3.3.
+ * Verifier MUST cross-check `guardian_public_key` against the motebit's
+ * identity file `guardian.public_key` field.
+ */
+export interface GuardianSignature {
+    /** Hex-encoded guardian Ed25519 public key. Matches `motebit.md` §3.3 `guardian.public_key`. */
+    readonly guardian_public_key: string;
+    readonly suite: SuiteId;
+    readonly signature: string;
+}
+/**
+ * Reasons admitted by `mutable_pruning` and `consolidation_flush` arms.
+ * Each reason constrains the permitted signer set per decision 5's
+ * `reason × signer × mode` table. Verifiers reject certs whose
+ * present signature(s) don't match the reason's permitted set.
+ *
+ * `retention_enforcement_post_classification` is admitted by
+ * `consolidation_flush` only — it names the migration cohort under
+ * decision 6b's lazy-classify-on-flush path.
+ */
+export type DeletionReason = "user_request" | "retention_enforcement" | "retention_enforcement_post_classification" | "operator_request" | "delegated_request" | "self_enforcement" | "guardian_request";
+/**
+ * Subject discriminator on `append_only_horizon`. Per decision 8, both
+ * per-motebit and operator-wide horizons are first-class; effective
+ * horizon for any given motebit's events is `max` of both.
+ */
+export type HorizonSubject = {
+    readonly kind: "motebit";
+    readonly motebit_id: MotebitId;
+} | {
+    readonly kind: "operator";
+    readonly operator_id: string;
+};
+/**
+ * Signed retention deletion certificate. Single discriminated union by
+ * `kind`. New deletion shapes ship as additive registry entries; the
+ * verifier in `@motebit/crypto` closes under additions.
+ *
+ * Canonical signing payload (decision 5): each signature in
+ * `mutable_pruning` and `consolidation_flush` covers
+ * `canonicalJson(cert_body)` where `cert_body` is the cert with all
+ * `*_signature` fields removed. All present signers sign identical
+ * bytes — same shape as identity-v1.md §3.8.1 dual-signature succession.
+ * The `append_only_horizon` arm covers `canonicalJson(cert minus
+ * signature)`.
+ *
+ * Certificates are TERMINAL: there is no signed-revocation path. A cert
+ * issued in error is corrected by a follow-up cert under a different
+ * reason. Same foundation-law shape as delegation-v1.md §4.2 and
+ * migration-v1.md §3.2 terminal-state irreversibility.
+ */
+export type DeletionCertificate = {
+    readonly kind: "mutable_pruning";
+    readonly target_id: NodeId;
+    readonly sensitivity: SensitivityLevelString;
+    readonly reason: DeletionReason;
+    readonly deleted_at: number;
+    readonly subject_signature?: SubjectSignature;
+    readonly operator_signature?: OperatorSignature;
+    readonly delegate_signature?: DelegateSignature;
+    readonly guardian_signature?: GuardianSignature;
+} | {
+    readonly kind: "append_only_horizon";
+    readonly subject: HorizonSubject;
+    readonly store_id: string;
+    readonly horizon_ts: number;
+    readonly witnessed_by: HorizonWitness[];
+    /**
+     * Optional pre-4b-3, mandatory from 4b-3+. When present with
+     * `leaf_count = 0` (`EMPTY_FEDERATION_GRAPH_ANCHOR`) the cert is
+     * self-witnessed — `witnessed_by` may be empty.
+     */
+    readonly federation_graph_anchor?: FederationGraphAnchor;
+    readonly issued_at: number;
+    readonly suite: SuiteId;
+    readonly signature: string;
+} | {
+    readonly kind: "consolidation_flush";
+    readonly target_id: string;
+    readonly sensitivity: SensitivityLevelString;
+    readonly reason: DeletionReason;
+    readonly flushed_to: "memory_node" | "expire";
+    readonly memory_node_id?: NodeId;
+    readonly flushed_at: number;
+    readonly subject_signature?: SubjectSignature;
+    readonly operator_signature?: OperatorSignature;
+    readonly delegate_signature?: DelegateSignature;
+    readonly guardian_signature?: GuardianSignature;
+};
+/**
+ * Sensitivity expressed as the wire string. Mirrors
+ * `SensitivityLevel` enum values without importing the enum (this file
+ * stays minimal; the enum lives in index.ts).
+ */
+export type SensitivityLevelString = "none" | "personal" | "medical" | "financial" | "secret";
+/**
+ * Per-store retention declaration, embedded in the operator's signed
+ * retention manifest. Names the registered shape and the parameters a
+ * verifier needs to check the operator's claims against running code.
+ */
+export interface RetentionStoreDeclaration {
+    /** Stable identifier for the store within the operator's deployment. */
+    readonly store_id: string;
+    /** Human-readable name for tooling display. */
+    readonly store_name: string;
+    /** The registered retention shape. */
+    readonly shape: RetentionShapeDeclaration;
+}
+/**
+ * Wire-format projection of `RetentionShape` — drops the resolver
+ * function (a closure can't ride the wire) and surfaces declared
+ * parameters only. The runtime registration in BSL carries the
+ * resolver; the manifest declares its presence as a boolean.
+ */
+export type RetentionShapeDeclaration = {
+    readonly kind: "mutable_pruning";
+    readonly max_retention_days_by_sensitivity: Readonly<Record<string, RetentionCeilingDays>>;
+} | {
+    readonly kind: "append_only_horizon";
+    readonly horizon_advance_period_days: number;
+    readonly witness_required: boolean;
+} | {
+    readonly kind: "consolidation_flush";
+    readonly flush_to: "memory" | "expire";
+    readonly has_min_floor_resolver: boolean;
+};
+/**
+ * Stable string identifier for each canonical runtime store. The
+ * discriminator is interop law — verifiers and tooling cross-reference
+ * these exact strings with the manifest's `RetentionStoreDeclaration.store_id`.
+ */
+export type RuntimeStoreId = "memory" | "event_log" | "conversation_messages" | "tool_audit" | "skill_audit";
+/**
+ * Canonical registry: `RuntimeStoreId` → declared `RetentionShape`.
+ *
+ *   - `memory` registers under `mutable_pruning` per phase 3 — the
+ *     privacy-layer's `deleteMemory` constructs and signs the cert at
+ *     each erase call site.
+ *   - `event_log` registers under `append_only_horizon` per phase 4a —
+ *     `EventStore.advanceHorizon` signs the horizon cert and truncates.
+ *     `witness_required: false` is the no-peer-deployment derivation
+ *     per decision 9; the manifest layer overrides to `true` once the
+ *     operator appears in any peer's federation graph (phase 4b-3).
+ *   - `conversation_messages` and `tool_audit` register under
+ *     `consolidation_flush` per phase 5-ship — the consolidation cycle's
+ *     flush phase enforces, lazy-classifying on read per decision 6b.
+ *     Tool-audit's settlement-floor resolver per decision 3 is wired at
+ *     runtime; the manifest projection surfaces only its presence.
+ *
+ * Reference defaults below come from `REFERENCE_RETENTION_DAYS_BY_SENSITIVITY`;
+ * an alternative implementation MAY ship stricter ceilings and remain
+ * interop-compliant.
+ */
+export declare const RUNTIME_RETENTION_REGISTRY: Readonly<Record<RuntimeStoreId, RetentionShapeDeclaration>>;
+/**
+ * Signed retention manifest published at
+ * `/.well-known/motebit-retention.json`. Sibling to the operator
+ * transparency manifest (`docs/doctrine/operator-transparency.md`),
+ * same suite and same browser-side re-verification pattern.
+ *
+ * Decision 6b's lazy-classify-on-flush path declares its default tier
+ * via `pre_classification_default_sensitivity`.
+ */
+export interface RetentionManifest {
+    /** Always `motebit/retention-manifest@1`. */
+    readonly spec: "motebit/retention-manifest@1";
+    /** The operator publishing this manifest. */
+    readonly operator_id: string;
+    readonly issued_at: number;
+    /** Per-store declarations. Drift gate enumerates against the registry. */
+    readonly stores: RetentionStoreDeclaration[];
+    /**
+     * Default sensitivity for un-classified pre-deploy records under
+     * `consolidation_flush` (decision 6b). Defaults to `"personal"` if
+     * absent.
+     */
+    readonly pre_classification_default_sensitivity?: SensitivityLevelString;
+    /**
+     * Honest gaps the operator declares — same pattern as
+     * `operator-transparency.md` § "Reference implementation". Stage 1
+     * ships with the chain anchor in `honest_gaps` until stage 2.
+     */
+    readonly honest_gaps?: string[];
+    readonly suite: SuiteId;
+    readonly signature: string;
+}
+//# sourceMappingURL=retention-policy.d.ts.map

package/dist/retention-policy.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"retention-policy.d.ts","sourceRoot":"","sources":["../src/retention-policy.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AAEH,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,EAAE,MAAM,YAAY,CAAC;AACpD,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,mBAAmB,CAAC;AAajD,2EAA2E;AAC3E,MAAM,MAAM,oBAAoB,GAAG,MAAM,CAAC;AAE1C;;;;;;;;;;;;;;;GAeG;AACH,eAAO,MAAM,iCAAiC,EAAE,QAAQ,CAAC;IACvD,IAAI,EAAE,oBAAoB,CAAC;IAC3B,QAAQ,EAAE,oBAAoB,CAAC;IAC/B,OAAO,EAAE,oBAAoB,CAAC;IAC9B,SAAS,EAAE,oBAAoB,CAAC;IAChC,MAAM,EAAE,oBAAoB,CAAC;CAC9B,CAMC,CAAC;AAEH;;;;;;;;;GASG;AACH,eAAO,MAAM,uCAAuC,EAAE,QAAQ,CAAC;IAC7D,IAAI,EAAE,oBAAoB,CAAC;IAC3B,QAAQ,EAAE,oBAAoB,CAAC;IAC/B,OAAO,EAAE,oBAAoB,CAAC;IAC9B,SAAS,EAAE,oBAAoB,CAAC;IAChC,MAAM,EAAE,oBAAoB,CAAC;CAC9B,CAMC,CAAC;AAQH;;;;;;;;;;GAUG;AACH,MAAM,MAAM,cAAc,GACtB;IACE,QAAQ,CAAC,IAAI,EAAE,iBAAiB,CAAC;IACjC,0FAA0F;IAC1F,QAAQ,CAAC,iCAAiC,EAAE,QAAQ,CAAC,MAAM,CAAC,MAAM,EAAE,oBAAoB,CAAC,CAAC,CAAC;IAC3F,4EAA4E;IAC5E,QAAQ,CAAC,aAAa,EAAE,IAAI,CAAC;CAC9B,GACD;IACE,QAAQ,CAAC,IAAI,EAAE,qBAAqB,CAAC;IACrC,mDAAmD;IACnD,QAAQ,CAAC,2BAA2B,EAAE,MAAM,CAAC;IAC7C,2EAA2E;IAC3E,QAAQ,CAAC,YAAY,EAAE,IAAI,CAAC;IAC5B;;;;;;OAMG;IACH,QAAQ,CAAC,gBAAgB,EAAE,OAAO,CAAC;CACpC,GACD;IACE,QAAQ,CAAC,IAAI,EAAE,qBAAqB,CAAC;IACrC,QAAQ,CAAC,QAAQ,EAAE,QAAQ,GAAG,QAAQ,CAAC;IACvC;;;;;;;;;OASG;IACH,QAAQ,CAAC,kBAAkB,CAAC,EAAE,CAAC,MAAM,EAAE,OAAO,KAAK,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC;IAC5E,yEAAyE;IACzE,QAAQ,CAAC,UAAU,EAAE,IAAI,CAAC;CAC3B,CAAC;AAgBN,2DAA2D;AAC3D,MAAM,MAAM,UAAU,GAAG,kBAAkB,CAAC;AAE5C;;;;;;;;GAQG;AACH,MAAM,WAAW,qBAAqB;IACpC,QAAQ,CAAC,IAAI,EAAE,UAAU,CAAC;IAC1B,gCAAgC;IAChC,QAAQ,CAAC,WAAW,EAAE,MAAM,CAAC;IAC7B,kDAAkD;IAClD,QAAQ,CAAC,UAAU,EAAE,MAAM,CAAC;CAC7B;AAED;;;;;;;;;;;;;GAaG;AACH,eAAO,MAAM,6BAA6B,EAAE,qBAK1C,CAAC;AAEH;;;;;GAKG;AACH,MAAM,WAAW,oBAAoB;IACnC,QAAQ,CAAC,QAAQ,EAAE,MAAM,EAAE,CAAC;IAC5B,QAAQ,CAAC,UAAU,EAAE,MAAM,CAAC;IAC5B,QAAQ,CAAC,WAAW,EAAE,MAAM,EAAE,CAAC;CAChC;AAID,MAAM,WAAW,cAAc;IAC7B,QAAQ,CAAC,UAAU,EAAE,SAAS,CAAC;IAC/B,mEAAmE;IACnE,QAAQ,CAAC,SAAS,EAAE,MAAM,CAAC;IAC3B;;;;;;OAMG;IACH,QAAQ,CAAC,eAAe,CAAC,EAAE,oBAAoB,CAAC;CACjD;AAyBD;;;;;;;;GAQG;AACH,MAAM,WAAW,yBAAyB;IACxC,QAAQ,CAAC,IAAI,EAAE,qBAAqB,CAAC;IACrC,QAAQ,CAAC,OAAO,EAAE,cAAc,CAAC;IACjC,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAC;IAC1B,QAAQ,CAAC,UAAU,EAAE,MAAM,CAAC;IAC5B,QAAQ,CAAC,SAAS,EAAE,MAAM,CAAC;IAC3B;;;;;OAKG;IACH,QAAQ,CAAC,uBAAuB,CAAC,EAAE,qBAAqB,CAAC;IACzD,QAAQ,CAAC,KAAK,EAAE,OAAO,CAAC;CACzB;AAED;;;;;;;;;;;;;;;;;;;GAmBG;AACH,MAAM,WAAW,0BAA0B;IACzC,QAAQ,CAAC,SAAS,EAAE,yBAAyB,CAAC;IAC9C;;;;;OAKG;IACH,QAAQ,CAAC,SAAS,EAAE,MAAM,CAAC;IAC3B;;;;;OAKG;IACH,QAAQ,CAAC,gBAAgB,EAAE,MAAM,CAAC;CACnC;AAED;;;;;;;;;;;GAWG;AACH,MAAM,WAAW,2BAA2B;IAC1C,QAAQ,CAAC,UAAU,EAAE,SAAS,CAAC;IAC/B;;;;OAIG;IACH,QAAQ,CAAC,SAAS,EAAE,MAAM,CAAC;IAC3B;;;;;;OAMG;IACH,QAAQ,CAAC,eAAe,CAAC,EAAE,oBAAoB,CAAC;CACjD;AAID,yCAAyC;AACzC,MAAM,WAAW,gBAAgB;IAC/B,QAAQ,CAAC,UAAU,EAAE,SAAS,CAAC;IAC/B,QAAQ,CAAC,KAAK,EAAE,OAAO,CAAC;IACxB,QAAQ,CAAC,SAAS,EAAE,MAAM,CAAC;CAC5B;AAED,gCAAgC;AAChC,MAAM,WAAW,iBAAiB;IAChC,QAAQ,CAAC,WAAW,EAAE,MAAM,CAAC;IAC7B,QAAQ,CAAC,KAAK,EAAE,OAAO,CAAC;IACxB,QAAQ,CAAC,SAAS,EAAE,MAAM,CAAC;CAC5B;AAED;;;;GAIG;AACH,MAAM,WAAW,iBAAiB;IAChC,QAAQ,CAAC,UAAU,EAAE,SAAS,CAAC;IAC/B,QAAQ,CAAC,qBAAqB,EAAE,MAAM,CAAC;IACvC,QAAQ,CAAC,KAAK,EAAE,OAAO,CAAC;IACxB,QAAQ,CAAC,SAAS,EAAE,MAAM,CAAC;CAC5B;AAED;;;;GAIG;AACH,MAAM,WAAW,iBAAiB;IAChC,gGAAgG;IAChG,QAAQ,CAAC,mBAAmB,EAAE,MAAM,CAAC;IACrC,QAAQ,CAAC,KAAK,EAAE,OAAO,CAAC;IACxB,QAAQ,CAAC,SAAS,EAAE,MAAM,CAAC;CAC5B;AAID;;;;;;;;;GASG;AACH,MAAM,MAAM,cAAc,GACtB,cAAc,GACd,uBAAuB,GACvB,2CAA2C,GAC3C,kBAAkB,GAClB,mBAAmB,GACnB,kBAAkB,GAClB,kBAAkB,CAAC;AAIvB;;;;GAIG;AACH,MAAM,MAAM,cAAc,GACtB;IAAE,QAAQ,CAAC,IAAI,EAAE,SAAS,CAAC;IAAC,QAAQ,CAAC,UAAU,EAAE,SAAS,CAAA;CAAE,GAC5D;IAAE,QAAQ,CAAC,IAAI,EAAE,UAAU,CAAC;IAAC,QAAQ,CAAC,WAAW,EAAE,MAAM,CAAA;CAAE,CAAC;AAEhE;;;;;;;;;;;;;;;;;GAiBG;AACH,MAAM,MAAM,mBAAmB,GAC3B;IACE,QAAQ,CAAC,IAAI,EAAE,iBAAiB,CAAC;IACjC,QAAQ,CAAC,SAAS,EAAE,MAAM,CAAC;IAC3B,QAAQ,CAAC,WAAW,EAAE,sBAAsB,CAAC;IAC7C,QAAQ,CAAC,MAAM,EAAE,cAAc,CAAC;IAChC,QAAQ,CAAC,UAAU,EAAE,MAAM,CAAC;IAC5B,QAAQ,CAAC,iBAAiB,CAAC,EAAE,gBAAgB,CAAC;IAC9C,QAAQ,CAAC,kBAAkB,CAAC,EAAE,iBAAiB,CAAC;IAChD,QAAQ,CAAC,kBAAkB,CAAC,EAAE,iBAAiB,CAAC;IAChD,QAAQ,CAAC,kBAAkB,CAAC,EAAE,iBAAiB,CAAC;CACjD,GACD;IACE,QAAQ,CAAC,IAAI,EAAE,qBAAqB,CAAC;IACrC,QAAQ,CAAC,OAAO,EAAE,cAAc,CAAC;IACjC,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAC;IAC1B,QAAQ,CAAC,UAAU,EAAE,MAAM,CAAC;IAC5B,QAAQ,CAAC,YAAY,EAAE,cAAc,EAAE,CAAC;IACxC;;;;OAIG;IACH,QAAQ,CAAC,uBAAuB,CAAC,EAAE,qBAAqB,CAAC;IACzD,QAAQ,CAAC,SAAS,EAAE,MAAM,CAAC;IAC3B,QAAQ,CAAC,KAAK,EAAE,OAAO,CAAC;IACxB,QAAQ,CAAC,SAAS,EAAE,MAAM,CAAC;CAC5B,GACD;IACE,QAAQ,CAAC,IAAI,EAAE,qBAAqB,CAAC;IACrC,QAAQ,CAAC,SAAS,EAAE,MAAM,CAAC;IAC3B,QAAQ,CAAC,WAAW,EAAE,sBAAsB,CAAC;IAC7C,QAAQ,CAAC,MAAM,EAAE,cAAc,CAAC;IAChC,QAAQ,CAAC,UAAU,EAAE,aAAa,GAAG,QAAQ,CAAC;IAC9C,QAAQ,CAAC,cAAc,CAAC,EAAE,MAAM,CAAC;IACjC,QAAQ,CAAC,UAAU,EAAE,MAAM,CAAC;IAC5B,QAAQ,CAAC,iBAAiB,CAAC,EAAE,gBAAgB,CAAC;IAC9C,QAAQ,CAAC,kBAAkB,CAAC,EAAE,iBAAiB,CAAC;IAChD,QAAQ,CAAC,kBAAkB,CAAC,EAAE,iBAAiB,CAAC;IAChD,QAAQ,CAAC,kBAAkB,CAAC,EAAE,iBAAiB,CAAC;CACjD,CAAC;AAEN;;;;GAIG;AACH,MAAM,MAAM,sBAAsB,GAAG,MAAM,GAAG,UAAU,GAAG,SAAS,GAAG,WAAW,GAAG,QAAQ,CAAC;AAI9F;;;;GAIG;AACH,MAAM,WAAW,yBAAyB;IACxC,wEAAwE;IACxE,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAC;IAC1B,+CAA+C;IAC/C,QAAQ,CAAC,UAAU,EAAE,MAAM,CAAC;IAC5B,sCAAsC;IACtC,QAAQ,CAAC,KAAK,EAAE,yBAAyB,CAAC;CAC3C;AAED;;;;;GAKG;AACH,MAAM,MAAM,yBAAyB,GACjC;IACE,QAAQ,CAAC,IAAI,EAAE,iBAAiB,CAAC;IACjC,QAAQ,CAAC,iCAAiC,EAAE,QAAQ,CAAC,MAAM,CAAC,MAAM,EAAE,oBAAoB,CAAC,CAAC,CAAC;CAC5F,GACD;IACE,QAAQ,CAAC,IAAI,EAAE,qBAAqB,CAAC;IACrC,QAAQ,CAAC,2BAA2B,EAAE,MAAM,CAAC;IAC7C,QAAQ,CAAC,gBAAgB,EAAE,OAAO,CAAC;CACpC,GACD;IACE,QAAQ,CAAC,IAAI,EAAE,qBAAqB,CAAC;IACrC,QAAQ,CAAC,QAAQ,EAAE,QAAQ,GAAG,QAAQ,CAAC;IACvC,QAAQ,CAAC,sBAAsB,EAAE,OAAO,CAAC;CAC1C,CAAC;AAwBN;;;;GAIG;AACH,MAAM,MAAM,cAAc,GACtB,QAAQ,GACR,WAAW,GACX,uBAAuB,GACvB,YAAY,GACZ,aAAa,CAAC;AAElB;;;;;;;;;;;;;;;;;;;;GAoBG;AACH,eAAO,MAAM,0BAA0B,EAAE,QAAQ,CAC/C,MAAM,CAAC,cAAc,EAAE,yBAAyB,CAAC,CAgCjD,CAAC;AAEH;;;;;;;;GAQG;AACH,MAAM,WAAW,iBAAiB;IAChC,6CAA6C;IAC7C,QAAQ,CAAC,IAAI,EAAE,8BAA8B,CAAC;IAC9C,6CAA6C;IAC7C,QAAQ,CAAC,WAAW,EAAE,MAAM,CAAC;IAC7B,QAAQ,CAAC,SAAS,EAAE,MAAM,CAAC;IAC3B,0EAA0E;IAC1E,QAAQ,CAAC,MAAM,EAAE,yBAAyB,EAAE,CAAC;IAC7C;;;;OAIG;IACH,QAAQ,CAAC,sCAAsC,CAAC,EAAE,sBAAsB,CAAC;IACzE;;;;OAIG;IACH,QAAQ,CAAC,WAAW,CAAC,EAAE,MAAM,EAAE,CAAC;IAChC,QAAQ,CAAC,KAAK,EAAE,OAAO,CAAC;IACxB,QAAQ,CAAC,SAAS,EAAE,MAAM,CAAC;CAC5B"}

package/dist/retention-policy.js

@@ -0,0 +1,128 @@
+/**
+ * Retention policy — three shapes, one signed deletion-certificate union,
+ * sensitivity ceilings as interop law, reference defaults below them.
+ *
+ * Permissive floor (Apache-2.0). Type-only file — no I/O, no algorithms
+ * that bind the runtime. Verifiers and signers live in `@motebit/crypto`;
+ * runtime-validation schemas live in `@motebit/wire-schemas`; the
+ * judgment of which retention shape a store registers under lives in the
+ * BSL packages that hold those stores. Adding a new retention shape is
+ * an additive `kind: "..."` entry here plus a new dispatch arm in
+ * `verifyDeletionCertificate` — never a rename of an existing one.
+ *
+ * Doctrine: docs/doctrine/retention-policy.md.
+ */
+/**
+ * Protocol-stated UPPER BOUND on retention, by sensitivity level.
+ * Compliant implementations MUST enforce a finite ceiling for
+ * `medical | financial | secret` and MAY enforce one for `personal`.
+ * `none` is `Infinity` by law. Operators MAY ship a stricter policy.
+ *
+ * Federation peers compare retention claims against these values. An
+ * operator manifest declaring retention beyond a ceiling is non-conforming.
+ *
+ * Retention dissolution axis of Liquescentia's persistence property —
+ * see `docs/doctrine/dissolution-spectrum.md` §4. Form: hard cliff per
+ * sensitivity tier; sensitivity acts as the permeability gradient (higher
+ * sensitivity → higher dissolution pressure → shorter persistence). This
+ * is the only dissolution axis that interop law constrains across
+ * implementations.
+ */
+export const MAX_RETENTION_DAYS_BY_SENSITIVITY = Object.freeze({
+    none: Infinity,
+    personal: 365,
+    medical: 90,
+    financial: 90,
+    secret: 30,
+});
+/**
+ * Reference defaults — what motebit's canonical relay enforces today.
+ * At-or-below `MAX_RETENTION_DAYS_BY_SENSITIVITY` for every level. An
+ * alternative implementation MAY override and remain interop-compliant
+ * so long as its values are at-or-below the ceiling.
+ *
+ * `@motebit/privacy-layer` consumes these as the in-runtime defaults; a
+ * parity test asserts `REFERENCE_RETENTION_DAYS_BY_SENSITIVITY[k] <=
+ * MAX_RETENTION_DAYS_BY_SENSITIVITY[k]` for every key.
+ */
+export const REFERENCE_RETENTION_DAYS_BY_SENSITIVITY = Object.freeze({
+    none: Infinity,
+    personal: 365,
+    medical: 90,
+    financial: 90,
+    secret: 30,
+});
+/**
+ * Empty-tree federation graph anchor — the canonical self-witnessed
+ * encoding when an operator has no federation peers at `horizon_ts`.
+ *
+ * `merkle_root` is the hex-encoded SHA-256 of the empty byte string
+ * (`sha256(new Uint8Array(0))`). Verifiers in `@motebit/crypto` admit
+ * `append_only_horizon` certs carrying this anchor as self-witnessed —
+ * `witnessed_by[]` may be empty since there are no peers to solicit.
+ *
+ * Phase 4b-3 makes `federation_graph_anchor` mandatory on certs from
+ * federation-aware deployments; pre-4b-3 certs without the field are
+ * grandfathered self-witnessed (verifier policy enforces
+ * presence-when-peered, not presence-always).
+ */
+export const EMPTY_FEDERATION_GRAPH_ANCHOR = Object.freeze({
+    algo: "merkle-sha256-v1",
+    // SHA-256 of zero bytes — well-known constant.
+    merkle_root: "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
+    leaf_count: 0,
+});
+/**
+ * Canonical registry: `RuntimeStoreId` → declared `RetentionShape`.
+ *
+ *   - `memory` registers under `mutable_pruning` per phase 3 — the
+ *     privacy-layer's `deleteMemory` constructs and signs the cert at
+ *     each erase call site.
+ *   - `event_log` registers under `append_only_horizon` per phase 4a —
+ *     `EventStore.advanceHorizon` signs the horizon cert and truncates.
+ *     `witness_required: false` is the no-peer-deployment derivation
+ *     per decision 9; the manifest layer overrides to `true` once the
+ *     operator appears in any peer's federation graph (phase 4b-3).
+ *   - `conversation_messages` and `tool_audit` register under
+ *     `consolidation_flush` per phase 5-ship — the consolidation cycle's
+ *     flush phase enforces, lazy-classifying on read per decision 6b.
+ *     Tool-audit's settlement-floor resolver per decision 3 is wired at
+ *     runtime; the manifest projection surfaces only its presence.
+ *
+ * Reference defaults below come from `REFERENCE_RETENTION_DAYS_BY_SENSITIVITY`;
+ * an alternative implementation MAY ship stricter ceilings and remain
+ * interop-compliant.
+ */
+export const RUNTIME_RETENTION_REGISTRY = Object.freeze({
+    memory: {
+        kind: "mutable_pruning",
+        max_retention_days_by_sensitivity: REFERENCE_RETENTION_DAYS_BY_SENSITIVITY,
+    },
+    event_log: {
+        kind: "append_only_horizon",
+        horizon_advance_period_days: 365,
+        witness_required: false,
+    },
+    conversation_messages: {
+        kind: "consolidation_flush",
+        flush_to: "expire",
+        has_min_floor_resolver: false,
+    },
+    tool_audit: {
+        kind: "consolidation_flush",
+        flush_to: "expire",
+        has_min_floor_resolver: true,
+    },
+    // `skill_audit` carries the same shape as `tool_audit` — append-only
+    // operator-act ledger with a `sensitivity` column on the
+    // `skill_consent_granted` variant. Registers under `consolidation_flush`
+    // so the consolidation cycle's flush phase respects sensitivity-tier
+    // retention ceilings. No min-floor resolver: skill audit doesn't
+    // gate settlement, so the per-tier horizon is the only ceiling.
+    skill_audit: {
+        kind: "consolidation_flush",
+        flush_to: "expire",
+        has_min_floor_resolver: false,
+    },
+});
+//# sourceMappingURL=retention-policy.js.map

package/dist/retention-policy.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"retention-policy.js","sourceRoot":"","sources":["../src/retention-policy.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AAmBH;;;;;;;;;;;;;;;GAeG;AACH,MAAM,CAAC,MAAM,iCAAiC,GAMzC,MAAM,CAAC,MAAM,CAAC;IACjB,IAAI,EAAE,QAAQ;IACd,QAAQ,EAAE,GAAG;IACb,OAAO,EAAE,EAAE;IACX,SAAS,EAAE,EAAE;IACb,MAAM,EAAE,EAAE;CACX,CAAC,CAAC;AAEH;;;;;;;;;GASG;AACH,MAAM,CAAC,MAAM,uCAAuC,GAM/C,MAAM,CAAC,MAAM,CAAC;IACjB,IAAI,EAAE,QAAQ;IACd,QAAQ,EAAE,GAAG;IACb,OAAO,EAAE,EAAE;IACX,SAAS,EAAE,EAAE;IACb,MAAM,EAAE,EAAE;CACX,CAAC,CAAC;AA8FH;;;;;;;;;;;;;GAaG;AACH,MAAM,CAAC,MAAM,6BAA6B,GAA0B,MAAM,CAAC,MAAM,CAAC;IAChF,IAAI,EAAE,kBAAkB;IACxB,+CAA+C;IAC/C,WAAW,EAAE,kEAAkE;IAC/E,UAAU,EAAE,CAAC;CACd,CAAC,CAAC;AAqWH;;;;;;;;;;;;;;;;;;;;GAoBG;AACH,MAAM,CAAC,MAAM,0BAA0B,GAEnC,MAAM,CAAC,MAAM,CAAC;IAChB,MAAM,EAAE;QACN,IAAI,EAAE,iBAAiB;QACvB,iCAAiC,EAAE,uCAAuC;KAC3E;IACD,SAAS,EAAE;QACT,IAAI,EAAE,qBAAqB;QAC3B,2BAA2B,EAAE,GAAG;QAChC,gBAAgB,EAAE,KAAK;KACxB;IACD,qBAAqB,EAAE;QACrB,IAAI,EAAE,qBAAqB;QAC3B,QAAQ,EAAE,QAAQ;QAClB,sBAAsB,EAAE,KAAK;KAC9B;IACD,UAAU,EAAE;QACV,IAAI,EAAE,qBAAqB;QAC3B,QAAQ,EAAE,QAAQ;QAClB,sBAAsB,EAAE,IAAI;KAC7B;IACD,qEAAqE;IACrE,yDAAyD;IACzD,yEAAyE;IACzE,qEAAqE;IACrE,iEAAiE;IACjE,gEAAgE;IAChE,WAAW,EAAE;QACX,IAAI,EAAE,qBAAqB;QAC3B,QAAQ,EAAE,QAAQ;QAClB,sBAAsB,EAAE,KAAK;KAC9B;CACF,CAAC,CAAC"}