@nokinc-flur/sdk 1.1.1 → 1.1.3

package/dist/index.js

@@ -2920,15 +2920,45 @@ import { z as z13 } from "zod";
 var Hex64 = z13.string().regex(/^[0-9a-f]{64}$/i);
 var HexAny = z13.string().regex(/^[0-9a-f]+$/i);
 var Sha256Hex = z13.string().regex(/^[0-9a-f]{64}$/i);
+var Base64Std = z13.string().regex(/^[A-Za-z0-9+/]+={0,2}$/);
 var RegisterDeviceKeyInputSchema = z13.object({
   deviceId: z13.string().min(1).max(128),
   publicKeyHex: Hex64
 });
+var AttestationSecurityLevelSchema = z13.enum([
+  "STRONGBOX",
+  "TEE",
+  "SECURE_ENCLAVE",
+  "SOFTWARE"
+]);
+var DeviceKeyAlgSchema = z13.enum(["ed25519", "p256"]);
+var RegisterDeviceKeyP256InputSchema = z13.object({
+  deviceId: z13.string().min(1).max(128),
+  /** P-256 SubjectPublicKeyInfo DER, base64. */
+  publicKeySpkiB64: Base64Std.min(64).max(4096),
+  /** Base64 of the server-issued enrollment challenge string. */
+  challengeB64: Base64Std.min(8).max(1024),
+  /** iOS App Attest payload or Android X.509 Key Attestation chain. */
+  attestationChainB64: z13.array(Base64Std.min(16).max(16384)).min(1).max(16),
+  securityLevel: AttestationSecurityLevelSchema
+});
+var P256EnrollmentChallengeInputSchema = z13.object({
+  deviceId: z13.string().min(1).max(128)
+});
+var P256EnrollmentChallengeResultSchema = z13.object({
+  challenge: z13.string().min(16),
+  expiresAtMs: z13.number().int().positive()
+});
 var DeviceKeyRecordSchema = z13.object({
   id: z13.string().uuid(),
   userId: z13.string().uuid(),
   deviceId: z13.string(),
-  publicKeyHex: Hex64,
+  alg: DeviceKeyAlgSchema.default("ed25519"),
+  publicKeyHex: Hex64.nullable().default(null),
+  publicKeySpkiB64: Base64Std.nullable().default(null),
+  securityLevel: AttestationSecurityLevelSchema.nullable().default(null),
+  hardwareBacked: z13.boolean().default(false),
+  attestedAtMs: z13.number().int().nonnegative().nullable().default(null),
   createdAtMs: z13.number().int().nonnegative(),
   revokedAtMs: z13.number().int().nonnegative().nullable()
 });
@@ -2937,7 +2967,9 @@ var ConsumerOACSchema = z13.object({
   issuerId: z13.string().min(1).max(64),
   userId: z13.string().uuid(),
   deviceId: z13.string().min(1).max(128),
-  devicePubkeyHex: Hex64,
+  alg: z13.enum(["ed25519", "p256"]).optional(),
+  devicePubkeyHex: Hex64.optional(),
+  devicePubkeySpkiB64: Base64Std.min(64).max(4096).optional(),
   perTxCapKobo: z13.number().int().positive(),
   cumulativeCapKobo: z13.number().int().positive(),
   currency: z13.string().length(3),
@@ -2945,7 +2977,16 @@ var ConsumerOACSchema = z13.object({
   validUntilMs: z13.number().int().nonnegative(),
   counterSeed: z13.number().int().nonnegative(),
   issuedAtMs: z13.number().int().nonnegative()
-});
+}).refine(
+  (o) => {
+    const alg = o.alg ?? "ed25519";
+    if (alg === "ed25519") {
+      return Boolean(o.devicePubkeyHex) && !o.devicePubkeySpkiB64;
+    }
+    return Boolean(o.devicePubkeySpkiB64) && !o.devicePubkeyHex;
+  },
+  { message: "OAC device pubkey shape must match alg" }
+);
 var SignedConsumerOACSchema = z13.object({
   oac: ConsumerOACSchema,
   issuerSig: HexAny,
@@ -2981,6 +3022,7 @@ var EnableOfflineInputSchema = z13.object({
   installId: z13.string().min(1).max(128),
   partnerId: z13.string().min(1).max(64).optional()
 });
+var ProvisionOfflineAllowanceInputSchema = EnableOfflineInputSchema;
 var DisableOfflineInputSchema = z13.object({
   deviceId: z13.string().min(1).max(128),
   installId: z13.string().min(1).max(128).optional(),
@@ -3018,6 +3060,7 @@ var EnableOfflineResultSchema = z13.object({
   hold: OfflineHoldRecordSchema,
   oac: OACRecordSchema
 });
+var ProvisionOfflineAllowanceResultSchema = EnableOfflineResultSchema;
 var DisableOfflineResultSchema = z13.object({
   hold: OfflineHoldRecordSchema,
   trusted: z13.boolean(),
@@ -3030,7 +3073,10 @@ var OfflineStatusResultSchema = z13.object({
 var OfflineStateResultSchema = z13.object({
   active: OACRecordSchema.nullable()
 });
+var ClaimAlgSchema = z13.enum(["ed25519", "p256"]);
 var ConsumerPaymentClaimSchema = z13.object({
+  /** Algorithm discriminator. Omit / 'ed25519' for V1 clients. */
+  alg: ClaimAlgSchema.optional(),
   oacId: z13.string().uuid(),
   encounterId: Sha256Hex.optional(),
   payerUserId: z13.string().uuid(),
@@ -3043,11 +3089,28 @@ var ConsumerPaymentClaimSchema = z13.object({
   occurredAtMs: z13.number().int().nonnegative(),
   completedAtMs: z13.number().int().nonnegative().optional(),
   contextId: z13.string().max(128).optional(),
-  payerPubkeyHex: Hex64,
-  payerSignature: HexAny,
+  // ed25519 path
+  payerPubkeyHex: Hex64.optional(),
+  payerSignature: HexAny.optional(),
   payeePubkeyHex: Hex64.optional(),
-  payeeSignature: HexAny.optional()
-});
+  payeeSignature: HexAny.optional(),
+  // p256 path
+  payerPubkeySpkiB64: z13.string().min(64).max(4096).optional(),
+  payerSignatureDerB64: z13.string().min(16).max(2048).optional(),
+  payeePubkeySpkiB64: z13.string().min(64).max(4096).optional(),
+  payeeSignatureDerB64: z13.string().min(16).max(2048).optional()
+}).refine(
+  (c) => {
+    const alg = c.alg ?? "ed25519";
+    if (alg === "ed25519") {
+      return Boolean(c.payerPubkeyHex) && Boolean(c.payerSignature);
+    }
+    return Boolean(c.payerPubkeySpkiB64) && Boolean(c.payerSignatureDerB64);
+  },
+  {
+    message: "payer key/signature fields must match alg (ed25519: hex; p256: SPKI+DER b64)"
+  }
+);
 var ConsumerSettlementSchema = z13.object({
   settlementId: z13.string().uuid(),
   settlementKey: Sha256Hex,
@@ -3112,6 +3175,18 @@ function createMeOfflineClient(opts) {
       RegisterDeviceKeyInputSchema.parse(input),
       (raw) => DeviceKeyRecordSchema.parse(raw)
     ),
+    issueP256EnrollmentChallenge: (input) => call(
+      "POST",
+      "/v1/me/offline/keys/p256/challenge",
+      P256EnrollmentChallengeInputSchema.parse(input),
+      (raw) => P256EnrollmentChallengeResultSchema.parse(raw)
+    ),
+    registerDeviceKeyP256: (input) => call(
+      "POST",
+      "/v1/me/offline/keys/p256",
+      RegisterDeviceKeyP256InputSchema.parse(input),
+      (raw) => DeviceKeyRecordSchema.parse(raw)
+    ),
     listDeviceKeys: () => call(
       "GET",
       "/v1/me/offline/keys",
@@ -3124,6 +3199,12 @@ function createMeOfflineClient(opts) {
       RevokeDeviceKeyInputSchema.parse(input),
       () => void 0
     ),
+    provisionAllowance: (input) => call(
+      "POST",
+      "/v1/me/offline/allowance",
+      ProvisionOfflineAllowanceInputSchema.parse(input),
+      (raw) => ProvisionOfflineAllowanceResultSchema.parse(raw)
+    ),
     enable: (input) => call(
       "POST",
       "/v1/me/offline/enable",
@@ -3169,6 +3250,148 @@ function createMeOfflineClient(opts) {
   };
 }
 
+// src/me-offline/signer.ts
+import { ed25519 as ed255192 } from "@noble/curves/ed25519";
+import { p256 } from "@noble/curves/nist";
+import { bytesToHex as bytesToHex5, hexToBytes as hexToBytes2 } from "@noble/hashes/utils";
+var CLAIM_DOMAIN_V2 = "flur:consumer-offline:v2:claim";
+function canonicalClaimSigningPayload(claim) {
+  return {
+    domain: CLAIM_DOMAIN_V2,
+    alg: claim.alg,
+    oacId: claim.oacId,
+    payerUserId: claim.payerUserId,
+    payeeUserId: claim.payeeUserId,
+    payerDeviceId: claim.payerDeviceId,
+    payerNonce: claim.payerNonce,
+    payeeNonce: claim.payeeNonce,
+    amountKobo: claim.amountKobo,
+    currency: claim.currency,
+    occurredAtMs: claim.occurredAtMs,
+    completedAtMs: claim.completedAtMs ?? null,
+    contextId: claim.contextId ?? null
+  };
+}
+function canonicalClaimSigningBytes(claim) {
+  return canonicalJSONBytes(canonicalClaimSigningPayload(claim));
+}
+function bytesToBase64(bytes) {
+  if (typeof Buffer !== "undefined") {
+    return Buffer.from(bytes).toString("base64");
+  }
+  let bin = "";
+  for (let i = 0; i < bytes.length; i++) bin += String.fromCharCode(bytes[i]);
+  return btoa(bin);
+}
+function base64ToBytes(b64) {
+  if (typeof Buffer !== "undefined") {
+    return new Uint8Array(Buffer.from(b64, "base64"));
+  }
+  const bin = atob(b64);
+  const out = new Uint8Array(bin.length);
+  for (let i = 0; i < bin.length; i++) out[i] = bin.charCodeAt(i);
+  return out;
+}
+var P256_SPKI_HEADER = new Uint8Array([
+  48,
+  89,
+  48,
+  19,
+  6,
+  7,
+  42,
+  134,
+  72,
+  206,
+  61,
+  2,
+  1,
+  6,
+  8,
+  42,
+  134,
+  72,
+  206,
+  61,
+  3,
+  1,
+  7,
+  3,
+  66,
+  0
+]);
+function p256PublicKeyToSpkiB64(rawUncompressed) {
+  if (rawUncompressed.length !== 65 || rawUncompressed[0] !== 4) {
+    throw new Error("p256: expected 65-byte uncompressed point");
+  }
+  const out = new Uint8Array(P256_SPKI_HEADER.length + rawUncompressed.length);
+  out.set(P256_SPKI_HEADER, 0);
+  out.set(rawUncompressed, P256_SPKI_HEADER.length);
+  return bytesToBase64(out);
+}
+function p256SpkiB64ToPublicKey(spkiB64) {
+  const spki = base64ToBytes(spkiB64);
+  if (spki.length !== P256_SPKI_HEADER.length + 65) {
+    throw new Error("p256: invalid SPKI length");
+  }
+  for (let i = 0; i < P256_SPKI_HEADER.length; i++) {
+    if (spki[i] !== P256_SPKI_HEADER[i]) {
+      throw new Error("p256: invalid SPKI header");
+    }
+  }
+  return spki.slice(P256_SPKI_HEADER.length);
+}
+function createSoftwareEd25519Signer(privateKey) {
+  const pub = ed255192.getPublicKey(privateKey);
+  return {
+    alg: "ed25519",
+    async getPublicKey() {
+      return { alg: "ed25519", publicKey: bytesToHex5(pub) };
+    },
+    async sign(bytes) {
+      const sig = ed255192.sign(bytes, privateKey);
+      return { alg: "ed25519", signature: bytesToHex5(sig) };
+    }
+  };
+}
+function createSoftwareP256Signer(privateKey) {
+  const raw = p256.getPublicKey(privateKey, false);
+  const spkiB64 = p256PublicKeyToSpkiB64(raw);
+  return {
+    alg: "p256",
+    async getPublicKey() {
+      return { alg: "p256", publicKey: spkiB64 };
+    },
+    async sign(bytes) {
+      const sig = p256.sign(bytes, privateKey, { prehash: true });
+      const der = sig.toBytes("der");
+      return { alg: "p256", signature: bytesToBase64(der) };
+    }
+  };
+}
+function verifyClaimSignature(input) {
+  try {
+    if (input.alg === "ed25519") {
+      return ed255192.verify(
+        hexToBytes2(input.signature),
+        input.bytes,
+        hexToBytes2(input.publicKey)
+      );
+    }
+    if (input.alg === "p256") {
+      const sigDer = base64ToBytes(input.signature);
+      const pub = p256SpkiB64ToPublicKey(input.publicKey);
+      return p256.verify(sigDer, input.bytes, pub, {
+        prehash: true,
+        format: "der"
+      });
+    }
+    return false;
+  } catch {
+    return false;
+  }
+}
+
 // src/partner-funding/client.ts
 import { z as z14 } from "zod";
 var MinorString = z14.string().regex(/^-?\d+$/);
@@ -3895,6 +4118,8 @@ export {
   AccountSchema,
   ApiCredentialPublicSchema,
   ArtifactHeaderSchema,
+  AttestationSecurityLevelSchema,
+  CLAIM_DOMAIN_V2,
   COLLECTION_INTENT_STATUSES,
   COLLECTION_PAYMENT_STATUSES,
   CUSTODIAL_MODES,
@@ -3913,6 +4138,7 @@ export {
   CreatePayoutInputSchema,
   CreateWithdrawalInputSchema,
   CreateWithdrawalResultSchema,
+  DeviceKeyAlgSchema,
   DeviceKeyRecordSchema,
   DisableOfflineInputSchema,
   DisableOfflineResultSchema,
@@ -3957,6 +4183,8 @@ export {
   OfflineStateResultSchema,
   OfflineStatusResultSchema,
   OfflineTokenSchema,
+  P256EnrollmentChallengeInputSchema,
+  P256EnrollmentChallengeResultSchema,
   PARTNER_FUNDING_DIRECTIONS,
   PARTNER_FUNDING_STATUSES,
   PARTNER_KINDS,
@@ -3980,6 +4208,8 @@ export {
   PayoutEventInputSchema,
   ProviderEventInputSchema,
   ProviderEventRecordSchema,
+  ProvisionOfflineAllowanceInputSchema,
+  ProvisionOfflineAllowanceResultSchema,
   PublicCollectionIntentSchema,
   RECEIPT_CHANNELS,
   RECEIPT_KINDS,
@@ -3991,6 +4221,7 @@ export {
   RecordPayoutEventResultSchema,
   RedemptionSchema,
   RegisterDeviceKeyInputSchema,
+  RegisterDeviceKeyP256InputSchema,
   ReversalRecordArtifactSchema,
   RevokeDeviceKeyInputSchema,
   SETTLEMENT_SCHEDULES,
@@ -4013,6 +4244,8 @@ export {
   buildPaymentRequest,
   buildReceipt,
   buildRedemption,
+  canonicalClaimSigningBytes,
+  canonicalClaimSigningPayload,
   canonicalJSONBytes,
   canonicalJSONStringify,
   canonicalRequestString,
@@ -4037,6 +4270,8 @@ export {
   createPassesClient,
   createReceiptArtifactUri,
   createReceiptsClient,
+  createSoftwareEd25519Signer,
+  createSoftwareP256Signer,
   decodeArtifactUri,
   decodeAuthorizationQR,
   decodeBase45,
@@ -4078,6 +4313,7 @@ export {
   verifyArtifactUri,
   verifyAuthorization,
   verifyCanonical,
+  verifyClaimSignature,
   verifyOAC,
   verifyPass,
   verifyPaymentRequest,