@orqenix/transport-security 0.6.0-phase-6

package/LICENSE

@@ -0,0 +1,19 @@
+                                 Apache License
+                           Version 2.0, January 2004
+                        http://www.apache.org/licenses/
+
+Copyright 2026 Milo Nguyen and Orqenix contributors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+
+[Full Apache 2.0 text: include verbatim from https://www.apache.org/licenses/LICENSE-2.0.txt]

package/README.md

@@ -0,0 +1,6 @@
+# @orqenix/transport-security
+
+Ed25519 IdentityVerifier and capability verification pipeline for Orqenix Phase 6.
+Replaces the no-op verifier/signer placeholders used in Parts 2 and 3-4.
+
+See CR v7.2 Chapter 6 for the full specification.

package/dist/adapters.d.ts

@@ -0,0 +1,15 @@
+import type { ScopeId } from '@orqenix/mesh-transport-core';
+import { LRUKeyStore } from './key-store.js';
+export interface StructuralIdentityVerifier {
+    verifyScopeSig(fromScope: ScopeId, requestIdOrNonce: string, toScope: ScopeId, sigB64u: string): Promise<boolean>;
+}
+export interface Ed25519IdentityVerifierOptions {
+    keyStore: LRUKeyStore;
+}
+export declare class Ed25519IdentityVerifier implements StructuralIdentityVerifier {
+    private readonly keyStore;
+    constructor(opts: Ed25519IdentityVerifierOptions);
+    verifyScopeSig(fromScope: ScopeId, requestIdOrNonce: string, toScope: ScopeId, sigB64u: string): Promise<boolean>;
+}
+export declare function makeEd25519IdentityVerifier(keyStore: LRUKeyStore): Ed25519IdentityVerifier;
+//# sourceMappingURL=adapters.d.ts.map

package/dist/adapters.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"adapters.d.ts","sourceRoot":"","sources":["../src/adapters.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,8BAA8B,CAAC;AAE5D,OAAO,EAAE,WAAW,EAAE,MAAM,gBAAgB,CAAC;AAE7C,MAAM,WAAW,0BAA0B;IACzC,cAAc,CACZ,SAAS,EAAE,OAAO,EAClB,gBAAgB,EAAE,MAAM,EACxB,OAAO,EAAE,OAAO,EAChB,OAAO,EAAE,MAAM,GACd,OAAO,CAAC,OAAO,CAAC,CAAC;CACrB;AAED,MAAM,WAAW,8BAA8B;IAC7C,QAAQ,EAAE,WAAW,CAAC;CACvB;AAED,qBAAa,uBAAwB,YAAW,0BAA0B;IACxE,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAc;gBAC3B,IAAI,EAAE,8BAA8B;IAI1C,cAAc,CAClB,SAAS,EAAE,OAAO,EAClB,gBAAgB,EAAE,MAAM,EACxB,OAAO,EAAE,OAAO,EAChB,OAAO,EAAE,MAAM,GACd,OAAO,CAAC,OAAO,CAAC;CAapB;AAED,wBAAgB,2BAA2B,CAAC,QAAQ,EAAE,WAAW,GAAG,uBAAuB,CAE1F"}

package/dist/adapters.js

@@ -0,0 +1,27 @@
+import { b64urlDecode, ed25519Verify, importEd25519PublicKey } from './ed25519.js';
+export class Ed25519IdentityVerifier {
+    keyStore;
+    constructor(opts) {
+        this.keyStore = opts.keyStore;
+    }
+    async verifyScopeSig(fromScope, requestIdOrNonce, toScope, sigB64u) {
+        if (!fromScope || !requestIdOrNonce || !toScope || !sigB64u)
+            return false;
+        const pubRaw = await this.keyStore.get(fromScope);
+        if (!pubRaw)
+            return false;
+        try {
+            const publicKey = await importEd25519PublicKey(pubRaw);
+            const sigBytes = b64urlDecode(sigB64u);
+            const message = new TextEncoder().encode(`${requestIdOrNonce}.${toScope}`);
+            return await ed25519Verify(publicKey, sigBytes, message);
+        }
+        catch {
+            return false;
+        }
+    }
+}
+export function makeEd25519IdentityVerifier(keyStore) {
+    return new Ed25519IdentityVerifier({ keyStore });
+}
+//# sourceMappingURL=adapters.js.map

package/dist/adapters.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"adapters.js","sourceRoot":"","sources":["../src/adapters.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,YAAY,EAAE,aAAa,EAAE,sBAAsB,EAAE,MAAM,cAAc,CAAC;AAgBnF,MAAM,OAAO,uBAAuB;IACjB,QAAQ,CAAc;IACvC,YAAY,IAAoC;QAC9C,IAAI,CAAC,QAAQ,GAAG,IAAI,CAAC,QAAQ,CAAC;IAChC,CAAC;IAED,KAAK,CAAC,cAAc,CAClB,SAAkB,EAClB,gBAAwB,EACxB,OAAgB,EAChB,OAAe;QAEf,IAAI,CAAC,SAAS,IAAI,CAAC,gBAAgB,IAAI,CAAC,OAAO,IAAI,CAAC,OAAO;YAAE,OAAO,KAAK,CAAC;QAC1E,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;QAClD,IAAI,CAAC,MAAM;YAAE,OAAO,KAAK,CAAC;QAC1B,IAAI,CAAC;YACH,MAAM,SAAS,GAAG,MAAM,sBAAsB,CAAC,MAAM,CAAC,CAAC;YACvD,MAAM,QAAQ,GAAG,YAAY,CAAC,OAAO,CAAC,CAAC;YACvC,MAAM,OAAO,GAAG,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,GAAG,gBAAgB,IAAI,OAAO,EAAE,CAAC,CAAC;YAC3E,OAAO,MAAM,aAAa,CAAC,SAAS,EAAE,QAAQ,EAAE,OAAO,CAAC,CAAC;QAC3D,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,KAAK,CAAC;QACf,CAAC;IACH,CAAC;CACF;AAED,MAAM,UAAU,2BAA2B,CAAC,QAAqB;IAC/D,OAAO,IAAI,uBAAuB,CAAC,EAAE,QAAQ,EAAE,CAAC,CAAC;AACnD,CAAC"}

package/dist/capability-token.d.ts

@@ -0,0 +1,14 @@
+import type { ScopeId, CapabilityToken } from '@orqenix/mesh-transport-core';
+export interface CapabilityTokenFields {
+    iss: ScopeId;
+    sub: ScopeId;
+    caps: string[];
+    exp: number;
+    nbf?: number;
+    jti: string;
+    sig: string;
+}
+export declare function canonicalSigningBytes(token: Omit<CapabilityTokenFields, 'sig'>): Uint8Array;
+export declare function encodeCapabilityToken(token: CapabilityTokenFields): CapabilityToken;
+export declare function decodeCapabilityToken(s: string): CapabilityTokenFields;
+//# sourceMappingURL=capability-token.d.ts.map

package/dist/capability-token.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"capability-token.d.ts","sourceRoot":"","sources":["../src/capability-token.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,OAAO,EAAE,eAAe,EAAE,MAAM,8BAA8B,CAAC;AAO7E,MAAM,WAAW,qBAAqB;IACpC,GAAG,EAAE,OAAO,CAAC;IACb,GAAG,EAAE,OAAO,CAAC;IACb,IAAI,EAAE,MAAM,EAAE,CAAC;IACf,GAAG,EAAE,MAAM,CAAC;IACZ,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,GAAG,EAAE,MAAM,CAAC;IACZ,GAAG,EAAE,MAAM,CAAC;CACb;AAED,wBAAgB,qBAAqB,CAAC,KAAK,EAAE,IAAI,CAAC,qBAAqB,EAAE,KAAK,CAAC,GAAG,UAAU,CAU3F;AAED,wBAAgB,qBAAqB,CAAC,KAAK,EAAE,qBAAqB,GAAG,eAAe,CAEnF;AAED,wBAAgB,qBAAqB,CAAC,CAAC,EAAE,MAAM,GAAG,qBAAqB,CA4BtE"}

package/dist/capability-token.js

@@ -0,0 +1,49 @@
+import { Packr, Unpackr } from 'msgpackr';
+import { canonicalize } from '@orqenix/mesh-transport-core';
+import { b64urlDecode, b64urlEncode } from './ed25519.js';
+const packr = new Packr({ useRecords: false });
+const unpackr = new Unpackr({ useRecords: false });
+export function canonicalSigningBytes(token) {
+    const stripped = {
+        iss: token.iss,
+        sub: token.sub,
+        caps: [...token.caps].sort(),
+        exp: token.exp,
+        nbf: token.nbf,
+        jti: token.jti,
+    };
+    return packr.pack(canonicalize(stripped));
+}
+export function encodeCapabilityToken(token) {
+    return b64urlEncode(packr.pack(canonicalize(token)));
+}
+export function decodeCapabilityToken(s) {
+    const raw = unpackr.unpack(b64urlDecode(s));
+    if (!raw || typeof raw !== 'object')
+        throw new Error('cap-token: not an object');
+    const o = raw;
+    for (const k of ['iss', 'sub', 'jti', 'sig']) {
+        if (typeof o[k] !== 'string' || o[k].length === 0) {
+            throw new Error(`cap-token: field ${k} missing or empty`);
+        }
+    }
+    if (!Array.isArray(o.caps) || o.caps.some((c) => typeof c !== 'string')) {
+        throw new Error('cap-token: caps must be string[]');
+    }
+    if (!Number.isInteger(o.exp) || o.exp <= 0) {
+        throw new Error('cap-token: exp must be a positive integer');
+    }
+    if (o.nbf !== undefined && (!Number.isInteger(o.nbf) || o.nbf <= 0)) {
+        throw new Error('cap-token: nbf must be a positive integer when present');
+    }
+    return {
+        iss: o.iss,
+        sub: o.sub,
+        caps: o.caps,
+        exp: o.exp,
+        nbf: o.nbf,
+        jti: o.jti,
+        sig: o.sig,
+    };
+}
+//# sourceMappingURL=capability-token.js.map

package/dist/capability-token.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"capability-token.js","sourceRoot":"","sources":["../src/capability-token.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,KAAK,EAAE,OAAO,EAAE,MAAM,UAAU,CAAC;AAE1C,OAAO,EAAE,YAAY,EAAE,MAAM,8BAA8B,CAAC;AAC5D,OAAO,EAAE,YAAY,EAAE,YAAY,EAAE,MAAM,cAAc,CAAC;AAE1D,MAAM,KAAK,GAAG,IAAI,KAAK,CAAC,EAAE,UAAU,EAAE,KAAK,EAAE,CAAC,CAAC;AAC/C,MAAM,OAAO,GAAG,IAAI,OAAO,CAAC,EAAE,UAAU,EAAE,KAAK,EAAE,CAAC,CAAC;AAYnD,MAAM,UAAU,qBAAqB,CAAC,KAAyC;IAC7E,MAAM,QAAQ,GAAG;QACf,GAAG,EAAE,KAAK,CAAC,GAAG;QACd,GAAG,EAAE,KAAK,CAAC,GAAG;QACd,IAAI,EAAE,CAAC,GAAG,KAAK,CAAC,IAAI,CAAC,CAAC,IAAI,EAAE;QAC5B,GAAG,EAAE,KAAK,CAAC,GAAG;QACd,GAAG,EAAE,KAAK,CAAC,GAAG;QACd,GAAG,EAAE,KAAK,CAAC,GAAG;KACf,CAAC;IACF,OAAO,KAAK,CAAC,IAAI,CAAC,YAAY,CAAC,QAAQ,CAAC,CAAC,CAAC;AAC5C,CAAC;AAED,MAAM,UAAU,qBAAqB,CAAC,KAA4B;IAChE,OAAO,YAAY,CAAC,KAAK,CAAC,IAAI,CAAC,YAAY,CAAC,KAAK,CAAC,CAAC,CAAoB,CAAC;AAC1E,CAAC;AAED,MAAM,UAAU,qBAAqB,CAAC,CAAS;IAC7C,MAAM,GAAG,GAAG,OAAO,CAAC,MAAM,CAAC,YAAY,CAAC,CAAC,CAAC,CAAY,CAAC;IACvD,IAAI,CAAC,GAAG,IAAI,OAAO,GAAG,KAAK,QAAQ;QAAE,MAAM,IAAI,KAAK,CAAC,0BAA0B,CAAC,CAAC;IACjF,MAAM,CAAC,GAAG,GAA8B,CAAC;IAEzC,KAAK,MAAM,CAAC,IAAI,CAAC,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,CAAU,EAAE,CAAC;QACtD,IAAI,OAAO,CAAC,CAAC,CAAC,CAAC,KAAK,QAAQ,IAAK,CAAC,CAAC,CAAC,CAAY,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YAC9D,MAAM,IAAI,KAAK,CAAC,oBAAoB,CAAC,mBAAmB,CAAC,CAAC;QAC5D,CAAC;IACH,CAAC;IACD,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,OAAO,CAAC,KAAK,QAAQ,CAAC,EAAE,CAAC;QACxE,MAAM,IAAI,KAAK,CAAC,kCAAkC,CAAC,CAAC;IACtD,CAAC;IACD,IAAI,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC,CAAC,GAAG,CAAC,IAAK,CAAC,CAAC,GAAc,IAAI,CAAC,EAAE,CAAC;QACvD,MAAM,IAAI,KAAK,CAAC,2CAA2C,CAAC,CAAC;IAC/D,CAAC;IACD,IAAI,CAAC,CAAC,GAAG,KAAK,SAAS,IAAI,CAAC,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC,CAAC,GAAG,CAAC,IAAK,CAAC,CAAC,GAAc,IAAI,CAAC,CAAC,EAAE,CAAC;QAChF,MAAM,IAAI,KAAK,CAAC,wDAAwD,CAAC,CAAC;IAC5E,CAAC;IACD,OAAO;QACL,GAAG,EAAE,CAAC,CAAC,GAAc;QACrB,GAAG,EAAE,CAAC,CAAC,GAAc;QACrB,IAAI,EAAE,CAAC,CAAC,IAAgB;QACxB,GAAG,EAAE,CAAC,CAAC,GAAa;QACpB,GAAG,EAAE,CAAC,CAAC,GAAyB;QAChC,GAAG,EAAE,CAAC,CAAC,GAAa;QACpB,GAAG,EAAE,CAAC,CAAC,GAAa;KACrB,CAAC;AACJ,CAAC"}

package/dist/ed25519.d.ts

@@ -0,0 +1,13 @@
+export interface Ed25519Keypair {
+    publicKey: CryptoKey;
+    privateKey: CryptoKey;
+}
+export declare function generateEd25519Keypair(): Promise<Ed25519Keypair>;
+export declare function importEd25519PublicKey(raw: Uint8Array): Promise<CryptoKey>;
+export declare function importEd25519PrivateKey(seed: Uint8Array): Promise<CryptoKey>;
+export declare function exportEd25519PublicKeyRaw(key: CryptoKey): Promise<Uint8Array>;
+export declare function ed25519Sign(privateKey: CryptoKey, message: Uint8Array): Promise<Uint8Array>;
+export declare function ed25519Verify(publicKey: CryptoKey, signature: Uint8Array, message: Uint8Array): Promise<boolean>;
+export declare function b64urlEncode(bytes: Uint8Array): string;
+export declare function b64urlDecode(s: string): Uint8Array;
+//# sourceMappingURL=ed25519.d.ts.map

package/dist/ed25519.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"ed25519.d.ts","sourceRoot":"","sources":["../src/ed25519.ts"],"names":[],"mappings":"AAMA,MAAM,WAAW,cAAc;IAC7B,SAAS,EAAE,SAAS,CAAC;IACrB,UAAU,EAAE,SAAS,CAAC;CACvB;AAED,wBAAsB,sBAAsB,IAAI,OAAO,CAAC,cAAc,CAAC,CAGtE;AAED,wBAAsB,sBAAsB,CAAC,GAAG,EAAE,UAAU,GAAG,OAAO,CAAC,SAAS,CAAC,CAGhF;AAED,wBAAsB,uBAAuB,CAAC,IAAI,EAAE,UAAU,GAAG,OAAO,CAAC,SAAS,CAAC,CAIlF;AAED,wBAAsB,yBAAyB,CAAC,GAAG,EAAE,SAAS,GAAG,OAAO,CAAC,UAAU,CAAC,CAEnF;AAED,wBAAsB,WAAW,CAAC,UAAU,EAAE,SAAS,EAAE,OAAO,EAAE,UAAU,GAAG,OAAO,CAAC,UAAU,CAAC,CAEjG;AAED,wBAAsB,aAAa,CAAC,SAAS,EAAE,SAAS,EAAE,SAAS,EAAE,UAAU,EAAE,OAAO,EAAE,UAAU,GAAG,OAAO,CAAC,OAAO,CAAC,CAMtH;AAaD,wBAAgB,YAAY,CAAC,KAAK,EAAE,UAAU,GAAG,MAAM,CAEtD;AAED,wBAAgB,YAAY,CAAC,CAAC,EAAE,MAAM,GAAG,UAAU,CAGlD"}

package/dist/ed25519.js

@@ -0,0 +1,51 @@
+const subtle = globalThis.crypto.subtle;
+function toBuf(src) {
+    return src.buffer.slice(src.byteOffset, src.byteOffset + src.byteLength);
+}
+export async function generateEd25519Keypair() {
+    const kp = (await subtle.generateKey('Ed25519', true, ['sign', 'verify']));
+    return { publicKey: kp.publicKey, privateKey: kp.privateKey };
+}
+export async function importEd25519PublicKey(raw) {
+    if (raw.length !== 32)
+        throw new Error('ed25519: public key must be 32 bytes');
+    return await subtle.importKey('raw', toBuf(raw), 'Ed25519', true, ['verify']);
+}
+export async function importEd25519PrivateKey(seed) {
+    if (seed.length !== 32)
+        throw new Error('ed25519: private seed must be 32 bytes');
+    const pkcs8 = wrapEd25519SeedAsPkcs8(seed);
+    return await subtle.importKey('pkcs8', toBuf(pkcs8), 'Ed25519', false, ['sign']);
+}
+export async function exportEd25519PublicKeyRaw(key) {
+    return new Uint8Array(await subtle.exportKey('raw', key));
+}
+export async function ed25519Sign(privateKey, message) {
+    return new Uint8Array(await subtle.sign('Ed25519', privateKey, toBuf(message)));
+}
+export async function ed25519Verify(publicKey, signature, message) {
+    try {
+        return await subtle.verify('Ed25519', publicKey, toBuf(signature), toBuf(message));
+    }
+    catch {
+        return false;
+    }
+}
+function wrapEd25519SeedAsPkcs8(seed) {
+    const prefix = new Uint8Array([
+        0x30, 0x2e, 0x02, 0x01, 0x00, 0x30, 0x05, 0x06,
+        0x03, 0x2b, 0x65, 0x70, 0x04, 0x22, 0x04, 0x20,
+    ]);
+    const out = new Uint8Array(prefix.length + 32);
+    out.set(prefix, 0);
+    out.set(seed, prefix.length);
+    return out;
+}
+export function b64urlEncode(bytes) {
+    return Buffer.from(bytes).toString('base64').replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
+}
+export function b64urlDecode(s) {
+    const pad = s.length % 4 === 0 ? '' : '='.repeat(4 - (s.length % 4));
+    return new Uint8Array(Buffer.from(s.replace(/-/g, '+').replace(/_/g, '/') + pad, 'base64'));
+}
+//# sourceMappingURL=ed25519.js.map

package/dist/ed25519.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"ed25519.js","sourceRoot":"","sources":["../src/ed25519.ts"],"names":[],"mappings":"AAAA,MAAM,MAAM,GAAiB,UAAU,CAAC,MAAM,CAAC,MAAM,CAAC;AAEtD,SAAS,KAAK,CAAC,GAAe;IAC5B,OAAO,GAAG,CAAC,MAAM,CAAC,KAAK,CAAC,GAAG,CAAC,UAAU,EAAE,GAAG,CAAC,UAAU,GAAG,GAAG,CAAC,UAAU,CAAgB,CAAC;AAC1F,CAAC;AAOD,MAAM,CAAC,KAAK,UAAU,sBAAsB;IAC1C,MAAM,EAAE,GAAG,CAAC,MAAM,MAAM,CAAC,WAAW,CAAC,SAAS,EAAE,IAAI,EAAE,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC,CAAkB,CAAC;IAC5F,OAAO,EAAE,SAAS,EAAE,EAAE,CAAC,SAAS,EAAE,UAAU,EAAE,EAAE,CAAC,UAAU,EAAE,CAAC;AAChE,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,sBAAsB,CAAC,GAAe;IAC1D,IAAI,GAAG,CAAC,MAAM,KAAK,EAAE;QAAE,MAAM,IAAI,KAAK,CAAC,sCAAsC,CAAC,CAAC;IAC/E,OAAO,MAAM,MAAM,CAAC,SAAS,CAAC,KAAK,EAAE,KAAK,CAAC,GAAG,CAAC,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,QAAQ,CAAC,CAAC,CAAC;AAChF,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,uBAAuB,CAAC,IAAgB;IAC5D,IAAI,IAAI,CAAC,MAAM,KAAK,EAAE;QAAE,MAAM,IAAI,KAAK,CAAC,wCAAwC,CAAC,CAAC;IAClF,MAAM,KAAK,GAAG,sBAAsB,CAAC,IAAI,CAAC,CAAC;IAC3C,OAAO,MAAM,MAAM,CAAC,SAAS,CAAC,OAAO,EAAE,KAAK,CAAC,KAAK,CAAC,EAAE,SAAS,EAAE,KAAK,EAAE,CAAC,MAAM,CAAC,CAAC,CAAC;AACnF,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,yBAAyB,CAAC,GAAc;IAC5D,OAAO,IAAI,UAAU,CAAC,MAAM,MAAM,CAAC,SAAS,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC,CAAC;AAC5D,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,WAAW,CAAC,UAAqB,EAAE,OAAmB;IAC1E,OAAO,IAAI,UAAU,CAAC,MAAM,MAAM,CAAC,IAAI,CAAC,SAAS,EAAE,UAAU,EAAE,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC;AAClF,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,aAAa,CAAC,SAAoB,EAAE,SAAqB,EAAE,OAAmB;IAClG,IAAI,CAAC;QACH,OAAO,MAAM,MAAM,CAAC,MAAM,CAAC,SAAS,EAAE,SAAS,EAAE,KAAK,CAAC,SAAS,CAAC,EAAE,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC;IACrF,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAC;IACf,CAAC;AACH,CAAC;AAED,SAAS,sBAAsB,CAAC,IAAgB;IAC9C,MAAM,MAAM,GAAG,IAAI,UAAU,CAAC;QAC5B,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI;QAC9C,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI;KAC/C,CAAC,CAAC;IACH,MAAM,GAAG,GAAG,IAAI,UAAU,CAAC,MAAM,CAAC,MAAM,GAAG,EAAE,CAAC,CAAC;IAC/C,GAAG,CAAC,GAAG,CAAC,MAAM,EAAE,CAAC,CAAC,CAAC;IACnB,GAAG,CAAC,GAAG,CAAC,IAAI,EAAE,MAAM,CAAC,MAAM,CAAC,CAAC;IAC7B,OAAO,GAAG,CAAC;AACb,CAAC;AAED,MAAM,UAAU,YAAY,CAAC,KAAiB;IAC5C,OAAO,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;AAC1G,CAAC;AAED,MAAM,UAAU,YAAY,CAAC,CAAS;IACpC,MAAM,GAAG,GAAG,CAAC,CAAC,MAAM,GAAG,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC;IACrE,OAAO,IAAI,UAAU,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,GAAG,GAAG,EAAE,QAAQ,CAAC,CAAC,CAAC;AAC9F,CAAC"}

package/dist/glob.d.ts

@@ -0,0 +1,10 @@
+export interface CompiledPattern {
+    readonly raw: string;
+    readonly segments: ReadonlyArray<'*' | '**' | {
+        literal: string;
+    }>;
+}
+export declare function compileGlob(pattern: string): CompiledPattern;
+export declare function matches(compiled: CompiledPattern, method: string): boolean;
+export declare function methodAllowed(caps: ReadonlyArray<string>, method: string): boolean;
+//# sourceMappingURL=glob.d.ts.map

package/dist/glob.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"glob.d.ts","sourceRoot":"","sources":["../src/glob.ts"],"names":[],"mappings":"AAAA,MAAM,WAAW,eAAe;IAC9B,QAAQ,CAAC,GAAG,EAAE,MAAM,CAAC;IACrB,QAAQ,CAAC,QAAQ,EAAE,aAAa,CAAC,GAAG,GAAG,IAAI,GAAG;QAAE,OAAO,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;CACpE;AAED,wBAAgB,WAAW,CAAC,OAAO,EAAE,MAAM,GAAG,eAAe,CAY5D;AAED,wBAAgB,OAAO,CAAC,QAAQ,EAAE,eAAe,EAAE,MAAM,EAAE,MAAM,GAAG,OAAO,CAI1E;AA+BD,wBAAgB,aAAa,CAAC,IAAI,EAAE,aAAa,CAAC,MAAM,CAAC,EAAE,MAAM,EAAE,MAAM,GAAG,OAAO,CAKlF"}

package/dist/glob.js

@@ -0,0 +1,58 @@
+export function compileGlob(pattern) {
+    if (typeof pattern !== 'string' || pattern.length === 0) {
+        throw new Error('glob: empty pattern');
+    }
+    const parts = pattern.split('.');
+    const out = parts.map((p) => {
+        if (p === '*')
+            return '*';
+        if (p === '**')
+            return '**';
+        if (p.includes('*'))
+            throw new Error(`glob: mixed segment "${p}" not allowed (use whole-segment * or **)`);
+        return { literal: p };
+    });
+    return { raw: pattern, segments: out };
+}
+export function matches(compiled, method) {
+    if (typeof method !== 'string' || method.length === 0)
+        return false;
+    const m = method.split('.');
+    return matchHelper(compiled.segments, 0, m, 0);
+}
+function matchHelper(pat, pi, parts, mi) {
+    while (pi < pat.length) {
+        const seg = pat[pi];
+        if (seg === '**') {
+            if (pi === pat.length - 1)
+                return true;
+            for (let take = parts.length - mi; take >= 0; take--) {
+                if (matchHelper(pat, pi + 1, parts, mi + take))
+                    return true;
+            }
+            return false;
+        }
+        if (mi >= parts.length)
+            return false;
+        if (seg === '*') {
+            if (parts[mi].length === 0)
+                return false;
+            pi++;
+            mi++;
+            continue;
+        }
+        if (parts[mi] !== seg.literal)
+            return false;
+        pi++;
+        mi++;
+    }
+    return mi === parts.length;
+}
+export function methodAllowed(caps, method) {
+    for (const c of caps) {
+        if (matches(compileGlob(c), method))
+            return true;
+    }
+    return false;
+}
+//# sourceMappingURL=glob.js.map

package/dist/glob.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"glob.js","sourceRoot":"","sources":["../src/glob.ts"],"names":[],"mappings":"AAKA,MAAM,UAAU,WAAW,CAAC,OAAe;IACzC,IAAI,OAAO,OAAO,KAAK,QAAQ,IAAI,OAAO,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACxD,MAAM,IAAI,KAAK,CAAC,qBAAqB,CAAC,CAAC;IACzC,CAAC;IACD,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IACjC,MAAM,GAAG,GAAgC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE;QACvD,IAAI,CAAC,KAAK,GAAG;YAAE,OAAO,GAAG,CAAC;QAC1B,IAAI,CAAC,KAAK,IAAI;YAAE,OAAO,IAAI,CAAC;QAC5B,IAAI,CAAC,CAAC,QAAQ,CAAC,GAAG,CAAC;YAAE,MAAM,IAAI,KAAK,CAAC,wBAAwB,CAAC,2CAA2C,CAAC,CAAC;QAC3G,OAAO,EAAE,OAAO,EAAE,CAAC,EAAE,CAAC;IACxB,CAAC,CAAC,CAAC;IACH,OAAO,EAAE,GAAG,EAAE,OAAO,EAAE,QAAQ,EAAE,GAAG,EAAE,CAAC;AACzC,CAAC;AAED,MAAM,UAAU,OAAO,CAAC,QAAyB,EAAE,MAAc;IAC/D,IAAI,OAAO,MAAM,KAAK,QAAQ,IAAI,MAAM,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,KAAK,CAAC;IACpE,MAAM,CAAC,GAAG,MAAM,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IAC5B,OAAO,WAAW,CAAC,QAAQ,CAAC,QAAQ,EAAE,CAAC,EAAE,CAAC,EAAE,CAAC,CAAC,CAAC;AACjD,CAAC;AAED,SAAS,WAAW,CAClB,GAAgC,EAChC,EAAU,EACV,KAAe,EACf,EAAU;IAEV,OAAO,EAAE,GAAG,GAAG,CAAC,MAAM,EAAE,CAAC;QACvB,MAAM,GAAG,GAAG,GAAG,CAAC,EAAE,CAAC,CAAC;QACpB,IAAI,GAAG,KAAK,IAAI,EAAE,CAAC;YACjB,IAAI,EAAE,KAAK,GAAG,CAAC,MAAM,GAAG,CAAC;gBAAE,OAAO,IAAI,CAAC;YACvC,KAAK,IAAI,IAAI,GAAG,KAAK,CAAC,MAAM,GAAG,EAAE,EAAE,IAAI,IAAI,CAAC,EAAE,IAAI,EAAE,EAAE,CAAC;gBACrD,IAAI,WAAW,CAAC,GAAG,EAAE,EAAE,GAAG,CAAC,EAAE,KAAK,EAAE,EAAE,GAAG,IAAI,CAAC;oBAAE,OAAO,IAAI,CAAC;YAC9D,CAAC;YACD,OAAO,KAAK,CAAC;QACf,CAAC;QACD,IAAI,EAAE,IAAI,KAAK,CAAC,MAAM;YAAE,OAAO,KAAK,CAAC;QACrC,IAAI,GAAG,KAAK,GAAG,EAAE,CAAC;YAChB,IAAI,KAAK,CAAC,EAAE,CAAC,CAAC,MAAM,KAAK,CAAC;gBAAE,OAAO,KAAK,CAAC;YACzC,EAAE,EAAE,CAAC;YACL,EAAE,EAAE,CAAC;YACL,SAAS;QACX,CAAC;QACD,IAAI,KAAK,CAAC,EAAE,CAAC,KAAK,GAAG,CAAC,OAAO;YAAE,OAAO,KAAK,CAAC;QAC5C,EAAE,EAAE,CAAC;QACL,EAAE,EAAE,CAAC;IACP,CAAC;IACD,OAAO,EAAE,KAAK,KAAK,CAAC,MAAM,CAAC;AAC7B,CAAC;AAED,MAAM,UAAU,aAAa,CAAC,IAA2B,EAAE,MAAc;IACvE,KAAK,MAAM,CAAC,IAAI,IAAI,EAAE,CAAC;QACrB,IAAI,OAAO,CAAC,WAAW,CAAC,CAAC,CAAC,EAAE,MAAM,CAAC;YAAE,OAAO,IAAI,CAAC;IACnD,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC"}

package/dist/index.d.ts

@@ -0,0 +1,8 @@
+export * from './ed25519.js';
+export * from './capability-token.js';
+export * from './key-store.js';
+export * from './glob.js';
+export * from './verifier.js';
+export * from './signer.js';
+export * from './adapters.js';
+//# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,cAAc,cAAc,CAAC;AAC7B,cAAc,uBAAuB,CAAC;AACtC,cAAc,gBAAgB,CAAC;AAC/B,cAAc,WAAW,CAAC;AAC1B,cAAc,eAAe,CAAC;AAC9B,cAAc,aAAa,CAAC;AAC5B,cAAc,eAAe,CAAC"}

package/dist/index.js

@@ -0,0 +1,8 @@
+export * from './ed25519.js';
+export * from './capability-token.js';
+export * from './key-store.js';
+export * from './glob.js';
+export * from './verifier.js';
+export * from './signer.js';
+export * from './adapters.js';
+//# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,cAAc,cAAc,CAAC;AAC7B,cAAc,uBAAuB,CAAC;AACtC,cAAc,gBAAgB,CAAC;AAC/B,cAAc,WAAW,CAAC;AAC1B,cAAc,eAAe,CAAC;AAC9B,cAAc,aAAa,CAAC;AAC5B,cAAc,eAAe,CAAC"}

package/dist/key-store.d.ts

@@ -0,0 +1,26 @@
+import type { ScopeId } from '@orqenix/mesh-transport-core';
+export interface KeyResolver {
+    resolve(scopeId: ScopeId): Promise<Uint8Array | undefined>;
+}
+export interface KeyStoreOptions {
+    maxEntries?: number;
+    resolver?: KeyResolver;
+}
+export interface KeyStoreStats {
+    hits: number;
+    misses: number;
+    size: number;
+}
+export declare class LRUKeyStore {
+    private readonly maxEntries;
+    private readonly resolver?;
+    private readonly map;
+    private hits;
+    private misses;
+    constructor(opts?: KeyStoreOptions);
+    put(scopeId: ScopeId, publicKey: Uint8Array): void;
+    get(scopeId: ScopeId): Promise<Uint8Array | undefined>;
+    getStats(): KeyStoreStats;
+    clear(): void;
+}
+//# sourceMappingURL=key-store.d.ts.map

package/dist/key-store.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"key-store.d.ts","sourceRoot":"","sources":["../src/key-store.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,8BAA8B,CAAC;AAE5D,MAAM,WAAW,WAAW;IAC1B,OAAO,CAAC,OAAO,EAAE,OAAO,GAAG,OAAO,CAAC,UAAU,GAAG,SAAS,CAAC,CAAC;CAC5D;AAED,MAAM,WAAW,eAAe;IAC9B,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,QAAQ,CAAC,EAAE,WAAW,CAAC;CACxB;AAED,MAAM,WAAW,aAAa;IAC5B,IAAI,EAAE,MAAM,CAAC;IACb,MAAM,EAAE,MAAM,CAAC;IACf,IAAI,EAAE,MAAM,CAAC;CACd;AAED,qBAAa,WAAW;IACtB,OAAO,CAAC,QAAQ,CAAC,UAAU,CAAS;IACpC,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAc;IACxC,OAAO,CAAC,QAAQ,CAAC,GAAG,CAAkC;IACtD,OAAO,CAAC,IAAI,CAAK;IACjB,OAAO,CAAC,MAAM,CAAK;gBAEP,IAAI,GAAE,eAAoB;IAKtC,GAAG,CAAC,OAAO,EAAE,OAAO,EAAE,SAAS,EAAE,UAAU,GAAG,IAAI;IAW5C,GAAG,CAAC,OAAO,EAAE,OAAO,GAAG,OAAO,CAAC,UAAU,GAAG,SAAS,CAAC;IAe5D,QAAQ,IAAI,aAAa;IAIzB,KAAK,IAAI,IAAI;CAKd"}

package/dist/key-store.js

@@ -0,0 +1,49 @@
+export class LRUKeyStore {
+    maxEntries;
+    resolver;
+    map = new Map();
+    hits = 0;
+    misses = 0;
+    constructor(opts = {}) {
+        this.maxEntries = opts.maxEntries ?? 4_096;
+        this.resolver = opts.resolver;
+    }
+    put(scopeId, publicKey) {
+        if (publicKey.length !== 32)
+            throw new Error('LRUKeyStore: public key must be 32 bytes');
+        if (this.map.has(scopeId))
+            this.map.delete(scopeId);
+        this.map.set(scopeId, publicKey);
+        while (this.map.size > this.maxEntries) {
+            const oldest = this.map.keys().next().value;
+            if (oldest === undefined)
+                break;
+            this.map.delete(oldest);
+        }
+    }
+    async get(scopeId) {
+        const cached = this.map.get(scopeId);
+        if (cached) {
+            this.hits++;
+            this.map.delete(scopeId);
+            this.map.set(scopeId, cached);
+            return cached;
+        }
+        this.misses++;
+        if (!this.resolver)
+            return undefined;
+        const fetched = await this.resolver.resolve(scopeId);
+        if (fetched)
+            this.put(scopeId, fetched);
+        return fetched;
+    }
+    getStats() {
+        return { hits: this.hits, misses: this.misses, size: this.map.size };
+    }
+    clear() {
+        this.map.clear();
+        this.hits = 0;
+        this.misses = 0;
+    }
+}
+//# sourceMappingURL=key-store.js.map

package/dist/key-store.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"key-store.js","sourceRoot":"","sources":["../src/key-store.ts"],"names":[],"mappings":"AAiBA,MAAM,OAAO,WAAW;IACL,UAAU,CAAS;IACnB,QAAQ,CAAe;IACvB,GAAG,GAAG,IAAI,GAAG,EAAuB,CAAC;IAC9C,IAAI,GAAG,CAAC,CAAC;IACT,MAAM,GAAG,CAAC,CAAC;IAEnB,YAAY,OAAwB,EAAE;QACpC,IAAI,CAAC,UAAU,GAAG,IAAI,CAAC,UAAU,IAAI,KAAK,CAAC;QAC3C,IAAI,CAAC,QAAQ,GAAG,IAAI,CAAC,QAAQ,CAAC;IAChC,CAAC;IAED,GAAG,CAAC,OAAgB,EAAE,SAAqB;QACzC,IAAI,SAAS,CAAC,MAAM,KAAK,EAAE;YAAE,MAAM,IAAI,KAAK,CAAC,0CAA0C,CAAC,CAAC;QACzF,IAAI,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC,OAAO,CAAC;YAAE,IAAI,CAAC,GAAG,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;QACpD,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC,OAAO,EAAE,SAAS,CAAC,CAAC;QACjC,OAAO,IAAI,CAAC,GAAG,CAAC,IAAI,GAAG,IAAI,CAAC,UAAU,EAAE,CAAC;YACvC,MAAM,MAAM,GAAG,IAAI,CAAC,GAAG,CAAC,IAAI,EAAE,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC;YAC5C,IAAI,MAAM,KAAK,SAAS;gBAAE,MAAM;YAChC,IAAI,CAAC,GAAG,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;QAC1B,CAAC;IACH,CAAC;IAED,KAAK,CAAC,GAAG,CAAC,OAAgB;QACxB,MAAM,MAAM,GAAG,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;QACrC,IAAI,MAAM,EAAE,CAAC;YACX,IAAI,CAAC,IAAI,EAAE,CAAC;YACZ,IAAI,CAAC,GAAG,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;YACzB,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;YAC9B,OAAO,MAAM,CAAC;QAChB,CAAC;QACD,IAAI,CAAC,MAAM,EAAE,CAAC;QACd,IAAI,CAAC,IAAI,CAAC,QAAQ;YAAE,OAAO,SAAS,CAAC;QACrC,MAAM,OAAO,GAAG,MAAM,IAAI,CAAC,QAAQ,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC;QACrD,IAAI,OAAO;YAAE,IAAI,CAAC,GAAG,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC;QACxC,OAAO,OAAO,CAAC;IACjB,CAAC;IAED,QAAQ;QACN,OAAO,EAAE,IAAI,EAAE,IAAI,CAAC,IAAI,EAAE,MAAM,EAAE,IAAI,CAAC,MAAM,EAAE,IAAI,EAAE,IAAI,CAAC,GAAG,CAAC,IAAI,EAAE,CAAC;IACvE,CAAC;IAED,KAAK;QACH,IAAI,CAAC,GAAG,CAAC,KAAK,EAAE,CAAC;QACjB,IAAI,CAAC,IAAI,GAAG,CAAC,CAAC;QACd,IAAI,CAAC,MAAM,GAAG,CAAC,CAAC;IAClB,CAAC;CACF"}

package/dist/signer.d.ts

@@ -0,0 +1,14 @@
+import type { ScopeId } from '@orqenix/mesh-transport-core';
+export interface Ed25519SignerOptions {
+    fromScope: ScopeId;
+    privateKey: CryptoKey;
+}
+export declare class Ed25519Signer {
+    readonly fromScope: ScopeId;
+    private readonly privateKey;
+    constructor(opts: Ed25519SignerOptions);
+    signScopeProof(requestId: string, toScope: ScopeId): Promise<string>;
+}
+export type SignFn = (requestId: string, toScope: ScopeId) => Promise<string>;
+export declare function makeSignFn(signer: Ed25519Signer): SignFn;
+//# sourceMappingURL=signer.d.ts.map

package/dist/signer.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"signer.d.ts","sourceRoot":"","sources":["../src/signer.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,8BAA8B,CAAC;AAG5D,MAAM,WAAW,oBAAoB;IACnC,SAAS,EAAE,OAAO,CAAC;IACnB,UAAU,EAAE,SAAS,CAAC;CACvB;AAED,qBAAa,aAAa;IACxB,QAAQ,CAAC,SAAS,EAAE,OAAO,CAAC;IAC5B,OAAO,CAAC,QAAQ,CAAC,UAAU,CAAY;gBAE3B,IAAI,EAAE,oBAAoB;IAKhC,cAAc,CAAC,SAAS,EAAE,MAAM,EAAE,OAAO,EAAE,OAAO,GAAG,OAAO,CAAC,MAAM,CAAC;CAK3E;AAED,MAAM,MAAM,MAAM,GAAG,CAAC,SAAS,EAAE,MAAM,EAAE,OAAO,EAAE,OAAO,KAAK,OAAO,CAAC,MAAM,CAAC,CAAC;AAE9E,wBAAgB,UAAU,CAAC,MAAM,EAAE,aAAa,GAAG,MAAM,CAExD"}

package/dist/signer.js

@@ -0,0 +1,18 @@
+import { b64urlEncode, ed25519Sign } from './ed25519.js';
+export class Ed25519Signer {
+    fromScope;
+    privateKey;
+    constructor(opts) {
+        this.fromScope = opts.fromScope;
+        this.privateKey = opts.privateKey;
+    }
+    async signScopeProof(requestId, toScope) {
+        const canonical = new TextEncoder().encode(`${requestId}.${toScope}`);
+        const sig = await ed25519Sign(this.privateKey, canonical);
+        return b64urlEncode(sig);
+    }
+}
+export function makeSignFn(signer) {
+    return (requestId, toScope) => signer.signScopeProof(requestId, toScope);
+}
+//# sourceMappingURL=signer.js.map

package/dist/signer.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"signer.js","sourceRoot":"","sources":["../src/signer.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,YAAY,EAAE,WAAW,EAAE,MAAM,cAAc,CAAC;AAOzD,MAAM,OAAO,aAAa;IACf,SAAS,CAAU;IACX,UAAU,CAAY;IAEvC,YAAY,IAA0B;QACpC,IAAI,CAAC,SAAS,GAAG,IAAI,CAAC,SAAS,CAAC;QAChC,IAAI,CAAC,UAAU,GAAG,IAAI,CAAC,UAAU,CAAC;IACpC,CAAC;IAED,KAAK,CAAC,cAAc,CAAC,SAAiB,EAAE,OAAgB;QACtD,MAAM,SAAS,GAAG,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,GAAG,SAAS,IAAI,OAAO,EAAE,CAAC,CAAC;QACtE,MAAM,GAAG,GAAG,MAAM,WAAW,CAAC,IAAI,CAAC,UAAU,EAAE,SAAS,CAAC,CAAC;QAC1D,OAAO,YAAY,CAAC,GAAG,CAAC,CAAC;IAC3B,CAAC;CACF;AAID,MAAM,UAAU,UAAU,CAAC,MAAqB;IAC9C,OAAO,CAAC,SAAS,EAAE,OAAO,EAAE,EAAE,CAAC,MAAM,CAAC,cAAc,CAAC,SAAS,EAAE,OAAO,CAAC,CAAC;AAC3E,CAAC"}

package/dist/verifier.d.ts

@@ -0,0 +1,35 @@
+import { type CapabilityToken, type ScopeId } from '@orqenix/mesh-transport-core';
+import { type CapabilityTokenFields } from './capability-token.js';
+import { LRUKeyStore } from './key-store.js';
+export interface VerifyInput {
+    capability: CapabilityToken | string;
+    fromScope: ScopeId;
+    toScope: ScopeId;
+    method: string;
+    now?: () => number;
+}
+export interface VerifyOk {
+    ok: true;
+    token: CapabilityTokenFields;
+}
+export interface VerifyDenied {
+    ok: false;
+    code: string;
+    message: string;
+}
+export type VerifyResult = VerifyOk | VerifyDenied;
+export type DelegationHook = (token: CapabilityTokenFields) => Promise<VerifyResult>;
+export interface CapabilityVerifierOptions {
+    keyStore: LRUKeyStore;
+    delegation?: DelegationHook;
+}
+export declare class CapabilityVerifier {
+    private readonly keyStore;
+    private readonly delegation?;
+    private globCache;
+    constructor(opts: CapabilityVerifierOptions);
+    verify(input: VerifyInput): Promise<VerifyResult>;
+    private methodAllowed;
+}
+export declare function throwOnDenied(result: VerifyResult): asserts result is VerifyOk;
+//# sourceMappingURL=verifier.d.ts.map

package/dist/verifier.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"verifier.d.ts","sourceRoot":"","sources":["../src/verifier.ts"],"names":[],"mappings":"AAAA,OAAO,EAGL,KAAK,eAAe,EAEpB,KAAK,OAAO,EACb,MAAM,8BAA8B,CAAC;AAEtC,OAAO,EAGL,KAAK,qBAAqB,EAC3B,MAAM,uBAAuB,CAAC;AAC/B,OAAO,EAAE,WAAW,EAAE,MAAM,gBAAgB,CAAC;AAG7C,MAAM,WAAW,WAAW;IAC1B,UAAU,EAAE,eAAe,GAAG,MAAM,CAAC;IACrC,SAAS,EAAE,OAAO,CAAC;IACnB,OAAO,EAAE,OAAO,CAAC;IACjB,MAAM,EAAE,MAAM,CAAC;IACf,GAAG,CAAC,EAAE,MAAM,MAAM,CAAC;CACpB;AAED,MAAM,WAAW,QAAQ;IACvB,EAAE,EAAE,IAAI,CAAC;IACT,KAAK,EAAE,qBAAqB,CAAC;CAC9B;AACD,MAAM,WAAW,YAAY;IAC3B,EAAE,EAAE,KAAK,CAAC;IACV,IAAI,EAAE,MAAM,CAAC;IACb,OAAO,EAAE,MAAM,CAAC;CACjB;AACD,MAAM,MAAM,YAAY,GAAG,QAAQ,GAAG,YAAY,CAAC;AAEnD,MAAM,MAAM,cAAc,GAAG,CAAC,KAAK,EAAE,qBAAqB,KAAK,OAAO,CAAC,YAAY,CAAC,CAAC;AAErF,MAAM,WAAW,yBAAyB;IACxC,QAAQ,EAAE,WAAW,CAAC;IACtB,UAAU,CAAC,EAAE,cAAc,CAAC;CAC7B;AAED,qBAAa,kBAAkB;IAC7B,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAc;IACvC,OAAO,CAAC,QAAQ,CAAC,UAAU,CAAC,CAAiB;IAC7C,OAAO,CAAC,SAAS,CAAqD;gBAE1D,IAAI,EAAE,yBAAyB;IAKrC,MAAM,CAAC,KAAK,EAAE,WAAW,GAAG,OAAO,CAAC,YAAY,CAAC;IAsDvD,OAAO,CAAC,aAAa;CAetB;AAED,wBAAgB,aAAa,CAAC,MAAM,EAAE,YAAY,GAAG,OAAO,CAAC,MAAM,IAAI,QAAQ,CAI9E"}

package/dist/verifier.js

@@ -0,0 +1,92 @@
+import { CapabilityError, ErrorCode, } from '@orqenix/mesh-transport-core';
+import { b64urlDecode, ed25519Verify, importEd25519PublicKey } from './ed25519.js';
+import { canonicalSigningBytes, decodeCapabilityToken, } from './capability-token.js';
+import { compileGlob, matches } from './glob.js';
+export class CapabilityVerifier {
+    keyStore;
+    delegation;
+    globCache = new Map();
+    constructor(opts) {
+        this.keyStore = opts.keyStore;
+        this.delegation = opts.delegation;
+    }
+    async verify(input) {
+        const now = (input.now ?? Date.now)();
+        let token;
+        try {
+            if (!input.capability || (typeof input.capability === 'string' && input.capability.length === 0)) {
+                return denied(ErrorCode.CAP_MISSING, 'capability missing');
+            }
+            token = decodeCapabilityToken(String(input.capability));
+        }
+        catch (e) {
+            return denied(ErrorCode.CAP_MALFORMED, sanitizeMessage(String(e.message)));
+        }
+        if (token.nbf !== undefined && now < token.nbf) {
+            return denied(ErrorCode.CAP_EXPIRED, 'token not yet valid');
+        }
+        if (now >= token.exp) {
+            return denied(ErrorCode.CAP_EXPIRED, 'token expired');
+        }
+        const pubRaw = await this.keyStore.get(token.iss);
+        if (!pubRaw) {
+            return denied(ErrorCode.CAP_SIG_INVALID, 'signature invalid');
+        }
+        let sigOk = false;
+        try {
+            const publicKey = await importEd25519PublicKey(pubRaw);
+            const sigBytes = b64urlDecode(token.sig);
+            const signed = canonicalSigningBytes(token);
+            sigOk = await ed25519Verify(publicKey, sigBytes, signed);
+        }
+        catch {
+            sigOk = false;
+        }
+        if (!sigOk)
+            return denied(ErrorCode.CAP_SIG_INVALID, 'signature invalid');
+        if (token.sub !== input.fromScope) {
+            return denied(ErrorCode.CAP_SUBJECT_MISMATCH, 'subject mismatch');
+        }
+        if (token.iss !== input.toScope) {
+            return denied(ErrorCode.CAP_ISSUER_MISMATCH, 'issuer mismatch');
+        }
+        if (!this.methodAllowed(token.caps, input.method)) {
+            return denied(ErrorCode.CAP_METHOD_NOT_ALLOWED, 'method not allowed');
+        }
+        if (this.delegation) {
+            const r = await this.delegation(token);
+            if (!r.ok)
+                return r;
+        }
+        return { ok: true, token };
+    }
+    methodAllowed(caps, method) {
+        for (const c of caps) {
+            let g = this.globCache.get(c);
+            if (!g) {
+                try {
+                    g = compileGlob(c);
+                }
+                catch {
+                    continue;
+                }
+                this.globCache.set(c, g);
+            }
+            if (matches(g, method))
+                return true;
+        }
+        return false;
+    }
+}
+export function throwOnDenied(result) {
+    if (!result.ok) {
+        throw new CapabilityError(result.message, result.code);
+    }
+}
+function denied(code, message) {
+    return { ok: false, code, message };
+}
+function sanitizeMessage(s) {
+    return s.split('\n')[0].slice(0, 160);
+}
+//# sourceMappingURL=verifier.js.map

package/dist/verifier.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"verifier.js","sourceRoot":"","sources":["../src/verifier.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,eAAe,EACf,SAAS,GAIV,MAAM,8BAA8B,CAAC;AACtC,OAAO,EAAE,YAAY,EAAE,aAAa,EAAE,sBAAsB,EAAE,MAAM,cAAc,CAAC;AACnF,OAAO,EACL,qBAAqB,EACrB,qBAAqB,GAEtB,MAAM,uBAAuB,CAAC;AAE/B,OAAO,EAAE,WAAW,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AA4BjD,MAAM,OAAO,kBAAkB;IACZ,QAAQ,CAAc;IACtB,UAAU,CAAkB;IACrC,SAAS,GAAG,IAAI,GAAG,EAA0C,CAAC;IAEtE,YAAY,IAA+B;QACzC,IAAI,CAAC,QAAQ,GAAG,IAAI,CAAC,QAAQ,CAAC;QAC9B,IAAI,CAAC,UAAU,GAAG,IAAI,CAAC,UAAU,CAAC;IACpC,CAAC;IAED,KAAK,CAAC,MAAM,CAAC,KAAkB;QAC7B,MAAM,GAAG,GAAG,CAAC,KAAK,CAAC,GAAG,IAAI,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC;QAEtC,IAAI,KAA4B,CAAC;QACjC,IAAI,CAAC;YACH,IAAI,CAAC,KAAK,CAAC,UAAU,IAAI,CAAC,OAAO,KAAK,CAAC,UAAU,KAAK,QAAQ,IAAI,KAAK,CAAC,UAAU,CAAC,MAAM,KAAK,CAAC,CAAC,EAAE,CAAC;gBACjG,OAAO,MAAM,CAAC,SAAS,CAAC,WAAW,EAAE,oBAAoB,CAAC,CAAC;YAC7D,CAAC;YACD,KAAK,GAAG,qBAAqB,CAAC,MAAM,CAAC,KAAK,CAAC,UAAU,CAAC,CAAC,CAAC;QAC1D,CAAC;QAAC,OAAO,CAAC,EAAE,CAAC;YACX,OAAO,MAAM,CAAC,SAAS,CAAC,aAAa,EAAE,eAAe,CAAC,MAAM,CAAE,CAAW,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC;QACxF,CAAC;QAED,IAAI,KAAK,CAAC,GAAG,KAAK,SAAS,IAAI,GAAG,GAAG,KAAK,CAAC,GAAG,EAAE,CAAC;YAC/C,OAAO,MAAM,CAAC,SAAS,CAAC,WAAW,EAAE,qBAAqB,CAAC,CAAC;QAC9D,CAAC;QACD,IAAI,GAAG,IAAI,KAAK,CAAC,GAAG,EAAE,CAAC;YACrB,OAAO,MAAM,CAAC,SAAS,CAAC,WAAW,EAAE,eAAe,CAAC,CAAC;QACxD,CAAC;QAED,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QAClD,IAAI,CAAC,MAAM,EAAE,CAAC;YACZ,OAAO,MAAM,CAAC,SAAS,CAAC,eAAe,EAAE,mBAAmB,CAAC,CAAC;QAChE,CAAC;QACD,IAAI,KAAK,GAAG,KAAK,CAAC;QAClB,IAAI,CAAC;YACH,MAAM,SAAS,GAAG,MAAM,sBAAsB,CAAC,MAAM,CAAC,CAAC;YACvD,MAAM,QAAQ,GAAG,YAAY,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;YACzC,MAAM,MAAM,GAAG,qBAAqB,CAAC,KAAK,CAAC,CAAC;YAC5C,KAAK,GAAG,MAAM,aAAa,CAAC,SAAS,EAAE,QAAQ,EAAE,MAAM,CAAC,CAAC;QAC3D,CAAC;QAAC,MAAM,CAAC;YACP,KAAK,GAAG,KAAK,CAAC;QAChB,CAAC;QACD,IAAI,CAAC,KAAK;YAAE,OAAO,MAAM,CAAC,SAAS,CAAC,eAAe,EAAE,mBAAmB,CAAC,CAAC;QAE1E,IAAI,KAAK,CAAC,GAAG,KAAK,KAAK,CAAC,SAAS,EAAE,CAAC;YAClC,OAAO,MAAM,CAAC,SAAS,CAAC,oBAAoB,EAAE,kBAAkB,CAAC,CAAC;QACpE,CAAC;QACD,IAAI,KAAK,CAAC,GAAG,KAAK,KAAK,CAAC,OAAO,EAAE,CAAC;YAChC,OAAO,MAAM,CAAC,SAAS,CAAC,mBAAmB,EAAE,iBAAiB,CAAC,CAAC;QAClE,CAAC;QAED,IAAI,CAAC,IAAI,CAAC,aAAa,CAAC,KAAK,CAAC,IAAI,EAAE,KAAK,CAAC,MAAM,CAAC,EAAE,CAAC;YAClD,OAAO,MAAM,CAAC,SAAS,CAAC,sBAAsB,EAAE,oBAAoB,CAAC,CAAC;QACxE,CAAC;QAED,IAAI,IAAI,CAAC,UAAU,EAAE,CAAC;YACpB,MAAM,CAAC,GAAG,MAAM,IAAI,CAAC,UAAU,CAAC,KAAK,CAAC,CAAC;YACvC,IAAI,CAAC,CAAC,CAAC,EAAE;gBAAE,OAAO,CAAC,CAAC;QACtB,CAAC;QAED,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC;IAC7B,CAAC;IAEO,aAAa,CAAC,IAA2B,EAAE,MAAc;QAC/D,KAAK,MAAM,CAAC,IAAI,IAAI,EAAE,CAAC;YACrB,IAAI,CAAC,GAAG,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;YAC9B,IAAI,CAAC,CAAC,EAAE,CAAC;gBACP,IAAI,CAAC;oBACH,CAAC,GAAG,WAAW,CAAC,CAAC,CAAC,CAAC;gBACrB,CAAC;gBAAC,MAAM,CAAC;oBACP,SAAS;gBACX,CAAC;gBACD,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC;YAC3B,CAAC;YACD,IAAI,OAAO,CAAC,CAAC,EAAE,MAAM,CAAC;gBAAE,OAAO,IAAI,CAAC;QACtC,CAAC;QACD,OAAO,KAAK,CAAC;IACf,CAAC;CACF;AAED,MAAM,UAAU,aAAa,CAAC,MAAoB;IAChD,IAAI,CAAC,MAAM,CAAC,EAAE,EAAE,CAAC;QACf,MAAM,IAAI,eAAe,CAAC,MAAM,CAAC,OAAO,EAAE,MAAM,CAAC,IAAsB,CAAC,CAAC;IAC3E,CAAC;AACH,CAAC;AAED,SAAS,MAAM,CAAC,IAAY,EAAE,OAAe;IAC3C,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,IAAI,EAAE,OAAO,EAAE,CAAC;AACtC,CAAC;AAED,SAAS,eAAe,CAAC,CAAS;IAChC,OAAO,CAAC,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC;AACxC,CAAC"}

package/package.json

@@ -0,0 +1,45 @@
+{
+  "name": "@orqenix/transport-security",
+  "version": "0.6.0-phase-6",
+  "description": "Ed25519 IdentityVerifier and capability verification pipeline for Orqenix Phase 6. Replaces the no-op verifier/signer placeholders used in Parts 2 and 3-4.",
+  "type": "module",
+  "license": "Apache-2.0",
+  "main": "./dist/index.js",
+  "types": "./dist/index.d.ts",
+  "exports": {
+    ".": {
+      "types": "./dist/index.d.ts",
+      "import": "./dist/index.js"
+    }
+  },
+  "files": [
+    "dist",
+    "README.md",
+    "LICENSE",
+    "CHANGELOG.md"
+  ],
+  "dependencies": {
+    "msgpackr": "^1.11.0",
+    "@orqenix/mesh-transport-core": "0.6.0-phase-6"
+  },
+  "devDependencies": {
+    "@types/node": "^22.7.0",
+    "@vitest/coverage-v8": "^2.1.0",
+    "tsx": "^4.19.0",
+    "typescript": "^5.6.0",
+    "vitest": "^2.1.0"
+  },
+  "publishConfig": {
+    "access": "public",
+    "provenance": false
+  },
+  "engines": {
+    "node": ">=22.0.0"
+  },
+  "scripts": {
+    "build": "tsc -p tsconfig.json",
+    "test": "vitest run --coverage",
+    "gate:G40": "vitest run test/G40-gate-wrapper.test.ts --reporter verbose",
+    "bench": "vitest run test/bench.p95.test.ts"
+  }
+}