@phosra/cli 0.1.0

package/dist/envelope.js

@@ -0,0 +1,53 @@
+/**
+ * Build a §4.2 consent_attestation OCSS envelope for the doctor round-trip.
+ *
+ * Seals the payload bytes to the router's EC P-256 payload JWK (JWE),
+ * wraps in an Outer, and signs the outer with the parent Ed25519 sender key.
+ * Mirrors @phosra/link census-client.ts sealConsentAttestation without pg.
+ *
+ * SANDBOX ONLY — called with household-acme (pre-admitted test key).
+ */
+import { seal, signSender, defaultSenderSignatureCodec, SPEC_VERSION, } from "@openchildsafety/ocss";
+function rfc3339SecondsZ(d) {
+    return d.toISOString().replace(/\.\d{3}Z$/, "Z");
+}
+function nonceB64url() {
+    const b = crypto.getRandomValues(new Uint8Array(16));
+    let bin = "";
+    for (const x of b)
+        bin += String.fromCharCode(x);
+    return btoa(bin).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
+}
+/**
+ * buildConsentAttestation seals the payload to the router and signs the outer
+ * with the parent persona key. Returns the wire-ready Envelope.
+ *
+ * @param payload        Consent attestation fields (idempotency_key must be unique per run)
+ * @param parentKey      household-acme SenderKey (signs the outer + HTTP request)
+ * @param routerJwk      Router's EC P-256 payload public key (from the trust list)
+ * @param censusBaseUrl  Census base URL — sets the envelope's `resource`
+ * @param routerDid      Router DID — sets `inner.receiver` + `outer.intermediary_audience`
+ */
+export async function buildConsentAttestation(payload, parentKey, routerJwk, censusBaseUrl, routerDid) {
+    const resource = `${censusBaseUrl}/api/v1`;
+    const sealed = await seal(new TextEncoder().encode(JSON.stringify(payload)), routerJwk);
+    const inner = {
+        receiver: routerDid,
+        envelope_type: "consent_attestation",
+        payload: sealed,
+    };
+    const now = new Date();
+    const outer = {
+        ocss_version: SPEC_VERSION,
+        intermediary_audience: routerDid,
+        issued_at: rfc3339SecondsZ(now),
+        nonce: nonceB64url(),
+        resource,
+        sender_signature: "", // filled in by signSender below
+    };
+    const envelope = { outer, inner };
+    // signSender mutates outer.sender_signature AND returns it — mutation is fine here.
+    signSender(envelope, parentKey, Math.floor(now.getTime() / 1000), defaultSenderSignatureCodec);
+    return envelope;
+}
+//# sourceMappingURL=envelope.js.map

package/dist/envelope.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"envelope.js","sourceRoot":"","sources":["../src/envelope.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,OAAO,EACL,IAAI,EACJ,UAAU,EACV,2BAA2B,EAC3B,YAAY,GAMb,MAAM,uBAAuB,CAAC;AAE/B,SAAS,eAAe,CAAC,CAAO;IAC9B,OAAO,CAAC,CAAC,WAAW,EAAE,CAAC,OAAO,CAAC,WAAW,EAAE,GAAG,CAAC,CAAC;AACnD,CAAC;AAED,SAAS,WAAW;IAClB,MAAM,CAAC,GAAG,MAAM,CAAC,eAAe,CAAC,IAAI,UAAU,CAAC,EAAE,CAAC,CAAC,CAAC;IACrD,IAAI,GAAG,GAAG,EAAE,CAAC;IACb,KAAK,MAAM,CAAC,IAAI,CAAC;QAAE,GAAG,IAAI,MAAM,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;IACjD,OAAO,IAAI,CAAC,GAAG,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;AAC9E,CAAC;AAaD;;;;;;;;;GASG;AACH,MAAM,CAAC,KAAK,UAAU,uBAAuB,CAC3C,OAAuB,EACvB,SAAoB,EACpB,SAAc,EACd,aAAqB,EACrB,SAAiB;IAEjB,MAAM,QAAQ,GAAG,GAAG,aAAa,SAAS,CAAC;IAC3C,MAAM,MAAM,GAAK,MAAM,IAAI,CAAC,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,CAAC,EAAE,SAAS,CAAC,CAAC;IAE1F,MAAM,KAAK,GAAU;QACnB,QAAQ,EAAO,SAAS;QACxB,aAAa,EAAE,qBAAqB;QACpC,OAAO,EAAQ,MAAM;KACtB,CAAC;IAEF,MAAM,GAAG,GAAK,IAAI,IAAI,EAAE,CAAC;IACzB,MAAM,KAAK,GAAU;QACnB,YAAY,EAAW,YAAY;QACnC,qBAAqB,EAAE,SAAS;QAChC,SAAS,EAAc,eAAe,CAAC,GAAG,CAAC;QAC3C,KAAK,EAAkB,WAAW,EAAE;QACpC,QAAQ;QACR,gBAAgB,EAAO,EAAE,EAAI,gCAAgC;KAC9D,CAAC;IAEF,MAAM,QAAQ,GAAa,EAAE,KAAK,EAAE,KAAK,EAAE,CAAC;IAC5C,oFAAoF;IACpF,UAAU,CAAC,QAAQ,EAAE,SAAS,EAAE,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,OAAO,EAAE,GAAG,IAAI,CAAC,EAAE,2BAA2B,CAAC,CAAC;IAC/F,OAAO,QAAQ,CAAC;AAClB,CAAC"}

package/dist/keygen.d.ts

@@ -0,0 +1,29 @@
+/**
+ * Client-side Ed25519 key generation for `phosra init`.
+ *
+ * §12.3 clean: keys are generated LOCALLY in Node's crypto module and are NEVER
+ * transmitted to the census during init. The generated seed is printed ONCE to
+ * stdout/the env file; the partner must store it securely (it has the same threat
+ * model as any API secret key).
+ *
+ * The public X (base64url-raw) is safe to share and can be submitted to the OCSS
+ * governance process for accreditation.
+ */
+export interface GeneratedKey {
+    /** Base64url-encoded 32-byte Ed25519 private seed. KEEP SECRET. */
+    seedB64Url: string;
+    /** Base64url-raw Ed25519 public X. Safe to share. */
+    pubXB64Url: string;
+    /** "did:ocss:<slug>#YYYY-MM" — the keyID format the trust list uses. */
+    keyId: string;
+    /** "did:ocss:<slug>" — the partner's DID. */
+    did: string;
+}
+/**
+ * Generate a fresh Ed25519 key pair for a partner integration.
+ *
+ * @param slug   Lowercase slug for the partner's DID (e.g. "acme-parental").
+ *               Must match did:ocss identifier rules (alphanumeric + - _ .).
+ */
+export declare function generateKey(slug: string): GeneratedKey;
+//# sourceMappingURL=keygen.d.ts.map

package/dist/keygen.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"keygen.d.ts","sourceRoot":"","sources":["../src/keygen.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAKH,MAAM,WAAW,YAAY;IAC3B,mEAAmE;IACnE,UAAU,EAAE,MAAM,CAAC;IACnB,qDAAqD;IACrD,UAAU,EAAE,MAAM,CAAC;IACnB,wEAAwE;IACxE,KAAK,EAAE,MAAM,CAAC;IACd,6CAA6C;IAC7C,GAAG,EAAE,MAAM,CAAC;CACb;AAED;;;;;GAKG;AACH,wBAAgB,WAAW,CAAC,IAAI,EAAE,MAAM,GAAG,YAAY,CAqBtD"}

package/dist/keygen.js

@@ -0,0 +1,38 @@
+/**
+ * Client-side Ed25519 key generation for `phosra init`.
+ *
+ * §12.3 clean: keys are generated LOCALLY in Node's crypto module and are NEVER
+ * transmitted to the census during init. The generated seed is printed ONCE to
+ * stdout/the env file; the partner must store it securely (it has the same threat
+ * model as any API secret key).
+ *
+ * The public X (base64url-raw) is safe to share and can be submitted to the OCSS
+ * governance process for accreditation.
+ */
+import { randomBytes, createPrivateKey, createPublicKey } from "node:crypto";
+import { senderKeyFromSeedB64url } from "./sender-key.js";
+/**
+ * Generate a fresh Ed25519 key pair for a partner integration.
+ *
+ * @param slug   Lowercase slug for the partner's DID (e.g. "acme-parental").
+ *               Must match did:ocss identifier rules (alphanumeric + - _ .).
+ */
+export function generateKey(slug) {
+    const seed = randomBytes(32);
+    const seedB64Url = seed.toString("base64url");
+    // Derive public X from seed via PKCS#8 → JWK round-trip (same as gatekeeper.ts).
+    const pkcs8 = Buffer.concat([
+        Buffer.from("302e020100300506032b657004220420", "hex"),
+        seed,
+    ]);
+    const priv = createPrivateKey({ key: pkcs8, format: "der", type: "pkcs8" });
+    const pubXB64Url = createPublicKey(priv).export({ format: "jwk" }).x;
+    const now = new Date();
+    const kidSuffix = `${now.getFullYear()}-${String(now.getMonth() + 1).padStart(2, "0")}`;
+    const did = `did:ocss:${slug}`;
+    const keyId = `${did}#${kidSuffix}`;
+    // Validate: round-trip through senderKeyFromSeedB64url to catch slug issues early.
+    senderKeyFromSeedB64url(seedB64Url, keyId);
+    return { seedB64Url, pubXB64Url, keyId, did };
+}
+//# sourceMappingURL=keygen.js.map

package/dist/keygen.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"keygen.js","sourceRoot":"","sources":["../src/keygen.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAEH,OAAO,EAAE,WAAW,EAAE,gBAAgB,EAAE,eAAe,EAAE,MAAM,aAAa,CAAC;AAC7E,OAAO,EAAE,uBAAuB,EAAE,MAAM,iBAAiB,CAAC;AAa1D;;;;;GAKG;AACH,MAAM,UAAU,WAAW,CAAC,IAAY;IACtC,MAAM,IAAI,GAAG,WAAW,CAAC,EAAE,CAAC,CAAC;IAC7B,MAAM,UAAU,GAAG,IAAI,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;IAE9C,iFAAiF;IACjF,MAAM,KAAK,GAAG,MAAM,CAAC,MAAM,CAAC;QAC1B,MAAM,CAAC,IAAI,CAAC,kCAAkC,EAAE,KAAK,CAAC;QACtD,IAAI;KACL,CAAC,CAAC;IACH,MAAM,IAAI,GAAO,gBAAgB,CAAC,EAAE,GAAG,EAAE,KAAK,EAAE,MAAM,EAAE,KAAK,EAAE,IAAI,EAAE,OAAO,EAAE,CAAC,CAAC;IAChF,MAAM,UAAU,GAAI,eAAe,CAAC,IAAI,CAAC,CAAC,MAAM,CAAC,EAAE,MAAM,EAAE,KAAK,EAAE,CAAmB,CAAC,CAAC,CAAC;IAExF,MAAM,GAAG,GAAK,IAAI,IAAI,EAAE,CAAC;IACzB,MAAM,SAAS,GAAG,GAAG,GAAG,CAAC,WAAW,EAAE,IAAI,MAAM,CAAC,GAAG,CAAC,QAAQ,EAAE,GAAG,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE,CAAC;IACxF,MAAM,GAAG,GAAK,YAAY,IAAI,EAAE,CAAC;IACjC,MAAM,KAAK,GAAG,GAAG,GAAG,IAAI,SAAS,EAAE,CAAC;IAEpC,mFAAmF;IACnF,uBAAuB,CAAC,UAAU,EAAE,KAAK,CAAC,CAAC;IAE3C,OAAO,EAAE,UAAU,EAAE,UAAU,EAAE,KAAK,EAAE,GAAG,EAAE,CAAC;AAChD,CAAC"}

package/dist/out.d.ts

@@ -0,0 +1,33 @@
+/**
+ * Output layer for @phosra/cli — no external colour dependencies.
+ *
+ * Every command has two modes:
+ *   human — ANSI-coloured, interactive-terminal-friendly
+ *   --json — stable machine-readable JSON to stdout (for CI/agents)
+ *
+ * Invariant: no ANSI ever lands in --json mode. No JSON ever lands in
+ * human mode (use printJson only in the --json branch of each command).
+ */
+export type CheckStatus = "pass" | "fail" | "warn" | "skip";
+export interface CheckResult {
+    /** Stable snake_case identifier — the --json key. */
+    name: string;
+    status: CheckStatus;
+    /** One-liner human message (optional). */
+    message?: string;
+    /** Actionable fix hint shown on fail/warn (human mode only). */
+    hint?: string;
+    /** Arbitrary structured data for --json mode. */
+    data?: unknown;
+}
+/** Print a single check line in human mode. No-op in --json mode. */
+export declare function printCheck(r: CheckResult, jsonMode: boolean): void;
+/** Emit a JSON payload to stdout. Used only in --json branches. */
+export declare function printJson(data: unknown): void;
+/** Section heading. No-op in --json mode. */
+export declare function heading(text: string, jsonMode: boolean): void;
+/** Trailing status summary line. No-op in --json mode. */
+export declare function summary(results: CheckResult[], jsonMode: boolean): void;
+/** Dim trailing note line. No-op in --json mode. */
+export declare function note(text: string, jsonMode: boolean): void;
+//# sourceMappingURL=out.d.ts.map

package/dist/out.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"out.d.ts","sourceRoot":"","sources":["../src/out.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAYH,MAAM,MAAM,WAAW,GAAG,MAAM,GAAG,MAAM,GAAG,MAAM,GAAG,MAAM,CAAC;AAE5D,MAAM,WAAW,WAAW;IAC1B,qDAAqD;IACrD,IAAI,EAAE,MAAM,CAAC;IACb,MAAM,EAAE,WAAW,CAAC;IACpB,0CAA0C;IAC1C,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,gEAAgE;IAChE,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,iDAAiD;IACjD,IAAI,CAAC,EAAE,OAAO,CAAC;CAChB;AAgBD,qEAAqE;AACrE,wBAAgB,UAAU,CAAC,CAAC,EAAE,WAAW,EAAE,QAAQ,EAAE,OAAO,GAAG,IAAI,CASlE;AAED,mEAAmE;AACnE,wBAAgB,SAAS,CAAC,IAAI,EAAE,OAAO,GAAG,IAAI,CAE7C;AAED,6CAA6C;AAC7C,wBAAgB,OAAO,CAAC,IAAI,EAAE,MAAM,EAAE,QAAQ,EAAE,OAAO,GAAG,IAAI,CAE7D;AAED,0DAA0D;AAC1D,wBAAgB,OAAO,CAAC,OAAO,EAAE,WAAW,EAAE,EAAE,QAAQ,EAAE,OAAO,GAAG,IAAI,CAgBvE;AAED,oDAAoD;AACpD,wBAAgB,IAAI,CAAC,IAAI,EAAE,MAAM,EAAE,QAAQ,EAAE,OAAO,GAAG,IAAI,CAE1D"}

package/dist/out.js

@@ -0,0 +1,76 @@
+/**
+ * Output layer for @phosra/cli — no external colour dependencies.
+ *
+ * Every command has two modes:
+ *   human — ANSI-coloured, interactive-terminal-friendly
+ *   --json — stable machine-readable JSON to stdout (for CI/agents)
+ *
+ * Invariant: no ANSI ever lands in --json mode. No JSON ever lands in
+ * human mode (use printJson only in the --json branch of each command).
+ */
+const IS_TTY = Boolean(process.stdout.isTTY);
+const C = {
+    green: (s) => IS_TTY ? `\x1b[32m${s}\x1b[0m` : s,
+    red: (s) => IS_TTY ? `\x1b[31m${s}\x1b[0m` : s,
+    yellow: (s) => IS_TTY ? `\x1b[33m${s}\x1b[0m` : s,
+    dim: (s) => IS_TTY ? `\x1b[2m${s}\x1b[0m` : s,
+    bold: (s) => IS_TTY ? `\x1b[1m${s}\x1b[0m` : s,
+};
+const ICON = {
+    pass: "✔",
+    fail: "✘",
+    warn: "⚠",
+    skip: "—",
+};
+const COLOUR = {
+    pass: C.green,
+    fail: C.red,
+    warn: C.yellow,
+    skip: C.dim,
+};
+/** Print a single check line in human mode. No-op in --json mode. */
+export function printCheck(r, jsonMode) {
+    if (jsonMode)
+        return;
+    const icon = COLOUR[r.status](ICON[r.status]);
+    const label = COLOUR[r.status](r.name.replace(/_/g, " "));
+    const msg = r.message ? C.dim("  " + r.message) : "";
+    console.log(`  ${icon}  ${label}${msg}`);
+    if ((r.status === "fail" || r.status === "warn") && r.hint) {
+        console.log(C.dim(`     hint: ${r.hint}`));
+    }
+}
+/** Emit a JSON payload to stdout. Used only in --json branches. */
+export function printJson(data) {
+    console.log(JSON.stringify(data, null, 2));
+}
+/** Section heading. No-op in --json mode. */
+export function heading(text, jsonMode) {
+    if (!jsonMode)
+        console.log(C.bold("\n  " + text + "\n"));
+}
+/** Trailing status summary line. No-op in --json mode. */
+export function summary(results, jsonMode) {
+    if (jsonMode)
+        return;
+    const failed = results.filter((r) => r.status === "fail").length;
+    const warned = results.filter((r) => r.status === "warn").length;
+    const passed = results.filter((r) => r.status === "pass").length;
+    if (failed > 0) {
+        console.log(`\n  ${C.red("●")} ${failed} check${failed > 1 ? "s" : ""} failed` +
+            (warned > 0 ? `, ${warned} warning${warned > 1 ? "s" : ""}` : "") +
+            "\n");
+    }
+    else if (warned > 0) {
+        console.log(`\n  ${C.yellow("●")} ${passed} passed, ${warned} warning${warned > 1 ? "s" : ""}\n`);
+    }
+    else {
+        console.log(`\n  ${C.green("●")} All ${passed} checks passed\n`);
+    }
+}
+/** Dim trailing note line. No-op in --json mode. */
+export function note(text, jsonMode) {
+    if (!jsonMode)
+        console.log(C.dim("  " + text + "\n"));
+}
+//# sourceMappingURL=out.js.map

package/dist/out.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"out.js","sourceRoot":"","sources":["../src/out.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAEH,MAAM,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;AAE7C,MAAM,CAAC,GAAG;IACR,KAAK,EAAG,CAAC,CAAS,EAAE,EAAE,CAAC,MAAM,CAAC,CAAC,CAAC,WAAW,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC;IACzD,GAAG,EAAK,CAAC,CAAS,EAAE,EAAE,CAAC,MAAM,CAAC,CAAC,CAAC,WAAW,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC;IACzD,MAAM,EAAE,CAAC,CAAS,EAAE,EAAE,CAAC,MAAM,CAAC,CAAC,CAAC,WAAW,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC;IACzD,GAAG,EAAK,CAAC,CAAS,EAAE,EAAE,CAAC,MAAM,CAAC,CAAC,CAAC,UAAU,CAAC,SAAS,CAAE,CAAC,CAAC,CAAC;IACzD,IAAI,EAAI,CAAC,CAAS,EAAE,EAAE,CAAC,MAAM,CAAC,CAAC,CAAC,UAAU,CAAC,SAAS,CAAE,CAAC,CAAC,CAAC;CAC1D,CAAC;AAgBF,MAAM,IAAI,GAAgC;IACxC,IAAI,EAAE,GAAG;IACT,IAAI,EAAE,GAAG;IACT,IAAI,EAAE,GAAG;IACT,IAAI,EAAE,GAAG;CACV,CAAC;AAEF,MAAM,MAAM,GAA+C;IACzD,IAAI,EAAE,CAAC,CAAC,KAAK;IACb,IAAI,EAAE,CAAC,CAAC,GAAG;IACX,IAAI,EAAE,CAAC,CAAC,MAAM;IACd,IAAI,EAAE,CAAC,CAAC,GAAG;CACZ,CAAC;AAEF,qEAAqE;AACrE,MAAM,UAAU,UAAU,CAAC,CAAc,EAAE,QAAiB;IAC1D,IAAI,QAAQ;QAAE,OAAO;IACrB,MAAM,IAAI,GAAI,MAAM,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC;IAC/C,MAAM,KAAK,GAAG,MAAM,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC,CAAC;IAC1D,MAAM,GAAG,GAAK,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,IAAI,GAAG,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;IACvD,OAAO,CAAC,GAAG,CAAC,KAAK,IAAI,KAAK,KAAK,GAAG,GAAG,EAAE,CAAC,CAAC;IACzC,IAAI,CAAC,CAAC,CAAC,MAAM,KAAK,MAAM,IAAI,CAAC,CAAC,MAAM,KAAK,MAAM,CAAC,IAAI,CAAC,CAAC,IAAI,EAAE,CAAC;QAC3D,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC,cAAc,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC;IAC7C,CAAC;AACH,CAAC;AAED,mEAAmE;AACnE,MAAM,UAAU,SAAS,CAAC,IAAa;IACrC,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,IAAI,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC;AAC7C,CAAC;AAED,6CAA6C;AAC7C,MAAM,UAAU,OAAO,CAAC,IAAY,EAAE,QAAiB;IACrD,IAAI,CAAC,QAAQ;QAAE,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC,MAAM,GAAG,IAAI,GAAG,IAAI,CAAC,CAAC,CAAC;AAC3D,CAAC;AAED,0DAA0D;AAC1D,MAAM,UAAU,OAAO,CAAC,OAAsB,EAAE,QAAiB;IAC/D,IAAI,QAAQ;QAAE,OAAO;IACrB,MAAM,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,MAAM,KAAK,MAAM,CAAC,CAAC,MAAM,CAAC;IACjE,MAAM,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,MAAM,KAAK,MAAM,CAAC,CAAC,MAAM,CAAC;IACjE,MAAM,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,MAAM,KAAK,MAAM,CAAC,CAAC,MAAM,CAAC;IACjE,IAAI,MAAM,GAAG,CAAC,EAAE,CAAC;QACf,OAAO,CAAC,GAAG,CACT,OAAO,CAAC,CAAC,GAAG,CAAC,GAAG,CAAC,IAAI,MAAM,SAAS,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,SAAS;YAChE,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,KAAK,MAAM,WAAW,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;YACjE,IAAI,CACP,CAAC;IACJ,CAAC;SAAM,IAAI,MAAM,GAAG,CAAC,EAAE,CAAC;QACtB,OAAO,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,IAAI,MAAM,YAAY,MAAM,WAAW,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,IAAI,CAAC,CAAC;IACpG,CAAC;SAAM,CAAC;QACN,OAAO,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,KAAK,CAAC,GAAG,CAAC,QAAQ,MAAM,kBAAkB,CAAC,CAAC;IACnE,CAAC;AACH,CAAC;AAED,oDAAoD;AACpD,MAAM,UAAU,IAAI,CAAC,IAAY,EAAE,QAAiB;IAClD,IAAI,CAAC,QAAQ;QAAE,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC,IAAI,GAAG,IAAI,GAAG,IAAI,CAAC,CAAC,CAAC;AACxD,CAAC"}

package/dist/round-trip.d.ts

@@ -0,0 +1,51 @@
+/**
+ * Zero-provisioning sandbox provider round-trip.
+ *
+ * Uses household-acme (pre-admitted, trustTier: "accredited" in the staging
+ * sandbox trust list, entry 16) to perform a full §8.3.2 + §8.3.1 write cycle:
+ *
+ *   1. Fetch + verify the staging trust list → extract router P-256 payload JWK
+ *   2. POST /api/v1/webhooks/inbound/app-store — ingest a consent_attestation
+ *      sealed to the router, signed by household-acme
+ *   3. POST /api/v1/policies/{SANDBOX_MIA_POLICY_ID}/rules — write addictive_pattern_block
+ *      citing the attestation's idem key as standing_ref
+ *
+ * Every idem key is suffixed with a monotonic timestamp (base36) so repeated
+ * doctor runs each succeed with 201 independently.
+ *
+ * SANDBOX ONLY — household-acme is a deterministic test key (slug bytes right-padded
+ * 0x01 to 32B; published in apps/sim-common/sandbox-seed.json). Never call this against
+ * a production census.
+ *
+ * §12.3 clean: the CLI DRIVES the census (probes it) but carries NO authority.
+ * It cannot mint grants, publish the trust list, or touch billing.
+ */
+import { type SenderKey } from "@openchildsafety/ocss";
+export interface RoundTripResult {
+    /** Number of active entries in the verified trust list. */
+    trustListEntries: number;
+    /** HTTP status of the consent_attestation ingest. */
+    consentStatus: number;
+    /** HTTP status of the rule write. */
+    ruleStatus: number;
+    /** True iff all three steps succeeded (trust list verified, consent 201/200, rule 201/200). */
+    ok: boolean;
+    /** Error message if any step failed (undefined on success). */
+    error?: string;
+}
+/**
+ * runProviderRoundTrip — the zero-provisioning doctor probe.
+ *
+ * @param senderKey  household-acme SenderKey built from HOUSEHOLD_ACME_SEED
+ * @param opts.fetchImpl  Injectable for unit tests (mock census)
+ * @param opts.now        Injectable clock — affects idem-key suffix + attestation timestamps
+ */
+export declare function runProviderRoundTrip(senderKey: SenderKey, opts: {
+    censusUrl: string;
+    trustRootX: string;
+    miaPolicyId: string;
+    miaChildId: string;
+    fetchImpl?: typeof fetch;
+    now?: () => number;
+}): Promise<RoundTripResult>;
+//# sourceMappingURL=round-trip.d.ts.map

package/dist/round-trip.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"round-trip.d.ts","sourceRoot":"","sources":["../src/round-trip.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;GAqBG;AAEH,OAAO,EAIL,KAAK,SAAS,EACf,MAAM,uBAAuB,CAAC;AAa/B,MAAM,WAAW,eAAe;IAC9B,2DAA2D;IAC3D,gBAAgB,EAAE,MAAM,CAAC;IACzB,qDAAqD;IACrD,aAAa,EAAE,MAAM,CAAC;IACtB,qCAAqC;IACrC,UAAU,EAAE,MAAM,CAAC;IACnB,+FAA+F;IAC/F,EAAE,EAAE,OAAO,CAAC;IACZ,+DAA+D;IAC/D,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB;AAED;;;;;;GAMG;AACH,wBAAsB,oBAAoB,CACxC,SAAS,EAAE,SAAS,EACpB,IAAI,EAAE;IACJ,SAAS,EAAE,MAAM,CAAC;IAClB,UAAU,EAAE,MAAM,CAAC;IACnB,WAAW,EAAE,MAAM,CAAC;IACpB,UAAU,EAAE,MAAM,CAAC;IACnB,SAAS,CAAC,EAAE,OAAO,KAAK,CAAC;IACzB,GAAG,CAAC,EAAE,MAAM,MAAM,CAAC;CACpB,GACA,OAAO,CAAC,eAAe,CAAC,CA+F1B"}

package/dist/round-trip.js

@@ -0,0 +1,115 @@
+/**
+ * Zero-provisioning sandbox provider round-trip.
+ *
+ * Uses household-acme (pre-admitted, trustTier: "accredited" in the staging
+ * sandbox trust list, entry 16) to perform a full §8.3.2 + §8.3.1 write cycle:
+ *
+ *   1. Fetch + verify the staging trust list → extract router P-256 payload JWK
+ *   2. POST /api/v1/webhooks/inbound/app-store — ingest a consent_attestation
+ *      sealed to the router, signed by household-acme
+ *   3. POST /api/v1/policies/{SANDBOX_MIA_POLICY_ID}/rules — write addictive_pattern_block
+ *      citing the attestation's idem key as standing_ref
+ *
+ * Every idem key is suffixed with a monotonic timestamp (base36) so repeated
+ * doctor runs each succeed with 201 independently.
+ *
+ * SANDBOX ONLY — household-acme is a deterministic test key (slug bytes right-padded
+ * 0x01 to 32B; published in apps/sim-common/sandbox-seed.json). Never call this against
+ * a production census.
+ *
+ * §12.3 clean: the CLI DRIVES the census (probes it) but carries NO authority.
+ * It cannot mint grants, publish the trust list, or touch billing.
+ */
+import { verifyDocument, fromVerifiedDocument, } from "@openchildsafety/ocss";
+import { CensusTransport } from "./transport.js";
+import { buildConsentAttestation } from "./envelope.js";
+import { HOUSEHOLD_ACME_KEY_ID, ROUTER_DID, ROUNDTRIP_APP_DID, ROUNDTRIP_RULE_CATEGORY, } from "./config.js";
+// The household-acme DID (prefix of HOUSEHOLD_ACME_KEY_ID before '#').
+const HOUSEHOLD_ACME_DID = HOUSEHOLD_ACME_KEY_ID.split("#")[0];
+/**
+ * runProviderRoundTrip — the zero-provisioning doctor probe.
+ *
+ * @param senderKey  household-acme SenderKey built from HOUSEHOLD_ACME_SEED
+ * @param opts.fetchImpl  Injectable for unit tests (mock census)
+ * @param opts.now        Injectable clock — affects idem-key suffix + attestation timestamps
+ */
+export async function runProviderRoundTrip(senderKey, opts) {
+    const fetchImpl = opts.fetchImpl ?? fetch;
+    const now = opts.now ?? (() => Date.now());
+    const censusUrl = opts.censusUrl;
+    // ── Step 1: fetch + verify trust list ──────────────────────────────────────
+    let tlRes;
+    try {
+        tlRes = await fetchImpl(`${censusUrl}/.well-known/ocss/trust-list`);
+    }
+    catch (e) {
+        return { trustListEntries: 0, consentStatus: 0, ruleStatus: 0, ok: false, error: `trust-list network error: ${String(e)}` };
+    }
+    if (!tlRes.ok) {
+        return { trustListEntries: 0, consentStatus: 0, ruleStatus: 0, ok: false, error: `trust-list HTTP ${tlRes.status}` };
+    }
+    let doc;
+    try {
+        const signed = (await tlRes.json());
+        doc = verifyDocument(signed, opts.trustRootX);
+    }
+    catch (e) {
+        return { trustListEntries: 0, consentStatus: 0, ruleStatus: 0, ok: false, error: `trust-list verify failed: ${String(e)}` };
+    }
+    const resolver = fromVerifiedDocument(doc, now);
+    const trustListEntries = doc.entries?.length ?? 0;
+    let routerJwk;
+    try {
+        routerJwk = resolver.payloadKey(ROUTER_DID);
+    }
+    catch (e) {
+        return { trustListEntries, consentStatus: 0, ruleStatus: 0, ok: false, error: `router payload key not found: ${String(e)}` };
+    }
+    // ── Step 2: ingest consent_attestation ─────────────────────────────────────
+    // Timestamp-suffixed idem key → each doctor run generates a fresh pair that
+    // both succeed with 201 (no 409 ErrPayloadMismatch from attested_at drift).
+    const idemSuffix = now().toString(36);
+    const consentIdemKey = `cli-doctor-rt-${idemSuffix}`;
+    const consentPayload = {
+        app_ref: ROUNDTRIP_APP_DID,
+        target: `child:${opts.miaChildId}`,
+        band: "13_15",
+        consent_scope: "collection_parental_authority",
+        consent_method: `parental_consent_link:cli-quickstart-${idemSuffix}`,
+        attested_at: new Date(now()).toISOString().replace(/\.\d{3}Z$/, "Z"),
+        expiry: "2030-01-01T00:00:00Z",
+        idempotency_key: consentIdemKey,
+    };
+    const transport = new CensusTransport({ baseUrl: censusUrl, senderKey, fetchImpl, now });
+    let consentEnvelope;
+    try {
+        consentEnvelope = await buildConsentAttestation(consentPayload, senderKey, routerJwk, censusUrl, ROUTER_DID);
+    }
+    catch (e) {
+        return { trustListEntries, consentStatus: 0, ruleStatus: 0, ok: false, error: `consent envelope build failed: ${String(e)}` };
+    }
+    const consentRes = await transport.post("/api/v1/webhooks/inbound/app-store", consentEnvelope);
+    const consentStatus = consentRes.status;
+    if (consentStatus !== 201 && consentStatus !== 200) {
+        const body = await consentRes.text().catch(() => "");
+        return { trustListEntries, consentStatus, ruleStatus: 0, ok: false, error: `consent ingest ${consentStatus}: ${body}` };
+    }
+    // ── Step 3: write rule citing the consent attestation ──────────────────────
+    // writer_ref must equal the signing DID (RFC-9421 caller.DID == writer_ref).
+    // household-acme is accredited for addictive_pattern_block (sandbox-seed.json).
+    const ruleIdemKey = `cli-rule-rt-${idemSuffix}`;
+    const ruleBody = {
+        rule_category: ROUNDTRIP_RULE_CATEGORY,
+        decision: "block",
+        target: { child_ref: `child:${opts.miaChildId}` },
+        standing_ref: `consent:attestation:${consentIdemKey}`,
+        idempotency_key: ruleIdemKey,
+        writer_ref: HOUSEHOLD_ACME_DID,
+    };
+    const ruleRes = await transport.post(`/api/v1/policies/${opts.miaPolicyId}/rules`, ruleBody);
+    const ruleStatus = ruleRes.status;
+    const ok = (consentStatus === 201 || consentStatus === 200) &&
+        (ruleStatus === 201 || ruleStatus === 200);
+    return { trustListEntries, consentStatus, ruleStatus, ok };
+}
+//# sourceMappingURL=round-trip.js.map

package/dist/round-trip.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"round-trip.js","sourceRoot":"","sources":["../src/round-trip.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;GAqBG;AAEH,OAAO,EACL,cAAc,EACd,oBAAoB,GAGrB,MAAM,uBAAuB,CAAC;AAC/B,OAAO,EAAE,eAAe,EAAE,MAAM,gBAAgB,CAAC;AACjD,OAAO,EAAE,uBAAuB,EAAE,MAAM,eAAe,CAAC;AACxD,OAAO,EACL,qBAAqB,EACrB,UAAU,EACV,iBAAiB,EACjB,uBAAuB,GACxB,MAAM,aAAa,CAAC;AAErB,uEAAuE;AACvE,MAAM,kBAAkB,GAAG,qBAAqB,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAE,CAAC;AAehE;;;;;;GAMG;AACH,MAAM,CAAC,KAAK,UAAU,oBAAoB,CACxC,SAAoB,EACpB,IAOC;IAED,MAAM,SAAS,GAAG,IAAI,CAAC,SAAS,IAAI,KAAK,CAAC;IAC1C,MAAM,GAAG,GAAS,IAAI,CAAC,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC,IAAI,CAAC,GAAG,EAAE,CAAC,CAAC;IACjD,MAAM,SAAS,GAAG,IAAI,CAAC,SAAS,CAAC;IAEjC,8EAA8E;IAC9E,IAAI,KAAe,CAAC;IACpB,IAAI,CAAC;QACH,KAAK,GAAG,MAAM,SAAS,CAAC,GAAG,SAAS,8BAA8B,CAAC,CAAC;IACtE,CAAC;IAAC,OAAO,CAAC,EAAE,CAAC;QACX,OAAO,EAAE,gBAAgB,EAAE,CAAC,EAAE,aAAa,EAAE,CAAC,EAAE,UAAU,EAAE,CAAC,EAAE,EAAE,EAAE,KAAK,EAAE,KAAK,EAAE,6BAA6B,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC;IAC9H,CAAC;IAED,IAAI,CAAC,KAAK,CAAC,EAAE,EAAE,CAAC;QACd,OAAO,EAAE,gBAAgB,EAAE,CAAC,EAAE,aAAa,EAAE,CAAC,EAAE,UAAU,EAAE,CAAC,EAAE,EAAE,EAAE,KAAK,EAAE,KAAK,EAAE,mBAAmB,KAAK,CAAC,MAAM,EAAE,EAAE,CAAC;IACvH,CAAC;IAED,IAAI,GAAG,CAAC;IACR,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,CAAC,MAAM,KAAK,CAAC,IAAI,EAAE,CAAmB,CAAC;QACtD,GAAG,GAAG,cAAc,CAAC,MAAM,EAAE,IAAI,CAAC,UAAU,CAAC,CAAC;IAChD,CAAC;IAAC,OAAO,CAAC,EAAE,CAAC;QACX,OAAO,EAAE,gBAAgB,EAAE,CAAC,EAAE,aAAa,EAAE,CAAC,EAAE,UAAU,EAAE,CAAC,EAAE,EAAE,EAAE,KAAK,EAAE,KAAK,EAAE,6BAA6B,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC;IAC9H,CAAC;IAED,MAAM,QAAQ,GAAW,oBAAoB,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC;IACxD,MAAM,gBAAgB,GAAG,GAAG,CAAC,OAAO,EAAE,MAAM,IAAI,CAAC,CAAC;IAElD,IAAI,SAAS,CAAC;IACd,IAAI,CAAC;QACH,SAAS,GAAG,QAAQ,CAAC,UAAU,CAAC,UAAU,CAAC,CAAC;IAC9C,CAAC;IAAC,OAAO,CAAC,EAAE,CAAC;QACX,OAAO,EAAE,gBAAgB,EAAE,aAAa,EAAE,CAAC,EAAE,UAAU,EAAE,CAAC,EAAE,EAAE,EAAE,KAAK,EAAE,KAAK,EAAE,iCAAiC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC;IAC/H,CAAC;IAED,8EAA8E;IAC9E,4EAA4E;IAC5E,4EAA4E;IAC5E,MAAM,UAAU,GAAM,GAAG,EAAE,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC;IACzC,MAAM,cAAc,GAAG,iBAAiB,UAAU,EAAE,CAAC;IAErD,MAAM,cAAc,GAAG;QACrB,OAAO,EAAU,iBAAiB;QAClC,MAAM,EAAW,SAAS,IAAI,CAAC,UAAU,EAAE;QAC3C,IAAI,EAAa,OAAgB;QACjC,aAAa,EAAI,+BAA+B;QAChD,cAAc,EAAG,wCAAwC,UAAU,EAAE;QACrE,WAAW,EAAM,IAAI,IAAI,CAAC,GAAG,EAAE,CAAC,CAAC,WAAW,EAAE,CAAC,OAAO,CAAC,WAAW,EAAE,GAAG,CAAC;QACxE,MAAM,EAAW,sBAAsB;QACvC,eAAe,EAAE,cAAc;KAChC,CAAC;IAEF,MAAM,SAAS,GAAG,IAAI,eAAe,CAAC,EAAE,OAAO,EAAE,SAAS,EAAE,SAAS,EAAE,SAAS,EAAE,GAAG,EAAE,CAAC,CAAC;IAEzF,IAAI,eAAe,CAAC;IACpB,IAAI,CAAC;QACH,eAAe,GAAG,MAAM,uBAAuB,CAC7C,cAAc,EACd,SAAS,EACT,SAAS,EACT,SAAS,EACT,UAAU,CACX,CAAC;IACJ,CAAC;IAAC,OAAO,CAAC,EAAE,CAAC;QACX,OAAO,EAAE,gBAAgB,EAAE,aAAa,EAAE,CAAC,EAAE,UAAU,EAAE,CAAC,EAAE,EAAE,EAAE,KAAK,EAAE,KAAK,EAAE,kCAAkC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC;IAChI,CAAC;IAED,MAAM,UAAU,GAAM,MAAM,SAAS,CAAC,IAAI,CAAC,oCAAoC,EAAE,eAAe,CAAC,CAAC;IAClG,MAAM,aAAa,GAAG,UAAU,CAAC,MAAM,CAAC;IAExC,IAAI,aAAa,KAAK,GAAG,IAAI,aAAa,KAAK,GAAG,EAAE,CAAC;QACnD,MAAM,IAAI,GAAG,MAAM,UAAU,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,EAAE,CAAC,CAAC;QACrD,OAAO,EAAE,gBAAgB,EAAE,aAAa,EAAE,UAAU,EAAE,CAAC,EAAE,EAAE,EAAE,KAAK,EAAE,KAAK,EAAE,kBAAkB,aAAa,KAAK,IAAI,EAAE,EAAE,CAAC;IAC1H,CAAC;IAED,8EAA8E;IAC9E,6EAA6E;IAC7E,gFAAgF;IAChF,MAAM,WAAW,GAAG,eAAe,UAAU,EAAE,CAAC;IAChD,MAAM,QAAQ,GAAG;QACf,aAAa,EAAI,uBAAuB;QACxC,QAAQ,EAAS,OAAO;QACxB,MAAM,EAAW,EAAE,SAAS,EAAE,SAAS,IAAI,CAAC,UAAU,EAAE,EAAE;QAC1D,YAAY,EAAK,uBAAuB,cAAc,EAAE;QACxD,eAAe,EAAE,WAAW;QAC5B,UAAU,EAAO,kBAAkB;KACpC,CAAC;IAEF,MAAM,OAAO,GAAM,MAAM,SAAS,CAAC,IAAI,CAAC,oBAAoB,IAAI,CAAC,WAAW,QAAQ,EAAE,QAAQ,CAAC,CAAC;IAChG,MAAM,UAAU,GAAG,OAAO,CAAC,MAAM,CAAC;IAElC,MAAM,EAAE,GAAG,CAAC,aAAa,KAAK,GAAG,IAAI,aAAa,KAAK,GAAG,CAAC;QAChD,CAAC,UAAU,KAAK,GAAG,IAAI,UAAU,KAAK,GAAG,CAAC,CAAC;IAEtD,OAAO,EAAE,gBAAgB,EAAE,aAAa,EAAE,UAAU,EAAE,EAAE,EAAE,CAAC;AAC7D,CAAC"}

package/dist/sender-key.d.ts

@@ -0,0 +1,26 @@
+/**
+ * SenderKey construction helpers for @phosra/cli.
+ *
+ * SenderKey = { seed: Uint8Array (32 bytes), keyID: string }
+ * Built from a base64url-encoded seed (config / .phosra.env), then passed
+ * to signRequest() (RFC-9421 census signing, @openchildsafety/ocss).
+ *
+ * §12.3 invariant: seed material is NEVER logged or placed in --json output.
+ * The keyID (DID fragment) is public; the seed bytes are not.
+ */
+import { type SenderKey } from "@openchildsafety/ocss";
+/**
+ * Build a SenderKey from a base64url-encoded 32-byte Ed25519 seed.
+ *
+ * @param seedB64url  Base64url-encoded 32-byte seed (padding optional).
+ * @param keyID       "did:ocss:<slug>#<kid>" — must match the trust-list entry.
+ * @throws if the decoded seed is not exactly 32 bytes.
+ */
+export declare function senderKeyFromSeedB64url(seedB64url: string, keyID: string): SenderKey;
+/**
+ * Derive the base64url-raw Ed25519 public key X from a SenderKey's seed.
+ * Used by the doctor key-material check to verify the seed's public half
+ * appears in the resolved trust-list entry for the keyID's DID.
+ */
+export declare function publicXFromSenderKey(key: SenderKey): string;
+//# sourceMappingURL=sender-key.d.ts.map

package/dist/sender-key.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"sender-key.d.ts","sourceRoot":"","sources":["../src/sender-key.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAEH,OAAO,EAAoC,KAAK,SAAS,EAAE,MAAM,uBAAuB,CAAC;AAEzF;;;;;;GAMG;AACH,wBAAgB,uBAAuB,CACrC,UAAU,EAAE,MAAM,EAClB,KAAK,EAAE,MAAM,GACZ,SAAS,CAQX;AAED;;;;GAIG;AACH,wBAAgB,oBAAoB,CAAC,GAAG,EAAE,SAAS,GAAG,MAAM,CAG3D"}

package/dist/sender-key.js

@@ -0,0 +1,35 @@
+/**
+ * SenderKey construction helpers for @phosra/cli.
+ *
+ * SenderKey = { seed: Uint8Array (32 bytes), keyID: string }
+ * Built from a base64url-encoded seed (config / .phosra.env), then passed
+ * to signRequest() (RFC-9421 census signing, @openchildsafety/ocss).
+ *
+ * §12.3 invariant: seed material is NEVER logged or placed in --json output.
+ * The keyID (DID fragment) is public; the seed bytes are not.
+ */
+import { ed25519PublicFromSeed, b64urlRaw } from "@openchildsafety/ocss";
+/**
+ * Build a SenderKey from a base64url-encoded 32-byte Ed25519 seed.
+ *
+ * @param seedB64url  Base64url-encoded 32-byte seed (padding optional).
+ * @param keyID       "did:ocss:<slug>#<kid>" — must match the trust-list entry.
+ * @throws if the decoded seed is not exactly 32 bytes.
+ */
+export function senderKeyFromSeedB64url(seedB64url, keyID) {
+    const raw = Buffer.from(seedB64url, "base64url");
+    if (raw.length !== 32) {
+        throw new Error(`senderKey: seed "${keyID}" must decode to 32 bytes, got ${raw.length}`);
+    }
+    return { seed: new Uint8Array(raw), keyID };
+}
+/**
+ * Derive the base64url-raw Ed25519 public key X from a SenderKey's seed.
+ * Used by the doctor key-material check to verify the seed's public half
+ * appears in the resolved trust-list entry for the keyID's DID.
+ */
+export function publicXFromSenderKey(key) {
+    const pubBytes = ed25519PublicFromSeed(key.seed);
+    return b64urlRaw(pubBytes);
+}
+//# sourceMappingURL=sender-key.js.map

package/dist/sender-key.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"sender-key.js","sourceRoot":"","sources":["../src/sender-key.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAEH,OAAO,EAAE,qBAAqB,EAAE,SAAS,EAAkB,MAAM,uBAAuB,CAAC;AAEzF;;;;;;GAMG;AACH,MAAM,UAAU,uBAAuB,CACrC,UAAkB,EAClB,KAAa;IAEb,MAAM,GAAG,GAAG,MAAM,CAAC,IAAI,CAAC,UAAU,EAAE,WAAW,CAAC,CAAC;IACjD,IAAI,GAAG,CAAC,MAAM,KAAK,EAAE,EAAE,CAAC;QACtB,MAAM,IAAI,KAAK,CACb,oBAAoB,KAAK,kCAAkC,GAAG,CAAC,MAAM,EAAE,CACxE,CAAC;IACJ,CAAC;IACD,OAAO,EAAE,IAAI,EAAE,IAAI,UAAU,CAAC,GAAG,CAAC,EAAE,KAAK,EAAE,CAAC;AAC9C,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,oBAAoB,CAAC,GAAc;IACjD,MAAM,QAAQ,GAAG,qBAAqB,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;IACjD,OAAO,SAAS,CAAC,QAAQ,CAAC,CAAC;AAC7B,CAAC"}

package/dist/transport.d.ts

@@ -0,0 +1,30 @@
+/**
+ * Minimal RFC-9421 census transport — no pg dependency.
+ *
+ * Mirrors @phosra/link's OcssHttpClient but is a standalone copy so @phosra/cli
+ * carries NO database dependency whatsoever. The CLI is a thin read/verify/probe
+ * tool; it never writes grants to a database.
+ *
+ * §12.3 clean: the transport DRIVES the census (verifies, writes demo round-trips
+ * against the pre-seeded sandbox) but carries NO billing authority and never mints
+ * grants, publishes the trust list, or touches a production census.
+ */
+import { type SenderKey } from "@openchildsafety/ocss";
+export interface TransportOpts {
+    baseUrl: string;
+    senderKey: SenderKey;
+    fetchImpl?: typeof fetch;
+    now?: () => number;
+}
+export declare class CensusTransport {
+    private baseUrl;
+    private senderKey;
+    private fetchImpl;
+    private now;
+    constructor(opts: TransportOpts);
+    post(path: string, body: unknown): Promise<Response>;
+    get(path: string): Promise<Response>;
+    /** Unsigned GET — for well-known docs and /health (no RFC-9421 required). */
+    getPublic(path: string): Promise<Response>;
+}
+//# sourceMappingURL=transport.d.ts.map

package/dist/transport.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"transport.d.ts","sourceRoot":"","sources":["../src/transport.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAEH,OAAO,EAA6B,KAAK,SAAS,EAAE,MAAM,uBAAuB,CAAC;AAElF,MAAM,WAAW,aAAa;IAC5B,OAAO,EAAE,MAAM,CAAC;IAChB,SAAS,EAAE,SAAS,CAAC;IACrB,SAAS,CAAC,EAAE,OAAO,KAAK,CAAC;IACzB,GAAG,CAAC,EAAE,MAAM,MAAM,CAAC;CACpB;AAED,qBAAa,eAAe;IAC1B,OAAO,CAAC,OAAO,CAAS;IACxB,OAAO,CAAC,SAAS,CAAY;IAC7B,OAAO,CAAC,SAAS,CAAe;IAChC,OAAO,CAAC,GAAG,CAAe;gBAEd,IAAI,EAAE,aAAa;IAOzB,IAAI,CAAC,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,OAAO,GAAG,OAAO,CAAC,QAAQ,CAAC;IAgBpD,GAAG,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,QAAQ,CAAC;IAY1C,6EAA6E;IACvE,SAAS,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,QAAQ,CAAC;CAUjD"}

package/dist/transport.js

@@ -0,0 +1,62 @@
+/**
+ * Minimal RFC-9421 census transport — no pg dependency.
+ *
+ * Mirrors @phosra/link's OcssHttpClient but is a standalone copy so @phosra/cli
+ * carries NO database dependency whatsoever. The CLI is a thin read/verify/probe
+ * tool; it never writes grants to a database.
+ *
+ * §12.3 clean: the transport DRIVES the census (verifies, writes demo round-trips
+ * against the pre-seeded sandbox) but carries NO billing authority and never mints
+ * grants, publishes the trust list, or touches a production census.
+ */
+import { signRequest, SPEC_VERSION } from "@openchildsafety/ocss";
+export class CensusTransport {
+    baseUrl;
+    senderKey;
+    fetchImpl;
+    now;
+    constructor(opts) {
+        this.baseUrl = opts.baseUrl;
+        this.senderKey = opts.senderKey;
+        this.fetchImpl = opts.fetchImpl ?? fetch;
+        this.now = opts.now ?? (() => Date.now());
+    }
+    async post(path, body) {
+        const targetURI = this.baseUrl + path;
+        const bodyText = JSON.stringify(body);
+        const bodyBytes = new TextEncoder().encode(bodyText);
+        const headers = signRequest({
+            method: "POST",
+            targetURI,
+            body: bodyBytes,
+            keyID: this.senderKey.keyID,
+            seed: this.senderKey.seed,
+            created: Math.floor(this.now() / 1000),
+        });
+        headers["Content-Type"] = "application/json";
+        return this.fetchImpl(targetURI, { method: "POST", headers, body: bodyText });
+    }
+    async get(path) {
+        const targetURI = this.baseUrl + path;
+        const headers = signRequest({
+            method: "GET",
+            targetURI,
+            keyID: this.senderKey.keyID,
+            seed: this.senderKey.seed,
+            created: Math.floor(this.now() / 1000),
+        });
+        return this.fetchImpl(targetURI, { method: "GET", headers });
+    }
+    /** Unsigned GET — for well-known docs and /health (no RFC-9421 required). */
+    async getPublic(path) {
+        const targetURI = this.baseUrl + path;
+        return this.fetchImpl(targetURI, {
+            method: "GET",
+            headers: {
+                "Accept": "application/json",
+                "OCSS-Spec-Version": SPEC_VERSION,
+            },
+        });
+    }
+}
+//# sourceMappingURL=transport.js.map

package/dist/transport.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"transport.js","sourceRoot":"","sources":["../src/transport.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAEH,OAAO,EAAE,WAAW,EAAE,YAAY,EAAkB,MAAM,uBAAuB,CAAC;AASlF,MAAM,OAAO,eAAe;IAClB,OAAO,CAAS;IAChB,SAAS,CAAY;IACrB,SAAS,CAAe;IACxB,GAAG,CAAe;IAE1B,YAAY,IAAmB;QAC7B,IAAI,CAAC,OAAO,GAAK,IAAI,CAAC,OAAO,CAAC;QAC9B,IAAI,CAAC,SAAS,GAAG,IAAI,CAAC,SAAS,CAAC;QAChC,IAAI,CAAC,SAAS,GAAG,IAAI,CAAC,SAAS,IAAI,KAAK,CAAC;QACzC,IAAI,CAAC,GAAG,GAAS,IAAI,CAAC,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC,IAAI,CAAC,GAAG,EAAE,CAAC,CAAC;IAClD,CAAC;IAED,KAAK,CAAC,IAAI,CAAC,IAAY,EAAE,IAAa;QACpC,MAAM,SAAS,GAAG,IAAI,CAAC,OAAO,GAAG,IAAI,CAAC;QACtC,MAAM,QAAQ,GAAI,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC;QACvC,MAAM,SAAS,GAAG,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;QACrD,MAAM,OAAO,GAAK,WAAW,CAAC;YAC5B,MAAM,EAAE,MAAM;YACd,SAAS;YACT,IAAI,EAAE,SAAS;YACf,KAAK,EAAI,IAAI,CAAC,SAAS,CAAC,KAAK;YAC7B,IAAI,EAAK,IAAI,CAAC,SAAS,CAAC,IAAI;YAC5B,OAAO,EAAE,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC;SACvC,CAAC,CAAC;QACH,OAAO,CAAC,cAAc,CAAC,GAAG,kBAAkB,CAAC;QAC7C,OAAO,IAAI,CAAC,SAAS,CAAC,SAAS,EAAE,EAAE,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,IAAI,EAAE,QAAQ,EAAE,CAAC,CAAC;IAChF,CAAC;IAED,KAAK,CAAC,GAAG,CAAC,IAAY;QACpB,MAAM,SAAS,GAAG,IAAI,CAAC,OAAO,GAAG,IAAI,CAAC;QACtC,MAAM,OAAO,GAAK,WAAW,CAAC;YAC5B,MAAM,EAAE,KAAK;YACb,SAAS;YACT,KAAK,EAAI,IAAI,CAAC,SAAS,CAAC,KAAK;YAC7B,IAAI,EAAK,IAAI,CAAC,SAAS,CAAC,IAAI;YAC5B,OAAO,EAAE,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC;SACvC,CAAC,CAAC;QACH,OAAO,IAAI,CAAC,SAAS,CAAC,SAAS,EAAE,EAAE,MAAM,EAAE,KAAK,EAAE,OAAO,EAAE,CAAC,CAAC;IAC/D,CAAC;IAED,6EAA6E;IAC7E,KAAK,CAAC,SAAS,CAAC,IAAY;QAC1B,MAAM,SAAS,GAAG,IAAI,CAAC,OAAO,GAAG,IAAI,CAAC;QACtC,OAAO,IAAI,CAAC,SAAS,CAAC,SAAS,EAAE;YAC/B,MAAM,EAAE,KAAK;YACb,OAAO,EAAE;gBACP,QAAQ,EAAE,kBAAkB;gBAC5B,mBAAmB,EAAE,YAAY;aAClC;SACF,CAAC,CAAC;IACL,CAAC;CACF"}