@phosra/gatekeeper 0.1.0

package/README.md

@@ -0,0 +1,83 @@
+# @phosra/gatekeeper
+
+Platform-side SDK for the OCSS (Open Child Safety Specification). Verifies signed
+enforcement profiles, runs the local decision engine, sends §8.3.8 confirmation
+receipts, and reports parent-side rating changes back to the Phosra census.
+
+## Quickstart
+
+```ts
+import { createGatekeeper } from "@phosra/gatekeeper"
+import type { GatekeeperConfig, ReportParentChangeArgs } from "@phosra/gatekeeper"
+
+// 1. Construct the gatekeeper with your platform's signing key + census URL.
+const config: GatekeeperConfig = {
+  platformDid: "did:ocss:your-platform",
+  platformKeyId: "your-platform#key-2026",
+  gatekeeperSigningKey: { seed: new Uint8Array(32) /* real Ed25519 seed */, keyID: "did:ocss:your-platform#key-2026" },
+  censusBaseUrl: "https://api.sandbox.phosra.com",
+  trustRootXB64Url: process.env.OCSS_TRUST_ROOT_X!,
+  endpointId: "endpoint-mia-01",   // the §9.3(b) bound resolver label
+  ratingMappings: [
+    { ocssCategory: "content_rating", myField: "maturity", vocabulary: "mpaa" },
+  ],
+}
+
+const gk = createGatekeeper(config)
+
+// 2. Decide whether to allow a piece of content.
+const verdict = gk.check("content_rating", { nativeValue: "PG-13" })
+if (verdict.decision === "block") {
+  // block the content
+}
+
+// 3. Confirm enforcement outcome (§8.3.8 receipt).
+await verdict.confirm("applied")
+
+// 4. Report a parent-side rating change.
+const args: ReportParentChangeArgs = {
+  ocssCategory: "content_rating",
+  nativeValue: "G",
+  changeScope: "family_wide",
+}
+const result = await gk.reportParentChange(args)
+
+// 5. Clean up timers when done.
+gk.destroy()
+```
+
+## Error classes
+
+```ts
+import { RuleRefRequired, NoRatingMappingError, UnmappedRatingValueError } from "@phosra/gatekeeper"
+
+try {
+  await gk.reportParentChange({ ocssCategory: "unknown_cat", nativeValue: "PG", changeScope: "platform_local" })
+} catch (e) {
+  if (e instanceof NoRatingMappingError) { /* no mapping declared */ }
+  if (e instanceof UnmappedRatingValueError) { /* nativeValue not in crosswalk */ }
+}
+```
+
+## Pricing & keys
+
+This SDK is **free and open** (MIT). It performs all signing/verification **locally** and calls
+the hosted Phosra census over RFC 9421. Metered census usage requires a **Phosra API key** —
+**billing is enforced server-side**, never in this package. Provision a key with `@phosra/api`
+(the control-plane SDK), then use it here.
+
+## The `/protocol` subpath
+
+```ts
+import { verifyDocument, verifyReceipt } from "@phosra/gatekeeper/protocol"
+```
+
+`@phosra/gatekeeper/protocol` is a verbatim re-export of `@openchildsafety/ocss` — identical object
+identities. It lets you verify signed documents and receipts without a separate `@openchildsafety/ocss`
+install when you already depend on this package.
+
+## Stability
+
+This package is `0.1.0` — live-proven but still co-evolving with the OCSS spec. Under `0.x`
+semver, minor bumps (`0.1 → 0.2`) may include breaking changes with a one-minor deprecation
+window. Exports marked `@experimental` are excluded from that window.

package/dist/capabilities-cache.d.ts

@@ -0,0 +1,25 @@
+import { type CapabilitiesDocument } from "@openchildsafety/ocss";
+/**
+ * CapabilitiesCache fetches /.well-known/ocss/capabilities, verifies it to the OCSS ROOT
+ * (verifyCapabilitiesDocument — the capabilities_v1 twin of the trust-list root path), and
+ * admits it ONLY if fresh: not_after > now AND serial > the last admitted serial (anti-rollback).
+ * On any rejection the prior admitted doc (if still unexpired) is RETAINED; if none, doc() is
+ * undefined and the gatekeeper coercion defaults every unknown verb to block (fail-closed).
+ */
+export declare class CapabilitiesCache {
+    private opts;
+    private current?;
+    private lastSerial;
+    constructor(opts: {
+        fetchImpl: typeof fetch;
+        baseUrl: string;
+        trustRootXB64Url: string;
+        now: () => number;
+    });
+    refresh(): Promise<void>;
+    ensure(): Promise<void>;
+    /** The admitted-and-unexpired caps doc, or undefined (→ coercion defaults to block). */
+    doc(): CapabilitiesDocument | undefined;
+    private expireIfStale;
+}
+//# sourceMappingURL=capabilities-cache.d.ts.map

package/dist/capabilities-cache.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"capabilities-cache.d.ts","sourceRoot":"","sources":["../src/capabilities-cache.ts"],"names":[],"mappings":"AAAA,OAAO,EAAmD,KAAK,oBAAoB,EAAE,MAAM,uBAAuB,CAAC;AAEnH;;;;;;GAMG;AACH,qBAAa,iBAAiB;IAI1B,OAAO,CAAC,IAAI;IAHd,OAAO,CAAC,OAAO,CAAC,CAAuB;IACvC,OAAO,CAAC,UAAU,CAAM;gBAEd,IAAI,EAAE;QAAE,SAAS,EAAE,OAAO,KAAK,CAAC;QAAC,OAAO,EAAE,MAAM,CAAC;QAAC,gBAAgB,EAAE,MAAM,CAAC;QAAC,GAAG,EAAE,MAAM,MAAM,CAAA;KAAE;IAGnG,OAAO,IAAI,OAAO,CAAC,IAAI,CAAC;IAYxB,MAAM,IAAI,OAAO,CAAC,IAAI,CAAC;IAE7B,wFAAwF;IACxF,GAAG,IAAI,oBAAoB,GAAG,SAAS;IAEvC,OAAO,CAAC,aAAa;CAGtB"}

package/dist/capabilities-cache.js

@@ -0,0 +1,45 @@
+import { verifyCapabilitiesDocument } from "@openchildsafety/ocss";
+/**
+ * CapabilitiesCache fetches /.well-known/ocss/capabilities, verifies it to the OCSS ROOT
+ * (verifyCapabilitiesDocument — the capabilities_v1 twin of the trust-list root path), and
+ * admits it ONLY if fresh: not_after > now AND serial > the last admitted serial (anti-rollback).
+ * On any rejection the prior admitted doc (if still unexpired) is RETAINED; if none, doc() is
+ * undefined and the gatekeeper coercion defaults every unknown verb to block (fail-closed).
+ */
+export class CapabilitiesCache {
+    opts;
+    current;
+    lastSerial = -1;
+    constructor(opts) {
+        this.opts = opts;
+    }
+    async refresh() {
+        const res = await this.opts.fetchImpl(this.opts.baseUrl + "/.well-known/ocss/capabilities", { method: "GET" });
+        if (!res.ok) {
+            this.expireIfStale();
+            return;
+        } // transient/404 → keep prior-if-fresh, else none
+        const signed = (await res.json());
+        const doc = verifyCapabilitiesDocument(signed, this.opts.trustRootXB64Url); // throws on bad sig / wrong type
+        const naMs = Date.parse(doc.not_after);
+        if (!Number.isFinite(naMs) || naMs < this.opts.now()) {
+            this.expireIfStale();
+            return;
+        } // expired → reject
+        if (doc.serial <= this.lastSerial) {
+            this.expireIfStale();
+            return;
+        } // rollback → reject
+        this.current = doc;
+        this.lastSerial = doc.serial;
+    }
+    async ensure() { if (!this.current)
+        await this.refresh(); }
+    /** The admitted-and-unexpired caps doc, or undefined (→ coercion defaults to block). */
+    doc() { this.expireIfStale(); return this.current; }
+    expireIfStale() {
+        if (this.current && Date.parse(this.current.not_after) < this.opts.now())
+            this.current = undefined;
+    }
+}
+//# sourceMappingURL=capabilities-cache.js.map

package/dist/capabilities-cache.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"capabilities-cache.js","sourceRoot":"","sources":["../src/capabilities-cache.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,0BAA0B,EAAkD,MAAM,uBAAuB,CAAC;AAEnH;;;;;;GAMG;AACH,MAAM,OAAO,iBAAiB;IAIlB;IAHF,OAAO,CAAwB;IAC/B,UAAU,GAAG,CAAC,CAAC,CAAC;IACxB,YACU,IAA+F;QAA/F,SAAI,GAAJ,IAAI,CAA2F;IACtG,CAAC;IAEJ,KAAK,CAAC,OAAO;QACX,MAAM,GAAG,GAAG,MAAM,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,IAAI,CAAC,OAAO,GAAG,gCAAgC,EAAE,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC,CAAC;QAC/G,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC;YAAC,IAAI,CAAC,aAAa,EAAE,CAAC;YAAC,OAAO;QAAC,CAAC,CAAY,iDAAiD;QAC3G,MAAM,MAAM,GAAG,CAAC,MAAM,GAAG,CAAC,IAAI,EAAE,CAAmB,CAAC;QACpD,MAAM,GAAG,GAAG,0BAA0B,CAAC,MAAM,EAAE,IAAI,CAAC,IAAI,CAAC,gBAAgB,CAAC,CAAC,CAAC,iCAAiC;QAC7G,MAAM,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;QACvC,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAI,IAAI,GAAG,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,EAAE,CAAC;YAAC,IAAI,CAAC,aAAa,EAAE,CAAC;YAAC,OAAO;QAAC,CAAC,CAAC,mBAAmB;QAC3G,IAAI,GAAG,CAAC,MAAM,IAAI,IAAI,CAAC,UAAU,EAAE,CAAC;YAAC,IAAI,CAAC,aAAa,EAAE,CAAC;YAAC,OAAO;QAAC,CAAC,CAAqB,oBAAoB;QAC7G,IAAI,CAAC,OAAO,GAAG,GAAG,CAAC;QACnB,IAAI,CAAC,UAAU,GAAG,GAAG,CAAC,MAAM,CAAC;IAC/B,CAAC;IAED,KAAK,CAAC,MAAM,KAAoB,IAAI,CAAC,IAAI,CAAC,OAAO;QAAE,MAAM,IAAI,CAAC,OAAO,EAAE,CAAC,CAAC,CAAC;IAE1E,wFAAwF;IACxF,GAAG,KAAuC,IAAI,CAAC,aAAa,EAAE,CAAC,CAAC,OAAO,IAAI,CAAC,OAAO,CAAC,CAAC,CAAC;IAE9E,aAAa;QACnB,IAAI,IAAI,CAAC,OAAO,IAAI,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,OAAO,CAAC,SAAS,CAAC,GAAG,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE;YAAE,IAAI,CAAC,OAAO,GAAG,SAAS,CAAC;IACrG,CAAC;CACF"}

package/dist/crosswalk.d.ts

@@ -0,0 +1,11 @@
+import type { RatingMapping } from "./types.js";
+export declare const CROSSWALKS: Record<RatingMapping["vocabulary"], Record<string, number>>;
+/**
+ * contentAgeFor maps a platform's native rating code to its age equivalent on the
+ * `ratings_age` scale. A `codeMap` (declarative, platform-supplied) remaps a
+ * proprietary code to a standard board code first. Anything unresolved (unknown
+ * code, missing field, non-string) returns MAX_ORDINAL so the downstream
+ * compareToCeiling fails closed.
+ */
+export declare function contentAgeFor(vocabulary: RatingMapping["vocabulary"], nativeCode: unknown, codeMap?: Record<string, string>): number;
+//# sourceMappingURL=crosswalk.d.ts.map

package/dist/crosswalk.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"crosswalk.d.ts","sourceRoot":"","sources":["../src/crosswalk.ts"],"names":[],"mappings":"AASA,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,YAAY,CAAC;AAEhD,eAAO,MAAM,UAAU,EAAE,MAAM,CAAC,aAAa,CAAC,YAAY,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAMlF,CAAC;AAEF;;;;;;GAMG;AACH,wBAAgB,aAAa,CAC3B,UAAU,EAAE,aAAa,CAAC,YAAY,CAAC,EACvC,UAAU,EAAE,OAAO,EACnB,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,GAC/B,MAAM,CAMR"}

package/dist/crosswalk.js

@@ -0,0 +1,32 @@
+// @phosra/gatekeeper PRODUCT DATA — the standard-vocabulary board->age crosswalk.
+// Values are AGES on the `ratings_age` scale (the SAME vocabulary as the census
+// `params.max_allowed`), sourced verbatim from published board definitions. This
+// is NOT OCSS-normative (the comparison primitive `compareToCeiling` is); it ships
+// as product data with a documented promotion path (census-served signed data once
+// a 2nd conformant gatekeeper + an active §8.3.7 lane exist). NO `custom` vocabulary,
+// NO platform-supplied `blockAt`. A wrong mapping is load-bearing safety policy:
+// an unmapped code resolves to MAX_ORDINAL (block, never allow).
+import { MAX_ORDINAL } from "@openchildsafety/ocss";
+export const CROSSWALKS = {
+    mpaa: { G: 0, PG: 8, "PG-13": 13, R: 17, "NC-17": 18 },
+    tv_parental: { "TV-Y": 0, "TV-G": 0, "TV-PG": 8, "TV-14": 14, "TV-MA": 17 },
+    esrb: { EC: 3, E: 6, "E10+": 10, T: 13, M: 17, AO: 18 },
+    pegi: { "3": 3, "7": 7, "12": 12, "16": 16, "18": 18 },
+    age_band: { under_13: 12, "13_15": 15, "16_17": 17 },
+};
+/**
+ * contentAgeFor maps a platform's native rating code to its age equivalent on the
+ * `ratings_age` scale. A `codeMap` (declarative, platform-supplied) remaps a
+ * proprietary code to a standard board code first. Anything unresolved (unknown
+ * code, missing field, non-string) returns MAX_ORDINAL so the downstream
+ * compareToCeiling fails closed.
+ */
+export function contentAgeFor(vocabulary, nativeCode, codeMap) {
+    if (typeof nativeCode !== "string")
+        return MAX_ORDINAL;
+    const boardCode = codeMap?.[nativeCode] ?? nativeCode;
+    const table = CROSSWALKS[vocabulary];
+    const age = table?.[boardCode];
+    return typeof age === "number" ? age : MAX_ORDINAL;
+}
+//# sourceMappingURL=crosswalk.js.map

package/dist/crosswalk.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"crosswalk.js","sourceRoot":"","sources":["../src/crosswalk.ts"],"names":[],"mappings":"AAAA,kFAAkF;AAClF,gFAAgF;AAChF,iFAAiF;AACjF,mFAAmF;AACnF,mFAAmF;AACnF,sFAAsF;AACtF,iFAAiF;AACjF,iEAAiE;AACjE,OAAO,EAAE,WAAW,EAAE,MAAM,uBAAuB,CAAC;AAGpD,MAAM,CAAC,MAAM,UAAU,GAAgE;IACrF,IAAI,EAAE,EAAE,CAAC,EAAE,CAAC,EAAE,EAAE,EAAE,CAAC,EAAE,OAAO,EAAE,EAAE,EAAE,CAAC,EAAE,EAAE,EAAE,OAAO,EAAE,EAAE,EAAE;IACtD,WAAW,EAAE,EAAE,MAAM,EAAE,CAAC,EAAE,MAAM,EAAE,CAAC,EAAE,OAAO,EAAE,CAAC,EAAE,OAAO,EAAE,EAAE,EAAE,OAAO,EAAE,EAAE,EAAE;IAC3E,IAAI,EAAE,EAAE,EAAE,EAAE,CAAC,EAAE,CAAC,EAAE,CAAC,EAAE,MAAM,EAAE,EAAE,EAAE,CAAC,EAAE,EAAE,EAAE,CAAC,EAAE,EAAE,EAAE,EAAE,EAAE,EAAE,EAAE;IACvD,IAAI,EAAE,EAAE,GAAG,EAAE,CAAC,EAAE,GAAG,EAAE,CAAC,EAAE,IAAI,EAAE,EAAE,EAAE,IAAI,EAAE,EAAE,EAAE,IAAI,EAAE,EAAE,EAAE;IACtD,QAAQ,EAAE,EAAE,QAAQ,EAAE,EAAE,EAAE,OAAO,EAAE,EAAE,EAAE,OAAO,EAAE,EAAE,EAAE;CACrD,CAAC;AAEF;;;;;;GAMG;AACH,MAAM,UAAU,aAAa,CAC3B,UAAuC,EACvC,UAAmB,EACnB,OAAgC;IAEhC,IAAI,OAAO,UAAU,KAAK,QAAQ;QAAE,OAAO,WAAW,CAAC;IACvD,MAAM,SAAS,GAAG,OAAO,EAAE,CAAC,UAAU,CAAC,IAAI,UAAU,CAAC;IACtD,MAAM,KAAK,GAAG,UAAU,CAAC,UAAU,CAAC,CAAC;IACrC,MAAM,GAAG,GAAG,KAAK,EAAE,CAAC,SAAS,CAAC,CAAC;IAC/B,OAAO,OAAO,GAAG,KAAK,QAAQ,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,WAAW,CAAC;AACrD,CAAC"}

package/dist/fleet-backcompat.test.d.ts

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=fleet-backcompat.test.d.ts.map

package/dist/fleet-backcompat.test.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"fleet-backcompat.test.d.ts","sourceRoot":"","sources":["../src/fleet-backcompat.test.ts"],"names":[],"mappings":""}

package/dist/fleet-backcompat.test.js

@@ -0,0 +1,38 @@
+// fleet-backcompat.test.ts — P0 Task 9 TS-side integration test.
+//
+// Proves the BACKWARD-COMPATIBLE constraint from the gatekeeper / client side:
+//   - an old client advertising only the bare SPEC_VERSION token (no
+//     OCSS-Accept-Versions header, single bare -pre) negotiates -pre;
+//   - the gatekeeper accepting an echoed -pre profile version still accepts it;
+//   - fail-closed: no common version → null (rejected, never default-allow).
+import { describe, it, expect } from "vitest";
+import { negotiate, SUPPORTED_VERSIONS, SPEC_VERSION } from "@openchildsafety/ocss";
+describe("fleet back-compat", () => {
+    it("old gatekeeper accepts -pre echo; census picks -pre for an old client", () => {
+        // Census-side pick for a legacy client (single bare token — no range header):
+        // the census calls negotiate([SPEC_VERSION], SUPPORTED_VERSIONS) and resolves
+        // OCSS-v1.0-pre — no forced upgrade.
+        expect(negotiate([SPEC_VERSION], SUPPORTED_VERSIONS)).toBe("OCSS-v1.0-pre");
+        // Gatekeeper-side accept of the echoed -pre profile version: the gatekeeper
+        // calls negotiate([echoed], SUPPORTED_VERSIONS); echoed == "OCSS-v1.0-pre"
+        // → accepted.
+        expect(negotiate(["OCSS-v1.0-pre"], SUPPORTED_VERSIONS)).toBe("OCSS-v1.0-pre");
+    });
+    it("fail-closed: no common version → null (never default-allow)", () => {
+        expect(negotiate(["OCSS-v2.0"], SUPPORTED_VERSIONS)).toBeNull();
+        expect(negotiate(["OCSS-v9.9-GREASE-ff"], SUPPORTED_VERSIONS)).toBeNull();
+    });
+    it("GREASE tolerated: real common version wins beside a GREASE token", () => {
+        // GREASE sentinel is skipped; the real -pre is returned.
+        expect(negotiate(["OCSS-v9.9-GREASE-ff", SPEC_VERSION], SUPPORTED_VERSIONS)).toBe("OCSS-v1.0-pre");
+    });
+    it("forward path: higher common version wins when both endpoints share it", () => {
+        // Simulate a future dual-version census locally (no global mutation).
+        const futureServerVers = ["OCSS-v1.0-pre", "OCSS-v1.1"];
+        // Forward-capable client gets the higher common version.
+        expect(negotiate(["OCSS-v1.0-pre", "OCSS-v1.1"], futureServerVers)).toBe("OCSS-v1.1");
+        // Old client gets -pre — ZERO forced upgrade.
+        expect(negotiate(["OCSS-v1.0-pre"], futureServerVers)).toBe("OCSS-v1.0-pre");
+    });
+});
+//# sourceMappingURL=fleet-backcompat.test.js.map

package/dist/fleet-backcompat.test.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"fleet-backcompat.test.js","sourceRoot":"","sources":["../src/fleet-backcompat.test.ts"],"names":[],"mappings":"AAAA,iEAAiE;AACjE,EAAE;AACF,+EAA+E;AAC/E,qEAAqE;AACrE,sEAAsE;AACtE,gFAAgF;AAChF,6EAA6E;AAE7E,OAAO,EAAE,QAAQ,EAAE,EAAE,EAAE,MAAM,EAAE,MAAM,QAAQ,CAAC;AAC9C,OAAO,EAAE,SAAS,EAAE,kBAAkB,EAAE,YAAY,EAAE,MAAM,uBAAuB,CAAC;AAEpF,QAAQ,CAAC,mBAAmB,EAAE,GAAG,EAAE;IACjC,EAAE,CAAC,uEAAuE,EAAE,GAAG,EAAE;QAC/E,8EAA8E;QAC9E,8EAA8E;QAC9E,qCAAqC;QACrC,MAAM,CAAC,SAAS,CAAC,CAAC,YAAY,CAAC,EAAE,kBAAkB,CAAC,CAAC,CAAC,IAAI,CAAC,eAAe,CAAC,CAAC;QAE5E,4EAA4E;QAC5E,2EAA2E;QAC3E,cAAc;QACd,MAAM,CAAC,SAAS,CAAC,CAAC,eAAe,CAAC,EAAE,kBAAkB,CAAC,CAAC,CAAC,IAAI,CAAC,eAAe,CAAC,CAAC;IACjF,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,6DAA6D,EAAE,GAAG,EAAE;QACrE,MAAM,CAAC,SAAS,CAAC,CAAC,WAAW,CAAC,EAAE,kBAAkB,CAAC,CAAC,CAAC,QAAQ,EAAE,CAAC;QAChE,MAAM,CAAC,SAAS,CAAC,CAAC,qBAAqB,CAAC,EAAE,kBAAkB,CAAC,CAAC,CAAC,QAAQ,EAAE,CAAC;IAC5E,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,kEAAkE,EAAE,GAAG,EAAE;QAC1E,yDAAyD;QACzD,MAAM,CAAC,SAAS,CAAC,CAAC,qBAAqB,EAAE,YAAY,CAAC,EAAE,kBAAkB,CAAC,CAAC,CAAC,IAAI,CAC/E,eAAe,CAChB,CAAC;IACJ,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,uEAAuE,EAAE,GAAG,EAAE;QAC/E,sEAAsE;QACtE,MAAM,gBAAgB,GAAG,CAAC,eAAe,EAAE,WAAW,CAAC,CAAC;QAExD,yDAAyD;QACzD,MAAM,CAAC,SAAS,CAAC,CAAC,eAAe,EAAE,WAAW,CAAC,EAAE,gBAAgB,CAAC,CAAC,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;QAEtF,8CAA8C;QAC9C,MAAM,CAAC,SAAS,CAAC,CAAC,eAAe,CAAC,EAAE,gBAAgB,CAAC,CAAC,CAAC,IAAI,CAAC,eAAe,CAAC,CAAC;IAC/E,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}

package/dist/gatekeeper-version.test.d.ts

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=gatekeeper-version.test.d.ts.map

package/dist/gatekeeper-version.test.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"gatekeeper-version.test.d.ts","sourceRoot":"","sources":["../src/gatekeeper-version.test.ts"],"names":[],"mappings":""}

package/dist/gatekeeper-version.test.js

@@ -0,0 +1,12 @@
+import { describe, it, expect } from "vitest";
+import { negotiate, SUPPORTED_VERSIONS } from "@openchildsafety/ocss";
+describe("gatekeeper version gate", () => {
+    it("accepts the echoed -pre version (backward-compat)", () => {
+        expect(negotiate(["OCSS-v1.0-pre"], SUPPORTED_VERSIONS)).not.toBeNull();
+    });
+    it("BLOCKS a GREASE / unknown echoed version", () => {
+        expect(negotiate(["OCSS-v9.9-GREASE-ff"], SUPPORTED_VERSIONS)).toBeNull(); // → throw at :173
+        expect(negotiate(["OCSS-v2.0"], SUPPORTED_VERSIONS)).toBeNull();
+    });
+});
+//# sourceMappingURL=gatekeeper-version.test.js.map

package/dist/gatekeeper-version.test.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"gatekeeper-version.test.js","sourceRoot":"","sources":["../src/gatekeeper-version.test.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,EAAE,EAAE,MAAM,EAAE,MAAM,QAAQ,CAAC;AAC9C,OAAO,EAAE,SAAS,EAAE,kBAAkB,EAAE,MAAM,uBAAuB,CAAC;AAEtE,QAAQ,CAAC,yBAAyB,EAAE,GAAG,EAAE;IACvC,EAAE,CAAC,mDAAmD,EAAE,GAAG,EAAE;QAC3D,MAAM,CAAC,SAAS,CAAC,CAAC,eAAe,CAAC,EAAE,kBAAkB,CAAC,CAAC,CAAC,GAAG,CAAC,QAAQ,EAAE,CAAC;IAC1E,CAAC,CAAC,CAAC;IACH,EAAE,CAAC,0CAA0C,EAAE,GAAG,EAAE;QAClD,MAAM,CAAC,SAAS,CAAC,CAAC,qBAAqB,CAAC,EAAE,kBAAkB,CAAC,CAAC,CAAC,QAAQ,EAAE,CAAC,CAAC,kBAAkB;QAC7F,MAAM,CAAC,SAAS,CAAC,CAAC,WAAW,CAAC,EAAE,kBAAkB,CAAC,CAAC,CAAC,QAAQ,EAAE,CAAC;IAClE,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}

package/dist/gatekeeper.d.ts

@@ -0,0 +1,38 @@
+import { type SigningKey } from "@openchildsafety/ocss";
+import { OcssHttpClient } from "./ocss-http-client.js";
+import { TrustListCache } from "./trust-list-cache.js";
+import { CapabilitiesCache } from "./capabilities-cache.js";
+import { type GatekeeperConfig, type Gatekeeper, type VerifiedProfile } from "./types.js";
+/** Internal in-memory stores. */
+declare class EnforcementProfileStore {
+    private m;
+    get(endpointId: string): VerifiedProfile | undefined;
+    put(endpointId: string, p: VerifiedProfile): void;
+}
+declare class ConsentStore {
+    private active;
+    private revoked;
+    markActive(endpointId: string): void;
+    markRevoked(endpointId: string): void;
+    isActive(endpointId: string): boolean;
+}
+export interface GatekeeperRuntime {
+    cfg: GatekeeperConfig;
+    http: OcssHttpClient;
+    trustList: TrustListCache;
+    caps: CapabilitiesCache;
+    profileStore: EnforcementProfileStore;
+    consentStore: ConsentStore;
+    signingKey: SigningKey;
+    now: () => number;
+    /** P3: the endpoint_id_label delivered by gk.handleConnect; overrides cfg.endpointId
+     *  for the no-arg accessors once a connect ceremony completes (Gap-7). */
+    connectedEndpointId?: string;
+    /** Idempotency guard: labels that have already been successfully connected.
+     *  A re-delivered connect callback for an already-seen label returns 200 immediately
+     *  without re-running refreshProfile. */
+    processedConnectLabels: Set<string>;
+}
+export declare function createGatekeeper(config: GatekeeperConfig): Gatekeeper;
+export {};
+//# sourceMappingURL=gatekeeper.d.ts.map

package/dist/gatekeeper.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"gatekeeper.d.ts","sourceRoot":"","sources":["../src/gatekeeper.ts"],"names":[],"mappings":"AACA,OAAO,EAAuJ,KAAK,UAAU,EAAgC,MAAM,uBAAuB,CAAC;AAG3O,OAAO,EAAE,cAAc,EAAE,MAAM,uBAAuB,CAAC;AACvD,OAAO,EAAE,cAAc,EAAE,MAAM,uBAAuB,CAAC;AACvD,OAAO,EAAE,iBAAiB,EAAE,MAAM,yBAAyB,CAAC;AAC5D,OAAO,EACL,KAAK,gBAAgB,EACrB,KAAK,UAAU,EAEf,KAAK,eAAe,EAKrB,MAAM,YAAY,CAAC;AAsBpB,iCAAiC;AACjC,cAAM,uBAAuB;IAC3B,OAAO,CAAC,CAAC,CAAsC;IAC/C,GAAG,CAAC,UAAU,EAAE,MAAM,GAAG,eAAe,GAAG,SAAS;IAGpD,GAAG,CAAC,UAAU,EAAE,MAAM,EAAE,CAAC,EAAE,eAAe,GAAG,IAAI;CAGlD;AAED,cAAM,YAAY;IAChB,OAAO,CAAC,MAAM,CAAqB;IACnC,OAAO,CAAC,OAAO,CAAqB;IACpC,UAAU,CAAC,UAAU,EAAE,MAAM,GAAG,IAAI;IAIpC,WAAW,CAAC,UAAU,EAAE,MAAM,GAAG,IAAI;IAGrC,QAAQ,CAAC,UAAU,EAAE,MAAM,GAAG,OAAO;CAGtC;AAED,MAAM,WAAW,iBAAiB;IAChC,GAAG,EAAE,gBAAgB,CAAC;IACtB,IAAI,EAAE,cAAc,CAAC;IACrB,SAAS,EAAE,cAAc,CAAC;IAC1B,IAAI,EAAE,iBAAiB,CAAC;IACxB,YAAY,EAAE,uBAAuB,CAAC;IACtC,YAAY,EAAE,YAAY,CAAC;IAC3B,UAAU,EAAE,UAAU,CAAC;IACvB,GAAG,EAAE,MAAM,MAAM,CAAC;IAClB;8EAC0E;IAC1E,mBAAmB,CAAC,EAAE,MAAM,CAAC;IAC7B;;6CAEyC;IACzC,sBAAsB,EAAE,GAAG,CAAC,MAAM,CAAC,CAAC;CACrC;AAOD,wBAAgB,gBAAgB,CAAC,MAAM,EAAE,gBAAgB,GAAG,UAAU,CA4ErE"}