@phosra/gatekeeper 0.1.0

package/dist/gatekeeper.js

@@ -0,0 +1,466 @@
+import { createPrivateKey, createPublicKey, verify as nodeVerify, randomBytes, createHmac, timingSafeEqual } from "node:crypto";
+import { compareToCeiling, ed25519Sign, validateResiduals, signReceipt, SUPPORTED_VERSIONS, negotiate, MAX_ORDINAL, b64urlRaw, b64urlRawDecode } from "@openchildsafety/ocss";
+import { RuleRefRequired, NoRatingMappingError, UnmappedRatingValueError, AssuranceLevelError } from "./types.js";
+import { contentAgeFor } from "./crosswalk.js";
+import { OcssHttpClient } from "./ocss-http-client.js";
+import { TrustListCache } from "./trust-list-cache.js";
+import { CapabilitiesCache } from "./capabilities-cache.js";
+import { RULE_ASSURANCE_FLOORS, ASSURANCE_RANK, HARD_AV_FLOOR_RULES, } from "./types.js";
+// HARD_AV_FLOOR_RULES is imported from types.ts where it is DERIVED from
+// RULE_ASSURANCE_FLOORS (the drift-checked map) — see types.ts for the
+// derivation and the invariant comment.  It was previously a hardcoded set
+// here; the Fix 6 refactor ensures any future document_verified-floor rule
+// added to RULE_ASSURANCE_FLOORS is automatically covered by the
+// confirm-stage guardrail without a manual update to this file.
+/** Direct Ed25519 verify of a raw 32-byte public key over a message. */
+function ed25519VerifyRaw(pub, msg, sig) {
+    const key = createPublicKey({ key: { kty: "OKP", crv: "Ed25519", x: b64urlRaw(pub) }, format: "jwk" });
+    return nodeVerify(null, Buffer.from(msg), key, Buffer.from(sig));
+}
+/** Derive the base64url-raw Ed25519 public X from a 32-byte raw seed (node:crypto). */
+function ed25519PublicXB64Url(seed) {
+    const pkcs8 = Buffer.concat([Buffer.from("302e020100300506032b657004220420", "hex"), Buffer.from(seed)]);
+    const priv = createPrivateKey({ key: pkcs8, format: "der", type: "pkcs8" });
+    return createPublicKey(priv).export({ format: "jwk" }).x;
+}
+/** Internal in-memory stores. */
+class EnforcementProfileStore {
+    m = new Map();
+    get(endpointId) {
+        return this.m.get(endpointId);
+    }
+    put(endpointId, p) {
+        this.m.set(endpointId, p);
+    }
+}
+class ConsentStore {
+    active = new Set();
+    revoked = new Set();
+    markActive(endpointId) {
+        this.active.add(endpointId);
+        this.revoked.delete(endpointId);
+    }
+    markRevoked(endpointId) {
+        this.revoked.add(endpointId);
+    }
+    isActive(endpointId) {
+        return this.active.has(endpointId) && !this.revoked.has(endpointId);
+    }
+}
+/** The effective endpoint for no-arg accessors: the connected label wins over cfg. */
+function defaultEid(rt) {
+    return rt.connectedEndpointId ?? rt.cfg.endpointId;
+}
+export function createGatekeeper(config) {
+    // §3.1 construction-time assertion: the reserved EC payload key (if any) MUST be a
+    // distinct identity from the Ed25519 signing key. (Guarded by presence — the key is
+    // OPTIONAL/reserved and unused in the read path.)
+    if (config.platformPayloadKeyJwk) {
+        const signX = ed25519PublicXB64Url(config.gatekeeperSigningKey.seed);
+        if (signX === config.platformPayloadKeyJwk.x) {
+            throw new Error("@phosra/gatekeeper: gatekeeperSigningKey and platformPayloadKeyJwk MUST be distinct identities");
+        }
+    }
+    const now = config.now ?? (() => Date.now());
+    const sk = config.gatekeeperSigningKey;
+    const signingKey = {
+        keyId: sk.keyID,
+        sign: (msg) => ed25519Sign(sk.seed, msg),
+    };
+    const http = new OcssHttpClient({
+        baseUrl: config.censusBaseUrl,
+        senderKey: sk,
+        fetchImpl: config.fetchImpl,
+        now,
+    });
+    const trustList = new TrustListCache({
+        fetchImpl: config.fetchImpl ?? fetch,
+        baseUrl: config.censusBaseUrl,
+        trustRootXB64Url: config.trustRootXB64Url,
+        now,
+    });
+    const caps = new CapabilitiesCache({
+        fetchImpl: config.fetchImpl ?? fetch,
+        baseUrl: config.censusBaseUrl,
+        trustRootXB64Url: config.trustRootXB64Url,
+        now,
+    });
+    const rt = {
+        cfg: config,
+        http,
+        trustList,
+        caps,
+        profileStore: new EnforcementProfileStore(),
+        consentStore: new ConsentStore(),
+        signingKey,
+        now,
+        processedConnectLabels: new Set(),
+    };
+    // P2 boots NO background timers (kept out of unit tests; the harness calls
+    // refreshProfile explicitly). tlRefreshIntervalMs/pollIntervalMs are reserved.
+    //
+    // _testInjectProfile is attached to the runtime object but NOT declared on the
+    // public Gatekeeper interface — test fixtures access it via a typed cast in
+    // test/fixtures.ts (GatekeeperRuntime = Gatekeeper & { _testInjectProfile }).
+    const gk = {
+        refreshTrustList: () => refreshTrustList(rt),
+        refreshProfile: (endpointId) => refreshProfile(rt, endpointId),
+        getCachedProfile: (endpointId) => rt.profileStore.get(endpointId ?? defaultEid(rt)),
+        isAllowed: (args) => isAllowed(rt, args),
+        check: (category, ctx) => isAllowed(rt, { category, signal: ctx }),
+        confirm: (envelopeRef, ruleRef, state, methodClass) => confirm(rt, envelopeRef, ruleRef, state, methodClass),
+        handleConnect: (req) => handleConnect(rt, req),
+        reportParentChange: (change) => reportParentChange(rt, change),
+        destroy: () => {
+            /* no timers in P2 */
+        },
+        _testInjectProfile: (profile) => {
+            rt.profileStore.put(profile.endpointId, profile);
+            rt.consentStore.markActive(profile.endpointId);
+        },
+    };
+    return gk;
+}
+// --- Task 4: profile read path ---
+async function refreshTrustList(rt) {
+    await rt.trustList.refresh();
+    await rt.caps.refresh().catch(() => { }); // best-effort — advisory; never a hard dependency
+}
+async function refreshProfile(rt, endpointId) {
+    const eid = endpointId ?? defaultEid(rt);
+    await rt.trustList.ensure();
+    const res = await rt.http.get(`/api/v1/enforcement-profiles/${eid}`);
+    // any non-2xx (404 unknown/wrong-resolver, 401/403 unaccredited/revoked, 5xx transient) →
+    // fail-closed, cache nothing → the gate blocks (§9.3(b) + fail-closed). Do NOT throw on
+    // an HTTP status: a revoked/unaccredited platform must degrade to BLOCK, not crash the caller.
+    if (!res.ok)
+        return;
+    const signed = (await res.json());
+    // VERIFY the router signature directly (NOT verifyDocument — that is the root path):
+    const routerPub = rt.trustList.signingKey(signed.key_id);
+    const ok = ed25519VerifyRaw(routerPub, Buffer.from(signed.document, "utf-8"), b64urlRawDecode(signed.sig));
+    if (!ok)
+        throw new Error("@phosra/gatekeeper: enforcement profile signature invalid (fail-closed)");
+    const doc = JSON.parse(signed.document);
+    if (doc.document_type !== "enforcement_profile") {
+        throw new Error(`@phosra/gatekeeper: not an enforcement_profile (${doc.document_type})`);
+    }
+    // GREASE BLOCK (P0 Task 8): accept any echoed version the gatekeeper speaks;
+    // block an unknown/unparseable/GREASE version fail-closed (do NOT pass through).
+    if (negotiate([doc.ocss_version], SUPPORTED_VERSIONS) === null) {
+        throw new Error(`@phosra/gatekeeper: profile version ${doc.ocss_version} not in supported set ${SUPPORTED_VERSIONS.join(",")} (fail-closed)`);
+    }
+    // §profile residuals are N/A at this receive surface (DoH-only resolvers carry none);
+    // validateResiduals tolerates undefined/empty and throws only on a malformed residual.
+    validateResiduals(doc.residuals ?? undefined);
+    rt.profileStore.put(eid, {
+        endpointId: eid,
+        document_type: doc.document_type,
+        ocss_version: doc.ocss_version,
+        profile_ref: doc.profile_ref,
+        window: doc.window,
+        categories: doc.categories,
+    });
+    rt.consentStore.markActive(eid); // a router-verified in-window profile implies active consent at compile
+}
+// --- filled in Task 5 ---
+/** Parse the census `params` field, which is a JSON object on the wire but tolerate a string. */
+function parseParams(p) {
+    if (p == null)
+        return {};
+    return typeof p === "string" ? JSON.parse(p) : p;
+}
+function failClosedVerdict(rt, category) {
+    return { decision: "block", failMode: "block", ruleSlug: category, ruleRef: null, confirm: async () => undefined };
+}
+function isAllowed(rt, args) {
+    const eid = args.endpointId ?? defaultEid(rt);
+    const prof = rt.profileStore.get(eid);
+    if (!prof)
+        return failClosedVerdict(rt, args.category); // missing profile
+    if (!rt.consentStore.isActive(eid))
+        return failClosedVerdict(rt, args.category); // no active consent
+    const _na = Date.parse(prof.window.not_after);
+    const _nb = Date.parse(prof.window.not_before);
+    if (!Number.isFinite(_na) || _na < rt.now() || !Number.isFinite(_nb) || _nb > rt.now())
+        return failClosedVerdict(rt, args.category); // expired / not yet open / malformed bound
+    const cat = prof.categories.find((c) => c.category === args.category);
+    if (!cat)
+        return failClosedVerdict(rt, args.category); // absent category
+    // ASSURANCE-LEVEL GUARDRAIL (spec-faithfulness, §7.3):
+    // If the caller supplies signal.assurance_level, verify it meets the rule's
+    // §7.3 floor INDEPENDENTLY of the compiled profile decision.  A signature
+    // proves provenance, not age truth — a parental_declared signal MUST NOT
+    // satisfy a document_verified-floor rule (UT/TX AV statutes, adult_site_av_required,
+    // hard_id_verification_escalation).  Fail-closed: unknown assurance strings rank -1.
+    //
+    // This is a defense-in-depth check; the census compiler already applies floors
+    // at compile time.  The guardrail catches races (profile compiled before the
+    // signal's assurance level was known) and mis-use by platform integrators who
+    // call isAllowed with a weaker signal than the rule requires.
+    const signalAssurance = args.signal?.assurance_level;
+    if (typeof signalAssurance === "string") {
+        const ruleFloor = RULE_ASSURANCE_FLOORS[args.category];
+        if (ruleFloor !== undefined) {
+            const signalRank = ASSURANCE_RANK[signalAssurance] ?? -1;
+            if (signalRank < ruleFloor) {
+                // Assurance insufficient: fail-closed regardless of profile decision.
+                // The failMode from the profile still applies (open profiles stay open).
+                const failMode = cat.fail_mode === "open" ? "allow" : "block";
+                return {
+                    decision: "block",
+                    failMode,
+                    ruleSlug: cat.rule_slug ?? args.category,
+                    ruleRef: cat.rule_ref ?? null,
+                    // M5: throw for "applied" (no false enforcement claim on a weak-assurance verdict).
+                    // "degraded"/"refused" may still be submitted if a rule_ref is available (honest
+                    // attestation that enforcement was attempted but the required assurance was not met).
+                    confirm: (state) => {
+                        if (state === "applied")
+                            throw new AssuranceLevelError(args.category);
+                        const ruleRef = cat.rule_ref ?? null;
+                        const envelopeRef = prof.profile_ref ?? `endpoint:${eid}:${args.category}`;
+                        return ruleRef ? confirm(rt, envelopeRef, ruleRef, state) : Promise.resolve(undefined);
+                    },
+                };
+            }
+        }
+    }
+    const failMode = cat.fail_mode === "open" ? "allow" : "block";
+    let decision = cat.decision;
+    const mapping = rt.cfg.ratingMappings.find((m) => m.ocssCategory === args.category);
+    if (mapping) {
+        const nativeCode = args.signal?.[mapping.myField];
+        const contentAge = contentAgeFor(mapping.vocabulary, nativeCode, mapping.codeMap);
+        const params = parseParams(cat.params);
+        if (params.max_allowed == null || !Number.isFinite(params.max_allowed)) {
+            decision = "block"; // fail-closed: no signed ceiling
+        }
+        else {
+            const cmp = compareToCeiling(contentAge, params.max_allowed);
+            decision = cmp === "block" ? "block" : cat.decision; // warn/allow come from the profile
+        }
+    }
+    // CHILD-SAFETY FIX (P1): the verb set {allow,warn,block} is no longer assumed. A profile verb
+    // the gatekeeper does not natively action (e.g. a future "throttle") is COERCED to its signed
+    // fallback from the root-verified capabilities doc; with no signed fallback OR no caps doc loaded
+    // it defaults to "block". This runs LAST so it also clamps a crosswalk result. Without it, an
+    // unknown verb rode into the Verdict verbatim and an integrator's `if (decision==="block")` never
+    // fired → fail-OPEN. Coercion makes that path fail-CLOSED. Known verbs are unchanged (back-compat).
+    //
+    // RUNTIME ENUM GUARD (P1 review finding 1): the signed fallback itself is ALSO runtime-validated.
+    // A caps doc carrying {verb:"throttle", fallback:"scalate"} (a typo or a future extension the
+    // verifier did not yet reject) must NOT allow "scalate" to ride into the Verdict.  We explicitly
+    // check the fallback is in the closed enum — anything outside {allow,warn,block} → "block".
+    // This is the LAST LINE OF DEFENSE, source-agnostic: it closes the gate even if verify.ts and
+    // the Go builder both failed to catch the bad fallback upstream.
+    if (decision !== "allow" && decision !== "warn" && decision !== "block") {
+        const fb = rt.caps.doc()?.decision_verbs?.find((d) => d.verb === decision)?.fallback;
+        decision = (fb === "allow" || fb === "warn" || fb === "block") ? fb : "block";
+    }
+    const ruleRef = cat.rule_ref ?? null;
+    const envelopeRef = prof.profile_ref ?? `endpoint:${eid}:${args.category}`;
+    const category = args.category;
+    return {
+        decision,
+        failMode,
+        ruleSlug: cat.rule_slug ?? args.category,
+        ruleRef,
+        confirm: (state) => {
+            // §7.3 CONFIRM-STAGE ASSURANCE GUARDRAIL (defense-in-depth, second layer):
+            // The isAllowed stage already blocks on a weak signal.assurance_level.
+            // This layer catches the case where isAllowed returned a verdict (possibly
+            // "block") and the platform nonetheless calls confirm("applied") — asserting
+            // the rule FIRED even though the platform cannot have performed the hard AV
+            // (e.g. a parental-declared signal was used to decide, but the rule mandates
+            // document_verified).  The receipt MUST NOT assert "applied" for a rule the
+            // platform did not actually enforce at the required assurance level.
+            if (state === "applied" && HARD_AV_FLOOR_RULES.has(category)) {
+                throw new AssuranceLevelError(category);
+            }
+            return ruleRef ? confirm(rt, envelopeRef, ruleRef, state) : Promise.resolve(undefined);
+        },
+    };
+}
+// --- filled in Task 6 ---
+async function confirm(rt, envelopeRef, ruleRef, state, methodClass) {
+    // §8.3.8: rule_ref is required. A fail-closed verdict (ruleRef null) MUST NOT confirm —
+    // an orphan confirm pollutes the attribution rail (census keys idempotency on rule_ref).
+    if (!ruleRef)
+        throw new RuleRefRequired();
+    // INTERVENTION-FIRED SEMANTICS (§8.3.8 spec-faithfulness):
+    // enforcement_state == "applied" already means the intervention fired — the
+    // closed 3-value vocab is the spec's way of encoding this.  A separate
+    // intervention_fired boolean would be redundant AND non-spec (the census
+    // strict-decodes EnforcementResultBody with DisallowUnknownFields and would
+    // reject it).  What the spec requires is that the platform attest HOW the
+    // intervention fired via method_class — distinguishing "policy received" from
+    // "enforcement confirmed."  This is enforced on the census side for "applied":
+    // method_class must be non-empty (census rejects blank method_class on applied).
+    const body = {
+        envelope_ref: envelopeRef,
+        rule_ref: ruleRef,
+        enforcement_state: state,
+        applied_at: new Date(rt.now()).toISOString(),
+        method_class: methodClass ?? "platform_gate",
+    };
+    // signReceipt: sig covers canon({body, spec, type}) only (D-9); id/key_id ride outside.
+    const receipt = signReceipt("enforcement_result", body, rt.signingKey, new Date(rt.now()), new Uint8Array(randomBytes(10)));
+    // receipt.body is a Uint8Array; JSON.stringify(Uint8Array) emits a numeric-keyed object
+    // {"0":123,...} (the "numeric-keys trap"). The census strict-decodes body as a verbatim
+    // json.RawMessage, so the bytes must match the signed canon. Decode once here for the
+    // wire object; return the in-memory receipt so verifyReceipt still works on the Uint8Array.
+    const wire = { ...receipt, body: JSON.parse(new TextDecoder().decode(receipt.body)) };
+    const res = await rt.http.post("/api/v1/enforcement-confirmations", wire);
+    // 201 = written; 200 = idempotent same receipt; 409 = already confirmed (census deduplicates
+    // on rule_ref — same (policy_id, category) produces the same rule_ref, so a rule confirmed
+    // in a prior session/run returns 409 on re-confirm). All three mean "enforcement is recorded".
+    if (res.status !== 201 && res.status !== 200 && res.status !== 409) {
+        throw new Error(`@phosra/gatekeeper: confirm POST failed (${res.status})`);
+    }
+    return receipt;
+}
+// --- Task 11: reportParentChange (P4 §3.2) ---
+/** Canonical key-sorted JSON bytes over the proposal event fields (mirrors Go canon). */
+function canonEvent(ev) {
+    const sorted = {};
+    for (const k of Object.keys(ev).sort())
+        sorted[k] = ev[k];
+    return new TextEncoder().encode(JSON.stringify(sorted));
+}
+async function reportParentChange(rt, change) {
+    const eid = change.endpointId ?? defaultEid(rt);
+    // C8: only declared total-ordered rating fields are reportable.
+    const mapping = rt.cfg.ratingMappings.find((m) => m.ocssCategory === change.ocssCategory);
+    if (!mapping)
+        throw new NoRatingMappingError(change.ocssCategory);
+    // Normalize through the SAME crosswalk isAllowed uses (C1/C8).
+    // The census does NOT normalize (no crosswalk on the census, C2) — send the integer.
+    const desiredMaxAllowed = contentAgeFor(mapping.vocabulary, change.nativeValue, mapping.codeMap);
+    // Fix 1 — unmapped-value safety guard: MAX_ORDINAL is the fail-closed sentinel meaning
+    // "unresolvable code". It is safe as a CONTENT-AGE (→ block), but MUST NOT be sent as a
+    // proposed CEILING (desired_max_allowed === MAX_ORDINAL = "allow everything"). Reject here
+    // instead of emitting a maximally-permissive proposal.
+    if (desiredMaxAllowed === MAX_ORDINAL) {
+        throw new UnmappedRatingValueError(mapping.vocabulary, change.nativeValue);
+    }
+    // Echo-suppression (A5/§5.11.1): EXACT equality against the cached profile ceiling
+    // (per-endpoint). Do NOT emit a proposal if the value echoes the last-received canonical.
+    const prof = rt.profileStore.get(eid);
+    const cat = prof?.categories.find((c) => c.category === change.ocssCategory);
+    const params = cat ? parseParams(cat.params) : {};
+    if (params.max_allowed != null &&
+        Number.isFinite(params.max_allowed) &&
+        desiredMaxAllowed === params.max_allowed) {
+        return { suppressed: true };
+    }
+    // Sign a self-contained phosra_platform_proposal (C6/R-4): Ed25519 sig over the
+    // canonical event bytes. Distinct from the RFC-9421 transport sig the POST adds.
+    // This is a Phosra-PRODUCT signed event — NOT an OCSS vocab.ts envelope_type,
+    // NOT enforcement_result=degraded, MUST NOT write a rule.
+    // Fix 2 — event_type is included in the signed ev so the kind is tamper-bound by the
+    // Ed25519 signature. "phosra_platform_proposal" is a Phosra-PRODUCT event — NOT an OCSS
+    // vocab.ts envelope_type. The distinction is explicit in the signed bytes.
+    const ev = {
+        change_scope: change.changeScope,
+        desired_max_allowed: desiredMaxAllowed,
+        endpoint_id: eid,
+        event_type: "phosra_platform_proposal",
+        ocss_category: change.ocssCategory,
+        signed_at: new Date(rt.now()).toISOString().replace(/\.\d{3}Z$/, "Z"),
+    };
+    const canonBytes = canonEvent(ev);
+    const sig = ed25519Sign(rt.cfg.gatekeeperSigningKey.seed, canonBytes);
+    const body = { ...ev, key_id: rt.cfg.gatekeeperSigningKey.keyID, sig: b64urlRaw(sig) };
+    // POST — rt.http.post adds the RFC-9421 transport signature over the wire body.
+    const res = await rt.http.post("/api/v1/proposals", body);
+    if (!res.ok) {
+        throw new Error(`reportParentChange: census POST /proposals failed ${res.status}`);
+    }
+    const filed = (await res.json());
+    return { proposalId: filed.body?.proposal_id ?? "", delta_kind: filed.body?.delta_kind };
+}
+/** Compute HMAC-SHA256(secret, message) → lowercase hex.
+ * Matches the server-side signing scheme in internal/service/webhook.go:155-157. */
+function hmacSha256Hex(secret, message) {
+    return createHmac("sha256", secret).update(message).digest("hex");
+}
+/** P3 connect callback. Receives the writer-BFF-delivered endpoint_id_label (the census
+ * disclosed it ONCE to completeLink on the writer plane — GC1), persists it as the
+ * connected endpoint, and activates the PULL path. No decrypt (GC3); webhook PUSH deferred (GC7).
+ *
+ * Security: when cfg.connectSecret is set, the `X-Phosra-Signature` header MUST carry a
+ * valid HMAC-SHA256(secret, rawBody) hex value. Missing or wrong signature → HTTP 401
+ * (fail-closed). Algorithm mirrors internal/service/webhook.go:155-157.
+ *
+ * Idempotency: a re-delivered connect callback for an already-processed label returns 200
+ * immediately without re-running refreshProfile (safe to replay; nonce-in-label is the key).
+ *
+ * NOT-PROVEN (C7 deferral): body.state is recorded but NOT validated against a platform-side
+ * pending session record here — consumer-platform session-binding validation is P4+. */
+async function handleConnect(rt, req) {
+    // Read the raw body text first so we can HMAC over the exact bytes received.
+    let rawBody;
+    try {
+        rawBody = await req.text();
+    }
+    catch {
+        return new Response(JSON.stringify({ error: "malformed body" }), { status: 400, headers: { "content-type": "application/json" } });
+    }
+    // HMAC-SHA256 verification (fail-closed when connectSecret is configured).
+    const connectSecret = rt.cfg.connectSecret;
+    if (connectSecret) {
+        const sigHeader = req.headers.get("x-phosra-signature");
+        if (!sigHeader) {
+            return new Response(JSON.stringify({ error: "missing X-Phosra-Signature" }), { status: 401, headers: { "content-type": "application/json" } });
+        }
+        const expected = hmacSha256Hex(connectSecret, rawBody);
+        // Constant-time compare (same length: 64 hex chars for SHA-256). A length mismatch means
+        // the header value is definitely wrong, so reject without timing-sensitive comparison.
+        if (sigHeader.length !== expected.length ||
+            !timingSafeEqual(Buffer.from(sigHeader, "utf8"), Buffer.from(expected, "utf8"))) {
+            return new Response(JSON.stringify({ error: "invalid X-Phosra-Signature" }), { status: 401, headers: { "content-type": "application/json" } });
+        }
+    }
+    // Parse JSON body.
+    let body;
+    try {
+        body = JSON.parse(rawBody);
+    }
+    catch {
+        return new Response(JSON.stringify({ error: "malformed body" }), { status: 400, headers: { "content-type": "application/json" } });
+    }
+    const label = body.endpoint_id_label;
+    if (!label) {
+        return new Response(JSON.stringify({ error: "endpoint_id_label required" }), { status: 400, headers: { "content-type": "application/json" } });
+    }
+    // Idempotency guard: a re-delivered connect callback for an already-processed label
+    // returns 200 immediately (binding already established; re-running refreshProfile is
+    // unnecessary and could cause thundering-herd on retries). A nonce embedded in the
+    // label by the census (GC1) makes distinct connect invocations distinct labels.
+    if (rt.processedConnectLabels.has(label)) {
+        return new Response(JSON.stringify({ connected: true, endpointId: label }), {
+            status: 200,
+            headers: { "content-type": "application/json" },
+        });
+    }
+    // body.state intentionally unvalidated here (C7 deferral — see GC6/NOT-PROVEN).
+    rt.connectedEndpointId = label;
+    rt.processedConnectLabels.add(label);
+    try {
+        await refreshProfile(rt, label); // PULL: fetch + router-verify + cache + markActive (best-effort)
+    }
+    catch {
+        // refreshProfile is best-effort here: a profile may legitimately not exist yet
+        // (no rule written to this endpoint) and will populate on the first PULL after
+        // rules are written. The binding is established once the label is persisted —
+        // that is the "connected" (Plaid-linked) semantic. → status 200 always.
+    }
+    // "connected" = the binding/label was persisted, NOT "a profile is immediately cached".
+    // Profile priming above is best-effort; callers verify profile presence via getCachedProfile.
+    return new Response(JSON.stringify({ connected: true, endpointId: label }), {
+        status: 200,
+        headers: { "content-type": "application/json" },
+    });
+}
+//# sourceMappingURL=gatekeeper.js.map

package/dist/gatekeeper.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"gatekeeper.js","sourceRoot":"","sources":["../src/gatekeeper.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,gBAAgB,EAAE,eAAe,EAAE,MAAM,IAAI,UAAU,EAAE,WAAW,EAAE,UAAU,EAAE,eAAe,EAAE,MAAM,aAAa,CAAC;AAChI,OAAO,EAAE,gBAAgB,EAAE,WAAW,EAAE,iBAAiB,EAAE,WAAW,EAAgB,kBAAkB,EAAE,SAAS,EAAE,WAAW,EAAE,SAAS,EAAE,eAAe,EAAiD,MAAM,uBAAuB,CAAC;AAC3O,OAAO,EAAE,eAAe,EAAE,oBAAoB,EAAE,wBAAwB,EAAE,mBAAmB,EAA8D,MAAM,YAAY,CAAC;AAC9K,OAAO,EAAE,aAAa,EAAE,MAAM,gBAAgB,CAAC;AAC/C,OAAO,EAAE,cAAc,EAAE,MAAM,uBAAuB,CAAC;AACvD,OAAO,EAAE,cAAc,EAAE,MAAM,uBAAuB,CAAC;AACvD,OAAO,EAAE,iBAAiB,EAAE,MAAM,yBAAyB,CAAC;AAC5D,OAAO,EAML,qBAAqB,EACrB,cAAc,EACd,mBAAmB,GACpB,MAAM,YAAY,CAAC;AAEpB,yEAAyE;AACzE,uEAAuE;AACvE,2EAA2E;AAC3E,2EAA2E;AAC3E,iEAAiE;AACjE,gEAAgE;AAEhE,wEAAwE;AACxE,SAAS,gBAAgB,CAAC,GAAe,EAAE,GAAe,EAAE,GAAe;IACzE,MAAM,GAAG,GAAG,eAAe,CAAC,EAAE,GAAG,EAAE,EAAE,GAAG,EAAE,KAAK,EAAE,GAAG,EAAE,SAAS,EAAE,CAAC,EAAE,SAAS,CAAC,GAAG,CAAC,EAAE,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC,CAAC;IACvG,OAAO,UAAU,CAAC,IAAI,EAAE,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,GAAG,EAAE,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC;AACnE,CAAC;AAED,uFAAuF;AACvF,SAAS,oBAAoB,CAAC,IAAgB;IAC5C,MAAM,KAAK,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,kCAAkC,EAAE,KAAK,CAAC,EAAE,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IACzG,MAAM,IAAI,GAAG,gBAAgB,CAAC,EAAE,GAAG,EAAE,KAAK,EAAE,MAAM,EAAE,KAAK,EAAE,IAAI,EAAE,OAAO,EAAE,CAAC,CAAC;IAC5E,OAAQ,eAAe,CAAC,IAAI,CAAC,CAAC,MAAM,CAAC,EAAE,MAAM,EAAE,KAAK,EAAE,CAAmB,CAAC,CAAC,CAAC;AAC9E,CAAC;AAED,iCAAiC;AACjC,MAAM,uBAAuB;IACnB,CAAC,GAAG,IAAI,GAAG,EAA2B,CAAC;IAC/C,GAAG,CAAC,UAAkB;QACpB,OAAO,IAAI,CAAC,CAAC,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC;IAChC,CAAC;IACD,GAAG,CAAC,UAAkB,EAAE,CAAkB;QACxC,IAAI,CAAC,CAAC,CAAC,GAAG,CAAC,UAAU,EAAE,CAAC,CAAC,CAAC;IAC5B,CAAC;CACF;AAED,MAAM,YAAY;IACR,MAAM,GAAG,IAAI,GAAG,EAAU,CAAC;IAC3B,OAAO,GAAG,IAAI,GAAG,EAAU,CAAC;IACpC,UAAU,CAAC,UAAkB;QAC3B,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC;QAC5B,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC;IAClC,CAAC;IACD,WAAW,CAAC,UAAkB;QAC5B,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC;IAC/B,CAAC;IACD,QAAQ,CAAC,UAAkB;QACzB,OAAO,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC;IACtE,CAAC;CACF;AAoBD,sFAAsF;AACtF,SAAS,UAAU,CAAC,EAAqB;IACvC,OAAO,EAAE,CAAC,mBAAmB,IAAI,EAAE,CAAC,GAAG,CAAC,UAAU,CAAC;AACrD,CAAC;AAED,MAAM,UAAU,gBAAgB,CAAC,MAAwB;IACvD,mFAAmF;IACnF,oFAAoF;IACpF,kDAAkD;IAClD,IAAI,MAAM,CAAC,qBAAqB,EAAE,CAAC;QACjC,MAAM,KAAK,GAAG,oBAAoB,CAAC,MAAM,CAAC,oBAAoB,CAAC,IAAI,CAAC,CAAC;QACrE,IAAI,KAAK,KAAK,MAAM,CAAC,qBAAqB,CAAC,CAAC,EAAE,CAAC;YAC7C,MAAM,IAAI,KAAK,CACb,gGAAgG,CACjG,CAAC;QACJ,CAAC;IACH,CAAC;IAED,MAAM,GAAG,GAAG,MAAM,CAAC,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC,IAAI,CAAC,GAAG,EAAE,CAAC,CAAC;IAC7C,MAAM,EAAE,GAAc,MAAM,CAAC,oBAAoB,CAAC;IAClD,MAAM,UAAU,GAAe;QAC7B,KAAK,EAAE,EAAE,CAAC,KAAK;QACf,IAAI,EAAE,CAAC,GAAe,EAAE,EAAE,CAAC,WAAW,CAAC,EAAE,CAAC,IAAI,EAAE,GAAG,CAAC;KACrD,CAAC;IACF,MAAM,IAAI,GAAG,IAAI,cAAc,CAAC;QAC9B,OAAO,EAAE,MAAM,CAAC,aAAa;QAC7B,SAAS,EAAE,EAAE;QACb,SAAS,EAAE,MAAM,CAAC,SAAS;QAC3B,GAAG;KACJ,CAAC,CAAC;IACH,MAAM,SAAS,GAAG,IAAI,cAAc,CAAC;QACnC,SAAS,EAAE,MAAM,CAAC,SAAS,IAAI,KAAK;QACpC,OAAO,EAAE,MAAM,CAAC,aAAa;QAC7B,gBAAgB,EAAE,MAAM,CAAC,gBAAgB;QACzC,GAAG;KACJ,CAAC,CAAC;IACH,MAAM,IAAI,GAAG,IAAI,iBAAiB,CAAC;QACjC,SAAS,EAAE,MAAM,CAAC,SAAS,IAAI,KAAK;QACpC,OAAO,EAAE,MAAM,CAAC,aAAa;QAC7B,gBAAgB,EAAE,MAAM,CAAC,gBAAgB;QACzC,GAAG;KACJ,CAAC,CAAC;IAEH,MAAM,EAAE,GAAsB;QAC5B,GAAG,EAAE,MAAM;QACX,IAAI;QACJ,SAAS;QACT,IAAI;QACJ,YAAY,EAAE,IAAI,uBAAuB,EAAE;QAC3C,YAAY,EAAE,IAAI,YAAY,EAAE;QAChC,UAAU;QACV,GAAG;QACH,sBAAsB,EAAE,IAAI,GAAG,EAAE;KAClC,CAAC;IAEF,2EAA2E;IAC3E,+EAA+E;IAC/E,EAAE;IACF,+EAA+E;IAC/E,4EAA4E;IAC5E,8EAA8E;IAC9E,MAAM,EAAE,GAAwE;QAC9E,gBAAgB,EAAE,GAAG,EAAE,CAAC,gBAAgB,CAAC,EAAE,CAAC;QAC5C,cAAc,EAAE,CAAC,UAAmB,EAAE,EAAE,CAAC,cAAc,CAAC,EAAE,EAAE,UAAU,CAAC;QACvE,gBAAgB,EAAE,CAAC,UAAmB,EAAE,EAAE,CACxC,EAAE,CAAC,YAAY,CAAC,GAAG,CAAC,UAAU,IAAI,UAAU,CAAC,EAAE,CAAC,CAAC;QACnD,SAAS,EAAE,CAAC,IAAI,EAAE,EAAE,CAAC,SAAS,CAAC,EAAE,EAAE,IAAI,CAAC;QACxC,KAAK,EAAE,CAAC,QAAQ,EAAE,GAAG,EAAE,EAAE,CAAC,SAAS,CAAC,EAAE,EAAE,EAAE,QAAQ,EAAE,MAAM,EAAE,GAAG,EAAE,CAAC;QAClE,OAAO,EAAE,CAAC,WAAW,EAAE,OAAO,EAAE,KAAK,EAAE,WAAW,EAAE,EAAE,CACpD,OAAO,CAAC,EAAE,EAAE,WAAW,EAAE,OAAO,EAAE,KAAK,EAAE,WAAW,CAAC;QACvD,aAAa,EAAE,CAAC,GAAY,EAAE,EAAE,CAAC,aAAa,CAAC,EAAE,EAAE,GAAG,CAAC;QACvD,kBAAkB,EAAE,CAAC,MAAM,EAAE,EAAE,CAAC,kBAAkB,CAAC,EAAE,EAAE,MAAM,CAAC;QAC9D,OAAO,EAAE,GAAG,EAAE;YACZ,qBAAqB;QACvB,CAAC;QACD,kBAAkB,EAAE,CAAC,OAAwB,EAAE,EAAE;YAC/C,EAAE,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,CAAC,UAAU,EAAE,OAAO,CAAC,CAAC;YACjD,EAAE,CAAC,YAAY,CAAC,UAAU,CAAC,OAAO,CAAC,UAAU,CAAC,CAAC;QACjD,CAAC;KACF,CAAC;IACF,OAAO,EAAE,CAAC;AACZ,CAAC;AAED,oCAAoC;AACpC,KAAK,UAAU,gBAAgB,CAAC,EAAqB;IACnD,MAAM,EAAE,CAAC,SAAS,CAAC,OAAO,EAAE,CAAC;IAC7B,MAAM,EAAE,CAAC,IAAI,CAAC,OAAO,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,GAAE,CAAC,CAAC,CAAC,CAAC,kDAAkD;AAC7F,CAAC;AAED,KAAK,UAAU,cAAc,CAAC,EAAqB,EAAE,UAAmB;IACtE,MAAM,GAAG,GAAG,UAAU,IAAI,UAAU,CAAC,EAAE,CAAC,CAAC;IACzC,MAAM,EAAE,CAAC,SAAS,CAAC,MAAM,EAAE,CAAC;IAC5B,MAAM,GAAG,GAAG,MAAM,EAAE,CAAC,IAAI,CAAC,GAAG,CAAC,gCAAgC,GAAG,EAAE,CAAC,CAAC;IACrE,0FAA0F;IAC1F,wFAAwF;IACxF,+FAA+F;IAC/F,IAAI,CAAC,GAAG,CAAC,EAAE;QAAE,OAAO;IAEpB,MAAM,MAAM,GAAG,CAAC,MAAM,GAAG,CAAC,IAAI,EAAE,CAAmE,CAAC;IACpG,qFAAqF;IACrF,MAAM,SAAS,GAAG,EAAE,CAAC,SAAS,CAAC,UAAU,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;IACzD,MAAM,EAAE,GAAG,gBAAgB,CAAC,SAAS,EAAE,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,QAAQ,EAAE,OAAO,CAAC,EAAE,eAAe,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC;IAC3G,IAAI,CAAC,EAAE;QAAE,MAAM,IAAI,KAAK,CAAC,yEAAyE,CAAC,CAAC;IAEpG,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,QAAQ,CAOrC,CAAC;IACF,IAAI,GAAG,CAAC,aAAa,KAAK,qBAAqB,EAAE,CAAC;QAChD,MAAM,IAAI,KAAK,CAAC,mDAAmD,GAAG,CAAC,aAAa,GAAG,CAAC,CAAC;IAC3F,CAAC;IACD,6EAA6E;IAC7E,iFAAiF;IACjF,IAAI,SAAS,CAAC,CAAC,GAAG,CAAC,YAAY,CAAC,EAAE,kBAAkB,CAAC,KAAK,IAAI,EAAE,CAAC;QAC/D,MAAM,IAAI,KAAK,CACb,uCAAuC,GAAG,CAAC,YAAY,yBAAyB,kBAAkB,CAAC,IAAI,CAAC,GAAG,CAAC,gBAAgB,CAAC,CAAC;IAClI,CAAC;IACD,sFAAsF;IACtF,uFAAuF;IACvF,iBAAiB,CAAE,GAAG,CAAC,SAAiB,IAAI,SAAS,CAAC,CAAC;IAEvD,EAAE,CAAC,YAAY,CAAC,GAAG,CAAC,GAAG,EAAE;QACvB,UAAU,EAAE,GAAG;QACf,aAAa,EAAE,GAAG,CAAC,aAAa;QAChC,YAAY,EAAE,GAAG,CAAC,YAAY;QAC9B,WAAW,EAAE,GAAG,CAAC,WAAW;QAC5B,MAAM,EAAE,GAAG,CAAC,MAAM;QAClB,UAAU,EAAE,GAAG,CAAC,UAAU;KAC3B,CAAC,CAAC;IACH,EAAE,CAAC,YAAY,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC,CAAC,wEAAwE;AAC3G,CAAC;AACD,2BAA2B;AAE3B,iGAAiG;AACjG,SAAS,WAAW,CAAC,CAA+B;IAClD,IAAI,CAAC,IAAI,IAAI;QAAE,OAAO,EAAE,CAAC;IACzB,OAAO,OAAO,CAAC,KAAK,QAAQ,CAAC,CAAC,CAAE,IAAI,CAAC,KAAK,CAAC,CAAC,CAAS,CAAC,CAAC,CAAC,CAAC,CAAC;AAC5D,CAAC;AAED,SAAS,iBAAiB,CAAC,EAAqB,EAAE,QAAgB;IAChE,OAAO,EAAE,QAAQ,EAAE,OAAO,EAAE,QAAQ,EAAE,OAAO,EAAE,QAAQ,EAAE,QAAQ,EAAE,OAAO,EAAE,IAAI,EAAE,OAAO,EAAE,KAAK,IAAI,EAAE,CAAC,SAAS,EAAE,CAAC;AACrH,CAAC;AAED,SAAS,SAAS,CAChB,EAAqB,EACrB,IAAiF;IAEjF,MAAM,GAAG,GAAG,IAAI,CAAC,UAAU,IAAI,UAAU,CAAC,EAAE,CAAC,CAAC;IAC9C,MAAM,IAAI,GAAG,EAAE,CAAC,YAAY,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;IACtC,IAAI,CAAC,IAAI;QAAE,OAAO,iBAAiB,CAAC,EAAE,EAAE,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAC,kBAAkB;IAC1E,IAAI,CAAC,EAAE,CAAC,YAAY,CAAC,QAAQ,CAAC,GAAG,CAAC;QAAE,OAAO,iBAAiB,CAAC,EAAE,EAAE,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAC,oBAAoB;IACrG,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;IAC9C,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC;IAC/C,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,GAAG,CAAC,IAAI,GAAG,GAAG,EAAE,CAAC,GAAG,EAAE,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,GAAG,CAAC,IAAI,GAAG,GAAG,EAAE,CAAC,GAAG,EAAE;QACpF,OAAO,iBAAiB,CAAC,EAAE,EAAE,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAC,2CAA2C;IAC1F,MAAM,GAAG,GAAG,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,IAAI,CAAC,QAAQ,CAAC,CAAC;IACtE,IAAI,CAAC,GAAG;QAAE,OAAO,iBAAiB,CAAC,EAAE,EAAE,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAC,kBAAkB;IAEzE,uDAAuD;IACvD,4EAA4E;IAC5E,0EAA0E;IAC1E,yEAAyE;IACzE,qFAAqF;IACrF,qFAAqF;IACrF,EAAE;IACF,+EAA+E;IAC/E,6EAA6E;IAC7E,8EAA8E;IAC9E,8DAA8D;IAC9D,MAAM,eAAe,GAAG,IAAI,CAAC,MAAM,EAAE,eAAe,CAAC;IACrD,IAAI,OAAO,eAAe,KAAK,QAAQ,EAAE,CAAC;QACxC,MAAM,SAAS,GAAG,qBAAqB,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;QACvD,IAAI,SAAS,KAAK,SAAS,EAAE,CAAC;YAC5B,MAAM,UAAU,GAAG,cAAc,CAAC,eAAe,CAAC,IAAI,CAAC,CAAC,CAAC;YACzD,IAAI,UAAU,GAAG,SAAS,EAAE,CAAC;gBAC3B,sEAAsE;gBACtE,yEAAyE;gBACzE,MAAM,QAAQ,GAAsB,GAAG,CAAC,SAAS,KAAK,MAAM,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,OAAO,CAAC;gBACjF,OAAO;oBACL,QAAQ,EAAE,OAAO;oBACjB,QAAQ;oBACR,QAAQ,EAAE,GAAG,CAAC,SAAS,IAAI,IAAI,CAAC,QAAQ;oBACxC,OAAO,EAAE,GAAG,CAAC,QAAQ,IAAI,IAAI;oBAC7B,oFAAoF;oBACpF,iFAAiF;oBACjF,sFAAsF;oBACtF,OAAO,EAAE,CAAC,KAAK,EAAE,EAAE;wBACjB,IAAI,KAAK,KAAK,SAAS;4BAAE,MAAM,IAAI,mBAAmB,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;wBACtE,MAAM,OAAO,GAAG,GAAG,CAAC,QAAQ,IAAI,IAAI,CAAC;wBACrC,MAAM,WAAW,GAAG,IAAI,CAAC,WAAW,IAAI,YAAY,GAAG,IAAI,IAAI,CAAC,QAAQ,EAAE,CAAC;wBAC3E,OAAO,OAAO,CAAC,CAAC,CAAC,OAAO,CAAC,EAAE,EAAE,WAAW,EAAE,OAAO,EAAE,KAAK,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC;oBACzF,CAAC;iBACF,CAAC;YACJ,CAAC;QACH,CAAC;IACH,CAAC;IAED,MAAM,QAAQ,GAAsB,GAAG,CAAC,SAAS,KAAK,MAAM,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,OAAO,CAAC;IACjF,IAAI,QAAQ,GAA+B,GAAG,CAAC,QAAQ,CAAC;IAExD,MAAM,OAAO,GAAG,EAAE,CAAC,GAAG,CAAC,cAAc,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,YAAY,KAAK,IAAI,CAAC,QAAQ,CAAC,CAAC;IACpF,IAAI,OAAO,EAAE,CAAC;QACZ,MAAM,UAAU,GAAG,IAAI,CAAC,MAAM,EAAE,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC;QAClD,MAAM,UAAU,GAAG,aAAa,CAAC,OAAO,CAAC,UAAU,EAAE,UAAU,EAAE,OAAO,CAAC,OAAO,CAAC,CAAC;QAClF,MAAM,MAAM,GAAG,WAAW,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;QACvC,IAAI,MAAM,CAAC,WAAW,IAAI,IAAI,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC,WAAW,CAAC,EAAE,CAAC;YACvE,QAAQ,GAAG,OAAO,CAAC,CAAC,iCAAiC;QACvD,CAAC;aAAM,CAAC;YACN,MAAM,GAAG,GAAG,gBAAgB,CAAC,UAAU,EAAE,MAAM,CAAC,WAAW,CAAC,CAAC;YAC7D,QAAQ,GAAG,GAAG,KAAK,OAAO,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC,mCAAmC;QAC1F,CAAC;IACH,CAAC;IAED,8FAA8F;IAC9F,8FAA8F;IAC9F,kGAAkG;IAClG,8FAA8F;IAC9F,kGAAkG;IAClG,oGAAoG;IACpG,EAAE;IACF,kGAAkG;IAClG,8FAA8F;IAC9F,iGAAiG;IACjG,4FAA4F;IAC5F,8FAA8F;IAC9F,iEAAiE;IACjE,IAAI,QAAQ,KAAK,OAAO,IAAI,QAAQ,KAAK,MAAM,IAAI,QAAQ,KAAK,OAAO,EAAE,CAAC;QACxE,MAAM,EAAE,GAAG,EAAE,CAAC,IAAI,CAAC,GAAG,EAAE,EAAE,cAAc,EAAE,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,QAAQ,CAAC,EAAE,QAAQ,CAAC;QACrF,QAAQ,GAAG,CAAC,EAAE,KAAK,OAAO,IAAI,EAAE,KAAK,MAAM,IAAI,EAAE,KAAK,OAAO,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC;IAChF,CAAC;IAED,MAAM,OAAO,GAAG,GAAG,CAAC,QAAQ,IAAI,IAAI,CAAC;IACrC,MAAM,WAAW,GAAG,IAAI,CAAC,WAAW,IAAI,YAAY,GAAG,IAAI,IAAI,CAAC,QAAQ,EAAE,CAAC;IAC3E,MAAM,QAAQ,GAAG,IAAI,CAAC,QAAQ,CAAC;IAC/B,OAAO;QACL,QAAQ;QACR,QAAQ;QACR,QAAQ,EAAE,GAAG,CAAC,SAAS,IAAI,IAAI,CAAC,QAAQ;QACxC,OAAO;QACP,OAAO,EAAE,CAAC,KAAK,EAAE,EAAE;YACjB,2EAA2E;YAC3E,uEAAuE;YACvE,2EAA2E;YAC3E,6EAA6E;YAC7E,4EAA4E;YAC5E,6EAA6E;YAC7E,4EAA4E;YAC5E,qEAAqE;YACrE,IAAI,KAAK,KAAK,SAAS,IAAI,mBAAmB,CAAC,GAAG,CAAC,QAAQ,CAAC,EAAE,CAAC;gBAC7D,MAAM,IAAI,mBAAmB,CAAC,QAAQ,CAAC,CAAC;YAC1C,CAAC;YACD,OAAO,OAAO,CAAC,CAAC,CAAC,OAAO,CAAC,EAAE,EAAE,WAAW,EAAE,OAAO,EAAE,KAAK,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC;QACzF,CAAC;KACF,CAAC;AACJ,CAAC;AACD,2BAA2B;AAC3B,KAAK,UAAU,OAAO,CACpB,EAAqB,EACrB,WAAmB,EACnB,OAAsB,EACtB,KAAyC,EACzC,WAAoB;IAEpB,wFAAwF;IACxF,yFAAyF;IACzF,IAAI,CAAC,OAAO;QAAE,MAAM,IAAI,eAAe,EAAE,CAAC;IAE1C,2DAA2D;IAC3D,4EAA4E;IAC5E,uEAAuE;IACvE,yEAAyE;IACzE,4EAA4E;IAC5E,0EAA0E;IAC1E,8EAA8E;IAC9E,+EAA+E;IAC/E,iFAAiF;IACjF,MAAM,IAAI,GAAG;QACX,YAAY,EAAE,WAAW;QACzB,QAAQ,EAAE,OAAO;QACjB,iBAAiB,EAAE,KAAK;QACxB,UAAU,EAAE,IAAI,IAAI,CAAC,EAAE,CAAC,GAAG,EAAE,CAAC,CAAC,WAAW,EAAE;QAC5C,YAAY,EAAE,WAAW,IAAI,eAAe;KAC7C,CAAC;IACF,wFAAwF;IACxF,MAAM,OAAO,GAAG,WAAW,CACzB,oBAAoB,EACpB,IAAW,EACX,EAAE,CAAC,UAAU,EACb,IAAI,IAAI,CAAC,EAAE,CAAC,GAAG,EAAE,CAAC,EAClB,IAAI,UAAU,CAAC,WAAW,CAAC,EAAE,CAAC,CAAC,CAChC,CAAC;IAEF,wFAAwF;IACxF,wFAAwF;IACxF,sFAAsF;IACtF,4FAA4F;IAC5F,MAAM,IAAI,GAAG,EAAE,GAAG,OAAO,EAAE,IAAI,EAAE,IAAI,CAAC,KAAK,CAAC,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,EAAE,CAAC;IACtF,MAAM,GAAG,GAAG,MAAM,EAAE,CAAC,IAAI,CAAC,IAAI,CAAC,mCAAmC,EAAE,IAAI,CAAC,CAAC;IAC1E,6FAA6F;IAC7F,2FAA2F;IAC3F,+FAA+F;IAC/F,IAAI,GAAG,CAAC,MAAM,KAAK,GAAG,IAAI,GAAG,CAAC,MAAM,KAAK,GAAG,IAAI,GAAG,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC;QACnE,MAAM,IAAI,KAAK,CAAC,4CAA4C,GAAG,CAAC,MAAM,GAAG,CAAC,CAAC;IAC7E,CAAC;IACD,OAAO,OAAO,CAAC;AACjB,CAAC;AAED,gDAAgD;AAEhD,yFAAyF;AACzF,SAAS,UAAU,CAAC,EAA2B;IAC7C,MAAM,MAAM,GAA4B,EAAE,CAAC;IAC3C,KAAK,MAAM,CAAC,IAAI,MAAM,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC,IAAI,EAAE;QAAE,MAAM,CAAC,CAAC,CAAC,GAAG,EAAE,CAAC,CAAC,CAAC,CAAC;IAC1D,OAAO,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC,CAAC;AAC1D,CAAC;AAED,KAAK,UAAU,kBAAkB,CAC/B,EAAqB,EACrB,MAA8B;IAE9B,MAAM,GAAG,GAAG,MAAM,CAAC,UAAU,IAAI,UAAU,CAAC,EAAE,CAAC,CAAC;IAEhD,gEAAgE;IAChE,MAAM,OAAO,GAAG,EAAE,CAAC,GAAG,CAAC,cAAc,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,YAAY,KAAK,MAAM,CAAC,YAAY,CAAC,CAAC;IAC1F,IAAI,CAAC,OAAO;QAAE,MAAM,IAAI,oBAAoB,CAAC,MAAM,CAAC,YAAY,CAAC,CAAC;IAElE,+DAA+D;IAC/D,qFAAqF;IACrF,MAAM,iBAAiB,GAAG,aAAa,CAAC,OAAO,CAAC,UAAU,EAAE,MAAM,CAAC,WAAW,EAAE,OAAO,CAAC,OAAO,CAAC,CAAC;IAEjG,uFAAuF;IACvF,wFAAwF;IACxF,2FAA2F;IAC3F,uDAAuD;IACvD,IAAI,iBAAiB,KAAK,WAAW,EAAE,CAAC;QACtC,MAAM,IAAI,wBAAwB,CAAC,OAAO,CAAC,UAAU,EAAE,MAAM,CAAC,WAAW,CAAC,CAAC;IAC7E,CAAC;IAED,mFAAmF;IACnF,0FAA0F;IAC1F,MAAM,IAAI,GAAG,EAAE,CAAC,YAAY,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;IACtC,MAAM,GAAG,GAAG,IAAI,EAAE,UAAU,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,MAAM,CAAC,YAAY,CAAC,CAAC;IAC7E,MAAM,MAAM,GAAG,GAAG,CAAC,CAAC,CAAC,WAAW,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;IAClD,IACE,MAAM,CAAC,WAAW,IAAI,IAAI;QAC1B,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC,WAAW,CAAC;QACnC,iBAAiB,KAAK,MAAM,CAAC,WAAW,EACxC,CAAC;QACD,OAAO,EAAE,UAAU,EAAE,IAAI,EAAE,CAAC;IAC9B,CAAC;IAED,gFAAgF;IAChF,iFAAiF;IACjF,8EAA8E;IAC9E,0DAA0D;IAC1D,qFAAqF;IACrF,wFAAwF;IACxF,2EAA2E;IAC3E,MAAM,EAAE,GAA4B;QAClC,YAAY,EAAE,MAAM,CAAC,WAAW;QAChC,mBAAmB,EAAE,iBAAiB;QACtC,WAAW,EAAE,GAAG;QAChB,UAAU,EAAE,0BAA0B;QACtC,aAAa,EAAE,MAAM,CAAC,YAAY;QAClC,SAAS,EAAE,IAAI,IAAI,CAAC,EAAE,CAAC,GAAG,EAAE,CAAC,CAAC,WAAW,EAAE,CAAC,OAAO,CAAC,WAAW,EAAE,GAAG,CAAC;KACtE,CAAC;IACF,MAAM,UAAU,GAAG,UAAU,CAAC,EAAE,CAAC,CAAC;IAClC,MAAM,GAAG,GAAG,WAAW,CAAC,EAAE,CAAC,GAAG,CAAC,oBAAoB,CAAC,IAAI,EAAE,UAAU,CAAC,CAAC;IACtE,MAAM,IAAI,GAAG,EAAE,GAAG,EAAE,EAAE,MAAM,EAAE,EAAE,CAAC,GAAG,CAAC,oBAAoB,CAAC,KAAK,EAAE,GAAG,EAAE,SAAS,CAAC,GAAG,CAAC,EAAE,CAAC;IAEvF,gFAAgF;IAChF,MAAM,GAAG,GAAG,MAAM,EAAE,CAAC,IAAI,CAAC,IAAI,CAAC,mBAAmB,EAAE,IAAI,CAAC,CAAC;IAC1D,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC;QACZ,MAAM,IAAI,KAAK,CAAC,qDAAqD,GAAG,CAAC,MAAM,EAAE,CAAC,CAAC;IACrF,CAAC;IACD,MAAM,KAAK,GAAG,CAAC,MAAM,GAAG,CAAC,IAAI,EAAE,CAA6D,CAAC;IAC7F,OAAO,EAAE,UAAU,EAAE,KAAK,CAAC,IAAI,EAAE,WAAW,IAAI,EAAE,EAAE,UAAU,EAAE,KAAK,CAAC,IAAI,EAAE,UAAU,EAAE,CAAC;AAC3F,CAAC;AAED;oFACoF;AACpF,SAAS,aAAa,CAAC,MAAc,EAAE,OAAe;IACpD,OAAO,UAAU,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;AACpE,CAAC;AAED;;;;;;;;;;;;wFAYwF;AACxF,KAAK,UAAU,aAAa,CAAC,EAAqB,EAAE,GAAY;IAC9D,6EAA6E;IAC7E,IAAI,OAAe,CAAC;IACpB,IAAI,CAAC;QACH,OAAO,GAAG,MAAM,GAAG,CAAC,IAAI,EAAE,CAAC;IAC7B,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,QAAQ,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,gBAAgB,EAAE,CAAC,EAAE,EAAE,MAAM,EAAE,GAAG,EAAE,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE,EAAE,CAAC,CAAC;IACrI,CAAC;IAED,2EAA2E;IAC3E,MAAM,aAAa,GAAG,EAAE,CAAC,GAAG,CAAC,aAAa,CAAC;IAC3C,IAAI,aAAa,EAAE,CAAC;QAClB,MAAM,SAAS,GAAG,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,oBAAoB,CAAC,CAAC;QACxD,IAAI,CAAC,SAAS,EAAE,CAAC;YACf,OAAO,IAAI,QAAQ,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,4BAA4B,EAAE,CAAC,EAAE,EAAE,MAAM,EAAE,GAAG,EAAE,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE,EAAE,CAAC,CAAC;QACjJ,CAAC;QACD,MAAM,QAAQ,GAAG,aAAa,CAAC,aAAa,EAAE,OAAO,CAAC,CAAC;QACvD,yFAAyF;QACzF,uFAAuF;QACvF,IACE,SAAS,CAAC,MAAM,KAAK,QAAQ,CAAC,MAAM;YACpC,CAAC,eAAe,CAAC,MAAM,CAAC,IAAI,CAAC,SAAS,EAAE,MAAM,CAAC,EAAE,MAAM,CAAC,IAAI,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC,EAC/E,CAAC;YACD,OAAO,IAAI,QAAQ,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,4BAA4B,EAAE,CAAC,EAAE,EAAE,MAAM,EAAE,GAAG,EAAE,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE,EAAE,CAAC,CAAC;QACjJ,CAAC;IACH,CAAC;IAED,mBAAmB;IACnB,IAAI,IAAoD,CAAC;IACzD,IAAI,CAAC;QACH,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,OAAO,CAAmD,CAAC;IAC/E,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,QAAQ,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,gBAAgB,EAAE,CAAC,EAAE,EAAE,MAAM,EAAE,GAAG,EAAE,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE,EAAE,CAAC,CAAC;IACrI,CAAC;IAED,MAAM,KAAK,GAAG,IAAI,CAAC,iBAAiB,CAAC;IACrC,IAAI,CAAC,KAAK,EAAE,CAAC;QACX,OAAO,IAAI,QAAQ,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,4BAA4B,EAAE,CAAC,EAAE,EAAE,MAAM,EAAE,GAAG,EAAE,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE,EAAE,CAAC,CAAC;IACjJ,CAAC;IAED,oFAAoF;IACpF,qFAAqF;IACrF,mFAAmF;IACnF,gFAAgF;IAChF,IAAI,EAAE,CAAC,sBAAsB,CAAC,GAAG,CAAC,KAAK,CAAC,EAAE,CAAC;QACzC,OAAO,IAAI,QAAQ,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,SAAS,EAAE,IAAI,EAAE,UAAU,EAAE,KAAK,EAAE,CAAC,EAAE;YAC1E,MAAM,EAAE,GAAG;YACX,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE;SAChD,CAAC,CAAC;IACL,CAAC;IAED,gFAAgF;IAChF,EAAE,CAAC,mBAAmB,GAAG,KAAK,CAAC;IAC/B,EAAE,CAAC,sBAAsB,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;IACrC,IAAI,CAAC;QACH,MAAM,cAAc,CAAC,EAAE,EAAE,KAAK,CAAC,CAAC,CAAC,iEAAiE;IACpG,CAAC;IAAC,MAAM,CAAC;QACP,+EAA+E;QAC/E,+EAA+E;QAC/E,8EAA8E;QAC9E,wEAAwE;IAC1E,CAAC;IACD,wFAAwF;IACxF,8FAA8F;IAC9F,OAAO,IAAI,QAAQ,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,SAAS,EAAE,IAAI,EAAE,UAAU,EAAE,KAAK,EAAE,CAAC,EAAE;QAC1E,MAAM,EAAE,GAAG;QACX,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE;KAChD,CAAC,CAAC;AACL,CAAC"}

package/dist/index.d.ts

@@ -0,0 +1,4 @@
+export { createGatekeeper } from "./gatekeeper.js";
+export { contentAgeFor } from "./crosswalk.js";
+export { RuleRefRequired, NoRatingMappingError, UnmappedRatingValueError, AssuranceLevelError, type RatingMapping, type GatekeeperConfig, type Verdict, type GatekeeperCategory, type VerifiedProfile, type Gatekeeper, type ReportParentChangeArgs, type ReportParentChangeResult, } from "./types.js";
+//# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,gBAAgB,EAAE,MAAM,iBAAiB,CAAC;AACnD,OAAO,EAAE,aAAa,EAAE,MAAM,gBAAgB,CAAC;AAC/C,OAAO,EACL,eAAe,EACf,oBAAoB,EACpB,wBAAwB,EACxB,mBAAmB,EACnB,KAAK,aAAa,EAClB,KAAK,gBAAgB,EACrB,KAAK,OAAO,EACZ,KAAK,kBAAkB,EACvB,KAAK,eAAe,EACpB,KAAK,UAAU,EACf,KAAK,sBAAsB,EAC3B,KAAK,wBAAwB,GAC9B,MAAM,YAAY,CAAC"}

package/dist/index.js

@@ -0,0 +1,5 @@
+// @phosra/gatekeeper public API barrel.
+export { createGatekeeper } from "./gatekeeper.js";
+export { contentAgeFor } from "./crosswalk.js";
+export { RuleRefRequired, NoRatingMappingError, UnmappedRatingValueError, AssuranceLevelError, } from "./types.js";
+//# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,wCAAwC;AACxC,OAAO,EAAE,gBAAgB,EAAE,MAAM,iBAAiB,CAAC;AACnD,OAAO,EAAE,aAAa,EAAE,MAAM,gBAAgB,CAAC;AAC/C,OAAO,EACL,eAAe,EACf,oBAAoB,EACpB,wBAAwB,EACxB,mBAAmB,GASpB,MAAM,YAAY,CAAC"}

package/dist/ocss-http-client.d.ts

@@ -0,0 +1,21 @@
+import { type SenderKey } from "@openchildsafety/ocss";
+export interface OcssHttpClientConfig {
+    baseUrl: string;
+    senderKey: SenderKey;
+    fetchImpl?: typeof fetch;
+    now?: () => number;
+}
+/**
+ * OcssHttpClient is the generic RFC-9421 census transport for @phosra/gatekeeper.
+ * Signs the §9.3(b) profile GET and the §8.3.8 confirm POST as the gatekeeper key.
+ * No @ocss/sim-common, no @phosra/link — its own boundary.
+ */
+export declare class OcssHttpClient {
+    private cfg;
+    private fetchImpl;
+    private now;
+    constructor(cfg: OcssHttpClientConfig);
+    post(path: string, body: unknown): Promise<Response>;
+    get(path: string): Promise<Response>;
+}
+//# sourceMappingURL=ocss-http-client.d.ts.map

package/dist/ocss-http-client.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"ocss-http-client.d.ts","sourceRoot":"","sources":["../src/ocss-http-client.ts"],"names":[],"mappings":"AAAA,OAAO,EAA6B,KAAK,SAAS,EAAE,MAAM,uBAAuB,CAAA;AAEjF,MAAM,WAAW,oBAAoB;IACnC,OAAO,EAAE,MAAM,CAAA;IACf,SAAS,EAAE,SAAS,CAAA;IACpB,SAAS,CAAC,EAAE,OAAO,KAAK,CAAA;IACxB,GAAG,CAAC,EAAE,MAAM,MAAM,CAAA;CACnB;AAED;;;;GAIG;AACH,qBAAa,cAAc;IACzB,OAAO,CAAC,GAAG,CAAsB;IACjC,OAAO,CAAC,SAAS,CAAc;IAC/B,OAAO,CAAC,GAAG,CAAc;gBACb,GAAG,EAAE,oBAAoB;IAM/B,IAAI,CAAC,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,OAAO,GAAG,OAAO,CAAC,QAAQ,CAAC;IAkBpD,GAAG,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,QAAQ,CAAC;CAW3C"}

package/dist/ocss-http-client.js

@@ -0,0 +1,45 @@
+import { signRequest, SPEC_VERSION } from "@openchildsafety/ocss";
+/**
+ * OcssHttpClient is the generic RFC-9421 census transport for @phosra/gatekeeper.
+ * Signs the §9.3(b) profile GET and the §8.3.8 confirm POST as the gatekeeper key.
+ * No @ocss/sim-common, no @phosra/link — its own boundary.
+ */
+export class OcssHttpClient {
+    cfg;
+    fetchImpl;
+    now;
+    constructor(cfg) {
+        this.cfg = cfg;
+        this.fetchImpl = cfg.fetchImpl ?? fetch;
+        this.now = cfg.now ?? (() => Date.now());
+    }
+    async post(path, body) {
+        const targetURI = this.cfg.baseUrl + path;
+        const bodyText = JSON.stringify(body);
+        const headers = signRequest({
+            method: "POST",
+            targetURI,
+            body: new TextEncoder().encode(bodyText),
+            keyID: this.cfg.senderKey.keyID,
+            seed: this.cfg.senderKey.seed,
+            created: Math.floor(this.now() / 1000),
+        });
+        headers["Content-Type"] = "application/json";
+        if (headers["OCSS-Spec-Version"] !== SPEC_VERSION) {
+            throw new Error(`@phosra/gatekeeper: spec version drift ${headers["OCSS-Spec-Version"]} != ${SPEC_VERSION}`);
+        }
+        return this.fetchImpl(targetURI, { method: "POST", headers, body: bodyText });
+    }
+    async get(path) {
+        const targetURI = this.cfg.baseUrl + path;
+        const headers = signRequest({
+            method: "GET",
+            targetURI,
+            keyID: this.cfg.senderKey.keyID,
+            seed: this.cfg.senderKey.seed,
+            created: Math.floor(this.now() / 1000),
+        });
+        return this.fetchImpl(targetURI, { method: "GET", headers });
+    }
+}
+//# sourceMappingURL=ocss-http-client.js.map

package/dist/ocss-http-client.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"ocss-http-client.js","sourceRoot":"","sources":["../src/ocss-http-client.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,WAAW,EAAE,YAAY,EAAkB,MAAM,uBAAuB,CAAA;AASjF;;;;GAIG;AACH,MAAM,OAAO,cAAc;IACjB,GAAG,CAAsB;IACzB,SAAS,CAAc;IACvB,GAAG,CAAc;IACzB,YAAY,GAAyB;QACnC,IAAI,CAAC,GAAG,GAAG,GAAG,CAAA;QACd,IAAI,CAAC,SAAS,GAAG,GAAG,CAAC,SAAS,IAAI,KAAK,CAAA;QACvC,IAAI,CAAC,GAAG,GAAG,GAAG,CAAC,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC,IAAI,CAAC,GAAG,EAAE,CAAC,CAAA;IAC1C,CAAC;IAED,KAAK,CAAC,IAAI,CAAC,IAAY,EAAE,IAAa;QACpC,MAAM,SAAS,GAAG,IAAI,CAAC,GAAG,CAAC,OAAO,GAAG,IAAI,CAAA;QACzC,MAAM,QAAQ,GAAG,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,CAAA;QACrC,MAAM,OAAO,GAAG,WAAW,CAAC;YAC1B,MAAM,EAAE,MAAM;YACd,SAAS;YACT,IAAI,EAAE,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,QAAQ,CAAC;YACxC,KAAK,EAAE,IAAI,CAAC,GAAG,CAAC,SAAS,CAAC,KAAK;YAC/B,IAAI,EAAE,IAAI,CAAC,GAAG,CAAC,SAAS,CAAC,IAAI;YAC7B,OAAO,EAAE,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC;SACvC,CAAC,CAAA;QACF,OAAO,CAAC,cAAc,CAAC,GAAG,kBAAkB,CAAA;QAC5C,IAAI,OAAO,CAAC,mBAAmB,CAAC,KAAK,YAAY,EAAE,CAAC;YAClD,MAAM,IAAI,KAAK,CAAC,0CAA0C,OAAO,CAAC,mBAAmB,CAAC,OAAO,YAAY,EAAE,CAAC,CAAA;QAC9G,CAAC;QACD,OAAO,IAAI,CAAC,SAAS,CAAC,SAAS,EAAE,EAAE,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,IAAI,EAAE,QAAQ,EAAE,CAAC,CAAA;IAC/E,CAAC;IAED,KAAK,CAAC,GAAG,CAAC,IAAY;QACpB,MAAM,SAAS,GAAG,IAAI,CAAC,GAAG,CAAC,OAAO,GAAG,IAAI,CAAA;QACzC,MAAM,OAAO,GAAG,WAAW,CAAC;YAC1B,MAAM,EAAE,KAAK;YACb,SAAS;YACT,KAAK,EAAE,IAAI,CAAC,GAAG,CAAC,SAAS,CAAC,KAAK;YAC/B,IAAI,EAAE,IAAI,CAAC,GAAG,CAAC,SAAS,CAAC,IAAI;YAC7B,OAAO,EAAE,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC;SACvC,CAAC,CAAA;QACF,OAAO,IAAI,CAAC,SAAS,CAAC,SAAS,EAAE,EAAE,MAAM,EAAE,KAAK,EAAE,OAAO,EAAE,CAAC,CAAA;IAC9D,CAAC;CACF"}

package/dist/protocol.d.ts

@@ -0,0 +1,10 @@
+/**
+ * @phosra/gatekeeper/protocol — byte-identical re-export of @openchildsafety/ocss.
+ *
+ * This is a pure re-export, not a capture vector: no re-wrapping,
+ * no interposition, no shadowing. Callers may import from either
+ * "@openchildsafety/ocss" or "@phosra/gatekeeper/protocol" and get the same exports
+ * with the same object identities — the platform-side half of the §12.3 cut-test.
+ */
+export * from "@openchildsafety/ocss";
+//# sourceMappingURL=protocol.d.ts.map

package/dist/protocol.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"protocol.d.ts","sourceRoot":"","sources":["../src/protocol.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AACH,cAAc,uBAAuB,CAAA"}

package/dist/protocol.js

@@ -0,0 +1,10 @@
+/**
+ * @phosra/gatekeeper/protocol — byte-identical re-export of @openchildsafety/ocss.
+ *
+ * This is a pure re-export, not a capture vector: no re-wrapping,
+ * no interposition, no shadowing. Callers may import from either
+ * "@openchildsafety/ocss" or "@phosra/gatekeeper/protocol" and get the same exports
+ * with the same object identities — the platform-side half of the §12.3 cut-test.
+ */
+export * from "@openchildsafety/ocss";
+//# sourceMappingURL=protocol.js.map

package/dist/protocol.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"protocol.js","sourceRoot":"","sources":["../src/protocol.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AACH,cAAc,uBAAuB,CAAA"}